Microsoft KB Archive/925048

= A software update is available that enables the Host Access Management Agent for MIIS 2003 Feature Pack 2 to submit custom commands to mainframe security systems =

Article ID: 925048

Article Last Modified on 2/12/2007


APPLIES TO


 * Microsoft Identity Integration Server 2003 Host Access Management Agent Feature Pack 2




INTRODUCTION
This article discusses a software update that enables the Host Access Management Agent for Microsoft Identity Integration Server (MIIS) 2003 to submit custom commands. Custom commands can be useful when you must provision, de-provision, and update user accounts and groups on any of the following mainframe security systems:
 * IBM Resource Access Control Facility (IBM RACF) security database
 * eTrust Computer Associates ACF2 (CA-ACF2)
 * eTrust Computer Associates Top Secret (CA-Top Secret)

Before you apply this software update, the Host Access Management Agent can only submit commands that are specifically defined within the management agent.



MORE INFORMATION
This software update adds support for submitting host commands that were not previously supported in the Host Access Management Agent Feature Pack 2.

This feature is useful in environments in which you must issue specific commands in addition to the commands that are already supported by management agents (MAs) during add, replace, or delete operations.

Software update information
A supported feature that modifies the product's default behavior is now available from Microsoft, but it is only intended to modify the behavior that this article describes. Apply it only to systems that specifically require it. This feature may receive additional testing. Therefore, if the system is not severely affected by the lack of this feature, we recommend that you wait for the next release of Microsoft Identity Integration Server 2003 Host Access Management Agent that contains this feature.

To obtain this feature immediately, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

File information
The English version of this software update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Note Because of file dependencies, the most recent software update that contains these files may also contain additional files.

Command configuration information
After you apply the software update, you must configure the custom commands that you want to use. To do this, use a configuration file that is named Miiserver.exe.config. You must copy the Miiserver.exe.config file to the Bin folder. This folder is located under the MIIS installation folder. For example, this folder is usually located in the following path:

C:\Program Files\Microsoft Identity Integration Server\Bin

Note Copying the Miiserver.exe.config file to this folder makes sure that MIIS and the Host Access Management Agent can read the file. If the file does not exist in this location, you must use a text editor to manually create the file.

Supported elements and attributes in the Miiserver.exe.config file
The Miiserver.exe.config file contains a CommandConfiguration element. This element supports the following three elements:
 * RACFMA
 * ACF2MA
 * TopSecret

These elements correspond to the three MAs that are supported in Host Access Management Agent Feature Pack 2. Each MA element supports the following three elements:
 * Add
 * Replace
 * Delete

Each of these elements corresponds to a supported MIIS operation. Each operation element supports a Command element. The Command element contains the custom command configuration. The Command element supports the following three attributes:
 * name: This attribute defines a unique identifier for each command. The MA uses this identifier internally to distinguish each configured command.
 * command: This attribute defines the actual command that is submitted to the mainframe security system. If you want to use attribute values that are present at the time of the operation, you can enclose the attribute name within percent (%) characters. If a value for the attribute is flowed into the MA, the MA tries to replace the attribute name with the appropriate value.
 * issueAfterMACommands: You can define this attribute together with a value of true or false. When the value is true, the individual command is issued before any of the commands that the MA currently supports. Otherwise, the commands are issued after the MA has finished issuing all the commands that it issues during the particular operation, such as add, replace, and delete.

Note These three attributes are required when you use the Command element. None of the attributes have default values. Therefore, you must specify a value for each attribute.

Additionally, the Delete element supports the deleteDataSetProfiles attribute. You can define this attribute together with a value of true or false. By default, the value of this attribute is false. If this attribute is present and the value is true, the MA tries to delete all the dataset profiles that are assigned to the user object that is currently being processed. In this case, the RACF MA issues the following command:

SEARCH MASK(uid)

For each dataset that is returned, the RACF MA issues the following command:

dd  g

Currently, the deleteDataSetProfiles attribute is only supported by the RACF MA.
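
An added example, not part of the original article or of MIIS: a Python check of a CommandConfiguration section against the rules above (supported MA and operation elements, the three required Command attributes, deleteDataSetProfiles only under the RACF MA's Delete element), plus a preview of how %attribute% tokens in a command are substituted. The sample XML and the JSMITH value are constructed; accepting only lowercase true/false and leaving unresolved tokens in the command text are assumptions.

```python
import re
import xml.etree.ElementTree as ET

MAS = ("RACFMA", "ACF2MA", "TopSecret")
OPERATIONS = ("Add", "Replace", "Delete")
REQUIRED = ("name", "command", "issueAfterMACommands")
PLACEHOLDER = re.compile(r"%([^%\s]+)%")

# Constructed sample: one valid command plus two deliberate mistakes under ACF2MA.
SAMPLE = """<CommandConfiguration>
<RACFMA><Add>
<Command name='Permit' command='PERMIT CICS_TRAN_CODE_ID CLASS(%CLASS%) ACCESS(READ) ID(%uid%)' issueAfterMACommands='true' />
</Add></RACFMA>
<ACF2MA><Delete deleteDataSetProfiles='true'>
<Command name='Permit' command='PERMIT CICS_TRAN_CODE_ID CLASS(CLASS1) ACCESS(READ) ID(%uid%)' />
</Delete></ACF2MA>
</CommandConfiguration>"""


def expand(command, flowed):
    """Preview %attr% substitution; assumption: unresolved tokens stay in the text."""
    unresolved = [a for a in PLACEHOLDER.findall(command) if a not in flowed]
    text = PLACEHOLDER.sub(lambda m: flowed.get(m.group(1), m.group(0)), command)
    return text, unresolved


def lint(xml_text):
    """Check every CommandConfiguration section against the rules in the article."""
    findings = []
    sections = ET.fromstring(xml_text).iter("CommandConfiguration")
    for ma in (child for section in sections for child in section):
        if ma.tag not in MAS:
            findings.append(f"{ma.tag}: not a supported MA element")
            continue
        for op in ma:
            where = f"{ma.tag}/{op.tag}"
            if op.tag not in OPERATIONS:
                findings.append(f"{where}: not a supported operation element")
                continue
            if "deleteDataSetProfiles" in op.attrib and where != "RACFMA/Delete":
                findings.append(f"{where}: deleteDataSetProfiles is RACF MA only")
            for cmd in op.findall("Command"):
                missing = [a for a in REQUIRED if not cmd.get(a)]
                if missing:
                    findings.append(f"{where}: Command missing {', '.join(missing)}")
                elif cmd.get("issueAfterMACommands") not in ("true", "false"):  # assumption: lowercase only
                    findings.append(f"{where}: issueAfterMACommands must be true or false")
    return findings
```

Calling lint on the full text of a Miiserver.exe.config file works as well as on the bare section, because the check searches the whole document for CommandConfiguration elements.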

Sample command scenario
Consider the following scenario in which the following command information is added to the Miiserver.exe.config file:

In this scenario, the following behavior occurs during an add operation:

The RACF MA reads and processes the command by trying to replace the %CLASS% value with the value that was flowed in for the CLASS attribute. Then, the RACF MA replaces the %uid% value with the correct uid value for the object for which this operation is running.

The issueAfterMACommands attribute is set to true. Therefore, the RACF MA tries to issue the commands that are usually supported during an add operation. If all these commands succeed, the RACF MA tries to issue the following command:

PERMIT CICS_TRAN_CODE_ID CLASS ACCESS(READ) ID

In this command,  is the value that is flowed in for the CLASS attribute. is the uid value of the object for which this operation is running. If the command succeeds, a success indicator is returned. Otherwise, the RACF MA reports the appropriate exception that contains the error that was returned by IBM RACF.

Sample Miiserver.exe.config file
The following code listing illustrates a sample Miiserver.exe.config file that was created by using a text editor.
<pre class="fixed_text"><?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <configSections>
    <!-- Registers the handler that reads the CommandConfiguration section -->
    <sectionGroup name="managementAgents">
      <section name="CommandConfiguration" type="Microsoft.MetadirectoryServices.Host.MACommandSectionHandler, ConfigurationHandler" />
    </sectionGroup>
  </configSections>
  <managementAgents>
    <CommandConfiguration>
      <!-- Custom commands for the RACF MA, one element per MIIS operation -->
      <RACFMA>
        <Add>
          <Command name='Permit' command='PERMIT CICS_TRAN_CODE_ID CLASS(CLASS1) ACCESS(READ) ID(%uid%)' issueAfterMACommands='true' />
        </Add>
        <Replace>
          <Command name='Permit' command='PERMIT CICS_TRAN_CODE_ID CLASS(CLASS1) ACCESS(READ) ID(%uid%)' issueAfterMACommands='true' />
        </Replace>
        <Delete deleteDataSetProfiles='true'>
          <Command name='Permit' command='PERMIT CICS_TRAN_CODE_ID CLASS(CLASS1) ACCESS(READ) ID(%uid%)' issueAfterMACommands='false' />
        </Delete>
      </RACFMA>
      <!-- Custom commands for the ACF2 MA -->
      <ACF2MA>
        <Add>
          <Command name='Permit' command='PERMIT CICS_TRAN_CODE_ID CLASS(CLASS1) ACCESS(READ) ID(%uid%)' issueAfterMACommands='true' />
        </Add>
        <Replace>
          <Command name='Permit' command='PERMIT CICS_TRAN_CODE_ID CLASS(CLASS1) ACCESS(READ) ID(%uid%)' issueAfterMACommands='true' />
        </Replace>
      </ACF2MA>
    </CommandConfiguration>
  </managementAgents>
</configuration></pre>

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Additional query words: HAMA

Keywords: kbhotfixserver kbpubtypekc kbqfe kbinfo KB925048


© Microsoft Corporation. All rights reserved.