Overview#

The ZOS BIDIRECTIONAL DRIVER is a DirXML Driver that provides connectivity to provision and manage users and groups to the z/OS operating system.

External Security Managers (ESM)#

On z/OS there are three primary External Security Managers (ESM):
  • RACF - IBM
  • Top Secret - CA Technologies
  • ACF2 (Access Control Facility) is a commercial, discretionary access control software security system developed for the MVS (z/OS), VSE (z/VSE) and VM (z/VM) IBM mainframe operating systems CA Technologies now (2012) markets ACF2 as CA ACF2

The ZOS BIDIRECTIONAL DRIVER will work with each of the ESM above.

Migrate#

When migrating with the driver, you should specify the scope of the driver to be "USER\" or "GROUP\". If you do not, the driver will query for Groups and return all entries inspecting every entry to see if it is a group and discard it if not. This means all users would be included in the search.

Remote Loader#

The ZOS BIDIRECTIONAL DRIVER must use the provided embedded remote loader. This was not the case in previous releases.

Recommended Process#

It is recommended that the remote loader be used with the ZOS BIDIRECTIONAL DRIVER. The reasoning ias as follows:
  • the connection to the RACF host can be easily secured.
  • the processing for the shim of the driver is off-loaded from the eDirectory host running the IDM engine.
  • A failure in the shim will not "hurt" the eDirectory host running the IDM engine.
  • Better scalability

Accessing the Remote Loader#

There will be times when the IDM team will need to access the remote loader on the RACF host.

If you have a TSO ID on the RACF, you might be able to use the ID used for the driver, you would probably have read access to the log files through OMVS. This usually requires that you use a TN3270 terminal or an TN3270 emulator. Once you get this setup you can use some of the Linux/UNIX commands. We have been using the Vista TN3270 as it is not very expensive ($30) and works on Windows. The Vista TN3270 also supports IND$FILE.

Typically, "tail", more, and page would be useful. One exception to note is that you CAN'T use vi under OMVS. That’s because you’re using a 3270 interface and full screen applications, like vi, are not supported. If you want to view a file, use the obrowse command (this, plus the oedit command, is unique to OMVS).

Since obrowse is based on the ISPF browse function, you use the standard ISPF PF keys/commands to navigate in the file:

  • PF8 scrolls forward
  • PF7 scrolls backwards
  • PF3 exits the browse session.
If you want to go to the bottom of the file without hitting PF8 over and over, type an M on the command line and then hit PF8 (the M implies you want to scroll the Maximum amount).

To find a string, use the Find command (abbreviated F) on the command line: F 12/01/09.

File Transfer Between PC and Host#

IND$FILE Utility Program for VSE, MVS, and VM/CMS

zos_config.txt#

The log file is zos_trace.log and the config file is zos_config.txt. The zos_config.txt file contains:
 
-commandport 64330                                                      
-connection "port=64331"                                                
-trace 3
-tracefilemax 5M                                                              
-tracefile ./zos_trace.log                                               
-class com.Omnibond.nds.dirxml.driver.MVSDriver.RACFDriver.RACFDriverShim

LOG Files on Remote Loader#

In the "zos_config.txt" always set the "tracefilemax" on the remote loader so the files will archive and not grow to an unmanageable size.
-tracefilemax 5M
This will roll the logs when they reach the size 5M and append a _N (1-9) to the file.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-25) was last changed on 01-Apr-2015 13:49 by jim