1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. This guide discusses the procedure to deploy the connector that is used to integrate Oracle Identity Manager with IBM RACF Standard.

Note:

The Oracle Identity Manager Advanced connector for IBM RACF provides an agent-based architecture for integrating IBM RACF with Oracle Identity Manager. For more information, see the guide for that connector.

This chapter contains the following sections:

Note:

In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.

At some places in this guide, IBM RACF Standard has been referred to as the target system.

1.1 Certified Components

Table 1-1 lists the certified components for the connector.

Table 1-1 Certified Components

Component Requirement

Oracle Identity Manager

You can use one of the following releases of Oracle Identity Manager:

  • Oracle Identity Manager Release 9.0.1 through 9.0.3.x

  • Oracle Identity Manager Release 9.1.0.1 and future releases in this release track

    Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.1 and future releases in the 9.1.0.x series that the connector will support.

  • Oracle Identity Manager 11g release 1 (11.1.1.3.0) and future releases in this release track

    Note: In this guide, Oracle Identity Manager release 11.1.1 has been used to denote Oracle Identity Manager release 11.1.1.3.0 and future releases in the 11.1.1.x series that the connector will support.

  • Oracle Identity Manager 11g Release 1 PS1 (11.1.1.5.0) and future releases in this release track

  • Oracle Identity Manager 11g Release 1 PS2 (11.1.1.7.0) and future releases in this release track

  • Oracle Identity Manager 11g release 2 (11.1.2.0.0) and future releases in this release track

    Note: In this guide, Oracle Identity Manager release 11.1.2 has been used to denote Oracle Identity Manager release 11.1.2.0.0 and future releases in the 11.1.2.x series that the connector will support.

  • Oracle Identity Manager 11g Release 2 PS1 (11.1.2.1.0) and future releases in this release track

  • Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) and future releases in this release track

The connector does not support Oracle Identity Manager running on Oracle Application Server. For detailed information about certified components of Oracle Identity Manager, see the certification matrix on Oracle Technology Network at

http://www.oracle.com/technetwork/documentation/oim1014-097544.html.

Target system

IBM RACF on z/OS V1.13

External code

The following Host Access Class Library (HACL) class files obtained from IBM Host On-Demand (HOD) version 11.0:

  • hoddbg2.jar

  • hacp.jar

  • hasslite2.jar

  • habasen2.jar

  • WellKnownTrustedCAs.class

  • WellKnownTrustedCAs.p12

Note: My Oracle Support Patch 16034946 provides the latest version of the RACF connector and is certified with HOD 11.0.

Target system user account

Instructions to create an IBM RACF user account with the required privileges are given in Section 2.3.3, "Postinstallation on the Target System."

You provide the credentials of this user account while configuring the IT resource. The procedure is described later in this guide.

If the user account is not assigned the specified rights, then the "Authentication failure" message is displayed when Oracle Identity Manager tries to exchange data with the target system.

JDK

The JDK version can be one of the following:

  • For Oracle Identity Manager release 9.0.1 through 9.0.3.x, use JDK 1.4.2 or a later release in the 1.4.2 series.

  • For Oracle Identity Manager release 9.1.0.x, use JDK 1.5 or a later release in the 1.5 series.

  • For Oracle Identity Manager release 11.1.1, use JDK 1.6 update 18 or later, or JRockit JDK 1.6 update 17 or later.


1.2 Certified Languages

The connector supports the following languages:

  • Arabic

  • Chinese Simplified

  • Chinese Traditional

  • Danish

  • English

  • French

  • German

  • Italian

  • Japanese

  • Korean

  • Portuguese (Brazilian)

  • Spanish

See Also:

For information about the special characters supported by Oracle Identity Manager, see one of the following guides:
  • For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x:

    Oracle Identity Manager Globalization Guide

  • For Oracle Identity Manager release 11.1.1:

    Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

  • For Oracle Identity Manager release 11.1.2:

    Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

1.3 Connector Architecture

The architecture of the connector is the blueprint for the functionality of the connector. Figure 1-1 shows the architecture of the connector.

Figure 1-1 Architecture of the Connector


The connector can be configured to run in one of the following modes:

Note:

In Oracle Identity Manager release 11.1.1 or Oracle Identity Manager release 11.1.2, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1 or Oracle Identity Manager release 11.1.2.

See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.

  • Identity reconciliation

    In the identity reconciliation mode, IBM RACF Standard is used as the trusted source and users are directly created and modified on it.

    During reconciliation, a scheduled task establishes a connection with the target system and sends reconciliation criteria to the APIs. The APIs extract user records that match the reconciliation criteria and hand them over to the scheduled task, which brings the records to Oracle Identity Manager.

    Each record fetched from the target system is compared with existing OIM Users. If a match is found, then the update made to the record on the target system is copied to the OIM User attributes. If no match is found, then the target system record is used to create an OIM User.

  • Account Management

    In the account management mode, IBM RACF Standard is used as a target resource. The connector enables target resource reconciliation and provisioning operations. Through provisioning operations performed on Oracle Identity Manager, user accounts are created and updated on the target system for OIM Users. During reconciliation from the target resource, the connector fetches into Oracle Identity Manager data about user accounts that are created or modified on the target system. This data is used to add or modify resources allocated to OIM Users.

    During provisioning operations, adapters carry provisioning data submitted through the process form to the target system. APIs on the target system accept provisioning data from the adapters, carry out the required operation on the target system, and return the response from the target system to the adapters. The adapters return the response to Oracle Identity Manager.

    During reconciliation, a scheduled task establishes a connection with the target system and sends reconciliation criteria to the APIs. The APIs extract user records that match the reconciliation criteria and hand them over to the scheduled task, which brings the records to Oracle Identity Manager. The next step depends on the mode of connector configuration.

1.4 Features of the Connector

The following are features of the connector:

1.4.1 Support for Full Reconciliation

After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager.

See Section 3.3.1, "Full Reconciliation" for more information.

1.4.2 Support for Target Resource and Trusted Source Reconciliation

You can use the connector to configure IBM RACF Standard as either a target resource or trusted source of Oracle Identity Manager.

See Section 3.3, "Configuring Reconciliation" for more information.

1.4.3 Support for Limited Reconciliation

You can set a reconciliation filter by specifying values for one or more of the following scheduled task attributes:

  • Filter Auditor Privilege (Y/N)

  • Filter Default Group

  • Filter Group Access Privilege (Y/N)

  • Filter Name

  • Filter Operations Privilege (Y/N)

  • Filter Owner

  • Filter Special Privilege (Y/N)

  • Filter User Id

  • Filter Type (AND/OR)

This filter specifies the subset of newly added and modified target system records that must be reconciled.

See Section 3.3.2, "Limited Reconciliation" for more information.

1.4.4 Support for Batched Reconciliation

You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.

See Section 3.3.3, "Batched Reconciliation" for more information.
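The following is an added example, not code from the connector, that shows how the limited-reconciliation filter attributes of Section 1.4.3 and the batch size of Section 1.4.4 combine when applied to target system user records. The record field names follow Table 1-3; the sample records are constructed. The example assumes exact comparison after upper-casing (RACF stores user, group and owner names in upper case), that privilege filters accept only Y or N, that an unset filter selects every record, and that a non-positive batch size means no batching; none of these rules is stated by this guide.

```python
"""Limited and batched reconciliation over IBM RACF Standard user records.

Added example, not code from the connector. It models the scheduled task
filter attributes of Section 1.4.3 and the batch size of Section 1.4.4 in
plain Python; record field names follow Table 1-3.
"""
from typing import Dict, Iterator, List, Optional

Record = Dict[str, str]

# Constructed sample records in the shape described by Table 1-3.
# Privilege flags use RACF's Y/N convention.
SAMPLE_RECORDS: List[Record] = [
    {"USBD_NAME": "ALICE01", "USBD_OWNER_ID": "SYS1", "USBD_PROGRAMMER": "ALICE EXAMPLE",
     "USBD_DEFGRP_ID": "SYS1", "USBD_SPECIAL": "Y", "USBD_OPER": "N",
     "USBD_AUDITOR": "N", "USBD_GRPACC": "N"},
    {"USBD_NAME": "BOB02", "USBD_OWNER_ID": "HRADM", "USBD_PROGRAMMER": "BOB EXAMPLE",
     "USBD_DEFGRP_ID": "HR", "USBD_SPECIAL": "N", "USBD_OPER": "Y",
     "USBD_AUDITOR": "N", "USBD_GRPACC": "N"},
    {"USBD_NAME": "CAROL03", "USBD_OWNER_ID": "SYS1", "USBD_PROGRAMMER": "CAROL EXAMPLE",
     "USBD_DEFGRP_ID": "OPS", "USBD_SPECIAL": "N", "USBD_OPER": "N",
     "USBD_AUDITOR": "Y", "USBD_GRPACC": "N"},
    {"USBD_NAME": "DAVE04", "USBD_OWNER_ID": "HRADM", "USBD_PROGRAMMER": "DAVE EXAMPLE",
     "USBD_DEFGRP_ID": "HR", "USBD_SPECIAL": "N", "USBD_OPER": "N",
     "USBD_AUDITOR": "N", "USBD_GRPACC": "Y"},
]

# Scheduled task filter attribute -> target system field it constrains.
# The attributes marked (Y/N) in Section 1.4.3 are privilege flags.
FILTER_FIELDS = {
    "Filter User Id": "USBD_NAME",
    "Filter Owner": "USBD_OWNER_ID",
    "Filter Name": "USBD_PROGRAMMER",
    "Filter Default Group": "USBD_DEFGRP_ID",
    "Filter Special Privilege": "USBD_SPECIAL",
    "Filter Operations Privilege": "USBD_OPER",
    "Filter Auditor Privilege": "USBD_AUDITOR",
    "Filter Group Access Privilege": "USBD_GRPACC",
}
PRIVILEGE_FILTERS = {name for name in FILTER_FIELDS if name.endswith("Privilege")}


def apply_filter(records: List[Record], filters: Dict[str, Optional[str]],
                 filter_type: str = "AND") -> List[Record]:
    """Return the records selected by the filter attributes (Filter Type AND/OR).

    Assumptions of this example, not stated by the guide: values are compared
    exactly after upper-casing, because RACF stores user, group and owner
    names in upper case; privilege filters accept only Y or N; and a filter
    with no attribute set selects every record, as in a full reconciliation.
    """
    if filter_type not in ("AND", "OR"):
        raise ValueError("Filter Type must be AND or OR")
    active: Dict[str, str] = {}
    for name, value in filters.items():
        if name not in FILTER_FIELDS:
            raise ValueError(f"unknown filter attribute: {name}")
        if value is None or value.strip() == "":
            continue  # an unset attribute takes no part in the filter
        value = value.strip().upper()
        if name in PRIVILEGE_FILTERS and value not in ("Y", "N"):
            raise ValueError(f"{name} must be Y or N, got {value!r}")
        active[FILTER_FIELDS[name]] = value
    if not active:
        return list(records)
    combine = all if filter_type == "AND" else any
    return [r for r in records
            if combine(r.get(field, "").upper() == v for field, v in active.items())]


def batches(records: List[Record], batch_size: int) -> Iterator[List[Record]]:
    """Yield the records in batches of batch_size (Section 1.4.4).

    Assumption: a batch size that is not a positive integer means no batching,
    so the whole list is yielded as one batch.
    """
    if not isinstance(batch_size, int) or batch_size <= 0:
        yield list(records)
        return
    for start in range(0, len(records), batch_size):
        yield records[start:start + batch_size]


def reconcile_user_ids(filters: Dict[str, Optional[str]], filter_type: str = "AND",
                       batch_size: int = 0) -> List[List[str]]:
    """Filter SAMPLE_RECORDS, then batch them; return the user IDs of each batch."""
    selected = apply_filter(SAMPLE_RECORDS, filters, filter_type)
    return [[r["USBD_NAME"] for r in batch] for batch in batches(selected, batch_size)]


if __name__ == "__main__":
    # Only users holding the Special privilege.
    print(reconcile_user_ids({"Filter Special Privilege": "Y"}))
    # Users owned by SYS1 or whose default group is HR, in batches of two.
    print(reconcile_user_ids({"Filter Owner": "SYS1", "Filter Default Group": "HR"}, "OR", 2))
```

The privilege filters are the ones worth getting right: a filter on Special, Operations or Auditor set to Y narrows a run to the most powerful RACF users, which is a useful first reconciliation when a full run over a large RACF database would take too long, and the example rejects any value for them other than Y or N rather than silently matching nothing.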

1.5 Lookup Definitions Used During Reconciliation and Provisioning

Lookup definitions used during connector operations can be divided into the following categories:

1.5.1 Lookup Definitions Synchronized with the Target System

During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Group lookup field to select, from the list of available groups, a group to which a user must belong. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

The following lookup definitions are populated with values fetched from the target system by the scheduled tasks for lookup field synchronization:

See Also:

Section 3.2, "Lookup Field Synchronization" for information about these scheduled tasks
  • Lookup.RACF.Groups

  • Lookup.RACF.Accounts

  • Lookup.RACF.Procedures

1.5.2 Other Lookup Definitions

This section describes the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed.

Table 1-2 Other Lookup Definitions

Lookup Definition | Description of Values | Method to Specify Values for the Lookup Definition

Connect | Holds the authority that you can select for a target system account that you create through Oracle Identity Manager. | This lookup definition is preconfigured. You can add or modify entries in it.

See one of the following guides for more information about modifying entries in a lookup definition:

  • For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Design Console Guide

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

  • For Oracle Identity Manager release 11.1.2: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager


1.6 Connector Objects Used During Target Resource Reconciliation and Provisioning

See Also:

One of the following guides for conceptual information about reconciliation:
  • For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Connector Concepts

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware User's Guide for Oracle Identity Manager

  • For Oracle Identity Manager release 11.1.2: Oracle Fusion Middleware User's Guide for Oracle Identity Manager

1.6.1 User Attributes for Target Resource Reconciliation and Provisioning

Table 1-3 provides information about user attribute mappings for target resource reconciliation and provisioning.

Table 1-3 User Attributes for Target Resource Reconciliation and Provisioning

Process Form Field | Target System Field | Description

userid | USBD_NAME | User ID that is determined from the user profile name

owner | USBD_OWNER_ID | User ID or group that owns the profile

name | USBD_PROGRAMMER | Display name associated with the user ID

default group | USBD_DEFGRP_ID | Default group associated with the user

operations | USBD_OPER | Specifies whether the user has the Operations privilege

auditor | USBD_AUDITOR | Specifies whether the user has the Auditor privilege

special | USBD_SPECIAL | Specifies whether the user has the Special privilege

grp access | USBD_GRPACC | Specifies whether the user has the GRPACC privilege

department | USWRK_DEPARTMENT | Department name


1.6.2 Group Attributes for Target Resource Reconciliation and Provisioning

Table 1-4 provides information about group attribute mappings for target resource reconciliation and provisioning.

Table 1-4 Group Attributes for Target Resource Reconciliation and Provisioning

Process Form Field | Target System Group Attribute | Description

Group | USCON_GRP_ID | Name of the group with which the user is associated

Revoke Date | USCON_REVOKE_DATE | Date on which the user's association with the group ends

Authorisation | GPMEM_AUTH | Group authority of the user within the group


1.6.3 TSO Attributes for Target Resource Reconciliation and Provisioning

Table 1-5 provides information about TSO attribute mappings for target resource reconciliation and provisioning.

Table 1-5 TSO Attributes for Target Resource Reconciliation and Provisioning

Process Form Field | Target System TSO Attribute | Description

Account Number | USTSO_ACCOUNT | Default account number

Procedure | USTSO_LOGON_PROC | Default procedure name

Size | USTSO_SIZE | Default memory space allocated to the user in TSO

Unit | USTSO_UNIT | Default unit of measurement of memory size

Maximum Size | USTSO_MAXIMUM_SIZE | Default maximum memory space that can be allocated to the user in TSO


1.6.4 Reconciliation Rule for Target Resource Reconciliation

See Also:

For generic information about reconciliation matching and action rules, see one of the following guides:
  • For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Connector Concepts

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware User's Guide for Oracle Identity Manager

  • For Oracle Identity Manager release 11.1.2: Oracle Fusion Middleware User's Guide for Oracle Identity Manager

The following is the process-matching rule:

Rule Name: reconcile RACF data

Rule Element: User Login Equals userid

In this rule:

  • User Login is one of the following:

    • For Oracle Identity Manager release 9.0.1 through 9.0.3.x:

      User ID attribute on the Xellerate User form.

    • For Oracle Identity Manager release 9.1.0.x or release 11.1.1:

      User ID attribute on the OIM User form.

    • For Oracle Identity Manager release 11.1.2:

  • userid is the USBD_NAME attribute of the target system.

After you deploy the connector, you can view the reconciliation rule by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.
  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for and open reconcile RACF data. Figure 1-2 shows this reconciliation rule.

Figure 1-2 Reconciliation Rule for Target Resource Reconciliation


1.6.5 Reconciliation Action Rules for Target Resource Reconciliation

Table 1-6 lists the action rules for target resource reconciliation.

Table 1-6 Action Rules for Target Resource Reconciliation

Rule Condition | Action

No Matches Found | Assign to Administrator With Least Load

One Entity Match Found | Establish Link

One Process Match Found | Establish Link


Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. For information about modifying or creating reconciliation action rules, see one of the following guides:
  • For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Design Console Guide

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

  • For Oracle Identity Manager release 11.1.2: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management.

  3. Double-click Resource Objects.

  4. Search for and open the RACF User resource object.

  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-3 shows the reconciliation action rule for target resource reconciliation.

    Figure 1-3 Reconciliation Action Rules for Target Resource Reconciliation


1.6.6 Provisioning Functions

Table 1-7 lists the provisioning functions that are supported by the connector. The Adapter column gives the name of the adapter that is used when the function is performed.

Table 1-7 Provisioning Functions

Function | Adapter

Create a RACF User | adpCREATENEWRACFUSER

Delete a RACF User | adpRACFUSERDELETE

Name Updated | adpUPDATERACFUSERATTRIBUTE

Password Updated | adpSETRACFUSERPASSWORD

Department Updated | adpUPDATERACFUSERATTRIBUTE

Default Group Updated | adpUPDATERACFUSERATTRIBUTE

Installation data Updated | adpUPDATERACFUSERATTRIBUTE

Operations Updated | adpRACFUPDATEPRIVILEDGE

Special Updated | adpRACFUPDATEPRIVILEDGE

Auditor Updated | adpRACFUPDATEPRIVILEDGE

Group Access Updated | adpRACFUPDATEPRIVILEDGE

Owner Updated | adpUPDATERACFUSERATTRIBUTE

Enable a RACF User | adpRACFUSERENABLE

Disable a RACF User | adpRACFUSERDISABLE

Connect Group | adpCONNECTTOGROUP

Disconnect Group | adpDISCONNECTFROMGROUP

Add TSO to a User | adpADDTSOTORACFUSER

Remove TSO | adpREMOVETSO


1.7 Connector Objects Used During Trusted Source Reconciliation

The following sections provide information about connector objects used during trusted source reconciliation:

1.7.1 User Attributes for Trusted Source Reconciliation

Table 1-8 lists user attributes for trusted source reconciliation.

Table 1-8 User Attributes for Trusted Source Reconciliation

OIM User Form Field | Target System Attribute | Description

User ID | USBD_NAME | Common name

First Name | FName | First name

Last Name | LName | Last name

Employee Type | NA | Default value: Consultant

User Type | NA | Default value: End-User Administrator

Organization | NA | Default value: Xellerate Users


1.7.2 Reconciliation Rule for Trusted Source Reconciliation

See Also:

For generic information about reconciliation matching and action rules, see one of the following guides:
  • For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Connector Concepts

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware User's Guide for Oracle Identity Manager

  • For Oracle Identity Manager release 11.1.2: Oracle Fusion Middleware User's Guide for Oracle Identity Manager

The following is the process matching rule:

Rule name: RACF Trusted Rule

Rule element: User Login Equals userid

In this rule element:

  • User Login is the User ID field on the OIM User form.

  • userid is the USBD_NAME field of RACF Standard.

After you deploy the connector, you can view the reconciliation rule for trusted source reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.
  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for RACF Trusted Rule. Figure 1-4 shows the reconciliation rule for trusted source reconciliation.

    Figure 1-4 Reconciliation Rule for Trusted Source Reconciliation


1.7.3 Reconciliation Action Rules for Trusted Source Reconciliation

Table 1-9 lists the action rules for trusted source reconciliation.

Table 1-9 Action Rules for Trusted Source Reconciliation

Rule Condition | Action

No Matches Found | Create User

One Entity Match Found | Establish Link

One Process Match Found | Establish Link


Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. For information about modifying or creating reconciliation action rules, see one of the following guides:
  • For Oracle Identity Manager release 9.0.1 through 9.0.3.x and release 9.1.0.x: Oracle Identity Manager Design Console Guide

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

  • For Oracle Identity Manager release 11.1.2: Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager

After you deploy the connector, you can view the reconciliation action rules for trusted source reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management.

  3. Double-click Resource Objects.

  4. Search for and open the Xellerate User resource object.

  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-5 shows the reconciliation action rules for trusted source reconciliation.

    Figure 1-5 Reconciliation Action Rules for Trusted Source Reconciliation

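The following is an added example, not code from the connector or from Oracle Identity Manager, that walks the matching rule "User Login Equals userid" of Sections 1.6.4 and 1.7.2 and the action rules of Tables 1-6 and 1-9 over constructed data, so the difference between the two modes is visible: in target resource mode an unmatched RACF user is handed to an administrator and no OIM User is created, whereas in trusted source mode it creates an OIM User with the default values of Table 1-8. The OimState class and its data are a stand-in for OIM, the comparison is assumed to be exact after upper-casing (RACF keeps user IDs in upper case; the guide says nothing about OIM's case handling), and checking a linked account before the OIM User is an ordering chosen for the example, not one the guide states.

```python
"""Reconciliation matching rule and action rules of the RACF connector.

Added example, not code from the connector or from Oracle Identity Manager.
It applies the rule "User Login Equals userid" (Sections 1.6.4 and 1.7.2),
the action rules of Tables 1-6 and 1-9 and the trusted source defaults of
Table 1-8 to constructed data held in a small in-memory stand-in for OIM.
"""
from typing import Dict, List, Tuple

Record = Dict[str, str]

# OIM User fields that have no target system attribute (Table 1-8).
TRUSTED_DEFAULTS = {
    "Employee Type": "Consultant",
    "User Type": "End-User Administrator",
    "Organization": "Xellerate Users",
}


class OimState:
    """Stand-in for OIM Users and the RACF User resources linked to them."""

    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, str]] = {}     # User Login -> OIM User form
        self.accounts: Dict[str, Dict[str, str]] = {}  # linked userid -> process form
        self.admin_queue: List[str] = []               # events handed to an administrator
        self.log: List[Tuple[str, str, str]] = []      # (userid, rule condition, action)

    def add_user(self, login: str, first: str, last: str) -> None:
        self.users[login] = {"User ID": login, "First Name": first, "Last Name": last}


def match(state: OimState, userid: str) -> Tuple[str, bool, bool]:
    """Evaluate 'User Login Equals userid' against users and linked accounts.

    Assumption of this example: the comparison is exact after upper-casing,
    because RACF keeps user IDs (at most eight characters) in upper case; the
    guide does not describe OIM's own case handling.
    """
    key = userid.strip().upper()
    return key, key in state.users, key in state.accounts


def reconcile_target_resource(state: OimState, record: Record) -> str:
    """Target resource reconciliation using the action rules of Table 1-6.

    Assumption: an already linked account is checked before the OIM User, so a
    record for a linked account yields 'One Process Match Found'.
    """
    userid, user_found, account_found = match(state, record["USBD_NAME"])
    form = {  # process form fields of Table 1-3
        "userid": userid,
        "owner": record.get("USBD_OWNER_ID", ""),
        "name": record.get("USBD_PROGRAMMER", ""),
        "default group": record.get("USBD_DEFGRP_ID", ""),
    }
    if account_found:
        condition, action = "One Process Match Found", "Establish Link"
        state.accounts[userid].update(form)   # refresh the linked account's data
    elif user_found:
        condition, action = "One Entity Match Found", "Establish Link"
        state.accounts[userid] = form         # link a new resource to the OIM User
    else:
        condition, action = "No Matches Found", "Assign to Administrator With Least Load"
        state.admin_queue.append(userid)      # no OIM User is created in this mode
    state.log.append((userid, condition, action))
    return action


def reconcile_trusted_source(state: OimState, record: Record) -> str:
    """Trusted source reconciliation using the action rules of Table 1-9."""
    userid, user_found, _ = match(state, record["USBD_NAME"])
    fields = {  # OIM User form fields of Table 1-8
        "User ID": userid,
        "First Name": record.get("FName", ""),
        "Last Name": record.get("LName", ""),
    }
    if user_found:
        condition, action = "One Entity Match Found", "Establish Link"
        state.users[userid].update(fields)    # modify the existing OIM User
    else:
        condition, action = "No Matches Found", "Create User"
        state.users[userid] = {**fields, **TRUSTED_DEFAULTS}
    state.log.append((userid, condition, action))
    return action


if __name__ == "__main__":
    state = OimState()
    state.add_user("ALICE01", "Alice", "Example")
    state.add_user("BOB02", "Bob", "Example")
    state.accounts["BOB02"] = {"userid": "BOB02"}   # BOB02 already has a linked account
    for rec in ({"USBD_NAME": "ALICE01", "USBD_OWNER_ID": "SYS1"},
                {"USBD_NAME": "BOB02", "USBD_OWNER_ID": "HRADM"},
                {"USBD_NAME": "CAROL03", "USBD_OWNER_ID": "SYS1"}):
        reconcile_target_resource(state, rec)
    reconcile_trusted_source(state, {"USBD_NAME": "CAROL03", "FName": "Carol", "LName": "Example"})
    for entry in state.log:
        print(entry)
```

The "No Matches Found" row is the one to watch from a security standpoint: in target resource mode a RACF user ID with no corresponding OIM User Login is exactly the orphan account an access review should surface, and the connector's default action only queues it for an administrator rather than creating anything, so the queue needs an owner.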

1.8 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of this guide: