What's New in the Oracle Identity Manager Advanced Connector for IBM RACF?

This chapter provides an overview of the updates made to the software and documentation for the Oracle Identity Manager Advanced Connector for IBM RACF in release 9.0.4.25.

The updates discussed in this chapter are divided into the following categories:

  • Software Updates

    This section describes updates made to the connector software. This section also points out the sections of this guide that have been changed in response to each software update.

  • Documentation-Specific Updates

    This section describes major changes made to this guide. These changes are not related to software updates.

Software Updates

The following sections discuss the software updates:

Software Updates in Release 9.0.4.25

The following are the software updates in release 9.0.4.25:

End of Life Support for Real-Time Reconciliation

From this release onward, the connector no longer supports the real-time mode of reconciliation and it is no longer included in the connector package.

Support for Oracle Identity Manager 11g Release 2 PS2 and PS3

From this release onward, the connector can be installed and used on the following versions:

  • Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) and any later BP in this release track.

  • Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0) and any later BP in this release track.

These Oracle Identity Manager release versions are mentioned in Table 1-1, "Certified Components".

Support for New Version of the Target System

From this release onward, the connector adds support for z/OS 2.2 as a target system. This information is mentioned in Table 1-1, "Certified Components".

Note:

For z/OS 2.2 target system installation that supports special characters in passwords, the connector has been validated only for the at sign (@), number sign (#), and dollar sign ($) special characters.

Replacement of DNS_RECOVERY_INTERVAL and IP_RECOVERY_INTERVAL Voyager Control Cards Input

The DNS_RECOVERY_INTERVAL and IP_RECOVERY_INTERVAL Voyager control cards input have been removed as they are no longer supported in Voyager. They have been replaced with the following new Voyager Control File parameters:

  • CONNECT_INTV=

  • CONNECT_RETRY=

  • EXTRACT=

If no value is set for the EXTRACT= parameter, then VOYAGER defaults to EXTRACT=Y.

Note:

It is recommended not to use EXTRACT=N.

See Table G-1, "Voyager Control File Parameters" for more information about these new Voyager Control File parameters.

End of Life Support for Trusted Source Reconciliation

From this release onward, the connector no longer supports the trusted source mode of reconciliation and it is no longer included in the connector package. Target source mode of reconciliation is still supported by the connector.

Enhancement to the Scheduled Tasks for Lookup Field Synchronization

From this release onward, the scheduled tasks for lookup field synchronization can successfully reconcile deleted entitlements. In addition to the existing Append or Replace values for the Recon Type attribute, the scheduled jobs for lookup field synchronization provides support for a new value named Merge, which is the default value now.

See Section 4.2, "Scheduled Tasks for Lookup Field Synchronization" for more information about the values that you can set for the Recon Type attribute of the scheduled job.

Resolved Issues in Release 9.0.4.25

The following table lists issues resolved in release 9.0.4.25:

Bug Number Issue Resolution
18781115 When there was a mismatch between the encryption key used by the LDAP and mainframe agents, neither the LDAP gateway nor the agent specified the mismatch in the log file. This issue has been resolved.
19827155 The policy key in RACF groups or entitlement child table (UD_GROUP) was being updated to null when a full reconciliation run was performed. This issue has been resolved. The policy key is being updated with correct entitlements.
20167028 The RACF Advanced connector did not include timeouts in the LDAP connections to Oracle Identity Manager. This caused the connector to stop responding. This issue has been resolved. The IT resource for the target system now includes two new parameters namely idfConnectTimeoutMS and idfReadTimeoutMS.

If you are upgrading your connector to release 9.0.4.25 (not using a fresh installation) and there is customization in your production environment, then during connector upgrade, you must import IT Resource definition using the oimRacfAdvR2Connector.xml file.

You can import the oimRacfAdvR2Connector.xml file using the Deployment Manager, as described in Importing Deployments in Oracle Fusion Middleware Administering Oracle Identity Manager.

See Section 3.3, "Configuring the IT Resource" for more information about the new parameters.

