You can install the LDAP gateway on Windows and Linux platforms.
The following topics describe the system requirements, LDAP gateway concepts, and procedures to install and configure the LDAP gateway:
These are the recommended system requirements that are designed to give you optimal system performance from the LDAP gateway.
license.lic
) available in the connector installation media.If you do not have Java, the installer will redirect you to the Oracle website to install Java. Re-run the LDAP Gateway installer once Java is installed.
An encryption.properties
file exists in the conf/
directory. This file allows the ability to configure what properties associated with connectors should be managed as encrypted values.
file.customer-configuration=adminUserPassword,altAdminUserPassword
This example defines that there exists a properties file called customer-configuration.properties
that contains the sensitive properties adminUserPassword
and altAdminPassword
. This definition is consumed when the gateway first starts up. If the property file exists on the disk, the gateway searches for that property file and replaces any cleartext values in those properties with an encrypted version.
It is similar to connector definitions. For example, for the CA ACF2 connector, class.ACF2Module=_SecretKeyValue_
defines that there exists a connector called ACF2Module whose associated property files contain the sensitive property of _SecretKeyValue_
that needs to be secured by the gateway.
When the gateway starts, it uses the encryption.properties
file to examine the properties that need to be represented in their encrypted format. Encrypted values within property fields are always represented using the format - ENC(<ENCRYPTED STRING>). To add or replace an existing encrypted value with a new value, replace the entire encryption string if present (including the ENC()
) with a new clear text value, and then restart the gateway. Once the gateway restarts, the newly added clear text value goes through an encryption process with the result being written back out to the property file replacing the original clear text value.
During the encryption process, the encryption framework used by the gateway automatically detects the highest level of encryption possible by examining the version of the Java Virtual Machine running along with any additional encryption libraries that may have been installed alongside the JVM. By default, Java 1,8 support 128-bit AES encryption and Java 1.7 support 40-bit AES encryption. Additional encryption libraries by BouncyCastle can be installed into the JVM allowing for up to 256-bit AES encryption.
The encryption process in the gateway also allows for automatic migration of encryption values from a lower bit strength to a higher strength as it becomes available. For example, if the gateway is initially deployed on a system running Java 1.7 with 40-bit AES and that system is upgraded to Java 1.8 running 128-bit AES, then upon the next restart of the gateway, all encrypted values remaining at the 40-bit AES level are automatically re-encrypted at the higher 128-bit and stored back out in the property files. This process eliminates the need to manually replace the values in every property file in order to take advantage of the higher bit strength.
The private key located in the idf.properties
file is used for all the encryption and decryption performed by the gateway. It is recommended that access should be restricted to this file.
Note:
Once the gateway is deployed and started up for the first time, the value of the autogenerated encryption key in theidf.properties
file should not be changed. However, the file name and its location can be easily changed. For example, to store the idf.properties file to a more secure location, the default location (where the gateway resides) can be overridden and defined as system.idfprops.filepath=<absolute path of the new file>
in the customer-configuration.properties
file.A Caching layer is a temporary storage area where frequently accessed data is stored for rapid access.
The IDF LDAP Gateway features an optional and configurable caching layer.
An expiration policy defines the time dependency for the cached resource. For example, the cachingMaxAge
parameter specifies the maximum time in minutes when the data is not in sync with the target systems. You can pair the caching layer with a real-time reconciliation or with a scheduled reconciliation to maintain the most recently updated data in the caching layer. This improves the performance of the LDAP Gateway. The caching layer also opens the LDAP Gateway up to more advanced features defined by the LDAPv3 RFC.
