This chapter provides an overview of the updates made to the software and documentation for the UNIX SSH connector in release 9.0.4.15.
Note:
Release 9.0.4.15 of the connector comes after release 9.0.4.12. Release numbers 9.0.4.13 and 9.0.4.14 have not been used.
The updates discussed in this chapter are divided into the following categories:
Software Updates
This section describes updates made to the connector software.
Documentation-Specific Updates
This section describes major changes made to this guide. These changes are not related to software updates.
The following sections discuss software updates:
The following are software updates implemented in release 9.0.4.15:
From this release onward, the connector adds support for HP-UX version 11iv3 (11.31) as the target system.
See Section 1.1, "Certified Components" for the full list of certified target systems.
From this release onward, the connector provides support for importing a request dataset XML file into Oracle Identity Manager by using the Deployment Manager on Oracle Identity Manager 11g release 1 (11.1.1).
The installation media of this release includes a request dataset file, SSHConnectorRequestDatasets.xml, which is available in the xml directory.
See Section 2.5.5.1, "Importing Request Datasets Using Deployment Manager" for more information.
The following table describes issues resolved in release 9.0.4.15:
Bug Number | Issue | Resolution |
---|---|---|
12547932 | The performance of the connector was slow. | This issue has been resolved. The reconciliation of records can now be initiated in parallel, which reduces the time taken for reconciliation. |
9314911 | The connector did not support AIX 6.1 as a target resource. | This issue has been resolved. AIX 6.1 is now supported as a target resource. |
11737066 | When running the SSH User Target Resource Reconciliation Task, if the number of users to be reconciled is greater than the batch size, an exception is thrown. | This issue has been resolved. The reconciliation task runs successfully for multiple batches. |
7498112 | The connector did not support HP-UX11I V2,V3 as a target resource. | This issue has been resolved. HP-UX11I V2,V3 is now supported as a target resource. |
The following are the software updates in release 9.0.4.12:
From this release onward, the connector can be installed and used on Oracle Identity Manager 11g release 1 (11.1.1). Where applicable, instructions specific to this Oracle Identity Manager release have been added in the guide.
See Section 1.1, "Certified Components" for the full list of certified Oracle Identity Manager releases.
From this release onward, the connector provides support for request-based provisioning on Oracle Identity Manager 11g release 1 (11.1.1).
See Section 3.6.2, "Request-Based Provisioning" for more information.
From this release onward, the connector adds support for IBM AIX 5L Version 6.1 as the target system.
See Section 1.1, "Certified Components" for the full list of certified target systems.
From this release onward, the connector can reconcile user account status information from the target system.
The following table lists issues resolved in release 9.0.4.12:
Bug Number | Issue | Resolution |
---|---|---|
7374688 | Reconciliation of user records in the sudo mode failed because the connector attempted to run a shell. | This issue has been resolved. |
9295029 | When an update task failed, the status of the corresponding process task adapters changed from | This issue has been resolved. The status of the process task adapters does not change when the corresponding update task fails. |
9611960 | When performing a Create User provisioning operation on AIX, the group name must be specified as the value of the Primary Group Name lookup field. However, instead of displaying group names, the Primary Group Name lookup field displayed group IDs. This happened for the following reason: After performing lookup field synchronization by running the TelnetSSHGroupLookupReconTask scheduled task, the Code Key column of the UD_Lookup_SSH_PrimaryGroupNames lookup definition contained the group IDs, and the Decode column contained the group names. | This issue has been resolved. After you perform lookup field synchronization, the connector now reconciles group names into the Code Key column, and group IDs into the Decode column of the UD_Lookup_SSH_PrimaryGroupNames lookup definition. Therefore, for AIX and the other target systems, the connector passes the group name instead of the group ID. |
9611211 | The Confirm Password field on the process form required users to enter their passwords 2 times. | The Confirm Password field has been removed from the process form. |
The following table lists issues resolved in release 9.0.4.11:
Bug Number | Issue | Resolution |
---|---|---|
9100879 | The Delete User provisioning operation did not work. | This issue has been resolved. The Delete User provisioning operation now works correctly. |
9195323 | The Create User provisioning operation failed when it was retried. | This issue has been resolved. The Create User provisioning operation can be retried. |
The following table lists issues resolved in release 9.0.4.7:
Bug Number | Issue | Resolution |
---|---|---|
7520249 | During reconciliation, you could not transform values of the target system field before they were stored in Oracle Identity Manager. | This issue has been resolved. You can now transform the values of the target system fields before they are stored in Oracle Identity Manager. See the "Transforming Data Reconciled Into Oracle Identity Manager" chapter in the connector guide for more information. |
7563415 | During reconciliation, the Group Name field was reconciled as a number and not as the exact name because it was stored directly as the group ID in the target system. | This issue has been resolved. During reconciliation, the exact name of the Group Name field is reconciled. |
8341984 | In the Create User process task, the default value of the Map To variable was IT Resource. This value was incorrect. | This issue has been resolved. The |
8396795 | During connector deployment, the lib/xliSSH.jar file on the installation media was not automatically copied into the OIM_HOME/xellerate/ScheduleTask directory. | This issue has been resolved. The lib/xliSSH.jar file is now automatically copied to the OIM_HOME/xellerate/ScheduleTask directory. |
The following table lists issues resolved in release 9.0.4.6:
Bug Number | Issue | Resolution |
---|---|---|
7478452 | You use the IT resource to specify the credentials of the SUDO user that you want to use for connector operations. If this SUDO user did not have the required permissions, then the target system did not allow you to perform Disable User provisioning operations. This is expected behavior. However, the status of the user was set to Disabled on Oracle Identity Manager even though the status of the user on the target system remained unchanged. | This issue has been resolved. If the SUDO user does not have the permissions required to disable users on the target system, then an appropriate message is displayed on the Administrative and User Console. |
7503701 | The target system does not allow you to delete a user who is logged in to the system. This is expected behavior. However, even when the target system did not allow the deletion of a user, the status of the user (resource) on Oracle Identity Manager was changed to Deleted (Revoked). | This issue has been resolved. If the target system does not allow the deletion of a user, then an appropriate message is displayed as the outcome of the Delete User provisioning operation. The item describing this issue has been removed from Chapter 6, "Known Issues". |
The following are software updates in release 9.0.4.5:
In earlier releases, you had to provide the credentials of the root or sudo user for letting Oracle Identity Manager communicate with the Solaris target system. This release supports the role-based access control (RBAC) feature of Solaris. From this release onward, Oracle Identity Manager can communicate with Solaris by using a user account to which you assign the minimum required privileges.
See Section 2.3.3.1.2, "Creating an RBAC User Account for Connector Operations" for more information.
The following are some of the changes made in the IT resource:
The Whether SUDO Admin Mode parameter has been renamed to Sudo Or RBAC.
Descriptions of the Admin UserId and Admin Password/Private file Pwd parameters have been modified.
The RBAC Role Name and RBAC Role Passwd parameters have been added.
See Chapter 2, "Deploying the Connector" for information about these parameters.
The following table lists issues resolved in release 9.0.4.5:
Bug Number | Issue | Resolution |
---|---|---|
5503263 | The "Create Home Directory" field is a check box on the Administrative and User Console. If you selected this check box, the numeral 1 was displayed on the page that summarizes input you provide during provisioning operations. | The check box has been changed to a radio button. If you select the "Create Home Directory" option, then the word "Yes" is displayed on the page that summarizes input. If you do not select the option, then the word "No" is displayed. |
7133380 | A user for whom an SSH account was created on AIX through a provisioning operation was forced to change the password at first login. | Password change at first login is not enforced for newly created SSH accounts on AIX. |
7225692 | To stop a scheduled task, you use the Stop Execution option in the Design Console. This option did not work in earlier releases. | You can now use the Stop Execution option to stop scheduled tasks. Note: When you stop a batched reconciliation run, reconciliation stops at the end of the batch being reconciled. |
7345302 | During a provisioning operation, the home directory was not created if you specified an invalid path on the target system host computer. However, the status of the process task was Completed. | If an invalid home directory path is specified, then the "Invalid Home directory" error message is displayed on the Administrative and User Console. |
7347256 | An error was thrown when a user connected to an HP-UX target system was updated through a provisioning operation performed on Oracle Identity Manager. The response from the target system was not correctly parsed and displayed as an error message on the Administrative and User Console. | The "User currently in use" message is displayed if you try to update any attribute of a user who is currently logged in to the target system. |
The following are software updates in release 9.0.4.4:
From Oracle Identity Manager release 9.1.0 onward, the Administrative and User Console provides the Connector Installer feature. This feature can be used to automate the connector installation procedure.
See Section 2.4, "Installing the Connector on Oracle Identity Manager Release 9.1.0.x or Release 11.1.1" for details.
The following are software updates in release 9.0.4.3:
The Primary Group Name field on the process form has been converted into a lookup field. During a provisioning operation, you can now select a primary group instead of entering the name of the group. The TelnetSSHGroupLookupReconTask scheduled task has been added to reconcile (synchronize) the values in the lookup definition with primary group names in the target system.
The name of the target resource reconciliation scheduled task has been changed from SSH User Non Trusted Reconciliation task to SSH Target Resource User Reconciliation Task.
The level of detail has been increased for data logged when you set the log level to DEBUG. With this log level, it is now easier to track down the cause of an error recorded in the log file.
The following table lists issues resolved in release 9.0.4.3:
Bug Number | Issue | Resolution |
---|---|---|
7121688 | On AIX 5.3, the | This issue has been resolved. You can now update the User Login attribute through a provisioning operation. Note: The Update User Login provisioning operation is not supported by default on AIX 4.x and 5.1. However, if you upgrade these versions of AIX to support the useradd, usermod, and userdel commands, then you can perform the Update User Login provisioning operation. |
7143460 | During a reconciliation run on AIX, the | This issue has been resolved. An exception is not thrown if the number of deleted records fetched from the target system is more than the number of newly created or updated records fetched from the target system. |
7143486 | If a reconciliation run ended in an exception, then the connection with the target system was not closed. | This issue has been resolved. The connection with the target system is closed even if a reconciliation run ends in an exception. |
The following are software updates in release 9.0.4.2:
In Step 2 of the "Installing and Configuring SUDO" section for Solaris, the usermod command has been added to the list of commands used by the target system.
In Section 2.5.4, "Enabling Logging," the name of the adapter for this connector has been changed from ADAPTERS.TELNETSSH to OIMCP.TELNETSSH.
In the "Compiling Adapters" section, the SSH updateHomeDir adapter has been added to the list of adapters.
In the IT resource definition, the following parameters have been removed:
Login Prompt
Password Prompt
Target Locale
Supported Character Encoding (en_US) – Target
The following scheduled task attributes have been converted into IT resource parameters:
Passwd Mirror File/User Mirror File
Shadow Mirror File
Target Date Format
The following table lists issues resolved in release 9.0.4.2:
Bug Number | Issue | Resolution |
---|---|---|
6375896 | Target resource reconciliation threw exceptions when users were reconciled from Linux using a SUDO admin user. | Target resource reconciliation issues related to Linux used in the SUDO mode have been resolved. |
6609731 | The | The |
6642345 | The connection retry feature of the connector was not working correctly. | Issues related to the connection retry feature have been resolved. |
6680047 | If a connection retry attempt was made, then previous sessions were not released and new sessions were established each time. | Connectivity issues related to session leakage have been resolved. |
6728741 | An incorrect response was received from the connector if the username value was greater than 8 characters and the Create Home directory check box was checked. | The responses received from the connector have been corrected. |
6742869 | A user could not be provisioned if there were spaces in the value of the GECOS field. | Spaces are now allowed in the GECOS field. |
6766705 and 6801405 | The status of the resource object stayed at | Issues related to the resource object status and response during provisioning have been resolved. |
6786399 | The connector was unable to handle responses from target systems running a non-English locale. | Responses from target systems running a non-English locale are now handled correctly. |
6801537 | During reconciliation, temporary files were created in the | During reconciliation, temporary files are now created in the |
6837471 | A user could not be provisioned with spaces in the values of any of the user attributes. | Spaces are now allowed in many of the user attributes. |
5180204 | On AIX computers, the connector was not able to reconcile a large number of records. | Issues related to the reconciliation of a large number of users on AIX have been resolved. |
5502324 | Date format parsing errors were encountered during reconciliation. | The date format parsing error that was encountered during the user reconciliation has been resolved. |
5503100 | The message displayed when the user name had multibyte characters during a Create User provisioning operation was incorrect. | The message displayed when the user name has multibyte characters during a Create User provisioning operation has been modified. |
5647992 | On Linux, Solaris, and AIX computers, the Home Directory attribute could not be updated. | The Home Directory attribute is updated correctly on Linux, Solaris, and AIX targets. |
5180227 | The IT Resources contained two redundant parameters, | The |
6604117 | The Password and Confirm Password fields on the process form were not encrypted. | The Password and Confirm Password fields have been modified to accept encrypted values. |
6310073 | During provisioning, if user creation on the target system failed at some stage, then the user was not cleaned up from the target system although the status of the resource was | During provisioning, if the user is not created properly on the target, then the user is deleted from the target system and the resource object status is set to |
The following sections discuss documentation-specific updates:
The following are documentation-specific updates in release 9.0.4.15:
In Chapter 1, "About the Connector," in Section 1.1, "Certified Components," HP-UX 11.31 has been added to the list of target systems.
In Chapter 2, "Deploying the Connector," Table 2-1, "Files and Directories on the Installation Media" has been modified.
In Chapter 2, "Deploying the Connector," a note on converting the system to a trusted system has been added to Section 2.3.1.3, "Configuration Steps for HP-UX."
In Chapter 2, "Deploying the Connector," Section 2.3.4.2, "Configuring SSH Public Key Authentication" has been modified.
In Chapter 2, "Deploying the Connector," Section 2.4.2, "Copying the sshfactory.jar File" has been added.
In Chapter 3, "Using the Connector," the following changes have been made to Table 3-2, "Attributes of the User Reconciliation Scheduled Tasks":
The description of the Server attribute has been changed.
A new attribute IsRoRecon has been added.
In Chapter 5, "Testing and Troubleshooting," the following changes have been made:
A note on the testing utility has been added.
The expiry date format has been added in the table.
Information specific to Oracle Identity Manager release 11.1.1 has been added to the following sections:
Major changes have been made to the structure of the guide. The objective of these changes is to synchronize the guide with the changes made to the connector and to improve the usability of the information provided by the guide.
The following are documentation-specific updates in release 9.0.4.11:
The minimum certified release of Oracle Identity Manager is release 9.1.0.x.
The minimum certified release of JDK is release 1.4.2.
See Section 1.1, "Certified Components" for the full list of certified target systems.
The following are documentation-specific updates in release 9.0.4.7:
Changes have been made in the following sections:
Section 4.4, "Transforming Data Reconciled Into Oracle Identity Manager" has been added.
The following point has been removed from Chapter 6, "Known Issues":
During reconciliation, the Group Name field is reconciled as a number and not as the exact name because it is stored directly as the group ID in the target system.
The following appendixes have been added:
At some places in this guide, corrections have been made to address some documentation issues.
The following are documentation-specific updates in release 9.0.4.5:
In Chapter 2, "Deploying the Connector," the Protocol parameter has been added in the table that describes the IT resource parameters.
Bug numbers have been added for all the known issues.
The following guidelines have been moved from Chapter 6, "Known Issues" to other parts of this guide:
This connector does not support logins that differ by case only. It also requires all logins to be distinct considering that their values are automatically converted to uppercase by Oracle Identity Manager.
For example, the user logins jdoe and JDOE would be considered different on a UNIX server. However, from Oracle Identity Manager, the input would always be passed as JDOE, because user ID values are stored only in uppercase in Oracle Identity Manager.
During provisioning, the maximum permitted date value for account expiry is 31/12/2099.
The following point has been removed from Chapter 6, "Known Issues":
The Update Secondary Group Names and Update User Login functions do not work simultaneously.
The following documentation-specific updates have been made in releases 9.0.4.1 through 9.0.4.4:
Changes have been made in the following sections:
Adding Custom Attributes for Reconciliation
Adding Custom Attributes for Provisioning
In Chapter 6, "Known Issues," the following items have been added:
"The Update User Login function is not supported on most versions of AIX."
A reconciliation run stops if the scheduled task code encounters target system user data containing the character or characters that are the same as the shell prompt of the target system.
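Two points on this page can be checked on a target system before it is onboarded: logins that differ only by case become one identity once Oracle Identity Manager uppercases them, and user data containing the shell prompt stops a reconciliation run. The following audit script is an added example, not part of the connector or of this guide; the passwd-format sample is constructed, and the function names and the "$" prompt value are assumptions.

```python
from collections import defaultdict

# Constructed sample in /etc/passwd format; not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
jdoe:x:1001:100:John Doe:/home/jdoe:/bin/sh
JDOE:x:1002:100:Jane Doe:/home/JDOE:/bin/sh
asmith:x:1003:100:Ann Smith $ contractor:/home/asmith:/bin/sh
# comment line
broken-line-without-fields
"""

FIELD_NAMES = ("login", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Yield the seven fields of each well-formed passwd record."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        fields = line.split(":")
        if len(fields) == len(FIELD_NAMES) and fields[0]:
            yield fields  # malformed records are ignored


def case_collisions(text):
    """Map each uppercased login to the distinct logins that fold onto it."""
    groups = defaultdict(set)
    for fields in parse_passwd(text):
        groups[fields[0].upper()].add(fields[0])
    return {up: sorted(names) for up, names in groups.items() if len(names) > 1}


def prompt_hits(text, prompt):
    """List (login, field name) pairs whose value contains the prompt string.

    `prompt` is the shell prompt of the account the connector logs in as
    (assumed here to be supplied by the administrator).
    """
    if not prompt:
        raise ValueError("prompt must be a non-empty string")
    return [
        (fields[0], name)
        for fields in parse_passwd(text)
        for name, value in zip(FIELD_NAMES, fields)
        if prompt in value
    ]


if __name__ == "__main__":
    for upper, names in case_collisions(SAMPLE_PASSWD).items():
        print(f"collision: {names} all become {upper}")
    for login, field in prompt_hits(SAMPLE_PASSWD, "$"):
        print(f"prompt character in {field} field of {login}")
```

Any login group reported by `case_collisions` needs to be renamed or excluded before reconciliation, because both accounts would map to the same uppercase user ID.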
In Chapter 6, "Known Issues," the following item has been removed:
When you configure an IT resource for an SSH user account and then directly provision it to a user, the Create User Task function is rejected. The user account is not created on the target system. The following message is displayed:
"SSH_USERCREATION_NOTCONNECTED_FAIL not able to connect successfully to the Target System Server".