This chapter provides an overview of the updates made to the software and documentation for the Oracle Identity Manager Connector for CA ACF2 in release 9.0.4.20.
The updates discussed in this chapter are divided into the following categories:
This section describes updates made to the connector software. This section also points out the sections of this guide that have been changed in response to each software update.
Documentation-Specific Updates
This section describes major changes made to this guide. These changes are not related to software updates.
The following sections discuss software updates:
The following are the software updates in release 9.0.4.20:
Removal of clistlib.xmi - this function is now internal to Pioneer.
Removal of batch submitted IDCAM's Alias functions - now internal to Pioneer.
Removal of batch submitted ACF2 rules - now internal to Pioneer.
Removal of batch submitted ACF2 - LDAP searches - see clistlib.xmi above.
The following are the software updates in release 9.0.4.19:
Support for Pioneer changes
From this release onward the following changes are applicable to Pioneer:
Parameter Changes:
Removal of MVS PARM= parameters, the following parameters are now being added to the control file.
TCPN=
IPAD=
PORT=
DEBUG=
See Section 2.3.9, "Testing the Installation" for more details.
The following control file parameters are now obsolete (required for batch processing):
RWAIT=
JWAIT=
QUEUE_DSN=
Obsolete DDNAMES:
In conjunction with the parameters in Step3 2, the following Pioneer DDNAMES are now obsolete:
//RECONJCL = For external batch ACF2 searches
//INJCLR = For external batch ALIAS functions
Search Functions:
All ACF2 search functions and ALIAS functions are now handled by Pioneer internally. To support this functionally, the following three new DDNAMES are added:
//IDCAMSD - IDCAMS controls records from LDAP
//ACF2CTL -ACF2 control records from LDAP
//ACF2OUT -ACF2 Sysprint output
Note:
IDCAMS control parameters are DEFINE/DELETE ALIAS and LISTC functions only. The ACF2 control file will only contain ACF2 LIST functions no passwords. All three of these files are small in size. Please see the connector guide more information.See Appendix D for more details.
Support for Voyager Changes
From this release onward the following changes have been made to Voyager:
Additional New Parameters:
SUBPOOL_SIZE=7500K - values are 0200K to 7500K and is the size of Subpool requested. See Appendix F for more details.
STARTUP to create the subpool is now obsolete and WRAPUP for delete the subpool is now also obsoleted. Voyager will now create the subpool and build the storage token based on the new SUBPOOL_SIZE= parameter. When a normal shutdown occurs the Voyager will delete the storage token and delete the subpool storage allocated. See Chapter 2, "Deploying the IdF Advanced Adapter for ACF2" for more details.
The following Voyager Parameters have been removed and are no longer supported:
- STARTDELAY=
- DELAY=
- PRTNCODE=
Support for Scheduled Task – Delete User Reconciliation Using Oracle Identity Manager
From this release onward, the connector supports an additional scheduled task for reconciling deleted users on the target system. This task retrieves a list of users from the target system and compares that list with a list of users from Oracle Identity Manager. If a user is found to exist within OIM, but not on the target system, then a delete reconciliation event for the user is sent to Oracle Identity Manager. See Section 4.3.3.2, "ACF2 Reconcile Deleted Users" for more details.
Support for Scheduled Task – Reconcile Users to Internal LDAP
From this release onward, the connector supports an additional scheduled task for reconciling users on the target system to the internal LDAP store. This task retrieves a list of users and their profiles from the target system and reconciles each user to the internal LDAP gateway metastore. See Section 4.3.3.3, "ACF2 Reconcile Users to the Internal LDAP" for more details.
Support for Scheduled Task – Reconcile LDAP Users
From this release onward, the connector supports an additional scheduled task for reconciling users from the internal LDAP store to Oracle Identity Manager. This task retrieves a list of users from the internal LDAP store and reconciles those users to Oracle Identity Manager. The task can reconcile either all users, or only users that have changed since the Last Modified Time Stamp (LMTS) IT resource property. See Section 4.3.3.4, "ACF2 Reconcile Internal LDAP Users to Oracle Identity Manager" for more details.