20562252 The following Voyager message was incorrect:

IDMV109I PIONEER WRITE SUCCESSFUL and PIONEER_ID= control end of life

This issue has been resolved. The message has been corrected to "IDMV109I VOYAGER WRITE SUCCESSFUL and the PIONEER_ID= control card is no longer supported."
20564721 The idf.schema file missed definitions for the UUID, krb5PrincipalRealm, and ipServiceProtocol LDAP attributes. This issue has been resolved. The idf.schema file in LDAP has been updated now.
20681560 The RACF Deleted User Reconciliation Using OIM scheduled task caused a NullPointerException because it missed information about the domain from which deleted users were to be reconciled. This issue has been resolved. The RACF Deleted User Reconciliation Using OIM scheduled task has been updated to include the Users List and domainOu attributes. See Section 4.4.3.2, "RACF Deleted User Reconciliation Using OIM" for more details about this scheduled task.
20687226 The ADDSD command to add dataset profile to IBM RACF did not complete successfully and returned the following error message:

ERROR PERFORMING OPERATION: NO DATA RETURNED

This issue has been resolved.
21195665 Although uninstallation of the LDAP Gateway was successful, the following error was encountered when the IdentityForgeServiceUninstall.bat file was run:

Unrecognized cmd option -uninstall

This issue has been resolved. The error message is no longer displayed upon successful uninstallation of LDAP Gateway.
21419200 The run.sh and run.bat files had a dependency on the spring-expression-3.2.4.RELEASE library which failed to start the LDAP gateway. This issue has been resolved. The missing dependency has been corrected in the run.sh and run.bat files.
21542074 The idfserver logs size and amount need to be configured or at least go to 100 MB. The amount of log space for the idfserver log file can be modified now. The size of the log file can be configured from the default 10MB to the maximum size which can be set before the rollover. See Section 3.4.4.1, "Enabling Logging for the LDAP Gateway" for more details.
21659079 A Create User or Modify User provisioning operation failed and the following RACF message and code was encountered:

ICH01015I Command processing completed but unable to update SYS1.BRODCAST

This issue has been resolved. The connector processing has been corrected to ignore this message for successful creation or modification of a user.
21780125 The following exception was encountered during a RACF Reconcile Deleted Users scheduled task run:

JAVA.LANG.NULLPOINTEREXCEPTION

This issue has been resolved. The JAVA.LANG.NULLPOINTEREXCEPTION has been addressed now.
21869258 Although the sap-ecc-agent.jar file was not included with the RACF Gateway files, the run.sh and run.bat files contained the following entry:

${APP_HOME}/lib/sap-ecc-agent.jar

This issue has been resolved The reference to the sap-ecc-agent.jar file has been removed from the run.sh and run.bat files.
21869254 The run.sh and run.bat files contained the following incorrect entry due to which LDAP Gateway failed to start:

${APP_HOME}/lib/ofdl.jar

This issue has been resolved. The value of the jar file has been corrected in the run.sh and run.bat files. The correct value is ojdl.jar.
22451595 Passwords were being logged in clear text in DEBUG mode. This issue has been resolved. Passwords are now masked by asterisk (*) in the log file.
22553251 The DCB value for the CREATDSN member of the JCLLIB partition dataset and REXXOUT data set was incorrect. This caused reconciliation to not work accurately as some reconciliation records may not have been selected. This issue has been resolved. The DCB value has been updated to DSORG=PS,RECFM=FB,LRECL=300,BLKSIZE=0.

Reconciliation is now performed successfully.

22650535 The following error was encountered when the ALTUSER command contained an apostrophe (') in the INSTDATA or NAME attributes:

OIM connection LDAP Error Code 52 LDAP_UNAVAILABLE

This issue has been resolved. The ALTUSER command containing apostrophe in INSTDATA or NAME processing has been corrected now.
22717070 Pioneer displayed a success message when the DELDSD command was run, but idfserver.log reported it as failed. Therefore, DELUSER command was rejected with the following RACF message and code:

ICH04009I userid CANNOT BE DELETED. DATA SET PROFILES STILL EXIST.

This issue has been resolved. The DELDSD command processing has been corrected now and is no longer causing this issue.
23026137 Intermittent failures were reported for the ADDUSER and ALTUSER command processing. This issue has been resolved. The processing of the ADDUSER and ALTUSER commands has been corrected.
23107391 When RACF requested AddUserToGroup task, the request was rejected by the zSecure command verifier and Oracle Identity Manager received 0 response code.