Note:
In an environment where the items noted above may not be required, the caching layer can be turned off entirely by setting thecnctr.coreBean.nexus.cachingEnabled=false
in the customer-configuration.properties
.The LDAP Gateway can suffer a performance penalty when all of the following conditions are met:
ou=People
Performing an LDAP search operation against such adapters to retrieve the children of an Organization Unit returns only DNs (along with RDN components).
cachingIterateBehavior
property remains set to the default of AUTO
and not overwritten within the customer-configuration.properties
file.In this case, an LDAP search operation initially retrieves the list of results, containing only DN and RDN values. The LDAP Gateway caching layer then iterates through each result, fetching and caching the details from the target Adapter. Finally, the full set of results will be returned to the LDAP client.
Note:
Scheduled Reconciliation allows for establishing a periodic synchronization between the Identity Store associated with the LDAP Gateway and that is represented by a target system reachable by way of a connector.
dist/scheduled-recon.jar
) is a tool that ships with the IdentityForge LDAP Gateway. It provides the ability to perform a full recon against a configurable target system, placing the results in the Gateway's internal identity store.
For connectors that already support reconciliation against the Internal identity store such as ACF2.
For connectors that do not support reconciliation, the connectors rely solely on the Scheduled Recon Utility for both scheduling and providing the capabilities necessary to simulate a traditional batch recon process.
An example properties file that defines the reconciliation setup and behavior - scheduledrecon.properties.example
- is provided in the conf/
folder.
Configuration
An example properties file, scheduled-recon.properties.example
file that defines the reconciliation setup and behavior is available at (…/IDFLDAPGateway-6/conf/… folder
). Use this file to configure the scheduled recon. Create a scheduled-recon.properties
file in the conf folder and copy all the settings from the scheduled-recon.properties.example
file. A scheduled-recon.properties
file containing the configuration details for the recon operation can be provided via the -h
argument.
A batch file called run-recon.bat
located in the “bin” folder can be used to start the scheduled recon utility. The basic command structure for executing this batch file is as follows:
…\ldapgateway6\bin>run-recon.bat -l "warning" <location of the log file> -p "D:\ldapgateway6\conf\scheduled-recon.properties”.
Execute the run-recon.bat
with a minimum set of arguments passed in. For example,
Grammar is necessary for properly parsing user and group listings that come into the gateway from the mainframe agent during search requests and reconciliation events.
The grammar represents line-by-line parsing instructions that convert the semi-structured textual data into LDAP attributes and their respective values. Each line (ending in CRLF) of the listing received from the agent can be represented by an individual grammar definition and specified in the grammar file. The grammar file is present in the <conf/parser-grammar/ >
folder.
PIONEER PIONEER VPIONEER-STC CLIENT() COMPANY() DEPT() GRP() LEVEL() LOCATION() PROFILE() REGION() SBCLIENT() PRIVILEGES ACCOUNT SECURITY STC ACCESS ACC-CNT(0) ACC-DATE(00/00/00) ACC-TIME(00:00) PASSWORD KERB-VIO(0) KERBCURV() PSWA1TOD(00/00/00-00:00) PSWD-DAT(00/00/00) PSWD-INV(0) PSWD-TOD(00/00/00-00:00) PSWD-VIO(0) PSWDCVIO(0) PWP-DATE(00/00/00) PWP-VIO(0) TPXPROF() TSO DFT-PFX(PIONEER) STATISTICS CRE-TOD(05/17/18-00:13) SEC-VIO(0) UPD-TOD(05/17/18-00:13) RESTRICTIONS PREFIX(PIONEER) UXHOLD5()
Using the above listing, if you want to parse out the KERB-VIO value from the listing and assign it to an LDAP attribute called “kerbvio”, the following <Line> element can be constructed in the grammar file.
<Line id=”kerbvioVal” enabled=”yes” sig=”[ ]*KERB-VIO = (?<kerbvio>.*)"/>
The signature attribute (sig) in the Line element above is a regex that represents the rules for pulling out the value and assigning it to an LDAP attribute. Regex named groups are used as the convention for assigning the discovered values to LDAP attributes exposed through the connector.
The following table lists the attributes of a line element. The allowed values for these attributes are yes or no.
