z/OS LDAP Custom Install Configuration Experience

Source: Internet
Author: User
Tags: define, db2, file system, ldap, connect, new features

Terminology:

LDAP: Lightweight Directory Access Protocol.

dsconfig: the utility that generates the configuration files and JCL jobs needed for an LDAP server installation.

As z/OS hosts have evolved, more and more customers have chosen the z/OS LDAP server to provide user authentication and directory access control services. It supports powerful and diverse network topologies, offers a variety of possible solutions, and adds new features with each new version. This article introduces the differences between a customer environment and a lab test environment, and describes how to customize the installation according to the customer's environment.

In the installation phase, the installation is customized according to the customer's environment and management requirements. First, the profile file is defined from the customer's environment parameters; then the LDAP server configuration file is generated with the dsconfig utility, and the jobs that need to be submitted are generated in the dsconfig output dataset. For the detailed installation and configuration process, refer to Chapter 4, "Configuring an LDAP server using the dsconfig utility", in "IBM Tivoli Directory Server Administration and Use for z/OS". The customer environment is managed separately by different functional departments, which can be divided into four job roles: LDAP install operator, RACF administrator, z/OS system administrator, and DB2 administrator. The division of responsibilities is shown in the table below and may differ depending on the actual situation.

Job role                   Functional division
Install operator           Responsible for the LDAP installation: modifying the profile, running LDAP, modifying the LDAP PDS configuration file, and running the LDAP procedure
RACF administrator         Manages the authorization of z/OS users, groups, and resources
z/OS system administrator  Manages networks, storage devices, dataset usage, catalogs, and aliases
DB2 administrator          Creates DB2 databases and tables; grants DB2 resource authorizations

Installing an LDAP server involves all of these job roles, so during installation you need to coordinate the roles, set priorities, and define the sequence of and dependencies between the steps. The work can be divided into the following three stages: system environment check, before running dsconfig, and after running dsconfig.

Step                      Work content
System environment check  Understand the system environment, authority controls, and system parameters.
Before running dsconfig   Prepare the OMVS (z/OS UNIX) file system and directory for the dsconfig input profile file, and the dataset for the dsconfig output LDAP configuration.
After running dsconfig    The install operator, RACF administrator, z/OS system administrator, and DB2 administrator each submit the JCL jobs generated by dsconfig that fall under their role.

Running dsconfig generates an LDAP configuration dataset containing the following members: APF, DBCLI, DSCONFIG, DSENVVAR, DSNAOINI, GLDSRV, PRGMCTRL, PROGSUFFIX, RACF, TDBSPUFI, and GDBSPUFI. For example, the LDAP user and user group are created by the RACF job, while TDBSPUFI creates the DB2 database and tables and grants DB2 authorizations to that LDAP user and user group. The order of submission therefore matters: the RACF administrator submits the RACF job first, and the DB2 administrator then submits TDBSPUFI.

In addition, customer environments generally do not grant authorizations to individual users. The system has many user groups, so the authorization is granted to a group and the user is then connected to that group, which completes the authorization:

CONNECT GLDSRV GROUP(@DB2xxx) OWNER(@DB2xxx)

GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE GLDSRV.DIR_REPLICA TO @DB2xxx;
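The submission order above (RACF job before TDBSPUFI) exists because the DB2 grants name RACF IDs that must already exist. As an added example, not part of the original article or of dsconfig itself, the following Python script cross-checks two constructed stand-ins for the RACF and TDBSPUFI members and lists the grantees that the RACF job does not create; those must be pre-existing customer groups, or the RACF member must be extended and run first. All member contents and IDs (@DB2LDAP, @DB2ADM, GLDSRV) are constructed samples.

```python
import re

# Constructed sample of a dsconfig RACF member (not real dsconfig output):
# it defines the LDAP server group and user and connects the user to the group.
RACF_MEMBER = """\
ADDGROUP @DB2LDAP OWNER(SYS1) SUPGROUP(SYS1)
ADDUSER GLDSRV DFLTGRP(@DB2LDAP) OWNER(@DB2LDAP) NOPASSWORD
CONNECT GLDSRV GROUP(@DB2LDAP) OWNER(@DB2LDAP)
"""

# Constructed sample of a TDBSPUFI member: DB2 grants on the LDAP tables.
# The second GRANT names a group (@DB2ADM) that the RACF member never defines.
TDBSPUFI_MEMBER = """\
GRANT SELECT,UPDATE,INSERT,DELETE ON TABLE GLDSRV.DIR_REPLICA TO @DB2LDAP;
GRANT SELECT,UPDATE,INSERT,DELETE ON TABLE GLDSRV.DIR_ENTRY TO @DB2ADM;
GRANT SELECT ON TABLE GLDSRV.DIR_SEARCH TO GLDSRV;
"""

# ADDGROUP/ADDUSER (and their TSO abbreviations AG/AU) define new RACF IDs.
_RACF_DEF = re.compile(r"^\s*(?:ADDGROUP|ADDUSER|AG|AU)\s+(\S+)", re.I | re.M)
# GRANT ... TO <id>[, <id>...]; names the DB2 grantees.
_DB2_GRANT = re.compile(r"\bGRANT\b.*?\bTO\s+([^;]+);", re.I | re.S)


def racf_defined_ids(member: str) -> set[str]:
    """Return the user and group names the RACF member creates."""
    return {m.group(1).upper() for m in _RACF_DEF.finditer(member)}


def db2_grantees(member: str) -> set[str]:
    """Return every ID named in a GRANT ... TO clause of the DB2 member."""
    ids: set[str] = set()
    for m in _DB2_GRANT.finditer(member):
        ids.update(x.strip().upper() for x in m.group(1).split(",") if x.strip())
    return ids


def undefined_grantees(racf_member: str, db2_member: str) -> set[str]:
    """IDs the DB2 job grants privileges to that this RACF job does not create.

    Each must already exist in the RACF database (for example one of the
    customer's existing groups) before the DB2 administrator submits the job.
    """
    return db2_grantees(db2_member) - racf_defined_ids(racf_member)


if __name__ == "__main__":
    for g in sorted(undefined_grantees(RACF_MEMBER, TDBSPUFI_MEMBER)):
        print("grantee not created by the RACF member:", g)
```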

Note also that the RACF member generated by dsconfig contains an authorization for the DSNR class. Defining class DSNR lets RACF control access to DB2 subsystems; if DB2 and RACF security are managed separately, this authorization is not needed.

PERMIT DSN9.BATCH CLASS(DSNR) ID(GLDSRV) ACCESS(READ)

SETROPTS CLASSACT(DSNR) RACLIST(DSNR)

SETROPTS RACLIST(DSNR) REFRESH

In conclusion, I have shared some experience from implementations in customer environments, in the hope that it helps you understand the differences between the IBM development and test environment and real customer environments, and the points that need attention when installing an LDAP server. Some more in-depth topics will be covered in follow-up posts.
