Oracle® Identity Manager Connector Guide for CA ACF2 Advanced
Release 9.0.2
Part Number B32151-01

2 Deployment and Configuration: Part 1

The CA ACF2 Advanced Connector deployment consists of two parts: the tasks that are performed on the Oracle Identity Manager system and the tasks performed on the mainframe. The deployment procedure on the Oracle Identity Manager system, which includes installing the LDAP Gateway, is described in the steps of this chapter.

The Provisioning and Reconciliation Agents are installed on the mainframe. This is covered in the Chapter 3, "Deployment and Configuration: Part 2".

Step 1: Verifying Deployment Requirements

Verify that the system requirements described in the following table are met for deploying the Oracle Identity Manager CA ACF2 Advanced Connector.

Item                                                      Requirement
Oracle Identity Manager                                   Oracle Identity Manager 8.5.3 or later
Target Systems                                            CA ACF2 Advanced
Mainframe Repository                                      CA ACF2 Release 6.1, genlevel 9611 or later
Target Systems Host Platforms                             IBM z/OS Mainframe (all z/OS versions are supported)
Infrastructure Requirements: message transport layer      MQ Series or TCP/IP
Target system user account for Oracle Identity Manager    APF-authorized account with SystemAdministrators privileges


Note:

The LDAP Gateway works seamlessly with Oracle Identity Manager and operates under the user account created for Oracle Identity Manager itself. As a result, it has the same permissions as those granted to the Oracle Identity Manager user account to access and operate with the Provisioning Agent and Reconciliation Agent.

Message Transport Layer Requirements

Between the Oracle Identity Manager and mainframe environments, Oracle Identity Manager supports two message transport layers, TCP/IP and IBM MQ Series. Selecting a transport does not by itself protect the traffic: for the TCP/IP (socket) transport the LDAP Gateway encrypts the link only when the _isencrypted_ entry in its beans.xml is set to true (the shipped value is false), and for MQ Series the protection is part of the MQ setup, which is outside the gateway's control.

The MQ Series comes with its own internal setup procedures, which are transparent at the LDAP Gateway level. The primary requirement is that port 1414 is used between Oracle Identity Manager and the mainframe.

Additional configuration is required for the TCP/IP message transport layer. Oracle Identity Manager reserves the following ports for standard message transport layer communication.

In coordination with an enterprise level architecture, port 5790 is used for the Advanced Provisioning Agent. Between the LDAP Gateway and the Reconciliation Agent, Oracle Identity Manager reserves ports 5190 through 5199 as a range of ports for multiple LPARs.

Step 2: Copying the Connector Files

Copy the following connector files to the destinations indicated in the following table:

Files in the Installation Media Directory      Destination Directory
xml\oimAcf2Connector.xml                       OIM_HOME\xellerate\XLIntegrations\acf2\xml\
lib\idm.jar                                    OIM_HOME\xellerate\JavaTasks\
resources\<connectorName>.properties           OIM_HOME\xellerate\connectorResources\
resources\<connectorName>_fr.properties        OIM_HOME\xellerate\connectorResources\
resources\<connectorName>_ja.properties        OIM_HOME\xellerate\connectorResources\
docs\B32151_01.pdf                             OIM_HOME\xellerate\docs\acf2\
docs\html                                      OIM_HOME\xellerate\docs\acf2\


Note:

While installing Oracle Identity Manager in a clustered environment, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy the connectorResources directory and the JAR files to the corresponding directories on each node of the cluster.

Step 3: Configuring the Oracle Identity Manager Server

Configuring the Oracle Identity Manager server involves the following procedures:


Note:

In a clustered environment, you must perform these steps on each node of the cluster.

Changing to the Input Locale

Configuring the Oracle Identity Manager server involves installing the required fonts and setting the required input locale.

To set the input locale:

  1. Open Control Panel.

  2. Double-click Regional Options.

  3. On the Input Locales tab of the Regional Options dialog box, add and switch to the input locale that you want to use.

Clearing the Server Cache

You must clear the server cache whenever you add a new resource bundle file to the OIM_HOME\xellerate\connectorResources directory or make a change in an existing resource bundle file.

To clear the server cache:

  1. Open a command window, and change to the OIM_HOME\xellerate\bin directory.

  2. Run the command for your operating system:

    • PurgeCache.bat ConnectorResourceBundle (Windows)

    • PurgeCache.sh ConnectorResourceBundle (UNIX)

Deploying a Connector on a Clustered Installation of Oracle Identity Manager

Oracle Identity Manager communicates with a mainframe through the advanced LDAP gateway and LPARs. Use the following guidelines to deploy a connector on a clustered installation of Oracle Identity Manager:

  • Within the mainframe, multiple LPARs are essentially logical partitions that are tied to a single authentication repository on the mainframe.

  • Reconciliation is the detection of an event that occurs against a mainframe authentication repository on an individual LPAR. That event changes the repository on the mainframe and therefore affects all attached LPARs. Every LPAR on which identity events occur should have the Reconciliation Agent installed and tied to a single LDAP gateway.

  • Reconciliation on different sets of mainframe authentication repositories (with each authentication repository having its own set of LPARs) can be directed to different LDAP gateways.

  • Provisioning flows from Oracle Identity Manager to the mainframe authentication repository through an LPAR. Because a provisioning event on a single LPAR changes the repository for all LPARs attached to it, the LDAP Gateway needs to send the change to only one LPAR in the group. If more than one LPAR in the same group receives the same change, only the first change goes through; the others return an error because the authentication repository has already been changed.

Some mainframe installations have multiple authentication repositories, but they are all the same type. If the mainframe environment has an internal synchronization process, consult with a mainframe architect or an Oracle Identity Manager Architect on the best way to configure the cluster.

In Release 9.0.2, the CA ACF2 Advanced Connector in a clustered deployment can have only one LDAP Gateway connected to a single mainframe authentication repository (with its attached set of LPARs) in operation at one time. This is a known issue and will be resolved in a future release.

Step 4: Importing the Connector XML File

To import the connector XML file into Oracle Identity Manager:

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for locating files is displayed.

  4. Locate and open the oimAcf2Connector.xml file, which is in the OIM_HOME\xellerate\XLIntegrations\acf2\xml\ directory. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Next. The Provide IT Resource Instance Data page for the Acf2Resource resource is displayed.

  8. Specify values for the parameters of the Acf2Resource resource. Refer to the table in the Defining IT Resources section for information about the values to be specified.

  9. Click Next. The Provide IT Resource Instance Data page for a new instance of the Acf2Resource IT resource type is displayed.

  10. Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.


    See Also:

    If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.

  11. Click View Selections.

    The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. You must remove these nodes. To do this, right-click each such node and then select Remove.

  12. Click Import. The connector file is imported into Oracle Identity Manager.

Defining IT Resources

You must specify values for the Acf2Resource IT resource parameters listed in the following table.

Parameter Name                                                        Parameter Value (Default)
Resource Asset Name                                                   Acf2Resource
Resource Asset Type                                                   LDAP Server
Admin Id                                                              uid=idfAcf2Admin,ou=People,dc=acf2,dc=com
Admin Password                                                        idfAcf2Pwd
Server Address                                                        localhost
Root DN                                                               dc=acf2,dc=com
Port                                                                  5389
Is the resource asset to be used to call a method on an API,
which resides on a machine that is external to Xellerate?             No

These are the values Oracle Identity Manager uses to reach and bind to the LDAP Gateway, so Port must match the port of the gateway's listener bean (Step 6), and Admin Id and Admin Password must agree with the adminUserDN and adminUserPassword configured in the gateway's beans.xml (see "Configuring the LDAP Gateway for Provisioning"). The default Admin Password is printed in this guide and must be replaced before the resource is used in production.

After you specify values for these IT resource parameters, go to Step 9 of the procedure to import connector XML files.

Step 5: Compiling Adapters

Importing the connector XML file also imports the connector's adapters into Oracle Identity Manager. You must compile these adapters before you can use them to provision accounts on the target system.

To compile adapters by using the Adapter Manager form:

  1. Open the Adapter Manager form.

  2. To compile all the adapters that you have imported into the current database, select the Compile All option.

    To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select the Compile Selected option.

  3. Click Start. Oracle Identity Manager compiles the adapters that you specify.

  4. If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the OIM_home\xellerate\Adapter directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes. Then, restart each node.

To view detailed information about an adapter:

  1. Highlight the adapter in the Adapter Manager form.

  2. Double-click the row header of the adapter, or right-click the adapter.

  3. Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.


Note:

To compile multiple adapters simultaneously, use the Adapter Manager form. To compile one adapter at a time, use the Adapter Factory form. Refer to Oracle Identity Manager Tools Reference Guide for information about how to use these forms.

Step 6: Installing the LDAP Gateway

To install the LDAP Gateway, navigate to the OIM_HOME/etc/LDAP Gateway/ (<LDAP_install_directory>) directory and do the following:

  1. Edit the run.cmd or run.sh file located at <LDAP_install_dir>/bin directory, set the JAVA_HOME variable to match your Java install directory (j2sdk1.4.2 or later), and save the file.

  2. Extract the beans.xml file from the idfserver.jar file in the <LDAP_install_dir>/dist/ directory and edit it. Set the port property of the listener bean to the port used for communication between the Gateway and the mainframe LPAR that you use for the connector installation; enter the same value as the Port parameter of the Acf2Resource IT resource, and repackage the JAR after saving. For example, the port property is set to 5389 in the following code:

    <bean id="listener" class=
    "com.identityforge.ximserver.nio.Listener">
    <constructor-arg><ref bean="bus"/></constructor-arg>
    <property name="admin"><value>false</value></property>
    <property name="config"> <value>../conf/listener.xml</value></property>
    <property name="port" value="5389"/>
    </bean>
    
  3. If you are using IBM MQ Series for the message transport layer, you must copy the following files to the <LDAP_install_directory>/lib directory:

    • com.ibm.mq.jar

    • com.ibm.mqbind.jar

    • com.ibm.mqjms.jar

    • fscontext.jar

    • providerutil.jar

Configuring the LDAP Gateway for Provisioning

To configure Oracle Identity Manager LDAP Gateway to use the Provisioning functionality:

  1. Extract the beans.xml file from the <LDAP_install_directory>/dist/ximserver.jar file and open it in a text editor.

  2. Find the <bean name="ACF2"> tag and edit the suffix, workingDirectory, adminUserDN, adminUserPassword and transport properties shown in the following code. Note that _isencrypted_ ships as false, which sends gateway-to-mainframe traffic in the clear over the socket transport; set it to true unless the link is protected by other means, and replace the default adminUserPassword with a value of your own:

    <bean name="ACF2" singleton="true" class="com.identityforge.ximserver.backend.ACF2.ACF2Module">

      <!-- The following change is optional. If you make this change, also edit
           metaengine.xml -->
      <property name="suffix" value="dc=ACF2,dc=com"/>

      <property name="workingDirectory" value="..ACF2"/>

      <!-- The following change is optional -->
      <property name="adminUserDN" value="oimACF2Admin,dc=ACF2,dc=com"/>

      <property name="adminUserPassword" value="oimACF2Pwd"/>
      ...
      ...
      <property name="transport">
            <map>
                  <!-- For IBM MQ Series set _type_ value to MQ -->
                  <entry key="_type_" value="socket"/>

                  <!-- Set _isencrypted_ to true for 128-bit AES encryption -->
                  <entry key="_isencrypted_" value="false"/>

                  <entry key="_host_" value="IP Address of ACF2 System"/>
                  ...
                  ...
            </map>
      </property>
      <property name="Connector" value="false"/>
    </bean>
    
    
  3. If you changed the domain partition from the default "dc=ACF2,dc=com", open the metaengine.xml file located in the <LDAP_install_directory>/conf directory:

    1. Replace all occurrences of the domain partition "dc=ACF2,dc=com" with the domain partition that is chosen for your installation.

    2. Save the file.
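The following script is an added example and is not part of the Oracle documentation or the LDAP Gateway product. It applies the beans.xml edits from Step 6 and from the procedure above (listener port, suffix, mainframe host, admin password, _isencrypted_), propagates a changed suffix into metaengine.xml, writes beans.xml back into the gateway JAR, and then cross-checks the result against the Acf2Resource IT resource parameters. It assumes, because the page does not say, that beans.xml sits at the root of the JAR, that the listener bean carries id="listener" and the backend bean name="ACF2"; the XML it works on is a constructed, cut-down sample rather than a real gateway file.

```python
# Added example, not Oracle's code: script the beans.xml / metaengine.xml edits
# from Step 6 and "Configuring the LDAP Gateway for Provisioning", then compare
# the result with the Acf2Resource IT resource. Assumptions: beans.xml is at the
# root of the gateway JAR, listener bean id="listener", backend bean name="ACF2".
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample, reduced to the elements the procedure touches.
SAMPLE_BEANS = """<beans>
  <bean id="listener" class="com.identityforge.ximserver.nio.Listener">
    <property name="port" value="5389"/>
  </bean>
  <bean name="ACF2" singleton="true"
        class="com.identityforge.ximserver.backend.ACF2.ACF2Module">
    <property name="suffix" value="dc=ACF2,dc=com"/>
    <property name="adminUserPassword" value="oimACF2Pwd"/>
    <property name="transport">
      <map>
        <entry key="_type_" value="socket"/>
        <entry key="_isencrypted_" value="false"/>
        <entry key="_host_" value="IP Address of ACF2 System"/>
      </map>
    </property>
  </bean>
</beans>
"""
SAMPLE_METAENGINE = ('<meta><partition dn="dc=ACF2,dc=com"/>'
                     '<entry dn="cn=x,dc=ACF2,dc=com"/></meta>')
# Passwords printed in this guide; anything still using one is a finding.
DEFAULT_SECRETS = {"oimACF2Pwd", "idfAcf2Pwd"}


def patch_beans(xml_text, port, host, suffix, admin_password):
    """Return beans.xml with listener port, suffix, host and password applied
    and the socket transport switched to encrypted. Refuses default passwords."""
    if not admin_password or admin_password in DEFAULT_SECRETS:
        raise ValueError("adminUserPassword must be changed from the shipped default")
    root = ET.fromstring(xml_text)
    root.find("./bean[@id='listener']/property[@name='port']").set("value", str(port))
    acf2 = root.find("./bean[@name='ACF2']")
    acf2.find("./property[@name='suffix']").set("value", suffix)
    acf2.find("./property[@name='adminUserPassword']").set("value", admin_password)
    transport = acf2.find("./property[@name='transport']/map")
    transport.find("./entry[@key='_host_']").set("value", host)
    # Per the file's own comment, true selects 128-bit AES on the socket transport.
    transport.find("./entry[@key='_isencrypted_']").set("value", "true")
    return ET.tostring(root, encoding="unicode")


def patch_metaengine(xml_text, old_suffix, new_suffix):
    """Step 3 of the procedure: replace every occurrence of the old partition."""
    return xml_text.replace(old_suffix, new_suffix)


def check_it_resource(beans_xml, it_resource):
    """Compare the Acf2Resource parameters with the gateway configuration.
    Returns a list of findings; an empty list means they agree."""
    root = ET.fromstring(beans_xml)
    acf2 = root.find("./bean[@name='ACF2']")
    findings = []
    port = root.find("./bean[@id='listener']/property[@name='port']").get("value")
    if str(it_resource["Port"]) != port:
        findings.append(f"IT resource Port {it_resource['Port']} != listener port {port}")
    pwd = acf2.find("./property[@name='adminUserPassword']").get("value")
    if it_resource["Admin Password"] != pwd:
        findings.append("IT resource Admin Password differs from adminUserPassword")
    if it_resource["Admin Password"] in DEFAULT_SECRETS:
        findings.append("IT resource Admin Password is a documented default")
    enc = acf2.find("./property[@name='transport']/map/entry[@key='_isencrypted_']")
    if enc.get("value") != "true":
        findings.append("_isencrypted_ is not true: gateway-to-mainframe link is plaintext")
    return findings


def build_sample_jar():
    """Constructed stand-in for the gateway JAR (a zip) holding SAMPLE_BEANS."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("beans.xml", SAMPLE_BEANS)
    return buf.getvalue()


def read_beans(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return jar.read("beans.xml").decode()


def repackage(jar_bytes, new_beans):
    """Write the edited beans.xml back into the JAR; other entries are kept."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = new_beans.encode() if item.filename == "beans.xml" else src.read(item)
            dst.writestr(item.filename, data)
    return out.getvalue()
```

Typical use is `jar = build_sample_jar()` (or the bytes of the real JAR), `new = patch_beans(read_beans(jar), 5389, "10.0.0.5", "dc=mf,dc=example", password_from_vault)`, `repackage(jar, new)`, and `check_it_resource(new, {"Port": 5389, "Admin Password": password_from_vault})`, which returns an empty list only when the IT resource and the gateway agree and the link is encrypted. Run against the unmodified sample with the guide's default IT resource values it reports three findings (password mismatch, default password, plaintext transport), which is exactly the state a fresh install is in.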

Configuring the Connector for Multiple Installations of the Target System

Perform the following steps to configure a connector to interface with multiple target system installations:

  1. Extract the beans.xml file from the LDAP_install_dir/dist/idfserver.jar file.

  2. Open the beans.xml file file in a text editor.

  3. Locate the <property name="backends"> element and add a <ref> element that names the Java bean for the target system. Each <ref bean="..."/> must match the id or name of a bean defined elsewhere in beans.xml (for example, the ACF2 backend bean defined in the provisioning configuration is named ACF2); the gateway's bean container fails at startup on a reference it cannot resolve. For example, the following code configures RACF and TopSecret targets in the same connector:

    <property name="backends">
      <list>
        <ref bean="hpbe2"/>       
        <ref bean="racf"/>
        <ref bean="tops"/>
      </list>
    </property>
    
    
  4. Locate the <property name="priority"> element and add a <ref> element for each backend bean, in priority order, as follows:

    <property name="priority">
      <list>
        <ref bean="be2"/>       
        <ref bean="be3"/>
        <ref bean="be4"/>
      </list>
    </property>
    
    
  5. Save the beans.xml file and repackage the LDAP_install_dir/dist/idfserver.jar file.
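The following script is an added example, not code from Oracle or the gateway product, for steps 3 and 4 above. It registers an additional backend bean in a Spring-style beans.xml and then verifies that every <ref bean="..."/> in the backends and priority lists resolves to a bean that the file actually defines, which is the check that bites at startup when the two lists drift apart (for instance a priority list naming be2, be3 and be4 while the backends are hpbe2, racf and tops). The bean ids and the XML are constructed for the demonstration; a real beans.xml contains many more beans.

```python
# Added example, not Oracle's code: register an additional backend bean in a
# Spring-style beans.xml and verify that every <ref bean="..."/> in the backends
# and priority lists resolves to a defined bean. Bean ids and XML are constructed.
import xml.etree.ElementTree as ET

SAMPLE = """<beans>
  <bean id="hpbe2" class="com.example.Backend"/>
  <bean name="racf" class="com.example.Backend"/>
  <bean id="server" class="com.example.Server">
    <property name="backends">
      <list><ref bean="hpbe2"/><ref bean="racf"/></list>
    </property>
    <property name="priority">
      <list><ref bean="hpbe2"/><ref bean="racf"/></list>
    </property>
  </bean>
</beans>"""


def defined_beans(root):
    """Names a <ref> may point at: the id or name attribute of every <bean>."""
    names = set()
    for bean in root.iter("bean"):
        names.update(v for v in (bean.get("id"), bean.get("name")) if v)
    return names


def add_backend(xml_text, bean_name, priority_index=None):
    """Append the backend to the backends list and place it in the priority
    list (at the end, or at priority_index); returns the edited XML text."""
    root = ET.fromstring(xml_text)
    backends = root.find(".//property[@name='backends']/list")
    ET.SubElement(backends, "ref", bean=bean_name)
    priority = root.find(".//property[@name='priority']/list")
    ref = ET.Element("ref", bean=bean_name)
    if priority_index is None:
        priority.append(ref)
    else:
        priority.insert(priority_index, ref)
    return ET.tostring(root, encoding="unicode")


def unresolved_refs(xml_text):
    """Every ref target that no bean defines, sorted; an empty list means the
    file is consistent and the container will resolve all references."""
    root = ET.fromstring(xml_text)
    defined = defined_beans(root)
    return sorted({r.get("bean") for r in root.iter("ref")
                   if r.get("bean") not in defined})


def list_refs(xml_text, prop_name):
    """The ref targets of one list-valued property, in document order."""
    root = ET.fromstring(xml_text)
    lst = root.find(f".//property[@name='{prop_name}']/list")
    return [r.get("bean") for r in lst.findall("ref")]
```

Calling `add_backend(SAMPLE, "tops", priority_index=0)` adds the new ref to both lists; `unresolved_refs` on the result reports `["tops"]` until a `<bean name="tops" .../>` definition is added, and reports nothing once it is. Run `unresolved_refs` on the edited file before repackaging the JAR: an empty list is the condition for the gateway to start with the new backend.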