To address this issue, the ability to customize the response code based on Pioneer error messaging exceptions in the gateway was required.

This issue has been resolved. The existing error handling routines have been enhanced to allow for the ability to configure that a request sent to Pioneer has succeeded or failed. See Section 5.11, "Handling PIONEER Error Messaging Exceptions in the Gateway" for more information.
23626975 Group assignments to users failed with the error code 1. This issue has been resolved. Group assignments are processed correctly.

Software Updates in Release 9.0.4.24

The following are the software updates in release 9.0.4.24:

Note:

Documentation for release 9.0.4.24 of the connector is skipped on Oracle Help Center because release 9.0.4.23 BPE of the connector is considered as release 9.0.4.24.

Support for the SECURE_ID Program

From this release onward, the connector supports a new SECURE_ID program that encrypts a RACF userid for usage with Pioneer. This information is also discussed in Section 2.1, "IDF Mainframe Adapters Functional Characteristics."

Support for the SECURE_ID= Pioneer Parameter

From this release onward, the connector supports the new SECURE_ID= Pioneer Parameter for SECURE_ID= processing. This information is also discussed in Section 2.1, "IDF Mainframe Adapters Functional Characteristics."

Support for MYRADMIN Function Usage Has Changed

From this release onward, this function is used for only RACF, LIST, and SEARCH functions in Pioneer and Voyager. This information is also discussed in Section 2.1.1, "Pioneer."

Support for Writing SMF Records During SECURE_ID Processing

From this release onward, the connector supports for writing SMF type 245 subtype 1 and 2 records. When the Pioneer parameter SMF=N is specified, all RACF non-LIST functions will use IDFRADMN to process the RACF commands. If SMF=Y is specified, then IDFRADMS will be used to process the RACF commands and create SMF records. This information is also discussed in Section 2.1.1, "Pioneer" and Appendix G, "Voyager and Pioneer Control File Parameters."

Support for Pioneer- RACF Validation Has Been Added

From this release onward, Pioneer start calls three programs that will aid in the validation of Pioneer's RACF Userid permissions. IDFGETIF extracts JOBNAME, JOBID and USERID. IDFCHKAU verifies that RACF userid has the permission to "read" the security facility that Pioneer requires. IDFCHKIR verifies that RACF userid has the permission to "read" the "irr.radmin.*" profiles required for MYRADMIN, IDFRADMN, and IDFRADMS. This information is also discussed in Section 2.3.9, "Testing the Installation."

Support for the DEFINE, DELETE, and LIST Functions Have Been Changed

From this release onward, IBMs IDCAM which are the 'DEFINE, DELETE, and LIST' functions are now incorporated internally by Pioneer. Batch execution is no longer required. This information is also discussed in Section 2.1.1, "Pioneer."

Resolved Issues in Release 9.0.4.24

The following table lists issues resolved in release 9.0.4.24:

Bug Number Issue Resolution
18272376 The Pioneer and Voyager agents that have to be installed on the Mainframe system as part of the RACF connector for Oracle Identity Manager needs to be enhanced. This issue has been resolved. For more information, see Oracle Identity Manager Connector Guide for IBM RACF Advanced.
19261863 A COBOL run-time condition, IGZ0074S, occurred during execution of program PIONEERX. This issue has been resolved. The sequential instruction to be executed in program PIONEERX was at displacement 00018A3C, and has now been fixed.

Software Updates in Release 9.0.4.23

The following are the software updates in release 9.0.4.23:

End of Life Support for Real-Time Reconciliation

From this release onward, the connector no longer supports the real-time mode of reconciliation and it is no longer included in the connector package.

Note:

As of RACF 9.0.4.23 and above, all reconciliation is performed via scheduled tasks.

Support for New Oracle Identity Manager Release

From this release onward, the connector can be installed and used on Oracle Identity Manager 11g release 2 (11.1.2.0.1) or later.

This information is also discussed in Section 1.1, "Certified Components."

Support for Provisioning Default Group Updates

From this release onward, the connector supports provisioning of updates to a user's default group. When a change default group request is provisioned to the target system, the LDAP gateway automatically adds the user to the new default group, and then updates the user's DFLTGRP attribute to the new group. This information is also discussed in Section 1.5.3, "User Attributes for Target Resource Reconciliation and Provisioning."

Support for Universal Groups

From this release onward, the connector supports the use of universal groups in provisioning and reconciliation operations. Universal groups can have unlimited number of AUTH(USE) userIDs on the target system. This information is also discussed in Table 3-5 in Section 3.9, "Installing and Configuring the LDAP Gateway."

Resolved Issues in Release 9.0.4.23

The following table lists issues resolved in release 9.0.4.23:

Bug Number Issue Resolution
16568815 The FindAllDatasets scheduled task did not reconcile datasets whose dataset name started with a pound (#) character. This issue has been resolved. The LDAP gateway can now reconcile datasets that begin with a pound character.
16444260 RACF form password did not follow UD_formname_PASSWORD naming convention, so password policies were not triggered. This issue has been resolved. The RACF form field for passwords has been renamed to follow the UD_formname_PASSWORD context so that password policies are automatically triggered.
13791726 User names containing apostrophes (') were truncated during provisioning operations. This issue has been resolved. Apostrophes are no longer causing the CN or NAME fields to be truncated.
16477390 Provisioning operations failed if user names contained special characters (for example, accent marks). This issue has been resolved. Use of special characters in user names is no longer causing provisioning operations to fail.

Software Updates in Release 9.0.4.22

The following are the software updates in release 9.0.4.22:

New Additions:

  • A new function "Delete Alias" has been added to the connector guide. See Table 1-2 for more details.

  • Table 3-5 has been updated for new properties.

Support for Reconciliation Agent

As of this release STARTUP is no longer required to build the Subpool for Voyager. There is a new Voyager control file parameter for the STARTUP integration into Voyager. The parameter is SUBPOOL_SIZE=. Additionally, a new feature has been added to Voyager. The feature is controlled by a Voyager control file parameter, PIONEER_ID=. Three parameters are now optional in the Voyager control file, these are:

  1. DELAY=

  2. STARTDELAY=

  3. PRTNCODE=

    The parameter section for Voyager has been updated to reflect the changes. No STC ddnames have changed in Voyager. WRAPUP also has been incorporated in Voyager. Both STARTUP and WRAP procedures and programs will be included in the distribution. See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more details.

Support for Provisioning Agent

The batch interface for ALIAS processing and SEARCH classes has now been moved to be processed internally by Pioneer. Three control file parameters have been removed and are no longer needed, these are:

  1. RWAIT=

  2. JWAIT=

  3. QUEUE_DSN=

All parameters for Pioneer are now contained in the control file. Pioneer STC ddnames have been changed:

From To
//RECONJCL - Removed
//INJCLR- Removed

Support for TCPIP

Pioneers TCP message size has changed from 32K to 65K. Pioneer's INITAPI now sets MAXSOC to 5000 sockets. Pioneer's Read Socket logic was modified to ignore any inbound message size less than 1600 bytes. The LDAP sends only 1600 bytes.

Support for Pioneer's Support Clist

Pioneer's Rexx clist library now only contains following clists. They are called internally by Pioneer using "IRXJCL".

  • IDFRACFC

  • RACFUSRP

  • RACFUSRG

  • RACFUSRD

See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" more details.

Resolved Issues in Release 9.0.4.22

The following table lists issues resolved in release 9.0.4.22:

Bug Number Issue Resolution
15865759 The racf reconciliation gives error string index out of bound exception. This issue has been resolved. After the configuration change RACF reconciliation is successful now.
14761989 The DeleteAlias method is missing in racf-provisioning-adapter.jar. This issue has been resolved. Now the DeleteAlias function has been added to the provisioning jar.
14761829 While instant reconciliation the callingendofjobapi was not called. This issue has been resolved. The callingendofjob() has been added for 11G R1 and R2.
14693734 Users exist with multiple resource objects for the same account. This issue has been resolved. This is part of the new persistence architecture that has explained in the connector document.
14544980 The racf command crashes due to the racf advanced connector exits. This issue has been resolved. The exit has been fixed, now the racf command runs successfully.
14479084 The racf connector does not show job status for group, data set and resource reconciliation. This issue has been resolved. Now the connector shows job status successfully.
14137090 The racf advanced connector duplicates records. This issue has been resolved. This is a part of the new persistence architecture that has explained in the connector document.
13791726 The apostrophe (') makes name truncated in racf connector when provisioning from Oracle Identity Manager. This issue has been resolved. You need to add double quotes (" ") to Oracle Identity Manager name form field.