The following table lists issues resolved in release 9.0.4.19:
| Bug Number | Issue | Resolution |
|---|---|---|
| 15845201 | CN and givenName attributes are parsing incorrectly, depending on whether UID NUMBER comes before or after NAME. | This issue has been resolved. CN and givenName attributes now parse correctly. |
| 13968611 | Real-time reconciliation throwing an error: "tt13yct: duplicated key detected for oimcp_main_generic_120415.2000". | This issue has been resolved. New LDAP reconciliation scheduled tasks no longer cause this error. |
| 14178184 | Real-time reconciliation throwing an error: "t13yct: duplicated key detected for oimcp_main_generic_120603.2001". | This issue has been resolved. New LDAP reconciliation scheduled tasks no longer cause this error. |
| 15890816 | Delete reconciliation events are stuck in "Data Received" state. | This issue has been resolved. Delete reconciliation events now includes a call to finishReconciliationEvent() to close the event. |
| 13653082 | Pioneer/Voyager unable to filter events based on user privileges. | This issue has been resolved. Pioneer and Voyager can now filter processing of events based on user attributes (such as privileges). |
| 15914553 | While adding custom CICS-related privileges, no ACF2 command is generated from OIM to the target system. | This issue has been resolved. Custom privileges that include the CICS-prefix are no longer ignored. |
The following are the software updates in release 9.0.4.18:
Support for Pioneer and Voyager Filtering and New Parameters
From this release onwards, the connector supports new Pioneer and Voyager filtering, new Pioneer for shutdown statistics, and new parameters to support the filtering in both applications. See Chapter 2, "Deploying the IdF Advanced Adapter for ACF2" for more details.
Support for New JCL Members and Pioneer/Voyager Audit Log
From this release onwards, the connector supports new JCL members and Pioneer/Voyager Audit Log. See Chapter 2, "Deploying the IdF Advanced Adapter for ACF2" for more details.
The following table lists issues resolved in release 9.0.4.18:
| Bug Number | Issue | Resolution |
|---|---|---|
| 13968611 | SGT T13Y scan tool reports few duplicated keys defined in the resource bundle. | This issue has been resolved. The duplicated keys have been removed. |
| 12921588 | The current version of the CA-AFC2 Oracle Identity Manager connector does not support the ability to filter data in shared mainframe application. | This issue has been resolved. Now the connector supports the ability to filter data in both types of application. |
| 14167389 | When trying to reconcile users from the target system an exception is thrown. | This issue has been resolved. Now the reconciliation of the users from the target system is successful. |
The following is a software update in release 9.0.4.17:
Support for Multiple Target Resource Reconciliation Through a Single LPAR
From this release onward, change-based reconciliation using a single LDAP gateway installation from multiple target resource systems is supported. As part of this update, the VOYAGER_ID.properties file (previously known as acf2Connection.properties) must be renamed to match the Voyager server's VOYAGER_ID control file property.
See Section 5.5, "Configuring the Connector for Reconciliation of Multiple Installations of the Target System," and Section 4.3.3.2, "ACF2 Reconcile Deleted Users".
The following are the software updates in release 9.0.4.16:
All batch submitted "Searchalls" that are LDAP initiated to Pioneer are now internal to Pioneer by calling ACF2 directly. See the Chapter 2, "Deploying the IdF Advanced Adapter for ACF2" for more details.
RWAIT= control parameter has now been removed from the control file. This parameter was used for the external batch "Searchall" submissions.
New SYSOUT "DD" (data definition) JCL statements have been added for the internal ACF2 call. See the Chapter 2, "Deploying the IdF Advanced Adapter for ACF2" for more details.
Voyager now requires a new facility permission, "IRR.RADMIN.LISTUSER". <For guideline examples, see the Chapter 2, "Deploying the IdF Advanced Adapter for ACF2," and Chapter 2, "Deploying the IdF Advanced Adapter for ACF2" for moe information. Voyager also requires an additional ACF2 permissions.
Voyager now uses a control file, which is similar to Pioneer. All parameters are passed via the control file.
Voyager has a new parameter for the control file, "FILTER=YES/NO". The new parameter permits filtering of ACF2 events being read from the subpool. See Chapter 2, "Deploying the IdF Advanced Adapter for ACF2" for more information.
The following are the software updates in release 9.0.4.15:
New Subpool Record Size for Voyager from 20 bytes to 100 bytes
Enhanced Message Control (Suppression) in Both Pioneer and Voyager
From this release onward, initial reconciliation is no longer performed using the acf2-initial-recon-adapter deployment. Instead, initial reconciliation is supported via the ACF2 Reconcile All Users scheduled task. See Section 4.3.2, "Full Reconciliation" for details about this scheduled task.
