Database-Specific Options (CA ACF2)

The following configuration options for the CAACF2_UTF back end are database-specific. This combination of options can be specified multiple times, once per security database being accessed.
  • database CAACF2_UTF
    Begins the database-specific options for the CAACF2_UTF back end. In this case, the database is CA ACF2. This option can be configured multiple times, once for each security database that is accessed.
    Default:
    N/A
  • codeset csname
    Specifies the name of an EBCDIC codeset. The CA LDAP Server converts the host fields from UTF-8 to this EBCDIC codeset before passing them to the external security manager. The value csname must designate a single-byte EBCDIC code system. Possible values of this argument are documented in the IBM XL C/C++ Programming Guide. Based on the information in this guide, csname must be one of the values in the FromCode column. The value in the ToCode column is always UTF-8.
    Default:
    IBM-1047
  • CreateAlias
    Specifies that an alias entry should be defined for add and modify CA ACF2 account requests. An alias entry should be defined for the account on the mainframe if the account is being granted TSO access. This option is configured a single time for all users and cannot be set differently for specific users. Specify the user catalog the alias is defined for using the required Relate parameter. The catalog parameter is optional and defaults to the master catalog.
    Default:
    disabled
    Example:
    createAlias Relate[catalog]
    The user must be given the following TSO privilege for an alias to be created:
    ACF2
    : TSO
    z/OS UFN
    : GeneralTSOAccess
  • DeleteAlias
    Specifies that when a CA ACF2 account is deleted, the system should attempt to delete the alias entry for the logonid. The system attempts this whether or not the logonid had an entry.
  • disable_lid_details
    When performing scope=one or scope=sub search requests, the CA LDAP Server returns all attributes for an acf2lid object. In Version 2, the CA LDAP Server returned only the DN of the acf2lid object. A subsequent scope=base query was required to retrieve the details. If the previous functionality is desired, add this option.
    Default:
    N/A
  • disable_rule_details
    When performing scope=one or scope=sub search requests, the CA LDAP Server returns all attributes for an acf2rule object. In Version 2, the CA LDAP Server returned only the DN of the acf2lid object. A subsequent scope=base query was required to retrieve the details. If the previous functionality is desired, add this option.
    Default:
    N/A
  • disable_segments
    Specifies that when a one-level search for LIDs occurs, a simple LIST command should be issued without any PROFILE or SEGMENT data on the command. The default behavior is to return PROFILE and SEGMENT data. This option saves time when using the LIST command to search for a high number of LIDs. This is useful if only basic information is needed.
  • enable_groups
    Controls access using individual user ids or group ids when using a product like CA Web Access Control. When controlling access to a resource, sometimes it is easier to control it at a group level. This option gives you the ability to emulate groups using resource rules.
    Default:
    N/A
    Example:
    enable_groups WEBACESS WAC
  • enable_refresh
    Applies recent changes.
    • When altering user profile data, CA ACF2 must have a modify command issued for the changes to take effect. You issue the following command to refresh the user profile data:
      F ACF2,REBUILD(USR),CLASS(P)
    • When altering the OMVS or LINUX user profile data, CA ACF2 must have an additional command issued to have the changes take effect. You issue the following command to activate changes to OMVS user profile records:
      F ACF2,OMVS
    • You issue the following command to activate changes to LINUX user profile records:
      F ACF2,OMVS(LINUX)
    If this option is enabled, the CA LDAP Server issues these commands for an ADD or MODIFY of NDS or LNOTES user profile records. The commands are also issued for an ADD, MODIFY, or DELETE of OMVS or LINUX user profile records.
    Default:
    Does not issue the modify commands.
  • enable_refresh_xref
    Issues an F ACF2,NEWXREF when configured.
    Default:
    Disabled.
    If the enable_refresh_xref option is set in the slapd.conf file, the following ACF2 command is issued when XREF ROL, RGP, or SGP records are added or modified:
    F ACF2,NEWXREF,TYPE(ROL|RGP|SGP)
    Example: Message returned for command using ROL type
    When the NEWXREF,TYPE(ROL) command is issued, you will see the following message on the console:
    ACF79302 ROLE XREF TABLE RE-BUILT
  • enable_role
    Defines a comma-delimited list of sysids.
