Oracle® Identity Manager Connector Guide for IBM RACF Advanced
Release 9.0.4

E10451-21

5 Extending the Functionality of the Connector

This chapter discusses the following optional procedures that you can perform to extend the functionality of the connector for addressing your business requirements:

5.1 Adding Custom Fields for Target Resource Reconciliation

Note:

You must ensure that new attributes you add for reconciliation contain only string-format data. Binary attributes must not be brought into Oracle Identity Manager natively.

By default, the attributes listed in Table 1-3 are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new attributes for target resource reconciliation.

To add a custom field to reconciliation, you must first update the connector reconciliation component you are using, and then update Oracle Identity Manager. This section discusses the following topics:

5.1.1 Adding Custom Fields to the Reconciliation Component

Depending on whether you want to add custom fields for real-time reconciliation or full reconciliation, perform the procedure described in the following sections:

5.1.1.1 Adding Custom Fields for Incremental (Real-Time) Reconciliation

The reconAttrs property, found in the VOYAGER_ID.properties file, contains the list of target system attributes that are mapped for real-time reconciliation with Oracle Identity Manager.

To add a custom field for real-time target resource reconciliation:

  1. In the LDAP_INSTALL_DIR/etc directory, open the .properties file which corresponds to your target resource (by default, this file is called VOYAGER_ID.properties).

  2. Add the custom field name to the reconAttrs property list.

5.1.1.2 Adding Custom Fields for Full Reconciliation

You can add custom fields for full reconciliation by specifying a value for the SingleValueAttributes attribute of the RACF Reconcile All Users reconciliation scheduled task. See Section 4.4.3.1, "RACF Reconcile All Users" for more information.

To add a custom field for scheduled task reconciliation:

  1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 9.1.0.x:

      1. Log in to the Administrative and User Console.

      2. Expand Resource Management, and then click Manage Scheduled Task.

    • For Oracle Identity Manager release 11.1.1:

      1. Log in to the Administrative and User Console.

      2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

      3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

    • For Oracle Identity Manager release 11.1.2.x:

      1. Log in to Oracle Identity System Administration.

      2. In the left pane, under System Management, click Scheduler.

  2. Search for and open the RACF Reconcile All Users scheduled task as follows:

    If you are using Oracle Identity Manager release 9.1.0.x, then:

    1. On the Scheduled Task Management page, enter RACF Reconcile All Users as the search criteria and then click Search.

    2. In the search results table, click the Edit icon in the Edit column for the scheduled task.

    3. On the Scheduled Task Details page, where the details of the scheduled task are displayed, click Edit.

      If you are using Oracle Identity Manager releases 11.1.1 and 11.1.2.x, then:

      1. On the left pane, in the Search field, enter RACF Reconcile All Users as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

      2. In the search results table on the left pane, click the scheduled job in the Job Name column.

  3. Add the custom field to the list of attributes in the SingleValueAttributes scheduled task attribute.

  4. Click Apply.

5.1.2 Adding Custom Fields to Oracle Identity Manager

After adding the custom field to either the VOYAGER_ID.properties file (if using real-time reconciliation) or the RACF Reconcile All Users scheduled task (if using scheduled task reconciliation), you must add the custom field to the Oracle Identity Manager components.

To update Oracle Identity Manager with the custom field:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Add the custom field to the list of reconciliation fields in the resource object as follows:

    1. Expand Resource Management and then double-click Resource Objects.

    2. Search for and open the OIMRacfResourceObject resource object.

    3. On the Object Reconciliation tab, click Add Field.

    4. In the Add Reconciliation Field dialog box, enter the details of the field.

      For example, enter Description in the Field Name field and select String from the Field Type list.

    5. Click Save and close the dialog box.

    6. Click Create Reconciliation Profile. This copies changes made to the resource object into MDS.

    7. Click Save.

  3. Add the custom field on the process form as follows:

    1. Expand Development Tools and then double-click Form Designer.

    2. Search for and open the UD_RACF_ADV process form.

    3. Click Create New Version, and then click Add.

    4. Enter the details of the field.

      For example, if you are adding the Description field, then enter UD_RACF_ADV_DESCRIPTION in the Name field, and then enter the rest of the details of this field.

    5. Click Save and then click Make Version Active.

  4. Create an entry for the field in the AtMap.RACF lookup definition, as follows:

    1. Expand Administration and then double-click Lookup Definition.

    2. Search for and open the AtMap.RACF lookup definition.

    3. Click Add and enter the Code Key and Decode values for the field. The Code Key value is the name of the process form field that you created for the custom field in Step 3.d. The Decode value is the name of the target system field.

      For example, enter UD_RACF_ADV_DESCRIPTION in the Code Key field and then enter description in the Decode field.

    4. Click Save.

  5. Create a reconciliation field mapping for the custom field in the provisioning process as follows:

    1. Expand Process Management and then double-click Process Definition.

    2. Search for and open the OIMRacfProvisioningProcess process definition.

    3. On the Reconciliation Field Mappings tab of the provisioning process, click Add Field Map.

    4. In the Add Reconciliation Field Mapping dialog box, from the Field Name field, select the value for the field that you want to add. For example, from the Field Name field, select Description.

    5. Double-click the Process Data field, and then select UD_RACF_ADV_DESCRIPTION.

    6. Click Save and close the dialog box.

    7. Click Save.

  6. If you are using Oracle Identity Manager release 11.1.2.x, then create a new UI form and attach it to the application instance to make this new attribute visible. See Section 3.6.1.2, "Creating a New UI Form" and Section 3.6.1.6, "Updating an Existing Application Instance with a New Form" for the procedures.

5.2 Adding Custom Multivalued Fields for Reconciliation

To add a custom multivalued field to reconciliation, you must first update the IDF reconciliation component you are using, and then update Oracle Identity Manager.

5.2.1 Adding Custom Multivalued Fields to the Reconciliation Component

Depending on whether you want to add custom multivalued fields for real-time reconciliation or full reconciliation, perform the procedure described in the following sections:

5.2.1.1 Adding Custom Multivalued Fields for Incremental (Real-Time) Reconciliation

The multiReconAttrs property, found in the VOYAGER_ID.properties file, contains the list of multi-valued target system attributes that are mapped for real-time reconciliation with Oracle Identity Manager.

To add a custom multi-valued field for real-time target resource reconciliation:

  1. In the LDAP_INSTALL_DIR/etc directory, open the .properties file which corresponds to your target resource (by default, this file is called VOYAGER_ID.properties).

  2. Add the custom attribute name to the multiReconAttrs property list.

5.2.1.2 Adding Custom Multivalued Fields for Full Reconciliation

You can add custom multivalued fields for full reconciliation by specifying a value for the MultiValuedAttributes property of the RACF Reconcile All Users reconciliation scheduled task. See Section 4.4.3.1, "RACF Reconcile All Users" for more information.

To add a custom field for scheduled task reconciliation:

  1. Log in to Oracle Identity Manager Administrative and User Console.

  2. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 9.1.0.x:

    1. Log in to the Administrative and User Console.

    2. Expand Resource Management, and then click Manage Scheduled Task.

    • For Oracle Identity Manager release 11.1.1:

    1. Log in to the Administrative and User Console.

    2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

    3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

    • For Oracle Identity Manager release 11.1.2.x:

    1. Log in to Oracle Identity System Administration.

    2. In the left pane, under System Management, click Scheduler.

  3. Search for and open the RACF Reconcile All Users scheduled task as follows:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

    1. On the Scheduled Task Management page, enter RACF Reconcile All Users as the search criteria and then click Search.

    2. In the search results table, click the Edit icon in the Edit column for the scheduled task.

    3. On the Scheduled Task Details page, where the details of the scheduled task are displayed, click Edit.

    • If you are using Oracle Identity Manager releases 11.1.1 and 11.1.2.x, then:

    1. On the left pane, in the Search field, enter RACF Reconcile All Users as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    2. In the search results table on the left pane, click the scheduled job in the Job Name column.

  4. Add the custom field to the list of attributes in the MultiValuedAttributes property.

  5. Click Apply.

5.2.2 Adding Custom Multivalued Fields to Oracle Identity Manager

After adding the custom multi-valued field to either the VOYAGER_ID.properties file (if using real-time reconciliation) or the RACF Reconcile All Users scheduled task (if using scheduled task reconciliation), you must add the custom multi-valued field to the Oracle Identity Manager components. To update Oracle Identity Manager with the multi-valued field:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Create a form for the multi-valued field as follows:

    1. Expand Development Tools and double-click Form Designer.

    2. Create a form by specifying a table name and description, and then click Save.

    3. Click Add and enter the details of the field.

    4. Click Save and then click Make Version Active. Figure 5-1 shows the multivalued field added on a new form.

      Figure 5-1 Multivalued Field Added on a New Form

  3. Add the form created for the multi-valued field as a child form of the process form as follows:

    1. Search for and open the UD_RACF_ADV process form.

    2. Click Create New Version.

    3. Click the Child Table(s) tab.

    4. Click Assign.

    5. In the Assign Child Tables dialog box, select the newly created child form, click the right arrow, and then click OK.

    6. Click Save and then click Make Version Active. Figure 5-2 shows the child form added to the process form.

      Figure 5-2 Child Form Added to the Process Form

  4. Add the new multi-valued field to the list of reconciliation fields in the resource object as follows:

    1. Expand Resource Management and then double-click Resource Objects.

    2. Search for and open the OIMRacfResourceObject resource object.

    3. On the Object Reconciliation tab, click Add Field.

    4. In the Add Reconciliation Field dialog box, enter the details of the field.

      For example, enter phoneNumber in the Field Name field and select Multi-Valued Attribute from the Field Type list.

    5. Click Save and close the dialog box.

    6. Right-click the newly created field and select Define Property Fields.

    7. In the Add Reconciliation Fields dialog box, enter the details of the newly created field.

      For example, enter phonenumber in the Field Name field and select String from the Field Type list.

    8. Click Save, and then close the dialog box. Figure 5-3 shows the new reconciliation field added in the resource object.

      Figure 5-3 New Reconciliation Field Added in the Resource Object

    9. Click Create Reconciliation Profile. This copies changes made to the resource object into MDS.

  5. Create an entry for the field in the AtMap.RACF lookup definition, as follows:

    1. Expand Administration and then double-click Lookup Definition.

    2. Search for the AtMap.RACF lookup definition.

    3. Click Add and enter the Code Key and Decode values for the field. The Code Key value is the name of the process form field that you created for the multivalued custom field in Step 3.d. The Decode value is the name of the target system field.

      For example, enter UD_PHONENUM_PHONENUMBER in the Code Key field and then enter phonenumber in the Decode field. Figure 5-4 shows the lookup code added to the lookup definition.

      Figure 5-4 Entry Added in the Lookup Definition

    4. Click Save.

  6. Create a reconciliation field mapping for the new multivalued field as follows:

    1. Expand Process Management and then double-click Process Definition.

    2. Search for and open the OIMRacfProvisioningProcess process definition.

    3. On the Reconciliation Field Mappings tab of the provisioning process, click Add Table Map.

    4. In the Add Reconciliation Table Mapping dialog box, select the field name and table name from the list, click Save, and then close the dialog box.

    5. Right-click the newly created field and select Define Property Field Map.

    6. In the Field Name field, select the value for the field that you want to add.

    7. Double-click the Process Data field, and then select UD_PHONENUM_PHONENUMBER.

    8. Select Key Field for Reconciliation Field Matching and click Save. Figure 5-5 shows the new reconciliation field mapped to a process data field in the process definition.

      Figure 5-5 New Reconciliation Field Mapped to a Process Data Field

5.3 Adding Custom Fields for Provisioning

By default, the attributes listed in Table 1-3 are mapped for provisioning between Oracle Identity Manager and the target system. If required, you can map additional attributes for provisioning.

To add a new attribute for provisioning:

See Also:

One of the following guides for detailed information about these steps:
  1. Log in to the Oracle Identity Manager Design Console.

  2. Add the new field on the process form as follows:

    If you have added the field on the process form by performing Step 5 of Section 5.1.2, "Adding Custom Fields to Oracle Identity Manager," then you need not add the field again. If you have not added the field, then:

    1. Expand Development Tools.

    2. Double-click Form Designer.

    3. Search for and open the UD_RACF_ADV process form.

    4. Click Create New Version, and then click Add.

    5. Enter the details of the attribute.

      For example, if you are adding the Description field, enter UD_RACF_ADV_DESCRIPTION in the Name field, and then enter the rest of the details of this field.

    6. Click Save and then click Make Version Active.

  3. Create an entry for the field in the lookup definition for provisioning as follows:

    1. Expand Administration and then double-click Lookup Definition.

    2. Search for and open the AtMap.RACF lookup definition.

    3. Click Add and then enter the Code Key and Decode values for the field. The Code Key is the name of the form field that you created in Step 2.e. The Decode value must be the name of the field on the target system.

      For example, enter UD_RACF_ADV_DESCRIPTION in the Code Key field and then enter description in the Decode field.

  4. Click Save.

  5. Enable update provisioning operation on the custom fields as follows:

    1. In the provisioning process, add a new task for updating the field as follows:

    2. Expand Process Management, and double-click Process Definition.

    3. Search for and open the OIMRacfProvisioningProcess process definition.

    4. Click Add, and enter the task name and task description. The following are sample values:

      Task Name: Description Updated

      Task Description: Process Task for handling update of the description field.

    5. In the Task Properties section, select the following:

      Conditional

      Required for Completion

      Disable Manual Insert

      Allow Cancellation while Pending

      Allow Multiple Instances

    6. Click Save.

    7. In the provisioning process, select the adapter name in the Handler Type section as follows:

    8. Go to the Integration tab and click Add.

    9. In the Handler Selection dialog box, select Adapter.

    10. From the Handler Name column, select adpMODIFYUSER.

    11. Click Save and close the dialog box.

    12. In the Adapter Variables region, click the idfResource variable.

    13. In the dialog box that is displayed, create the following mapping:

      Variable Name: idfResource

      Map To: Process Data

      Qualifier: LDAP_SERVER

    14. Click Save and close the dialog box.

    15. Repeat Steps 5.l through 5.n for the remaining variables listed in the Adapter Variables region. Table 5-1 lists values that you must select from the Map To, Qualifier, and Literal Value lists for each variable.

      Table 5-1 Values for the Map To, Qualifier, and Literal Value lists for each variable

      Variable                  Map To          Qualifier     Notes
      Adapter Return Variable   Response Code   NA
      uid                       Process Data    String
      attrName                  Literal         String        Enter the LDAP attribute name in the Literal Value field. Example: description
      attrValue                 Process Data    DESCRIPTION   Select the process form field from the drop-down list.


    16. On the Responses tab, click Add to add at least the SUCCESS response code, with Status C. This ensures that if the custom task is successfully run, then the status of the task is displayed as Completed.

    17. Click the Save icon and close the dialog box.

    18. Save the process definition.

    Note:

    To enable Password Interval provisioning, use the literal attrName "pwdInterval" for the modifyUser task. A value of 0 means NOINTERVAL.

  6. If you are using Oracle Identity Manager release 11.1.2.x or later, create a new UI form and attach it to the application instance to make this new attribute visible. See Section 3.6.1.2, "Creating a New UI Form," and Section 3.6.1.6, "Updating an Existing Application Instance with a New Form" for the procedures.

5.4 Using the Provisioning Agent to Run IBM z/OS Batch Jobs

You can use the Provisioning Agent to run IBM z/OS batch jobs after provisioning operations. This feature provides an interface to the batch environment of IBM z/OS. For example, a CLIST script written in IBM REXX can be called through the standard TSO JCL. When it is called, the CLIST can perform user functions such as calling IBM DB2 UDB for database table updates, calling user programs to handle file updates, and generating reports.

To configure the Provisioning Agent to run IBM z/OS batch jobs:

  1. Open the Provisioning Agent control file in a text editor.

    See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for information about this file.

  2. In this file, create entries in the following format:

    C=RACF_COMMAND,M=MEMBER_NAME,L=LIBRARY_NAME

    P=USERID(Y),NAME(Y),CSDATA(003)

    For special post-processing on user deletion, a DEL parameter has been added to the DELUSER entry of the control file (the only entry that accepts it). The parameter is defined as follows:

    C=DELUSER,M=member-name,L=library_name,DEL=Y  or  DEL=N
    DEL=Y  --  execute Rexx clist or z/OS job stream in library L=, M= and Perform the actual deluser via RACF
    DEL=N  --  execute Rexx clist or z/OS job stream in library L=,M= and DO NOT issue the deluser to RACF
    

    In the first line:

    • RACF_COMMAND can be ADDUSER, ALTUSER, DELUSER, CONNECT, or REMOVE.

    • MEMBER_NAME is the name of the IBM z/OS PDS that is submitted for execution in the IBM z/OS batch environment.

    • LIBRARY_NAME is the name of the IBM z/OS PDS library name that contains the member specified by MEMBER_NAME.

      The output of the submitted job is not sent back to the Provisioning Agent of the LDAP Gateway. You must take steps to ensure that the required action is taken based on the status of the operation.

    For example:

    C=ADDUSER,M=ABCD,L=PDS.LIBRARY.ONE
    P=USERID(Y),NAME(N)
    

    The Provisioning Agent fetches the RACF user ID and passes it as a parameter to a REXX clist. The REXX clist must be set up to support parameters or arguments as shown in this example:

    /* rexx */
    Arg p1
     
    

    Here, p1 is the RACF user ID and it can be used in the REXX clist.

    The same applies for NAME. If NAME(Y) and USERID(Y) are used, then the REXX clist can be similar to the following:

    /*    rexx      */
    Arg p1 p2
     
    

    Here, p1 is the RACF user ID and p2 is the name.

    If USERID(Y),NAME(N) is used, then only the user ID is passed.

    The csdata field can also be passed. The following example shows how to create and pass this field:

    See Also:

    Target system documentation for more information
    1. Define a csdata segment. See the IBM RACF System Administrator's Guide for information about the procedure.

    2. To populate a CSDATA segment with one field:

      Altuser IDF004 CSDATA(EMPSER(100100))

      lu idf004 csdata noracf

      USER=IDF004

      CSDATA INFORMATION

      ------------------

      EMPLOYEE SERIAL= 0000100100

    3. To populate a CSDATA segment with multiple fields:

      Altuser idf004 csdata(address('99 Main St, Anywhere, NJ, 08022') Phone(555-555-5555))

      lu idf004 csdata noracf

      USER=IDF004

      CSDATA INFORMATION

      ------------------

      EMPLOYEE SERIAL= 0000100100

      HOME ADDRESS = 99 Main St, Anywhere, NJ, 08022

      HOME PHONE = 555-555-5555

      For example:

      C=ADDUSER,M=ABCD,L=PDS.LIBRARY.ONE

      P=USERID(Y),NAME(N),CSDATA(001)

      The Provisioning Agent fetches the RACF user ID and passes it, together with the EMPLOYEE SERIAL csdata field, to a REXX clist. In this format, the CSDATA parameter specifies the number of CSDATA fields to pass; CSDATA(001) passes the first CSDATA field defined. The passed fields, including the user ID, name, and CSDATA values, cannot exceed 80 bytes in total.

      Note:

      In this example, the two words of the field name are joined with a hyphen (Employee-Serial), because the clist receives the values as blank-separated arguments, and the length must be provided.

      The REXX clist must be set up to support parameters or arguments as shown in the following example:

      /* rexx */
      Arg p1 p2 
      

      Here, p1 is the RACF user ID and p2 is Employee-Serial.

      Note:

      In this release of the Provisioning Agent, there is an 80-byte limit on the size of the field value that is passed. For example, if the user ID, name, and Employee-Serial are together over 80 bytes, one or two of these values must be removed so that the 80-byte limit is not exceeded.
    4. Save and close the file.

The following sequence of steps takes place after a provisioning operation:

  1. The Provisioning Agent opens the control file and reads the association between provisioning functions and the members specified in the file.

  2. If there is an entry for the provisioning operation that was performed, then the corresponding member is submitted to the IBM z/OS batch environment.

    For example, suppose you had added the following entry in the control file:

    C=ALTUSER,M=MY_MEMBER,L=MY_LIBRARY
    

    At the end of a Modify User provisioning operation on the target system, the Provisioning Agent runs the MY_MEMBER member. This member performs the required operation on IBM z/OS.
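As an added example (not part of this guide or of the Provisioning Agent), the following Python checker parses control-file entries in the C=/P= format described above, validates them against the rules this section states, and builds the blank-separated argument string the REXX clist would receive, flagging strings over the 80-byte limit or values containing blanks. The sample control file is constructed; the z/OS side is not contacted.

```python
import re

# Commands this section allows in the C= field of a control-file entry.
RACF_COMMANDS = {"ADDUSER", "ALTUSER", "DELUSER", "CONNECT", "REMOVE"}
# Limit on the combined user ID, name and CSDATA values passed to the clist.
MAX_ARG_BYTES = 80


def parse_entry(c_line, p_line=None):
    """Parse a C= line and its optional P= line into a dict (see this section)."""
    fields = {}
    for part in c_line.strip().split(","):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed control line: {c_line!r}")
        fields[key.strip().upper()] = value.strip()
    fields["C"] = fields.get("C", "").upper()
    if fields["C"] not in RACF_COMMANDS:
        raise ValueError(f"unsupported RACF command: {fields['C']!r}")
    for required in ("M", "L"):
        if not fields.get(required):
            raise ValueError(f"{required}= is required in {c_line!r}")
    if len(fields["M"]) > 8:  # z/OS PDS member names are at most 8 characters
        raise ValueError(f"member name too long: {fields['M']!r}")
    if "DEL" in fields:
        # DEL=Y/N is defined only for the DELUSER entry (see this section).
        if fields["C"] != "DELUSER":
            raise ValueError("DEL= is only defined for DELUSER entries")
        if fields["DEL"].upper() not in ("Y", "N"):
            raise ValueError("DEL= must be Y or N")
    params = {"USERID": False, "NAME": False, "CSDATA": 0}
    if p_line is not None:
        body = p_line.strip()
        if not body.upper().startswith("P="):
            raise ValueError(f"expected a P= line, got {p_line!r}")
        for name, value in re.findall(r"([A-Z]+)\(([^)]*)\)", body[2:].upper()):
            if name in ("USERID", "NAME"):
                params[name] = value == "Y"
            elif name == "CSDATA":
                params["CSDATA"] = int(value)  # CSDATA(003) -> first 3 fields
            else:
                raise ValueError(f"unknown P= parameter: {name}")
    fields["params"] = params
    return fields


def load_control_file(text):
    """Pair each C= line with the P= line that follows it, if any."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries, i = [], 0
    while i < len(lines):
        if not lines[i].upper().startswith("C="):
            raise ValueError(f"expected a C= line, got {lines[i]!r}")
        p_line = None
        if i + 1 < len(lines) and lines[i + 1].upper().startswith("P="):
            p_line = lines[i + 1]
        entries.append(parse_entry(lines[i], p_line))
        i += 2 if p_line else 1
    return entries


def expected_token_count(entry):
    """Number of positional arguments (p1 p2 ...) the clist should receive."""
    p = entry["params"]
    return int(p["USERID"]) + int(p["NAME"]) + p["CSDATA"]


def build_clist_args(entry, userid, name="", csdata_values=()):
    """Build the blank-separated argument string handed to the REXX clist."""
    p = entry["params"]
    args = []
    if p["USERID"]:
        args.append(userid)
    if p["NAME"]:
        args.append(name)
    args.extend(list(csdata_values)[: p["CSDATA"]])
    return " ".join(args)


def check_clist_args(arg_string, expected_count):
    """Return a list of problems with an argument string (empty if it is fine).

    REXX 'Arg p1 p2 ...' splits on blanks, so a value such as 'EMPLOYEE SERIAL'
    would shift later arguments; that is why it is passed as Employee-Serial.
    """
    problems = []
    if len(arg_string) > MAX_ARG_BYTES:  # one byte per character in EBCDIC
        problems.append(f"argument string is {len(arg_string)} bytes, limit is {MAX_ARG_BYTES}")
    if len(arg_string.split()) != expected_count:
        problems.append("a value contains blanks; REXX Arg would split it into extra tokens")
    return problems


# Constructed sample control file: the ADDUSER entry is from this section,
# the DELUSER entry uses the DEL= post-processing parameter described above.
SAMPLE_CONTROL_FILE = """\
C=ADDUSER,M=ABCD,L=PDS.LIBRARY.ONE
P=USERID(Y),NAME(N),CSDATA(001)
C=DELUSER,M=DELPOST,L=PDS.LIBRARY.ONE,DEL=N
"""
```

Run `load_control_file` over the real control file before deploying it, then `check_clist_args` with representative user IDs and CSDATA values to catch entries that would exceed the 80-byte limit.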

5.5 Configuring the Connector for Provisioning to Multiple Installations of the Target System

You can configure the connector for multiple installations of the target system. You can also configure the connector for a scenario in which multiple logical partitions (LPARs), which are not associated with the first LPAR, are configured in the target system.

For each installation of the target system, you create an IT resource and configure an additional instance of the LDAP Gateway.

To configure the connector for the second installation of the target system:

Note:

Perform the same procedure for all installations of the target system.
  1. Create an IT resource based on the OIMLDAPGatewayResourceType IT resource type.

    See one of the following guides for information about creating IT resources.

    See Section 3.5, "Configuring the IT Resource" for information about the parameters of the IT resource.

  2. Copy the current LDAP_INSTALL_DIR directory, including all the subdirectories, to a new location on the Oracle Identity Manager computer.

  3. Extract the contents of the LDAP_INSTALL_DIR/dist/idfserver.jar file.

  4. In the beans.xml file, change the value of the port in the <property name="port" value="xxxx"/> line to specify a port that is different from the port used for the first instance of the LDAP Gateway. The default port number is shown in the following example:

    <bean id="listener" class="com.identityforge.idfserver.nio.Listener">
    <constructor-arg><ref bean="bus"/></constructor-arg>
    <property name="admin"><value>false</value></property>
    <property name="config"><value>../conf/listener.xml</value></property>
    <property name="port" value="5389"/>
    </bean>
    

    When you change the port number, you must make the same change in the value of the idfServerPort parameter of the IT resource that you create by performing Step 1.

  5. Save and close the beans.xml file.

  6. Open the LDAP_INSTALL_DIR/conf/racf.properties file and edit the following parameters:

    • host= Enter the IP address or host name of the mainframe.

    • port= Enter the port number for the second instance of the Provisioning Agent.

    • agentPort= Enter the port number for the second instance of the Reconciliation Agent.

      Note:

      The value of the agentPort parameter must not be the same as that of the first instance if a second LPAR, which is not associated with the first LPAR, is configured in the target system. This value can be the same as the value of the idfServerPort parameter if you have two mainframe servers with IBM RACF running on each server.

  7. Save and close the racf.properties file.

  8. If using real-time reconciliation, open the LDAP_INSTALL_DIR/etc/VOYAGER_ID.properties file and edit the following property:

    itResource= Enter the name of the IT resource for the second LDAP Gateway.

  9. Save and close the VOYAGER_ID.properties file.

  10. In a Linux or Solaris environment, if there are not enough socket file descriptors to open up all the ports needed for the server, then:

    1. In a text editor, open the run script from the LDAP_INSTALL_DIR/bin directory.

    2. Add the following line in the file:

      -Djava.nio.channels.spi.SelectorProvider=sun.nio.ch.PollSelectorProvider
      
    3. Save and close the file.

When you perform provisioning operations:

When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the IBM RACF installation to which you want to provision the user.
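As an added example (not part of this guide), the following Python check compares the configuration of the first and second LDAP Gateway instances as this section requires: the listener port in beans.xml must differ, the idfServerPort of the second IT resource must match its listener port, and agentPort must not repeat the first instance's value when both instances point at the same mainframe host (that is this example's reading of the note above). The property key names host, port and agentPort, and all port numbers, are assumed or constructed.

```python
import xml.etree.ElementTree as ET


def listener_port(beans_xml):
    """Return the port of the bean with id="listener" from beans.xml text."""
    root = ET.fromstring(beans_xml)
    bean = root if root.get("id") == "listener" else root.find(".//bean[@id='listener']")
    if bean is None:
        raise ValueError("no listener bean found in beans.xml")
    prop = bean.find("property[@name='port']")
    if prop is None:
        raise ValueError("listener bean has no port property")
    # The port is written as value="5389" in the snippet above, while the other
    # properties use a nested <value> element, so accept both spellings.
    value = prop.get("value")
    if value is None:
        value = prop.findtext("value")
    return int(value)


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_second_instance(first, second):
    """Compare two gateway instances and return a list of problems.

    Each argument is a dict with 'beans_xml' (file text), 'racf_properties'
    (file text) and 'it_resource' (dict holding idfServerPort).
    """
    problems = []
    port1, port2 = listener_port(first["beans_xml"]), listener_port(second["beans_xml"])
    if port1 == port2:
        problems.append(f"both instances listen on port {port1}; change the second beans.xml")
    if int(second["it_resource"]["idfServerPort"]) != port2:
        problems.append("idfServerPort of the second IT resource does not match its listener port")
    r1, r2 = parse_properties(first["racf_properties"]), parse_properties(second["racf_properties"])
    # Reading of the note above: on the same mainframe host (unrelated second
    # LPAR) agentPort must differ; with two separate mainframes it may repeat.
    if r1.get("host") == r2.get("host") and r1.get("agentPort") == r2.get("agentPort"):
        problems.append("agentPort repeats the first instance's value on the same mainframe host")
    return problems


# Constructed sample files. The listener bean is the one shown in this section,
# wrapped in a <beans> root element as in a complete beans.xml.
BEANS_XML_TEMPLATE = """<beans>
<bean id="listener" class="com.identityforge.idfserver.nio.Listener">
<constructor-arg><ref bean="bus"/></constructor-arg>
<property name="admin"><value>false</value></property>
<property name="config"><value>../conf/listener.xml</value></property>
<property name="port" value="{port}"/>
</bean>
</beans>"""

FIRST_INSTANCE = {
    "beans_xml": BEANS_XML_TEMPLATE.format(port=5389),
    "racf_properties": "host=mainframe.example.com\nport=5790\nagentPort=5791\n",
    "it_resource": {"idfServerPort": "5389"},
}


def second_instance(listener=5390, agent_port=5793, it_port=None):
    """Build a second-instance description for the checks (constructed values)."""
    return {
        "beans_xml": BEANS_XML_TEMPLATE.format(port=listener),
        "racf_properties": f"host=mainframe.example.com\nport=5792\nagentPort={agent_port}\n",
        "it_resource": {"idfServerPort": str(it_port if it_port is not None else listener)},
    }
```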

5.6 Configuring the Connector for Reconciliation of Multiple Installations of the Target System

You can configure the connector for reconciling multiple installations of the target system. For each installation of the target system, you create a corresponding .properties file in the /ldapgateway/etc/ directory.

To configure the connector for the second installation of the target system:

Note:

Perform the same procedure for all installations of the target system.
  1. Make a copy of the current LDAP_INSTALL_DIR/etc/.properties file, saving it in the /etc/ directory. The default name for this file is VOYAGER_ID.properties; otherwise, select the .properties file whose name matches the VOYAGER_ID of the target system you would like to configure for reconciliation.

  2. Open the copied file and set a value for the following properties:

    • itResource = Enter the name of the IT resource.

    • userStatus = Enter either Provisioned or Enabled, depending on the status that must be set for accounts that are created through target resource reconciliation.

    • xlAdminId = Enter the user ID of a user belonging to the SYSTEM ADMINISTRATORS group.

    • xlAdminPwd = Enter the password of the user whose user ID you specified as the value of the xlAdminId property. This property is used only on Oracle Identity Manager releases 11.1.1 and 11.1.2.x. If required, you can encrypt the password for security purposes using the propertyEncrypt script located in the scripts directory of the installation media. The procedure to use the script is given in Section 3.9, "Installing and Configuring the LDAP Gateway". After you run the script, copy the encrypted password as the value of the xlAdminPwd property.

    • xlAdminPwdEncrypt = Enter true as the value of the xlAdminPwdEncrypt property if you have set an encrypted password as the value of the xlAdminPwd property. Otherwise, enter false. This property is used on Oracle Identity Manager releases 11.1.1 and 11.1.2.x.

    • xlJndiUrl = This property is used only on Oracle Identity Manager release 11.1.1. To determine the JNDI URL:

      1. In a text editor, open the following file:

         OIM_DC_HOME/xlclient/Config/xlconfig.xml

         Here, OIM_DC_HOME is the name and full path of the directory in which you install the Oracle Identity Manager Design Console.

      2. Copy the value of the java.naming.provider.url element.

      3. Set the value for the xlJndiUrl property.

         Sample value: t3://localhost:14000/oim

    • xlJndiFactory = The default value is weblogic.jndi.WLInitialContextFactory. Do not change this default value. This property is used only on Oracle Identity Manager releases 11.1.1 and 11.1.2.x.

  3. The Voyager reconciliation agent sends a unique identifier value, called VOYAGER_ID, each time a reconciliation event occurs. This value must match the name of the .properties file being used by the racf-adv-agent-recon.jar for reconciliation.

    Rename the copied file to match the VOYAGER_ID property. For example, if the Voyager agent control file has VOYAGER_ID = VOYAGER14, then the .properties file should be named VOYAGER14.properties.

5.7 Initial LDAP Gateway Population and Full Reconciliation

Instead of reconciling directly from the target system to OIM (which can be slow on large systems), the LDAP gateway offers an internal LDAP store that can be populated with target system users by using a single transaction to the mainframe. Oracle Identity Manager then reconciles user data from the LDAP store instead of the target system.

Reconciling a user or group extract file requires the procedures described in the following sections:

5.7.1 Reconcile User Extract File

This feature performs full reconciliation 30% to 50% faster than the standard out-of-the-box (OOTB) scheduled task that reconciles all users. It requires coordinated configuration changes to the Pioneer mainframe agent.

  1. Have the mainframe team configure the Pioneer agent to use a generated extract file (see Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF"). Run IRRXUTIL with the EXTRACT USER or EXTRACT GROUP command to generate the file containing all users (or groups) and their data.

  2. After the extract file has been generated:

    a. Open the LDAP_INSTALL_DIR/conf/racf.properties file, set the value of the _internalEnt_ property to true, and then save and close the file.

    b. Log in to the Oracle Identity Manager Administrative and User Console.

    c. Search for and open the RACF Reconcile Users To Internal LDAP scheduled task, and enter values for its properties.

    Table 5-2 describes the attributes of the scheduled task.

    Table 5-2 Attributes of the Reconcile Users to Internal LDAP Scheduled Task

    Attribute    Description
    IT Resource  Enter the name of the IT resource that was configured for the target system.
                 Sample value: RacfResource
    Domain OU    Enter the name of the internally configured directory (OU) in the LDAP store in which the reconciled entries are stored.
                 Sample value: racf


  3. Run the scheduled task. This task will initially populate the internal LDAP store with all user profiles.

  4. Once the task has completed, search for and open the RACF Reconcile All LDAP Users scheduled task.

  5. Enter values for the scheduled task properties.

    Table 5-3 describes the attributes of the scheduled task.

    Table 5-3 Attributes of the Reconcile LDAP Users to OIM Scheduled Task

    Attribute                Description
    IT Resource              Enter the name of the IT resource that was configured for the target system.
                             Sample value: RacfResource
    Resource Object          Enter the name of the resource object against which the reconciliation run is performed.
                             Sample value: OIMRacfResourceObject
    Domain OU                Enter the name of the internally configured directory (OU) in the LDAP store from which the target system users are retrieved.
                             Sample value: racf
    Trusted Resource Object  Enter the name of the resource object against which trusted reconciliation runs are performed.
                             Sample value: Xellerate User
    MultiValuedAttributes    Enter a comma-separated list of the multi-valued attributes that you want to reconcile. Do not include a space after each comma.
                             Sample value: attributes,memberOf
    SingleValueAttributes    Enter a comma-separated list of the single-valued attributes that you want to reconcile. Do not include a space after each comma, and do not include attributes already listed in MultiValuedAttributes.
                             Sample value: uid,owner,defaultGroup,waddr1,tsoMaxSize
                             Note: By default, the Oracle Identity Manager design form accepts at most 150 characters in a text field. To raise this limit, increase the size of the TSA_VALUE column in the Oracle Identity Manager database.
    TrustedReconciliation    Enter whether the target system is to be treated as a trusted source.
                             Sample value: true
    LDAP Time Zone           Enter the time zone ID of the server on which the LDAP gateway is hosted.
                             Sample value: EST
    uidcase                  Enter whether the user ID is to be displayed in uppercase or lowercase.
                             Sample value: upper
    R2                       Enter true if the Oracle Identity Manager release in use is 11.1.2.x; otherwise, enter false.
                             Sample value: true



  6. Run the scheduled task. This task will reconcile each user from the internal LDAP store to Oracle Identity Manager.

RACF Advanced Connector Design/Deployment Review:

[Figures not reproduced in this text: intial_fulppul.gif, reltim_evntcap.gif, schedule_tskrecon.gif]

5.7.2 Reconcile Group Extract File

This task performs full reconciliation about 30% to 50% faster than the standard out-of-the-box (OOTB) scheduled task that reconciles all groups. It requires coordinated configuration changes to the Pioneer mainframe agent, and it requires you to write your own scheduled tasks, which use standard LDAP calls against the internal LDAP store.

The procedure is the same as in Section 5.7.1, with one difference: for groups, no out-of-the-box task reconciles the internal LDAP store to Oracle Identity Manager, so you must write your own scheduled task for that step.

In the LDAP queries, only the RDN changes, from ou=People to ou=Groups.

5.8 Use and Build Custom Real-Time Reconciliation Adapter

The abstract class RacfAgentReconAdapter is included in the racf-adv-agent-recon.jar file. You can extend this class to build a custom real-time reconciliation adapter.

Example class:

    // Requires javax.naming.NamingException and javax.naming.directory.Attributes;
    // RacfAgentReconAdapter is provided by racf-adv-agent-recon.jar.
    public class CustomRacfAgentReconImpl extends RacfAgentReconAdapter { ... }

To extend the abstract class, your subclass must implement the following abstract methods, declared in RacfAgentReconAdapter as:

    public abstract void create( String entryId, Attributes attrs ) throws NamingException;
    public abstract void update( String entryId, Attributes attrs ) throws NamingException;
    public abstract void revoke( String entryId, Attributes attrs ) throws NamingException;
    public abstract void resume( String entryId, Attributes attrs ) throws NamingException;
    public abstract void resetPassword( String entryId, String userPassword, Attributes attrs ) throws NamingException;
    public abstract void delete( String entryId, Attributes attrs ) throws NamingException;

    public abstract void createGroup( String entryId, Attributes attrs ) throws NamingException;
    public abstract void updateGroup( String entryId, Attributes attrs ) throws NamingException;
    public abstract void deleteGroup( String entryId, Attributes attrs ) throws NamingException;

Note that resetPassword receives the new password in cleartext; a custom adapter must not write this value to logs or to any store outside the reconciliation path.

Note:

When compiling, make sure the /ldapgateway/dist/idfserver.jar is on the classpath.

After creating and compiling the custom class, perform the following steps:

  1. Package the new class in a JAR file and copy the JAR file to the ldapgateway/etc directory.

  2. Add the new JAR file to the classpath variable in ldapgateway/bin/run.sh (or run.bat on Windows).

  3. In the Spring bean definition for the <bean name="racf"> that you use for reconciliation (packaged in the ldapgateway/dist/idfserver.jar file), register the class in the agentAdapters list by its fully qualified package and class name:

    <property name="agentAdapters">
        <list>
            <value>com.custom.CustomRacfAgentReconImpl</value>
        </list>
    </property>
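The following is an added example of a complete custom adapter; it is not code shipped with the connector. It records one sanitized audit line per Voyager event, redacting any attribute whose name contains "password" and neutralizing line breaks in values so that a crafted RACF field cannot forge extra log lines. It assumes that RacfAgentReconAdapter has a public no-argument constructor and declares exactly the nine abstract methods listed above; the base class's package name is not given on this page, so read it from the JAR (for example, with jar tf racf-adv-agent-recon.jar) and add the matching import. Logging through java.util.logging and the "password" redaction rule are choices made for this example.

```java
package com.custom;

import java.util.Locale;
import java.util.logging.Logger;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
// Add: import <package-from-jar>.RacfAgentReconAdapter;

/**
 * Added example adapter: writes one sanitized audit line per reconciliation event.
 * Assumes RacfAgentReconAdapter has a public no-argument constructor.
 */
public class CustomRacfAgentReconImpl extends RacfAgentReconAdapter {

    private static final Logger LOG = Logger.getLogger(CustomRacfAgentReconImpl.class.getName());

    /** Redaction rule chosen for this example: any attribute whose name contains "password". */
    static boolean isSecret(String attrId) {
        return attrId != null && attrId.toLowerCase(Locale.ROOT).contains("password");
    }

    /** Replace line breaks and tabs so a value cannot inject additional log lines. */
    static String sanitize(String s) {
        return s == null ? "<null>" : s.replaceAll("[\\r\\n\\t]", "?");
    }

    /** Render attributes as id=value pairs; secrets are redacted, multi-valued attributes are counted. */
    static String describe(Attributes attrs) throws NamingException {
        if (attrs == null) {
            return "{}";
        }
        StringBuilder sb = new StringBuilder("{");
        NamingEnumeration<? extends Attribute> all = attrs.getAll();
        try {
            while (all.hasMore()) {
                Attribute a = all.next();
                if (sb.length() > 1) {
                    sb.append(", ");
                }
                sb.append(a.getID()).append('=');
                if (isSecret(a.getID())) {
                    sb.append("<redacted>");
                } else if (a.size() == 0) {
                    sb.append("<empty>");
                } else if (a.size() > 1) {
                    sb.append(a.size()).append(" values");
                } else {
                    sb.append(sanitize(String.valueOf(a.get())));
                }
            }
        } finally {
            all.close();
        }
        return sb.append('}').toString();
    }

    private void audit(String event, String entryId, Attributes attrs) throws NamingException {
        LOG.info(event + " entry=" + sanitize(entryId) + " attrs=" + describe(attrs));
    }

    @Override public void create(String entryId, Attributes attrs) throws NamingException { audit("CREATE", entryId, attrs); }
    @Override public void update(String entryId, Attributes attrs) throws NamingException { audit("UPDATE", entryId, attrs); }
    @Override public void revoke(String entryId, Attributes attrs) throws NamingException { audit("REVOKE", entryId, attrs); }
    @Override public void resume(String entryId, Attributes attrs) throws NamingException { audit("RESUME", entryId, attrs); }
    @Override public void delete(String entryId, Attributes attrs) throws NamingException { audit("DELETE", entryId, attrs); }

    @Override
    public void resetPassword(String entryId, String userPassword, Attributes attrs) throws NamingException {
        // The cleartext password parameter is intentionally never passed to the audit line.
        audit("RESET_PASSWORD", entryId, attrs);
    }

    @Override public void createGroup(String entryId, Attributes attrs) throws NamingException { audit("CREATE_GROUP", entryId, attrs); }
    @Override public void updateGroup(String entryId, Attributes attrs) throws NamingException { audit("UPDATE_GROUP", entryId, attrs); }
    @Override public void deleteGroup(String entryId, Attributes attrs) throws NamingException { audit("DELETE_GROUP", entryId, attrs); }
}
```

Compile with ldapgateway/dist/idfserver.jar and racf-adv-agent-recon.jar on the classpath, then package and register the class as described in the steps above. If the base class turns out to declare a constructor with arguments, add a matching constructor that calls super(...).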

5.9 LDAP Reconciliation Supported Queries

The values idxxx, classID and YOUR CLASS TYPE below are placeholders. If a custom scheduled task builds these filters from data it did not generate itself, escape the substituted value according to RFC 4515 (and, for a DN embedded in a filter, RFC 4514 first) so that characters such as *, ( and ) cannot widen the search.

User reconciliation queries:

  1. All user DNs and the uid attribute

     baseDn = ou=People,dc=racfxxx,dc=com
     filter = (objectclass=*)

  2. All data for a single user

     baseDn = ou=People,dc=racfxxx,dc=com
     filter = (uid=idxxx)

Group reconciliation queries:

  1. All group DNs and the cn attribute

     baseDn = ou=Groups,dc=racfxxx,dc=com
     filter = (objectclass=*)

  2. All data for a single group

     baseDn = ou=Groups,dc=racfxxx,dc=com
     filter = (cn=idxxx)

Dataset profile reconciliation queries for a given user (uid):

  1. Dataset profiles returned for a user

     baseDn = ou=Datasets,dc=racfxxx,dc=com
     filter = (uniqueMember=uid=idxxx,ou=People,dc=racfxxx,dc=com)

     or

     filter = (uid=idxxx)

User-defined resource reconciliation queries:

  1. Retrieve all user-defined resources of a class (equivalent to SEARCH CLASS(type))

     baseDn = ou=Resources,dc=racfxxx,dc=com
     filter = (resourceType=YOUR CLASS TYPE)

     This returns the DN of every matching entry; each entry carries its resource ID in the cn attribute.

  2. Retrieve a single user-defined resource (equivalent to RLIST (cn) ALL)

     baseDn = ou=Resources,dc=racfxxx,dc=com
     filter = (cn=classID)