Oracle® Identity Manager Connector Guide for IBM RACF Advanced
Release 9.0.4

Part Number E10451-14

5 Extending the Functionality of the Connector

This chapter discusses the following optional procedures that you can perform to extend the functionality of the connector for addressing your business requirements:

5.1 Adding New Attributes for Target Resource Reconciliation

Note:

You must ensure that new attributes you add for reconciliation contain only string-format data. Binary attributes must not be brought into Oracle Identity Manager natively.

By default, the attributes listed in Table 1-3 are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new attributes for target resource reconciliation.

The reconAttrs property contains the list of target system attributes that are mapped for real-time reconciliation with Oracle Identity Manager. This property is found in the VOYAGER_ID.properties file. Attributes mapped for reconciliation are listed as the value of the reconAttrs property. If you want to add an attribute for reconciliation, then copy it from the REMOVED list to the list in the reconAttrs property.

For full reconciliation, the reconciliation scheduled task contains two sections: SingleValueAttributes and MultiValuedAttributes. Attributes that can have multiple values (such as MEMBER_OF containing multiple group names) should be entered as a comma-separated list in the MultiValuedAttributes property. All other attributes should be entered in the SingleValueAttributes property. Attributes entered in the MultiValuedAttributes property should NOT be included in the SingleValueAttributes property and vice versa.

If you are adding a custom target system attribute, then you must also add it to the list of attributes specified as the value of the configAttrs property in the racf.properties file. See Section 2.9, "Installing and Configuring the LDAP Gateway" for information about this property.

5.2 Adding New Attributes for Provisioning

By default, the attributes listed in Table 1-3 are mapped for provisioning between Oracle Identity Manager and the target system. If required, you can map additional attributes for provisioning.

To add a new attribute for provisioning:

See Also:

One of the following guides for detailed information about these steps:
  1. Log in to the Design Console.

  2. Add the new attribute on the process form as follows:

    1. Expand Development Tools.

    2. Double-click Form Designer.

    3. Search for and open the UD_RACF_ADV process form.

    4. Click Create New Version, and then click Add.

    5. Enter the details of the attribute.

    6. Click Save and then click Make Version Active. Figure 5-1 shows the new attribute added to the process form.

      Figure 5-1 New Field Added to the Process Form (figure not reproduced)

  3. To enable update of the attribute during provisioning operations, create a process task as follows:

    See Also:

    One of the following guides for detailed information about these steps:
    1. Expand Process Management, and double-click Process Definition.

    2. Search for and open the OIMRACFProvisioningProcess process definition.

    3. Click Add.

    4. On the General tab of the Creating New Task dialog box, enter a name and description for the task and then select the following:

      Conditional

      Required for Completion

      Allow Cancellation while Pending

      Allow Multiple Instances

    5. Click Save. The following screenshot shows the new task added to the process definition:

      (Screenshot new_process_task.gif not reproduced.)

    6. On the Integration tab of the Creating New Task dialog box, click Add.

    7. In the Handler Selection dialog box, select Adapter, click adpMODIFYUSER, and then click the Save icon.

      The list of adapter variables is displayed on the Integration tab. The following screenshot shows the list of adapter variables:

      (Screenshot new_adapter.gif not reproduced.)

    8. To create the mapping for the first adapter variable:

      Double-click the number of the first row.

      In the Edit Data Mapping for Variable dialog box, enter the following values:

      Variable Name: Adapter return value

      Map To: Process Data

      Qualifier: Return status

      Click the Save icon.

    9. To create mappings for the remaining adapter variables, use the data given in the following table:

      Variable Number   Variable Name   Map To         Qualifier
      Second            idfResource     IT Resource    Not applicable
      Third             uid             Process Data   LoginId
      Fourth            attrName        Literal        cn (string)
      Fifth             attrValue       Process Data   UD_RACF_ADV_NAME (string)

    10. Click the Save icon in the Editing Task dialog box, and then close the dialog box.

    11. Click the Save icon to save changes to the process definition.

  4. If you are adding a custom attribute, then set values for the configSegment and configDNames properties in the racf.properties file. See Step 3 of Section 2.9, "Installing and Configuring the LDAP Gateway" for information about these properties.

Note:

To enable Password Interval provisioning, use the literal attrName value pwdInterval for the modifyUser task. A value of 0 means NOINTERVAL.

5.3 Removing Attributes Mapped for Target Resource Reconciliation and Provisioning

Note:

You must not remove the uid, cn, password, or defaultGroup attribute. These attributes are mandatory on the target system.

The reconAttrs property contains the list of target system attributes that are mapped for real-time reconciliation and provisioning. This property is found in the VOYAGER_ID.properties file. If you want to remove an attribute mapped for real-time reconciliation and provisioning, then remove it from the reconAttrs property.

The SingleValueAttributes and MultiValuedAttributes properties contain the list of target system attributes that are mapped for initial reconciliation. These properties are found in the RACF Reconcile All Users scheduled task. If you want to remove an attribute mapped for initial reconciliation, then remove it from the SingleValueAttributes or MultiValuedAttributes property.
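As an added example (not connector code), the following script checks the attribute lists from Sections 5.1 and 5.3 for the mistakes those sections warn about: mandatory attributes removed from reconAttrs, a custom attribute missing from configAttrs, and an attribute listed in both SingleValueAttributes and MultiValuedAttributes. The default attribute set is a constructed stand-in for Table 1-3.

```python
"""Consistency checks for the attribute lists that Sections 5.1 and 5.3 describe.

Added example, not connector code. Inputs are the raw comma-separated property
values: reconAttrs (VOYAGER_ID.properties), configAttrs (racf.properties), and the
SingleValueAttributes / MultiValuedAttributes scheduled-task properties.
"""

# Attributes the page says must never be removed (note in Section 5.3).
MANDATORY_ATTRS = {"uid", "cn", "password", "defaultGroup"}

# Constructed stand-in for the out-of-the-box attributes of Table 1-3 (not the real table).
DEFAULT_ATTRS = {"uid", "cn", "password", "defaultGroup", "MEMBER_OF"}


def split_list(value):
    """Split a comma-separated property value into attribute names, ignoring blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_recon_attrs(recon_attrs, config_attrs, default_attrs=DEFAULT_ATTRS):
    """Validate reconAttrs against configAttrs; returns a list of problems (empty = OK).

    Rules from the page: uid, cn, password and defaultGroup must stay mapped, and any
    custom attribute (one not in the default set) must also be listed in configAttrs.
    """
    problems = []
    recon = split_list(recon_attrs)
    config = set(split_list(config_attrs))
    missing = MANDATORY_ATTRS - set(recon)
    if missing:
        problems.append("mandatory attribute(s) removed from reconAttrs: "
                        + ", ".join(sorted(missing)))
    for attr in recon:
        if attr not in default_attrs and attr not in config:
            problems.append(f"custom attribute {attr!r} is in reconAttrs but not in configAttrs")
    return problems


def check_full_recon_lists(single_valued, multi_valued):
    """Validate the two full-reconciliation lists; returns a list of problems (empty = OK).

    Section 5.1: an attribute belongs in exactly one of the two lists, so the lists
    must not overlap.
    """
    problems = []
    overlap = set(split_list(single_valued)) & set(split_list(multi_valued))
    if overlap:
        problems.append("attribute(s) listed in both SingleValueAttributes and "
                        "MultiValuedAttributes: " + ", ".join(sorted(overlap)))
    return problems


if __name__ == "__main__":
    # Constructed sample values: employeeSerial is a custom attribute that was added
    # to reconAttrs but not to configAttrs, and MEMBER_OF was put in both task lists.
    print(check_recon_attrs("uid,cn,password,defaultGroup,MEMBER_OF,employeeSerial", ""))
    print(check_full_recon_lists("uid,cn,MEMBER_OF", "MEMBER_OF"))
```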

5.4 Using the Provisioning Agent to Run IBM z/OS Batch Jobs

You can use the Provisioning Agent to run IBM z/OS batch jobs after provisioning operations. This feature provides an interface to the batch environment of IBM z/OS. For example, a CLIST script written in IBM REXX can be called through the standard TSO JCL. When it is called, the CLIST can perform user functions such as calling IBM DB2 UDB for database table updates, calling user programs to handle file updates, and generating reports.

To configure the Provisioning Agent to run IBM z/OS batch jobs:

  1. Open the Provisioning Agent control file in a text editor.

    See Section 3.4.1, "Configuring Pioneer" for information about this file.

  2. In this file, create entries in the following format:

    C=RACF_COMMAND,M=MEMBER_NAME,L=LIBRARY_NAME
    P=USERID(Y),NAME(Y),CSDATA(003)

    To perform special post-processing when a user is deleted, the control file supports an additional DEL parameter on the DELUSER entry only. The entry is defined as follows:

    C=DELUSER,M=member-name,L=library_name,DEL=Y  or  DEL=N
    DEL=Y  --  execute the REXX clist or z/OS job stream in library L=, member M=, and perform the actual DELUSER in RACF
    DEL=N  --  execute the REXX clist or z/OS job stream in library L=, member M=, and do NOT issue the DELUSER to RACF

    In the first line:

    • RACF_COMMAND can be ADDUSER, ALTUSER, DELUSER, CONNECT, or REMOVE.

    • MEMBER_NAME is the name of the IBM z/OS PDS that is submitted for execution in the IBM z/OS batch environment.

    • LIBRARY_NAME is the name of the IBM z/OS PDS library name that contains the member specified by MEMBER_NAME.

      The output of the submitted job is not sent back to the Provisioning Agent of the LDAP Gateway. You must take steps to ensure that the required action is taken based on the status of the operation.

    For example:

    C=ADDUSER,M=ABCD,L=PDS.LIBRARY.ONE
    P=USERID(Y),NAME(N)

    The Provisioning Agent fetches the RACF user ID and passes it as a parameter to a REXX clist. The REXX clist must be set up to support parameters or arguments as shown in this example:

    /* rexx */
    Arg p1

    Here, p1 is the RACF user ID and it can be used in the REXX clist.

    The same applies for NAME. If NAME(Y) and USERID(Y) are used, then the REXX clist can be similar to the following:

    /* rexx */
    Arg p1 p2

    Here, p1 is the RACF user ID and p2 is the name.

    If USERID(Y),NAME(N) is used, then only the user ID is passed.

    The csdata field can also be passed. The following example shows how to create and pass this field:

    See Also:

    Target system documentation for more information.
    1. Define a csdata segment. See the IBM RACF System Administrator's Guide for information about the procedure.

    2. To populate a CSDATA segment with one field:

      Altuser IDF004 CSDATA(EMPSER(100100))

      lu idf004 csdata noracf

      USER=IDF004

      CSDATA INFORMATION

      ------------------

      EMPLOYEE SERIAL= 0000100100

    3. To populate a CSDATA segment with multiple fields:

      Altuser idf004 csdata(address('99 Main St, Anywhere, NJ, 08022') Phone(555-555-5555))

      lu idf004 csdata noracf

      USER=IDF004

      CSDATA INFORMATION

      ------------------

      EMPLOYEE SERIAL= 0000100100

      HOME ADDRESS = 99 Main St, Anywhere, NJ, 08022

      HOME PHONE = 555-555-5555

      For example:

      C=ADDUSER,M=ABCD,L=PDS.LIBRARY.ONE

      P=USERID(Y),NAME(N),CSDATA(001)

      The Provisioning Agent fetches the RACF user ID and passes it, together with the EMPLOYEE SERIAL csdata field, to a REXX clist. The format of the CSDATA parameter has changed: it now specifies the number of CSDATA fields to be passed. CSDATA(001) passes the first CSDATA field defined. The passed fields (user ID, name, and CSDATA fields together) cannot exceed 80 bytes.

      Note:

      A hyphen must be added between the two words of the field name in this example (EMPLOYEE SERIAL is passed as Employee-Serial), and the length must be provided.

      The REXX clist must be set up to support parameters or arguments as shown in the following example:

      /* rexx */
      Arg p1 p2

      Here, p1 is the RACF user ID and p2 is Employee-Serial.

      Note:

      In this release of the Provisioning Agent, there is an 80-byte limit on the size of the field value that is passed. For example, if the user ID, name, and Employee-Serial are together over 80 bytes, one or two of these values must be removed so that the 80-byte limit is not exceeded.

  3. Save and close the file.

The following sequence of steps takes place after a provisioning operation:

  1. The Provisioning Agent opens the control file and reads the association between provisioning functions and the members specified in the file.

  2. If there is an entry for the provisioning operation that was performed, then the corresponding member is submitted to the IBM z/OS batch environment.

    For example, suppose you had added the following entry in the control file:

    C=ALTUSER,M=MY_MEMBER,L=MY_LIBRARY

    At the end of a Modify User provisioning operation on the target system, the Provisioning Agent runs the MY_MEMBER member. This member performs the required operation on IBM z/OS.
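As an added example (not the Provisioning Agent's own code), the following script parses control file entries in the format shown in this section, rejects entries the section does not define (an unknown RACF command, DEL= on anything but DELUSER), looks up the member to submit after an operation, and builds the argument string for the REXX clist while enforcing the 80-byte limit. The sample control file is constructed, and the CSDATA values are assumed to be passed in field-definition order.

```python
"""Parser and parameter builder for the Provisioning Agent control file (Section 5.4).

Added example, not the Provisioning Agent's own code. It parses C=/P= entry pairs,
validates them, and builds the arguments handed to the REXX clist (Arg p1 p2 ...).
"""

import re

VALID_COMMANDS = {"ADDUSER", "ALTUSER", "DELUSER", "CONNECT", "REMOVE"}
MAX_PARAM_BYTES = 80  # limit on the passed user ID, name and CSDATA fields (Section 5.4)

# Constructed sample control file, modelled on the entries shown in the section.
SAMPLE_CONTROL_FILE = """\
C=ADDUSER,M=ABCD,L=PDS.LIBRARY.ONE
P=USERID(Y),NAME(N),CSDATA(001)
C=ALTUSER,M=MY_MEMBER,L=MY_LIBRARY
P=USERID(Y),NAME(Y)
C=DELUSER,M=DELX,L=PDS.LIBRARY.ONE,DEL=N
P=USERID(Y),NAME(N)
"""

_PARAM_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_control_file(text):
    """Return {RACF_COMMAND: entry} for each C= line and the P= line that follows it."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("C="):
            fields = dict(part.split("=", 1) for part in line.split(","))
            command = fields.get("C")
            if command not in VALID_COMMANDS:
                raise ValueError(f"unknown RACF command {command!r}")
            if "DEL" in fields and command != "DELUSER":
                raise ValueError("DEL= is only defined for the DELUSER entry")
            current = {
                "member": fields["M"],    # PDS member submitted to the batch environment
                "library": fields["L"],   # PDS library that holds the member
                # DEL=N runs the member but does not issue the DELUSER to RACF.
                "issue_deluser": fields.get("DEL", "Y") == "Y" if command == "DELUSER" else None,
                "userid": False, "name": False, "csdata": 0,
            }
            entries[command] = current
        elif line.startswith("P="):
            if current is None:
                raise ValueError("P= line without a preceding C= line")
            for key, val in _PARAM_RE.findall(line[2:]):
                if key == "USERID":
                    current["userid"] = val == "Y"
                elif key == "NAME":
                    current["name"] = val == "Y"
                elif key == "CSDATA":
                    current["csdata"] = int(val)  # number of CSDATA fields to pass
                else:
                    raise ValueError(f"unknown P= parameter {key!r}")
        else:
            raise ValueError(f"unexpected control file line: {line!r}")
    return entries


def post_provisioning_member(entries, command):
    """Return (member, library) to submit after `command`, or None if no entry exists."""
    entry = entries.get(command)
    if entry is None:
        return None
    return entry["member"], entry["library"]


def build_clist_args(entry, userid, name, csdata_values):
    """Build the space-separated arguments handed to the REXX clist for one operation.

    csdata_values holds the user's CSDATA field values in definition order; CSDATA(n)
    passes the first n of them. Raises ValueError if the result exceeds MAX_PARAM_BYTES.
    """
    parts = []
    if entry["userid"]:
        parts.append(userid)
    if entry["name"]:
        parts.append(name)
    parts.extend(csdata_values[:entry["csdata"]])
    args = " ".join(parts)
    size = len(args.encode("utf-8"))
    if size > MAX_PARAM_BYTES:
        raise ValueError(f"passed fields are {size} bytes; the limit is {MAX_PARAM_BYTES}")
    return args


if __name__ == "__main__":
    control = parse_control_file(SAMPLE_CONTROL_FILE)
    print(post_provisioning_member(control, "ALTUSER"))
    print(build_clist_args(control["ADDUSER"], "IDF004", "", ["0000100100"]))
```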

5.5 Configuring the Connector for Provisioning to Multiple Installations of the Target System

You can configure the connector for multiple installations of the target system. You can also configure the connector for a scenario in which multiple logical partitions (LPARs), which are not associated with the first LPAR, are configured in the target system.

For each installation of the target system, you create an IT resource and configure an additional instance of the LDAP Gateway.

To configure the connector for the second installation of the target system:

Note:

Perform the same procedure for all installations of the target system.

  1. Create an IT resource based on the OIMLDAPGatewayResourceType IT resource type.

    See one of the following guides for information about creating IT resources.

    See Section 2.5, "Configuring the IT Resource" for information about the parameters of the IT resource.

  2. Copy the current LDAP_INSTALL_DIR directory, including all the subdirectories, to a new location on the Oracle Identity Manager computer.

  3. Extract the contents of the LDAP_INSTALL_DIR/dist/idfserver.jar file.

  4. In the beans.xml file, change the value of the port in the <property name="port" value="xxxx"/> line to specify a port that is different from the port used for the first instance of the LDAP Gateway. The default port number is shown in the following example:

    <bean id="listener" class="com.identityforge.idfserver.nio.Listener">
    <constructor-arg><ref bean="bus"/></constructor-arg>
    <property name="admin"><value>false</value></property>
    <property name="config"><value>../conf/listener.xml</value></property>
    <property name="port" value="5389"/>
    </bean>
    

    When you change the port number, you must make the same change in the value of the idfServerPort parameter of the IT resource that you create by performing Step 1.

  5. Save and close the beans.xml file.

  6. Open the LDAP_INSTALL_DIR/conf/racf.properties file and edit the following parameters:

    • host= Enter the IP address or host name of the mainframe.

    • port= Enter the port number for the second instance of the Provisioning agent.

    • agentPort= Enter the port number for the second instance of the Reconciliation agent.

      Note:

      The value of the agentPort parameter must not be the same as that of the first instance if a second LPAR, which is not associated with the first LPAR, is configured in the target system. This value can be the same as the value of the idfServerPort parameter if you have two mainframe servers with IBM RACF running on each server.

  7. Save and close the racf.properties file.

  8. Open the LDAP_INSTALL_DIR/etc/VOYAGER_ID.properties file and edit the following property:

    itResource= Enter the name of the IT resource for the second LDAP Gateway.

  9. Save and close the VOYAGER_ID.properties file.

  10. In a Linux or Solaris environment, if there are not enough socket file descriptors to open up all the ports needed for the server, then:

    1. In a text editor, open the run script from the LDAP_INSTALL_DIR/bin directory.

    2. Add the following line in the file:

      -Djava.nio.channels.spi.SelectorProvider=sun.nio.ch.PollSelectorProvider
      
    3. Save and close the file.

When you perform provisioning operations:

When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the IBM RACF installation to which you want to provision the user.

5.6 Configuring the Connector for Reconciliation of Multiple Installations of the Target System

You can configure the connector for reconciling multiple installations of the target system. For each installation of the target system, you create a corresponding .properties file in the /ldapgateway/etc/ directory.

To configure the connector for the second installation of the target system:

Note:

Perform the same procedure for all installations of the target system.

  1. Make a copy of the current LDAP_INSTALL_DIR/etc/.properties file, saving it in the /etc/ directory. The default name for this file is VOYAGER_ID.properties; otherwise, select the .properties file whose name matches the VOYAGER_ID of the target system that you want to configure for reconciliation. See Section 2.5, "Configuring the Started Tasks" for information about the VOYAGER_ID property.

  2. Open the copied file and set a value for the following properties:

    • itResource= Enter the name of the IT resource.

    • userStatus= Enter either Provisioned or Enabled, depending on the status that must be set for accounts that are created through target resource reconciliation.

    • xlAdminId= Enter the user ID of a user belonging to the SYSTEM ADMINISTRATORS group.

    • xlAdminPwd= Enter the password of the user whose user ID you specified as the value of the xlAdminId property. This property is used only on Oracle Identity Manager release 11.1.1. If required, you can encrypt the password for security purposes by using the propertyEncrypt script located in the scripts directory of the installation media. The procedure to use the script is given in Section 2.9, "Installing and Configuring the LDAP Gateway". After you run the script, copy the encrypted password as the value of the xlAdminPwd property.

    • xlAdminPwdEncrypt= Enter true if you have set an encrypted password as the value of the xlAdminPwd property. Otherwise, enter false. This property is used only on Oracle Identity Manager release 11.1.1.

    • xlJndiUrl= This property is used only on Oracle Identity Manager release 11.1.1. To determine the JNDI URL:

      1. In a text editor, open the OIM_DC_HOME/xlclient/Config/xlconfig.xml file. Here, OIM_DC_HOME is the name and full path of the directory in which you install the Oracle Identity Manager Design Console.

      2. Copy the value of the java.naming.provider.url element.

      3. Set the value for the xlJndiUrl property.

      Sample value: t3://localhost:14000/oim

    • xlJndiFactory= The default value is weblogic.jndi.WLInitialContextFactory. Do not change this default value. This property is used only on Oracle Identity Manager release 11.1.1.

  3. The Voyager reconciliation agent sends a unique identifier value, called VOYAGER_ID, each time a reconciliation event occurs. This value must match the name of the .properties file that the racf-adv-agent-recon.jar uses for reconciliation.

    Rename the copied file to match the VOYAGER_ID property. For example, if the target system has VOYAGER_ID = VOYAGER14, then the .properties file should be named VOYAGER14.properties.
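As an added example (not connector code), the following script resolves the .properties file that the reconciliation agent will use for a given VOYAGER_ID and checks the properties listed in the steps above: the required keys are present, userStatus is Provisioned or Enabled, xlAdminPwdEncrypt is true or false, and xlJndiFactory keeps its default. The etc directory contents are constructed, and the encrypted password is a placeholder.

```python
"""Select and validate the per-installation .properties file described in Section 5.6.

Added example, not connector code. Given the VOYAGER_ID carried by a reconciliation
event and the files present in /ldapgateway/etc/, it picks <VOYAGER_ID>.properties and
checks the properties the section lists. The 11.1.1-only properties are checked only
when oim_11_1_1 is True.
"""

REQUIRED_ALL = ("itResource", "userStatus")
REQUIRED_11_1_1 = ("xlAdminId", "xlAdminPwd", "xlAdminPwdEncrypt", "xlJndiUrl", "xlJndiFactory")
DEFAULT_JNDI_FACTORY = "weblogic.jndi.WLInitialContextFactory"  # must not be changed

# Constructed sample of the etc directory: file name -> file contents.
SAMPLE_ETC = {
    "VOYAGER_ID.properties": "itResource=RacfResource\nuserStatus=Enabled\n",
    "VOYAGER14.properties": (
        "itResource=RacfResource2\n"
        "userStatus=Enabled\n"
        "xlAdminId=xelsysadm\n"
        "xlAdminPwd=PLACEHOLDER_ENCRYPTED_PASSWORD\n"   # placeholder, not a real value
        "xlAdminPwdEncrypt=true\n"
        "xlJndiUrl=t3://localhost:14000/oim\n"
        "xlJndiFactory=weblogic.jndi.WLInitialContextFactory\n"
    ),
}


def parse_properties(text):
    """Minimal parser for key=value lines of a Java .properties file (comments skipped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve_properties_file(voyager_id, etc_files):
    """Return the file name the recon agent will use for voyager_id, or None if absent."""
    expected = f"{voyager_id}.properties"
    return expected if expected in etc_files else None


def validate_properties(props, oim_11_1_1=True):
    """Return a list of problems with the property values (empty = OK)."""
    problems = []
    required = REQUIRED_ALL + (REQUIRED_11_1_1 if oim_11_1_1 else ())
    for key in required:
        if not props.get(key):
            problems.append(f"{key} is missing or empty")
    if props.get("userStatus") not in ("Provisioned", "Enabled"):
        problems.append("userStatus must be Provisioned or Enabled")
    if oim_11_1_1:
        if props.get("xlAdminPwdEncrypt") not in ("true", "false"):
            problems.append("xlAdminPwdEncrypt must be true or false")
        if props.get("xlJndiFactory", DEFAULT_JNDI_FACTORY) != DEFAULT_JNDI_FACTORY:
            problems.append("xlJndiFactory must keep its default value")
    return problems


def check_installation(voyager_id, etc_files, oim_11_1_1=True):
    """Resolve the file for voyager_id and validate it; returns (file_name, problems)."""
    name = resolve_properties_file(voyager_id, etc_files)
    if name is None:
        return None, [f"no {voyager_id}.properties file in the etc directory"]
    return name, validate_properties(parse_properties(etc_files[name]), oim_11_1_1)


if __name__ == "__main__":
    print(check_installation("VOYAGER14", SAMPLE_ETC))
    print(check_installation("VOYAGER15", SAMPLE_ETC))
```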

5.7 Reconciling User's Datasets

The Find User's Datasets scheduled task allows the administrator to reconcile a user's dataset membership. When you configure this scheduled task, it runs at specified intervals and fetches a user's dataset memberships. These dataset names are then reconciled to the dataset child form.

To configure the Reconcile User's Datasets scheduled task:

  1. Log in to the Oracle Identity Manager Administrative and User Console.

  2. Perform one of the following steps:

    1. If you are using Oracle Identity Manager release 9.1.0.x, expand Resource Management, and then click Manage Scheduled Task.

    2. If you are using Oracle Identity Manager release 11.1.1, then on the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

  3. Search for and open the scheduled task as follows:

    If you are using Oracle Identity Manager release 9.1.0.x, then:

    1. On the Scheduled Task Management page, enter the name of the scheduled task as the search criteria and then click Search.

    2. In the search results table, click Edit column for the scheduled task.

    3. On the Scheduled Task Details page, where the details of the scheduled task that you selected are displayed, click Edit.

    If you are using Oracle Identity Manager release 11.1.1, then:

    1. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

    2. On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    3. In the search results table on the left pane, click the scheduled job in the Job Name column.

  4. Modify the details of the scheduled task. To do so:

    1. If you are using Oracle Identity Manager release 9.1.0.x, then on the Edit Scheduled Task Details page, modify the following parameters, and then click Continue:

      Status: Specify whether you want to leave the task in the enabled state. In the enabled state, the task is ready for use.

      Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 0.

      Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.

      Frequency: Specify the frequency at which you want the task to run.

    2. If you are using Oracle Identity Manager release 11.1.1, then on the Job Details tab, you can modify the following parameters:

      Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

      Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

      Note:

      See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.

      In addition to modifying the job details, you can enable or disable a job.

  5. Specify values for the attributes of the scheduled task as follows:

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    Table 5-1 describes the attributes of the scheduled task.

    Table 5-1 Attributes of the Find User's Datasets Scheduled Task

    Attribute Description

    IT Resource

    Enter the name of the IT resource that was configured for the target system.

    Sample value: RacfResource

    Resource Object

    Enter the name of the resource object against which reconciliation runs must be performed.

    Sample value: OIMRacfResourceObject

    User Name(s)

    Enter the name of the user whose dataset memberships are being reconciled.

    Multiple users can be reconciled by entering the user IDs as a comma-separated list.

    Sample value: AJONES1,RMACK7,PAYROLL4

    Ignored Records

    Enter the name of dataset records that should be ignored in the results. If left blank, all datasets will be checked for the user's membership record. Multiple records can be ignored by entering the IDs as a comma-separated list.

    Sample value: dsn710.a000b1.*,billy.tcuser1,payroll.employees.*


  6. After specifying the attributes, perform one of the following steps:

    1. If you are using Oracle Identity Manager release 9.1.0.x, then click Save Changes to save the changes.

      Note:

      The Stop Execution option is not available in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager. If you want to stop a task, then click Stop Execution on the Task Scheduler form of the Design Console.

    2. If you are using Oracle Identity Manager release 11.1.1, then click Apply to save the changes.

5.8 Reconcile User Extract File and Reconcile Group Extract File

Reconciling user or group extract file requires the following procedure:

5.8.1 Reconcile User Extract File

This will perform full reconciliation about 30% - 50% faster than the normal OOTB Scheduled Task that reconciles all users. This requires coordination with configuration changes for the Pioneer Mainframe Agent.

This feature requires three different scheduled tasks. Each task is performed using standard LDAP calls.

  1. GENUFILE: Generates a file on the Mainframe of all users along with their associated data attributes.

  2. SRCHLU: Reads the above generated file and returns all users and attribute values in one request/response.

  3. DELUFILE: Deletes the generated file.

GENUFILE Scheduled Task:

The Scheduled Task needs to perform the following functional tasks:

  1. Pass in the correct IT Resource and initialize an LDAP connection using the LdapOperationsImpl class (com.identityforge.racf.util.LdapOperationsImpl) located in the racf-adv-scheduled-task.jar file:

    // Connection parameters are read from the IT resource passed to the scheduled task.
    try {
        ldapOp = new LdapOperationsImpl(ldapHost, ldapPort, ldapRootContextDn, ldapPrincipalDn,
                ldapPrincipalPwd, ssl, trustStore, trustStorePassword, trustStoreType);
    } catch (Exception e) {
        oimlogger.error("Error while getting LdapOperationsImpl instance... " + e.getMessage());
        e.printStackTrace();
        throw new Exception(e);
    }

  2. Initiate file generation by creating the following LDAP entry (create context):

    // Requires javax.naming.directory.Attributes, BasicAttribute and BasicAttributes.
    ldapOp.setLdapConnection();
    String userId = "file";
    Attributes attributes = new BasicAttributes(true);
    // Object classes of the entry that triggers file generation on the LDAP Gateway.
    BasicAttribute ba = new BasicAttribute(Constants.OBJECTCLASS_ATTR);
    ba.add("top");
    ba.add("person");
    ba.add("organizationalperson");
    ba.add("inetorgperson");
    ba.add("idforgperson");
    attributes.put(ba);
    attributes.put("cn", "Generate File");
    attributes.put("uid", userId);
    // The ou=genufile container tells the gateway to generate the user extract file.
    String dn = "uid=" + userId + ",ou=genufile,dc=racf,dc=com";
    ldapOp.createObject(dn, attributes);

  3. Close the LDAP connection. Do not attempt Oracle Identity Manager reconciliation: this code only generates the file, which is then read by the SRCHLU task.

    ldapOp.disconnectLdapConnection();

SRCHLU Scheduled Task:

Required parameters for this Scheduled Task: IT Resource, Resource Object, SingleValueAttributes, and MultiValuedAttributes. See "Attributes of the Reconcile All Users Scheduled Task" for the out-of-the-box Reconcile All Users task.

Note:

The above GENUFILE task must run first, or you will get an LDAP error stating no file found.

The Scheduled Task needs to perform the following functional tasks:

  1. Pass in the correct IT Resource and initialize an LDAP connection using the LdapOperationsImpl class (com.identityforge.racf.util.LdapOperationsImpl) located in the racf-adv-scheduled-task.jar file:

    // Connection parameters are read from the IT resource passed to the scheduled task.
    try {
        ldapOp = new LdapOperationsImpl(ldapHost, ldapPort, ldapRootContextDn, ldapPrincipalDn,
                ldapPrincipalPwd, ssl, trustStore, trustStorePassword, trustStoreType);
    } catch (Exception e) {
        oimlogger.error("Error while getting LdapOperationsImpl instance... " + e.getMessage());
        e.printStackTrace();
        throw new Exception(e);
    }

  2. Read the generated file by issuing the following LDAP search:

    BaseDN = ou=People,dc=racf,dc=com (or your matching suffix)

    Filter = "(alldata=true)"

    // Requires javax.naming.NamingEnumeration, javax.naming.NamingException and the
    // javax.naming.directory Attribute, Attributes, BasicAttribute, BasicAttributes
    // and SearchResult classes.
    ldapOp.setLdapConnection();
    try {
        // ctx is the javax.naming.directory.DirContext of the connection opened above.
        Attributes matchAttrs = new BasicAttributes(true);
        matchAttrs.put(new BasicAttribute("alldata", "true"));
        // No count limit is set, so the whole file is returned in one request/response.
        NamingEnumeration<?> answer = ctx.search("ou=People,dc=racf,dc=com", matchAttrs);
        while (answer.hasMoreElements()) {
            SearchResult result = (SearchResult) answer.nextElement();
            Attributes uattrs = result.getAttributes();
            NamingEnumeration<? extends Attribute> aresult = uattrs.getAll();
            while (aresult.hasMoreElements()) {
                Attribute attr = aresult.nextElement();
                System.out.println("ATTR NAME: " + attr.getID() + " ATTR VAL: " + attr.get());
            }
        }
    } catch (NamingException nException) {
        System.out.println(nException.toString());
    }

  3. Close the LDAP connection after all data has been received, before initiating Oracle Identity Manager reconciliation.

    ldapOp.disconnectLdapConnection();

DELUFILE Scheduled Task:

The Scheduled Task needs to perform the following functional tasks:

  1. Pass in the correct IT Resource and initialize an LDAP connection using the LdapOperationsImpl class (com.identityforge.racf.util.LdapOperationsImpl) located in the racf-adv-scheduled-task.jar file:

    // Connection parameters are read from the IT resource passed to the scheduled task.
    try {
        ldapOp = new LdapOperationsImpl(ldapHost, ldapPort, ldapRootContextDn, ldapPrincipalDn,
                ldapPrincipalPwd, ssl, trustStore, trustStorePassword, trustStoreType);
    } catch (Exception e) {
        oimlogger.error("Error while getting LdapOperationsImpl instance... " + e.getMessage());
        e.printStackTrace();
        throw new Exception(e);
    }

  2. Initiate file deletion by destroying the following LDAP entry (destroy context):

    ldapOp.setLdapConnection();
    String userId = "file";
    // The ou=delufile container tells the gateway to delete the generated user extract file.
    String dn = "uid=" + userId + ",ou=delufile,dc=racf,dc=com";
    // ctx is the javax.naming.directory.DirContext of the connection opened above.
    ctx.destroySubcontext(dn);

  3. Close the LDAP connection and do nothing with regard to Oracle Identity Manager reconciliation, because this task only deletes the file.

    ldapOp.disconnectLdapConnection();

5.8.2 Reconcile Group Extract File

This task will perform full reconciliation about 30% - 50% faster than the normal OOTB Scheduled Task that reconciles all groups. This requires coordination with configuration changes for the Pioneer Mainframe Agent. This feature requires 3 different scheduled tasks to be written that will use standard LDAP calls to perform:

  1. GENGFILE: Generates a file on the Mainframe of all groups along with their associated data attributes.

  2. SRCHLG: Reads the above generated file and returns all groups and attribute values in one request/response.

  3. DELGFILE: Deletes the generated file.

GENGFILE Scheduled Task:

See section, "GENUFILE Scheduled Task:" for more information and perform the following steps:

Change the user genufile DN to this new group file DN:

String dn = "cn=" + fileName + ",ou=gengfile,dc=racf,dc=com";

SRCHLG Scheduled Task:

See section, "SRCHLU Scheduled Task:" for more information.

The only change for Group Search All Data is the new DN:

ctx.search("ou=Groups,dc=racf,dc=com", matchAttrs);

DELGFILE Scheduled Task:

See section, "DELUFILE Scheduled Task:" for more information and add the new DN:

String dn = "cn=" + fileName + ",ou=delgfile,dc=racf,dc=com";

5.9 Use and Build Custom Real-Time Reconciliation Adapter

The abstract class named RacfAgentReconAdapter.class file has been included in the racf-adv-agent-recon.jar file. You can use this abstract class file and can extend it as a part of the new custom adapter.

Example Class

public class CustomRacfReconImpl extends RacfAgentReconAdapter

To extend the abstract class file, the following abstract functions must be implemented:

public abstract void create(String entryId, Attributes attrs) throws NamingException;
public abstract void update(String entryId, Attributes attrs) throws NamingException;
public abstract void revoke(String entryId, Attributes attrs) throws NamingException;
public abstract void resume(String entryId, Attributes attrs) throws NamingException;
public abstract void resetPassword(String entryId, String userPassword, Attributes attrs) throws NamingException;
public abstract void delete(String entryId, Attributes attrs) throws NamingException;

public abstract void createGroup(String entryId, Attributes attrs) throws NamingException;
public abstract void updateGroup(String entryId, Attributes attrs) throws NamingException;
public abstract void deleteGroup(String entryId, Attributes attrs) throws NamingException;

Note:

When compiling, make sure the /ldapgateway/dist/idfserver.jar is on the classpath.

After creating and compiling the custom class file, perform the following steps:

  1. Add the new class to a jar file and add it to the ldapgateway/etc directory.

  2. Add the new jar file to the /ldapgateway/bin/run.bat(.sh) classpath variable.

  3. Edit the beans.xml file in ldapgateway/dist/idfserver.jar and, in the <bean name="racf"> bean that you are using for reconciliation, add a reference to the new class using its full package and class name:

    <property name="agentAdapters">
      <list>
        <value>com.custom.CustomRacfAgentReconImpl</value>
      </list>
    </property>

5.10 LDAP Reconciliation Supported Queries

User Reconciliation Queries:

  1. All User DN's and "uid" attribute

    1. baseDn= ou=People,dc=racfxxx,dc=com

    2. filter= (objectclass=*)

  2. Single User Search for all data

    1. baseDn=ou=People,dc=racfxxx,dc=com

    2. filter= (uid=idxxx)

Group Reconciliation Queries:

  1. All Group DN's and "cn" attribute

    1. baseDn= ou=Groups,dc=racfxxx,dc=com

    2. filter= (objectclass=*)

  2. Single User Search for all data

    1. baseDn= ou=Groups,dc=racfxxx,dc=com

    2. filter= (cn=idxxx)

Dataset Profiles for a given USER (uid) Reconciliation Queries:

  1. Dataset Profiles returned for a user

    1. baseDn= ou=Datasets,dc=racfxxx,dc=com

    2. filter= (uniqueMember=uid=idxxx,ou=People,dc=racfxxx,dc=com)

      OR

    3. filter= (uid=idxxx)