Propagation of changes
Article ID: 115876
Updated On:
Products
Top Secret
Top Secret - LDAP
Issue/Introduction
password change on a sysplex
Question 1: when a password is changed/reset on a sysplex where passwords are propagated via CPF to other sysplexes automatically doe this work the same way when a password was changed via LDAP? Question 2: is there something like TARGET(*) for other commands?
Question 1: when a password is changed/reset on a sysplex where passwords are propagated via CPF to other sysplexes automatically doe this work the same way when a password was changed via LDAP? Question 2: is there something like TARGET(*) for other commands?
Environment
z/os
Resolution
LDS and CPF are similar in concept, but different in implementation CPF has existed in CA TSS for years and can be setup to sync a password or entire ACIDS, between CA TSS nodes only.
LDS (LDAP Directory Services) can be setup to sync password or entire users, using the LDAP protocol to ANY LDAP enabled node.
Meaning that when a password changes in TSS, TSS can send a LDAP Modify of the password to some LDAP node, for example that could be Microsoft Active Directory (MS AD).
The CA Identity management solutions use this feature to send TSS changes from the mainframe to CA IdM, CA IdM then 'syncs' the changes to every node being managed.
CA IdM also has a MS AD hook that sends changes from MS AD to CA IdM, then it syncs to all nodes including CA TSS.
Hope this helps explain where you'd use LDS versus where to use CPF When any operation (add/modify/delete/search) is sent to the LDAP Server, it issues a native TSS command as if it was typed at a TSO prompt via the R_admin() callable service.
TSS will then use whatever CPF propagation rules are in place just like it does for a TSO command. So yes LDAP operations will be propagated via CPF if automatic TARGET() settings are in place.
Can you override this, absolutely.
If you review the objectClass definition for acids/profiles at: https://docops.ca.com/ca-system-z-security-communication-servers-dsi-ldap-pam/15-1/en/configuring/configuring-ca-ldap-server/configure- the-catss_utf-backend/user-friendly-name-override-file-ca-top-secret-to-ca-ldap-server/objectclass-tssacid-tssprofile-tssdept-tssdiv- tsszone-tssgroup
You’ll see that the LDAP attribute ‘Target-Nodes-for-Cmds’ maps to the TSS TARGET() field and can be used to pass the value used in the TARGET(xxx) parm.
LDS (LDAP Directory Services) can be setup to sync password or entire users, using the LDAP protocol to ANY LDAP enabled node.
Meaning that when a password changes in TSS, TSS can send a LDAP Modify of the password to some LDAP node, for example that could be Microsoft Active Directory (MS AD).
The CA Identity management solutions use this feature to send TSS changes from the mainframe to CA IdM, CA IdM then 'syncs' the changes to every node being managed.
CA IdM also has a MS AD hook that sends changes from MS AD to CA IdM, then it syncs to all nodes including CA TSS.
Hope this helps explain where you'd use LDS versus where to use CPF When any operation (add/modify/delete/search) is sent to the LDAP Server, it issues a native TSS command as if it was typed at a TSO prompt via the R_admin() callable service.
TSS will then use whatever CPF propagation rules are in place just like it does for a TSO command. So yes LDAP operations will be propagated via CPF if automatic TARGET() settings are in place.
Can you override this, absolutely.
If you review the objectClass definition for acids/profiles at: https://docops.ca.com/ca-system-z-security-communication-servers-dsi-ldap-pam/15-1/en/configuring/configuring-ca-ldap-server/configure- the-catss_utf-backend/user-friendly-name-override-file-ca-top-secret-to-ca-ldap-server/objectclass-tssacid-tssprofile-tssdept-tssdiv- tsszone-tssgroup
You’ll see that the LDAP attribute ‘Target-Nodes-for-Cmds’ maps to the TSS TARGET() field and can be used to pass the value used in the TARGET(xxx) parm.
Feedback
Yes
No
Powered by
