RACF Commands Translated To CA Top Secret Equivalents For Informatica Product.

Document ID : KB000052913
Last Modified Date : 14/02/2018

Description:

The following is from the Informatica documentation:

Capture Registration and Extraction Map Security
This function provides security for defining, changing, and using capture registrations and extraction maps. The PowerExchange Navigator GUI provides the USER information by means of a user ID and password. Security checking is performed on the backend of the MVS platform. This feature is available only on MVS.

RACF Definitions
By default, PowerExchange uses RACF class FACILITY for the change data capture resource profiles. You can specify that PowerExchange use a different class for these resource profiles using the DBMOVER configuration file parameter RACF_CLASS. If you specify a different class in this parameter, the class must exist in RACF. If a new RACF class is created, the maximum length of a resource name has to be specified. The maximum length is 128 bytes which is also the default.

You can create the definition by using the following sample:

**********************************************************************
* *
* RACF ROUTER TABLE *
* *
**********************************************************************
* *
ICHRFR01 CSECT
PowerExchange ICHRFRTB CLASS=DETAIL,ACTION=RACF
ENDTAB ICHRFRTB TYPE=END
END ICHRFR01

The resources used as part of the RACF definitions cannot exceed the maximum length.

You can define the resources as generic resources to minimize the number of RACF definitions. For example:
Resources in Class
Registration Where:

Parameter          Valid Values       Description
dbtype             IMS                IMS
                   DB2                DB2
                   ADA                Adabas
                   VSM                VSAM
                   DCM                Datacom
                   IDM                IDMS
dbid               Character string   Instance value, Database ID, or Collection ID that is specified in the registration group containing the capture registration.
registration_name  Character string   Capture registration name.
table_name         Character string   Capture registration table name.
 
Access to Resource 
Example Registration Definitions 
CAPX.REG.ADA.* (G) 
CAPX.REG.DB2.ADA200.RACF001 
CAPX.REG.DB2.ADA200.RACF002 
CAPX.REG.DB2.ADA200.* (G) 
CAPX.REG.DB2.ADA6531.* (G) 
CAPX.REG.DB2.DSN1.* (G) 
CAPX.REG.DB2.DS1G.STU* (G) 
CAPX.REG.DB2.DS1G.* (G) 
CAPX.REG.DB2.* (G) 
CAPX.REG.IMS.* (G) 
Example Extraction Definitions 
CAPX.CND.ADA200.* (G) 
CAPX.CND.ADA6531.* (G) 
CAPX.CND.DSN1.STU* (G) 
CAPX.CND.DSN1.* (G) 
CAPX.CND.DS1G.STU* (G)

What are the CA Top Secret equivalents of the above?

Solution:

For sites that want to use the RACF FACILITY class as the resource class checked, the CA Top Secret equivalent class is IBMFAC.

With IBMFAC, only up to 8 characters are allowed in the TSS ADD command. (Up to 39 characters are allowed in the TSS PERMIT command for IBMFAC.) So, first own the resource via:

TSS ADD(dept) IBMFAC(CAPX.)

Then permit the resource via:

TSS PERMIT(acid) IBMFAC(CAPX.) or a more specific (longer) resource name.

If you want to use a different resource class, specify the class you want to use in the DBMOVER configuration file parameter RACF_CLASS.

  1. Define this resource class to the CA Top Secret RDT mimicking the IBMFAC resource class via:

    TSS ADD(RDT) RESCLASS(classname) RESCODE(nn) -
    ACLST(NONE=0000,CONTROL=6400,UPDATE=6000,READ=4000,WRITE=2000,ALL=FFFF) -
    DEFACC(READ) MAXLEN(39) ATTRIBUTE(ACCESS,PRIVPGM)

  2. Then issue the TSS ADD and PERMIT commands above for this resource class instead of IBMFAC.

Since users sign on to Informatica, the following should also be done:

  1. Define a facility to be used for Informatica.

    TSS MODIFY(FACILITY(USERnn=INFORMAT))
    TSS MODIFY(FACILITY(INFORMAT=xxxx)) for any control options to be set other than the defaults.

    The TSS MODIFY command is only valid until the next recycle of CA Top Secret. To make these changes permanent, the corresponding statements must be added to the CA Top Secret parameter file.

    FACILITY(USERnn=INFORMAT)
    FACILITY(INFORMAT=xxxx)

  2. Create a region acid.

    TSS CREATE(acid) PASS(xxxx,0) DEPT(dept) TYPE(USER) NAME('Informatica Region ACID')
    TSS ADD(acid) FAC(STC)

    The region acid needs to be authorized to all resources accessed at start up of the region. This can be done by adding bypass attributes like NODSNCHK and NORESCHK or by permitting the resources to the region acid.

    It is recommended that all started task (STC) ACIDs be given a password and OPTIONS(4) be set in the CA Top Secret parameter file. OPTIONS(4) will eliminate the prompt for a password when the STC starts, but if someone tries to signon with the STC ACID, that person will need to know the password.

  3. Add a MASTFAC of the facility in step 1 to the region acid.

    TSS ADD(acid) MASTFAC(fac)

  4. Add the proc to the started task table via:

    TSS ADD(STC) PROCNAME(informaticproc) ACID(acid)

    where 'informaticproc' is the proc that starts Informatica and 'acid' is the region acid defined in step #2.

  5. Add the facility to the users that need it:

    TSS ADD(acid) FAC(facility)

    where 'acid' is the user acid, an attached profile, or the ALL record, and
    'facility' is the facility defined in step 1.

    Some of the resource names in the RACF documentation have an * at the end of the name. The IBMFAC resource class is distributed as NOMASK, so the '*' should not be used for those resource names:
    CAPX.REG.ADA.*
    CAPX.REG.DB2.ADA200.*
    CAPX.REG.DB2.ADA6531.*
    CAPX.REG.DB2.DSN1.*
    CAPX.REG.DB2.DS1G.STU*
    CAPX.REG.DB2.DS1G.*
    CAPX.REG.DB2.*
    CAPX.REG.IMS.*
    Example Extraction Definitions
    CAPX.CND.ADA200.*
    CAPX.CND.ADA6531.*
    CAPX.CND.DSN1.STU*
    CAPX.CND.DSN1.*
    CAPX.CND.DS1G.STU*

    (Nor should the (G) be specified.) The permits are generic, so the '*' is not needed anyway in CA Top Secret.
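
The translation described above can be scripted when there are many profiles to convert. The following is an added example, not code from CA or Informatica: it strips the '(G)' marker and the trailing '*', enforces the 8-character ADD and 39-character PERMIT limits stated earlier, and flags discrete RACF profiles so their scope can be reviewed. The function names, the department 'CDCDEPT' and the acid 'CDCUSER1' are hypothetical.

```python
# Added example (not vendor code): RACF profile names -> CA Top Secret commands.
ADD_MAXLEN = 8      # page: TSS ADD for IBMFAC takes up to 8 characters
PERMIT_MAXLEN = 39  # page: TSS PERMIT for IBMFAC takes up to 39 characters

# Constructed input: a few of the profile names listed in the RACF documentation.
SAMPLE_PROFILES = [
    "CAPX.REG.ADA.* (G)",
    "CAPX.REG.DB2.ADA200.RACF001",
    "CAPX.REG.DB2.DS1G.STU* (G)",
    "CAPX.CND.DSN1.* (G)",
]

def tss_resource(racf_profile):
    """Return (name, was_generic) with the '(G)' marker and trailing '*' removed."""
    name = racf_profile.replace("(G)", "").strip()
    was_generic = name.endswith("*")
    name = name.rstrip("*")  # the trailing '.' stays, so the qualifier boundary is kept
    if "*" in name or "%" in name:
        raise ValueError(f"embedded mask character cannot be carried over: {racf_profile}")
    if len(name) > PERMIT_MAXLEN:
        raise ValueError(f"longer than {PERMIT_MAXLEN} characters: {name}")
    return name, was_generic

def translate(profiles, dept, acid, owned_prefix="CAPX.", resclass="IBMFAC"):
    """Build the ownership command, one PERMIT per profile, and review notes."""
    if len(owned_prefix) > ADD_MAXLEN:
        raise ValueError(f"TSS ADD prefix longer than {ADD_MAXLEN} characters")
    commands = [f"TSS ADD({dept}) {resclass}({owned_prefix})"]
    notes, seen = [], set()
    for profile in profiles:
        name, was_generic = tss_resource(profile)
        if not name.startswith(owned_prefix):
            raise ValueError(f"{name} is not under the owned prefix {owned_prefix}")
        if name in seen:
            continue  # two RACF profiles collapsed to the same permit
        seen.add(name)
        commands.append(f"TSS PERMIT({acid}) {resclass}({name})")
        if not was_generic:
            # Discrete in RACF, but the page notes that permits are generic.
            notes.append(f"{name}: discrete RACF profile, review as a generic permit")
    return commands, notes

if __name__ == "__main__":
    cmds, review = translate(SAMPLE_PROFILES, dept="CDCDEPT", acid="CDCUSER1")
    print("\n".join(cmds + ["* " + n for n in review]))
```

Keeping the trailing '.' matters for least privilege: a permit for CAPX.REG.ADA. stops at the qualifier boundary, whereas CAPX.REG.ADA would also cover any longer name that merely begins with those characters.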