Connect CDC SQData Security Authorization Quickstart Version 4.0


Connect CDC SQData

Security Authorization Quickstart

Version 4.0


© 2001, 2022 SQData. All rights reserved.

Version 4.0

Last Update: 7/11/2022


Contents

Security Authorization Quickstart
  Quick Start Approach
  Documentation Conventions
  zOS Security Requirements
    APF Authorization
    TCP/IP Ports
    ZFS Variable Directories
    z/OS LogStreams
    Started Task Authorizations
    NaCL Key Pair Generation
    Administrative User Authorization
    IMS Authorizations
    Db2 Authorizations
    VSAM Authorizations
  UNIX Security Requirements
    Administrative User Authorization
    TCP/IP Ports
    Installation Directories
    Variable Directories
    NaCL Key Pair Generation
    UDB (DB2/LUW) Authorizations
    Oracle Authorizations
    Hadoop HDFS Authorizations
    Kafka Authorizations
  Windows Security Requirements
    TCP/IP
    NaCL Key Pair Generation
    Apply Engines


This document summarizes the security authorizations required to execute the Precisely Connect CDC SQData software on z/OS, UNIX (Linux and AIX) and Windows.

Please visit Precisely https://www.precisely.com/support for assistance.


Quick Start Approach

The Quickstart approach is intended to be a step-by-step guide to the installation, configuration, testing and operation of Connect CDC SQData Captures on z/OS and other platforms, as well as the Apply and Replicator Engine components that write to various target datastores on z/OS, UNIX (Linux and AIX) and Windows. Each Quickstart includes a "Before You Get Started" section that lists prerequisites for specific component configuration and execution that are explained in detail in the various component Reference documents. Often the wait time for various security and permission related activities is the most time consuming aspect of the effort. This document consolidates the detailed security requirements for each component so that they can be initiated as early as possible.


Documentation Conventions

The following conventions are used in command and configuration syntax and examples in this document.

Convention: Regular type
Explanation: Items in regular type must be entered literally, using either lowercase or uppercase letters. Items in bold type are usually "commands" or "actions". Note that uppercase is often used for z/OS objects for consistency, just as lowercase is often used on other platforms.
Examples: create, CCSID, /directory, //SYSOUT DD *

Convention: <variable>
Explanation: Items between < and > symbols represent variables. You must substitute an appropriate numeric or text value for the variable.
Example: <file_name>

Convention: | (vertical bar)
Explanation: A vertical bar indicates that a choice must be made among items in a list separated by bars.
Examples: 'yes' | 'no', JSON | AVRO

Convention: [ ] (brackets)
Explanation: Brackets indicate that an item is optional. Items separated by a | indicate that a choice may be made among multiple items.
Examples: [alias] OR [yes | no]

Convention: -- (double dash)
Explanation: Double dashes "--" are used in two contexts. They may precede an option keyword; many keywords can also be abbreviated and preceded by a single dash "-". They are also used to indicate the start of a single-line comment.
Examples: --service=<port> OR -s <port> OR --apply OR -- this is a comment

Convention: … (ellipsis)
Explanation: An ellipsis indicates that the preceding argument or group of arguments may be repeated.
Example: [expression…]

Convention: Sequence number
Explanation: A sequence number indicates that a series of arguments or values may be specified. The sequence number itself must never be specified.
Example: field2

Convention: ' ' (single quotes)
Explanation: Single quotation marks that appear in the syntax must be specified literally.
Example: IF code_value = 'a'


zOS Security Requirements

This section summarizes the security authorizations required to execute the Precisely Connect CDC SQData software on z/OS.

APF Authorization

The Connect CDC SQData load library SQDATA.V4nnn.LOADLIB must be APF authorized. Initially, this can be done from the operator's console via the SETPROG APF command. This APF authorization must then be made a permanent part of the IPL APF authorization procedure.

All Connect CDC SQData agents must have read access to this library.

TCP/IP Ports

· The Daemon (program SQDAEMON) needs access to the designated port number that it will listen on. The default port number is 2626 but it can be any available port reserved on the platform.

· All Connect CDC SQData capture, publisher, daemon, Engine and Utility tasks require access to the TCP/IP stack.

Note, AT-TLS secured ports are also supported for connections to z/OS daemons from Apply Engines running on z/OS as well as Apply and Replicator Engines running on Linux (ONLY).

ZFS Variable Directories

On z/OS, Connect CDC SQData product components and most parameter and configuration data will be installed in partitioned datasets. Controller Daemon and Capture/Publisher agent configurations will however be stored in the z/OS UNIX System Services file system, commonly referred to as zFS. The Controller Daemon, Capture, Storage and Publisher agents require a predefined zFS directory structure used to store a small number of files. While only the configuration directory is required and the location of the agent and daemon directories is optional, Precisely recommends the structure described below, where <home> and a "user" named <sqdata> could be modified to conform to the operating environment and a third level created for the Controller Daemon:

/<home>/<sqdata> - The home directory used by Connect CDC SQData.

/<home>/<sqdata>/daemon - The working directory used by the Daemon, which also contains two subdirectories.

/<home>/<sqdata>/daemon/cfg - A configuration directory that contains two configuration files.

/<home>/<sqdata>/daemon/logs - A logs directory, though not required, is suggested to store log files used by the controller daemon. Its suggested location must match the file locations specified in the Global section of the sqdagents.cfg file created in the section "Setup Controller Daemon" later in this document.

Additional directories should be created for each Capture/Publisher. Precisely recommends the structures described below:

/<home>/<sqdata>/db2cdc - The working directory for the Db2 Capture and CDCStore Storage agents. The Capture and CDCStore configuration (.cab) files will be maintained in this directory along with small temporary files used to maintain connections to the active agents.

/<home>/<sqdata>/db2cdc/data - A data directory is required by the Db2 Capture. Files will be allocated in this directory as needed by the CDCStore Storage Agent when transient data exceeds the allocated in-memory storage. The suggested location must match the "data_path" specified in the Storage agent configuration (.cab file) described later in this chapter. A dedicated file system is required in production with this directory as the "mount point".

/<home>/<sqdata>/imscdc - The working directory for the IMS Capture and CDCzLOG Publisher agents. The Capture and Publisher (.cab) files will be maintained in this directory along with small temporary files used to maintain connections to the active agents.

/<home>/<sqdata>/[vsampub | kfilepub] - The working directory for the VSAM and Keyed File Compare Capture's CDCzLOG Publisher agent. The Publisher configuration (.cab) file will be maintained in this directory along with small temporary files used to maintain connections to the active agents.

Example:

JCL similar to the sample member ALLOCZDR included in the distribution should be used to allocate the necessary directories. The JCL should be edited to conform to the operating environment.

//ALLOCZDR JOB 1,MSGLEVEL=(1,1),MSGCLASS=H,NOTIFY=&SYSUID
//*
//*--------------------------------------------------------------------
//* Allocate zFS Directories for Daemon and CAB Files
//*--------------------------------------------------------------------
//* Note: 1) These directories are used by the Controller Daemon,
//*          CDCStore and CDCzLog based capture agents
//*
//*       2) The 1st, 2nd and 3rd level directories can be changed but
//*          we recommend the 2nd Level be a User named sqdata.
//*
//*       3) Leave /daemon and /daemon/cfg as specified
//*
//*       4) Your UserID may need to be defined as SUPERUSER to
//*          successfully run this Job
//*
//*********************************************************************
//*
//*------------------------------------------------------------
//* Delete Existing Directories
//*------------------------------------------------------------
//*DELETDIR EXEC PGM=IKJEFT01,REGION=64M,DYNAMNBR=99,COND=(0,LT)
//*SYSEXEC  DD DISP=SHR,DSN=SYS1.SBPXEXEC
//*SYSTSPRT DD SYSOUT=*
//*OSHOUT1  DD SYSOUT=*
//*SYSTSIN  DD *
//* OSHELL rm -r /home/sqdata/*
//*--------------------------------------------------------------------
//* Create New ZFS Directories for Controller Daemon & Captures
//*--------------------------------------------------------------------
//CREATDIR EXEC PGM=IKJEFT01,REGION=64M,DYNAMNBR=99,COND=(0,LT)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 PROFILE MSGID WTPMSG
 MKDIR '/home/sqdata/' +
   MODE(7,7,5)
 MKDIR '/home/sqdata/daemon/' +
   MODE(7,7,5)
 MKDIR '/home/sqdata/daemon/cfg' +
   MODE(7,7,5)
 MKDIR '/home/sqdata/daemon/logs' +
   MODE(7,7,5)
 MKDIR '/home/sqdata/db2cdc/' +
   MODE(7,7,5)
 MKDIR '/home/sqdata/db2cdc/data/' +
   MODE(7,7,5)
 MKDIR '/home/sqdata/imscdc/' +
   MODE(7,7,5)
 MKDIR '/home/sqdata/vsampub/' +
   MODE(7,7,5)
 MKDIR '/home/sqdata/kfilepub' +
   MODE(7,7,5)
/*
//

Notes:

1. Consider changing the default umask setting in the /etc/profile file, or in your .cshrc or .login file.

2. While many zFS file systems are configured with /u as the "home" directory, others use /home, the standard on Linux. References in the Connect CDC SQData JCL and documentation will use /home for consistency. Check with your Systems Programmer regarding zFS on your systems.

3. The User-ID(s) and/or Started Tasks under which the Controller Daemon and Captures will run must be authorized for Read/Write access to the zFS directories.

4. A more traditional "nix" style structure may also be used, where "sqdata", the product, would be a sub-directory in the structure "/var/opt/sqdata/" with the daemon and data sub-directory structures inside sqdata.

5. The BPXPRMxx member used for IPLs should be updated to include the mount point(s) for this zFS directory structure.

z/OS LogStreams

The IMS Log Capture, and the zLogc Publisher used by the IMS Capture agent, VSAM Log Replicate and Keyed File Compare Captures, require read/write access to one or more system LogStreams.

The following RACF commands can be used to set access to the system Logstreams by the Capture and Publisher agents. The profile must be defined before access to it can be permitted:

RDEFINE FACILITY MVSADMIN.LOGR UACC(ALTER)
PERMIT MVSADMIN.LOGR CLASS(FACILITY) ACCESS(ALTER) ID(agent_userid)
SETROPTS CLASSACT(FACILITY)

The Capture and Publisher components utilize z/OS system Logstreams for their high performance and high reliability. Both DASD-only and CF-structure based Logstreams are supported. Instructions and sample JCL for defining the LogStreams can be found in the Capture Reference manuals.


Started Task Authorizations

The following sample RACF commands outline the authorization required by the various Connect CDC SQData agents. Modify the names, high-level qualifiers, zFS directories, etc. as required by your environment.

Master Controller STC Authorizations – Program SQDAMAST

ADDUSER SQDAMAST DFLTGRP(<stc_group>) OWNER(<owner_name>)
ALTUSER SQDAMAST NOPASSWORD NOOIDCARD
ALTUSER SQDAMAST NAME('STASK, SQDATA')
ALTUSER SQDAMAST DATA('FOR SQDATA CONTACT:<sqdata_contact_name>')
ALTUSER SQDAMAST WORKATTR(WAACCNT('**NOUID**'))
CONNECT SQDAMAST GROUP(<stc_group>) OWNER(<owner_name>)
PERMIT 'SQDATA.*' ID(SQDAMAST) ACCESS(READ) GEN

Daemon STC Authorizations – Program SQDAEMON

ADDUSER SQDAEMON DFLTGRP(<stc_group>) OWNER(<owner_name>)
ALTUSER SQDAEMON NOPASSWORD NOOIDCARD
ALTUSER SQDAEMON NAME('STASK, SQDATA')
ALTUSER SQDAEMON DATA('FOR SQDATA CONTACT:<sqdata_contact_name>')
ALTUSER SQDAEMON WORKATTR(WAACCNT('**NOUID**'))
CONNECT SQDAEMON GROUP(<stc_group>) OWNER(<owner_name>)
ALTUSER SQDAEMON OMVS(PROGRAM('/bin/sh'))
PERMIT 'SQDATA.*' ID(SQDAEMON) ACCESS(READ) GEN

Db2 Capture STC Authorizations – Program SQDDB2C

ADDUSER SQDDB2C DFLTGRP(<stc_group>) OWNER(<owner_name>)
ALTUSER SQDDB2C NOPASSWORD NOOIDCARD
ALTUSER SQDDB2C NAME('STASK, SQDATA')
ALTUSER SQDDB2C DATA('FOR SQDATA CONTACT:<sqdata_contact_name>')
ALTUSER SQDDB2C WORKATTR(WAACCNT('**NOUID**'))
CONNECT SQDDB2C GROUP(<stc_group>) OWNER(<owner_name>)
ALTUSER SQDDB2C OMVS(PROGRAM('/bin/sh'))
ALTUSER SQDDB2C OMVS(MMAPAREAMAX(262144))
PERMIT 'SQDATA.*' ID(SQDDB2C) ACCESS(READ) GEN

IMS Capture, IMS Publisher and VSAM Publisher STC Authorizations – Three (3) Total

ADDUSER SQDZLOGC DFLTGRP(<stc_group>) OWNER(<owner_name>)
ALTUSER SQDZLOGC NOPASSWORD NOOIDCARD
ALTUSER SQDZLOGC NAME('STASK, SQDATA')
ALTUSER SQDZLOGC DATA('FOR SQDATA CONTACT:<sqdata_contact_name>')
ALTUSER SQDZLOGC WORKATTR(WAACCNT('**NOUID**'))
CONNECT SQDZLOGC GROUP(<stc_group>) OWNER(<owner_name>)
ALTUSER SQDZLOGC OMVS(PROGRAM('/bin/sh'))
PERMIT 'SQDATA.*' ID(SQDZLOGC) ACCESS(READ) GEN

Administrative Userid Authorization

ADDUSER <admin_user> DFLTGRP(<stc_group>) OWNER(<owner_name>)
ALTUSER <admin_user> NOPASSWORD NOOIDCARD
ALTUSER <admin_user> NAME('STASK, SQDATA')
ALTUSER <admin_user> DATA('FOR SQDATA CONTACT:<contact_name>')
ALTUSER <admin_user> WORKATTR(WAACCNT('**NOUID**'))
CONNECT <admin_user> GROUP(<stc_group>) OWNER(<owner_name>)
ALTUSER <admin_user> OMVS(PROGRAM('/bin/sh'))
ALTUSER <admin_user> OMVS(MMAPAREAMAX(262144))
PERMIT 'SQDATA.*' ID(<admin_user>) ACCESS(READ) GEN

SETROPTS GENERIC(DATASET) REFRESH

R/W Access to the SQDATA ZFS File System (only if the FSACCESS RACF class is active)

SETROPTS GENERIC(FSACCESS)
RDEFINE FSACCESS SQDATA.** UACC(NONE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDAMAST) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDDB2C) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDZLOGC) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(SQDAEMON) ACCESS(UPDATE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(<admin_user>) ACCESS(UPDATE)
SETROPTS RACLIST(FSACCESS) REFRESH

NaCL Key Pair Generation

All Agents must have access to the public/private key files. If the files created below are named with the same high-level qualifier as the other Connect CDC SQData SQD system libraries, they will be in sync with the RACF sample above and you should be good to go!

The Controller Daemon uses a Public / Private key mechanism to ensure component communications are valid and secure. A key pair must be created for the SQDaemon Job System User-ID and the User-IDs of all the Agent Jobs that interact with the Controller Daemon. On z/OS, by default, the private key is stored in SQDATA.NACL.PRIVATE and the public key in SQDATA.NACL.PUBLIC. These two files will be used by the Daemon in association with a sequential file containing a concatenated list of the Public Keys of all the Agents allowed to interact with the Controller Daemon. The Authorized Keys file must contain, at a minimum, the public key of the SQDaemon job System User-ID and is usually created with a first node matching the user name running the SQDaemon job, in our example SQDATA.NACL.AUTH.KEYS.

The file must also include the Public keys of Engines running on z/OS or other platforms. The Authorized Keys file is usually maintained by an administrator using ISPF.

JCL similar to sample member NACLKEYS included in the distribution executes the SQDutil utility program using the keygen command and should be used to generate the necessary keys and create the Authorized Key List file. The JCL should be edited to conform to the operating environment and the job must be run under the user-id that will be used when the Controller Daemon job is run.

//NACLKEYS JOB 1,MSGLEVEL=(1,1),MSGCLASS=H,NOTIFY=&SYSUID
//*
//*--------------------------------------------------------------------
//* Generate NACL Public/Private Keys and optionally AKL file
//*--------------------------------------------------------------------
//* Required DDNAME:
//*   SQDPUBL DD - File that will contain the generated Public Key
//*   SQDPKEY DD - File that will contain the generated private Key
//*                ** This file and its contents are not to be shared
//*
//* Required parameters:
//*   PARM - keygen *** In lower case ***
//*   USER - The system USERID or high level qualifier of the
//*          SQDATA libraries IF all Jobs will share Private Key.
//*
//* Notes:
//*   1) This Job generates a new Public/Private Key pair, saves
//*      them to their respective files and adds the Public Key
//*      to an existing Authorized Key List, allocating a new
//*      file for that purpose if necessary.
//*
//*   2) An optional first step deletes the current set of files
//*
//*   3) Change the SET parms below for:
//*      HLQ  - high level qualifier of the CDC Libraries
//*      VER  - the 2nd level qualifier of the CDC OBJLIB & LOADLIB
//*      USER - the High Level Qualifier of the NACL Datasets
//*--------------------------------------------------------------------
//*
//         SET HLQ=SQDATA
//         SET VER=V400
//         SET USER=&SYSUID
//*
//JOBLIB   DD DISP=SHR,DSN=&HLQ..&VER..LOADLIB
//*
//*-------------------------------------------------------------------
//* Optional: Delete Old Instance of the NACL Files
//*-------------------------------------------------------------------
//*DELOLD   EXEC PGM=IEFBR14
//*SYSPRINT DD SYSOUT=*
//*OLDPUB   DD DISP=(OLD,DELETE,DELETE),DSN=&USER..NACL.PUBLIC
//*OLDPVT   DD DISP=(OLD,DELETE,DELETE),DSN=&USER..NACL.PRIVATE
//*OLDAUTH  DD DISP=(OLD,DELETE,DELETE),DSN=SQDATA.NACL.AUTH.KEYS
//*-------------------------------------------------------------------
//* Allocate Public/Private Key Files and Generate Public/Private Keys
//*-------------------------------------------------------------------
//SQDUTIL  EXEC PGM=SQDUTIL
//SQDPUBL  DD DSN=&USER..NACL.PUBLIC,
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=21200),
//            DISP=(,CATLG,DELETE),UNIT=SYSDA,
//            SPACE=(TRK,(1,1))
//SQDPKEY  DD DSN=&USER..NACL.PRIVATE,
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=21200),
//            DISP=(,CATLG,DELETE),UNIT=SYSDA,
//            SPACE=(TRK,(1,1))
//SQDPARMS DD *
keygen
//SYSPRINT DD SYSOUT=*
//SYSOUT   DD SYSOUT=*
//SQDLOG   DD SYSOUT=*
//*SQDLOG8 DD DUMMY
//*-------------------------------------------------------------------
//* Allocate the Authorized Key List File --> Used only by the Daemon
//*-------------------------------------------------------------------
//COPYPUB  EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN    DD DUMMY
//SYSUT1   DD DISP=SHR,DSN=&USER..NACL.PUBLIC
//SYSUT2   DD DSN=SQDATA.NACL.AUTH.KEYS,
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=21200),
//            DISP=(MOD,CATLG),UNIT=SYSDA,SPACE=(TRK,(5,5))

Notes:

1. Since the Daemon and Capture Agents and z/OS Apply Engines may be running in the same LPAR/system, they frequently run under the same System User-ID; in that case they would share the same public/private key pair.

2. Changes are not known to the Daemon until the configuration files are reloaded, using the SQDmon Utility, or the sqdaemon process is stopped and started.


Administrative User Authorization

The Administrative User of Connect CDC SQData requires the following RACF specifications (admuser, STCAUTH and JOHN SMITH are sample values):

ADDUSER admuser DFLTGRP(STCAUTH) OWNER(<owner_name>)
ALTUSER admuser NOPASSWORD NOOIDCARD
ALTUSER admuser NAME('STASK, SQDATA')
ALTUSER admuser DATA('FOR SQDATA CONTACT:JOHN SMITH')
ALTUSER admuser WORKATTR(WAACCNT('**NOUID**'))
CONNECT admuser GROUP(STCAUTH) OWNER(<owner_name>)
ALTUSER admuser OMVS(PROGRAM('/bin/sh'))
ALTUSER admuser OMVS(MMAPAREAMAX(262144))
PERMIT 'SQDATA.*' ID(admuser) ACCESS(READ) GEN
SETROPTS GENERIC(DATASET) REFRESH

SETROPTS GENERIC(FSACCESS)
RDEFINE FSACCESS SQDATA.** UACC(NONE)
PERMIT SQDATA.** CLASS(FSACCESS) ID(USER/GROUP_ID) ACCESS(UPDATE)
SETROPTS CLASSACT(FSACCESS)
SETROPTS RACLIST(FSACCESS)
SETROPTS RACLIST(FSACCESS) REFRESH

RDEFINE FACILITY MVSADMIN.LOGR UACC(ALTER)
PERMIT MVSADMIN.LOGR CLASS(FACILITY) ACCESS(ALTER) ID(YOUR_USERID)
SETROPTS CLASSACT(FACILITY)

IMS Authorizations

The IMS Log Capture requires the following permissions:

· The IMS Log Capture (program SQDIMSC) needs read access to the IMS OLDS and SLDS datasets.

· The IMS Log Capture also requires read access to the IMS RESLIB and IMS RECON datasets.

Db2 Authorizations

The Db2 Log Reader Capture requires special user privileges and preparation to access and read the Db2 Recovery Logs using the Db2 Instrumentation Facility Interface (IFI) calls. Version 4 of Connect CDC SQData also requires some system tables to be captured to support Schema Evolution.

The following GRANTs are required:

1. GRANT MONITOR2 TO <sqdata_user>;

2. GRANT EXECUTE ON PLAN SQDV4000 TO <sqdata_user>;

3. GRANT SELECT ON SYSIBM.SYSTABLES TO <sqdata_user>;

4. GRANT SELECT ON SYSIBM.SYSCOLUMNS TO <sqdata_user>;

5. GRANT SELECT ON SYSIBM.SYSINDEXES TO <sqdata_user>;

6. GRANT SELECT ON SYSIBM.SYSKEYS TO <sqdata_user>;

7. GRANT SELECT ON SYSIBM.SYSTABLESPACE TO <sqdata_user>;

Db2 Reorg and Load procedures may need to be updated:

· The KEEPDICTIONARY=YES parameter must be used by all Db2 REORG and LOAD utilities. If the CDC process runs asynchronously, for some reason gets behind, or is configured to recapture older logs, the proper Compression Dictionary must be available.


Schema Evolution Requires DATA CAPTURE CHANGES on Two (2) Catalog Tables:

1. SYSIBM.SYSTABLES

2. SYSIBM.SYSCOLUMNS

Notes:

· A common database request module (DBRM) SQDDDB2D ships as part of the product distribution and a Bind must be performed on the SQDV4000 Package and Plan. Use the BINDSQD member in the CNTL Library to bind the Package and Plan to Db2.

· Each Db2 table to be captured also requires:

ALTER TABLE <schema.tablename> DATA CAPTURE CHANGES;

VSAM Authorizations

There are no additional security requirements specifically related to the VSAM Log Replicate Capture.


UNIX Security Requirements

This section summarizes the security authorizations required to execute the Precisely Connect CDC SQData software on AIX and Linux.

Administrative User Authorization

The level of privileges required by the Connect CDC SQData Administrative User depends on the location chosen for the base product installation. Most Connect CDC SQData for UNIX customers utilize a special system account established for sqdata_user rather than an individual user account, because it usually needs elevated privileges designated for configuring and executing the capture and apply processes. If necessary, have the system administrator create that account.

TCP/IP Ports

· The Daemon (program sqdaemon) needs access to the designated port number that it will listen on. The default port number is 2626 but it can be any available port reserved on the platform.

· All Connect CDC SQData capture, publisher, daemon, Engine and Utility tasks require access to the TCP/IP stack.

Installation Directories

On UNIX based machines, executables are typically installed in /opt under a folder named for the product. /opt is usually owned by root, so Administrator privileges would be required to create the sqdata folder and decompress the package into this location. To allow multiple users to access the package without giving access to everyone, the system administrator can define an sqdata group and grant permissions on the package to the group.

$ mkdir --mode=775 /opt/sqdata

Alternatively, the product can be installed into the system account <sqdata_name> user's home directory, e.g. /home/sqdata/sqdata. No other special privileges are required, and the system account user can grant permissions on its own directories and files to a group of individual users and/or everyone else without administrator privileges.

$ mkdir --mode=775 /home/sqdata_user/sqdata

Variable Directories

Once Linux, UNIX and Windows source and target systems and datastores have been identified, the configuration of the Capture Agents, Apply Engines and their Controller Daemons can begin. That will require the creation of directories and files for the variable portions of the configuration. At this point we assume the base Connect CDC SQData product has already been installed according to the instructions in the Installation Guide and the operating-system-specific $Start_Here_<operating_systems>.pdf. The recommended location and Environment Variable values for this static data were:

/opt/sqdata or

/home/<sqdata_user>/sqdata

If an Environment Variable will be used to reference the installation location, the recommended value is:

<SQDATA_DIR>

Controller Daemons, Capture Agents and Engines require the creation of directories and files for the variable portions of their configurations. Just as the location of the base product installation can be modified, the location of variable directories can be adjusted to conform to the operating system and to accommodate areas of responsibility, including the associated "application" and "environments" such as Test and Production. This document will refer to the location most commonly used on Linux, AIX and Windows:

/var/opt/sqdata[/<application>[/<environment>]] or

/home/<sqdata_user>[/<application>[/<environment>]] or simply

/home/sqdata[/<application>[/<environment>]]

If an Environment Variable will be used to reference the location of the variable portions of the configuration, the recommended value is:

<SQDATA_VAR_DIR>

While only the base variable directory is required and the location of the daemon directory is optional, we recommend the structure described below:

<SQDATA_VAR_DIR>/daemon - The working directory used by the Daemon, which also contains two subdirectories.

<SQDATA_VAR_DIR>/daemon/cfg - A configuration directory that contains two configuration files.

<SQDATA_VAR_DIR>/daemon/logs - A logs directory, though not required, is suggested to store log files used by the controller daemon. Its suggested location must match the file locations specified in the Global section of the sqdagents.cfg file created in the section "Setup Controller Daemon" later in this document.

Additional directories should be created for each Capture agent running on the system. Precisely recommends the structures described below:

<SQDATA_VAR_DIR>/<type>cdc - The working directory of each capture agent, where <type> might be ORA (Oracle) or UDB (Db2/LUW).

<SQDATA_VAR_DIR>/<type>cdc/data - A data directory is also required by each Capture agent. Files will be allocated in this directory as needed by the CDCStore Storage Agent when transient data exceeds the allocated in-memory storage. The suggested location must match the "data_path" specified in the Storage agent configuration (.cab file) described in the Capture References. A dedicated file system is required in production with this directory as the "mount point".

Example:

The following commands will create the directories described above:

$ mkdir -p <SQDATA_VAR_DIR>/daemon --mode=775
$ mkdir -p <SQDATA_VAR_DIR>/daemon/cfg --mode=775
$ mkdir -p <SQDATA_VAR_DIR>/daemon/logs --mode=775

$ mkdir -p <SQDATA_VAR_DIR>/<type>cdc --mode=775
$ mkdir -p <SQDATA_VAR_DIR>/<type>cdc/data --mode=775

Note, the User-ID(s) under which the Capture and Engine agents and the Controller Daemon will run must be authorized for Read/Write access to these directories.


NaCL Key Pair Generation

The Controller Daemon uses a Public / Private key mechanism to ensure component communications are valid and secure. A key pair must be created for the sqdaemon process User-ID and the User-IDs of all the Agent processes that interact with the Controller Daemon. By default on UNIX, the private key is generated in ~/.nacl/id_nacl and the public key in ~/.nacl/id_nacl.pub. These two files will be used by the daemon in association with a sequential file containing a concatenated list of the Public Keys of all the Agents allowed to interact with the Controller Daemon. The Authorized Keys file must contain, at a minimum, the public key of the sqdaemon process User-ID and is usually named nacl_auth_keys and placed in the <SQDATA_VAR_DIR>/daemon directory.

The file must also include the Public keys of Engines, running on the same or another platform, that connect to the Controller Daemon. The Authorized Keys file is usually maintained by a Systems Administrator.

The sqdutil utility program, using the keygen command, is used to generate the necessary keys. The command must be run under the User-ID that will be used to run the Controller Daemon process.

$ sqdutil keygen

Notes:

1. If the Daemon, Capture Agent and Apply Engine are running on the same system, they may optionally run under the same User-ID, in which case they would share the same public/private key pair.

2. Changes are not known to the Daemon until the configuration files are reloaded, using the SQDmon Utility, or the sqdaemon process is stopped and started.
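As an added example that is not SQData's own code, and covering both the z/OS and UNIX NaCL sections above, the following Python script builds a Controller Daemon Authorized Keys list from public key files and checks the two properties this document states: the list must contain the daemon User-ID's own public key, and the private key file is not to be shared. The sample key text, the one-key-per-line layout of the list and the temporary stand-in for <SQDATA_VAR_DIR>/daemon are assumptions of this example; only the ~/.nacl/id_nacl, ~/.nacl/id_nacl.pub and nacl_auth_keys names come from the page.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample key text for the demo. Real keys come from "sqdutil keygen";
# their format and the one-key-per-line list layout assumed here are not
# documented on this page and are assumptions of this example.
DAEMON_PUB = "nacl-pub sqdaemon SAMPLEPUBLICKEY0001"
ENGINE_PUB = "nacl-pub applyeng SAMPLEPUBLICKEY0002"
DAEMON_PRIV = "nacl-priv sqdaemon SAMPLEPRIVATEKEY0001"


def read_keys(path: Path) -> list:
    """Return the non-blank lines of a public-key or authorized-keys file."""
    return [ln.strip() for ln in path.read_text().splitlines() if ln.strip()]


def build_auth_keys(daemon_pub: Path, agent_pubs: list, auth_keys: Path) -> list:
    """Write the Authorized Keys file: the daemon User-ID's own key first, then
    every agent/engine key, each exactly once. Returns the keys written."""
    keys = []
    for pub in [daemon_pub, *agent_pubs]:
        for key in read_keys(pub):
            if key not in keys:
                keys.append(key)
    auth_keys.write_text("".join(k + "\n" for k in keys))
    os.chmod(auth_keys, 0o640)  # readable by the daemon's User-ID and its group only
    return keys


def check_auth_keys(daemon_pub: Path, auth_keys: Path) -> list:
    """Findings for the list (empty means OK): the page's minimum requirement is
    that the daemon User-ID's public key is present; duplicates are flagged too."""
    if not auth_keys.is_file():
        return [f"authorized keys file {auth_keys} is missing"]
    keys = read_keys(auth_keys)
    daemon_keys = read_keys(daemon_pub)
    findings = []
    if not daemon_keys or daemon_keys[0] not in keys:
        findings.append("daemon public key is not in the authorized keys list")
    duplicates = {k for k in keys if keys.count(k) > 1}
    if duplicates:
        findings.append(f"{len(duplicates)} duplicate key(s) in the list")
    return findings


def check_private_key(priv: Path) -> list:
    """The private key file 'is not to be shared': flag any group/other bits."""
    if not priv.is_file():
        return [f"private key {priv} is missing"]
    mode = stat.S_IMODE(priv.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"private key mode {mode:04o} grants group/other access; expected 0600"]
    return []


def demo() -> dict:
    """Lay out a throw-away copy of the UNIX defaults named on this page
    (~/.nacl/id_nacl, ~/.nacl/id_nacl.pub, <SQDATA_VAR_DIR>/daemon/nacl_auth_keys)
    with the constructed keys, build the list and run both checks."""
    home = Path(tempfile.mkdtemp(prefix="sqdata-nacl-"))
    nacl = home / ".nacl"
    nacl.mkdir(mode=0o700)
    priv, pub = nacl / "id_nacl", nacl / "id_nacl.pub"
    priv.write_text(DAEMON_PRIV + "\n")
    pub.write_text(DAEMON_PUB + "\n")
    engine_pub = home / "applyeng_id_nacl.pub"  # as copied over from the engine host
    engine_pub.write_text(ENGINE_PUB + "\n")
    daemon_dir = home / "var" / "daemon"        # stands in for <SQDATA_VAR_DIR>/daemon
    daemon_dir.mkdir(parents=True)
    auth_keys = daemon_dir / "nacl_auth_keys"

    # Passing the engine key twice shows that the list is de-duplicated.
    keys = build_auth_keys(pub, [engine_pub, engine_pub], auth_keys)

    os.chmod(priv, 0o644)                        # deliberately too open
    too_open = check_private_key(priv)
    os.chmod(priv, 0o600)                        # corrected
    fixed = check_private_key(priv)

    # A list without the daemon's own key fails the minimum requirement.
    bad_list = daemon_dir / "nacl_auth_keys.bad"
    bad_list.write_text(ENGINE_PUB + "\n")

    return {
        "keys": keys,
        "auth_ok": check_auth_keys(pub, auth_keys),
        "missing_daemon_key": check_auth_keys(pub, bad_list),
        "private_too_open": too_open,
        "private_fixed": fixed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

As note 2 above states, a rebuilt list is not seen by the daemon until its configuration is reloaded with the SQDmon utility or the sqdaemon process is restarted.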

UDB (DB2/LUW) Authorizations

The Db2/LUW (UDB) Log Reader Capture requires special user privileges and preparation to access and read the Db2 Recovery Logs using the Db2/LUW (UDB) Instrumentation Facility Interface (IFI) calls. Version 4 of Connect CDC SQData also requires some system tables to be captured to support Schema Evolution.

The following GRANTS are required:

· GRANT DBADM ON DATABASE TO <sqdata_user>;

· GRANT EXECUTE ON PACKAGE sqdddb2d TO <sqdata_user>;

· GRANT SELECT ON SYSIBM.SYSTABLES TO <sqdata_user>;

· GRANT SELECT ON SYSIBM.SYSCOLUMNS TO <sqdata_user>;

· GRANT SELECT ON SYSIBM.SYSDATAPARTITIONS TO <sqdata_user>;

Db2 Reorg and Load procedures may need to be updated:

· The KEEPDICTIONARY=YES parameter must be used by all Db2 REORG and LOAD utilities. If the CDC process runs asynchronously, falls behind for some reason, or is configured to recapture older logs, the proper Compression Dictionary must still be available.

Schema Evolution Requires DATA CAPTURE CHANGES on Two (2) Catalog Tables:

1. SYSIBM.SYSTABLES

2. SYSIBM.SYSCOLUMNS

Notes:

· A common database request module (DBRM) sqddd2b.bnd ships as part of the product distribution and a Bind must be performed on the Package:

bind <SQDATA_DIR>/bnd/sqdddb2d.bnd grant public

· Each Db2/LUW (UDB) table to be captured also requires:

ALTER TABLE <schema.tablename> DATA CAPTURE CHANGES;

Oracle Authorizations

The Oracle LogMiner Capture requires special user privileges and preparation to access and read the Oracle Recovery Logs using the Oracle LogMiner API.

Enable LogMiner functionality

· ALTER DATABASE ADD SUPPLEMENTAL LOG DATA provides the minimal level of database metadata required by the Oracle LogMiner.

The following GRANTS are required:

1. GRANT LOGMINING TO <sqdata_user>; (only required for Oracle 12 and above)

2. EXECUTE authority:

a. GRANT EXECUTE_CATALOG_ROLE TO <sqdata_user>;

b. GRANT EXECUTE DBMS_LOGMNR TO <sqdata_user>;

c. GRANT EXECUTE DBMS_LOGMNR_D TO <sqdata_user>;

3. SELECT authority:

a. GRANT SELECT ON V$LOGFILE TO <sqdata_user>;

b. GRANT SELECT ON V$ARCHIVED_LOG TO <sqdata_user>;

c. GRANT SELECT ON V$LOG TO <sqdata_user>;

d. GRANT SELECT ON V$DATABASE TO <sqdata_user>;

e. GRANT SELECT ON V$LOG_HIST TO <sqdata_user>;

f. GRANT SELECT ON V$LOGMNR_CONTENTS TO <sqdata_user>;

g. GRANT SELECT ON V$INSTANCE TO <sqdata_user>;

h. GRANT SELECT ON V$THREAD TO <sqdata_user>;

i. GRANT SELECT ANY TRANSACTION TO <sqdata_user>; (authority to query the Oracle FLASHBACK_QUERY_TRANSACTION view)

j. GRANT SELECT MAX(SCN_BAS) from SYS.SMON_SCN_TIME TO <sqdata_user>; (9i only)

Notes:

· The LogMiner Capture requires Oracle client access (the same requirements as sqlplus).

· Each Oracle table to be captured also requires:

ALTER TABLE <schema.tablename> ADD SUPPLEMENTAL LOG DATA (ALL) COLUMNS;
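Both the Db2/LUW (UDB) section and the Oracle section above are a fixed list of GRANTs plus a per-table ALTER that has to be repeated for every captured table. The following script is an added example, not SQData's own code: it prints the complete prerequisite script for one capture user and a list of SCHEMA.TABLE names, validates every identifier before interpolating it (so a stray quote or semicolon in a table list cannot become extra SQL), and ends each script with a catalog query a DBA can run to confirm the change capture or supplemental logging actually took effect. Two deliberate deviations from the list above, both Oracle facts rather than anything from the quickstart: the EXECUTE grants use the GRANT EXECUTE ON form, and the SELECT grants are issued on the SYS.V_$ views, since the V$ names are public synonyms and cannot themselves be granted (the view the quickstart lists as V$LOG_HIST is V$LOG_HISTORY in the catalog). The user name SQDATA and the table names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not SQData's own code: generate the Db2/LUW and Oracle
# prerequisite scripts from the quickstart for one capture user and a list
# of SCHEMA.TABLE names, validating every identifier before it is
# interpolated so a stray quote or semicolon cannot turn into extra SQL.
# ASSUMPTION: user and table names are plain (unquoted) identifiers.

# valid_ident NAME -> 0 if NAME is a plain SQL identifier
valid_ident() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_$#]*$'
}

# split_table SCHEMA.TABLE -> sets S and N, or returns 1 if malformed
split_table() {
    S=${1%%.*}; N=${1#*.}
    [ "$S" != "$1" ] && valid_ident "$S" && valid_ident "$N"
}

# db2_prereq_sql USER SCHEMA.TABLE... -> prints the Db2/LUW (UDB) script
db2_prereq_sql() {
    u=$1; shift
    valid_ident "$u" || { echo "bad user: $u" >&2; return 1; }
    cat <<EOF
GRANT DBADM ON DATABASE TO $u;
GRANT EXECUTE ON PACKAGE sqdddb2d TO $u;
GRANT SELECT ON SYSIBM.SYSTABLES TO $u;
GRANT SELECT ON SYSIBM.SYSCOLUMNS TO $u;
GRANT SELECT ON SYSIBM.SYSDATAPARTITIONS TO $u;
-- schema evolution needs change capture on two catalog tables
ALTER TABLE SYSIBM.SYSTABLES DATA CAPTURE CHANGES;
ALTER TABLE SYSIBM.SYSCOLUMNS DATA CAPTURE CHANGES;
EOF
    for t in "$@"; do
        split_table "$t" || { echo "bad table: $t" >&2; return 1; }
        echo "ALTER TABLE $S.$N DATA CAPTURE CHANGES;"
    done
    echo "-- check: every captured table should show DATACAPTURE = 'Y'"
    echo "SELECT TABSCHEMA, TABNAME, DATACAPTURE FROM SYSCAT.TABLES WHERE DATACAPTURE <> 'N';"
}

# oracle_prereq_sql USER SCHEMA.TABLE... -> prints the Oracle LogMiner script
oracle_prereq_sql() {
    u=$1; shift
    valid_ident "$u" || { echo "bad user: $u" >&2; return 1; }
    echo "ALTER DATABASE ADD SUPPLEMENTAL LOG DATA;"
    echo "GRANT LOGMINING TO $u;"              # Oracle 12 and above
    echo "GRANT EXECUTE_CATALOG_ROLE TO $u;"
    echo "GRANT EXECUTE ON DBMS_LOGMNR TO $u;"
    echo "GRANT EXECUTE ON DBMS_LOGMNR_D TO $u;"
    # V$ names are public synonyms; the grant goes on the SYS.V_$ views
    for v in LOGFILE ARCHIVED_LOG LOG DATABASE LOG_HISTORY \
             LOGMNR_CONTENTS INSTANCE THREAD; do
        echo "GRANT SELECT ON SYS.V_\$$v TO $u;"
    done
    echo "GRANT SELECT ANY TRANSACTION TO $u;"
    for t in "$@"; do
        split_table "$t" || { echo "bad table: $t" >&2; return 1; }
        echo "ALTER TABLE $S.$N ADD SUPPLEMENTAL LOG DATA (ALL) COLUMNS;"
    done
    echo "-- check: minimal and per-table supplemental logging"
    echo "SELECT SUPPLEMENTAL_LOG_DATA_MIN FROM V\$DATABASE;"
    echo "SELECT OWNER, TABLE_NAME, LOG_GROUP_TYPE FROM DBA_LOG_GROUPS;"
}

# usage: sh this.sh --demo  (prints both scripts for constructed user SQDATA
# and constructed table SQDATA.ORDERS)
if [ "${1:-}" = "--demo" ]; then
    db2_prereq_sql SQDATA SQDATA.ORDERS
    echo
    oracle_prereq_sql SQDATA SQDATA.ORDERS
fi
```

The generated text is meant to be reviewed and then run by a DBA with the db2 or sqlplus client; the identifier check is what keeps a table list taken from a ticket or spreadsheet from smuggling anything else into that session.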


Hadoop HDFS Authorizations

In addition to the installation of the libhdfs library, writing to Hadoop HDFS requires the following permissions:

· Read access to libhdfs.so

· The User-ID running the Engine must be the owner, be explicitly authorized, or be in an HDFS group with read/write privileges

· May require hadoop classpath --glob

Note, HDFS targets are only supported by Engines running on Linux.

Kafka Authorizations

In addition to the installation of the librdkafka library, writing to Kafka requires the following permissions:

· Read access to librdkafka libraries

· Port access [plaintext, sasl, zookeeper if desired]

· Plaintext security – no changes needed

· SASL/Kerberos – follow details in librdkafka doc for producer config, client keys, etc.


Windows Security Requirements

This section summarizes the security authorizations required to execute the Precisely Connect CDC SQData software on Windows.

TCP/IP

· The Daemon (sqdaemon) needs access to the designated port number that it will be listening on.

NaCL Key Pair Generation

The Controller Daemon uses a Public / Private key mechanism to ensure component communications are valid and secure. A key pair must be created for the sqdaemon process User-ID and the User-IDs of all the Agent processes that interact with the Controller Daemon. By default on UNIX, the private key is generated in ~/.nacl.id_nacl and the public key in ~/.nacl/id_nacl.pub. These two files are used by the daemon in association with a sequential file containing a concatenated list of the Public Keys of all the Agents allowed to interact with the Controller Daemon. The Authorized Keys file must contain, at a minimum, the public key of the sqdaemon process User-ID; it is usually named nacl_auth_keys and placed in the <SQDATA_VAR_DIR>/daemon directory.

The file must also include the Public keys of Engines, running on the same or another platform, that connect to the Controller Daemon. The Authorized Keys file is usually maintained by a Systems Administrator.

The sqdutil utility program's keygen command is used to generate the necessary keys. The command must be run under the User-ID that will be used to run the Controller Daemon process.

$ sqdutil keygen

Notes:

1. If the Daemon, Capture Agent and Apply Engine are running on the same system, they may optionally run under the same User-ID, in which case they would share the same public/private key pair.

2. Changes are not known to the Daemon until the configuration files are reloaded, using the SQDmon Utility, or the sqdaemon process is stopped and started.

Apply Engines

The Apply Engine program "sqd" must have the following permissions:

· Read, [Read/Write to install], access to the software installation executables.

· Read/Write to data directories and files for daemon and apply engine scripts.

· Read / Update to the target datastores (e.g. tables, files).


Index

$
V$INSTANCE 18

A
ALTER TABLE 13
APF 7

D
DATA CAPTURE CHANGES 13
Db2 13
Db2 z/OS 13
Db2/LUW 17

E
EXECUTE authority on DBMS_LOGMNR_D 18
EXECUTE authority on the DBMS_LOGMNR 18
EXECUTE_CATALOG_ROLE 18

G
GRANT 13

H
Hadoop 19
HDFS 19

I
IMS 13
IMS z/OS 13

K
Kafka 19

L
Librdkafka 19
LUW 17

M
Monitor(2) 13

N
NACLKEYS 11

O
Oracle 18

P
PLAN 13
Private 11
Public 11
Public / Private key 11

Q
Quickstart 5

R
RACF 9, 13

S
security 4
SELECT ANY TRANSACTION 18
SELECT authority 18
STC Authorizations 10
SYSIBM.SYSCOLUMNS 13
SYSIBM.SYSINDEXES 13
SYSIBM.SYSKEYS 13
SYSIBM.SYSTABLES 13

T
TCP/IP Stack 15

U
UDB 17

V
V$ARCHIVED_LOG 18
V$DATABASE 18
V$LOG 18
V$LOG_HIST 18
V$LOGFILE 18
V$LOGMNR_CONTENTS 18
VSAM 14
VSAM z/OS 14

Z
z/OS system Logstreams 9

2 Blue Hill Plaza, Pearl River, NY 10965, USA

precisely.com

© 2001, 2022 SQData. All rights reserved.