Copyright International
Business Machines Corporation 2003, 2023.
All rights reserved.
US
Government Users Restricted Rights -- Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
Welcome
to the IBM Security Verify RACF Adapter. This installation package
contains 2 adapters that can be installed using the ISPF panels: the
standard RACF adapter and the zSecure RACF adapter.
The
zSecure RACF adapter requires the zSecure RACF admin product to be
installed on the adapter host. Unless we specifically mention
zSecure, any reference to the RACF adapter refers to both adapters.
These
Release Notes contain information for the following products that was
not available when the IBM Security Verify Adapter manuals were
created:
IBM
Security Verify Governance
RACF Adapter Installation and Configuration Guide
IBM
Security Verify Governance RACF Adapter Installation and
Configuration Guide
IBM
Security Verify Governance zSecure RACF Adapter Installation and
Configuration Guide
Adapter Features and Purpose
The RACF
Adapter is designed to create and manage RACF accounts. The adapter
runs in ”agent” mode and must be installed on z/OS. One adapter
is installed per RACF Database, but the RACF Adapter may be
configured to support a subset of the accounts through the scope of
authority feature on the RACF Service Form.
The
Security Verify Adapters are powerful tools that require
administrator level authority. Adapters operate much like a human
system administrator, creating accounts, permissions and home
directories. Operations requested from the Verify server will fail if
the adapter is not given sufficient authority to perform the
requested task. IBM recommends that this adapter run with
administrative permissions.
License
Agreement
Review
and agree to the terms of the IBM Security Verify product license
prior to using this product. The license can be viewed from the
"license" folder included in the product package.
Select
the latest server release to navigate to the latest version of the
adapter documentation.
New Features
Internal #
RFE /CASE#
Description
Items
included in current release
No
items included
Items
included in release 10.0.8
No
items included
Items
included in release 10.0.7
No
items included
Items
included in release 10.0.6
No
items included
Items
included in release 10.0.5
RFE 151566
IBM Security Manager RACF
adapter support for IBM Multi-Factor Authentication for z/OS
Items
included in release 10.0.4
RTC
189952
Verify
adapters on z/OS 2.5
RTC
189953
Verify
zSecure RACF adapter on zSecure 2.5
Items
included in release 10.0.3
No
items included
Items
included in release 10.0.2
N/A
Deliver
RACF and zSecure RACF adapter as one installation. Combine sources
and installation package and allow either adapter to be installed
using the same part.
N/A
Document
new features in zSecure RACF adapter that are inherited from the
RACF adapter as part of the merged sources.
Historical features RACF adapter
Internal #
RFE /CASE#
Description
Items
included in release 10.0.1
RTC
187573
N/A
Rebranding
IBM Security Identity to IBM Security Verify
Items
included in release 7.1.40
No
items included
Items
included in release 7.1.39
No
items included
Items
included in release 7.1.38
No
items included
Items
included in release 7.1.37
RTC
55048
RFE
122650
RACF
CSDATA segment support for single account lookup
Items
included in release 7.1.36
No
items included
Items
included in release 7.1.36
182517
RFE
127701
ISIM
RACF Adapter enhancement.
RTC
182687
Disallow
external calls to agentCfg port.
Items
included in release 7.1.35
RTC
182213
IGI
5.2.5 support -
As
an adapter developer for z/OS I need to add support for supporting
data and canonical values to the IGI profiles
Items
included in release 7.1.34
No
items included
Items
included in release 7.1.33
No
items included
Items
included in release 7.1.32
RTC
174146
RFE
52070
Add
an option to include “REMOVE <connect_group>” or
“CONNECT <connect group>” for PRE MODIFY and POST
MODIFY operations to be passed on to ISIMEXIT.
RTC
174284
N/A
As an
adapter for RACF user I want to have an option to run RECOJOB
outside of the adapter so that the adapter can instantly start
processing the RECOSAVE contents.
RTC
176712
N/A
Add a
registry setting to specify if the adapter should attempt to
delete existing data set profiles before deleting an account.
RTC
174414
As an
ADK for z/OS developer I need to upgrade to OpenSSL 1.0.2o to
address PSIRT CVE-2018-0739
Items
included in release 7.1.31
RTC
52661
RTC
173352
115005
As an
AD for z/OS developer I need to offer the ability to explicitly
disable TLS1.0 in all ADK based adapters.
RTC
173354
TS000074249
As an
ADK for z/OS developer I need to add diagnostic messages to the
ADK that allow troubleshooting 2-way ssl connections
RTC
173351
As an
ADK for z/OS developer I need to upgrade to OpenSSL 1.0.2n
Items
included in release 7.1.30
RTC1709009
Add
support for WAEMAIL in WORK segment
Items
included in previous releases
RTC
163356
Enable
SSL by default in the ISPF installation panels
RTC
166577
Add
tooltips to customlabels.properties
RTC
166584
PMR
22151,003,756
Registry
setting to keep the RECOSAVE export data set
RTC158896
N/A
Status
tab in IGI target.json, erLastAccessDate in target.json
RTC154227
N/A
TSO/E
8 Character Userid support
RTC156626
N/A
Upgrade
expat libraries to 2.2.0
RTC154238
Update
OpenSSL to release 1.0.2j
RTC154263
PMR
42182,122,000
Disable
SSLV3 and RC4 ciphers and certify TLS
1.1 / 1.2 is supported by the ADK
RTC156347
IV32546
Adapter
appears to be running while it was unable to connect to the
socket.
RTC156101
IV45711
RACF
adapter enhancement. How to know what attributes are being
modified in a ISIMEXIT.
RTC154270
IV46597
Support
ROAUDIT attribute in the RACF adapter
RTC152020
Include
IGI specific profile with JSON in the adapter package
RTC152021
Update
the adapter panels
RTC152022
Include
adapter mapping file in the adapter package
RTC152023
Include
a license folder in the adapter package
RTC149041
Add
two initial lines to CustomLabels.properties which are required
for translation
RTC
135237
Complex
Attribute Handler for RACF Connect Groups
RTC
136795
ISIM
Lookup transaction performance enhancements
RTC
93081
Remove
APPC protocol dependency
RTC
74287
Added
support for password phrases
RTC
35332
Added
support for custom fields (CSDATA)
RTC
75819
Changed
KERB form: Added AES and changed DESD description
Changed
agent behavior:
Setting a boolean flag to blanks is now the
same as setting it to FALSE
Historical features zSecure RACF adapter
Internal #
RFE /CASE#
Description
Items
included in release 10.0.1
RTC
187573
N/A
Rebranding
IBM Security Identity to IBM Security Verify
Items
included release 7.1.15
RTC
186771
N/A
Add
support for the LNOTES RACF segment to the zSecure RACF adapter
RTC
186772
N/A
Add
support for the KERB RACF segment to the zSecure RACF adapter
RTC
186773
N/A
Add
support for the NETVIEW RACF segment to the zSecure RACF adapter
RTC
186776
N/A
Add
support for the NDS RACF segment to the zSecure RACF adapter
Items
included release 7.1.14
No
items included
Items
included release 7.1.13
RTC
183526
N/A
Ability
to remove resource profile permissions that are assigned directly
to an user account using CKGRACF.
RTC
183116
N/A
Implement
connect groups as complex attributes when defining groups as
permissions rather than external roles.
RTC
183456
N/A
Add
ISIMEXIT functionality
RTC
183458
N/A
Delete
data set profiles before attempting to delete the matching account
RTC
183459
N/A
Option
to specify language environment dump location (CEEDUMP)
RTC
183533
N/A
OPMODE
unencrypted registry setting to allow the adapter to run in
READ-ONLY or READ-ONLY with PASSWORD/PASSPHRASE support mode.
Items
included release 7.1.12
No
items included
Items
included release 7.1.11
RTC
182213
IGI
5.2.5 support -
As
an adapter developer for z/OS I need to add support for supporting
data and canonical values to the IGI profiles
RTC
177897
As an
adapter for zSecure RACF user I would like to be able to view and
modify user profile attributes from the DCE segment.
RTC
177898
As an
adapter for zSecure RACF user I would like to be able to view and
modify user profile attributes from the DFP segment.
RTC
177900
As an
adapter for zSecure RACF user I would like to be able to view and
modify user profile attributes from the PROXY segment.
RTC
177901
As an
adapter for zSecure RACF user I would like to be able to view and
modify user profile attributes from the WORK segment.
Items
included release 7.1.10
No
items included
Items
included release 7.1.9
RTC
170932
As an
adapter for zSecure RACF user I would like to be able to view and
modify user profile attributes from the TSO segment.
RTC
176018
As an
adapter for zSecure RACF user I would like to be able to view and
modify user profile attributes from the OMVS segment.
RTC
176019
As an
adapter for zSecure RACF user I would like to be able to view and
modify user profile attributes from the CICS segment.
RTC
176019
As an
adapter for zSecure RACF user I would like to be able to view and
modify user profile attributes from the LANG segment.
RTC
176016
As an
adapter for zSecure RACF user I would like to be able to view and
modify user profile attributes from the BASE segment.
RTC
176020
Add
support for the new segments in targetprofile.json
RTC
175175
As a
zSecure RACF adapter developer I need to upgrade to ADK 6.0.5 /
OpenSSL 1.0.2o
Items
included release 7.1.8
RTC
52661
RTC
173352
115005
As an
AD for z/OS developer I need to offer the ability to explicitly
disable TLS1.0 in all ADK based adapters.
RTC
173354
TS000074249
As an
ADK for z/OS developer I need to add diagnostic messages to the
ADK that allow troubleshooting 2-way ssl connections
RTC
173351
As an
ADK for z/OS developer I need to upgrade to OpenSSL 1.0.2n
Items
included release 7.1.7
RTC
170056
Include
specialFlags in targetprofile.json
Items
included release 7.1.6
RTC
163356
Enable
SSL by default in the ISPF installation panels
RTC
166577
Add
tooltips to customlabels.properties
RTC
166584
PMR
22151,003,756
Registry
setting to keep the RECOSAVE export data set
RTC
166586
Implement
registered prefix IRVxxxxx for shared profile variables
Items
included in release 7.1.5
RTC158896
N/A
Status
tab in IGI target.json, erLastAccessDate in target.json
RTC154227
N/A
TSO/E
8 Character Userid support
RTC156626
N/A
Upgrade
expat libraries to 2.2.0
Items
included in release 7.1.4
RTC154238
Update
OpenSSL to release 1.0.2j
RTC154263
PMR
42182,122,000
Disable
SSLV3 and RC4 ciphers and certify TLS
1.1 / 1.2 is supported by the ADK
RTC156347
IV32546
Adapter
appears to be running while it was unable to connect to the
socket.
