5 Extending the Functionality of the Connector

This chapter discusses the following optional procedures that you can perform to extend the functionality of the connector for addressing your business requirements:

5.1 Adding New Attributes for Target Resource Reconciliation

Note:

You must ensure that new attributes you add for reconciliation contain only string-format data. Binary attributes must not be brought into Oracle Identity Manager natively.

By default, the attributes listed in Table 1-3 are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new attributes for target resource reconciliation.

For real-time (incremental) reconciliation, the reconAttrs property contains the list of target system attributes that are mapped for real-time reconciliation with Oracle Identity Manager. This property is found in the VOYAGER_ID.properties file. Attributes mapped for reconciliation are listed as the value of the reconAttrs property. If you want to add an attribute for reconciliation, then copy it from the "removed" list to the list in the reconAttrs property.

For full reconciliation, the reconciliation scheduled task contains two sections: SingleValueAttributes and MultiValuedAttributes. Attributes that can have multiple values (such as MEMBER_OF containing multiple group names) should be entered as a comma-separated list in the MultiValuedAttributes property. All other attributes should be entered in the SingleValueAttributes property. Attributes entered in the MultiValuedAttributes property should not be included in the SingleValueAttributes property and vice versa.

If you are adding a custom target system attribute, then you must also add it to the list of attributes specified as the value of the configAttrs property in the acf2.properties file. See Section 3.9, "Installing and Configuring the LDAP Gateway" for information about this property.

5.2 Adding New Attributes for Provisioning

By default, the attributes listed in Table 1-3 are mapped for provisioning between Oracle Identity Manager and the target system. If required, you can map additional attributes for provisioning.

To add a new attribute for provisioning:

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about these steps

  1. Log in to the Oracle Identity Manager Design Console.

  2. Add the new attribute on the process form as follows:

    1. Expand Development Tools.

    2. Double-click Form Designer.

    3. Search for and open the UD_IDF_ACF2 process form.

    4. Click Create New Version, and then click Add.

    5. Enter the details of the attribute.

    6. Click Save and then click Make Version Active.

  3. Create an entry for the attribute in the lookup definition for provisioning as follows:

    1. Expand Administration.

    2. Double-click Lookup Definition.

    3. Search for and open the AtMap.ACF2 lookup definition.

    4. Click Add and then enter the Code Key and Decode values for the attribute.

      The Code Key value must be the name of the field on the process form. The Decode value is the name of the attribute on the target system.

  4. To enable update of the attribute during provisioning operations, create a process task as follows:

    See Also:

    Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed information about these steps

    1. Expand Process Management, and double-click Process Definition.

    2. Search for and open the OIMAcf2ProvisioningProcess process definition.

    3. Click Add.

    4. On the General tab of the Creating New Task dialog box, enter a name and description for the task and then select the following:

      Conditional

      Required for Completion

      Allow Cancellation while Pending

      Allow Multiple Instances

    5. Click Save.

    6. On the Integration tab of the Creating New Task dialog box, click Add.

    7. In the Handler Selection dialog box, select Adapter, click adpMODIFYACF2USER, and then click the Save icon.

      The list of adapter variables is displayed on the Integration tab.

    8. To create the mapping for the first adapter variable:

      Double-click the number of the first row.

      In the Edit Data Mapping for Variable dialog box, enter the following values:

      Variable Name: Adapter return value

      Data Type: Object

      Map To: Response code

      Click the Save icon

    9. To create mappings for the remaining adapter variables, use the data given in the following table:

      Variable Number   Variable Name   Map To         Qualifier
      Second            idfResource     IT Resource    Not applicable
      Third             uid             Process Data   LoginId
      Fourth            attrName        Literal        cn string
      Fifth             attrValue       Process Data   UD_ACF2_ADV_NAME string

    10. Click the Save icon in the Editing Task dialog box, and then close the dialog box.

    11. Click the Save icon to save changes to the process definition.

  5. If you are adding a custom attribute, then add it to the list of attributes specified as the value of the configAttrs property in the acf2.properties file. See Step 3 of Section 3.9, "Installing and Configuring the LDAP Gateway" for information about this property.

5.3 Removing Attributes Mapped for Target Resource Reconciliation and Provisioning

Note:

You must not remove the uid, cn, sn, givenName, or userPassword attribute. These attributes are mandatory on the target system.

The reconAttrs property contains the list of target system attributes that are mapped for real-time reconciliation and provisioning. This property is found in the VOYAGER_ID.properties file. If you want to remove an attribute mapped for real-time reconciliation and provisioning, then remove it from the reconAttrs property.

The SingleValueAttributes and MultiValuedAttributes properties contain the list of target system attributes that are mapped for initial reconciliation. These properties are found in the Reconcile All Users scheduled task. If you want to remove an attribute mapped for initial reconciliation, then remove it from the SingleValueAttributes or MultiValuedAttributes property.

5.4 Configuring the Connector for Provisioning to Multiple Installations of the Target System

You can configure the connector for multiple installations of the target system. You can also configure the connector for a scenario in which multiple logical partitions (LPARs), which are not associated with the first LPAR, are configured in the target system.

For each installation of the target system, you create an IT resource and configure an additional instance of the LDAP Gateway.

To configure the connector for the second installation of the target system:

Note:

Perform the same procedure for all installations of the target system.

  1. Create an IT resource based on the OIMLDAPGatewayResourceType IT resource type.

    See Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about creating IT resources. See Section 3.5, "Configuring the IT Resource" for information about the parameters of the IT resource.

  2. Copy the current LDAP_INSTALL_DIR directory, including all the subdirectories, to a new location.

    Note:

    In the remaining steps of this procedure, LDAP_INSTALL_DIR refers to the newly copied directory.

  3. Extract the contents of the LDAP_INSTALL_DIR/dist/idfserver.jar file.

  4. In the beans.xml file, change the value of the port in the <property name="port" value="xxxx"/> line to specify a port that is different from the port used for the first instance of the LDAP Gateway. The default port number is shown in the following example:

    <bean id="listener" class="com.identityforge.idfserver.nio.Listener">
      <constructor-arg><ref bean="bus"/></constructor-arg>
      <property name="admin"><value>false</value></property>
      <property name="config"><value>../conf/listener.xml</value></property>
      <property name="port" value="5389"/>
    </bean>

    When you change the port number, you must make the same change in the value of the idfServerPort parameter of the IT resource that you create.

  5. Save and close the beans.xml file.

  6. Open the LDAP_INSTALL_DIR/conf/acf2.properties file and set values for the following parameters:

    • agentPort = Enter the port number for the second instance of the Reconciliation agent.

      Note:

      The value of the agentPort parameter must not be the same as that of the first instance if a second LPAR, which is not associated with the first LPAR, is configured in the target system. This value can be the same as the value of the idfServerPort parameter if you have two mainframe servers with CA ACF2 running on each server.

    • host = Enter the IP address or host name of the mainframe.

    • port = Enter the port number for the second instance of the Provisioning agent.

  7. Save and close the acf2.properties file.

  8. Open the LDAP_INSTALL_DIR/etc/VOYAGER_ID.properties file, and set a value for the following property:

    itResource = Enter the name of the IT resource for the second LDAP Gateway.

  9. Save and close the VOYAGER_ID.properties file.

  10. In a Linux or Solaris environment, if there are not enough socket file descriptors to open up all the ports needed for the server, then:

    1. In a text editor, open the run script from the LDAP_INSTALL_DIR/bin directory.

    2. Add the following line in the file:

      -Djava.nio.channels.spi.SelectorProvider=sun.nio.ch.PollSelectorProvider

    3. Save and close the file.

When you perform provisioning operations:

When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the CA ACF2 installation to which you want to provision the user.
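As an added example (not the connector's own code), the following Python script applies the rules from Sections 5.1, 5.3 and 5.4 as a pre-deployment check: it reads reconAttrs and configAttrs from the .properties files and reports mandatory attributes that were removed, attributes listed in both SingleValueAttributes and MultiValuedAttributes, custom attributes missing from configAttrs, entries with a space after the comma, and LDAP Gateway instances whose beans.xml port collides with another instance or differs from the IT resource's idfServerPort. The sample inputs, the instance names and the default-attribute set that stands in for Table 1-3 are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Attributes the documentation says are mandatory on the target system (Section 5.3).
MANDATORY_ATTRS = {"uid", "cn", "sn", "givenName", "userPassword"}

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value,
    backslash line continuations. Values are returned stripped."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def split_attr_list(value):
    """Split a comma-separated list WITHOUT trimming entries, so that a space after
    a comma (which the scheduled task does not tolerate) stays visible."""
    return [item for item in value.split(",") if item] if value else []

def check_attribute_lists(voyager_props, acf2_props, task_attrs, default_attrs):
    """Findings for reconAttrs (VOYAGER_ID.properties), configAttrs (acf2.properties)
    and the scheduled task's SingleValueAttributes / MultiValuedAttributes."""
    recon = split_attr_list(voyager_props.get("reconAttrs", ""))
    single = split_attr_list(task_attrs.get("SingleValueAttributes", ""))
    multi = split_attr_list(task_attrs.get("MultiValuedAttributes", ""))
    config = {a.strip() for a in split_attr_list(acf2_props.get("configAttrs", ""))}
    findings = []
    for name, items in (("reconAttrs", recon), ("SingleValueAttributes", single),
                        ("MultiValuedAttributes", multi)):
        findings += [f"{name}: entry {i!r} has surrounding whitespace"
                     for i in items if i != i.strip()]
    recon_s, single_s, multi_s = ({a.strip() for a in lst} for lst in (recon, single, multi))
    findings += [f"reconAttrs: mandatory attribute {a} has been removed"
                 for a in sorted(MANDATORY_ATTRS - recon_s)]
    findings += [f"{a} is listed in both SingleValueAttributes and MultiValuedAttributes"
                 for a in sorted(single_s & multi_s)]
    # A custom (non-default) attribute added for reconciliation must also be in configAttrs.
    findings += [f"custom attribute {a} is in reconAttrs but not in configAttrs"
                 for a in sorted(recon_s - set(default_attrs) - config)]
    return findings

def listener_port(beans_xml):
    """Port of the bean id='listener'; the shipped beans.xml carries it in the
    'value' attribute of the <property name="port"> element."""
    for bean in ET.fromstring(beans_xml).iter("bean"):
        if bean.get("id") == "listener":
            for prop in bean.findall("property"):
                if prop.get("name") == "port" and prop.get("value"):
                    return int(prop.get("value"))
    return None

def check_gateway_ports(instances):
    """instances: (name, beans.xml text, idfServerPort of that instance's IT resource).
    Every gateway needs its own port, and the IT resource must carry the same value."""
    findings, seen = [], {}
    for name, beans_xml, it_resource_port in instances:
        port = listener_port(beans_xml)
        if port is None:
            findings.append(f"{name}: no listener port found in beans.xml")
            continue
        if port in seen:
            findings.append(f"{name}: port {port} is already used by {seen[port]}")
        seen.setdefault(port, name)
        if port != it_resource_port:
            findings.append(f"{name}: beans.xml port {port} != idfServerPort {it_resource_port}")
    return findings

# Constructed sample input (illustrative values, not taken from a real deployment).
VOYAGER_PROPS = parse_properties("reconAttrs=uid,cn,sn,givenName,\\\n  tsoMaxSize, waddr1")
ACF2_PROPS = parse_properties("configAttrs=uid,cn,sn,givenName,userPassword")
TASK_ATTRS = {"SingleValueAttributes": "uid,owner,defaultGroup,waddr1",
              "MultiValuedAttributes": "attributes,memberOf,waddr1"}
DEFAULT_ATTRS = {"uid", "cn", "sn", "givenName", "userPassword", "owner", "defaultGroup", "tsoMaxSize"}
BEANS = ('<beans><bean id="listener" class="com.identityforge.idfserver.nio.Listener">'
         '<property name="port" value="{}"/></bean></beans>')
INSTANCES = [("gateway1", BEANS.format(5389), 5389), ("gateway2", BEANS.format(5389), 5390)]

if __name__ == "__main__":
    print(*check_attribute_lists(VOYAGER_PROPS, ACF2_PROPS, TASK_ATTRS, DEFAULT_ATTRS),
          *check_gateway_ports(INSTANCES), sep="\n")
```

Run against the real LDAP_INSTALL_DIR/etc and conf files by reading their contents into parse_properties and listener_port; an empty findings list means the three lists and the instance ports are consistent.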

5.5 Configuring the Connector for Reconciliation of Multiple Installations of the Target System

You can configure the connector for reconciling multiple installations of the target system. For each installation of the target system, you create a corresponding .properties file in the /ldapgateway/etc/ directory.

To configure the connector for the second installation of the target system:

Note:

Perform the same procedure for all installations of the target system.

  1. Make a copy of the current .properties file in the LDAP_INSTALL_DIR/etc/ directory, saving the copy in the same directory. The default name of this file is VOYAGER_ID.properties; otherwise, select the .properties file whose name matches the VOYAGER_ID of the target system that you want to configure for reconciliation. See Chapter 2, "Deploying the IdF Advanced Adapter for ACF2" for information about the VOYAGER_ID property.

  2. Open the copied file and set a value for the following properties:

    • itResource = Enter the name of the IT resource.

    • userStatus = Enter either Provisioned or Enabled, depending on the status that must be set for accounts that are created through target resource reconciliation.

    • xlAdminId = Enter the user ID of a user belonging to the SYSTEM ADMINISTRATORS group.

    • xlAdminPwd = Enter the password of the user whose user ID you specified as the value of the xlAdminId property. This property is used only on Oracle Identity Manager Release 11.1.1. If required, you can encrypt the password for security purposes using the propertyEncrypt script located in the scripts directory of the installation media. The procedure to use the script is given in Section 3.9, "Installing and Configuring the LDAP Gateway". After you run the script, copy the encrypted password as the value of the xlAdminPwd property.

    • xlAdminPwdEncrypt = Enter true as the value of the xlAdminPwdEncrypt property if you have set an encrypted password as the value of the xlAdminPwd property. Otherwise, enter false. This property is used only on Oracle Identity Manager Release 11.1.1.

    • xlJndiUrl = Enter the JNDI URL of the Oracle Identity Manager server, determined as described in Step 3. This property is used only on Oracle Identity Manager Release 11.1.1.

    • xlJndiFactory = The default value is weblogic.jndi.WLInitialContextFactory. Do not change this default value. This property is used only on Oracle Identity Manager Release 11.1.1.

  3. To determine the JNDI URL:

    In a text editor, open the following file:

    OIM_DC_HOME/xlclient/Config/xlconfig.xml

    Here, OIM_DC_HOME is the name and full path of the directory in which you install the Oracle Identity Manager Design Console.

    Copy the value of the java.naming.provider.url element and set it as the value of the xlJndiUrl property. Sample value: t3://localhost:14000/oim

  4. The Voyager reconciliation agent sends a unique identifier value, called VOYAGER_ID, each time a reconciliation event occurs. This value must match the name of the .properties file being used by the acf2-adv-agent-recon.jar for reconciliation.

    Rename the copied file to match the VOYAGER_ID property. For example, if the target system has VOYAGER_ID = VOYAGER14, then the .properties file should be named VOYAGER14.properties.

5.6 Reconciling Deleted Users to Oracle Identity Manager

The ACF2 Deleted User Reconciliation to OIM scheduled task allows the administrator to reconcile deleted users from the target system to Oracle Identity Manager. When you configure this scheduled task, it runs at specified intervals and fetches a list of users on the target system. These user names are then compared with provisioned users in Oracle Identity Manager. Any user profiles that exist within Oracle Identity Manager, but not in the target system, are deleted from Oracle Identity Manager.

To configure the Deleted User Reconciliation to OIM scheduled task:

  1. Log in to the Oracle Identity Manager Administrative and User Console.

  2. Perform one of the following steps:

    a.) If you are using Oracle Identity Manager Release 9.1.0.x, expand Resource Management, and then click Manage Scheduled Task.

    b.) If you are using Oracle Identity Manager Release 11.1.1, then on the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

  3. Search for and open the scheduled task as follows:

    If you are using Oracle Identity Manager Release 9.1.0.x, then:

    a.) On the Scheduled Task Management page, enter the name of the scheduled task as the search criteria and then click Search.

    b.) In the search results table, click Edit column for the scheduled task.

    c.) On the Scheduled Task Details page, where the details of the scheduled task that you selected are displayed, click Edit.

    If you are using Oracle Identity Manager Release 11.1.1, then:

    a.) On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

    b.) On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    c.) In the search results table on the left pane, click the scheduled job in the Job Name column.

  4. Modify the details of the scheduled task as follows:

    a.) If you are using Oracle Identity Manager Release 9.1.0.x, then on the Edit Scheduled Task Details page, modify the following parameters, and then click Continue:

    Status: Specify whether you want to leave the task in the enabled state. In the enabled state, the task is ready for use.

    Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 0.

    Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.

    Frequency: Specify the frequency at which you want the task to run.

    b.) If you are using Oracle Identity Manager Release 11.1.1, then on the Job Details tab, you can modify the following parameters:

    Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

    Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

    Note:

    See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.

    In addition to modifying the job details, you can enable or disable a job.

  5. Specify values for the attributes of the scheduled task as follows:

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    Table 5-1 describes the attributes of the scheduled task.

    Table 5-1 Attributes of the Deleted User Reconciliation to OIM Scheduled Task

    IT Resource
      Enter the name of the IT resource that was configured for the target system.
      Sample value: Acf2Resource

    Resource Object
      Enter the name of the resource object against which the delete reconciliation runs must be performed.
      Sample value: OIMAcf2ResourceObject

    Domain OU
      Enter the name of the internally-configured directory in the LDAP where the contents of event changes will be stored.
      Sample value: acf2

    UsersList
      Enter a comma-separated list of user IDs that will be evaluated for delete reconciliation.
      Note: This field is optional. If no user IDs are listed, then all users will be evaluated.
      Sample value: testusr1,testusr2,testusr3


  6. After specifying the attributes, perform one of the following steps:

    a.) If you are using Oracle Identity Manager Release 9.1.0.x, then click Save Changes to save the changes.

    Note:

    The Stop Execution option is not available in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager. If you want to stop a task, then click Stop Execution on the Task Scheduler form of the Design Console.

    b.) If you are using Oracle Identity Manager Release 11.1.1, then click Apply to save the changes.

5.7 Reconciling Users to the Internal LDAP

The ACF2 Reconcile Users to Internal LDAP scheduled task allows the administrator to reconcile users from the target system to the internal LDAP store. When you configure this scheduled task, it runs at specified intervals and fetches a list of users and their profiles on the target system. Each of these users is then reconciled to the internal LDAP store. No reconciliation to Oracle Identity Manager is performed.

To configure the Reconcile Users to Internal LDAP scheduled task:

  1. Log in to the Oracle Identity Manager Administrative and User Console.

  2. Perform one of the following steps:

    1. If you are using Oracle Identity Manager Release 9.1.0.x, expand Resource Management, and then click Manage Scheduled Task.

    2. If you are using Oracle Identity Manager Release 11.1.1, then on the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

  3. Search for and open the scheduled task as follows:

    If you are using Oracle Identity Manager Release 9.1.0.x, then:

    1. On the Scheduled Task Management page, enter the name of the scheduled task as the search criteria and then click Search.

    2. In the search results table, click Edit column for the scheduled task.

    3. On the Scheduled Task Details page, where the details of the scheduled task that you selected are displayed, click Edit.

    If you are using Oracle Identity Manager Release 11.1.1, then:

    1. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

    2. On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    3. In the search results table on the left pane, click the scheduled job in the Job Name column.

  4. Modify the details of the scheduled task as follows:

    1. If you are using Oracle Identity Manager Release 9.1.0.x, then on the Edit Scheduled Task Details page, modify the following parameters, and then click Continue:

      Status: Specify whether you want to leave the task in the enabled state. In the enabled state, the task is ready for use.

      Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 0.

      Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.

      Frequency: Specify the frequency at which you want the task to run.

    2. If you are using Oracle Identity Manager Release 11.1.1, then on the Job Details tab, you can modify the following parameters:

      Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

      Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

    Note:

    See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.

    In addition to modifying the job details, you can enable or disable a job.

  5. Specify values for the attributes of the scheduled task as follows:

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    Table 5-2 describes the attributes of the scheduled task.

    Table 5-2 Attributes of the Reconcile Users to Internal LDAP Scheduled Task

    IT Resource
      Enter the name of the IT resource that was configured for the target system.
      Sample value: Acf2Resource

    Domain OU
      Enter the name of the internally-configured directory in the LDAP where the contents of event changes will be stored.
      Sample value: acf2


  6. After specifying the attributes, perform one of the following steps:

    1. If you are using Oracle Identity Manager Release 9.1.0.x, then click Save Changes to save the changes.

      Note:

      The Stop Execution option is not available in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager. If you want to stop a task, then click Stop Execution on the Task Scheduler form of the Design Console.

    2. If you are using Oracle Identity Manager Release 11.1.1, then click Apply to save the changes.

5.8 Reconciling Internal LDAP Users to Oracle Identity Manager

The ACF2 Reconcile LDAP Users scheduled task allows the administrator to reconcile users from the internal LDAP store to Oracle Identity Manager. When you configure this scheduled task, it runs at specified intervals and fetches a list of users within the internal LDAP store and reconciles these users to Oracle Identity Manager.

To configure the Reconcile LDAP Users scheduled task:

  1. Log in to the Oracle Identity Manager Administrative and User Console.

  2. Perform one of the following steps:

    1. If you are using Oracle Identity Manager Release 9.1.0.x, expand Resource Management, and then click Manage Scheduled Task.

    2. If you are using Oracle Identity Manager Release 11.1.1, then on the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

  3. Search for and open the scheduled task as follows:

    If you are using Oracle Identity Manager Release 9.1.0.x, then:

    1. On the Scheduled Task Management page, enter the name of the scheduled task as the search criteria and then click Search.

    2. In the search results table, click Edit column for the scheduled task.

    3. On the Scheduled Task Details page, where the details of the scheduled task that you selected are displayed, click Edit.

    If you are using Oracle Identity Manager Release 11.1.1, then:

    1. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.

    2. On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    3. In the search results table on the left pane, click the scheduled job in the Job Name column.

  4. Modify the details of the scheduled task as follows:

    1. If you are using Oracle Identity Manager Release 9.1.0.x, then on the Edit Scheduled Task Details page, modify the following parameters, and then click Continue:

      Status: Specify whether you want to leave the task in the enabled state. In the enabled state, the task is ready for use.

      Max Retries: Enter an integer value in this field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task. The default value is 0.

      Next Start: Use the date editor to specify the date when you want the task to run. After you select a date value in the date editor, you can modify the time value that is automatically displayed in the Next Start field.

      Frequency: Specify the frequency at which you want the task to run.

    2. If you are using Oracle Identity Manager Release 11.1.1, then on the Job Details tab, you can modify the following parameters:

      Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

      Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

    Note:

    See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.

    In addition to modifying the job details, you can enable or disable a job.

  5. Specify values for the attributes of the scheduled task as follows:

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    Table 5-3 describes the attributes of the scheduled task.

    Table 5-3 Attributes of the Reconcile LDAP Users Scheduled Task

    IT Resource
      Enter the name of the IT resource that was configured for the target system.
      Sample value: Acf2Resource

    Resource Object
      Enter the name of the resource object against which the delete reconciliation runs must be performed.
      Sample value: OIMAcf2ResourceObject

    Domain OU
      Enter the name of the internally-configured directory in the LDAP where the contents of event changes will be stored.
      Sample value: acf2

    Trusted Resource Object
      Enter the name of the resource object against which trusted reconciliation runs must be performed.
      Sample value: Xellerate User

    MultiValuedAttributes
      Enter a comma-separated list of multi-valued attributes that you want to reconcile. Do not include a space after each comma.
      Sample value: attributes,memberOf

    SingleValueAttributes
      Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValuedAttributes field.
      Sample value: uid,owner,defaultGroup,waddr1,tsoMaxSize
      Note: By default, Oracle Identity Manager's design form only allows entering up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in the Oracle Identity Manager database.

    TrustedReconciliation
      Enter whether the target system should be treated as a trusted source.
      Sample value: true

    LDAP Time Zone
      Enter the time zone ID for the server on which the LDAP gateway is hosted.
      Sample value: America/New_York

    uidcase
      Enter whether the user ID should be displayed in uppercase or lowercase.
      Sample value: upper


  6. After specifying the attributes, perform one of the following steps:

    1. If you are using Oracle Identity Manager Release 9.1.0.x, then click Save Changes to save the changes.

      Note:

      The Stop Execution option is not available in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager. If you want to stop a task, then click Stop Execution on the Task Scheduler form of the Design Console.

    2. If you are using Oracle Identity Manager Release 11.1.1, then click Apply to save the changes.