String | Definition |
---|---|
id | Unique ID that is given to the Line definition. Used primarily for internal referencing purposes, such as with the 'dependson' attribute Values Allowed: [any] Behavior: Required |
enabled | Specifies whether the Line is eligible for participating in the Parsing process. This flag is used mainly to allow the customers to override files (turn off lines). Behavior: Optional Defaults to: yes |
signature | Defines the rules for what values are to be extracted for each line of the listing and which LDAP attribute(s) should be assigned the values. Behavior: Required |
required | Defines if an attribute is required or not. Default to: yes |
multiline_sig | An optional regex expression to define the signature of a follow-on line that could represent whether the value was wrapped around two additional lines in the document Values Allowed: [any valid regex containing attribute matching key and attribute name]. Behavior: Optional Defaults to: empty value |
repeats | Represents whether the line can show up multiple times in the document. If set to "no", once the line is found, this Line definition is not evaluated again for the rest of the document. Behavior: Optional Defaults to: No |
overflow | Represents whether data for an associated attribute can overflow to next line. In case of an overflow, the final value of an attribute will be derived by concatenating all values. Behavior: Optional Defaults to: No |
multivalue_parser | An optional regex expression that defines how the found values are to be parsed out and turned into a multivalued list, such as using '(\S+)' to parse values that are space delimited. Values Allowed: [any valid regex ] Behavior: Optional Defaults to: empty value |
applyCompositeRef | An optional comma separated list of composite attributes to be built immediately after processing the line. Each value in the comma separated list should correspond to the "id" attribute of a CompositeAttribute definition. |
defaultvalue | Defines the default value for an attribute. If this line does not match with any line of input, then this default value will be assigned to attribute. Behavior: Optional |
Customizing Grammar Rules
The grammar file with the default grammar is present in the conf folder. It parses user and group listings that come into the gateway from the mainframe agent during search requests and reconciliation events. You can apply new grammar rules to append to or override rules that come out of the box. To define new grammar rules or override the existing rules, create a grammar file parser-grammars.cust
file in the <conf/parser-grammar/ >
folder.
Note:
If the Id of the existing attribute matches with the attribute in the grammar line, it overrides the existing grammar definition.
If the Id of the existing attribute does not match with the attribute in the grammar line, it creates a new grammar definition.
The parser-grammars.cust
grammar file must be at the same location where the parser-grammars
file.
The name of the grammar file must be the same except the cust
extension.
For the grammar definitions to override, the ID attribute from both the files should match.
Nomenclature of the parsing grammar files
Each grammar file is named for the type of operation and listing it is responsible for parsing.
For example, for ACF2:
acf2_FindAllUsers.xml
– fetches the IDs of all users.
acf2_FindUserById.xml
– fetches all the details of a single user (for the given ID).
Overriding default existing grammar definitions
The grammar definitions specified in the grammar file parser-grammars.cust override the default grammar definitions specified in the property files. To enable overriding of the particular line, the ID attribute in the custom provided attribute should match with the default grammar definition.
<Protocol><Lines> <Line id="elId" enabled="yes" sig="[ ]*ELID[ ]*=[ ]*(?<ELID>.*)"/> </Lines>/Lines>
<Protocol><Lines> <Line id="elId" enabled="no" sig="[ ]*ELID[ ]*=[ ]*(?<ELID>.*)"/> </Lines></Protocol>
New grammar definitions
parser-grammars.cust
. For example, the following grammar definition is used to get values of DEPT_ACID=001 DEPT_NAME=hr
.
<Protocol><Lines> ="deptAcid" enabled="yes" sig="[ ]*DEPT_ACID[ ]*=[ ]*(?<deptacid>.*?) [ ]*DEPT_NAME[ ]*=[ ]*(?<department>.*)" /> </Lines></Protocol>
These are the files and directories that comprise the LDAP Gateway.
Table 3-1 Files and Directories that Comprise the Gateway
Files and Directories | Description |
---|---|
bin | The bin/ folder contains run scripts for the components of the LDAP Gateway:
|
conf | The conf/ folder contains the files required to configure a connector. For example,
|
dist | The dist/ folder contains the distributable JAR files. For example:
|
dsroot | The dsroot/ folder contains configuration files and data related to our Embedded DS persistence layer. |
logs | The logs/ folder contains all the audit logs of the transactions. |
schema | The schema/ folder contains files that determine the attributes types supported by the LDAP Gateway. |
Install the LDAP Gateway on Windows and Linux platforms.
Note:
During installation of the LDAP Gateway, if a previous installation is detected, you can either upgrade or continue with the fresh installation. If you plan to upgrade, ensure to perform the following preupgrade steps:Configure the LDAP gateway to connector to the target system and access the data.
Note:
The following procedures are for a fresh installation only. If you already have a running setup or if you want to upgrade, then you do not have to perform these procedures.To allow IDF Gateway to work with a target system, it must be configured for the type of connector and its related parameters for the operations.
customer-configuration.properties
file from the conf/
folder in a text editor to configure the connectors. Copy the connector specific configurations to this file.
Refer to the customer-configuration.properties.example
file from the conf/
folder to get the connector specific configuration properties. Each connector comes with an example configuration that can be found in the customer-configuration.properties.example
file. Find the connector definition that you want to turn on and copy that definition in the customer-configuration.properties
file.
For more information and example settings, see the customer-configuration.properties
file.
cnctr.acf2.class=com.identityforge.idfserver.backend.acf2.Acf2Module cnctr.acf2.acf21.schema=schemas cnctr.acf2.acf21.suffix=dc=acf2,dc=com cnctr.acf2.acf21.adminUserDN=cn=idfAcf2Admin,dc=acf2,dc=com cnctr.acf2.acf21.adminUserPassword=idfAcf2Pwd cnctr.acf2.acf21.altAdminUserDN=cn=oimAcf2Admin,dc=acf2,dc=com cnctr.acf2.acf21.altAdminUserPassword=oimAcf2Pwd cnctr.acf2.acf21.configLocation=../conf/acf2.properties cnctr.acf2.acf21.allowAnonymous=false cnctr.acf2.acf21.metaBackend=ldapds cnctr.acf2.acf21.agent=true cnctr.acf2.acf21.people.multiCallAttributes=userpassword,revoke,revoked,revoke|revokeDate,userpassword|userpassword,userpassword|passwordexpire
customer-configuration.properties
file if it is not already there: cnctr.coreBean.nexus.cachingEnabled = false
Note:
This step is mandatory. Otherwise, the cache can become stale and any ACF2 Reconcile All Users Task in Oracle Identity Manager will not be able to reconcile data from the ACF2 target system.Modify the system admnistrator credentials to authenticate access with the Gateway.
Note:
Sensitive data is automatically encrypted when the LDAP Gateway starts. For more information, see About Encrypting Data.conf/customer-configuration.properties
in an editor and set values for the following:
cnctr.<foo>.<foo>1.adminUserDN=cn=idf<Foo>Admin,dc=<foo>,dc=com
cnctr.<foo>.<foo>1.adminUserPassword=idf<Foo>Pwd
Note:
<foo>
and <Foo>
with connector specific values. For example, replace <foo>
with acf2 and <Foo>
with Acf2 for the ACF2 connector.adminUserDn
, it is mandatory to use cn
as the RDN identifier.customer-configuration.properties
file, make sure you restart the LDAP Gateway Server to have the changes take effect.For example, the required format for ACF2 is: cn=adminId,dc=acf2,dc=com
(the dc=acf2,dc=com
must match the suffix property).
The same type of connector can be instantiated multiple times to represent multiple different endpoints of the same target system. This is, in addition, to the gateway supporting the ability to run various kinds of connectors within a single gateway instance.