Software Updates in Release 9.0.4.21

The following are the software updates in release 9.0.4.21:

Support for New RACF CREATDSN Members

From this release onward, the connector supports new RACF CREATDSN members. See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more details.

Voyager and Pioneer Audit Examples

From this release onward, the Voyager and Pioneer Audit Examples have been included in the connector. See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more details.

Resolved Issues in Release 9.0.4.21

There are no resolved issues in release 9.0.4.21.

Software Updates in Release 9.0.4.20

The following are the software updates in release 9.0.4.20:

Support for New Dataset

From this release onwards, the connector supports new datasets for Voyager and pioneer. See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more details.

Support for New Feature

From this release onwards, the connector supports a new feature Audit log.

See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more details.

Support for User-Defined Resources Reconciliation Queries

From this release onwards, the connector supports User-Defined Resources Reconciliation Queries. See Section 5.10, "LDAP Reconciliation Supported Queries" for more details.

Resolved Issues in Release 9.0.4.20

The following table lists issues resolved in release 9.0.4.20:

Bug Number Issue Resolution
13905563 Enhancement request for RACF connector for INJCLR1 and ReconJCL DD statements in Pioneer Started Tasks. This issue has been resolved. The INJCLR1 and ReconJCL DD statements in Pioneer Started Tasks have been enhanced.
14043036 The connector needs to extend the functionality to import resources for custom class types. This issue has been resolved. The latest RACF connector supports reconciling resources of class type.
14091677 The deployment fails with error when trying to deploy IBM RACF advanced connector on Oracle Identity Manager. This issue has been resolved. Now the IBM RACF advanced can be successfully deployed on Oracle Identity Manager.
14137090 RACF advanced connector duplicates records. This issue has been resolved. A parameter called Voyager Delay has been added.

Software Updates in Release 9.0.4.19

The following are the software updates in release 9.0.4.19:

Support for New Functions

From this release onwards, the connector supports new functions (create group, alter group, and delete group). See Section 1.5, "Connector Objects Used During Reconciliation and Provisioning," for details.

Support for New Parameters in Property File

From this release onwards, the connector supports new Parameters in the property file useExtractUser, _configExtractAttrs_, and _allowDeleteDS_. See Table 3-5 for more details.

Enhanced Reconciliation

From this release onwards, the connector supports enhanced reconciliation. See Section 5.11, "Use and Build Custom Real-Time Reconciliation Adapter," and Section 5.10, "LDAP Reconciliation Supported Queries" for more details.

Resolved Issues in Release 9.0.4.19

The following table lists issues resolved in release 9.0.4.19:

Bug Number Issue Resolution
13846604 When installing 13778002 patch, it show version as 9.0.4.17. This issue has been resolved. The version has been corrected in this patch.

Software Updates in Release 9.0.4.17

The following are the software updates in release 9.0.4.17:

Support for Multiple Target Resource Reconciliation Through a Single LPAR

From this release onward, change-based reconciliation using a single LDAP gateway installation from multiple target resource systems is supported. As part of this update, the VOYAGER_ID.properties file (previously known as racfConnection.properties) must be renamed to match the Voyager server's VOYAGER_ID control file property.

Change in Pioneer's Dataset Definition

Pioneer's Dataset Definition (DD) for SYSTSPRT has been changed from RECFM=F to RECFM=FB, Changes were in called programs RACFUSRP and RACFUSRG. Disk space for the file is now blocked, better utilizing the file space.

New Parameter for Voyager

Voyager has a new parameter in the control file. The parameter is VOYAGER_ID=xxxxxxxx, where xxxxxxxx is a 8 character unique identifier for Voyager. See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for details.

Resolved Issues in Release 9.0.4.17

There are no resolved issues in release 9.0.4.17.

Software Updates in Release 9.0.4.16

There are no software updates in release 9.0.4.16.

