Oracle® Identity Manager Connector Guide for CA Top Secret Advanced
Release 9.0.1

Part Number B31113-01

B Connector Architecture

This appendix describes the CA Top Secret Advanced Connector functionality in detail in the following sections:

Oracle Identity Manager Advanced LDAP Gateway

The architecture for Oracle Identity Manager Advanced Connector begins with the Oracle Identity Manager LDAP Gateway. The LDAP Gateway is built on Java 1.4.2, allowing for portability among different platforms and operating systems with complete integration to the Oracle Identity Manager system.

The LDAP Gateway works transparently with Oracle Identity Manager to communicate with CA Top Secret facilities in a z/OS environment. The LDAP Gateway is installed along with the Oracle Identity Manager on the same server. In addition, the Reconciliation Connector enables the LDAP Gateway server to become a subscriber to security and identity events from CA Top Secret.

Oracle Identity Manager maps mainframe authentication repositories by the LDAP DN. By changing the LDAP DN, different authentication repositories and different mainframe resources can be addressed.

Oracle Identity Manager Provisioning Connector

The Provisioning Connector is a mainframe component that receives native CA Top Secret provisioning commands from the LDAP Gateway. These requests are processed against the CA Top Secret authentication repository, and the response is parsed and returned to the LDAP Gateway.

Figure: Oracle Identity Manager Provisioning Connector (illustration topsec_prov.gif)

The Provisioning Connector handles LDAP bind and authorization requests. In addition to traditional provisioning functions, the Provisioning Connector can also build the necessary TSO logon functions, including building CLIST files, and can replicate existing mainframe user profile scenarios. The Provisioning Connector can also extend authorization to data sets, groups, and resources through enterprise rules set by Oracle Identity Manager.

Internal to the mainframe architecture is significant conservation of connector resources and internal mainframe memory subpools for enterprise loads at peak times, supporting over a million transactions per day. The entire Provisioning Connector is protected by AES 128 encryption and APF-authorized resources.

The Provisioning Connector receives identity and authorization change events and effects the requested changes on the z/OS mainframe authentication repository, CA Top Secret. The Provisioning Connector is a mainframe-installed component that receives native mainframe requests from the LDAP Gateway.

An important architectural feature of the Provisioning Connector is that provisioning updates are made from the LDAP Gateway to the CA Top Secret authentication repository. As such, the Provisioning Connector needs to be installed on at least one z/OS LPAR. Provisioning commands sent from Oracle Identity Manager then change authentication and authorization across all LPARs serviced by the CA Top Secret authentication repository. Within this framework, multiple CA Top Secret systems that are not externally synchronized require a second Provisioning Connector.

While most provisioning commands are designed around direct access to CA Top Secret, some LDAP provisioning commands are executed as multiple mainframe commands. For example, to provision TSO access, some systems require modification of a CLIST profile. The type of command depends on which mainframe process is to be accessed.

While not within the scope of standard Oracle Identity Management provisioning, the Provisioning Connector can extend control to TSO commands, CICS commands, batch jobs, and other mainframe resources.

Oracle Identity Manager Reconciliation Connector

When an event occurs on the mainframe, independent of any custom installed technology, the event is processed through an appropriate mainframe exit. Because the Reconciliation Connector uses exit technology, there are no hooks in the z/OS mainframe operating system.

Identity events that arise from a user at TSO login, from changes made by an administrator at the command prompt, or from batch jobs are detected, and notification messages are securely sent in real time. The Reconciliation Connector captures changes to user attributes (any ALTUSER change), changes to a user account (REVOKE, RESUME), and certain changes to user authorization for groups and resources. If a user account is created or deleted on the mainframe, the Provisioning Connector will notify Oracle Identity Manager and can even create a corresponding account in the distributed environment.

Figure: Oracle Identity Manager Reconciliation Connector

Passwords fall into a special category. If business rules permit, a password change is passed to Oracle Identity Manager in clear text and in real time; in a testing environment, delivery is almost immediate. Under other business rules, only a notification that the password has been changed is passed.

Internal to the mainframe architecture is significant conservation of connector resources and internal mainframe memory subpools for enterprise loads at peak times. The Reconciliation Connector was specifically designed to handle peak loads from a mainframe batch job. By allocating one megabyte of mainframe memory to the messaging subpools, 50,000 identity event messages can be held as fast as the batch job can produce them (about 8 minutes). These messages are then spooled to the LDAP Gateway, which supplies them to Oracle Identity Manager for subsequent processing (typically over the next hour). The entire Reconciliation Connector is protected by AES 128 encryption and APF-authorized resources.

The Reconciliation Connector sends notification events to the Oracle Identity Manager LDAP Gateway from the z/OS mainframe. This architecture does not originate with CA Top Secret, but captures the events just outside the operating system using exit technology, in real time.

A command execution is passed through an exit just before the native mainframe command fully completes. A common use of this technology is to require that user IDs or passwords have a proper length or contain at least one letter and one number. If the exit fails, the command fails and returns an error message. By capturing identity or authentication events at an exit, the Reconciliation Connector captures these events outside the operating system, just prior to the command completing and the results being stored in the CA Top Secret authentication repository.
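The exit sequence described above, as an added model written for this page (not connector or CA Top Secret code): a policy exit that rejects malformed user IDs runs first, then a capture exit records the event, and only then does the command commit to a stand-in repository. A failed exit aborts the command, so nothing is stored and no event is captured. The 1-8 character length limit, the command verbs, and all class names are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed model (added example): a command passes through a chain of exits
# just before it completes. Exit order matters: policy exits run before the
# reconciliation capture exit, so a rejected command never produces an event.

class ExitFailed(Exception):
    """Raised by an exit to reject the command with an error message."""

@dataclass
class Command:
    verb: str                     # e.g. "ADDUSER", "ALTUSER" (assumed verbs)
    user_id: str
    attributes: dict = field(default_factory=dict)

def format_exit(cmd: Command) -> None:
    """Policy exit: user ID length 1-8 (assumed limit), one letter and one digit."""
    uid = cmd.user_id
    if not 1 <= len(uid) <= 8:
        raise ExitFailed(f"user ID {uid!r} must be 1-8 characters")
    if not (re.search(r"[A-Za-z]", uid) and re.search(r"[0-9]", uid)):
        raise ExitFailed(f"user ID {uid!r} needs at least one letter and one digit")

class ReconciliationExit:
    """Capture exit: records an event for each command that reaches it."""
    def __init__(self) -> None:
        self.events: list = []
    def __call__(self, cmd: Command) -> None:
        self.events.append({"verb": cmd.verb, "user": cmd.user_id,
                            "attrs": dict(cmd.attributes)})

class Repository:
    """Stand-in for the authentication repository the command updates."""
    def __init__(self, exits) -> None:
        self.exits = list(exits)
        self.users: dict = {}
    def execute(self, cmd: Command) -> str:
        for exit_fn in self.exits:          # every exit runs before commit
            try:
                exit_fn(cmd)
            except ExitFailed as err:
                return f"ERROR: {err}"      # command fails; nothing stored
        if cmd.verb == "ADDUSER":
            self.users[cmd.user_id] = dict(cmd.attributes)
        elif cmd.verb == "ALTUSER":
            self.users.setdefault(cmd.user_id, {}).update(cmd.attributes)
        return f"OK: {cmd.verb} {cmd.user_id}"
```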

As with the Provisioning Connector, there is an architectural dependence on the LPAR. When a user ID is created, is authorized to something, or works on the mainframe, it does so on an LPAR. Since all actions take place within the LPAR and the Reconciliation Connector detects events from an LPAR exit, the Reconciliation Connector must be installed on each LPAR. This is a scheduled event, usually done within a maintenance schedule, because an LPAR exit change is only recognized after an IPL.

Message Transport Layer

The message transport layer is the process by which messages are exchanged between the LDAP Gateway and the CA Top Secret Provisioning and Reconciliation Connectors.

Overall, the entire TCP/IP message transport layer approaches the performance and security level of the IBM MQ Series. The Oracle Identity Manager TCP/IP message transport layer is included at no additional charge.