Items
included in release 7.1.3
RTC152014
Update
JSON in the adapter profile
RTC152018
Include
adapter mapping file in the adapter package
RTC152019
Include
a license folder in the adapter package
RTC149041
Add
two initial lines to CustomLabels.properties which are required
for translation
RTC
151010
Stickybit
set on adapter_readonly_home subfolders
Items
included in release 7.0.2
Fulfillment:
added support for account Add, Delete and Modify
Items
included in release 7.0.1
IGI
7.0.1 initial release
Closed Issues
Internal #
APAR/CASE#
Description
Items
closed in current release
SVGAD-247
IJ46552
Single
account lookup fails
SVGAD-421
CEEDUMP
in UserModify() for delete connect after add connect
SVGAD-324
TS012936062
SMF will show 2 PHRASE commands where the adapter should perform a PHRASE and a PASSWORD command.
Items
closed in release 10.0.8
RTC
191079
IJ43944
TS010824297
Customer
facing issue while creating new ID with RACF Adapter
Items
closed in release 10.0.7
RTC
190968
TS008612880
INVALIDGROUPNAME
Items
closed in release 10.0.6
RTC
190602
TS008309248
Thread:000004
Unable to load private key
RTC
190603
TS008525284
BN_BLINDING_convert_ex
RTC
190562
TS008252493
RACF
zSecure adapter permision name problem
RTC
190563
TS004169928
grpnamelist
as permission
RTC190564
TS008612880
IGIZSECURE
adapter wrong actions
Items
closed in release 10.0.5
TS008309248
Racf
certificate update shows incorrect valid date
Items
closed in release 10.0.4
RTC
189940
TS004169928
zSecure
RACF - Hebrew characters are returned reversed
RTC
189941
TS004946716
zSecure
RACF - no error returned for failing add or modify request
RTC
189942
TS004169928
zSecure
RACF - abend after receiving erzsrorgunit modify request
RTC
189943
zSecure
RACF - error when trying to delete non-existing account
RTC
189944
RACF
- no error is returned if a required attribute is missing from an
ADD request
RTC
189954
zSecure
RACF - add _CEE_RUNOPTS to start script
Items
closed in release 10.0.3
RTC
189789
TS004946716
Place
and document limitations on Hebrew language support
implementation.
RTC
189790
CSDATA
field delete is not correctly impletented in the RACF adapter
RTC
189791
TS005537447
RACF
adapter error when creating userid
RTC
189792
DEFECT:
standard RACF adapter recon does not work in IGI
Items
closed in release 10.0.2
RTC
188446
N/A
Fully qualified generic data set profiles not deleted.
RTC
188442
TS004983508
Duplicate values returned for CSDATA attributes
RTC
188441
TS004169928
Hebrew returned reversed during reconciliation
Historical Closed
Issues RACF adapter
Internal #
APAR/CASE#
Description
Items
closed in release 10.0.1
RTC
187967
IJ28450
Abend 0C4 after getpwuid() error
RTC
187968
Upgrade
to Expat 2.2.10
RTC
187569
TS004200685
Adapter
fails to delete profiles if the accounts connection to the group
has been revoked.
Items
closed in release 7.1.40
RTC
186766
TS003664857
AGJB04
writes empty JOBCHAR to registry
RTC
186767
TS003554276
ISIM_ADAPTER_CIPHER_LIST
variable is not having any effect with RACF adapter 6.0.39
RTC
186768
TS003680545
Error
when processing unmodified values in reply message
RTC
186769
TS003568847
Abend
when processing reconciliation request xmls
Items
closed in release 7.1.39
RTC
186212
TS003341275
RACF
"EDC5112I Resource temporarily unavailable”
RTC
186218
TS002493154
Increasing
memory allocations for erracconxml values during reconcilitations.
RTC
186218
TS002493154
Adapter
STC does not abort when running out of memory required for new
connection pthreads.
RTC
186213
TS003405510
vulnerability
CVE-2016-2183(SWEET32) reported on ISIM V6.0.
RTC
186214
DT040780
TS001615497
Memory
leak in ConnectionTest operations.
Items
closed in release 7.1.38
No
items included
Items
closed in release 7.1.37
RTC
184015
TS002309740
Adapter abend 40D, RC10
with the below messages in the CEEDUMP
5
_ermAlloc +00000076 libErmApi.dll
Call
6
ErmSBCSStrtoUCS2Str
+000000C0
libErmApi.dll
RTC
184017
TS002309740
Excessive
non-ISIM server connections causing abend
Starting
SSL handshake (OpenSSL)...
Handshake
failed. Error code: 1
SD_SEND
to socket
Start
SSL cleanup
Shutting
down SSL server...
Received
a segmentation violation...
RTC
183205
TS000891911
Debug
output in agentCfg tool causes DAML protocol configuration issues
RTC
184018
TS002307533
Account
DELETE continues with ISIMEXIT POST DELETE even if the account
can’t be deleted.
RTC
184019
TS002357498
<adapter_rw_home>/data/proc.xxx.out
files not removed after attempt to delete data set profiles
Items
closed in release 7.1.36
RTC
182687
Disallow
external calls to agentCfg port
RTC
182516
IJ12296
Reconciliation
doesn't return all accounts.
RTC
182686
Upgrade
to OpenSSL 1.0.2.q
Items
closed in release 7.1.35
RTC
181312
TS001341481
RACF
adapter returns rc ‘20030’ on account ADD
RTC
181313
IKJ567161I
when provisioning/modifying a custom attribute
RTC
181314
TS001529597
Adapter
abends during the reconciliation of CSDATA segment attributes
RTC
181315
Upgrade
to ADK 6.0.6
RTC
181319
TS001548171
IKJ56702I
INVALID USERID returns error for account DELETE where this should
return a success as the account no longer exists in RACF
Items
closed in release 7.1.34
RTC
179053
TS001248452
IKJ56716I
when provision/modify a comma-separated CSDATA value
RTC
179043
Upgrade
to OpenSSL 1.0.2p
Items
closed in release 7.1.33
RTC
177574
TS000991007
Add
an option to continue to use tsocmd to allow authorized TSO/E
commands to be executed from ISIMEXIT.
