1 About the Connector

The Oracle Identity Manager CA-ACF2 Advanced Connector provides a native interface between the CA-ACF2 installed on z/OS mainframe and Oracle Identity Manager. The Advanced Connector functions as a trusted virtual administrator on the targeted platform, performing tasks such as creating login IDs, suspending IDs, changing passwords, and performing other functions that administrators usually perform manually.

The CA-ACF2 Advanced connector enables provisioning and reconciliation to CA-ACF2 security facilities. This chapter discusses the following topics:

• Overview of the CA-ACF2 Advanced Connector

• Supported Functionality

• Multilanguage Support

• Files and Directories That Comprise the Connector

• How to Use This Guide

Overview of the CA-ACF2 Advanced Connector

The Oracle Identity Manager CA ACF2 Advanced Connector includes the following components:

• LDAP Gateway: The LDAP Gateway receives instructions from Oracle Identity Manager in the same way as any LDAP version 3 identity store. These LDAP commands are then converted into native mainframe commands for CA-ACF2 and sent to the Provisioning Agent. The response is also native to CA-ACF2, which is then parsed into an LDAP response. After execution, an LDAP-formatted response is returned to the requesting application.

• Provisioning Agent: The Provisioning Agent is a mainframe component, receiving native mainframe CA-ACF2 provisioning commands from the LDAP Gateway. These requests are processed against the CA-ACF2 authentication repository with the response parsed and returned to the LDAP Gateway.

• Reconciliation Agent: The Reconciliation Agent captures native mainframe events using advanced exit technology for seamless reconciliation to the Oracle Identity Manager through the LDAP Gateway. The Reconciliation Agent captures events occurring from TSO logins, command prompt, batch jobs, and other native events in real time. The Reconciliation Agent captures these events and transforms them into notification messages for the Oracle Identity Manager through the LDAP Gateway.

• Message Transport Layer: The message transport layer enables the exchange of messages between the LDAP Gateway and the Provisioning and Reconciliation Agents. You can use the following messaging protocols for the message transport layer:

  • IBM MQ Series

  • TCP/IP with internal Advanced Encryption Standard (AES) encryption using 128-bit cryptographic keys. The CA-ACF2 Advanced Connector supports a manually configured message transport layer using the TCP/IP protocol, which is functionally similar to proprietary message transport layer protocols.

In addition, the CA-ACF2 Advanced connector is engineered for high-performance environments and transactions.

See Also:

For more information on the CA-ACF2 Advanced Connector architecture and configuration of the message transport layer, refer to Appendix B, "Connector Architecture"

Supported Functionality

The following sections list the features available with the CA-ACF2 Advanced connector:

• Provisioning Agent Functionality

• Reconciliation Agent Functionality

• Reconciled Attributes

Provisioning Agent Functionality

The Provisioning Agent provides the following functionality:

• Change passwords

• Reset passwords

• Create users

• Modify users

• Revoke user accounts

• Add user to groups

• Delete users

• Resume user accounts

• List users

• List groups

• List users by groups

• List resource profiles by user

• Grant user access to data sets

• Grant user access to resource profiles

• Grant user access to TSO

Reconciliation Agent Functionality

The Reconciliation Agent provides the following functionality:

• Change passwords

• Password resets

• Create user data

• Modify user data

• Revoke users

• Add users to groups

• Delete users

• Resume users

Reconciled Attributes

This section discusses the elements that the Reconciliation Agent extracts from the target system to construct reconciliation event records. The attributes that are reconciled between the CA-ACF2 and Oracle Identity Manager systems are listed in the following table:

Reconciled Attributes with CA-ACF2
uid	userPassword	sn
cn	givenName	resumeDate
revokeDate	dataset	lastaccessdate
lastconnectdate	defaultgroup	owner
memberOf	attributes	tsoacctnum
tsoholdclass	tsojobclass	tsomsgclass
tsoproc	tsosize	tsomaxsize
tsosysoutclass	tsounit	tsouserdata
tsocommand	tsodest	tsoseclabel

See Also:

Appendix A, "Attribute Mapping Between Oracle Identity Manager and CA-ACF2"

Multilanguage Support

In addition to English, this release of the connector supports the following languages:

• English

• Brazilian Portuguese

• French

• German

• Italian

• Japanese

• Korean

• Simplified Chinese

• Spanish

• Traditional Chinese

Files and Directories That Comprise the Connector

The files and directories that comprise this connector are located in the following directory on the installation media:

Security Applications/CA ACF2/CA ACF2 Advanced

Copy the contents of this file to the oim_home directory. The contents of this file are described in brief in the following table:

Files and Directories	Description of Files and Contents
etc/LDAP Gateway/ldapgateway.zip	Files required for LDAP Gateway deployment in the Oracle Identity Manager system.
etc/Provisioning and Reconciliation Connector/Mainframe_ACF2_version.zip	Files required for the installation of the Provisioning Agent and the Reconciliation Agent on the mainframe.
lib/idm.jar	The connector JAR file to be deployed on the Oracle Identity Manager system.
lib/acf2-adv-agent-recon.jar lib/acf2Connection.properties	Files required for real-time reconciliation between Oracle Identity Manager and the target system.
Files in the resources directory	Each of these files contain locale-specific information that is used by the connector. Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console.
scripts/run_initial_recon_provisioning.sh scripts/run_initial_recon_provisioning.bat scripts/acf2-adv-initial-recon.jar scripts/initialAcf2Adv.properties	Files that are used for performing the initial reconciliation run.
scripts/run_initial_recon_disable.sh scripts/run_initial_recon_disable.bat	These files are scripts that perform the initial reconciliaton run. In addition, these scripts also check for users disabled on the target system and disable them on Oracle Identity Manager.
xml/oimAcf2AdvancedConnector.xml	The XML file that contains component definitions for the connector.

See Also:

• Step 2: Copying the Connector Files in Chapter 2

• Step 2: Installing the Connector Agents in Chapter 3

How to Use This Guide

The CA-ACF2 Advanced connector deployment primarily consists of installing the LDAP Gateway, the Reconciliation Agent, and the Provisioning Agent. The LDAP Gateway is installed on the same system as the Oracle Identity Manager server. The Provisioning Agent and the Reconciliation Agent are installed on the mainframe.

The deployment procedure on the Oracle Identity Manager server is different in nature from the deployment procedure on the mainframe. For simplicity, these instructions have been divided into two chapters in this guide:

• Chapter 2, "Deployment on the Oracle Identity Manager Server" covers instructions for deploying the connector on the Oracle Identity Manager system. This consists of configuring the Oracle Identity Manager server, importing the connector XML file, compiling adapters, installing the LDAP Gateway, configuring the message transport layer, and so on.

• Chapter 3, "Connector Deployment on the Target CA-ACF2 System" includes the second set of instructions to deploy the connector on the mainframe to interface with Oracle Identity Manager. While it may be possible for the Oracle Identity Manager administrator to perform these tasks, it is recommended that these tasks be performed with the assistance of the mainframe administrator.