Chapter 7. Portal security 313
In our example user CHEN was not in RACF, but user JAVA7 was in RACF. We
added the users to the Portal server LDIF by executing the following command:
ldapmodify -a -p 2389 -f ./NAUpdate.ldif -D "cn=CBAdmin" -w
After this we tested that the changes were successful as follows:
We tried to log in to Portal server using userid CHEN. This did not succeed: the
login failed with an authentication error because userid CHEN was not in RACF.
We logged in successfully to Portal server using userid JAVA7, which was in
RACF. This confirmed that the LDAP modification worked and that users are
authenticating through native authentication.
7.5.6 Mass-exporting RACF users to LDAP
If you are planning to export a large number of RACF userids into the LDAP
server as registered Portal users, use the following example.
Exporting from RACF
First, here are the steps for exporting your RACF native userids to a file using the
LDAP Browser which has an LDIF export capability.
You need to sign on to the LDAP Browser with a valid RACFID as shown in
Figure 7-21 on page 310.
Note: Mass-exporting RACF users to LDAP is not a requirement for Portal
Server configuration and installation. It can be part of the initial
environment setup for a corporate Portal, instead of having all employees
self-register or having the RACF and LDAP administrators register every
individual employee as a portal user.
The mass-exporting RACF users to LDAP requires LDAP Native
314 WebSphere Portal on z/OS
Move your mouse to the objectclass "profiletype=user" and click on it. Move
your mouse to the browser's menu "LDIF" and select "Export".
Click the "All children" option; expand the "..." folder option in the
upper-right corner, select your desired folder and enter the file name.
Click the "Export" button and the file will be generated.
Running the REXX program
Second, we have prepared and tested a sample REXX program and a template
file with predefined tokens similar to Example 7-5 on page 312 for you to use.
Please refer to Appendix D, "Additional material" on page 339 for details on how
to get the files. You will need to unzip the downloaded file. The zip file contains:
A REXX program convldif.rexx (see Example C-1 on page 331).
A template file template.ldif (see Figure 7-23).
A sample exported RACF users list file (see Figure 7-24 on page 315).
A sample merged output file merged.output. (see Figure 7-25 on page 315).
Figure 7-23 Sample LDIF template
Figure 7-24 The exported RACFID sample file
Figure 7-25 Merged sample LDIF output file
You will then need to upload all four files to the z/OS mainframe area.
Log on to TSO and use ISPF 3.2 to create three new datasets:
"<YourHLQ>.RACFID.INPUT" (RACF userid list file)
"<YourHLQ>.TEMPLATE.INPUT" (Template ldif input file)
"<YourHLQ>.MERGED.OUTPUT" (Merged ldif output file)
The RACF users and the template input datasets should have PS organization,
RECFM=FB and a record length of 80, whereas the merged output dataset should
have PS organization, RECFM=VB and a record length of 255.
These three files are used by the sample REXX program convldif.rexx. Also copy
the REXX program convldif.rexx to your Portal Server installation library (that is,
"<YourHLQ>.JOBS.CNTL") as the member CONVLDIF. Do the following
The REXX program CONVLDIF
Replace all three occurrences of <YourHLQ> to match your selected dataset names.
See Example C-1 on page 331.
This input file contains the begin pattern 'racfid=' and the end pattern ','.
The REXX program CONVLDIF extracts any name that appears between the two
patterns.
The template file contains three recognized token names to be replaced by
the extracted RACF userid names.
– #racfid1 is the default userid name in uppercase
– #racfid2 is the userid name in lowercase
– #racfid3 is the userid name with first letter in upper case
After running the REXX exec, this file will contain the generated output in ldif
format. Make sure the template file format is valid, so the output file will
contain the valid ldif format as well.
To invoke the REXX program, log on to TSO, then ISPF, and select
option 6, "Command". At the ISPF Command Shell prompt, enter "exec
Note: Only one token per line is replaced with the extracted RACF name, and
any line that does not contain one of the three recognized tokens is written
to the output as is. You will also need to change the "dc=ibm,dc=com".