1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use CA Top Secret as a managed (target) resource of identity data for Oracle Identity Manager.

The advanced connector for CA Top Secret provides a native interface between CA Top Secret installed on an IBM z/OS mainframe and Oracle Identity Manager. The connector functions as a trusted virtual administrator on the target system, performing tasks related to creating and managing users.

In the account management (target resource) mode of the connector, information about users (ACIDs) created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.

Users on CA Top Secret correspond to accounts or resources assigned to OIM Users.

This chapter contains the following topics:

• Section 1.1, "Certified Components"

• Section 1.2, "Certified Languages"

• Section 1.3, "Connector Architecture"

• Section 1.4, "Features of the Connector"

• Section 1.5, "Connector Objects Used During Reconciliation and Provisioning"

1.1 Certified Components

Table 1-1 lists the certified components.

Table 1-1 Certified Components

Item	Requirement
Oracle Identity Manager	You can use one of the following releases of Oracle Identity Manager: Oracle Identity Manager 11g release 2 (11.1.2.0.1) and any later BP in this release track Note: In this guide, Oracle Identity Manager release 11.1.2.x has been used to denote Oracle Identity Manager 11g release 2 (11.1.2.0.1) or any later BP in this release track in the 11.1.2.x series that the connector supports. Oracle Identity Manager 11g release 2 PS1 (11.1.2.1.0) and any later BP in this release track Oracle Identity Manager 11g release 2 PS2 (11.1.2.2.0) and any later BP in this release track Note: Prerequisites for this connector to work with 11.1.2.2.0 are: ARU 17421629. ADF patch ARU 17714568. SP procedure for Recon Oracle Identity Manager 11g release 2 PS3 (11.1.2.3.0)
JDK	The JDK version can be one of the following: For Oracle Identity Manager release 11.1.1.x, use JDK 1.6 update 18 or later. For Oracle Identity Manager release 11.1.2.x or later, use JDK 1.6 update 31 or later.
Target Systems	CA Top Secret r8, r9, r12, or r14
Infrastructure Requirements: Message transport layer between the Oracle Identity Manager and the mainframe environment	TCP/IP with Advanced Encryption Standard (AES) encryption
Target system user account for reconciliation and provisioning operations	IBM Authorized Program Facility (APF) authorized account with System Administrators privileges See Section 3.6, "Creating a CA Top Secret Account for Connector Operations" for more information about this account.
Pioneer and Voyager	Pioneer and Voyager are written in single thread LE Cobol. They were developed to run above the 16M line. Options that can adversely affect these STCs are LE run options: ALL31(OFF) instead of ON STACK(,,,BELOW,,) instead of STACK(,,,ANYWHERE,,)
LDAP Gateway	Operating system: Microsoft Windows, or Linux, any flavor except AIX JDK 1.7 or above

1.2 Certified Languages

The connector supports the following languages:

• Arabic

• Chinese (Simplified)

• Chinese (Traditional)

• Danish

• English

• French

• German

• Italian

• Japanese

• Korean

• Portuguese (Brazilian)

• Spanish

See Also:

Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about supported special characters supported by Oracle Identity Manager

1.3 Connector Architecture

This section contains the following topics:

• Section 1.3.1, "Connector Components"

• Section 1.3.2, "Connector Operations"

1.3.1 Connector Components

The CA Top Secret Advanced connector contains the following components:

• LDAP Gateway: The LDAP Gateway receives instructions from Oracle Identity Manager in the same way as any LDAP version 3 identity store. These LDAP commands are then converted into native commands for CA Top Secret and sent to the Provisioning Agent. The response, which is also native to CA Top Secret, is parsed into an LDAP-format response and returned to Oracle Identity Manager.

  During reconciliation, the LDAP Gateway receives event notification, converts the events to LDAP format, and then forwards them to Oracle Identity Manager, or events can be stored in the LDAP Gateway internal store and pulled into Oracle Identity Manager by a scheduled task.

• Provisioning Agent (Pioneer): The Pioneer Provisioning Agent is a mainframe component. It receives native mainframe CA Top Secret identity and authorization change events from the LDAP Gateway. These events are processed against the CA Top Secret authentication repository, in which all provisioning updates from the LDAP Gateway are stored. The response is parsed and returned to the LDAP Gateway.

  Note:

  At some places in this guide, the Provisioning Agent is referred to as Pioneer.

• Reconciliation Agent (Voyager): The Reconciliation Agent captures mainframe events by using a Top Secret exit, which is a program run after events in CA Top Secret are processed. These events include the ones generated at TSO logins, the command prompt, batch jobs, and other native events. These events are stored in the subpool cache area that is established by a supplied, standard z/OS procedure (STARTUP). The Reconciliation Agent captures these events, transforms them into LDAPv3 protocol notification messages, and then sends them to Oracle Identity Manager through the LDAP Gateway.

  Note:

  At some places in this guide, the Reconciliation Agent is referred to as Voyager.

• Message Transport Layer: The message transport layer enables the exchange of messages between the LDAP Gateway and the Reconciliation Agent and Provisioning Agent. TCP/IP is used for the transport of messages.

  TCP/IP with Advanced Encryption Standard (AES) encryption using 128-bit cryptographic keys. The connector supports a message transport layer by using the TCP/IP protocol, which is functionally similar to proprietary message transport layer protocols.

1.3.2 Connector Operations

This section provides an overview of the following processes:

• Section 1.3.2.1, "Full Reconciliation Process"

• Section 1.3.2.2, "CFILE Reconciliation Process"

• Section 1.3.2.3, "Incremental (Real-Time) Reconciliation Process"

• Section 1.3.2.4, "Provisioning Process"

1.3.2.1 Full Reconciliation Process

Full reconciliation involves fetching existing user data from the mainframe to Oracle Identity Manager. This user data is converted into accounts or resources for OIM Users.

Figure 1-1 shows the flow of data during full reconciliation.

Figure 1-1 Full Reconciliation Process

Description of ''Figure 1-1 Full Reconciliation Process''

The following is a summary of the full reconciliation process:

Note:

The detailed procedure is explained later in this guide.

1. Set values for the properties defined in the TSS Reconcile All Users scheduled task.

2. Run the scheduled task. The task sends a search request to the LDAP Gateway.

3. The LDAP Gateway encrypts the search request and then sends it to the Provisioning Agent on the mainframe.

4. The Provisioning Agent encrypts user profile data received from CA Top Secret and then passes this data to the LDAP Gateway.

5. The LDAP Gateway decrypts the user profile data. If the user profile data does not include any changes when compared to the OIM user's existing resource data, then the event is ignored and reconciliation continues with the next user on the target system. If the user profile data includes a change, then the LDAP Gateway passes the data on to Oracle Identity Manager.

6. This user profile data is converted into accounts or resources for OIM Users.

1.3.2.2 CFILE Reconciliation Process

CFILE reconciliation involves fetching existing user data in the form of a TSSCFILE extract from the mainframe to Oracle Identity Manager. This user data is converted into accounts or resources for OIM Users.

The following is a summary of the CFILE reconciliation process:

Note:

The detailed procedure is explained later in this guide.

1. Generate an extract file of user data by executing the TSSCFILE command on the CA Top Secret system.

2. Convert the CFILE data into XML format by running the Conv2XML process on the CA Top Secret system. The XML is stored in a dataset.

3. Set values for the properties defined in the TSS Reconcile Users to Internal LDAP scheduled task.

4. Run the scheduled task. The task sends a request to the LDAP gateway to retrieve the XML file from Pioneer.

5. The Provisioning Agent receives the request from LDAP Gateway and reads the data from the XML dataset.

6. The Provisioning Agent encrypts the user data and passes it to the LDAP Gateway.

7. The LDAP Gateway decrypts the user profile data. The data is stored in the LDAP Gateway's internal data-store.

8. Set values for the properties defined in the TSS Reconcile LDAP Users to OIM scheduled task.

9. Run the scheduled task. The next step depends on the setting in the IT resource as mentioned below:

   1. If you set the "Last Modified Time Stamp" property to zero (0), then all user profile data will be retrieved from the LDAP internal store.

   2. If you configure "Last Modified Time Stamp" property with a timestamp, then only user profile data updated since the timestamp will be retrieved from the LDAP internal store.

10. The next step depends on the user data as mentioned below:

    1. If the user profile data does not include any changes when compared to the OIM user's existing resource data, then the event is ignored and reconciliation continues with the next retrieved user.

    2. If the user profile data includes a change, then the LDAP Gateway passes the data on to Oracle Identity Manager. The user profile data is converted into accounts or resources for OIM Users.

1.3.2.3 Incremental (Real-Time) Reconciliation Process

Incremental or real-time reconciliation is initiated by the exit that works in conjunction with the Reconciliation Agent. Figure 1-2 shows the flow of data during this form of reconciliation.

Figure 1-2 Reconciliation Process

Description of ''Figure 1-2 Reconciliation Process''

The following is a summary of the reconciliation process:

1. Incremental reconciliation begins when a user is created or, updated on CA Top Secret. This event might take place either directly on the mainframe or in response to a provisioning operation on Oracle Identity Manager.

2. TSSINSTX is a standard CA Top Secret exit. This exit is used in conjunction with the Reconciliation Agent. The exit detects the event and sends a message containing user data to Subpool 231 (cache).

3. The Reconciliation Agent polls Subpool 231. When it finds the message in the subpool, it reads the message into its buffer. This frees up the subpool.

4. The Reconciliation Agent opens up a connection with the LDAP Gateway, and then sends the message to the gateway over TCP/IP.

   Note:

   Messages sent to the LDAP Gateway are encrypted using AES-128 encryption.

5. The LDAP Gateway decrypts the user profile data. If the user profile data does not include any changes when compared to the OIM user's existing resource data, then the event is ignored and reconciliation continues with the next user on the target system. If the user profile data includes a change, then the LDAP Gateway can store the data internally for use by a scheduled task, or it can pass the data on to Oracle Identity Manager.

6. Oracle Identity Manager processes the message and creates or updates either the corresponding CA Top Secret resource or the OIM User.

1.3.2.4 Provisioning Process

Figure 1-3 shows the flow of data during provisioning.

Figure 1-3 Provisioning Process

Description of ''Figure 1-3 Provisioning Process''

The following is a summary of the provisioning process:

1. Provisioning data submitted from the Oracle Identity System Administration is sent to the LDAP Gateway.

2. The LDAP Gateway converts the provisioning data into mainframe commands, encrypts the commands, and converts the message from ASCII to EBCDIC.

3. The Provisioning Agent executes the commands and runs them on the mainframe and within the Pioneer STC (Started Task) using the RACF API (IRRSEQ00).

4. The Provisioning Agent converts the RACF API output to ASCII and encrypts the message prior to sending it back to the LDAP Gateway.

5. The outcome of the operation on the mainframe is displayed on the Oracle Identity Manager console. A more detailed message is recorded in the connector log file.

1.4 Features of the Connector

The following are features of the connector:

• Section 1.4.1, "Target Resource Reconciliation"

• Section 1.4.2, "Full and Incremental Reconciliation"

• Section 1.4.3, "Encrypted Communication Between the Target System and Oracle Identity Manager"

• Section 1.4.4, "High Availability Feature of the Connector"

1.4.1 Target Resource Reconciliation

You can use the connector to configure CA Top Secret as a target resource of Oracle Identity Manager.

1.4.2 Full and Incremental Reconciliation

After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager. After the first full reconciliation run, change-based or incremental reconciliation is automatically enabled and active. Incremental reconciliation is a real-time process. User changes on the target system are directly sent to Oracle Identity Manager or stored in the LDAP Gateway internal store.

You can perform a full reconciliation run at any time. See Section 4.4.1, "Full Reconciliation" for more information.

1.4.3 Encrypted Communication Between the Target System and Oracle Identity Manager

AES-128 encryption is used to encrypt data that is exchanged between the LDAP Gateway and the Reconciliation Agent and Provisioning Agent on the mainframe.

1.4.4 High Availability Feature of the Connector

The following are component-failure scenarios and the response of the connector to each scenario:

• Scenario 1: The Reconciliation Agent is running and the LDAP Gateway stops responding

  1. The Reconciliation Agent stops sending messages (event data) to the LDAP Gateway.

  2. Messages that are not sent are stored in the subpool cache.

  3. When the LDAP Gateway is brought back online, the Reconciliation Agent reads data from the subpool cache and then sends messages to the LDAP Gateway.

• Scenario 2: The LDAP Gateway is running and the Reconciliation Agent stops responding

  1. Event data is sent to the subpool cache.

  2. When the Reconciliation Agent is brought back online, it reads data from the subpool cache and then sends messages to the LDAP Gateway.

     Note:

     During SHUTDOWN, there is a possibility that events that had been sent to the LDAP might be saved and re-sent again once the Agent is brought back online. This is to ensure no data lose and this process will re-list the event data to provide the most current view.

• Scenario 3: The LDAP Gateway is running and the mainframe stops responding

  1. Messages that are in the subpool cache are written to disk.

  2. When the mainframe is brought back online, event data written to disk is again stored in the subpool cache.

  3. The Reconciliation Agent reads data from the subpool cache and then sends messages to the LDAP Gateway.

     Note:

     During SHUTDOWN, there is a possibility that events that had been sent to the LDAP might be saved and re-sent again once the Agent is brought back online. This is to ensure no data lose and this process will re-list the event data to provide the most current view.

• Scenario 4: The LDAP Gateway is running and the Provisioning Agent or mainframe stops responding

  The process task that sends provisioning data to the LDAP Gateway retries the task.

• Scenario 5: The subpool is stopped by an administrator

  If the subpool is stopped by an administrator, then it shuts down the Reconciliation Agent, thereby destroying any messages that are not transmitted. However, the messages in the AES-encrypted file are not affected and can be recovered.

1.5 Connector Objects Used During Reconciliation and Provisioning

The following sections provide information about connector objects used during reconciliation and provisioning:

• Section 1.5.1, "Supported Functions for Target Resource Reconciliation"

• Section 1.5.2, "Supported Functions for Provisioning"

• Section 1.5.3, "User Attributes for Target Resource Reconciliation and Provisioning"

• Section 1.5.4, "PROFILE Attributes for Target Resource Reconciliation and Provisioning"

• Section 1.5.5, "GROUP Attributes for Target Resource Reconciliation and Provisioning"

• Section 1.5.6, "SOURCE Attributes for Provisioning"

• Section 1.5.7, "FACILITY Attributes for Target Resource Reconciliation and Provisioning"

• Section 1.5.8, "DATASET Attributes for Provisioning"

• Section 1.5.9, "Provisioning GENCERT Operations"

• Section 1.5.10, "Provisioning GENREQ Operations"

• Section 1.5.11, "Reconciliation Rule"

• Section 1.5.12, "Reconciliation Action Rules"

1.5.1 Supported Functions for Target Resource Reconciliation

The connector supports reconciliation of user data from the following events:

• Create user

• Modify user

• Rename user

• Change password

• Reset password

• Suspend user

• Suspend user until

• Delete user

• Unsuspend user

• Unsuspend user until

1.5.2 Supported Functions for Provisioning

Table 1-2 lists the provisioning functions supported by the connector.

Table 1-2 Supported Functions for Provisioning

Function	Description	Mainframe Command
Create user	Adds new users on CA Top Secret	TSS CREATE
Modify user	Modifies user information on CA Top Secret	TSS REPLACE
Rename user	Modifies user's UID on CA Top Secret	TSS RENAME
Change password	Changes user passwords on CA Top Secret in response to password changes made on Oracle Identity Manager through user self-service	TSS REPLACE
Reset password	Resets user passwords on CA Top Secret The passwords are reset by the administrator.	TSS REPLACE
Suspend user	Disables users on CA Top Secret	TSS ADDTO
Suspend user until	Disables users up to the specified date on CA Top Secret	TSS ADDTO
Unsuspend user	Enables users on CA Top Secret	TSS REMOVE
Delete users	Removes users from CA Top Secret	TSS DELETE
Grant user access to data sets	Adds users to data set and assigns the specified access rights	TSS PERMIT
Grant user access to privileges (TSO)	Provides TSO login access to users	TSS REPLACE
Removes user access to data sets	Removes users from data sets	TSS REVOKE
Grant user access to facilities	Adds users to facilities and assigns the specified access rights	TSS ADDTO
Removes user access to facilities	Removes users from facilities	TSS REMOVE
Grant user access to groups	Adds users to groups	TSS ADDTO
Remove user access to groups	Removes users from groups	TSS REMOVE
Grant user access to profiles	Add users to profiles	TSS ADDTO
Remove user access to profiles	Removes users from profiles	TSS REMOVE
Grant user access to sources	Adds users to sources	TSS ADDTO
Remove user access to sources	Removes users from sources	TSS REMOVE
Generate certificate	Generates a digital certificate associated with the user	TSS GENCERT
Generate certificate request	Generates a PKCS#10 base64-encoded digital certificate request and writes it to a data set	TSS GENREQ

1.5.3 User Attributes for Target Resource Reconciliation and Provisioning

The CA Top Secret connector uses three categories of attributes: mapped, unmapped, and custom.

Mapped and unmapped attributes are supported in the LDAP Gateway, but unmapped attributes are not shipped with preconfigured OIM metadata such as form fields, process tasks, or reconciliation mappings.

Custom attributes require additional configuration steps in the LDAP Gateway. See Section 5.1, "Adding Custom Fields for Target Resource Reconciliation" through Section 5.3, "Adding Custom Fields for Provisioning" for more information.

Table 1-3 lists the major differences between attribute types.

Table 1-3 Attribute Characteristics

Attribute Type	Out-of-the-box OIM Metadata Support	Out-of-the-box LDAP Support	Additional LDAP Configuration Required
Mapped	Yes	Yes	No
Unmapped	No	Yes	No
Custom	No	No	Yes

Table 1-4 lists mapped attribute mappings between CA Top Secret and Oracle Identity Manager. The OnBoardUser and ModifyTopsUser adapters are used for Create User and Modify User provisioning operations, respectively.

Table 1-4 Mapped User Attributes for Target Resource Reconciliation and Provisioning

Process Form Field	CA Top Secret Attribute Display Name	Description
USER_ID	USER	Login ID of the user
FULL_NAME	NAME	Full name of the user You can specify the format in which Full Name values are stored on the target system. Step 3 of Section 2.6, "Installing and Configuring the LDAP Gateway"describes the procedure.
Password	PASSWORD	Password
department	DEPARTMENT	Default department of the user Note: Provisioning is done using "department" attribute but reconciliation brings department's full name in "department" attribute and the acid value is brought in DEPTACID.
deptacid	DEPARTMENT	Default department of the user Note: Provisioning is done using "department" attribute but reconciliation brings department's full name in "department" attribute and the acid value is brought in DEPTACID.
instdata	DATA	Installation-defined data of the user
createdate	CREATED	Date user was created
passwordExpire	EXPIRES	Expire the user's password
passwordExpireInterval	INTERVAL	Number of days the user's password remains valid
suspendUntilDate	SUSPENDED DATE	Future date on which the user will be prevented from accessing the system
divacid	DIVISION	Default division for the user Note: Provisioning is done using "division" attribute but reconciliation brings division's full name in "division" attribute and the acid value is brought in "divacid."
division	DIVISION	Default division for the user Note: Provisioning is done using "division" attribute but reconciliation brings division's full name in "division" attribute and the acid value is brought in "divacid."
lastmodificationdate	LAST MOD	Last time the user connected
tsocommand	COMMAND	Command to be run during TSO/E logon
tsodest	DEST	Default SYSOUT destination
tsounit	UNIT	Default unit name for allocations
tsoudata	USERDATA	Site-defined data field for a TSO user
tsolacct	ACCTNUM	Default TSO account number on the TSO/E logon panel
tsohclass	HOLDCLASS	Default hold class
tsojclass	JOBCLASS	Default job class
tsomsize	MAXSIZE	Maximum region size the user can request at logon
tsomclass	MSGCLASS	Default message class
tsolproc	PROC	Default logon procedure on the TSO/E logon panel
tsolsize	SIZE	Minimum region size if not requested at logon
tsoopt	OPT	TSO options, such as MAIL and NOTICES
tsosclass	SYSOUTCLASS	Default SYSOUT class
zone	ZONE	Display name of default zone for the user
zoneAcid	ZONE ACID	Default zone for the user

The Top Secret connector supports provisioning and reconciliation of additional attributes that are not included on the main process form or preconfigured with process tasks and reconciliation mappings.

Table 1-5 lists unmapped attribute mappings between CA Top Secret and Oracle Identity Manager. The adpModifyTopsUser adapter is used for Modify User provisioning operations, respectively.

Table 1-5 Unmapped User Attributes for Target Resource Reconciliation and Provisioning

LDAP Gateway Name	CA Top Secret Attribute	Description	Supported Operations
lu62#appl	#APPL	LU 6.2 #APPL	Both
lu62#entity	#ENTITY	LU 6.2 #ENTITY	Both
lu62bc1chain	BC1CHAIN	LU 6.2 BC1CHAIN	Both
lu62bc2chain	BC2CHAIN	LU 6.2 BC2CHAIN	Both
lu62set1disp	SET1DISP	LU 6.2 SET1DISP	Both
lu62set2disp	SET2DISP	LU 6.2 SET2DISP	Both
waaccnt	WAACCNT	APPC SYSOUT ACCT NUMBER	Both
waaddr1	WAADDR1	APPC SYSOUT ADDRESS 1	Both
waaddr2	WAADDR2	APPC SYSOUT ADDRESS 2	Both
waaddr3	WAADDR3	APPC SYSOUT ADDRESS 3	Both
waaddr4	WAADDR4	APPC SYSOUT ADDRESS 4	Both
wabldg	WABLDG	APPC SYSOUT BUILDING	Both
wadept	WADEPT	APPC SYSOUT DEPARTMENT	Both
waname	WANAME	APPC SYSOUT NAME	Both
waroom	WAROOM	APPC SYSOUT ROOM	Both
tsodefprfg	TSODEFPRFG	DEFAULT PERFORMANCE GROUP	Both
tsompw	TSOMPW	MULTIPLE PASSWORDS	Both NOTE: In reconciliation, the attribute is stored as "attributes" with value of "TSOMPW".
tsoacct	TSOACCT	SECURE TSO LOGON ACCOUNT CODES	Provisioning Only
tsoauth	TSOAUTH	SECURE TSO USER ATTRIBUTES	Provisioning Only
tsoprfg	TSOPRFG	SECURE TSO PERFORMANCE GROUPS	Provisioning Only
tsoproc	TSOPROC	SECURE TSOP LOGON PROCS	Provisioning Only
defaultGroup	DFLTGRP	OMVS DEFAULT GROUP	Both
omvsProgram	OMVSPGM	OMVS PROGRAM	Both
omvsUid	UID	OMVS USER ID	Both
omvsHome	HOME	OMVS HOME SUBDIRECTORY	Both
omvsGid	GID	OMVS GROUP ID	Both
omvsAssize	ASSIZE	OMVS MAX ADDRESS SPACE SIZE	Both
omvsMmaparea	MMAPAREA	OMVS MAX DATASPACE PAGES	Both
omvsOecputm	OECPUTM	OMVS MAX CPU TIME	Both
omvsoefilep	OEFILEP	OMVS MAX FILES PER PROCESS	Reconciliation Only
omvsProcuser	PROCUSER	OMVS MAX PROCESSES	Both
omvsThreads	THREADS	OMVS MAX PTHREADS CREATED	Both
netviewMsgrecvr	MSGRECVR	NETVIEW RECEIVE UNSOLICITED MESSAGES	Both
netviewInitcmd	IC	NETVIEW INITIAL COMMAND	Both
netviewControl	CTL	NETVIEW SECURITY CHECK TYPE	Both
netviewOpclass	OPCLASS	NETVIEW SCOPE CLASS	Both
netviewDomains	DOMAINS	NETVIEW CROSS-DOMAIN SESSIONS	Both
netviewNgmfadmn	NGMFADMN	NETVIEW GRAPHICAL DISPLAY ADMIN	Both
netviewConsName	CONSNAME	NETVIEW EXTENDED CONSOLE NAME	Both
cicsOpclass	OPCLASS	CICS OPERATOR CLASSES	Both
cicsOpident	OPIDENT	CICS OPERATOR IDENTIFICATION VALUE	Both
cicsOpprty	OPPRTY	CICS OPERATOR PRIORITY	Both
cicsSctykey	SCTYKEY	CICS SECURITY KEYS	Both
cicsSitran	SITRAN	CICS TRANSACTION FOLLOWING FACILITY SIGN-IN	Both Note: To provision cicsSitran, you must map the process task to the adpModifySitranTopsUser adapter instead of adpModifyTopsUs.
cicsSitranFacility	SITRAN FACILITY	CICS FACILITY ASSOCIATED WITH TRANSACTION	Both Note: To provision cicsSitranFacility, you must map the process task to the adpModifySitranTopsUser adapter instead of adpModifyTopsUser.
misc1	MISC1	ADMIN MISC	Reconciliation Only
misc2	MISC2	ADMIN MISC	Reconciliation Only
misc3	MISC3	ADMIN MISC	Reconciliation Only
misc4	MISC4	ADMIN MISC	Reconciliation Only
misc5	MISC5	ADMIN MISC	Reconciliation Only
misc7	MISC7	ADMIN MISC	Reconciliation Only
misc8	MISC8	ADMIN MISC	Reconciliation Only
misc9	MISC9	ADMIN MISC	Reconciliation Only

1.5.4 PROFILE Attributes for Target Resource Reconciliation and Provisioning

The connector supports reconciliation and provisioning of the PROFILE multivalued attribute. For any particular user, a child form is used to hold values of the PROFILE attributes listed in the table.

The AddUserToProfile and RemoveUserFromProfile adapters are used for PROFILE provisioning operations. Table 1-6 lists PROFILE attribute mappings between CA Top Secret and Oracle Identity Manager.

Table 1-6 PROFILE Attribute Mappings

Child Form Field	CA Top Secret Attribute	Description
UD_TSSPROF_ID	PROFILE	Profile ID

1.5.5 GROUP Attributes for Target Resource Reconciliation and Provisioning

The connector supports reconciliation and provisioning of the GROUP multivalued attribute. For any particular user, a child form is used to hold values of the GROUP attributes listed in the table.

The AddUserToGroup and RemoveUserFromGroup adapters are used for GROUP provisioning operations.

Table 1-7 lists GROUP attribute mappings between CA Top Secret and Oracle Identity Manager.

Table 1-7 GROUP Attribute Mappings

Child Form Field	CA Top Secret Attribute	Description
UD_TSSGROUP_ID	GROUP	Group ID

1.5.6 SOURCE Attributes for Provisioning

The connector supports provisioning of the SOURCE multivalued attribute. For any particular user, a child form is used to hold values of the SOURCE attributes listed in the table.

The AddUserToSource and RemoveUserFromSource adapters are used for SOURCE provisioning operations. Table 1-8 lists SOURCE attribute mappings between CA Top Secret and Oracle Identity Manager.

Table 1-8 SOURCE Attribute Mappings

Child Form Field	CA Top Secret Attribute	Description
UD_TSSSOURC_ID	SOURCE	Source ID

1.5.7 FACILITY Attributes for Target Resource Reconciliation and Provisioning

The connector supports reconciliation and provisioning of the FACILITY multivalued attribute. For any particular user, a child form is used to hold values of the FACILITY attributes listed in the table.

The AddUserToFacility and RemoveUserFromFacility adapters are used for FACILITY provisioning operations. Table 1-9 lists FACILITY attribute mappings between CA Top Secret and Oracle Identity Manager.

Table 1-9 FACILITY Attribute Mappings

Child Form Field	CA Top Secret Attribute	Description
UD_TSSFAC_ID	FACILITY	Facility ID

1.5.8 DATASET Attributes for Provisioning

The connector supports provisioning of the DATASET multivalued attribute. For any particular user, a child form is used to hold values of the DATASET attributes listed in the table.

The AddUserToDataset and RemoveUserFromDataset adapters are used for DATASET provisioning operations. Table 1-10 lists DATASET attribute mappings between CA Top Secret and Oracle Identity Manager.

Table 1-10 DATASET Attribute Mappings

Child Form Field	CA Top Secret Attribute	Description
DATASET_ID	DATASET	Dataset ID
DATASET_ACCESS	ACCESS	Users level of access to the dataset

1.5.9 Provisioning GENCERT Operations

The connector supports provisioning operations for the TSS GENCERT command, however a pre-configured child form, process task, and adapter are not included in with the release. To provision GENCERT actions, the OIM administrator will need to create an adapter and map it to the GenerateCertificate function in the topsecret-provisioning-adapter.jar file. Below is the function header for GenerateCertificate:

public String generateCertificate(String idfUserId, String digicert, String dcdsn, String keysize, String keyusage,String nbdate, String nbtime, String nadate, String natime, String lablcert, String altname, String subjects, String signwith, String icsf, String dsa, String pcicc)

For boolean attributes such as ICSF or DSA, the administrator should map these values as literal String values equal to either true or false.

1.5.10 Provisioning GENREQ Operations

The connector supports provisioning operations for the TSS GENREQ command, however a pre-configured child form, process task, and adapter are not included in with the release. To provision GENREQ actions, the OIM administrator will need to create an adapter and map it to the GenerateCertificateRequest function in the topsecret-provisioning-adapter.jar file. Below is the function header for GenerateCertificateRequest:

public String generateCertificateRequest(String idfUserId, String digicert, String dcdsn, String lablcert)

1.5.11 Reconciliation Rule

See Also:

Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for generic information about reconciliation matching and action rules

During target resource reconciliation, Oracle Identity Manager tries to match each user fetched from CA Top Secret with existing CA Top Secret resources provisioned to OIM Users. This is known as process matching. A reconciliation rule is applied for process matching. If a process match is found, then changes made to the user on the target system are copied to the resource on Oracle Identity Manager. If no match is found, then Oracle Identity Manager tries to match the user against existing OIM Users. This is known as entity matching. The reconciliation rule is applied during this process. If an entity match is found, then a CA Top Secret resource is provisioned to the OIM User. Data for the newly provisioned resource is copied from the user.

Rule name: IdfReconUserRule

Rule element: User Login Equals uid

In this rule element:

• User Login is the User ID field on the process form and the OIM User form.

• uid is the USER attribute on CA Top Secret.

After you deploy the connector, you can view this reconciliation rule by performing the following steps:

1. On the Design Console, expand Development Tools and then double-click Reconciliation Rules.

2. Search for and open the IdfReconUserRule rule. Figure 1-4 shows this rule.

   Figure 1-4 Reconciliation Rule

   
   Description of ''Figure 1-4 Reconciliation Rule''
   
   

1.5.12 Reconciliation Action Rules

Reconciliation action rules specify actions that must be taken depending on whether or not matching CA Top Secret resources or OIM Users are found when the reconciliation rule is applied. Table 1-11 lists the reconciliation action rules.

Table 1-11 Reconciliation Action Rules

Rule Condition	Action
No Matches Found	None
One Entity Match Found	Establish Link
One Process Match Found	Establish Link

Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. For information about modifying or creating reconciliation action rules, see Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

1. On the Design Console, expand Resource Management and then double-click Resource Objects.

2. Search for and open the OIMTopSecretResourceObject resource object.

3. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-5 shows the reconciliation action rule for target resource reconciliation.

   Figure 1-5 Reconciliation Action Rules

   
   Description of ''Figure 1-5 Reconciliation Action Rules''