IBM Security Identity Manager
Version 7.0

DB2 on z/OS Adapter Installation and Configuration Guide

IBM
Contents

Figures
Tables

Chapter 1. Overview
  Features
  Architecture
  Supported configurations
Chapter 2. Planning
  Roadmap for IBM Tivoli Directory Integrator based adapters, for IBM Security Identity Manager 7.x
  Prerequisites
  Software download
  Installation worksheet
Chapter 3. Installing
  Installing the dispatcher
  Installing the adapter binaries or connector
  Restarting the adapter service
  Importing the adapter profile
  Creating an adapter service/target
  Service/Target form details
  Installing the adapter language package
  Verifying that the adapter is working correctly
Chapter 4. Upgrading
  Upgrading the dispatcher
  Upgrading the adapter profile
Chapter 5. Configuring
  Customizing the adapter profile
  Editing adapter profiles on the UNIX or Linux operating system
Chapter 6. Troubleshooting
  Techniques for troubleshooting problems
  Error messages and problem solving
Chapter 7. Uninstalling
  Deleting the adapter profile
Chapter 8. Reference
  Adapter attributes
    Attribute descriptions
    Adapter attributes by action
Index
Figures

1. The architecture of the IBM DB2 on z/OS adapter
2. Example of a single server configuration
3. Example of multiple server configuration
Tables

1. Prerequisites to install the adapter
2. Required information to install the adapter
3. Warning and error messages
4. Attributes, descriptions, and corresponding data types
5. Add request attributes
6. Change request attributes
7. Delete request attributes
8. Suspend request attributes
9. Restore attributes
10. Ping attributes
11. Reconciliation attributes
Chapter 1. Overview

An adapter is an interface between a managed resource and the IBM® Security Identity server. The IBM DB2 on z/OS adapter enables communication between the IBM Security Identity server and the IBM DB2 on z/OS.

Adapters can be installed on the managed resource. The IBM Security Identity server manages access to the resource by using the security system. Adapters function as trusted virtual administrators on the target operating system. The adapter creates, suspends, and restores user accounts, and performs other functions that administrators run manually. The adapter runs as a service, independently of whether you are logged on to the IBM Security Identity server.

Features

The adapter automates several administrative and management tasks.
- Reconciling user accounts and other support data
- Adding user accounts
- Modifying user account attributes
- Suspending, restoring, and deleting user accounts

Architecture

Several components are involved in running and using the adapter. Install all these components so that the adapter can function correctly.
- Dispatcher
- Tivoli® Directory Integrator connector
- IBM Security Identity Adapter profile

You need to install the Dispatcher and the adapter profile; however, the Tivoli Directory Integrator connector might already be installed with the base Tivoli Directory Integrator product.

Figure 1 describes the components that work together to complete the user account management tasks in a Tivoli Directory Integrator environment.

[Figure 1. The architecture of the IBM DB2 on z/OS adapter. Labels in the figure: IBM Security Identity Server; RMI calls; Dispatcher Service (an instance of the IBM Tivoli Directory Integrator); Adapter resource.]

Supported configurations

The adapter supports both single and multiple server configurations. There are two ways to configure the IBM DB2 on z/OS adapter. In a single server configuration, the adapter is installed on only one server. In a multiple server configuration, the adapter is installed on several different servers.

There are fundamental components in each environment:
- The IBM Security Identity server
- The IBM Tivoli Directory Integrator server
- The managed resource
- The adapter

The adapter must be installed directly on the server that runs the Tivoli Directory Integrator server.

Single server configuration
    The IBM Security Identity server, the Tivoli Directory Integrator server, and the IBM DB2 on z/OS adapter are installed on one server to establish communication with the managed resource. The managed resource is installed on a different server as described in Figure 2.

Multiple server configuration
    In multiple server configuration, the IBM Security Identity server, the Tivoli Directory Integrator server, and the IBM DB2 on z/OS are installed on different servers. The Tivoli Directory Integrator server and the IBM DB2 on z/OS adapter are installed on the same server as described in Figure 3.

[Figure 2. Example of a single server configuration. Labels in the figure: IBM Security Identity Server; Tivoli Directory Integrator Server; Adapter; Managed resource.]

[Figure 3. Example of multiple server configuration. Labels in the figure: IBM Security Identity Manager server; Security Directory Integrator server; Adapter; Managed resource.]

Chapter 2. Planning

Installing and configuring the adapter involves several steps that you must complete in a specific sequence. Follow the roadmap for the main tasks.

Roadmap for IBM Tivoli Directory Integrator based adapters, for IBM Security Identity Manager 7.x

Follow this section when using the guide to install, configure, troubleshoot, or uninstall the adapter.

Pre-installation

Complete these tasks.
1. Verify that your environment meets the software and hardware requirements for the adapter. See Prerequisites.
2. Obtain the installation software. See Software downloads.
3. Obtain the necessary information for the installation and configuration. See Installation worksheet.

Installation

Complete these tasks.
1. Install the dispatcher.
2. Install the adapter binaries or connector.
3. Install 3rd party client libraries.
4. Set up the adapter environment.
5. Restart the adapter service.
6. Import the adapter profile.
7. Create an adapter service/target.
8. Install the adapter language package.
9. Verify that the adapter is working correctly.

Upgrade

To upgrade the adapter, do a full installation of the adapter. Follow the Installation roadmap.

Configuration

Complete these tasks.
1. Configure secure communication between the IBM Security Identity server and the adapter.
   a. Configure 1-way authentication.
   b. Configure 2-way authentication.
2. Configure secure communication between the adapter and the managed target.
   a. Configure 1-way authentication.
   b. Configure 2-way authentication.
3. Configure the adapter.
4. Modify the adapter profiles.
5. Customize the adapter.

Troubleshooting

See the following topics.
- Techniques for troubleshooting problems
- Configure debugging
- Logs
- Error messages and problem solving

Uninstallation

Complete these tasks.
1. Stop the adapter service.
2. Remove the adapter binaries or connector.
3. Remove 3rd party client libraries.
4. Delete the adapter service/target.
5. Delete the adapter profile.

Reference

See the following topics.
- Adapter attributes and object classes
- Adapter attributes by operations
- Special attributes

Prerequisites

Verify that your environment meets the software and hardware requirements for the adapter.

Table 1 identifies the software and operating system prerequisites for the adapter installation.

Ensure that you install the adapter on the same workstation as the IBM Tivoli Directory Integrator server.

Table 1. Prerequisites to install the adapter

Prerequisite: Directory Integrator
Description:
  - IBM Tivoli Directory Integrator Version 7.1.1 + 7.1.1-TIV-TDI-FP0004 + 7.2.0-ISS-SDI-LA0008
  - IBM Security Directory Integrator Version 7.2
  Note:
  - Earlier versions of IBM Tivoli Directory Integrator that are still supported might function properly. However, to resolve any communication errors, you must upgrade your Directory Integrator release to the versions that the adapter officially supports.
  - The adapter supports IBM Security Directory Integrator 7.2, which is available only to customers who have the correct entitlement. Contact your IBM representative to find out whether you have the entitlement to download IBM Security Directory Integrator 7.2.

Prerequisite: IBM Security Identity server
Description: The following servers are supported:
  - IBM Security Identity Manager server Version 6.0
  - IBM Security Identity Manager server Version 7.0
  - IBM Security Privileged Identity Manager Version 2.0
  - IBM Security Identity Governance and Intelligence server Version 5.2.2

Prerequisite: IBM DB2 on z/OS
Description: A z system that runs IBM DB2® with one of the following versions:
  - IBM DB2, Version 10 for z/OS®
  - IBM DB2, Version 11 for z/OS

Prerequisite: IBM DB2 JDBC Driver
Description:
  - db2jcc4.jar
  - db2jcc_license_cisuz.jar
  Copy the JDBC drivers, which are included with the adapter package, to the following location:
    Windows: drive:\Program Files\IBM\TDI\TDI_VERSION\jars\3rdparty\IBM
    UNIX: /opt/IBM/TDI/TDI_VERSION/jars/3rdparty/IBM
  Note: Delete the db2jcc.jar file if it is present in the folder.

Prerequisite: Network Connectivity
Description: Install the adapter on a workstation that can communicate with the IBM Security Identity Manager service through the TCP/IP network.

Prerequisite: System Administrator Authority
Description: To complete the adapter installation procedure, you must have system administrator authority.

Prerequisite: Tivoli Directory Integrator adapters solution directory
Description: A Tivoli Directory Integrator adapters solution directory is a Tivoli Directory Integrator work directory for adapters. See the Dispatcher Installation and Configuration Guide.

Prerequisite: IBM DB2 on z/OS Account, for example db2admin.
Description: You must provide an IBM DB2 on z/OS account and password for every IBM DB2 on z/OS instance that the adapter manages.
  The IBM DB2 on z/OS account must have the following IBM DB2 on z/OS privileges:
    SYSADM
        System administrator. An ID with SYSADM authority that grants the privileges to the group ID.

Install the IBM DB2 on z/OS adapter and the appropriate IBM DB2 JDBC drivers on the same workstation as the Tivoli Directory Integrator.

For information about the prerequisites and supported operating systems for Tivoli Directory Integrator, see the IBM Tivoli Directory Integrator 7.1: Administrator Guide.
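
A read-only check of the driver directory against the IBM DB2 JDBC Driver row of Table 1, added here as an example and not part of the IBM guide. The function name and finding labels are assumptions of this example, and the world-writable check is an extra hardening step that the guide does not state; pass the jars/3rdparty/IBM path for your TDI_VERSION.

```shell
#!/bin/sh
# Added example (not IBM code): audit a Directory Integrator
# jars/3rdparty/IBM directory against the JDBC driver row of Table 1.
# Nothing is modified; findings are printed one per line.

# audit_jdbc_dir DIR
# Returns 0 when both required driver files are present and non-empty,
# db2jcc.jar is absent, and nothing checked is world-writable.
# Returns 1 when there is at least one finding.
audit_jdbc_dir() {
    dir=$1
    rc=0

    if [ ! -d "$dir" ]; then
        echo "MISSING-DIR $dir"
        return 1
    fi

    # Required by Table 1: the driver and its license file.
    for jar in db2jcc4.jar db2jcc_license_cisuz.jar; do
        if [ ! -s "$dir/$jar" ]; then
            echo "MISSING $jar"
            rc=1
        fi
    done

    # Table 1 note: db2jcc.jar must be deleted if it is present.
    if [ -e "$dir/db2jcc.jar" ]; then
        echo "REMOVE db2jcc.jar"
        rc=1
    fi

    # Assumption of this example, not stated in the guide: the directory
    # and its jars should not be writable by every local user.
    for f in "$dir" "$dir"/*.jar; do
        [ -e "$f" ] || continue
        if [ -n "$(find "$f" -prune -perm -0002)" ]; then
            echo "WORLD-WRITABLE $f"
            rc=1
        fi
    done

    return $rc
}

# Constructed demo: a scratch directory that still holds the stale db2jcc.jar.
demo_dir=$(mktemp -d)
for j in db2jcc4.jar db2jcc_license_cisuz.jar db2jcc.jar; do
    echo "constructed placeholder, not a real driver" > "$demo_dir/$j"
done
audit_jdbc_dir "$demo_dir" || echo "driver directory needs attention"
rm -rf "$demo_dir"
```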

Software download

Download the software through your account at the IBM Passport Advantage® website.

Go to IBM Passport Advantage.

See the corresponding IBM Security Identity server Download Document for instructions.

Note: You can also obtain additional adapter information from IBM Support.

Installation worksheet

The installation worksheet lists the information that is required to install and configure the adapter. Complete this worksheet before you start the installation procedure for ease of reference. Make a copy of the worksheet for each adapter instance you install.

Table 2. Required information to install the adapter

Required information: IBM Tivoli Directory Integrator Home Directory
Description: The ITDI_HOME directory contains the jars/connectors subdirectory. This subdirectory contains adapter JAR files.
Value: IBM Tivoli Directory Integrator can be automatically installed with your IBM Security Identity Manager product.
  The following is the default directory path that is used for Tivoli Directory Integrator:
    Windows: drive:\Program Files\IBM\TDI\TDI_VERSION
    UNIX: /opt/IBM/TDI/TDI_VERSION

Required information: Adapters solution directory
Description: When you install the dispatcher, the adapter prompts you to specify a file path for the adapters solution directory. If you do not specify a directory, the default directory is timsol.
Value:
    Windows: drive:\Program Files\IBM\TDI\TDI_VERSION\timsol
    UNIX: /opt/IBM/TDI/TDI_VERSION/timsol

Chapter 3. Installing

Installing the adapter mainly involves importing the adapter profile and creating an adapter service. Depending on the adapter, several other tasks can be involved to completely install it.

All IBM Tivoli Directory Integrator based adapters require the Dispatcher for the adapters to function correctly. If the Dispatcher is installed from a previous installation, do not reinstall it unless the Dispatcher is upgraded. See Dispatcher Installation Verification.

Depending on your adapter, the Tivoli Directory Integrator connector might already be installed as part of the Tivoli Directory Integrator product and no further action is required. If the connector is not pre-installed, install it after the Dispatcher.

Installing the dispatcher

If this is the first Tivoli Directory Integrator-based adapter installation, you must install the RMI Dispatcher before you install the adapter. Install the RMI Dispatcher on the same Tivoli Directory Integrator server where you want to install the adapter.

If you already installed the RMI Dispatcher for another adapter, you do not need to reinstall it.

If you have not yet installed the RMI Dispatcher in the Tivoli Directory Integrator environment, download the Dispatcher installer from the IBM Passport Advantage website. For more information about the installation, see the Dispatcher Installation and Configuration Guide.

Installing the adapter binaries or connector

The connector might or might not be available with the base Tivoli Directory Integrator or Security Directory Integrator product. The connector is required to establish communication between the adapter and the Dispatcher.

Before you begin

The Dispatcher must be installed.

About this task

The adapter uses the IBM Tivoli Directory Integrator JDBC connector. This connector is already available with the base Tivoli Directory Integrator product. As such, you just need to install the Dispatcher. See the IBM Security Dispatcher Installation and Configuration Guide.

Restarting the adapter service

Various installation and configuration tasks might require the adapter to be restarted to apply the changes. For example, you must restart the adapter if there are changes in the adapter profile, connector, or assembly lines. To restart the adapter, restart the Dispatcher.

The adapter does not exist as an independent service or a process. The adapter is added to the Dispatcher instance, which runs all the adapters that are installed on the same Security Directory Integrator instance.

See the topic about starting, stopping, and restarting the Dispatcher service in the Dispatcher Installation and Configuration Guide.

Importing the adapter profile

An adapter profile defines the types of resources that the IBM Security Identity server can manage. It is packaged with the IBM Security Identity Adapter. Use the adapter profile to create an adapter service on IBM Security Identity server and establish communication with the adapter.

Before you begin

- You have root or administrator authority on the IBM Security Identity Manager server.
- The file to be imported must be a Java archive (JAR) file. The <Adapter>Profile.jar file includes all the files that are required to define the adapter schema, account form, service/target form, and profile properties. If necessary, you can extract the files from the JAR file, modify the files, and repackage the JAR file with the updated files. The JAR file for IBM Security Identity Manager is located in the top level folder of the installation package.

About this task

Service definition files are also called adapter profile files.

If the adapter profile is not installed correctly, the adapter cannot function correctly. You cannot create a service with the adapter profile or open an account on the service. You must import the adapter profile again.

Procedure

1. Log on to the IBM Security Identity Manager server by using an account that has the authority to perform administrative tasks.
2. From the navigation tree, select Configure System > Manage Service Types. The Manage Service Types page is displayed.
3. On the Manage Service Types page, click Import. The Import Service Type page is displayed.
4. On the Import Service Type page, complete these steps:
   a. In the Service Definition File field, type the directory location of the <Adapter>Profile.jar file, or click Browse to locate the file. For example, if you are installing the IBM Security Identity Adapter for a Windows server that runs Active Directory, locate and import the ADProfileJAR file.
   b. Click OK to import the file.

Results

A message indicates that you successfully submitted a request to import a service type.

What to do next

- The import occurs asynchronously, which means it might take some time for the service type to load into the IBM Security Identity server from the properties files and to be available in other pages. On the Manage Service Types page, click Refresh to see the new service type. If the service type status is Failed, check the log files to determine why the import failed.
- If you receive a schema-related error, see the trace.log file for information about it. The trace.log file location is specified by the handler.file.fileDir property that is defined in the enRoleLogging.properties file. The enRoleLogging.properties file is in the IBM Security Identity server HOME\data directory.

Creating an adapter service/target

After you import the adapter profile on the IBM Security Identity server, create a service/target so that IBM Security Identity server can communicate with the managed resource.

Before you begin

Complete “Importing the adapter profile”.

About this task

You must create an administrative user account for the adapter on the managed resource. You can provide the account information such as administrator name and password when you create the adapter service. Ensure that the account has sufficient privileges to administer the users. For information about creating an administrative account, see the documentation for the managed resource.

To create or change a service, you must use the service form to provide information for the service. Service forms might vary depending on the adapter. The service name and description that you provide for each service are displayed on the console. Therefore, it is important to provide values that make sense to your users and administrators.

Procedure

1. From the navigation tree, click Manage Services. The Select a Service page is displayed.
2. On the Select a Service page, click Create. The Create a Service wizard is displayed.
3. On the Select the Type of Service page, click Search to locate a business unit. The Business Unit page is displayed.
4. On the Business Unit page, complete these steps:
   a. Type information about the business unit in the Search information field.
   b. Select a business type from the Search by list, and then click Search. A list of business units that matches the search criteria is displayed.
      If the table contains multiple pages, you can do the following tasks:
      - Click the arrow to go to the next page.
      - Type the number of the page that you want to view and click Go.
   c. In the Business Units table, select the business unit in which you want to create the service, and then click OK. The Select the Type of Service page is displayed, and the business unit that you specified is displayed in the Business unit field.
5. On the Select the Type of Service page, select a service type, and then click Next.
   If the table contains multiple pages, you can do the following tasks:
   - Click the arrow to go to the next page.
   - Type the number of the page that you want to view and click Go.
6. On either the Service Information or General Information page, specify the appropriate values for the service instance. The content of the General Information page depends on the type of service that you are creating. The creation of some services might require more steps.
7. On the Authentication page, configure authentication (either password-based or key-based) for the service, and then click Next or Finish. The Authentication page is displayed only if you are creating a POSIX service instance.
8. On the Dispatcher Attributes page, specify information about the dispatcher attributes, and then click Next or OK. The Dispatcher Attributes page is displayed only for IBM Security Directory Integrator based services.
9. Optional: On the Access Information page, select the Define an Access check box to activate the access definition fields. Select the type of access you want to enable. Specify the expected access information and any other optional information such as description, search terms, more information, or badges.
10. On the Status and Information page, view information about the adapter and managed resource, and then click Next or Finish. The adapter must be running to obtain the information.
11. On the Configure Policy page, select a provisioning policy option, and then click Next or Finish. The provisioning policy determines the ownership types available for accounts. The default provisioning policy enables only Individual ownership type accounts. Additional ownership types can be added by creating entitlements on the provisioning policy.
    Note: If you are creating a service for an identity feed, the Configure Policy page is not displayed.
12. Optional: On the Reconcile Supporting Data page, either do an immediate reconciliation for the service, or schedule a supporting data reconciliation, and then click Finish. The Reconcile Supporting Data page is displayed for all services except for identity feed services.
    The supporting data only reconciliation option retrieves only the supporting data for accounts. The supporting data includes groups that are defined on the service. The type of supporting data is defined in the adapter guide.
13. Optional: On the Service Information or General Information page, click Test Connection to validate that the data in the fields is correct, and then click Next or Finish. If the connection fails, contact the analyst who is responsible for the computer on which the managed resource runs.

Results

A message is displayed, indicating that you successfully created the service instance for a specific service type.

Service/Target form details

Complete the service/target form fields.

On the IBM DB2 on z/OS Connection tab:

    Service name
        Specify a name that defines the adapter service on the IBM Security Identity server.
        Note: Do not use forward (/) or backward slashes (\) in the service name.

    Description
        Optional: Specify a description that identifies the service for your environment.

    Tivoli Directory Integrator location
        Specify the URL for the IBM Tivoli Directory Integrator instance. The valid syntax for the URL is rmi://ip-address:port/ITDIDispatcher, where ip-address is the IBM Tivoli Directory Integrator host and port is the port number for the RMI Dispatcher.
        The default URL for the default SDI1 instance is rmi://localhost:1099/ITDIDispatcher.

    IBM DB2 on z/OS Server Host
        Specify the host workstation on which the IBM DB2 on z/OS server is running.

    IBM DB2 on z/OS Server Port
        Specify the TCP port on which the IBM DB2 on z/OS server is running. You can specify 50000 to use the default DB2 port.

    IBM DB2 on z/OS Database Name
        Specify the database name of the IBM DB2 on z/OS database that you want to manage, for example SAMPLE.

    IBM DB2 on z/OS Administration User Account
        Specify the name of the user who has access to the IBM DB2 on z/OS resource and who can do administrative operations.

    IBM DB2 on z/OS Administration User Password
        Specify the password for the user.

    Owner
        Optionally, specify a user as a service owner.

    Service Prerequisite
        Specify a service that is prerequisite to this service.

On the Dispatcher Attributes tab:

    Disable AL Caching
        Select the check box to disable the assembly line caching in the dispatcher for the service. The assembly lines for the add, modify, delete, and test operations are not cached.

    AL File System Path
        Specify the file path from where the dispatcher loads the assembly lines. If you do not specify a file path, the dispatcher loads the assembly lines that are received from IBM Security Identity server.
        You can specify the following file path to load the assembly lines from the profiles directory of the Windows operating system: c:\Files\IBM\TDI\V7.1\profiles.
        Alternatively, you can specify the following file path to load the assembly lines from the profiles directory of the UNIX and Linux operating system: /opt/IBM/TDI/V7.1/profiles.

    Max Connection Count
        Specify the maximum number of assembly lines that the dispatcher can run simultaneously for the service. Enter 10 if you want the dispatcher to run a maximum of 10 assembly lines simultaneously for the service. If you enter 0 in the Max Connection Count field, the dispatcher does not limit the number of assembly lines that are run simultaneously for the service.

On the Status and information tab:

    Contains read only information about the adapter and managed resource. These fields are examples. The actual fields vary depending on the type of adapter and how the service form is configured. The adapter must be running to obtain the information. Click Test Connection to populate the fields.

    Last status update: Date
        Specifies the most recent date when the Status and information tab was updated.

    Last status update: Time
        Specifies the most recent time of the date when the Status and information tab was updated.

    Managed resource status
        Specifies the status of the managed resource that the adapter is connected to.

    Adapter version
        Specifies the version of the adapter that the service uses to provision requests to the managed resource.

    Profile version
        Specifies the version of the profile that is installed in the IBM Security Identity server.

    TDI version
        Specifies the version of the Tivoli Directory Integrator on which the adapter is deployed.

    Dispatcher version
        Specifies the version of the dispatcher.

    Installation platform
        Specifies summary information about the operating system where the adapter is installed.

    Adapter account
        Specifies the account that is running the adapter binary file.

    Adapter up time: Date
        Specifies the date when the adapter started.

    Adapter up time: Time
        Specifies the time of the date when the adapter started.

    Adapter memory usage
        Specifies the memory usage for running the adapter.

    If the connection fails, follow the instructions in the error message. Also:
    - Verify the adapter log to ensure that the test request was successfully sent to the adapter.
    - Verify the adapter configuration information.
    - Verify service parameters for the adapter profile. Verify parameters such as the work station name or the IP address of the managed resource and the port.
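
A pre-flight check of the form values described above, added here as an example and not part of the IBM guide. The function names are assumptions of this example, and the host check accepts only host names and IPv4 addresses.

```shell
#!/bin/sh
# Added example (not IBM code): validate service/target form values
# before they are typed into the form.

# is_port VALUE -> 0 if VALUE is an integer in 1..65535
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_service_name NAME -> rejects empty names and names that contain
# a forward slash or a backslash, as the Service name note requires.
check_service_name() {
    case $1 in
        ''|*/*|*\\*) return 1 ;;
    esac
    return 0
}

# parse_tdi_location URL -> prints "host port" when URL has the form
# rmi://ip-address:port/ITDIDispatcher, otherwise returns 1.
parse_tdi_location() {
    url=$1
    case $url in
        rmi://*/ITDIDispatcher) ;;
        *) return 1 ;;
    esac
    hostport=${url#rmi://}
    hostport=${hostport%/ITDIDispatcher}
    case $hostport in
        *:*) ;;
        *) return 1 ;;          # the port is mandatory in this syntax
    esac
    host=${hostport%:*}
    port=${hostport##*:}
    case $host in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;   # also rejects extra path segments
    esac
    is_port "$port" || return 1
    echo "$host $port"
}

# check_max_connections VALUE -> non-negative integer; 0 means no limit.
check_max_connections() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Constructed sample values, not taken from a real deployment.
if loc=$(parse_tdi_location "rmi://localhost:1099/ITDIDispatcher"); then
    echo "dispatcher endpoint: $loc"
fi
check_service_name 'DB2/zOS' || echo "service name rejected: contains a slash"
```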

Installing the adapter language package

The adapters use a separate language package from IBM Security Identity Manager.

See Installing the adapter language pack from the IBM Security Identity Manager product documentation.

Verifying that the adapter is working correctly

After you install and configure the adapter, verify that the installation and configuration are correct.

Procedure

1. Test the connection for the service that you created on the IBM Security Identity server.
2. Run a full reconciliation from the IBM Security Identity server.
3. Run all supported operations such as add, modify, and delete on one user account.
4. Verify the ibmdi.log file after each operation to ensure that no errors are reported.
5. Verify the trace.log file to ensure that no errors are reported when you run an adapter operation.

Chapter 4. Upgrading

Upgrading an IBM Tivoli Directory Integrator-based adapter involves tasks such as upgrading the dispatcher, the connector, and the adapter profile. Depending on the adapter, some of these tasks might not be applicable. Other tasks might also be required to complete the upgrade.

Upgrading the dispatcher

Before you upgrade the dispatcher, verify the version of the dispatcher.
- If the dispatcher version mentioned in the release notes is later than the existing version on your workstation, install the dispatcher.
- If the dispatcher version mentioned in the release notes is the same or earlier than the existing version, do not install the dispatcher.

Note: Stop the dispatcher service before upgrading the dispatcher and start it again after the upgrade is complete.

Upgrading the adapter profile

Read the adapter Release Notes for any specific instructions before you import a new adapter profile.

Note: Restart the Dispatcher service after importing the profile. Restarting the Dispatcher clears the assembly lines cache and ensures that the dispatcher runs the assembly lines from the updated adapter profile.

Chapter 5. Configuring

After you install the adapter, configure it to function correctly. Configuration is based on your requirements or preference.

See the IBM Security Dispatcher Installation and Configuration Guide for more configuration options such as:
- JVM properties
- Dispatcher filtering
- Dispatcher properties
- Dispatcher port number
- Logging configurations
- Secure Sockets Layer (SSL) communication

Customizing the adapter profile

To customize the adapter profile, you must modify the IBM DB2 on z/OS adapter JAR file. You might customize the adapter profile to change the account form or the service form.

About this task

You can also use the Form Designer or the CustomLabels.properties file to change the labels on the forms. Each adapter has a CustomLabels.properties file for that adapter.

The JAR file is included in the IBM DB2 on z/OS adapter compressed file that you downloaded from the IBM website. The IBM DB2 on z/OS JAR file and the files that are contained in the JAR file vary depending on your operating system.

Note: You cannot modify the schema for this adapter. You cannot add or delete attributes from the schema.

The adapter JAR file includes the following files:
- CustomLabels.properties
- erZDB2Account.xml
- erZDB2Service.xml
- schema.dsml
- service.def
- ZDB2AddUserAL.xml
- ZDB2DeleteUserAL.xml
- ZDB2ModifyUserAL.xml
- ZDB2SearchUserAL.xml
- ZDB2TestAL.xml

Procedure

- To edit the JAR file, take these steps:
  1. Log on to the workstation where the IBM DB2 on z/OS adapter is installed.
  2. On the Start menu, click Programs → Accessories → Command Prompt.
  3. Copy the JAR file into a temporary directory.
  4. Extract the contents of the JAR file into the temporary directory by running the following command. The following example applies to the IBM DB2 on z/OS adapter profile. Type the name of the JAR file for your operating system.

         cd c:\temp
         jar -xvf ZDB2AdapterProfile.jar

     The jar command extracts the files into the directory.
  5. Edit the file that you want to change.

  After you edit the file, you must import the file into the IBM Security Identity server for the changes to take effect.

- To import the file, take these steps:
  1. Create a JAR file by using the files in the \temp directory. Run the following commands:

         cd c:\temp
         jar -cvf ZDB2AdapterProfile.jar ZDB2AdapterProfile

  2. Import the JAR file into the IBM Security Identity Manager application server.
  3. Stop and start the IBM Security Identity server.
  4. Restart the adapter service.
Editing adapter profiles on the UNIX or Linux operating system
The adapter profile .jar file might contain ASCII files that are created by using the MS-DOS ASCII format.
About this task
If you edit an MS-DOS ASCII file on the UNIX operating system, you might see a character ^M at the end of each line. These characters indicate new lines of text in MS-DOS. The characters can interfere with the running of the file on UNIX or Linux systems. You can use tools, such as dos2unix, to remove the ^M characters. You can also use text editors, such as the vi editor, to remove the characters manually.
Example
You can use the vi editor to remove the ^M characters. From the vi command mode, run the following command and press Enter:
    :%s/^M//g
When you use this command, enter ^M or Ctrl-M by pressing ^v^M or Ctrl V Ctrl M sequentially. The ^v instructs the vi editor to use the next keystroke instead of issuing it as a command.
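The same cleanup scripted for a whole extracted profile directory, as an added example that is not part of the IBM guide: it removes trailing carriage returns from the file types the guide lists as profile contents and reports which files changed. The function names, the scratch directory and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the IBM guide): normalise MS-DOS line endings in an
# extracted adapter profile before it is repackaged on UNIX or Linux.

# Print the number of lines in a file that end in a carriage return
# (the character vi displays as ^M). Prints 0 when there are none.
count_cr_lines() {
    cr=$(printf '\r')
    grep -c "${cr}\$" "$1" 2>/dev/null || true
}

# Remove one trailing carriage return from every line of a file.
# The file is overwritten in place so its owner and mode are kept.
strip_cr_file() {
    f=$1
    cr=$(printf '\r')
    tmp=$(mktemp) || return 1
    if sed "s/${cr}\$//" "$f" > "$tmp"; then
        cat "$tmp" > "$f"
        rm -f "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Walk the text files of an extracted profile (the extensions of the files
# listed in the guide) and clean only those that contain CR line endings.
# Prints one line per file that was changed.
normalize_profile_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for p in "$dir"/*.properties "$dir"/*.xml "$dir"/*.dsml "$dir"/*.def; do
        [ -f "$p" ] || continue        # an unmatched glob stays literal
        n=$(count_cr_lines "$p")
        if [ "${n:-0}" -gt 0 ]; then
            strip_cr_file "$p" || return 1
            echo "$p: removed $n carriage returns"
        fi
    done
}

# Constructed sample: a scratch directory holding two of the profile file
# names from the guide, one saved with CRLF endings and one with LF endings.
# The file contents are made up for the demonstration.
make_sample_profile() {
    d=$(mktemp -d) || return 1
    printf 'erUid=User ID\r\nerAccountStatus=Status\r\n' > "$d/CustomLabels.properties"
    printf '<service/>\n' > "$d/service.def"
    echo "$d"
}

# Usage: sh normalize_profile.sh /path/to/extracted/profile
[ "$#" -eq 0 ] || normalize_profile_dir "$1"
```

Unlike the vi substitution, the sed expression removes a carriage return only at the end of a line, so a second run over the same directory changes nothing.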
Chapter 6. Troubleshooting
Troubleshooting is a systematic approach to solving a problem. The goal of troubleshooting is to determine why something does not work as expected and how to resolve the problem. This topic provides information and techniques for identifying and resolving problems that are related to the adapter, including troubleshooting errors that might occur during the adapter installation.
Techniques for troubleshooting problems
Certain common techniques can help with the task of troubleshooting. The first step in the troubleshooting process is to describe the problem completely.
Problem descriptions help you and the IBM technical-support representative find the cause of the problem. This step includes asking yourself basic questions:
- What are the symptoms of the problem?
- Where does the problem occur?
- When does the problem occur?
- Under which conditions does the problem occur?
- Can the problem be reproduced?
The answers to these questions typically lead to a good description of the problem, which can then lead you to a problem resolution.
What are the symptoms of the problem?
When you start to describe a problem, the most obvious question is “What is the problem?” This question might seem straightforward; however, you can break it down into several more-focused questions that create a more descriptive picture of the problem. These questions can include:
- Who, or what, is reporting the problem?
- What are the error codes and messages?
- How does the system fail? For example, is it a loop, hang, crash, performance degradation, or incorrect result?
Where does the problem occur?
Determining where the problem originates is not always easy, but it is one of the most important steps in resolving a problem. Many layers of technology can exist between the reporting and failing components. Networks, disks, and drivers are only a few of the components to consider when you are investigating problems.
The following questions help you to focus on where the problem occurs to isolate the problem layer:
- Is the problem specific to one operating system, or is it common across multiple operating systems?
- Is the current environment and configuration supported?
- Do all users have the problem?
- (For multi-site installations.) Do all sites have the problem?
If one layer reports the problem, the problem does not necessarily originate in that layer. Part of identifying where a problem originates is understanding the environment in which it exists. Take some time to completely describe the problem environment, including the operating system and version, all corresponding software and versions, and hardware information. Confirm that you are running within an environment that is a supported configuration. Many problems can be traced back to incompatible levels of software that are not intended to run together or are not fully tested together.
When does the problem occur?
Develop a detailed timeline of events that lead up to a failure, especially for those cases that are one-time occurrences. You can most easily develop a timeline by working backward: Start at the time an error was reported (as precisely as possible, even down to the millisecond), and work backward through the available logs and information. Typically, you use the first suspicious event that you find in a diagnostic log.
To develop a detailed timeline of events, answer these questions:
- Does the problem happen only at a certain time of day or night?
- How often does the problem happen?
- What sequence of events leads up to the time that the problem is reported?
- Does the problem happen after an environment change, such as upgrading or installing software or hardware?
Responding to these types of questions can give you a frame of reference in which to investigate the problem.
Under which conditions does the problem occur?
Knowing which systems and applications are running at the time that a problem occurs is an important part of troubleshooting. These questions about your environment can help you to identify the root cause of the problem:
- Does the problem always occur when the same task is being done?
- Is a certain sequence of events required for the problem to occur?
- Do any other applications fail at the same time?
Answering these types of questions can help you explain the environment in which the problem occurs and correlate any dependencies. Remember that just because multiple problems might occur around the same time, the problems are not necessarily related.
Can the problem be reproduced?
From a troubleshooting standpoint, the ideal problem is one that can be reproduced. Typically, when a problem can be reproduced you have a larger set of tools or procedures at your disposal to help you investigate. Problems that you can reproduce are often easier to debug and solve.
However, problems that you can reproduce can have a disadvantage: If the problem is of significant business impact, you do not want it to recur. If possible, re-create the problem in a test or development environment, which typically offers you more flexibility and control during your investigation.
- Can the problem be re-created on a test system?
- Do multiple users or applications have the same type of problem?
- Can the problem be re-created by running a single command, a set of commands, or a particular application?
Error messages and problem solving
A warning or error message might be displayed in the user interface to provide information about the adapter or when an error occurs.
A warning or error might be displayed in the user interface to provide information that you must know about the adapter or about an error. Table 3 contains warnings or errors that might be displayed in the user interface if the IBM DB2 on z/OS adapter is installed on your system.
Table 3. Warning and error messages
Message code | Warning or error message | Remedial action
CTGIMT001E | The following error occurred. Error: Either the IBM DB2 on z/OS service name is incorrect or the service is not up. | Ensure that the IBM DB2 on z/OS service name given on the IBM Security Identity Manager service form is running.
CTGIMT001E | The following error occurred. Error: Either the IBM DB2 on z/OS host or port is incorrect. | Verify that the host workstation name or the port for the IBM DB2 on z/OS service is correctly specified.
CTGIMT002E | The login credential is missing or incorrect. | Verify that you provided the correct login credential on the service form.
CTGIMT001E | The following error occurred. Error: No suitable JDBC driver found. | Ensure that the correct version of the JDBC driver is copied onto the workstation where the adapter is installed. Ensure that the path for the driver is included in the system CLASSPATH variable.
CTGIMT600E | An error occurred while establishing communication with the IBM Tivoli Directory Integrator server. | IBM Security Identity Manager cannot establish a connection with IBM Tivoli Directory Integrator. To fix this problem, ensure that: IBM Tivoli Directory Integrator is running; the URL specified on the service form for the IBM Tivoli Directory Integrator is correct.
CTGIMT003E | The account already exists. | Use a different name for the user to be added.
CTGIMT015E | An error occurred while deleting the Account_Name account because the account does not exist. | The user you are trying to delete does not exist. Ensure that you are deleting only an existing account.
Chapter 7. Uninstalling
To remove an adapter from the IBM Security Identity server for any reason, you must remove all the components that were added during installation. Uninstalling an IBM Tivoli Directory Integrator based adapter mainly involves removing the connector file, and the adapter profile from the IBM Security Identity server. Depending on the adapter, some of these tasks might not be applicable, or there can be other tasks.
Deleting the adapter profile
Remove the adapter service/target type from the IBM Security Identity server. Before you delete the adapter profile, ensure that no objects exist on the IBM Security Identity server that reference the adapter profile.
Objects on the IBM Security Identity server that can reference the adapter profile:
- Adapter service instances
- Policies referencing an adapter instance or the profile
- Accounts
Note: The Dispatcher component must be installed on your system for adapters to function correctly in a Tivoli Directory Integrator environment. When you delete the adapter profile, do not uninstall the Dispatcher.
For specific information about how to delete the adapter profile, see the IBM Security Identity Manager product documentation.
Chapter 8. Reference
Reference information is organized to help you locate particular facts quickly, such as adapter attributes, registry settings, and environment variables.
Adapter attributes
As part of the adapter implementation, a dedicated account that allows IBM Security Identity Manager to access the IBM DB2 on z/OS is created on the IBM DB2 on z/OS.
The adapter consists of files and directories that are owned by the IBM Security Identity Manager account. These files establish communication with the IBM Security Identity server.
Attribute descriptions
The IBM Security Identity server communicates with the adapter by using attributes, which are included in transmission packets that are sent over a network.
The combination of attributes depends on the type of action that the IBM Security Identity Manager server requests from the adapter.
Table 4 lists the account form attributes that the adapter uses.
Table 4. Attributes, descriptions, and corresponding data types
Attribute | Directory server attribute | Description | Data format
Administration User Account | erRmiZDBAdminName | Specify the user ID that is used to connect to the IBM DB2 on z/OS. The value of this key must be the administrator user of the Cataloged database. Administration User Account is the required field. | String
Administration User Password | erServicePwd1 | Specify the password for the user ID that is used to connect to the IBM DB2 on z/OS. The value of this key must be the password of the administrator user of the Cataloged database. Administration User Password is the required field. | String
System privileges | erRmiZOSSysPriv | Specifies the list of system privileges. | String
System privileges with grant option | erRmiZOSSysPrivGrant | Specifies the list of system privileges with grant option. | String
PrivCreateinSchema | erRmiZDBPrivCreateinSchema | Specifies all schemas on which the privilege to create objects in the schema is granted to the user. It is multivalued. | String
erRmiZDBPrivWGrCreateinSchema | erRmiZDBPrivWGrCreateinSchema | Specifies all schemas on which the privilege to create objects in the schema is granted to the user. It is multivalued. | String
PrivAlterinSchema | erRmiZDBPrivAlterinSchema | Specifies all schemas on which the privilege to alter objects in the schema is granted to the user. It is multivalued. | String
PrivWGrAlterinSchema | erRmiZDBPrivWGrAlterinSchema | Specifies all schemas on which the privilege to alter objects in the schema with grant option is granted to the user. It is multivalued. | String
ZDBPrivDropinSchema | erRmiZDBPrivDropinSchema | Specifies all schemas on which the privilege to drop objects in the schema is granted to the user. It is multivalued. | String
ZDBPrivWGrDropinSchema | erRmiZDBPrivWGrDropinSchema | Specifies all schemas on which the privilege to drop objects in the schema with grant option is granted to the user. It is multivalued. | String
PrivSelectTab | erRmiZDBPrivSelectTab | Specifies all tables on which the select privilege is granted to the user. It is multivalued. | String
PrivWGrSelectTab | erRmiZDBPrivWGrSelectTab | Specifies all tables on which the select privilege with grant option is granted to the user. It is multivalued. | String
PrivInsertTab | erRmiZDBPrivInsertTab | Specifies all tables on which the insert privilege is granted to the user. It is multivalued. | String
PrivWFRInsertTab | erRmiZDBPrivWGrInsertTab | Specifies all tables on which the Insert privilege with grant option is granted to the user. It is multivalued. | String
PrivUpdateTab | erRmiZDBPrivUpdateTab | Specifies all tables on which the Update privilege is granted to the user. It is multivalued. | String
PrivWGrUpdateTab | erRmiZDBPrivWGrUpdateTab | Specifies all tables on which the Update privilege with grant option is granted to the user. It is multivalued. | String
PrivDeleteTab | erRmiZDBPrivDeleteTab | Specifies all tables on which the Delete privilege is granted to the user. It is multivalued. | String
PrivWGrDeleteTab | erRmiZDBPrivWGrDeleteTab | Specifies all tables on which the Delete privilege with grant option is granted to the user. It is multivalued. | String
PrivAlterTab | erRmiZDBPrivAlterTab | Specifies all tables on which the Alter privilege is granted to the user. It is multivalued. | String
PrivWGrAlterTab | erRmiZDBPrivWGrAlterTab | Specifies all tables on which the Alter privilege with grant option is granted to the user. It is multivalued. | String
PrivIndexTab | erRmiZDBPrivIndexTab | Specifies all tables on which the Index privilege is granted to the user. It is multivalued. | String
PrivWGrIndexTab | erRmiZDBPrivWGrIndexTab | Specifies all tables on which the Index privilege with grant option is granted to the user. It is multivalued. | String
PrivRefTab | erRmiZDBPrivRefTab | Specifies all tables on which the References privilege is granted to the user. It is multivalued. | String
PrivWGrRefTab | erRmiZDBPrivWGrRefTab | Specifies all tables on which the References privilege with grant option is granted to the user. It is multivalued. | String
PrivUseTabSpace | erRmiZDBPrivUseTabSpace | Specifies all schemas on which the use privilege is granted to the user. It is multivalued. | String
PrivWGrUseTabSpace | erRmiZDBPrivWGrUseTabSpace | Specifies all schemas on which the use privilege with grant option is granted to the user. It is multivalued. | String
PrivSelectView | erRmiZDBPrivSelectView | Specifies all views on which the select privilege is granted to the user. It is multivalued. | String
PrivWGrSelectView | erRmiZDBPrivWGrSelectView | Specifies all views on which the select privilege with grant option is granted to the user. It is multivalued. | String
PrivInsertView | erRmiZDBPrivInsertView | Specifies all views on which the Insert privilege is granted to the user. It is multivalued. | String
PrivWGrInsertView | erRmiZDBPrivWGrInsertView | Specifies all views on which the Insert privilege with grant option is granted to the user. It is multivalued. | String
PrivUpdateView | erRmiZDBPrivUpdateView | Specifies all views on which the Update privilege is granted to the user. It is multivalued. | String
PrivWGrUpdateView | erRmiZDBPrivWGrUpdateView | Specifies all views on which the Update privilege with grant option is granted to the user. It is multivalued. | String
PrivVwDeleteView | erRmiZDBPrivVwDeleteView | Specifies all views on which the Delete privilege is granted to the user. It is multivalued. | String
PrivWgrVwDeleteView | erRmiZDBPrivWGrVwDeleteView | Specifies all views on which the Delete privilege with grant option is granted to the user. It is multivalued. | String
DBCreateTab | erRmiDBCreateTab | Specifies all Databases on which the Create Tab privilege is granted to the user. It is multivalued. | String
DBWGrCreateTab | erRmiDBWGrCreateTab | Specifies all Databases on which the Create Tab privilege with grant option is granted to the user. It is multivalued. | String
DBCreateTs | erRmiDBCreateTs | Specifies all Databases on which the Creates privilege is granted to the user. It is multivalued. | String
DBWGrCreateTs | erRmiDBWGrCreateTs | Specifies all Databases on which the CreateTs privilege with grant option is granted to the user. It is multivalued. | String
DBDrop | erRmiDBDrop | Specifies all Databases on which the dropdb privilege is granted to the user. It is multivalued. | String
DBWgrDrop | erRmiDBWgrDrop | Specifies all Databases on which the dropdb privilege with grant option is granted to the user. It is multivalued. | String
DBDisplayDb | erRmiDBDisplayDb | Specifies all Databases on which the displaydb privilege is granted to the user. It is multivalued. | String
DBWgrDisplayDb | erRmiDBWgrDisplayDb | Specifies all Databases on which the displaydb privilege with grant option is granted to the user. It is multivalued. | String
DbImagCopy | erRmidbImagCopy | Specifies all Databases on which the imagcopy privilege is granted to the user. It is multivalued. | String
DbWgrImagCopy | erRmidbWgrImagCopy | Specifies all Databases on which the imagcopy privilege with grant option is granted to the user. It is multivalued. | String
DBLoad | erRmiDBLoad | Specifies all Databases on which the load privilege is granted to the user. It is multivalued. | String
DBWgrLoad | erRmiDBWgrLoad | Specifies all Databases on which the load privilege with grant option is granted to the user. It is multivalued. | String
DBRecoverDb | erRmiDBRecoverDb | Specifies all Databases on which the recover privilege is granted to the user. It is multivalued. | String
DBWgrRecoverDb | erRmiDBWgrRecoverDb | Specifies all Databases on which the recover privilege with grant option is granted to the user. It is multivalued. | String
DBReorg | erRmiDBReorg | Specifies all Databases on which the reorg privilege is granted to the user. It is multivalued. | String
DBWgrReorg | erRmiDBWgrReorg | Specifies all Databases on which the reorg privilege with grant option is granted to the user. It is multivalued. | String
DBStartDb | erRmiDBStartDb | Specifies all Databases on which the startdb privilege is granted to the user. It is multivalued. | String
DBWgrStartDb | erRmiDBWgrStartDb | Specifies all Databases on which the startdb privilege with grant option is granted to the user. It is multivalued. | String
DBRepair | erRmiDBRepair | Specifies all Databases on which the repair privilege is granted to the user. It is multivalued. | String
DBWgrRepair | erRmiDBWgrRepair | Specifies all Databases on which the repair privilege with grant option is granted to the user. It is multivalued. | String
DBStats | erRmiDBStats | Specifies all Databases on which the stats privilege is granted to the user. It is multivalued. | String
DBWgrStats | erRmiDBWgrStats | Specifies all Databases on which the stats privilege with grant option is granted to the user. It is multivalued. | String
DBStopdb | erRmiDBStopdb | Specifies all Databases on which the stopdb privilege is granted to the user. It is multivalued. | String
DBWgrStopdb | erRmiDBWgrStopdb | Specifies all Databases on which the stopdb privilege with grant option is granted to the user. It is multivalued. | String
DBDbadm | erRmiDBDbadm | Specifies all Databases on which the dbadm privilege is granted to the user. It is multivalued. | String
DBWgrDbadm | erRmiDBWgrDbadm | Specifies all Databases on which the dbadm privilege with grant option is granted to the user. It is multivalued. | String
DBCtrl | erRmiDBCtrl | Specifies all Databases on which the dbctrl privilege is granted to the user. It is multivalued. | String
DBWgrCtrl | erRmiDBWgrCtrl | Specifies all Databases on which the dbctrl privilege with grant option is granted to the user. It is multivalued. | String
DBMaint | erRmiDBMaint | Specifies all Databases on which the dbmaint privilege is granted to the user. It is multivalued. | String
DBWgrMaint | erRmiDBWgrMaint | Specifies all Databases on which the dbmaint privilege with grant option is granted to the user. It is multivalued. | String
Adapter attributes by action
The following lists describe typical adapter actions that are organized by their functional transaction group. The lists include more information about required and optional attributes that are sent to the adapter to complete that action.
Database login add
A database login add is a request to create a user account with the specified attributes.
Table 5. Add request attributes
Required attribute: eruid
Optional attributes:
erRmiZOSSysPriv
erRmiZOSSysPrivGrant
erRmiZDBPrivCreateinSchema
erRmiZDBPrivWGrCreateinSchema
erRmiZDBPrivAlterinSchema
erRmiZDBPrivWGrAlterinSchema
erRmiZDBPrivDropinSchema
erRmiZDBPrivWGrDropinSchema
erRmiZDBPrivSelectTab
erRmiZDBPrivWGrSelectTab
erRmiZDBPrivInsertTab
erRmiZDBPrivWGrInsertTab
erRmiZDBPrivUpdateTab
erRmiZDBPrivWGrUpdateTab
erRmiZDBPrivDeleteTab
erRmiZDBPrivWGrDeleteTab
erRmiZDBPrivAlterTab
erRmiZDBPrivWGrAlterTab
erRmiZDBPrivIndexTab
erRmiZDBPrivWGrIndexTab
erRmiZDBPrivRefTab
erRmiZDBPrivWGrRefTab
erRmiZDBPrivUseTabSpace
erRmiZDBPrivWGrUseTabSpace
erRmiZDBPrivSelectView
erRmiZDBPrivWGrSelectView
erRmiZDBPrivInsertView
erRmiZDBPrivWGrInsertView
erRmiZDBPrivUpdateView
erRmiZDBPrivWGrUpdateView
erRmiZDBPrivVwDeleteView
erRmiZDBPrivWGrVwDeleteView
erRmiDBCreateTab
erRmiDBWGrCreateTab
erRmiDBCreateTs
erRmiDBWGrCreateTs
erRmiDBDrop
erRmiDBWgrDrop
erRmiDBDisplayDb
erRmiDBWgrDisplayDb
erRmidbImagCopy
erRmidbWgrImagCopy
erRmiDBLoad
erRmiDBWgrLoad
erRmiDBRecoverDb
erRmiDBWgrRecoverDb
erRmiDBReorg
erRmiDBWgrReorg
erRmiDBStartDb
erRmiDBWgrStartDb
erRmiDBRepair
erRmiDBWgrRepair
erRmiDBStats
erRmiDBWgrStats
erRmiDBStopdb
erRmiDBWgrStopdb
erRmiDBDbadm
erRmiDBWgrDbadm
erRmiDBCtrl
erRmiDBWgrCtrl
erRmiDBMaint
erRmiDBWgrMaint
Database login change
A database login change is a request to change one or more attributes for the specified users.
Table 6. Change request attributes
Required attribute: eruid
Optional attributes:
erRmiZOSSysPrivGrant
erRmiZOSSysPriv
erRmiZDBPrivCreateinSchema
erRmiZDBPrivWGrCreateinSchema
erRmiZDBPrivAlterinSchema
erRmiZDBPrivWGrAlterinSchema
erRmiZDBPrivDropinSchema
erRmiZDBPrivWGrDropinSchema
erRmiZDBPrivSelectTab
erRmiZDBPrivWGrSelectTab
erRmiZDBPrivInsertTab
erRmiZDBPrivWGrInsertTab
erRmiZDBPrivUpdateTab
erRmiZDBPrivWGrUpdateTab
erRmiZDBPrivDeleteTab
erRmiZDBPrivWGrDeleteTab
erRmiZDBPrivAlterTab
erRmiZDBPrivWGrAlterTab
erRmiZDBPrivIndexTab
erRmiZDBPrivWGrIndexTab
erRmiZDBPrivRefTab
erRmiZDBPrivWGrRefTab
erRmiZDBPrivUseTabSpace
erRmiZDBPrivWGrUseTabSpace
erRmiZDBPrivSelectView
erRmiZDBPrivWGrSelectView
erRmiZDBPrivInsertView
erRmiZDBPrivWGrInsertView
erRmiZDBPrivUpdateView
erRmiZDBPrivWGrUpdateView
erRmiZDBPrivVwDeleteView
erRmiZDBPrivWGrVwDeleteView
erRmiDBCreateTab
erRmiDBWGrCreateTab
erRmiDBCreateTs
erRmiDBWGrCreateTs
erRmiDBDrop
erRmiDBWgrDrop
erRmiDBDisplayDb
erRmiDBWgrDisplayDb
erRmidbImagCopy
erRmidbWgrImagCopy
erRmiDBLoad
erRmiDBWgrLoad
erRmiDBRecoverDb
erRmiDBWgrRecoverDb
erRmiDBReorg
erRmiDBWgrReorg
erRmiDBStartDb
erRmiDBWgrStartDb
erRmiDBRepair
erRmiDBWgrRepair
erRmiDBStats
erRmiDBWgrStats
erRmiDBStopdb
erRmiDBWgrStopdb
erRmiDBDbadm
erRmiDBWgrDbadm
erRmiDBCtrl
erRmiDBWgrCtrl
erRmiDBMaint
erRmiDBWgrMaint
Database login delete
A database login delete is a request to remove the specified user from the directory.
Table 7. Delete request attributes
Required attribute: erUid
Optional attribute: None
Database login suspend
A database login suspend is a request to disable a user account.
The user is not removed. User attributes are not modified.
Table 8. Suspend request attributes
Required attributes: erUid, erAccountStatus
Optional attribute: None
Database login restore
A database login restore is a request to activate a user account that was previously suspended.
After an account is restored, the user can access the system by using the same attributes as the ones before the Suspend function was called.
Table 9. Restore attributes
Required attributes: erUid, erAccountStatus
Optional attribute: None
Ping
Use Ping to verify the connection between the adapter and the IBM Security Identity server. Ping does not require any variables.
Table 10. Ping attributes
Required attribute: None
Optional attribute: None
Reconciliation
The reconciliation function synchronizes user account information between IBM Security Identity Manager and the adapter.
Table 11. Reconciliation attributes
Attribute
All supported attributes