RTC
177573
IJ07503
TSO/E
STATUS command fails if the JOBNAME contains a $ character.
RTC
177575
TS001115032
SURROGATE
ID ignored on account MODIFY
Items
closed in release 7.1.32
RTC
174285
TS000145251
RACF
Adapter for ISIM 6.0 - tsoCmd: return code 255
when
using ISIMEXEC.
RTC
175922
TS000864011
Inconsistent
erraculogtime between full and filtered reco
Items
closed in release 7.1.31
RTC
173353
TS000114491
As an
ADK for z/OS developer I need to ensure that manually dropping the
DAML_PORT socket doesn't result in a loop
RTC
173360
TS000013259
Since
installing 6.0.29 customer cannot longer change the DAML password
RTC
173359
change
the group profile name from RacfGroupProfile to RACFgroupProfile
RTC
173723
Attempt
to destroy context for invalid socket results in dump in
_ermListFree
Items
closed in release 7.1.30
RTC169659
PSIRT
Malformed X.509 IPAddressFamily could cause OOB read
(CVE-2017-3735)
RTC170595
TS000026507
Report
Data Sync does not synchronize RACF Group memberships
Items
closed in previous releases
RTC
166463
PMR
22742,003,756
RSA
key length used by certTool increased from 1024 to 4096, which
allows
it to be NIST compliant beyond 2021.
RTC
166581
PMR
06883,999,724
Lock
file that is created during reconciliations is not removed when
switching between the SURROGATID and the ADAPTERID
RTC154305
RACF
Adapter Complex Attribute Handler NullPointerException
while trying to remove or add a connect group.
RTC162773
PMR
17895,001,862
The
adapter allowed multiple parallel reconciliation requests without
closing pipes and failing the duplicate requests.
RTC162775
IV96644
Memory
allocation related abends during reconciliation when processing
large amounts of connect groups for individual user accounts.
RTC162776
IV97317
erraculogtime
value is incorrect if the account has not been used after
creation.
RTC156346
Attribute
values following the string PASSWORD are masked in the adapter log
RTC156842
PMR
17895,001,862
Heap
storage problem in RACF agent
CEE3204S
The system detected a protection exception (System Completion
Code=0C4).
From
entry point _ermFree at compile unit offset +0000008A at entry
offset +0000008A at address 2500BF4A.
RTC154272
PMR
70620,704,704
RACF
adapter abend
CEE0802C
Heap storage control information was damaged.
From entry point
_ermAlloc at compile unit offset +00000076 at entry offset
+00000076 at address 2932CDAE.
From entry point
tsocmd_exec at compile unit offset +00002660 at entry offset
+00002660 at address 29113BE0.
CEE0802C Heap storage control
information was damaged.
From entry point _ermFree at compile
unit offset +00000084 at entry offset +00000084 at address
2932CF44.
CEE0802C Heap storage control information was
damaged.
From entry point tsocmd_exec at compile unit offset
+00002660 at entry offset +00002660 at address 29113BE0.
RTC154273
PMR
91447,L6Q,000
RACF
6.0.23 Abend 0c4
RTC154274
PMR
74909,077,649
RACF
agent started task on Z/OS 2.1 abends 0c4
RTC154275
IV92222
RACF
adapter crashes when handling ISIM requests
RTC154298
Adapter
abends when not receiving a connect owner value
RTC156631
PMR
75768,122,000
Abend
U4038
RTC
153442
IV90064
ErRacConXml
changed from string to binary in the IGI specific profile, this
change had to be undone in the standard profile to prevent abends.
KerbIsAES was changed back from KerbisAES128 to KerbIsAES to
prevent errors in existing installations.
RTC
153443
PMR
27999,200,838
Deleting
an account may fail if data set profiles for the account are still
defined in RACF.
RTC
153444
IV90607
The
adapter should first set a password before setting the password
interval when adding a new account.
RTC
151566
PMR
65622,004,000
Reconciliation
runs longer starting release 7.0.23 due to Fix0205 message
improvements
RTC
151007
subattribute
values from ComplexAttributeValue Object reset to default
RTC
151009
PMR
76787,122,000
Lookup
fails due to duplicate erracuname when NAME is specified in the
instdata field
RTC
151010
Stickybit
set on adapter_readonly_home subfolders
RTC
148905
PMR
76787,122,000
ISIMRECO
0C4 on fclose in Fix0205 message
RTC
148907
Lookup:
Connect attributes not updated.
RTC
148908
Error
while modifying BINDDN in PROXY segment
RTC
148909
Erraculogtime
is not returned with the lookup operation
RTC
148910
Accounts
with only BASE segment fail lookup
RTC
148911
Inconsistent
results when supplying AES as encryption parameter in KERB segment
RTC
148912
Reconciliation
and lookup not supported for erracuopmonitor
RTC149034
IV84697
Issue
changing from SURROGAT ID to Agent ID.
RTC 136796
IV79365
"Unload 0102 record is
missing" message during reconciliation.
RTC 141112
PMR 91113,003,756
RACF
Adapter 0C4 (protection exception) socket.
RTC 145789
Adapter uptime on
connectiontest is not updated.
