2.6 Setting Up the Driver

After you have installed the various components, you must create a Driver object and configure it for operation.

2.6.1 Creating and Configuring the Driver Object

  1. In iManager, select Identity Manager Utilities > Create Driver, and designate the driver set for the new driver.

  2. Choose Import a Driver Configuration from the Server > RACF.xml.

  3. Specify driver configuration information.

    • Driver Name: Specify a name for your driver.

    • Enable Role-Based Entitlements: Choose whether or not you want this driver configured to use entitlements.

    • RACF Host Address: Specify the IP address or DNS name the driver should use for its Telnet interface to the RACF system.

      If the driver uses the Remote Loader, specify 127.0.0.1, which is the local host.

    • RACF Telnet Port: Specify the Telnet port number the driver should use. This should normally be 23.

    • Administrator: Specify the name of the administrative user ID you created for the driver in Step 1.

    • Administrator Password: Specify the password you specified for the administrative user ID in Step 3.

    • RACF TSO Name: Specify the APPLID the driver should use on its VTAM logon command to access TSO.

    • RACF TSO Account Number: Specify the account number information the driver should provide on the TSO logon screen for the administrative user ID.

    • RACF TSO Procedure: Specify the TSO logon JCL procedure name the driver should provide on the TSO logon screen for the administrative user ID.

    • Configure Data Flow: Choose the data flow configuration you want set in the filter.

      • To synchronize in both the Publisher and Subscriber channels, choose Bi-directional.

      • To synchronize only for the Publisher channel, choose RACF to eDirectory.

      • To synchronize only for the Subscriber channel, choose eDirectory to RACF.

    • Polling Interval: Specify the number of seconds the Publisher Channel should wait after processing all available events before issuing the next LDXSERV GETNEXT command to see if new events are available for processing.

    • Heartbeat Interval: Specify the minimum number of minutes between publication heartbeat documents. To disable heartbeat document publication, set this value to zero.

    • Users Container: Specify the eDirectory container where users are to be synchronized.

    • Groups Container: Specify the eDirectory container where groups are to be synchronized.

    • Default Group: Specify the default group for new RACF users.

    • Use Default Matching Rules: Choose whether or not the default Matching policies are enabled.

      You should not use the preconfigured sample default Matching policies for a production environment without a careful review of installation-dependent considerations.

    • Install Driver As Remote/Local: Specify whether the driver is to use the Remote Loader or to run local to the eDirectory server.

    The following options pertain only to configurations that use the Remote Loader.

    • Remote Host Name and Port: Specify the IP address or DNS name and TCP port number to be used to access the Remote Loader service.

    • Driver Password: Specify the driver object password used by the Remote Loader to authenticate itself to the Identity Manager server. It must be the same password that is specified as the Driver Object Password on the Identity Manager Remote Loader.

    • Remote Password: Specify the Remote Loader password used by Identity Manager to authenticate itself to the Remote Loader. It must be the same password that is specified as the Remote Loader password on the Identity Manager Remote Loader.

  4. Define appropriate Security Equivalences for the Driver object so that it can perform the necessary eDirectory operations.

  5. Exclude Administrative roles from replication.

  6. Restart eDirectory.

  7. Start the driver:

    1. In iManager, select Identity Manager Management > Overview.

    2. Locate the driver in its driver set.

    3. Click the driver status indicator in the upper right corner of the driver icon and click Start Driver.

2.6.2 Setting Global Configuration Values

After you have created and configured the Driver object, review the Global Configuration Values settings and customize them as appropriate.

To review and change global configuration values:

  1. In iManager, select Identity Manager Management > Overview.

  2. Select the driver set containing the driver, click the driver icon to see the driver overview, then click the driver icon again to edit driver parameters.

  3. Click Identity Manager > Global Config Values.

  4. Update the values as desired, then click OK.

    • Action on Applying RACF Account Entitlement: Specifies the policy action to be taken for a RACF user when it is granted the RACF Account Entitlement.

    • Action on Removing RACF Account Entitlement: Specifies the policy action to be taken for a RACF user when its RACF Account Entitlement is removed.

    • RACF Accepts Passwords from Identity Manager Data Store: Specifies whether or not the policies permit password values to flow from eDirectory to RACF.

    • Identity Manager Accepts Passwords from RACF: Specifies whether or not the policies permit password values to flow from RACF to eDirectory.

    • Publish Passwords to NDS Password: Specifies whether or not the policies publish passwords to the NDS password in eDirectory (if Identity Manager accepts passwords from RACF).

    • Publish Passwords to Distribution Password: Specifies whether or not the policies publish passwords to the eDirectory Distribution Password (if Identity Manager accepts passwords from RACF).

    • Require Password Policy Validation Before Publishing Passwords: Specifies whether or not eDirectory password policies are enforced for passwords being published from RACF.

      IMPORTANT: Ensure that your password policies are compatible with RACF password rules and restrictions before enabling this facility.

    • Reset User’s External System Password to the Identity Manager Password on Failure: Specifies whether or not the RACF password is to be reset from the eDirectory password if an eDirectory password change fails.

      IMPORTANT: Ensure that your password policies are compatible with RACF password rules and restrictions before enabling this facility.

    • Notify the User of Password Synchronization Failure via E-mail: Specifies whether or not a message is to be sent to the user if a password synchronization fails.

      For information about e-mail notification prerequisites and configuration, see Configuring E-Mail Notification in the Identity Manager 3.6.1 Administration Guide at the Identity Manager 3.6.1 Documentation Web site.

    • Connected System or Driver Name: Specifies the name to be used to identify the RACF system to the user in password synchronization failure messages.

    • Users Container: Specifies the eDirectory container where users are to be synchronized.

    • Groups Container: Specifies the eDirectory container where groups are to be synchronized.

    • Default TSO Acctnum: Specifies the default TSO accounting information for new RACF users.

    • Default TSO Maxsize: Specifies the default TSO MAXSIZE value for new RACF users.

    • Default TSO Procedure: Specifies the default TSO logon procedure name for new RACF users.

    • Default TSO Size: Specifies the default TSO SIZE value for new RACF users.

    • Default Group: Specifies the default group for new RACF users.

    • Use Default Matching Rules: Specifies whether or not the default Matching policies are enabled.

      You should not use the preconfigured sample default Matching policy for a production environment without a careful review of installation-dependent considerations.

      The default Subscriber Matching policy matches User objects without an association by CN. RACF does not use a hierarchical directory structure and does not provide a globally unique identifier. A pre-existing RACF user profile could be matched with a User object in eDirectory that represents a different person.

      Given an appropriate installation management policy, you could implement a Matching policy that requires two attributes to be identical before matching users by CN. For example, you could use the RACF installation-defined data field to contain an employee identification number and populate a corresponding field in eDirectory, such as Employee ID.
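The following Python script is an added illustration of the matching problem just described; it is not code from the RACF driver or its sample policies, and the driver's real Matching policies are DirXML-Script, not Python. The records are constructed, and the field names cn, employee_id and installation_data are assumptions chosen for the illustration. It shows a pre-existing RACF profile whose user ID collides with an unassociated eDirectory user's CN: the CN-only rule associates the two, the two-attribute rule does not.

```python
"""Matching-rule comparison for the Subscriber channel (added illustration).

Not code from the Novell RACF driver. Records are constructed; the field names
cn, employee_id and installation_data are assumptions for this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class EdirUser:
    dn: str           # eDirectory DN (constructed); user has no association yet
    cn: str           # the attribute the sample default Matching policy uses
    employee_id: str  # assumed eDirectory attribute holding the employee number


@dataclass(frozen=True)
class RacfProfile:
    userid: str             # RACF user ID; RACF has no globally unique identifier
    installation_data: str  # assumed to carry the employee number (installation-defined DATA field)


# Constructed sample data. The eDirectory user JSMITH is employee E10001.
# A pre-existing RACF profile JSMITH belongs to a different person (E20077)
# who happened to be assigned the same user ID.
EDIR_USERS: List[EdirUser] = [
    EdirUser("cn=JSMITH,ou=users,o=example", "JSMITH", "E10001"),
    EdirUser("cn=JDOE,ou=users,o=example", "JDOE", "E10003"),
]
RACF_PROFILES: List[RacfProfile] = [
    RacfProfile("JSMITH", "E20077"),
    RacfProfile("JDOE", "E10003"),
]


def match_by_cn(user: EdirUser, profiles: List[RacfProfile]) -> Optional[RacfProfile]:
    """Behaviour of the sample default rule: associate on CN == RACF user ID alone."""
    for p in profiles:
        if p.userid.upper() == user.cn.upper():
            return p
    return None


def match_by_cn_and_employee_id(user: EdirUser, profiles: List[RacfProfile]) -> Optional[RacfProfile]:
    """Stricter rule: CN and the employee number must both agree before matching."""
    for p in profiles:
        if p.userid.upper() == user.cn.upper() and p.installation_data == user.employee_id:
            return p
    return None


def would_misassociate(user: EdirUser, profiles: List[RacfProfile]) -> bool:
    """True when CN-only matching picks a profile the two-attribute rule rejects,
    i.e. the eDirectory user would be linked to someone else's RACF profile, and
    later password and entitlement changes would be applied to that profile."""
    loose = match_by_cn(user, profiles)
    strict = match_by_cn_and_employee_id(user, profiles)
    return loose is not None and strict is None


if __name__ == "__main__":
    for u in EDIR_USERS:
        print(u.cn,
              "CN-only:", match_by_cn(u, RACF_PROFILES),
              "CN+EmployeeID:", match_by_cn_and_employee_id(u, RACF_PROFILES),
              "misassociation risk:", would_misassociate(u, RACF_PROFILES))
```

When the stricter rule returns no match, the driver follows its no-match path instead of binding the eDirectory user to the existing profile; how the user ID collision is then resolved is an installation management decision, as the text above notes.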

2.6.3 Configuring Driver Parameters after Setup Has Been Completed

You can change the configuration of the driver after setup has been completed.

To change driver parameters:

  1. In iManager, select Identity Manager > Overview.

  2. Select the driver set containing the driver, click the driver icon to see the driver overview, then click the driver icon again to edit driver parameters.

  3. Click Identity Manager > Driver Configuration.

  4. Update the parameters as desired, then click OK.

    • Driver Module: Select Java or Connect to Remote Loader, as appropriate.

    • Driver Object Password: Specify the driver object password used by the Remote Loader to authenticate itself to the Identity Manager server. It must be the same password that is specified as the Driver Object Password on the Identity Manager Remote Loader.

    • Authentication: Common driver authentication information.

      • Authentication ID: Specify the name of the administrative user ID you created for the driver in Step 1.

      • Authentication Context: Not used.

      • Remote Loader Connection Parameters: Specify the IP address or DNS name and TCP port number to be used to access the Remote Loader service. Use the form shown in the following example:

        hostname=127.5.222.17 port=8090

      • Driver Cache Limit: Specify 0.

      • Application Password: Specify the password you specified for the administrative user ID in Step 3.

      • Remote Loader Password: Specify the Remote Loader password used by Identity Manager to authenticate itself to the Remote Loader. It must be the same password that is specified as the Remote Loader password on the Identity Manager Remote Loader.

    • Startup Option: Specify Auto Start for a driver used in production.

    • Driver Settings: RACF Driver Settings.

      • RACF Host Address: Specify the IP address or DNS name the driver should use for its Telnet interface to the RACF system.

        If the driver uses the Remote Loader, specify 127.0.0.1, which is the local host.

      • RACF Telnet Port: Specify the Telnet port number the driver should use. This should normally be 23.

      • RACF TSO Name: Specify the APPLID the driver should use on its VTAM logon command to access TSO.

      • RACF TSO Account Number: Specify the account number information the driver should provide on the TSO logon screen for the administrative user ID.

      • RACF TSO Procedure: Specify the TSO logon JCL procedure name the driver should provide on the TSO logon screen for the administrative user ID.

    • Subscriber Settings: Subscriber channel settings.

      • Additional Handlers: Not used.

    • Publisher Settings: Publisher channel settings.

      • Additional Servlets: Not used.

      • Publisher Disabled: Specify Yes or No for whether or not the driver suppresses publishing RACF events.

      • Polling Interval: Specify the number of seconds the Publisher Channel should wait after processing all available events before issuing the next LDXSERV GETNEXT command to see if new events are available for processing.

      • Heartbeat Interval: Specify the minimum number of minutes between publication heartbeat documents. To disable heartbeat document publication, set this value to zero.
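The following Python script is an added example, not part of the RACF driver or iManager, that checks the driver parameters listed in Section 2.6.1 and Section 2.6.3 for consistency before they are entered: it parses the Remote Loader connection string in the hostname=... port=... form shown above and flags settings that contradict the guidance on this page (127.0.0.1 as the RACF host address when the Remote Loader is used, Driver Cache Limit 0, Telnet port 23, heartbeat zero meaning disabled). The DriverSettings field names, the 60-second polling value used in the sample, and the acceptance of extra key=value pairs in the connection string are assumptions of this example.

```python
"""Consistency checks for RACF driver parameters (added example, not driver code).

Field names, the sample polling value and the tolerance of extra key=value
pairs in the Remote Loader connection string are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_PAIR = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)=(\S+)$")


def parse_remote_loader_params(text: str) -> Dict[str, object]:
    """Parse 'hostname=<addr> port=<n>' into a dict; raise ValueError when malformed."""
    params: Dict[str, object] = {}
    for token in text.split():
        m = _PAIR.match(token)
        if not m:
            raise ValueError(f"malformed token {token!r}; expected key=value")
        key, value = m.group(1).lower(), m.group(2)
        if key in params:
            raise ValueError(f"duplicate key {key!r}")
        params[key] = value
    for required in ("hostname", "port"):
        if required not in params:
            raise ValueError(f"missing {required}=")
    port_text = str(params["port"])
    port = int(port_text) if port_text.isdigit() else -1
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port_text!r}")
    params["port"] = port
    return params


def remote_loader_params_valid(text: str) -> bool:
    """Boolean wrapper around the parser for quick checks."""
    try:
        parse_remote_loader_params(text)
        return True
    except ValueError:
        return False


@dataclass
class DriverSettings:
    driver_module: str                 # "Java" or "Connect to Remote Loader"
    racf_host_address: str             # host the driver telnets to
    racf_telnet_port: int = 23         # page: normally 23
    driver_cache_limit: int = 0        # page: specify 0
    polling_interval: int = 60         # seconds; assumed sample value, page gives none
    heartbeat_interval: int = 0        # minutes; 0 disables heartbeat documents
    remote_loader_params: Optional[str] = None


def check_driver_settings(s: DriverSettings) -> List[str]:
    """Return findings prefixed error:/warning:/note:; an empty list means nothing to report."""
    findings: List[str] = []
    if s.driver_module == "Connect to Remote Loader":
        if s.remote_loader_params is None:
            findings.append("error: Remote Loader selected but no connection parameters given")
        else:
            try:
                parse_remote_loader_params(s.remote_loader_params)
            except ValueError as exc:
                findings.append(f"error: Remote Loader connection parameters: {exc}")
        if s.racf_host_address != "127.0.0.1":
            findings.append("warning: with the Remote Loader the RACF host address should be 127.0.0.1")
    if s.racf_telnet_port != 23:
        findings.append(f"note: non-standard Telnet port {s.racf_telnet_port}")
    if s.driver_cache_limit != 0:
        findings.append("warning: Driver Cache Limit should be 0")
    if s.polling_interval < 0:
        findings.append("error: Polling Interval must be >= 0 seconds")
    if s.heartbeat_interval < 0:
        findings.append("error: Heartbeat Interval must be >= 0 minutes")
    elif s.heartbeat_interval == 0:
        findings.append("note: heartbeat document publication is disabled")
    return findings


# Constructed sample configurations.
GOOD_SETTINGS = DriverSettings("Connect to Remote Loader", "127.0.0.1",
                               remote_loader_params="hostname=127.5.222.17 port=8090")
BAD_SETTINGS = DriverSettings("Connect to Remote Loader", "10.0.0.5", driver_cache_limit=100,
                              heartbeat_interval=5, remote_loader_params="hostname=10.0.0.5")

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_SETTINGS), ("bad", BAD_SETTINGS)):
        print(label, check_driver_settings(cfg) or ["ok"])
```

The checker only encodes what this page states; site-specific rules (for example, which APPLID or logon procedure is valid) would be added to check_driver_settings from local documentation.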