This chapter provides an overview of the updates made to the software and documentation for the Oracle Identity Manager Advanced Connector for IBM RACF in release 9.0.4.25.
The updates discussed in this chapter are divided into the following categories:
This section describes updates made to the connector software. This section also points out the sections of this guide that have been changed in response to each software update.
Documentation-Specific Updates
This section describes major changes made to this guide. These changes are not related to software updates.
The following sections discuss the software updates:
The following are the software updates in release 9.0.4.25:
Support for Oracle Identity Manager 11g Release 2 PS2 and PS3
Replacement of DNS_RECOVERY_INTERVAL and IP_RECOVERY_INTERVAL Voyager Control Cards Input
Enhancement to the Scheduled Tasks for Lookup Field Synchronization
From this release onward, the connector no longer supports the real-time mode of reconciliation and it is no longer included in the connector package.
From this release onward, the connector can be installed and used on the following versions:
Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) and any later BP in this release track.
Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0) and any later BP in this release track.
These Oracle Identity Manager release versions are mentioned in Table 1-1, "Certified Components".
From this release onward, the connector adds support for z/OS 2.2 as a target system. This information is mentioned in Table 1-1, "Certified Components".
Note:
For z/OS 2.2 target system installation that supports special characters in passwords, the connector has been validated only for the at sign (@), number sign (#), and dollar sign ($) special characters.
The DNS_RECOVERY_INTERVAL and IP_RECOVERY_INTERVAL Voyager control cards input have been removed as they are no longer supported in Voyager. They have been replaced with the following new Voyager Control File parameters:
CONNECT_INTV=
CONNECT_RETRY=
EXTRACT=
If no value is set for the EXTRACT= parameter, then VOYAGER defaults to EXTRACT=Y.
Note:
It is recommended not to use EXTRACT=N.
See Table G-1, "Voyager Control File Parameters" for more information about these new Voyager Control File parameters.
From this release onward, the connector no longer supports the trusted source mode of reconciliation and it is no longer included in the connector package. Target source mode of reconciliation is still supported by the connector.
From this release onward, the scheduled tasks for lookup field synchronization can successfully reconcile deleted entitlements. In addition to the existing Append or Replace values for the Recon Type attribute, the scheduled jobs for lookup field synchronization provide support for a new value named Merge, which is now the default value.
See Section 4.2, "Scheduled Tasks for Lookup Field Synchronization" for more information about the values that you can set for the Recon Type attribute of the scheduled job.
The following table lists issues resolved in release 9.0.4.25:
Bug Number | Issue | Resolution |
---|---|---|
18781115 | When there was a mismatch between the encryption key used by the LDAP and mainframe agents, neither the LDAP gateway nor the agent specified the mismatch in the log file. | This issue has been resolved. |
19827155 | The policy key in RACF groups or entitlement child table (UD_GROUP) was being updated to null when a full reconciliation run was performed. | This issue has been resolved. The policy key is being updated with correct entitlements. |
20167028 | The RACF Advanced connector did not include timeouts in the LDAP connections to Oracle Identity Manager. This caused the connector to stop responding. | This issue has been resolved. The IT resource for the target system now includes two new parameters namely idfConnectTimeoutMS and idfReadTimeoutMS. If you are upgrading your connector to release 9.0.4.25 (not using a fresh installation) and there is customization in your production environment, then during connector upgrade, you must import IT Resource definition using the You can import the See Section 3.3, "Configuring the IT Resource" for more information about the new parameters. |
20562252 | The following Voyager message was incorrect: | This issue has been resolved. The message has been corrected to "IDMV109I VOYAGER WRITE SUCCESSFUL and the PIONEER_ID= control card is no longer supported." |
20564721 | The idf.schema file missed definitions for the UUID, krb5PrincipalRealm, and ipServiceProtocol LDAP attributes. | This issue has been resolved. The idf.schema file in LDAP has been updated now. |
20681560 | The RACF Deleted User Reconciliation Using OIM scheduled task caused a NullPointerException because it missed information about the domain from which deleted users were to be reconciled. | This issue has been resolved. The RACF Deleted User Reconciliation Using OIM scheduled task has been updated to include the Users List and domainOu attributes. See Section 4.4.3.2, "RACF Deleted User Reconciliation Using OIM" for more details about this scheduled task. |
20687226 | The ADDSD command to add dataset profile to IBM RACF did not complete successfully and returned the following error message: | This issue has been resolved. |
21195665 | Although uninstallation of the LDAP Gateway was successful, the following error was encountered when the IdentityForgeServiceUninstall.bat file was run: | This issue has been resolved. The error message is no longer displayed upon successful uninstallation of LDAP Gateway. |
21419200 | The run.sh and run.bat files had a dependency on the spring-expression-3.2.4.RELEASE library which failed to start the LDAP gateway. | This issue has been resolved. The missing dependency has been corrected in the run.sh and run.bat files. |
21542074 | The idfserver logs size and amount need to be configured or at least go to 100 MB. | The amount of log space for the idfserver log file can be modified now. The size of the log file can be configured from the default 10MB to the maximum size which can be set before the rollover. See Section 3.4.4.1, "Enabling Logging for the LDAP Gateway" for more details. |
21659079 | A Create User or Modify User provisioning operation failed and the following RACF message and code was encountered: | This issue has been resolved. The connector processing has been corrected to ignore this message for successful creation or modification of a user. |
21780125 | The following exception was encountered during a RACF Reconcile Deleted Users scheduled task run: JAVA.LANG.NULLPOINTEREXCEPTION | This issue has been resolved. The JAVA.LANG.NULLPOINTEREXCEPTION has been addressed now. |
21869258 | Although the sap-ecc-agent.jar file was not included with the RACF Gateway files, the run.sh and run.bat files contained the following entry: | This issue has been resolved. The reference to the sap-ecc-agent.jar file has been removed from the run.sh and run.bat files. |
21869254 | The run.sh and run.bat files contained the following incorrect entry due to which LDAP Gateway failed to start: | This issue has been resolved. The value of the jar file has been corrected in the run.sh and run.bat files. The correct value is ojdl.jar. |
22451595 | Passwords were being logged in clear text in DEBUG mode. | This issue has been resolved. Passwords are now masked by asterisk (*) in the log file. |
22553251 | The DCB value for the CREATDSN member of the JCLLIB partition dataset and REXXOUT data set was incorrect. This caused reconciliation to not work accurately as some reconciliation records may not have been selected. | This issue has been resolved. The DCB value has been updated to DSORG=PS,RECFM=FB,LRECL=300,BLKSIZE=0. Reconciliation is now performed successfully. |
22650535 | The following error was encountered when the ALTUSER command contained an apostrophe (') in the INSTDATA or NAME attributes: | This issue has been resolved. The ALTUSER command containing apostrophe in INSTDATA or NAME processing has been corrected now. |
22717070 | Pioneer displayed a success message when the DELDSD command was run, but idfserver.log reported it as failed. Therefore, DELUSER command was rejected with the following RACF message and code: | This issue has been resolved. The DELDSD command processing has been corrected now and is no longer causing this issue. |
23026137 | Intermittent failures were reported for the ADDUSER and ALTUSER command processing. | This issue has been resolved. The processing of the ADDUSER and ALTUSER commands has been corrected. |
23107391 | When RACF requested AddUserToGroup task, the request was rejected by the zSecure command verifier and Oracle Identity Manager received 0 response code. To address this issue, the ability to customize the response code based on Pioneer error messaging exceptions in the gateway was required. | This issue has been resolved. The existing error handling routines have been enhanced to allow for the ability to configure that a request sent to Pioneer has succeeded or failed. See Section 5.11, "Handling PIONEER Error Messaging Exceptions in the Gateway" for more information. |
23626975 | Group assignments to users failed with the error code 1. | This issue has been resolved. Group assignments are processed correctly. |
The following are the software updates in release 9.0.4.24:
Note:
Documentation for release 9.0.4.24 of the connector is skipped on Oracle Help Center because release 9.0.4.23 BPE of the connector is considered as release 9.0.4.24.
From this release onward, the connector supports a new SECURE_ID program that encrypts a RACF userid for usage with Pioneer. This information is also discussed in Section 2.1, "IDF Mainframe Adapters Functional Characteristics."
From this release onward, the connector supports the new SECURE_ID= Pioneer Parameter for SECURE_ID= processing. This information is also discussed in Section 2.1, "IDF Mainframe Adapters Functional Characteristics."
From this release onward, this function is used for only RACF, LIST, and SEARCH functions in Pioneer and Voyager. This information is also discussed in Section 2.1.1, "Pioneer."
From this release onward, the connector supports writing SMF type 245 subtype 1 and 2 records. When the Pioneer parameter SMF=N is specified, all RACF non-LIST functions will use IDFRADMN to process the RACF commands. If SMF=Y is specified, then IDFRADMS will be used to process the RACF commands and create SMF records. This information is also discussed in Section 2.1.1, "Pioneer" and Appendix G, "Voyager and Pioneer Control File Parameters."
From this release onward, Pioneer start calls three programs that will aid in the validation of Pioneer's RACF Userid permissions. IDFGETIF extracts JOBNAME, JOBID and USERID. IDFCHKAU verifies that RACF userid has the permission to "read" the security facility that Pioneer requires. IDFCHKIR verifies that RACF userid has the permission to "read" the "irr.radmin.*" profiles required for MYRADMIN, IDFRADMN, and IDFRADMS. This information is also discussed in Section 2.3.9, "Testing the Installation."
From this release onward, IBM's IDCAMS functions (DEFINE, DELETE, and LIST) are incorporated internally by Pioneer. Batch execution is no longer required. This information is also discussed in Section 2.1.1, "Pioneer."
The following table lists issues resolved in release 9.0.4.24:
Bug Number | Issue | Resolution |
---|---|---|
18272376 | The Pioneer and Voyager agents that have to be installed on the Mainframe system as part of the RACF connector for Oracle Identity Manager need to be enhanced. | This issue has been resolved. For more information, see Oracle Identity Manager Connector Guide for IBM RACF Advanced. |
19261863 | A COBOL run-time condition, IGZ0074S, occurred during execution of program PIONEERX. | This issue has been resolved. The sequential instruction to be executed in program PIONEERX was at displacement 00018A3C, and has now been fixed. |
The following are the software updates in release 9.0.4.23:
From this release onward, the connector no longer supports the real-time mode of reconciliation and it is no longer included in the connector package.
