Client Authentication: Configurations in Mainframe Connector
SailPoint supports the use of the APPL resource for Mainframe Connector administrator authentication. To configure this, define an APPL resource in the Mainframe security product and provide READ access to the administrator(s). This allows transaction executions on the Mainframe connector.
Perform the following steps to define the APPL resource and permissions:
- Define the resource as follows:
    RDEFINE APPL <SAILAPPL> UACC(NONE)
  where SAILAPPL is the APPL resource name assigned to the Mainframe Connector
- Permit administrator read access to the following resource:
    PERMIT <SAILAPPL> CLASS(APPL) ID(<USERID>) ACCESS(READ)
  where:
  - SAILAPPL is the application name defined earlier
  - USERID is the RACF Administrator ID allowed to execute transactions on Mainframe Connector
- Activate the APPL class if not activated earlier:
    SETROPTS CLASSACT(APPL) RACLIST(APPL)
- Refresh the in-storage RACLIST profiles for the APPL class:
    SETROPTS REFRESH RACLIST(APPL)
Parameters in the Mainframe Connector
The Mainframe Connector verifies the administrator credentials supplied with each transaction received from SailPoint. Before processing the transaction, the Mainframe Connector checks if the administrator has read access to the defined APPL resource.
The following RSSPARM parameters are supported in the Mainframe Connector:

Defines the APPL resource. The syntax is as follows:
    RSSNAME APPL_NAME <SAILAPPL>
where <SAILAPPL> is the name of the APPL resource defined in the security product for the Mainframe Connector administrator's authentication.
Note
This parameter is optional. The Mainframe Connector verifies that the administrator requesting a transaction is permitted to use the APPL resource defined by this parameter.

Allows administrators to make configuration changes without the need to provide a password:
    RSSNAME ALLOW_ADMIN_WITHOUT_PSWD Y
The default value for the parameter is N.
The PROTECTED parameter determines whether an administrative User ID provided by SailPoint for the Mainframe Connector can be used without providing a password.
This parameter must be set in RSSPARM to Y when one of the following is true:
- Administrator User ID is defined in the Security product without a password
- The mainframe security fix is applied but Identity Security Cloud and the Connector Gateway are not upgraded with the security fix
Note
SailPoint recommends upgrading all the components in the integration and setting ALLOW_ADMIN_WITHOUT_PSWD to N.
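The two RSSPARM parameters described above can be checked mechanically. The following is an added example, not SailPoint code: it audits an exported copy of RSSPARM and reports each RSS that has no APPL_NAME or has ALLOW_ADMIN_WITHOUT_PSWD set to Y. The line layout (`<RSSNAME> <PARAMETER> <VALUE>`, with `*` starting a comment line), the RSS names in the sample and the function names are assumptions.

```python
# Added example: audit an exported RSSPARM member for the two parameters above.
# Assumed layout (not stated on the page): "<RSSNAME> <PARAMETER> <VALUE>" per
# line, whitespace separated, with lines starting with "*" treated as comments.

SAMPLE_RSSPARM = """\
* constructed sample, not taken from a real system
RACFPROD APPL_NAME SAILAPPL
RACFPROD ALLOW_ADMIN_WITHOUT_PSWD N
RACFTEST ALLOW_ADMIN_WITHOUT_PSWD Y
RACFDEV  SOME_OTHER_PARM 60
"""


def parse_rssparm(text):
    """Return {rssname: {parameter: value}}; a later line overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue  # not a "name parameter value" line
        rss, key, value = fields
        params.setdefault(rss, {})[key.upper()] = value.strip()
    return params


def audit_rssparm(text):
    """Return sorted (rssname, finding) pairs for weak client-authentication settings."""
    findings = []
    for rss, cfg in parse_rssparm(text).items():
        # APPL_NAME is optional; without it no APPL resource is named for the check.
        if not cfg.get("APPL_NAME"):
            findings.append((rss, "APPL_NAME not set: no APPL resource defined for the administrator check"))
        # Page default is N; Y lets an administrator User ID be used without a password.
        if cfg.get("ALLOW_ADMIN_WITHOUT_PSWD", "N").upper() == "Y":
            findings.append((rss, "ALLOW_ADMIN_WITHOUT_PSWD is Y: password not required"))
    return sorted(findings)


if __name__ == "__main__":
    for rss, finding in audit_rssparm(SAMPLE_RSSPARM):
        print(f"{rss}: {finding}")
```

A finding for ALLOW_ADMIN_WITHOUT_PSWD is expected while one of the two conditions listed above still holds; it should disappear once all components are upgraded and the parameter is set back to N.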