1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to integrate Oracle Identity Manager with target systems running AIX, HP-UX, Linux, and Solaris, using the SSH protocol. This connector enables you to use the target system as a managed (target) resource or as an authoritative (trusted) source of identity data for Oracle Identity Manager.

In the account management (target resource) mode of the connector, information about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.

In the identity reconciliation (trusted source) configuration of the connector, users are created or modified only on the target system and information about these users is reconciled into Oracle Identity Manager.

This chapter contains the following sections:

Note:

In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.

1.1 Certified Components

Table 1-1 lists the certified components for this connector.

Table 1-1 Certified Components

Item Requirement

Oracle Identity Manager

You can use one of the following releases of Oracle Identity Manager:

  • Oracle Identity Manager release 9.1.0.x or later

    Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.1 and future releases in the 9.1.0.x series that the connector will support.

  • Oracle Identity Manager 11g release 1 (11.1.1)

    Note: In this guide, Oracle Identity Manager release 11.1.1 has been used to denote Oracle Identity Manager 11g release 1 (11.1.1).

Target systems

The target system can be any one of the following operating systems that support SSH 2.0:

  • HP-UX 11.11, 11.20, 11.31

  • IBM AIX 5L Version 5.2, 5.3, 6.1

  • Oracle Enterprise Linux 5.2

  • Red Hat Enterprise Linux AS 2.1, 3, 4.x, Red Hat Enterprise Linux ES 3, 4.x

  • Solaris 8, 9, 10

Note: See "Supported Shell Types" for information about the supported shell type for the preceding operating systems.

Target system user account

Depending on the target system that you are using, the target system user account can be one of the following:

  • For AIX, HP-UX, and Linux environments: root user or sudo user

  • For Solaris: root user, sudo user, RBAC user

You provide the credentials of this user account while configuring the IT resource. The procedure is described later in this guide.

If you do not use a target system user account of the specified type, then an error message similar to the following would be displayed when Oracle Identity Manager tries to exchange data with the target system:

SSH_USER_NORIGHTS_FAIL

External code

JSCAPE SSH/SSH Libraries (SSH factory)

Character encoding supported by the target system

The target system must support the default C (POSIX) locale.

Use the following command to check the locale that the target system supports:

locale -a

Other systems

OpenSSH, OpenSSL, operating system patches (HP-UX), and SUDO software (only if the SUDO Admin mode is required)

JDK

The JDK version can be one of the following:

  • For Oracle Identity Manager release 9.1.0.x, use JDK 1.5 or later in the 1.5 series.

  • For Oracle Identity Manager release 11.1.1, use JDK 1.6 update 18 or later, or JRockit JDK 1.6 update 17 or later.


Supported Shell Types

The supported shell types for various operating systems are given in the following table.

Solaris   HP-UX   Linux   AIX
sh        csh     ksh     csh
csh       ksh     bash    ksh
-         sh      sh      sh
-         -       csh     -


1.2 Certified Languages

The connector supports the following languages:

  • Arabic

  • Chinese Simplified

  • Chinese Traditional

  • Danish

  • English

  • French

  • German

  • Italian

  • Japanese

  • Korean

  • Portuguese (Brazilian)

  • Spanish

Note:

However, the connector does not support the entry of multibyte characters in some of the fields.

See Also:

Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about supported special characters

1.3 Connector Architecture

This connector enables management of target system accounts through Oracle Identity Manager. Figure 1-1 shows the architecture of the connector.

Figure 1-1 Architecture of the Connector


The architecture of the connector can be explained in terms of the connector operations it supports:

1.3.1 Reconciliation Process

This connector can be configured to perform either trusted source reconciliation or target resource reconciliation.

When you configure the target system as a target resource, the connector enables you to create and manage target accounts for OIM Users through provisioning. In addition, data related to newly created and modified target system accounts can be reconciled and linked with existing OIM Users and provisioned resources.

When you configure the target system as a trusted source, the connector fetches into Oracle Identity Manager, data about newly created or modified target system accounts. This data is used to create or update OIM Users.

See Also:

For conceptual information about target resource reconciliation and trusted source reconciliation, see one of the following guides:

The following is an overview of the steps involved in reconciliation:

Note:

In Oracle Identity Manager release 11.1.1, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1.

See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.

  1. The scheduled task is run at the time or frequency that you specify. This scheduled task contains details of the mode of reconciliation (trusted source or target resource) that you want to perform.

  2. The scheduled task establishes a connection with the target system by using the SSH Factory.

  3. The scheduled task performs the following tasks:

    • Reads the values that you set for the task attributes.

    • Reads the differences between /etc/passwd, /etc/shadow, and their corresponding mirror files to determine the user records to be fetched into Oracle Identity Manager.

    • Fetches user records into Oracle Identity Manager.

  4. If you have configured your target system as a trusted source, then:

    1. Each user record fetched from the target system is compared with existing OIM Users. The reconciliation rule is applied during the comparison process. See Section 1.7.2, "Reconciliation Rule for Trusted Source Reconciliation" for information about the reconciliation rule.

    2. The next step of the process depends on the outcome of the matching operation:

      • If a match is found between the target system record and the OIM User, then the OIM User attributes are updated with changes made to the target system record.

      • If no match is found, then the target system record is used to create an OIM User.

  5. If you have configured your target system as a target resource, then:

    1. Each user record fetched from the target system is compared with existing target system resources assigned to OIM Users. The reconciliation rule is applied during the comparison process. See Section 1.6.2, "Reconciliation Rule for Target Resource Reconciliation" for information about the reconciliation rule.

    2. The next step of the process depends on the outcome of the matching operation:

      • If a match is found between the target system record and a resource provisioned to an OIM User, then the database user resource is updated with changes made to the target system record.

      • If no match is found, then the target system user record is compared with existing OIM Users. The next step depends on the outcome of the matching operation:

        If a match is found, then the target system record is used to provision a resource for the OIM User.

        If no match is found, then the status of the reconciliation event is set to No Match Found.
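The following added example (not part of the connector or this guide) walks through steps 3 to 5 in Python: it parses constructed /etc/passwd and /etc/shadow snapshots, diffs them against the mirror copies from the previous run, applies a glob filter standing in for the UserNameFilter attribute, splits the change set into batches, and applies the matching rule "User Login equals Users.UserLogin" for both trusted source and target resource mode. The sample data, the function names, and the derivation of a locked status from a "!" or "*" prefix on the shadow hash are assumptions made for the example.

```python
"""Added example: reconciliation steps 3-5 (diff, filter, batch, match)."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional

# Constructed sample files: *_MIRROR is what the previous run saw, *_NOW is the
# current state on the target system. Hash values are placeholders.
PASSWD_MIRROR = """root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:100:John Doe:/home/jdoe:/bin/bash
asmith:x:1002:100:Ann Smith:/home/asmith:/bin/ksh
"""
PASSWD_NOW = """root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:100:John Doe:/home/jdoe:/bin/ksh
asmith:x:1002:100:Ann Smith:/home/asmith:/bin/ksh
bnew:x:1003:100:Bob New:/home/bnew:/bin/sh
"""
SHADOW_MIRROR = """root:!:19000:0:99999:7:::
jdoe:$6$PLACEHOLDER:19000:0:90:7:::
asmith:$6$PLACEHOLDER:19000:0:90:7:::
"""
SHADOW_NOW = """root:!:19000:0:99999:7:::
jdoe:$6$PLACEHOLDER:19000:0:90:7:::
asmith:!$6$PLACEHOLDER:19100:0:90:7:::
bnew:$6$PLACEHOLDER:19200:0:90:7:::
"""


@dataclass(frozen=True)
class UserRecord:
    login: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str
    maxdays: Optional[int]  # shadow field 5, the 'Password Change Time' attribute
    locked: bool            # assumption: '!' or '*' prefix on the hash means locked


def parse_colon_file(text: str, min_fields: int) -> Dict[str, List[str]]:
    """Index a passwd- or shadow-style file by login, skipping malformed lines."""
    rows: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= min_fields and fields[0]:
            rows[fields[0]] = fields
    return rows


def build_records(passwd_text: str, shadow_text: str) -> Dict[str, UserRecord]:
    """Join passwd and shadow rows into one record per login."""
    shadow = parse_colon_file(shadow_text, 5)
    records: Dict[str, UserRecord] = {}
    for login, f in parse_colon_file(passwd_text, 7).items():
        s = shadow.get(login)
        hash_field = s[1] if s else ""
        maxdays = int(s[4]) if s and s[4].isdigit() else None
        records[login] = UserRecord(login, int(f[2]), int(f[3]), f[4], f[5], f[6],
                                    maxdays, hash_field.startswith(("!", "*")))
    return records


def changed_records(current, mirror, user_name_filter="*"):
    """Step 3: records that are new or differ from the mirror, restricted by a glob."""
    return [rec for login, rec in sorted(current.items())
            if fnmatch(login, user_name_filter) and mirror.get(login) != rec]


def batches(records, batch_size):
    """Batched reconciliation: fixed-size slices of the change set."""
    for start in range(0, len(records), batch_size):
        yield records[start:start + batch_size]


def decide_action(rec, oim_users, provisioned, trusted):
    """Steps 4-5: apply the rule element 'User Login equals Users.UserLogin'."""
    if trusted:
        return "update OIM User" if rec.login in oim_users else "create OIM User"
    if rec.login in provisioned:
        return "update provisioned resource"
    if rec.login in oim_users:
        return "provision resource for OIM User"
    return "No Match Found"


def reconcile(passwd_now, shadow_now, passwd_mirror, shadow_mirror,
              oim_users, provisioned, trusted, user_name_filter="*", batch_size=100):
    """Run one reconciliation pass and return (login, action) pairs."""
    current = build_records(passwd_now, shadow_now)
    mirror = build_records(passwd_mirror, shadow_mirror)
    results = []
    for batch in batches(changed_records(current, mirror, user_name_filter), batch_size):
        results.extend((r.login, decide_action(r, oim_users, provisioned, trusted))
                       for r in batch)
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("trusted" if mode else "target",
              reconcile(PASSWD_NOW, SHADOW_NOW, PASSWD_MIRROR, SHADOW_MIRROR,
                        {"jdoe", "asmith"}, {"jdoe"}, mode))
```

In the sample, jdoe's shell changed, asmith's password was locked, and bnew is new, so those three records are fetched while root is skipped. In target resource mode only jdoe has a provisioned resource, asmith matches an OIM User and gets a resource provisioned, and bnew ends as No Match Found; in trusted source mode bnew becomes a new OIM User.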

1.3.2 Provisioning Process

See Also:

For conceptual information about provisioning, see one of the following guides:

Provisioning involves creating and managing user accounts. When you allocate (or provision) a UNIX SSH resource to an OIM User, the operation results in the creation of an account on the target system for that user. Similarly, when you update the resource on Oracle Identity Manager, the same update is made to the account on the target system.

The provisioning process can be started through one of the following events:

  • Direct provisioning

    The Oracle Identity Manager administrator uses the Administrative and User Console to create a target system account for a user.

  • Provisioning triggered by access policy changes

    An access policy related to accounts on the target system is modified. When an access policy is modified, it is reevaluated for all users to which it applies.

  • Request-based provisioning

    Note:

    Request-based provisioning can be performed only on Oracle Identity Manager release 11.1.1.

    In request-based provisioning, an individual creates a request for a target system account. The provisioning process is completed when an OIM User with the required privileges approves the request and provisions the target system account to the requester.

During provisioning operations, adapters carry provisioning data submitted through the process form to the SSH factory, which in turn submits the provisioning data to the target system. The user account maintenance commands accept provisioning data from the adapters, carry out the required operation on the target system, and return the response from the target system to the adapters. The adapters return the response to Oracle Identity Manager.

1.4 Features of the Connector

1.4.1 Support for Both Target Resource and Trusted Source Reconciliation

You can use the connector to configure the target system as either a target resource or trusted source of Oracle Identity Manager.

See Section 3.3, "Configuring Reconciliation" for more information.

1.4.2 Support for Limited Reconciliation

You can set a reconciliation filter as the value of the UserNameFilter attribute of the scheduled tasks. This filter specifies the subset of newly added and modified target system records that must be reconciled.

See Section 3.3.2, "Limited Reconciliation" for more information.

1.4.3 Support for Batched Reconciliation

You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.

See Section 3.3.3, "Batched Reconciliation" for more information.

1.4.4 Support for Both Full and Incremental Reconciliation

After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager. After the first full reconciliation run, incremental reconciliation is automatically enabled from the next run of the user reconciliation.

You can perform a full reconciliation run at any time. See Section 3.3.1, "Full Reconciliation" for more information.

1.4.5 Support for Adding Custom Attributes for Reconciliation and Provisioning

If you want to add custom attributes for reconciliation and provisioning, then perform the procedures described in Chapter 4, "Extending the Functionality of the Connector."

1.4.6 Transformation of Account Data

You can configure transformation of account data that is brought into Oracle Identity Manager during reconciliation.

See Section 4.4, "Transforming Data Reconciled Into Oracle Identity Manager" for more information.

1.4.7 Support for Reconciliation of User Status from the Target System

From this release onward, the connector can reconcile user account status information from the target system.

1.5 Lookup Definitions Used During Connector Operations

Lookup definitions used during connector operations can be divided into the following categories:

1.5.1 Lookup Definitions Synchronized with the Target System

During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Primary Group Name lookup field to select a group name for the user's initial login group. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are automatically created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

The UD_Lookup_SSH_PrimaryGroupNames lookup definition is populated with group names fetched from the target system by the scheduled task for lookup field synchronization.

See Also:

Section 3.2, "Scheduled Task for Lookup Field Synchronization" for information about this scheduled task

1.5.2 Other Lookup Definitions

Table 1-2 describes the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed.

Table 1-2 Other Lookup Definitions

Lookup.Unix.Configuration

  Description of values: This lookup definition maps statuses of user accounts in the target system with the corresponding statuses to be displayed in the Status field of the OIM User form.

  Method to specify values: This lookup definition is preconfigured. It is used for performing user account status reconciliation. You cannot add or modify entries in this lookup definition.

Lookup.Reconciliation.TransformationMap

  Description of values: This lookup definition is used to configure transformation of attribute values that are fetched from the target system during user reconciliation.

  Method to specify values: You manually create entries in this lookup definition. See Section 4.4, "Transforming Data Reconciled Into Oracle Identity Manager" for more information.


1.6 Connector Objects Used During Target Resource Reconciliation and Provisioning

The following sections provide information about connector objects used during target resource reconciliation and provisioning:

See Also:

The "Reconciliation" section in Oracle Identity Manager Connector Concepts for conceptual information about reconciliation

The following sections provide information about connector objects used during reconciliation:

1.6.1 User Attributes for Target Resource Reconciliation and Provisioning

Table 1-3 provides information about user attribute mappings for target resource reconciliation and provisioning.

Table 1-3 User Attributes for Target Resource Reconciliation and Provisioning

Process Form Field (Target System Field): Description

User Login (User Login): New login name, specified as a string of printable characters

Password (passwd): Password

Secondary Group Names (supplementary groups): List of supplementary groups of which the user is also a member

User UID (uid): Numeric value of the user ID. This value must be unique and nonnegative. The default is to use the smallest ID value greater than 99 and greater than the number used for any other user. Values between 0 and 99 are typically reserved for system accounts.

Primary Group Name (initial group): The group name or number of the user's initial login group

Default Shell (shell): User's login shell

GECOS (comment): Generally, a short description of the login. It is used as the field for the user's full name. This information is stored in the user's /etc/passwd file entry. Note: The entry of multibyte characters is supported for this attribute.

Home Directory (home directory): Login directory of the new user. The default directory name is obtained by appending the login name to the default home directory. For example, if the login name is jdoe, then the default home directory is /home/jdoe. Note: The entry of multibyte characters is supported for this attribute.

Account Expiry Date (expire date): Date on which the user account is disabled. Note: For a trusted configuration, such as the HP-UX (trusted) mode, the Password Change Time and Account Expiry Date fields are not reconciled.

Password Change Time (maxdays): Maximum number of days for which a password is valid

Skeleton Directory (skeleton directory): The skeleton directory that contains information that can be copied to the new login's home directory. An existing directory must be specified. The system provides a skeleton directory, /etc/skel, that can be used for this purpose. Note: The entry of multibyte characters is supported for this attribute.

Inactive Days (inactive days): Number of days after a password has expired before the account is disabled
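Section 1.3.2 states that the adapters hand process form data to user account maintenance commands that run on the target system as root or through sudo. The added example below (not code from the connector or this guide) shows the validation a defender would want in front of such a command: every field from Table 1-3 is checked against the constraints the table gives (printable login, nonnegative unique UID with 0-99 reserved, a shell from the supported-shell table, absolute directories, no ":" or control characters in GECOS) and the command is built as an argument list that is quoted per token. The useradd and chage flags follow Linux shadow-utils; the connector's own per-platform commands are not shown on this page, so the mapping, the shell paths, and the sample form are assumptions.

```python
"""Added example: validating Table 1-3 fields before building a Create User command."""
import re
import shlex
from typing import Dict, List

# POSIX portable login name (assumption: the connector's own rule may differ);
# also keeps shell metacharacters out of the name.
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
GROUP_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Paths for the shells in the supported-shell table (paths assumed).
SUPPORTED_SHELLS = {"/bin/sh", "/bin/csh", "/bin/ksh", "/bin/bash"}
# GECOS and directories may carry multibyte text but never ':' (the passwd
# field delimiter) or a control character.
FREE_TEXT_RE = re.compile(r"^[^:\x00-\x1f\x7f]*$")

# Constructed process form. The Password field is deliberately absent: a
# password must never travel on a command line, where 'ps' exposes it.
SAMPLE_FORM = {
    "User Login": "jdoe",
    "User UID": "1001",
    "Primary Group Name": "users",
    "Secondary Group Names": "dev,audit",
    "Default Shell": "/bin/ksh",
    "GECOS": "John Doe, Platform Team",
    "Home Directory": "/home/jdoe",
    "Skeleton Directory": "/etc/skel",
    "Account Expiry Date": "2025-12-31",
    "Password Change Time": "90",
    "Inactive Days": "14",
}


class ProvisioningError(ValueError):
    """Raised when a form value would produce an invalid or unsafe command."""


def validate_form(form: Dict[str, str], allow_reserved_uid: bool = False) -> Dict[str, str]:
    """Check each Table 1-3 field against its stated constraint; return a copy."""
    f = dict(form)
    if not LOGIN_RE.match(f["User Login"]):
        raise ProvisioningError("User Login must be a printable, portable login name")
    uid = int(f["User UID"])
    if uid < 0:
        raise ProvisioningError("User UID must be nonnegative")
    if uid <= 99 and not allow_reserved_uid:
        raise ProvisioningError("UIDs 0-99 are reserved for system accounts")
    if f["Default Shell"] not in SUPPORTED_SHELLS:
        raise ProvisioningError("Default Shell is not a supported shell")
    for key in ("Home Directory", "Skeleton Directory"):
        if not f[key].startswith("/") or not FREE_TEXT_RE.match(f[key]):
            raise ProvisioningError(f"{key} must be an absolute path without ':'")
    if not FREE_TEXT_RE.match(f["GECOS"]):
        raise ProvisioningError("GECOS may not contain ':' or control characters")
    if not GROUP_RE.match(f["Primary Group Name"]):
        raise ProvisioningError("Primary Group Name is not a valid group name")
    if not all(GROUP_RE.match(g) for g in f["Secondary Group Names"].split(",")):
        raise ProvisioningError("Secondary Group Names contains an invalid group name")
    if not DATE_RE.match(f["Account Expiry Date"]):
        raise ProvisioningError("Account Expiry Date must be YYYY-MM-DD")
    for key in ("Password Change Time", "Inactive Days"):
        if not f[key].isdigit():
            raise ProvisioningError(f"{key} must be a nonnegative integer")
    return f


def build_useradd_argv(form: Dict[str, str]) -> List[str]:
    """Create User: one argv token per field, never a concatenated shell string."""
    f = validate_form(form)
    return ["useradd", "-u", f["User UID"], "-g", f["Primary Group Name"],
            "-G", f["Secondary Group Names"], "-s", f["Default Shell"],
            "-d", f["Home Directory"], "-m", "-k", f["Skeleton Directory"],
            "-c", f["GECOS"], "-e", f["Account Expiry Date"],
            "-f", f["Inactive Days"], f["User Login"]]


def build_chage_argv(form: Dict[str, str]) -> List[str]:
    """Password Change Time (maxdays) is set separately with chage on Linux."""
    f = validate_form(form)
    return ["chage", "-M", f["Password Change Time"], f["User Login"]]


def as_sudo_command(argv: List[str]) -> str:
    """Quote every token so the remote shell sees exactly one argument per field."""
    return "sudo " + " ".join(shlex.quote(a) for a in argv)


def rejects(form: Dict[str, str]) -> bool:
    """True when validation refuses the form (used to exercise the checks)."""
    try:
        build_useradd_argv(form)
    except ProvisioningError:
        return True
    return False


if __name__ == "__main__":
    print(as_sudo_command(build_useradd_argv(SAMPLE_FORM)))
    print(as_sudo_command(build_chage_argv(SAMPLE_FORM)))
```

Because the GECOS field accepts multibyte free text, it is the field most worth checking before it reaches a privileged shell; rejecting ":" keeps a single form value from spilling into a second /etc/passwd field, and per-token quoting keeps spaces and quotes in a full name from being re-parsed by the remote shell.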


1.6.2 Reconciliation Rule for Target Resource Reconciliation

See Also:

For generic information about reconciliation matching and action rules, see one of the following guides:

The following is the process-matching rule:

Rule name: SSH User Rule

Rule element: User Login equals Users.UserLogin

In this rule:

  • User Login is the User ID attribute on the OIM User form.

  • Users.UserLogin is the User Login attribute of the target system.

After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Search for SSH User Rule. Figure 1-2 shows the reconciliation rule for target resource reconciliation.

    Figure 1-2 Reconciliation Rule for Target Resource Reconciliation


1.6.3 Reconciliation Action Rules for Target Resource Reconciliation

Table 1-4 lists the action rules for target resource reconciliation.

Table 1-4 Action Rules for Target Resource Reconciliation

Rule Condition              Action
No Matches Found            Assign to Authorizer With Least Load
One Entity Match Found      Establish Link
One Process Match Found     Establish Link


Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about modifying or creating reconciliation action rules.

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management.

  3. Double-click Resource Objects.

  4. Search for and open the SSH User resource object.

  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-3 shows the reconciliation action rule for target resource reconciliation.

    Figure 1-3 Reconciliation Action Rules for Target Resource Reconciliation


1.6.4 Provisioning Functions

Table 1-5 lists the provisioning functions that are supported by the connector. The Adapter column gives the name of the adapter that is used when the function is performed.

Table 1-5 Provisioning Functions

Function                            Adapter
Create User                         adpSSHCreateUser
Delete User                         adpSSHDeleteUser
Update User UID                     adpSSHupdateIntField
Update User Group                   adpSSHupdateStrField
Update User Password Change Time    adpSSHupdateIntField
Update Shell                        adpSSHupdateStrField
Update Home Directory               adpSSHupdateHomeDir
Update Account Expiry Date          adpSSHupdateDateField
Update User GECOS                   adpSSHupdateStrField
Set Password                        adpSSHsetpassword
Update Secondary Group Names        adpSSHupdateStrField
Update Inactive Days                adpSSHupdateIntField
  Note: This function is not supported on AIX 5.2.
Update User Login                   adpSSHupdateStrField
Disable User                        adpSSHdisableUser
Enable User                         adpSSHenableUser


1.7 Connector Objects Used During Trusted Source Reconciliation

The following sections provide information about connector objects used during trusted source reconciliation:

1.7.1 User Attributes for Trusted Source Reconciliation

Table 1-6 lists user attributes for trusted source reconciliation.

Table 1-6 User Attributes for Trusted Source Reconciliation

OIM User Form Field    Target System Attribute    Description
User ID                UserLogin                  Common name
First Name             UserLogin                  Given name
Last Name              UserLogin                  Last name
Employee Type          NA                         Default value: Consultant
User Type              NA                         Default value: End-User Administrator
Organization           NA                         Default value: Xellerate Users


1.7.2 Reconciliation Rule for Trusted Source Reconciliation

See Also:

For generic information about reconciliation matching and action rules, see one of the following guides:

The following is the process matching rule:

Rule name: SSH Xellerate User Rule

Rule element: User Login equals Users.UserLogin

In this rule element:

  • User Login is the User ID attribute on the OIM User form.

  • Users.UserLogin is the User Login attribute of the target system.

After you deploy the connector, you can view the reconciliation rule for trusted source reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Search for SSH Xellerate User Rule. Figure 1-4 shows the reconciliation rule for trusted source reconciliation.

    Figure 1-4 Reconciliation Rule for Trusted Source Reconciliation

1.7.3 Reconciliation Action Rules for Trusted Source Reconciliation

Table 1-7 lists the action rules for trusted source reconciliation.

Table 1-7 Action Rules for Trusted Source Reconciliation

Rule Condition              Action
No Matches Found            Create User
One Entity Match Found      Establish Link
One Process Match Found     Establish Link


Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about modifying or creating reconciliation action rules.

After you deploy the connector, you can view the reconciliation action rules for trusted source reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management.

  3. Double-click Resource Objects.

  4. Search for and open the Xellerate User resource object.

  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-5 shows the reconciliation action rules for trusted source reconciliation.

    Figure 1-5 Reconciliation Action Rules for Trusted Source Reconciliation


1.8 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of this guide: