Oracle® Identity Manager Connector Guide for IBM i5/OS (OS/400) Advanced Release 9.0.3 Part Number B32447-01
The Provisioning and Reconciliation Agent Components of the IBM i5/OS (OS/400) Advanced Connector are deployed on IBM i5/OS (OS/400). This chapter describes the installation and configuration of the Provisioning Agent and Reconciliation Agent in the following sections:
The following table identifies the hardware, software, and authorization prerequisites for installing the Provisioning Agent and Reconciliation Agent.
Item | Requirement
---|---
i5/OS (OS/400) Operating System | IBM i5/OS (OS/400). Verify that all current patches are in place.
Message Transport Layer | JTOpen
i5/OS (OS/400) Identity Repository | Current patch level for i5/OS (OS/400)
Target system user account for the Provisioning Agent and Reconciliation Agent | SystemAdministrators privileges on IBM i5/OS (OS/400)
The Provisioning Agent and the Reconciliation Agent are installed on the i5/OS (OS/400). Both require the installation of a started task. In addition, these agents function under a user account on the i5/OS (OS/400) system. This user account must be created by the i5/OS (OS/400) administrator during the deployment of the Provisioning Agent and the Reconciliation Agent.
Note:
Both the Provisioning Agent and Reconciliation Agent user accounts require SystemAdministrators group privileges on the i5/OS (OS/400).

The Reconciliation Agent operates using user exit technology, outside the i5/OS (OS/400) operating system.
Typical midrange operating system shops install custom exits, for example to maintain a certain password format. The connector exits are engineered to be the last exits called in sequence, allowing existing exits to function normally.
To install the connector on the target IBM i5/OS (OS/400) system, do the following:
Do a binary FTP of the OIMIDFEX.SAVF file to any directory on the target i5/OS (OS/400) system from the following location:
IBM i5 Advanced Connector Rev 9.0.3/etc/Provisioning and Reconciliation Connector/OIMIDFEX.SAVF
For this set of instructions, the directory to which this file is transmitted will be referred to as OIMI5ADV.
To view the saved library and the contained objects, you use the DSPSAVF command, as follows:
```
DSPSAVF FILE(SAMPLIB/OIMIDFEX)
```
i5 Screen output from the DSPSAVF command:
```
==============================================================================
                       Display Saved Objects - Save File
Library saved . . . :   ORIGLIB        Release level . . . :   V4R5M0
ASP . . . . . . . . :   1              Data compressed . . :   No
Save file . . . . . :   OIMIDFEX       Objects displayed . :   3
  Library . . . . . :   ORIGLIB        Objects saved . . . :   3
Records . . . . . . :   688            Access paths . . . . :  0
Save command . . . . :  SAVOBJ         Save active . . . . :   *NO
Save date/time . . . :  01/20/07 01:28:35

Type options, press Enter.
  5=Display saved data base file members

Opt  Object      Type    Attribute  Owner      Size (K)  Data
     XUSRPWD     *PGM    CLE        ORIGLIB         236  YES
     NOTIFY      *PGM    CLE        ORIGLIB          68  YES
     QCSRC       *FILE   PF         ORIGLIB          24  YES

F3=Exit   F12=Cancel
==============================================================================
```
Now that you know the name and the objects of the saved library, you can restore the objects in the save file using the RSTOBJ (restore object) command. Because the restored objects will be saved in a new target library, you need to use the SAVLIB and RSTLIB parameters. SAVLIB uses the original library name, and RSTLIB uses the new library that you restore the save file objects to. The syntax for this command is as follows:
```
RSTOBJ OBJ(*ALL) SAVLIB(ORIGLIB) DEV(*SAVF) SAVF(SAMPLIB/OIMIDFEX) RSTLIB(NEWLIB)
```
If required, the new library can be a general public library (QGPL).
Note:
The Provisioning Agent does not require any special configuration during the IBM i5/OS (OS/400) Advanced connector deployment. To use the provisioning functionality of this connector, you must ensure that the LDAP Gateway and the message transport layer are configured correctly.

After copying the connector save file to the OIMI5ADV library, you install the exits for the reconciliation agent. As mentioned earlier, the connector exits are engineered to be the last exits called in sequence, allowing existing exits to function normally. To install the exits, do the following:
The i5/OS (OS/400) Reconciliation Agent can be installed in either a menu-driven or a command-driven installation protocol. The following instructions assume the use of the menu-driven protocol.
Log on to the i5/OS (OS/400) system as a system administrator.
Ensure that the connector library files and objects are present in the OIMI5ADV library.
See Also:
Step 2: i5/OS (OS/400) Installing the Reconciliation Agent describes the process of copying the connector files to the library.

Start the User Exit Registration program WRKREGINF:
```
Parameters or command ===> WRKREGINF
```
In i5/OS (OS/400), exit programs are called dynamically. This means that if an exit program was registered with the system, you can replace the program with a new version, without the need to register the exit.
You will primarily work with the CHG_PROFILE (change), CRT_PROFILE (create), and DLT_PROFILE (delete) entries. Deleting a user profile can be a lengthy affair, because a user may own multiple objects, and therefore, be present on many lists and internal tables.
Cleaning up after a user can take a long time to process (many minutes), so a batch job is used for the clean-up process. There are two delete points: before the start of the clean-up job, and at the end of the clean-up job. The Reconciliation Agent monitors only the first delete point (before the clean-up job).
In addition, each exit point has an exit point format associated with it. The format that is passed to the exit program determines the format of the other information passed to it. In the following example, option 8 is selected for these exit points, either as a group or one at a time. The following exits will be changed:
```
QIBM_QSY_CHG_PROFILE   CHGP0100   *YES   Change User Profile
QIBM_QSY_CRT_PROFILE   CRTP0100   *YES   Create User Profile
QIBM_QSY_DLT_PROFILE   DLTP0200   *YES   Delete User Profile - before
QIBM_QSY_RST_PROFILE   RSTP0100   *YES   Restore User Profile
QIBM_QSY_VLD_PASSWRD   VLDP0100   *YES   Validate Password
```
You also need the RST_PROFILE (restore) exit point, which is used when user profiles are restored from a save file during otherwise normal operation (and not during a restore of the whole system from scratch).
You also need to use the VLD_PASSWRD exit point, which is called when the password is changed by the user. This exit point is not called when a user profile is created with the initial password or when the security administrator changes the password for a user.
Note:
This IBM design limitation has been fixed in IBM i5/OS (OS/400) V5R4 by introducing another exit point called QIBM_QSY_CHK_PASSWRD.

You need to register the XUSRPWD exit program with QIBM_QSY_CHG_PROFILE. However, when you try to do this, you might find that there is an existing exit program registered for this point. In the following code snippet, this is QGLDPUEXIT in the main system library QSYS. This implies that the i5/OS (OS/400) system itself uses this exit point to extend its functionality.
You must also consider the Exit Program Number, which determines the order in which the exit programs will run. The system exit program is typically the last to run in the processing order, hence it has a very large Exit Program Number (2147483647). Fill in the Oracle Identity Manager custom user exit program and select option 1 for Add:
```
      Exit Program   Exit
Opt   Number         Program       Library
 1                   XUSRPWD       OIMI5ADV
      2147483647     QGLDPUEXIT    QSYS
```
Press the Enter key, and the Add screen appears. The screen should have the following values:
```
Exit point . . . . . . . . . > QIBM_QSY_CHG_PROFILE
Exit point format . . . . . >  CHGP0100       Name
Program number . . . . . . . > 1              1-2147483647, *LOW, *HIGH
Program . . . . . . . . . . >  XUSRPWD        Name
  Library . . . . . . . . . >  OIMI5ADV       Name, *CURLIB
Threadsafe . . . . . . . . .   *UNKNOWN       *UNKNOWN, *NO, *YES
Multithreaded job action . .   *SYSVAL        *SYSVAL, *RUN, *MSG, *NORUN
Text 'description' . . . . .   *BLANK
```
Press the Enter key to add the program, then the F5 key to refresh the system to view the result of the procedure.
Note:
An exit program runs in the environment (called an activation group) of the job or user issuing the command that causes the exit program to be called. Therefore, the current library (*CURLIB) value changes often and the system might not be able to locate the exit program. The library from where the system can find the exit program is usually hard coded into the exit program registration as shown in the preceding screen output.

Proceed with the remaining exit points as follows:
```
      Exit Program   Exit
Opt   Number         Program       Library
 1                   XUSRPWD       OIMI5ADV
      2147483647     QGLDPUEXIT    QSYS

Exit point: QIBM_QSY_CHG_PROFILE   Format: CHGP0100
Exit point: QIBM_QSY_CRT_PROFILE   Format: CRTP0100
Exit point: QIBM_QSY_DLT_PROFILE   Format: DLTP0200
Exit point: QIBM_QSY_RST_PROFILE   Format: RSTP0100
Exit point: QIBM_QSY_VLD_PASSWRD   Format: VLDP0100
```
Note:
On IBM i5/OS (OS/400) V5R4, you also register the CHK_PASSWRD exit point.

Before the General Registration Facility was introduced, a password validation program was used. This was handled through the system value settings. The command WRKSYSVAL allows you to work with the system values that control most of the system configuration. Enter the command WRKSYSVAL and scroll down to the following line:
```
QPWDVLDPGM   *SEC   Password validation program
```
Select option 2 for QPWDVLDPGM.
After the XUSRPWD exit program is added to the various exit points, the NOTIFY exit program must be added as well. The NOTIFY exit program needs to be defined with Program Number 2, because it must be triggered after the XUSRPWD exit program. The NOTIFY exit program needs to be registered only for the CHGP0100, CRTP0100, and DLTP0200 exits.
This completes the installation of the reconciliation agent exits.
Note:
If an exit program is specified instead of *REGFAC, do not continue, as you will interfere with an existing validation program. This way of specifying a validation program is now obsolete. The calling format is different from that of the registered programs and is no longer found in recent documentation. The IBM i5/OS (OS/400) Advanced connector code does not support the old-style validation program.
The QSECURITY system value determines the security level of the system. The highest (most secure) level is level 50. The Oracle Identity Manager i5/OS (OS/400) Advanced Connector has been designed for and has been successfully tested on level 50, the highest security level.
To configure the message transport layer on the i5/OS (OS/400) system, you configure the Notify exit IP address.
The Notify exit takes the IP address and port number parameters for the LDAP Gateway (installed on the Oracle Identity Manager server) from the QCSRC/IPPARMS file.
To specify the IP address and the port number of the LDAP Gateway, open the QCSRC/IPPARMS file for editing.
The standard port number is 5490. This must be entered as a 6-digit number with zeros preceding the actual port number. For example, 5490 must be entered as 005490.
The port number is followed by the colon (:) symbol, the LDAP Gateway server IP, and then an additional colon symbol.
For example:
```
005490:10.0.0.1:
```
Save the QCSRC/IPPARMS file. This change for the IBM i5/OS (OS/400) does not require an IPL.
Note:
The port number must take up the first six character positions, with leading zeros in the number. A colon is in the seventh character position. The IP address starts at the eighth character position and its size can vary, but it must be followed by a colon.
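As an added example (not part of this guide or the connector's own code), the following Python helper builds and checks a QCSRC/IPPARMS record against the fixed layout described above. It assumes the record holds an IPv4 address and that trailing blanks padding the source member to its record length can be ignored; a Notify exit reading a malformed record would fail to reach the LDAP Gateway, so this is a cheap check to run before saving the file.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Layout from the guide: positions 1-6 hold the port with leading zeros,
# position 7 is a colon, the IP starts at position 8 and is variable in
# length, and a terminating colon follows it.
RECORD_RE = re.compile(r"^(\d{6}):([^:]+):$")


def build_ipparms(port: int, host: str) -> str:
    """Build an IPPARMS record for the given LDAP Gateway port and IPv4 address."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    ip = ipaddress.IPv4Address(host)  # raises ValueError on a bad address
    return f"{port:06d}:{ip}:"


def parse_ipparms(record: str) -> Tuple[int, str]:
    """Parse one IPPARMS record, rejecting anything that breaks the fixed layout."""
    # Assumption: trailing blanks/newline come from the source member's fixed
    # record length and are not part of the configured value.
    line = record.rstrip()
    m = RECORD_RE.match(line)
    if m is None:
        raise ValueError(f"malformed IPPARMS record (expected PPPPPP:ip:): {line!r}")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    try:
        ip = ipaddress.IPv4Address(m.group(2))
    except ValueError as exc:
        raise ValueError(f"invalid IP address in IPPARMS: {m.group(2)!r}") from exc
    return port, str(ip)


def check_ipparms(record: str) -> Optional[str]:
    """Return None when the record is valid, otherwise the reason it is not."""
    try:
        parse_ipparms(record)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample: the guide's standard port and a placeholder gateway IP.
    sample = build_ipparms(5490, "10.0.0.1")
    print(sample, parse_ipparms(sample), check_ipparms("5490:10.0.0.1:"))
```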