4 Using the Connector

This chapter discusses the following topics:

4.1 Guidelines on Using the Connector

Apply the following guidelines while using the connector:

  • The LDAP Gateway does not send the full attribute value when provisioning attribute values that contain one or more space characters. If this problem occurs, surround the attribute value in single quotation marks when populating the form field.

  • The RACF connector LDAP gateway encrypts ASCII data and transmits the encrypted message to the mainframe. The mainframe decrypts the message and, because the inbound message is in ASCII format, translates it to EBCDIC for mainframe processing. As a result, any task that requires non-ASCII data transfer fails. In addition, the connector has no provision for indicating that the task has failed or that an error has occurred on the mainframe. To avoid errors of this type, exercise caution when providing inputs to the connector for the target system, especially when using a regional language interface.

  • Passwords used on the mainframe must conform to stringent rules related to passwords on mainframes. These passwords are also subject to restrictions imposed by corporate policies and rules about mainframe passwords. Keep in mind these requirements when you create or modify target system accounts through provisioning operations on Oracle Identity Manager.

  • The subpool must be started before the Reconciliation Agent. If the agent is started before the subpool, then the error message "NO TOKEN FOUND" is printed. Similarly, if the LDAP Gateway is not available when the Reconciliation Agent is started, then the error message "NO LDAP FOUND" is printed.

  • When you update the TSO_SIZE and TSO_MAXSIZE attributes during a provisioning operation, do not include leading zeros in the value that you specify. For example, to change the value of the SIZE attribute from 000001 to 000002, enter 2 in the SIZE field in Identity Self Service.

    See Also:

    Section 1.5.3, "User Attributes for Target Resource Reconciliation and Provisioning" for mapping information about the TSO_SIZE and TSO_MAXSIZE attributes

4.2 Scheduled Tasks for Lookup Field Synchronization

The following are the scheduled tasks for lookup field synchronization:

  • RACF Find All Resources

  • RACF Find All Datasets

  • RACF Find All Groups

These scheduled tasks populate lookup fields in Oracle Identity Manager with resource profiles, datasets, or group IDs. Values from these lookup fields can be assigned during user provisioning operations and reconciliation runs. When you configure these scheduled tasks, they run at specified intervals and fetch a listing of all resource, dataset, or group IDs on the target system for reconciliation.

Table 4-1 describes the attributes of the Find All Datasets and Find All Groups scheduled tasks.

Table 4-1 Attributes of the Find All Datasets and Find All Groups Scheduled Tasks

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: RacfResource

Resource Object

Enter the name of the resource object against which provisioning runs must be performed.

Sample value: OIMRacfResourceObject

Lookup Code Name

Enter the name of the lookup definition where Oracle Identity Manager will store the names of any datasets or groups to which the user belongs.

Sample value: Lookup.DatasetNames or Lookup.GroupNames

Recon Type

This attribute determines how datasets or group memberships from the target system are populated in Oracle Identity Manager lookup definitions. You can use one of the following options:

  • Append adds datasets or group membership entries from the target system that do not exist in the Lookup.DatasetNames or Lookup.GroupNames lookup definitions. Any existing entries remain untouched.

  • Replace removes all the existing entries in Lookup.DatasetNames or Lookup.GroupNames lookup definition and replaces them with datasets or group membership entries from the target system.

  • Merge handles entries in the following manner:

    • If you are using the connector for a single installation of the target system, then datasets and group membership entries that exist in both the target system and Oracle Identity Manager are updated in the Lookup.DatasetNames or Lookup.GroupNames lookup definitions. Datasets and group membership entries that exist only in the target system are added to the Lookup.DatasetNames or Lookup.GroupNames lookup definitions.

    • If you are using the connector for multiple installations of the target system, then only datasets and group membership entries corresponding to the target system installation that you are using are updated or added.

      Entries that exist in both the target system and Oracle Identity Manager are updated in the Lookup.DatasetNames or Lookup.GroupNames lookup definitions.

      Entries that exist only in the target system are added to the Lookup.DatasetNames or Lookup.GroupNames lookup definitions.

Default value: Merge


Table 4-2 describes the attributes of the Find All Resources scheduled task.

Table 4-2 Attributes of the Find All Resources Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: RacfResource

Resource Object

Enter the name of the resource object against which provisioning runs must be performed.

Sample value: OIMRacfResourceObject

Lookup Code Name

Enter the name of the lookup definition where Oracle Identity Manager will store the names of any resources to which the user belongs.

Sample value: Lookup.ResourceNames

Recon Type

This attribute determines how resources from the target system are populated in Oracle Identity Manager lookup definitions. You can use one of the following options:

  • Append adds resources from the target system that do not exist in the Lookup.ResourceNames lookup definition. Any existing entries remain untouched.

  • Replace removes all the existing entries in the Lookup.ResourceNames lookup definition and replaces them with resource entries from the target system.

  • Merge handles entries in the following manner:

    • If you are using the connector for a single installation of the target system, then resource entries that exist in both the target system and Oracle Identity Manager are updated in the Lookup.ResourceNames lookup definition. Resource entries that exist only in the target system are added to the Lookup.ResourceNames lookup definition.

    • If you are using the connector for multiple installations of the target system, then only resource entries corresponding to the target system installation that you are using are updated or added.

      Entries that exist in both the target system and Oracle Identity Manager are updated in the Lookup.ResourceNames lookup definition.

      Entries that exist only in the target system are added to the Lookup.ResourceNames lookup definition.

Default value: Merge

Resource Class Type

Enter the name of the type of resource class you are reconciling. You can enter multiple resource class types as a comma-separated list. If you want to reconcile all resources, enter *.

Sample value: FACILITY,CONSOLE,PROGRAM


4.3 Configuring the Security Attributes Lookup Field

The Lookup.RacfSecurityAttributeNames lookup definition is one of the lookup definitions that is created in Oracle Identity Manager when you deploy the connector. This lookup field is populated with standard RACF non-value security attributes such as ADSP, AUDIT, SPECIAL, and so on. The IBM RACF Advanced connector includes a scheduled task to automatically populate the lookup field used for storing RACF security attributes. Table 4-3 describes the attributes of the Find All Security Attributes scheduled task.

Note:

The Find All Security Attributes scheduled task does not query the target system for data. Instead, the scheduled task automatically populates the lookup field with "itResourceKey~securityAttributeName" pairs based on the IT Resource and Security Attribute scheduled task property values.

Table 4-3 Attributes of the Find All Security Attributes Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: RacfResource

Security Attributes

Enter a comma-separated list of RACF non-value security attributes.

Sample value: ADSP, AUDIT, RESTRICTED, SPECIAL, UAUDIT

Lookup Code Name

Enter the name of the lookup definition where Oracle Identity Manager will store the security attribute entries fetched from the target system.

Sample value: Lookup.RacfSecurityAttributes

Recon Type

This attribute determines how security attributes from the target system are populated in Oracle Identity Manager lookup definitions. You can use one of the following options:

  • Append adds security attributes from the target system that do not exist in the Lookup.RacfSecurityAttributes lookup definition. Any existing entries remain untouched.

  • Replace removes all the existing entries in the Lookup.RacfSecurityAttributes lookup definition and replaces them with security attributes from the target system.

  • Merge handles entries in the following manner:

    • If you are using the connector for a single installation of the target system, then security attributes that exist in both the target system and Oracle Identity Manager are updated in the Lookup.RacfSecurityAttributes lookup definition. Security attributes that exist only in the target system are added to the Lookup.RacfSecurityAttributes lookup definition.

    • If you are using the connector for multiple installations of the target system, then only security attributes corresponding to the target system installation that you are using are updated or added.

      Security attributes that exist in both the target system and Oracle Identity Manager are updated in the Lookup.RacfSecurityAttributes lookup definition.

      Security attributes that exist only in the target system are added to the Lookup.RacfSecurityAttributes lookup definition.

Default value: Merge


However, you can also manually add additional values.

To add additional security attributes for provisioning and reconciliation:

  1. Log in to Oracle Identity Manager Design Console.

  2. Expand Administration and then double-click Lookup Definition.

  3. Search for the Lookup.RacfSecurityAttributesNames lookup definition.

  4. Click Add.

  5. In the Code Key column, enter the name of the security attribute. Enter the same value in the Decode column. The following is a sample entry:

    Code Key: ITResource~ADSP

    Decode: ITResource~ADSP

  6. Click the Save icon.
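The following is an added example and not part of the connector documentation or the connector's own code. It models the three Recon Type options from Tables 4-1 to 4-3 (Append, Replace and Merge) over a lookup definition held as Code Key to Decode pairs in the itResourceKey~name form shown in the manual entry above, and builds those pairs from a comma-separated Security Attributes value in the way the note on the Find All Security Attributes scheduled task describes. The class and method names (LookupReconType, securityAttributePairs, apply), the IT resource keys RacfResource and RacfResource2 and the sample entries are constructed for the example; treating the Code Key prefix before the tilde as the installation identifier that Merge uses to tell installations apart is an assumption, as is applying the same Code Key form to the dataset, group and resource lookups.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Models the Recon Type modes (Append, Replace, Merge) of the Find All scheduled tasks.
 * Lookup entries are Code Key -> Decode, with Code Key in the "itResourceKey~name" form
 * that the Find All Security Attributes task writes (assumed here for all Find All tasks).
 */
public class LookupReconType {

    public enum ReconType { APPEND, REPLACE, MERGE }

    /** Builds "itResourceKey~name" pairs from a comma-separated Security Attributes value. */
    public static Map<String, String> securityAttributePairs(String itResourceKey, String csv) {
        Map<String, String> pairs = new LinkedHashMap<>();
        for (String name : csv.split(",")) {
            String attribute = name.trim(); // "ADSP, AUDIT" and "ADSP,AUDIT" are equivalent
            if (attribute.isEmpty()) continue;
            String key = itResourceKey + "~" + attribute;
            pairs.put(key, key); // Code Key and Decode carry the same value, as in the manual entry
        }
        return pairs;
    }

    /** Applies the entries fetched for one installation to the existing lookup definition. */
    public static Map<String, String> apply(ReconType type, Map<String, String> existing,
                                            Map<String, String> fetched, String itResourceKey) {
        Map<String, String> result = new LinkedHashMap<>();
        String prefix = itResourceKey + "~"; // assumption: identifies the installation's entries
        switch (type) {
            case REPLACE:
                // Everything already in the lookup is dropped, including other installations' entries.
                result.putAll(fetched);
                break;
            case APPEND:
                // Existing entries are never touched; only Code Keys not yet present are added.
                result.putAll(existing);
                for (Map.Entry<String, String> e : fetched.entrySet()) result.putIfAbsent(e.getKey(), e.getValue());
                break;
            case MERGE:
                // This installation's entries are updated or added; other installations' entries are kept.
                result.putAll(existing);
                for (Map.Entry<String, String> e : fetched.entrySet())
                    if (e.getKey().startsWith(prefix)) result.put(e.getKey(), e.getValue());
                break;
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: two installations (RacfResource and RacfResource2) share one lookup definition.
        Map<String, String> existing = new LinkedHashMap<>();
        existing.put("RacfResource~ADSP", "RacfResource~ADSP");
        existing.put("RacfResource~OLDATTR", "RacfResource~OLDATTR"); // no longer configured for RacfResource
        existing.put("RacfResource2~SPECIAL", "RacfResource2~SPECIAL");
        Map<String, String> fetched = securityAttributePairs("RacfResource", "ADSP, AUDIT, RESTRICTED, SPECIAL, UAUDIT");
        for (ReconType type : ReconType.values())
            System.out.println(type + ": " + apply(type, existing, fetched, "RacfResource").keySet());
    }
}
```

Running main prints the surviving Code Keys for each mode. As modelled here, Replace is the only mode that drops the stale RacfResource~OLDATTR entry, but it also discards RacfResource2~SPECIAL, which belongs to the other installation; Append and Merge both keep it, and Merge additionally refreshes the Decode of entries that already exist. When several installations share one lookup definition, this is why the default of Merge is the safe choice and why a stale entry has to be removed by hand in the Design Console rather than by switching to Replace.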

4.4 Configuring Reconciliation

The IBM RACF Advanced connector supports both incremental reconciliation and full reconciliation. This section discusses the following topics related to configuring reconciliation:

4.4.1 Configuring Incremental Reconciliation

The Voyager agent and the LDAP gateway perform incremental reconciliation using the RACF Reconcile All LDAP Users scheduled task. To configure incremental reconciliation:

  1. Ensure that the following properties are set in the racf.properties file:

    • USE INTERNAL META STORE [true|false]

      _internalEnt_=true

    • USE GROUP INTERNAL META STORE [true|false]

      _internalGrpEnt_=true

  2. Use the Last Modified Timestamp parameter of the IT resource to set a date range that will reconcile all users that have changed since that date.

    Note:

    If the _internalEnt_ property, located in LDAP_INSTALL_DIR/conf/racf.properties, is set to true, then the LDAP internal store is also populated on an ongoing basis by the "real-time" event capture performed by Voyager and the EXIT(s). Therefore, after the initial population and reconciliation, the process continues to use the RACF Reconcile All LDAP Users scheduled task with a date range to reconcile these real-time event changes from the data captured in the LDAP internal store.

4.4.2 Performing Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation. After first-time reconciliation, the connector will automatically switch to performing incremental reconciliation based on the time stamp value present in the IT resource.

To perform full reconciliation in a setup that involves the LDAP gateway as an intermediary datastore between the RACF target system and Oracle Identity Manager, choose one of the following options:

  • If you are performing reconciliation for the first time, then:

    1. Generate an EXTRACT reconciliation file on the RACF target system.

    2. Set the value of the Last Modified Time Stamp parameter of the IT resource parameter to 0.

    3. Run the RACF Reconcile Users to Internal LDAP scheduled task.

    4. Run the RACF Reconcile All LDAP Users scheduled task.

    Note:

    If you do not run the RACF Reconcile Users to Internal LDAP scheduled task with the EXTRACT recon file, then the RACF Reconcile All LDAP Users scheduled task always runs in incremental mode.

  • If this is not the first time that you are performing full reconciliation, then:

    1. Set the value of the Last Modified Time Stamp parameter of the IT resource parameter to 0.

    2. Run the RACF Reconcile All LDAP Users scheduled task.

This completes full reconciliation and from the next reconciliation run onward, the connector will automatically switch to incremental reconciliation by using the value in the Last Modified Time Stamp parameter of the IT resource.

To perform full reconciliation in a setup that does not involve the LDAP gateway, run the RACF Reconcile All Users scheduled task. This scheduled job always runs in full reconciliation mode.

4.4.3 Reconciliation Scheduled Tasks

When you run the Connector Installer, the following reconciliation scheduled tasks are automatically created in Oracle Identity Manager:

4.4.3.1 RACF Reconcile All Users

The RACF Reconcile All Users scheduled task is used to reconcile user data in the target resource (account management) mode of the connector. This scheduled task runs at specified intervals and fetches create or modify events on the target system for reconciliation.

Table 4-4 describes the attributes of RACF Reconcile All Users scheduled task.

Table 4-4 Attributes of the RACF Reconcile All Users Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: RacfResource

Resource Object

Enter the name of the resource object against which reconciliation runs must be performed.

Sample value: OIMRacfResourceObject

MultiValuedAttributes

Enter a comma-separated list of multi-valued attributes that you want to reconcile. Do not include a space after each comma.

Sample value: attributes,memberOf

SingleValueAttributes

Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValuedAttributes field.

Sample value: uid,owner,defaultGroup,waddr1,tsoMaxSize

Note: By default, Oracle Identity Manager's design form only allows entering up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in the Oracle Identity Manager database.

UID Case

Enter either upper or lower for the case of the UID attribute value.

Sample value: upper

UsersList

Enter a comma-separated list of UIDs that you want to reconcile from the target system. If this property is left blank, then all users on the target system will be reconciled.

Sample value: userQA01,georgeb,marthaj,RST0354


4.4.3.2 RACF Deleted User Reconciliation Using OIM

The RACF Deleted User Reconciliation Using OIM scheduled task is used to reconcile data about deleted users in the target resource (account management) mode of the connector.

When you run this scheduled task, it fetches a list of users on the target system. These user names are then compared with provisioned users in Oracle Identity Manager. Any user profiles that exist within Oracle Identity Manager, but not in the target system, are deleted from Oracle Identity Manager.

Table 4-5 describes the attributes of RACF Deleted User Reconciliation Using OIM scheduled task.

Table 4-5 Attributes of the RACF Deleted User Reconciliation Using OIM Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: RacfResource

Resource Object

Enter the name of the resource object against which the delete reconciliation runs will be performed.

Sample value: OIMRacfResourceObject

Recon Matching Rule Attributes

Enter a comma-separated list of attributes used in the matching rule. If the IT resource is used, enter IT.

Sample value: UID,IT


4.4.3.3 RACF Reconcile Users to Internal LDAP

The RACF Reconcile Users to Internal LDAP scheduled task is used to reconcile users from the target system to the internal LDAP store. When you configure this scheduled task, it runs at specified intervals and fetches a list of users and their profiles on the target system. Each of these users is then reconciled to the internal LDAP store. No reconciliation to Oracle Identity Manager is performed. Table 4-6 describes the attributes of the scheduled task.

Table 4-6 Attributes of the RACF Reconcile Users to Internal LDAP Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: RacfResource

Domain OU

Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored.

Sample value: racf


4.4.3.4 RACF Reconcile All LDAP Users

The RACF Reconcile All LDAP Users scheduled task is used to reconcile users from the internal LDAP store to Oracle Identity Manager. When you configure this scheduled task, it runs at specified intervals and fetches a list of users within the internal LDAP store and reconciles these users to Oracle Identity Manager. Table 4-7 describes the attributes of the scheduled task.

Table 4-7 Attributes of the RACF Reconcile All LDAP Users Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: RacfResource

Resource Object

Enter the name of the resource object against which the delete reconciliation runs must be performed.

Sample value: OIMRacfResourceObject

Domain OU

Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored.

Sample value: racf

MultiValuedAttributes

Enter a comma-separated list of multivalued attributes that you want to reconcile. Do not include a space after each comma.

Sample value: memberOf,attributes

SingleValueAttributes

Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValuedAttributes field.

Sample value: uid,owner,defaultGroup,waddr1,tsoMaxSize

Note: By default, Oracle Identity Manager's design form only allows entering up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in the Oracle Identity Manager database.

LDAP Time Zone

Enter the time zone ID for the server on which the LDAP gateway is hosted.

Sample value: EST

UID Case

Enter whether the user ID should be displayed in uppercase or lowercase.

Sample value: upper


4.4.4 Configuring Filtered Reconciliation to Multiple Resource Objects

Some organizations use multiple resource objects to represent multiple user types in their system. The Resource Object property of the scheduled tasks is used to specify the resource object used during reconciliation, and you can enter more than one resource object in the value of the Resource Object property. Further, you can include IBM RACF attribute-value pairs to filter records for each resource object.

See Also:

Section 4.4.3.1, "RACF Reconcile All Users" for information about the RACF Reconcile All Users scheduled task

The following is a sample format of the value for the Resource Object attribute:

(ATTRIBUTE1:VALUE1)RESOURCE_OBJECT1,RESOURCE_OBJECT2

As shown by RESOURCE_OBJECT2 in the sample format, specifying a filter attribute is optional, but if more than one resource object is specified, you must specify a filter for each additional resource object. If you do not specify a filter attribute, then all records are reconciled to the first resource object in the list. Further, the filters are checked in order, so the resource object without a filter attribute should be included last in the list.

Filter attributes should be surrounded by parentheses.

Apply the following guidelines while specifying a value for the Resource Object attribute:

  • The names of the resource objects must be the same as the names that you specified while creating the resource objects in the Design Console.

  • The IBM RACF attribute names must be the same as the names used in the LDAP Gateway configuration files.

See Also:

Section 3.5, "Installing and Configuring the LDAP Gateway" for information about the LDAP Gateway configuration files

  • The value must be a regular expression as defined in the java.util.regex Java package. Note that the find() API call of the regex matcher is used rather than the matches() API call. This means that a substring matching rule can be specified in the pattern, rather than requiring the entire string matching rule.

    Further, substring matching is case-sensitive. A "(tso)" filter will not match a user with the user ID "TSOUSER1".

  • Multiple values can be matched. Use a vertical bar (|) for a separator as shown in the following example:

    (ATTRIBUTE:VALUE1|VALUE2|VALUE3)RESOURCE_OBJECT

  • Multiple filters can be applied to the attribute and to the same resource object. For example:

    (ATTRIBUTE1:VALUE1)&(ATTRIBUTE2:VALUE2)RESOURCE_OBJECT

The following is a sample value for the Resource Object attribute:

(tsoProc:X)RACFR01,(instdata:value1|value2|value3)RacfResourceObject2,(tso)RacfResourceObject24000,Resource

In this sample value:

  • (tsoProc:X)RACFR01 represents a user with X as the attribute value for the TSO Proc segment. Records that meet this criterion are reconciled with the RACFR01 resource object.

  • (instdata:value1|value2|value3)RacfResourceObject2 represents a user with value1, value2, or value3 as their INSTDATA attribute value. Records that meet this criterion are reconciled with the RacfResourceObject2 resource object.

  • (tso)RacfResourceObject24000 represents a user with TSO privileges. A TSO attribute value is not specified. Records that meet this criterion are reconciled with the RacfResourceObject24000 resource object.

  • All other records are reconciled with the Resource resource object, the last entry in the list, which has no filter.
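The following is an added example, not part of the connector documentation or the connector's own code: a small Java class that parses a Resource Object attribute value in the format described above and routes a record to the first resource object whose filters match, using java.util.regex Matcher.find() so that matching is a case-sensitive substring match. The names ResourceObjectRouter, Clause, Rule and sample, and the records built in main, are constructed for this example. It also assumes that an attribute-only filter such as (tso) means the attribute is present on the record, and that patterns contain neither ',' nor ')'. It goes slightly beyond the page by rejecting a value in which an unfiltered resource object is not listed last, since every entry after it would be unreachable.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Routes reconciled records to resource objects using the Resource Object attribute format
 *  "(ATTR:REGEX)&(ATTR2:REGEX)RO1,(ATTR)RO2,DefaultRO". Entries are checked in order. */
public class ResourceObjectRouter {
    /** One (ATTRIBUTE:REGEX) or (ATTRIBUTE) clause of a filter. */
    static final class Clause {
        final String attribute;
        final Pattern pattern; // null for an attribute-only clause such as (tso)
        Clause(String attribute, String regex) {
            this.attribute = attribute;
            this.pattern = regex == null ? null : Pattern.compile(regex);
        }
        boolean matches(Map<String, List<String>> rec) {
            List<String> values = rec.getOrDefault(attribute, Collections.emptyList());
            // Assumption: an attribute-only clause means the record carries that attribute.
            if (pattern == null) return !values.isEmpty();
            for (String value : values) {
                // find(), not matches(): a case-sensitive substring match is sufficient.
                if (pattern.matcher(value).find()) return true;
            }
            return false;
        }
    }

    /** One comma-separated entry: zero or more clauses joined by '&', then the resource object. */
    static final class Rule {
        final List<Clause> clauses = new ArrayList<>();
        String resourceObject;
    }

    private final List<Rule> rules = new ArrayList<>();

    public ResourceObjectRouter(String resourceObjectAttribute) {
        // Assumption: entries are comma-separated, so the patterns themselves contain no ','.
        String[] entries = resourceObjectAttribute.split(",");
        for (int i = 0; i < entries.length; i++) {
            Rule rule = parseEntry(entries[i].trim());
            // An unfiltered entry catches everything, so anything listed after it is unreachable.
            if (rule.clauses.isEmpty() && i < entries.length - 1)
                throw new IllegalArgumentException("unfiltered resource object must be last: " + rule.resourceObject);
            rules.add(rule);
        }
    }

    private static Rule parseEntry(String entry) {
        Rule rule = new Rule();
        int pos = 0;
        while (pos < entry.length() && entry.charAt(pos) == '(') {
            int close = entry.indexOf(')', pos); // assumption: the regex itself contains no ')'
            if (close < 0) throw new IllegalArgumentException("unbalanced parentheses in: " + entry);
            String body = entry.substring(pos + 1, close);
            int colon = body.indexOf(':');
            rule.clauses.add(colon < 0 ? new Clause(body, null)
                    : new Clause(body.substring(0, colon), body.substring(colon + 1)));
            pos = close + 1;
            if (pos < entry.length() && entry.charAt(pos) == '&') pos++; // (A:x)&(B:y)RO: all clauses must match
        }
        rule.resourceObject = entry.substring(pos);
        if (rule.resourceObject.isEmpty()) throw new IllegalArgumentException("missing resource object in: " + entry);
        return rule;
    }

    /** Returns the first resource object whose clauses all match, or null when none does. */
    public String route(Map<String, List<String>> rec) {
        next:
        for (Rule rule : rules) {
            for (Clause clause : rule.clauses) if (!clause.matches(rec)) continue next;
            return rule.resourceObject; // an entry without clauses matches every record
        }
        return null;
    }

    /** Builds a single-valued record from attribute/value pairs (constructed sample data). */
    static Map<String, List<String>> sample(String... pairs) {
        Map<String, List<String>> rec = new LinkedHashMap<>();
        for (int i = 0; i + 1 < pairs.length; i += 2) rec.put(pairs[i], Collections.singletonList(pairs[i + 1]));
        return rec;
    }

    public static void main(String[] args) {
        // The sample value from the documentation, applied to constructed records.
        ResourceObjectRouter router = new ResourceObjectRouter("(tsoProc:X)RACFR01,"
                + "(instdata:value1|value2|value3)RacfResourceObject2,(tso)RacfResourceObject24000,Resource");
        System.out.println(router.route(sample("uid", "JSMITH", "tsoProc", "X")));   // first entry applies
        System.out.println(router.route(sample("uid", "TSOUSER1", "tso", "Y")));      // third entry applies
        System.out.println(router.route(sample("uid", "TSOUSER1")));                  // unfiltered last entry
        // Case-sensitive find(): "tso" does not occur in TSOUSER1, but "TSO" does.
        ResourceObjectRouter byCase = new ResourceObjectRouter("(uid:tso)LowerRO,(uid:TSO)UpperRO,DefaultRO");
        System.out.println(byCase.route(sample("uid", "TSOUSER1")));
    }
}
```

Compile the class with javac and run it; main prints the resource object selected for each constructed record. Because find() accepts any substring, a pattern such as (uid:USER) also matches TSOUSER1; anchor the pattern (for example ^USER) when a prefix rather than a substring is intended, since find() honours anchors.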

4.5 Configuring Account Status Reconciliation

Note:

This section describes an optional procedure. Perform this procedure only if you want reconciliation of user status changes from IBM RACF.

When a user is disabled or enabled on the target system, the status of the user can be reconciled into Oracle Identity Manager. To configure reconciliation of user status changes made on IBM RACF:

  1. In the RACF Reconcile All Users scheduled task, add the Status attribute to the SingleValueAttributes property list.

  2. Log in to the Design Console and perform the following steps:

    1. In the OIMRacfResourceObject resource object, create a reconciliation field to represent the Status attribute.

    2. In the OIMRacfProvisioningProcess process definition, map the field for the Status field to the OIM_OBJECT_STATUS field.

4.6 Configuring Scheduled Tasks

This section describes the procedure to configure scheduled tasks. You can apply this procedure to configure the scheduled tasks for lookup field synchronization and reconciliation.

Table 4-8 lists the scheduled tasks that you must configure.

Table 4-8 Scheduled Tasks for Lookup Field Synchronization and Reconciliation

Scheduled Task Description

RACF Find All Resources

This scheduled task is used to synchronize the values of resource profile lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Section 4.2, "Scheduled Tasks for Lookup Field Synchronization."

RACF Find All Datasets

This scheduled task is used to synchronize the values of dataset lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Section 4.2, "Scheduled Tasks for Lookup Field Synchronization."

RACF Find All Groups

This scheduled task is used to synchronize the values of group IDs lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Section 4.2, "Scheduled Tasks for Lookup Field Synchronization."

RACF Find All Security Attributes

This scheduled task is used to automatically populate the security attributes lookup field with IT Resource Key~Security Attribute Name pairs. For information about this scheduled task and its attributes, see Section 4.3, "Configuring the Security Attributes Lookup Field."

RACF Reconcile All Users

This scheduled task is used to fetch user data during target resource reconciliation. For information about this scheduled task and its attributes, see Section 4.4.3.1, "RACF Reconcile All Users."

RACF Reconcile Deleted Users to OIM

This scheduled task is used to fetch data about deleted users during target resource reconciliation. During a reconciliation run, for each deleted user account on the target system, the RACF User resource is revoked for the corresponding OIM User. For information about this scheduled task and its attributes, see Section 4.4.3.2, "RACF Deleted User Reconciliation Using OIM."

RACF Reconcile Users to Internal LDAP

This scheduled task is used to reconcile users from the target system to the internal LDAP store. For information about this scheduled task and its attributes, see Section 4.4.3.3, "RACF Reconcile Users to Internal LDAP."

RACF Reconcile All LDAP Users

This scheduled task is used to reconcile users from the internal LDAP store to Oracle Identity Manager. For information about this scheduled task and its attributes, see Section 4.4.3.4, "RACF Reconcile All LDAP Users."


To configure a scheduled task:

  1. Log in to Identity System Administration.

  2. In the left pane, under System Management, click Scheduler.

  3. Search for and open the scheduled task as follows:

    1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    2. In the search results table on the left pane, click the scheduled job in the Job Name column.

  4. On the Job Details tab, you can modify the following parameters of the scheduled task:

    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

      Note:

      See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about schedule types.

  5. In addition to modifying the job details, you can enable or disable a job.

  6. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    • See "Reconciliation Scheduled Tasks" for the list of scheduled tasks and their attributes.

    Click Apply to save the changes.

    Note:

    You can use the Scheduler Status page in Identity System Administration to either start, stop, or reinitialize the scheduler.

4.7 Performing Provisioning Operations

To perform provisioning operations in Oracle Identity Manager:

  1. Log in to Oracle Identity Self Service.

  2. Create a user. See Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for more information about creating a user.

  3. On the Account tab, click Request Accounts.

  4. In the Catalog page, search for and add to cart the application instance created in Section 3.4.1.3, "Creating an Application Instance", and then click Checkout.

  5. Specify values for the fields in the application form, and then click Ready to Submit.

  6. Click Submit.

  7. If you want to provision entitlements, then:

    1. On the Entitlements tab, click Request Entitlements.

    2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.

    3. Click Submit.