The TSSLDS server subtask is started by CA Top Secret when the LDS Control Option is enabled. The server subtask communicates with all remote LDAP directories defined to the local system.
TSSLDS executes as a subtask, within the CA Top Secret address space.
To enable LDS journaling, include the LDSJRNL DD statement in the CA Top Secret procedure.
To enable LDS recovery capabilities, include the LDSRCVR DD statement in the CA Top Secret procedure.
LDS uses a journal file to provide a historical record of outbound LDAP requests to LDAP servers. All requests and corresponding messages are journaled. When transmitting a request to an LDAP server, LDS records the image in the LDSJRNL file. Before each request or message is written, a header provides the following details:
Before starting the LDS journal processing, you must ensure that the LDSJRNL DD statement is omitted from your CA Top Secret started task JCL. This setup allows CA Top Secret to dynamically allocate the journal file to SYSOUT after JES becomes active.
Note: If the DD statement is present in the started task JCL, the journal file will not be available if CA Top Secret is started before JES is active.
LDS uses the recovery file to provide recovery capabilities for outbound LDS transmissions.
All outbound commands:
Remove recovery file records manually from the recovery file with a TSS REM(*LDSRECV) command.
The LDS recovery file is defined in the CA Top Secret procedure using the LDSRCVR DD statement. The recovery file must be created and initialized prior to starting the LDS recovery processing.
To create the LDS recovery file, use the INITLDSR job in the SAMPJCL library. This JCL specifies BLKSZ=8196; you can change the BLKSZ value to any multiple of 1024.
Important! The LDS Recovery File cannot be shared across multiple systems.
If the LDS Recovery File is not defined or the file fails to open, command routing through LDS can still occur, but commands that receive no response are not retransmitted.
If the LDS Recovery File becomes temporarily full, a message is written to the CA Top Secret job log and to the console each time LDS attempts to write a record to the file and cannot. LDS operation continues, but in case of failure the unwritten command cannot be recovered.
You can remove pending commands from the LDS Recovery File by date and by node.
Examples: remove pending command
This example removes all records for the specified node:
TSS REMOVE(*LDSRECV) NODELIST(ldapnode1,ldapnode2)
This example removes all records up to, and including, the specified date:
TSS REMOVE(*LDSRECV) UNTIL(mm/dd/yy)
The NDT LDSYSID record can define LDS global options for systems sharing the security file. If a system starts up and no LDSYSID record exists in the NDT for that system, LDS global options are retrieved from the startup control options file.
The LDSYSID record is used to define the LDS global options:
The supported keywords for an NDT LDSYSID record are:
If Journaling is enabled, the file specified via JOURNALDSN is dynamically allocated only if no LDSJRNL DD statement exists in the TSS startup JCL.
Example: create an LDSYSID options record
This example creates an LDSYSID options record for system ID= SYS1:
TSS ADD(ndt) LDSYSID(SYS1)
TIMEOUT(10)
RETRY(010)
DEBUG(NO)
JOURNAL(YES)
If remote LDAP servers require SSL authentication of server and client identities, use digital certificates when establishing the connection between the CA Top Secret LDS component and the remote LDAP servers.
All digital certificates used for LDS authentication are grouped in a KEYRING attached to the TSSLDS ACID.
The keyring name is defined in the NDT/LDSYSID options record. The keyring should group:
If CLIENT authentication is required for an LDAP server, the NDT/LDAPNODE record should include the LABLCERT keyword, which defines the LABEL of the PERSONAL certificate.
Examples: set up SSL
This example creates the LDS special ACID:
TSS CREATE(TSSLDS) TYPE(USER)
NAME('LDS STC ACID')
PASS(password,0)
DEPT(OMVSDEPT)
FACILITY(STC)
GROUP(OMVSGRP)
TSS ADD(TSSLDS) DFLTGRP(OMVSGRP)
This example defines the KEYRING name:
TSS ADD(tsslds) KEYRING(ring0001)
This example defines the CERTAUTH certificate if not previously defined:
TSS ADD(tsslds) DIGICERT(certaut1)
DCDSN(user.cert.lds)
TRUST
This example adds the CERTAUTH certificate to the KEYRING:
TSS ADD(tsslds) KEYRING(ring0001)
RINGDATA(tsslds,certaut1)
USAGE(certauth)
This example generates a PERSONAL certificate:
TSS GENCERT(TSSLDS) DIGICERT(certper1)
SUBJECTN(CN=tsslds)
This example adds the PERSONAL certificate to the KEYRING:
TSS ADD(tsslds) KEYRING(ring0001)
RINGDATA(tsslds,certper1)
USAGE(personal)
This example defines the KEYRING in the NDT LDSYSID options record for the local system:
TSS ADD(NDT) LDSYSID(sys1)
KEYRING(ring0001)
This example defines the PERSONAL certificate label name in the NDT LDAPNODE record:
TSS ADD(NDT) LDAPNODE(testnode)
LABLCERT(certper1)
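As an added consistency check, written for this page and not part of CA Top Secret or this guide, the following Python script parses the SSL setup commands above (embedded as constructed sample input) and verifies the relationships the text requires: the LDSYSID record names a keyring, that keyring holds a CERTAUTH certificate, and every LDAPNODE LABLCERT names a PERSONAL certificate in that keyring. The parser and the record model are assumptions for illustration, not the product's own API.

```python
import re

# Constructed sample input: the SSL setup commands from this page, one command
# per string, with the continuation lines joined by spaces.
SSL_SETUP = [
    "TSS ADD(tsslds) KEYRING(ring0001)",
    "TSS ADD(tsslds) DIGICERT(certaut1) DCDSN(user.cert.lds) TRUST",
    "TSS ADD(tsslds) KEYRING(ring0001) RINGDATA(tsslds,certaut1) USAGE(certauth)",
    "TSS GENCERT(TSSLDS) DIGICERT(certper1) SUBJECTN(CN=tsslds)",
    "TSS ADD(tsslds) KEYRING(ring0001) RINGDATA(tsslds,certper1) USAGE(personal)",
    "TSS ADD(NDT) LDSYSID(sys1) KEYRING(ring0001)",
    "TSS ADD(NDT) LDAPNODE(testnode) LABLCERT(certper1)",
]

# KEYWORD or KEYWORD(value); values on this page contain no nested parentheses.
KEYWORD = re.compile(r"([A-Z]+)(?:\(([^)]*)\))?")


def parse(cmd):
    """Split one TSS command into (verb, target, {KEYWORD: value or None})."""
    tokens = KEYWORD.findall(" ".join(cmd.split()).upper())
    if tokens and tokens[0] == ("TSS", ""):
        tokens = tokens[1:]
    verb, target = tokens[0]
    keywords = {k: (v.strip() or None) for k, v in tokens[1:]}
    return verb, target, keywords


def check_ssl_setup(commands):
    """Return a list of findings; an empty list means the records are consistent."""
    ring_usage = {}   # (keyring, certificate label) -> USAGE value
    lds_ring = None   # KEYRING named in the NDT LDSYSID record
    nodes = {}        # LDAPNODE name -> LABLCERT label (None if no client auth)
    for cmd in commands:
        verb, target, kw = parse(cmd)
        if verb != "ADD":
            continue
        if "RINGDATA" in kw:
            _owner, label = kw["RINGDATA"].split(",")
            ring_usage[(kw.get("KEYRING"), label)] = kw.get("USAGE")
        elif target == "NDT" and "LDSYSID" in kw:
            lds_ring = kw.get("KEYRING")
        elif target == "NDT" and "LDAPNODE" in kw:
            nodes[kw["LDAPNODE"]] = kw.get("LABLCERT")
    if lds_ring is None:
        return ["LDSYSID record names no KEYRING"]
    findings = []
    if "CERTAUTH" not in {u for (r, _), u in ring_usage.items() if r == lds_ring}:
        findings.append(f"keyring {lds_ring} holds no CERTAUTH certificate")
    for node, label in nodes.items():
        if label and ring_usage.get((lds_ring, label)) != "PERSONAL":
            findings.append(f"LDAPNODE {node}: LABLCERT {label} is not a PERSONAL "
                            f"certificate in keyring {lds_ring}")
    return findings
```

Run `check_ssl_setup(SSL_SETUP)` to confirm the page's own sequence passes; pointing LABLCERT at the CERTAUTH label or dropping the LDSYSID record produces a finding.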
Copyright © 2014 CA Technologies.
All rights reserved.