RTC 144303
When you send a request to
modify multiple connect groups and all of these connect commands
fail, the adapter should return a failure.
RTC 144305
Change erracunoexpire from
semi-supported to supported
by
re-adding it to the account form.
RTC 144236
IV84697
ISIM 6 RACF adapter acct
creation error after delete / Thread security environment not
reset after using SURROGAT ID.
RTC 141532
PMR 91113,003,756
erracupwinterval
error message bogus.
RTC 141531
PMR 91113,003,756
ADK
bogus characters in Bind message.
RTC
145790
Missing profile
description: update racf2profile and racf2profiledesc
RTC
134668
IV79192
Adapter
ignores erracupwnoexpire on password change
RTC
134667
IV79171
R_Admin
is called during reconciliation when RECOSAVE data set name
contains “CO” characters.
RTC
134666
OpenSSL
upgrade to 1.0.1m
RTC
126656
IV77890
Update
ISIMEXIT to support current TSO/E implementation.
RTC
134037
Agent
abends after single account lookup from PIM server while
processing entries for all accounts defined to RACF
RTC
134036
RACF
recon fails because JOBCHAR(R) does not meet the standard for
jobnames
RTC
134035
IV77890
RACF
DELUSER returns ISIM console success but it fails
RTC
125820
IV74312
RACF
Adapter failed to open output file when processing >1000
simultaneous requests
RTC
124239
IV74312
Clear
text password visible while changing password using ISIM
RTC
121370
IV68067
Recon
failed, adapter didn't wait 99 seconds
RTC
121366
IV68479
RACF
adapter crashes when using PASSEXPIRE is true in combination with
a pass phrase ending with a '$' character.
RTC
121368
IV71138
Reconciliation
fails due to prefixing.
RTC
121369
IV67084
Errors
in CSDATA processing for one-character fields and integer fields.
RTC
121371
IV67900
Help
panel message AMGRA034 should be AGRMA034.
RTC
118499
Pre-Delete
exit does not work
IV65985
Add
account fails if 'KJ56644I
NO VALID TSO USERID, DEFAULT USER ATTRIBUTES USED'
is returned from RACF.
IV65547
RACF
adapter password command formatting errors when creating a new
account.
RTC 117760
AGRCCFG utility not working as expected
IV65076
ISIM RACF 6.0.7
SHORTCONNECT REGISTRY DEFAULT
IV65073
ISIM RACF 6.0.7 ADAPTER
MISSING PERMISSION INFO
RTC
113676
IV63089
Password
is set to EXPIRED on password change although "PASSEXPIRE"
is set to "TRUEADD"
RTC
112167
IV62670
Password not propagated on password change
RTC
109531
IV60839
Erracupwinterval:
Interval 0 not interpreted as NOINTERVAL
RTC
67672
Update
on previous fix: now also includes solution for agentCfg dumping
when entering a 4 character key when starting agentCfg
RTC
99335
AgentCfg
-codepages does not return information
RTC
108483
RacfAgent.dat
overwritten every IPL
RTC
108485
Openssl
upgraded to 10.1.g
RTC
109528
Changed
max thread settings and additional debug messages
RTC
109530
Running
the adapter in -console mode does not open remote socket
RTC
98358
IV52342
Warning
messages CONNECT group: incorrect characters returned in
errorMessage when creating a new account on the ISIM server and
specifying a connect group to which the user can not be added by
the adapter resulting in the following message on the ISIM server:
CTGIMD812E
An error occurred while processing the adapter response
message.
The following error occurred.
Error:
An invalid XML character (Unicode: 0x7) was found in the value of
attribute
"errorMessage" and element is "attr".
RTC
95787
IV47040
Adapter
issue with CONNECT group
RTC
95782
IV42240
Incorrect
characters present in some account attributes
RTC
64756
IV25449
Error
in setting the READ_TIMEOUT parameter.
RTC
67672
IV27957
When
trying to change the ISIM adapter Configuration Key using
agentCfg, a problem is encountered if the length of the new key is
less than 5 characters. If it is 4 characters or less the registry
will be corrupted.
Historical Closed Issues zSecure RACF adapter
Items
closed in release 10.0.1
RTC
187967
IJ28450
Abend 0C4 after getpwuid() error
RTC
187968
Upgrade
to Expat 2.2.10
Items
included in release 7.1.15
RTC
186767
TS003554276
ISIM_ADAPTER_CIPHER_LIST
variable is not having any effect with RACF adapter 6.0.39
RTC
186768
TS003680545
Error
when processing unmodified values in reply message
RTC
186769
TS003568847
Abend
when processing reconciliation request xmls
Items
included in release 7.1.14
RTC
186218
TS003341275
Adapter
STC does not abort when running out of memory required for
new
connection pthreads.
RTC
186213
TS003405510
vulnerability
CVE-2016-2183(SWEET32) reported on ISIM V6.0
RTC
186214
DT040780/TS0
01615497
Memory
leak in ConnectionTest operations.
RTC 186217
DT007148/TS000891911
Hebrew chars not passed to
zSecure adapter
Items
included in release 7.1.13
RTC
184015
TS002309740
Adapter abend 40D, RC10
with the below messages in the CEEDUMP
5
_ermAlloc +00000076 libErmApi.dll
Call
6
ErmSBCSStrtoUCS2Str
+000000C0
libErmApi.dll
RTC
184017
TS002309740
Excessive
non-ISIM server connections causing abend
Starting
SSL handshake (OpenSSL)...
Handshake
failed. Error code: 1
SD_SEND
to socket
Start
SSL cleanup
Shutting
down SSL server...
