Table of Contents

Search

  1. Preface
  2. Introduction to PowerExchange
  3. DBMOVER Configuration File
  4. Netport Jobs
  5. PowerExchange Message Logs and Destination Overrides
  6. SMF Statistics Logging and Reporting
  7. PowerExchange Security
  8. Secure Sockets Layer Support
  9. PowerExchange Alternative Network Security
  10. PowerExchange Nonrelational SQL
  11. PowerExchange Globalization
  12. Using the PowerExchange ODBC Drivers
  13. PowerExchange Datatypes and Conversion Matrix
  14. DTL__CAPXTIMESTAMP Time Stamps
  15. PowerExchange Glossary

z/OS Security

z/OS Security

To configure z/OS security, define a SECURITY statement in the DBMOVER configuration member in conjunction with other security methods, such as operating system facilities, resource profiles, and the selective sign-on file.
You can configure the following types of PowerExchange security:
On z/OS, when you set the first parameter in the SECURITY statement to 1 or 2, you must APF-authorize the STEPLIB for the PowerExchange Listener and netport jobs. Otherwise, PowerExchange cannot complete user authentication or control resource access, and instead operates as if you set the first parameter in the SECURITY statement to 0.
  • User authentication
    . Set the first parameter in the SECURITY statement to 1 or 2. PowerExchange uses a valid MVS user ID and password to authenticate users to connect to and use PowerExchange. Instead of a password, you can specify a valid PowerExchange passphrase for z/OS. For information about passphrases, see PowerExchange Passphrases. If you also configure PowerExchange selective sign-on, PowerExchange checks operating system user IDs and passwords or passphrases after successful selective sign-on checking.
  • PowerCenter CDC session access
    . Set the first parameter in the SECURITY statement to 2 to enable PowerCenter CDC sessions to use the z/OS user ID and password that is specified on the PWXPC connection to extract data. The connection user ID and password must have READ access to the data set defined in the DTLCAMAP DD statement of the PowerExchange Listener JCL.
    A connection to DB2 for z/OS through the Call Attachment Facility (CAF) runs under the user ID of the PowerExchange Listener regardless of the security settings. DB2 uses the user ID supplied on the connection only if the connection type is Recoverable Resource Manager Service Attachment Facility (RRSAF) or if offloading is enabled.
    If you offload column-level processing for a z/OS data source to the Linux, UNIX, or Windows system where the Integration Service runs, PowerExchange uses the
    Map Location User
    and
    Map Location Password
    values that are specified on the connection to control access to all resources. This connection is a PWX NRDB CDC application connection or PWX DB2zOS CDC application connection for which offload processing is enabled.
  • Capture registration access
    . Set the first parameter in the SECURITY statement to 2 to require a valid z/OS user ID and password that has READ access to the CAPX.REG.* resource profiles to control user access to capture registrations. If you specify another option, your z/OS security product controls access to capture registrations at the data set level only.
  • Extraction map access
    . Set the first parameter in the SECURITY statement to 2 to require a valid z/OS user ID and password that has READ access to the data set that is defined in the DTLCAMAP DD statement of the PowerExchange Listener JCL to control user access to extraction maps.
  • Data map access
    . Set the first parameter in the SECURITY statement to 2 and enter DM_SUBTASK=Y in the DBMOVER configuration file to have PowerExchange use FACILITY class profiles to control user access to data maps. If you specify another option, your z/OS security product controls access to data maps at the data set level only.
  • PowerExchange Listener commands
    . Set the first parameter in the SECURITY statement to 2 to have PowerExchange use FACILITY class profiles to control user access to PowerExchange Listener commands issued from the PowerExchange Navigator or DTLUTSK utility. If you specify another option, PowerExchange does not control access to commands issued from the PowerExchange Navigator or the DTLUTSK utility.
  • Source database access for change capture
    . To capture data, the z/OS ECCRs must meet database-specific security requirements and run under a valid z/OS user ID and password that passes PowerExchange Listener security checking.
  • z/OS data access for remote PowerExchange Logger for Linux, UNIX, and Windows logging
    . If you log data from z/OS data sources to remote PowerExchange Logger for Linux, UNIX, and Windows log files, set the SECURITY option to 2 in the DBMOVER configuration file on the z/OS system. Ensure that the user ID and password in the PowerExchange Logger for Linux, UNIX, and Windows configuration file, pwxccl, is a valid
    z/OS
    user ID and password that can pass z/OS security checking. Also, to access capture registrations, ensure that this user ID and password has READ access to the CAPX.REG.* resource profiles in the FACILITY class.
  • Adabas file write access
    . In PowerExchange data maps, you can specify passwords for Adabas files. Set the first parameter in the SECURITY statement to 2. PowerExchange uses FACILITY class profiles to control write access to Adabas files. Otherwise, PowerExchange does not control write access to Adabas files.
  • Datacom table read access
    . Set the first parameter in the SECURITY statement to 2 to have PowerExchange use FACILITY class profiles to control read access to Datacom tables. Otherwise, PowerExchange does not control read access to Datacom tables.
  • DB2 for z/OS access
    . Set the first parameter in the SECURITY statement to 2 and enter MVSDB2AF=RRSAF in the DBMOVER configuration member to have PowerExchange use the connection user ID to access DB2 resources. Otherwise, PowerExchange uses the user ID under which the PowerExchange Listener runs.
  • IMS database write access
    . Set the first parameter in the SECURITY statement to 2 to have PowerExchange use FACILITY class profiles to control write access to IMS databases. Otherwise, PowerExchange does not control write access to IMS databases.
  • Authorization for PowerExchange Agent services and commands
    . Set the InitAuthCheck parameter to YES in the AGENTCTL parameter file to have PowerExchange authorize user requests to intialize PowerExchange Agent services or issue PowerExchange Agent commands. For more information, see the
    PowerExchange CDC Guide for z/OS
    .
  • User authentication for the pwxcmd program
    . Set the first parameter in the SECURITY statement to 1 or 2 to have PowerExchange use operating system facilities to authenticate users of the pwxcmd program. If you configure PowerExchange selective sign-on, PowerExchange checks operating system user IDs and passwords after successful selective sign-on checking.
  • Authorization for running pwxcmd commands
    . Set the first parameter in the SECURITY statement to 2 on the system that is the target of a command. PowerExchange checks resource profiles to determine whether the user ID supplied on the pwxcmd program is authorized to run commands. Otherwise, authority to run pwxcmd commands is not checked.
  • Selective sign-on
    . Set the second parameter in the SECURITY statement to Y to have PowerExchange use the selective sign-on file to limit the users that connect to PowerExchange. Otherwise, any operating system user ID can connect to PowerExchange.