Skip Headers
Oracle® Identity Manager Connector Guide for IBM RACF Advanced
Release 9.0.4

Part Number E10451-20
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

What's New in the Oracle Identity Manager Advanced Connector for IBM RACF?

This chapter provides an overview of the updates made to the software and documentation for the Oracle Identity Manager Advanced Connector for IBM RACF in release 9.0.4.23.

The updates discussed in this chapter are divided into the following categories:

Software Updates

The following sections discuss software updates:

Software Updates in Release 9.0.4.23

The following are the software updates in release 9.0.4.23:

Support for New Oracle Identity Manager Release

From this release onward, the connector can be installed and used on Oracle Identity Manager 11g release 2 (11.1.2.0.1) or later.

This information is also discussed in Section 1.1, "Certified Components."

Support for Provisioning Default Group Updates

From this release onward, the connector supports provisioning of updates to a user's default group. When a change default group request is provisioned to the target system, the LDAP gateway automatically adds the user to the new default group, and then updates the user's DFLTGRP attribute to the new group. This information is also discussed in Section 1.5.3, "User Attributes for Target Resource Reconciliation and Provisioning."

Support for Universal Groups

From this release onward, the connector supports the use of universal groups in provisioning and reconciliation operations. Universal groups can have unlimited number of AUTH(USE) userIDs on the target system. This information is also discussed in Table 3-6 in Section 3.9, "Installing and Configuring the LDAP Gateway."

Resolved Issues in Release 9.0.4.23

The following table lists issues resolved in release 9.0.4.23:

Bug Number Issue Resolution

16568815

The FindAllDatasets scheduled task did not reconcile datasets whose dataset name started with a pound (#) character.

This issue has been resolved. The LDAP gateway can now reconcile datasets that begin with a pound character.

16444260

RACF form password did not follow UD_formname_PASSWORD naming convention, so password policies were not triggered.

This issue has been resolved. The RACF form field for passwords has been renamed to follow the UD_formname_PASSWORD context so that password policies are automatically triggered.

13791726

User names containing apostrophes (') were truncated during provisioning operations.

This issue has been resolved. Apostrophes are no longer causing the CN or NAME fields to be truncated.

16477390

Provisioning operations failed if user names contained special characters (for example, accent marks).

This issue has been resolved. Use of special characters in user names is no longer causing provisioning operations to fail.


Software Updates in Release 9.0.4.22

The following are the software updates in release 9.0.4.22:

New Additions:

Support for Reconciliation Agent

As of this release STARTUP is no longer required to build the Subpool for Voyager. There is a new Voyager control file parameter for the STARTUP integration into Voyager. The parameter is SUBPOOL_SIZE=. Additionally, a new feature has been added to Voyager. The feature is controlled by a Voyager control file parameter, PIONEER_ID=. Three parameters are now optional in the Voyager control file, these are:

  1. DELAY=

  2. STARTDELAY=

  3. PRTNCODE=

    The parameter section for Voyager has been updated to reflect the changes. No STC ddnames have changed in Voyager. WRAPUP also has been incorporated in Voyager. Both STARTUP and WRAP procedures and programs will be included in the distribution. See Chapter 2, "Deploying the IdF Advanced Adapter for IBM RACF" for more details.

Support for Provisioning Agent

The batch interface for ALIAS processing and SEARCH classes has now been moved to be processed internally by Pioneer. Three control file parameters have been removed and are no longer needed, these are:

  1. RWAIT=

  2. JWAIT=

  3. QUEUE_DSN=

All parameters for Pioneer are now contained in the control file. Pioneer STC ddnames have been changed:

From To

//RECONJCL -

Removed

//INJCLR-

Removed


Support for TCPIP

Pioneers TCP message size has changed from 32K to 65K. Pioneer's INITAPI now sets MAXSOC to 5000 sockets. Pioneer's Read Socket logic was modified to ignore any inbound message size less than 1600 bytes. The LDAP sends only 1600 bytes.

Support for Pioneer's Support Clist

Pioneer's Rexx clist library now only contains following clists. They are called internally by Pioneer using "IRXJCL".

See Chapter 2, "Deploying the IdF Advanced Adapter for IBM RACF" more details.

Resolved Issues in Release 9.0.4.22

The following table lists issues resolved in release 9.0.4.22:

Bug Number Issue Resolution

15865759

The racf reconciliation gives error string index out of bound exception.

This issue has been resolved. After the configuration change RACF reconciliation is successful now.

14761989

The DeleteAlias method is missing in racf-provisioning-adapter.jar.

This issue has been resolved. Now the DeleteAlias function has been added to the provisioning jar.

14761829

While instant reconciliation the callingendofjobapi was not called.

This issue has been resolved. The callingendofjob() has been added for 11G R1 and R2.

14693734

Users exist with multiple resource objects for the same account.

This issue has been resolved. This is part of the new persistence architecture that has explained in the connector document.

14544980

The racf command crashes due to the racf advanced connector exits.

This issue has been resolved. The exit has been fixed, now the racf command runs successfully.

14479084

The racf connector does not show job status for group, data set and resource reconciliation.

This issue has been resolved. Now the connector shows job status successfully.

14137090

The racf advanced connector duplicates records.

This issue has been resolved. This is a part of the new persistence architecture that has explained in the connector document.

13791726

The apostrophe (') makes name truncated in racf connector when provisioning from Oracle Identity Manager.

This issue has been resolved. You need to add double quotes (" ") to Oracle Identity Manager name form field.


Software Updates in Release 9.0.4.21

The following are the software updates in release 9.0.4.21:

Support for new RACF CREATDSN members

From this release onward, the connector supports new RACF CREATDSN members. See Chapter 2, "Deploying the IdF Advanced Adapter for IBM RACF" for more details.

Voyager and Pioneer Audit Examples

From this release onward, the Voyager and Pioneer Audit Examples have been included in the connector. See Chapter 2, "Deploying the IdF Advanced Adapter for IBM RACF" for more details.

Resolved Issues in Release 9.0.4.21

There are no resolved issues in release 9.0.4.21.

Software Updates in Release 9.0.4.20

The following are the software updates in release 9.0.4.20:

Support for New Dataset

From this release onwards, the connector supports new datasets for Voyager and pioneer. See Chapter 2, "Deploying the IdF Advanced Adapter for IBM RACF" for more details.

Support for New Feature

From this release onwards, the connector supports a new feature Audit log.

See Chapter 2, "Deploying the IdF Advanced Adapter for IBM RACF" for more details.

Support for User-Defined Resources Reconciliation Queries

From this release onwards, the connector supports User-Defined Resources Reconciliation Queries. See Section 5.9, "LDAP Reconciliation Supported Queries" for more details.

Resolved Issues in Release 9.0.4.20

The following table lists issues resolved in release 9.0.4.20:

Bug Number Issue Resolution

13905563

Enhancement request for RACF connector for INJCLR1 and ReconJCL DD statements in Pioneer Started Tasks.

This issue has been resolved. The INJCLR1 and ReconJCL DD statements in Pioneer Started Tasks have been enhanced.

14043036

The connector needs to extend the functionality to import resources for custom class types.

This issue has been resolved. The latest RACF connector supports reconciling resources of class type.

14091677

The deployment fails with error when trying to deploy IBM RACF advanced connector on Oracle Identity Manager.

This issue has been resolved. Now the IBM RACF advanced can be successfully deployed on Oracle Identity Manager.

14137090

RACF advanced connector duplicates records.

This issue has been resolved. A parameter called Voyager Delay has been added.


Software Updates in Release 9.0.4.19

The following are the software updates in release 9.0.4.19:

Support for New Functions

From this release onwards, the connector supports new functions (create group, alter group, and delete group). See Section 1.5, "Connector Objects Used During Reconciliation and Provisioning," for details.

Support for New Parameters in Property File

From this release onwards, the connector supports new Parameters in the property file useExtractUser, _configExtractAttrs_, and _allowDeleteDS_. See Table 3-6 for more details.

Enhanced Reconciliation

From this release onwards, the connector supports enhanced reconciliation. See Section 5.8, "Use and Build Custom Real-Time Reconciliation Adapter," and Section 5.9, "LDAP Reconciliation Supported Queries" for more details.

Resolved Issues in Release 9.0.4.19

The following table lists issues resolved in release 9.0.4.19:

Bug Number Issue Resolution

13846604

When installing 13778002 patch, it show version as 9.0.4.17.

This issue has been resolved. The version has been corrected in this patch.


Software Updates in Release 9.0.4.17

The following are the software updates in release 9.0.4.17:

Support for Multiple Target Resource Reconciliation Through a Single LPAR

From this release onward, change-based reconciliation using a single LDAP gateway installation from multiple target resource systems is supported. As part of this update, the VOYAGER_ID.properties file (previously known as racfConnection.properties) must be renamed to match the Voyager server's VOYAGER_ID control file property.

Change in Pioneer's Dataset Definition

Pioneer's Dataset Definition (DD) for SYSTSPRT has been changed from RECFM=F to RECFM=FB, Changes were in called programs RACFUSRP and RACFUSRG. Disk space for the file is now blocked, better utilizing the file space.

New Parameter for Voyager

Voyager has a new parameter in the control file. The parameter is VOYAGER_ID=xxxxxxxx, where xxxxxxxx is a 8 character unique identifier for Voyager. See Chapter 2, "Deploying the IdF Advanced Adapter for IBM RACF" for details.

Resolved Issues in Release 9.0.4.17

There are no resolved issues in release 9.0.4.17.

Software Updates in Release 9.0.4.16

There are no software updates in release 9.0.4.16.

Resolved Issues in Release 9.0.4.16

The following table lists issues resolved in release 9.0.4.16:

Bug Number Issue Resolution

13259031

Ensure that the product can support port reservation.

This issue has been resolved. The IBM RACF Advanced Pioneer/Voyager agent has been enhanced to support port reservation.

13259151

Need to certify that the product functions correctly when RRSF is active.

This issue has been resolved. The connector is certified to function correctly when RRSF is active.

13259097

The connector should work with RACF subsystem.

This issue has been resolved. The connector has been certified to work with RACF subsystem.

13259110

Add PDS support to pioneer and voyager started tasks for parmlib members and for JCL references.

This issue has been resolved. The IBM RACF Advanced Pioneer/Voyager agent has been added PDS support for parmlib members and for JCL references.


Software Updates in Release 9.0.4.15

The following are the software updates in release 9.0.4.15:

Support for New Lookup Definition Scheduled Tasks

From this release onward, the connector includes scheduled tasks for storing all resources, groups, and datasets in lookup definitions. These lookups are used during the provisioning process, allowing the user to select an existing group, resource, or dataset from a lookup list, instead of manually entering the name in the provisioning form.

Support for Initial Reconciliation Via Scheduled Task

From this release onward, initial reconciliation is no longer performed using the racf-initial-recon-adapter deployment. Instead, initial reconciliation is supported via the RACF Reconcile All Users scheduled task.

Support for User's Dataset Reconciliation

From this release onward, user's dataset membership can be reconciled using the RACF Find User's Datasets scheduled task. The list of datasets is stored by default in the Lookup.UsersDatasets lookup definition.

Resolved Issues in Release 9.0.4.15

The following table lists issues resolved in release 9.0.4.15:

Bug Number Issue Resolution

11809955

Need to certify the connector to operate with z/OS V1.12

This issue has been resolved. The connector is certified to operate with z/OS V1.12 in this release.

11738283

Need to enhance IBM RACF Advanced Pioneer/Voyager agent to support z/OS Mainframe Application.

This issue has been resolved. The IBM RACF Advanced Pioneer/Voyager agent has been enhanced to support z/OS Mainframe Application.

10312927

Dataset reconciliation is not supported.

This issue has been resolved. The dataset name reconciliation is now supported. Additional dataset attribute reconciliation will be included in a future release.

10279466

Unable to import RACFADV.XML

This issue has been resolved. Importing RACFADV.XML file is now possible.

10264127

The Create Alias is not a defined z/OS process.

This issue has been resolved. The proper command is an IDCAMS – DEFINE ALIAS.

9911671

Reconciliation agent does not shut down using the F Voyager shut down.

This issue has been resolved. Reconciliation agent now shuts down using the F Voyager shut down.

7201081

Need to split Mainframe into four catalogs.

This issue has been resolved. Mainframe is split into four catalogs.

7033009

Special characters are not supported in the user profile ID string.

This issue has been resolved. Special characters are supported in this release.

6900952

Default group shows up in both parent and child forms.

This is no longer considered an issue. RACF includes the default group in the group membership listing for a user, so default groups will continue to be listed on both forms.

5733395

Two LAST CONNECT DATE are displayed when provisioning OIMRACF.

This issue has been resolved. LAST CONNECT DATE is no longer displayed when provisioning OIMRACF.

5566736

Hardcoded strings such as "Dataset Name" and "Dataset Access" appears when provisioning RACF Advanced resource.

This issue has been resolved. The hardcoded strings does not appear when provisioning RACF Advanced resource.


Software Updates in Release 9.0.4.14

The following are the software updates in release 9.0.4.14:

Support for New Script for Oracle Identity Manager 11g Release (11.1.1)

From this release onward, new script and lib directories are provided for Oracle Identity Manager 11g release 1 (11.1.1) to enable jar and property files to be picked up directly from this new location. See Section 3.1, "Files and Directories That Comprise the Connector" and Section 3.3, "Before Running the Connector Installer" for usage instructions.

Resolved Issues in Release 9.0.4.14

The following table lists issues resolved in release 9.0.4.14:

Bug Number Issue Resolution

10224186

Reconciliation of multiple IT resource for the same target system is not supported.

This issue has been resolved. Reconciliation of multiple IT resource for the same target system is now supported.

10304189

Unable to remove the IBM RACF user from the default group.

This issue has been resolved. The IBM RACF user can now be removed from the default group.


Software Updates in Release 9.0.4.13

The following are the software updates in release 9.0.4.13:

Support for New Oracle Identity Manager Release

From this release onward, the connector can be installed and used on Oracle Identity Manager 11g release 1 (11.1.1). Where applicable, instructions specific to this Oracle Identity Manager release have been added in the guide.

See Section 1.1, "Certified Components" for the full list of certified Oracle Identity Manager releases.

Support for Request-Based Provisioning

From this release onward, the connector provides support for request-based provisioning on Oracle Identity Manager 11g release 1 (11.1.1).

See Chapter 2, "Deploying the IdF Advanced Adapter for IBM RACF" for more information.

Resolved Issues in Release 9.0.4.13

The following table lists issues resolved in release 9.0.4.13:

Bug Number Issue Resolution

10075543

The status of resource allocation on Oracle Identity Manager was Provisioned even when the Create User provisioning operation failed.

This issue has been resolved. The status of the resource now correctly reflects the outcome of the provisioning operation.

9911671

The Reconciliation Agent could not be shut down by running the F VOYAGER,SHUTDOWN command.

This issue has been resolved. The F VOYAGER,SHUTDOWN command now works as expected.


Software Updates in Release 9.0.4.12

The following table lists issues resolved in release 9.0.4.12:

Bug Number Issue Resolution

9962145

Passwords were displayed in clear text in the logs for the Provisioning Agent.

This issue has been resolved. Passwords are not recorded in the logs.

9031465

During initial reconciliation, a trusted source reconciliation run was immediately followed by target resource reconciliation.

This issue has been resolved. A trusted source reconciliation run is not followed by target resource reconciliation.

7199039

The Resume User (that is, Enable User) provisioning operation worked correctly on the target system. However, the status in Oracle Identity Manager was not correct.

This issue has been resolved. The status in Oracle Identity Manager is now set correctly.

7193225

During a provisioning operation, the tsoProc attribute was updated on the target system even when the TSO Proc Updated process task was rejected on Oracle Identity Manager.

This issue has been resolved. The tsoProc attribute on the target system is modified only when the TSO Proc Updated process task is successfully run on Oracle Identity Manager.

7024223

The initial reconciliation scripts for this connector and the Oracle Identity Manager Connector for CA ACF2 had the same name.

This issue has been resolved. The initial reconciliation scripts have been given new names.

6901000

User status reconciliation was not available by default. After deploying the connector, you had to set up status reconciliation.

This issue has been resolved. User status reconciliation is now available by default.


Software Updates in Release 9.0.4.11

Support for New Target System Attributes

The following target system attributes have been added for reconciliation and provisioning:

See Also:

Section 1.5.3, "User Attributes for Target Resource Reconciliation and Provisioning" for the full list of supported attributes.

CICS_OPCLASS

CICS_OPIDENT

CICS_OPPRTY

CICS_RSLKEY

CICS_TIMEOUT

CICS_TSLKEY

CICS_XRFSOFF

NETVIEW_CONSNAME

NETVIEW_CTL

NETVIEW_DOMAINS

NETVIEW_IC

NETVIEW_MSGRECVR

NETVIEW_NGMFADMN

NETVIEW_NGMFVSPN

NETVIEW_OPCLASS

OMVS_ASSIZEMAX

OMVS_AUTOUID

OMVS_SHARED

OMVS_CPUTIMEMAX

OMVS_FILEPROCMAX

OMVS_MEMLIMIT

OMVS_MMAPAREAMAX

OMVS_PROCUSERMAX

OMVS_SHMEMMAX

OMVS_THREADSMAX

Support for Running IBM z/OS Batch Jobs Through the Provisioning Agent

From this release onward, the Provisioning Agent can be configured to run IBM z/OS batch jobs corresponding to provisioning functions you specify. See the following for more information:

Support for IBM z/OS version 1.11

From this release onward, IBM z/OS version 1.11 is one of the certified target system identity repositories. This operating system version has been added in Section 1.1, "Certified Components."

Resolved Issues in Release 9.0.4.11

The following table lists issues resolved in release 9.0.4.11:

Bug Number Issue Resolution

8935868

The Reconciliation Agent failed and would not recover correctly if the LDAP Gateway was stopped or failed and was then restarted.

This issue has been resolved. The Reconciliation Agent does not fail if the LDAP Gateway is restarted after it fails or is stopped.

9037350

While deploying the connector, you had to copy the following files into the OIM_HOME/xellerate/JavaTasks directory:

scripts/initialRacfAdv.properties

scripts/run_initial_recon_provisioning.sh

scripts/run_initial_recon_provisioning.bat

scripts/racf-adv-initial-recon.jar

The properties file contains details of the target system host computer. If you had multiple nodes, then you had to modify the properties file each time you wanted to run it on a different node.

This issue has been resolved. For each node of the target system, you can create directories inside the JavaTasks directory and then create copies of all the script files inside each directory. For example, you can create directories with names JavaTasks/racf1, JavaTasks/racf1, JavaTasks/racf1, and so on, and create copies of the script files in each directory.

9182884

An error related to IBM RACF error code prefixes was sometimes thrown without due cause.

This issue has been resolved.


Software Updates in Release 9.0.4.4

The following table lists issues resolved in release 9.0.4.4:

Bug Number Issue Resolution

7286016

On certain UK operating environments, a mainframe code page of GB was used instead of the default UK. This caused the mainframe agents to use the American pound symbol instead of the British pound symbol.

This issue has been resolved. The mainframe agents have been rebuilt to include the GB code page.


Software Updates in Release 9.0.4.3

The following is a software updates in release 9.0.4.3:

Support for IBM z/OS version 1.9

From this release onward, IBM z/OS version 1.9 is one of the certified target system identity repositories. This operating system version has been added in Section 1.1, "Certified Components."

Software Updates Up to Release 9.0.4.2

The following are software updates up to release 9.0.4.2:

Documentation-Specific Updates

The following sections discuss documentation-specific updates:

Documentation-Specific Updates in Releases 9.0.4.23

The following are the documentation-specific updates in release 9.0.4.23:

Documentation-Specific Updates in Releases 9.0.4.22

The following are the documentation-specific updates in release 9.0.4.22:

Documentation-Specific Updates in Releases 9.0.4.21

There are no documentation-specific updates in release 9.0.4.21.

Documentation-Specific Updates in Releases 9.0.4.20

The following are the documentation-specific updates in release 9.0.4.20:

Documentation-Specific Updates in Releases 9.0.4.19

The following are the documentation-specific updates in release 9.0.4.19:

Documentation-Specific Updates in Releases 9.0.4.17

The following are the documentation-specific updates in release 9.0.4.17:

Documentation-Specific Updates in Releases 9.0.4.16

The following are the documentation-specific updates in release 9.0.4.16.

Documentation-Specific Updates in Releases 9.0.4.15

There are no documentation-specific updates in release 9.0.4.15.

Documentation-Specific Updates in Releases 9.0.4.14

There are no documentation-specific updates in release 9.0.4.14.

Documentation-Specific Updates in Releases 9.0.4.13

There are no documentation-specific updates in release 9.0.4.13.

Documentation-Specific Updates in Releases 9.0.4.2 Through 9.0.4.12

The following sections discuss documentation-specific updates have been made in releases 9.0.4.2 to 9.0.4.12: