
Database Specific Options (CA Top Secret)

Last update July 25, 2016

The following configuration options for the CATSS_UTF back end are database-specific. This combination of options can be specified multiple times, once per security database being accessed.

  • database CATSS_UTF
    Begins the database-specific options for the CATSS_UTF back end. In this case, the database is CA Top Secret. This option can be configured multiple times, once for each security database that is accessed.
    Default: N/A
  • codeset csname
    Specifies the name of an EBCDIC codeset. The CA LDAP Server converts the host fields from UTF-8 to this EBCDIC codeset before passing them to the external security manager. The value csname must designate a single-byte EBCDIC code system. Possible values of this argument are documented in the XL C/C++ Programming Guide. Based on the information in this guide, csname must be one of the values in the FromCode column. The value in the ToCode column is always UTF-8.
    Default: IBM-1047
  • CreateAlias
    Specifies that an alias entry is defined for the account on the mainframe when the account is granted TSO access. This option applies to add and modify CA Top Secret account requests. It is configured once for all users and cannot be set differently for specific users. The relate parameter is required and names the user catalog that the alias is defined in. The catalog parameter is optional and defaults to the master catalog.
    Default: disabled
    Example: CreateAlias relate [catalog]
    The user must be given one of the following TSO privileges for an alias to be created:

    TSS Keyword    z/OS UFN
    TSOCOMMAND     TSO-Logon-Command
    TSOUNIT        TSO-Unit
    TSODEFPRFG     TSO-Performance-Grp
    TSODEST        TSO-Output-Destination
    TSOHCLASS      TSO-Hold-Class
    TSOJCLASS      TSO-Job-Class
    TSOLACCT       TSO-Logon-Account
    TSOLPROC       TSO-Logon-Proc
    TSOLSIZE       TSO-Region-Size
    TSOMCLASS      TSO-Message-Class
    TSOMSIZE       TSO-Max-Region-Size
    TSOOPT         TSO-Options
    TSOSCLASS      TSO-Sysout-Clas
    TSOUDATA       TSO-User-Data
  • DeleteAlias
    Indicates that the server attempts to delete the alias entry for the logonid when a CA Top Secret account is deleted. The attempt is made whether or not the logonid actually had an alias entry.
    Example: DeleteAlias
  • disable_acid_details
    By default, a scope=one or scope=sub search returns all attributes of each matching tssacid object. Version 2 returned only the DN of the tssacid object, and a subsequent scope=base query was required to retrieve the details. Add this option to restore the Version 2 behaviour.
    Default: N/A
  • disable_dept_details
    By default, a scope=one or scope=sub search returns all attributes of each matching tssdept object. Add this option if only the DN is to be returned.
    Default: N/A
  • disable_div_details
    By default, a scope=one or scope=sub search returns all attributes of each matching tssdiv object. Add this option if only the DN is to be returned.
    Default: N/A
  • disable_group_details
    By default, a scope=one or scope=sub search returns all attributes of each matching tssgroup object. Add this option if only the DN is to be returned.
    Default: N/A
  • disable_profile_details
    By default, a scope=one or scope=sub search returns all attributes of each matching tssprofile object. Version 2 returned only the DN of the tssprofile object, and a subsequent scope=base query was required to retrieve the details. Add this option to restore the Version 2 behaviour.
    Default: N/A
  • disable_segments
    Indicates that a one-level search for ACIDs issues a simple TSS LIST(acid) DATA(BASIC) command instead of a DATA(ALL) command. This saves time when you search a large number of ACIDs and need only the information that DATA(BASIC) returns.
    Default: DATA(ALL) command is issued
  • disable_zone_details
    By default, a scope=one or scope=sub search returns all attributes of each matching tsszone object. Add this option if only the DN is to be returned.
    Default: N/A
  • disable_list_acids
    Rejects LDAP search operations that could only be satisfied by issuing a TSS LIST(ACIDS) command. This protects CA Top Secret from runaway (unselective) searches that would list every ACID in the security file.
    Default: off (TSS LIST(ACIDS) is not blocked)
  • enable_refresh
    Enables CA LDAP Server to issue the TSS MODIFY(OMVSTABS) command. When performing add or modify of ACID data, if the UID or GID fields are modified, CA Top Secret requires a modify command be issued for changes to take effect. This option allows CA LDAP Server to issue this command, when needed, for the CA LDAP Server client application.
    Default: Does not issue the refresh command.
  • HostUFNOverride
    Specifies a file name that contains overrides for the user-defined fields. HostUFNOverride file_name is a security database-specific parameter. Using this option, the user-defined UFNs can be changed to values of your choice. See the UFNOverride option in the Configure Global Option section to override the base CA Top Secret fields.
    Default: N/A
    Example: HostUFNOverride ./production_tss_overrides.conf
  • naming_mode {tss|im}
    Configures which attribute naming mode the CA LDAP Server is using with the database statement.
    • tss
      Specifies to run the CA LDAP Server in CA Top Secret naming mode.
    • im
      Specifies to run the CA LDAP Server in CA Web Administrator mode.
    Default: tss
  • password_truncate
    Truncates the password to 8 bytes before logon. Because only the first 8 bytes reach the logon, any characters beyond them are not verified; do not enable this where clients are expected to authenticate with longer passwords.
    Default: disabled
  • preAddAcidMessage
    Before issuing the Add ACID command, writes the following string to the system console. If the string contains any spaces, enclose it in double quotes. To have the ACID substituted into the string before it is written to the console, put %s in the string.
    Default: A default message
    Example: preAddAcidMessage "ABC1023I Acid %s about to be added to CA Top Secret"
  • postAddAcidMessage
    After issuing the Add ACID command, writes the following string to the system console. If the string contains any spaces, enclose it in double quotes. To have the ACID substituted into the string before it is written to the console, put %s in the string.
    Default: A default message
    Example: postAddAcidMessage "ABC1023I Acid %s was added to CA Top Secret"
  • preModAcidMessage
    Before issuing the Modify ACID command, writes the following string to the system console. If the string contains any spaces, enclose it in double quotes. To have the ACID substituted into the string before it is written to the console, put %s in the string.
    Default: A default message
    Example: preModAcidMessage "ABC1023I Acid %s about to be modified in CA Top Secret"
  • postModAcidMessage
    After issuing the Modify ACID command, writes the following string to the system console. If the string contains any spaces, enclose it in double quotes. To have the ACID substituted into the string before it is written to the console, put %s in the string.
    Default: A default message
    Example: postModAcidMessage "ABC1023I Acid %s was modified in CA Top Secret"
  • preDelAcidMessage
    Before issuing the Delete ACID command, writes the following string to the system console. If the string contains any spaces, enclose it in double quotes. To have the ACID substituted into the string before it is written to the console, put %s in the string.
    Default: A default message
    Example: preDelAcidMessage "ABC1023I Acid %s about to be deleted from CA Top Secret"
  • postDelAcidMessage
    After issuing the Delete ACID command, writes the following string to the system console. If the string contains any spaces, enclose it in double quotes. To have the ACID substituted into the string before it is written to the console, put %s in the string.
    Default: A default message
    Example: postDelAcidMessage "ABC1023I Acid %s was deleted from CA Top Secret"
  • ptktappl
    Specifies the application ID (APPLID) that is passed on the RACROUTE VERIFY call. The ESM uses this value to identify the encryption key during PassTicket generation and authentication, so the application ID used to generate a PassTicket must be the same as the one used to authenticate it. When using CA LDAP Server with CA Chorus, set this option to the same value that CA Chorus is configured with. This matters when IBM PassTickets are used to authenticate users at a host.
    Default: CALDAP
    Example: ptktappl CALDAP
  • ptktReqrId
    (Optional) Specifies a server-level user ID that is cached in memory. This user ID is used to authenticate the server for all post-bind operations, allowing the server to request a PassTicket on behalf of a client logon.
    Example: ptktReqrId passgen
  • ptktReqrPwFile
    (Optional) Specifies the relative or fully qualified name of the encrypted password file that corresponds to the slapd.conf ptktReqrId option. The file is generated using the authid command line utility. Restrict read access to the file to the user ID that runs the CA LDAP Server.
    Example: ptktReqrPwFile ./authid.pwd
    Example: ptktReqrPwFile /ldap_install_directory/authid.pwd
  • tssRescheckClass
    Specifies the class name that CA LDAP Server issues a resource check against to verify that the logged on user id is authorized to use the LOG and STATUS parameters.
    Default: CALDAP
    Example: tssRescheckClass CALDAP2
  • tssRescheckEntity
    Specifies the entity HLQ name that CA LDAP Server issues a resource check against to verify that the logged on user id is authorized to use the LOG and STATUS parameters.
    Default: LDAP
    Example: tssRescheckEntity LDAPHLQ
  • siParms host port [ssl-required | ssl-supported] [cont]
    When accessing a security database on a different host, this option is used to configure the IP/port of the remote CA DSI Server being used to access that security file.
    When you start the CA LDAP Server with an siPARMS parameter specified, a connection is made with the CA DSI Server. If a connection cannot be established, the CA LDAP Server shuts down. If the optional keyword "cont" is specified, the CA LDAP Server continues to start up even if a connection cannot be made to the CA DSI Server. When a request comes in to the CA LDAP Server, the connection to the CA DSI Server is attempted again.
    • host
      Specifies the machine name or TCP/IP address of the remote CA DSI Server.
    • port
      Specifies the port the remote CA DSI Server was started on.
    • ssl-required
      (Optional) Specifies to use a secure connection between the CA LDAP Server on one LPAR and the remote CA DSI Server. If a secure connection cannot be established, the connection is dropped. This parameter is mutually exclusive with ssl-supported.
    • ssl-supported
      (Optional) Specifies to try to establish a secure connection between the CA LDAP Server on one LPAR and the remote CA DSI Server. If a secure connection cannot be established, the connection falls back to an unsecured one. Because that fallback is silent, a link that fails TLS negotiation is not rejected; use ssl-required where the traffic between the LPARs must be protected. This parameter is mutually exclusive with ssl-required.
    • cont
      (Optional) Specifies that the CA LDAP Server is allowed to start even if it cannot communicate with the remote CA DSI Server. Without this parameter, if the CA LDAP Server cannot communicate to the remote CA DSI Server, it shuts down.

    Default: N/A
    Example: siParms test-lpar.my.com 390 ssl-supported
    When running in a sysplex environment you can set up multiple CA DSI Servers to provide redundancy. This is accomplished by adding multiple siPARMS configuration statements. For example:

    siPARMS  plex-1.my.com  390  ssl-supported
    siPARMS  plex-2.my.com  390  ssl-supported
    siPARMS  plex-3.my.com  390  ssl-supported
    

    When configured in this way, the CA LDAP Server will try to communicate through plex-1. If a connection cannot be established with plex-1, CA LDAP Server will try to communicate through plex-2 followed by plex-3. Once a connection is established, all transactions are sent to that CA DSI Server. If the connection is broken for any reason, the selection process automatically starts over with plex-1.

  • siTimeOut
    Configures the time-out value, in seconds, for the previous siParms statement. When performing TCP/IP communication, you might want a transaction to time out if it cannot reach the other end.
    Default: N/A
    Example: siTimeOut 999
  • siTLSCertKeyLabel
    (optional) Specifies the label of the certificate to use that is in the certificate store specified by TLSKeyringName. The value label is the label assigned to the certificate when the certificate was connected to the keyring. If the value contains embedded blanks, it must be enclosed in double quotes. The certificate designated by label_here must include USAGE PERSONAL.
    Default: The default certificate in the certificate store will be used.
    Example: siTLSCertKeyLabel label_here
  • siTLSVerifyClient
    (optional) Specifies whether a client is required to present a certificate when attempting to establish an SSL or TLS connection with the server. The allowed values are as follows:
    • ON
      Indicates the server requests a certificate. If no certificate is provided or a bad certificate is provided, the session is immediately terminated.
    • OFF
      Indicates the server does not request a certificate.
    Default: N/A
  • suffix
    Specifies the DN that this back end services.
    Default: N/A
    Example: suffix host=test, o=company, c=us
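
A complete database stanza that combines the options above, written here as an added example rather than taken from the CA documentation or a shipped slapd.conf. The host names, the suffix, the certificate label, the password-file path and the user catalog name are placeholders chosen for the example; the option keywords and their argument forms are the ones documented above. Comments are on their own lines to avoid depending on trailing-comment support.

```conf
# Added example: one CATSS_UTF database stanza for slapd.conf.
# Every host name, path, label and catalog name below is an assumption.
database          CATSS_UTF
suffix            host=prod, o=company, c=us
codeset           IBM-1047
naming_mode       tss

# Security file lives on another LPAR; three CA DSI Servers for redundancy.
# ssl-required refuses a cleartext fallback; cont lets this server start
# even if no CA DSI Server answers at startup (the connection is retried
# on the first request). Selection always restarts at plex-1 after a break.
siParms           plex-1.my.com 390 ssl-required cont
siParms           plex-2.my.com 390 ssl-required cont
siParms           plex-3.my.com 390 ssl-required cont
siTimeOut         30
# Assumed label; the certificate must be connected with USAGE PERSONAL.
siTLSCertKeyLabel "CALDAP SI CLIENT"

# PassTicket authentication. ptktappl must match the APPLID the other side
# (for example CA Chorus) generates PassTickets with.
ptktappl          CALDAP
ptktReqrId        passgen
# Generated with the authid utility; keep it readable only by the server ID.
ptktReqrPwFile    /ldap_install_directory/authid.pwd

# Bound searches: never let an unselective search turn into TSS LIST(ACIDS),
# and answer one-level ACID searches from DATA(BASIC) instead of DATA(ALL).
disable_list_acids
disable_segments

# Issue TSS MODIFY(OMVSTABS) automatically when a UID or GID changes.
enable_refresh

# TSO alias handling: relate is the user catalog (assumed name), catalog
# is omitted so the alias goes into the master catalog.
CreateAlias       USERCAT.PROD
DeleteAlias

# Console trail around every ACID add and delete, %s becomes the ACID.
preAddAcidMessage  "ABC1023I Acid %s about to be added to CA Top Secret"
postAddAcidMessage "ABC1023I Acid %s was added to CA Top Secret"
preDelAcidMessage  "ABC1023I Acid %s about to be deleted from CA Top Secret"
postDelAcidMessage "ABC1023I Acid %s was deleted from CA Top Secret"
```

Two points are worth checking after a change like this: with ssl-required and no cont keyword the server would refuse to start if none of the three CA DSI Servers were reachable, so the cont keyword is what turns that into a deferred retry; and disable_list_acids changes client-visible behaviour, because a subtree search that previously enumerated all ACIDs is now rejected, so client applications have to issue searches that map to a specific ACID, department, division or zone.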