1 About the Connector

The Oracle Identity Manager IBM RACF Advanced Connector provides a native interface between IBM RACF installed on z/OS mainframe and Oracle Identity Manager. The Advanced Connector functions as a trusted virtual administrator on the targeted platform, performing tasks such as creating login IDs, suspending IDs, changing passwords, and performing other functions that administrators usually perform manually.

The IBM RACF Advanced Connector enables provisioning and reconciliation to IBM RACF security facilities. This chapter discusses the following topics:

Overview of IBM RACF Advanced Connector
Supported Functionality
Multilanguage Support
Files and Directories That Comprise the Connector
How to Use This Guide

Overview of IBM RACF Advanced Connector

The IBM RACF Advanced Connector includes the following components:

LDAP Gateway: The LDAP Gateway receives instructions from Oracle Identity Manager in the same way as any LDAP version 3 identity store. These LDAP commands are then converted into native mainframe commands for IBM RACF and sent to the Provisioning Agent. The response is also native to IBM RACF, which is then parsed into an LDAP response. After execution, an LDAP-formatted response is returned to the requesting application.
Provisioning Agent: The Provisioning Agent is a mainframe component, receiving native mainframe IBM RACF provisioning commands from the LDAP Gateway. These requests are processed against the IBM RACF authentication repository with the response parsed and returned to the LDAP Gateway.
Reconciliation Agent: The Oracle Identity Manager Reconciliation Agent captures native mainframe events using advanced exit technology for seamless reconciliation to Oracle Identity Manager through the LDAP Gateway. The Reconciliation Agent captures events occurring from the TSO logins, command prompt, batch jobs, and other native events in real time. The Reconciliation Agent captures these events and transforms them into notification messages for Oracle Identity Manager through the LDAP Gateway.
Message Transport Layer: The message transport layer enables the exchange of messages between the LDAP Gateway and the IBM RACF Provisioning and Reconciliation Agent. You can use the following messaging protocols for the message transport layer:
- IBM MQ Series
- TCP/IP with internal Advanced Encryption Standard (AES) encryption using 128-bit cryptographic keys. The IBM RACF Advanced connector supports a manually configured message transport layer using the TCP/IP protocol, which is functionally similar to proprietary message transport layer protocols.

In addition, the Advanced connector is engineered for high-performance environments and transactions.

Supported Functionality

The following sections list the features supported by the IBM RACF Advanced Connector:

Provisioning Agent Functionality
Reconciliation Agent Functionality
Reconciled Attributes

Provisioning Agent Functionality

The Provisioning Agent provides the following functionality:

Change passwords
Reset passwords
Create users
Modify users
Revoke user accounts
Add user to groups
Delete users
Resume user accounts
List users
List groups
List users by groups
List resource profiles by user
Grant user access to data sets
Grant user access to resource profiles
Grant user access to TSO

Reconciliation Agent Functionality

The Reconciliation Agent provides the following functionality:

Change passwords
Password resets
Create user data
Modify user data
Revoke users
Add users to groups
Delete users
Resume users

Reconciled Attributes

This section discusses the elements that the Reconciliation Agent extracts from the target system to construct reconciliation event records. The attributes that are reconciled between the IBM RACF and Oracle Identity Manager systems are listed in the following table:

Reconciled Attributes with IBM RACF
uid	userPassword	sn
cn	givenName	resumeDate
revokeDate	dataset	lastaccessdate
lastconnectdate	defaultgroup	owner
memberOf	attributes	tsoacctnum
tsoholdclass	tsojobclass	tsomsgclass
tsoproc	tsosize	tsomaxsize
tsosysoutclass	tsounit	tsouserdata
tsocommand	tsodest	tsoseclabel

Multilanguage Support

In addition to English, this release of the connector supports the following languages:

English
Brazilian Portuguese
French
German
Italian
Japanese
Korean
Simplified Chinese
Spanish
Traditional Chinese

Files and Directories That Comprise the Connector

The files and directories that comprise this connector are located in the following directory on the installation media:

Security Applications/IBM RACF/IBM RACF Advanced

Copy the contents of this file to the oim_home directory. The contents of this file are described in brief in the following table:

Files and Directories	Description of Files and Contents
`etc/LDAP Gateway/ldapgateway.zip`	Files required for LDAP Gateway deployment in the Oracle Identity Manager system.
`etc/Provisioning and Reconciliation Connector/Mainframe_RACF_version.zip`	Files required for the installation of the Provisioning Agent and Reconciliation Agent on the mainframe.
`lib/idm.jar`	The connector JAR file to be deployed on the Oracle Identity Manager system.
`lib/racf-adv-agent-recon.jar` `lib/racfConnection.properties`	Files required for real-time reconciliation between Oracle Identity Manager and the target system.
Files in the `resources` directory	Each of these files contain locale-specific information that is used by the connector. Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console.
`scripts/run_initial_recon_provisioning.sh` `scripts/run_initial_recon_provisioning.bat` `scripts/racf-adv-initial-recon.jar` `scripts/initialRacfAdv.properties`	Files that are used for performing the initial reconciliation run.
`scripts/run_initial_recon_disable.sh` `scripts/run_initial_recon_disable.bat`	These files are scripts that perform the initial reconciliaton run. In addition, these scripts also check for users disabled on the target system and disable them on Oracle Identity Manager.
`xml/oimRacfAdvancedConnector.xml`	The XML file that contains component definitions for the connector.

How to Use This Guide

The IBM RACF Advanced connector deployment primarily consists of installing the LDAP Gateway, Reconciliation Agent, and Provisioning Agent. The LDAP Gateway is installed on the same system as the Oracle Identity Manager server. The Provisioning Agent and Reconciliation Agents are installed on the mainframe.

The deployment procedure on the Oracle Identity Manager server is different in nature from the deployment procedure on the mainframe. For simplicity, these instructions have been divided into two chapters in this guide:

Chapter 2, "Deployment on the Oracle Identity Manager Server" covers instructions for deploying the connector on the Oracle Identity Manager system. This consists of configuring the Oracle Identity Manager server, importing the connector XML file, compiling adapters, installing the LDAP Gateway, configuring the message transport layer, and so on.
Chapter 3, "Connector Deployment on the Target IBM RACF System" includes the second set of instructions to deploy the connector on the mainframe to interface with Oracle Identity Manager. While it may be possible for the Oracle Identity Manager administrator to perform these tasks, it is recommended that these tasks be performed with the assistance of the mainframe administrator.