Received
a segmentation violation...
RTC
183205
TS000891911
Debug
output in agentCfg tool causes DAML protocol configuration issues
Items
included in release 7.1.12
RTC
182687
Disallow
external calls to agentCfg port
TS000891911
Hebrew
codepage aliases not checked and reading direction incorrect.
RTC
182516
IJ12296
Reconciliation
doesn't return all accounts.
RTC
182686
Upgrade
to OpenSSL 1.0.2.q
Items
included in release 7.1.11
RTC
181308
Upgrade
to ICU 3.6
RTC
181306
TS000891911
Hebrew
writing direction
RTC
181301
Incorrect
entry in adapter log for EXPORT data set
RTC
181302
TS001548171
IKJ56702I
INVALID USERID returns error for account DELETE where this should
return a success as the account no longer exists in RACF
RTC
181310
Upgrade
to Expat 2.2.6
RTC
181303
Upgrade
to z/OS ADK 6.0.6
Items
included in release 7.1.10
RTC
179043
Upgrade
to OpenSSL 1.0.2p
Items
included in release 7.1.9
RTC
174414
As an
ADK for z/OS developer I need to upgrade to OpenSSL 1.0.2o to
address PSIRT CVE-2018-0739
Items
included in release 7.1.8
RTC
173353
TS000114491
As an
ADK for z/OS developer I need to ensure that manually dropping the
DAML_PORT socket doesn't result in a loop
RTC
173360
TS000013259
Customer
cannot longer change the DAML password
RTC
173723
Attempt
to destroy context for invalid socket results in dump in
_ermListFree
Items
included in release 7.1.7
RTC170060
IJ02050
Abend 0C4 when modifying a single connect group for an account.
RTC170061
Error
returned for SURROGAT ID during account modify
RTC170055
PSIRT
Malformed X.509 IPAddressFamily could cause OOB read
(CVE-2017-3735)
Items
included in release 7.1.6
RTC
166463
PMR
22742,003,756
RSA
key length used by certTool increased from 1024 to 4096, which
allows
it to be NIST compliant beyond 2021.
Items
included in release 7.1.5
None
Items
included in release 7.1.4
RTC156346
Attribute
values following the string PASSWORD are masked in the adapter log
RTC156842
PMR
17895,001,862
Heap
storage problem in RACF agent
CEE3204S
The system detected a protection exception (System Completion
Code=0C4).
From
entry point _ermFree at compile unit offset +0000008A at entry
offset +0000008A at address 2500BF4A.
Items
included in release 7.1.3
None
Items
included in release 7.0.2
RTC
136791
Increase
length for erZsrResource and erZsrAccess
RTC
138813
PMR
54401,004,000 IBM
IGI zSecure RACF Adapter creates IGI-only roles
RTC
131691
ConnectionTest
requires CKGRACF for zSecure Version in service form
Known Issues and Limitations
Internal #
APAR #
PMR # / Description
N/A
This
release of the RACF Adapter does not support FIPS.
N/A
The
lookup operation will not return UAUDIT settings for an account
when the ADAPTER ID does not have the AUDIT attribute.
N/A
This
version of the zSecure RACF adapter does not support:
Attribute
modifications for resource profile access permissions: all RACF
resource profile access related data is presented readonly.
Reconciliation
of management access related attributes and values such as access
through system privileges (special, group-special, operations,
etc..), universal access or other permissions representing any
userid.
Reconciliation
of access to Unix files.
Data
from the following classes: GLOBAL,GROUP,CDT,CFIELD,NODES,
RACFVARS,RDATALIB,REALM,SECLABEL,STARTED,CSDATA
Any
account attributes or operations not specifically mentioned as
included in the adapter guide.
N/A
In
ISVG, when specifying RACF GROUPS as EXTERNAL ROLES, all CONNECT
commands will be limited to include the value “USE”, no rights
outside “USE” are included in the command the adapter issues
as ISVG does not support RIGHTS for EXTERNAL ROLES.
It
is possible to import the profile from the Profile_as_permission
folder in the installation package. This profile defines RACF
GROUPS as IGI PERMISSONS and will allow rights to be defined. If
RACF GROUPS are defined as permissions, RESOURCE PROFILE
permissions will no longer be associated to the GROUPS (zSecure
RACF only).
N/A
In
the current Security Verify Governance release it is NOT possible
to assign RESOURCE PROFILE permissions to an account or external
role. It is also not possible to remove resource profile
permissions from an external role. It is possible to remove
resource profile permissions from an account.
N/A
Resource
classes, profiles and permissions are not available in the
standard RACF adapter. The adapter does however accept server
requests that adhere to the following standards:
<?xml
version="1.0" encoding="UTF-8"?>
<LDAPMessage
ID="7056732228">
<BindRequest
Name="*****" Version="2.0">
<SimpleAuthentication
Password="*****">
</SimpleAuthentication>
</BindRequest>
<ModifyRequest
DN="eruid=IBMUSER">
<Modification
Operation="add">
<attr
name="erracprofaccesslist">
<value>FACILITY/IRR.RADMIN.LISTUSER/READ</value>
<value>FACILITY/IRR.RADMIN.ADDUSER/READ</value>
<value>DATASET/IBMUSER.**/READ</value>
</attr>
</Modification>
<Modification
Operation="delete">
<attr
name="erracprofaccesslist">
<value>FACILITY/IRR.RADMIN.LISTUSER/READ</value>
<value>FACILITY/IRR.RADMIN.ADDUSER/READ</value>
<value>DATASET/IBMUSER.**/READ</value>
</attr>
</Modification>
</ModifyRequest>
</LDAPMessage>
Support
for the configuration of the server request and/or reconciliation
of the involved permissions is currently not supported.
