Connect CDC SQData
Security Authorization Quickstart
Version 4.0 Security Authorization Quickstart
© 2001, 2021 SQData. All rights reserved.
Version 4.0 Last Update: 8/24/2021
Contents

Security Authorization Quickstart
  Quick Start Approach
  Documentation Conventions
zOS Security Requirements
  APF Authorization
  TCP/IP Ports
  ZFS Variable Directories
  z/OS LogStreams
  Started Task Authorizations
  NaCL Key Pair Generation
  Administrative User Authorization
  IMS Authorizations
  Db2 Authorizations
  VSAM Authorizations
UNIX Security Requirements
  Administrative User Authorization
  TCP/IP Ports
  Installation Directories
  Variable Directories
  NaCL Key Pair Generation
  UDB (DB2/LUW) Authorizations
  Oracle Authorizations
  Hadoop HDFS Authorizations
  Kafka Authorizations
Windows Security Requirements
  TCP/IP
  Apply Engines

Security Authorization Quickstart
This document summarizes the security authorizations required to execute the Precisely Connect CDC SQData software on z/OS and Linux. Please visit Precisely https://www.precisely.com/support for assistance.
Quick Start Approach
The Quickstart approach is intended to be a step-by-step guide to the installation, configuration, testing and operation of Connect CDC SQData Captures on zOS and other platforms, as well as the Apply and Replicator Engine components that write to Kafka and HDFS. Each Quickstart includes a "Before You Get Started" section that lists the prerequisites for the specific component's configuration and execution; these are explained in detail in the various component Reference documents. Often the wait time for the various security and permission related activities is the most time-consuming aspect of the effort. This document consolidates the detailed security requirements for each component so that the authorization work can be initiated as early as possible.
Documentation Conventions
The following conventions are used in command and configuration syntax and examples in this document.
Convention: Regular type
Explanation: Items in regular type must be entered literally using either lowercase or uppercase letters. Items in Bold type are usually "commands" or "Actions". Note, uppercase is often used in "z/OS" objects for consistency just as lowercase is often used on other platforms.
Example: create, CCSID, /directory, //SYSOUT DD *

Convention: | Bar
Explanation: A vertical bar indicates that a choice must be made among items in a list separated by bars.
Example: 'yes' | 'no', JSON | AVRO

Convention: [ ] Brackets
Explanation: Brackets indicate that an item is optional. A choice may be made among multiple items contained in brackets.
Example: [alias] OR [+ | -]

Convention: -- Double dash
Explanation: Double dashes "--" identify an option keyword. Some
Example: --service=

Convention: … Ellipsis
Explanation: An ellipsis indicates that the preceding argument or group of arguments may be repeated.
Example: [expression…]

Convention: Sequence number
Explanation: A sequence number indicates that a series of arguments or values may be specified. The sequence number itself must never be specified.
Example: field2

Convention: ' ' Single quotes
Explanation: Single quotation marks that appear in the syntax must be specified literally.
Example: IF CODE = 'a'
zOS Security Requirements
This section summarizes the security authorizations required to execute the Precisely Connect CDC SQData software on z/OS.

APF Authorization
The Connect CDC SQData load library SQDATA.V4nnn.LOADLIB must be APF authorized. Initially, this can be done from the operator's console via the SETPROG APF command. This APF authorization must then be made a permanent part of the IPL APF authorization procedure. All Connect CDC SQData agents must have read access to this library.

TCP/IP Ports
· The Daemon (program SQDAEMON) needs access to the designated port number that it will listen on. The default port number is 2626 but it can be any available port reserved on the platform.
· All Connect CDC SQData capture, publisher, daemon, Engine and Utility tasks require access to the TCP/IP Stack.

ZFS Variable Directories
The Controller Daemon, Capture, Storage and Publisher agents require a predefined zFS directory structure used to store a small number of files. While only the configuration directory is required and the location of the agent and daemon directories is optional, we recommend the structure described below, where
Additional directories will be created for each Capture/Publisher. We recommend the structures described below:
MKDIR '/home/sqdata/' MODE(7,7,5)
MKDIR '/home/sqdata/daemon/' MODE(7,7,5)
MKDIR '/home/sqdata/daemon/cfg' MODE(7,7,5)
MKDIR '/home/sqdata/daemon/logs' MODE(7,7,5)
MKDIR '/home/sqdata/db2cdc/' MODE(7,7,5)
MKDIR '/home/sqdata/db2cdc/data/' MODE(7,7,5)
MKDIR '/home/sqdata/imscdc/' MODE(7,7,5)
MKDIR '/home/sqdata/vsampub/' MODE(7,7,5)
MKDIR '/home/sqdata/kfilepub' MODE(7,7,5)

z/OS LogStreams
The IMS Log Capture, and the zLogc Publisher used by the IMS Capture agent, VSAM Log Replicate and Keyed File Compare Capture, require read/write access to one or more system LogStreams. The following RACF commands can be used to grant the Capture and Publisher agents access to the system LogStreams:
PERMIT MVSADMIN.LOGR CLASS(FACILITY) ACCESS(ALTER) ID(agent_userid)
RDEFINE FACILITY MVSADMIN.LOGR UACC(ALTER)
SETROPTS CLASSACT(FACILITY)
The Capture and Publisher components utilize z/OS system LogStreams for their high performance and high reliability. Both DASD-only and CF-structure based LogStreams are supported. Instructions and sample JCL for defining the LogStreams can be found in the Capture Reference manuals.

Started Task Authorizations
The following sample RACF commands outline the authorization required by the various Connect CDC SQData agents. Modify the names, high-level qualifiers, zFS directories, etc. as required by your environment.

SQ Master Controller STC Authorizations – Program SQDAMAST
ADDUSER SQDAMAST DFLTGRP(

Daemon STC Authorizations – Program SQDAEMON
ADDUSER SQDAEMON DFLTGRP(
ALTUSER SQDAEMON NOPASSWORD NOOIDCARD
ALTUSER SQDAEMON NAME('STASK, SQDATA')
ALTUSER SQDAEMON DATA('FOR SQDATA CONTACT:

Db2 Capture STC Authorizations – Program SQDDB2C
ADDUSER SQDDB2C DFLTGRP(

IMS Capture, IMS Publisher and VSAM Publisher STC Authorizations – Three (3) Total
ADDUSER SQDZLOGC DFLTGRP(

Administrative Userid Authorization
ADDUSER

SETROPTS GENERIC(DATASET) REFRESH

R/W Access to the SQDATA ZFS File System (only if the FSACCESS RACF class is active)
SETROPTS GENERIC(FSACCESS)
RDEFINE FSACCESS SQDATA.** UACC(NONE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDAMAST) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDDB2C) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDZLOGC) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDAEMON) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(
NaCL Key Pair Generation
All agents must have access to the public/private key files. If the files created below are named with the same high-level qualifiers as the other Connect CDC SQData SQD system libraries, they will be in sync with the RACF sample above and you should be good to go!

The Controller Daemon uses a public/private key mechanism to ensure component communications are valid and secure. A key pair must be created for the SQDaemon job System User-ID and the User-IDs of all the Agent jobs that interact with the Controller Daemon. On z/OS, by default, the private key is stored in SQDATA.NACL.PRIVATE and the public key in SQDATA.NACL.PUBLIC. These two files are used by the Daemon in association with a sequential file containing a concatenated list of the public keys of all the Agents allowed to interact with the Controller Daemon. The Authorized Keys file must contain, at a minimum, the public key of the SQDaemon job System User-ID and is usually created with a first node matching the user name running the SQDaemon job, in our example SQDATA.NACL.AUTH.KEYS. The file must also include the public keys of Engines running on zOS or other platforms. The Authorized Keys file is usually maintained by an administrator using ISPF.

JCL similar to sample member NACLKEYS included in the distribution executes the SQDutil utility program with the keygen command and should be used to generate the necessary keys and create the Authorized Key List file. The JCL should be edited to conform to the operating environment, and the job must be run under the user-id that will be used when the Controller Daemon job is run.
//NACLKEYS JOB 1,MSGLEVEL=(1,1),MSGCLASS=H,NOTIFY=&SYSUID
//*
//*------
//* Generate NACL Public/Private Keys and optionally AKL file
//*------
//* Required DDNAME:
//* SQDPUBL DD - File that will contain the generated Public Key
//* SQDPKEY DD - File that will contain the generated private Key
//*              ** This file and its contents are not to be shared
//*
//* Required parameters:
//* PARM - keygen *** In lower case ***
//* USER - The system USERID or high level qualifier of the
//*        SQDATA libraries IF all Jobs will share Private Key.
//*
//* Notes:
//* 1) This Job generates a new Public/Private Key pair, saves
//*    them to their respective files and adds the Public Key
//*    to an existing Authorized Key List, allocating a new
//*    file for that purpose if necessary.
//*
//* 2) An optional first step deletes the current set of files
//*
//* 3) Change the SET parms below for:
//*    HLQ  - high level qualifier of the CDC Libraries
//*    VER  - the 2nd level qualifier of the CDC OBJLIB & LOADLIB
//*    USER - the High Level Qualifier of the NACL Datasets
//*------
//*
// SET HLQ=SQDATA
// SET VER=V400
// SET USER=&SYSUID
//*
//* JOBLIB is built from the HLQ and VER symbols set above
//JOBLIB DD DISP=SHR,DSN=&HLQ..&VER..LOADLIB
//*
//*------
//* Optional: Delete Old Instance of the NACL Files
//*------
//*DELOLD EXEC PGM=IEFBR14
//*SYSPRINT DD SYSOUT=*
//*OLDPUB DD DISP=(OLD,DELETE,DELETE),DSN=&USER..NACL.PUBLIC
//*OLDPVT DD DISP=(OLD,DELETE,DELETE),DSN=&USER..NACL.PRIVATE
//*OLDAUTH DD DISP=(OLD,DELETE,DELETE),DSN=SQDATA.NACL.AUTH.KEYS
//*------
//* Allocate Public/Private Key Files and Generate Public/Private Keys
//*------
//SQDUTIL EXEC PGM=SQDUTIL
//SQDPUBL DD DSN=&USER..NACL.PUBLIC,
// DCB=(RECFM=FB,LRECL=80,BLKSIZE=21200),
// DISP=(,CATLG,DELETE),UNIT=SYSDA,
// SPACE=(TRK,(1,1))
//SQDPKEY DD DSN=&USER..NACL.PRIVATE,
// DCB=(RECFM=FB,LRECL=80,BLKSIZE=21200),
// DISP=(,CATLG,DELETE),UNIT=SYSDA,
// SPACE=(TRK,(1,1))
//SQDPARMS DD *
keygen
//SYSPRINT DD SYSOUT=*
//SYSOUT DD SYSOUT=*
//SQDLOG DD SYSOUT=*
//*SQDLOG8 DD DUMMY
//*------
//* Allocate the Authorized Key List File --> Used only by the Daemon
//*------
//COPYPUB EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN DD DUMMY
//SYSUT1 DD DISP=SHR,DSN=&USER..NACL.PUBLIC
//SYSUT2 DD DSN=SQDATA.NACL.AUTH.KEYS,
// DCB=(RECFM=FB,LRECL=80,BLKSIZE=21200),
// DISP=(MOD,CATLG),UNIT=SYSDA,SPACE=(TRK,(5,5))
Notes:
1. Since the Daemon, Capture Agents and zOS Apply Engines may be running in the same LPAR/system, they frequently run under the same System User-ID; in that case they would share the same public/private key pair.
2. Changes are not known to the Daemon until the configuration files are reloaded, using the SQDmon utility, or the sqdaemon process is stopped and started.

Administrative User Authorization
The Administrative User of Connect CDC SQData requires the following RACF specifications:
ADDUSER admuser DFLTGRP(STCAUTH) OWNER(
SETROPTS GENERIC(FSACCESS)
RDEFINE FSACCESS SQDATA.** UACC(NONE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(USER/GROUP_ID) ACCESS(UPDATE)
SETROPTS CLASSACT(FSACCESS)
SETROPTS RACLIST(FSACCESS)
SETROPTS RACLIST(FSACCESS) REFRESH
PERMIT MVSADMIN.LOGR CLASS(FACILITY) ACCESS(ALTER) ID(YOUR_USERID)
RDEFINE FACILITY MVSADMIN.LOGR UACC(ALTER)
SETROPTS CLASSACT(FACILITY)

IMS Authorizations
The IMS Log Capture requires the following permissions:
· The IMS Log Capture (program SQDIMSC) needs read access to the IMS OLDS and SLDS datasets.
· The IMS Log Capture also requires read access to the IMS RESLIB and IMS RECON datasets.

Db2 Authorizations
The Db2 Log Reader Capture requires special user privileges and preparation to access and read the Db2 Recovery Logs using Db2 Instrumentation Facility Interface (IFI) calls. Version 4 of Connect CDC SQData also requires some system tables to be captured to support Schema Evolution. The following GRANTs are required:
1. GRANT MONITOR2 TO <sqdata_user>;
2. GRANT EXECUTE ON PLAN SQDV4000 TO <sqdata_user>;
3. GRANT SELECT ON SYSIBM.SYSTABLES TO <sqdata_user>;
4. GRANT SELECT ON SYSIBM.SYSCOLUMNS TO <sqdata_user>;
5. GRANT SELECT ON SYSIBM.SYSINDEXES TO <sqdata_user>;
6. GRANT SELECT ON SYSIBM.SYSKEYS TO <sqdata_user>;
7. GRANT SELECT ON SYSIBM.SYSTABLESPACE TO <sqdata_user>;

Db2 REORG and LOAD procedures may need to be updated:
· The KEEPDICTIONARY=YES parameter must be used by all Db2 REORG and LOAD utilities. If the CDC process runs asynchronously, falls behind for some reason, or is configured to recapture older logs, the matching compression dictionary must still be available to decode those log records.

Schema Evolution requires DATA CAPTURE CHANGES on two (2) catalog tables:
1. SYSIBM.SYSTABLES
2. SYSIBM.SYSCOLUMNS

Notes:
· A common database request module (DBRM) SQDDDB2D ships as part of the product distribution and a Bind must be performed on the SQDV4000 Package and Plan. Use the BINDSQD member in the CNTL library to bind the Package and Plan to Db2.
· Each Db2 table to be captured also requires:
ALTER TABLE
VSAM Authorizations
There are no additional security requirements specifically related to the VSAM Log Replicate Capture.
UNIX Security Requirements
This section summarizes the security authorizations required to execute the Precisely Connect CDC SQData software on AIX and Linux.

Administrative User Authorization
The level of privileges required by the Connect CDC SQData Administrative User depends on the location chosen for the base product installation. Most Connect CDC SQData for UNIX customers utilize a special system account established for sqdata_user rather than an individual user account, because it usually needs elevated privileges designated for configuring and executing the capture and apply processes. If necessary, have the system administrator create that account.

TCP/IP Ports
· The Daemon (program sqdaemon) needs access to the designated port number that it will listen on. The default port number is 2626 but it can be any available port reserved on the platform.
· All Connect CDC SQData capture, publisher, daemon, Engine and Utility tasks require access to the TCP/IP Stack.

Installation Directories
On UNIX based machines, executables are typically installed in /opt under a folder named for the product. /opt is usually owned by root, so Administrator privileges would be required to create the sqdata folder and decompress the package into this location. To allow multiple users to access the package without giving access to everyone, the system administrator can define an sqdata group and grant permissions on the package to the group.
MKDIR '/opt/sqdata/' MODE(7,7,5)
Alternatively, the product can be installed into the system account
MKDIR '/home/sqdata_user/sqdata' MODE(7,7,5)
Variable Directories
Once source and target systems and datastores have been identified, the configuration of the Capture Agents, Apply Engines and their Controller Daemons can begin. That will require the creation of directories and files for the variable portions of the configuration. At this point we assume the base Connect CDC SQData product has already been installed according to the instructions in the Installation Guide and the Operating System specific $Start_Here_
/opt/sqdata or
/home/
If you would like to use an Environment Variable to reference the installation location, the recommended value is:
Controller Daemons, Capture Agents and Engines require the creation of directories and files for the variable portions of their configurations. Just as the location of the base product installation can be modified, the location of the variable directories can be adjusted to conform to the operating system and to accommodate areas of responsibility, including the associated "application" and optionally Testing or Production environments. This document will refer to the location most commonly used on Linux, AIX and Windows: /var/opt/sqdata[/
/home/
/home/sqdata[/
If you would like to use an Environment Variable to reference the location of the variable portions of the configuration, the recommended value is:
While only the base variable directory is required and the location of the daemon directory is optional, we recommend the structure described below:
If this system will include a Change Data Capture agent, we recommend the structure described below:
Note, the User-ID(s) under which the capture CDCStore and the Controller Daemon will run must be authorized for Read/Write access to these directories. The following commands will create the directories described above: $ mkdir -p
$ mkdir -p
NaCL Key Pair Generation
The Controller Daemon uses a public/private key mechanism to ensure component communications are valid and secure. A key pair must be created for the sqdaemon process User-ID and the User-IDs of all the Agent jobs that interact with the Controller Daemon. On UNIX, by default, the private key is stored in ~/.nacl/id_nacl and the public key in ~/.nacl/id_nacl.pub. These two files are used by the daemon in association with a sequential file containing a concatenated list of the public keys of all the Agents allowed to interact with the Controller Daemon. The Authorized Keys file must contain, at a minimum, the public key of the sqdaemon process User-ID and is usually named nacl_auth_keys and placed in the
Controller Daemon. The Authorized Keys file is usually maintained by a Systems Administrator. The sqdutil utility program, run with the keygen command, generates the necessary keys. The command must be run under the User-ID that will be used to run the Controller Daemon process:
$ sqdutil keygen
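After running keygen, an administrator can verify that the key files are where the daemon expects them and that the private key is protected. The following POSIX shell check is an added example, not part of the product; it assumes the default UNIX locations given above (~/.nacl/id_nacl, ~/.nacl/id_nacl.pub, nacl_auth_keys), a one-line public key file, and builds a constructed sample layout with placeholder key text so it can run offline.

```shell
#!/bin/sh
# check_nacl_keys HOME_DIR AUTH_KEYS_FILE
#   Reports each finding on stderr and prints the number of findings.
#   Added example for the Connect CDC SQData NaCL key layout described
#   in this document; the file locations are the documented defaults.
check_nacl_keys() {
    home_dir="$1"
    auth_keys="$2"
    priv="$home_dir/.nacl/id_nacl"
    pub="$home_dir/.nacl/id_nacl.pub"
    findings=0

    # 1. Both halves of the key pair must exist (sqdutil keygen creates them).
    for f in "$priv" "$pub"; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f" >&2
            findings=$((findings + 1))
        fi
    done

    # 2. The private key is not to be shared: owner-only access (600 or 400).
    if [ -f "$priv" ]; then
        mode=$(stat -c '%a' "$priv" 2>/dev/null || stat -f '%Lp' "$priv" 2>/dev/null || echo unknown)
        case "$mode" in
            600|400) ;;
            *) echo "PERMS: $priv is mode $mode, expected 600" >&2
               findings=$((findings + 1)) ;;
        esac
    fi

    # 3. The authorized keys list must contain at least the daemon's own
    #    public key (the minimum content stated in this document).
    if [ ! -f "$auth_keys" ]; then
        echo "MISSING: $auth_keys" >&2
        findings=$((findings + 1))
    else
        if [ -f "$pub" ] && ! grep -qxF -- "$(head -n 1 "$pub")" "$auth_keys"; then
            echo "AUTHKEYS: key from $pub not present in $auth_keys" >&2
            findings=$((findings + 1))
        fi
        # 4. That list decides which agents the daemon trusts, so it must not
        #    be writable by group or others.
        amode=$(stat -c '%a' "$auth_keys" 2>/dev/null || stat -f '%Lp' "$auth_keys" 2>/dev/null || echo 000)
        case "$amode" in
            *[2367]?|*[2367]) echo "PERMS: $auth_keys is mode $amode, group/other writable" >&2
                              findings=$((findings + 1)) ;;
        esac
    fi

    echo "$findings"
}

# Constructed sample layout so the check runs offline. The key text is
# placeholder data, not real NaCL key material.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.nacl"
    printf 'SAMPLE-PRIVATE-KEY\n' > "$dir/.nacl/id_nacl"
    chmod 600 "$dir/.nacl/id_nacl"
    printf 'SAMPLE-PUBLIC-KEY\n' > "$dir/.nacl/id_nacl.pub"
    printf 'SAMPLE-PUBLIC-KEY\n' > "$dir/nacl_auth_keys"
    chmod 644 "$dir/nacl_auth_keys"
    echo "$dir"
}

sample=$(make_sample)
echo "findings on sample layout: $(check_nacl_keys "$sample" "$sample/nacl_auth_keys")"
```

Point the function at the real home directory of the sqdaemon User-ID and the real nacl_auth_keys path to check a live installation; a non-zero count lists what to fix before starting the daemon.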
Notes:
1. If the Daemon, Capture Agent and Apply Engine are running on the same system, they may optionally run under the same User-ID, in which case they would share the same public/private key pair.
2. Changes are not known to the Daemon until the configuration files are reloaded, using the SQDmon utility, or the sqdaemon process is stopped and started.

UDB (DB2/LUW) Authorizations
The Db2/LUW (UDB) Log Reader Capture requires special user privileges and preparation to access and read the Db2 Recovery Logs using Db2/LUW (UDB) Instrumentation Facility Interface (IFI) calls. Version 4 of Connect CDC SQData also requires some system tables to be captured to support Schema Evolution. The following GRANTs are required:
· GRANT DBADM ON DATABASE TO <sqdata_user>;
· GRANT EXECUTE ON PACKAGE sqdddb2d TO <sqdata_user>;
· GRANT SELECT ON SYSIBM.SYSTABLES TO <sqdata_user>;
· GRANT SELECT ON SYSIBM.SYSCOLUMNS TO <sqdata_user>;
· GRANT SELECT ON SYSIBM.SYSDATAPARTITIONS TO <sqdata_user>;

Db2 REORG and LOAD procedures may need to be updated:
· The KEEPDICTIONARY=YES parameter must be used by all Db2 REORG and LOAD utilities. If the CDC process runs asynchronously, falls behind for some reason, or is configured to recapture older logs, the matching compression dictionary must still be available to decode those log records.

Schema Evolution requires DATA CAPTURE CHANGES on two (2) catalog tables:
1. SYSIBM.SYSTABLES
2. SYSIBM.SYSCOLUMNS

Notes:
· A common database request module (DBRM) sqddd2b.bnd ships as part of the product distribution and a Bind must be performed on the Package:
bind
ALTER TABLE
Oracle Authorizations
The Oracle LogMiner Capture requires special user privileges and preparation to access and read the Oracle Recovery Logs using the Oracle LogMiner API.

Enable LogMiner functionality
· ALTER DATABASE ADD SUPPLEMENTAL LOG DATA provides the minimal level of database metadata required by the Oracle LogMiner.

The following GRANTs are required:
1. GRANT LOGMINING TO
ALTER TABLE
Kafka Authorizations
In addition to the installation of the librdkafka library, writing to Kafka requires the following permissions:
· Read access to the librdkafka libraries
· Port access [plaintext, sasl, zookeeper if desired]
· Plaintext security – no changes needed
· SASL/Kerberos – follow the details in the librdkafka documentation for producer config, client keys, etc.
Windows Security Requirements
This section summarizes the security authorizations required to execute the Precisely Connect CDC SQData software on Windows.

TCP/IP
· The Daemon (sqdaemon) needs access to the designated port number that it will be listening on.

Apply Engines
The Apply Engine program "sqd" must have the following permissions:
· Read [Read/Write to install] access to the software installation executables.
· Read/Write access to the data directories and files for the daemon and apply engine scripts.
· Read/Update access to the target datastores (i.e. tables, kafka topics, hdfs files, etc.)
2 Blue Hill Plaza, Pearl River, NY 10965 USA, precisely.com