E. Add the required DCAS client parameters for the CMPIDCASPlugin.
Add the required DCAS client parameters to allow the HCM database to map the user ID to the host
ID and get a passticket from the DCAS application running on the host. A passticket is a
credential that is similar to a password; however, a passticket expires after a certain
amount of time and is used only one time. DCAS requires a Security Access Facility
(SAF)-compliant server product, such as an IBM Resource Access Control Facility (RACF)
security server, that supports passticket generation.
Starting with Host On-Demand V9.03, the CMPI_DCAS_KEYRING_FILE and CMPI_DCAS_KEYRING_PASSWORD parameters are deprecated and should not be used. Instead, CMPI_DCAS_TRUSTSTORE, CMPI_DCAS_TRUSTSTORE_PASSWORD, and CMPI_DCAS_TRUSTSTORE_TYPE should be used. However, CMPI_DCAS_KEYRING_FILE and CMPI_DCAS_KEYRING_PASSWORD will continue to work in lieu of CMPI_DCAS_TRUSTSTORE and CMPI_DCAS_TRUSTSTORE_PASSWORD, and the type pkcs12 will be assumed when these deprecated parameters are used.
For non-Certificate-based Web Express Logon, use DCAS.xml located in the WAR file as a reference for adding parameters when editing the web.xml file. For Certificate-based Web Express Logon, use DCASELF.xml as a reference.
- Add the following HCM database parameters to allow the client to connect to the DCAS securely:
- CMPI_DCAS_KEYRING_FILE
- This parameter references an SSL keyring database file that provides access
to the DCAS client certificate as well as the DCAS server's certificate. The
certificates establish a client-authenticated, secure connection with the
DCAS server. The DCAS plug-in serves as the DCAS client. You will create a
keyring database file called HODDCAS.p12 in Step 3: Create the SSL key database. Code example:
<init-param> <param-name>CMPI_DCAS_KEYRING_FILE</param-name> <param-value>C:\Program Files\IBM\Host On-Demand\HOD\HODDCAS.p12</param-value> </init-param>
- CMPI_DCAS_KEYRING_PASSWORD
- This parameter specifies the password for the keyring database.

This parameter should be encrypted using the password encryption tool. It is decrypted by the HCM before using it. For more information about the password encryption tool, refer to Password encryption tool. Code example:
<init-param> <param-name>CMPI_DCAS_KEYRING_PASSWORD</param-name> <param-value>45ie8WciVu</param-value> </init-param>
- CMPI_DCAS_TRUSTSTORE
- This parameter is required unless CMPI_DCAS_USE_DEFAULT_TRUSTSTORE or CMPI_DCAS_USE_WELLKNOWN_KEYS is true. This parameter contains the name of the truststore to be used by JSSE to look up the DCAS certificates.
- CMPI_DCAS_TRUSTSTORE_TYPE
- This parameter is required unless CMPI_DCAS_USE_DEFAULT_TRUSTSTORE or CMPI_DCAS_USE_WELLKNOWN_KEYS is true. This parameter contains the type of the truststore specified by CMPI_DCAS_TRUSTSTORE. Valid values are pkcs12, jceks, and jks.
- CMPI_DCAS_TRUSTSTORE_PASSWORD
- This parameter is required unless CMPI_DCAS_USE_DEFAULT_TRUSTSTORE or CMPI_DCAS_USE_WELLKNOWN_KEYS is true. This parameter contains the password of the truststore specified by CMPI_DCAS_TRUSTSTORE.
- The following parameters contain all the relevant information needed to connect to your HCM database, which in this example is a JDBC database table. You can either configure access to an existing database or point to a newly created database. The level of security for the database varies according to database vendor. Refer to the database application's documentation for details.

The following parameters are not used for Certificate-based Web Express Logon:
- CMPI_DCAS_DB_ADDRESS
- CMPI_DCAS_DB_NET_DRIVER
- CMPI_DCAS_DB_USERID
- CMPI_DCAS_DB_TABLE
- CMPI_DCAS_DB_PASSWORD
- CMPI_DCAS_DB_ADDRESS
- This is a URL string that provides the address of the database. An example
of this string is jdbc:db2://dtagw:6789/HODSSO. Code example:
<init-param> <param-name>CMPI_DCAS_DB_ADDRESS</param-name> <param-value>jdbc:db2://dtagw.raleigh.ibm.com:6789/HODSSO</param-value> </init-param>
- CMPI_DCAS_DB_NET_DRIVER
- This string contains the name of the class that acts as the network
database driver. An example of this string is
COM.ibm.db2.jdbc.net.DB2Driver. The location of this class is assumed to be
in the existing class path. Code example:
<init-param> <param-name>CMPI_DCAS_DB_NET_DRIVER</param-name> <param-value>COM.ibm.db2.jdbc.net.DB2Driver</param-value> </init-param>
- CMPI_DCAS_DB_USERID
- This is the ID of the user account to use when accessing the database.
Code example:
<init-param> <param-name>CMPI_DCAS_DB_USERID</param-name> <param-value>admin</param-value> </init-param>
- CMPI_DCAS_DB_PASSWORD
- This is the password of the user account to use when accessing the
database.

This parameter should be encrypted using the password encryption tool. It is decrypted by the HCM plug-in before using it. For more information about the password encryption tool, refer to Password encryption tool. Code example:
<init-param> <param-name>CMPI_DCAS_DB_PASSWORD</param-name> <param-value>tuBu9v8lHiJi1jt08UgHzA==</param-value> </init-param>
- CMPI_DCAS_DB_TABLE
- This entry identifies the table to use for the needed query. Code example:
<init-param> <param-name>CMPI_DCAS_DB_TABLE</param-name> <param-value>HACP</param-value> </init-param>
- The following parameters should correspond directly to the column headings in your
HCM database and should clearly indicate the contents of the columns. With some
databases, such as IBM DB2, the column headings must be in all upper-case letters,
for example, NETWORKID, HOSTADDRESS, APPLICATIONID, and HOSTID. Based on the information provided by the first three of these parameters (network ID, host address, and the host application ID), you can make a SQL query of the database to get the host ID. The result of the query is entered in the host ID (HOSTID) column. Assuming that the query is successful, a call is made to the DCAS to request the passticket.

The following parameters are not used for Certificate-based Web Express Logon:
- CMPI_DCAS_DB_NETID_COL_NAME
- CMPI_DCAS_DB_HOSTADDR_COL_NAME
- CMPI_DCAS_DB_HOSTAPP_COL_NAME
- CMPI_DCAS_DB_HOSTID_COL_NAME
- CMPI_DCAS_DB_NETID_COL_NAME
- This entry identifies the name of the column that contains the network ID
value (NETWORKID). Code example:
<init-param> <param-name>CMPI_DCAS_DB_NETID_COL_NAME</param-name> <param-value>NETWORKID</param-value> </init-param>
- CMPI_DCAS_DB_HOSTADDR_COL_NAME
- This entry identifies the name of the column that contains the host address
value (HOSTADDRESS). Code example:
<init-param> <param-name>CMPI_DCAS_DB_HOSTADDR_COL_NAME</param-name> <param-value>HOSTADDRESS</param-value> </init-param>
- CMPI_DCAS_DB_HOSTAPP_COL_NAME
- This entry identifies the name of the column that contains the host
application value (APPLICATIONID). Code example:
<init-param> <param-name>CMPI_DCAS_DB_HOSTAPP_COL_NAME</param-name> <param-value>APPLICATIONID</param-value> </init-param>
- CMPI_DCAS_DB_HOSTID_COL_NAME
- This entry identifies the name of the column that contains the user's host
identification value (HOSTID). Code example:
<init-param> <param-name>CMPI_DCAS_DB_HOSTID_COL_NAME</param-name> <param-value>HOSTID</param-value> </init-param>
- CMPI_DCAS_USE_NETID_AS_HOSTID
- This entry, when set to True, identifies the network ID as the RACF ID
without performing any mapping. Code example:
<init-param> <param-name>CMPI_DCAS_USE_NETID_AS_HOSTID</param-name> <param-value>False</param-value> </init-param>
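The deprecation note and the truststore parameter rules earlier in this step can be checked mechanically before deployment. The following is an added example, not code from Host On-Demand: it reads the init-param entries of a web.xml and reports what must change to reach the non-deprecated truststore configuration. The sample XML, its file paths, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not from a real deployment): one deprecated
# keyring parameter, a truststore with no password, and an unsupported type.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><servlet>
  <init-param><param-name>CMPI_DCAS_KEYRING_FILE</param-name>
    <param-value>/opt/hod/HODDCAS.p12 </param-value></init-param>
  <init-param><param-name>CMPI_DCAS_TRUSTSTORE</param-name>
    <param-value>/opt/hod/dcas-trust.p12</param-value></init-param>
  <init-param><param-name>CMPI_DCAS_TRUSTSTORE_TYPE</param-name>
    <param-value>kdb</param-value></init-param>
</servlet></web-app>"""

DEPRECATED = ("CMPI_DCAS_KEYRING_FILE", "CMPI_DCAS_KEYRING_PASSWORD")
TRUSTSTORE = ("CMPI_DCAS_TRUSTSTORE", "CMPI_DCAS_TRUSTSTORE_TYPE",
              "CMPI_DCAS_TRUSTSTORE_PASSWORD")
OPT_OUT = ("CMPI_DCAS_USE_DEFAULT_TRUSTSTORE", "CMPI_DCAS_USE_WELLKNOWN_KEYS")
VALID_TYPES = {"pkcs12", "jceks", "jks"}


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def read_init_params(xml_text):
    """Return {param-name: param-value}, surrounding whitespace stripped."""
    params = {}
    for node in ET.fromstring(xml_text).iter():
        if local(node.tag) == "init-param":
            fields = {local(c.tag): (c.text or "").strip() for c in node}
            params[fields.get("param-name", "")] = fields.get("param-value", "")
    return params


def lint_dcas_tls(params):
    """List what must change to reach the non-deprecated truststore setup."""
    findings = [f"deprecated: {name}" for name in DEPRECATED if name in params]
    # Assumption: the flag values are compared case-insensitively.
    opted_out = any(params.get(f, "").lower() == "true" for f in OPT_OUT)
    if not opted_out:
        findings += [f"missing: {n}" for n in TRUSTSTORE if not params.get(n)]
    store_type = params.get("CMPI_DCAS_TRUSTSTORE_TYPE", "")
    if store_type and store_type.lower() not in VALID_TYPES:
        findings.append(f"invalid type: {store_type}")
    return findings
```

A configuration that still relies on the keyring parameters keeps working, as the note above states, so the "missing" findings describe the migration target rather than a broken setup.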
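The host ID lookup described above (network ID, host address, and application ID in, host ID out) is sketched below as an added example, not the HCM plug-in's own code. An in-memory SQLite table stands in for the JDBC database, the row and function names are constructed, and the table and column names are the ones from this page's examples. Because the names come from configuration and cannot be bound as query parameters, they are validated as plain identifiers, while the user-supplied values are always bound.

```python
import re
import sqlite3

# Values as they would be read from the init-params in this step
# (table and column names taken from the page's examples).
CONFIG = {
    "CMPI_DCAS_DB_TABLE": "HACP",
    "CMPI_DCAS_DB_NETID_COL_NAME": "NETWORKID",
    "CMPI_DCAS_DB_HOSTADDR_COL_NAME": "HOSTADDRESS",
    "CMPI_DCAS_DB_HOSTAPP_COL_NAME": "APPLICATIONID",
    "CMPI_DCAS_DB_HOSTID_COL_NAME": "HOSTID",
    "CMPI_DCAS_USE_NETID_AS_HOSTID": "False",
}
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def ident(cfg, key):
    """Table/column names cannot be bound as parameters, so validate them."""
    value = cfg[key]
    if not IDENTIFIER.fullmatch(value):
        raise ValueError(f"{key} is not a plain SQL identifier: {value!r}")
    return value


def lookup_host_id(conn, cfg, network_id, host_address, application_id):
    """Return the host ID for a user, or None when no row maps them."""
    if cfg["CMPI_DCAS_USE_NETID_AS_HOSTID"].lower() == "true":
        return network_id  # no mapping: the network ID is used as the RACF ID
    sql = "SELECT {} FROM {} WHERE {} = ? AND {} = ? AND {} = ?".format(
        ident(cfg, "CMPI_DCAS_DB_HOSTID_COL_NAME"),
        ident(cfg, "CMPI_DCAS_DB_TABLE"),
        ident(cfg, "CMPI_DCAS_DB_NETID_COL_NAME"),
        ident(cfg, "CMPI_DCAS_DB_HOSTADDR_COL_NAME"),
        ident(cfg, "CMPI_DCAS_DB_HOSTAPP_COL_NAME"))
    row = conn.execute(sql, (network_id, host_address, application_id)).fetchone()
    return row[0] if row else None  # None: no passticket should be requested


def demo_db():
    """In-memory SQLite stand-in for the HCM table, with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE HACP (NETWORKID TEXT, HOSTADDRESS TEXT, "
                 "APPLICATIONID TEXT, HOSTID TEXT)")
    conn.execute("INSERT INTO HACP VALUES (?, ?, ?, ?)",
                 ("jdoe", "host.example.com", "TSOAPP", "JDOE01"))
    return conn
```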
