OpenFrame/TACF Configuration

This chapter describes configuration items required for OpenFrame/TACF operation.

1. Overview

For operation of OpenFrame/TACF (hereafter TACF), set KEYs of each SECTION in the openframe_tacf.conf file, and then save the system settings by using the ofconfig tool.

Certain KEYs have no default value (NONE). Refer to the Remark of each such key for its behavior when it is not set.

The following describes the sections of each subject. For details about the values of each section's keys, refer to the corresponding section.

  • tacf

    Configures general information for the TACF system.

    Section         Description
    TACF_DEFAULT    Basic information required for TACF operation.
    AUTH_OPTION     Options related to TACF users' groups and resource permission check.
    SETROPTS        Information about the SETROPTS command that sets RACF options.

2. tacf

Configures general information for the TACF system.

2.1. TACF_DEFAULT

Sets basic information required for TACF operation.

2.1.1. HISTORY_COUNT

Maximum number of previously used passwords.

The password history is used to prevent reusing a previously used password. If the maximum number is exceeded, the oldest history is deleted. All nodes in a multi-node environment must use the same configuration.

  Parameter Type: Number
  Default Value: 20
  Range: 1 to 2147438647
  Remark: Integer greater than or equal to 1. If a value less than 1 is specified, the value is set to 1.
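The following Python model is added here as an illustration of the HISTORY_COUNT rule and is not part of the OpenFrame/TACF product. It assumes a bounded, oldest-first history, clamps values below 1 to 1 as the Remark states, and stores salted PBKDF2 digests rather than cleartext (the hashing scheme is this example's own choice, not a statement about how TACF stores its history).

```python
import hashlib
import hmac
import os
from collections import deque

# Constructed example modelling the HISTORY_COUNT rule described above.
# Not TACF's own code; the salted-PBKDF2 storage is an assumption made so
# that the history never holds cleartext passwords.

def effective_history_count(configured: int) -> int:
    """Apply the Remark: a value less than 1 is set to 1."""
    return max(1, int(configured))

def _digest(password: str, salt: bytes) -> bytes:
    # Iteration count kept modest so the demo runs quickly offline
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class PasswordHistory:
    """Bounded history: when the bound is exceeded the oldest entry is dropped."""

    def __init__(self, history_count: int):
        self.limit = effective_history_count(history_count)
        self._entries = deque()          # (salt, digest) pairs, oldest first

    def was_used(self, password: str) -> bool:
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self._entries)

    def change(self, new_password: str) -> bool:
        """Record the new password and return True, or return False if it is a reuse."""
        if self.was_used(new_password):
            return False
        salt = os.urandom(16)
        self._entries.append((salt, _digest(new_password, salt)))
        while len(self._entries) > self.limit:
            self._entries.popleft()      # oldest history is deleted
        return True

    def __len__(self) -> int:
        return len(self._entries)

def demo():
    """Walk five changes through a history of size 2 and report each outcome."""
    h = PasswordHistory(2)
    results = [h.change("alpha-1"), h.change("bravo-2")]
    results.append(h.change("alpha-1"))    # still in history -> refused
    results.append(h.change("charlie-3"))  # pushes "alpha-1" out of the history
    results.append(h.change("alpha-1"))    # no longer in history -> accepted
    return results
```

With HISTORY_COUNT=2 the sequence returns `[True, True, False, True, True]`: the third change is refused because "alpha-1" is still one of the two remembered passwords, and the fifth is accepted because "charlie-3" has since evicted it.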

2.1.2. UTIL_DIRECTORY

Directory where the output file created by executing tacfcopy is saved.

  Parameter Type: String
  Default Value: ${OPENFRAME_HOME}/temp
  Range: (none)
  Remark: Actual directory path.

2.1.3. PASSWORD_INTERVAL

Interval at which a password must be changed. If not set when adding a new user, this value is used as the default value. All nodes in a multi-node environment must use the same configuration.

  Parameter Type: Number
  Default Value: 30 (Unit: days)
  Range: 0 to 2147438647
  Remark: 0 means that the user's password does not have to be changed periodically.

2.1.4. MAX_RETRY_COUNT

Maximum number of attempts for login. All nodes in a multi-node environment must use the same configuration.

  Parameter Type: Number
  Default Value: 10
  Range: 1 to 2147438647
  Remark: Integer greater than or equal to 1. If the password does not match, login may be attempted up to this many times. When the value is reached, the user's account is locked for the period of time set in ACCOUNT_LOCK_PERIOD.

2.1.5. LOCK_PERIOD_UNIT

Unit for the time to lock a user’s account. All nodes in a multi-node environment must use the same configuration.

  Parameter Type: String
  Default Value: HOUR
  Range: HOUR, MINUTE
  Remark: Used for ACCOUNT_LOCK_PERIOD.

2.1.6. ACCOUNT_LOCK_PERIOD

Period of time (unit: LOCK_PERIOD_UNIT) for which a user's account is locked after the number of consecutive failed login attempts reaches the value set in MAX_RETRY_COUNT. The lock is automatically released after the period of time set in ACCOUNT_LOCK_PERIOD. If LOCK_PERIOD_UNIT is not set, the unit is HOUR (the default value). All nodes in a multi-node environment must use the same configuration.

  Parameter Type: Number
  Default Value: 24
  Range: 0 to 2147438647 (Integers)
  Remark: It is recommended to set a value greater than or equal to 1.

2.1.7. RETRY_RESET_PERIOD

Period of time after which the number of consecutive failed login attempts is reset. The number is reset to 0 once the period of time set in RETRY_RESET_PERIOD has passed. All nodes in a multi-node environment must use the same configuration.

  Parameter Type: Number
  Default Value: 3 (Unit: hours)
  Range: 0 to 2147438647 (Integers)
  Remark: 0 means that the account lock is not used.
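The four keys MAX_RETRY_COUNT, LOCK_PERIOD_UNIT, ACCOUNT_LOCK_PERIOD and RETRY_RESET_PERIOD together define one lockout state machine. The Python model below is added here to show how they interact on a replayed sequence of login attempts; it is an illustration of the behavior described in sections 2.1.4 to 2.1.7, not TACF's own code. The class names, the injected clock and the constructed user "TACFUSER" are this example's assumptions, and RETRY_RESET_PERIOD=0 is modelled as "no lock is ever applied" following the Remark above.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed model of the lockout rules from MAX_RETRY_COUNT, LOCK_PERIOD_UNIT,
# ACCOUNT_LOCK_PERIOD and RETRY_RESET_PERIOD. Illustration only, not TACF's own
# code; the clock is passed in so attempts can be replayed offline.

UNIT_SECONDS = {"HOUR": 3600, "MINUTE": 60}   # the two LOCK_PERIOD_UNIT values

@dataclass
class LockoutPolicy:
    max_retry_count: int = 10          # MAX_RETRY_COUNT
    lock_period_unit: str = "HOUR"     # LOCK_PERIOD_UNIT
    account_lock_period: int = 24      # ACCOUNT_LOCK_PERIOD, in lock_period_unit
    retry_reset_period: int = 3        # RETRY_RESET_PERIOD, in hours

    def __post_init__(self):
        self.max_retry_count = max(1, self.max_retry_count)   # Remark: integer >= 1
        if self.lock_period_unit not in UNIT_SECONDS:
            raise ValueError("LOCK_PERIOD_UNIT must be HOUR or MINUTE")

    def lock_duration(self) -> timedelta:
        return timedelta(seconds=self.account_lock_period * UNIT_SECONDS[self.lock_period_unit])

    def reset_window(self) -> timedelta:
        return timedelta(hours=self.retry_reset_period)

@dataclass
class AccountState:
    failures: int = 0                          # consecutive failed attempts
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None

class Authenticator:
    def __init__(self, policy: LockoutPolicy, credentials: Dict[str, str]):
        self.policy = policy
        self.credentials = credentials             # constructed sample: user -> password
        self.states: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: datetime) -> str:
        """Evaluate one login attempt at time `now`: 'OK', 'BAD_PASSWORD' or 'LOCKED'."""
        st = self.states.setdefault(user, AccountState())
        p = self.policy
        if st.locked_until is not None:
            if now < st.locked_until:
                return "LOCKED"                # refused even with the correct password
            st.locked_until = None             # released automatically after ACCOUNT_LOCK_PERIOD
            st.failures = 0
        # RETRY_RESET_PERIOD: the counter goes back to 0 once the window has passed
        if st.last_failure is not None and now - st.last_failure >= p.reset_window():
            st.failures = 0
        expected = self.credentials.get(user, "")
        if user in self.credentials and hmac.compare_digest(expected, password):
            st.failures, st.last_failure = 0, None
            return "OK"
        st.failures += 1
        st.last_failure = now
        # Remark for RETRY_RESET_PERIOD: 0 means the account lock is not used
        if p.retry_reset_period > 0 and st.failures >= p.max_retry_count:
            st.locked_until = now + p.lock_duration()
        return "BAD_PASSWORD"

def replay():
    """Replay a constructed attempt sequence under a 3-try, 30-minute-lock policy."""
    policy = LockoutPolicy(max_retry_count=3, lock_period_unit="MINUTE",
                           account_lock_period=30, retry_reset_period=1)
    auth = Authenticator(policy, {"TACFUSER": "correct-horse"})
    t0 = datetime(2024, 7, 5, 9, 0)
    timeline = [            # (minutes after t0, password presented)
        (0, "wrong"),           # failure 1
        (1, "wrong"),           # failure 2
        (2, "wrong"),           # failure 3 -> locked until 09:32
        (3, "correct-horse"),   # still locked
        (33, "correct-horse"),  # lock expired -> OK, counter cleared
        (34, "wrong"),          # failure 1 of a new series
        (95, "wrong"),          # 61 min later: the 1-hour window reset the counter first
    ]
    results = [auth.attempt("TACFUSER", pw, t0 + timedelta(minutes=m)) for m, pw in timeline]
    return results, auth.states["TACFUSER"].failures
```

`replay()` returns the seven outcomes `['BAD_PASSWORD', 'BAD_PASSWORD', 'BAD_PASSWORD', 'LOCKED', 'OK', 'BAD_PASSWORD', 'BAD_PASSWORD']` and a final failure count of 1: the third miss locks the account for 30 minutes (LOCK_PERIOD_UNIT=MINUTE), the correct password is refused while the lock is active, and the last miss counts as a fresh first failure because more than RETRY_RESET_PERIOD has elapsed since the previous one.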

2.1.8. EXPIRE_WARNING_DAYS

Period of time to show a warning message about password change. For example, when a password is changed on July 5 and the password interval is 10 days, the password expiration date is July 15. If EXPIRE_WARNING_DAYS is set to 3, the warning message is shown from July 12 to July 15 for 3 days. All nodes in a multi-node environment must use the same configuration.

  Parameter Type: Number
  Default Value: 0 (Unit: days)
  Range: 0 to 2147438647 (Integers)
  Remark: 0 means that a warning message is not shown.
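The Python functions below are added here to reproduce the July 5 / 10-day / 3-day figures from the description of EXPIRE_WARNING_DAYS together with PASSWORD_INTERVAL (section 2.1.3). They are an illustration, not TACF's own code. The function names are this example's own, and two readings are assumptions: the warning window is the inclusive span from expiry date minus EXPIRE_WARNING_DAYS through the expiry date, and a login after the expiry date is reported as expired.

```python
from datetime import date, timedelta
from typing import Optional, Tuple

# Constructed example for PASSWORD_INTERVAL and EXPIRE_WARNING_DAYS, reproducing
# the July 5 / 10-day / 3-day figures in the text. Illustration only, not TACF code.

def expiry_date(changed_on: date, password_interval: int) -> Optional[date]:
    """Date the password expires, or None when PASSWORD_INTERVAL is 0 (no periodic change)."""
    if password_interval <= 0:
        return None
    return changed_on + timedelta(days=password_interval)

def warning_window(changed_on: date, password_interval: int,
                   expire_warning_days: int) -> Optional[Tuple[date, date]]:
    """Inclusive (first, last) day on which the warning is shown, or None if never shown."""
    expires = expiry_date(changed_on, password_interval)
    if expires is None or expire_warning_days <= 0:   # Remark: 0 means no warning
        return None
    return (expires - timedelta(days=expire_warning_days), expires)

def password_status(today: date, changed_on: date, password_interval: int,
                    expire_warning_days: int) -> str:
    """'OK', 'WARN' (warning message shown) or 'EXPIRED' for a login on `today`."""
    expires = expiry_date(changed_on, password_interval)
    if expires is None:
        return "OK"
    if today > expires:           # assumption: past the expiry date means expired
        return "EXPIRED"
    window = warning_window(changed_on, password_interval, expire_warning_days)
    if window is not None and window[0] <= today <= window[1]:
        return "WARN"
    return "OK"

def demo():
    """The text's example: changed July 5, interval 10 days, warning 3 days."""
    changed = date(2024, 7, 5)
    return {
        "expires": expiry_date(changed, 10),
        "window": warning_window(changed, 10, 3),
        "status_by_day": {d: password_status(date(2024, 7, d), changed, 10, 3)
                          for d in (11, 12, 14, 15, 16)},
    }
```

For the text's figures `demo()` reports expiry on July 15, a warning window of July 12 through July 15, "OK" on July 11, "WARN" on July 12, 14 and 15, and "EXPIRED" on July 16; with PASSWORD_INTERVAL=0 or EXPIRE_WARNING_DAYS=0 no window is produced at all.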

2.1.9. EXPIRE_INIT_PASSWORD

Option to delete the initial password. All nodes in a multi-node environment must use the same configuration.

  Parameter Type: Y_N
  Default Value: YES
  Range: YES, NO
  Remark:
    • YES: Deletes the password.
    • NO: Does not delete the password.

2.1.10. RESTRICTED_LOGIN

Option to restrict who can log in to tacfmgr. All nodes in a multi-node environment must use the same configuration.

  Parameter Type: Y_N
  Default Value: NO
  Range: YES, NO
  Remark:
    • YES: Allows only users with special privilege to log in to tacfmgr.
    • NO: Allows general users to log in to tacfmgr.

2.2. AUTH_OPTION

Sets options related to TACF users' groups and resource permission check. TACF users can be included in one or more groups registered in TACF as well as a default group.

2.2.1. OPTION_LGP

Option to check permission against all the groups a user belongs to. For example, if set to YES, permission to access a specific data set is checked against every group the user belongs to, not only the user's default group. All nodes in a multi-node environment must use the same configuration.

  Parameter Type: Y_N
  Default Value: NO
  Range: YES, NO
  Remark:
    • YES: Checks permission for all groups where the user is included.
    • NO: Does not check permission for all groups where the user is included.

2.2.2. ENABLE_UNIFYDS

Option to check permission by using the UNIFYDS class. All nodes in a multi-node environment must use the same configuration.

  Parameter Type: Y_N
  Default Value: NO
  Range: YES, NO
  Remark:
    • YES: Uses the UNIFYDS class to check permission.
    • NO: Does not use the UNIFYDS class to check permission.

2.2.3. SECURITY_MODE

Resource permission check mode that determines how a missing permission for a specific resource is treated. All nodes in a multi-node environment must use the same configuration.

  Parameter Type: String
  Default Value: NORMAL
  Range: NORMAL, WARN
  Remark:
    • NORMAL: Treats the case as a failure.
    • WARN: Only shows a warning message for the case and does not treat it as a failure.

2.3. SETROPTS

Sets information about the SETROPTS command that sets RACF options.

2.3.1. PROTECTALL

Option to restrict general users' access to all data sets whose profiles are not registered in TACF. All nodes in a multi-node environment must use the same configuration.

  Parameter Type: Y_N
  Default Value: NO
  Range: YES, NO
  Remark:
    • YES: Restricts their access.
    • NO: Allows their access.
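OPTION_LGP (2.2.1), SECURITY_MODE (2.2.3) and PROTECTALL (2.3.1) all influence the same data set access decision. The Python model below is added here to show their combined effect on a few constructed profiles; it illustrates the semantics this chapter describes and is not TACF's own code. The profile and access-level representation (exact data set names, an access list of user or group name to READ/UPDATE/ALTER), the class names and the sample users, groups and data set names are all this example's assumptions, and every user is treated as a general user for PROTECTALL.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed model of how OPTION_LGP, SECURITY_MODE and PROTECTALL interact in a
# data set access check. Illustration only, not TACF's own code; exact-name profile
# matching and the READ < UPDATE < ALTER ordering are assumptions of this example.

LEVELS = ["NONE", "READ", "UPDATE", "ALTER"]

@dataclass
class AuthOptions:
    option_lgp: bool = False        # OPTION_LGP: check every group, not only the default group
    security_mode: str = "NORMAL"   # SECURITY_MODE: NORMAL or WARN
    protectall: bool = False        # SETROPTS PROTECTALL

@dataclass
class User:
    name: str
    default_group: str
    groups: Set[str] = field(default_factory=set)   # all groups the user is connected to

@dataclass
class Profile:
    access: Dict[str, str]          # subject (user or group name) -> granted level

def _allows(granted: str, requested: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(requested)

def _fail(reason: str, opts: AuthOptions) -> Tuple[str, str]:
    # SECURITY_MODE: NORMAL treats the missing permission as a failure, WARN only warns
    return ("WARN" if opts.security_mode == "WARN" else "DENY", reason)

def check_access(user: User, dataset: str, requested: str,
                 profiles: Dict[str, Profile], opts: AuthOptions) -> Tuple[str, str]:
    """Return ('ALLOW' | 'DENY' | 'WARN', reason) for one access request."""
    profile = profiles.get(dataset)
    if profile is None:
        # No profile registered: PROTECTALL decides whether general users are kept out
        if opts.protectall:
            return _fail("no profile registered and PROTECTALL=YES", opts)
        return ("ALLOW", "no profile registered and PROTECTALL=NO")
    subjects = [user.name, user.default_group]
    if opts.option_lgp:
        subjects += sorted(user.groups - {user.default_group})   # OPTION_LGP=YES
    for subject in subjects:
        granted = profile.access.get(subject)
        if granted is not None and _allows(granted, requested):
            return ("ALLOW", f"{requested} granted via {subject}")
    return _fail(f"no entry grants {requested} to {user.name}", opts)

def demo() -> Dict[str, str]:
    """Constructed profiles: USER01's default group is DEVGRP, but PAYGRP holds the READ."""
    profiles = {
        "PROD.PAYROLL": Profile({"PAYGRP": "READ"}),
        "PROD.LEDGER": Profile({"ACCTGRP": "UPDATE", "AUDIT": "READ"}),
    }
    u = User("USER01", default_group="DEVGRP", groups={"DEVGRP", "PAYGRP"})
    base = AuthOptions()
    return {
        "default_group_only": check_access(u, "PROD.PAYROLL", "READ", profiles, base)[0],
        "all_groups": check_access(u, "PROD.PAYROLL", "READ", profiles,
                                   AuthOptions(option_lgp=True))[0],
        "warn_mode": check_access(u, "PROD.LEDGER", "READ", profiles,
                                  AuthOptions(security_mode="WARN"))[0],
        "unregistered": check_access(u, "TEST.SCRATCH", "READ", profiles, base)[0],
        "unregistered_protectall": check_access(u, "TEST.SCRATCH", "READ", profiles,
                                                AuthOptions(protectall=True))[0],
    }
```

`demo()` shows the three options one at a time: with the defaults USER01 is denied PROD.PAYROLL because only the default group DEVGRP is consulted, OPTION_LGP=YES allows it through PAYGRP, SECURITY_MODE=WARN turns the denial on PROD.LEDGER into a warning, and an unregistered data set is open with PROTECTALL=NO but closed with PROTECTALL=YES.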

2.3.2. MIXEDCASE

Option to distinguish uppercase and lowercase letters of user ID and password. All nodes in a multi-node environment must use the same configuration.

  Parameter Type: Y_N
  Default Value: YES
  Range: YES, NO
  Remark:
    • YES: Case-sensitive.
    • NO: Case-insensitive.