Contents

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

What's New in the Oracle Identity Manager Advanced Connector for IBM RACF?

• Software Updates
• Documentation-Specific Updates

1 About the Connector

• 1.1 Certified Components
• 1.2 Certified Languages
• 1.3 Connector Architecture
  • 1.3.1 Connector Components
  • 1.3.2 Connector Operations
    • 1.3.2.1 Full Reconciliation Process
    • 1.3.2.2 Initial LDAP Population and Reconciliation Process
    • 1.3.2.3 Provisioning Process
• 1.4 Features of the Connector
  • 1.4.1 Full and Incremental Reconciliation
  • 1.4.2 Encrypted Communication Between the Target System and Oracle Identity Manager
  • 1.4.3 High Availability Feature of the Connector
• 1.5 Connector Objects Used During Reconciliation and Provisioning
  • 1.5.1 Supported Functions for Target Resource Reconciliation
  • 1.5.2 Supported Functions for Provisioning
  • 1.5.3 User Attributes for Target Resource Reconciliation and Provisioning
  • 1.5.4 Group Attributes for Target Resource Reconciliation and Provisioning
  • 1.5.5 Security Attributes for Provisioning
  • 1.5.6 Dataset Profile Attributes for Provisioning
  • 1.5.7 Resource Profile Attributes for Provisioning
  • 1.5.8 Reconciliation Rule
  • 1.5.9 Reconciliation Action Rules

2 Deploying the IDF Advanced Adapter for IBM RACF

• 2.1 IDF Mainframe Adapters Functional Characteristics
  • 2.1.1 Pioneer
  • 2.1.2 Voyager
• 2.2 Prerequisites
  • 2.2.1 Message Transport Requirements
  • 2.2.2 APF Authorization
• 2.3 Mainframe Adapter Installation
  • 2.3.1 Extracting the Files for Deployment from the Distribution Zip Archive File
  • 2.3.2 Uploading Files
  • 2.3.3 Extracting the XMIT Files
  • 2.3.4 Editing the Mainframe Batch Job Files to Match the Settings for the Customer's Site
  • 2.3.5 Submitting Batch Job Streams
  • 2.3.6 Activating and Loading the Exits
  • 2.3.7 Creating a RACF UserID for Pioneer and Voyager with Permissions
  • 2.3.8 Adding Pioneer/Voyager to the Facility Class Profiles (IRR)
  • 2.3.9 Testing the Installation

3 Connector Deployment on Oracle Identity Manager

• 3.1 Files and Directories That Comprise the Connector
• 3.2 Running the Connector Installer
• 3.3 Configuring the IT Resource
• 3.4 Configuring Oracle Identity Manager
  • 3.4.1 Creating Additional Metadata, Running Entitlement, and Catalog Synchronization Jobs
    • 3.4.1.1 Creating and Activating a Sandbox
    • 3.4.1.2 Creating a New UI Form
    • 3.4.1.3 Creating an Application Instance
    • 3.4.1.4 Publishing a Sandbox
    • 3.4.1.5 Harvesting Entitlements and Sync Catalog
    • 3.4.1.6 Updating an Existing Application Instance with a New Form
  • 3.4.2 Localizing Field Labels in UI Forms
  • 3.4.3 Clearing Content Related to Connector Resource Bundles from the Server Cache
  • 3.4.4 Enabling Logging
    • 3.4.4.1 Enabling Logging for the LDAP Gateway
    • 3.4.4.2 Enabling Logging on Oracle Identity Manager
• 3.5 Installing and Configuring the LDAP Gateway

4 Using the Connector

• 4.1 Guidelines on Using the Connector
• 4.2 Scheduled Tasks for Lookup Field Synchronization
• 4.3 Configuring the Security Attributes Lookup Field
• 4.4 Configuring Reconciliation
  • 4.4.1 Configuring Incremental Reconciliation
  • 4.4.2 Performing Full Reconciliation
  • 4.4.3 Reconciliation Scheduled Tasks
    • 4.4.3.1 RACF Reconcile All Users
    • 4.4.3.2 RACF Deleted User Reconciliation Using OIM
    • 4.4.3.3 RACF Reconcile Users to Internal LDAP
    • 4.4.3.4 RACF Reconcile All LDAP Users
  • 4.4.4 Configuring Filtered Reconciliation to Multiple Resource Objects
• 4.5 Configuring Account Status Reconciliation
• 4.6 Configuring Scheduled Tasks
• 4.7 Performing Provisioning Operations

5 Extending the Functionality of the Connector

• 5.1 Adding Custom Fields for Target Resource Reconciliation
  • 5.1.1 Adding Custom Fields for Reconciliation
  • 5.1.2 Adding Custom Fields to Oracle Identity Manager
• 5.2 Adding Custom Multivalued Fields for Reconciliation
  • 5.2.1 Adding Custom Multivalued Fields to the Reconciliation Component
  • 5.2.2 Adding Custom Multivalued Fields to Oracle Identity Manager
• 5.3 Adding Custom Fields for Provisioning
• 5.4 Removing Attributes Mapped for Target Resource Reconciliation
• 5.5 Using the Provisioning Agent to Run IBM z/OS Batch Jobs
• 5.6 Configuring the Connector for Provisioning to Multiple Installations of the Target System
• 5.7 Initial LDAP Gateway Population and Full Reconciliation
  • 5.7.1 Reconcile User Extract File
• 5.8 Configuring Windows Service
• 5.9 Customizing Log File Locations
• 5.10 LDAP Reconciliation Supported Queries
• 5.11 Handling PIONEER Error Messaging Exceptions in the Gateway

6 Troubleshooting

7 Known Issues and Workarounds

A APF-Authorized Libraries

B Pioneer Datasets

C Reconciliation Agent (Voyager) Messages

D Provisioning Agent (Pioneer) Messages

E Mainframe Problem Source Identification and Problem Determination

F Creating Custom Scheduled Tasks

• F.1 Code for Searching All Users and All User Data
• F.2 Code for Searching All Groups and All Group Data
• F.3 Code for Searching All Datasets and All Dataset Data

G Voyager and Pioneer Control File Parameters

H Configuring RACF Starter User ID and Access for Voyager Agent and Pioneer Agent Started Tasks

I Customizing AES Encryption Key

J Mainframe Language Environment Runtime Options

Index