Introduction:
RACF (Resource Access Control Facility) is one of the most widely used identity management products in the mainframe world, handling security functions such as authentication and authorization. Migrating identity principals is a critical prerequisite for any mainframe modernization to succeed. This applies not just to the migration itself but also to post-migration activities such as co-existence and hybrid integration. This article explains the steps of a custom solution that helps migrate mainframe RACF directory principals to Microsoft Entra ID (previously called Azure Active Directory [AAD]).
High-level steps involved in the process:
- Extract components from the package provided.
- Move RACF Unload components to the mainframe.
- Run the RACF Unload utility.
- FTP output file to Windows VM or Azure Blob.
- Upload the file to Azure Blob (if the unload file is on a VM).
- Use the ARM Template in the package to create the ADF pipeline and Logic Apps on Azure.
- Run the ADF Pipeline to read Blob data and start adding users.
- Check if users have been added successfully.
Fig 1.1: Overview of the RACF migration process
Custom Tooling & Artifacts:
Please contact Data Ninja Engineering Team for the custom tool that contains all the required artifacts for this solution.
Step by Step guidance:
- Move JCLs to Mainframe:
Use any available FTP software to move the JCLs and control cards to the mainframe. Slight changes will be needed in the JCL, such as the LOADLIB names, so that it runs as expected in your environment. Most of the values that need to be changed are marked as “XXXXXX”.
- Unload RACF data using Unload Utility:
Submit the RACFUNLD job on the mainframe. This job unloads the data from the IBM RACF database into a user-defined file specified in the OUTDD DD statement of the JCL. Make a note of this file name, as it is used in subsequent steps.
- FTP output file to on-premise/Azure VM or Azure Blob:
FTP the file generated in the previous step to an on-premises/Azure VM or directly to Azure Blob. Use any available FTP software to transmit the file to Windows. Once the file has been transmitted, check that it is readable (a mainframe file transferred in binary rather than text mode is still EBCDIC and will not be readable on Windows).
To transmit the data directly to Azure Blob, use Azure Data Factory's FTP connector as outlined here.
- Upload File to Blob :
Go to the Azure portal and search for Storage account.
Create a new Blob Storage account.
Click on “Review + create” and then click on “Create”. Once the resource is deployed, go to the Storage account resource and click on Access Keys. Copy the connection string and keep it handy (treat it as a secret); it is needed when deploying the ARM template in a later step.
Go back to Containers and create a new container named "racttoazureadcontainer".
Once the container is created, go into the container, click on “Upload”, locate the mainframe RACF file on the VM and upload it into the container.
Upload the file with the name “racf.txt”, because the ADF pipeline has been coded with this name. You should then see the file in the container.
- Deploy ARM template for ADF and Logic Apps :
The package from Data SQL Ninja contains two folders, one named “ADF Template” and one named “Logic Apps Template”.
First let us deploy the ADF template.
Create a blank Data Factory as outlined here. Keep the name of this Data Factory handy, as it needs to be entered in a few places in the form.
A few changes must be made to the template file: update your domain name (of the form “@contoso.onmicrosoft.com”) on line 285, in the highlighted area.
Go to the resource group where you created the Blob container and click on “Add” to add a new resource. Search for “Template Deployment”, then click on “Create”.
Click on “Build your own template in the editor” and then on “Load file”. Locate the file name “Mainframe_Racf_to_AAD.json” in the folder “ADF Template” from the GIT repository.
After loading the file, change the default value of the Data Factory name as highlighted below (Data Factory names must be globally unique), and then click on “Save”.
Under “Link Blob Service_connection String”, enter the Blob connection string you copied earlier.
Click on “Review + create”, and then on “Create” again to deploy the ADF pipeline.
Once the ADF pipeline is deployed, you will need to change the URL in the last step of the pipeline, named “Call_Logic_App_for_Each_record”, inside which there is an activity named “Trigger_AddUser_Logic_Apps”. You will get this URL after you deploy the Logic App.
To deploy the Logic App, perform similar steps to those above. While doing so, use the file named “RACF to AzureAd Logic Apps” from the folder “Logic App Template”, click on Open and then on Create.
Once the resource is created, go to the resource and click on “Logic App Designer”. You should see something like this.
Click on the first step. You will see a URL; copy it, as it has to be added to the ADF pipeline created above.
Add a step by clicking the + mark after “When a HTTP request is received” and add an action.
Search for Azure AD and select Create user.
You should get a dialog box similar to this. You will need to sign in to Azure AD with an account that has permission to create new users in your Azure AD domain.
Once your login is successful you will see the below screen.
Set the following values for each field:
- Account Enabled : Yes
- Display name : @{triggerBody()?['user_name']}
- Mail Nickname : @{triggerBody()?['mailnickname']}
- Password: Any complex password. Users will be required to change the password on their first login.
- User Principal Name : @{triggerBody()?['principal_name']}
After all the changes, your screen should look something like this:
Save the Logic App. You are now ready to run the end-to-end process.
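The two checks a practitioner will want before running the pipeline are the readability check from the FTP step (was the unload transferred as text, or is it still EBCDIC?) and a sanity check on what each record turns into when the pipeline calls the Logic App trigger with the user_name, mailnickname and principal_name fields listed above. The following is an added Python example, not code from the package or from the ADF pipeline: the unload layout (an 8-character RACF user ID followed by a display name) and the sample records are constructed for this example and are not the layout written by the RACFUNLD job; the mailNickname/UPN character filtering and the password complexity rules are assumptions stated in the comments.

```python
import json
import re
import secrets
import string

# Constructed sample: a comment line, three user records and one duplicate, as
# ASCII text. The 8-character-ID-plus-display-name layout is an assumption for
# this example, not the record layout produced by the RACFUNLD job.
SAMPLE_UNLOAD_ASCII = (
    "* RACF user unload - constructed sample\n"
    "JSMITH   John Smith\n"
    "ADUPONT  Alice Dupont\n"
    "BAD USER Broken Record\n"
    "JSMITH   John Smith\n"
)
# The same text as cp037 (EBCDIC) bytes: what the file looks like on Windows if
# it was FTP'd in binary mode instead of text mode.
SAMPLE_UNLOAD_EBCDIC = SAMPLE_UNLOAD_ASCII.encode("cp037")

# RACF user IDs are 1-8 characters: letters, digits and the national characters @ # $.
RACF_USERID = re.compile(r"^[A-Z0-9@#$]{1,8}$")
# Conservative character set for the mailNickname and the UPN local part (assumption:
# stricter than what Entra ID accepts, so anything that passes is safe to submit).
UPN_LOCAL_PART = re.compile(r"^[A-Za-z0-9._-]+$")


def _looks_like_text(s: str) -> bool:
    printable = sum(1 for c in s if c.isprintable() or c in "\r\n\t")
    return bool(s) and printable / len(s) > 0.95


def decode_unload(raw: bytes) -> str:
    """Decode the transferred unload file, detecting one left in EBCDIC by a
    binary-mode FTP (the readability check from the FTP step)."""
    for encoding in ("utf-8", "cp037"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if _looks_like_text(text):
            return text
    raise ValueError("unload file is neither ASCII/UTF-8 nor EBCDIC text")


def unload_to_payloads(text: str, domain: str) -> tuple[list[dict], list[str]]:
    """Turn unload records into the JSON bodies the Logic App trigger reads
    (user_name, mailnickname, principal_name); return rejected lines separately
    so they can be reviewed instead of silently creating odd accounts."""
    payloads, rejected, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("*"):
            continue
        userid, display_name = line[:8].strip(), line[8:].strip()
        if not RACF_USERID.match(userid):
            rejected.append(f"line {lineno}: invalid RACF user ID {userid!r}")
            continue
        # @ # $ are legal in RACF IDs but not in a mail nickname or UPN local part.
        nickname = re.sub(r"[^A-Za-z0-9._-]", "", userid.lower())
        if not nickname or not UPN_LOCAL_PART.match(nickname):
            rejected.append(f"line {lineno}: no usable mail nickname for {userid!r}")
            continue
        upn = f"{nickname}@{domain}"
        if upn in seen:
            rejected.append(f"line {lineno}: duplicate principal {upn}")
            continue
        seen.add(upn)
        payloads.append({
            "user_name": display_name or userid,
            "mailnickname": nickname,
            "principal_name": upn,
        })
    return payloads, rejected


def initial_password(length: int = 16) -> str:
    """A random initial password for the Logic App's Password field, generated
    with a CSPRNG. Assumption: Entra ID's default policy (8-256 characters,
    three of four character classes); one of each class is guaranteed here."""
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*")
    chars = [secrets.choice(c) for c in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # The domain suffix is the one the article uses as its placeholder.
    text = decode_unload(SAMPLE_UNLOAD_EBCDIC)
    payloads, rejected = unload_to_payloads(text, "contoso.onmicrosoft.com")
    print(json.dumps(payloads, indent=2))
    for reason in rejected:
        print("rejected:", reason)
    # The password itself is deliberately not printed.
    print("initial password length:", len(initial_password()))
```

Running it against the EBCDIC sample shows the decoder recovering the original text, two payloads being produced for the Logic App, and the malformed and duplicate records being listed for review rather than submitted.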
- Run the pipeline :
Go to the portal at https://adf.azure.com/ and choose the ADF name that was specified in the template.
First enable “Data flow debug” for 1 hour.
Then click on the “Debug” button to start migrating the RACF IDs.
Verify in the output that the requests were successful.
- Verify the process:
Once the pipeline run is complete, you can verify whether the users have been added to the domain properly.
Go to the Azure portal and search for Azure AD. Under Azure AD, click on Users. The newly added users should appear in the list when you search for them.
Feedback and Suggestions :
If you have feedback or suggestions for improving this asset, please contact the Azure Databases SQL Customer Success Engineering Team. Thanks for your support! Note: For additional information about migrating various source databases to Azure, see the Azure Database Migration Guide.
Updated Aug 28, 2024, Version 5.0
Author: Ramanath_Nayak, Microsoft
Modernization Best Practices and Reusable Assets Blog