Bravura Security Mainframe Connector is robust z/OS software that is capable of bi-directional communication with a Bravura Security Fabric server.
In client mode, Mainframe Connector captures z/OS-initiated password change requests using security product exits and forwards them to a Bravura Pass server. Depending on the return conditions from the Bravura Pass server, Mainframe Connector tells the host security product either to accept the new password value or to deny it and start over.
In server mode, Mainframe Connector listens for events initiated by the Bravura Security Fabric server and acts on them. A number of inbound events are supported, including:
- Verify a user’s current password.
- Administratively reset a user’s password, with or without setting the flag to force a password change at next login.
- Return the status of a userid (is a userid currently revoked or active?).
- Expire the password for a userid.
- Revoke a userid.
- Resume a userid.
- Obtain a userid list.
- Create a new userid.
- Delete an existing userid.
- Obtain a list of attributes associated with a userid.
- Update attributes associated with a userid.
The core of Mainframe Connector is the Mainframe Connector started task. Mainframe Connector is set up to communicate with a TCP/IP stack on z/OS. Startup parameters are provided to Mainframe Connector to indicate the target Bravura Security Fabric server’s IP address or DNS hostname, the TCP/IP port numbers that will be used for both the client and server components, a shared encryption key and a userid that will be used for command validation. Other parameters that can be specified include:
- An optional SMF record number for log data collection.
- A parameter to indicate whether Mainframe Connector should run in both client and server mode or server mode only.
- A parameter to indicate if an optional background data space collector should be created.
- A parameter to indicate the internal debugging level.
- A parameter to indicate the selected encryption technique.
The Mainframe Connector started task must run under a userid capable of interfacing with a z/OS TCP/IP stack (i.e., the started task userid must have an OMVS security segment and must belong to a default group that also has an OMVS security segment). The load modules for Mainframe Connector must reside in an APF-authorized library.
The behaviour of Mainframe Connector can be customized:
- Optional include or exclude lists, to indicate userids for which inbound requests should be either permitted (include list) or denied (exclude list).
- Mainframe Connector exit points to allow organizations to customize inbound:
  - Reset password requests – e.g., for additional logging.
  - Account list requests – e.g., to filter returned data.
  - Account resume requests – e.g., to determine whether a userid was administratively REVOKE-ed or simply suffered excessive failed authentications.
  - Account create requests – e.g., to create ancillary records for new accounts.
  - Account delete requests – e.g., to cleanly dispose of records associated with the old account.
- A number of z/OS operator commands allow the behavior of Mainframe Connector to be altered dynamically, without the need to restart the started task.
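As an added illustration (not Bravura Security code) of the include/exclude list check described above, the following Python models how an inbound request for a userid is permitted or denied. The page does not state precedence or defaults, so the block assumes: an include list, when configured, is authoritative and permits only the userids it names; an exclude list denies the userids it names; with neither list configured every userid is permitted; when a userid appears in both lists, deny wins; and comparison is done after trimming and upper-casing, because z/OS userids are stored in upper case. The list contents and the `load_list` file format (one userid per line, `#` comments) are constructed for the example.

```python
# Added example, not part of the Mainframe Connector product: models the
# include/exclude list decision for inbound server-mode requests.
# Assumptions (the page does not specify them): include list is
# authoritative when present; exclude list denies; neither list means
# permit all; deny wins on conflict; userids compared trimmed/upper-cased.

from typing import Iterable, List, Optional


def normalize_userid(userid: str) -> str:
    """Canonical form for comparison: trimmed and upper case (assumption)."""
    return userid.strip().upper()


def load_list(entries: Iterable[str]) -> frozenset:
    """Build a normalized set from raw list lines, skipping blanks and '#' comments."""
    result = set()
    for raw in entries:
        line = raw.split("#", 1)[0].strip()
        if line:
            result.add(normalize_userid(line))
    return frozenset(result)


def is_permitted(userid: str,
                 include: Optional[frozenset],
                 exclude: Optional[frozenset]) -> bool:
    """Decide whether an inbound request for `userid` may proceed.

    include: normalized set, or None when no include list is configured.
    exclude: normalized set, or None when no exclude list is configured.
    """
    uid = normalize_userid(userid)
    if not uid or len(uid) > 8:
        # Not a valid z/OS userid length; reject rather than guess.
        return False
    if include is not None and uid not in include:
        # Include list configured: anything it does not name is denied.
        return False
    if exclude is not None and uid in exclude:
        # Exclude list applies even to userids the include list names.
        return False
    return True


def filter_account_list(userids: Iterable[str],
                        include: Optional[frozenset],
                        exclude: Optional[frozenset]) -> List[str]:
    """Apply the same rule to an outbound userid list (account list request)."""
    return [u for u in userids if is_permitted(u, include, exclude)]


# Constructed sample lists, as an administrator might write them.
SAMPLE_INCLUDE = load_list([
    "  svcacct1   # written in lower case on purpose",
    "",
    "TSO001",
])
SAMPLE_EXCLUDE = load_list(["TSO001  # denied even though included"])

if __name__ == "__main__":
    for uid in ("tso001", "SVCACCT1", "TSO002"):
        print(uid, is_permitted(uid, SAMPLE_INCLUDE, SAMPLE_EXCLUDE))
```

The normalization step is the part worth checking in a real deployment: a list entry written in lower case that is compared byte-for-byte against an upper-case z/OS userid silently never matches, which turns an intended include list into a deny-all and an intended exclude list into a no-op.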
Mainframe Connector can interface with RACF, ACF2 or TopSecret. It can use either the IBM TCP/IP or the CA TCPaccess stack.
Mainframe Connector can function in multiple-LPAR environments with or without shared security product databases. The number of Mainframe Connector images in a multi-LPAR environment depends on:
- The number of security databases.
- The desired level of redundancy.
- The level of cross-system security information sharing provided by RRSF for RACF, CPF for ACF2 or CPF for TopSecret.