It is assumed that you have already configured a single instance of your connector and wish to configure an additional instance. For more information on configuring the LDAP Gateway with a single connector, see Configuring the LDAP Gateway.
To configure the LDAP Gateway with multiple connectors, do the following:
customer-configuration.properties
file located in the conf/
folder for editing.customer-configuration.properties.example
file to the conf/customer-configuration.properties file.
For example, copy the following snippet to the /conf/customer-configuration.properties
file:
cnctr.<foo>.class=com.identityforge.idfserver.backend.<foo>.<Foo>Module cnctr.<foo>.<foo>1.schema=schemas cnctr.<foo>.<foo>1.suffix=dc=<foo>,dc=com cnctr.<foo>.<foo>1.adminUserDN=cn=idf<Foo>Admin,dc=<foo>,dc=com cnctr.<foo>.<foo>1.adminUserPassword=idf<Foo>Pwd cnctr.<foo>.<foo>1.altAdminUserDN=cn=oim<Foo>Admin,dc=<foo>,dc=com cnctr.<foo>.<foo>1.altAdminUserPassword=testpass cnctr.<foo>.<foo>1.configLocation=../conf/<foo>.properties cnctr.<foo>.<foo>1.allowAnonymous=false cnctr.<foo>.<foo>1.defaultUacc=read cnctr.<foo>.<foo>1.metaBackend=ldapds cnctr.<foo>.<foo>1.agent=true
Note:
Replace the term<foo>
and <Foo>
with connector specific values. For example, for ACF2 replace <foo>
with acf2 and <Foo>
with Acf2. For more information, see the customer-configuration.properties.example
file located in the <LDAP_INSTALL_DIR>/ldapgateway/conf/
directory../conf/customer-configuration.properties
file, rename the instance ID for the pasted entries if the connector is already defined. For example, rename acf21
to acf22
.adminUserPassword
- change this for security reasons.suffix
- represents a unique baseDN. For example, dc=<foo>dev,dc=com
.adminUserDN
- full DN of the administrative user account that can use the connector for performing reconciliation and provisioning operations. DN suffix must match the value supplied for suffix
.altAdminUserDN
- DN suffix must match the value supplied for suffix
.configLocation
- location of the connector property file - e.g. conf/<foo>.properties
. If the intent is to point these two connector instances to different target systems, the configLocation
param should point to a different connector properties file for each connector instance. The new properties file can be a copy of the original properties file with changes in the necessary properties to point to the new system.customer-configuration.properties
file after the configurations are defined.You can override the default system configurations for serveral reasons. For example, you may want to change the default passwords for the system backend persistence store or change the listening port when the default collides with another service or when the policies of the company require using a different port.
configuration.properties
file (located in the conf/
folder) and copy it to customer-configuration.properties
file and provide a new value.
Note:
Not all properties can be modified and must be done in consultation with Support.To change the default system backend passwords, open the customer-configuration.properties
file (located in the conf/
folder) and specify values for the following entries:
cnctr.proxy.ldapds.adminUserPassword=<admin-password> cnctr.proxy.ldapds.altAdminUserPassword=<alt-admin-password>
In the preceding snippet, replace <admin-password> with the desired password and <alt-admin-password> with the desired alternative password for accessing the system backend (dc=system,dc=backend
).
To change the default port, open the customer-configuration.properties
file (located in the conf/
folder) and specify values for the following entries:
system.port=6389 system.ssl_port=7389
Replace 6389 with the desired listening port for LDAP and 7389 with the desired port for LDAPS.
Note:
conf/configuration.properties
can be re-defined in conf/customer-configuration.properties
. Copy the value from conf/configuration.properties
to conf/customer-configuration.properties
and modify the value accordingly.conf/configuration.properties
directly as it will be overwritten when upgrading.acf2.properties
file in the conf folder by renaming the acf2.properties.example
file located inside the <LDAP_INSTALL_DIR>/ldapgateway/conf>
folder.acf2.properties
file. Edit, specify, and verify that the host, port, user credentials, and other properties are correctly updated to match your environment: The following properties can be configured:
Host – Host name or IP address to connect to the Pioneer Agent. For example, _host_=localhost
.
Port – Enter the number of the port on the mainframe that you are going to reserve for the Provisioning Agent. The LDAP Gateway will send provisioning messages to this port. This value should match the PORT parameter specified in the Pioneer provisioning agent STC. For example, _port_=5790
.
Note:
_defaultDelete_=revoke
._defaultDelete_=delete
._secretKeyValue_=
._agentport_=5791
.stcID - This property allows the real-time agent to ignore events that have been submitted to the target system by the Pioneer STC (such as by request from Oracle Identity Manager). For example, _stcID_=PIONEERN
.
internalEnt - This property is used to allow the real-time agent to store users in the LDAP internal store. Values are true or false.
_domainOu=acf2
.
Note:
ACF2 now supports a new OU called ResourceXRef. It represents the secondary Auth Ids that users can be included and excluded from. The new LDAP attributes represent assignment: "includeids", "includedns", "excludeids", and "excludedns". All these attributes can be used to add and remove users to and from. There must exist at least one include user. However, exclusions can be an empty list.Note:
For example, username=<Acf2 User>
and credentials.password=<Password>
errormsg-sig-file=
.
Define an error message signature XML file that contains new error message signatures # (or overrides existing error message signatures by specifying the same id). # #The format of the file should follow # <Signatures> # <Signature id="[unique id]" regex="[regex]" enabled="yes|no"> # <!-- Optional Exceptions to reduce false positives --> # <Exception regex="[regex]"/> # : # </Signature> # : # </Signatures> # # Value: File path (relative to the folder where the gateway was executed in) errormsg-sig-file=
_nameFormat_=fn|sp|ln
.To specify the components of the format:
fn
to represent the first name.sp
to represent the space character.ln
to represent the last name.The Windows Service for the LDAP Gateway is installed with a supplied IdentityForge batch file.
The Windows Service installer uses the Apache Procrun utility prunsrv.exe
to create a fully managed Windows Service for the LDAP Gateway. For more information about Procrun, see http://commons.apache.org/proper/commons-daemon/procrun.html.
cmd
).IDF_Win_Service install
in the win_service/
directory.> net start IdentityForgeService > net stop IdentityForgeService
Note:
If there are any problems with the installation of the service from the batch file, uncomment theCG_PATH_TO_JVM
variable and ensure that the path is accurate.
> rem -- 7. Set this if you want to use a different JVM than the one configured in your registry, or if it is not configured in the windows registry > rem set CG_PATH_TO_JVM=C:\Program Files\Java\jre7\bin\server\jvm.dll
If any modifications are required, it is recommended to uninstall the service, make the modifications, and then re-install the service until it installs and runs correctly.
cmd
)IDF_Win_Service remove
in the win_service/
directory.You can configure the memory pool size for the Windows service by setting values for the CG_JVMMS
and CG_JVMMX
variables in the LDAP_INSTALL_DIR/win_service/IDF-Win-Service.bat
file.
CG_JVMMS
and CG_JVMMX
variables are set to 1024 MB and 2048 MB, respectively. If the LDAP gateway processes a large number of records, then you might encounter the "Out of memory" exception. In such a scenario, you can allocate higher memory for your Windows service by increasing the values of the CG_JVMMS
and CG_JVMMX
variables.run.bat
script on Windows or run.sh
on Linux.The LDAP Gateway begins its startup sequence and eventually displays a banner representing the version of the gateway. This banner symbolizes that the gateway is now ready to receive LDAP requests.
User DN: cn=Directory Manager,dc=system,dc=backend
Password: testpass