    Default:
    Disabled.
  • enable_secauth
    Defines a comma-delimited list of sysids.
    Default:
    Disabled.
  • enable_xcf
    Adds XCF(sysid_list) to the F ACF2,NEWXREF command when configured.
    • sysid_list
      Defines the sysids that are used for XCF. Use the enable_role option to supply the sysids when refreshing the XREF TYPE(ROL). Use the enable_secauth option to supply the sysids when refreshing the XREF TYPE(SGP).
    Default:
    Disabled.
  • HostUFNOverride file_name
    Specifies a file name that contains overrides for the user-defined fields. HostUFNOverride file_name is a security database-specific parameter. Using this option, the user-defined UFNs can be changed to values of your choice. See the UFNOverride option in the Configure back-end options section to override the base CA ACF2 fields.
    Default:
    N/A
    Example:
    HostUFNOverride ./production_acf2_overrides.conf
  • naming_mode {acf2|im}
    Configures which attribute naming mode the CA LDAP Server is using with the database statement.
    • acf2
      Specifies to run the CA LDAP Server in CA ACF2 naming mode.
    • im
      Specifies to run the CA LDAP Server in CA Web Administrator mode.
    Default:
    acf2
  • preAddLidMessage
    Before issuing the Add Lid command, write the following string to the system console. If the string contains any spaces, enclose the string in double quotes. If you want to have the Lid id substituted into the string before it is written to the console, enter %s in the string.
    Default:
    A default message
    Example:
    preAddLidMessage "ABC1023I Lid %s about to be added to CA ACF2"
  • postAddLidMessage
    After issuing the Add Lid command, write the following string to the system console. If the string contains any spaces, enclose the string in double quotes. If you want to have the Lid id substituted into the string before it is written to the console, enter %s in the string.
    Default:
    A default message
    Example:
    postAddLidMessage "ABC1023I Lid %s was added to CA ACF2"
  • preModLidMessage
    Before issuing the Modify Lid command, write the following string to the system console. If the string contains any spaces, enclose the string in double quotes. If you want to have the Lid id substituted into the string before it is written to the console, enter %s in the string.
    Default:
    A default message
    Example:
    preModLidMessage "ABC1023I Lid %s about to be modified in CA ACF2"
  • postModLidMessage
    After issuing the Modify Lid command, write the following string to the system console. If the string contains any spaces, enclose the string in double quotes. If you want to have the Lid id substituted into the string before it’s written to the console, enter %s in the string.
    Default:
    A default message
    Example:
    postModLidMessage "ABC1023I Lid %s was modified in CA ACF2"
  • preDelLidMessage
    Prior to issuing the Delete Lid command, write the following string to the system console. If the string contains any spaces, enclose the string in double quotes. If you want to have the Lid id substituted into the string before it’s written to the console, enter %s in the string.
    Default:
    A default message
    Example:
    preDelLidMessage "ABC1023I Lid %s about to be deleted from CA ACF2"
  • postDelLidMessage
    After issuing the Delete Lid command, write the following string to the system console. If the string contains any spaces, enclose the string in double quotes. If you want to have the Lid id substituted into the string before it’s written to the console, enter %s in the string.
    Default:
    A default message
    Example:
    postDelLidMessage "ABC1023I Lid %s was deleted from CA ACF2"
  • ptktappl
    Specifies the application ID (APPLID) that is passed on the RACROUTE VERIFY call. The ESM uses this value to identify the encryption key during PassTickets generation and authentication. The application ID used for the PassTickets generation must be the same as the ID that is used for authentication. When using CA LDAP Server with CA Chorus, set this option to the same value with which CA Chorus is configured. This configuration is important when using IBM PassTickets to authenticate users at a host.
    Default:
    CALDAP
    Example:
    ptktappl CALDAP
  • ptktReqrId
    (Optional) Specifies a server-level user ID that is cached in memory. This user ID is used to authenticate the server for all post-bind operations, allowing the server to request a PassTicket on behalf of a client logon.
    Example:
    ptktReqrId passgen
  • ptktReqrPwFile
    (Optional) Specifies the relative or fully qualified name of the encrypted password file that corresponds to the slapd.conf ptktReqrId option. The file is generated using the authid command line utility.
    Example:
    ptktReqrPwFile ./authid.pwd
    Example:
    ptktReqrPwFile /ldap_install_directory/authid.pwd
  • ruleCacheCount
    Used to configure how many rules are cached per connection to the CA LDAP Server. The CA LDAP Server uses the rule cache to hold the decompilation of a rule so that subsequent requests for a piece of that rule do not force another decompilation.
    Default:
    1
    Example:
    ruleCacheCount 5
  • acfRescheckClass
    Specifies the class name that CA LDAP Server issues a resource check against to verify that the logged on user id is authorized to use the LOG and STATUS parameters.
    Default:
    CALDAP
    Example:
    acfRescheckClass CALDAP2
  • acfRescheckEntity
    Specifies the entity HLQ name that CA LDAP Server issues a resource check against to verify that the logged on user id is authorized to use the LOG and STATUS parameters.
    Default:
    LDAP
    Example:
    acfRescheckEntity LDAPHLQ
  • siParms host port [ssl-required | ssl-supported] [cont]
    When accessing a security database on a different host, this option is used to configure the IP/port of the remote CA DSI Server being used to access that security file.
    When you start the CA LDAP Server with an siPARMS parameter specified, a connection is made with the CA DSI Server. If a connection cannot be established, the CA LDAP Server shuts down. If the optional keyword "cont" is specified, the CA LDAP Server continues to start up even if a connection cannot be made to the CA DSI Server. When a request comes in to the CA LDAP Server, the connection to the CA DSI Server is attempted again.
    • host
      Specifies the machine name or TCP/IP address of the remote CA DSI Server.
    • port
      Specifies the port the remote CA DSI Server was started on.
    • ssl-required
      (Optional) Specifies to use a secure connection between the CA LDAP Server on one LPAR and the remote CA DSI Server. If a secure connection cannot be established, it is dropped. This parameter is mutually exclusive with ssl-supported.
    • ssl-supported
      (Optional) Specifies to try and establish a secure connection between the CA LDAP Server on one LPAR and the remote CA DSI Server. If a secure connection cannot be established, it drops back to an unsecured connection. This parameter is mutually exclusive with ssl-required.
    • cont
      (Optional) Specifies that the CA LDAP Server is allowed to start even if it cannot communicate with the remote CA DSI Server. Without this parameter, if the CA LDAP Server cannot communicate to the remote CA DSI Server, it shuts down.
    Default:
    N/A
    Example:
    siParms test-lpar.my.com 390 ssl-supported
    When running in a sysplex environment you can set up multiple CA DSI Servers to provide redundancy. This is accomplished by adding multiple siPARMS configuration statements. For example:
    siPARMS plex-1.my.com 390 ssl-supported
    siPARMS plex-2.my.com 390 ssl-supported
    siPARMS plex-3.my.com 390 ssl-supported
    When configured in this way, the CA LDAP Server will try to communicate through plex-1. If a connection cannot be established with plex-1, CA LDAP Server will try to communicate through plex-2 followed by plex-3. Once a connection is established, all transactions are sent to that CA DSI Server. If the connection is broken for any reason, the selection process automatically starts over with plex-1.
  • siTimeOut
    Configures the time out value, in seconds, for the previous siParms statement. When performing TCP/IP communication, you might want a transaction to time out if it cannot reach the other end. Use this option to configure that value.
    Default:
    N/A
    Example:
    siTimeOut 999
  • siTLSCertKeyLabel
    (Optional) Specifies the label of the certificate to use that is in the certificate store specified by TLSKeyringName.
    Default:
    The default certificate in the certificate store is used.
    Example:
    siTLSCertKeyLabel label_here
    The value label_here is the label assigned to the certificate when the certificate was connected to the keyring. If the value contains embedded blanks, it must be enclosed in double quotes. The certificate designated by label_here must include USAGE PERSONAL.
  • siTLSVerifyClient {on|off}
    (Optional) Specifies whether a client is required to present a certificate when attempting to establish an SSL or TLS connection with the server.
    Default:
    N/A
    The allowed values are as follows:
    • ON
      Server requests a certificate. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.
    • OFF
      Server does not request a certificate.
  • suffix
    Specifies the DN that this back end services.
    Default:
    N/A
    Example:
    suffix host=test, o=company, c=us