Mainframe Connector subsystem internal configuration
Run-time parameters
Parmlib Customization
This section describes the parameters that you can specify for Mainframe Connector processing.
Every z/OS image running Mainframe Connector will require access to a parameter dataset. The parameter dataset is specified through the PARMLIB DD referenced in the Mainframe Connector cataloged procedure. This dataset is read during startup processing only, so any changes to this dataset will not take effect until Mainframe Connector is restarted.
Parmlib Syntax
- An "*" coded in column one indicates that the corresponding statement is to be treated as a comment. 
- Parameter statements can be prefixed with multiple blank characters. 
- The end of parameter data occurs at the first blank character following the start of a valid parameter statement. Any data coded after this terminating blank is considered a comment. 
- Parameter statements cannot span multiple card images. 
- If Mainframe Connector encounters duplicate parameters, it keeps the value specified in the first occurrence and ignores the duplicates. 
- If Mainframe Connector encounters an invalid parameter, it ignores the invalid parameter and issues a warning message. 
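The following Python script is an added example, not part of the Mainframe Connector product, that applies the six syntax rules above to a constructed PARMLIB member so their effect can be checked offline: column-one comments, leading blanks, the first-blank terminator, the absence of continuation across card images, first-occurrence-wins for duplicates, and a warning for invalid statements. The set of recognised parameter names is taken from the descriptions later on this page; treating an unrecognised name, an empty value or a blank card the way this script does is the example's own assumption.

```python
"""Parser for the Mainframe Connector PARMLIB card-image syntax.

Added example (not Bravura Security's code). KNOWN_PARAMETERS is taken
from the parameter descriptions on this page.
"""
from __future__ import annotations

import re

# Parameter names as documented on this page.
KNOWN_PARAMETERS = {
    "ADMINID", "DATASPACE", "DEBUGLEVEL", "DEBUGMAX", "DNS", "ENCRYPTION",
    "ENTROPYFALLBACK", "HOSTID", "KEY", "KEYDISPLAY", "KEYENCRYPT",
    "LISTCHECK", "LISTENMAX", "LISTENPORT#", "LISTENONLY", "OUTBOUNDPWCASE",
    "PASSIVESTART", "REPORTSYSID", "RESETAUTH", "SMFREC", "SOCKETCLOSEWAIT",
    "SUBSYSNAME", "TCPPORT#", "TIMEOUT", "TSSTARGET", "USERIDFASTDEL",
}

# A statement is NAME=value with no embedded blanks (assumed upper case).
STATEMENT = re.compile(r"^([A-Z#]+)=(\S+)$")


def parse_parmlib(text: str) -> tuple[dict[str, str], list[str]]:
    """Return (parameters, warnings) for an 80-column card-image member."""
    params: dict[str, str] = {}
    warnings: list[str] = []
    for lineno, card in enumerate(text.splitlines(), start=1):
        card = card[:80]                      # a card image is 80 columns wide
        if card.startswith("*"):              # '*' in column one: comment card
            continue
        body = card.lstrip(" ")               # leading blanks are permitted
        if not body:                          # blank card: skipped (assumption)
            continue
        # Parameter data ends at the first blank; anything after it is comment.
        statement = body.split(" ", 1)[0]
        m = STATEMENT.match(statement)
        if not m:                             # e.g. a would-be continuation card
            warnings.append(f"card {lineno}: invalid statement ignored: {statement!r}")
            continue
        name, value = m.group(1), m.group(2)
        if name not in KNOWN_PARAMETERS:
            warnings.append(f"card {lineno}: unknown parameter ignored: {name}")
            continue
        if name in params:                    # duplicates: first occurrence wins
            warnings.append(
                f"card {lineno}: duplicate {name} ignored, keeping {params[name]!r}")
            continue
        params[name] = value
    return params, warnings


# Constructed sample member (not from a real system).
SAMPLE_MEMBER = """\
* Mainframe Connector PARMLIB member (constructed sample for this example)
SUBSYSNAME=MFCS
DNS=corporate.pwdman.server        Bravura Security Fabric server
TCPPORT#=3333
LISTENPORT#=8000
KEY=A538B72CE1F0F47D961A20B6379D284A
KEYDISPLAY=MASK
  DEBUGLEVEL=0                     leading blanks are allowed
DEBUGLEVEL=5                       duplicate: ignored, first value kept
DATASPACE=SMF,
AUDIT,100                          continuation is not supported
BOGUSPARM=1
"""

if __name__ == "__main__":
    parsed, warns = parse_parmlib(SAMPLE_MEMBER)
    for name, value in parsed.items():
        print(f"{name:16} {value}")
    for w in warns:
        print("WARNING:", w)
```

The duplicate rule is worth noting from a hardening standpoint: a `DEBUGLEVEL=5` card appended at the end of the member does not override an earlier `DEBUGLEVEL=0`, but the same card inserted before it would.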
Parameter descriptions
A set of Mainframe Connector parameters as specified in the PARMLIB DD dataset may include the following:
ADMINID
Use this parameter to specify an administrator id that is to be used for validating Mainframe Connector listener password reset requests, password reset/expire requests, database userid list requests, userid enable requests, userid disable requests, and userid status check requests. A userid of up to seven characters can be specified. If ADMINID validation will be used, the userid must be defined to the security product, it must have a password value associated with it, the password value must not be expired, and the userid must not be in revoked status. If you do not wish to perform the adminid/password cross-validation check on a target Mainframe Connector environment, specify an ADMINID value of N/A; the listener then accepts these requests without that cross-validation.
| Syntax: | ADMINID=userid | 
| Example: | ADMINID=PSADMIN or ADMINID=N/A | 
| Default: | PSYNCH | 
DATASPACE
Use this parameter to request dataspace logging of SMF, AUDIT, and/or SYNCHLOG records. These may be interpreted and viewed in real time during Mainframe Connector operation using PICS (Mainframe Connector Parallel Information Communication Service) under TSO/ISPF (see Mainframe Connector ISPF/PDF Interface for details on how to activate and use PICS).
The DATASPACE parameter accepts up to four option values that indicate what logging information is to be captured as well as the size of the supporting dataspace. The four valid option values are:
- SMF - indicates that Mainframe Connector SMF record data is to be captured in the dataspace 
- AUDIT - indicates that AUDIT log information is to be captured in the dataspace 
- SYNCHLOG - indicates that SYNCHLOG log information is to be captured in the dataspace 
- nnnnnn - is a value between 1 and 524,288 indicating the number of 4K blocks that will comprise the dataspace. If the DATASPACE parameter is specified with at least one of the log information values and the dataspace size value is omitted, the default is 100. 
Data will be recorded into the dataspace in "wraparound" fashion - that is, when the dataspace is filled to capacity, recording re-commences at the beginning of the dataspace and continues, overlaying the previous oldest data. Sizing of the dataspace is therefore dependent upon the volume of log information captured, the level of log-generating activity, and the historical "retention" interval desired.
Note
The dataspace and its contents are deleted upon Mainframe Connector termination. The dataspace, therefore, should not constitute the fundamental mechanism upon which a strategy for longer-term retention of Mainframe Connector log data is based.
Dataspace recording of AUDIT and SYNCHLOG information is typically not necessary if the associated output is directed to SYSOUT, as they may be viewed, while active, during Mainframe Connector operation. If the output is being directed elsewhere, for example - to DASD, then viewing the active contents of the output log is not possible. In this case, dataspace recording may be appropriate to permit continuously updated realtime viewing.
The MODIFY command can be used to change the log recording options specified for the DATASPACE parameter. See Modifying the DATASPACE logging options for details on dynamically modifying the DATASPACE log recording options. The size of the dataspace cannot be modified while Mainframe Connector is active. To modify the dataspace size, the DATASPACE parameter value must be updated and Mainframe Connector must be restarted.
| Syntax: | DATASPACE=[SMF][,AUDIT][,SYNCHLOG][,nnnnnn] | 
| Example: | DATASPACE=SMF,SYNCHLOG,123 or DATASPACE=AUDIT,SYNCHLOG | 
| Default: | none | 
DEBUGLEVEL
Use this parameter to specify a debugging level to be used for the Mainframe Connector network modules. The parameter can be used to produce diagnostic messages regarding logic flow and the contents of inbound and outbound network traffic. Valid values for this parameter are numeric 0 to 9.
| Syntax: | DEBUGLEVEL=n | 
| Example: | DEBUGLEVEL=2 | 
| Default: | 0 | 
Mainframe Connector currently supports four debugging levels as follows:
- 0 indicates no debugging 
- 1 indicates standard level debugging and provides basic feedback on logic flow and diagnostic information on network interface function calls 
- 2 indicates that all debugging from level 1 is to be provided and also includes diagnostic messages for events that occur on a repeating time interval basis 
- 5 indicates that all debugging from levels 1 and 2 is to be provided and also includes diagnostic messages that contain sensitive information such as clear text userids or password values 
Using a DEBUGLEVEL other than 0 should only be necessary under the advisement of Bravura Security technical support. Because level 5 writes clear-text userids and passwords to the diagnostic output, treat any output captured at that level as sensitive and return DEBUGLEVEL to 0 as soon as the diagnosis is complete. The MODIFY command can be used to change the DEBUGLEVEL value. See Modifying the DEBUGLEVEL for details on dynamically modifying the DEBUGLEVEL value.
DEBUGMAX
Use this parameter to specify the maximum DEBUGLEVEL that will be accepted either through the DEBUGLEVEL=n parameter specified in the Mainframe Connector PARMLIB dataset or through the F mfc,DEBUGLEVEL=n modify operator command.
This parameter can be used to prevent inadvertent use of the DEBUGLEVEL option. In particular, a DEBUGMAX value below 5 ensures that the level which exposes clear-text userids and passwords cannot be enabled either from PARMLIB or from the console.
| Syntax: | DEBUGMAX=n | 
| Example: | DEBUGMAX=1 | 
| Default: | 9 | 
DNS
Use this parameter to define the Bravura Security Fabric server. This is a required parameter. The value can be specified as the Bravura Security Fabric server host name (the z/OS TCP/IP stack must be configured for Domain Name Services resolution if a host name is used) or as a dotted-decimal TCP/IP address.
| Syntax: | DNS=pwdidman.server.name | 
| Example: | DNS=corporate.pwdman.server or DNS=155.13.2.7 | 
| Default: | none | 
ENCRYPTION
Use this parameter to define the encryption technique that will be used for encrypting the data exchanged between Mainframe Connector and the Bravura Security Fabric server. This is an optional parameter; if it is not specified, Mainframe Connector uses 128-bit AES encryption. Prefer the AES default; IDEA is an older 64-bit block cipher.
| Syntax: | ENCRYPTION={IDEA/AES} | 
| Example: | ENCRYPTION=AES | 
| Default: | AES | 
ENTROPYFALLBACK
Use this parameter to indicate whether or not a weak source of randomness may be used as the basis for encryption when the preferred entropy source is unavailable. The default permits the fallback; ENTROPYFALLBACK=NO is the safer setting, because it surfaces an entropy failure instead of silently deriving key material from weak randomness.
| Syntax: | ENTROPYFALLBACK={YES/NO} | 
| Example: | ENTROPYFALLBACK=NO | 
| Default: | YES | 
HOSTID
Use this parameter to specify a host name by which the Bravura Security Fabric server will know this system. It should be unique across all specified or defaulted HOSTID values when Mainframe Connector is running on multiple systems or when multiple Mainframe Connector started tasks are running on the same z/OS image. The HOSTID value is an arbitrary identifier, but if the z/OS system will be used as a transparent password synchronization trigger system, this value MUST match a hostid value in a Bravura Security Fabric server host definition entry.
| Syntax: | HOSTID=hostname | 
| Example: | HOSTID=OS390SYSA | 
| Default: | MVS SMF sysid | 
KEY
Use this parameter to set the communication encryption key value that will permit the connection handshake with the Bravura Security Fabric server. The key value should be unique for accessing a Bravura Security Fabric server (one Mainframe Connector cannot be targeted by two different targets or instances using different keys). The key value is a 32-digit hexadecimal number (128 bits); use the first 32 characters of the unencrypted COMMKEY configured on the Bravura Security Fabric server. This is a required parameter. Because this value authenticates the connection, protect the PARMLIB dataset that contains it with the security product so that only the Mainframe Connector started task userid and its administrators can read it, and see KEYDISPLAY and KEYENCRYPT below for keeping the value out of console messages.
| Syntax: | KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | 
| Example: | KEY=A538B72CE1F0F47D961A20B6379D284A | 
| Default: | none | 
KEYDISPLAY
Use this parameter to indicate to Mainframe Connector whether the key value supplied in the KEY= parameter is displayed as specified or masked in Mainframe Connector console messages that contain the key value. With the default of ASIS the key appears in clear text in the console log; KEYDISPLAY=MASK is recommended.
| Syntax: | KEYDISPLAY={ASIS/MASK} | 
| Example: | KEYDISPLAY=MASK | 
| Default: | ASIS | 
KEYENCRYPT
Use this parameter to indicate to Mainframe Connector that the key value supplied in the KEY= parameter is an encrypted key and that internal decryption will be necessary before a successful key exchange can occur with a Bravura Security Fabric server. Setting KEYENCRYPT=YES will cause Mainframe Connector to effectively function with KEYDISPLAY=MASK regardless how this parameter value has been specified.
| Syntax: | KEYENCRYPT={YES/NO} | 
| Example: | KEYENCRYPT=YES | 
| Default: | NO | 
LISTCHECK
Use this parameter to determine how the contents of an INLIST or an EXLIST will be used. Include or exclude list checking can be activated for outbound or inbound password reset events. If include or exclude list checking is to be active only for inbound reset events, a LISTCHECK value of INBOUNDONLY would be used. If include or exclude list checking is to be active only for z/OS trigger password reset events, a LISTCHECK value of OUTBOUNDONLY would be used. If the contents of the include or exclude list are to be checked for both inbound and outbound events, a LISTCHECK value of INOUT would be used. The MODIFY command can be used to change the LISTCHECK value. See Modifying the LISTCHECK value for details on dynamically modifying the LISTCHECK value.
| Syntax: | LISTCHECK={INOUT/INBOUNDONLY/OUTBOUNDONLY} | 
| Example: | LISTCHECK=INOUT | 
| Default: | INBOUNDONLY | 
LISTENMAX
Use this parameter to set the maximum number of concurrent listener tasks that will be supported by this Mainframe Connector subsystem. The MODIFY command can be used to change the LISTENMAX value. See Modifying the LISTENMAX value for details on dynamically modifying the LISTENMAX value.
| Syntax: | LISTENMAX=nn (nn is from 1 to 99) | 
| Example: | LISTENMAX=10 | 
| Default: | 5 | 
LISTENPORT#
Use this parameter to set the Mainframe Connector listener TCP socket port number. This is the port number that this system will use to detect incoming Mainframe Connector password synchronization requests. This is a required parameter.
| Syntax: | LISTENPORT#=nnnnn (nnnnn is from 1 to 65535) | 
| Example: | LISTENPORT#=8000 | 
| Default: | none | 
LISTENONLY
Use this parameter to set Mainframe Connector into listen-only mode. This parameter is useful for sites that have yet to determine whether they will be using their z/OS system as a trigger system for Bravura Pass. The security product’s "new password" exit provided by Mainframe Connector can be installed without being effectively activated by specifying LISTENONLY=YES. The use of LISTENONLY=YES effectively disables the PASSIVESTART parameter described later. The MODIFY command can be used to change the LISTENONLY value. See Modifying the LISTENONLY value for details on dynamically modifying the LISTENONLY value.
| Syntax: | LISTENONLY={YES/NO} | 
| Example: | LISTENONLY=YES | 
| Default: | NO | 
OUTBOUNDPWCASE
If Mainframe Connector is being used as a transparent password synchronization trigger system, use this parameter to indicate how the password value will be sent to the target Bravura Pass server. Three options can be specified. With OUTBOUNDPWCASE=ASIS, the password value received by the security product’s "new password" exit is passed to the Bravura Pass server in its raw state (case is preserved). With OUTBOUNDPWCASE=LOWER, the alphabetic characters of the password value received by the exit are passed to the Bravura Pass server as lower case. With OUTBOUNDPWCASE=UPPER, the alphabetic characters are passed as upper case.
The MODIFY command can be used to change the OUTBOUNDPWCASE value. See Modifying the OUTBOUNDPWCASE for details on dynamically modifying the OUTBOUNDPWCASE value.
| Syntax: | OUTBOUNDPWCASE={ASIS/LOWER/UPPER} | 
| Example: | OUTBOUNDPWCASE=LOWER | 
| Default: | ASIS | 
PASSIVESTART
Use this parameter to indicate to Mainframe Connector whether or not repetitive attempts should be made to successfully handshake with the Bravura Pass server during startup. A parameter value of NO indicates that one attempt will be made to communicate with the Bravura Pass server at startup. If this communication is successful, Mainframe Connector will continue with initialization. If not, Mainframe Connector will terminate. A parameter value of YES indicates that Mainframe Connector will attempt to establish communication with the Bravura Pass server at five minute intervals until either a connection is established or an operator command to stop Mainframe Connector is entered.
| Syntax: | PASSIVESTART={YES/NO} | 
| Example: | PASSIVESTART=YES | 
| Default: | NO | 
REPORTSYSID
Use this parameter to indicate to Mainframe Connector whether or not the z/OS SMF system id should be included as a prefix on the log messages issued to AUDIT or SYNCHLOG . A parameter value of NO indicates that the SMF system id will not be used as a log message prefix. A parameter value of YES indicates that the SMF system id will be used as a log message prefix.
| Syntax: | REPORTSYSID={YES/NO} | 
| Example: | REPORTSYSID=YES | 
| Default: | NO | 
RESETAUTH
Use this parameter to indicate to Mainframe Connector what authority level is to be used for password reset events and userid resume/revoke requests. A parameter value of APF indicates that password reset requests or userid resume/revoke requests will function at the highest administrator authority level. A parameter value of STCID indicates that those requests will occur under the authority level of the userid being used for the Mainframe Connector started task.
Note
This parameter is valid for RACF or ACF2 environments and has no impact in TopSecret environments (Mainframe Connector in a TopSecret environment runs RESETAUTH=STCID at all times).
If RESETAUTH=STCID is used in a RACF environment, the RACF started task must be running for password reset requests and resume/revoke requests to be successful. As well, if userid create, userid delete, userid attribute extract, userid attribute update, userid group add, or userid group delete requests are processed by Mainframe Connector in a RACF environment, they will be processed as if RESETAUTH=STCID regardless of how the parameter is specified.
| Syntax: | RESETAUTH={APF/STCID} | 
| Example: | RESETAUTH=STCID | 
| Default: | APF | 
SMFREC
Use this parameter to specify if Mainframe Connector SMF recording is to take place. If SMF recording is active, Mainframe Connector will create an SMF record for the supported Mainframe Connector events. You can examine the SMF record mapping in SMF Record Mapping to determine all events for which SMF records will be recorded.
If the parameter is omitted, no SMF recording will occur.
| Syntax: | SMFREC=nnn (nnn is from 200 to 255) | 
| Example: | SMFREC=245 | 
| Default: | no SMF recording | 
SOCKETCLOSEWAIT
Use this parameter to delay the socket close operation that occurs following the transmission of the last data block for a transaction with a Bravura Security Fabric server. If the value is specified, it indicates the number of seconds that Mainframe Connector should wait prior to initiating the socket close. Valid values for this parameter are numeric 0 to 5.
The MODIFY command can be used to change the SOCKETCLOSEWAIT value. See Modifying the SOCKETCLOSEWAIT for details on dynamically modifying the SOCKETCLOSEWAIT value.
| Syntax: | SOCKETCLOSEWAIT=n | 
| Example: | SOCKETCLOSEWAIT=2 | 
| Default: | 0 | 
SUBSYSNAME
Use this parameter to specify a unique subsystem name to be used exclusively by the Mainframe Connector subsystem address space. The name is up to four characters. This is a required parameter. See Defining the Subsystem Name for techniques that can be used to define subsystem names to z/OS.
| Syntax: | SUBSYSNAME=cccc | 
| Example: | SUBSYSNAME=MFCS | 
| Default: | none | 
TCPPORT#
Use this parameter to set the Bravura Security Fabric server TCP socket port number. This is a required parameter.
| Syntax: | TCPPORT#=nnnnn (nnnnn is from 1 to 65535) | 
| Example: | TCPPORT#=3333 | 
| Default: | none | 
TIMEOUT
Use this parameter to specify a timeout limit for the maximum time (in seconds) a request will wait for a response from the Bravura Pass server. This value is only used for timeout situations associated with transparent password synchronization operations and as such, has no applicability to Bravura Identity operations. Values from 20 to 120 are acceptable.
The MODIFY command can be used to change the TIMEOUT value. See Modifying the TIMEOUT value for details on dynamically modifying the TIMEOUT value.
| Syntax: | TIMEOUT=nnn | 
| Example: | TIMEOUT=45 | 
| Default: | 20 | 
TSSTARGET#
Use this parameter to specify a TopSecret command default TARGET indicator. Valid values for this parameter are special characters '=' or '*'.
| Syntax: | TSSTARGET=spch (spch is '=' or '*') | 
| Example: | TSSTARGET== | 
| Default: | * | 
USERIDFASTDEL
Use this parameter to set the userid fast delete option. This parameter is used only in RACF security product environments and if it is active, it causes Mainframe Connector to remove only the bare minimum of the RACF profile definitions that will permit a userid to be deleted. Setting this parameter may result in orphaned entries being left in the RACF database. This is an optional parameter.
| Syntax: | USERIDFASTDEL={YES/NO} | 
| Example: | USERIDFASTDEL=YES | 
| Default: | NO | 
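Several of the parameters above have defaults that favour diagnosis over confidentiality: DEBUGMAX defaults to 9 and therefore permits level 5, which writes clear-text userids and passwords; KEYDISPLAY defaults to ASIS; ENTROPYFALLBACK defaults to YES. The following Python script is an added example, not product code, that reviews a set of parameter values (as a PARMLIB parser would produce them) against the documented effects of those parameters and compares a constructed weak configuration with a hardened one. The severity scale, the review function and the sample configurations are this example's own; the defaults it fills in are the ones documented in the descriptions above.

```python
"""Security review of Mainframe Connector PARMLIB parameter values.

Added example (not Bravura Security's code). Input is a dict of parameter
name -> value; defaults are filled in from this page's descriptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Defaults as documented in the parameter descriptions on this page.
DEFAULTS = {
    "ADMINID": "PSYNCH", "DEBUGLEVEL": "0", "DEBUGMAX": "9",
    "ENCRYPTION": "AES", "ENTROPYFALLBACK": "YES", "KEYDISPLAY": "ASIS",
    "KEYENCRYPT": "NO", "LISTENONLY": "NO", "PASSIVESTART": "NO",
    "RESETAUTH": "APF",
}
# The documented level at which clear-text userids/passwords are logged.
SENSITIVE_DEBUGLEVEL = 5


@dataclass(frozen=True)
class Finding:
    severity: str      # "HIGH", "MEDIUM" or "INFO" (this example's own scale)
    parameter: str
    message: str


def review(params: dict[str, str]) -> list[Finding]:
    """Return the findings for one configuration (empty list = nothing flagged)."""
    cfg = {**DEFAULTS, **{k.upper(): v.upper() for k, v in params.items()}}
    findings: list[Finding] = []

    debuglevel, debugmax = int(cfg["DEBUGLEVEL"]), int(cfg["DEBUGMAX"])
    if debuglevel >= SENSITIVE_DEBUGLEVEL:
        findings.append(Finding("HIGH", "DEBUGLEVEL",
            f"level {debuglevel} writes clear-text userids and passwords to diagnostics"))
    if debugmax >= SENSITIVE_DEBUGLEVEL:
        findings.append(Finding("MEDIUM", "DEBUGMAX",
            f"DEBUGMAX={debugmax} still permits F mfc,DEBUGLEVEL={SENSITIVE_DEBUGLEVEL}; "
            f"set DEBUGMAX={SENSITIVE_DEBUGLEVEL - 1} or lower"))
    if debuglevel > debugmax:
        findings.append(Finding("INFO", "DEBUGLEVEL",
            f"DEBUGLEVEL={debuglevel} exceeds DEBUGMAX={debugmax} and will not be accepted"))

    # KEYENCRYPT=YES forces masking regardless of the KEYDISPLAY value.
    if cfg["KEYDISPLAY"] == "ASIS" and cfg["KEYENCRYPT"] != "YES":
        findings.append(Finding("HIGH", "KEYDISPLAY",
            "communication key is echoed unmasked in console messages; set KEYDISPLAY=MASK"))
    if cfg["KEYENCRYPT"] != "YES":
        findings.append(Finding("MEDIUM", "KEYENCRYPT",
            "KEY= holds the unencrypted COMMKEY in PARMLIB; consider KEYENCRYPT=YES"))
    if cfg["ENTROPYFALLBACK"] == "YES":
        findings.append(Finding("HIGH", "ENTROPYFALLBACK",
            "weak randomness may be used for encryption; set ENTROPYFALLBACK=NO"))
    if cfg["ENCRYPTION"] != "AES":
        findings.append(Finding("MEDIUM", "ENCRYPTION",
            f"{cfg['ENCRYPTION']} selected; AES is the documented default"))
    if cfg["ADMINID"] == "N/A":
        findings.append(Finding("MEDIUM", "ADMINID",
            "adminid/password cross-validation of listener requests is disabled"))
    if cfg["RESETAUTH"] == "APF":
        findings.append(Finding("INFO", "RESETAUTH",
            "resets and resume/revoke run at highest administrator authority, not the STC userid"))
    if cfg["LISTENONLY"] == "YES" and cfg["PASSIVESTART"] == "YES":
        findings.append(Finding("INFO", "PASSIVESTART", "LISTENONLY=YES disables PASSIVESTART"))
    return findings


def has_severity(findings: list[Finding], severity: str) -> bool:
    return any(f.severity == severity for f in findings)


# Constructed sample configurations (not from a real system).
WEAK = {"SUBSYSNAME": "MFCS", "DNS": "155.13.2.7", "TCPPORT#": "3333",
        "LISTENPORT#": "8000", "KEY": "A538B72CE1F0F47D961A20B6379D284A",
        "DEBUGLEVEL": "5"}
HARDENED = {**WEAK, "DEBUGLEVEL": "0", "DEBUGMAX": "2", "KEYDISPLAY": "MASK",
            "KEYENCRYPT": "YES", "ENTROPYFALLBACK": "NO", "RESETAUTH": "STCID"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"--- {name} ---")
        for f in review(cfg) or [Finding("OK", "-", "nothing flagged")]:
            print(f"{f.severity:6} {f.parameter:16} {f.message}")
```

The hardened sample sets RESETAUTH=STCID for least privilege; as noted above, that choice has operational prerequisites in RACF environments and must be weighed accordingly.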
Optional Run-time parameters
This section describes the optional include or exclude list that can be specified to the Mainframe Connector subsystem at startup. These lists are indicated to the Mainframe Connector subsystem at startup through the presence of either an INLIST or EXLIST DD statement in the Mainframe Connector subsystem JCL.
The INLIST and EXLIST DD statements are mutually exclusive; if both DD statements are detected, the INLIST is processed and the EXLIST is ignored.
The dataset used for either the INLIST DD or the EXLIST DD is a standard z/OS PARMLIB dataset. The dataset can be either a sequential dataset or a member of a partitioned dataset. In either case, the dataset should have the following characteristics:
LRECL=80 RECFM=FB BLKSIZE=multiple of 80
- An " * " coded in column one indicates that the corresponding statement is to be treated as a comment. 
- Parameter statements can be prefixed with multiple blank characters. 
- The end of parameter data occurs at the first blank character following the start of a valid parameter statement. Any data coded after this terminating blank is considered a comment. 
- Parameter statements cannot span multiple card images. 
- If Mainframe Connector encounters an invalid parameter, it ignores the invalid parameter and issues a warning message. 
You can specify an include user with the INCLUDEUSER= control card. Data for an INCLUDEUSER must not exceed eight characters and can be a specific userid or a userid with masked characters. An ' * ' can be used to match any single character. A ' - ' indicates a match on the remainder of the userid. For example:
- INCLUDEUSER=DBA*10 would match userids DBAR10 and DBA010 but not DBA100 or DBA010A. 
- INCLUDEUSER=DBA- would match DBA5, DBA050, DBAPROD. 
You can specify an include group with the INCLUDEGROUP= control card. Data for an INCLUDEGROUP must not exceed eight characters and must represent a complete group name (masking is not supported for group names).
If a password reset request is identified for a userid specified in an INCLUDEUSER= control card, or the userid is a member of one of the groups specified on an INCLUDEGROUP= control card, the password reset will occur. Otherwise, the password reset will be rejected.
You can specify an exclude user with the EXCLUDEUSER= control card. Data for an EXCLUDEUSER must not exceed eight characters and can be a specific userid or a userid with masked characters. An ' * ' can be used to match any single character. A ' - ' indicates a match on the remainder of the userid. For example:
- EXCLUDEUSER=DBA*10 would match userids DBAR10 and DBA010 but not DBA100 or DBA010A. 
- EXCLUDEUSER=DBA- would match DBA5, DBA050, DBAPROD. 
You can specify an exclude group with the EXCLUDEGROUP= control card. Data for an EXCLUDEGROUP must not exceed eight characters and must represent a complete group name (masking is not supported for group names).
If a password reset request is identified for a userid specified in an EXCLUDEUSER= control card, or the userid is a member of one of the groups specified on an EXCLUDEGROUP= control card, the password reset will be rejected. Otherwise, the password reset will be accepted.
Modifying the INLIST list and Modifying the EXLIST list describe a full range of operator commands that can be used to modify the contents of the include or exclude list.
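The mask rules and the accept/reject decision described above, combined with the LISTCHECK direction setting, as an added Python example that is not Bravura Security's code. The list contents and group memberships are constructed for the example; on z/OS the memberships would come from the security product. The example assumes userids and masks are compared without regard to case and that a '-' also matches an empty remainder.

```python
"""INLIST/EXLIST evaluation for Mainframe Connector password reset events.

Added example (not Bravura Security's code). '*' matches exactly one
character, '-' matches the remainder of the userid; group names are exact.
"""
from __future__ import annotations


def userid_matches(mask: str, userid: str) -> bool:
    """True if userid matches a (possibly masked) INCLUDEUSER/EXCLUDEUSER value."""
    mask, userid = mask.upper(), userid.upper()
    if len(mask) > 8 or len(userid) > 8:
        raise ValueError("userids and masks are at most eight characters")
    for i, m in enumerate(mask):
        if m == "-":                    # '-' matches the rest, whatever it is
            return True
        if i >= len(userid):            # mask is longer than the userid
            return False
        if m != "*" and m != userid[i]:
            return False
    return len(mask) == len(userid)     # without '-', lengths must agree exactly


def listed(userid: str, user_masks: list[str], group_names: list[str],
           membership: dict[str, list[str]]) -> bool:
    """True if the userid, or one of its groups, appears on the list."""
    if any(userid_matches(m, userid) for m in user_masks):
        return True
    groups = {g.upper() for g in membership.get(userid.upper(), ())}
    return any(g.upper() in groups for g in group_names)


def reset_permitted(userid: str, *, list_kind: str | None, user_masks: list[str],
                    group_names: list[str], membership: dict[str, list[str]],
                    direction: str, listcheck: str = "INBOUNDONLY") -> bool:
    """Decide a reset travelling `direction` ("INBOUND" from the Fabric server,
    "OUTBOUND" from the z/OS trigger) under the active list and LISTCHECK.
    With no list, or for a direction LISTCHECK does not cover, resets pass."""
    checked = {"INOUT": {"INBOUND", "OUTBOUND"},
               "INBOUNDONLY": {"INBOUND"},
               "OUTBOUNDONLY": {"OUTBOUND"}}[listcheck.upper()]
    if list_kind is None or direction.upper() not in checked:
        return True
    on_list = listed(userid, user_masks, group_names, membership)
    if list_kind == "INLIST":
        return on_list              # include list: only listed users may be reset
    if list_kind == "EXLIST":
        return not on_list          # exclude list: listed users are rejected
    raise ValueError(f"unknown list kind {list_kind!r}")


# Constructed sample data (not from a real system).
MEMBERSHIP = {"DBAR10": ["DBAGRP"], "OPER01": ["OPSGRP"], "SYSPROG": ["SYS1"]}
INLIST_USERS = ["DBA*10", "DBA-"]       # INCLUDEUSER= cards
INLIST_GROUPS = ["OPSGRP"]              # INCLUDEGROUP= cards

if __name__ == "__main__":
    for uid in ("DBAR10", "DBA100", "OPER01", "SYSPROG"):
        ok = reset_permitted(uid, list_kind="INLIST", user_masks=INLIST_USERS,
                             group_names=INLIST_GROUPS, membership=MEMBERSHIP,
                             direction="INBOUND")
        print(f"{uid:8} inbound reset {'accepted' if ok else 'rejected'}")
```

Note the effect of the LISTCHECK default: with INBOUNDONLY, a trigger-initiated (outbound) reset for a userid that is not on the INLIST is still forwarded; INOUT is needed for the list to govern both directions.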
This section describes the optional administrator ID list that can be specified to the Mainframe Connector subsystem at startup. This list is indicated to the Mainframe Connector subsystem at startup through the presence of an ADMINIDS DD statement in the Mainframe Connector subsystem JCL.
The dataset used for the ADMINIDS DD is a standard z/OS PARMLIB dataset. The dataset can be either a sequential dataset or a member of a partitioned dataset. In either case, the dataset should have the following characteristics:
LRECL=80 RECFM=FB BLKSIZE=multiple of 80
The ADMINIDS DD statement should be included in your Mainframe Connector subsystem JCL if you want to limit the administrator IDs that can forward password resets to the Bravura Pass server. When the ADMINIDS DD statement is used, only the specified administrators will have their password reset events sent to the Bravura Pass server for validation and password synchronization.
This does not affect the password reset process on the z/OS host as that event will continue through its normal course.
If the ADMINIDS DD statement is not included in the Mainframe Connector JCL, no administrative password resets will be forwarded to the Bravura Pass server. If the ADMINIDS DD statement is used, the following rules are applied.
- An " * " coded in column one indicates that the corresponding statement is to be treated as a comment. 
- Parameter statements can be prefixed with multiple blank characters. 
- The end of parameter data occurs at the first blank character following the start of a valid parameter statement. Any data coded after this terminating blank is considered a comment. 
- Parameter statements cannot span multiple card images. 
- If Mainframe Connector encounters an invalid parameter, it ignores the invalid parameter and issues a warning message. 
You can specify a specific administrator ID with the ADMINID= control card. Data for an ADMINID must not exceed eight characters and must be a specific userid. Masking is not used for specific administrator IDs. Valid control cards would have the following format:
ADMINID=DBAADM
ADMINID=TECHADM
ADMINID=MVSADM
If you want all administrator IDs to have the ability to forward password reset events to the Bravura Pass server for validation and synchronization, an ADMINIDS DD statement should be included in the Mainframe Connector subsystem JCL. The dataset should contain one control card entry with the following format:
ADMINID=-
This indicates that all administrator IDs will have password reset events that they have initiated on behalf of other users forwarded to the Bravura Pass server.
Modifying the ADMINIDS list describes a full range of operator commands that can be used to modify the contents of the administrator id list.
Static host name resolution
If host name resolution is to be used to determine the IP address of the Bravura Security Fabric server, a number of techniques are available. Using the SYSTCPD DD in the Mainframe Connector startup JCL has been suggested earlier, however alternate methods are available.
Your z/OS TCP/IP administrator can indicate the best option for host name resolution within your environment.