1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use RSA ClearTrust either as a managed (target) resource or as an authoritative (trusted) source of identity data for Oracle Identity Manager.

Note:

At some places in this guide, RSA ClearTrust has been referred to as the target system.

In the account management (target resource) mode of the connector, information about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.

In the identity reconciliation (trusted source) configuration of the connector, users are created or modified only on the target system and information about these users is reconciled into Oracle Identity Manager.

Note:

It is recommended that you do not configure the target system as both an authoritative (trusted) source and a managed (target) resource.

This chapter contains the following sections:

  • Section 1.1, "Certified Components"

  • Section 1.2, "Certified Languages"

  • Section 1.3, "Connector Architecture"

  • Section 1.4, "Features of the Connector"

  • Section 1.5, "Lookup Definitions Used During Connector Operations"

  • Section 1.6, "Connector Objects Used During Target Resource Reconciliation"

  • Section 1.7, "Connector Objects Used During Trusted Source Reconciliation"

  • Section 1.8, "Connector Objects Used During Provisioning"

  • Section 1.9, "Roadmap for Deploying and Using the Connector"

Note:

In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.

1.1 Certified Components

Table 1-1 lists the certified components for this connector.

Table 1-1 Certified Components

Item Requirement

Oracle Identity Manager

You can use one of the following releases of Oracle Identity Manager:

  • Oracle Identity Manager release 9.0.1 through 9.0.3.2

  • Oracle Identity Manager release 9.1.0.1 or later

    Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.1 and future releases in the 9.1.0.x series that the connector will support.

  • Oracle Identity Manager 11g release 1 (11.1.1) BP02

    Note: In this guide, Oracle Identity Manager release 11.1.1 has been used to denote Oracle Identity Manager 11g release 1 (11.1.1).

The connector does not support Oracle Identity Manager running on Oracle Application Server. For detailed information about certified components of Oracle Identity Manager, see the certification matrix on Oracle Technology Network at

http://www.oracle.com/technetwork/documentation/oim1014-097544.html

Target systems

The target system can be one of the following:

  • RSA ClearTrust V5.5.x

  • RSA Access Manager V6.0.x and V6.1.x

External code

The following files from the directory in which RSA ClearTrust is installed:

ct_admin_api.jar

ct_runtime_api.jar

Target system user account

RSA ClearTrust administrator account

You provide the credentials of this user account while performing the procedure in Section 2.2.2.2, "Configuring the IT Resource."

JDK

The JDK version can be one of the following:

  • For Oracle Identity Manager release 9.0.1 through 9.0.3.2, use JDK 1.4.2 or a later release in the 1.4.2 series.

  • For Oracle Identity Manager release 9.1.0.x, use JDK 1.5 or a later release in the 1.5 series.

  • For Oracle Identity Manager release 11.1.1, use JDK 1.6 update 18 or later, or JRockit JDK 1.6 update 17 or later.


1.2 Certified Languages

The connector supports the following languages:

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Danish

  • English

  • French

  • German

  • Italian

  • Japanese

  • Korean

  • Portuguese (Brazilian)

  • Spanish

See Also:

One of the following guides for information about the special characters supported by Oracle Identity Manager:
  • For Oracle Identity Manager release 9.0.1 through 9.0.3.2 and release 9.1.0.x:

    Oracle Identity Manager Globalization Guide

  • For Oracle Identity Manager release 11.1.1:

    Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

1.3 Connector Architecture

The architecture of the connector is the blueprint for the functionality of the connector. Figure 1-1 shows the architecture of the connector.

Figure 1-1 Architecture of the Connector


The connector can be configured to run in one of the following modes:

Note:

In Oracle Identity Manager release 11.1.1, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager releases 9.0.1 through 9.0.3.2 and 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1.

See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.

  • Identity reconciliation

    In the identity reconciliation mode, RSA ClearTrust is used as the trusted source and users are directly created and modified on it.

    During reconciliation, a scheduled task establishes a connection with the target system and sends reconciliation criteria to the APIs. The APIs extract user records that match the reconciliation criteria and hand them over to the scheduled task, which brings the records to Oracle Identity Manager.

    Each record fetched from the target system is compared with existing OIM Users. If a match is found, then the update made to the record on the target system is applied to the OIM User record. If no match is found, then the target system record is used to create an OIM User.

  • Account Management

    In the account management mode, RSA ClearTrust is used as a target resource. The connector enables target resource reconciliation and provisioning operations. Through provisioning operations performed on Oracle Identity Manager, user accounts are created and updated on the target system for OIM Users. During reconciliation from the target resource, the RSA ClearTrust connector fetches into Oracle Identity Manager data about user accounts that are created or modified on the target system. This data is used to add or modify resources allocated to OIM Users.

    During provisioning operations, adapters carry provisioning data submitted through the process form to the target system. APIs on the target system accept provisioning data from the adapters, carry out the required operation on the target system, and return the response from the target system to the adapters. The adapters return the response to Oracle Identity Manager.

    During reconciliation, a scheduled task establishes a connection with the target system and sends reconciliation criteria to the APIs. The APIs extract user records that match the reconciliation criteria and hand them over to the scheduled task, which brings the records to Oracle Identity Manager. Each record is then matched against existing OIM Users by the reconciliation rule and processed by the action rules described in Section 1.6, so that the account is linked to the OIM User that owns it. A record that matches no OIM User is not used to create one in this mode; it remains an unowned account on the target system until an OIM User with the same User ID exists.

1.4 Features of the Connector

1.4.1 Support for Both Target Resource and Trusted Source Reconciliation

You can use the connector to configure RSA ClearTrust as either a target resource or trusted source of Oracle Identity Manager.

See Section 3.3.4, "User Reconciliation Scheduled Task" for more information.

1.4.2 Specifying the Attributes That Must Be Used During Reconciliation

You can specify the subset of target system attributes that must be reconciled. See Section 3.3.3, "Specifying the Attributes That Must Be Used During Reconciliation" for more information.

1.4.3 Support for Both Full and Incremental Reconciliation

After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager. After the first full reconciliation run, change-based or incremental reconciliation is automatically enabled from the next run of the user reconciliation.

You can perform a full reconciliation run at any time. See Section 3.3.1, "Full Reconciliation vs. Incremental Reconciliation" for more information.

1.4.4 Support for Paged Reconciliation

Paged reconciliation is the reconciliation of a specified set of target system records at a time, within a reconciliation run. Multiple pages of records are fetched to complete the reconciliation run. This feature helps reduce memory issues that might arise when there are a large number of records to be reconciled.

Paged reconciliation is implemented using the Paging Range attribute of the scheduled task. See Section 3.3.2, "Paged Reconciliation" for more information about paged reconciliation.
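The following is an added example, not code from the connector or from this guide, that simulates how a scheduled task combines the two features above: a full run fetches every target record in pages of Paging Range size, and later runs are incremental, fetching only records modified since the previous run. The target system, its search call, and the timestamp-based change detection are assumptions made for the simulation; the real connector calls the RSA ClearTrust admin API through ct_admin_api.jar, and Sections 3.3.1 and 3.3.2 describe how it is actually configured. The one design point worth noticing is that the watermark is taken at the start of the run, so a record edited while the run is in progress is fetched again next time instead of being missed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class TargetUser:
    """One user record as the target system hands it back (constructed stand-in)."""
    user_id: str
    first_name: str
    last_name: str
    modified: datetime  # last-modified timestamp kept on the target system


class FakeTargetSystem:
    """Constructed stand-in for the RSA ClearTrust admin API (assumption: not the real API)."""

    def __init__(self, users: List[TargetUser]) -> None:
        self._users = sorted(users, key=lambda u: u.user_id)

    def search(self, since: Optional[datetime], offset: int, limit: int) -> List[TargetUser]:
        """Return one page of users modified at or after `since` (all users when since is None)."""
        matched = [u for u in self._users if since is None or u.modified >= since]
        return matched[offset:offset + limit]

    def touch(self, user_id: str, when: datetime) -> None:
        """Simulate an administrator editing a user directly on the target system."""
        for u in self._users:
            if u.user_id == user_id:
                u.modified = when


@dataclass
class ReconState:
    """What the scheduled task keeps between runs."""
    last_run: Optional[datetime] = None                     # None until the first full run completes
    oim_records: Dict[str, TargetUser] = field(default_factory=dict)


def run_reconciliation(target: FakeTargetSystem, state: ReconState,
                       paging_range: int, now: datetime, full: bool = False) -> int:
    """Fetch users page by page; incremental after the first full run. Returns records fetched."""
    if paging_range < 1:
        raise ValueError("Paging Range must be a positive page size")
    # Full run: no timestamp filter. Incremental run: only records changed since the last run.
    since = None if (full or state.last_run is None) else state.last_run
    # Take the watermark at the start, not the end: a record changed while the run is
    # in progress is picked up again by the next incremental run instead of being lost.
    started = now
    fetched = 0
    offset = 0
    while True:
        page = target.search(since, offset, paging_range)
        for user in page:
            state.oim_records[user.user_id] = user   # create or update the OIM-side record
            fetched += 1
        if len(page) < paging_range:                 # short or empty page: no more records
            break
        offset += paging_range
    state.last_run = started
    return fetched


def demo():
    """Full run over five constructed users in pages of two, then one incremental run."""
    t0 = datetime(2011, 1, 1, 8, 0, 0)
    users = [TargetUser("user%d" % i, "First", "Last", t0 - timedelta(days=i)) for i in range(5)]
    target = FakeTargetSystem(users)
    state = ReconState()
    first = run_reconciliation(target, state, paging_range=2, now=t0 + timedelta(hours=1))
    target.touch("user2", t0 + timedelta(hours=2))   # one user edited on the target afterwards
    second = run_reconciliation(target, state, paging_range=2, now=t0 + timedelta(hours=3))
    return first, second, len(state.oim_records)


if __name__ == "__main__":
    print(demo())   # (5, 1, 5)
```

The full run fetches all five records across three pages; the incremental run that follows fetches only the one record edited after the first run's watermark.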

1.5 Lookup Definitions Used During Connector Operations

Lookup definitions used during connector operations can be divided into the following categories:

1.5.1 Lookup Definitions Synchronized with the Target System

During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Group lookup field to select the group to which the user must be assigned. When you deploy the connector, the CTGroups and Property Names lookup definitions are automatically created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the list of groups and properties on the target system into the CTGroups and Property Names lookup definitions in Oracle Identity Manager.

See Also:

Section 3.2, "Scheduled Task for Lookup Field Synchronization" for information about this scheduled task

1.5.2 Other Lookup Definitions

Table 1-2 describes the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values, or you must enter values in them manually after the connector is deployed.

Table 1-2 Other Lookup Definitions

Lookup Definition | Description of Values | Method to Specify Values for the Lookup Definition
Lookup.CTReconciliation.Fieldmap | This lookup definition is used to store mappings of attributes that you add for reconciliation. | You can add entries in this lookup definition if you want to map new target system attributes for reconciliation. Section 3.3.3, "Specifying the Attributes That Must Be Used During Reconciliation" describes the procedure.


1.6 Connector Objects Used During Target Resource Reconciliation

This section discusses the following topics:

1.6.1 User Attributes for Target Resource Reconciliation

Table 1-3 lists the user attributes of the target system from which values are fetched during reconciliation. The ClearTrust Reconciliation Task scheduled task is used to reconcile user data.

Table 1-3 User Attributes for Target Resource Reconciliation

Resource Object Field | Target System Attribute | Description
UserID | User ID | User ID
FirstName | First Name | First name
LastName | Last Name | Last name
EmailID | E-mail | E-mail address
StartDate | Account Starts | Date and time when the user's account must become active
EndDate | Account Expires | Date and time when the user's account must expire
PasswordExpDate | Password Expires | Date and time when the user's password expires
IsPublic | Visibility | Flag that specifies whether the user account is visible to all administrators or only to administrators of this administrative group
IsUserlocked | Lock Out | Flag that indicates whether or not the user account is locked
PropertyName | Property Name | Name of the property
PropertyValue | Property Value | Depending on the data type of the selected property, the value can be a string or an integer
GroupName | User Group | Group


1.6.2 Reconciliation Rules for Target Resource Reconciliation

See Also:

For generic information about reconciliation matching and action rules, see one of the following guides:
  • For Oracle Identity Manager release 9.0.1 through 9.0.3.2 and release 9.1.0.x: Oracle Identity Manager Connector Concepts

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware User's Guide for Oracle Identity Manager

The following sections provide information about the reconciliation rules for this connector:

1.6.2.1 Reconciliation Rule for Target Resource Reconciliation

The following is the process-matching rule:

Rule name: CT Recon Rule

Rule element: User Login Equals (userId)

In the rule element:

  • User Login is one of the following:

    • For Oracle Identity Manager releases 9.0.1 through 9.0.3.2:

      User ID attribute on the Xellerate User form

    • For Oracle Identity Manager release 9.1.0.x or release 11.1.1:

      User ID attribute on the OIM User form

  • userId is the user ID field of the account on RSA ClearTrust.

1.6.2.2 Viewing Reconciliation Rules for Target Resource Reconciliation in the Design Console

After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.
  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for and open CT Recon Rule. Figure 1-2 shows this reconciliation rule.

    Figure 1-2 Reconciliation Rule for Target Resource Reconciliation


1.6.3 Reconciliation Action Rules for Target Resource Reconciliation

Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. For information about modifying or creating reconciliation action rules, see one of the following guides:
  • For Oracle Identity Manager release 9.0.1 through 9.0.3.2 and release 9.1.0.x: Oracle Identity Manager Design Console Guide

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

The following sections provide information about the reconciliation action rules for this connector:

1.6.3.1 Reconciliation Action Rules for Target Resource Reconciliation

Table 1-4 lists the action rules for target resource reconciliation.

Table 1-4 Action Rules for Target Resource Reconciliation

Rule Condition | Action
One Entity Match Found | Establish Link
One Process Match Found | Establish Link


1.6.3.2 Viewing Reconciliation Action Rules for Target Resource Reconciliation in the Design Console

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management, and double-click Resource Objects.

  3. Search for and open the ClearTrust resource object.

  4. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. This tab displays the action rules defined for this connector. Figure 1-3 shows the reconciliation action rules for target resource reconciliation.

    Figure 1-3 Action Rules for Target Resource Reconciliation


1.7 Connector Objects Used During Trusted Source Reconciliation

This section discusses the following topics:

1.7.1 User Attributes for Trusted Source Reconciliation

Table 1-5 provides information about user attribute mappings for trusted source reconciliation.

Table 1-5 User Attributes for Trusted Source Reconciliation

Field on the Xellerate User Resource Object | Target System Attribute | Description
UserID | User ID | User ID
FirstName | First Name | First name
LastName | Last Name | Last name
Email Address | E-mail | E-mail address
Start Date | Account Starts | Date and time when the user's account must become active
End Date | Account Expires | Date and time when the user's account must expire
Lock User | Lock Out | Flag that indicates whether or not the user is locked out
Is Public | Visibility | Flag that specifies whether the user account is visible to all administrators or only to administrators of this administrative group
User Group Name | User Group | Group
Property Name | Property Name | Name of the property
Property Value | Property Value | Depending on the data type of the selected property, the value can be a string or an integer
Property Value (Date) | Property Value (Date) field | Property value as date. If the RSA ClearTrust property type is Date, then the value for the property can be set only by using the Property Value (Date) field on the RSA ClearTrust User Properties form.
Property Value (Boolean) | Property Value (Boolean) check box | Property value as Boolean. If the RSA ClearTrust property type is Boolean, then the value for the property can be set only by using the Property Value (Boolean) check box on the RSA ClearTrust User Properties form.

To set the value of any other type of property, use the Property Value field.


1.7.2 Reconciliation Rule for Trusted Source Reconciliation

See Also:

For generic information about reconciliation matching and action rules, see one of the following guides:
  • For Oracle Identity Manager release 9.0.1 through 9.0.3.2 and release 9.1.0.x: Oracle Identity Manager Connector Concepts

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware User's Guide for Oracle Identity Manager

The following sections provide information about the reconciliation rules for this connector:

1.7.2.1 Reconciliation Rule for Trusted Source Reconciliation

The following is the process-matching rule:

Rule name: Trusted Source Recon Rule

Rule element: User Login Equals User ID

In this rule element:

  • User Login is one of the following:

    • For Oracle Identity Manager releases 9.0.1 through 9.0.3.2:

      User ID attribute on the Xellerate User form

    • For Oracle Identity Manager release 9.1.0.x or release 11.1.1:

      User ID attribute on the OIM User form

  • User ID is the user ID of the account on RSA ClearTrust.

1.7.2.2 Viewing Reconciliation Rules for Trusted Source Reconciliation in the Design Console

After you deploy the connector, you can view the reconciliation rule for trusted source reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.
  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for and open Trusted Source Recon Rule. Figure 1-4 shows this reconciliation rule.

    Figure 1-4 Reconciliation Rule for Trusted Source Reconciliation


1.7.3 Reconciliation Action Rules for Trusted Source Reconciliation

Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. For information about modifying or creating reconciliation action rules, see one of the following guides:
  • For Oracle Identity Manager release 9.0.1 through 9.0.3.2 and release 9.1.0.x: Oracle Identity Manager Design Console Guide

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

The following sections provide information about the reconciliation action rules for this connector:

1.7.3.1 Reconciliation Action Rules for Trusted Source Reconciliation

Table 1-6 lists the action rules for trusted source reconciliation.

Table 1-6 Action Rules for Trusted Source Reconciliation

Rule Condition | Action
No Matches Found | Assign to Administrator With Least Load
One Entity Match Found | Establish Link
One Process Match Found | Establish Link

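The following is an added example, not code from the connector or from this guide, that plays the matching rule of Sections 1.6.2 and 1.7.2 (User Login Equals User ID) and the action rules of Tables 1-4 and 1-6 against the same three constructed target records. The OIM User objects, the exact-string comparison (assumption: the rule is evaluated case-sensitively), and the event tuples are all stand-ins for the simulation. It makes concrete why the note at the start of this chapter recommends against configuring the target system in both modes: the record that matches no OIM User is left as an unowned account in target resource mode, but becomes a brand-new OIM User in trusted source mode, and a User ID that differs only in case produces a second, duplicate identity.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class OimUser:
    """Constructed stand-in for an OIM User; user_login is the User ID on the OIM User form."""
    user_login: str
    linked_accounts: List[str] = field(default_factory=list)  # target accounts linked to this user


def match_user_login(oim_users: Dict[str, OimUser], target_user_id: str) -> List[OimUser]:
    """Rule element 'User Login Equals User ID'. Assumption: evaluated case-sensitively,
    so a plain exact-string comparison is used here."""
    user = oim_users.get(target_user_id)
    return [user] if user is not None else []


def target_resource_recon(oim_users: Dict[str, OimUser], target_user_id: str) -> Tuple[str, str]:
    """Action rules of Table 1-4: only 'One Entity Match Found -> Establish Link' is defined."""
    matches = match_user_login(oim_users, target_user_id)
    if len(matches) == 1:
        matches[0].linked_accounts.append(target_user_id)
        return ("Establish Link", target_user_id)
    # 'No Matches Found' has no action rule in this mode: the target account stays unowned
    # and nobody in Oracle Identity Manager is accountable for it until a matching user exists.
    return ("No action", target_user_id)


def trusted_source_recon(oim_users: Dict[str, OimUser], target_user_id: str) -> Tuple[str, str]:
    """Action rules of Table 1-6: an unmatched record creates an OIM User from the target data."""
    matches = match_user_login(oim_users, target_user_id)
    if len(matches) == 1:
        return ("Establish Link", target_user_id)
    oim_users[target_user_id] = OimUser(target_user_id)
    return ("Assign to Administrator With Least Load", target_user_id)


def demo():
    """Run the same constructed target records through both modes, starting from identical OIM Users."""
    target_accounts = ["jsmith", "JSMITH", "bnew"]      # constructed target system records
    tr_users = {"jsmith": OimUser("jsmith"), "asingh": OimUser("asingh")}
    tr_events = [target_resource_recon(tr_users, a) for a in target_accounts]
    ts_users = {"jsmith": OimUser("jsmith"), "asingh": OimUser("asingh")}
    ts_events = [trusted_source_recon(ts_users, a) for a in target_accounts]
    return tr_events, sorted(tr_users), ts_events, sorted(ts_users)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In target resource mode the OIM User population is unchanged and two target accounts remain unlinked; in trusted source mode the same two records create the users JSMITH and bnew, with JSMITH now sitting beside jsmith as a separate identity.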

1.7.3.2 Viewing Reconciliation Action Rules for Trusted Source Reconciliation in the Design Console

After you deploy the connector, you can view the reconciliation action rules for trusted source reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management, and double-click Resource Objects.

  3. Search for and open the Xellerate User resource object.

  4. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. This tab displays the action rules defined for this connector. Figure 1-5 shows the reconciliation action rules for trusted source reconciliation.

    Figure 1-5 Action Rules for Trusted Source Reconciliation


1.8 Connector Objects Used During Provisioning

Provisioning involves creating or modifying user data on the target system through Oracle Identity Manager.

See Also:

For conceptual information about provisioning, see one of the following guides:
  • For Oracle Identity Manager release 9.0.1 through 9.0.3.2 and release 9.1.0.x: Oracle Identity Manager Connector Concepts

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware User's Guide for Oracle Identity Manager

This section discusses the following topics:

1.8.1 User Attributes for Provisioning

Table 1-7 lists the process form fields for which you can specify or modify values during provisioning operations.

Table 1-7 User Attributes for Provisioning

Process Form Field | Target System Attribute | Description
UserID | User ID | User ID
FirstName | First Name | First name
LastName | Last Name | Last name
Email Address | E-mail | E-mail address
Start Date | Account Starts | Date and time when the user's account must become active
End Date | Account Expires | Date and time when the user's account must expire
Lock User | Lock Out | Flag that indicates whether or not the user is locked out
Is Public | Visibility | Flag that specifies whether the user account is visible to all administrators or only to administrators of this administrative group
User Group Name | User Group | Group
Property Name | Property Name | Name of the property
Property Value | Property Value | Depending on the data type of the selected property, the value can be a string or an integer
Property Value (Date) | Property Value (Date) field | If the RSA ClearTrust property type is Date, then the value for the property can be set only by using the Property Value (Date) field on the RSA ClearTrust User Properties form.
Property Value (Boolean) | Property Value (Boolean) check box | If the RSA ClearTrust property type is Boolean, then the value for the property can be set only by using the Property Value (Boolean) check box on the RSA ClearTrust User Properties form.


Table 1-8 lists special characters that are supported in process form fields.

Table 1-8 Special Characters Supported in Process Form Fields

Name of the Character | Character
ampersand | &
asterisk | *
at sign | @
caret | ^
comma | ,
dollar sign | $
equal sign | =
exclamation point | !
hyphen | -
left brace | {
left bracket | [
number sign | #
percent sign | %
period | .
plus sign | +
question mark | ?
right brace | }
right bracket | ]
slash | /
single quotation mark | '
underscore | _


Note:

The following special characters are not supported in process form fields:
  • Double quotation mark: "

  • Left parenthesis: (

  • Right parenthesis: )

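The following is an added example, not code from the connector or from this guide, that turns Table 1-8 and the note above into an allowlist check you can run on process form values before a provisioning operation reaches the target system. Letters and digits in any script are accepted because the connector is certified for the languages in Section 1.2; the characters of Table 1-8 are accepted; everything else is reported, which covers the three characters the note names and, conservatively, any character the guide does not list. Treating a plain space as acceptable is an assumption, as are the field names and values in the sample form.

```python
# Allowlist built from Table 1-8. Anything outside it, including the three characters the
# note above calls out, is reported rather than passed on to the target system.
SUPPORTED_SPECIAL = frozenset("&*@^,$=!-{[#%.+?}]/'_")
KNOWN_UNSUPPORTED = frozenset('"()')     # explicitly unsupported per the note above


def unsupported_characters(value: str) -> list:
    """Return the sorted, de-duplicated characters in `value` that the process form does not accept.
    Assumption: a plain space is acceptable; the guide does not list it either way."""
    bad = {ch for ch in value
           if not (ch.isalnum() or ch == " " or ch in SUPPORTED_SPECIAL)}
    return sorted(bad)


def validate_process_form(fields: dict) -> dict:
    """Check every field of a process form; return {field name: offending characters} for the bad ones.
    An empty dict means the form can be submitted as is."""
    problems = {}
    for name, value in fields.items():
        if value is None:                  # unset field: nothing to check
            continue
        bad = unsupported_characters(str(value))
        if bad:
            problems[name] = bad
    return problems


def demo():
    """Constructed sample form (not connector data) with two fields that must be rejected."""
    form = {
        "UserID": "j.smith_01",
        "Email Address": "j.smith+oim@example.com",
        "First Name": "Seán",
        "Last Name": 'O"Brien (temp)',
        "Property Value": "dept=42;role=admin",
    }
    return validate_process_form(form)


if __name__ == "__main__":
    print(demo())   # {'Last Name': ['"', '(', ')'], 'Property Value': [';']}
```

The e-mail address passes because period, plus sign and at sign are all in Table 1-8, the accented first name passes as alphanumeric, and the two rejected fields show both kinds of failure: characters the note explicitly forbids, and a semicolon the guide never lists as supported.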
1.8.2 User Provisioning Functions

Table 1-9 lists the user provisioning functions that are supported by the connector. The Adapter column gives the name of the adapter that is used when the function is performed.

See Also:

For generic information about process tasks and adapters, see one of the following guides:
  • For Oracle Identity Manager release 9.0.1 through 9.0.3.2 and release 9.1.0.x: Oracle Identity Manager Connector Concepts

  • For Oracle Identity Manager release 11.1.1: Oracle Fusion Middleware User's Guide for Oracle Identity Manager

Table 1-9 User Provisioning Functions Supported by the Connector

Process Task | Description | Adapter
Create User | Creates a user | CTCreateUser
Delete User | Deletes a provisioned user | CTDeleteUser
Disable User | Disables an existing user by setting the Account Expires attribute to the current date | CTDisableUser
Enable User | Enables a disabled user by setting the Account Expires attribute to a date that is one year ahead of the current date. Any End Date that was previously provisioned for the account is overwritten by this value. | CTenableuser
Email Address Updated | Updates the e-mail address | CTModifyUser
Start Date Updated | Updates the start date | CTModifyUser
End Date Updated | Updates the end date | CTModifyUser
Change User Password | Updates the user's password | CTStringTask
First Name Updated | Updates the first name | CTModifyUser
Last Name Updated | Updates the last name | CTModifyUser
Lock User Updated | Updates the locked or unlocked status of the user | CTModifyUser
Change First Name | Copies a change in the first name from the user object form to the process form | CTStringTask
Change Last Name | Copies a change in the last name from the user object form to the process form | CTStringTask
Change User Password | Copies a change in the user's password from the user object form to the process form | CTStringTask
Change email | Copies a change in the e-mail address from the user object form to the process form | CTStringTask
Password Expiration Date Updated | Updates the password expiration date | CTModifyUser
Assign User to Group | Adds a user to a group in RSA ClearTrust | CTAddGroup
Delete User from Group | Deletes a user from a group | CTDeleteGroup
Update Group For A User | Removes a user from one group and adds the user to another group | CTUpdateGroup
Add Default Group | Adds a default group to a user | CTAssign Default Group
Add Property to User | Adds a property value. If the RSA ClearTrust property type is Date, then the value can be set only by using the Property Value (Date) field on the RSA ClearTrust User Properties form. If the property type is Boolean, then the value can be set only by using the Property Value (Boolean) check box on that form. To set the value of any other type of property, use the Property Value field. | CTUpdateUserProperty
Delete Property to User | Deletes a property value | CTUpdateUserProperty

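The following is an added example, not code from the connector or from this guide, that simulates what the Disable User, Enable User and End Date Updated tasks in Table 1-9 do to the Account Expires attribute, and the consequence a practitioner should plan for: because Enable User sets Account Expires to one year ahead, re-enabling an account silently extends it past any End Date that was provisioned earlier. The account object, the rule that an account is usable from Account Starts up to but not including Account Expires and never while Lock Out is set, and "one year" being 365 days are assumptions of the simulation; the page states only which attribute each task changes. The example closes by re-applying the original End Date through the End Date Updated path, which is the page-supported way to put the limit back.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class CtAccount:
    """Constructed stand-in for a ClearTrust user; field names follow the attributes in Table 1-7."""
    user_id: str
    account_starts: datetime
    account_expires: Optional[datetime]   # None: no expiry set (assumption)
    lock_out: bool = False


def is_active(acct: CtAccount, now: datetime) -> bool:
    """Assumption: usable from Account Starts up to, not including, Account Expires,
    and never while Lock Out is set."""
    if acct.lock_out or now < acct.account_starts:
        return False
    return acct.account_expires is None or now < acct.account_expires


def disable_user(acct: CtAccount, now: datetime) -> None:
    """Disable User (CTDisableUser): Account Expires becomes the current date."""
    acct.account_expires = now


def enable_user(acct: CtAccount, now: datetime) -> None:
    """Enable User (CTenableuser): Account Expires becomes one year ahead (assumption: 365 days)."""
    acct.account_expires = now + timedelta(days=365)


def update_end_date(acct: CtAccount, end_date: datetime) -> None:
    """End Date Updated (CTModifyUser): sets Account Expires to the provisioned End Date."""
    acct.account_expires = end_date


def demo():
    """Disable, then re-enable, an account whose provisioned End Date was the end of a contract."""
    contract_end = datetime(2011, 5, 31)                   # End Date provisioned originally
    acct = CtAccount("jsmith", datetime(2011, 1, 1), contract_end)
    t_disable = datetime(2011, 3, 1, 9, 0)
    t_enable = datetime(2011, 4, 1, 9, 0)

    before = is_active(acct, t_disable - timedelta(minutes=1))
    disable_user(acct, t_disable)
    while_disabled = is_active(acct, t_disable + timedelta(minutes=1))
    enable_user(acct, t_enable)
    after_enable = is_active(acct, t_enable + timedelta(minutes=1))
    drifted_expiry = acct.account_expires                  # 2012-03-31, ten months past the contract
    # Re-apply the intended End Date so the re-enabled account does not outlive the contract.
    update_end_date(acct, contract_end)
    active_after_contract = is_active(acct, datetime(2011, 6, 1))
    return before, while_disabled, after_enable, drifted_expiry, active_after_contract


if __name__ == "__main__":
    print(demo())   # (True, False, True, datetime(2012, 3, 31, 9, 0), False)
```

Without the final End Date Updated step, the account would stay usable until March 2012 even though it was provisioned to expire at the end of May 2011; a process that enables accounts should therefore restore the intended End Date in the same operation.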

1.9 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of this guide: