Communities
A collaborative platform to connect and grow with like-minded Informaticans across the globe
Product Communities
Connect and collaborate with Informatica experts and champions
Discussions
Have a question? Start a Discussion and get immediate answers you are looking for
User Groups
Customer-organized groups that meet online and in-person. Join today to network, share ideas, and get tips on how to get the most out of Informatica
Get Started
Community Guidelines
Knowledge Center
Troubleshooting documents, product guides, how to videos, best practices, and more
Knowledge Base
One-stop self-service portal for solutions, FAQs, Whitepapers, How Tos, Videos, and more
Support TV
Video channel for step-by-step instructions to use our products, best practices, troubleshooting tips, and much more
Documentation
Information library of the latest product documents
Velocity (Best Practices)
Best practices and use cases from the Implementation team
Learn
Rich resources to help you leverage full capabilities of our products
Trainings
Role-based training programs for the best ROI
Certifications
Get certified on Informatica products. Free, Foundation, or Professional
Product Learning Paths
Free and unlimited modules based on your expertise level and journey
Resources
Library of content to help you leverage the best of Informatica products
Tech Tuesdays Webinars
Most popular webinars on product architecture, best practices, and more
Product Availability Matrix
Product Availability Matrix statements of Informatica products
SupportFlash
Monthly support newsletter
Support Documents
Informatica Support Guide and Statements, Quick Start Guides, and Cloud Product Description Schedule
Product Lifecycle
End of Life statements of Informatica products
Ideas
Events
Change Request Tracking
Marketplace
English
  • PowerExchange for CDC and Mainframe 10.4.1
  • All Products

Table of Contents

Search

  1. Preface
  2. Introduction to PowerExchange
  3. DBMOVER Configuration File
  4. Netport Jobs
  5. PowerExchange Message Logs and Destination Overrides
  6. SMF Statistics Logging and Reporting
  7. PowerExchange Security
  8. Secure Sockets Layer Support
  9. PowerExchange Alternative Network Security
  10. PowerExchange Nonrelational SQL
  11. PowerExchange Globalization
  12. Using the PowerExchange ODBC Drivers
  13. PowerExchange Datatypes and Conversion Matrix
  14. Appendix A: DTL__CAPXTIMESTAMP Time Stamps
  15. Appendix B: PowerExchange Glossary

