You deploy the Reconciliation Agent on the mainframe. The following sections describe the installation and configuration of the Reconciliation Agent and the exits used by the agent:
To deploy the Reconciliation Agent:
Transmit or FTP the etc/Provisioning and Reconciliation Connector/OIMIDFEX.SAVF file from the installation media to any directory on the mainframe.
Note:
In this guide, the directory to which the OIMIDFEX.SAVF file is transmitted is referred to as LSVALGAARD.
To view the contents of the OIMIDFEX.SAVF file, run the DSPSAVF command as follows:
DSPSAVF FILE(SAMPLIB/OIMIDFEX)
The following is the output of the DSPSAVF command:
==============================================================================
Display Saved Objects - Save File ,
Library saved . . . : ORIGLIB Release level . . . :
V4R5M0
ASP . . . . . . . . : 1 Data compressed . . : No
Save file . . . . . : OIMIDFEX Objects displayed . : 3
Library . . . . . : ORIGLIB Objects saved . . . : 3
Records . . . . . . : 688 Access paths . . . . : 0
Save command . . . . : SAVOBJ
Save active . . . . : *NO
Save date/time . . . : 01/20/07 01:28:35
Type options, press Enter.
5=Display saved data base file members
Opt Object Type Attribute Owner Size (K) Data
XUSRPWD *PGM CLE ORIGLIB 236 YES
NOTIFY *PGM CLE ORIGLIB 68 YES
QCSRC *FILE PF ORIGLIB 24 YES
F3=Exit F12=Cancel
===============================================================================
Restore the objects in the OIMIDFEX.SAVF file by running the RSTOBJ (restore object) command. The following is the syntax of this command:
RSTOBJ OBJ(*ALL) SAVLIB(ORIGLIB) DEV(*SAVF) SAVF(SAMPLIB/OIMIDFEX) RSTLIB(NEWLIB)
The RSTOBJ command saves the restored objects in a new target library. In the command:
The SAVLIB parameter accepts the original library name as input. In the command, replace ORIGLIB with the original library name.
DEV(*SAVF) indicates that a savefile is used.
The SAVF parameter accepts the directory name and file name of the savefile.
The RSTLIB parameter accepts the new library in which you restore the savefile objects. In the command, replace NEWLIB with the name of the new library.
If required, specify the general public library (QGPL) as the new target library. The QGPL is an existing library on IBM AS/400 that can be used by the system or a user.
The connector exits are engineered to be the last exits called in sequence, allowing existing exits to function normally. To install the exits for the Reconciliation Agent:
Note:
The Reconciliation Agent can be installed using either a menu-driven or a command-driven installation protocol. The following procedure assumes the use of a menu-driven protocol.
Log in to the IBM AS/400 system as a system administrator.
Ensure that the connector library files and objects are present in the LSVALGAARD directory. See the preceding section for more information.
Start the WRKREGINF User Exit Registration program, as shown:
Parameters or command
===> WRKREGINF
In IBM AS/400, exit programs are called dynamically. This means that if an exit program is registered with the system, then you can replace the program with a new version, without registering the new version.
You must register the exit points that are required for the Reconciliation Agent with IBM AS/400. From the menu that is displayed when you run the WRKREGINF program, select option 8 for the exit points that you want to register, either as a group or one at a time. The following exits are registered:
QIBM_QSY_CHG_PROFILE CHGP0100 *YES Change User Profile QIBM_QSY_CRT_PROFILE CRTP0100 *YES Create User Profile QIBM_QSY_DLT_PROFILE DLTP0200 *YES Delete User Profile - before QIBM_QSY_RST_PROFILE RSTP0100 *YES Restore User Profile QIBM_QSY_VLD_PASSWRD VLDP0100 *YES Validate Password
Each exit point has an exit point format associated with it. The format that is passed to the exit program determines the format of the other information passed to it.
The CHG_PROFILE (change), CRT_PROFILE (create), and DLT_PROFILE (delete) exit points are used to change, create, and delete user profiles, respectively.
Note:
Deleting a user profile can take a long time because a user may own multiple objects, and therefore, be present on many lists and internal tables. After a user is deleted, cleaning up all the entries for the user takes a long time to process. Therefore, you can use a batch job to run the cleanup process. There are two delete points: before the start of the cleanup job and at the end of the cleanup job. This means that in the process of deleting the user profile, there are only two times when actions are monitored. The Reconciliation Agent monitors only the delete point before the cleanup job.
Register the following exit points:
RST_PROFILE (restore): This is used when user profiles are restored from a save file during a normal operation, and not during the restore operation of the entire system.
VLD_PASSWRD: This is called when the password is changed by the user.
Note:
The RST_PROFILE exit point is not called when a user profile is created with the initial password or when the security administrator changes the password for a user. This IBM design limitation has been fixed in IBM AS/400 V5R4 by introducing another exit point called QIBM_QSY_CHK_PASSWRD.
XUSRPWD: This must be registered with QIBM_QSY_CHG_PROFILE. However, when you try to register, you might find that there is an existing exit program registered for this point. In the following code block, QGLDPUEXIT represents this exit point in the main system library QSYS, which implies that the IBM AS/400 system itself uses this exit point to extend its functionality.
Exit
Program Exit
Opt Number Program Library
1 XUSRPWD LSVALGAARD
2147483647 QGLDPUEXIT QSYS
You must also consider the Exit Program Number, which determines the order in which the exit programs run. The system exit program is typically the last to run in the processing order, and therefore, has a very large Exit Program Number (2147483647). Enter the Oracle Identity Manager custom user exit program and the library for it, and select option 1 for adding the exit program.
Press the Enter key. The Add screen is displayed with the following values:
Exit point . . . . . . . . . > QIBM_QSY_CHG_PROFILE Exit point format . . . . . > CHGP0100 Name Program number . . . . . . . > 1 1-2147483647, *LOW, *HIGH Program . . . . . . . . . . > XUSRPWD Name Library . . . . . . . . . > LSVALGAARD Name, *CURLIB Threadsafe . . . . . . . . . *UNKNOWN *UNKNOWN, *NO, *YES Multithreaded job action . . *SYSVAL *SYSVAL, *RUN, *MSG, *NORUN Text 'description' . . . . . *BLANK
Press the Enter key to add the program, and then press the F5 key to refresh the system to display the result.
Note:
An exit program runs in the environment (called an activation group) of the job or user issuing the command to call the exit program. Therefore, the current library (*CURLIB) value changes often and the system might not be able to locate the exit program. The library from which the system can find the exit program is usually hard coded into the exit program registration, as shown in the screen output.
Register the exit points as shown in the following screen output:
Note:
On IBM AS/400 V5R4, you also register the CHK_PASSWRD exit point.
Program Exit
Opt Number Program Library
1 XUSRPWD LSVALGAARD
2147483647 QGLDPUEXIT QSYS
Exit point: QIBM_QSY_CHG_PROFILE Format: CHGP0100
Exit point: QIBM_QSY_CRT_PROFILE Format: CRTP0100
Exit point: QIBM_QSY_DLT_PROFILE Format: DLTP0200
Exit point: QIBM_QSY_RST_PROFILE Format: RSTP0100
Exit point: QIBM_QSY_VLD_PASSWRD Format: VLDP0100
Enter the WRKSYSVAL command, and then scroll down to the following line:
QPWDVLDPGM *SEC Password validation program
The WRKSYSVAL command allows you to change the system values that control most of the system configuration.
Note:
Before the General Registration Facility was introduced, a password validation program was used. This was handled through the system value settings.
Select option 2 for QPWDVLDPGM.
After the XUSRPWD exit program is added to the various exit points, add the NOTIFY exit program to the exit points. The NOTIFY program notifies the LDAP Gateway of a real-time event. This exit program must be defined with Program Number 2, because it must be triggered after the XUSRPWD exit program is run. The NOTIFY exit program must be registered only for the CHGP0100, CRTP0100, and DLTP0200 exits.
This completes the installation of the Reconciliation Agent exits.
Note:
Do not specify an exit program instead of *REGFAC because this will interfere with an existing validation program. This method of specifying a validation program is no longer valid. The IBM AS/400 Advanced connector code does not support the obsolete validation program.
The QSECURITY system value determines the security level of the system. The highest (most secure) level is level 50. The IBM AS/400 Advanced connector is designed for and has been tested on level 50.
To configure the message transport layer on the IBM AS/400 system, you configure the NOTIFY exit IP address as follows:
Open the QCSRC/IPPARMS file for editing. This file contains the IP address and the port number of the LDAP Gateway. The NOTIFY exit takes the IP address and port number parameters for the LDAP Gateway (installed on the Oracle Identity Manager host computer) from the QCSRC/IPPARMS file.
The standard port number is 5490. This must be entered as a 6-digit number with zeros preceding the actual port number. For example, 5490 must be entered as 005490. The port number is followed by the colon (:) symbol, the LDAP Gateway host computer IP address, and then an additional colon symbol. For example:
005490:10.0.0.1:
The IP address and port number in the QCSRC/IPPARMS file identify the LDAP Gateway to notify real-time changes.
Note:
The port number must take up the first 6 character positions, with leading zeros in the number. A colon (:) is in the seventh character position. The IP address starts at the eighth character position and its size can vary, but it must be followed by a colon.
Save the QCSRC/IPPARMS file. This change for IBM AS/400 does not require an IPL.