Client Authentication: Configurations in the Mainframe Connector
SailPoint supports the use of the APPL resource for Mainframe Connector administrator authentication. To configure this, define an APPL resource in the Mainframe security product and provide READ access to the administrator(s). This allows transaction executions on the Mainframe connector.
Perform the following steps to define the APPL resource and permissions:
- Define two additional SAFDEF records for the Mainframe Connector APPL class:
    SET CONTROL(GSO)
    INSERT SAFDEF.SPAUTH ID(SPAUTH) REP PROGRAM(CTS****) +
    RACROUTE(REQUEST=AUTH,CLASS=APPL)
    INSERT SAFDEF.SPFAST ID(SPFAST) REP PROGRAM(CTS****) +
    RACROUTE(REQUEST=FASTAUTH,CLASS=APPL)
    F ACF2,REFRESH(SAFDEF)
    END
- Define the Mainframe Connector APPL resource to ACF2 and give permission to the ACF2 administrator allowed to execute transactions on the Mainframe Connector.
    SET RESOURCE(SAF)
    COMPILE * LIST STORE
    $KEY(<SAILAPPL>) TYPE(SAF)
    UID(*) PREVENT
    UID(****************<lid> ) ALLOW
    END
    F ACF2,REBUILD(SAF)
    END
  where:
  - SAILAPPL is the name of the application defined earlier
  - UID(****************<lid>) is the LID of the ACF2 Administrator allowed to execute transactions on the Mainframe Connector
Parameters in the Mainframe Connector
The Mainframe Connector verifies the administrator credentials received with the transaction and checks that the administrator has READ access to the defined APPL resource before it processes the transaction.
The following RSSPARM parameters are supported in the Mainframe Connector:

Defines the APPL resource. The syntax is as follows:
RSSNAME APPL_NAME <SAILAPPL>
where <SAILAPPL> is the name of the APPL resource defined in the security product for the Mainframe Connector administrator's authentication.
Note
This parameter is optional. The Mainframe Connector verifies that the administrator requesting a transaction is permitted to use the APPL resource defined by this parameter.

Allows administrators to make configuration changes without the need to provide a password.
RSSNAME ALLOW_ADMIN_WITHOUT_PSWD Y
The default value for the parameter is N.
The RESTRICTED parameter determines whether an administrative User ID provided by SailPoint for the Mainframe Connector can be used without providing a password.
This parameter must be set in RSSPARM to Y when one of the following is true:
- Administrator User ID is defined in the Security product without a password
- The mainframe security fix is applied but Identity Security Cloud and the Connector Gateway are not upgraded with the security fix
Note
SailPoint recommends upgrading all the components in the integration and setting ALLOW_ADMIN_WITHOUT_PSWD to N.
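The following Python check is an added example, not SailPoint code: it reads RSSPARM text in the `RSSNAME <parameter> <value>` form shown above and reports, per RSS, where ALLOW_ADMIN_WITHOUT_PSWD is Y and where APPL_NAME is not set. The RSS names and sample lines are constructed, and treating lines that start with `*` as comments is an assumption about the file format.

```python
# Constructed sample input; RSS names and values are illustrative only.
SAMPLE_RSSPARM = """\
* constructed sample, not from a real system
ACF2PROD  APPL_NAME                 SAILAPPL
ACF2PROD  ALLOW_ADMIN_WITHOUT_PSWD  N
ACF2TEST  ALLOW_ADMIN_WITHOUT_PSWD  Y
ACF2DEV   APPL_NAME                 SAILAPPL
ACF2DEV   ALLOW_ADMIN_WITHOUT_PSWD
"""

DEFAULTS = {"ALLOW_ADMIN_WITHOUT_PSWD": "N"}  # default stated on the page


def parse_rssparm(text):
    """Return ({rss: {param: value}}, [(lineno, malformed line)])."""
    settings, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Assumption: blank lines and lines starting with '*' are comments.
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:  # a parameter with no value cannot be evaluated
            malformed.append((lineno, raw))
            continue
        rss, param, value = parts[0].upper(), parts[1].upper(), parts[2].strip()
        settings.setdefault(rss, {})[param] = value
    return settings, malformed


def audit(text):
    """Return a sorted list of (location, finding) tuples."""
    settings, malformed = parse_rssparm(text)
    findings = []
    for rss, params in settings.items():
        effective = {**DEFAULTS, **params}  # explicit settings override defaults
        if effective["ALLOW_ADMIN_WITHOUT_PSWD"].upper() == "Y":
            findings.append((rss, "ALLOW_ADMIN_WITHOUT_PSWD is Y"))
        if not params.get("APPL_NAME"):
            findings.append((rss, "APPL_NAME is not set"))
    for lineno, raw in malformed:
        findings.append(("line %d" % lineno, "malformed: %r" % raw.strip()))
    return sorted(findings)


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_RSSPARM):
        print(f"{where}: {finding}")
```

Run it against an exported copy of the RSSPARM member by passing the file contents to `audit()`.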