12 – Define Connector for ACF2 in ACF2

Sample ACF2 definitions for everything in this section can be found in member CTSACF2 in the INSTALL library. Read the notes in member CTSACF2 carefully and tailor the job to site standards before submitting it or issuing the commands it contains. After submitting the job or executing the commands, check the whole output and verify that every command was processed successfully; a single failed INSERT or COMPILE leaves a started task without the privileges or rules it needs.

Note
It is assumed that the user who installed Connector for ACF2 has full authority to all Connector for ACF2 files assigned to them at the beginning of the installation process.

12.1 – Define Connector for ACF2 Started Tasks in ACF2

Started task   Description
CTSGATE        Connector for ACF2 Gateway
CTSACS         Connector Transaction Server (CS)
CTSACD         Connector Notification Server (CD)
CTSAONI        Connector Online Interceptor
CTSAOFI        Connector Offline Interceptor

Note
In the list of started tasks used in this section, it is assumed that the default value CTS was accepted for the DEFPARMS parameter PROCPREFS. If you assigned a different value to this parameter, modify the started task names accordingly.

  • Started tasks CTSACS, CTSACD, CTSAONI, and CTSAOFI must have AUDIT, MUSASS and MUSUPDT privileges defined in the logonid record. For additional privileges that must be assigned to support any user-defined fields, see Support User-Defined Fields in the Logonid Record.

  • When you have any user-defined field (USERCFDE) with privileges specified for the authorization operands LIST or ALTER (for example LIST=SECURITY+ACCOUNT), select one of those privileges and assign it to all of the following Connector for ACF2 started tasks: CTSACS, CTSACD, CTSAONI, and CTSAOFI.

    For example, when a user-defined field shows LIST=SECURITY+ACCOUNT, then CTSACS, CTSACD, CTSAONI, and CTSAOFI must each be assigned either the ACCOUNT or the SECURITY privilege.

  • Any user-defined field in ACF2 whose LIST or ALTER privileges have not been assigned to the Connector for ACF2 started tasks is not updated in the IdentityIQ database. In the IdentityIQ GUI, such a field appears empty.

12.2 – Set Permissions to Connector Datasets

Permit READ access to the Connector DIAGLVL and CLIST libraries only for the people who need to see them: your MVS system programmers, z/OS staff, or the SailPoint Mainframe support team.

Important
Apart from the staff listed above, do not grant users access to the DIAGLVL or CLIST libraries when tailoring the CTSACF2 installation job.

Permit the Connector for ACF2 started tasks listed above READ and WRITE access to all Connector for ACF2 installation libraries.

12.3 – Protect the Encryption Keys Datasets

Transmitted Data Encryption Keys Dataset

Note
This permission is only required when Transmitted Data Encryption is implemented.

Set ACF2 to permit only the Connector for ACF2 servers (CTSACS and CTSACD) READ access to the encryption key dataset ENCREXT created in Procedure "9.4 – Set up Secured Communication" in 11 – Customize Communication Settings. No user ID other than the installer's may be authorized to access this dataset, not even for READ.

Stored Data Encryption Keys Dataset

Set ACF2 to permit only the Connector for ACF2 servers (CTSACS and CTSACD) and the Connector Interceptors (CTSAONI and CTSAOFI) READ access to the encryption key dataset ENCRINT created in the 9 – Format Connector for ACF2 Datasets procedure. No user ID other than the installer's may be authorized to access this dataset, not even for READ.
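As an added example, and not the contents of member CTSACF2 or any SailPoint-supplied code, the following batch job shows how the definitions in 12.1 to 12.3 fit together in standard ACF2 command syntax. It assumes that the connector libraries share the high-level qualifier CTS, that the key datasets are CTS.ENCREXT and CTS.ENCRINT, that the installer logonid is CTSINST, that system programmer UID strings begin with SYSPROG, that the site UID string is simply the logonid (substitute your site's UID mask otherwise), and that a user-defined field with LIST=SECURITY+ACCOUNT exists, so ACCOUNT is granted. The point worth seeing in the rule set is the ordering caveat: the catch-all "-" entries that give the started tasks READ and WRITE on every library would also match the key datasets, so ENCREXT and ENCRINT need their own entries, including a prevent-all entry, to satisfy the "not even READ" requirement.

```jcl
//CTSDEF   JOB (ACCT),'CTS ACF2 DEFS',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*-------------------------------------------------------------------
//* Step 1 (12.1): logonid records for the started tasks.
//* CTSGATE is a plain STC; the two servers and two interceptors need
//* AUDIT, MUSASS and MUSUPDT. ACCOUNT is added only because this
//* example assumes a USERCFDE field with LIST=SECURITY+ACCOUNT.
//*-------------------------------------------------------------------
//LIDS     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ACF
 SET LID
 INSERT CTSGATE NAME(CTS GATEWAY) STC
 INSERT CTSACS  NAME(CTS TRANSACTION SERVER) STC AUDIT MUSASS MUSUPDT
 INSERT CTSACD  NAME(CTS NOTIFICATION SERVER) STC AUDIT MUSASS MUSUPDT
 INSERT CTSAONI NAME(CTS ONLINE INTERCEPTOR) STC AUDIT MUSASS MUSUPDT
 INSERT CTSAOFI NAME(CTS OFFLINE INTERCEPTOR) STC AUDIT MUSASS MUSUPDT
 CHANGE CTSACS  ACCOUNT
 CHANGE CTSACD  ACCOUNT
 CHANGE CTSAONI ACCOUNT
 CHANGE CTSAOFI ACCOUNT
 END
/*
//*-------------------------------------------------------------------
//* Step 2 (12.2, 12.3): one access rule set for all CTS.* datasets.
//* Entries name the dataset below the HLQ. ACF2 sorts them from most
//* to least specific (dataset mask, then UID mask) and applies the
//* first entry that matches both, so the explicit ENCREXT/ENCRINT
//* entries win over the '-' entries further down. UID(CTSACS) etc.
//* assume the site UID string is the logonid itself.
//*-------------------------------------------------------------------
//RULES    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ACF
 SET RULE
 COMPILE * STORE
 $KEY(CTS)
 $MODE(ABORT)
 ENCREXT UID(CTSACS)   READ(A)
 ENCREXT UID(CTSACD)   READ(A)
 ENCREXT UID(CTSINST)  READ(A) WRITE(A) ALLOC(A)
 ENCREXT UID(-)        READ(P) WRITE(P) ALLOC(P) EXEC(P)
 ENCRINT UID(CTSACS)   READ(A)
 ENCRINT UID(CTSACD)   READ(A)
 ENCRINT UID(CTSAONI)  READ(A)
 ENCRINT UID(CTSAOFI)  READ(A)
 ENCRINT UID(CTSINST)  READ(A) WRITE(A) ALLOC(A)
 ENCRINT UID(-)        READ(P) WRITE(P) ALLOC(P) EXEC(P)
 DIAGLVL UID(SYSPROG-) READ(A)
 CLIST   UID(SYSPROG-) READ(A)
 -       UID(CTSGATE)  READ(A) WRITE(A)
 -       UID(CTSACS)   READ(A) WRITE(A)
 -       UID(CTSACD)   READ(A) WRITE(A)
 -       UID(CTSAONI)  READ(A) WRITE(A)
 -       UID(CTSAOFI)  READ(A) WRITE(A)
 -       UID(CTSINST)  READ(A) WRITE(A) ALLOC(A)

 END
/*
//*-------------------------------------------------------------------
//* Step 3: list what was stored so the output can be checked against
//* sections 12.1 to 12.3 before the started tasks are brought up.
//*-------------------------------------------------------------------
//VERIFY   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ACF
 SET LID
 LIST LIKE(CTS-)
 SET RULE
 LIST CTS
 END
/*
```

The blank line after the last rule entry terminates the in-stream COMPILE input. When reviewing the LIST output, confirm that the ENCREXT and ENCRINT entries appear above the "-" entries and that no UID other than the servers, the interceptors (ENCRINT only) and the installer has anything but READ(P) on the key datasets; the catch-all entries are exactly where an over-grant would otherwise slip in unnoticed.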

12.4 – Define an OMVS Segment

Define an OMVS segment for the user ID and group ID associated with the CTSGATE started task. For more information, see details provided within the CTSACF2 member.

12.5 – Grant CTSGATE Authority to Use the TCP/IP Stack

This permission is required only when the ACF2 SERVAUTH resource class is used to protect TCP/IP resources from unauthorized access; without it CTSGATE is denied access to the stack and cannot listen for connections. For more information, see the details provided within the CTSACF2 member.
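As an added illustration of 12.4 and 12.5, not taken from member CTSACF2, the following job defines the OMVS segments for CTSGATE and its group and writes the SERVAUTH resource rule for the TCP/IP stack. Every concrete value is an assumption for the example: the group name CTSGRP, the numeric z/OS UNIX IDs 4710 and 4711, the home directory, the system name SYSA, the stack name TCPIP, and a GSO CLASMAP that maps SERVAUTH to resource type SER (the usual default). Note that UID in the OMVS profile record is the numeric z/OS UNIX UID, not the ACF2 UID string used in access rules.

```jcl
//CTSOMVS  JOB (ACCT),'CTS OMVS/SERVAUTH',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*-------------------------------------------------------------------
//* Step 1 (12.4): OMVS group and user profile records for CTSGATE,
//* then point the logonid at the group. Values are example placeholders.
//*-------------------------------------------------------------------
//OMVS     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ACF
 SET PROFILE(GROUP) DIVISION(OMVS)
 INSERT CTSGRP GID(4711)
 SET PROFILE(USER) DIVISION(OMVS)
 INSERT CTSGATE UID(4710) HOME(/u/ctsgate) OMVSPGM(/bin/sh)
 SET LID
 CHANGE CTSGATE GROUP(CTSGRP)
 END
/*
//*-------------------------------------------------------------------
//* Step 2 (12.5): SERVAUTH rule. The resource name is
//* EZB.STACKACCESS.sysname.tcpname; under $KEY(EZB) the entry names
//* the rest. Only CTSGATE is allowed; everything else falls through
//* to the default prevent for the rule set.
//*-------------------------------------------------------------------
//SERV     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ACF
 SET RESOURCE(SER)
 COMPILE * STORE
 $KEY(EZB) TYPE(SER)
 STACKACCESS.SYSA.TCPIP UID(CTSGATE) SERVICE(READ) ALLOW

 END
/*
```

Profile records and resource rules are cached, so after the job completes rebuild the affected directories from the console before starting CTSGATE: F ACF2,REBUILD(USR),CLASS(P) and F ACF2,REBUILD(GRP),CLASS(P) for the OMVS profiles, and F ACF2,REBUILD(SER) for the SERVAUTH rule. If CTSGATE still cannot open its listener, the ACF2 violation record in the job log will show whether the SERVAUTH check or the OMVS segment is what is missing.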