

How to Configure a CA LDAP Server for z/OS User Directory Connection

You can use CA LDAP Server for z/OS as a CA SiteMinder® user store. The following process lists the steps for configuring the user store connection to the Policy Server:

  1. Review the following information:
  2. Configure the Policy Server registry entries for TSS, ACF2, or RACF.
  3. Configure the user directory connection.
CA LDAP Server for z/OS Overview

You can configure a CA LDAP Server for z/OS as a user store by configuring a connection from the Policy Server to the LDAP Server. How you configure the connection from the Policy Server to the LDAP Server depends on the backend option that you are using to secure the LDAP Server:

[Illustration: how backend security is provided for the CA LDAP Server]

CA supports the following backend security options for CA LDAP Server:

  * CA Top Secret (TSS)
  * CA ACF2
  * RACF

Become familiar with the objectclass hierarchy for the backend security option you use before configuring the connection from the Policy Server to the LDAP Server. Also, add the backend-related objectclasses to the Policy Server registries in the LDAP namespace.

Note: z/OS is an IBM operating system for mainframe computers.

SiteMinder Features Not Supported by CA LDAP Server for z/OS (TSS)

CA LDAP Server for z/OS does not support the following CA SiteMinder® features:

Password Services

Password Services is not supported.

Anonymous Binds

When configuring a CA LDAP Server r15 for z/OS as a user store, provide values for the Administrator Credentials in the Create User Directory page.

Characters Not Supported in User Names

The following characters are not supported in user names:

User Groups and Policies

Adding a user group to a policy and attempting to authorize a user in that group fails.

Load Balancing and Failover (For TSS)

Load balancing and failover are not supported.

LDAP Failover and Replication (For RACF and ACF2)

LDAP failover and replication are not supported.

CA Top Secret r12 (TSS) Backend Security Option

When you are using TSS to secure the CA LDAP Server for z/OS, complete the following steps before configuring the connection from the Policy Server to the CA LDAP Server:

  1. Become familiar with the TSS objectclass hierarchy.
  2. Add the TSS objectclasses to the Policy Server registries in the LDAP namespace.
TSS Objectclass Hierarchy

The following diagram shows the hierarchy of objectclass entries in the CA Top Secret Directory Information Tree (DIT). Below the diagram is a description of each objectclass.

[Diagram: TSS objectclass hierarchy]

Objectclass host

Object class used to start access to the objectclass hierarchy for a CA Top Secret database.

Objectclass tsssysinfo

Object class used to create branches in the objectclass hierarchy below the host.

Objectclass tssadmingrp

Object class used to create branches in the objectclass hierarchy below the host.

Values:

Objectclass tssacid

Object class used to access the ACID record fields of all user types.

Objectclass tssacidgrp

Object class used to create the branches in the objectclass hierarchy below an acid.

Configure Policy Server Registry Entries for TSS

The CA LDAP Server for z/OS contains different object classes than other LDAP servers. Before configuring a connection from the Policy Server to the CA LDAP Server, add the TSS objectclasses to certain Policy Server registry entries in the LDAP namespace. Substitute the replacement values for the default values of the following Policy Server registry entries:

registry_entry_home

Specifies the following registry entry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Ds

default_value

Specifies the default value of the registry entry.

replacement_value

Specifies a new value containing the TSS objectclasses for the registry entry.

Add the following TSS object classes to this registry entry:

TSS Objectclass     Registry Key Type     Data
eTTSSAcidName       REG_DWORD             0x00000001 (1)
tssacid             REG_DWORD             0x00000001 (1)
tssacidgrp          REG_DWORD             0x00000002 (2)
tssadmingrp         REG_DWORD             0x00000003 (3)

Note: Some LDAP queries that the Policy Server issues (such as a full list of users) can take up to 60 seconds to complete. Under these conditions most of the queries from the Policy Server side time out. To improve connectivity, you can adjust the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Debug]
LDAPPingTimeout = 300 (REG_DWORD)

Configure CA LDAP Server for z/OS User Directory Connections

You configure the user directory connection to let the Policy Server communicate with the user store.

Note: Load balancing and failover are not supported for this LDAP server.

Follow these steps:

  1. Click Infrastructure, Directory.

    Objects related to user directories appear on the left.

  2. Click User Directories.

    The User Directories screen appears.

  3. Click Create User Directory.

    The Create User Directory screen appears and displays the required settings to configure an LDAP connection.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  4. Complete the required connection information in the General and Directory Setup areas.

    Note: If the Policy Server is operating in FIPS mode and the directory connection is to use a secure SSL connection when communicating with the Policy Server, the certificates used by the Policy Server and the directory store must be FIPS compliant.

  5. Configure the LDAP search and LDAP user DN lookup settings in the LDAP Settings area.

    Note: Be sure to enter 100 in Max Time. The Policy Server requires this amount of time to retrieve data from this LDAP Server.

  6. Do the following in the Administrator Credentials area:
    1. Select the Require Credentials option.
    2. Type the full DN of an administrator in Username.
    3. Type the administrator password in Password.

    Note: TSS does not allow anonymous binds to the user store.

  7. (Optional) Specify the user directory profile attributes that are reserved for CA SiteMinder® use in the User Attributes area.
  8. (Optional) Click Create in the Attribute Mapping List area to configure user attribute mapping.
  9. Click Submit.

    The user directory connection is created.

CA LDAP Server r15 for z/OS (ACF2) Backend Security Option

This section describes the settings that are required to configure the CA LDAP Server r15 for z/OS (ACF2) as a user store with the Policy Server.

ACF2 Objectclass Hierarchy

The following illustration shows the hierarchy of objectclass entries in the CA ACF2 Directory Information Tree (DIT). The illustration provides a description of each objectclass.

[Diagram: hierarchy of the object classes in ACF2]

Objectclass host

Object class that is used to start access to the objectclass hierarchy for a CA ACF2 database.

Objectclass acf2admingrp

Object class that is used to create branches in the objectclass hierarchy below the host.

Values:

Objectclass acf2lid

Object class that is used to access the LID record fields (user records). The acf2lid is the only objectclass that can be added, modified, and deleted. All other objectclass objects are read-only.

Objectclass acf2lidgrp

Object class that is used to emulate groups in CA ACF2.

Objectclass acf2ruletype

Object class that is used to group like rule types. The acf2ruletype objectclass is read-only and cannot be modified, added, or deleted.

Configure Policy Server Registry Entries for ACF2

The CA LDAP Server r15 for z/OS (ACF2) contains a different set of objectclasses than other LDAP servers. Before configuring a user directory connection from the Policy Server to the CA LDAP Server, add the ACF2 objectclasses to certain Policy Server registry entries in the LDAP namespace. Substitute the replacement values for the default values of the following Policy Server registry entries:

registry_entry_home

Specifies the following registry entry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Ds

default_value

Specifies the default value of the registry entry.

replacement_value

Specifies a new value containing the ACF2 objectclasses for the registry entry.

ACF2 Objectclass    Registry Key Type     Data
acf2lid             REG_DWORD             0x00000001 (1)
acf2admingrp        REG_DWORD             0x00000002 (2)
eTACFLidName        REG_DWORD             0x00000001 (1)

Registry Entry      Registry Key Type     Data
LDAPPingTimeout     REG_DWORD             300

Note: The value of this registry key can be changed based on the response time of the CA LDAP Server r15 for z/OS (ACF2).

CA LDAP Server r15 for z/OS (RACF) Backend Security Option

This section describes the settings that are required to configure the CA LDAP Server r15 for z/OS (RACF) as a user store with the Policy Server.

RACF Namespace Hierarchy

The following illustration shows the hierarchy of namespace entries in the RACF Directory Information Tree (DIT). The illustration provides a description of each namespace. The RACF namespace hierarchy is similar to the ACF2 object class hierarchy.

[Diagram: RACF namespace hierarchy]

Similar to the ACF2 Server, the top four entries in the hierarchy are reserved, read-only, and generated by the server. The purpose of these reserved entries is to enable a hierarchical representation of RACF users, groups, and connections.

Configure Policy Server Registry Entries for RACF

The CA LDAP Server r15 for z/OS (RACF) contains a different set of objectclasses than other LDAP servers. Before configuring a user directory connection from the Policy Server to the CA LDAP Server, add the RACF objectclasses to certain Policy Server registry entries in the LDAP namespace. Substitute the replacement values for the default values of the following Policy Server registry entries:

registry_entry_home

Specifies the following registry entry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Ds

default_value

Specifies the default value of the registry entry.

replacement_value

Specifies a new value containing the RACF objectclasses for the registry entry.

RACF Objectclass    Registry Key Type     Data
eTRACUserid         REG_DWORD             0x00000001 (1)
eTRACAdminGrp       REG_DWORD             0x00000002 (2)

Registry Entry      Registry Key Type     Data
LDAPPingTimeout     REG_DWORD             300

Note: The value of this registry key can be changed based on the response time of the CA LDAP Server r15 for z/OS (RACF).
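The registry changes described for the TSS, ACF2 and RACF backends above, as an added PowerShell example that is not part of the CA documentation. It assumes that each objectclass is stored as a REG_DWORD value named after the objectclass directly under the Ds key, and that LDAPPingTimeout lives under the Debug key named in the TSS section; the function names are hypothetical.

```powershell
# Added example, not CA's own code. Run in an elevated PowerShell on the Policy Server host.
# Assumption: objectclasses are REG_DWORD values named after the objectclass under the Ds key.
$Base = 'HKLM:\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion'

# Objectclass -> DWORD data, copied from the tables on this page.
$ObjectclassMap = @{
    TSS  = [ordered]@{ eTTSSAcidName = 1; tssacid = 1; tssacidgrp = 2; tssadmingrp = 3 }
    ACF2 = [ordered]@{ acf2lid = 1; acf2admingrp = 2; eTACFLidName = 1 }
    RACF = [ordered]@{ eTRACUserid = 1; eTRACAdminGrp = 2 }
}

function Set-SmZosBackendRegistry {
    param(
        [Parameter(Mandatory)][ValidateSet('TSS', 'ACF2', 'RACF')][string]$Backend,
        [int]$PingTimeoutSeconds = 300   # LDAPPingTimeout value recommended on this page
    )
    $dsKey    = Join-Path $Base 'Ds'
    $debugKey = Join-Path $Base 'Debug'
    foreach ($key in @($dsKey, $debugKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    foreach ($entry in $ObjectclassMap[$Backend].GetEnumerator()) {
        # -Force overwrites an existing value of the same name, so the script is idempotent.
        New-ItemProperty -Path $dsKey -Name $entry.Key -PropertyType DWord `
            -Value $entry.Value -Force | Out-Null
    }
    New-ItemProperty -Path $debugKey -Name 'LDAPPingTimeout' -PropertyType DWord `
        -Value $PingTimeoutSeconds -Force | Out-Null
}

# Reads the Ds key back and reports every objectclass value that is missing or wrong.
function Test-SmZosBackendRegistry {
    param([Parameter(Mandatory)][ValidateSet('TSS', 'ACF2', 'RACF')][string]$Backend)
    $ds = Get-ItemProperty -Path (Join-Path $Base 'Ds')
    $ok = $true
    foreach ($entry in $ObjectclassMap[$Backend].GetEnumerator()) {
        $actual = $ds.($entry.Key)    # $null when the value does not exist
        if ($actual -ne $entry.Value) {
            Write-Warning "$($entry.Key): expected $($entry.Value), found '$actual'"
            $ok = $false
        }
    }
    return $ok
}

Set-SmZosBackendRegistry -Backend RACF
Test-SmZosBackendRegistry -Backend RACF
```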

Configure a Connection from the Policy Server to CA LDAP Server for z/OS

To configure a directory connection from the Policy Server to the CA LDAP Server for z/OS (RACF) or CA LDAP Server for z/OS (ACF2), open an existing user directory object in the Administrative UI.

Follow these steps:

  1. Open the User Directory Dialog.
  2. In Directory Setup, select LDAP as the namespace.
  3. Enter the connection information for your LDAP directory.

    Note: Failover is not supported for this LDAP Server.

  4. In the LDAP Search section, in the Max Time field, specify a value of 300 seconds.

    Note: A greater timeout value is required, because the Policy Server takes more time to retrieve data from this LDAP Server.

  5. In Credentials and Connection, specify administrator credentials that the Policy Server uses to connect to this LDAP Server.

    Important! Specifying administrator credentials is mandatory as anonymous binds to the user store are not allowed with CA LDAP Server r15 for z/OS (RACF) and CA LDAP Server r15 for z/OS (ACF2).
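A pre-flight check for the directory connection described in the TSS and RACF/ACF2 procedures above, as an added PowerShell example that is not part of the CA documentation. It confirms that an anonymous bind is refused, that the administrator DN binds, and how long a user search takes within the Max Time limit; the server name, DNs, the `cn` attribute and the function name are placeholders, and the user objectclass defaults to the TSS value (use `acf2lid` or `eTRACUserid` for the other backends).

```powershell
# Added example, not CA's own code. Exercises the LDAP connection the way the Policy Server
# will use it. Server, DNs and the 'cn' attribute are placeholders for your environment.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-ZosLdapUserStore {
    param(
        [Parameter(Mandatory)][string]$Server,           # 'host:port', placeholder
        [Parameter(Mandatory)][string]$AdminDn,          # full DN, as the page requires
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$BaseDn,
        [string]$UserObjectclass = 'tssacid',            # acf2lid / eTRACUserid for ACF2 / RACF
        [int]$MaxTimeSeconds = 300                       # 100 for TSS, 300 for ACF2/RACF per this page
    )
    $result = [ordered]@{ AnonymousRejected = $false; AdminBindOk = $false
                          UserCount = -1; ElapsedSeconds = -1 }

    # 1. Anonymous bind must be refused. A network failure also lands here, so read
    #    this flag together with AdminBindOk.
    $anon = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    $anon.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    try { $anon.Bind() }
    catch [System.DirectoryServices.Protocols.DirectoryException] { $result.AnonymousRejected = $true }
    finally { $anon.Dispose() }

    # 2. Simple bind with the administrator DN and password (Require Credentials).
    $cred = [System.Net.NetworkCredential]::new($AdminDn, $Password)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Timeout  = [TimeSpan]::FromSeconds($MaxTimeSeconds)
    try {
        $conn.Bind($cred)
        $result.AdminBindOk = $true
        # 3. Subtree search for user entries under the same time limit as the Max Time setting.
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $BaseDn, "(objectclass=$UserObjectclass)",
            [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]@('cn'))
        $req.TimeLimit = [TimeSpan]::FromSeconds($MaxTimeSeconds)
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        $resp = $conn.SendRequest($req)
        $result.UserCount = $resp.Entries.Count
        $result.ElapsedSeconds = [int]$sw.Elapsed.TotalSeconds
    } finally { $conn.Dispose() }
    return [pscustomobject]$result
}

$pw = Read-Host -AsSecureString -Prompt 'Administrator password'
Test-ZosLdapUserStore -Server 'zos-ldap.example.internal:389' `
    -AdminDn 'cn=ldapadmin,host=MYHOST' -Password $pw -BaseDn 'host=MYHOST'
```

If AnonymousRejected is false while AdminBindOk is true, the server accepted an anonymous bind, which contradicts the requirement stated above and should be raised with the LDAP Server administrator.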