The Advanced Adapter for CA ACF2 consists of the Pioneer provisioning agent and the IdF Voyager reconciliation agent. Together with the IdF Virtual Gateway, these components give the IdF Advanced Adapter for ACF2 bi-directional support for the transformation of native ACF2 commands to LDAP. It also provides robust reconciliation between ACF2 and distributed applications, directories, databases and modern identity management systems.
The IdF Advanced Adapter for ACF2 provides its provisioning functionality through its Pioneer CP technology. The Pioneer CP receives identity and authorization change events and applies the requested changes to the target system (e.g. ACF2). The Pioneer Command Processor is a mainframe-installed component that executes ACF2 requests sent from the Identity Forge LDAP Gateway.
The Advanced Adapter for ACF2 provides reconciliation functionality through the IdF Voyager reconciliation agent. The Voyager reconciliation agent sends notification events from the target system (e.g. ACF2) to the IdF Virtual Gateway when an identity or authorization event occurs in the native target system.
In addition to sending and requesting security data from the host platform, the IdF Virtual Gateway is a container for security facility change events that originate on the host (ACF2). These host-originated change events are captured by the Voyager reconciliation agent, which is integrated with mainframe exit points.
The Voyager reconciliation agent captures this information using exit technology. A command execution is passed through an exit prior to full completion of the command. A common use of this technology is to require that user IDs or passwords be of a proper length, or that they contain at least one letter and one number. If the exit fails, the command fails and returns an error message, so the system is not corrupted. By capturing identity or authentication events at an exit, the Voyager reconciliation agent listens to these events outside the operating system.
The Voyager reconciliation agent is a mainframe-installed component that detects events occurring on the mainframe using ACF2 exit technologies. When an event occurs on a mainframe screen, independent of other Adapter technologies, the event is processed through the appropriate mainframe exit. The Voyager reconciliation agent captures this event and transforms it into a message that updates the IdF Virtual Gateway. Because we are using exit technology, we are not placing hooks into the mainframe operating system. The Gateway currently monitors events from user logon, TSO, and batch jobs.
Change event detection on the host
Regardless of the type of identity repository (RACF, ACF2, or Top Secret), the change begins with a TSO logon, at the TSO command line by an administrator, or through the actions of a batch job. Upon a successful identity repository event, the event is passed to the exit for custom processing. For example, a password change may require that a password contain at least one number and at least one letter and be eight characters long. This check can be done by a custom exit.
The Voyager reconciliation agent exits detect a user ID addition, deletion, status change, or attribute/field change. The Voyager reconciliation agent also detects a password change and, if instructed, can securely pass the clear-text password to the IdF Virtual Gateway for updates by the identity management system. In addition to changed passwords, other mainframe-generated password information is communicated, such as a warning that a password on the mainframe is about to expire.
In dealing with a mainframe environment, the Voyager reconciliation agent is prepared for large, enterprise-wide events. A prime example is a batch job programmed to make thousands of changes at once. When the Voyager reconciliation agent started task is initiated, a memory pool is allocated to handle an anticipated surge of message events.
For example, a batch job to revoke a large volume of user IDs can be processed within short intervals on the mainframe. This creates a significant number of change events, because both the batch mainframe exit and the exit controlling the identity store are triggered by a single request. The Voyager reconciliation agent is prepared for this: every few seconds it scoops up all of the message events, filters out duplicates, and turns the message events into messages that are stored in a message queue. In this example, the IdF Virtual Gateway consumes the messages as fast as the identity management system can process them.
The most important benefit of this architecture is that no change events are lost, providing secure guaranteed delivery.
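The collect-sweep-deduplicate-enqueue cycle described above, modelled in Python as an added illustration (this is constructed example code, not Identity Forge's implementation). The event fields, the exit names BATCH_EXIT and ACF2_EXIT, and the 100-message consumer chunk size are assumptions; the point demonstrated is that two exits firing for one logical change collapse to one queued message, and that the queue hands every message to the consumer in order with none lost.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class ExitEvent:
    """One change event raised by a mainframe exit (constructed model)."""
    userid: str
    action: str       # INSERT, DELETE, REVOKE, CHANGE
    field: str = ""   # attribute touched; empty for status changes
    source: str = ""  # exit that raised it; deliberately not part of the dedup key

class EventCollector:
    """Pool fed by the exits, swept periodically into a durable message queue."""
    def __init__(self):
        self.pool = []        # memory pool the exits write into
        self.queue = deque()  # message queue the gateway drains at its own pace

    def capture(self, ev):
        self.pool.append(ev)

    def sweep(self):
        """Periodic pass: drain the pool, drop duplicates, enqueue one message per change."""
        seen, enqueued = set(), 0
        for ev in self.pool:
            key = (ev.userid, ev.action, ev.field)  # same change from two exits -> same key
            if key in seen:
                continue
            seen.add(key)
            self.queue.append({"userid": ev.userid, "action": ev.action, "field": ev.field})
            enqueued += 1
        self.pool.clear()
        return enqueued

    def consume(self, limit):
        """Gateway side: take at most `limit` messages, FIFO, nothing dropped."""
        batch = []
        while self.queue and len(batch) < limit:
            batch.append(self.queue.popleft())
        return batch

def simulate_batch_revoke(userids):
    """A batch job revokes many IDs; the batch exit and the ACF2 exit each raise one event per ID."""
    coll = EventCollector()
    for uid in userids:
        coll.capture(ExitEvent(uid, "REVOKE", source="BATCH_EXIT"))
        coll.capture(ExitEvent(uid, "REVOKE", source="ACF2_EXIT"))
    raw, enqueued, delivered = len(coll.pool), coll.sweep(), []
    while coll.queue:  # the gateway consumes in small chunks as fast as it can
        delivered.extend(coll.consume(100))
    return {"raw": raw, "enqueued": enqueued, "delivered": [m["userid"] for m in delivered]}
```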
Mainframe event monitoring for Audit & Compliance
The Voyager reconciliation agent detects more than simple changes to identity repositories through the mainframe exits. Most of these events, such as a simple authentication or access to a mainframe resource, are ignored. When it is important to monitor these events, the Voyager reconciliation agent can record these actions into a second messaging queue for updates to the Voyager reconciliation agent.
The IdF Advanced Adapter allows you to take the audit records generated for the related security events and put them into a format from which you can generate reports to view and analyze.