N/A
The
zSecure RACF adapter now also supports single account lookups from
IBM Security Verifty Governance Identity Manager. For a single
account lookup for which it does NOT use zSecure functionality,
instead it uses IRRXUTIL.
N/A
The
current IBM Security Verifty Governance and Governance Identity
Manager releases do not support connect groups as complex
attributes for the zSecure RACF adapter.
N/A
This
release of the RACF adapter does not support MFA
N/A
This
release of the adapter only offers limited language support. If
the IBM-424 code page is set, all space separated character based
string values will be considered to be Hebrew values. These values
will be reversed before applying a modification in RACF or in the
Verify Governance server to restore the writing direction and word
order. The only exception to this rule is the implementation of
numeric values, provided they are space-separated from
character-based string values.
N/A
Limited
compatibility with erracexecvar and erracexecname is available on
demand. Contact IBM Support for more details. Please include your
current ISIMEXIT and ISIMEXEC code in your request for support.
Installation and Configuration Notes
See your
products specific RACF Adapter or zSecure RACF Adapter Installation
and Configuration Guide for detailed instructions.
Corrections and/or additions to the Installation and
Configuration sections of the RACF adapter guide.
Chapter 1: Overview
No updates for the current
release
Chapter 2: Planning
No updates for the current
release
Chapter 3: Installing
Running the ISPF dialog
Update
JOBCHAR
Optional. Specifies the character to be added to the RECOJOB job
name when submitted. A JOBCHAR is required either in the JOBNAME in
the JCL or in the JOBCHAR registry setting if you change the name of
the JOB from RECOJOB to the name of an existing User ID. See The
JOB statement.
To:
Update
JOBCHAR
Optional. Specifies the character to be added to the RECOJOB job
name when submitted. A JOBCHAR is required either in the JOBNAME in
the JCL or in the JOBCHAR registry setting if you change the name of
the JOB from RECOJOB to the name of an existing User ID. See The
JOB statement.
If used, the adapterID or
surrogatID are not allowed to exceed 7 characters.
Chapter 4: Upgrading
No updates for the current
release
Chapter 5: Configuring
No updates for the current
release
Chapter 6: Troubleshooting
No updates for the current
release
Chapter 7: Reference
No
updates for the current release
Corrections and/or additions to the Installation and
Configuration sections of the zSecure RACF adapter guide.
Chapter 1: Overview
No
updates for the current release
Chapter 2: Planning
No
updates for the current release
Chapter 3: Installing
Communication
configuration
Importing
the adapter profile
About this task
Service
definition files are also called adapter profile files.
If the
adapter profile is not installed correctly, the adapter cannot
function correctly. You cannot create a service with the adapter
profile or open an account on the service. You must import the
adapter profile again.
Profiles contained in this
package:
There are 3 profiles contained in this
package. Two in the StandardProfiles folder: zSecRacfProfile.jar and
racf2profile.jar
These are the main profiles for the zSecure
RACF and the RACF adapters.
Another zSecRacfprofile.jar can be
found in the Profile_as_permission folder.
The difference
between the two profiles is described in the paragraph below.
Standard profile
The standard profile
in the main folder of the adapter package configures resource profile
permissions as external roles.
AGC
RACF groups are
defined as entitlements that can be granted to users. In the picture
below you will fined that RACF user CHUCK is connected to the SYSPROG
group.
This profile, which uses external roles, does not support rights. You
can not defined the connect rights to the group.
This profile does
provide an overview of the Entitlement hierarchy.
In the picture below
you can see that group ZTDEPT61 is a subgroup of ZTDEPT60 , which in
turn is a subgroup of ZSTWEAK , which is a subgroup of ZSTARGET,
which is a subgroup of ZSECURE.
ZSECURE has several
resource profile permissions assigned to it.
The resource profile
permissions are defined as external roles, which can be validated in
the Roles tab as depicted below.
An overview of the
resource profile permissions that are granted to a RACF group is also
provided in the Roles tab. In the picture below it shows the
resource profile permissions that are granted to RACF group ZSECURE.
In this structure
there are no rights that can be defined for RACF groups. If you
assign a user to a group, the adapter will only set the default USE
authority.
Service Center
In the service
center users can request a connect to a RACF group as an external
role.
In the picture below
you can see RACF user ZTU001 is entitled to use RACF group ZTDEPT61,
which is defined as an external role.
T
he
RACF user CHUCK is entitled to use RACF group SYSPROG as an external
role , to which he has the default USE authority.
Profile_as_permission
The profile that is
contained in Profile_as_permission folder in the adapter installation
package must be used to be able configure the rights for RACF connect
groups. To enable this, the RACF groups are imported as permissions.
It is not possible
to view the resource profile permissions that are granted to the
groups when using this profile. The hierarchy that links resource
profile permissions to groups requires the groups to be defined as
external roles. External roles however can not have rights.
The following
screenshots provide an overview of the settings that are available if
the profile from the Profile_as_permission folder is installed.
AGC
User CHUCK is a
member of the group SYSPROG
User CHUCK only has
AUTHORITY USE on the SYSPROG group
User ZSTU is
connected to three groups: ZDEPT61, ZDEPT31 and ZPACC02.
This user has the
authority to USE these groups.
In the Roles
overview the rights for each group can be reviewed.
