Oracle® Identity Manager Connector Guide for UNIX SSH Release 9.0.3 Part Number B32374-01 |
|
|
View PDF |
Deploying the connector involves the following steps:
If you want to configure the connector for multiple installations of UNIX SSH, then perform the following procedure:
The following table lists the deployment requirements for the connector.
Item | Requirement |
---|---|
Oracle Identity Manager | Oracle Identity Manager release 8.5.3 or later |
Target systems | The target system can be any one of the following:
|
External code | JSCAPE SSH/SSH Libraries (SSH factory) |
Other systems | OpenSSH, OpenSSL, operating system patches (HP-UX), and SUDO software (only if the SUDO Admin mode is required) |
Target system user account | root or sudo user
You provide the credentials of this user account while performing the procedure in the "Defining IT Resources" section. |
Character encoding (en_US ) supported by the target system |
The target system must support en_US character encoding standards such as UTF-8 and iso8859 .
Use the following command to check the locale -a Note: If the target system does not support any of the |
The supported shell types for various operating systems are given in the following table.
Solaris | HP-UX | Linux | AIX |
---|---|---|---|
sh |
csh |
ksh |
csh |
csh |
ksh |
bash |
ksh |
- | sh |
sh |
sh |
- | - | csh |
- |
Configuring the target system involves the steps described in the following sections:
This section provides instructions to configure the target system on the following platforms:
Perform the following steps for Solaris and Linux environments:
Ensure that the /etc/passwd
and /etc/shadow
files are available on the UNIX server.
Ensure that a passwd
mirror file is created on the target server by using a command similar to the following:
cp /etc/passwd /etc/passwd1
The same file name with the path must be inserted in the Passwd Mirror File/User Mirror File
attribute of the reconciliation scheduled task.
Ensure that a shadow mirror file is created on the target server by using a command similar to the following:
cp /etc/shadow /etc/shadow1
The name and path of this file must be specified for the Shadow Mirror File
attribute of the reconciliation scheduled task.
Perform the following steps for AIX environments:
Ensure that the /etc/passwd
and /etc/security/user
files are available on the server.
Ensure that a user mirror file is created on the server by using a command similar to the following:
lsuser -c -a id pgrp gecos home shell expires maxage ALL |
tr '#' ' ' > /etc/mainUserFile1
The name and path of this file must be specified for the Passwd Mirror File/User Mirror File (AIX)
attribute of the scheduled task for reconciliation.
Perform the following steps for HP-UX environments:
Log in as root and then run the following command:
Select Auditing and Security and System Security Policies. A message is displayed asking if you want to switch to the trusted mode.
Click OK.
If the following message is displayed, then skip the next step:
System changed successfully to trusted system
Ensure that the /etc/passwd
and /etc/shadow
directories are available on the target server.
If the shadow file does not exist, then follow the installation instructions at
http://docs.hp.com/en/5991-0909/index.html
All the patches are available in the HP patch database, which you can download from
This section describes the procedure to install external software.
Follow these steps to install OpenSSH on Solaris 9 or HP-UX.
For Solaris 8
If SSH is not installed on the Solaris server, then install the appropriate OpenSSH. For Solaris 8, you can download the packages listed in this section from
http://www.sunfreeware.com/openssh8.html
If the GCC compiler is not installed, then you must install the packages in the following file:
libgcc-3.3-sol8-sparc-local.gz
The following packages are included in this file. You must install these packages in the specified order:
prngd-0.9.25-sol8-sparc-local.gz
(optional)
tcp_wrappers-7.6-sol8-sparc-local.gz
(optional, but recommended)
zlib-1.2.1-sol8-sparc-local.gz
openssl-0.9.7g-sol8-sparc-local.gz
openssh-4.1p1-sol8-sparc-local.gz
Create a group with the name sshd
and group ID 27
. Add a user with the name sshadmin
to this group.
To enable root logins, change the value of PermitRootLogin
in the /etc/ssh/sshd_config
file as follows:
PermitRootLogin yes
Note:
Implement this change only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value ofPermitRootLogin
to without-password
.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
For Solaris 9
If SSH is not installed on the Solaris server, then install the appropriate OpenSSH. For Solaris 9, you can download the packages listed in this section from
Note:
If the GCC compiler is not installed, then install the following packages:libgcc-3.4.1-sol9-sparc-local.gz
libiconv-1.8-sol9-sparc-local.gz
You must install these packages in the following order:
prngd-0.9.25-sol9-sparc-local.gz
tcp_wrappers-7.6-sol9-sparc-local.gz
zlib-1.2.1-sol9-sparc-local.gz
openssl-0.9.7d-sol9-sparc-local.gz
openssh-3.9p1-sol9-sparc-local.gz
Create a group with the name sshd
and group ID 27
. Add a user with the name sshadmin
to this group.
