Skip Headers
Oracle® Identity Manager Connector Guide for UNIX SSH
Release 9.0.1
Part Number B31140-01
Go to Documentation Home
Home		 Go to Book List
Book List		 Go to Table of Contents
Contents		 Go to Index
Index		 Go to Feedback page
Contact Us
Go to previous page
Previous		 Go to next page
Next
View PDF

2 Deploying the Connector

Deploying the connector involves the following steps:

Step 1: Verifying Deployment Requirements

The following table lists the deployment requirements for the connector.

Item Requirement
Oracle Identity Manager Oracle Identity Manager release 8.5.3 or later
Target systems The target system can be any one of the following:

  • Solaris 8, Solaris 9, or Solaris 10

  • HP-UX 11.11 (trusted/nontrusted)

  • Linux (Red Hat Linux AS 2.1, Red Hat Linux AS 3.x, or Red Hat Linux AS 4.1)

  • AIX 4.3 or AIX 5.2
External code JSCAPE SSH/SSH Libraries (SSH factory)
Other systems OpenSSH, OpenSSL, OS Patches (HP-UX), and SUDO software (only if the SUDO Admin mode is required)

Step 2: Configuring the Target System

Configuring the target system involves the steps described in the following sections:

Platform-Specific Configuration Steps

This section provides instructions to configure the target system on the following platforms:

For Solaris and Linux

Perform the following steps for Solaris and Linux environments:

  1. Ensure that the /etc/passwd and /etc/shadow directories are available on the UNIX server.

  2. Ensure that a passwd mirror file is created on the target server by using a command similar to the following:

    cp /etc/passwd/etc/passwd1

    The same file name with the path must be inserted in the Passwd Mirror File/User Mirror File (AIX) task attribute of the reconciliation scheduled task.

  3. Ensure that a shadow mirror file is created on the target server by using a command similar to the following:

    cp /etc/shadow/etc/shadow1

    The name and path of this file must be specified for the Shadow Mirror File attribute of the scheduled task for reconciliation.

For AIX

Perform the following steps for AIX environments:

  1. Ensure that the /etc/passwd and /etc/security/user files are available on the server.

  2. Ensure that a user mirror file is created on the server by using a command similar to the following:

    lsuser -c -a id pgrp gecos home shell expires maxage ALL > /mainUserFile1
tr '#' ' ' < /mainUserFile1 > /mainUserFileTemp1
cat /mainUserFileTemp1 > /mainUserFile1

    The name and path of this file must be specified for the Passwd Mirror File/User Mirror File (AIX) attribute of the scheduled task for reconciliation.

For HP-UX

Perform the following steps for HP-UX environments:

Note:

If you are using an HP-UX configuration, then start from Step 1. Otherwise, go to Step 5.

  1. Log in as root by specifying the user name as sam.

  2. Click Enter.

  3. Select to Auditing and Security and System Security Policies. A message is displayed asking if you want to convert from the system to the trusted mode.

  4. Click OK.

    If the following message is displayed, then skip Step 5:

    System changed successfully to trusted system

  5. Ensure that the /etc/passwd and /etc/shadow directories are available on the target server.

    If the shadow file does not exist, then follow the installation instructions at

    http://www.software.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=ShadowPassword

    All the patches are available in the HP patch database, which you can download from

    http://www2.itrc.hp.com/

Installing Required and Optional Enablement Patches

The ShadowPW includes new files to support shadow passwords.

The following are required patches:

PHNE_23502, PHCO_24402, PHCO_25526, PHCO_25568, PHCO_27036, PHCO_27038, PHCO_27040, PHCO_27041, PHCO_27042, PHCO_27064, PHCO_28192, PHCO_28194, and PHCO_30402

Do not install a corequisite patch if it is superseded by another patch.

Apply the following guidelines when you install these patches:

  • When CDE is present, it is very important to install both patch PHSS_26492 and PHSS_26493.

  • Patch PHCO_28193 must be installed only if UUCP is present.

  • Patch PHCO_28176 must be installed only if the /usr/lbin/tsconvert command is present.

  • Patch PHCO_27035 defines the prototypes of new APIs.

  • Patch PHCO_27909 updates the main pages.

  • If necessary, patch PHCO_23578 updates the Software Distributor.

  • An optional patch is not installed if the underlying product is removed from the system. For example, if UUCP has been removed, then patch PHCO_28193 is not installed.

    Note:

    If UUCP is installed, then in order to ensure correct functioning of the uucp command in shadow mode, you must also install patch PHCO_28193.