Note:
As of RACF 9.0.4.23 and above, all reconciliation is performed via scheduled tasks.
From this release onward, the connector can be installed and used on Oracle Identity Manager 11g release 2 (11.1.2.0.1) or later.
This information is also discussed in Section 1.1, "Certified Components."
From this release onward, the connector supports provisioning of updates to a user's default group. When a change default group request is provisioned to the target system, the LDAP gateway automatically adds the user to the new default group, and then updates the user's DFLTGRP attribute to the new group. This information is also discussed in Section 1.5.3, "User Attributes for Target Resource Reconciliation and Provisioning."
From this release onward, the connector supports the use of universal groups in provisioning and reconciliation operations. Universal groups can have an unlimited number of AUTH(USE) userIDs on the target system. This information is also discussed in Table 3-5 in Section 3.9, "Installing and Configuring the LDAP Gateway."
The following table lists issues resolved in release 9.0.4.23:
Bug Number | Issue | Resolution |
---|---|---|
16568815 | The FindAllDatasets scheduled task did not reconcile datasets whose dataset name started with a pound (#) character. | This issue has been resolved. The LDAP gateway can now reconcile datasets that begin with a pound character. |
16444260 | RACF form password did not follow UD_formname_PASSWORD naming convention, so password policies were not triggered. | This issue has been resolved. The RACF form field for passwords has been renamed to follow the UD_formname_PASSWORD context so that password policies are automatically triggered. |
13791726 | User names containing apostrophes (') were truncated during provisioning operations. | This issue has been resolved. Apostrophes are no longer causing the CN or NAME fields to be truncated. |
16477390 | Provisioning operations failed if user names contained special characters (for example, accent marks). | This issue has been resolved. Use of special characters in user names is no longer causing provisioning operations to fail. |
The following are the software updates in release 9.0.4.22:
As of this release, STARTUP is no longer required to build the Subpool for Voyager. There is a new Voyager control file parameter for the STARTUP integration into Voyager. The parameter is SUBPOOL_SIZE=. Additionally, a new feature has been added to Voyager. The feature is controlled by a Voyager control file parameter, PIONEER_ID=. The following three parameters are now optional in the Voyager control file:
DELAY=
STARTDELAY=
PRTNCODE=
The parameter section for Voyager has been updated to reflect the changes. No STC ddnames have changed in Voyager. WRAPUP also has been incorporated in Voyager. Both STARTUP and WRAP procedures and programs will be included in the distribution. See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more details.
The batch interface for ALIAS processing and SEARCH classes has now been moved to be processed internally by Pioneer. The following three control file parameters have been removed and are no longer needed:
RWAIT=
JWAIT=
QUEUE_DSN=
All parameters for Pioneer are now contained in the control file. Pioneer STC ddnames have been changed:
From | To |
---|---|
//RECONJCL - | Removed |
//INJCLR- | Removed |
Pioneer's TCP message size has changed from 32K to 65K. Pioneer's INITAPI now sets MAXSOC to 5000 sockets. Pioneer's Read Socket logic was modified to ignore any inbound message size less than 1600 bytes. The LDAP sends only 1600 bytes.
Pioneer's Rexx clist library now contains only the following clists. They are called internally by Pioneer using "IRXJCL".
IDFRACFC
RACFUSRP
RACFUSRG
RACFUSRD
See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more details.
The following table lists issues resolved in release 9.0.4.22:
Bug Number | Issue | Resolution |
---|---|---|
15865759 | The RACF reconciliation gives a string index out of bound exception error. | This issue has been resolved. After the configuration change, RACF reconciliation is now successful. |
14761989 | The DeleteAlias method is missing in racf-provisioning-adapter.jar. | This issue has been resolved. Now the DeleteAlias function has been added to the provisioning jar. |
14761829 | During instant reconciliation, the callingendofjobapi was not called. | This issue has been resolved. The callingendofjob() has been added for 11G R1 and R2. |
14693734 | Users exist with multiple resource objects for the same account. | This issue has been resolved. This is part of the new persistence architecture that is explained in the connector document. |
14544980 | The RACF command crashes due to the RACF Advanced connector exits. | This issue has been resolved. The exit has been fixed, and the RACF command now runs successfully. |
14479084 | The RACF connector does not show job status for group, data set and resource reconciliation. | This issue has been resolved. Now the connector shows job status successfully. |
14137090 | The RACF Advanced connector duplicates records. | This issue has been resolved. This is a part of the new persistence architecture that is explained in the connector document. |
13791726 | An apostrophe (') causes the name to be truncated in the RACF connector when provisioning from Oracle Identity Manager. | This issue has been resolved. You need to add double quotes (" ") to Oracle Identity Manager name form field. |
The following are the software updates in release 9.0.4.21:
From this release onward, the connector supports new RACF CREATDSN members. See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more details.
From this release onward, the Voyager and Pioneer Audit Examples have been included in the connector. See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more details.
The following are the software updates in release 9.0.4.20:
From this release onwards, the connector supports new datasets for Voyager and Pioneer. See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more details.
From this release onwards, the connector supports a new feature Audit log.
See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more details.
From this release onwards, the connector supports User-Defined Resources Reconciliation Queries. See Section 5.10, "LDAP Reconciliation Supported Queries" for more details.
The following table lists issues resolved in release 9.0.4.20:
Bug Number | Issue | Resolution |
---|---|---|
13905563 | Enhancement request for RACF connector for INJCLR1 and ReconJCL DD statements in Pioneer Started Tasks. | This issue has been resolved. The INJCLR1 and ReconJCL DD statements in Pioneer Started Tasks have been enhanced. |
14043036 | The connector needs to extend the functionality to import resources for custom class types. | This issue has been resolved. The latest RACF connector supports reconciling resources of class type. |
14091677 | The deployment fails with error when trying to deploy IBM RACF advanced connector on Oracle Identity Manager. | This issue has been resolved. Now the IBM RACF advanced can be successfully deployed on Oracle Identity Manager. |
14137090 | RACF advanced connector duplicates records. | This issue has been resolved. A parameter called Voyager Delay has been added. |
The following are the software updates in release 9.0.4.19:
From this release onwards, the connector supports new functions (create group, alter group, and delete group). See Section 1.5, "Connector Objects Used During Reconciliation and Provisioning," for details.
From this release onwards, the connector supports the following new parameters in the property file: _useExtractUser_, _configExtractAttrs_, and _allowDeleteDS_. See Table 3-5 for more details.
From this release onwards, the connector supports enhanced reconciliation. See Section 5.11, "Use and Build Custom Real-Time Reconciliation Adapter," and Section 5.10, "LDAP Reconciliation Supported Queries" for more details.
The following are the software updates in release 9.0.4.17:
From this release onward, change-based reconciliation using a single LDAP gateway installation from multiple target resource systems is supported. As part of this update, the VOYAGER_ID.properties file (previously known as racfConnection.properties) must be renamed to match the Voyager server's VOYAGER_ID control file property.
Pioneer's Dataset Definition (DD) for SYSTSPRT has been changed from RECFM=F to RECFM=FB. Changes were made in the called programs RACFUSRP and RACFUSRG. Disk space for the file is now blocked, better utilizing the file space.
Voyager has a new parameter in the control file. The parameter is VOYAGER_ID=xxxxxxxx, where xxxxxxxx is an 8-character unique identifier for Voyager. See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for details.
There are no software updates in release 9.0.4.16.
The following table lists issues resolved in release 9.0.4.16:
The following are the software updates in release 9.0.4.15:
From this release onward, the connector includes scheduled tasks for storing all resources, groups, and datasets in lookup definitions. These lookups are used during the provisioning process, allowing the user to select an existing group, resource, or dataset from a lookup list, instead of manually entering the name in the provisioning form.
From this release onward, initial reconciliation is no longer performed using the racf-initial-recon-adapter deployment. Instead, initial reconciliation is supported via the RACF Reconcile All Users scheduled task.
From this release onward, user's dataset membership can be reconciled using the RACF Find User's Datasets scheduled task. The list of datasets is stored by default in the Lookup.UsersDatasets lookup definition.
The following table lists issues resolved in release 9.0.4.15:
Bug Number | Issue | Resolution |
---|---|---|
11809955 | Need to certify the connector to operate with z/OS V1.12 | This issue has been resolved. The connector is certified to operate with z/OS V1.12 in this release. |
11738283 | Need to enhance IBM RACF Advanced Pioneer/Voyager agent to support z/OS Mainframe Application. | This issue has been resolved. The IBM RACF Advanced Pioneer/Voyager agent has been enhanced to support z/OS Mainframe Application. |
10312927 | Dataset reconciliation is not supported. | This issue has been resolved. The dataset name reconciliation is now supported. Additional dataset attribute reconciliation will be included in a future release. |
10279466 | Unable to import RACFADV.XML | This issue has been resolved. Importing RACFADV.XML file is now possible. |
10264127 | The Create Alias is not a defined z/OS process. | This issue has been resolved. The proper command is an IDCAMS – DEFINE ALIAS. |
9911671 | Reconciliation agent does not shut down using the F Voyager shut down. | This issue has been resolved. Reconciliation agent now shuts down using the F Voyager shut down. |
7201081 | Need to split Mainframe into four catalogs. | This issue has been resolved. Mainframe is split into four catalogs. |
7033009 | Special characters are not supported in the user profile ID string. | This issue has been resolved. Special characters are supported in this release. |
6900952 | Default group shows up in both parent and child forms. | This is no longer considered an issue. RACF includes the default group in the group membership listing for a user, so default groups will continue to be listed on both forms. |
5733395 | Two LAST CONNECT DATE are displayed when provisioning OIMRACF. | This issue has been resolved. LAST CONNECT DATE is no longer displayed when provisioning OIMRACF. |
5566736 | Hardcoded strings such as "Dataset Name" and "Dataset Access" appear when provisioning RACF Advanced resource. | This issue has been resolved. The hardcoded strings do not appear when provisioning RACF Advanced resource. |
The following are the software updates in release 9.0.4.14:
From this release onward, new script and lib directories are provided for Oracle Identity Manager 11g release 1 (11.1.1) to enable jar and property files to be picked up directly from this new location. See Section 3.1, "Files and Directories That Comprise the Connector" and Section 3.3, "Before Running the Connector Installer" for usage instructions.
The following table lists issues resolved in release 9.0.4.14:
Bug Number | Issue | Resolution |
---|---|---|
10224186 | Reconciliation of multiple IT resource for the same target system is not supported. | This issue has been resolved. Reconciliation of multiple IT resource for the same target system is now supported. |
10304189 | Unable to remove the IBM RACF user from the default group. | This issue has been resolved. The IBM RACF user can now be removed from the default group. |
The following are the software updates in release 9.0.4.13:
From this release onward, the connector can be installed and used on Oracle Identity Manager 11g release 1 (11.1.1). Where applicable, instructions specific to this Oracle Identity Manager release have been added in the guide.
See Section 1.1, "Certified Components" for the full list of certified Oracle Identity Manager releases.
From this release onward, the connector provides support for request-based provisioning on Oracle Identity Manager 11g release 1 (11.1.1).
See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more information.
The following table lists issues resolved in release 9.0.4.13:
Bug Number | Issue | Resolution |
---|---|---|
10075543 | The status of resource allocation on Oracle Identity Manager was Provisioned even when the Create User provisioning operation failed. | This issue has been resolved. The status of the resource now correctly reflects the outcome of the provisioning operation. |
9911671 | The Reconciliation Agent could not be shut down by running the F VOYAGER,SHUTDOWN command. | This issue has been resolved. The F VOYAGER,SHUTDOWN command now works as expected. |
The following table lists issues resolved in release 9.0.4.12:
Bug Number | Issue | Resolution |
---|---|---|
9962145 | Passwords were displayed in clear text in the logs for the Provisioning Agent. | This issue has been resolved. Passwords are not recorded in the logs. |
9031465 | During initial reconciliation, a trusted source reconciliation run was immediately followed by target resource reconciliation. | This issue has been resolved. A trusted source reconciliation run is not followed by target resource reconciliation. |
7199039 | The Resume User (that is, Enable User) provisioning operation worked correctly on the target system. However, the status in Oracle Identity Manager was not correct. | This issue has been resolved. The status in Oracle Identity Manager is now set correctly. |
7193225 | During a provisioning operation, the tsoProc attribute was updated on the target system even when the TSO Proc Updated process task was rejected on Oracle Identity Manager. | This issue has been resolved. The tsoProc attribute on the target system is modified only when the TSO Proc Updated process task is successfully run on Oracle Identity Manager. |
7024223 | The initial reconciliation scripts for this connector and the Oracle Identity Manager Connector for CA ACF2 had the same name. | This issue has been resolved. The initial reconciliation scripts have been given new names. |
6901000 | User status reconciliation was not available by default. After deploying the connector, you had to set up status reconciliation. | This issue has been resolved. User status reconciliation is now available by default. |
The following target system attributes have been added for reconciliation and provisioning:
See Also:
Section 1.5.3, "User Attributes for Target Resource Reconciliation and Provisioning" for the full list of supported attributes.
CICS_OPCLASS
CICS_OPIDENT
CICS_OPPRTY
CICS_RSLKEY
CICS_TIMEOUT
CICS_TSLKEY
CICS_XRFSOFF
NETVIEW_CONSNAME
NETVIEW_CTL
NETVIEW_DOMAINS
NETVIEW_IC
NETVIEW_MSGRECVR
NETVIEW_NGMFADMN
NETVIEW_NGMFVSPN
NETVIEW_OPCLASS
OMVS_ASSIZEMAX
OMVS_AUTOUID
OMVS_SHARED
OMVS_CPUTIMEMAX
OMVS_FILEPROCMAX
OMVS_MEMLIMIT
OMVS_MMAPAREAMAX
OMVS_PROCUSERMAX
OMVS_SHMEMMAX
OMVS_THREADSMAX
From this release onward, the Provisioning Agent can be configured to run IBM z/OS batch jobs corresponding to provisioning functions you specify. See the following for more information:
From this release onward, IBM z/OS version 1.11 is one of the certified target system identity repositories. This operating system version has been added in Section 1.1, "Certified Components."
The following table lists issues resolved in release 9.0.4.11:
Bug Number | Issue | Resolution |
---|---|---|
8935868 | The Reconciliation Agent failed and would not recover correctly if the LDAP Gateway was stopped or failed and was then restarted. | This issue has been resolved. The Reconciliation Agent does not fail if the LDAP Gateway is restarted after it fails or is stopped. |
9037350 | While deploying the connector, you had to copy the following files into the OIM_HOME/xellerate/JavaTasks directory: scripts/initialRacfAdv.properties, scripts/run_initial_recon_provisioning.sh, scripts/run_initial_recon_provisioning.bat, scripts/racf-adv-initial-recon.jar. The properties file contains details of the target system host computer. If you had multiple nodes, then you had to modify the properties file each time you wanted to run it on a different node. | This issue has been resolved. For each node of the target system, you can create directories inside the JavaTasks directory and then create copies of all the script files inside each directory. For example, you can create directories with names JavaTasks/racf1, JavaTasks/racf1, JavaTasks/racf1, and so on, and create copies of the script files in each directory. |
9182884 | An error related to IBM RACF error code prefixes was sometimes thrown without due cause. | This issue has been resolved. |
The following table lists issues resolved in release 9.0.4.4:
Bug Number | Issue | Resolution |
---|---|---|
7286016 | On certain UK operating environments, a mainframe code page of GB was used instead of the default UK. This caused the mainframe agents to use the American pound symbol instead of the British pound symbol. | This issue has been resolved. The mainframe agents have been rebuilt to include the GB code page. |
The following is a software update in release 9.0.4.3:
From this release onward, IBM z/OS version 1.9 is one of the certified target system identity repositories. This operating system version has been added in Section 1.1, "Certified Components."
The following are software updates up to release 9.0.4.2:
IBM RACF user profile, group profile, and data set and resource profile commands supported by the Provisioning Agent have been added in the "Functionality Supported by the Pioneer Provisioning Agent" section.
The list of functions supported by the Provisioning Agent has been updated in Section 1.5.2, "Supported Functions for Provisioning."
The commands supported by the Reconciliation Agent have been added in Section 1.5.1, "Supported Functions for Target Resource Reconciliation."
The list of functions supported by the Reconciliation Agent has been updated in Section 1.5.1, "Supported Functions for Target Resource Reconciliation."
The list of fields reconciled between IBM RACF and Oracle Identity Manager has been updated in the Section 1.5.3, "User Attributes for Target Resource Reconciliation and Provisioning."
The IT resource parameters and their corresponding descriptions and sample values have been updated in Section 2.5, "Importing the Connector XML File."
The procedure to configure the connector for multiple installations of the target system has been added in Section 5.5, "Configuring the Connector for Multiple Installations of the Target System."
Known issues related to the following bugs have been added in Chapter 7, "Known Issues and Workarounds":
Bug 6668844
Bug 6904041
Bug 6920042
Bug 7033009
The following sections discuss documentation-specific updates:
The following are the documentation-specific updates in revision "24" of this guide:
The titles for Section 1.5.6, "Dataset Profile Attributes for Provisioning" and Section 1.5.7, "Resource Profile Attributes for Provisioning" have been modified to remove the "Target Resource Reconciliation" phrase.
Steps 4, 5c, and 7 of Section 3.5, "Installing and Configuring the LDAP Gateway" have been modified.
The Note in Step 3n of Section 5.3, "Adding Custom Fields for Provisioning" has been modified.
A Note about populating IMPORTG into the backend of the LDAP Gateway has been added to Step 5 of Section 5.7, "Initial LDAP Gateway Population and Full Reconciliation".
The "CONNECT_INTV" row of Table G-1, "Voyager Control File Parameters" has been updated from "CONNECT-INTV" to "CONNECT_INTV".
The description for parameter "VOYAGER_ID=" of Table G-2, "Pioneer Control File Parameters" has been modified.
The description for parameter "SMF=" of Table G-2, "Pioneer Control File Parameters" has been modified.
The description for parameter "DEBUGOUT=" of Table G-2, "Pioneer Control File Parameters" has been modified.
Additional parameters such as EBCDIC_COUNTRY_CODE and EBCDIC_TILDE_CHR have been added to Table G-1, "Voyager Control File Parameters" and Table G-2, "Pioneer Control File Parameters".
Information regarding the byte key to use for encrypting data has been modified from 160 byte to 16 byte in Step 1 of Appendix I, "Customizing AES Encryption Key".
References to ICHPWX01 and ICHRIX02 exits have been removed from the guide as they are no longer supported.
In Section 2.3.1, "Extracting the Files for Deployment from the Distribution Zip Archive File", "loadlib.xmi" has been replaced with "loadlib.xmi or linklib.xmi".
A note regarding extension file has been added in Section 2.3.1, "Extracting the Files for Deployment from the Distribution Zip Archive File".
The following updates have been made in Table 3-5, "Properties in the racf.properties File":
The property "configAttrs" is modified to "_configAttrs_".
The property "configDNames" is modified to "_configDNames_".
New properties "errormsg-sig-file" and "check-return-codes" have been added.
In Section 3.5, "Installing and Configuring the LDAP Gateway", Steps 8 and 9 have been modified to include information on Java versions.
The following are the documentation-specific updates in revision "23" of this guide:
Note:
After release 9.0.4.23 of this connector, there has been no major release. Release 9.0.4.24 of the connector was a bundle patch release. Therefore, this document directly provides updates to release 9.0.4.25 of this connector.
In Section 2.3.1, "Extracting the Files for Deployment from the Distribution Zip Archive File," the third bullet list was changed from "linklib.xmi" to "loadlib.xmi."
Information specific to the /ldapgateway/idfserver.jar beans.xml directory in Step 6.a of Section 3.5, "Installing and Configuring the LDAP Gateway," has been updated.
Appendix J, "Mainframe Language Environment Runtime Options" has been added.
SRCHLG has been changed to SEARCH CLASS (GROUP) throughout the guide.
KEYMODER has been changed to KEYMODR throughout the guide.
Ebcdic has been changed to EBCDIC throughout the guide.
The following are the documentation-specific updates in revision "22" of this guide:
The following information and sections have been removed as they are no longer supported by the connector:
References to Oracle Identity Manager releases 11.1.1 and 9.1.0.x.
All information pertaining to trusted source reconciliation.
VOYAGER_ID.properties and all the related content of this property.
JCL examples have been removed throughout the documentation as they can change in a Bundle Patch.
The occurrences of real-time reconciliation have been removed throughout the documentation as this is a deprecated function.
The following rows have been removed from Table 1-2, "Supported Provisioning Functions":
Modify group
Revoke user from group
Delete Group
Add Dataset
Modify Dataset
Delete Dataset
Define Resource
Modify Resource
Delete Resource
Define Alias
Delete Alias
Appendix D, "Relationship between the Pioneer (DDs), Voyager (DDs) and the INDDs"
Information in the following sections has been modified:
The name of the "RACF Reconcile Deleted Users to Oracle Identity Manager" scheduled task has been changed to "RACF Deleted User Reconciliation Using Oracle Identity Manager" throughout the guide.
Rows "agentPort", "configAttrs", "configDNames" and "port" of Table 3-5, "Properties in the racf.properties File".
The "Lookup Code Name" row of Table 4-1, "Attributes of the Find All Datasets and Find All Groups Scheduled Tasks" and Table 4-2, "Attributes of the Find All Resources Scheduled Task".
Scenarios have been updated in Section 1.4.3, "High Availability Feature of the Connector."
Section 5.1, "Adding Custom Fields for Target Resource Reconciliation"
Section 5.2, "Adding Custom Multivalued Fields for Reconciliation"
Section 5.4, "Removing Attributes Mapped for Target Resource Reconciliation"
The following information has been added:
Rows "Pioneer and Voyager" and "LDAP Gateway operating system and JDK" to Table 1-1, "Certified Components".
The following rows have been added to Table 3-5, "Properties in the racf.properties File":
isStreamingUsers
isStreamingGroups
_extractGrp_
resumeOnReset
secretKeyValue
trimOmvsUid
trimNum
newOmvsUidAttr
usePwdComplexLength
idMinLength
idMaxLength
pwdMinLength
pwdMaxLength
type
Section 4.4.4, "Configuring Filtered Reconciliation to Multiple Resource Objects"
The following rows have been added to Table 4-8, "Scheduled Tasks for Lookup Field Synchronization and Reconciliation":
RACF Reconcile Deleted Users to OIM
RACF Reconcile Users to Internal LDAP
RACF Reconcile All LDAP Users
Section 5.4, "Removing Attributes Mapped for Target Resource Reconciliation"
Section 5.11, "Handling PIONEER Error Messaging Exceptions in the Gateway"
The following documentation-specific updates have been made in revision "21" of release 9.0.4.23:
The "Oracle Identity Manager" row of Section 1.1, "Certified Components" has been modified.
Section 2.1, "IDF Mainframe Adapters Functional Characteristics" has been added.
CREATDSN: sample has been updated. For more details, see Section 2.3.4, "Editing the Mainframe Batch Job Files to Match the Settings for the Customer's Site."
Section 2.3.9, "Testing the Installation" has been updated with latest information.
VSAMPLE row has been updated with latest information. For more details, see Appendix B, "Pioneer Datasets."
Appendix D, "Provisioning Agent (Pioneer) Messages" has been updated with latest information.
Appendix G, "Voyager and Pioneer Control File Parameters" has been updated with latest information.
Appendix H, "Configuring RACF Starter User ID and Access for Voyager Agent and Pioneer Agent Started Tasks" has been added.
Appendix I, "Customizing AES Encryption Key" has been added.
The following documentation-specific updates have been made in revision "20" of release 9.0.4.23:
A new supported provisioning function, "Grant security attribute to user," has been added. For more details, see Table 1-2.
Additional High Availability scenarios have been added to the connector guide. For more details, see Section 1.4.3, "High Availability Feature of the Connector."
Group Attributes for Target Resource Reconciliation and Provisioning have been updated. For more details, see Section 1.5.4, "Group Attributes for Target Resource Reconciliation and Provisioning."
Security Attributes for Target Resource Reconciliation and Provisioning have been added. For more details, see Section 1.5.5, "Security Attributes for Provisioning."
Dataset Profile Attributes for Target Resource Reconciliation and Provisioning have been updated. For more details, see Section 1.5.6, "Dataset Profile Attributes for Provisioning."
Resource Profile Attributes for Target Resource Reconciliation and Provisioning have been updated. For more details, see Section 1.5.7, "Resource Profile Attributes for Provisioning."
Table 3-1 has been updated for location of files and directories.
Instructions specific to Oracle Identity Manager release 11.1.2.x have been added in the following sections:
Section 3.3, "Before Running the Connector Installer"
Table 3-3 has been updated for Last Modified Time Stamp.
A section on enabling logging for the LDAP Gateway and enabling logging in Oracle Identity Manager has been added. For more details, see Section 3.4.4, "Enabling Logging."
Section 4.2, "Scheduled Tasks for Lookup Field Synchronization" has been updated for the scheduled tasks for lookup field synchronization.
Section 4.3, "Configuring the Security Attributes Lookup Field" has been updated for new security attributes.
The information on Configuring Reconciliation has been added. For more details, see Section 4.4.1, "Configuring Incremental Reconciliation," Section 4.4.2, "Performing Full Reconciliation" and Section 4.4.3, "Reconciliation Scheduled Tasks."
Account Status Reconciliation section has been added to the connector guide. For more details, see Section 4.5, "Configuring Account Status Reconciliation."
The information on Configuring Scheduled Tasks has been added. For more details, see Section 4.6, "Configuring Scheduled Tasks."
The information to perform provisioning operations in Oracle Identity Manager Release 11.1.2 or later has been added. For more details, see Section 4.7, "Performing Provisioning Operations."
Custom Fields for Target Resource Reconciliation have been updated. For more details, see Section 5.1, "Adding Custom Fields for Target Resource Reconciliation."
Section 5.2, "Adding Custom Multivalued Fields for Reconciliation" has been added for Custom Multivalued Fields for Reconciliation.
Custom Fields for Provisioning have been updated. For more details, see Section 5.3, "Adding Custom Fields for Provisioning."
Section 5.7, "Initial LDAP Gateway Population and Full Reconciliation" has been updated for Initial LDAP Gateway Population and Full Reconciliation.
In Appendix D.1, "LISTINR and IDCAMS," LISTINR and IDCAMS functions have been added.
The following are the documentation-specific updates in release 9.0.4.22:
New sections on initial LDAP population and reconciliation process, and initial LDAP gateway population and reconciliation process have been added to the connector guide. See Section 1.3.2.2, "Initial LDAP Population and Reconciliation Process" and Section 5.7, "Initial LDAP Gateway Population and Full Reconciliation" for more details.
In Section 2.3.4, "Editing the Mainframe Batch Job Files to Match the Settings for the Customer's Site," CREATDSN: has been updated.
Section 2.3.9, "Testing the Installation" has been updated for executing voyager and JCL for Pioneer and Voyager started task.
In Section 2.3.8, "Adding Pioneer/Voyager to the Facility Class Profiles (IRR)," a note on IRR.RADMIN has been updated.
Appendix B, "Pioneer Datasets" has been updated for the file content value of the VSAMPLE.
Appendix D has been updated for the new values of the Pioneer DD, Voyager DD and INDDs.
There are no documentation-specific updates in release 9.0.4.21.
The following are the documentation-specific updates in release 9.0.4.20:
Table 3-3 has been added for the Log files and their contents.
The subpool size and the maximum amount of storage values have been updated.
A note on the requirement of //SYSOUT has been added.
The code for STC (Started Task) for Pioneer has been updated.
New source code lines have been added.
The flow for the full reconciliation for user IDs and groups has been updated with the new steps.
New Rexx clists SERCHDAT and SERCHFAC have been added.
A note on submitting the SERCHFAC and SERCHDAT via the LDAP has been added.
The following are the documentation-specific updates in release 9.0.4.19:
Four new files to support full imports on user IDs and groups have been added. See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more details.
In Section 5.3, "Adding Custom Fields for Provisioning," a note on enabling password interval provisioning has been added.
The following are the documentation-specific updates in release 9.0.4.17:
In the entire guide, racfConnection.properties has been changed to VOYAGER_ID.properties.
See Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" for more details on pioneer and voyager.
In Chapter 5, "Extending the functionality of the connector", a new Section 5.7, "Configuring the Connector for Reconciliation of Multiple Installations of the Target System," has been added.
In Table 5-1, new attributes have been added.
The following are the documentation-specific updates in release 9.0.4.16:
A new step (6) has been added in Section 3.5, "Installing and Configuring the LDAP Gateway" providing information about the configurations for setting up SSL in the LDAP Gateway.
A new Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF" has been added providing details about the processes that Pioneer does via LDAP initiation.
In Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF", commands and examples have been updated for Voyager and Pioneer specific information.
There are no documentation-specific updates in release 9.0.4.15.
There are no documentation-specific updates in release 9.0.4.14.
There are no documentation-specific updates in release 9.0.4.13.
The following documentation-specific updates have been made in releases 9.0.4.2 to 9.0.4.12:
Guidelines that were earlier documented in Chapter 7, "Known Issues and Workarounds" have been moved to Chapter 2, "Deploying the IDF Advanced Adapter for IBM RACF."
Information about enabling logging on the LDAP Gateway server has been added in Section 3.5, "Installing and Configuring the LDAP Gateway."
In Section 1.2, "Certified Languages," Arabic has been added to the list of languages that the connector supports.
The IBM MQ Series protocol for the message transport layer is no longer supported for this connector. All content related to this protocol has been removed from the guide.
In Section 1.1, "Certified Components," changes have been made in the second row.
Major changes have been made in the structure of the guide. In addition, all references to the prclib.xmi and parmlib.xmi files have been removed from the guide. These files will be introduced in a later release of the connector.
In Section 1.1, "Certified Components," the minimum Oracle Identity Manager release has been changed to 9.1.0.1 and the JDK requirement of release 1.5 or later has been added.
Appendix F, "Creating Custom Scheduled Tasks" provides code for creating custom scheduled tasks.
From this release onward:
The minimum certified release of Oracle Identity Manager is release 9.1.0.1 or later.
The minimum certified release of JDK is release 1.5.
See Section 1.1, "Certified Components" for the complete listing of certified components.