Resolved Issues in Release 9.0.4.16

The following table lists issues resolved in release 9.0.4.16:

Bug Number Issue Resolution
13259031 Ensure that the product can support port reservation. This issue has been resolved. The IBM RACF Advanced Pioneer/Voyager agent has been enhanced to support port reservation.
13259151 Need to certify that the product functions correctly when RRSF is active. This issue has been resolved. The connector is certified to function correctly when RRSF is active.
13259097 The connector should work with RACF subsystem. This issue has been resolved. The connector has been certified to work with RACF subsystem.
13259110 Add PDS support to pioneer and voyager started tasks for parmlib members and for JCL references. This issue has been resolved. The IBM RACF Advanced Pioneer/Voyager agent has been added PDS support for parmlib members and for JCL references.

Software Updates in Release 9.0.4.15

The following are the software updates in release 9.0.4.15:

Support for New Lookup Definition Scheduled Tasks

From this release onward, the connector includes scheduled tasks for storing all resources, groups, and datasets in lookup definitions. These lookups are used during the provisioning process, allowing the user to select an existing group, resource, or dataset from a lookup list, instead of manually entering the name in the provisioning form.

Support for Initial Reconciliation Via Scheduled Task

From this release onward, initial reconciliation is no longer performed using the racf-initial-recon-adapter deployment. Instead, initial reconciliation is supported via the RACF Reconcile All Users scheduled task.

Support for User's Dataset Reconciliation

From this release onward, user's dataset membership can be reconciled using the RACF Find User's Datasets scheduled task. The list of datasets is stored by default in the Lookup.UsersDatasets lookup definition.

Resolved Issues in Release 9.0.4.15

The following table lists issues resolved in release 9.0.4.15:

Bug Number Issue Resolution
11809955 Need to certify the connector to operate with z/OS V1.12 This issue has been resolved. The connector is certified to operate with z/OS V1.12 in this release.
11738283 Need to enhance IBM RACF Advanced Pioneer/Voyager agent to support z/OS Mainframe Application. This issue has been resolved. The IBM RACF Advanced Pioneer/Voyager agent has been enhanced to support z/OS Mainframe Application.
10312927 Dataset reconciliation is not supported. This issue has been resolved. The dataset name reconciliation is now supported. Additional dataset attribute reconciliation will be included in a future release.
10279466 Unable to import RACFADV.XML This issue has been resolved. Importing RACFADV.XML file is now possible.
10264127 The Create Alias is not a defined z/OS process. This issue has been resolved. The proper command is an IDCAMS – DEFINE ALIAS.
9911671 Reconciliation agent does not shut down using the F Voyager shut down. This issue has been resolved. Reconciliation agent now shuts down using the F Voyager shut down.
7201081 Need to split Mainframe into four catalogs. This issue has been resolved. Mainframe is split into four catalogs.
7033009 Special characters are not supported in the user profile ID string. This issue has been resolved. Special characters are supported in this release.
6900952 Default group shows up in both parent and child forms. This is no longer considered an issue. RACF includes the default group in the group membership listing for a user, so default groups will continue to be listed on both forms.
5733395 Two LAST CONNECT DATE are displayed when provisioning OIMRACF. This issue has been resolved. LAST CONNECT DATE is no longer displayed when provisioning OIMRACF.
5566736 Hardcoded strings such as "Dataset Name" and "Dataset Access" appears when provisioning RACF Advanced resource. This issue has been resolved. The hardcoded strings does not appear when provisioning RACF Advanced resource.

Software Updates in Release 9.0.4.14

The following are the software updates in release 9.0.4.14:

Support for New Script for Oracle Identity Manager 11g Release (11.1.1)

From this release onward, new script and lib directories are provided for Oracle Identity Manager 11g release 1 (11.1.1) to enable jar and property files to be picked up directly from this new location. See Section 3.1, "Files and Directories That Comprise the Connector" and Section 3.3, "Before Running the Connector Installer" for usage instructions.

Resolved Issues in Release 9.0.4.14

The following table lists issues resolved in release 9.0.4.14:

Bug Number Issue Resolution
10224186 Reconciliation of multiple IT resource for the same target system is not supported. This issue has been resolved. Reconciliation of multiple IT resource for the same target system is now supported.
10304189 Unable to remove the IBM RACF user from the default group. This issue has been resolved. The IBM RACF user can now be removed from the default group.

