Oracle® Identity Manager Connector Guide for UNIX SSH Release 9.0.1 Part Number B31140-01 |
|
|
View PDF |
Deploying the connector involves the following steps:
The following table lists the deployment requirements for the connector.
Configuring the target system involves the steps described in the following sections:
This section provides instructions to configure the target system on the following platforms:
Perform the following steps for Solaris and Linux environments:
Ensure that the /etc/passwd
and /etc/shadow
directories are available on the UNIX server.
Ensure that a passwd
mirror file is created on the target server by using a command similar to the following:
cp /etc/passwd/etc/passwd1
The same file name with the path must be inserted in the Passwd Mirror File/User Mirror File (AIX)
task attribute of the reconciliation scheduled task.
Ensure that a shadow mirror file is created on the target server by using a command similar to the following:
cp /etc/shadow/etc/shadow1
The name and path of this file must be specified for the Shadow Mirror File
attribute of the scheduled task for reconciliation.
Perform the following steps for AIX environments:
Ensure that the /etc/passwd
and /etc/security/user
files are available on the server.
Ensure that a user mirror file is created on the server by using a command similar to the following:
lsuser -c -a id pgrp gecos home shell expires maxage ALL > /mainUserFile1 tr '#' ' ' < /mainUserFile1 > /mainUserFileTemp1 cat /mainUserFileTemp1 > /mainUserFile1
The name and path of this file must be specified for the Passwd Mirror File/User Mirror File (AIX)
attribute of the scheduled task for reconciliation.
Perform the following steps for HP-UX environments:
Note:
If you are using an HP-UX configuration, then start from Step 1. Otherwise, go to Step 5.Log in as root by specifying the user name as sam.
Click Enter.
Select to Auditing and Security and System Security Policies. A message is displayed asking if you want to convert from the system to the trusted mode.
Click OK.
If the following message is displayed, then skip Step 5:
System changed successfully to trusted system
Ensure that the /etc/passwd
and /etc/shadow
directories are available on the target server.
If the shadow file does not exist, then follow the installation instructions at
http://www.software.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=ShadowPassword
All the patches are available in the HP patch database, which you can download from
The ShadowPW includes new files to support shadow passwords.
The following are required patches:
PHNE_23502, PHCO_24402, PHCO_25526, PHCO_25568, PHCO_27036, PHCO_27038, PHCO_27040, PHCO_27041, PHCO_27042, PHCO_27064, PHCO_28192, PHCO_28194, and PHCO_30402
Do not install a corequisite patch if it is superseded by another patch.
Apply the following guidelines when you install these patches:
When CDE is present, it is very important to install both patch PHSS_26492 and PHSS_26493.
Patch PHCO_28193 must be installed only if UUCP is present.
Patch PHCO_28176 must be installed only if the /usr/lbin/tsconvert
command is present.
Patch PHCO_27035 defines the prototypes of new APIs.
Patch PHCO_27909 updates the main pages.
If necessary, patch PHCO_23578 updates the Software Distributor.
An optional patch is not installed if the underlying product is removed from the system. For example, if UUCP has been removed, then patch PHCO_28193 is not installed.
Note:
If UUCP is installed, then in order to ensure correct functioning of theuucp
command in shadow mode, you must also install patch PHCO_28193.To install the bundle:
Log in as root.
Download the ShadowPassword.depot
file to the /tmp
directory.
Verify that the file has been downloaded by using the swlist
command as follows:
swlist -d @ complete_path/ShadowPassword.depot
The following is sample output of the swlist
command:
# Initializing... # Contacting target localhost... # # Target: localhost:/tmp/ShadowPassword.depot # Bundle(s): #ShadowPassword B.11.11.02 HP-UX 11.11 Shadow Password Bundle
Note:
When you use theswlist
and swinstall
commands, you must specify the complete path in the source depot.Create a backup of the system before installing the product.
On a standalone system, run the swinstall
command to install the product as follows:
swinstall -x autoreboot=true -s complete_path/ShadowPassword.depot \*
Verify that the ShadowPW.SHADOW
file set is installed by using the swlist
command as follows:
# swlist -l fileset complete_path/ShadowPW.SHADOW
The following is sample output of this command
# Initializing... # Contacting target "localhost"... # # Target: localhost:/ #ShadowPW.SHADOW B.11.11.02 HP-UX 11.11 Shadow Password Enablement
After the patches are installed, the system can be converted to use shadow passwords by running the pwconv
command. This command converts the entries in the /etc/passwd
file to the appropriate format in the /etc/shadow
file.
Reboot the system. Remember to keep the shadow password handy.
To disable the shadow passwords and switch back to standard passwords:
Log in as root.
Run pwunconv.
Caution:
If you skip this step, then the system may become unbootable in the multiuser mode.Reboot the system.
Ensure that the /etc/shadow
file does not exist and that passwords are in the /etc/password
file.
You can do this by running the swremove Shadow
command.
From the Shadow Password bundle, remove the enabling patches that were installed but are no longer needed. This is an optional step.
Ensure that a password mirror file is created on the server by running a command similar to the following:
cp /etc/passwd /etc/passwd1
The same file name with the path must be inserted in the Passwd Mirror File/User Mirror File (AIX)
attribute of the scheduled task for reconciliation.
Ensure that a shadow mirror file is created on the server by running a command similar to the following:
cp /etc/shadow /etc/shadow1
The same file name with the path must be inserted in the Shadow Mirror File
attribute of the scheduled task for reconciliation.
This section describes the procedure to install external software.
Follow these steps to install OpenSSH on Solaris 9 or HP-UX.
For Solaris 9
If SSH is not installed on the Solaris server, then install the appropriate OpenSSH. For Solaris 9, you can download the packages listed in this section from
If the GCC compiler is not installed, then install the following packages:
libgcc-3.4.1-sol9-sparc-local.gz
libiconv-1.8-sol9-sparc-local.gz
You must install these packages in the following order:
prngd-0.9.25-sol9-sparc-local.gz
tcp_wrappers-7.6-sol9-sparc-local.gz
zlib-1.2.1-sol9-sparc-local.gz
openssl-0.9.7d-sol9-sparc-local.gz
openssh-3.9p1-sol9-sparc-local.gz
Create a group with the name sshd
and group ID 27.
Add a user with the name sshadmin
to this group.
To enable root logins, change the value of PermitRootLogin
in the /etc/ssh/sshd_config
file:
PermitRootLogin yes
The default value is no.
Change it to yes.
For Solaris 8
If SSH is not installed on the Solaris server, then install the appropriate OpenSSH. For Solaris 8, you can download the packages listed in this section from
http://www.sunfreeware.com/openssh8.html
If the GCC compiler is not installed, then you must install the packages in the following file:
libgcc-3.3-sol8-sparc-local.gz
The following are the packages inside this file. You must install these packages in the specified order:
prngd-0.9.25-sol8-sparc-local.gz
(optional)
tcp_wrappers-7.6-sol8-sparc-local.gz
(optional, but recommended)
zlib-1.2.1-sol8-sparc-local.gz
openssl-0.9.7g-sol8-sparc-local.gz
openssh-4.1p1-sol8-sparc-local.gz
Create a group with the name sshd
and group ID 27
. Add a user with the name sshadmin
to this group.
To enable root logins, change the value of PermitRootLogin
in the /etc/ssh/sshd_config
file:
PermitRootLogin yes
The default value is no.
Change it to yes.
For Solaris 10
By default, OpenSSH is installed on Solaris 10. If it is not installed, then install the OpenSSH server from the installation CD. To enable SSH on Solaris 10, make the following changes in the /etc/ssh/ssh_config
file:
Remove the comment character from the Host *
line.
Change the value of PermitRootLogin
to yes.
For HP-UX
If SSH is not installed on the UNIX server, then install the appropriate OpenSSH:
For HP-UX 11.11, download and install the appropriate patch from
For HP-UX B.11.11, download the file, PHCO_31903.depot
for hpux_800_11.11_11300132-patch.tgz.
Use the following command to install it:
swinstall -x autoreboot=true -x patch_match_target=true -s /tmp/PHCO_31903.depot
Download and install OpenSSH. You can download the T1471AA_A.03.81.002_HP-UX_B.11.11_32+64.depot
file from
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA
After the patch is successfully installed, use the following command to install openSSH.
swinstall -s /tmp/T1471AA_A.03.81.002_HP-UX_B.11.11_32+64.depot
After this is installed, the HP-UX Secure Shell daemon (sshd
) is preconfigured and started.
Create a group with the name sshd.
Add a user with the name sshadmin
to this group.
To enable root logins, change the value of PermitRootLogin
in the /etc/ssh/sshd_config
file as follows:
PermitRootLogin yes
The default value is no.
Change it to yes.
For Linux
By default, OpenSSH is installed on Linux Advanced Server 2.1 and Linux Advanced Server 3. If it is not installed, then install the OpenSSH server from the installation CD.
For AIX
If SSH is not installed on the AIX 5.2 server, then perform the following steps:
Download and install OpenSSL.
Download the openssl-0.9.7d-aix5.1.ppc.rpm
file from
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
Then, enter the following command to install OpenSSL:
geninstall -d/dev R: openssl-0.9.7d-2.aix5.1.ppc.rpm
In this command, /dev
is the location on the AIX server where the openssl-0.9.7d-2.aix5.1.ppc.rpm
file is stored.
Download and install PRNG.
Download the prngd-0.9.23-3.aix4.3.ppc.rpm
file from
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
Then, enter the following command to install PRNG:
geninstall -d/dev R: prngd-0.9.23-3.aix4.3.ppc.rpm
In this command, /dev
is the location on the AIX server where the prngd-0.9.23-3.aix4.3.ppc.rpm
file is stored.
Download and install OpenSSH.
Download the openssh-3.8.1p1_52.tar.gz
file from
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
Then, enter the following commands to install openSSH:
gunzip /dev/openssh-3.8.1p1_52.tar.gz tar -xvf /dev/openssh-3.8.1p1_52.tar geninstall -I"Y" -d/dev I:openssh.base
In these commands, /dev
is the location on the AIX server where the openssh-3.8.1p1_52.tar.gz
file is stored.
To enable root logins, change the value of PermitRootLogin
in the /etc/ssh/sshd_config
file as follows:
PermitRootLogin yes
The default value is no.
Change it to yes.
If you want to use the SSH connector in the SUDO Admin mode, then perform the following steps to install and configure SUDO:
For Solaris
If SUDO is not installed on the Solaris server, then first download it.
For Solaris 9, download the sudo-1.6.8p4-sol9-sparc-local.gz
file from
For Solaris10, download the sudo-1.6.8p9-sol9-sparc-local.gz
file from
For Solaris 8, download the sudo-1.6.8p9-sol8-sparc-local.gz
file from
Use the following command to install SUDO:
pkgadd -d filename_with_full_path
Edit the sudoers
file on the Solaris server to customize it according to your requirements. This file is located in the following directory:
/usr/local/etc/
For example, if a group named mqm
exists on the HP-UX server, and you require all members of the group to act as SUDO users with all possible privileges, then the sudoers
file must contain a line similar to the following:
%mqm ALL= (ALL) ALL
This is only a sample configuration. If you require some other group members or individual users to be SUDO users with specific privileges, then you must edit this file as you did for the sample value mqm.
This connector uses the following commands:
useradd
usermod
passwd
cat
diff
Therefore, the SUDO user must have privileges to run these commands.
Note:
Do not use theNOPASSWD: ALL
option for any SUDO user or group.See Also:
For information about customizing thesudoers
file, refer to
Edit the same sudoers
file so that every time a command is run in SUDO mode, the SUDO user is prompted for the password. Add the following line under the # Defaults specification
header:
Defaults timestamp_timeout=0
This is a prerequisite for this connector to work successfully.
Log in to the Solaris computer as root, and enter the following commands:
chmod 440 /usr/local/etc/sudoers chgrp root /usr/local/etc/sudoers chmod 4111 /usr/local/bin/sudo
Create a SUDO user. The SUDO user must be created according to the constraints specified in the sudoers
file.
The SUDO user must always be created with its home directory by using a command similar to the following:
useradd -g group_name -d /export/home/directory_name -m user_name
In the .profile
file, which is created in the home directory, add the following lines to set the value of the PATH environment variable:
PATH=/usr/sbin:/usr/local/bin:/usr/local/etc:/var/adm/sw/products:$PATH export PATH
For HP-UX
If SUDO is not installed on the HP-UX server, then install the appropriate SUDO. For HP-UX, download the sudo-1.6.8p6-sd-11.11.depot.gz
file from
http://hpux.cs.utah.edu/hppd/hpux/
Enter the following command to install SUDO:
swinstall -s filename_with_full_path
Edit the sudoers
file to customize it according to your requirements. This file is located in the folowing directory:
xellerate_home/Xellerate/XLIntegrations/SSH/config/
For example, if you have a group named mqm
on the HP-UX server and you want all members of the group to act as SUDO users with all possible privileges, then the sudoers
file must contain the following line:
%mqm ALL= (ALL) ALL
This is only a sample configuration. If you want to make SUDO users with specific privileges out of other group members or individual users, then edit this file as you did for the sample value mqm.
This connector uses the following commands:
useradd
usermod
passwd
cat
diff
Therefore, the SUDO user must have the privileges required to run these commands.
Note:
Do not use theNOPASSWD: ALL
option for any SUDO user or group.See Also:
For information about customizing thesudoers
file, refer to
Edit the same sudoers
file so that every time a command is run in SUDO mode, the SUDO user is prompted for a password. Add the following line under the # Defaults specification
header:
Defaults timestamp_timeout=0
This is an essential prerequisite for the connector to work successfully.
Copy the sudoers
file that you edited into the /etc
directory of the target system. After copying the file, enter the following command:
dos2ux /etc/ sudoers > /etc/sudoers1
Then, change the name of the file from sudoers1
to sudoers.
Log in as root, and enter the following commands on the HP-UX computer:
chmod 440 /etc/sudoers chgrp root /etc/sudoers chmod 4111 /usr/local/bin/sudo
Create a SUDO user. The SUDO user should be created according to the constraints specified in the sudoers
file.
The SUDO user should always be created with its home directory by using a command similar to the following:
useradd -g group_name -d /home/directory_name -m user_name
In addition, in the .profile
file, which is created in the home directory, add the following lines to set the appropriate PATH:
PATH=/usr/sbin:/usr/local/bin:/usr/local/etc:/var/adm/sw/products:$PATH export PATH
For AIX
If SUDO is not installed on AIX 5.2, then install the appropriate SUDO AIX 5.2 version sudo-1.6.7p5-2.aix5.1.ppc.rpm
file from
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
If RPM Package Manager is not installed on the AIX 5.2 server, then install it from
http://www-1.ibm.com/servers/aix/products/aixos/linux/altlic.html
Enter the following command to install SUDO:
rpm -I /dev/sudo-1.6.7p5-2.aix5.1.ppc.rpm
In this command, /dev
is the location on the AIX server where the sudo-1.6.7p5-2.aix5.1.ppc.rpm
file is stored.
Edit the sudoers
file, which is in the /etc
directory on the AIX server, to customize the file according to your requirements.
For example, if you have a group named mqm
in the AIX server and require all members of the group to act as SUDO users with all possible privileges, then the sudoers
file must contain the following line:
%mqm ALL= (ALL) ALL
This is only a sample configuration. If you need other group members or individual users to be SUDO users with specific privileges, then edit this file as was done for the sample value mqm.
This connector uses the following commands:
mkuser
chuser
passwd
cat
diff
usermod
Therefore, the SUDO user must have the privileges required to run these commands.
Note:
Do not use theNOPASSWD: ALL
option for any SUDO user or group.See Also:
For information about customizing thesudoers
file, refer to
Edit the same sudoers
file to configure the system, so that every time a command is run through SUDO mode, the SUDO user is prompted for a password. Add the following line under the # Defaults specification
header:
Defaults timestamp_timeout=0
This is a prerequisite for this connector to work successfully.
Create a SUDO user. The SUDO user should be created according to the constraints specified in the sudoers
file.
For LINUX AS 2.1
If SUDO is not installed on the Linux Advanced Server 2.1 server, then install the appropriate SUDO. For Linux Advanced Server 2.1, download the sudo-1.6.7p5-1.i686.rpm
file from
http://rpmfind.net/linux/rpm2html/search.php?query=sudo&submit=Search
Then, enter the following command to install SUDO:
rpm -i /dev/sudo-1.6.7p5-1.i686.rpm
In this command, /dev
is the location on the Linux server where the sudo-1.6.7p5-1.i686.rpm
file is stored.
Edit the sudoers
file, which is in the /etc
directory on the Linux Advanced Server 2.1 server, to customize it according to your requirements:
For example, if you have a group named mqm
on the Linux server and require all members of the group to act as SUDO users with all possible privileges, then the sudoers
file must contain the following line:
%mqm ALL= (ALL) ALL
This example is only a sample configuration. If you need other group members or individual users to be SUDO users with specific privileges, then edit this file as was done for the sample value mqm
.
The commands that this connector uses are:
useradd
usermod
passwd
cat
diff
Therefore, the SUDO user must have the privileges required to run these commands.
Note:
Do not use theNOPASSWD: ALL
option for any SUDO user or group.See Also:
For information about customizing thesudoers
file, refer to
Edit the same sudoers
file to configure the system, so that every time a command is run in SUDO mode, the SUDO user is prompted for a password. Under the # Defaults specification
header, add the following line:
Defaults timestamp_timeout=0
This is a prerequisite for this connector to work successfully.
Create a SUDO user. The SUDO user should be created according to the constraints specified in the sudoers
file.
For LINUX AS 3.x and LINUX AS 4.1
If SUDO is not installed on the Linux Advanced Server 3.0 or 4.1 server, then install the appropriate SUDO. For Linux Advanced Server 3.0 and 4.1, download the sudo-1.6.7p5-1.i686.rpm
file from
http://rpmfind.net/linux/rpm2html/search.php?query=sudo&submit=Search
Then, enter the following command to install SUDO:
rpm -i /dev/sudo-1.6.7p5-1.i686.rpm
In this command, /dev
is the location on the Linux server where the sudo-1.6.7p5-1.i686.rpm
file is stored.
Edit the sudoers
file, which is in the /etc
directory on the Linux Advanced Server 3.0 server, to customize it.
For example, if you have a group named mqm
on the Linux server and want all of the members of the group to act as SUDO users with all possible privileges, then the sudoers
file must contain the following line:
%mqm ALL= (ALL) ALL
This is only a sample configuration. If you want some other group members or individual users to be SUDO users with specific privileges, you would need to edit this file as was done for the sample value mqm.
This connector uses the following commands:
useradd
usermod
passwd
cat
diff
Therefore, the SUDO user must have the privileges required to run these commands.
Note:
Do not use theNOPASSWD: ALL
option for any SUDO user or group.See Also:
For information about customizing thesudoers
file, refer to
Edit the same sudoers
file to configure the system, so that every time a command is run through SUDO mode, the SUDO user is prompted for a password. Add the following line under the # Defaults specification
line:
Defaults timestamp_timeout=0
This is a prerequisite for this connector to successfully work.
Create a SUDO user. You must create the SUDO user according to the constraints specified in the sudoers
file.
In the .bash_profile
file, which is created in the home directory, add the following lines to set the appropriate PATH:
PATH=/usr/sbin:$PATH export PATH
This section discusses the following topics:
To configure Public Key Authentication:
Copy SSH/scripts/privateKeyGen.sh.
For Solaris or Linux:
dos2UNIX privateKeyGen.sh privateKeyGen.sh
For HP-UX:
dos2ux privateKeyGen.sh
Run the privateKeyGen.sh
script on the UNIX server. Provide a secure pass phrase when prompted.
Alternatively, enter the following commands on the UNIX server:
mkdir /.ssh chmod 700 /.ssh ssh-keygen -q -f /.ssh/id_rsa -t rsa chmod 700 /.ssh chmod go-rwx /.ssh/* cat /.ssh/id_rsa.pub >> /.ssh/authorized_keys
When these commands are run, the following files are created in the /ssh
directory:
id_rsa:
This is a private key file. It is distributed to all the relevant Oracle Identity Manager servers.
authorized_keys:
This is the public key with the pass phrase. It is located on the server and is used for private key verification.
When the keys are generated successfully, edit the sshd_config
file for Pubic Key Authentication and test login.
After successfully testing login, copy the id_rsa
file to the following directory:
xellerate_home/Xellerate/XLIntegrations/SSH/Config
Note:
This release of the connector has been tested and certified only for RSA keys, and not DSA. In addition, this connector has been tested and certified for only single key configuration and not multiple keys.To configure SSH Public Key Authentication:
For Solaris
Set the following parameters in the /etc/ssh/sshd_config
file:
To restart the SSH server, enter the following commands:
/etc/init.d/sshd stop
/etc/init.d/sshd start
To test login:
ssh -i /.ssh/id_rsa -l root 192.168.50.45
This command prompts you for the passkey before setting up the connection.
For HP-UX
Uncomment the following lines in the /etc/ssh/sshd_config
file:
AuthorizedKeysFile: .ssh/authorized_keys
PermitRootLogin: yes
(to allow root user)
PubkeyAuthentication: yes
To restart the SSH Server, enter the following command:
/opt/ssh/sbin/sshd
To test login, enter the following command:
ssh -i /.ssh/id_rsa -l root 192.168.0.157
This command prompts for the passkey and enables you to connect.
For Linux
Uncomment the following line in the /etc/ssh/sshd_config
file:
AuthorizedKeysFile .ssh/authorized_keys
To restart the SSH server, enter the following commands:
etc/init.d/sshd stop
etc/init.d/sshd start
To test login, enter the following command:
ssh -i /.ssh/id_rsa -l root 10.1.1.61
This command prompts for the passkey and enables you to connect.
For AIX
The first step of this procedure depends on the version of AIX that you are using:
For AIX 4.3, use the /etc/openssh/sshd_config
file to set the following parameters:
For AIX 5.2, use the /etc/ssh/sshd_config
file to set the following parameters:
export PATH=$PATH: /usr/sbin
Installation path: /etc/ssh/
sshd -- /usr/sbin/
Open the /etc/ssh/sshd_config
file, and uncomment the following lines:
AuthorizedKeysFile .ssh/authorized_keys
PermitRootLogin - yes
(to allow root user)
PubkeyAuthentication - yes
To restart the SSH server, enter the following commands:
opt/ssh/sbin/sshd
(For AIX 4.3)
usr/sbin/sshd
(For AIX 5.2)
To test the login, enter the following command:
ssh -i /.ssh/id_rsa -l root 192.168.0.157
This command prompts for the passkey and enables you to connect.
Note:
This release of the connector does not support Public Key Authentication provisioning if it is implemented through the SUDO Admin mode. The Public Key Authentication used for system access is available by logging in as root.The connector files to be copied and the directories to which you must copy them are given in the following table.
Note:
The directory paths given in the first column of this table correspond to the location of the connector files in the following ZIP file on the installation media:Operating Systems\UNIX\Unix SSH Rev 4.1.0.zip
Refer to "Files and Directories That Comprise the Connector" for more information about these files.
File in the Installation Media Directory | Destination Directory |
---|---|
The following files in the xml directory:
XLISSH_DM.xml XLISSH SchedulerTask_DM.xml XLISSH_Trusted_DM.xml |
xellerate_home\xellerate\XLIntegrations\SSH\xml
|
lib\xliSSH.jar |
xellerate_home\xellerate\JavaTasks
|
lib\xliSSH.jar |
xellerate_home\xellerate\ScheduleTask
|
lib\801\xliSSH.jar |
xellerate_home\xellerate\XLIntegrations\SSH\lib\801
|
config\sudoers |
xellerate_home\xellerate\XLIntegrations\SSH\config
|
scripts\privateKeyGen.sh |
xellerate_home\xellerate\XLIntegrations\SSH\scripts
|
ext\sshfactory.jar |
xellerate_home\xellerate\XLIntegrations\SSH\ext
|
The following files in the tests directory:
config\config.properties lib\xliSSHTest.jar scripts\SSH.bat |
xellerate_home\xellerate\XLIntegrations\SSH\tests
|
docs\B31140_01.pdf docs\html |
xellerate_home\xellerate\XLIntegrations\docs
|
To import the connector XML files:
Open the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management. A dialog box for locating files is displayed.
Locate and open the XLISSH_DM.xml
file, which is in the xellerate_home
/xellerate/XLIntegrations/SSH/xml
directory. Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Next. The Provide IT Resource Instance Data page for the SSH server Solaris
IT resource is displayed.
Specify values for the parameters of the SSH server Solaris
IT resource. Refer to the table in the "Defining IT Resources" section for information about the values to be specified.
Click Next. The Provide IT Resource Instance Data page for a new instance of the SSH Server
IT resource type is displayed.
Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.
See Also:
If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.Click View Selections.
The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. You must remove these nodes. To do this, right-click each such node and then select Remove.
Click Import. The connector file is imported into Oracle Identity Manager.
Perform the same procedure to import the XLISSH SchedulerTask_DM.xml
file, which is in the xellerate_home
/xellerate/XLIntegrations/SSH/xml
directory.
If you plan to use the connector in trusted source reconciliation mode, then perform the same procedure to import the XLISSH_Trusted_DM.xml
file. This file is in the xellerate_home
/xellerate/XLIntegrations/SSH/xml
directory.
Caution:
Only one connector can be configured as a trusted source. If you import theXLISSH_Trusted_DM.xml
file while you have another trusted source configured, then both connector reconciliations would stop working.After you import the connector XML file, proceed to the "Step 5: Configuring Reconciliation" section.
You must specify values for the SSH server Solaris
IT resource parameters listed in the following table.
Parameter Name | Parameter Description |
---|---|
Admin UserId |
root or jdoe
Here, |
Admin Password/Private file Pwd |
dead_line (for root/non-SUDO) or jdoe
Here, Note: For the SUDO Admin mode, the private key is not supported. |
Server IP Address |
10.1.1.61 |
Port |
22 |
Private Key |
Private key file name with full path
Note: For SUDO admin, this parameter must be left blank. |
Server OS |
AIX, HP-UX, SOLARIS, and LINUX |
Shell Prompt |
# or $ |
Login Prompt |
You can ignore this parameter. This parameter is not used for SSH. |
Password Prompt |
You can ignore this parameter. This parameter is not used for SSH. |
Whether Trusted System (HP-UX) |
YES (for trusted HP-UX System) or NO (for nontrusted HP-UX system) |
Whether SUDO Admin Mode |
NO (for root) or YES (for SUDO Admin mode) |
After you specify values for these IT resource parameters, go to Step 9 of the procedure to import connector XML files.
This section describes the following steps involved in configuring the Oracle IdentityManager server:
This section consists of the following:
To configure system properties:
Open the Oracle Identity Manager Design Console.
Navigate to the System Configuration page.
Add a new entry in the Server category:
Name: Default date format
Keyword: XL.DefaultDateFormat
Value: MMM dd, yyyy 'at' hh:mm:ss z
Click Save.
This procedure involves the following steps:
Open the Resource Object form, and search for the Xellerate User. On the Object Reconciliation tab, add the required reconciliation fields. Add all the reconciliation fields that would be needed to provide input for mandatory fields in the Xellerate User form. For example, fields like User Login and First Name. Only one mandatory field, Password, can be ignored. All the mandatory fields of the User Defined process form must be mapped.
Open the Process Definition form, and search for the Xellerate User. On the Reconciliation Field Mappings tab, add the required reconciliation field mappings. All the manadatory fields of the user defined process form should be mapped.
Open the Reconciliation Rules form, and create a new rule for the Xellerate User resource object, with a rule element.
After creating the rule, select the Active check box.
Configuring reconciliation involves creating scheduled tasks for User reconciliations. To create a scheduled task:
Open the Oracle Identity Design Console.
Expand the Xellerate Administration folder.
Select Task Scheduler.
Click Find. The details of the predefined scheduled tasks are displayed on two different tabs.
Enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager attempts to complete the task before assigning the ERROR
status to the task.
Ensure that the Disabled and Stop Execution check boxes are cleared.
In the Start region, double-click the Start Time field. From the date-time editor that is displayed, set the date and time at which you want the task to run.
Specify that you want the task to run on a recurring basis by selecting the Recurring Intervals option.
In the Interval region, set the following schedule parameters:
To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.
If you select the Recurring Intervals option, then you must almost specify the time interval at which you want to run the task on a recurring basis.
To set the task to run only once, select the Once option.
Provide values for the user-configurable attributes of the scheduled task. Refer to the appropriate table in the "Specifying Attributes for the Scheduled Task Attributes" section for information about the values to be specified.
See Also:
Oracle Identity Manager Design Console Guide for information about adding and removing task attributesClick Save. The scheduled task is created. The INACTIVE
status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.
Repeat Step 5 through 11 to define the second scheduled task.
After you create both scheduled tasks, proceed to the "Step 6: Compiling Adapters" section.
You must specify values for the following attributes of the reconciliation scheduled task.
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.Attribute | Description | Sample Value |
---|---|---|
Server |
Name of the IT resource | SSH server Solaris |
Passwd Mirror File/User Mirror File |
Name of the passwd mirror file/user mirror file
This attribute is used only on AIX. The SUDO user must have read and write permissions on this file. For example, suppose you run the following command to view the permissions on the mirror file:
The command generates the following output:
In this output, |
/etc/passwd1 |
Shadow Mirror File |
Name of the shadow mirror file
The SUDO user must have read and write permissions on this file. For example, suppose you run the following command to view the permissions on the mirror file:
The command generates the following output:
In this output, Note: The value of this attribute must not be null or blank, even for a trusted system. However, the reconciliation process ignores it. |
/etc/shadow1 |
Target System Recon - Resource Object name |
Name of the target system resource object | SSH User |
Trusted Source Recon - Resource Object name |
Name of the trusted source resource object | Xellerate User |
After you specify values for these task attributes, go to Step 11 of the procedure to create scheduled tasks.
The following adapters are imported into Oracle Identity Manager when you import the connector XML file. You must compile these adapters before you can use them for provisioning accounts on the target system.
SSH Disable User
SSH GECOS Updated
SSH Set Password
SSH Default Shell Updated
SSH Password Change Time Updated
SSH Create User
SSH Delete User
SSH Home Directory Updated
SSH Primary Group Name Updated
SSH Account Expiry Date Updated
SSH User UID Updated
SSH Secondary Group Name Updated
SSH Inactive Days Updated
SSH User Login Updated
SSH Enable User
SSH Prepopulate User Login
SSH Prepopulate End Date
To compile adapters by using the Adapter Manager form:
Open the Adapter Manager form.
To compile all the adapters that you import into the current database, select the Compile All option.
To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select the Compile Selected option.
Click Start. Oracle Identity Manager compiles the adapters that you specify.
To view detailed information about an adapter:
Highlight the adapter in the Adapter Manager form.
Double-click the row header of the adapter, or right-click the adapter.
Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.