AS400 connector
Important
Connectors continue to be released outside the IDM release. For the latest documentation, refer to the ICF documentation.
The AS400 connector enables you to manage and synchronize users between AS400 and the IDM managed user repository.
Before You Start
These instructions assume you have an AS400 administrator account and you have access to AS400. You need the following information to configure the connector:
- Host Name
The name or IP address of the host where AS400 is running.
- Username
The AS400 Organizational Admin username.
- Password
The AS400 Organizational Admin password.
- Is Secure
Whether or not to enable a secure connection to AS400.
Install the AS400 connector
Download the connector .jar file from the ForgeRock BackStage download site.
If you are running the connector locally, place it in the /path/to/openidm/connectors directory, for example:
mv ~/Downloads/as400-connector-1.5.20.12.jar /path/to/openidm/connectors/
If you are using a remote connector server (RCS), place it in the /path/to/openicf/connectors directory on the RCS.
Configure the AS400 connector
Create a connector configuration using the admin UI:
Select Configure > Connectors and click New Connector.
Enter a Connector Name.
Select AS400 Connector - 1.5.20.12 as the Connector Type.
Provide the Base Connector Details.
Click Save.
When your connector is configured correctly, the connector displays as Active in the admin UI.
Alternatively, test that the configuration is correct by running the following command:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request POST \
"http://localhost:8080/openidm/system/as400?_action=test"
{
"name": "as400",
"enabled": true,
"config": "config/provisioner.openicf/as400",
"connectorRef": {
"bundleVersion": "${bundleVersion}",
"bundleName": "org.forgerock.openicf.connectors.as400-connector",
"connectorName": "org.forgerock.openicf.connectors.as400.As400Connector"
},
"displayName": "AS400 Connector",
"objectTypes": [
"__ACCOUNT__",
"__ALL__",
"__GROUP__"
],
"ok": true
}
If the command returns "ok": true, your connector has been configured correctly, and can authenticate to the AS400 system.
Use the AS400 connector
The following resources are supported by AS400:
ICF Native Type | AS400 Resource Type |
---|---|
__ACCOUNT__ | Users |
__GROUP__ | Groups |
The following filter operators and attributes are supported by AS400:
Object Type | Operators | Attributes |
---|---|---|
__GROUP__ | id filter | Id |
You can perform the following actions with the AS400 connector:
The following example creates a user with all available attributes:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--request POST \
--data '{
"__NAME__":"BJENSEN",
"__PASSWORD__":"ASDE1234",
"PWDEXP":false,
"__ENABLE__":true,
"USRCLS":"*USER",
"ASTLVL":"*BASIC",
"CURLIB":"*CRTDFT",
"INLPGM":"*NONE",
"INLMNU":"MAIN",
"TEXT":"TEXTFILEDVALUE",
"SPCAUT":["*AUDIT"],
"SPCENV":"*S36",
"DSPSGNINF":"*YES",
"PWDEXPITV":"323",
"PWDCHGBLK":"93",
"LCLPWDMGT":true,
"LMTDEVSSN":"*NO",
"MAXSTG":"10000",
"PTYLMT":8,
"JOBD":"QDFTJOBD",
"OWNER":"*USRPRF",
"ACGCDE":"*BLANK",
"DOCPWD":"W12345",
"MSGQ":"*USRPRF",
"DLVRY":"*HOLD",
"SEV":"50",
"PRTDEV":"*SYSVAL",
"OUTQ":"*DEV",
"ATNPGM":"*ASSIST",
"SRTSEQ":"*HEX",
"LANGID":"ENG",
"CCSID":"*HEX",
"CHRIDCTL":"*DEVD",
"SETJOBATR":["*CCSID"],
"LOCALE":"*C",
"USROPT":["*HLPFULL"],
"UID":"*GEN",
"HOMEDIR":"*USRPRF",
"EIMASSOC":["*NOCHG"],
"USREXPITV":99,
"USREXPDATE":"*USREXPITV",
"LMTCPB":"*YES",
"CNTRYID":"*SYSVAL",
"GRPPRF":"AZURE",
"SUPGRPPRF":["AWS"]
}' \
"{secureHostname}/openidm/system/As400/__ACCOUNT__?_action=create&_prettyprint=true"
{
"_id" : "BJENSEN",
"USROPT" : [ "*HLPFULL" ],
"SEV" : "50",
"USREXPITV" : 99,
"IsAuthCollectionActive" : false,
"HOMEDIR" : "/home/BJENSEN",
"MAXSTG" : "10000",
"UID" : "1277",
"PTYLMT" : 8,
"__NAME__" : "BJENSEN",
"PRTDEV" : "*SYSVAL",
"__ENABLE__" : true,
"LMTDEVSSN" : "*NO",
"__UID__" : "BJENSEN",
"SRTSEQ" : "*HEX",
"DSPSGNINF" : "*YES",
"PWDCHGBLK" : "93",
"GRPPRF" : "AZURE",
"USREXPDATE" : "12/06/22",
"CURLIB" : "*CRTDFT",
"LMTCPB" : "*YES",
"ASTLVL" : "*BASIC",
"SUPGRPPRF" : [ "AWS" ],
"MSGQ" : "/QSYS.LIB/QUSRSYS.LIB/BJENSEN.MSGQ",
"LANGID" : "ENG",
"CCSID" : "65535",
"PWDEXPITV" : "323",
"IsUserEntitlementRequired" : true,
"TEXT" : "TEXTFILEDVALUE",
"JOBD" : "/QSYS.LIB/QGPL.LIB/QDFTJOBD.JOBD",
"ActionAuditLevel" : "*BASIC",
"ObjectAuditValue" : "*NONE",
"PasswordChangedDate" : "Mon Aug 29 05:15:20 IST 2022",
"ATNPGM" : "/QSYS.LIB/QEZMAIN.PGM",
"LCLPWDMGT" : true,
"INLPGM" : "*NONE",
"USRCLS" : "*USER",
"SPCAUT" : [ "*AUDIT" ],
"SETJOBATR" : [ "*CCSID" ],
"SPCENV" : "*S36",
"ACGCDE" : "",
"IsPasswordNone" : false,
"DLVRY" : "*HOLD",
"IsAuthCollectionRepositoryExist" : false,
"UserExpirationAction" : "*DISABLE",
"INLMNU" : "/QSYS.LIB/%LIBL%.LIB/MAIN.MNU",
"LOCALE" : "*C",
"KBDBUF" : "*SYSVAL",
"OWNER" : "*USRPRF",
"PasswordExpireDate" : "Tue Jul 18 00:00:00 IST 2023",
"PWDEXP" : false,
"OUTQ" : "*DEV",
"CNTRYID" : "*SYSVAL",
"CHRIDCTL" : "*DEVD",
"StorageUsed" : "12"
}
Note
When you create a new user, you must specify at least the __NAME__ property. This property can be a maximum of 10 characters. These characters may be:
- Any letter
- Any digit
- The #, $, _, and @ special characters
If the __NAME__ begins with a digit, it must be prefixed with a Q.
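The naming rules in the note can be enforced before a create request is sent. This added example is not part of the connector documentation: normalize_profile_name and build_create_body are hypothetical helpers, "any letter" is assumed to mean ASCII letters, and the body is serialized with json.dumps so no shell quoting is involved.

```python
import json
import re

# Characters the note allows: letters, digits, and # $ _ @
# (ASCII letters are an assumption; the note only says "any letter").
_ALLOWED = re.compile(r"[A-Za-z0-9#$_@]+")
MAX_LEN = 10


def normalize_profile_name(name: str) -> str:
    """Return a __NAME__ that satisfies the rules in the note, or raise ValueError."""
    if not name:
        raise ValueError("__NAME__ is required")
    if not _ALLOWED.fullmatch(name):
        bad = sorted(set(re.sub(r"[A-Za-z0-9#$_@]", "", name)))
        raise ValueError(f"illegal characters in __NAME__: {bad}")
    # A name that begins with a digit must be prefixed with a Q.
    if name[0].isdigit():
        name = "Q" + name
    # The length limit applies to the final value, including any added Q.
    if len(name) > MAX_LEN:
        raise ValueError(f"__NAME__ {name!r} is longer than {MAX_LEN} characters")
    return name


def build_create_body(name: str, password: str, **attrs) -> str:
    """Serialize a create request body with a validated __NAME__."""
    body = {"__NAME__": normalize_profile_name(name), "__PASSWORD__": password}
    body.update(attrs)
    return json.dumps(body)


if __name__ == "__main__":
    # Constructed sample input; the password is a placeholder.
    print(build_create_body("9OPS", "PLACEHOLDER", USRCLS="*USER"))
```

The returned string can be piped to curl with `--data @-`, which keeps the account password off the command line.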
The following example queries all users in the system:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--request GET \
"http://localhost:8080/openidm/system/as400/__ACCOUNT__?_queryId=query-all-ids"
{
"result": [
{"_id": "ADAM"},
{"_id": "BJENSEN"},
{"_id": "CHERYL"},
{"_id": "DAVID"},
{"_id": "EDDIE"}
],
"resultCount":5,
"pagedResultsCookie":null,
"totalPagedResultsPolicy":"NONE",
"totalPagedResults":-1,
"remainingPagedResults":-1
}
The following example queries a single user by ID:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--request GET \
"http://localhost:8080/openidm/system/as400/__ACCOUNT__/BJENSEN?_prettyprint=true"
{
"_id" : "BJENSEN",
"USROPT" : [ "*HLPFULL" ],
"SEV" : "50",
"USREXPITV" : 99,
"IsAuthCollectionActive" : false,
"HOMEDIR" : "/home/BJENSEN",
"MAXSTG" : "10000",
"UID" : "1277",
"PTYLMT" : 8,
"__NAME__" : "BJENSEN",
"PRTDEV" : "*SYSVAL",
"__ENABLE__" : true,
"LMTDEVSSN" : "*NO",
"__UID__" : "BJENSEN",
"SRTSEQ" : "*HEX",
"DSPSGNINF" : "*YES",
"PWDCHGBLK" : "93",
"GRPPRF" : "AZURE",
"USREXPDATE" : "12/06/22",
"CURLIB" : "*CRTDFT",
"LMTCPB" : "*YES",
"ASTLVL" : "*BASIC",
"SUPGRPPRF" : [ "AWS" ],
"MSGQ" : "/QSYS.LIB/QUSRSYS.LIB/BJENSEN.MSGQ",
"LANGID" : "ENG",
"CCSID" : "65535",
"PWDEXPITV" : "323",
"IsUserEntitlementRequired" : true,
"TEXT" : "TEXTFILEDVALUE",
"JOBD" : "/QSYS.LIB/QGPL.LIB/QDFTJOBD.JOBD",
"ActionAuditLevel" : "*BASIC",
"ObjectAuditValue" : "*NONE",
"PasswordChangedDate" : "Mon Aug 29 05:15:20 IST 2022",
"ATNPGM" : "/QSYS.LIB/QEZMAIN.PGM",
"LCLPWDMGT" : true,
"INLPGM" : "*NONE",
"USRCLS" : "*USER",
"SPCAUT" : [ "*AUDIT" ],
"SETJOBATR" : [ "*CCSID" ],
"SPCENV" : "*S36",
"ACGCDE" : "",
"IsPasswordNone" : false,
"DLVRY" : "*HOLD",
"IsAuthCollectionRepositoryExist" : false,
"UserExpirationAction" : "*DISABLE",
"INLMNU" : "/QSYS.LIB/%LIBL%.LIB/MAIN.MNU",
"LOCALE" : "*C",
"KBDBUF" : "*SYSVAL",
"OWNER" : "*USRPRF",
"PasswordExpireDate" : "Tue Jul 18 00:00:00 IST 2023",
"PWDEXP" : false,
"OUTQ" : "*DEV",
"CNTRYID" : "*SYSVAL",
"CHRIDCTL" : "*DEVD",
"StorageUsed" : "12"
}
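A review of the privilege-related attributes in the account object returned above, as an added example that is not part of the connector documentation. The per-class allow-list and the 90-day limit are assumed site policy, review_account and review_all are hypothetical names, and the sample is constructed from the response shown.

```python
import json

# Constructed sample: a subset of the attributes in the read response above.
SAMPLE_ACCOUNT = json.loads("""
{"_id": "BJENSEN", "__ENABLE__": true, "USRCLS": "*USER",
 "SPCAUT": ["*AUDIT"], "LMTCPB": "*YES", "PWDEXPITV": "323",
 "IsPasswordNone": false}
""")

# Assumed review policy (site-specific, not defined by the connector).
ALLOWED_SPCAUT = {"*USER": set()}  # special authorities permitted per user class
MAX_PWDEXPITV_DAYS = 90


def review_account(acct, allowed=ALLOWED_SPCAUT, max_days=MAX_PWDEXPITV_DAYS):
    """Return a list of (attribute, message) findings for one account object."""
    findings = []
    usrcls = acct.get("USRCLS", "")

    # SPCAUT is multi-valued. An unknown user class has an empty allow-list,
    # so every special authority on it is reported.
    granted = set(acct.get("SPCAUT", [])) - {"*NONE"}
    for aut in sorted(granted - allowed.get(usrcls, set())):
        findings.append(("SPCAUT", f"{aut} not allowed for user class {usrcls}"))

    # LMTCPB (limit capabilities) other than *YES is reported.
    if acct.get("LMTCPB") != "*YES":
        findings.append(("LMTCPB", f"capabilities not limited: {acct.get('LMTCPB')}"))

    # PWDEXPITV arrives as a string: a day count, or a keyword such as
    # *SYSVAL (defer to the system value) or *NOMAX (no expiration).
    itv = str(acct.get("PWDEXPITV", "*SYSVAL"))
    if itv == "*NOMAX":
        findings.append(("PWDEXPITV", "password never expires"))
    elif itv.isdigit() and int(itv) > max_days:
        findings.append(("PWDEXPITV", f"{itv} days exceeds limit of {max_days}"))
    return findings


def review_all(accounts):
    """Map _id to findings, keeping only accounts that have at least one."""
    report = {}
    for acct in accounts:
        found = review_account(acct)
        if found:
            report[acct["_id"]] = found
    return report


if __name__ == "__main__":
    print(json.dumps(review_all([SAMPLE_ACCOUNT]), indent=2))
```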
You can modify an existing user with a PUT request, including all attributes of the account in the request. You can use the AS400 connector to modify the following attributes:
PASSWORD
PWDEXP
STATUS
USRCLS
ASTLVL
CURLIB
INLPGM
INLMNU
LMTCPB
TEXT
SPCAUT
SPCENV
DSPSGNINF
PWDEXPITV
PWDCHGBLK
LCLPWDMGT
LMTDEVSSN
KBDBUF
MAXSTG
PTYLMT
JOBD
OWNER
ACGCDE
DOCPWD
MSGQ
DLVRY
SEV
PRTDEV
OUTQ
ATNPGM
SRTSEQ
LANGID
CNTRYID
CCSID
CHRIDCTL
SETJOBATR
LOCALE
USROPT
UID
HOMEDIR
USREXPDATE
USREXPITV
EIMASSOC
GRPPRF
SUPGRPPRF
The following request updates a user:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--header "Accept-API-Version: resource=1.0" \
--header "If-Match: *" \
--request PUT \
--data '{
"__PASSWORD__":"ASDE1234",
"PWDEXP":false,
"__ENABLE__":true,
"USRCLS":"*USER",
"ASTLVL":"*BASIC",
"CURLIB":"*CRTDFT",
"INLPGM":"*NONE",
"INLMNU":"MAIN",
"TEXT":"TEXTFILEDVALUE",
"SPCAUT":["*AUDIT"],
"SPCENV":"*S36",
"DSPSGNINF":"*YES",
"PWDEXPITV":"323",
"PWDCHGBLK":"93",
"LCLPWDMGT":true,
"LMTDEVSSN":"*NO",
"MAXSTG":"10000",
"PTYLMT":8,
"JOBD":"QDFTJOBD",
"OWNER":"*USRPRF",
"ACGCDE":"*BLANK",
"DOCPWD":"W12345",
"MSGQ":"*USRPRF",
"DLVRY":"*HOLD",
"SEV":"50",
"PRTDEV":"*SYSVAL",
"OUTQ":"*DEV",
"ATNPGM":"*ASSIST",
"SRTSEQ":"*HEX",
"LANGID":"ENG",
"CCSID":"*HEX",
"CHRIDCTL":"*DEVD",
"SETJOBATR":["*CCSID"],
"LOCALE":"*C",
"USROPT":["*HLPFULL"],
"UID":"*GEN",
"HOMEDIR":"*USRPRF",
"EIMASSOC":["*NOCHG"],
"USREXPITV":99,
"USREXPDATE":"*USREXPITV",
"LMTCPB":"*YES",
"CNTRYID":"*SYSVAL",
"GRPPRF":"AZURE",
"SUPGRPPRF":["AWS"]
}' \
"{secureHostname}/openidm/system/As400/__ACCOUNT__/BJENSEN?_prettyprint=true"
{
"_id" : "BJENSEN",
"USROPT" : [ "*HLPFULL" ],
"SEV" : "50",
"USREXPITV" : 99,
"IsAuthCollectionActive" : false,
"HOMEDIR" : "/home/BJENSEN",
"MAXSTG" : "10000",
"UID" : "1277",
"PTYLMT" : 8,
"__NAME__" : "BJENSEN",
"PRTDEV" : "*SYSVAL",
"__ENABLE__" : true,
"LMTDEVSSN" : "*NO",
"__UID__" : "BJENSEN",
"SRTSEQ" : "*HEX",
"DSPSGNINF" : "*YES",
"PWDCHGBLK" : "93",
"GRPPRF" : "AZURE",
"USREXPDATE" : "12/06/22",
"CURLIB" : "*CRTDFT",
"LMTCPB" : "*YES",
"ASTLVL" : "*BASIC",
"SUPGRPPRF" : [ "AWS" ],
"MSGQ" : "/QSYS.LIB/QUSRSYS.LIB/BJENSEN.MSGQ",
"LANGID" : "ENG",
"CCSID" : "65535",
"PWDEXPITV" : "323",
"IsUserEntitlementRequired" : true,
"TEXT" : "TEXTFILEDVALUE",
"JOBD" : "/QSYS.LIB/QGPL.LIB/QDFTJOBD.JOBD",
"ActionAuditLevel" : "*BASIC",
"ObjectAuditValue" : "*NONE",
"PasswordChangedDate" : "Mon Aug 29 05:15:20 IST 2022",
"ATNPGM" : "/QSYS.LIB/QEZMAIN.PGM",
"LCLPWDMGT" : true,
"INLPGM" : "*NONE",
"USRCLS" : "*USER",
"SPCAUT" : [ "*AUDIT" ],
"SETJOBATR" : [ "*CCSID" ],
"SPCENV" : "*S36",
"ACGCDE" : "",
"IsPasswordNone" : false,
"DLVRY" : "*HOLD",
"IsAuthCollectionRepositoryExist" : false,
"UserExpirationAction" : "*DISABLE",
"INLMNU" : "/QSYS.LIB/%LIBL%.LIB/MAIN.MNU",
"LOCALE" : "*C",
"KBDBUF" : "*SYSVAL",
"OWNER" : "*USRPRF",
"PasswordExpireDate" : "Tue Jul 18 00:00:00 IST 2023",
"PWDEXP" : false,
"OUTQ" : "*DEV",
"CNTRYID" : "*SYSVAL",
"CHRIDCTL" : "*DEVD",
"StorageUsed" : "12"
}
To reset the password for an AS400 user account, you can use the connector to change the user’s password:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--header "Accept-API-Version: resource=1.0" \
--header "If-Match: *" \
--request PUT \
--data '{
"__PASSWORD__":"newpassword123"
}' \
"{secureHostname}/openidm/system/as400/__ACCOUNT__/BJENSEN?_prettyprint=true"
{
"_id" : "BJENSEN",
"USROPT" : [ "*HLPFULL" ],
"SEV" : "50",
...
}
The following example activates a user:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--header "Accept-API-Version: resource=1.0" \
--header "If-Match: *" \
--request PUT \
--data '{
"__ENABLE__": true
}' \
"{secureHostname}/openidm/system/as400/__ACCOUNT__/BJENSEN?_prettyprint=true"
{
"_id" : "BJENSEN",
...
"__ENABLE__": true
...
}
The following example deactivates a user:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--header "Accept-API-Version: resource=1.0" \
--header "If-Match: *" \
--request PUT \
--data '{
"__ENABLE__": false
}' \
"{secureHostname}/openidm/system/as400/__ACCOUNT__/BJENSEN?_prettyprint=true"
{
"_id" : "BJENSEN",
...
"__ENABLE__": false
...
}
The following example deletes a user:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--header "Accept-API-Version: resource=1.0" \
--request DELETE \
"{secureHostname}/openidm/system/as400/__ACCOUNT__/BJENSEN?_prettyprint=true"
{
"_id" : "BJENSEN",
...
}
The following example queries all AS400 Groups by their IDs:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
"http://localhost:8080/openidm/system/as400/__GROUP__?_queryId=query-all-ids&_prettyprint=true"
{
"result": [
{"_id": "AWS"},
{"_id": "AZURE"},
{"_id": "CLOUD"}
],
"resultCount" : 3,
"pagedResultsCookie" : null,
"totalPagedResultsPolicy" : "NONE",
"totalPagedResults" : -1,
"remainingPagedResults" : -1
}
The following example queries a single AS400 group by its ID:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
"http://localhost:8080/openidm/system/as400/__GROUP__/AWS?_prettyprint=true"
{
"_id" : "AWS",
"GID" : "116",
"__NAME__" : "AWS",
"GRPAUT" : "*NONE",
"GRPAUTTYP" : "*PRIVATE",
"__UID__" : "AWS"
}
Account attributes
The following account attributes are supported by the AS400 connector:
Attribute | Description |
---|---|
| User Profile Name |
| The password used to log in. |
| The previous sign-on date. |
| The last date the password was changed. |
| Whether or not the password is *NONE. |
| The user expiration action. |
| The storage used. |
| A value used for auditing the object. |
| The Action Audit Level. |
| When the user’s password is set to expire. |
| The user’s status. Permitted values are |
| The special access control for the user. |
| Specifies which user interface to use. |
| Specifies the name of the current library associated with the job. |
| The initial program. |
| The initial menu. |
| Whether or not user entitlement is required. |
| Whether or not authority collection is active. |
| Limit capabilities. |
| A free-form text field. |
| The special access permissions for the user. |
| The special environment. |
| The display sign-on information. |
| The password expiration interval. |
| Whether or not to block password change. |
| Local password management. |
| Limit device session. |
| Keyboard buffering. |
| Maximum allowed storage. |
| Highest schedule priority. |
| Job description. |
| The owner of the user profile. |
| The accounting code. |
| The document password. |
| The message queue. |
| Delivery. |
| The severity code. |
| The print device. |
| The output queue. |
| The attention program. |
| The sort sequence. |
| The language ID. |
| The country or region ID. |
| The Coded Character Set ID. |
| The character identifier control. |
| The local job attributes. |
| The locale. |
| The user options. |
| The user ID number. |
| The home directory. |
| The user’s expiration date. |
| The user’s expiration interval. |
| Authority. |
| The EIM association. |
| The date the password expires. |
| Specifies the user’s group profile name whose authority is used when there is no job-specific authority given to the user. |
| Specifies the user’s supplemental group profiles. Used with |
OpenICF Interfaces Implemented by the AS400 Connector
The AS400 Connector implements the following OpenICF interfaces.
- Create
Creates an object and its uid.
- Delete
Deletes an object, referenced by its uid.
- Schema
Describes the object types, operations, and options that the connector supports.
- Script on Connector
Enables an application to run a script in the context of the connector. Any script that runs on the connector has the following characteristics:
The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.
The script has access to a connector variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration.
The script has access to any script-arguments passed in by the application.
- Search
Searches the target resource for all objects that match the specified object class and filter.
- Test
Tests the connector configuration. Testing a configuration checks that all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.
This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).
You can invoke the test operation before a connector configuration has been validated.
- Update
Updates (modifies or replaces) objects on a target resource.
AS400 Connector Configuration
The AS400 Connector has the following configurable properties.
Configuration properties
Property | Type | Default | Encrypted [a] | Required [b] |
---|---|---|---|---|
hostName | String | null | | |
Host name or IP address of AS400. | | | | |
userName | String | null | | |
The username used to log in to AS400. | | | | |
password | GuardedString | null | | |
The password used to log in to AS400. | | | | |
isSecure | boolean | true | | |
Whether to enable a secure connection to AS400. | | | | |
[a] Indicates whether the property value is considered confidential, and therefore encrypted in OpenIDM.
[b] A list of operations in this column indicates that the property is required for those operations.
Basic configuration properties
Property | Type | Default | Encrypted [a] | Required [b] |
---|---|---|---|---|
maximumConnections | Integer | 10 | | |
The maximum number of connections. | | | | |
connectionTimeout | Integer | 300000 | | |
The maximum connection timeout, in milliseconds. | | | | |
[a] Indicates whether the property value is considered confidential, and therefore encrypted in OpenIDM.
[b] A list of operations in this column indicates that the property is required for those operations.