Oracle® Identity Manager Connector Guide for CA Top Secret Advanced
Release 9.0.1

Part Number B31113-01

5 Testing the Connector

After you deploy the connector, you must test it to ensure that it functions as expected. The CA Top Secret Advanced Connector is composed of a Gateway and two mainframe adapters, so it requires both connectivity testing and use case testing.

This chapter contains information on the following types of testing:

Note:

In earlier releases of this guide, the connector was referred to as the integration.

This chapter contains the following sections:

Port Connectivity Testing

The Oracle Identity Manager Advanced Connector supports two message transport layers: IBM MQ Series and TCP/IP. Both depend on open ports to communicate. This section discusses open port testing for the CA Top Secret Advanced connector. Testing of open ports is done on the Oracle Identity Manager server system.

Note:

In enterprise security environments, firewalls may be configured to only allow a ping test from specific machines. Also, please notify your network administrator and the mainframe security manager about the port testing, as this activity may trigger automated network responses and notifications.

The following tests assume that the test will be conducted on the Oracle Identity Manager server, with localhost as the IP name of the Oracle Identity Manager server and [mainframeIP] as the IP address of the mainframe.

  1. Internal to the Oracle Identity Manager server, Oracle Identity Manager and the CA Top Secret Advanced Connector communicate on port 5389.

    ping localhost:5793

  2. For IBM MQ Series messaging, the standard port is 1414. This port will need to be tested for both the Oracle Identity Manager server and the mainframe system.

    ping localhost:1414
    ping [mainframeIP]:1414

  3. The TCP/IP message transport layer relies on several different ports. The ports should be matched between each system. For provisioning to CA Top Secret Advanced, run the following test:

    ping [mainframeIP]:5791

     For reconciliation with CA Top Secret Advanced:

    ping localhost:5390
    ping [mainframeIP]:5390

Note:

It is common for the mainframe TCP/IP configuration and the CA Top Secret Advanced Connector Adapter JCLs to have the same code set, even if multiple LPARs and connectors are used. As the port traffic passes through a router, the public IP address becomes different from the private, locally assigned machine IP address. This translation between private and public IP addresses can also extend to remapping of the ports.
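
`ping` sends ICMP echo requests and does not connect to a TCP port, so a port-level check needs a TCP connection attempt. The following added example (not part of the Oracle guide) tries each port named in the steps above and separates a refused connection from a timeout; the function names and labels are assumptions.

```python
import socket
import sys

def check_port(host, port, timeout=3.0):
    """Attempt a TCP handshake and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"    # host reachable, no listener (Gateway or started task down)
    except socket.timeout:
        return "filtered"   # no reply: packets dropped by a firewall, or host down
    except OSError as exc:
        return "error: %s" % exc   # name resolution failure, no route, and so on

def build_checks(mainframe_ip, oim_host="localhost"):
    """Ports as listed in the guide; step 1 names 5389 in its text and 5793 in its command."""
    return [
        ("OIM to connector (step 1 text)", oim_host, 5389),
        ("OIM to connector (step 1 command)", oim_host, 5793),
        ("IBM MQ Series, OIM server", oim_host, 1414),
        ("IBM MQ Series, mainframe", mainframe_ip, 1414),
        ("TCP/IP provisioning, mainframe", mainframe_ip, 5791),
        ("TCP/IP reconciliation, OIM server", oim_host, 5390),
        ("TCP/IP reconciliation, mainframe", mainframe_ip, 5390),
    ]

def run_checks(mainframe_ip, timeout=3.0):
    """Return (label, host, port, state) for every check in build_checks()."""
    return [(label, host, port, check_port(host, port, timeout))
            for label, host, port in build_checks(mainframe_ip)]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: portcheck.py <mainframeIP>")
    else:
        for label, host, port, state in run_checks(sys.argv[1]):
            print("%-36s %s:%d  %s" % (label, host, port, state))
```

A `refused` result on a mainframe port usually points at the started task or listener, while `filtered` points at a firewall or routing rule between the two systems.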

Running Test Cases

This section focuses on the functional and performance test cases that are associated with this connector. The following table includes information on running test cases on the CA Top Secret Advanced connector:

| Test Case | Test Type | Description/Comment |
|---|---|---|
| Test to change CA Top Secret Advanced Password | Provisioning | A user password is changed, with the change posted to the mainframe through the Advanced Connector. |
| Test to reset CA Top Secret Advanced Password | Provisioning | A user password is reset, with the change posted to the mainframe through the Advanced Connector. |
| Test to create CA Top Secret Advanced User | Provisioning | A user is created, with the change posted to the mainframe through the Advanced Connector. |
| Test to revoke/disable CA Top Secret Advanced User Account | Provisioning | A user ID is revoked, with the change posted to the mainframe through the Advanced Connector. |
| Test to resume CA Top Secret Advanced User Account | Provisioning | A user ID is resumed from a revoked status, with the change posted to the mainframe through the Advanced Connector. |
| Test to list CA Top Secret Advanced Users | Provisioning | A list of users is retrieved from the mainframe CA Top Secret repository. |
| Test to permit CA Top Secret Advanced User Access to Resource Profile | Provisioning | A user is authorized to access mainframe resources, with the change posted to the mainframe through the Advanced Connector. |
| Test to permit CA Top Secret Advanced User Access to TSO | Provisioning | A user is provisioned to log on to the mainframe through TSO, with the change posted to the mainframe through the Advanced Connector. |
| Test to remove CA Top Secret Advanced User Access to Dataset | Provisioning | A user is removed from access to a mainframe dataset, with the change posted to the mainframe through the Advanced Connector. |
| Test to remove CA Top Secret Advanced User Access to Resource Profile | Provisioning | A user is removed from access to a mainframe resource, with the change posted to the mainframe through the Advanced Connector. |
| Test to detect and report Native CA Top Secret Advanced Password Change Event | Reconciliation | A native password change is made on the mainframe and subsequently detected by the Advanced Connector. |
| Test to detect and report Native CA Top Secret Advanced Password Reset Event | Reconciliation | A native password reset is made on the mainframe and subsequently detected by the Advanced Connector. |
| Test to detect and report Native CA Top Secret Advanced Create User Data Event | Reconciliation | A user is created natively on the mainframe by an administrator, and the event is subsequently detected by the Advanced Connector. |
| Test to detect and report Native CA Top Secret Advanced Revoke User Event | Reconciliation | A userID password is revoked through native mainframe events, which is subsequently detected by the Advanced Connector. |
| Test to detect and report Native CA Top Secret Advanced Delete User Event | Reconciliation | A userID is deleted through native mainframe events, which is subsequently detected by the Advanced Connector. |
| Test to detect and report Native CA Top Secret Advanced Resume User Event | Reconciliation | A userID is resumed from a revoke status through native mainframe events, which is subsequently detected by the Advanced Connector. |

Troubleshooting

The following table lists solutions to some commonly encountered issues associated with the CA Top Secret Advanced connector.

Problem: Oracle Identity Manager cannot establish a connection to the CA Top Secret Advanced Server.

Solution:

  • Ensure that the mainframe server is up and running.
  • Check that the necessary ports are working.
  • Due to the nature of the Provisioning Adapter, the Gateway must be started first, and then the mainframe JCL started task must be initiated. This is a requirement based on how TCP/IP operates. Check that the server IP which hosts the Gateway is configured in the Reconciliation Connector JCL.
  • View the Gateway logs to determine if messages are being sent or received.
  • Examine the Oracle Identity Manager configuration to verify that the IP address, admin ID, and admin password are correct.
  • Check with the mainframe platform manager to verify that the mainframe user ID and password have not been changed.

Problem: The mainframe does not appear to respond.

Solution:

  • Ensure that the Oracle Identity Manager mappings are correct.
  • Check the configuration mappings for the Advanced Adapter Gateway.
  • Check that the mainframe JCL jobs have not ABENDED. If they have, determine the reason for the ABEND and ask the mainframe administrator to restart the jobs.

Problem: A particular use case does not appear to be functioning.

Solution:

  • Check for the use case event in question on the Gateway Server Log. Then check for the event in the specific log assigned to that Advanced Connector.
  • If the event does not register in either of these two logs, investigate the connection between the Oracle Identity Manager and the Advanced Connector Gateway.
  • If the event is in the log but the command has not had the intended change on a mainframe user profile, check for configuration and connections between the Gateway and the mainframe.
  • Check that TCP/IP is turned on or that the IBM MQ series is operational, depending on the particular message transport layer chosen.


Performance Tests

The Oracle Identity Manager CA Top Secret Advanced architecture has been engineered for enterprise-level performance. When an identity event passes through an exit, the Reconciliation Connector analyzes the event, and then creates a message, allowing the command to complete its routine without loss of time.

A given event will typically fire multiple exits at the same time. For example, a batch job that generates a password change identity event will fire both a batch exit and a password change exit. The Reconciliation Connector captures both events, filters duplicate entries, and passes the result to the Oracle Identity Manager LDAP Gateway.

A batch job to change 50,000 passwords has been tested on a single LPAR to complete within 10 minutes. Because two exits were involved, 100,000 messages were created, filtered, and transformed into MQ messages. The LDAP Gateway then took 30 minutes to retrieve and update the distributive system identity store, with most of that time consumed by the LDAP database.

The LDAP Gateway is engineered to detect, as an event passes through the Reconciliation Connector, whether that event originated from Oracle Identity Manager. Provisioning Connector events also create a native exit event that is detected. To prevent a feedback loop, events that originate from the LDAP Gateway are logged, but are not reported again to the Oracle Identity Manager. By contrast, events that originate outside the Oracle Identity Manager are treated as native events, and recorded for future auditing.
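
The guide does not say how duplicate exit events or Gateway-originated events are recognized. This added sketch (not Oracle's code) assumes matching on user ID and action within a short time window, and can serve as an expected-result model when checking the reconciliation test cases against the Gateway logs. The event fields, action names, exit names and window length are hypothetical.

```python
WINDOW = 5  # seconds; assumed correlation window, not a product setting

def classify(exit_events, gateway_commands, window=WINDOW):
    """Model the expected reconciliation outcome.

    exit_events:      (ts, user, action, exit_name) tuples raised on the mainframe
    gateway_commands: (ts, user, action) tuples the Gateway provisioned
    Returns (reported, logged_only, duplicates_dropped).
    """
    accepted = {}   # (user, action) -> timestamp of the event already kept
    reported, logged_only, dropped = [], [], 0
    for ts, user, action, _exit in sorted(exit_events):
        key = (user, action)
        if key in accepted and ts - accepted[key] <= window:
            dropped += 1        # a second exit fired for the same identity event
            continue
        accepted[key] = ts
        # An exit event that closely follows a matching Gateway command is an
        # echo of provisioning: log it, but do not report it back.
        echoed = any(u == user and a == action and 0 <= ts - sent <= window
                     for sent, u, a in gateway_commands)
        (logged_only if echoed else reported).append((user, action))
    return reported, logged_only, dropped

# Constructed sample data: one batch password change seen by two exits, one
# native revoke, and one password reset that the Gateway itself provisioned.
EXIT_EVENTS = [
    (100, "USER01", "PASSWORD_CHANGE", "batch"),
    (100, "USER01", "PASSWORD_CHANGE", "password_change"),
    (130, "USER02", "REVOKE", "command"),
    (201, "USER03", "PASSWORD_RESET", "command"),
    (201, "USER03", "PASSWORD_RESET", "password_change"),
]
GATEWAY_COMMANDS = [(200, "USER03", "PASSWORD_RESET")]

if __name__ == "__main__":
    reported, logged_only, dropped = classify(EXIT_EVENTS, GATEWAY_COMMANDS)
    print("reported to OIM:", reported)
    print("logged only    :", logged_only)
    print("duplicates     :", dropped)
```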

The LDAP Gateway and Reconciliation securely capture, filter, and log the identity events from the host system, publishing them for use by Oracle Identity Manager.