DCAS parameters for DCAS/RACF/JDBC Credential Mapper plug-in
Required DCAS parameters: Some combination of the following parameters is required to allow the credential mapper plug-in to connect to the DCAS server securely:
- CMPI_DCAS_TRUSTSTORE
- This parameter contains the name of the keystore file to be used to look up the ZIETrans DCAS client certificate and the DCAS server certificate. If CMPI_DCAS_USE_DEFAULT_TRUSTSTORE is set to true, the JSSE default keystore file is used instead of the keystore file specified by this parameter.
- CMPI_DCAS_TRUSTSTORE_PASSWORD
- This parameter contains the password of the keystore file specified by CMPI_DCAS_TRUSTSTORE.
- CMPI_DCAS_TRUSTSTORE_TYPE
- This parameter contains the type of the keystore file specified by CMPI_DCAS_TRUSTSTORE. Valid values are pkcs12, jceks, and jks.
- CMPI_DCAS_USE_DEFAULT_TRUSTSTORE
- This parameter indicates whether the JSSE default keystore file should be used to look up the ZIETrans DCAS client certificate and the DCAS server certificate. The default is false. If specified as true, this keystore file is used instead of the keystore file specified by the CMPI_DCAS_TRUSTSTORE parameter.
Note: The search order to locate the JSSE default keystore file is:
- the location specified by the javax.net.ssl.trustStore system property, then
- <java-home>/lib/security/jssecacerts, then
- <java-home>/lib/security/cacerts
The following parameters are designed to work with your JDBC database credential mapper. Using this type of network-accessible database provides you with a flexible and secure means of associating users' network IDs with their host IDs. By storing all the relevant access information, you can configure access to an existing database or point to a newly created database. The level of security for the database varies according to database vendor.
- CMPI_DCAS_DB_ADDRESS
- This is a URL string that provides the address of the database.
- CMPI_DCAS_DB_NET_DRIVER
- This string contains the name of the class that acts as the network database driver. An example of this string is COM.ibm.db2.jdbc.net.DB2Driver. The location of this class is assumed to be in the existing class path.
- CMPI_DCAS_DB_USERID
- This is the ID of the user account to use when accessing the database.
- CMPI_DCAS_DB_CASE_SENSITIVE
- This parameter specifies whether the DCAS plug-in converts the application ID and network ID of the user to lowercase characters and then uses the lcase() method to make SQL queries to the HCM database. This parameter should be set to true when using SQL applications that do not support the lcase() method.
- CMPI_DCAS_DB_PASSWORD
- This is the password of the user account to use when accessing the database.
- CMPI_DCAS_DB_TABLE
- This entry identifies the table to use for the needed query.
The following four parameter values should match the column names in your credential mapper database and should clearly indicate the contents of the columns. With some databases, such as IBM® DB2®, the four column headings in the database must be in all upper case, for example, NETWORKID, HOSTADDRESS, APPLICATIONID, and HOSTID.
- CMPI_DCAS_DB_NETID_COL_NAME
- This entry identifies the name of the column that contains the network ID value (NETWORKID).
- CMPI_DCAS_DB_HOSTADDR_COL_NAME
- This entry identifies the name of the column that contains the host address value (HOSTADDRESS).
- CMPI_DCAS_DB_HOSTAPP_COL_NAME
- This entry identifies the name of the column that contains the host application value (APPLICATIONID).
Note: Application ID is only used for 3270 host types.
- CMPI_DCAS_DB_HOSTID_COL_NAME
- This entry identifies the name of the column that contains the user's host identification value (HOSTID).
Based on the information provided by the parameters above, you can make an SQL query of the database to get the host ID. This query uses the network ID, the host address, and the host application as keys for the query. The result is identified in the Host Identification column. Assuming that the query is successful, a call is made to the DCAS server to request the passticket.
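The lookup described above, sketched as an added example (not the plug-in's own code). It runs against an in-memory SQLite table, so `lower()` stands in for `lcase()`; the table name, host names and IDs are constructed, and the identifier check is an added hardening step, since table and column names taken from configuration cannot be bound as query parameters.

```python
import re
import sqlite3

# Constructed sample values; only the parameter names come from the page.
CONFIG = {
    "CMPI_DCAS_DB_TABLE": "HCMTABLE",
    "CMPI_DCAS_DB_NETID_COL_NAME": "NETWORKID",
    "CMPI_DCAS_DB_HOSTADDR_COL_NAME": "HOSTADDRESS",
    "CMPI_DCAS_DB_HOSTAPP_COL_NAME": "APPLICATIONID",
    "CMPI_DCAS_DB_HOSTID_COL_NAME": "HOSTID",
    "CMPI_DCAS_DB_CASE_SENSITIVE": "false",
}
NAME_KEYS = [k for k in CONFIG if k != "CMPI_DCAS_DB_CASE_SENSITIVE"]
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def ident(cfg, key):
    """Reject anything that is not a plain SQL identifier (hypothetical helper)."""
    if not _IDENT.fullmatch(cfg[key]):
        raise ValueError(f"{key} is not a plain SQL identifier: {cfg[key]!r}")
    return cfg[key]

def case_sensitive(cfg):
    return cfg.get("CMPI_DCAS_DB_CASE_SENSITIVE", "false").lower() == "true"

def build_query(cfg):
    table, net, addr, app, hostid = (ident(cfg, k) for k in NAME_KEYS)
    # lower() is the SQLite spelling of lcase(); skipped when CASE_SENSITIVE is true.
    wrap = "{}" if case_sensitive(cfg) else "lower({})"
    return (f"SELECT {hostid} FROM {table} WHERE {wrap.format(net)} = ? "
            f"AND {addr} = ? AND {wrap.format(app)} = ?")

def lookup_host_id(conn, cfg, network_id, host_address, application_id):
    """Return the host ID for the three keys, or None when no row matches."""
    if not case_sensitive(cfg):
        network_id, application_id = network_id.lower(), application_id.lower()
    # User-supplied values are bound as parameters, never concatenated.
    row = conn.execute(build_query(cfg),
                       (network_id, host_address, application_id)).fetchone()
    return row[0] if row else None

def demo_db():
    """In-memory table with one constructed mapping row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE HCMTABLE (NETWORKID TEXT, HOSTADDRESS TEXT, "
                 "APPLICATIONID TEXT, HOSTID TEXT)")
    conn.execute("INSERT INTO HCMTABLE VALUES "
                 "('JDoe', 'zos1.example.test', 'TSOAPP', 'JDOE01')")
    return conn
```

A `None` result corresponds to the unsuccessful-query case, in which no passticket request would follow.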
Optional DCAS parameters: The following DCAS parameters are optional:
- CMPI_DCAS_DB_PRESERVE_WHITESPACE
- This parameter indicates whether to trim white space from the credential request parameters or not. If true, the white space is not trimmed. The default is false.
- CMPI_DCAS_HOST_ADDRESS
- The default DCAS host address is determined based on the destination host specified for the ZIETrans connection.
- CMPI_DCAS_HOST_PORT
- The DCAS host address is determined based on the destination host specified in the request. The default port address of 8990 is used, but you may override it using this parameter.
- CMPI_DCAS_NO_FIPS
- If set to true, this parameter indicates that the FIPS security provider should not be used. The default security provider will be used instead. The default is false.
- CMPI_DCAS_REQUEST_TIMEOUT
- This parameter specifies the passticket request timeout in milliseconds. It should be less than the macro timeout value. The default is 50000.
- CMPI_DCAS_TRACE_LEVEL
- This parameter specifies the trace level for the DCAS plug-in. The trace messages are logged to the ZIETrans trace file. Trace level values include the following settings:
- 0 = None: No tracing. This is the default.
- 1 = Minimum: Trace APIs and parameters, return values, and errors.
- 2 = Normal: Trace Minimum plus internal APIs and parameters and informational messages.
- 3 = Maximum: Trace Normal plus Java™ exceptions.
- CMPI_DCAS_USE_NETID_AS_HOSTID
- If set to true, the database lookup for the host ID is skipped. Use this if the network ID is also the RACF® ID. The default is false.
- CMPI_DCAS_VERIFY_SERVER_NAME
- This parameter indicates if the server host name in the certificate must be verified in addition to the certificate validation. The default is false.
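A review aid for the parameters on this page, as an added example (not part of the product or its documentation). It takes the plug-in parameters as a plain dictionary and reports settings whose documented behaviour deserves a second look; the `audit` function, the `macro_timeout_ms` argument and the sample values are assumptions made for illustration.

```python
VALID_TYPES = {"pkcs12", "jceks", "jks"}  # values listed on the page

def flag(cfg, key):
    """Boolean parameters on this page all default to false."""
    return str(cfg.get(key, "false")).strip().lower() == "true"

def audit(cfg, macro_timeout_ms=None):
    """Return (parameter, finding) pairs for settings worth reviewing."""
    out = []
    use_default = flag(cfg, "CMPI_DCAS_USE_DEFAULT_TRUSTSTORE")
    store = cfg.get("CMPI_DCAS_TRUSTSTORE")
    if use_default and store:
        out.append(("CMPI_DCAS_TRUSTSTORE", "ignored: JSSE default keystore is used"))
    if not use_default:
        if not store:
            out.append(("CMPI_DCAS_TRUSTSTORE", "no keystore file configured"))
        # Assumption: the type is compared case-insensitively here.
        ks_type = cfg.get("CMPI_DCAS_TRUSTSTORE_TYPE")
        if ks_type is not None and ks_type.lower() not in VALID_TYPES:
            out.append(("CMPI_DCAS_TRUSTSTORE_TYPE", "not pkcs12, jceks or jks"))
    if not flag(cfg, "CMPI_DCAS_VERIFY_SERVER_NAME"):
        out.append(("CMPI_DCAS_VERIFY_SERVER_NAME",
                    "server host name in the certificate is not verified"))
    if flag(cfg, "CMPI_DCAS_NO_FIPS"):
        out.append(("CMPI_DCAS_NO_FIPS", "FIPS security provider is not used"))
    if int(cfg.get("CMPI_DCAS_TRACE_LEVEL", 0)) > 0:
        out.append(("CMPI_DCAS_TRACE_LEVEL",
                    "tracing on: parameters are written to the trace file"))
    timeout = int(cfg.get("CMPI_DCAS_REQUEST_TIMEOUT", 50000))
    if macro_timeout_ms is not None and timeout >= macro_timeout_ms:
        out.append(("CMPI_DCAS_REQUEST_TIMEOUT", "not less than the macro timeout"))
    if flag(cfg, "CMPI_DCAS_USE_NETID_AS_HOSTID"):
        out.append(("CMPI_DCAS_USE_NETID_AS_HOSTID",
                    "database lookup skipped: network ID must be the RACF ID"))
    return out

# Constructed sample configuration.
SAMPLE = {
    "CMPI_DCAS_TRUSTSTORE": "/opt/example/dcas.p12",
    "CMPI_DCAS_USE_DEFAULT_TRUSTSTORE": "true",
    "CMPI_DCAS_TRACE_LEVEL": "2",
    "CMPI_DCAS_REQUEST_TIMEOUT": "60000",
}

if __name__ == "__main__":
    for param, finding in audit(SAMPLE, macro_timeout_ms=60000):
        print(f"{param}: {finding}")
```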