Software Updates in Release 9.0.4.13

The following are the software updates in release 9.0.4.13:

Support for New Oracle Identity Manager Release

From this release onward, the connector can be installed and used on Oracle Identity Manager 11g release 1 (11.1.1). Where applicable, instructions specific to this Oracle Identity Manager release have been added in the guide.

See Section 1.1, "Certified Components" for the full list of certified Oracle Identity Manager releases.

Support for Request-Based Provisioning

From this release onward, the connector provides support for request-based provisioning on Oracle Identity Manager 11g release 1 (11.1.1).

See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more information.

Resolved Issues in Release 9.0.4.13

The following table lists issues resolved in release 9.0.4.13:

Bug Number Issue Resolution
10075543 The status of resource allocation on Oracle Identity Manager was Provisioned even when the Create User provisioning operation failed. This issue has been resolved. The status of the resource now correctly reflects the outcome of the provisioning operation.
9911671 The Reconciliation Agent could not be shut down by running the F VOYAGER,SHUTDOWN command. This issue has been resolved. The F VOYAGER,SHUTDOWN command now works as expected.

Software Updates in Release 9.0.4.12

The following table lists issues resolved in release 9.0.4.12:

Bug Number Issue Resolution
9962145 Passwords were displayed in clear text in the logs for the Provisioning Agent. This issue has been resolved. Passwords are not recorded in the logs.
9031465 During initial reconciliation, a trusted source reconciliation run was immediately followed by target resource reconciliation. This issue has been resolved. A trusted source reconciliation run is not followed by target resource reconciliation.
7199039 The Resume User (that is, Enable User) provisioning operation worked correctly on the target system. However, the status in Oracle Identity Manager was not correct. This issue has been resolved. The status in Oracle Identity Manager is now set correctly.
7193225 During a provisioning operation, the tsoProc attribute was updated on the target system even when the TSO Proc Updated process task was rejected on Oracle Identity Manager. This issue has been resolved. The tsoProc attribute on the target system is modified only when the TSO Proc Updated process task is successfully run on Oracle Identity Manager.
7024223 The initial reconciliation scripts for this connector and the Oracle Identity Manager Connector for CA ACF2 had the same name. This issue has been resolved. The initial reconciliation scripts have been given new names.
6901000 User status reconciliation was not available by default. After deploying the connector, you had to set up status reconciliation. This issue has been resolved. User status reconciliation is now available by default.

Software Updates in Release 9.0.4.11

Support for New Target System Attributes

The following target system attributes have been added for reconciliation and provisioning:

CICS_OPCLASS

CICS_OPIDENT

CICS_OPPRTY

CICS_RSLKEY

CICS_TIMEOUT

CICS_TSLKEY

CICS_XRFSOFF

NETVIEW_CONSNAME

NETVIEW_CTL

NETVIEW_DOMAINS

NETVIEW_IC

NETVIEW_MSGRECVR

NETVIEW_NGMFADMN

NETVIEW_NGMFVSPN

NETVIEW_OPCLASS

OMVS_ASSIZEMAX

OMVS_AUTOUID

OMVS_SHARED

OMVS_CPUTIMEMAX

OMVS_FILEPROCMAX

OMVS_MEMLIMIT

OMVS_MMAPAREAMAX

OMVS_PROCUSERMAX

OMVS_SHMEMMAX

OMVS_THREADSMAX

Support for Running IBM z/OS Batch Jobs Through the Provisioning Agent

From this release onward, the Provisioning Agent can be configured to run IBM z/OS batch jobs corresponding to provisioning functions you specify. See the following for more information:

Support for IBM z/OS version 1.11

From this release onward, IBM z/OS version 1.11 is one of the certified target system identity repositories. This operating system version has been added in Section 1.1, "Certified Components."

Resolved Issues in Release 9.0.4.11

The following table lists issues resolved in release 9.0.4.11:

Bug Number Issue Resolution
8935868 The Reconciliation Agent failed and would not recover correctly if the LDAP Gateway was stopped or failed and was then restarted. This issue has been resolved. The Reconciliation Agent does not fail if the LDAP Gateway is restarted after it fails or is stopped.
9037350 While deploying the connector, you had to copy the following files into the OIM_HOME/xellerate/JavaTasks directory:

scripts/initialRacfAdv.properties

scripts/run_initial_recon_provisioning.sh

scripts/run_initial_recon_provisioning.bat

scripts/racf-adv-initial-recon.jar

The properties file contains details of the target system host computer. If you had multiple nodes, then you had to modify the properties file each time you wanted to run it on a different node.