To enable root logins, change the value of PermitRootLogin
in the /etc/ssh/sshd_config
file as follows:
PermitRootLogin yes
Note:
Implement this change only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value ofPermitRootLogin
to without-password
.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
For Solaris 10
By default, OpenSSH is installed on Solaris 10. If it is not installed, then install the OpenSSH server from the operating system installation CD. To enable SSH on Solaris 10, make the following changes in the /etc/ssh/ssh_config
file:
Remove the comment character from the Host *
line.
To enable root logins, change the value of PermitRootLogin
in the /etc/ssh/sshd_config
file as follows:
PermitRootLogin yes
Note:
Implement this change only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value ofPermitRootLogin
to without-password
.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
For HP-UX
If SSH is not installed on the UNIX server, then install the appropriate OpenSSH:
For HP-UX 11.11, download and install the appropriate patch from
For HP-UX B.11.11, download the file, PHCO_33711.depot
for hpux_800_11.11_11300132-patch.tgz.
Use the following command to install it:
swinstall -x autoreboot=true -x patch_match_target=true -s /tmp/PHCO_33711.depot
Download and install OpenSSH. You can download the T1471AA_A.03.81.002_HP-UX_B.11.11_32+64.depot
file from
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA
After the patch is successfully installed, use the following command to install openSSH.
swinstall -s /tmp/T1471AA_A.03.81.002_HP-UX_B.11.11_32+64.depot
After this is installed, the HP-UX Secure Shell daemon (sshd
) is automatically preconfigured and started.
Create a group with the name sshd.
Add a user with the name sshadmin
to this group.
To enable root logins, change the value of PermitRootLogin
in the /etc/ssh/sshd_config
file as follows:
PermitRootLogin yes
Note:
Implement this change only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value ofPermitRootLogin
to without-password
.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
For Linux
By default, OpenSSH is installed on Red Hat Advanced Server 2.1 and Red Hat Enterprise Linux 3. If it is not installed, then install the OpenSSH server from the operating system installation CD.
For AIX
If SSH is not installed on the AIX 5.2 server, then perform the following steps:
Download and install OpenSSL.
Download the openssl-0.9.7d-aix5.1.ppc.rpm
file from
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
Then, enter the following command to install OpenSSL:
geninstall -d /root/download R: openssl-0.9.7d-2.aix5.1.ppc.rpm
In this command, /root/download
is the location on the AIX server where the openssl-0.9.7d-2.aix5.1.ppc.rpm
file is stored.
Download and install PRNG.
Download the prngd-0.9.23-3.aix4.3.ppc.rpm
file from
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
Then, enter the following command to install PRNG:
geninstall -d /root/download R: prngd-0.9.23-3.aix4.3.ppc.rpm
In this command, /root/download
is the location on the AIX server where the prngd-0.9.23-3.aix4.3.ppc.rpm
file is stored.
Download and install OpenSSH.
Download the openssh-3.8.1p1_52.tar.gz
file from
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
Then, enter the following commands to install openSSH:
gunzip /root/download/openssh-3.8.1p1_52.tar.gz tar -xvf /root/download/openssh-3.8.1p1_52.tar geninstall -I"Y" -d /root/download I:openssh.base
In these commands, /root/download
is the location on the AIX server where the openssh-3.8.1p1_52.tar.gz
file is stored.
To enable root logins, change the value of PermitRootLogin
in the /etc/ssh/sshd_config
file as follows:
PermitRootLogin yes
Note:
Implement this change only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value ofPermitRootLogin
to without-password
.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
If you want to use the SSH connector in the SUDO Admin mode, then perform the following steps to install and configure SUDO:
For Solaris
If SUDO is not installed on the Solaris server, then first download it.
For Solaris 9, download the sudo-1.6.8p4-sol9-sparc-local.gz
file from
For Solaris10, download the sudo-1.6.8p9-sol9-sparc-local.gz
file from
For Solaris 8, download the sudo-1.6.8p9-sol8-sparc-local.gz
file from
Use the following command to install SUDO:
pkgadd -d filename_with_full_path
Edit the sudoers
file on the Solaris server to customize it according to your requirements. This file is located in the following directory:
/usr/local/etc/
For example, if a group named mqm
exists on the Solaris server, and you require all members of the group to act as SUDO users with all possible privileges, then the sudoers
file must contain a line similar to the following:
%mqm ALL= (ALL) ALL
This is only a sample configuration. If you require some other group members or individual users to be SUDO users with specific privileges, then you must edit this file as you did for the sample value mqm.
This connector uses the following commands:
useradd
usermod
passwd
cat
diff
Therefore, the SUDO user must have privileges to run these commands.
Note:
Do not use theNOPASSWD: ALL
option for any SUDO user or group.
For information about customizing the sudoers
file, refer to
Edit the same sudoers
file so that every time a command is run in SUDO Admin mode, the SUDO user is prompted for the password. Add the following line under the # Defaults specification
header:
Defaults timestamp_timeout=0
This is a prerequisite for this connector to work successfully.
Log in to the Solaris computer as root, and enter the following commands:
chmod 440 /usr/local/etc/sudoers chgrp root /usr/local/etc/sudoers chmod 4111 /usr/local/bin/sudo
Create a SUDO user. The SUDO user must be created according to the constraints specified in the sudoers
file.
The SUDO user must always be created with its home directory by using a command similar to the following:
useradd -g group_name -d /export/home/directory_name -m user_name
In the sudo user's .profile
file, which is created in the sudo user's home directory, add the following lines to set the value of the PATH environment variable:
PATH=/usr/sbin:/usr/local/bin:/usr/local/etc:/var/adm/sw/products:$PATH export PATH
For HP-UX
If SUDO is not installed on the HP-UX server, then install the appropriate SUDO. For HP-UX, download the sudo-1.6.8p6-sd-11.11.depot.gz
file from
Enter the following command to install SUDO:
swinstall -s filename_with_full_path
Edit the sudoers
file to customize it according to your requirements. This file is located in the folowing directory:
OIM_home/Xellerate/XLIntegrations/SSH/config/
For example, if you have a group named mqm
on the HP-UX server and you want all members of the group to act as SUDO users with all possible privileges, then the sudoers
file must contain the following line:
%mqm ALL= (ALL) ALL
This is only a sample configuration. If you want to make SUDO users with specific privileges out of other group members or individual users, then edit this file as you did for the sample value mqm.
This connector uses the following commands:
useradd
usermod
passwd
cat
diff
Therefore, the SUDO user must have the privileges required to run these commands.
Note:
Do not use theNOPASSWD: ALL
option for any SUDO user or group.
For information about customizing the sudoers
file, refer to
Edit the same sudoers
file so that every time a command is run in SUDO Admin mode, the SUDO user is prompted for a password. Add the following line under the # Defaults specification
header:
Defaults timestamp_timeout=0
This is an essential prerequisite for the connector to work successfully.
Copy the sudoers
file that you edited into the /etc
directory of the target system. After copying the file, enter the following command:
dos2ux /etc/sudoers > /etc/sudoers1
Then, change the name of the file from sudoers1
to sudoers.
Log in as root, and enter the following commands on the HP-UX computer:
chmod 440 /etc/sudoers chgrp root /etc/sudoers chmod 4111 /usr/local/bin/sudo
Create a SUDO user. The SUDO user should be created according to the constraints specified in the sudoers
file.
The SUDO user should always be created with its home directory by using a command similar to the following:
useradd -g group_name -d /home/directory_name -m user_name
In addition, in the .profile
file, which is created in the home directory, add the following lines to set the appropriate PATH:
PATH=/usr/sbin:/usr/local/bin:/usr/local/etc:/var/adm/sw/products:$PATH export PATH
For AIX
If SUDO is not installed on AIX 5.2, then install the appropriate SUDO AIX 5.2 version sudo-1.6.7p5-2.aix5.1.ppc.rpm
file from
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
If RPM Package Manager is not installed on the AIX 5.2 server, then install it from
http://www-1.ibm.com/servers/aix/products/aixos/linux/altlic.html
Enter the following command to install SUDO:
rpm -I /root/download/sudo-1.6.7p5-2.aix5.1.ppc.rpm
In this command, /root/download
is the location on the AIX server where the sudo-1.6.7p5-2.aix5.1.ppc.rpm
file is stored.
Edit the sudoers
file, which is in the /etc
directory on the AIX server, to customize the file according to your requirements.
For example, if you have a group named mqm
in the AIX server and require all members of the group to act as SUDO users with all possible privileges, then the sudoers
file must contain the following line:
%mqm ALL= (ALL) ALL
This is only a sample configuration. If you need other group members or individual users to be SUDO users with specific privileges, then edit this file as was done for the sample value mqm.
