5 Extending the Functionality of the Connector

The following are optional procedures that you can perform to extend the functionality of the connector for addressing your business requirements:

5.1 Adding New Attributes for Target Resource Reconciliation

Note:

You must ensure that new attributes you add for reconciliation contain only string-format data. Binary attributes must not be brought into Oracle Identity Manager natively.

By default, the attributes listed in Table 1-3 are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new attributes for target resource reconciliation.

To add a new attribute for target resource reconciliation:

  1. The SingleValueAttributes and MultiValueAttributes properties of the AS400 User Reconciliation scheduled task contain the list of target system attributes that are mapped for reconciliation with Oracle Identity Manager. If you want to add an attribute for reconciliation, then add it to the list of attributes in the appropriate property.

  2. In the resource object definition, add a reconciliation field corresponding to the new attribute as follows:

    1. Open the Resource Objects form. This form is in the Resource Management folder.

    2. Click Query for Records.

    3. On the Resource Objects Table tab, double-click the OIMAs400ResourceObject resource object to open it for editing.

    4. On the Object Reconciliation tab, click Add Field to open the Add Reconciliation Field dialog box.

    5. Specify a value for the field name.

      You must specify the name that is to the left of the equal sign in the line that you uncomment or add while performing Step 1.

    6. From the Field Type list, select a data type for the field.

      For example: String

    7. Save the values that you enter, and then close the dialog box.

    8. If required, repeat Steps 4 through 7 to map more fields.

    9. If you are using Oracle Identity Manager release 11.1.1, then click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.

  3. If a corresponding field does not exist in the process form, then add a new column in the process form.

    1. Expand Development Tools.

    2. Double-click Form Designer.

    3. Search for and open the UD_AS400ADV process form.

    4. Click Create New Version, and then click Add.

    5. Enter the details of the field.

    6. Click Save and then click Make Version Active.

  4. Modify the process definition to include the mapping between the newly added attribute and the corresponding reconciliation field:

    1. Open the Process Definition form. This form is in the Process Management folder of the Design Console.

    2. Click the Query for Records icon.

    3. On the Process Definition Table tab, double-click the OIMAS400AdvProvisioningProcess process definition.

    4. On the Reconciliation Field Mappings tab, click Add Field Map to open the Add Reconciliation Field Mapping dialog box.

    5. From the Field Name list, select the reconciliation field that you added to the resource object in Step 2, substep 5.

    6. Double-click Process Data Field and select the corresponding process form field from the Lookup dialog box. Then, click OK.

    7. Click Save and close the dialog box.

5.2 Adding New Attributes for Provisioning

By default, the attributes listed in Table 1-3 are mapped for provisioning between Oracle Identity Manager and the target system. If required, you can map additional attributes for provisioning.

To add a new attribute for provisioning:

See Also:

Oracle Identity Manager Design Console Guide for detailed information about these steps

  1. Log in to the Design Console.

  2. Add the new attribute (field) on the process form as follows:

    1. Expand Development Tools.

    2. Double-click Form Designer.

    3. Search for and open the UD_AS400ADV process form.

    4. Click Create New Version, and then click Add.

    5. Enter the details of the field.

    6. Click Save and then click Make Version Active.

  3. To enable update of the attribute during provisioning operations, create a process task as follows:

    See Also:

    Oracle Identity Manager Design Console Guide for detailed information about these steps

    1. Expand Process Management, and double-click Process Definition.

    2. Search for and open the OIMAS400AdvProvisioningProcess process definition.

    3. Click Add.

    4. On the General tab of the Creating New Task dialog box, enter a name and description for the task and then select the following:

      Conditional

      Required for Completion

      Allow Cancellation while Pending

      Allow Multiple Instances

    5. Click Save.

    6. On the Integration tab of the Creating New Task dialog box, click Add.

    7. In the Handler Selection dialog box, select Adapter, click adpMODIFYUSER, and then click the Save icon.

      The list of adapter variables is displayed on the Integration tab.

    8. To create the mapping for the first adapter variable:

      Double-click the number of the first row.

      In the Edit Data Mapping for Variable dialog box, enter the following values:

      Variable Name: Adapter return value

      Map To: Process Data

      Qualifier: Return status

      Click the Save icon.

    9. To create mappings for the remaining adapter variables, use the data given in the following table:

      Variable Number | Variable Name | Map To       | Qualifier
      ----------------+---------------+--------------+---------------------
      Second          | idfResource   | IT Resource  | Not applicable
      Third           | uid           | Process Data | LoginId
      Fourth          | attrName      | Literal      | cn string
      Fifth           | attrValue     | Process Data | UD_AS400_NAME string

    10. Click the Save icon in the Editing Task dialog box, and then close the dialog box.

    11. Click the Save icon to save changes to the process definition.

5.3 Removing Attributes Mapped for Target Resource Reconciliation and Provisioning

Note:

You must not remove the uid, cn, password, or defaultGroup attribute. These attributes are mandatory on the target system.

The SingleValueAttributes and MultiValueAttributes properties of the AS400 User Reconciliation scheduled task contain the list of target system attributes that are mapped for reconciliation. If you want to remove an attribute mapped for reconciliation, then remove it from the list in the appropriate property.

5.4 Using the Additional Reconciliation Scheduled Tasks

In addition to the standard AS400 User Reconciliation scheduled task, the connector also includes additional tasks to assist in user reconciliation. Table 5-1 describes each of the scheduled tasks and the properties they utilize.

Table 5-1 Scheduled Tasks and Properties

Column key:

  • Last Modified: Can utilize Last Modified Time Stamp

  • LDAP TZ: Requires LDAP Time Zone

  • Users List: Can utilize Users List

  • Domain OU: Requires Domain OU

  • Store Internal: Requires Store Internal (users are reconciled to internal LDAP store)

Scheduled Task                                                 | Last Modified | LDAP TZ | Users List | Domain OU | Store Internal
---------------------------------------------------------------+---------------+---------+------------+-----------+---------------
AS400 User Reconciliation                                      | X             | X       | X          |           |
AS400 Single Connection User Reconciliation                    | X             | X       |            | X         | X
AS400 Reconcile All Changed Users                              | X             | X       |            | X         |
AS400 Delete User Reconciliation Using LDAP                    |               | X       | X          | X         | X
AS400 Delete User Reconciliation Using Oracle Identity Manager |               | X       | X          | X         |

Task descriptions:

AS400 User Reconciliation

  This task reconciles user profiles by retrieving a list of users from the target system, querying the target system for the profile of each user, and reconciling that user to Oracle Identity Manager.

AS400 Single Connection User Reconciliation

  This task reconciles user profiles by retrieving a list containing both user IDs and their profiles from the target system and stores those profiles in the internal LDAP store if needed. Then, all retrieved users are reconciled to Oracle Identity Manager.

AS400 Reconcile All Changed Users

  This task reconciles user profiles by retrieving a list of modified users from an encrypted file on the target operating system, then querying the target system for the updated user profiles, and reconciling those profiles to Oracle Identity Manager.

AS400 Delete User Reconciliation Using LDAP

  This task reconciles deleted users from the target system to the internal LDAP store and Oracle Identity Manager. Any user profiles that exist within the internal LDAP store, but not on the target system, are updated in the internal LDAP store and deleted from Oracle Identity Manager.

AS400 Delete User Reconciliation Using Oracle Identity Manager

  This task reconciles deleted users from the target system to Oracle Identity Manager. Any user profiles that exist within Oracle Identity Manager, but not on the target system, are deleted from Oracle Identity Manager.

5.5 Configuring the Connector for Multiple Installations of the Target System

Depending on your requirements, you can apply one of the following approaches to configure the connector for multiple installations of the target system:

5.5.1 Configuring One LDAP Gateway for Each Installation of the Target System

You can configure the connector for multiple installations of the target system. You can also configure the connector for a scenario in which multiple logical partitions (LPARs), which are not associated with the first LPAR, are configured in the target system.

For each installation of the target system, you create an IT resource that is configured to communicate with a single instance of the LDAP Gateway.

To configure the connector for the second installation of the target system:

Note:

Perform the same procedure for each additional installation of the target system.

  1. Create an IT resource based on the OIMLDAPGatewayResourceType IT resource type.

  2. Copy the current LDAP_INSTALL_DIR directory, including all the subdirectories, to a new location.

    Note:

    In the remaining steps of this procedure, LDAP_INSTALL_DIR refers to the newly copied directory.

  3. Open the LDAP_INSTALL_DIR/conf/as400.properties file and edit the following properties:

    • _host_=IP_ADDRESS_OR_HOST_NAME_OF_THE_MAINFRAME

    • _port_=PORT_OF_THE_SECOND_INSTANCE_OF_THE_PROVISIONING_AGENT

    • _agentPort_=PORT_OF_THE_SECOND_INSTANCE_OF_THE_RECONCILIATION_AGENT

      Note:

      The value of the _agentPort_ property must not be the same as that of the first instance if a second LPAR, which is not associated with the first LPAR, is configured in the target system. This value can be the same as the value of the idfServerPort property if you have two mainframe servers with IBM AS/400 running on each server.

5.5.2 Configuring the LDAP Gateway to Work with Multiple Installations of the Target System

You can configure a single LDAP Gateway installation to work with multiple installations of the target system. This is an alternative to setting up one LDAP Gateway for each target system installation.

To configure the LDAP Gateway to work with a second installation of the target system:

Note:

Repeat this procedure for each installation of the target system.

  1. Create a directory inside the LDAP_INSTALL_DIR directory.

  2. Create a copy of the existing as400.properties file, and place the copy inside the newly created directory.

  3. Open the newly created properties file, and set values for the _host_ and _port_ properties so that they match the values of the LPAR/Provisioning Agent on the second installation of the target system.

  4. Extract the contents of the LDAP_INSTALL_DIR/dist/idfserver.jar file.

  5. Open the beans.xml file in a text editor. This XML file is bundled in the idfserver.jar file.

  6. In the beans.xml file, create a second instance of the <bean name="As400"> element by copying and pasting it in the file itself.

  7. In the newly copied element, change the value of the name attribute from As400 to some other string. For example: <bean name="As400LPAR2">

  8. In the newly copied element, edit the properties that are specific to this installation. In the following sample code block, the name attribute, the workingDirectory property, and the configLocation property have been changed to point to the second installation; the configLocation value must be the path of the properties file that you created in Step 2:

    <bean name="As400LPAR2" singleton="true" class="com.identityforge.idfserver.backend.as400.AS400Module">
        <property name="suffix" value="dc=as400,dc=com"/>
        <property name="workingDirectory" value="../as4002"/>
        <property name="adminUserDN" value="cn=idfAs400Admin, dc=as400,dc=com"/>
        <property name="adminUserPassword" value="idfAs400Pwd"/>
        <property name="allowAnonymous" value="true"/>
        <property name="entryCacheSize" value="1000"/>
        <property name="defaultUacc" value="read"/>
        <property name="searchUsersType" value="user"/>

        <property name="schema" ref="schemas"/>
        <property name="metaBackend"><ref bean="hpbe2"/></property>

        <property name="configLocation" value="../conf/as4002.properties"/>

        <property name="agent" value="false"/>
        <property name="agentAdapters">
            <list>
                <value> </value>
            </list>
        </property>
    </bean>

  9. Add an entry for each new <bean name= . . . > element to the backends list of the NEXUS bean element, which processes commands. The value of the bean attribute in the <ref> element must match the name attribute of the new bean exactly; bean names are case-sensitive. In the following example, the last <ref> entry is the one added for the second installation:

    <property name="backends">
        <list>
            <ref bean="hpbe2"/>
            <!-- <ref bean="racf"/> -->
            <!-- <ref bean="tops"/> -->
            <!-- <ref bean="acf2"/> -->
            <ref bean="as400"/>
            <ref bean="As400LPAR2"/>
        </list>
    </property>

  10. Save the beans.xml file, and then re-create the idfserver.jar.

Note:

If you configure the connector for trusted source reconciliation, then trusted source reconciliation must be set to true on all installations that connect to the same LDAP Gateway. Otherwise, the connector fails.
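The edit in Section 5.5.2 fails silently at the wrong place if the name attribute of the new bean (Step 8) and the bean attribute of its <ref> entry in the backends list (Step 9) do not match character for character, or if two AS400 backend beans end up pointing at the same properties file. The following checker is an added example and is not part of the connector or of the Oracle documentation; it assumes only the beans.xml layout shown above (bean elements with a name attribute, and a property named backends holding a list of ref elements). The embedded beans.xml is a constructed sample, and the class names com.example.MetaBackend and com.example.Nexus are placeholders.

```python
"""Consistency check for the LDAP Gateway beans.xml after adding a second
AS400 backend. Added example; not part of the connector or its documentation."""
import xml.etree.ElementTree as ET

AS400_MODULE = "com.identityforge.idfserver.backend.as400.AS400Module"

# Constructed sample, modelled on the fragments shown in Steps 8 and 9.
# The second bean deliberately carries a stray space and a case mismatch
# between its name and its <ref> so that the checker has something to report.
# com.example.* class names are placeholders, not real connector classes.
SAMPLE_BEANS_XML = """<beans>
  <bean name="hpbe2" class="com.example.MetaBackend"/>
  <bean name="as400" singleton="true"
        class="com.identityforge.idfserver.backend.as400.AS400Module">
    <property name="workingDirectory" value="../as400"/>
    <property name="configLocation" value="../conf/as400.properties"/>
  </bean>
  <bean name=" As400LPAR2" singleton="true"
        class="com.identityforge.idfserver.backend.as400.AS400Module">
    <property name="workingDirectory" value="../as4002"/>
    <property name="configLocation" value="../conf/as4002.properties"/>
  </bean>
  <bean name="nexus" class="com.example.Nexus">
    <property name="backends">
      <list>
        <ref bean="hpbe2"/>
        <ref bean="as400"/>
        <ref bean="as400LPAR2"/>
      </list>
    </property>
  </bean>
</beans>
"""


def property_value(bean, prop_name):
    """Return the value attribute of <property name=prop_name> under bean, or None."""
    for prop in bean.findall("property"):
        if prop.get("name") == prop_name:
            return prop.get("value")
    return None


def check_beans(xml_text):
    """Return a list of human-readable problems; an empty list means consistent."""
    root = ET.fromstring(xml_text)
    problems = []

    # 1. Collect every bean by its exact name (bean names are case-sensitive).
    beans = {}
    for bean in root.iter("bean"):
        name = bean.get("name")
        if name is None:
            continue
        if name != name.strip():
            problems.append(f"bean name {name!r} has leading or trailing whitespace")
        beans[name] = bean

    # 2. Every <ref bean=...> in a backends list must name a defined bean.
    backend_refs = []
    for prop in root.iter("property"):
        if prop.get("name") == "backends":
            backend_refs.extend(ref.get("bean") for ref in prop.iter("ref"))
    for ref in backend_refs:
        if ref not in beans:
            problems.append(f"backends list references undefined bean {ref!r}")

    # 3. Every AS400 backend bean must be listed in backends, and must have
    #    its own configLocation so two installations never share one file.
    seen_config = {}
    for name, bean in beans.items():
        if bean.get("class") != AS400_MODULE:
            continue
        if name not in backend_refs:
            problems.append(f"AS400 bean {name!r} is not listed in the backends list")
        config = property_value(bean, "configLocation")
        if config is None:
            problems.append(f"AS400 bean {name!r} has no configLocation")
        elif config in seen_config:
            problems.append(f"AS400 beans {seen_config[config]!r} and {name!r} "
                            f"share configLocation {config!r}")
        else:
            seen_config[config] = name
    return problems


def corrected_sample():
    """The same constructed document with the bean name fixed to match its <ref>."""
    return SAMPLE_BEANS_XML.replace('name=" As400LPAR2"', 'name="as400LPAR2"')


if __name__ == "__main__":
    for line in check_beans(SAMPLE_BEANS_XML):
        print("PROBLEM:", line)
    print("corrected sample problems:", check_beans(corrected_sample()))
```

Run check_beans on the beans.xml extracted from idfserver.jar (Step 5) before re-creating the jar in Step 10; the sample reports the whitespace in the name, the undefined reference as400LPAR2, and the unlisted AS400 bean, while the corrected copy reports nothing.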