Sun[TM] Identity Manager 8.0 Resources Reference
OS/400
The OS/400 resource adapter is defined in the com.waveset.adapter.OS400ResourceAdapter class.
Resource Configuration Notes
None
Identity Manager Installation Notes
The OS/400 resource adapter is a custom adapter. You must perform the following steps to complete the installation process:
- Download version 2.03 of the JTOpen product from the following URL: http://jt400.sourceforge.net
- Unzip the JTOpen file and follow the installation instructions. Be sure to place library files in the correct location and to set the environment variables as directed.
You must contact IBM to obtain the jt400.jar file.
- Copy the jt400.jar file to the InstallDir\WEB-INF\lib directory.
- To add an OS/400 resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.OS400ResourceAdapter
Usage Notes
Identity Manager supports three options for handling OS/400 objects that are associated with an account on an OS/400 resource. To enable this specialized support, you must use the OS400Deprovision form that is located in the Identity Manager sample directory. You must also edit the system configuration object; instructions for doing this are included in comments in the OS400Deprovision form. Once enabled, these options appear on the Delete Resource Accounts page when you choose to delete a user's OS/400 resource account.
Available delete options are:
- DLT - The user's resource account and associated OS/400 objects are deleted.
- NODLT - If the user has associated objects, his account is not deleted and associated OS/400 objects are not affected.
- CHGOWN - The user's resource account is deleted and associated OS/400 objects are assigned to a designated owner. CHGOWN is the default option. By default, OS/400 objects are assigned to the QDFTOWN profile.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager may use Secure Sockets Layer (SSL) to communicate with the OS/400 adapter. If so, the following product must be implemented:
This program contains the SSLight package, which is necessary for SSL connections from Identity Manager through the Java Toolbox installation on the OS/400 resource.
Required Administrative Privileges
The following administrative privileges are required for this adapter:
- CRT: To add an OS/400 user, the administrator must have (1) *SECADM special authority, (2) *USE authority to the initial program, initial menu, job description, message queue, output queue, and attention-key-handling program if specified, and (3) *CHANGE and object management authorities to the group profile and supplemental group profiles, if specified.
- CHG: To specify this command, you must have *SECADM special authority, and *OBJMGT and *USE authorities to the user profile being changed. *USE authority to the current library, program, menu, job description, message queue, print device, output queue, or ATTN key handling program is required to specify these parameters.
- DLT: The user must have use (*USE) and object existence (*OBJEXIST) authority to the user profile. The user must have existence, use, and delete authorities to delete a message queue associated with and owned by the user profile. The user profile cannot be deleted if a user is currently running under the profile, or if it owns any objects and OWNOBJOPT(*NODLT) is specified. All objects in the user profile must first either be transferred to new owners by using the Change Object Owner (CHGOBJOWN) command or be deleted from the system. This can also be accomplished by specifying OWNOBJOPT(*DLT) to delete the objects or OWNOBJOPT(*CHGOWN user-profile-name) to change the ownership. Authority granted to the user does not have to be specifically revoked by the Revoke Object Authority (RVKOBJAUT) command; it is automatically revoked when the user profile is deleted.
- DSP: The user name can be specified as USRPRF(*ALL) or USRPRF(generic*-user-name) only when TYPE(*BASIC) and OUTPUT(*OUTFILE) are specified.
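The delete options in the Usage Notes correspond to the OWNOBJOPT values described under DLT above. The following is an added example, not code from Identity Manager or the adapter, showing how each option could be turned into a delete command while rejecting account IDs that are not plain profile names. The class and method names, the use of the DLTUSRPRF command, and the profile-name rule are assumptions.

```java
import java.util.Locale;
import java.util.regex.Pattern;
// Added example, not Identity Manager code: builds the DLTUSRPRF command that
// corresponds to each delete option. Class and method names are hypothetical.
public class Os400DeleteCommand {
    enum DeleteOption { DLT, NODLT, CHGOWN }
    // Assumed naming rule: 1-10 characters, first is A-Z, $, # or @,
    // the rest may also be 0-9 or underscore.
    private static final Pattern PROFILE = Pattern.compile("[A-Z$#@][A-Z0-9$#@_]{0,9}");

    // Reject anything that is not a plain profile name, so a value containing
    // spaces or parentheses can never alter the command's parameters.
    static String requireProfile(String name) {
        String upper = name == null ? "" : name.trim().toUpperCase(Locale.ROOT);
        if (!PROFILE.matcher(upper).matches()) {
            throw new IllegalArgumentException("invalid profile name: " + name);
        }
        return upper;
    }

    static String build(String accountId, DeleteOption option, String newOwner) {
        String prefix = "DLTUSRPRF USRPRF(" + requireProfile(accountId) + ") OWNOBJOPT(";
        switch (option) {
            case DLT:
                return prefix + "*DLT)";      // owned objects are deleted too
            case NODLT:
                return prefix + "*NODLT)";    // fails if the profile owns objects
            case CHGOWN:
                // QDFTOWN is the default owner named on this page.
                String owner = requireProfile(newOwner == null ? "QDFTOWN" : newOwner);
                if (owner.equals(requireProfile(accountId))) {
                    throw new IllegalArgumentException("new owner is the deleted profile");
                }
                return prefix + "*CHGOWN " + owner + ")";
            default:
                throw new IllegalStateException("unknown option " + option);
        }
    }

    public static void main(String[] args) {
        System.out.println(build("jsmith", DeleteOption.CHGOWN, null));
        System.out.println(build("jsmith", DeleteOption.NODLT, null));
        try {   // constructed bad input: must be rejected, not embedded
            build("jsmith) OWNOBJOPT(*DLT", DeleteOption.NODLT, null);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```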
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
| Feature | Supported? |
|---|---|
| Enable/disable account | Yes |
| Rename account | No |
| Pass-through authentication | No |
| Before/after actions | Yes |
Data loading methods
Account Attributes
The following table provides information about OS/400 account attributes. All attributes are strings, unless indicated otherwise.
Resource Object Management
None
Identity Template
$accountId$
Sample Forms
OS400UserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.OS400ResourceAdapter