This connector uses the following commands:
mkuser
chuser
passwd
cat
diff
usermod
Therefore, the SUDO user must have the privileges required to run these commands.
Note:
Do not use theNOPASSWD: ALL
option for any SUDO user or group.
For information about customizing the sudoers
file, refer to
Edit the same sudoers
file to configure the system, so that every time a command is run through SUDO Admin mode, the SUDO user is prompted for a password. Add the following line under the # Defaults specification
header:
Defaults timestamp_timeout=0
This is a prerequisite for this connector to work successfully.
Create a SUDO user. The SUDO user should be created according to the constraints specified in the sudoers
file.
For Red Hat Advanced Server 2.1
If SUDO is not installed on the Red Hat Advanced Server 2.1 server, then install the appropriate SUDO. To do this, first download the sudo-1.6.7p5-1.i686.rpm
file from
http://rpmfind.net/linux/rpm2html/search.php?query=sudo&submit=Search
Then, enter the following command to install SUDO:
rpm -i /root/download/sudo-1.6.7p5-1.i686.rpm
In this command, /root/download
is the location on the Linux server where the sudo-1.6.7p5-1.i686.rpm
file is stored.
Use the visudo
command to edit and customize the /etc/sudoers
file according to your requirements.
Note:
If you cannot use thevisudo
command to edit the sudoers
file, then:
Enter the following command:
chmod 777 /etc/sudoers
Make the required changes in the sudoers
file.
Enter the following command:
chmod 440 /etc/sudoers
For example, if you have a group named mqm
on the Linux server and require all members of the group to act as SUDO users with all possible privileges, then the sudoers
file must contain the following line:
mqm ALL= (ALL) ALL
This example is only a sample configuration. If you need other group members or individual users to be SUDO users with specific privileges, then edit this file as was done for the sample value mqm
.
The commands that this connector uses are:
useradd
usermod
passwd
cat
diff
Therefore, the SUDO user must have the privileges required to run these commands.
Note:
Do not use theNOPASSWD: ALL
option for any SUDO user or group.
For information about customizing the sudoers
file, refer to
Edit the same sudoers
file to configure the system, so that every time a command is run in SUDO Admin mode, the SUDO user is prompted for a password. Under the # Defaults specification
header, add the following line:
Defaults timestamp_timeout=0
This is a prerequisite for this connector to work successfully.
Create a SUDO user as follows:
Enter the following command:
useradd -g group_name -d /home/directory_name -m user_name
In this command:
- group_name
is the SUDO users group for which there is an entry in the /etc/sudoers
file.
- directory_name
is the name of the directory in which you want to create the default directory for the user.
In the .bash_profile
file, which is created in the /home/
directory_name
directory, add the following lines to set the PATH
environment variable:
PATH=/usr/sbin:$PATH export PATH
For Red Hat Enterprise Linux 3.x and Red Hat Linux 4.x
If SUDO is not installed on the Red Hat Enterprise Linux 3.x or 4.x server, then install the appropriate SUDO. For Linux Advanced Server 3.0 and 4.1, download the sudo-1.6.7p5-1.i686.rpm
file from
http://rpmfind.net/linux/rpm2html/search.php?query=sudo&submit=Search
Then, enter the following command to install SUDO:
rpm -i /root/download/sudo-1.6.7p5-1.i686.rpm
In this command, /root/download
is the location on the Linux server where the sudo-1.6.7p5-1.i686.rpm
file is stored.
Use the visudo
command to edit and customize the /etc/sudoers
file according to your requirements.
Note:
If you cannot use thevisudo
command to edit the sudoers
file, then:
Enter the following command:
chmod 777 /etc/sudoers
Make the required changes in the sudoers
file.
Enter the following command:
chmod 440 /etc/sudoers
For example, if you have a group named mqm
on the Linux server and want all of the members of the group to act as SUDO users with all possible privileges, then the sudoers
file must contain the following line:
%mqm ALL= (ALL) ALL
This is only a sample configuration. If you want some other group members or individual users to be SUDO users with specific privileges, you must edit this file as was done for the sample value mqm.
This connector uses the following commands:
useradd
usermod
passwd
cat
diff
Therefore, the SUDO user must have the privileges required to run these commands.
Note:
Do not use theNOPASSWD: ALL
option for any SUDO user or group.
For information about customizing the sudoers
file, refer to
Edit the same sudoers
file to configure the system, so that every time a command is run in SUDO Admin mode, the SUDO user is prompted for a password. Under the # Defaults specification
header, add the following line:
Defaults timestamp_timeout=0
This is a prerequisite for this connector to work successfully.
Create a SUDO user as follows:
Enter the following command:
useradd -g group_name -d /home/directory_name -m user_name
In this command:
- group_name
is the SUDO users group for which there is an entry in the /etc/sudoers
file.
- directory_name
is the name of the directory in which you want to create the default directory for the user.
In the .bash_profile
file, which is created in the /home/
directory_name
directory, add the following lines to set the PATH
environment variable:
PATH=/usr/sbin:$PATH export PATH
This section discusses the following topics:
To configure Public Key Authentication:
Copy SSH/scripts/privateKeyGen.sh
to any directory on the server.
Open this script file in a text editor and specify a working directory path other than the default value given in the file.
If required, enter the following command:
For Solaris or Linux:
dos2unix privateKeyGen.sh privateKeyGen.sh
For HP-UX:
dos2ux privateKeyGen.sh
Run the privateKeyGen.sh
script on the UNIX server. Provide a secure pass phrase when prompted.
When these commands are run, the following files are created in the $HOME/.ssh
directory:
id_rsa:
This is a private key file.
authorized_keys:
This file lists public keys that can be used to log in.
When the keys are generated successfully, edit the sshd_config
file for Pubic Key Authentication and test login.
After successfully testing login, copy the id_rsa
file to the following directory:
OIM_home/Xellerate/XLIntegrations/SSH/Config
Note:
This release of the connector has been tested and certified only for RSA keys, and not DSA. In addition, this connector has been tested and certified for only single key configuration and not multiple keys.To configure SSH Public Key Authentication:
For Solaris
Set the following parameters in the /etc/ssh/sshd_config
file:
PubKeyAuthorization yes PasswordAuthentication no PermitRootLogin yes
Note:
Change the value ofPermitRootLogin
to yes
only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value of PermitRootLogin
to without-password
.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
To restart the SSH server, enter the following commands:
/etc/init.d/sshd stop
/etc/init.d/sshd start
To test login:
ssh -i /.ssh/id_rsa -l root server_IP_address
This command prompts you for the passkey before setting up the connection.
For HP-UX
Uncomment the following lines in the /etc/ssh/sshd_config
file:
PermitRootLogin yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys
Note:
Change the value ofPermitRootLogin
to yes
only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value of PermitRootLogin
to without-password
.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
To restart the SSH Server, enter the following command:
/opt/ssh/sbin/sshd
To test login, enter the following command:
ssh -i /.ssh/id_rsa -l root server_IP_address
When prompted, enter the passkey to connect to the server.
For Linux
Enter the following commands at the UNIX server prompt:
mkdir /.ssh chmod 700 /.ssh ssh-keygen -q -f /.ssh/id_rsa -t rsa chmod 700 /.ssh/*
You are prompted to enter a passphrase when you enter these commands. You can press Enter if you do not want to use a passphrase.
Add the following line in the /etc/ssh/sshd_config
file:
AuthorizedKeysFile /.ssh/id_rsa.pub
Enter the following commands to restart the UNIX server:
/etc/init.d/sshd stop /etc/init.d/sshd start
To check if you can connect to the target system using the SSH protocol, directly from the command prompt and without using a password, enter the following command:
#ssh -l root -i /.ssh/id_rsa host_ip_address
Copy the /.ssh/id_rsa
file to the following directory:
OIM_home/xellerate/XLIntegrations/SSH/config
When you perform the procedure described in the "Defining IT Resources" section, provide the name and full path of the id_rsa
file as the value of the Private Key
parameter:
OIM_home/xellerate/XLIntegrations/SSH/config/id_rsa
For AIX
The first step of this procedure depends on the version of AIX that you are using:
For AIX 4.3, use the /etc/openssh/sshd_config
file to set the following parameters:
export PATH=$PATH: /usr/local/bin Installation path: /etc/openssh/ sshd -- /usr/local/bin/
For AIX 5.2, use the /etc/ssh/sshd_config
file to set the following parameters:
export PATH=$PATH: /usr/sbin Installation path: /etc/ssh/ sshd -- /usr/sbin/
Open the /etc/ssh/sshd_config
file, and uncomment the following lines:
AuthorizedKeysFile .ssh/authorized_keys PermitRootLogin yes PubkeyAuthentication yes
Note:
Change the value ofPermitRootLogin
to yes
only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value of PermitRootLogin
to without-password
.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
To restart the SSH server, enter the following commands:
/opt/ssh/sbin/sshd
(For AIX 4.3)
/usr/sbin/sshd
(For AIX 5.2)
To test the login, enter the following command:
ssh -i /.ssh/id_rsa -l root server_IP_address
When prompted, enter the passkey to connect to the server.
Note:
This release of the connector does not support Public Key Authentication provisioning if it is implemented through the SUDO Admin mode. The Public Key Authentication used for system access is available for the root user. This point is also mentioned in the Known Issues list in Chapter 4.The connector files to be copied and the directories to which you must copy them are given in the following table.
Note:
The directory paths given in the first column of this table correspond to the location of the connector files in the following directory on the installation media:Operating Systems\UNIX\UNIX SSH
Refer to the "Files and Directories That Comprise the Connector" section for more information about these files.
File in the Installation Media Directory | Destination Directory |
---|---|
config\sudoers |
OIM_home/xellerate/XLIntegrations/SSH/config
|
ext\sshfactory.jar |
OIM_home/xellerate/ThirdParty
|
lib\xliSSH.jar |
OIM_home/xellerate/JavaTasks
|
lib\xliSSH.jar |
OIM_home/xellerate/ScheduleTask
|
Files in the resources directory |
OIM_home/xellerate/connectorResources
|
scripts\privateKeyGen.sh |
OIM_home/xellerate/XLIntegrations/SSH/scripts
|
Files in the tests directory |
OIM_home/xellerate/XLIntegrations/SSH/tests
|
Files in the xml directory |
OIM_home/xellerate/XLIntegrations/SSH/xml
|
Note:
While installing Oracle Identity Manager in a clustered environment, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy theconnectorResources
directory and the JAR files to the corresponding directories on each node of the cluster.Configuring the Oracle Identity Manager server involves the following procedures:
Note:
In a clustered environment, you must perform this step on each node of the cluster.Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.
To set the required input locale:
Note:
Depending on the operating system used, you may need to perform this procedure differently.Open Control Panel.
Double-click Regional Options.
On the Input Locales of the Regional Options dialog box, add the input locale that you want to use and then switch to the input locale.
Whenever you add a new resource bundle in the OIM_home
\xellerate\connectorResources
directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
In a command window, change to the OIM_home
\xellerate\bin
directory.
Enter one of the following commands:
Note:
You must perform Step 1 before you perform this step. If you run the command as follows, then an exception is thrown:OIM_home\xellerate\bin\batch_file_name
On Microsoft Windows:
PurgeCache.bat ConnectorResourceBundle
On UNIX:
PurgeCache.sh ConnectorResourceBundle
In this command, ConnectorResourceBundle
is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:
OIM_home\xellerate\config\xlConfig.xml
Note:
You can ignore the exception that is thrown when you perform Step 2.When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
ALL
This level enables logging for all events.
DEBUG
This level enables logging of information about fine-grained events that are useful for debugging.
INFO
This level enables logging of informational messages that highlight the progress of the application at coarse-grained level.
WARN
This level enables logging of information about potentially harmful situations.
ERROR
This level enables logging of information about error events that may still allow the application to continue running.
FATAL
This level enables logging of information about very severe error events that could cause the application to stop functioning.
OFF
This level disables logging for all events.
The file in which you set the log level depends on the application server that you use:
For JBoss Application Server
In the JBoss_home
\server\default\conf\log4j.xml
file, add the following lines of XML code:
<category name = "Adapter.TELNETSSH">
<priority value = "log_level"/>
</category>
In the second XML code line, replace log_level
with the log level that you want to set. For example:
<category name = "Adapter.TELNETSSH"> <priority value = "WARN"/> </category>
After you enable logging, log information is written to the following file:
JBoss_home\server\default\log\server.log
For IBM WebSphere
Add the following line in the OIM_home
\xellerate\config\log.properties
file:
log4j.logger.Adapter.TELNETSSH=log_level
In this line, replace log_level
with the log level that you want to set. For example:
log4j.logger.Adapter.TELNETSSH=INFO
After you enable logging, log information is written to the following file:
WebSphere_home\AppServer\logs\server_name\startServer.log
For BEA WebLogic
Add the following line in the OIM_home
\xellerate\config\log.properties
file:
log4j.logger.Adapter.TELNETSSH=log_level
In this line, replace log_level
with the log level that you want to set. For example:
log4j.logger.Adapter.TELNETSSH=INFO
After you enable logging, log information is written to the following file:
WebLogic_home\user_projects\domains\domain_name\server_name\server_name.log
For OC4J
Add the following line in the OIM_home
\xellerate\config\log.properties
file:
log4j.logger.Adapter.TELNETSSH=log_level
In this line, replace log_level
with the log level that you want to set. For example:
log4j.logger.Adapter.TELNETSSH=INFO
After you enable logging, log information is written to the following file:
OC4J_home\opmn\logs\default_group~home~default_group~1.log
To import the connector XML files:
Open the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management. A dialog box for locating files is displayed.
Locate and open the XLISSH_DM.xml
file, which is in the OIM_home
/xellerate/XLIntegrations/SSH/xml
directory. Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Next. The Provide IT Resource Instance Data page for the SSH server Solaris
IT resource is displayed.
Specify values for the parameters of the SSH server Solaris
IT resource. Refer to the table in the "Defining IT Resources" section for information about the values to be specified.
Click Next. The Provide IT Resource Instance Data page for a new instance of the SSH Server
IT resource type is displayed.
Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.
See Also:
If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.Click View Selections.
The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. Remove these nodes by right-clicking each node and then selecting Remove.
Click Import. The connector file is imported into Oracle Identity Manager.
Perform the same procedure to import the XLISSH SchedulerTask_DM.xml
file, which is in the OIM_home
/xellerate/XLIntegrations/SSH/xml
directory.
If you plan to use the connector in trusted source reconciliation mode, then perform the same procedure to import the XLISSH_Trusted_DM.xml
file. This file is in the OIM_home
/xellerate/XLIntegrations/SSH/xml
directory.
Caution:
Only one connector can be configured for trusted source reconciliation. If you import theXLISSH_Trusted_DM.xml
file while you have another trusted source configured, then both connector reconciliations would stop working.After you import the connector XML file, proceed to the "Step 6: Configuring Reconciliation" section.
You must specify values for the SSH server Solaris
IT resource parameters listed in the following table.
Parameter | Description |
---|---|
Admin UserId |
User ID of the administrator
Here, |
Admin Password/Private file Pwd |
Password of the administrator
Here, Note: For the SUDO Admin mode, the private key is not supported. You must not specify a value for this mode. If a private key is used, then the Private Key PassPhrase must be provided as the value of this parameter. |
Server IP Address |
Server IP address |
Port |
The port at which the SSH service is running on the server
Default value: |
Private Key |
Private key file name with full path
Note: For SUDO Admin administrator, this parameter must be left blank. |
Server OS |
Specify one of the following:
|
Shell Prompt |
# or $ |
Login Prompt |
You can ignore this parameter. This parameter is not used for SSH. |
Password Prompt |
You can ignore this parameter. This parameter is not used for SSH. |
Whether Trusted System (HP-UX) |
YES (for trusted HP-UX System) or NO (for nontrusted HP-UX system) |
Whether SUDO Admin Mode |
NO (for root) or YES (for SUDO Admin mode) |
Target Locale |
Target locale (language and country)
You can specify any one of the following values:
Note: You must not make any change (uppercase or lowercase) in the value that you specify. |
Supported Character Encoding (en_US) - Target |
Encoding format for the en_US target locale
The default value is UTF-8. Note: You can check which locale -a |
After you specify values for these IT resource parameters, proceed to Step 9 of the procedure to import connector XML files.
This section describes the following steps involved in configuring the Oracle Identity Manager server:
This section discusses the following topics:
To configure system properties:
Navigate to the System Configuration page.
Check if there is an entry for "Default date format." If this entry is not there, then perform Step 4.
Add a new entry in the Server category:
Name: Default date format
Keyword: XL.DefaultDateFormat
Value: yyyy/MM/dd hh:mm:ss z
Click Save.
Note:
Perform this step of the procedure only if you want to configure trusted source reconciliation. Only one connector can be configured for trusted source reconciliation. If you configure trusted source reconciliation for this connector while you have another trusted source configured, then both connector reconciliations would stop working.Refer to Oracle Identity Manager Connector Framework Guide for conceptual information about reconciliation configurations.
This procedure involves the following steps:
In the Resource Object form:
Search for the Xellerate User.
On the Object Reconciliation tab, add the required reconciliation fields. Add all the reconciliation fields that will be needed to provide input for mandatory fields in the Xellerate User form, for example, fields such as User Login and First Name. Only one mandatory field, Password, can be left unmapped. All the mandatory fields of the User Defined process form must be mapped.
In the Process Definition form:
Search for the Xellerate User.
On the Reconciliation Field Mappings tab, add the required reconciliation field mappings. All the mandatory fields of the User Defined process form should be mapped.
In the Reconciliation Rules form:
Create a new rule for the Xellerate User resource object, with a rule element.
Select the Active check box.
To create the reconciliation scheduled task:
Expand the Xellerate Administration folder.
Select Task Scheduler.
Click Find. The details of the predefined scheduled tasks are displayed.
Enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR
status to the task.
Ensure that the Disabled and Stop Execution check boxes are not selected.
In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.
In the Interval region, set the following schedule parameters:
To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.
If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.
To set the task to run only once, select the Once option.
Provide values for the user-configurable attributes of the scheduled task. Refer to the "Specifying Values for the Scheduled Task Attributes" section for information about the values to be specified.
See Also:
Oracle Identity Manager Design Console Guide for information about adding and removing task attributesClick Save. The scheduled task is created. The INACTIVE
status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.
After you create the scheduled task, proceed to the "Enabling Reconciliation in Oracle Identity Manager Release 9.0.1" section.
You must specify values for the following attributes of the reconciliation scheduled task.
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.Attribute | Description | Sample Value |
---|---|---|
Server |
Name of the IT resource | SSH server Solaris |
Passwd Mirror File/User Mirror File |
Name of the password mirror file/user mirror file
The SUDO user must have read and write permissions on this file. For example, suppose you run the following command to view the permissions on the mirror file:
The command generates the following output:
In this output, |
/etc/passwd1 |
Shadow Mirror File |
Name of the shadow mirror file
The SUDO user must have read and write permissions on this file. For example, suppose you run the following command to view the permissions on the mirror file:
The command generates the following output:
In this output, Note: This attribute is not required on AIX. The value of this attribute must not be null or blank, even for an HP-UX trusted system. However, the reconciliation process on an HP-UX trusted system ignores this attribute. |
/etc/shadow1 |
Target System Recon - Resource Object name |
Name of the target system resource object | SSH User |
Trusted Source Recon - Resource Object name |
Name of the trusted source resource object | Default value: Xellerate User
Specify |
Date Format |
Format in which date values sent from the target system are to be saved during reconciliation
The value that you specify must be the same as the value specified in the "Configuring System Properties" section. |
yyyy/MM/dd hh:mm:ss z |
After you specify values for these task attributes, proceed to Step 10 of the procedure to create scheduled tasks.
If you are using Oracle Identity Manager release 9.0.1, then you must perform the following procedure to enable reconciliation:
See Also:
Oracle Identity Manager Design Console GuideOpen the Process Definition form for the SSH User
. This form is in the Process Management folder.
Click the Reconciliation Field Mappings tab.
For each field that is of the IT resource type:
Double-click the field to open the Edit Reconciliation Field Mapping window for that field.
Deselect Key Field for Reconciliation Matching.
The following adapters are imported into Oracle Identity Manager when you import the connector XML file:
SSH Disable User
SSH GECOS Updated
SSH Set Password
SSH Default Shell Updated
SSH Password Change Time Updated
SSH Create User
SSH Delete User
SSH Home Directory Updated
SSH Primary Group Name Updated
SSH Account Expiry Date Updated
SSH User UID Updated
SSH Secondary Group Name Updated
SSH Inactive Days Updated
SSH User Login Updated
SSH Enable User
SSH Prepopulate User Login
SSH Prepopulate End Date
You must compile these adapters before you can use them to provision accounts on the target system.
To compile adapters by using the Adapter Manager form:
Open the Adapter Manager form.
To compile all the adapters that you import into the current database, select Compile All.
To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select Compile Selected.
Note:
Click Compile Previously Failed to recompile only those adapters that were not compiled successfully. Such adapters do not have anOK
compilation status.Click Start. Oracle Identity Manager compiles the selected adapters.
If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the OIM_home
\xellerate\Adapter
directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.
To view detailed information about an adapter:
Highlight the adapter in the Adapter Manager form.
Double-click the row header of the adapter, or right-click the adapter.
Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.
Note:
Perform this procedure only if you want to configure the connector for multiple installations of UNIX SSH. Refer to Oracle Identity Manager Design Console Guide for detailed instructions on performing each step of this procedure.To configure the connector for multiple installations of the target system:
Create and configure one IT resource for each target system installation.
The IT Resources form is in the Resource Management folder. An IT resource is created when you import the connector XML file. You can use this IT resource as the template for creating the remaining IT resources, of the same resource type.
Configure reconciliation for each target system installation. Refer to the "Step 6: Configuring Reconciliation" section for instructions. Note that you only need to modify the attributes that are used to specify the IT resource and to specify whether or not the target system installation is to be set up as a trusted source.
You can designate either a single or multiple installations of UNIX SSH as the trusted source.
If required, modify the fields to be reconciled for the Xellerate User resource object.
When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the UNIX SSH installation to which you want to provision the user.