This issue has been resolved. For each node of the target system, you can create directories inside the JavaTasks directory and then create copies of all the script files inside each directory. For example, you can create directories with names JavaTasks/racf1, JavaTasks/racf1, JavaTasks/racf1, and so on, and create copies of the script files in each directory.
9182884 An error related to IBM RACF error code prefixes was sometimes thrown without due cause. This issue has been resolved.

Software Updates in Release 9.0.4.4

The following table lists issues resolved in release 9.0.4.4:

Bug Number Issue Resolution
7286016 On certain UK operating environments, a mainframe code page of GB was used instead of the default UK. This caused the mainframe agents to use the American pound symbol instead of the British pound symbol. This issue has been resolved. The mainframe agents have been rebuilt to include the GB code page.

Software Updates in Release 9.0.4.3

The following is a software updates in release 9.0.4.3:

Support for IBM z/OS version 1.9

From this release onward, IBM z/OS version 1.9 is one of the certified target system identity repositories. This operating system version has been added in Section 1.1, "Certified Components."

Software Updates Up to Release 9.0.4.2

The following are software updates up to release 9.0.4.2:

Documentation-Specific Updates

The following sections discuss documentation-specific updates:

Documentation-Specific Updates in Release 9.0.4.24

The following are the documentation-specific updates in revision "24" of this guide:

The following are the documentation-specific updates in revision "23" of this guide:

Note:

After release 9.0.4.23 of this connector, there has been no major release. Release 9.0.4.24 of the connector was a bundle patch release. Therefore, this document directly provides updates to release 9.0.4.25 of this connector.

The following are the documentation-specific updates in revision "22" of this guide:

Documentation-Specific Updates in Release 9.0.4.23

The following documentation-specific updates have been made in revision "21" of release 9.0.4.23:

The following documentation-specific updates have been made in revision "20" of release 9.0.4.23:

Documentation-Specific Updates in Release 9.0.4.22

The following are the documentation-specific updates in release 9.0.4.22:

Documentation-Specific Updates in Release 9.0.4.21

There are no documentation-specific updates in release 9.0.4.21.

Documentation-Specific Updates in Release 9.0.4.20

The following are the documentation-specific updates in release 9.0.4.20:

  • Table 3-3 has been added for the Log files and their contents.

  • The subpool size and the maximum amount of storage values have been updated.

  • A note on the requirement of //SYSOUT has been added.

  • The code for STC (Started Task) for Pioneer has been updated.

  • New source code lines have been added.

  • The flow for the full reconciliation for user IDs and groups has been updated with the new steps.

  • New Rexx clists SERCHDAT and SERCHFAC have been added.

  • A note on submitting the SERCHFAC and SERCHDAT via the LDAP has been added.

Documentation-Specific Updates in Release 9.0.4.19

The following are the documentation-specific updates in release 9.0.4.19:

Documentation-Specific Updates in Release 9.0.4.17

The following are the documentation-specific updates in release 9.0.4.17:

  • In the entire guide, racfConnection.properties has been changed to VOYAGER_ID.properties.

  • See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more details on pioneer and voyager.

  • In chapter 5, "Extending the functionality of the connector", a new Section 5.7, "Configuring the Connector for Reconciliation of Multiple Installations of the Target System," has been added.

  • In Table 5-1, new attributes have been added.

Documentation-Specific Updates in Release 9.0.4.16

The following are the documentation-specific updates in release 9.0.4.16.

Documentation-Specific Updates in Release 9.0.4.15

There are no documentation-specific updates in release 9.0.4.15.

Documentation-Specific Updates in Release 9.0.4.14

There are no documentation-specific updates in release 9.0.4.14.

Documentation-Specific Updates in Release 9.0.4.13

There are no documentation-specific updates in release 9.0.4.13.

Documentation-Specific Updates in Release 9.0.4.2 through 9.0.4.12

The following sections discuss documentation-specific updates have been made in releases 9.0.4.2 to 9.0.4.12: