The SECURITY statement controls PowerExchange user authentication and access to resources and commands.
Use the SECURITY statement in the DBMOVER configuration file to configure the following types of security:
User authentication to access PowerExchange
Access to files and data sets by PowerExchange jobs and tasks on z/OS and i5/OS
User authorization to issue infacmd pwx commands to a PowerExchange application service in the Informatica domain
User authorization to issue pwxcmd commands to a PowerExchange process
User authorization to issue PowerExchange Listener LISTTASK and STOPTASK commands from the PowerExchange Navigator
Operating systems: All
Related statements: DM_RESOURCE, MVSDB2AF, and RACF_CLASS
Required: No
SECURITY=({0|1|2},{N|Y}[,LDAP][,{ORACLE_LDAP|OPEN_LDAP}])
The first positional parameter has the following valid values:
{0|1|2}
Controls whether PowerExchange requires users to enter a valid operating system user ID and a password or passphrase. Also controls whether PowerExchange checks user-entered credentials to control access to file and database resources and the issuance of certain PowerExchange commands.
Enter one of the following options:
0.
PowerExchange does not require users to specify a valid operating system user ID and password and ignores any credentials that users supply.
On z/OS and i5/OS, PowerExchange uses the user ID under which the PowerExchange Listener or PowerExchange Condense task runs to control access to file resources. PowerExchange passes this user ID to the database system.
On Linux, UNIX, and Windows, PowerExchange uses the user ID under which the PowerExchange Listener task runs to control access to file resources. RDBMS security controls PowerExchange access to database resources based on the user ID that users specify on the PWX connection or in the PowerExchange Logger CAPTURE_NODE_UID parameter.
On all operating systems, PowerExchange does not check user authorization to issue commands. Any user can issue a command.
1.
On z/OS and i5/OS, PowerExchange requires users to specify a valid operating system user ID and a password or valid PowerExchange passphrase. PowerExchange checks these credentials when a PowerExchange task starts. Thereafter, PowerExchange controls access to file resources in the same manner as for option 0. For file access, PowerExchange uses the user ID under which the PowerExchange Listener or PowerExchange Condense task runs and passes this user ID to the database system.
On Linux, UNIX, and Windows, unless you specify LDAP for the third parameter of the SECURITY statement on supported systems, PowerExchange does not require users to specify a valid operating system user ID and password to access file or database resources and does not check for these credentials. As for option 0, PowerExchange uses the user ID under which the PowerExchange Listener task runs to control access to file resources. RDBMS security controls PowerExchange access to database resources based on the user ID that users specify on the PWX connection or in the PowerExchange Logger CAPTURE_NODE_UID parameter.
On all operating systems, PowerExchange does not check user authorization to issue commands. Any user can issue a command.
2.
Provides the most specific level of security.
On z/OS, Informatica recommends that you use option 2. PowerExchange controls access based on 1) an MVS user ID and a password or valid PowerExchange passphrase and 2) the access control features of your z/OS security product, such as RACF or ACF2.
To read change data from the change stream, the ECCR must use a valid z/OS user ID and password or passphrase. The PowerExchange Listener checks these credentials when the ECCR task or job starts. To access the database to read data, PowerExchange passes the z/OS user ID and password or passphrase to the database system for database-specific security checking. In conjunction with the z/OS security product and MVS System Authorization Facility (SAF), PowerExchange checks the z/OS user ID and password or passphrase against the CAPX.REG.* resource profiles to control access to capture registrations.
To extract change data, run PowerCenter CDC sessions with a PWXPC connection that specifies a valid z/OS user ID and password or passphrase. For the session to access extraction maps, these user credentials must have READ access to the PowerExchange data set that is defined in the DTLCAMAP DD statement of the PowerExchange Listener JCL.
A connection to DB2 for z/OS through the Call Attachment Facility (CAF) runs under the user ID of the PowerExchange Listener regardless of the security settings. DB2 uses the user ID that is specified on the connection only if the connection type is Recoverable Resource Manager Service Attachment Facility (RRSAF) or if offload processing is enabled.
PowerExchange also uses resource profiles to control who can run the following types of commands:
pwxcmd commands for a PowerExchange Listener or PowerExchange Condense process that are issued from a Linux, UNIX, or Windows system
PowerExchange Listener LISTTASK and STOPTASK commands that are issued from the PowerExchange Navigator or the DTLUTSK utility
On i5/OS, PowerExchange requires users to specify a valid operating system user ID and password or passphrase. PowerExchange checks these credentials when a PowerExchange task starts. PowerExchange Listener subtask processes run under the supplied user ID and password or passphrase. PowerExchange uses this user ID and password or passphrase to control access to PowerExchange files. PowerExchange also passes this user ID and password or passphrase to the database system for data access.
PowerExchange uses security objects to control who can run the following types of commands:
pwxcmd commands for a PowerExchange Listener or PowerExchange Condense process that are issued from a Linux, UNIX, or Windows system
PowerExchange Listener LISTTASK and STOPTASK commands that are issued from the SNDLSTCMD interface, the PowerExchange Navigator, or the DTLUTSK utility
On Linux, UNIX, and Windows, unless you specify LDAP for the third parameter of the SECURITY statement on supported systems, PowerExchange does not require users to specify an operating system ID and password to access PowerExchange files or a database. PowerExchange uses the user ID and password under which the PowerExchange Listener runs or that PowerExchange Logger for Linux, UNIX, and Windows uses to control access to PowerExchange files. RDBMS security controls access to the database.
However, you must specify a valid operating system user ID and password to run the following types of commands:
An infacmd pwx command to a PowerExchange application service in the Informatica domain
A pwxcmd command to a PowerExchange process
PowerExchange checks these user credentials against the USER and AUTHGROUP COMMANDS statements in the sign-on file to determine if a user is authorized to issue an infacmd pwx or pwxcmd command. In this case, the second positional parameter in the SECURITY statement is ignored.
Default is 0.
The second positional parameter has the following valid values:
{N|Y}
Controls use of the PowerExchange selective sign-on file to authorize users to connect to the PowerExchange Listener.
Enter one of the following options:
N.
PowerExchange does not use the selective sign-on file.
Y.
PowerExchange uses the USER statement with the ALLOW and IP subparameters in the selective sign-on file to restrict users who can connect to the PowerExchange Listener.
If you specify Y and also set the first parameter in the SECURITY statement to 1, PowerExchange uses the TASKCNTRL parameter in the USER statements in the sign-on file to control access to PowerExchange Listener LISTTASK and STOPTASK commands that are issued from the PowerExchange Navigator.
Default is N.
The optional third positional parameter has the following valid value:
LDAP
If you specify LDAP for the third positional parameter and specify 1 or 2 as the first positional parameter, PowerExchange uses LDAP authentication on supported Linux, UNIX, and Windows systems.
If you do not include the third parameter, PowerExchange does not use LDAP authentication.
The fourth positional parameter has the following valid values:
{ORACLE_LDAP|OPEN_LDAP}
When you specify LDAP for the third positional parameter, this parameter specifies which set of LDAP client libraries to load.
Enter one of the following options:
ORACLE_LDAP.
PowerExchange loads the Oracle LDAP client libraries.
Select this option only if you have an Oracle LDAP installation. PowerExchange does not provide the Oracle LDAP client libraries.
OPEN_LDAP.
PowerExchange loads the OpenLDAP client libraries.
Default is ORACLE_LDAP.
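The following is an added example, not part of the PowerExchange documentation and not a utility that Informatica ships. It is a small audit script that parses the SECURITY statement from a DBMOVER configuration file using the syntax above and reports the consequences that the parameter descriptions state: whether credentials are checked, whether command authorization is enforced, and whether the selective sign-on file restricts Listener connections. The DBMOVER fragments, the node names and the port number are constructed for the demo; the platform labels "zos", "i5os" and "luw" and the function names are assumptions of this script. A missing SECURITY statement is treated as the documented defaults, SECURITY=(0,N).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample DBMOVER fragments (not from the product documentation);
# only the SECURITY statement matters to this audit.
SAMPLE_DBMOVER_WEAK = """\
/* constructed z/OS member: default, unauthenticated setting */
LISTENER=(node1,TCPIP,2480)
SECURITY=(0,N)
"""

SAMPLE_DBMOVER_HARDENED = """\
/* constructed z/OS member: SAF credential checks plus selective sign-on */
LISTENER=(node1,TCPIP,2480)
SECURITY=(2,Y)
"""

SAMPLE_DBMOVER_LUW_LDAP = """\
/* constructed Linux file: LDAP authentication through OpenLDAP libraries */
LISTENER=(node2,TCPIP,2480)
SECURITY=(1,Y,LDAP,OPEN_LDAP)
"""


@dataclass
class SecurityStatement:
    level: int                       # first positional parameter: 0, 1 or 2
    signon: str                      # second positional parameter: N or Y
    ldap: bool = False               # third positional parameter (LDAP) present
    ldap_libs: str = "ORACLE_LDAP"   # fourth positional parameter, default ORACLE_LDAP


# SECURITY=({0|1|2},{N|Y}[,LDAP][,{ORACLE_LDAP|OPEN_LDAP}])
SECURITY_RE = re.compile(
    r"^\s*SECURITY=\(\s*([012])\s*,\s*([NY])"
    r"(?:\s*,\s*(LDAP))?"
    r"(?:\s*,\s*(ORACLE_LDAP|OPEN_LDAP))?\s*\)\s*$",
    re.IGNORECASE,
)


def parse_security(dbmover_text: str) -> Optional[SecurityStatement]:
    """Return the parsed SECURITY statement, None if the file omits it, and
    raise ValueError for a SECURITY line that does not follow the syntax."""
    for line in dbmover_text.splitlines():
        if not line.strip().upper().startswith("SECURITY="):
            continue
        m = SECURITY_RE.match(line)
        if not m:
            raise ValueError(f"malformed SECURITY statement: {line.strip()}")
        level, signon, ldap, libs = m.groups()
        return SecurityStatement(
            level=int(level),
            signon=signon.upper(),
            ldap=ldap is not None,
            ldap_libs=(libs or "ORACLE_LDAP").upper(),
        )
    return None


def audit_security(dbmover_text: str, platform: str) -> List[str]:
    """List what the SECURITY statement implies for platform 'zos', 'i5os'
    or 'luw' (Linux, UNIX, Windows), per the parameter descriptions."""
    if platform not in ("zos", "i5os", "luw"):
        raise ValueError("platform must be 'zos', 'i5os' or 'luw'")
    # An absent statement behaves as the documented defaults: 0 and N.
    stmt = parse_security(dbmover_text) or SecurityStatement(level=0, signon="N")
    findings: List[str] = []
    if stmt.level == 0:
        findings.append("level 0: credentials are ignored; any user can issue commands")
    elif stmt.level == 1:
        findings.append("level 1: command authorization is not checked; any user can issue commands")
    if platform == "luw" and stmt.level > 0 and not stmt.ldap:
        findings.append("no OS credential check for file or database access on Linux/UNIX/Windows without LDAP")
    if platform == "zos" and stmt.level == 2:
        findings.append("level 2 on z/OS: SAF checks credentials; CAPX.REG.* profiles govern registrations")
    if stmt.signon == "N":
        findings.append("selective sign-on file not used: Listener connections are not restricted by USER ALLOW/IP")
    elif stmt.level == 1:
        findings.append("TASKCNTRL in USER statements governs Navigator LISTTASK/STOPTASK commands")
    if stmt.ldap and stmt.level == 0:
        findings.append("LDAP has no effect unless the first parameter is 1 or 2")
    if stmt.ldap and platform != "luw":
        findings.append("LDAP authentication applies only to supported Linux, UNIX, and Windows systems")
    return findings


def is_hardened(dbmover_text: str, platform: str) -> bool:
    """True when no finding describes skipped authentication or open command access."""
    weak = ("any user can issue commands", "no OS credential check", "not used", "no effect")
    return not any(any(w in f for w in weak) for f in audit_security(dbmover_text, platform))


if __name__ == "__main__":
    for name, text, plat in (("weak", SAMPLE_DBMOVER_WEAK, "zos"),
                             ("hardened", SAMPLE_DBMOVER_HARDENED, "zos"),
                             ("luw-ldap", SAMPLE_DBMOVER_LUW_LDAP, "luw")):
        print(f"{name}: hardened={is_hardened(text, plat)}")
        for f in audit_security(text, plat):
            print("  -", f)
```

Run the script against a copy of the DBMOVER member to see which of the documented consequences apply; the script reads only the SECURITY statement, so it cannot confirm the z/OS prerequisites that sit outside the configuration file, such as the APF authorization of the Listener STEPLIB.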
In the z/OS Installation Assistant, if you click Advanced Parms on the General Parameters page, you can define the SECURITY_LEVEL and SECURITY_PWX parameters. The SECURITY_LEVEL parameter corresponds to the first parameter in the SECURITY statement. The SECURITY_PWX parameter corresponds to the second parameter in the SECURITY statement.
On z/OS, when you set the first parameter of the SECURITY statement to 1 or 2, you must APF-authorize the STEPLIB for the PowerExchange Listener and netport jobs. Otherwise, PowerExchange cannot complete user authentication or control resource access, and instead operates as if you set this parameter to 0.
If you offload column-level processing for a z/OS data source to the Linux, UNIX, or Windows system where the PowerCenter Integration Service runs, PowerCenter CDC sessions use the Map Location User and Map Location Password values that you specify on the connection to control access to all resources. The connection must be a PWX NRDB CDC application connection or PWX DB2zOS CDC application connection for which offload processing is enabled.
If you log data from z/OS data sources to remote PowerExchange Logger for Linux, UNIX, and Windows log files, set the SECURITY option to 2 in the DBMOVER configuration member on z/OS. Ensure that the user ID and password in the PowerExchange Logger for Linux, UNIX, and Windows configuration file, pwxccl, is a valid z/OS user ID and password that can pass z/OS security checking. To read captured data from the PowerExchange Logger for z/OS log files, these user credentials must have READ access to the CAPX.REG.* resource profiles in the FACILITY class, which are managed by your z/OS security product. Also, for CDC sessions to extract data from the log files, the PWXPC connection must specify the z/OS user ID and password in the Map Location User and Map Location Password connection attributes. These user credentials need READ access to the CAPX.CND.* resource profiles.