1.1 About Platform Services for OS/400

Platform Services for OS/400 consists of two major components.

1.1.1 The System Intercept

The driver must be informed of changes made to passwords in order to support password replication. The System Intercept for OS/400 provides information to the core driver about password changes made on the platform. (Information about password changes to a user in eDirectory™ is received by the OS/400 platform as provisioning events and is processed by the Platform Receiver.)

The System Intercept must be configured to connect directly to core drivers using the DIRECTTOAUTHENTICATION statement in the platform configuration file. For details about the platform configuration file, see the Platform Services Planning Guide and Reference.

1.1.2 The Platform Receiver

The Platform Receiver processes provisioning events received from the Event Journal Services component of the core driver.

The Platform Receiver communicates with Event Journal Services using Secure Sockets Layer (SSL). Data is encoded using UTF-8, which is converted to EBCDIC.

Run the Platform Receiver on a schedule that is appropriate for your requirements. For details about Platform Receiver operation, see the Platform Services Planning Guide and Reference.

The Platform Receiver reads its configuration information from ASAM/data/asamplat.conf, the platform configuration file. For details about the platform configuration file, see the Platform Services Planning Guide and Reference.

The OS/400 Platform Receiver uses the Attribute Name Mapping file, /usr/local/ASAM/data/attrmap.conf, to convert attribute names obtained from Event Journal Services to the Profile and System Distribution Directory field names for use by the Receiver scripts. For more information about the Attribute Name Mapping file, see The Attribute Name Mapping File.

The OS/400 Platform Receiver logs messages to the standard joblog facility.

1.1.3 Receiver Scripts

Receiver scripts for OS/400 platforms are implemented as Control Language (CL) programs. The Platform Receiver runs the programs from the ASAM library.

Provisioning events are received as groupings of name-value pairs as shown in the following example:

enterpriseUserName  bob

The Platform Receiver calls a Receiver script whenever it is necessary to obtain information about users or groups on the platform and whenever it is appropriate to take an action for a user or group on the platform.

Processing Summary

  1. When the Platform Receiver calls a Receiver script, it maps the name-value pairs and stores them in a user space. Procedures are provided for setting and retrieving these values.

    User names and group names are checked for validity before they are mapped. A utility Receiver script is called to perform the validity checking.

  2. Receiver scripts are called as appropriate to determine group affiliations for user events and group membership for group events.

  3. Receiver scripts are called to take the necessary actions.

For more information about Receiver scripts, see the Platform Services Planning Guide and Reference and the scripts themselves.

1.1.4 Authentication Services

Authentication Services for OS/400 does not redirect authentication requests to eDirectory, but instead replicates passwords between the OS/400 system and eDirectory.

When a password is changed on the OS/400 system, the System Intercept sends a change password notification to a core driver for processing.

When a password for a user associated with an OS/400 system is changed in eDirectory, a provisioning event is generated by the core driver and given to the Platform Receiver for processing. By default, the core driver converts passwords to lowercase before sending them to the Platform Receiver. For more information about password case, see the Maintain Password Case configuration parameter in the Core Driver Administration Guide.

Because password replication information travels in both directions, it is affected by the Include/Exclude lists of both Authentication Services and Identity Provisioning. It is therefore important to configure both sets of Include/Exclude lists symmetrically.