Reference Manual

Reference Manual

Back Next

z/OS Security

z/OS Security

To configure z/OS security, define a SECURITY statement in the DBMOVER configuration member in conjunction with other security methods, such as operating system facilities, resource profiles, and the selective sign-on file.
You can configure the following types of PowerExchange security:
On z/OS, when you set the first parameter in the SECURITY statement to 1 or 2, you must APF-authorize the STEPLIB for the PowerExchange Listener and netport jobs. Otherwise, PowerExchange cannot complete user authentication or control resource access, and instead operates as if you set the first parameter in the SECURITY statement to 0.
  • User authentication
    . Set the first parameter in the SECURITY statement to 1 or 2. PowerExchange uses a valid MVS user ID and password to authenticate users to connect to and use PowerExchange. Instead of a password, you can specify a valid PowerExchange passphrase for z/OS. For information about passphrases, see PowerExchange Passphrases. If you also configure PowerExchange selective sign-on, PowerExchange checks operating system user IDs and passwords or passphrases after successful selective sign-on checking.
  • PowerCenter CDC session access
    . Set the first parameter in the SECURITY statement to 2 to enable PowerCenter CDC sessions to use the z/OS user ID and password that is specified on the PWXPC connection to extract data. The connection user ID and password must have READ access to the data set defined in the DTLCAMAP DD statement of the PowerExchange Listener JCL.
    A connection to DB2 for z/OS through the Call Attachment Facility (CAF) runs under the user ID of the PowerExchange Listener regardless of the security settings. DB2 uses the user ID supplied on the connection only if the connection type is Recoverable Resource Manager Service Attachment Facility (RRSAF) or if offloading is enabled.
    If you offload column-level processing for a z/OS data source to the Linux, UNIX, or Windows system where the Integration Service runs, PowerExchange uses the
    Map Location User
     and
    Map Location Password
     values that are specified on the connection to control access to all resources. This connection is a PWX NRDB CDC application connection or PWX DB2zOS CDC application connection for which offload processing is enabled.
  • Capture registration access
    . Set the first parameter in the SECURITY statement to 2 to require a valid z/OS user ID and password that has READ access to the CAPX.REG.* resource profiles to control user access to capture registrations. If you specify another option, your z/OS security product controls access to capture registrations at the data set level only.
  • Extraction map access
    . Set the first parameter in the SECURITY statement to 2 to require a valid z/OS user ID and password that has READ access to the data set that is defined in the DTLCAMAP DD statement of the PowerExchange Listener JCL to control user access to extraction maps.
  • Data map access
    . Set the first parameter in the SECURITY statement to 2 and enter DM_SUBTASK=Y in the DBMOVER configuration file to have PowerExchange use FACILITY class profiles to control user access to data maps. If you specify another option, your z/OS security product controls access to data maps at the data set level only.
  • PowerExchange Listener commands
    . Set the first parameter in the SECURITY statement to 2 to have PowerExchange use FACILITY class profiles to control user access to PowerExchange Listener commands issued from the PowerExchange Navigator or DTLUTSK utility. If you specify another option, PowerExchange does not control access to commands issued from the PowerExchange Navigator or the DTLUTSK utility.
  • Source database access for change capture
    . To capture data, the z/OS ECCRs must meet database-specific security requirements and run under a valid z/OS user ID and password that passes PowerExchange Listener security checking.
  • z/OS data access for remote PowerExchange Logger for Linux, UNIX, and Windows logging
    . If you log data from z/OS data sources to remote PowerExchange Logger for Linux, UNIX, and Windows log files, set the SECURITY option to 2 in the DBMOVER configuration file on the z/OS system. Ensure that the user ID and password in the PowerExchange Logger for Linux, UNIX, and Windows configuration file, pwxccl, is a valid
    z/OS
     user ID and password that can pass z/OS security checking. Also, to access capture registrations, ensure that this user ID and password has READ access to the CAPX.REG.* resource profiles in the FACILITY class.
  • Adabas file write access
    . In PowerExchange data maps, you can specify passwords for Adabas files. Set the first parameter in the SECURITY statement to 2. PowerExchange uses FACILITY class profiles to control write access to Adabas files. Otherwise, PowerExchange does not control write access to Adabas files.
  • Datacom table read access
    . Set the first parameter in the SECURITY statement to 2 to have PowerExchange use FACILITY class profiles to control read access to Datacom tables. Otherwise, PowerExchange does not control read access to Datacom tables.
  • DB2 for z/OS access
    . Set the first parameter in the SECURITY statement to 2 and enter MVSDB2AF=RRSAF in the DBMOVER configuration member to have PowerExchange use the connection user ID to access DB2 resources. Otherwise, PowerExchange uses the user ID under which the PowerExchange Listener runs.
  • IMS database write access
    . Set the first parameter in the SECURITY statement to 2 to have PowerExchange use FACILITY class profiles to control write access to IMS databases. Otherwise, PowerExchange does not control write access to IMS databases.
  • Authorization for PowerExchange Agent services and commands
    . Set the InitAuthCheck parameter to YES in the AGENTCTL parameter file to have PowerExchange authorize user requests to intialize PowerExchange Agent services or issue PowerExchange Agent commands. For more information, see the
    PowerExchange CDC Guide for z/OS
    .
  • User authentication for the pwxcmd program
    . Set the first parameter in the SECURITY statement to 1 or 2 to have PowerExchange use operating system facilities to authenticate users of the pwxcmd program. If you configure PowerExchange selective sign-on, PowerExchange checks operating system user IDs and passwords after successful selective sign-on checking.
  • Authorization for running pwxcmd commands
    . Set the first parameter in the SECURITY statement to 2 on the system that is the target of a command. PowerExchange checks resource profiles to determine whether the user ID supplied on the pwxcmd program is authorized to run commands. Otherwise, authority to run pwxcmd commands is not checked.
  • Selective sign-on
    . Set the second parameter in the SECURITY statement to Y to have PowerExchange use the selective sign-on file to limit the users that connect to PowerExchange. Otherwise, any operating system user ID can connect to PowerExchange.
0 COMMENTS
We’d like to hear from you!