In this release of the connector, auditing data to the subpool has been included. The data consists the details about who made the change to the user, the user affected by the change, timestamp, IP address, and ACF2 command issued.
This feature gives the ability to search all users, which allows the use of the scheduled tasks.
If DEBUG=N, then unnecessary output is removed to the log. If DEBUG=Y, then full messages will flow to SYSOUT and z/OS master console. See Chapter 2, "Deploying the IdF Advanced Adapter for ACF2," for more information.
This feature provides the STC parameters for Pioneer. See Chapter 2, "Deploying the IdF Advanced Adapter for ACF2" for more information.
This feature enables Pioneer for post processing. See Chapter 2, "Deploying the IdF Advanced Adapter for ACF2" for more information.
The following table lists issues resolved in release 9.0.4.15:
| Bug Number | Issue | Resolution |
|---|---|---|
| 5566654 | Hardcoded and uppercase string when provisioning ACF2 resource | This issue has been resolved. There are no hardcoded and uppercase string when provisioning ACF2 resource in this release. |
| 6800001 | Active_Date is not a data type in the process form | This issue has been resolved. Active_Date is now a data type in the process form. |
| 6846000 | Too many unnecessary reconciliation events | This issue has been resolved. ignoreEvent() is used to avoid some of the reconciliation events in this release. |
| 7201072 | Multiple alias user catalogs | This issue has been resolved by running Pioneer on each LPAR. |
| 10378079 | Oracle Identity Manager Voyager task does not prefix two (2) messages with message prefix for automation | This issue has been resolved. The correct prefix and date/time to missing automation messages have been added in this release. |
| 11659466 | ACF2 9.0.4.14 FAILS - IDMP200E | This issue has been resolved. The connector guide has been updated for Mainframe configurations. |
| 11924937 | UID string information is not being parsed and/or sent down to Open Systems component | This issue has been resolved. UID string information is now being parsed and/or sent down to Open Systems component. |
| 12367608 | The 9.0.4.14 version of the CA ACF2 Advanced connector cannot be installed without certain intervention in the installation kit | This issue has been resolved. A new installation kit has been included that no longer causes an installation error. |
The following are the software updates in release 9.0.4.14:
From this release onward, new script and lib directories are provided for Oracle Identity Manager 11g release 1 (11.1.1) to enable jar and property files to be picked up directly from this new location. See Section 3.1, "Files and Directories that Comprise the Connector" for usage instructions.
From this release onward, all CICS-related login ID record attributes are supported by the provisioning agent. The list of functions supported by the provisioning agent has been updated in the Section 1.5.2, "Supported Functions for Provisioning".
The following are the software updates in release 9.0.4.13:
From this release onward, the connector can be installed and used on Oracle Identity Manager 11g release 1 (11.1.1). Where applicable, instructions specific to this Oracle Identity Manager release have been added in the guide.
See Section 1.1, "Certified Components" for the full list of certified Oracle Identity Manager releases.
From this release onward, the connector provides support for request-based provisioning on Oracle Identity Manager 11g release 1 (11.1.1).
See Section 4.5.1.2, "Request-Based Provisioning" for more information.
The following are issues resolved in release 9.0.4.12:
| Bug Number | Issue | Resolution |
|---|---|---|
| 7282209 | During reconciliation, if the value of the Name attribute fetched from the target system did not match the format specified in the nameFormat property in the acf2.properties file, then the Index Out Of Range error was encountered. | This issue has been resolved. If the format of the Name attribute does not match the specified format, then a message is recorded in the log file. |
| 7375999 | If the file system did not have sufficient disk space, then the LDAP Gateway threw an error when you tried to start it up. | To resolve this issue, ensure that there is sufficient disk space and then retry starting the LDAP Gateway. |
| 7478625 | During initial (full) reconciliation, an error was encountered when the record of a user with no privileges was processed. | This issue has been resolved. Records of users with no privileges are correctly processed. |
| 9005394 | Users' passwords were stored in clear text in reconciliation events created during a target resource reconciliation run. | This issue has been resolved. Passwords are not stored in reconciliation events created during a target resource reconciliation run. |
| 9921954 | When a user logs in to Oracle Identity Manager and changes the password, the Update Password operation is triggered on the target system. However, this operation fails on the target system. | This issue has been resolved. The Update Password operation is successfully completed on the target system. |
The following are software updates in release 9.0.4.11:
CA ACF2 r14 has been added to the list of supported target system versions. See Section 1.1, "Certified Components" for the full list of certified target system versions.
The following are issues resolved in release 9.0.4.11:
| Bug Number | Issue | Resolution |
|---|---|---|
| 6802885 | Provisioning a user using MODEL made data related to that user inconsistent in the target system and Oracle Identity Manager. | This issue has been resolved. Provisioning using MODEL is not supported anymore. |
| 7189194 | Some of the comments in the run.sh file were not correct. | This issue has been resolved. |
| 7209124 | Reconciliation of the Revoke User operation did not work. | This issue has been resolved. Reconciliation of the Revoke User operation now works as expected. |
| 9176318 | During reconciliation, StringIndexOutOfBoundsException was encountered if user profile data contained reserved CA ACF2 keywords. Reconciliation events were not created for such user profiles. | This issue has been resolved. A reconciliation event is created for a user profile even if any of the user profile attributes contain reserved keywords. |
| 9317037 | The following issue was observed on Oracle Identity Manager installed on Oracle3 WebLogic Server 10.3.0:
When Oracle Identity Manager was upgraded from release 9.1.0 to 9.1.0.1 or 9.1.0.2 with JDK upgrade to jre1.6_16, the LDAP Gateway stopped responding and had to be restarted. |
This issue has been resolved. |
The following are software updates in releases 9.0.4.1 through 9.0.4.4:
CA ACF2 user profile, group profile, and data set and resource profile commands supported by the Provisioning Agent have been added in "Functionality Supported by the Pioneer Provisioning Agent" on page 1-6.
The list of functions supported by the Provisioning Agent has been updated in "Supported Functions for Provisioning" on page 1-9.
The commands supported by the Reconciliation Agent have been added in "Functionality Supported by the Voyager Reconciliation Agent" on page 1-7.
The list of functions supported by the Reconciliation Agent has been updated in "Functionality Supported for Reconciliation" on page 1-7.
The list of fields reconciled between CA ACF2 and Oracle Identity Manager has been updated in "User Attributes for Target Resource Reconciliation and Provisioning" on page 1-10.
The IT resource parameters and their corresponding descriptions and sample values have been updated in "Importing the Connector XML File" on page 2-6.
The procedure to configure the connector for multiple installations of the target system has been added in "Configuring the Connector for Multiple Installations of the Target System" on page 2-11.
Information about reconciliation based on user status has been added in "Configuring Account Status Reconciliation" on page 4-4.
The steps to add a new field for provisioning have been added in "Adding New Fields for Provisioning" on page 4-4.
Known issues related to the following bugs have been added in Chapter 7, "Known Issues":
Bug 6668844
Bug 6904041
Bug 7189194
Bug 7033009
The following sections discuss documentation-specific updates:
The following documentation-specific updates have been made in revision "17" of release 9.0.4.21:
Section 2.1, "IDF Mainframe Adapters Functional Characteristics" has been added.
Information about setting the 'SECURITY SERVER' to disabled state has been added to the "Note" in Section 2.3.8, "Adding Pioneer/Voyager to the Resource Rule Facilities (BPX and IRR)".
The entire Section 3.6.2, "Enabling Logging" has been modified to include updated content regarding log levels and loggers.
Table 6-1, "Troubleshooting Tips" has been updated to include the solution when The PIONEER STC fails.
Table 6-1, "Troubleshooting Tips" has been updated to include the solution when CA-ACF2 connector requires RACF API to make calls to R_ADMIN.
The sample value of "IPAD" row of Table F-1, "Voyager Control File Parameters" has been updated.
Appendix G, "Mainframe Language Environment Runtime Options" has been added.
The following documentation-specific update has been made in revision "16" of this guide:
The "Target System" row of Table 1-1, "Certified Components" has been updated to include r15.
The following documentation-specific updates have been made in the earlier revision of release 9.0.4.20:
Section 2.3.6, "Loading and Activating the Exits" has been updated for new screenshot.
From this release onward, "Connector Deployment on the Mainframe" chapter has been removed.
The PDS IDF.JCLLIB member "IEBCOPYP" has been removed from the members list and information on "YOURHLQ" has been updated. See Section 2.3.4, "Editing the Mainframe Batch Job Files to Match the Settings for the Customer's Site."
Chapter 6, "Troubleshooting" has been updated with new troubleshooting tips.
Table 6-2, "Three Options Settings and their Effects" has been added for the three options settings and their effects.
Appendix C, "Provisioning Agent (Startup) Messages has been removed from the connector guide.
Table F-2, "Pioneer Control File Parameters" has been updated with new parameters.
The following are the documentation-specific updates in this release:
Table 3-2, "IT Resource Parameters" has been updated with new parameter.
Table 3-4, "Properties in the acf2.properties File" has been updated with new parameter.
Section 4.3.3.2, "ACF2 Reconcile Deleted Users" has been updated for information on deleted user reconciliation to Oracle Identity Manager.
The following is a documentation-specific update in this release:
Table 3-4 has been updated with new parameters.
The following are the documentation-specific updates in this release:
In the entire guide, acf2Connection.properties has been changed to VOYAGER_ID.properties.
Parmfle Parameters has been added. See Chapter 2, "Deploying the IdF Advanced Adapter for ACF2,"
Pioneer 'DD's (Data Definition statements) has been added. See Chapter 2, "Deploying the IdF Advanced Adapter for ACF2"
A note on lost message recovery has been added. See Chapter 2, "Deploying the IdF Advanced Adapter for ACF2"
Procedure for Pioneer STC has been updated, and procedure for Pioneer reconciliation search flow has been added. See Chapter 2, "Deploying the IdF Advanced Adapter for ACF2"
Procedure for Integrating exits has been added. See Chapter 2, "Deploying the IdF Advanced Adapter for ACF2"
Section 5.1, "Adding New Attributes for Target Resource Reconciliation" has been modified for the information on reconAttrs property and full reconciliation.
Section 5.3, "Removing Attributes Mapped for Target Resource Reconciliation and Provisioning" has been updated for the information on reconAttrs property and its attributes.
The following are the documentation-specific updates in this release:
A new section is added in Chapter 4, which provides details about configuring FindAllAccessRules and FindAllResourceRules scheduled tasks populate lookup tables with resource or access rule keys that can be assigned during user provisioning. See Section 4.2, "Scheduled Tasks for Lookup Field Synchronization" and Section 4.5, "Configuring Scheduled Tasks" for more details.
A new step (8) has been added in the Section 3.9, "Installing and Configuring the LDAP Gateway" providing information about the configurations for setting up SSL in the LDAP Gateway.
Data Set Resource Profile name has been changed to Resource Rule Attributes in this release. See Section 1.5.2, "Supported Functions for Provisioning" and Section 1.5.3.1, "Resource Rule Attributes for Target Resource Reconciliation and Provisioning" for details.
A new section providing information about Access Rule attribute mappings has been added in this release. See Section 1.5.3.2, "Access Rule Attributes for Target Resource Reconciliation and Provisioning" for details.
There are no documentation-specific updates in release 9.0.4.15.
There are no documentation-specific updates in release 9.0.4.14.
There are no documentation-specific updates in this release.
There are no documentation-specific updates in this release.
Major changes have been made in the structure of the guide.
The user profile field mappings and resource profile field mappings between Oracle Identity Manager and the target system have been added in "User Attributes for Target Resource Reconciliation and Provisioning" on page 1-10. "Appendix A: Attribute Mapping Between CA ACF2 and Oracle Identity Manager" has been removed.
The components of the CA ACF2 Advanced connector and the connector architecture for reconciliation and provisioning have been added in "Connector Architecture" on page 1-3. "Appendix B: Connector Architecture" has been removed.
Guidelines that were earlier documented in Chapter 7, "Known Issues" have been moved to "Guidelines on Using the Connector" on page 5-2.
In "Certified Languages" on page 1-2, Arabic has been added to the list of languages that the connector supports.
In "Certified Components" on page 1-2, major changes have been made in the "Target System" row. Information about certified deployment configurations has been removed from "Reviewing Deployment Requirements" on page 3-2.
The IBM MQ Series protocol for the message transport layer is no longer supported for this connector. All content related to this protocol has been removed from the guide.
In "Certified Components" on page 1-2, the minimum Oracle Identity Manager release has been changed to 9.1.0.1 and the JDK requirement of release 1.5 or later has been added.