
Connect CDC SQData

Security Authorization Quickstart

Version 4.0 Security Authorization Quickstart

© 2001, 2021 SQData. All rights reserved.

Version 4.0 Last Update: 8/24/2021


Contents

Security Authorization Quickstart
Quick Start Approach
Documentation Conventions
z/OS Security Requirements
  APF Authorization
  TCP/IP Ports
  zFS Variable Directories
  z/OS LogStreams
  Started Task Authorizations
  NaCL Key Pair Generation
  Administrative User Authorization
  IMS Authorizations
  Db2 Authorizations
  VSAM Authorizations
UNIX Security Requirements
  Administrative User Authorization
  TCP/IP Ports
  Installation Directories
  Variable Directories
  NaCL Key Pair Generation
  UDB (DB2/LUW) Authorizations
  Oracle Authorizations
  Hadoop HDFS Authorizations
  Kafka Authorizations
Windows Security Requirements
  TCP/IP
  Apply Engines

Security Authorization Quickstart

This document summarizes the security authorizations required to execute the Precisely Connect CDC SQData software on z/OS and other platforms. Please visit Precisely Support at https://www.precisely.com/support for assistance.


Quick Start Approach

The Quickstart approach is intended to be a step by step guide to the installation, configuration, testing and operation of Connect CDC SQData Captures on z/OS and other platforms, as well as the Apply and Replicator Engine components that deliver data to Kafka and HDFS. Each Quickstart includes a "Before You Get Started" section listing prerequisites to specific component configuration and execution that are explained in detail in the various component Reference documents. Often the security and permission related activities are the most time consuming aspect of the effort. This document consolidates the detailed security requirements for each component so that this work can be initiated as early as possible.


Documentation Conventions

The following conventions are used in command and configuration syntax and examples in this document.

Convention: Regular type
Explanation: Items in regular type must be entered literally, using either lowercase or uppercase letters. Items in Bold type are usually "commands" or "Actions". Note that uppercase is often used for z/OS objects for consistency, just as lowercase is often used on other platforms.
Examples: create, CCSID, //SYSOUT *

Convention: < > Angle brackets
Explanation: Items between < and > symbols represent variables. You must substitute an appropriate numeric or text value for the variable.
Example: <sqdata_user>

Convention: | Bar
Explanation: A vertical bar indicates that a choice must be made among items in a list separated by bars.
Example: JSON | AVRO

Convention: [ ] Brackets
Explanation: Brackets indicate that an item is optional. A choice may be made among multiple items contained in brackets.
Examples: [] OR [+ | -]

Convention: -- Double dash
Explanation: Double dashes "--" identify an option keyword. Some keywords may be abbreviated and preceded by a single dash "-". A double dash in some contexts can be used to indicate the start of a single line comment.
Examples: --service= OR -s OR --apply OR -- this is a comment

Convention: … Ellipsis
Explanation: An ellipsis indicates that the preceding argument or group of arguments may be repeated.
Example: [expression…]

Convention: Sequence number
Explanation: A sequence number indicates that a series of arguments or values may be specified. The sequence number itself must never be specified.
Example: field2

Convention: ' ' Single quotes
Explanation: Single quotation marks that appear in the syntax must be specified literally.
Example: IF CODE = 'a'

z/OS Security Requirements

This section summarizes the security authorizations required to execute the Precisely Connect CDC SQData software on z/OS.

APF Authorization

The Connect CDC SQData load library SQDATA.V4nnn.LOADLIB must be APF authorized. Initially, this can be done from the operator's console via the SETPROG APF command. This APF authorization must then be made a permanent part of the IPL APF authorization procedure (the PROGxx PARMLIB member). All Connect CDC SQData agents must have READ access to this library. Because the library is APF authorized, UPDATE access to it should be limited to the installation user ID: anyone who can write to an APF authorized library can introduce code that runs in supervisor state.

TCP/IP Ports

· The Controller Daemon (program SQDAEMON) needs access to the designated port number that it will listen on. The default port number is 2626 but it can be any available port reserved on the platform.
· All Connect CDC SQData capture, publisher, daemon, Engine and Utility tasks require access to the TCP/IP stack.

zFS Variable Directories

The Controller Daemon, Capture, Storage and Publisher agents require a predefined zFS directory structure used to store a small number of files. While only the configuration directory is required and the location of the agent and daemon directories is optional, we recommend the structure described below, where /home and the "user" named sqdata can be modified to conform to the operating environment, with a third level created for the Controller Daemon (see the notes below):

/home/sqdata - The home directory used by Connect CDC SQData.
/home/sqdata/daemon - The working directory used by the Daemon, which also contains two sub-directories.
/home/sqdata/daemon/cfg - A configuration directory that contains two configuration files.
/home/sqdata/daemon/logs - A logs directory, though not required, is suggested to store log files used by the Controller Daemon. Its location must match the locations specified in the Global section of the sqdagents.cfg file created when the Controller Daemon is set up.

Additional directories will be created for each Capture/Publisher. We recommend the structures described below:

/home/sqdata/db2cdc - The working directory for the Db2 Capture and CDCStore Storage agents. The Capture and CDCStore configuration (.cab) files will be maintained in this directory along with small temporary files used to maintain connections to the active agents.

/home/sqdata/db2cdc/data - A data directory is required by the Db2 Capture. Files will be allocated in this directory as needed by the CDCStore Storage Agent when transient data exceeds the allocated in-memory storage. The suggested location must match the "data_path" specified in the Storage agent configuration (.cab file) described in the Capture Reference. A dedicated file system is required in production with this directory as the "mount point".

/home/sqdata/imscdc - The working directory for the IMS Capture and CDCzLOG Publisher agents. The Capture and Publisher configuration (.cab) files will be maintained in this directory along with small temporary files used to maintain connections to the active agents.


/home/sqdata/vsampub or /home/sqdata/kfilepub - The working directory for the VSAM Capture's or Keyed File Capture's CDCzLOG Publisher agent. The Publisher configuration (.cab) file will be maintained in this directory along with small temporary files used to maintain connections to the active agents.

Notes:
1. Consider changing the default settings in the /etc/profile file, or in your .cshrc or .login file.
2. While many zFS file systems are configured with /u as the "home" directory, others use /home, the standard on Linux. References in the Connect CDC SQData JCL and documentation will use /home for consistency. Check with your Systems Programmer regarding zFS on your systems.
3. The User-ID(s) and/or Started Tasks under which the Capture and the Controller Daemon will run must be authorized for Read/Write access to the zFS directories.
4. A traditional "nix" style structure may also be used where "sqdata", the product, would be a sub-directory in the structure "/var/opt/sqdata/", with the daemon and data sub-directory structures inside sqdata.
5. The BPXPRMxx member used for IPLs should be updated to include the mount point(s) for this zFS directory structure.

JCL similar to the sample member ALLOCZDR included in the distribution should be used to allocate the necessary directories. The JCL should be edited to conform to the operating environment.

//ALLOCZDR JOB 1,MSGLEVEL=(1,1),MSGCLASS=H,NOTIFY=&SYSUID
//*
//*------------------------------------------------------------------
//* Allocate zFS Directories for Daemon and CAB Files
//*------------------------------------------------------------------
//* Note: 1) These directories are used by the Controller Daemon,
//*          CDCStore and CDCzLog based capture agents
//*
//*       2) The 1st, 2nd and 3rd level directories can be changed but
//*          we recommend the 2nd Level be a User named sqdata.
//*
//*       3) Leave /daemon and /daemon/cfg as specified
//*
//*       4) Your UserID may need to be defined as SUPERUSER to
//*          successfully run this Job
//*
//*********************************************************************
//*
//*------------------------------------------------------------------
//* Delete Existing Directories
//*------------------------------------------------------------------
//*DELETDIR EXEC PGM=IKJEFT01,REGION=64M,DYNAMNBR=99,COND=(0,LT)
//*SYSEXEC  DD DISP=SHR,DSN=SYS1.SBPXEXEC
//*SYSTSPRT DD SYSOUT=*
//*OSHOUT1  DD SYSOUT=*
//*SYSTSIN  DD *
//*  OSHELL rm -r /home/sqdata
//*/*
//*------------------------------------------------------------------
//* Create New ZFS Directories for Controller Daemon & Captures
//*------------------------------------------------------------------
//CREATDIR EXEC PGM=IKJEFT01,REGION=64M,DYNAMNBR=99,COND=(0,LT)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  PROFILE MSGID WTPMSG
  MKDIR '/home/sqdata/' +
    MODE(7,7,5)
  MKDIR '/home/sqdata/daemon/' +
    MODE(7,7,5)
  MKDIR '/home/sqdata/daemon/cfg' +
    MODE(7,7,5)
  MKDIR '/home/sqdata/daemon/logs' +
    MODE(7,7,5)
  MKDIR '/home/sqdata/db2cdc/' +
    MODE(7,7,5)
  MKDIR '/home/sqdata/db2cdc/data/' +
    MODE(7,7,5)
  MKDIR '/home/sqdata/imscdc/' +
    MODE(7,7,5)
  MKDIR '/home/sqdata/vsampub/' +
    MODE(7,7,5)
  MKDIR '/home/sqdata/kfilepub' +
    MODE(7,7,5)
/*
//

z/OS LogStreams

The IMS Log Capture, and the CDCzLOG Publisher (program SQDZLOGC) used by the IMS Capture agent, the VSAM Log Replicate Capture and the Keyed File Compare Capture, require read/write access to one or more system LogStreams. The following RACF commands can be used to set access to the system LogStreams for the Capture and Publisher agents:

RDEFINE FACILITY MVSADMIN.LOGR UACC(ALTER)
PERMIT MVSADMIN.LOGR CLASS(FACILITY) ACCESS(ALTER) ID(agent_userid)
SETROPTS CLASSACT(FACILITY)

Two points worth checking with your security administrator before running these as shown. UACC(ALTER) gives every user on the system ALTER access to MVSADMIN.LOGR, the profile that controls LogStream definition through IXCMIAPU; a least privilege setup uses UACC(NONE) and an explicit PERMIT for each agent user ID. Also, reading from and writing to an individual LogStream is controlled by a profile for that LogStream name in the LOGSTRM class (READ to read, UPDATE to write), so the agent user IDs need the appropriate LOGSTRM access as well. If the FACILITY class is RACLISTed on your system, follow the PERMIT with SETROPTS RACLIST(FACILITY) REFRESH.

The Capture and Publisher components utilize z/OS system LogStreams for their high performance and high reliability. Both DASD-only and CF-structure based LogStreams are supported. Instructions and sample JCL for defining the LogStreams can be found in the Capture Reference manuals.

Started Task Authorizations

The following sample RACF commands outline the authorization required by the various Connect CDC SQData agents. Modify the names, high-level qualifiers, zFS directories, etc. as required by your environment. Values shown in angle brackets (<group>, <owner>, <contact>, <admin_userid>) are placeholders for your installation's values. Three points to keep in mind when adapting the samples:

· NOPASSWORD NOOIDCARD makes each ID a protected user ID that cannot be used to log on, which is what you want for a started task.
· The OMVS segments below show only PROGRAM and MMAPAREAMAX; each ID also needs a UID and HOME directory in its OMVS segment, otherwise it cannot access the zFS directories described above.
· The started task procedures must be associated with these user IDs through STARTED class profiles (or the ICHRIN03 table), which is not shown here.

Master Controller STC Authorizations – Program SQDAMAST

ADDUSER SQDAMAST DFLTGRP(<group>) OWNER(<owner>)
ALTUSER SQDAMAST NOPASSWORD NOOIDCARD
ALTUSER SQDAMAST NAME('STASK, SQDATA')
ALTUSER SQDAMAST DATA('FOR SQDATA CONTACT: <contact>')
ALTUSER SQDAMAST WORKATTR(WAACCNT('**NOUID**'))
CONNECT SQDAMAST GROUP(<group>) OWNER(<owner>)
PERMIT 'SQDATA.*' ID(SQDAMAST) ACCESS(READ) GEN

Daemon STC Authorizations – Program SQDAEMON

ADDUSER SQDAEMON DFLTGRP(<group>) OWNER(<owner>)
ALTUSER SQDAEMON NOPASSWORD NOOIDCARD
ALTUSER SQDAEMON NAME('STASK, SQDATA')
ALTUSER SQDAEMON DATA('FOR SQDATA CONTACT: <contact>')
ALTUSER SQDAEMON WORKATTR(WAACCNT('**NOUID**'))
CONNECT SQDAEMON GROUP(<group>) OWNER(<owner>)
ALTUSER SQDAEMON OMVS(PROGRAM('/bin/sh'))
PERMIT 'SQDATA.*' ID(SQDAEMON) ACCESS(READ) GEN

Db2 Capture STC Authorizations – Program SQDDB2C

ADDUSER SQDDB2C DFLTGRP(<group>) OWNER(<owner>)
ALTUSER SQDDB2C NOPASSWORD NOOIDCARD
ALTUSER SQDDB2C NAME('STASK, SQDATA')
ALTUSER SQDDB2C DATA('FOR SQDATA CONTACT: <contact>')
ALTUSER SQDDB2C WORKATTR(WAACCNT('**NOUID**'))
CONNECT SQDDB2C GROUP(<group>) OWNER(<owner>)
ALTUSER SQDDB2C OMVS(PROGRAM('/bin/sh'))
ALTUSER SQDDB2C OMVS(MMAPAREAMAX(262144))
PERMIT 'SQDATA.*' ID(SQDDB2C) ACCESS(READ) GEN

IMS Capture, IMS Publisher and VSAM Publisher STC Authorizations – Program SQDZLOGC (three started tasks in total)

ADDUSER SQDZLOGC DFLTGRP(<group>) OWNER(<owner>)
ALTUSER SQDZLOGC NOPASSWORD NOOIDCARD
ALTUSER SQDZLOGC NAME('STASK, SQDATA')
ALTUSER SQDZLOGC DATA('FOR SQDATA CONTACT: <contact>')
ALTUSER SQDZLOGC WORKATTR(WAACCNT('**NOUID**'))
CONNECT SQDZLOGC GROUP(<group>) OWNER(<owner>)
ALTUSER SQDZLOGC OMVS(PROGRAM('/bin/sh'))
PERMIT 'SQDATA.*' ID(SQDZLOGC) ACCESS(READ) GEN

Administrative Userid Authorization

ADDUSER <admin_userid> DFLTGRP(<group>) OWNER(<owner>)
ALTUSER <admin_userid> NOPASSWORD NOOIDCARD
ALTUSER <admin_userid> NAME('STASK, SQDATA')
ALTUSER <admin_userid> DATA('FOR SQDATA CONTACT: <contact>')
ALTUSER <admin_userid> WORKATTR(WAACCNT('**NOUID**'))
CONNECT <admin_userid> GROUP(<group>) OWNER(<owner>)
ALTUSER <admin_userid> OMVS(PROGRAM('/bin/sh'))
ALTUSER <admin_userid> OMVS(MMAPAREAMAX(262144))
PERMIT 'SQDATA.*' ID(<admin_userid>) ACCESS(READ) GEN

SETROPTS GENERIC(DATASET) REFRESH

R/W Access to the SQDATA zFS File System (only if the FSACCESS RACF class is active)

SETROPTS GENERIC(FSACCESS)
RDEFINE FSACCESS SQDATA.** UACC(NONE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDAMAST) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDDB2C) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDZLOGC) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDAEMON) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(<admin_userid>) ACCESS(UPDATE)
SETROPTS RACLIST(FSACCESS) REFRESH


NaCL Key Pair Generation

All Agents must have access to their public/private key files. If the files created below are named with the same high-level qualifier as the other Connect CDC SQData system libraries, they are covered by the 'SQDATA.*' data set profile in the RACF sample above. Keep in mind that this profile gives every agent user ID READ access; if different user IDs are meant to hold distinct private keys, allocate each private key under that user's own high-level qualifier (the &USER..NACL.PRIVATE data set in the JCL below) and do not grant the other IDs access to it.

The Controller Daemon uses a Public / Private key mechanism to ensure component communications are valid and secure. A key pair must be created for the SQDaemon job System User-ID and the User-IDs of all the Agent jobs that interact with the Controller Daemon. On z/OS, by default, the private key is stored in SQDATA.NACL.PRIVATE and the public key in SQDATA.NACL.PUBLIC. These two files will be used by the Daemon in association with a sequential file containing a concatenated list of the Public Keys of all the Agents allowed to interact with the Controller Daemon. The Authorized Keys file must contain, at a minimum, the public key of the SQDaemon job System User-ID and is usually created with a first node matching the user name running the SQDaemon job, in our example SQDATA.NACL.AUTH.KEYS. The file must also include the Public Keys of Engines running on z/OS or other platforms. The Authorized Keys file is usually maintained by an administrator using ISPF.

JCL similar to sample member NACLKEYS included in the distribution executes the SQDutil utility program using the keygen command and should be used to generate the necessary keys and create the Authorized Key List file. The JCL should be edited to conform to the operating environment and the job must be run under the user-id that will be used when the Controller Daemon job is run.

//NACLKEYS JOB 1,MSGLEVEL=(1,1),MSGCLASS=H,NOTIFY=&SYSUID
//*
//*------------------------------------------------------------------
//* Generate NACL Public/Private Keys and optionally AKL file
//*------------------------------------------------------------------
//* Required DDNAME:
//*   SQDPUBL DD - File that will contain the generated Public Key
//*   SQDPKEY DD - File that will contain the generated private Key
//*                ** This file and its contents are not to be shared
//*
//* Required parameters:
//*   PARM - keygen *** In lower case ***
//*   USER - The system USERID or high level qualifier of the
//*          SQDATA libraries IF all Jobs will share Private Key.
//*
//* Notes:
//*   1) This Job generates a new Public/Private Key pair, saves
//*      them to their respective files and adds the Public Key
//*      to an existing Authorized Key List, allocating a new
//*      file for that purpose if necessary.
//*
//*   2) An optional first step deletes the current set of files
//*
//*   3) Change the SET parms below for:
//*      HLQ  - high level qualifier of the CDC Libraries
//*      VER  - the 2nd level qualifier of the CDC OBJLIB & LOADLIB
//*      USER - the High Level Qualifier of the NACL Datasets
//*------------------------------------------------------------------
//*
//         SET HLQ=SQDATA
//         SET VER=V400
//         SET USER=&SYSUID
//*
//JOBLIB   DD DISP=SHR,DSN=&HLQ..&VER..LOADLIB
//*
//*------------------------------------------------------------------
//* Optional: Delete Old Instance of the NACL Files
//*------------------------------------------------------------------
//*DELOLD   EXEC PGM=IEFBR14
//*SYSPRINT DD SYSOUT=*
//*OLDPUB   DD DISP=(OLD,DELETE,DELETE),DSN=&USER..NACL.PUBLIC
//*OLDPVT   DD DISP=(OLD,DELETE,DELETE),DSN=&USER..NACL.PRIVATE
//*OLDAUTH  DD DISP=(OLD,DELETE,DELETE),DSN=SQDATA.NACL.AUTH.KEYS
//*------------------------------------------------------------------
//* Allocate Public/Private Key Files and Generate Public/Private Keys
//*------------------------------------------------------------------
//SQDUTIL  EXEC PGM=SQDUTIL
//SQDPUBL  DD DSN=&USER..NACL.PUBLIC,
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=21200),
//            DISP=(,CATLG,DELETE),UNIT=SYSDA,
//            SPACE=(TRK,(1,1))
//SQDPKEY  DD DSN=&USER..NACL.PRIVATE,
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=21200),
//            DISP=(,CATLG,DELETE),UNIT=SYSDA,
//            SPACE=(TRK,(1,1))
//SQDPARMS DD *
keygen
//SYSPRINT DD SYSOUT=*
//SYSOUT   DD SYSOUT=*
//SQDLOG   DD SYSOUT=*
//*SQDLOG8 DD DUMMY
//*------------------------------------------------------------------
//* Allocate the Authorized Key List File --> Used only by the Daemon
//*------------------------------------------------------------------
//COPYPUB  EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN    DD DUMMY
//SYSUT1   DD DISP=SHR,DSN=&USER..NACL.PUBLIC
//SYSUT2   DD DSN=SQDATA.NACL.AUTH.KEYS,
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=21200),
//            DISP=(MOD,CATLG),UNIT=SYSDA,SPACE=(TRK,(5,5))

Notes:
1. Since the Daemon, the Capture Agents and z/OS Apply Engines may be running in the same LPAR/system, they frequently run under the same System User-ID, in which case they would share the same public/private key pair.
2. Changes are not known to the Daemon until the configuration files are reloaded, using the SQDmon Utility, or the sqdaemon process is stopped and started.

Administrative User Authorization

The Administrative User of Connect CDC SQData requires the following RACF specifications. The sample is derived from the started task template: NOPASSWORD NOOIDCARD makes the ID a protected user ID that cannot log on, so if this user must log on to TSO/ISPF (for example to maintain the Authorized Keys file), omit those two operands and assign a password or passphrase instead.

ADDUSER admuser DFLTGRP(STCAUTH) OWNER(<owner>)
ALTUSER admuser NOPASSWORD NOOIDCARD
ALTUSER admuser NAME('STASK, SQDATA')
ALTUSER admuser DATA('FOR SQDATA CONTACT:JOHN SMITH')
ALTUSER admuser WORKATTR(WAACCNT('**NOUID**'))
CONNECT admuser GROUP(STCAUTH) OWNER(<owner>)
ALTUSER admuser OMVS(PROGRAM('/bin/sh'))
ALTUSER admuser OMVS(MMAPAREAMAX(262144))
PERMIT 'SQDATA.*' ID(admuser) ACCESS(READ) GEN
SETROPTS GENERIC(DATASET) REFRESH


SETROPTS GENERIC(FSACCESS)
RDEFINE FSACCESS SQDATA.** UACC(NONE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(<user_or_group_id>) ACCESS(UPDATE)
SETROPTS CLASSACT(FSACCESS)
SETROPTS RACLIST(FSACCESS)
SETROPTS RACLIST(FSACCESS) REFRESH

RDEFINE FACILITY MVSADMIN.LOGR UACC(ALTER)
PERMIT MVSADMIN.LOGR CLASS(FACILITY) ACCESS(ALTER) ID(<your_userid>)
SETROPTS CLASSACT(FACILITY)

IMS Authorizations

The IMS Log Capture requires the following permissions:
· The IMS Log Capture (program SQDIMSC) needs READ access to the IMS OLDS and SLDS data sets.
· The IMS Log Capture also requires READ access to the IMS RESLIB and IMS RECON data sets.

Db2 Authorizations

The Db2 Log Reader Capture requires special user privileges and preparation to access and read the Db2 Recovery Logs using Db2 Instrumentation Facility Interface (IFI) calls. Version 4 of Connect CDC SQData also requires some system tables to be captured to support Schema Evolution. The following GRANTs are required:

1. GRANT MONITOR2 TO <sqdata_user>;
2. GRANT EXECUTE ON PLAN SQDV4000 TO <sqdata_user>;
3. GRANT SELECT ON SYSIBM.SYSTABLES TO <sqdata_user>;
4. GRANT SELECT ON SYSIBM.SYSCOLUMNS TO <sqdata_user>;
5. GRANT SELECT ON SYSIBM.SYSINDEXES TO <sqdata_user>;
6. GRANT SELECT ON SYSIBM.SYSKEYS TO <sqdata_user>;
7. GRANT SELECT ON SYSIBM.SYSTABLESPACE TO <sqdata_user>;

MONITOR2 is what allows the IFI READS calls for log records; it also exposes trace data for every table in the subsystem regardless of table privileges, so grant it only to the capture user ID.

Db2 REORG and LOAD procedures may need to be updated:
· The KEEPDICTIONARY=YES parameter must be used by all Db2 REORG and LOAD utilities. If the CDC process is run asynchronously, for some reason gets behind, or is configured to recapture older logs, the proper compression dictionary must still be available to decompress the log records.

Schema Evolution requires DATA CAPTURE CHANGES on two catalog tables:
1. SYSIBM.SYSTABLES
2. SYSIBM.SYSCOLUMNS

Notes:
· A common database request module (DBRM) SQDDDB2D ships as part of the product distribution and a bind must be performed on the SQDV4000 package and plan. Use the BINDSQD member in the CNTL library to bind the package and plan to Db2.
· Each Db2 table to be captured also requires:

ALTER TABLE <table_name> DATA CAPTURE CHANGES;


VSAM Authorizations There are no additional security requirements specifically related to the VSAM Log Replicate Capture.


UNIX Security Requirements

This section summarizes the security authorizations required to execute the Precisely Connect CDC SQData software on AIX and Linux.

Administrative User Authorization

The level of privileges required by the Connect CDC SQData Administrative User depends on the location chosen for the base product installation. Most Connect CDC SQData for UNIX customers utilize a special system account established for sqdata_user rather than an individual user account, because it usually needs elevated privileges designated for configuring and executing the capture and apply processes. If necessary, have the system administrator create that account.

TCP/IP Ports

· The Daemon (program sqdaemon) needs access to the designated port number that it will listen on. The default port number is 2626 but it can be any available port reserved on the platform.
· All Connect CDC SQData capture, publisher, daemon, Engine and Utility tasks require access to the TCP/IP stack.

Installation Directories

On UNIX based machines, executables are typically installed in /opt under a folder named for the product. /opt is usually owned by root, so administrator privileges are required to create the sqdata folder and decompress the package into this location. To allow multiple users to access the package without giving access to everyone, the system administrator can define an sqdata group and grant permissions on the package to the group:

$ mkdir -m 775 /opt/sqdata

Alternatively, the product can be installed into the system account user's home directory, e.g. /home/sqdata/sqdata. No other special privileges are required, and the system account user can grant permissions on its own directories and files to a group of individual users and/or everyone else without administrator privileges:

$ mkdir -m 775 /home/sqdata_user/sqdata

Variable Directories

Once source and target systems and datastores have been identified, the configuration of the Capture Agents, Apply Engines and their Controller Daemons can begin. That will require the creation of directories and files for the variable portions of the configuration. At this point we assume the base Connect CDC SQData product has already been installed according to the instructions in the Installation Guide and the operating system specific $Start_Here_.pdf. The recommended locations for this static data were:

/opt/sqdata or
/home/<user>/sqdata

If you would like to use an Environment Variable to reference the installation location, the recommended value is:

Controller Daemons, Capture Agents and Engines require the creation of directories and files for the variable portions of their configurations. Just as the location of the base product installation can be modified, the location of the variable directories can be adjusted to conform to the environment and to accommodate areas of responsibility, including the associated "application" and optionally Testing or Production environments. This document will refer to the location most commonly used on Linux, AIX and Windows:

/var/opt/sqdata[/<application>[/<environment>]] or
/home/<user>[/<application>[/<environment>]] or simply
/home/sqdata[/<application>[/<environment>]]

If you would like to use an Environment Variable to reference the location of the variable portions of the configuration, the recommended value is:

While only the base variable directory is required and the location of the daemon directory is optional, we recommend the structure described below, where <var_dir> is the variable directory chosen above:

<var_dir>/daemon - The working directory used by the Daemon, which also contains two sub-directories.

<var_dir>/daemon/cfg - A configuration directory that contains two configuration files.

<var_dir>/daemon/logs - A logs directory, though not required, is suggested to store log files used by the Controller Daemon. Its location must match the file locations specified in the Global section of the sqdagents.cfg file created when the Controller Daemon is set up.

If this system will include a Change Data Capture agent, we recommend the structure described below:

<var_dir>/cdc - The working directory of the capture agent.

<var_dir>/cdc/data - A data directory is required by the Capture agents. Files will be allocated in this directory as needed by the CDCStore Storage Agent when transient data exceeds the allocated in-memory storage. The suggested location must match the "data_path" specified in the Storage agent configuration (.cab file) described in the Capture Reference. A dedicated file system is required in production with this directory as the "mount point".

Note, the User-ID(s) under which the CDCStore capture and the Controller Daemon will run must be authorized for Read/Write access to these directories. The following commands will create the directories described above. Mode 775 leaves them readable by every local user; use 770 if other users on the host should not be able to read the configuration, log and data files. On AIX, whose mkdir does not accept --mode, use -m 775 instead.

$ mkdir -p --mode=775 <var_dir>/daemon
$ mkdir -p --mode=775 <var_dir>/daemon/cfg
$ mkdir -p --mode=775 <var_dir>/daemon/logs
$ mkdir -p --mode=775 <var_dir>/cdc
$ mkdir -p --mode=775 <var_dir>/cdc/data

NaCL Key Pair Generation

The Controller Daemon uses a Public / Private key mechanism to ensure component communications are valid and secure. A key pair must be created for the sqdaemon process User-ID and the User-IDs of all the Agent jobs that interact with the Controller Daemon. On UNIX, by default, the private key is stored in ~/.nacl/id_nacl and the public key in ~/.nacl/id_nacl.pub. These two files will be used by the daemon in association with a sequential file containing a concatenated list of the Public Keys of all the Agents allowed to interact with the Controller Daemon. The Authorized Keys file must contain, at a minimum, the public key of the sqdaemon process User-ID and is usually named nacl_auth_keys and placed in the <var_dir>/daemon directory. The file must also include the Public Keys of Engines, running on the same or another platform, that connect to the Controller Daemon. The Authorized Keys file is usually maintained by a Systems Administrator.

The sqdutil utility program with the keygen command is used to generate the necessary keys. The command must be run under the User-ID that will be used to run the Controller Daemon process:

$ sqdutil keygen

Only the .pub file is ever copied into nacl_auth_keys. The private key file should be readable only by its owner (mode 600, with ~/.nacl itself mode 700): anyone who can read it can present themselves to the Controller Daemon as that agent.
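As an added example (not part of the Quickstart and not Precisely's code), the following Python script checks the UNIX layout described in the Variable Directories and NaCL Key Pair Generation sections before the Controller Daemon is started: that the recommended directories exist and are not world-writable, that the private key ~/.nacl/id_nacl is readable only by its owner, and that nacl_auth_keys lists the daemon's own public key and contains no duplicate entries. The directory names, the mode thresholds and the placeholder key strings are assumptions chosen for the demonstration; it builds a throw-away tree under a temporary directory rather than reading a real installation, and the key strings it writes are constructed placeholders, not NaCL key material.

```python
import os
import stat
import tempfile

# Directories this section recommends under the variable directory (<var_dir>).
REQUIRED_DIRS = ("daemon", "daemon/cfg", "daemon/logs", "cdc", "cdc/data")


def read_keys(path):
    """Return the non-empty lines of a key file (one public key per line)."""
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]


def audit_var_dir(var_dir):
    """Findings for the daemon and capture working directories."""
    findings = []
    for rel in REQUIRED_DIRS:
        path = os.path.join(var_dir, rel)
        if not os.path.isdir(path):
            findings.append(f"missing directory: {path}")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        # 775 is what the Quickstart recommends; world-writable is never acceptable here.
        if mode & stat.S_IWOTH:
            findings.append(f"world-writable directory: {path} (mode {mode:o})")
        if not os.access(path, os.W_OK):
            findings.append(f"not writable by the current user: {path}")
    return findings


def audit_nacl_keys(home, var_dir):
    """Findings for the NaCL key files and the daemon's authorized key list."""
    findings = []
    priv = os.path.join(home, ".nacl", "id_nacl")
    pub = os.path.join(home, ".nacl", "id_nacl.pub")
    auth = os.path.join(var_dir, "daemon", "nacl_auth_keys")
    for path in (priv, pub, auth):
        if not os.path.isfile(path):
            findings.append(f"missing file: {path}")
    if os.path.isfile(priv):
        mode = stat.S_IMODE(os.stat(priv).st_mode)
        # Anyone who can read the private key can impersonate this agent to the daemon.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"private key accessible to group/others: {priv} (mode {mode:o})")
    if os.path.isfile(pub) and os.path.isfile(auth):
        own = read_keys(pub)
        authorized = read_keys(auth)
        if not own or own[0] not in authorized:
            findings.append("daemon's own public key is not listed in nacl_auth_keys")
        for key in sorted({k for k in authorized if authorized.count(k) > 1}):
            findings.append(f"duplicate entry in nacl_auth_keys: {key}")
    return findings


def run_audit(home, var_dir):
    """All findings for one installation; an empty list means the layout passed."""
    return audit_var_dir(var_dir) + audit_nacl_keys(home, var_dir)


def build_sample_layout(root, hardened=True):
    """Construct a throw-away layout under root with constructed placeholder keys.
    hardened=False plants the mistakes the audit is meant to catch."""
    home = os.path.join(root, "home", "sqdata")
    var_dir = os.path.join(root, "var", "opt", "sqdata")
    for rel in REQUIRED_DIRS:
        os.makedirs(os.path.join(var_dir, rel), mode=0o775, exist_ok=True)
    nacl = os.path.join(home, ".nacl")
    os.makedirs(nacl, mode=0o700, exist_ok=True)
    daemon_pub = "constructed-daemon-public-key-AAAA"
    engine_pub = "constructed-engine-public-key-BBBB"
    with open(os.path.join(nacl, "id_nacl"), "w", encoding="utf-8") as fh:
        fh.write("constructed-daemon-private-key\n")
    with open(os.path.join(nacl, "id_nacl.pub"), "w", encoding="utf-8") as fh:
        fh.write(daemon_pub + "\n")
    first = daemon_pub if hardened else engine_pub  # weak: daemon key forgotten, engine key twice
    with open(os.path.join(var_dir, "daemon", "nacl_auth_keys"), "w", encoding="utf-8") as fh:
        fh.write(first + "\n" + engine_pub + "\n")
    os.chmod(os.path.join(nacl, "id_nacl"), 0o600 if hardened else 0o644)
    if not hardened:
        os.chmod(os.path.join(var_dir, "cdc", "data"), 0o777)
    return home, var_dir


def demo(hardened=True):
    """Build a sample layout in a temporary directory, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        return run_audit(*build_sample_layout(root, hardened))


if __name__ == "__main__":
    print("hardened layout:", demo(True) or "no findings")
    for finding in demo(False):
        print("weak layout:", finding)
```

To run it against a real installation call run_audit with the daemon user's home directory and the chosen <var_dir>; the checks are deliberately file-system only, so the script needs no access to the daemon or to the key contents.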

Notes:
1. If the Daemon, Capture Agent and Apply Engine are running on the same system, they may optionally run under the same User-ID, in which case they would share the same public/private key pair.
2. Changes are not known to the Daemon until the configuration files are reloaded, using the SQDmon Utility, or the sqdaemon process is stopped and started.

UDB (Db2/LUW) Authorizations

The Db2/LUW (UDB) Log Reader Capture requires special user privileges and preparation to access and read the Db2 Recovery Logs through the Db2/LUW log reader interface. Version 4 of Connect CDC SQData also requires some system tables to be captured to support Schema Evolution. The following GRANTs are required:

· GRANT DBADM ON DATABASE TO <sqdata_user>;
· GRANT EXECUTE ON PACKAGE sqdddb2d TO <sqdata_user>;
· GRANT SELECT ON SYSIBM.SYSTABLES TO <sqdata_user>;
· GRANT SELECT ON SYSIBM.SYSCOLUMNS TO <sqdata_user>;
· GRANT SELECT ON SYSIBM.SYSDATAPARTITIONS TO <sqdata_user>;

DBADM is a broad authority that includes read and write access to every table in the database, so the capture user ID should be dedicated to the capture and not shared with interactive users.

Db2 REORG and LOAD procedures may need to be updated:
· The KEEPDICTIONARY=YES parameter must be used by all Db2 REORG and LOAD utilities. If the CDC process is run asynchronously, for some reason gets behind, or is configured to recapture older logs, the proper compression dictionary must still be available to decompress the log records.

Schema Evolution requires DATA CAPTURE CHANGES on two catalog tables:
1. SYSIBM.SYSTABLES
2. SYSIBM.SYSCOLUMNS

Notes:
· A common bind file sqdddb2d.bnd ships as part of the product distribution and a bind must be performed on the package, from the db2 command line processor after connecting to the database:

bind <install_dir>/bnd/sqdddb2d.bnd grant public

The GRANT PUBLIC option gives every user EXECUTE on the package; if that is not acceptable at your site, grant to the capture user instead (grant <sqdata_user>) together with the explicit EXECUTE grant listed above.

· Each Db2/LUW (UDB) table to be captured also requires:

ALTER TABLE <table_name> DATA CAPTURE CHANGES;


Oracle Authorizations

The Oracle LogMiner Capture requires special user privileges and preparation to access and read the Oracle Recovery Logs using the Oracle LogMiner API.

Enable LogMiner functionality:
· ALTER DATABASE ADD SUPPLEMENTAL LOG DATA; provides the minimal level of database metadata required by Oracle LogMiner.

The following GRANTs are required:
1. GRANT LOGMINING TO <sqdata_user>; (only required for Oracle 12 and above)
2. EXECUTE authority:
   a. GRANT EXECUTE_CATALOG_ROLE TO <sqdata_user>;
   b. GRANT EXECUTE ON DBMS_LOGMNR TO <sqdata_user>;
   c. GRANT EXECUTE ON DBMS_LOGMNR_D TO <sqdata_user>;
3. SELECT authority:
   a. GRANT SELECT ON V$LOGFILE TO <sqdata_user>;
   b. GRANT SELECT ON V$ARCHIVED_LOG TO <sqdata_user>;
   c. GRANT SELECT ON V$LOG TO <sqdata_user>;
   d. GRANT SELECT ON V$DATABASE TO <sqdata_user>;
   e. GRANT SELECT ON V$LOG_HISTORY TO <sqdata_user>;
   f. GRANT SELECT ON V$LOGMNR_CONTENTS TO <sqdata_user>;
   g. GRANT SELECT ON V$INSTANCE TO <sqdata_user>;
   h. GRANT SELECT ON V$THREAD TO <sqdata_user>;
   i. GRANT SELECT ANY TRANSACTION TO <sqdata_user>; (authority to query the Oracle FLASHBACK_TRANSACTION_QUERY view)
   j. GRANT SELECT ON SYS.SMON_SCN_TIME TO <sqdata_user>; (9i only; needed to run SELECT MAX(SCN_BAS) FROM SYS.SMON_SCN_TIME)

The V$ names are public synonyms for the SYS.V_$ fixed views; if a GRANT ON V$... fails with ORA-02030, grant on the underlying view instead (for example GRANT SELECT ON V_$LOGFILE TO <sqdata_user>;).

Notes:
· The LogMiner Capture requires Oracle client access (the same requirements as sqlplus).
· Each Oracle table to be captured also requires:

ALTER TABLE <table_name> ADD SUPPLEMENTAL LOG DATA (ALL) COLUMNS;

Hadoop HDFS Authorizations

In addition to the installation of the libhdfs library, writing to Hadoop HDFS requires the following permissions:
· Read access to libhdfs.so
· The user ID running the Engine must be the owner of the target path, be otherwise authorized, or be in an HDFS group with read/write privileges on it
· The CLASSPATH may need to be set from the output of hadoop classpath --glob so that libhdfs can locate the Hadoop jars


Kafka Authorizations

In addition to the installation of the librdkafka library, writing to Kafka requires the following permissions:
· Read access to the librdkafka libraries
· Port access [plaintext, SASL, ZooKeeper if desired]
· Plaintext security: no changes needed
· SASL/Kerberos: follow the details in the librdkafka documentation for producer configuration, client keys, etc.

"No changes needed" for plaintext means exactly that: the change data and any credentials cross the network unencrypted and the broker does not authenticate the producer, so it is only appropriate on an isolated network. On a broker with ACLs enabled, the producer's principal also needs WRITE on each target topic (and DESCRIBE, plus CREATE on the cluster or topic if topics are created automatically).
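Producer settings for the two cases above, as an added example (not from the Quickstart and not Precisely's code): a plaintext producer next to a SASL/Kerberos (GSSAPI over TLS) producer, with a small check that flags the settings a reviewer would reject. The property names are librdkafka's; the broker host, principal, keytab and CA paths are constructed placeholders, and the check only inspects the dictionary, it never connects to a broker. Where Connect CDC SQData reads these properties from is not covered here; the check is about the values, not where they live.

```python
# Minimal lint for librdkafka producer settings used by an Engine writing to Kafka.
# The two configurations are constructed; only the property names are real.

PLAINTEXT_PRODUCER = {
    "bootstrap.servers": "kafka1.example.internal:9092",
    "security.protocol": "plaintext",
}

KERBEROS_PRODUCER = {
    "bootstrap.servers": "kafka1.example.internal:9093",
    "security.protocol": "sasl_ssl",
    "sasl.mechanisms": "GSSAPI",
    "sasl.kerberos.service.name": "kafka",
    "sasl.kerberos.principal": "sqdata/apply01.example.internal@EXAMPLE.INTERNAL",
    "sasl.kerberos.keytab": "/etc/security/keytabs/sqdata.keytab",
    "ssl.ca.location": "/etc/pki/tls/certs/internal-ca.pem",
}

SASL_PASSWORD_MECHS = ("PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512")


def lint_producer_config(conf):
    """Return a list of problems; an empty list means the settings are acceptable."""
    problems = []
    proto = str(conf.get("security.protocol", "plaintext")).lower()

    if proto == "plaintext":
        problems.append("security.protocol=plaintext: no encryption and no client authentication")
    elif proto == "sasl_plaintext":
        problems.append("security.protocol=sasl_plaintext: credentials and data sent unencrypted")
    elif proto not in ("ssl", "sasl_ssl"):
        problems.append(f"unknown security.protocol: {proto}")

    if proto in ("ssl", "sasl_ssl"):
        # Pin the broker CA explicitly rather than relying on whatever the host trusts.
        if not conf.get("ssl.ca.location"):
            problems.append("ssl.ca.location not set: broker certificate validated against the system store only")
        if str(conf.get("enable.ssl.certificate.verification", "true")).lower() == "false":
            problems.append("enable.ssl.certificate.verification=false: TLS without certificate verification")
        if str(conf.get("ssl.endpoint.identification.algorithm", "https")).lower() == "none":
            problems.append("ssl.endpoint.identification.algorithm=none: broker hostname not checked")

    if proto.startswith("sasl"):
        mech = str(conf.get("sasl.mechanisms", conf.get("sasl.mechanism", "GSSAPI"))).upper()
        if mech == "GSSAPI":
            # librdkafka runs kinit with these two values; without them there is no ticket.
            for key in ("sasl.kerberos.principal", "sasl.kerberos.keytab"):
                if not conf.get(key):
                    problems.append(f"{key} missing for GSSAPI")
        elif mech in SASL_PASSWORD_MECHS:
            for key in ("sasl.username", "sasl.password"):
                if not conf.get(key):
                    problems.append(f"{key} missing for {mech}")
            if mech == "PLAIN" and proto != "sasl_ssl":
                problems.append("SASL PLAIN without TLS sends the password in clear")
        else:
            problems.append(f"unrecognized sasl.mechanisms: {mech}")
    return problems


if __name__ == "__main__":
    for name, conf in (("plaintext", PLAINTEXT_PRODUCER), ("kerberos", KERBEROS_PRODUCER)):
        print(name, lint_producer_config(conf) or "ok")
```

The keytab path in KERBEROS_PRODUCER is read by librdkafka's kinit command, so the file must be readable by the Engine's user ID and by nobody else, which is the same rule as for the NaCL private key above.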


Windows Security Requirements

This section summarizes the security authorizations required to execute the Precisely Connect CDC SQData software on Windows.

TCP/IP

· The Daemon (sqdaemon) needs access to the designated port number that it will be listening on.

Apply Engines

The Apply Engine program "sqd" must have the following permissions:
· Read (or, where required, Read/Write) access to the software installation executables.
· Read/Write access to the data directories and files for the daemon and the apply engine scripts.
· Read/Update access to the target datastores (i.e. tables, Kafka topics, HDFS files, etc.).


Precisely, 2 Blue Hill Plaza, Pearl River, NY 10965 USA, precisely.com