Oracle® Identity Manager Connector Guide for CA ACF2 Advanced Release 9.0.1 Part Number B31112-01
After you deploy the connector, you must test it to ensure that it functions as expected. The CA ACF2 connector is composed of a Gateway and two mainframe adapters, so both connectivity testing and use case testing are required.
This chapter contains information on the following types of testing:
Connectivity testing: All message transport layers depend on open ports, which allow application data to be passed between applications and between machines. This test checks for open ports on the mainframe system from the Oracle Identity Manager system. Within the Oracle Identity Manager Advanced Connector, two message transport layers are supported: IBM MQ Series and TCP/IP. Both depend on open ports to communicate.
Provisioning Testing: This type of test involves using Oracle Identity Manager for provisioning or de-provisioning one of its users or organizations with a target resource. In other words, Oracle Identity Manager is the starting point of the connector, and the target resource is the end point.
Reconciliation Testing: In this type of test, you reconcile Oracle Identity Manager with either a trusted source or a target resource. In other words, the trusted source or target resource is the starting point of the connector, and Oracle Identity Manager is the end point.
Note:
In earlier releases of this guide, the connector was referred to as the integration.
This chapter contains the following sections:
Within the Oracle Identity Manager Advanced Connector, two message transport layers are supported: IBM MQ Series and TCP/IP. Both depend on open ports to communicate. This section discusses open port testing for the CA ACF2 connector. Testing of open ports is done on the Oracle Identity Manager server system.
Note:
In enterprise security environments, firewalls may be configured to allow a ping test only from specific machines. Also, notify your network administrator and the mainframe security manager about the port testing, because this activity may trigger automated network responses and notifications.
The following tests assume that the test is conducted on the Oracle Identity Manager server, with localhost as the IP name of the Oracle Identity Manager server and [mainframeIP] as the IP address of the mainframe.
Internal to the Oracle Identity Manager server, Oracle Identity Manager and the CA ACF2 Advanced Connector communicate on port 5389.
ping localhost:5389
For IBM MQ Series messaging, the standard port is 1414. This port must be tested on both the Oracle Identity Manager server and the mainframe system.
ping localhost:1414
ping [mainframeIP]:1414
The TCP/IP message transport layer relies on several different ports, and the port numbers must match on each system. For provisioning to CA ACF2, run the following test:
ping [mainframeIP]:5792
For reconciliation with CA ACF2:
ping localhost:5290
ping [mainframeIP]:5290
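The checks above list which ports each transport layer needs. The following script is an added example (not part of this guide or of the connector) that walks the same port list and attempts a TCP connection to each one; an ICMP ping confirms only that a host answers, whereas a completed TCP connect confirms that a listener is present and that intervening firewall or router rules pass the port. The host names, the [mainframeIP] placeholder substitution and the descriptions are the author's assumptions based on this section.

```python
import socket
import sys
from contextlib import closing

# Port list taken from the connectivity section of this chapter. "[mainframeIP]"
# is the guide's placeholder and is substituted at run time (assumption: no
# port remapping by an intervening router; see the note below in the guide).
PORT_CHECKS = [
    ("localhost", 5389, "Oracle Identity Manager <-> CA ACF2 Advanced Connector"),
    ("localhost", 1414, "IBM MQ Series, Oracle Identity Manager side"),
    ("[mainframeIP]", 1414, "IBM MQ Series, mainframe side"),
    ("[mainframeIP]", 5792, "TCP/IP transport, provisioning to CA ACF2"),
    ("localhost", 5290, "TCP/IP transport, reconciliation, OIM side"),
    ("[mainframeIP]", 5290, "TCP/IP transport, reconciliation, mainframe side"),
]


def tcp_port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout.

    A refused connection (nothing listening) and a timeout (packet dropped by a
    firewall, or host unreachable) are both reported as closed; the caller can
    distinguish them by lowering the timeout and watching how long it takes.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (socket.timeout, OSError):
            return False


def run_checks(checks, mainframe_ip):
    """Substitute the real mainframe address for the [mainframeIP] placeholder
    and return a list of (host, port, description, is_open) tuples."""
    results = []
    for host, port, desc in checks:
        target = mainframe_ip if host == "[mainframeIP]" else host
        results.append((target, port, desc, tcp_port_open(target, port)))
    return results


if __name__ == "__main__":
    # Usage: python portcheck.py <mainframe address>
    mainframe = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for host, port, desc, is_open in run_checks(PORT_CHECKS, mainframe):
        state = "OPEN  " if is_open else "CLOSED"
        print(f"{state} {host}:{port}  {desc}")
```

Run it from the Oracle Identity Manager server, as the guide's ping tests assume, passing the mainframe address as the first argument. A CLOSED result for a mainframe port with an OPEN result for the matching local port usually points at a firewall rule or at the port remapping described in the note that follows, rather than at the connector itself.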
Note:
It is common for the mainframe TCP/IP configuration and the CA ACF2 Advanced Connector Adapter JCLs to have the same code set, even if multiple LPARs and connectors are used. As the port traffic passes through a router, the public IP address then becomes different from the private, locally assigned machine IP address. This translation between private and public IP addresses can also extend to remapping of the ports.
This section focuses on the functional and performance test cases that are associated with this connector. The following table includes information on running test cases on the CA ACF2 Advanced connector:
Test Case | Test Type | Description/Comment |
---|---|---|
Test to Change CA ACF2 Password | Provisioning | A user password is changed, with the change posted to the mainframe through the Advanced Connector. |
Test to Reset CA ACF2 Password | Provisioning | A user password is reset, with the change posted to the mainframe through the Advanced Connector. |
Test to Create CA ACF2 User | Provisioning | A user is created, with the change posted to the mainframe through the Advanced Connector. |
Test to Revoke/disable CA ACF2 User Account | Provisioning | A user ID is revoked, with the change posted to the mainframe through the Advanced Connector. |
Test to Resume CA ACF2 User Account | Provisioning | A user ID is resumed from a revoked status, with the change posted to the mainframe through the Advanced Connector. |
Test to List CA ACF2 Users | Provisioning | A list of users is retrieved from the mainframe CA ACF2 repository. |
Test to Permit CA ACF2 User Access to Resource Profile | Provisioning | A user is authorized to access mainframe resources, with the change posted to the mainframe through the Advanced Connector. |
Test to Permit CA ACF2 User Access to TSO | Provisioning | A user is provisioned to log on to the mainframe through TSO, with the change posted to the mainframe through the Advanced Connector. |
Test to Remove CA ACF2 User Access to Dataset | Provisioning | A user is removed from access to a mainframe dataset, with the change posted to the mainframe through the Advanced Connector. |
Test to Remove CA ACF2 User Access to Resource Profile | Provisioning | A user is removed from access to a mainframe resource, with the change posted to the mainframe through the Advanced Connector. |
Test to Detect and Report Native CA ACF2 Password Change Event | Reconciliation | A native password change is made on the mainframe and subsequently detected by the Advanced Connector. |
Test to Detect and Report Native CA ACF2 Password Reset Event | Reconciliation | A native password reset is made on the mainframe and subsequently detected by the Advanced Connector. |
Test to Detect and Report Native CA ACF2 Create User Data Event | Reconciliation | A create user is made by an administrator natively on the mainframe and subsequently detected by the Advanced Connector. |
Test to Detect and Report Native CA ACF2 Revoke User Event | Reconciliation | A user ID password is revoked through native mainframe events, and the revocation is subsequently detected by the Advanced Connector. |
Test to Detect and Report Native CA ACF2 Delete User Event | Reconciliation | A user ID is deleted through native mainframe events, and the deletion is subsequently detected by the Advanced Connector. |
Test to Detect and Report Native CA ACF2 Resume User Event | Reconciliation | A user ID is resumed from a revoked status through native mainframe events, and the resumption is subsequently detected by the Advanced Connector. |
The following table lists solutions to some commonly encountered issues associated with the CA ACF2 connector.
Problem Description | Solution |
---|---|
Oracle Identity Manager cannot establish a connection to the CA ACF2 Server. | |
The mainframe does not appear to respond. | |
A particular use case does not appear to be functioning. | |
The Oracle Identity Manager CA ACF2 architecture has been engineered for enterprise-level performance. When an identity event passes through an exit, the Reconciliation Connector analyzes the event, and then creates a message, allowing the command to complete its routine without loss of time.
A given event will typically fire multiple exits at the same time. For example, a batch job that generates a password change identity event will fire both a batch exit and a password change exit. The Reconciliation Connector captures both events, filters duplicate entries, and passes the result to the Oracle Identity Manager LDAP Gateway.
A batch job to change 50,000 passwords has been tested on a single LPAR to complete within 10 minutes. Because two exits were involved, 100,000 messages were created, filtered, and transformed into MQ messages. The LDAP Gateway then took 30 minutes to retrieve and update the distributive system identity store, with most of that time consumed by the LDAP database.
The LDAP Gateway is engineered to detect when a given event originates from Oracle Identity Manager as it passes through the Reconciliation Connector. Provisioning Connector events also create a native exit event that is detected. To prevent a feedback loop, events that originate from the LDAP Gateway are logged but are not reported again to Oracle Identity Manager. By contrast, events that originate outside Oracle Identity Manager are treated as native events and recorded for future auditing.
The LDAP Gateway and Reconciliation Connector securely capture, filter, and log the identity events from the host system, publishing them for use by Oracle Identity Manager.
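The two behaviours described in this section, collapsing the multiple exits fired by one identity event into a single message and suppressing events that Oracle Identity Manager itself caused, can be modelled in a few lines. The following is an added example written for this page, not code from the connector; the exit names, the job-id correlation key, the "GATEWAY"/"NATIVE" origin marker and the sample events are all constructed assumptions chosen to mirror the batch password-change scenario above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ExitEvent:
    """One record produced by one mainframe exit (constructed model)."""
    exit_name: str    # which exit fired, e.g. "BATCH" or "PASSWORD_CHANGE"
    event_type: str   # the identity event, e.g. "PASSWORD_CHANGE", "REVOKE"
    logonid: str      # the CA ACF2 logonid the event concerns
    job_id: str       # assumed correlation key shared by all exits of one event
    origin: str       # "GATEWAY" if the change was pushed by the LDAP Gateway,
                      # "NATIVE" if an administrator or job made it on the host


def filter_events(events):
    """Return (messages_to_publish, audit_log).

    Duplicate filtering: every exit fired by the same (type, logonid, job)
    triple after the first is dropped, so N identity events seen through two
    exits yield 2N exit records but N messages, as the 50,000 / 100,000
    figures in the guide describe.
    Loop prevention: an event whose origin is the Gateway is written to the
    audit log only and is never reported back to Oracle Identity Manager.
    """
    seen = set()
    to_publish = []
    audit_log = []
    for ev in events:
        key = (ev.event_type, ev.logonid, ev.job_id)
        if key in seen:
            audit_log.append(f"DUPLICATE       exit={ev.exit_name} {key}")
            continue
        seen.add(key)
        if ev.origin == "GATEWAY":
            audit_log.append(f"LOOP-SUPPRESSED {key}")
            continue
        audit_log.append(f"NATIVE          {key}")
        to_publish.append({"type": ev.event_type,
                           "logonid": ev.logonid,
                           "job": ev.job_id})
    return to_publish, audit_log


# Constructed sample: a native batch job changes two passwords (each firing the
# batch exit and the password-change exit), then a Gateway-driven reset fires
# the same two exits for a third user.
SAMPLE_EVENTS = [
    ExitEvent("BATCH",           "PASSWORD_CHANGE", "USER1", "JOB00001", "NATIVE"),
    ExitEvent("PASSWORD_CHANGE", "PASSWORD_CHANGE", "USER1", "JOB00001", "NATIVE"),
    ExitEvent("BATCH",           "PASSWORD_CHANGE", "USER2", "JOB00001", "NATIVE"),
    ExitEvent("PASSWORD_CHANGE", "PASSWORD_CHANGE", "USER2", "JOB00001", "NATIVE"),
    ExitEvent("BATCH",           "PASSWORD_RESET",  "USER3", "JOB00002", "GATEWAY"),
    ExitEvent("PASSWORD_CHANGE", "PASSWORD_RESET",  "USER3", "JOB00002", "GATEWAY"),
]


if __name__ == "__main__":
    published, log = filter_events(SAMPLE_EVENTS)
    for line in log:
        print(line)
    print(f"{len(SAMPLE_EVENTS)} exit records -> {len(published)} messages")
```

Six exit records produce two messages (USER1 and USER2); the Gateway-originated reset for USER3 appears in the audit log but is not published, which is exactly the loop-prevention rule the guide states. A real deployment would key duplicates on whatever correlation data the exits actually carry, which this model assumes is a job id.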