
Connect CDC SQData
Security Authorization Quickstart
Version 4.0

© 2001, 2021 SQData. All rights reserved.
Last Update: 8/24/2021

Contents

Security Authorization Quickstart
Quick Start Approach
Documentation Conventions
zOS Security Requirements
    APF Authorization
    TCP/IP Ports
    ZFS Variable Directories
    z/OS LogStreams
    Started Task Authorizations
    NaCL Key Pair Generation
    Administrative User Authorization
    IMS Authorizations
    Db2 Authorizations
    VSAM Authorizations
UNIX Security Requirements
    Administrative User Authorization
    TCP/IP Ports
    Installation Directories
    Variable Directories
    NaCL Key Pair Generation
    UDB (DB2/LUW) Authorizations
    Oracle Authorizations
    Hadoop HDFS Authorizations
    Kafka Authorizations
Windows Security Requirements
    TCP/IP
    Apply Engines

Security Authorization Quickstart

This document summarizes the security authorizations required to execute the Precisely Connect CDC SQData software on z/OS and Linux. Please visit Precisely at https://www.precisely.com/support for assistance.

Quick Start Approach

The Quickstart approach is intended to be a step-by-step guide to the installation, configuration, testing and operation of Connect CDC SQData Captures on zOS and other platforms as well as the Apply and Replicator Engine components that write to Kafka and HDFS. Each Quickstart includes a "Before You Get Started" section that lists the prerequisites for specific component configuration and execution, which are explained in detail in the various component Reference documents. Often the wait time for various security and permission related activities is the most time-consuming aspect of the effort. This document consolidates the detailed security requirements for each component so that this work can be initiated as early as possible.

Documentation Conventions

The following conventions are used in command and configuration syntax and examples in this document.

Convention:  Regular type
Explanation: Items in regular type must be entered literally using either lowercase or uppercase letters. Items in Bold type are usually "commands" or "Actions". Note, uppercase is often used in "z/OS" objects for consistency just as lowercase is often used on other platforms.
Examples:    create
             CCSID
             /directory
             //SYSOUT DD *

Convention:  <variable>
Explanation: Items between < and > symbols represent variables. You must substitute an appropriate numeric or text value for the variable.
Example:     <file_name>

Convention:  | Bar
Explanation: A vertical Bar indicates that a choice must be made among items in a list separated by bars.
Examples:    'yes' | 'no'
             JSON | AVRO

Convention:  [ ] Brackets
Explanation: Brackets indicate that an item is optional. A choice may be made among multiple items contained in brackets.
Examples:    [alias]
             OR [+ | -]

Convention:  -- Double dash
Explanation: Double dashes "--" identify an option keyword. Some keywords may be abbreviated and preceded by a single dash "-". A double dash in some contexts can be used to indicate the start of a single line comment.
Examples:    --service=<port>
             OR -s <port>
             OR --apply
             OR -- this is a comment

Convention:  … Ellipsis
Explanation: An ellipsis indicates that the preceding argument or group of arguments may be repeated.
Example:     [expression…]

Convention:  Sequence number
Explanation: A sequence number indicates that a series of arguments or values may be specified. The sequence number itself must never be specified.
Example:     field2

Convention:  ' ' Single quotes
Explanation: Single quotation marks that appear in the syntax must be specified literally.
Example:     IF CODE = 'a'

zOS Security Requirements

This section summarizes the security authorizations required to execute the Precisely Connect CDC SQData software on z/OS.

APF Authorization

The Connect CDC SQData load library SQDATA.V4nnn.LOADLIB must be APF authorized.
Initially, this can be done from the operator’s console using the SETPROG APF command. This APF authorization must then be made a permanent part of the IPL APF authorization procedure. All Connect CDC SQData agents must have read access to this library.

TCP/IP Ports

· The Daemon (program SQDAEMON) needs access to the designated port number that it will listen on. The default port number is 2626 but it can be any available port reserved on the platform.
· All Connect CDC SQData capture, publisher, daemon, Engine and Utility tasks require access to the TCP/IP Stack.

ZFS Variable Directories

The Controller Daemon, Capture, Storage and Publisher agents require a predefined zFS directory structure used to store a small number of files. While only the configuration directory is required and the location of the agent and daemon directories is optional, we recommend the structure described below, where <home> and a "user" named <sqdata> could be modified to conform to the operating environment and a third level created for the Controller Daemon (see note below):

/<home>/<sqdata> - The home directory used by the Connect CDC SQData

/<home>/<sqdata>/daemon - The working directory used by the Daemon that also contains two sub directories.

/<home>/<sqdata>/daemon/cfg - A configuration directory that contains two configuration files.

/<home>/<sqdata>/daemon/logs - A logs directory, though not required, is suggested to store log files used by the controller daemon. Its suggested location below must match the file locations specified in the Global section of the sqdagents.cfg file created in the section "Setup Controller Daemon" later in this document.

Additional directories will be created for each Capture/Publisher. We recommend the structures described below:

/<home>/<sqdata>/db2cdc - The working directory for the Db2 Capture and CDCStore Storage agents.
The Capture and CDCStore configuration (.cab) Files will be maintained in this directory along with small temporary files used to maintain connections to the active agents.

/<home>/<sqdata>/db2cdc/data - A data directory is required by the Db2 Capture. Files will be allocated in this directory as needed by the CDCStore Storage Agent when transient data exceeds allocated in-memory storage. The suggested location below must match the "data_path" specified in the Storage agent configuration (.cab file) described later in this chapter. A dedicated File System is required in production with this directory as the "mount point".

/<home>/<sqdata>/imscdc - The working directory for the IMS Capture and CDCzLOG Publisher agents. The Capture and Publisher (.cab) Files will be maintained in this directory along with small temporary files used to maintain connections to the active agents.

/<home>/<sqdata>/[vsampub | kfilepub] - The working directory for the VSAM and Keyed File Compare Capture's CDCzLOG Publisher agent. The Publisher configuration (.cab) File will be maintained in this directory along with small temporary files used to maintain connections to the active agents.

Notes:

1. Consider changing the default umask setting in the /etc/profile file, or in your .cshrc or .login file.
2. While many zFS File systems are configured with /u as the "home" directory, others use /home, the standard on Linux. References in the Connect CDC SQData JCL and documentation will use /home for consistency. Check with your Systems programmer regarding zFS on your systems.
3. The User-ID(s) and/or Started Task under which the Capture and the Controller Daemon will run must be authorized for Read/Write access to the zFS directories.
4. A more traditional "nix" style structure may also be used where "sqdata", the product, would
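
The directory layout and notes 1 and 3 above, as an added example that is not part of the SQData documentation: POSIX shell functions that create the recommended tree under a restrictive umask and then audit it for directories that are missing, not readable and writable by the current user ID, or world-writable. The function names, the umask value 027 and the choice of vsampub rather than kfilepub are assumptions.

```shell
#!/bin/sh
# Added example, not part of the SQData documentation.
# Directory names are the ones the guide recommends, relative to /<home>/<sqdata>.
# Assumption: vsampub is used; substitute kfilepub for Keyed File Compare.
SQD_DIRS="daemon daemon/cfg daemon/logs db2cdc db2cdc/data imscdc vsampub"
# Assumption: 027 gives owner rwx, group r-x, others nothing. Use 007 if the
# Capture and Daemon user IDs differ and share access through a group.
SQD_UMASK=${SQD_UMASK:-027}

# create_sqdata_tree <base>: create <base> and every directory in SQD_DIRS.
# The umask is changed in a subshell so the caller's umask is untouched.
create_sqdata_tree() {
    (
        umask "$SQD_UMASK" || exit 1
        mkdir -p "$1" || exit 1
        for d in $SQD_DIRS; do
            mkdir -p "$1/$d" || exit 1
        done
    )
}

# audit_sqdata_tree <base>: report each directory that is missing, not
# readable and writable by the current user ID, or writable by "other".
# Returns 0 when the tree is clean, 1 otherwise.
audit_sqdata_tree() {
    rc=0
    for d in "" $SQD_DIRS; do
        p="$1${d:+/$d}"
        if [ ! -d "$p" ]; then
            echo "MISSING        $p"; rc=1; continue
        fi
        if [ ! -r "$p" ] || [ ! -w "$p" ]; then
            echo "NO-READ-WRITE  $p"; rc=1
        fi
        # -prune stops find at $p itself; -perm -0002 matches other-write.
        if [ -n "$(find "$p" -prune -perm -0002 -print)" ]; then
            echo "WORLD-WRITABLE $p"; rc=1
        fi
    done
    return $rc
}

# Usage, run under the user ID that will own the Capture/Daemon tasks:
#   create_sqdata_tree /home/sqdata && audit_sqdata_tree /home/sqdata
```

In production, mount the dedicated file system at db2cdc/data before running the audit, so the check is made against the mounted file system rather than the empty mount point.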