Installing the Shadow Password Bundle

To install the bundle:

  1. Log in as root.

  2. Download the ShadowPassword.depot file to the /tmp directory.

  3. Verify that the file has been downloaded by using the swlist command as follows:

    swlist -d @ complete_path/ShadowPassword.depot

    The following is sample output of the swlist command:

    # Initializing...
# Contacting target localhost...
#
# Target: localhost:/tmp/ShadowPassword.depot
# Bundle(s):
#ShadowPassword  B.11.11.02  HP-UX 11.11 Shadow Password Bundle

    Note:

    When you use the swlist and swinstall commands, you must specify the complete path in the source depot.

  4. Create a backup of the system before installing the product.

  5. On a standalone system, run the swinstall command to install the product as follows:

    swinstall -x autoreboot=true -s complete_path/ShadowPassword.depot \*

  6. Verify that the ShadowPW.SHADOW file set is installed by using the swlist command as follows:

    # swlist -l fileset complete_path/ShadowPW.SHADOW

    The following is sample output of this command

    # Initializing...
# Contacting target "localhost"...
#
# Target: localhost:/
#ShadowPW.SHADOW  B.11.11.02 HP-UX 11.11 Shadow Password Enablement

    After the patches are installed, the system can be converted to use shadow passwords by running the pwconv command. This command converts the entries in the /etc/passwd file to the appropriate format in the /etc/shadow file.

  7. Reboot the system. Remember to keep the shadow password handy.

Uninstalling the Shadow Password Bundle

To disable the shadow passwords and switch back to standard passwords:

  1. Log in as root.

  2. Run pwunconv.

    Caution:

    If you skip this step, then the system may become unbootable in the multiuser mode.

  3. Reboot the system.

  4. Ensure that the /etc/shadow file does not exist and that passwords are in the /etc/password file.

    You can do this by running the swremove Shadow command.

  5. From the Shadow Password bundle, remove the enabling patches that were installed but are no longer needed. This is an optional step.

  6. Ensure that a password mirror file is created on the server by running a command similar to the following:

    cp /etc/passwd /etc/passwd1

    The same file name with the path must be inserted in the Passwd Mirror File/User Mirror File (AIX) attribute of the scheduled task for reconciliation.

  7. Ensure that a shadow mirror file is created on the server by running a command similar to the following:

    cp /etc/shadow /etc/shadow1

    The same file name with the path must be inserted in the Shadow Mirror File attribute of the scheduled task for reconciliation.

Installing External Software

This section describes the procedure to install external software.

Installing OpenSSH

Follow these steps to install OpenSSH on Solaris 9 or HP-UX.

For Solaris 9

  1. If SSH is not installed on the Solaris server, then install the appropriate OpenSSH. For Solaris 9, you can download the packages listed in this section from

    http://www.sunfreeware.com/

    If the GCC compiler is not installed, then install the following packages:

    libgcc-3.4.1-sol9-sparc-local.gz

    libiconv-1.8-sol9-sparc-local.gz

    You must install these packages in the following order:

    1. prngd-0.9.25-sol9-sparc-local.gz

    2. tcp_wrappers-7.6-sol9-sparc-local.gz

    3. zlib-1.2.1-sol9-sparc-local.gz

    4. openssl-0.9.7d-sol9-sparc-local.gz

    5. openssh-3.9p1-sol9-sparc-local.gz

  2. Create a group with the name sshd and group ID 27. Add a user with the name sshadmin to this group.

    To enable root logins, change the value of PermitRootLogin in the /etc/ssh/sshd_config file:

    PermitRootLogin yes

    The default value is no. Change it to yes.

For Solaris 8

  1. If SSH is not installed on the Solaris server, then install the appropriate OpenSSH. For Solaris 8, you can download the packages listed in this section from

    http://www.sunfreeware.com/openssh8.html

    If the GCC compiler is not installed, then you must install the packages in the following file:

    libgcc-3.3-sol8-sparc-local.gz

    The following are the packages inside this file. You must install these packages in the specified order:

    1. prngd-0.9.25-sol8-sparc-local.gz (optional)

    2. tcp_wrappers-7.6-sol8-sparc-local.gz (optional, but recommended)

    3. zlib-1.2.1-sol8-sparc-local.gz

    4. openssl-0.9.7g-sol8-sparc-local.gz

    5. openssh-4.1p1-sol8-sparc-local.gz

  2. Create a group with the name sshd and group ID 27. Add a user with the name sshadmin to this group.

    To enable root logins, change the value of PermitRootLogin in the /etc/ssh/sshd_config file:

    PermitRootLogin yes

    The default value is no. Change it to yes.

For Solaris 10

By default, OpenSSH is installed on Solaris 10. If it is not installed, then install the OpenSSH server from the installation CD. To enable SSH on Solaris 10, make the following changes in the /etc/ssh/ssh_config file:

  1. Remove the comment character from the Host * line.

  2. Change the value of PermitRootLogin to yes.

For HP-UX

If SSH is not installed on the UNIX server, then install the appropriate OpenSSH:

  1. For HP-UX 11.11, download and install the appropriate patch from

    http://www4.itrc.hp.com/

    For HP-UX B.11.11, download the file, PHCO_31903.depot for hpux_800_11.11_11300132-patch.tgz. Use the following command to install it:

    swinstall -x autoreboot=true -x patch_match_target=true -s /tmp/PHCO_31903.depot

  2. Download and install OpenSSH. You can download the T1471AA_A.03.81.002_HP-UX_B.11.11_32+64.depot file from

    http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

    After the patch is successfully installed, use the following command to install openSSH.

    swinstall -s /tmp/T1471AA_A.03.81.002_HP-UX_B.11.11_32+64.depot

    After this is installed, the HP-UX Secure Shell daemon (sshd) is preconfigured and started.

  3. Create a group with the name sshd.

  4. Add a user with the name sshadmin to this group.

  5. To enable root logins, change the value of PermitRootLogin in the /etc/ssh/sshd_config file as follows:

    PermitRootLogin yes

    The default value is no. Change it to yes.

For Linux

By default, OpenSSH is installed on Linux Advanced Server 2.1 and Linux Advanced Server 3. If it is not installed, then install the OpenSSH server from the installation CD.

For AIX

If SSH is not installed on the AIX 5.2 server, then perform the following steps:

  1. Download and install OpenSSL.

    Download the openssl-0.9.7d-aix5.1.ppc.rpm file from

    http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

    Then, enter the following command to install OpenSSL:

    geninstall -d/dev R: openssl-0.9.7d-2.aix5.1.ppc.rpm

    In this command, /dev is the location on the AIX server where the openssl-0.9.7d-2.aix5.1.ppc.rpm file is stored.

  2. Download and install PRNG.

    Download the prngd-0.9.23-3.aix4.3.ppc.rpm file from

    http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

    Then, enter the following command to install PRNG:

    geninstall -d/dev R: prngd-0.9.23-3.aix4.3.ppc.rpm

    In this command, /dev is the location on the AIX server where the prngd-0.9.23-3.aix4.3.ppc.rpm file is stored.

  3. Download and install OpenSSH.

    Download the openssh-3.8.1p1_52.tar.gz file from

    http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

    Then, enter the following commands to install openSSH:

    gunzip /dev/openssh-3.8.1p1_52.tar.gz
tar -xvf /dev/openssh-3.8.1p1_52.tar
geninstall -I"Y" -d/dev I:openssh.base

    In these commands, /dev is the location on the AIX server where the openssh-3.8.1p1_52.tar.gz file is stored.

  4. To enable root logins, change the value of PermitRootLogin in the /etc/ssh/sshd_config file as follows:

    PermitRootLogin yes

    The default value is no. Change it to yes.

Installing and Configuring SUDO

If you want to use the SSH connector in the SUDO Admin mode, then perform the following steps to install and configure SUDO:

For Solaris

  1. If SUDO is not installed on the Solaris server, then first download it.

  2. Use the following command to install SUDO:

    pkgadd -d filename_with_full_path

  3. Edit the sudoers file on the Solaris server to customize it according to your requirements. This file is located in the following directory:

    /usr/local/etc/

    For example, if a group named mqm exists on the HP-UX server, and you require all members of the group to act as SUDO users with all possible privileges, then the sudoers file must contain a line similar to the following:

    %mqm ALL= (ALL) ALL

    This is only a sample configuration. If you require some other group members or individual users to be SUDO users with specific privileges, then you must edit this file as you did for the sample value mqm.

    This connector uses the following commands:

    • useradd

    • usermod

    • passwd

    • cat

    • diff

    Therefore, the SUDO user must have privileges to run these commands.

    Note:

    Do not use the NOPASSWD: ALL option for any SUDO user or group.

    See Also:

    For information about customizing the sudoers file, refer to

    http://www.courtesan.com/sudo/man/sudoers.html

  4. Edit the same sudoers file so that every time a command is run in SUDO mode, the SUDO user is prompted for the password. Add the following line under the # Defaults specification header:

    Defaults timestamp_timeout=0

    This is a prerequisite for this connector to work successfully.

  5. Log in to the Solaris computer as root, and enter the following commands:

    chmod 440 /usr/local/etc/sudoers
chgrp root /usr/local/etc/sudoers
chmod 4111 /usr/local/bin/sudo

  6. Create a SUDO user. The SUDO user must be created according to the constraints specified in the sudoers file.

    The SUDO user must always be created with its home directory by using a command similar to the following:

    useradd -g group_name -d /export/home/directory_name -m user_name

  7. In the .profile file, which is created in the home directory, add the following lines to set the value of the PATH environment variable:

    PATH=/usr/sbin:/usr/local/bin:/usr/local/etc:/var/adm/sw/products:$PATH 
export PATH

For HP-UX

  1. If SUDO is not installed on the HP-UX server, then install the appropriate SUDO. For HP-UX, download the sudo-1.6.8p6-sd-11.11.depot.gz file from

    http://hpux.cs.utah.edu/hppd/hpux/

    Enter the following command to install SUDO:

    swinstall -s filename_with_full_path

  2. Edit the sudoers file to customize it according to your requirements. This file is located in the folowing directory:

    xellerate_home/Xellerate/XLIntegrations/SSH/config/

    For example, if you have a group named mqm on the HP-UX server and you want all members of the group to act as SUDO users with all possible privileges, then the sudoers file must contain the following line:

    %mqm ALL= (ALL) ALL

    This is only a sample configuration. If you want to make SUDO users with specific privileges out of other group members or individual users, then edit this file as you did for the sample value mqm.

    This connector uses the following commands:

    • useradd

    • usermod

    • passwd

    • cat

    • diff

    Therefore, the SUDO user must have the privileges required to run these commands.

    Note:

    Do not use the NOPASSWD: ALL option for any SUDO user or group.

    See Also:

    For information about customizing the sudoers file, refer to

    http://www.courtesan.com/sudo/man/sudoers.html

  3. Edit the same sudoers file so that every time a command is run in SUDO mode, the SUDO user is prompted for a password. Add the following line under the # Defaults specification header:

    Defaults timestamp_timeout=0

    This is an essential prerequisite for the connector to work successfully.

  4. Copy the sudoers file that you edited into the /etc directory of the target system. After copying the file, enter the following command:

    dos2ux /etc/ sudoers > /etc/sudoers1

    Then, change the name of the file from sudoers1 to sudoers.

  5. Log in as root, and enter the following commands on the HP-UX computer:

    chmod 440 /etc/sudoers
chgrp root /etc/sudoers
chmod 4111 /usr/local/bin/sudo

  6. Create a SUDO user. The SUDO user should be created according to the constraints specified in the sudoers file.

    The SUDO user should always be created with its home directory by using a command similar to the following:

    useradd -g group_name -d /home/directory_name -m user_name

    In addition, in the .profile file, which is created in the home directory, add the following lines to set the appropriate PATH:

    PATH=/usr/sbin:/usr/local/bin:/usr/local/etc:/var/adm/sw/products:$PATH
export PATH

For AIX

  1. If SUDO is not installed on AIX 5.2, then install the appropriate SUDO AIX 5.2 version sudo-1.6.7p5-2.aix5.1.ppc.rpm file from

    http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

  2. If RPM Package Manager is not installed on the AIX 5.2 server, then install it from

    http://www-1.ibm.com/servers/aix/products/aixos/linux/altlic.html

  3. Enter the following command to install SUDO:

    rpm -I /dev/sudo-1.6.7p5-2.aix5.1.ppc.rpm

    In this command, /dev is the location on the AIX server where the sudo-1.6.7p5-2.aix5.1.ppc.rpm file is stored.

  4. Edit the sudoers file, which is in the /etc directory on the AIX server, to customize the file according to your requirements.

    For example, if you have a group named mqm in the AIX server and require all members of the group to act as SUDO users with all possible privileges, then the sudoers file must contain the following line:

    %mqm ALL= (ALL) ALL

    This is only a sample configuration. If you need other group members or individual users to be SUDO users with specific privileges, then edit this file as was done for the sample value mqm.

    This connector uses the following commands:

    • mkuser

    • chuser

    • passwd

    • cat

    • diff

    • usermod

    Therefore, the SUDO user must have the privileges required to run these commands.

    Note:

    Do not use the NOPASSWD: ALL option for any SUDO user or group.

    See Also:

    For information about customizing the sudoers file, refer to

    http://www.courtesan.com/sudo/man/sudoers.html

  5. Edit the same sudoers file to configure the system, so that every time a command is run through SUDO mode, the SUDO user is prompted for a password. Add the following line under the # Defaults specification header:

    Defaults timestamp_timeout=0

    This is a prerequisite for this connector to work successfully.

  6. Create a SUDO user. The SUDO user should be created according to the constraints specified in the sudoers file.

For LINUX AS 2.1

  1. If SUDO is not installed on the Linux Advanced Server 2.1 server, then install the appropriate SUDO. For Linux Advanced Server 2.1, download the sudo-1.6.7p5-1.i686.rpm file from

    http://rpmfind.net/linux/rpm2html/search.php?query=sudo&submit=Search

    Then, enter the following command to install SUDO:

    rpm -i /dev/sudo-1.6.7p5-1.i686.rpm

    In this command, /dev is the location on the Linux server where the sudo-1.6.7p5-1.i686.rpm file is stored.

  2. Edit the sudoers file, which is in the /etc directory on the Linux Advanced Server 2.1 server, to customize it according to your requirements:

    For example, if you have a group named mqm on the Linux server and require all members of the group to act as SUDO users with all possible privileges, then the sudoers file must contain the following line:

    %mqm ALL= (ALL) ALL

    This example is only a sample configuration. If you need other group members or individual users to be SUDO users with specific privileges, then edit this file as was done for the sample value mqm.

    The commands that this connector uses are:

    • useradd

    • usermod

    • passwd

    • cat

    • diff

    Therefore, the SUDO user must have the privileges required to run these commands.

    Note:

    Do not use the NOPASSWD: ALL option for any SUDO user or group.

    See Also:

    For information about customizing the sudoers file, refer to

    http://www.courtesan.com/sudo/man/sudoers.html

  3. Edit the same sudoers file to configure the system, so that every time a command is run in SUDO mode, the SUDO user is prompted for a password. Under the # Defaults specification header, add the following line:

    Defaults timestamp_timeout=0

    This is a prerequisite for this connector to work successfully.

  4. Create a SUDO user. The SUDO user should be created according to the constraints specified in the sudoers file.

For LINUX AS 3.x and LINUX AS 4.1

  1. If SUDO is not installed on the Linux Advanced Server 3.0 or 4.1 server, then install the appropriate SUDO. For Linux Advanced Server 3.0 and 4.1, download the sudo-1.6.7p5-1.i686.rpm file from

    http://rpmfind.net/linux/rpm2html/search.php?query=sudo&submit=Search

    Then, enter the following command to install SUDO:

    rpm -i /dev/sudo-1.6.7p5-1.i686.rpm

    In this command, /dev is the location on the Linux server where the sudo-1.6.7p5-1.i686.rpm file is stored.

  2. Edit the sudoers file, which is in the /etc directory on the Linux Advanced Server 3.0 server, to customize it.

    For example, if you have a group named mqm on the Linux server and want all of the members of the group to act as SUDO users with all possible privileges, then the sudoers file must contain the following line:

    %mqm ALL= (ALL) ALL

    This is only a sample configuration. If you want some other group members or individual users to be SUDO users with specific privileges, you would need to edit this file as was done for the sample value mqm.

    This connector uses the following commands:

    • useradd

    • usermod

    • passwd

    • cat

    • diff

    Therefore, the SUDO user must have the privileges required to run these commands.

    Note:

    Do not use the NOPASSWD: ALL option for any SUDO user or group.

    See Also:

    For information about customizing the sudoers file, refer to

    http://www.courtesan.com/sudo/man/sudoers.html

  3. Edit the same sudoers file to configure the system, so that every time a command is run through SUDO mode, the SUDO user is prompted for a password. Add the following line under the # Defaults specification line:

    Defaults timestamp_timeout=0

    This is a prerequisite for this connector to successfully work.

  4. Create a SUDO user. You must create the SUDO user according to the constraints specified in the sudoers file.

    In the .bash_profile file, which is created in the home directory, add the following lines to set the appropriate PATH:

    PATH=/usr/sbin:$PATH
export PATH

Public Key Authentication (SSH Key Generation)

This section discusses the following topics:

Configuring Public Key Authentication

To configure Public Key Authentication:

  1. Copy SSH/scripts/privateKeyGen.sh.

    For Solaris or Linux:

    dos2UNIX privateKeyGen.sh privateKeyGen.sh

    For HP-UX:

    dos2ux privateKeyGen.sh

    Run the privateKeyGen.sh script on the UNIX server. Provide a secure pass phrase when prompted.

    Alternatively, enter the following commands on the UNIX server:

    mkdir /.ssh
chmod 700 /.ssh
ssh-keygen -q -f /.ssh/id_rsa -t rsa
chmod 700 /.ssh
chmod go-rwx /.ssh/*
cat /.ssh/id_rsa.pub >> /.ssh/authorized_keys

    When these commands are run, the following files are created in the /ssh directory:

    • id_rsa: This is a private key file. It is distributed to all the relevant Oracle Identity Manager servers.

    • authorized_keys: This is the public key with the pass phrase. It is located on the server and is used for private key verification.

  2. When the keys are generated successfully, edit the sshd_config file for Pubic Key Authentication and test login.

  3. After successfully testing login, copy the id_rsa file to the following directory:

    xellerate_home/Xellerate/XLIntegrations/SSH/Config

    Note:

    This release of the connector has been tested and certified only for RSA keys, and not DSA. In addition, this connector has been tested and certified for only single key configuration and not multiple keys.

Configuring SSH Public Key Authentication

To configure SSH Public Key Authentication:

For Solaris

  1. Set the following parameters in the /etc/ssh/sshd_config file:

    • PubKeyAuthorization: yes

    • PasswordAuthentication: no

    • PermitRootLogin: yes (to allow root user access)

  2. To restart the SSH server, enter the following commands:

    • /etc/init.d/sshd stop

    • /etc/init.d/sshd start

  3. To test login:

    ssh -i /.ssh/id_rsa -l root 192.168.50.45

    This command prompts you for the passkey before setting up the connection.

For HP-UX

  1. Uncomment the following lines in the /etc/ssh/sshd_config file:

    • AuthorizedKeysFile: .ssh/authorized_keys

    • PermitRootLogin: yes (to allow root user)

    • PubkeyAuthentication: yes

  2. To restart the SSH Server, enter the following command:

    /opt/ssh/sbin/sshd

  3. To test login, enter the following command:

    ssh -i /.ssh/id_rsa -l root 192.168.0.157

    This command prompts for the passkey and enables you to connect.

For Linux

  1. Uncomment the following line in the /etc/ssh/sshd_config file:

    AuthorizedKeysFile .ssh/authorized_keys

  2. To restart the SSH server, enter the following commands:

    • etc/init.d/sshd stop

    • etc/init.d/sshd start

  3. To test login, enter the following command:

    ssh -i /.ssh/id_rsa -l root 10.1.1.61

    This command prompts for the passkey and enables you to connect.

For AIX

  1. The first step of this procedure depends on the version of AIX that you are using:

    • For AIX 4.3, use the /etc/openssh/sshd_config file to set the following parameters:

      • export PATH=$PATH: /usr/local/bin

      • Installation path: /etc/openssh/

      • sshd -- /usr/local/bin/

    • For AIX 5.2, use the /etc/ssh/sshd_config file to set the following parameters:

      • export PATH=$PATH: /usr/sbin

      • Installation path: /etc/ssh/

      • sshd -- /usr/sbin/

  2. Open the /etc/ssh/sshd_config file, and uncomment the following lines:

    • AuthorizedKeysFile .ssh/authorized_keys

    • PermitRootLogin - yes (to allow root user)

    • PubkeyAuthentication - yes

  3. To restart the SSH server, enter the following commands:

    • opt/ssh/sbin/sshd (For AIX 4.3)

    • usr/sbin/sshd (For AIX 5.2)

  4. To test the login, enter the following command:

    ssh -i /.ssh/id_rsa -l root 192.168.0.157

    This command prompts for the passkey and enables you to connect.

    Note:

    This release of the connector does not support Public Key Authentication provisioning if it is implemented through the SUDO Admin mode. The Public Key Authentication used for system access is available by logging in as root.

Step 3: Copying the Connector Files

The connector files to be copied and the directories to which you must copy them are given in the following table.

Note:

The directory paths given in the first column of this table correspond to the location of the connector files in the following ZIP file on the installation media:

Operating Systems\UNIX\Unix SSH Rev 4.1.0.zip

Refer to "Files and Directories That Comprise the Connector" for more information about these files.

File in the Installation Media Directory Destination Directory
The following files in the xml directory: 
XLISSH_DM.xml
XLISSH SchedulerTask_DM.xml
XLISSH_Trusted_DM.xml


xellerate_home\xellerate\XLIntegrations\SSH\xml

lib\xliSSH.jar

xellerate_home\xellerate\JavaTasks

lib\xliSSH.jar

xellerate_home\xellerate\ScheduleTask

lib\801\xliSSH.jar

xellerate_home\xellerate\XLIntegrations\SSH\lib\801

config\sudoers

xellerate_home\xellerate\XLIntegrations\SSH\config

scripts\privateKeyGen.sh

xellerate_home\xellerate\XLIntegrations\SSH\scripts

ext\sshfactory.jar

xellerate_home\xellerate\XLIntegrations\SSH\ext
The following files in the tests directory: 
config\config.properties
lib\xliSSHTest.jar
scripts\SSH.bat


xellerate_home\xellerate\XLIntegrations\SSH\tests

docs\B31140_01.pdf
docs\html

xellerate_home\xellerate\XLIntegrations\docs

Step 4: Importing the Connector XML Files

To import the connector XML files:

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for locating files is displayed.

  4. Locate and open the XLISSH_DM.xml file, which is in the xellerate_home/xellerate/XLIntegrations/SSH/xml directory. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Next. The Provide IT Resource Instance Data page for the SSH server Solaris IT resource is displayed.

  8. Specify values for the parameters of the SSH server Solaris IT resource. Refer to the table in the "Defining IT Resources" section for information about the values to be specified.

  9. Click Next. The Provide IT Resource Instance Data page for a new instance of the SSH Server IT resource type is displayed.

  10. Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.

    See Also:

    If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.

  11. Click View Selections.

    The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. You must remove these nodes. To do this, right-click each such node and then select Remove.

  12. Click Import. The connector file is imported into Oracle Identity Manager.

  13. Perform the same procedure to import the XLISSH SchedulerTask_DM.xml file, which is in the xellerate_home/xellerate/XLIntegrations/SSH/xml directory.

  14. If you plan to use the connector in trusted source reconciliation mode, then perform the same procedure to import the XLISSH_Trusted_DM.xml file. This file is in the xellerate_home/xellerate/XLIntegrations/SSH/xml directory.

    Caution:

    Only one connector can be configured as a trusted source. If you import the XLISSH_Trusted_DM.xml file while you have another trusted source configured, then both connector reconciliations would stop working.

After you import the connector XML file, proceed to the "Step 5: Configuring Reconciliation" section.

Defining IT Resources

You must specify values for the SSH server Solaris IT resource parameters listed in the following table.

Parameter Name Parameter Description
Admin UserId root or jdoe

Here, jdoe is the SUDO user ID, for the SUDO Admin mode.
Admin Password/Private file Pwd dead_line (for root/non-SUDO) or jdoe

Here, jdoe is the SUDO user password (for the SUDO Admin mode)

Note: For the SUDO Admin mode, the private key is not supported.
Server IP Address 10.1.1.61
Port 22
Private Key Private key file name with full path

Note: For SUDO admin, this parameter must be left blank.
Server OS AIX, HP-UX, SOLARIS, and LINUX
Shell Prompt # or $
Login Prompt You can ignore this parameter. This parameter is not used for SSH.
Password Prompt You can ignore this parameter. This parameter is not used for SSH.
Whether Trusted System (HP-UX) YES (for trusted HP-UX System) or NO (for nontrusted HP-UX system)
Whether SUDO Admin Mode NO (for root) or YES (for SUDO Admin mode)

After you specify values for these IT resource parameters, go to Step 9 of the procedure to import connector XML files.

Step 5: Configuring Reconciliation

This section describes the following steps involved in configuring the Oracle IdentityManager server:

Adding Prerequisites for Reconciliation

This section consists of the following:

Configuring System Properties

To configure system properties:

  1. Open the Oracle Identity Manager Design Console.

  2. Navigate to the System Configuration page.

  3. Add a new entry in the Server category:

    • Name: Default date format

    • Keyword: XL.DefaultDateFormat

    • Value: MMM dd, yyyy 'at' hh:mm:ss z

  4. Click Save.

Configuring Trusted Source Reconciliation Oracle Identity Manager Entities

This procedure involves the following steps:

  1. Open the Resource Object form, and search for the Xellerate User. On the Object Reconciliation tab, add the required reconciliation fields. Add all the reconciliation fields that would be needed to provide input for mandatory fields in the Xellerate User form. For example, fields like User Login and First Name. Only one mandatory field, Password, can be ignored. All the mandatory fields of the User Defined process form must be mapped.

  2. Open the Process Definition form, and search for the Xellerate User. On the Reconciliation Field Mappings tab, add the required reconciliation field mappings. All the manadatory fields of the user defined process form should be mapped.

  3. Open the Reconciliation Rules form, and create a new rule for the Xellerate User resource object, with a rule element.

  4. After creating the rule, select the Active check box.

Defining Scheduled Tasks

Configuring reconciliation involves creating scheduled tasks for User reconciliations. To create a scheduled task:

  1. Open the Oracle Identity Design Console.

  2. Expand the Xellerate Administration folder.

  3. Select Task Scheduler.

  4. Click Find. The details of the predefined scheduled tasks are displayed on two different tabs.

  5. Enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager attempts to complete the task before assigning the ERROR status to the task.

  6. Ensure that the Disabled and Stop Execution check boxes are cleared.

  7. In the Start region, double-click the Start Time field. From the date-time editor that is displayed, set the date and time at which you want the task to run.

  8. Specify that you want the task to run on a recurring basis by selecting the Recurring Intervals option.

  9. In the Interval region, set the following schedule parameters:

    • To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.

      If you select the Recurring Intervals option, then you must almost specify the time interval at which you want to run the task on a recurring basis.

    • To set the task to run only once, select the Once option.

  10. Provide values for the user-configurable attributes of the scheduled task. Refer to the appropriate table in the "Specifying Attributes for the Scheduled Task Attributes" section for information about the values to be specified.

    See Also:

    Oracle Identity Manager Design Console Guide for information about adding and removing task attributes

  11. Click Save. The scheduled task is created. The INACTIVE status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.

  12. Repeat Step 5 through 11 to define the second scheduled task.

After you create both scheduled tasks, proceed to the "Step 6: Compiling Adapters" section.

Specifying Attributes for the Scheduled Task Attributes

You must specify values for the following attributes of the reconciliation scheduled task.

Note:

Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
Attribute Description Sample Value
Server Name of the IT resource SSH server Solaris
Passwd Mirror File/User Mirror File Name of the passwd mirror file/user mirror file

This attribute is used only on AIX. The SUDO user must have read and write permissions on this file.

For example, suppose you run the following command to view the permissions on the mirror file:

$ ls -ltr passwd1

The command generates the following output:

-rwxr--r-- 1 janedoe mqm 9972 Mar 11 20:35 passwd1

In this output, janedoe is the SUDO user.

 /etc/passwd1
Shadow Mirror File Name of the shadow mirror file

The SUDO user must have read and write permissions on this file.

For example, suppose you run the following command to view the permissions on the mirror file:

$ ls -ltr shadow1

The command generates the following output:

-rwxr--r-- 1 janedoe mqm 9972 Mar 11 20:35 shadow1

In this output, janedoe is the SUDO user.

Note: The value of this attribute must not be null or blank, even for a trusted system. However, the reconciliation process ignores it.

 /etc/shadow1
Target System Recon - Resource Object name Name of the target system resource object SSH User
Trusted Source Recon - Resource Object name Name of the trusted source resource object Xellerate User

After you specify values for these task attributes, go to Step 11 of the procedure to create scheduled tasks.

Step 6: Compiling Adapters

The following adapters are imported into Oracle Identity Manager when you import the connector XML file. You must compile these adapters before you can use them for provisioning accounts on the target system.

To compile adapters by using the Adapter Manager form:

  1. Open the Adapter Manager form.

  2. To compile all the adapters that you import into the current database, select the Compile All option.

    To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select the Compile Selected option.

  3. Click Start. Oracle Identity Manager compiles the adapters that you specify.

To view detailed information about an adapter:

  1. Highlight the adapter in the Adapter Manager form.

  2. Double-click the row header of the adapter, or right-click the adapter.

  3. Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.

Note:

To compile multiple adapters simultaneously, use the Adapter Manager form. To compile one adapter at a time, use the Adapter Factory form. Refer to Oracle Identity Manager Tools Reference Guide for information about how to use these forms.
Go to previous page
Previous		 Go to next page
Next
Go to Documentation Home
Home		 Go to Book List
Book List		 Go to Table of Contents
Contents		 Go to Index
Index		 Go to Feedback page
Contact Us