The Advanced Adapter for CA Top Secret consists of the Pioneer provisioning agent and the IdF Voyager reconciliation agent. Together with the IdF Virtual Gateway, these components give the IdF Advanced Adapter for Top Secret bi-directional support for translating native Top Secret commands to and from LDAP, and they provide reconciliation between Top Secret and distributed applications, directories, databases and modern identity management systems. Provisioning is handled by the Pioneer provisioning agent, a mainframe-installed component that receives identity and authorization change events sent from the Identity Forge LDAP Gateway and executes the corresponding Top Secret requests on the target system.
The Advanced Adapter for Top Secret provides reconciliation through the IdF Voyager reconciliation agent. When an identity or authorization event occurs natively on the target system (Top Secret), the Voyager agent sends a notification event to the IdF Virtual Gateway. Besides sending security data to and requesting it from the host platform, the IdF Virtual Gateway acts as a container for security-facility change events that originate on the host. These host-originated change events are captured by the Voyager reconciliation agent, which is integrated with mainframe exit points. Capture is based on exit technology: a command is passed through an exit before it fully completes. A common use of exits is to require that user IDs or passwords have a particular length or contain at least one letter and one number; if the exit rejects the command, the command fails with an error message and the security database is left unchanged. By capturing identity and authentication events at an exit, the Voyager Command Processor (CP) observes them without modifying the operating system itself. The Voyager CP is a mainframe-installed component that detects events on the mainframe through Top Secret exits. When an event occurs, independently of any other Adapter component, it is processed through the appropriate mainframe exit; the Voyager reconciliation agent captures it and transforms it into a message that updates the IdF Virtual Gateway. Because exits are used, no hooks are placed into the mainframe operating system. The Gateway currently monitors events from user logon, TSO, and batch jobs.
Change event detection on the host
Regardless of the identity repository (RACF, ACF2, or Top Secret), a change begins with a TSO logon, with a command entered at the TSO command line by an administrator, or through the actions of a batch job. After the identity repository has successfully processed the event, the event is passed to the exit for custom processing. For example, a password change may require that the password contain at least one number and at least one letter and be eight characters long; such a check can be implemented in a custom exit. The Voyager reconciliation agent detects user ID additions, deletions, status changes, and attribute or field changes. It also detects password changes and, if configured to do so, can securely pass the clear-text password to the IdF Virtual Gateway so that the identity management system can apply the update; because a clear-text password is leaving the host, this option should only be used where the path to the gateway is encrypted. In addition to password changes, other mainframe-generated password information is communicated, such as a warning that a password on the mainframe is about to expire. Because mainframe environments generate large, enterprise-wide events, the Voyager reconciliation agent is built to absorb them. A prime example is a batch job programmed to make thousands of changes at once. When the Voyager reconciliation started task is initiated, a memory pool is allocated to hold the anticipated surge of message events. For example, a batch job revoking a large volume of user IDs can run within a short interval on the mainframe, and it generates a significant number of change events because a single request triggers both the batch exit and the exit controlling the identity store. The reconciliation agent CP is prepared for this: every few seconds it scoops up all pending message events, filters out the duplicates, and turns the remaining events into messages that are stored in a message queue.
The IdF Virtual Gateway then consumes the queued messages as fast as the identity management system can process them. The most important property of this architecture is that no change event is lost: messages wait in the queue until they are consumed, giving secure, guaranteed delivery.
Mainframe event monitoring for Audit & Compliance
The Voyager reconciliation agent detects more than simple changes to identity repositories through the mainframe exits. Most of these events, such as a simple authentication or an access to a mainframe resource, are ignored. When it is important to monitor such events, the Voyager reconciliation agent can record them into a second message queue, separate from the reconciliation queue. The IdF Advanced Adapter lets you take the generated audit records for the related security events into a format from which you can produce reports to view and analyze.
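The event pipeline described in the two sections above (exits raising events into a memory pool, a periodic sweep that removes the duplicate raised when the batch exit and the security-facility exit both fire for one request, a reconciliation queue that releases a message only after the identity management system has taken it, and a second queue for audited events) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not Identity Forge code and does not run on a mainframe. The exit names BATCH and TSS, the action vocabulary, the deduplication key (command sequence, action, user ID) and the message layout are assumptions made for the example, and the scenario it replays is constructed.

```python
"""Simulated exit-driven change-event pipeline (added illustration, not IdF code)."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Optional

# Actions carried on the reconciliation queue (assumed vocabulary for the example).
IDENTITY_ACTIONS = {"ADD", "DELETE", "REVOKE", "RESUME", "CHANGE", "PASSWORD", "PW_EXPIRING"}


@dataclass(frozen=True)
class ExitEvent:
    """One event raised by a mainframe exit after a command completed."""
    exit_name: str                   # "BATCH" or "TSS": which exit saw the command (assumed names)
    action: str                      # REVOKE, PASSWORD, AUTH, ACCESS, ...
    userid: str
    seq: int                         # id of the originating command; both exits' copies share it
    password: Optional[str] = None   # only set on PASSWORD events


class Pipeline:
    def __init__(self, forward_passwords: bool = False, audit_actions=()):
        self.buffer = []              # memory pool the exits fill between sweeps
        self.seen = set()             # dedup keys (a real agent would bound this by time window)
        self.recon_queue = deque()    # messages bound for the IdF Virtual Gateway
        self.audit_queue = deque()    # second queue, only for event types chosen for audit
        self.forward_passwords = forward_passwords
        self.audit_actions = set(audit_actions)

    def exit_hook(self, ev: ExitEvent) -> None:
        """Entry point a mainframe exit would call once the command has succeeded."""
        self.buffer.append(ev)

    def _to_message(self, ev: ExitEvent) -> dict:
        msg = {"action": ev.action, "userid": ev.userid, "seq": ev.seq}
        if ev.action == "PASSWORD":
            # Clear text leaves the host only when explicitly enabled; in production that
            # path must be an encrypted channel to the gateway.
            msg["password"] = ev.password if self.forward_passwords else "<withheld>"
        return msg

    def sweep(self) -> int:
        """Periodic collection: drain the buffer, drop duplicates, route to the queues.
        Returns the number of reconciliation messages produced."""
        events, self.buffer = self.buffer, []
        routed = 0
        for ev in events:
            key = (ev.seq, ev.action, ev.userid)   # exit name deliberately excluded:
            if key in self.seen:                   # batch exit + security exit = one change
                continue
            self.seen.add(key)
            if ev.action in IDENTITY_ACTIONS:
                self.recon_queue.append(self._to_message(ev))
                routed += 1
            if ev.action in self.audit_actions:
                self.audit_queue.append({"action": ev.action, "userid": ev.userid,
                                         "seq": ev.seq, "exit": ev.exit_name})
        return routed

    def consume(self, deliver: Callable[[dict], None]) -> int:
        """Hand messages to the identity management system at its own pace.
        A message is removed only after delivery succeeds, so a failure loses nothing."""
        delivered = 0
        while self.recon_queue:
            msg = self.recon_queue[0]      # peek; pop only after a successful delivery
            try:
                deliver(msg)
            except Exception:
                break                      # stays at the head for the next pass
            self.recon_queue.popleft()
            delivered += 1
        return delivered


def run_demo(forward_passwords: bool = False) -> dict:
    """Constructed scenario: a batch job revokes three IDs (each seen by two exits),
    then one password change, one plain logon and one resource access."""
    p = Pipeline(forward_passwords=forward_passwords, audit_actions={"ACCESS"})
    for seq, uid in enumerate(["USR001", "USR002", "USR003"], start=1):
        p.exit_hook(ExitEvent("BATCH", "REVOKE", uid, seq))
        p.exit_hook(ExitEvent("TSS", "REVOKE", uid, seq))
    p.exit_hook(ExitEvent("TSS", "PASSWORD", "USR004", 4, password="Hunter22"))
    p.exit_hook(ExitEvent("TSS", "AUTH", "USR005", 5))     # ordinary logon: ignored
    p.exit_hook(ExitEvent("TSS", "ACCESS", "USR005", 6))   # resource access: audit only
    buffered = len(p.buffer)
    routed = p.sweep()

    calls = {"n": 0}
    received = []

    def flaky_idm(msg: dict) -> None:   # the IdM system rejects its second call once
        calls["n"] += 1
        if calls["n"] == 2:
            raise RuntimeError("identity management system busy")
        received.append(msg)

    first_pass = p.consume(flaky_idm)    # stops at the failure, nothing discarded
    second_pass = p.consume(flaky_idm)   # resumes with the message that failed
    return {
        "buffered": buffered,
        "routed": routed,
        "first_pass": first_pass,
        "second_pass": second_pass,
        "delivered_ids": [m["userid"] for m in received],
        "password_field": received[-1].get("password"),
        "audit_messages": len(p.audit_queue),
        "left_in_queue": len(p.recon_queue),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Nine buffered exit events collapse to four reconciliation messages, the plain logon is dropped, the resource access lands only on the audit queue, and the message the identity management system rejected is redelivered on the next pass rather than lost. The clear-text password is withheld unless forwarding is switched on.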