Service Center
In the Service
Center the groups are presented as permissions that can be requested
and assigned as entitlements for a user.
Chapter 4: Upgrading
No updates for the current
release
Chapter 5: Configuring
No updates for the current
release
Chapter 6: Troubleshooting
No updates for the current
release
Chapter 7: Reference
No updates for the current
release
Upgrading to the current release
Upgrading
to the current release of adapter requires a full install of the
adapter.
Starting and stopping the adapter
Before
you start the adapter, ensure that TCP/IP is active.
Customizing or Extending Adapter Features
The IBM
Security Verify Adapters can be customized and/or extended. The type
and method of this customization may vary from adapter to adapter.
Getting Started
Customizing
and extending adapters requires a number of additional skills. The
developer must be familiar with the following concepts and skills
prior to beginning the modifications:
LDAP
schema management
Working
knowledge of scripting language appropriate for the installation
platform
Working
knowledge of LDAP object classes and attributes
Working
knowledge of XML document structure
Note:
This adapter supports customization only through the use of pre-Exec
and post-Exec scripting. The RACF adapter has REXX scripting options.
Please see the RACF Installation and Configuration guide for
additional details
Select
the latest server release to navigate to the latest version of the
adapter documentation.
Supported Configurations
Installation Platform
The IBM
Security Verify Adapter supports any combination of the following
product versions.
Adapter
Installation Platform:
z/OS
V2.4
z/OS
V2.5
z/OS
V3.1
Managed
Resource:
IBM
Security Server (RACF) for z/OS
zSecure
RACF specfic:
IBM
Security zSecure RACF V2.4.0 with applied 2020 Q2 SEE and higher.
IBM
Security zSecure RACF V2.5.x
IBM
Security Verify Governance:
IBM
Security Verify Governance v10.x
IBM
Security Verify Governance Identity Manager:
IBM
Security Verify Governance Identity Manager v10.x
Notices
This
information was developed for products and services offered in the
U.S.A. IBM may not offer the products, services, or features
discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently
available in your area. Any reference to an IBM product, program, or
service is not intended to state or imply that only that IBM product,
program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual
property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM
product, program, or service.
IBM may
have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not
give you any license to these patents. You can send license
inquiries, in writing, to:
IBM
Director of Licensing
IBM
Corporation
North
Castle Drive
Armonk,
NY 10504-1785 U.S.A.
For
license inquiries regarding double-byte (DBCS) information, contact
the IBM Intellectual Property Department in your country or send
inquiries, in writing, to:
IBM
World Trade Asia Corporation
Licensing
2-31
Roppongi 3-chome, Minato-ku
Tokyo
106-0032, Japan
The
following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION
"AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. Some states do not allow disclaimer of express or implied
warranties in certain transactions, therefore, this statement may not
apply to you.
This
information could include technical inaccuracies or typographical
errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the
publication. IBM may make improvements and/or changes in the
product(s) and/or the program(s) described in this publication at any
time without notice.
Any
references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of
those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your
own risk.
IBM may
use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees
of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently
created programs and other programs (including this one) and (ii) the
mutual use of the information which has been exchanged should
contact:
IBM
Corporation
2ZA4/101
11400
Burnet Road
Austin,
TX 78758 U.S.A.
Such
information may be available, subject to appropriate terms and
conditions, including in some cases, payment of a fee.
The
licensed program described in this information and all licensed
material available for it are provided by IBM under terms of the IBM
Customer Agreement, IBM International Program License Agreement, or
any equivalent agreement between us.
Any
performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating
environments may vary significantly. Some measurements may have been
made on development-level systems and there is no guarantee that
these measurements will be the same on generally available systems.
Furthermore, some measurements may have been estimated through
extrapolation. Actual results may vary. Users of this document should
verify the applicable data for their specific environment.
Information
concerning non-IBM products was obtained from the suppliers of those
products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the
accuracy of performance, compatibility or any other claims related to
non-IBM products. Questions on the capabilities of non-IBM products
should be addressed to the suppliers of those products.
Trademarks
The following terms are
trademarks or registered trademarks of International Business
Machines Corporation in the United States, other countries, or both:
IBM
IBM logo
RACF
IBM
Security Systems
Adobe,
Acrobat, Portable Document Format (PDF), and PostScript are either
registered trademarks or trademarks of Adobe Systems Incorporated in
the United States, other countries, or both.
Cell
Broadband Engine and Cell/B.E. are trademarks of Sony Computer
Entertainment, Inc., in the United States, other countries, or both
and is used under license therefrom.
Java and
all Java-based trademarks are trademarks of Sun Microsystems, Inc. in
the United States, other countries, or both.
Microsoft,
Windows, Windows NT®, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Intel®,
Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino™,
Intel Centrino logo, Celeron®, Intel Xeon™, Intel SpeedStep®,
Itanium®, and Pentium® are trademarks or registered trademarks of
Intel Corporation or its subsidiaries in the United States and other
countries.
UNIX is
a registered trademark of The Open Group in the United States and
other countries.
Linux is
a trademark of Linus Torvalds in the U.S., other countries, or both.
ITIL®
is a registered trademark, and a registered community trademark of
the Office of Government Commerce, and is registered in the U.S.
Patent and Trademark Office.
IT
Infrastructure Library® is a registered trademark of the Central
Computer and Telecommunications Agency which is now part of the
Office of Government Commerce.
Other
company, product, and service names may be trademarks or service
marks of others.
he
RACF user CHUCK is entitled to use RACF group SYSPROG as an external
role , to which he has the default USE authority.
