Oracle® Identity Manager Connector Guide for RSA Authentication Manager
Release 9.0.4

E11207-08

1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. The connector for RSA Authentication Manager is used to integrate Oracle Identity Manager with RSA Authentication Manager.

This chapter contains the following sections:

Note:

In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.

At some places in this guide, RSA Authentication Manager has been referred to as the target system.

1.1 Certified Components

Table 1-1 lists the certified components for this connector.

Table 1-1 Certified Components

Item Requirement

Oracle Identity Manager

You can use one of the following releases of Oracle Identity Manager:

  • Oracle Identity Manager release 9.0.1 through release 9.0.3.2

  • Oracle Identity Manager release 9.1.0.1

    Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.1 and future releases in the 9.1.0.x series that the connector will support.

  • Oracle Identity Manager 11g release 1 (11.1.1)

    Note: In this guide, Oracle Identity Manager release 11.1.1 has been used to denote Oracle Identity Manager 11g release 1 (11.1.1).

The connector does not support Oracle Identity Manager running on Oracle Application Server. For detailed information about certified components of Oracle Identity Manager, see the certification matrix on Oracle Technology Network at

http://www.oracle.com/technetwork/documentation/oim1014-097544.html

Target system and target system host platforms

The target system can be any one of the following:

  • RSA ACE/Server 5.2 on Windows Server 2003, Solaris 8, Solaris 9, Solaris 10

  • RSA Authentication Manager 6.0 on Windows Server 2003

  • RSA Authentication Manager 6.1 on Windows Server 2003

  • RSA Authentication Manager 6.1.2 on Solaris 9, Solaris 10

JDK

The JDK version can be one of the following:

  • For Oracle Identity Manager release 9.0.1 through 9.0.3.2, use JDK 1.4.2 or a later release in the 1.4.2 series.

  • For Oracle Identity Manager release 9.1.0.x, use JDK 1.5 or a later release in the 1.5 series.

  • For Oracle Identity Manager release 11.1.1, use JDK 1.6 update 18 or later, or JRockit JDK 1.6 update 17 or later.

Other systems

RSA SecurID software token application

See Also: The "Installing Software Tokens" section for more information about the RSA SecurID software token


1.2 Certified Languages

The connector supports the following languages:

See Also:

For information about supported special characters:

  • For Oracle Identity Manager release from 9.0.1 through 9.0.3.2 and release 9.1.0.x, see Oracle Identity Manager Globalization Guide.

  • For Oracle Identity Manager release 11.1.1, see Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

1.3 Reconciliation Module

Reconciliation involves duplicating in Oracle Identity Manager additions of and modifications to user accounts on the target system. It is an automated process initiated by a scheduled task that you configure.

See Also:

One of the following guides for conceptual information about reconciliation configurations:

  • For Oracle Identity Manager release from 9.0.1 through 9.0.3.2 and release 9.1.0.x, see Oracle Identity Manager Connector Concepts Guide.

  • For Oracle Identity Manager release 11.1.1, see Oracle Fusion Middleware User's Guide for Oracle Identity Manager.

This section discusses the following topics:

1.3.1 Reconciled Resource Object Fields

The following target system fields are reconciled:

  • Default Login

  • First Name

  • Last Name

  • Temporary User

  • Start Date

  • Start Time

  • End Date

  • End Time

  • Group Name

  • Group Login

  • Key Value

  • Data Value

  • Token Serial Number

  • Type of Token

1.3.2 Reconciled Xellerate User Fields

The following target system fields are reconciled only if trusted source reconciliation is implemented:

  • User ID

  • First Name

  • Last Name

  • Employee Type

  • User Type

  • Organization

1.3.3 Reconciliation of Multivalue Attribute Groups

The following are features related to the reconciliation of multivalue attribute groups:

  • Group names that include the names of sites are entered in the group_name@domain_name format. In Oracle Identity Manager 9.0.3, you can choose not to include the domain name while creating or updating the name of a group. Similarly, regardless of whether or not the name of a group in the target system includes a domain name, it is reconciled in Oracle Identity Manager.

    Note:

    The term "domain name" in the Oracle Identity Manager context is the same as "site name" in RSA Authentication Manager.

  • When a user is deleted from a group in ACE, the group is also deleted from the user's ACE process child table.

1.4 Provisioning Module

Provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager. You use the Administrative and User Console to perform provisioning operations.

See Also:

One of the following guides for conceptual information about provisioning:

  • For Oracle Identity Manager release from 9.0.1 through 9.0.3.2 and release 9.1.0.x, see Oracle Identity Manager Connector Concepts Guide.

  • For Oracle Identity Manager release 11.1.1, see Oracle Fusion Middleware User's Guide for Oracle Identity Manager.

For this target system, provisioning is divided into the following types:

1.4.1 RSA Authentication Manager User Provisioning

In this provisioning type, you can specify values for the following fields:

  • Default Login

  • First Name

  • Last Name

  • Temporary User

  • Start Date

  • Start Time

  • End Date

  • End Time

  • Group Login

  • Group Name

  • Key Value

  • Data Value

1.4.2 RSA Authentication Manager Token Provisioning

In this provisioning type, you can specify values for the following fields:

  • Token Serial Number

  • PIN

  • Current Token Code

  • Lifetime (hours)

  • Number of Digits

  • Type of Token

  • Copy Protection Flag

  • Password

  • Password Usage and Interpretation Method

  • Software Token File Name

  • Encryption Key Type

  • Type of Algorithm

1.5 Supported Functionality

The following table lists the functions that are available with this connector.

Create User: Creates a user

Update User: Updates the identity attributes of a provisioned user

Delete User: Deletes a user

This function does not run if the user to be deleted is an administrator.

Enable Token: Enables a disabled token

Disable Token: Disables an existing token

Assign SecurID Tokens to Users: Assigns a token to a user

While assigning a software token to the user, the Type of Algorithm field must be filled in the process form.

  • If SID is selected in the Type of Algorithm field, then values must be specified for the following fields in the process form:

    - Software Token File Name: This is the name of the RSA SecurID software token file in which user and token information is saved. You must enter the file name with the full directory path and ensure that the extension is .sdtid.

    - Encryption Key Type

    - Copy Protection Flag

    - Password Usage and Interpretation Method

    - Password

    Note: If these combinations do not matter, then you can accept the default options.

  • If AES is specified in the Type of Algorithm field, then:

    You must enter a value in the Software Token File Name field of the process form. This is the name of the RSA SecurID software token file in which user and token information is saved. You must enter the file name with the full directory path and ensure that the extension is .sdtid.

    The Password field is optional.

    The following fields can be ignored:

    - Encryption Key Type

    - Copy Protection Flag

    - Password Usage and Interpretation Method

Revoke SecurID Tokens from Users: Revokes a token from a user

Assign Users to RSA Authentication Manager Groups: Assigns a user to a group

You must ensure that the following prerequisites are met before you use this function:

  • Valid groups exist in RSA Authentication Manager.

  • The required lookup codes (corresponding to valid group names) are added in the UD_Lookup.ACE_Group lookup definition. For example, for a group called Managers defined in ACE DB, the following entry must be added as the lookup code:

    Code Key: Managers

    Decode: Managers

    Lang: en

    Country: US

Remove Users from RSA Authentication Manager Groups: Removes a user from a group

You must ensure that the following prerequisites are met before you use this function:

  • Valid groups exist in ACE DB.

  • This function is run only after the Assign Users to RSA Authentication Manager Groups function has been run.

Set Token PIN: Updates the configuration of a token according to a change in the PIN attribute

Set PIN to Next Token Code Mode: Sets the PIN to the next token code mode in RSA Authentication Manager

Track Lost Tokens: Updates the configuration of a token according to a change in the Track Lost attribute

Test Login: Verifies the login for a new user to whom a token has been assigned

You must ensure that the following prerequisites are met before you use this function:

  • An agent host is defined in the RSA Authentication Manager database.

  • The user for whom the Test Login function is to be implemented is enabled on this agent host. After this is done, RSA Authentication Manager is restarted (Broker as well as Authentication Server).

For software token types, you must enter the passcode, instead of the token code, in the Current Token Code field in the process form.

The passcode can be viewed by using the software token application, which is installed on the Oracle Identity Manager server.

See Also: The "Installing Software Tokens" section for more information

Add key-data pairs to user extension data: Adds a key-data pair to user extension data

Before you use this function, you must ensure that the following prerequisite is met:

  • The user must not already have user extension data with the same key before provisioning to the target system.

Update key-data pairs in user extension data: Updates a key-data pair in user extension data

Before you use this function, you must ensure that the following prerequisites are met:

  • The user must have user extension data with the same key value before provisioning to the target system.

  • You must not change the key value. Only the data value needs to be changed before provisioning.

Delete key-data pairs from user extension data: Deletes a key-data pair from user extension data

Before you use this function, you must ensure that the following prerequisite is met:

  • The user must have user extension data with the same key value before provisioning to the target system.
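Added here as an illustration, not code from the Oracle connector or this guide: a stand-alone Python check that applies the SID/AES field rules of the Assign SecurID Tokens to Users function to a process form, so that a form the target system would reject is caught before provisioning. Field names are the ones in the table above; the check assumes that a POSIX absolute path, a Windows drive path or a UNC path counts as the "full directory path" the guide requires.

```python
"""Pre-provisioning check for the token-assignment process form.
Added illustration, not code from the Oracle connector: it applies the
field rules the guide states for "Assign SecurID Tokens to Users".
"""
import os

# Fields that must be filled in when Type of Algorithm is SID.
SID_REQUIRED = (
    "Encryption Key Type",
    "Copy Protection Flag",
    "Password Usage and Interpretation Method",
    "Password",
)
# Fields the guide says are ignored when Type of Algorithm is AES.
AES_IGNORED = (
    "Encryption Key Type",
    "Copy Protection Flag",
    "Password Usage and Interpretation Method",
)


def check_token_file_name(name):
    """The file name needs a full directory path and the .sdtid extension."""
    if not name:
        return ["Software Token File Name is required"]
    problems = []
    if not name.lower().endswith(".sdtid"):
        problems.append("Software Token File Name must end with .sdtid")
    # Assumption: a POSIX absolute path, a Windows drive path or a UNC path
    # all count as "the full directory path".
    is_full = os.path.isabs(name) or name[1:3] == ":\\" or name.startswith("\\\\")
    if not is_full:
        problems.append("Software Token File Name must include the full directory path")
    return problems


def validate_token_form(form):
    """Return (errors, warnings) for a process form given as {field: value}.
    None and the empty string count as "not filled in".
    """
    filled = {k: v for k, v in form.items() if v not in (None, "")}
    errors, warnings = [], []
    algorithm = filled.get("Type of Algorithm")
    if algorithm not in ("SID", "AES"):
        return ["Type of Algorithm must be SID or AES"], warnings
    # Both algorithms require the software token file name.
    errors.extend(check_token_file_name(filled.get("Software Token File Name")))
    if algorithm == "SID":
        errors.extend("%s is required when Type of Algorithm is SID" % f
                      for f in SID_REQUIRED if f not in filled)
    else:  # AES: Password is optional and the SID-only fields are ignored.
        warnings.extend("%s is ignored when Type of Algorithm is AES" % f
                        for f in AES_IGNORED if f in filled)
    return errors, warnings
```

Ignored fields are reported as warnings rather than errors, because the guide says they can be left as they are for AES.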


1.6 Files and Directories That Comprise the Connector

The files and directories that comprise this connector are listed and described in Table 1-2.

Table 1-2 Files and Directories On the Installation Media

File in the Installation Media Directory Description

Files in the DataSets directory

These XML files specify the information to be submitted by the requester during a request-based provisioning operation.

lib/xliACE.jar

This JAR file contains the class files required for provisioning. During connector installation, this file is copied to the following location:

  • For an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 and release 9.1.0.x: OIM_HOME/xellerate/JavaTasks

  • For Oracle Identity Manager release 11.1.1: Oracle Identity Manager database

lib/xliACERecon.jar

This JAR file contains the class files required for reconciliation. During connector installation, this file is copied to the following location:

  • For an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 and release 9.1.0.x: OIM_HOME/xellerate/ScheduleTask

  • For Oracle Identity Manager release 11.1.1: Oracle Identity Manager database

remotePackage/config/xl.policy

This file contains the security configuration that is required for the RMI server codebase for running calls on RSA Authentication Manager for reconciliation.

remotePackage/lib/ACE52/ACEUser.dll

This file contains the shared library that is required to support provisioning in RSA ACE Server 5.2.

remotePackage/lib/ACE52Sol/libACEUser.so

This file contains the shared library that is required to support provisioning in RSA Authentication Manager.

remotePackage/lib/AuthMgr60/ACEUser.dll

This file contains the shared library that is required to support provisioning in RSA Authentication Manager 6.0.

remotePackage/lib/AuthMgr61/ACEUser.dll

This file contains the shared library that is required to support provisioning in RSA Authentication Manager 6.1, on Microsoft Windows.

remotePackage/lib/xliACERemote.jar

This file contains the Java classes that are required for provisioning to RSA Authentication Manager and reconciliation from RSA Authentication Manager to Oracle Identity Manager.

remotePackage/scripts/AuthMgrImportXLCert.bat

This file contains the script for importing the required security certificate into the remote manager keystore (.xlkeystore).

remotePackage/scripts/AuthMgrImportXLCert.sh

This file contains the script for importing the required security certificate into the remote manager keystore (.xlkeystore) on Solaris.

remotePackage/tests/config/xl.policy

This file contains the security configuration required for the RMI server codebase to run test calls on RSA Authentication Manager.

remotePackage/tests/lib/xliACETestServer.jar

This file contains the Java classes that are required to run the RMI server for running test calls on RSA Authentication Manager.

remotePackage/tests/scripts/runTestServer.bat

This file contains the script that is required to run the RMI server for running test calls on RSA Authentication Manager.

remotePackage/tests/scripts/runTestServer.sh

This file contains the script that is required to run the RMI server for running test calls on RSA Authentication Manager, on Solaris.

Files in the resources directory

Each of these resource bundles contains language-specific information that is used by the connector. During connector installation, these resource bundles are copied to the following location:

  • For Oracle Identity Manager release 9.0.1 through release 9.0.3.2 and release 9.1.0.x: OIM_HOME/xellerate/connectorResources

  • For Oracle Identity Manager release 11.1.1: Oracle Identity Manager database

Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages.

scripts/AuthMgrImportRMCert.bat

This file contains the script for importing the required security certificate in the Oracle Identity Manager server keystore (.xlkeystore).

scripts/AuthMgrImportRMCert.sh

This file contains the script for importing the required security certificate in the Oracle Identity Manager server keystore (.xlkeystore) on Solaris.

tests/config/config.properties

This file contains the properties required by the RMI client for running test calls from the Oracle Identity Manager server.

tests/lib/xliACETestClient.jar

This file contains the Java classes required to run the RMI client for running test calls from the Oracle Identity Manager server.

tests/scripts/runTestClient.bat

This file contains the script required to run the RMI client for running test calls from the Oracle Identity Manager Server, for Microsoft Windows.

tests/scripts/runTestClient.sh

This file contains the script required to run the RMI client for running test calls from the Oracle Identity Manager Server, for Solaris.

xml/RSAAuthManagerResourceObject.xml

This file contains definitions for the following ACE User and ACE Token components of the connector:

  • IT Resource definition

  • IT Resource

  • Process forms

  • Process task and rule-generator adapters (along with their mappings)

  • Resource objects

  • Provisioning process

  • Pre-populate rules that are used with this connector

  • Reconciliation scheduled tasks

xml/RSAAuthManagerXLResourceObject.xml

This file contains configuration parameters for the Xellerate User. You must import this file only if you plan to use the connector in trusted source reconciliation mode.


Note:

The files in the tests directory are used only to run tests on the connector.

The "Copying Connector Files" section provides instructions to copy these files into the required directories.

1.7 Determining the Release Number of the Connector

Note:

If you are using Oracle Identity Manager release 9.0.1 through release 9.0.3.2 and release 9.1.0.x, then the procedure described in this section is optional.

If you are using Oracle Identity Manager release 11.1.1, then skip this section.

You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:

  1. Extract the contents of the xliACE.jar file. This file is in the following directory on the installation media:

    Security Applications/RSA Authentication Manager
    
  2. Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the xliACE.jar file.

    In the manifest.mf file, the release number of the connector is displayed as the value of the Version property.