Oracle® Identity Manager Connector Guide for IBM i5/OS (OS/400) Advanced
Release 9.0.3

Part Number B32447-01

B Connector Architecture

This appendix describes the IBM i5/OS (OS/400) Advanced Connector functionality in detail in the following sections:

Oracle Identity Manager LDAP Gateway

The architecture for Oracle Identity Manager Advanced Connector begins with the Oracle Identity Manager LDAP Gateway. The LDAP Gateway is built on Java 1.4.2, allowing for portability across different platforms and operating systems and complete integration with the Oracle Identity Manager system.

The LDAP Gateway works transparently with Oracle Identity Manager to communicate with IBM i5/OS (OS/400) facilities. The LDAP Gateway is installed along with Oracle Identity Manager on the same server. In addition, the Reconciliation Agent enables the LDAP Gateway server to become a subscriber to security and identity events from IBM i5/OS (OS/400).

Oracle Identity Manager maps midrange authentication repositories by the LDAP DN. By changing the LDAP DN, different authentication repositories and different target system resources can be addressed.

Oracle Identity Manager Provisioning Agent

The Provisioning Agent is an i5/OS (OS/400) component that receives native IBM i5/OS (OS/400) Advanced provisioning commands from the LDAP Gateway. These requests are processed against the IBM i5/OS (OS/400) Advanced authentication repository, and the response is parsed and returned to the LDAP Gateway.

The Provisioning Agent includes LDAP bind and authorization requests. In addition to traditional provisioning functions, the Provisioning Agent can also build the necessary i5/OS (OS/400) logon functions and work to replicate existing i5/OS (OS/400) user profile scenarios.

The Provisioning Agent receives Identity and Authorization change events, and effects requested changes on the i5/OS (OS/400) midrange authentication repository.

Oracle Identity Manager Reconciliation Agent

When an event occurs on i5/OS (OS/400), independent of any custom installed technology, the event is processed through an appropriate i5/OS (OS/400) exit. Because the Reconciliation Agent uses exit technology, there are no hooks in the i5/OS (OS/400) operating system.

Identity events that arise from a user at i5/OS (OS/400) login, changes by an administrator from the command prompt, or events resulting from batch jobs are detected and notification messages are securely sent in real time. The Reconciliation Agent captures changes to user attributes, changes to a user account, and certain changes to user authorization for libraries and resources. If a user account is created or deleted on i5/OS (OS/400), the Reconciliation Agent will notify Oracle Identity Manager and even create a corresponding account in Oracle Identity Manager.

Passwords fall into a special category. If business rules permit, a password change will be passed to Oracle Identity Manager in clear text and real time. In a testing environment, it is almost immediate. Within other business rules, only a notification that the password has been changed will be passed.

The Reconciliation Agent sends notification events to the LDAP Gateway from i5/OS (OS/400). This architecture does not originate with IBM i5/OS (OS/400), but captures the events just outside the operating system using exit technology, in real time.

A command execution is passed through an exit, just before full completion of the native i5/OS (OS/400) command. A common use of this technology is to require user accounts or passwords to be formatted to a proper length or that they must contain at least one letter and one number. If the exit fails, the command fails and returns an error message. By capturing identity or authentication events at an exit, the Reconciliation Agent captures these events just prior to completing the command and storing the results in the IBM i5/OS (OS/400) Advanced authentication repository.

Message Transport Layer

JTOpen is a library of Java classes that allow you to implement the client-server and internet programming model with an i5/OS (OS/400) system. The JTOpen classes can be used by Java applets, servlets, and applications to access data and resources on an i5/OS (OS/400) system. JTOpen requires only the Java Virtual Machine (JVM) and the Java Developer Kit (JDK).

Functionally, JTOpen is the same as IBM Toolbox for Java. In addition to being Open Source, JTOpen is IBM's effort to get fixes and enhancements out to customers as soon as possible without being constrained by release schedules and other such factors.

Note:

For more information on the JTOpen project and IBM's role in the effort, refer to the JTOpen project home page at:

http://jt400.sourceforge.net/

See Also:

For more information on JTOpen functionality, refer to the IBM Toolbox for Java documentation at the following location:

http://www-03.ibm.com/servers/eserver/iseries/toolbox/overview.html
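As an added example (not code from this guide, from the Oracle connector, or from the JTOpen project), the following Java program uses the JTOpen classes described above to read the user profile attributes that the Reconciliation Agent is described as capturing: enabled/disabled status, user class, special authorities, password change date and failed sign-on count. The host name, credentials and the ProfileAudit class are assumptions; it runs with the jt400.jar from the JTOpen project on the classpath.

```java
import com.ibm.as400.access.AS400;
import com.ibm.as400.access.User;
import com.ibm.as400.access.UserList;
import java.util.Enumeration;

/** Hypothetical read-only audit helper; not part of the Oracle connector or of JTOpen. */
public class ProfileAudit {

    /** Summarise the security-relevant attributes of one i5/OS user profile. */
    static String describe(User u) throws Exception {
        StringBuffer sb = new StringBuffer(u.getName());
        sb.append(" status=").append(u.getStatus());            // *ENABLED or *DISABLED
        sb.append(" class=").append(u.getUserClassName());      // e.g. *USER, *SECOFR
        sb.append(" pwdLastChanged=").append(u.getPasswordLastChangedDate());
        sb.append(" pwdSetExpired=").append(u.isPasswordSetExpire());
        sb.append(" badSignons=").append(u.getSignedOnAttemptsNotValid());
        String[] special = u.getSpecialAuthority();             // *ALLOBJ, *SECADM, ...
        sb.append(" special=");
        for (int i = 0; i < special.length; i++) {
            sb.append(i == 0 ? "" : ",").append(special[i]);
        }
        return sb.toString();
    }

    /** True when the summary shows an authority a reconciliation run should review first. */
    static boolean isPrivileged(String summary) {
        return summary.indexOf("*ALLOBJ") >= 0 || summary.indexOf("*SECADM") >= 0;
    }

    public static void main(String[] args) throws Exception {
        // args: host, user, password (placeholders; use a profile with read
        // authority to the user profiles being audited, not a *SECOFR account).
        AS400 system = new AS400(args[0], args[1], args[2]);
        system.connectService(AS400.COMMAND);
        try {
            UserList list = new UserList(system);     // default selection: all user profiles
            Enumeration users = list.getUsers();
            while (users.hasMoreElements()) {
                User u = (User) users.nextElement();
                String line = describe(u);
                System.out.println((isPrivileged(line) ? "[PRIV] " : "       ") + line);
            }
        } finally {
            system.disconnectAllServices();
        }
    }
}
```

The same JTOpen calls give a defender a baseline of profile attributes to compare against the change events the Reconciliation Agent forwards, so unexpected drift in special authorities or sign-on failures can be spotted outside the real-time path.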