Release Notes
IBM® Security Verify Governance RACF Adapter
Second Edition (Nov 17, 2023)
Copyright International Business Machines Corporation 2003, 2023. All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Adapter Features and Purpose
Known Issues and Limitations
Installation and Configuration Notes
Corrections and/or additions to the Installation and Configuration sections of the RACF adapter guide.
Corrections and/or additions to the Installation and Configuration sections of the zSecure RACF adapter guide.
Importing the adapter profile
Upgrading to the current release
Starting and stopping the adapter
Customizing or Extending Adapter Features
Welcome to the IBM Security Verify RACF Adapter. This installation package contains 2 adapters that can be installed using the ISPF panels: the standard RACF adapter and the zSecure RACF adapter.
The zSecure RACF adapter requires the zSecure RACF admin product to be installed on the adapter host. Unless we specifically mention zSecure, any reference to the RACF adapter refers to both adapters.
These Release Notes contain information for the following products that was not available when the IBM Security Verify Adapter manuals were created:
IBM Security Verify Governance RACF Adapter Installation and Configuration Guide
IBM Security Verify Governance zSecure RACF Adapter Installation and Configuration Guide
The RACF Adapter is designed to create and manage RACF accounts. The adapter runs in "agent" mode and must be installed on z/OS. One adapter is installed per RACF Database, but the RACF Adapter may be configured to support a subset of the accounts through the scope of authority feature on the RACF Service Form.
The Security Verify Adapters are powerful tools that require administrator level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the Verify server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative permissions.
Review and agree to the terms of the IBM Security Verify product license prior to using this product. The license can be viewed from the "license" folder included in the product package.
| Component | Version |
| Release Date | 22/06/2023 |
| Adapter Version | 10.0.9 |
| Component Versions | Adapter Build 10.0.009.00 Profile 10.0.009.00 ADK 10.0.004.00 z/OS enRole Resource Management API 10.0.004.00 OpenSSL 3.1.0 |
| Documentation | Please check out the latest documentation on the IBM Documentation Center. Select the latest server release to navigate to the latest version of the adapter documentation. |
| Internal # | RFE/CASE# | Description |

Items included in current release
No items included

Items included in release 10.0.8
No items included

Items included in release 10.0.7
No items included

Items included in release 10.0.6
No items included

Items included in release 10.0.5
| | RFE 151566 | IBM Security Manager RACF adapter support for IBM Multi-Factor Authentication for z/OS |

Items included in release 10.0.4
| RTC 189952 | | Verify adapters on z/OS 2.5 |
| RTC 189953 | | Verify zSecure RACF adapter on zSecure 2.5 |

Items included in release 10.0.3
No items included

Items included in release 10.0.2
| | N/A | Deliver RACF and zSecure RACF adapter as one installation. Combine sources and installation package and allow either adapter to be installed using the same part. |
| | N/A | Document new features in zSecure RACF adapter that are inherited from the RACF adapter as part of the merged sources. |

Historical features RACF adapter
| Internal # | RFE/CASE# | Description |

Items included in release 10.0.1
| RTC 187573 | N/A | Rebranding IBM Security Identity to IBM Security Verify |

Items included in release 7.1.40
No items included

Items included in release 7.1.39
No items included

Items included in release 7.1.38
No items included

Items included in release 7.1.37
| RTC 55048 | RFE 122650 | RACF CSDATA segment support for single account lookup |

Items included in release 7.1.36
No items included

Items included in release 7.1.36
| 182517 | RFE 127701 | ISIM RACF Adapter enhancement. |
| RTC 182687 | | Disallow external calls to agentCfg port. |

Items included in release 7.1.35
| RTC 182213 | | IGI 5.2.5 support - As an adapter developer for z/OS I need to add support for supporting data and canonical values to the IGI profiles |

Items included in release 7.1.34
No items included

Items included in release 7.1.33
No items included

Items included in release 7.1.32
| RTC 174146 | RFE 52070 | Add an option to include “REMOVE <connect_group>” or “CONNECT <connect group>” for PRE MODIFY and POST MODIFY operations to be passed on to ISIMEXIT. |
| RTC 174284 | N/A | As an adapter for RACF user I want to have an option to run RECOJOB outside of the adapter so that the adapter can instantly start processing the RECOSAVE contents. |
| RTC 176712 | N/A | Add a registry setting to specify if the adapter should attempt to delete existing data set profiles before deleting an account. |
| RTC 174414 | | As an ADK for z/OS developer I need to upgrade to OpenSSL 1.0.2o to address PSIRT CVE-2018-0739 |

Items included in release 7.1.31
| RTC 52661 RTC 173352 | 115005 | As an AD for z/OS developer I need to offer the ability to explicitly disable TLS1.0 in all ADK based adapters. |
| RTC 173354 | TS000074249 | As an ADK for z/OS developer I need to add diagnostic messages to the ADK that allow troubleshooting 2-way ssl connections |
| RTC 173351 | | As an ADK for z/OS developer I need to upgrade to OpenSSL 1.0.2n |

Items included in release 7.1.30
| RTC1709009 | | Add support for WAEMAIL in WORK segment |

Items included in previous releases
| RTC 163356 | | Enable SSL by default in the ISPF installation panels |
| RTC 166577 | | Add tooltips to customlabels.properties |
| RTC 166584 | PMR 22151,003,756 | Registry setting to keep the RECOSAVE export data set |
| RTC158896 | N/A | Status tab in IGI target.json, erLastAccessDate in target.json |
| RTC154227 | N/A | TSO/E 8 Character Userid support |
| RTC156626 | N/A | Upgrade expat libraries to 2.2.0 |
| RTC154238 | | Update OpenSSL to release 1.0.2j |
| RTC154263 | PMR 42182,122,000 | Disable SSLV3 and RC4 ciphers and certify TLS 1.1 / 1.2 is supported by the ADK |
| RTC156347 | IV32546 | Adapter appears to be running while it was unable to connect to the socket. |
| RTC156101 | IV45711 | RACF adapter enhancement. How to know what attributes are being modified in a ISIMEXIT. |
| RTC154270 | IV46597 | Support ROAUDIT attribute in the RACF adapter |
| RTC152020 | | Include IGI specific profile with JSON in the adapter package |
| RTC152021 | | Update the adapter panels |
| RTC152022 | | Include adapter mapping file in the adapter package |
| RTC152023 | | Include a license folder in the adapter package |
| RTC149041 | | Add two initial lines to CustomLabels.properties which are required for translation |
| RTC 135237 | | Complex Attribute Handler for RACF Connect Groups |
| RTC 136795 | | ISIM Lookup transaction performance enhancements |
| RTC 93081 | | Remove APPC protocol dependency |
| RTC 74287 | | Added support for password phrases |
| RTC 35332 | | Added support for custom fields (CSDATA) |
| RTC 75819 | | Changed KERB form: Added AES and changed DESD description |
| | | Changed agent behavior: |
Historical features zSecure RACF adapter
| Internal # | RFE/CASE# | Description |

Items included in release 10.0.1
| RTC 187573 | N/A | Rebranding IBM Security Identity to IBM Security Verify |

Items included in release 7.1.15
| RTC 186771 | N/A | Add support for the LNOTES RACF segment to the zSecure RACF adapter |
| RTC 186772 | N/A | Add support for the KERB RACF segment to the zSecure RACF adapter |
| RTC 186773 | N/A | Add support for the NETVIEW RACF segment to the zSecure RACF adapter |
| RTC 186776 | N/A | Add support for the NDS RACF segment to the zSecure RACF adapter |

Items included in release 7.1.14
No items included

Items included in release 7.1.13
| | N/A | Ability to remove resource profile permissions that are assigned directly to a user account using CKGRACF. |
| RTC 183116 | N/A | Implement connect groups as complex attributes when defining groups as permissions rather than external roles. |
| RTC 183456 | N/A | Add ISIMEXIT functionality |
| RTC 183458 | N/A | Delete data set profiles before attempting to delete the matching account |
| RTC 183459 | N/A | Option to specify language environment dump location (CEEDUMP) |
| RTC 183533 | N/A | OPMODE unencrypted registry setting to allow the adapter to run in READ-ONLY or READ-ONLY with PASSWORD/PASSPHRASE support mode. |

Items included in release 7.1.12
No items included

Items included in release 7.1.11
| RTC 182213 | | IGI 5.2.5 support - As an adapter developer for z/OS I need to add support for supporting data and canonical values to the IGI profiles |
| RTC 177897 | | As an adapter for zSecure RACF user I would like to be able to view and modify user profile attributes from the DCE segment. |
| RTC 177898 | | As an adapter for zSecure RACF user I would like to be able to view and modify user profile attributes from the DFP segment. |
| RTC 177900 | | As an adapter for zSecure RACF user I would like to be able to view and modify user profile attributes from the PROXY segment. |
| RTC 177901 | | As an adapter for zSecure RACF user I would like to be able to view and modify user profile attributes from the WORK segment. |

Items included in release 7.1.10
No items included

Items included in release 7.1.9
| RTC 170932 | | As an adapter for zSecure RACF user I would like to be able to view and modify user profile attributes from the TSO segment. |
| RTC 176018 | | As an adapter for zSecure RACF user I would like to be able to view and modify user profile attributes from the OMVS segment. |
| RTC 176019 | | As an adapter for zSecure RACF user I would like to be able to view and modify user profile attributes from the CICS segment. |
| RTC 176019 | | As an adapter for zSecure RACF user I would like to be able to view and modify user profile attributes from the LANG segment. |
| RTC 176016 | | As an adapter for zSecure RACF user I would like to be able to view and modify user profile attributes from the BASE segment. |
| RTC 176020 | | Add support for the new segments in targetprofile.json |
| RTC 175175 | | As a zSecure RACF adapter developer I need to upgrade to ADK 6.0.5 / OpenSSL 1.0.2o |

Items included in release 7.1.8
| RTC 52661 RTC 173352 | 115005 | As an AD for z/OS developer I need to offer the ability to explicitly disable TLS1.0 in all ADK based adapters. |
| RTC 173354 | TS000074249 | As an ADK for z/OS developer I need to add diagnostic messages to the ADK that allow troubleshooting 2-way ssl connections |
| RTC 173351 | | As an ADK for z/OS developer I need to upgrade to OpenSSL 1.0.2n |

Items included in release 7.1.7
| RTC 170056 | | Include specialFlags in targetprofile.json |

Items included in release 7.1.6
| RTC 163356 | | Enable SSL by default in the ISPF installation panels |
| RTC 166577 | | Add tooltips to customlabels.properties |
| RTC 166584 | PMR 22151,003,756 | Registry setting to keep the RECOSAVE export data set |
| RTC 166586 | | Implement registered prefix IRVxxxxx for shared profile variables |

Items included in release 7.1.5
| RTC158896 | N/A | Status tab in IGI target.json, erLastAccessDate in target.json |
| RTC154227 | N/A | TSO/E 8 Character Userid support |
| RTC156626 | N/A | Upgrade expat libraries to 2.2.0 |

Items included in release 7.1.4
| RTC154238 | | Update OpenSSL to release 1.0.2j |
| RTC154263 | PMR 42182,122,000 | Disable SSLV3 and RC4 ciphers and certify TLS 1.1 / 1.2 is supported by the ADK |
| RTC156347 | IV32546 | Adapter appears to be running while it was unable to connect to the socket. |

Items included in release 7.1.3
| RTC152014 | | Update JSON in the adapter profile |
| RTC152018 | | Include adapter mapping file in the adapter package |
| RTC152019 | | Include a license folder in the adapter package |
| RTC149041 | | Add two initial lines to CustomLabels.properties which are required for translation |
| RTC 151010 | | Stickybit set on adapter_readonly_home subfolders |

Items included in release 7.0.2
| | | Fulfillment: added support for account Add, Delete and Modify |

Items included in release 7.0.1
| | | IGI 7.0.1 initial release |

| Internal # | APAR/CASE# | Description |

Items closed in current release
| SVGAD-247 | IJ46552 | Single account lookup fails |
| SVGAD-421 | | CEEDUMP in UserModify() for delete connect after add connect |
| SVGAD-324 | TS012936062 | SMF will show 2 PHRASE commands where the adapter should perform a PHRASE and a PASSWORD command. |

Items closed in release 10.0.8
| RTC 191079 | IJ43944 TS010824297 | Customer facing issue while creating new ID with RACF Adapter |

Items closed in release 10.0.7
| RTC 190968 | TS008612880 | INVALID GROUP NAME |

Items closed in release 10.0.6
| RTC 190602 | TS008309248 | Thread:000004 Unable to load private key |
| RTC 190603 | TS008525284 | BN_BLINDING_convert_ex |
| RTC 190562 | TS008252493 | RACF zSecure adapter permission name problem |
| RTC 190563 | TS004169928 | grpnamelist as permission |
| RTC190564 | TS008612880 | IGIZSECURE adapter wrong actions |

Items closed in release 10.0.5
| | TS008309248 | Racf certificate update shows incorrect valid date |

Items closed in release 10.0.4
| RTC 189940 | TS004169928 | zSecure RACF - Hebrew characters are returned reversed |
| RTC 189941 | TS004946716 | zSecure RACF - no error returned for failing add or modify request |
| RTC 189942 | TS004169928 | zSecure RACF - abend after receiving erzsrorgunit modify request |
| RTC 189943 | | zSecure RACF - error when trying to delete non-existing account |
| RTC 189944 | | RACF - no error is returned if a required attribute is missing from an ADD request |
| RTC 189954 | | zSecure RACF - add _CEE_RUNOPTS to start script |

Items closed in release 10.0.3
| RTC 189789 | TS004946716 | Place and document limitations on Hebrew language support implementation. |
| RTC 189790 | | CSDATA field delete is not correctly implemented in the RACF adapter |
| RTC 189791 | TS005537447 | RACF adapter error when creating userid |
| RTC 189792 | | DEFECT: standard RACF adapter recon does not work in IGI |

Items closed in release 10.0.2
| RTC 188446 | N/A | Fully qualified generic data set profiles not deleted. |
| RTC 188442 | TS004983508 | Duplicate values returned for CSDATA attributes |
| RTC 188441 | TS004169928 | Hebrew returned reversed during reconciliation |

Historical Closed Issues RACF adapter
| Internal # | APAR/CASE# | Description |

Items closed in release 10.0.1
| RTC 187967 | IJ28450 | Abend 0C4 after getpwuid() error |
| RTC 187968 | | Upgrade to Expat 2.2.10 |
| RTC 187569 | TS004200685 | Adapter fails to delete profiles if the account's connection to the group has been revoked. |

Items closed in release 7.1.40
| RTC 186766 | TS003664857 | AGJB04 writes empty JOBCHAR to registry |
| RTC 186767 | TS003554276 | ISIM_ADAPTER_CIPHER_LIST variable is not having any effect with RACF adapter 6.0.39 |
| RTC 186768 | TS003680545 | Error when processing unmodified values in reply message |
| RTC 186769 | TS003568847 | Abend when processing reconciliation request xmls |

Items closed in release 7.1.39
| RTC 186212 | TS003341275 | RACF "EDC5112I Resource temporarily unavailable" |
| RTC 186218 | TS002493154 | Increasing memory allocations for erracconxml values during reconciliations. |
| RTC 186218 | TS002493154 | Adapter STC does not abort when running out of memory required for new connection pthreads. |
| RTC 186213 | TS003405510 | vulnerability CVE-2016-2183(SWEET32) reported on ISIM V6.0. |
| RTC 186214 | DT040780 TS001615497 | Memory leak in ConnectionTest operations. |

Items closed in release 7.1.38
No items included

Items closed in release 7.1.37
| RTC 184015 | TS002309740 | Adapter abend 40D, RC10 with the below messages in the CEEDUMP: 5 _ermAlloc +00000076 libErmApi.dll Call; 6 ErmSBCSStrtoUCS2Str +000000C0 libErmApi.dll |
| RTC 184017 | TS002309740 | Excessive non-ISIM server connections causing abend: Starting SSL handshake (OpenSSL)... Handshake failed. Error code: 1 SD_SEND to socket Start SSL cleanup Shutting down SSL server... Received a segmentation violation... |
| RTC 183205 | TS000891911 | Debug output in agentCfg tool causes DAML protocol configuration issues |
| RTC 184018 | TS002307533 | Account DELETE continues with ISIMEXIT POST DELETE even if the account can’t be deleted. |
| RTC 184019 | TS002357498 | <adapter_rw_home>/data/proc.xxx.out files not removed after attempt to delete data set profiles |

Items closed in release 7.1.36
| RTC 182687 | | Disallow external calls to agentCfg port |
| RTC 182516 | IJ12296 | Reconciliation doesn't return all accounts. |
| RTC 182686 | | Upgrade to OpenSSL 1.0.2.q |

Items closed in release 7.1.35
| RTC 181312 | TS001341481 | RACF adapter returns rc ‘20030’ on account ADD |
| RTC 181313 | | IKJ567161I when provisioning/modifying a custom attribute |
| RTC 181314 | TS001529597 | Adapter abends during the reconciliation of CSDATA segment attributes |
| RTC 181315 | | Upgrade to ADK 6.0.6 |
| RTC 181319 | TS001548171 | IKJ56702I INVALID USERID returns error for account DELETE where this should return a success as the account no longer exists in RACF |

Items closed in release 7.1.34
| RTC 179053 | TS001248452 | IKJ56716I when provision/modify a comma-separated CSDATA value |
| RTC 179043 | | Upgrade to OpenSSL 1.0.2p |

Items closed in release 7.1.33
| RTC 177574 | TS000991007 | Add an option to continue to use tsocmd to allow authorized TSO/E commands to be executed from ISIMEXIT. |
| RTC 177573 | IJ07503 | TSO/E STATUS command fails if the JOBNAME contains a $ character. |
| RTC 177575 | TS001115032 | SURROGATE ID ignored on account MODIFY |

Items closed in release 7.1.32
| RTC 174285 | TS000145251 | RACF Adapter for ISIM 6.0 - tsoCmd: return code 255 when using ISIMEXEC. |
| RTC 175922 | TS000864011 | Inconsistent erraculogtime between full and filtered reco |

Items closed in release 7.1.31
| RTC 173353 | TS000114491 | As an ADK for z/OS developer I need to ensure that manually dropping the DAML_PORT socket doesn't result in a loop |
| RTC 173360 | TS000013259 | Since installing 6.0.29 customer can no longer change the DAML password |
| RTC 173359 | | Change the group profile name from RacfGroupProfile to RACFgroupProfile |
| RTC 173723 | | Attempt to destroy context for invalid socket results in dump in _ermListFree |

Items closed in release 7.1.30
| RTC169659 | | PSIRT Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735) |
| RTC170595 | TS000026507 | Report Data Sync does not synchronize RACF Group memberships |

Items closed in previous releases
| RTC 166463 | PMR 22742,003,756 | RSA key length used by certTool increased from 1024 to 4096, which allows it to be NIST compliant beyond 2021. |
| RTC 166581 | PMR 06883,999,724 | Lock file that is created during reconciliations is not removed when switching between the SURROGATID and the ADAPTERID |
| RTC154305 | | RACF Adapter Complex Attribute Handler NullPointerException while trying to remove or add a connect group. |
| RTC162773 | PMR 17895,001,862 | The adapter allowed multiple parallel reconciliation requests without closing pipes and failing the duplicate requests. |
| RTC162775 | IV96644 | Memory allocation related abends during reconciliation when processing large amounts of connect groups for individual user accounts. |
| RTC162776 | IV97317 | erraculogtime value is incorrect if the account has not been used after creation. |
| RTC156346 | | Attribute values following the string PASSWORD are masked in the adapter log |
| RTC156842 | PMR 17895,001,862 | Heap storage problem in RACF agent CEE3204S The system detected a protection exception (System Completion Code=0C4). From entry point _ermFree at compile unit offset +0000008A at entry offset +0000008A at address 2500BF4A. |
| RTC154272 | PMR 70620,704,704 | RACF adapter abend CEE0802C Heap storage control information was damaged. From entry point _ermAlloc at compile unit offset +00000076 at entry offset +00000076 at address 2932CDAE. |
| RTC154273 | PMR 91447,L6Q,000 | RACF 6.0.23 Abend 0c4 |
| RTC154274 | PMR 74909,077,649 | RACF agent started task on Z/OS 2.1 abends 0c4 |
| RTC154275 | IV92222 | RACF adapter crashes when handling ISIM requests |
| RTC154298 | | Adapter abends when not receiving a connect owner value |
| RTC156631 | PMR 75768,122,000 | Abend U4038 |
| RTC 153442 | IV90064 | ErRacConXml changed from string to binary in the IGI specific profile, this change had to be undone in the standard profile to prevent abends. KerbIsAES was changed back from KerbisAES128 to KerbIsAES to prevent errors in existing installations. |
| RTC 153443 | PMR 27999,200,838 | Deleting an account may fail if data set profiles for the account are still defined in RACF. |
| RTC 153444 | IV90607 | The adapter should first set a password before setting the password interval when adding a new account. |
| RTC 151566 | PMR 65622,004,000 | Reconciliation runs longer starting release 7.0.23 due to Fix0205 message improvements |
| RTC 151007 | | subattribute values from ComplexAttributeValue Object reset to default |
| RTC 151009 | PMR 76787,122,000 | Lookup fails due to duplicate erracuname when NAME is specified in the instdata field |
| RTC 151010 | | Stickybit set on adapter_readonly_home subfolders |
| RTC 148905 | PMR 76787,122,000 | ISIMRECO 0C4 on fclose in Fix0205 message |
| RTC 148907 | | Lookup: Connect attributes not updated. |
| RTC 148908 | | Error while modifying BINDDN in PROXY segment |
| RTC 148909 | | Erraculogtime is not returned with the lookup operation |
| RTC 148910 | | Accounts with only BASE segment fail lookup |
| RTC 148911 | | Inconsistent results when supplying AES as encryption parameter in KERB segment |
| RTC 148912 | | Reconciliation and lookup not supported for erracuopmonitor |
| RTC149034 | IV84697 | Issue changing from SURROGAT ID to Agent ID. |
| RTC 136796 | IV79365 | "Unload 0102 record is missing" message during reconciliation. |
| RTC 141112 | | PMR 91113,003,756 RACF Adapter 0C4 (protection exception) socket. |
| RTC 145789 | | Adapter uptime on connectiontest is not updated. |
| RTC 144303 | | When you send a request to modify multiple connect groups and all of these connect commands fail, the adapter should return a failure. |
| RTC 144305 | | Change erracunoexpire from semi-supported to supported by re-adding it to the account form. |
| RTC 144236 | IV84697 | ISIM 6 RACF adapter acct creation error after delete / Thread security environment not reset after using SURROGAT ID. |
| RTC 141532 | | PMR 91113,003,756 erracupwinterval error message bogus. |
| RTC 141531 | | PMR 91113,003,756 ADK bogus characters in Bind message. |
| RTC 145790 | | Missing profile description: update racf2profile and racf2profiledesc |
| RTC 134668 | IV79192 | Adapter ignores erracupwnoexpire on password change |
| RTC 134667 | IV79171 | R_Admin is called during reconciliation when RECOSAVE data set name contains “CO” characters. |
| RTC 134666 | | OpenSSL upgrade to 1.0.1m |
| RTC 126656 | IV77890 | Update ISIMEXIT to support current TSO/E implementation. |
| RTC 134037 | | Agent abends after single account lookup from PIM server while processing entries for all accounts defined to RACF |
| RTC 134036 | | RACF recon fails because JOBCHAR(R) does not meet the standard for jobnames |
| RTC 134035 | IV77890 | RACF DELUSER returns ISIM console success but it fails |
| RTC 125820 | IV74312 | RACF Adapter failed to open output file when processing >1000 simultaneous requests |
| RTC 124239 | IV74312 | Clear text password visible while changing password using ISIM |
| RTC 121370 | IV68067 | Recon failed, adapter didn't wait 99 seconds |
| RTC 121366 | IV68479 | RACF adapter crashes when using PASSEXPIRE is true in combination with a pass phrase ending with a '$' character. |
| RTC 121368 | IV71138 | Reconciliation fails due to prefixing. |
| RTC 121369 | IV67084 | Errors in CSDATA processing for one-character fields and integer fields. |
| RTC 121371 | IV67900 | Help panel message AMGRA034 should be AGRMA034. |
| RTC 118499 | | Pre-Delete exit does not work |
| | IV65985 | Add account fails if 'KJ56644I NO VALID TSO USERID, DEFAULT USER ATTRIBUTES USED' is returned from RACF. |
| | IV65547 | RACF adapter password command formatting errors when creating a new account. |
| RTC 117760 | | AGRCCFG utility not working as expected |
| | IV65076 | ISIM RACF 6.0.7 SHORTCONNECT REGISTRY DEFAULT |
| | IV65073 | ISIM RACF 6.0.7 ADAPTER MISSING PERMISSION INFO |
| RTC 113676 | IV63089 | Password is set to EXPIRED on password change although "PASSEXPIRE" is set to "TRUEADD" |
| RTC 112167 | IV62670 | Password not propagated on password change |
| RTC 109531 | IV60839 | Erracupwinterval: Interval 0 not interpreted as NOINTERVAL |
| RTC 67672 | | Update on previous fix: now also includes solution for agentCfg dumping when entering a 4 character key when starting agentCfg |
| RTC 99335 | | AgentCfg -codepages does not return information |
| RTC 108483 | | RacfAgent.dat overwritten every IPL |
| RTC 108485 | | Openssl upgraded to 10.1.g |
| RTC 109528 | | Changed max thread settings and additional debug messages |
| RTC 109530 | | Running the adapter in -console mode does not open remote socket |
| RTC 98358 | IV52342 | Warning messages CONNECT group: incorrect characters returned in errorMessage when creating a new account on the ISIM server and specifying a connect group to which the user can not be added by the adapter resulting in the following message on the ISIM server: CTGIMD812E An error occurred while processing the adapter response message. The following error occurred. Error: An invalid XML character (Unicode: 0x7) was found in the value of attribute "errorMessage" and element is "attr". |
| RTC 95787 | IV47040 | Adapter issue with CONNECT group |
| RTC 95782 | IV42240 | Incorrect characters present in some account attributes |
| RTC 64756 | IV25449 | Error in setting the READ_TIMEOUT parameter. |
| RTC 67672 | IV27957 | When trying to change the ISIM adapter Configuration Key using agentCfg, a problem is encountered if the length of the new key is less than 5 characters. If it is 4 characters or less the registry will be corrupted. |

Historical Closed Issues zSecure RACF adapter
Items closed in release 10.0.1
| RTC 187967 | IJ28450 | Abend 0C4 after getpwuid() error |
| RTC 187968 | | Upgrade to Expat 2.2.10 |

Items included in release 7.1.15
| RTC 186767 | TS003554276 | ISIM_ADAPTER_CIPHER_LIST variable is not having any effect with RACF adapter 6.0.39 |
| RTC 186768 | TS003680545 | Error when processing unmodified values in reply message |
| RTC 186769 | TS003568847 | Abend when processing reconciliation request xmls |

Items included in release 7.1.14
| RTC 186218 | TS003341275 | Adapter STC does not abort when running out of memory required for new connection pthreads. |
| RTC 186213 | TS003405510 | vulnerability CVE-2016-2183(SWEET32) reported on ISIM V6.0 |
| RTC 186214 | DT040780/TS001615497 | Memory leak in ConnectionTest operations. |
| RTC 186217 | DT007148/TS000891911 | Hebrew chars not passed to zSecure adapter |

Items included in release 7.1.13
| RTC 184015 | TS002309740 | Adapter abend 40D, RC10 with the below messages in the CEEDUMP: 5 _ermAlloc +00000076 libErmApi.dll Call; 6 ErmSBCSStrtoUCS2Str +000000C0 libErmApi.dll |
| RTC 184017 | TS002309740 | Excessive non-ISIM server connections causing abend: Starting SSL handshake (OpenSSL)... Handshake failed. Error code: 1 SD_SEND to socket Start SSL cleanup Shutting down SSL server... Received a segmentation violation... |
| RTC 183205 | TS000891911 | Debug output in agentCfg tool causes DAML protocol configuration issues |

Items included in release 7.1.12
| RTC 182687 | | Disallow external calls to agentCfg port |
| | TS000891911 | Hebrew codepage aliases not checked and reading direction incorrect. |
| RTC 182516 | IJ12296 | Reconciliation doesn't return all accounts. |
| RTC 182686 | | Upgrade to OpenSSL 1.0.2.q |

Items included in release 7.1.11
| RTC 181308 | | Upgrade to ICU 3.6 |
| RTC 181306 | TS000891911 | Hebrew writing direction |
| RTC 181301 | | Incorrect entry in adapter log for EXPORT data set |
| RTC 181302 | TS001548171 | IKJ56702I INVALID USERID returns error for account DELETE where this should return a success as the account no longer exists in RACF |
| RTC 181310 | | Upgrade to Expat 2.2.6 |
| RTC 181303 | | Upgrade to z/OS ADK 6.0.6 |

Items included in release 7.1.10
| RTC 179043 | | Upgrade to OpenSSL 1.0.2p |

Items included in release 7.1.9
| RTC 174414 | | As an ADK for z/OS developer I need to upgrade to OpenSSL 1.0.2o to address PSIRT CVE-2018-0739 |

Items included in release 7.1.8
| RTC 173353 | TS000114491 | As an ADK for z/OS developer I need to ensure that manually dropping the DAML_PORT socket doesn't result in a loop |
| RTC 173360 | TS000013259 | Customer cannot longer change the DAML password |
| RTC 173723 | | Attempt to destroy context for invalid socket results in dump in _ermListFree |

Items included in release 7.1.7
| RTC170060 | IJ02050 | Abend 0C4 when modifying a single connect group for an account. |
| RTC170061 | | Error returned for SURROGAT ID during account modify |
| RTC170055 | | PSIRT Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735) |

Items included in release 7.1.6
| RTC 166463 | PMR 22742,003,756 | RSA key length used by certTool increased from 1024 to 4096, which allows it to be NIST compliant beyond 2021. |

Items included in release 7.1.5
None

Items included in release 7.1.4
| RTC156346 | | Attribute values following the string PASSWORD are masked in the adapter log |
| RTC156842 | PMR 17895,001,862 | Heap storage problem in RACF agent CEE3204S The system detected a protection exception (System Completion Code=0C4). From entry point _ermFree at compile unit offset +0000008A at entry offset +0000008A at address 2500BF4A. |

Items included in release 7.1.3
None

Items included in release 7.0.2
| RTC 136791 | | Increase length for erZsrResource and erZsrAccess |
| RTC 138813 | | PMR 54401,004,000 IBM IGI zSecure RACF Adapter creates IGI-only roles |
| RTC 131691 | | ConnectionTest requires CKGRACF for zSecure Version in service form |

Internal # |
APAR # |
PMR # / Description |
|
N/A |
This release of the RACF Adapter does not support FIPS.
|
|
N/A |
The lookup operation will not return UAUDIT settings for an account when the ADAPTER ID does not have the AUDIT attribute. |
|
N/A |
This version of the zSecure RACF adapter does not support:
|
|
N/A |
In ISVG, when specifying RACF GROUPS as EXTERNAL ROLES, all CONNECT commands will be limited to include the value “USE”, no rights outside “USE” are included in the command the adapter issues as ISVG does not support RIGHTS for EXTERNAL ROLES. It is possible to import the profile from the Profile_as_permission folder in the installation package. This profile defines RACF GROUPS as IGI PERMISSONS and will allow rights to be defined. If RACF GROUPS are defined as permissions, RESOURCE PROFILE permissions will no longer be associated to the GROUPS (zSecure RACF only).
|
|
N/A |
In the current Security Verify Governance release it is NOT possible to assign RESOURCE PROFILE permissions to an account or external role. It is also not possible to remove resource profile permissions from an external role. It is possible to remove resource profile permissions from an account. |
|
N/A |
Resource classes, profiles and permissions are not available in the standard RACF adapter. The adapter does however accept server requests that adhere to the following standards:
<?xml version="1.0" encoding="UTF-8"?>
<LDAPMessage ID="7056732228">
  <BindRequest Name="*****" Version="2.0">
    <SimpleAuthentication Password="*****">
    </SimpleAuthentication>
  </BindRequest>
  <ModifyRequest DN="eruid=IBMUSER">
    <Modification Operation="add">
      <attr name="erracprofaccesslist">
        <value>FACILITY/IRR.RADMIN.LISTUSER/READ</value>
        <value>FACILITY/IRR.RADMIN.ADDUSER/READ</value>
        <value>DATASET/IBMUSER.**/READ</value>
      </attr>
    </Modification>
    <Modification Operation="delete">
      <attr name="erracprofaccesslist">
        <value>FACILITY/IRR.RADMIN.LISTUSER/READ</value>
        <value>FACILITY/IRR.RADMIN.ADDUSER/READ</value>
        <value>DATASET/IBMUSER.**/READ</value>
      </attr>
    </Modification>
  </ModifyRequest>
</LDAPMessage>
Configuration of the server request and reconciliation of the involved permissions are currently not supported.
|
|
N/A |
The zSecure RACF adapter now also supports single account lookups from IBM Security Verify Governance Identity Manager. For a single account lookup it does NOT use zSecure functionality; instead it uses IRRXUTIL. |
|
N/A |
The current IBM Security Verify Governance and Governance Identity Manager releases do not support connect groups as complex attributes for the zSecure RACF adapter. |
|
N/A |
This release of the RACF adapter does not support MFA |
|
N/A |
This release of the adapter only offers limited language support. If the IBM-424 code page is set, all space separated character based string values will be considered to be Hebrew values. These values will be reversed before applying a modification in RACF or in the Verify Governance server to restore the writing direction and word order. The only exception to this rule is the implementation of numeric values, provided they are space-separated from character-based string values. |
|
N/A |
Limited compatibility with erracexecvar and erracexecname is available on demand. Contact IBM Support for more details. Please include your current ISIMEXIT and ISIMEXEC code in your request for support. |
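The following Python is an added example, not part of the adapter or its documentation: it parses a request in the shape shown above for erracprofaccesslist, validates each CLASS/PROFILE/ACCESS value, and reports entries that a single request both adds and deletes. The function names, the constructed sample, the list of access levels (the standard RACF access authorities) and the rule that a '/' may occur inside the profile name are assumptions of the example.

```python
import xml.etree.ElementTree as ET

ATTR = "erracprofaccesslist"
# Standard RACF access authorities (assumption); the page's sample uses READ.
RACF_ACCESS = {"NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"}

# Constructed sample in the request shape shown above (BindRequest omitted).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<LDAPMessage ID="1"><ModifyRequest DN="eruid=IBMUSER">
  <Modification Operation="add"><attr name="erracprofaccesslist">
    <value>FACILITY/IRR.RADMIN.LISTUSER/READ</value>
    <value>DATASET/IBMUSER.**/READ</value>
  </attr></Modification>
  <Modification Operation="delete"><attr name="erracprofaccesslist">
    <value>DATASET/IBMUSER.**/READ</value>
    <value>FACILITY/READ</value>
  </attr></Modification>
</ModifyRequest></LDAPMessage>"""

def parse_entry(value):
    """Split CLASS/PROFILE/ACCESS. Assumption: class is the first segment
    and access the last, so a '/' inside the profile name is tolerated."""
    cls, _, rest = value.strip().partition("/")
    profile, _, access = rest.rpartition("/")
    if not (cls and profile and access):
        raise ValueError(f"not CLASS/PROFILE/ACCESS: {value!r}")
    if len(cls) > 8 or access not in RACF_ACCESS:
        raise ValueError(f"bad class or access level: {value!r}")
    return cls, profile, access

def review_request(xml_bytes):
    """Summarise each ModifyRequest (one you built, not untrusted XML):
    valid entries per operation, malformed values, add/delete conflicts."""
    report = []
    for req in ET.fromstring(xml_bytes).iter("ModifyRequest"):
        ops, problems = {"add": set(), "delete": set()}, []
        for mod in req.iter("Modification"):
            target = ops.setdefault(mod.get("Operation"), set())
            for val in mod.iterfind(f"attr[@name='{ATTR}']/value"):
                try:
                    target.add(parse_entry(val.text or ""))
                except ValueError as err:
                    problems.append(str(err))
        report.append({"dn": req.get("DN"), "add": sorted(ops["add"]),
                       "delete": sorted(ops["delete"]), "problems": problems,
                       "conflicts": sorted(ops["add"] & ops["delete"])})
    return report

if __name__ == "__main__":
    print(review_request(SAMPLE))
```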
See your product-specific RACF Adapter or zSecure RACF Adapter Installation and Configuration Guide for detailed instructions.
No updates for the current release
No updates for the current release
Update
JOBCHAR
Optional. Specifies the character to be added to the RECOJOB job name when submitted. A JOBCHAR is required either in the JOBNAME in the JCL or in the JOBCHAR registry setting if you change the name of the JOB from RECOJOB to the name of an existing User ID. See The JOB statement.
To:
Update
JOBCHAR
Optional. Specifies the character to be added to the RECOJOB job name when submitted. A JOBCHAR is required either in the JOBNAME in the JCL or in the JOBCHAR registry setting if you change the name of the JOB from RECOJOB to the name of an existing User ID. See The JOB statement.
adapterID or surrogatID are not allowed to exceed 7 characters.
No updates for the current release
No updates for the current release
No updates for the current release
No updates for the current release
No updates for the current release
No updates for the current release
About this task
Service definition files are also called adapter profile files.
If the adapter profile is not installed correctly, the adapter cannot function correctly. You cannot create a service with the adapter profile or open an account on the service. You must import the adapter profile again.
Profiles contained in this package:
There are 3 profiles contained in this package. Two are in the StandardProfiles folder: zSecRacfProfile.jar and racf2profile.jar. These are the main profiles for the zSecure RACF and the RACF adapters.
Another zSecRacfprofile.jar can be found in the Profile_as_permission folder.
The difference between the two profiles is described in the paragraph below.
The standard profile in the main folder of the adapter package configures resource profile permissions as external roles.
AGC
RACF groups are defined as entitlements that can be granted to users. In the picture below you will find that RACF user CHUCK is connected to the SYSPROG group.
This profile, which uses external roles, does not support rights. You cannot define the connect rights to the group.
This profile does provide an overview of the Entitlement hierarchy.
In the picture below you can see that group ZTDEPT61 is a subgroup of ZTDEPT60, which in turn is a subgroup of ZSTWEAK, which is a subgroup of ZSTARGET, which is a subgroup of ZSECURE.
ZSECURE has several resource profile permissions assigned to it.
The resource profile permissions are defined as external roles, which can be validated in the Roles tab as depicted below.
An overview of the resource profile permissions that are granted to a RACF group is also provided in the Roles tab. The picture below shows the resource profile permissions that are granted to RACF group ZSECURE.
In this structure there are no rights that can be defined for RACF groups. If you assign a user to a group, the adapter will only set the default USE authority.
Service Center
In the service center users can request a connect to a RACF group as an external role.
In the picture below you can see RACF user ZTU001 is entitled to use RACF group ZTDEPT61, which is defined as an external role.
The RACF user CHUCK is entitled to use RACF group SYSPROG as an external role, to which he has the default USE authority.
The profile that is contained in the Profile_as_permission folder in the adapter installation package must be used to be able to configure the rights for RACF connect groups. To enable this, the RACF groups are imported as permissions.
It is not possible to view the resource profile permissions that are granted to the groups when using this profile. The hierarchy that links resource profile permissions to groups requires the groups to be defined as external roles. External roles, however, cannot have rights.
The following screenshots provide an overview of the settings that are available if the profile from the Profile_as_permission folder is installed.
AGC
User CHUCK is a member of the group SYSPROG
User CHUCK only has AUTHORITY USE on the SYSPROG group
User ZSTU is connected to three groups: ZDEPT61, ZDEPT31 and ZPACC02.
This user has the authority to USE these groups.
In the Roles overview the rights for each group can be reviewed.
Service Center
In the Service Center the groups are presented as permissions that can be requested and assigned as entitlements for a user.
No updates for the current release
No updates for the current release
No updates for the current release
No updates for the current release
Upgrading to the current release of adapter requires a full install of the adapter.
Before you start the adapter, ensure that TCP/IP is active.
The IBM Security Verify Adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:
LDAP schema management
Working knowledge of scripting language appropriate for the installation platform
Working knowledge of LDAP object classes and attributes
Working knowledge of XML document structure
Note: This adapter supports customization only through the use of pre-Exec and post-Exec scripting. The RACF adapter has REXX scripting options. Please see the RACF Installation and Configuration guide for additional details.
Please check out the latest documentation on the Verify Governance Knowledge Center. Select the latest server release to navigate to the latest version of the adapter documentation.
The IBM Security Verify Adapter supports any combination of the following product versions.
Adapter Installation Platform:
z/OS V2.4
z/OS V2.5
z/OS V3.1
Managed Resource:
IBM Security Server (RACF) for z/OS
zSecure RACF specific:
IBM Security zSecure RACF V2.4.0 with applied 2020 Q2 SEE and higher.
IBM Security zSecure RACF V2.5.x
IBM Security Verify Governance:
IBM Security Verify Governance v10.x
IBM Security Verify Governance Identity Manager:
IBM Security Verify Governance Identity Manager v10.x
Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:
IBM
IBM logo
RACF
IBM
Security Systems
Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino™, Intel Centrino logo, Celeron®, Intel Xeon™, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.
ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Other company, product, and service names may be trademarks or service marks of others.
End of Release Notes