5 Using the Connector

You can use the connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.

Guidelines on Using the Connector

These are the guidelines that you apply while using the connector.

  • The subpool and the LDAP Gateway must be started before starting the Reconciliation Agent. If the LDAP Gateway is not available when the Reconciliation Agent is started, then an error is generated with RETCODE=-01 and ERRORNO=61.

  • The connector can accept and transmit any non-ASCII data to the mainframe, but the mainframe does not accept non-ASCII characters. As a result, any task that requires non-ASCII data transfer fails. In addition, there is no provision in the connector to indicate that the task has failed or that an error has occurred on the mainframe. To avoid errors of this type, you must exercise caution when providing inputs to the connector for the target system, especially when using a regional language interface.

  • Passwords used on the mainframe must conform to stringent rules related to passwords on mainframes. These passwords are also subject to restrictions imposed by corporate policies and rules about mainframe passwords. Keep in mind these requirements when you create or modify target system user profiles through provisioning operations on Oracle Identity Manager.

Performing Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation.

The ACF2 Reconcile All Users scheduled task performs full reconciliation. When you configure this scheduled task, it runs at specified intervals and fetches create and modify events on the target system for reconciliation.

To configure the Reconcile All Users scheduled task:

  1. Log in to the Oracle Identity Manager Administrative and User Console.
  2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
  3. Search for and open the scheduled task as follows:
    1. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.
    2. On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
    3. In the search results table on the left pane, click the scheduled job in the Job Name column.
  4. Modify the details of the scheduled task as follows:
    1. On the Job Details tab, modify the following parameters:

      Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

      Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

      See Also:

      Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about schedule types
      In addition to modifying the job details, you can enable or disable a job.
  5. Specify values for the attributes of the scheduled task as follows:

    Note:

    Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
    On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task. Table 5-1 describes the attributes of the scheduled task.

    Table 5-1 Attributes of the Reconcile All Users Scheduled Task

    Attribute Description

    IT Resource

    Enter the name of the IT resource that was configured for the target system.

    Sample value: Acf2Resource

    Resource Object

    Enter the name of the resource object against which reconciliation runs must be performed.

    Sample value: OIMAcf2ResourceObject

    MultiValuedAttributes

    Enter a comma-separated list of multivalued attributes that you want to reconcile. Do not include a space after each comma.

    Sample value: privileges

    SingleValueAttributes

    Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValueAttributes field.

    Sample value: uid,owner,defaultGroup,waddr1,tsoMaxSize

    Note: By default, the design form of Oracle Identity Manager allows entering only up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in the Oracle Identity Manager database.

    Tso Attributes

Enter a comma-separated list of TSO attributes of type string. Do not include a space after each comma.

    Sample value: tsoDftPfx,tsoAcctNum,tsoProc,tsoSize,tsoRba

    TsoBooleanAttributes

    Enter a comma-separated list of TSO Boolean attributes. Do not include a space after each comma.

    Sample value: tsoMail,tsoAcctPriv,tsoAllCmds,tsoJcl,tsoWtp,tsoFscrn,tsoMount

    TsoLgnBooleanAttributes

    Enter a comma-separated list of TSO LOGON Boolean attributes. Do not include a space after each comma.

    Sample value: tsoLgnAcct,tsoLgnMsg,tsoLgnPerf,tsoLgnProc,tsoLgnTime,tsoLgnRcvr

    UsersList

    Enter a comma-separated list of user IDs to be reconciled.

    Note: This attribute is optional. If you do not enter any user IDs, then the connector performs full reconciliation.

    Sample value: testusr1,testusr2,testusr3

    UID Case

Enter lower if the user IDs of the reconciled OIM accounts should be in lowercase; otherwise, enter upper.

    Sample value: lower

  6. After specifying the attributes, click Apply to save the changes.

    Note:

For information about the Stop Execution option, see the Oracle Fusion Middleware User's Guide for Oracle Identity Manager. You can use the Scheduler Status page to start, stop, or reinitialize the scheduler.

Performing Filtered (Limited) Reconciliation

You can perform limited reconciliation by creating filters for the reconciliation module, and reconcile records from the target system based on a specified filter criterion.

You might have created multiple resource objects to represent multiple user types in your organization. You use the Resource Object attribute of the Reconcile All Users scheduled task to specify the resource object that you want to use during reconciliation. You can enter more than one resource object in the value of the Resource Object property. In addition, you can include CA ACF2 attribute-value pairs to filter records for each resource object.

See Also:

Performing Full Reconciliation for information about the Reconcile All Users scheduled task

The following is a sample format of the value for the Resource Object property:

(ATTRIBUTE1:VALUE1)RESOURCE_OBJECT1,RESOURCE_OBJECT2

As shown in the sample format, specifying a filter attribute is optional, but if more than one resource object is specified, you must specify a filter for each additional resource object. If you do not specify a filter attribute, then all records are reconciled to the first resource object. Further, the filters are checked in order, so the resource object without a filter attribute should be included last in the list.

Filter attributes should be surrounded by parentheses.

Apply the following guidelines while specifying a value for the Resource Object attribute:
  • The names of the resource objects must be the same as the names that you specified while creating the resource objects by using the Design Console.

  • The CA ACF2 attribute names must be the same as the names used in the LDAP Gateway configuration files.

    See Also:

    Installing and Configuring the LDAP Gateway for information about the LDAP Gateway configuration files.
  • The value must be a regular expression as defined in the java.util.regex Java package. Note that the matcher's find method is used rather than the matches method, so the pattern only needs to match a substring of the attribute value rather than the entire string.

  • Substring matching is case-sensitive. A "(tso)" filter will not match a user with the user ID "TSOUSER1".

  • Multiple values can be matched. Use a vertical bar (|) for a separator as shown in the following example:

    (ATTRIBUTE:VALUE1|VALUE2|VALUE3)RESOURCE_OBJECT

  • Multiple filters can be applied to the attribute and to the same resource object. For example:

    (ATTRIBUTE1:VALUE1)&(ATTRIBUTE2:VALUE2)RESOURCE_OBJECT

The following is a sample value for the Resource Object attribute:

(tsoProc:X)ACF2R01,(active:value1|value2|value3)ACF2ResourceObject2,(tso)ACF2ResourceObject24000,Resource

In this sample value:
  • (tsoProc:X)ACF2R01 represents a user with X as the attribute value for the TSO Proc segment. Records that meet this criterion are reconciled with the ACF2R01 resource object.

  • (active:value1|value2|value3)ACF2ResourceObject2 represents a user with value1, value2, or value3 as their active date. Records that meet this criterion are reconciled with the ACF2ResourceObject2 resource object.

  • (tso)ACF2ResourceObject24000 represents a user with TSO privileges. A TSO attribute value is not specified. Records that meet this criterion are reconciled with the ACF2ResourceObject24000 resource object.

  • All other records are reconciled with the Resource resource object.
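The filter evaluation described above, as an added illustration that is not the connector's own code: the parser reads the documented `(ATTR:REGEX)&(ATTR2:REGEX2)RESOURCE_OBJECT,...` format, applies each pattern with Python's `re.search()` (the same substring, case-sensitive semantics as Java's `Matcher.find()`), and checks the entries in order, which is why a catch-all entry listed first swallows every record. It assumes filter patterns contain no commas or closing parentheses and reads the bare `(tso)` form as "attribute present with a non-empty value".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample value in the documented format (not a live configuration).
RESOURCE_OBJECT_VALUE = (
    "(tsoProc:X)ACF2R01,"
    "(active:value1|value2|value3)ACF2ResourceObject2,"
    "(tso)ACF2ResourceObject24000,"
    "Resource"
)


@dataclass
class Rule:
    resource_object: str
    # (attribute, regex) pairs joined by '&'; regex is None for the bare '(tso)' form
    filters: List[Tuple[str, Optional[str]]] = field(default_factory=list)


def parse_resource_object_value(value: str) -> List[Rule]:
    """Parse '(ATTR:REGEX)&(ATTR2:REGEX2)RESOURCE_OBJECT,...' into ordered rules.
    Assumption not stated on the page: filter patterns contain no ',' or ')'."""
    rules: List[Rule] = []
    for entry in value.split(","):
        entry = entry.strip()
        filters: List[Tuple[str, Optional[str]]] = []
        while entry.startswith("("):
            close = entry.index(")")
            attr, sep, pattern = entry[1:close].partition(":")
            filters.append((attr, pattern if sep else None))
            entry = entry[close + 1:]
            if entry.startswith("&"):
                entry = entry[1:]
        if not entry:
            raise ValueError("filter is not followed by a resource object name")
        rules.append(Rule(entry, filters))
    return rules


def filter_matches(record: dict, attr: str, pattern: Optional[str]) -> bool:
    values = record.get(attr)
    if values is None:
        return False
    if isinstance(values, str):
        values = [values]
    if pattern is None:
        # '(tso)' form: attribute present with a non-empty value
        # (assumed reading of the page's example).
        return any(v != "" for v in values)
    # Java Matcher.find() == Python re.search(): case-sensitive substring match.
    return any(re.search(pattern, v) for v in values)


def assign_resource_object(record: dict, rules: List[Rule]) -> Optional[str]:
    # Rules are checked in order; the first whose filters all match wins. An entry
    # without filters matches every record, so listed first it swallows them all.
    for rule in rules:
        if all(filter_matches(record, a, p) for a, p in rule.filters):
            return rule.resource_object
    return None


if __name__ == "__main__":
    rules = parse_resource_object_value(RESOURCE_OBJECT_VALUE)
    sample = {"uid": "USR3", "tso": "Y"}  # constructed record with TSO, no tsoProc
    print(assign_resource_object(sample, rules))  # ACF2ResourceObject24000
    swapped = parse_resource_object_value("Resource,(tso)ACF2ResourceObject24000")
    print(assign_resource_object(sample, swapped))  # Resource: catch-all listed first
```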

Reconciling Internal LDAP Users to Oracle Identity Manager

The ACF2 Reconcile LDAP Users scheduled task allows the administrator to reconcile users from the internal LDAP store to Oracle Identity Manager.

When you configure this scheduled task, it runs at specified intervals and fetches a list of users within the internal LDAP store and reconciles these users to Oracle Identity Manager.

To configure the Reconcile LDAP Users to OIM scheduled task:

  1. Log in to the Oracle Identity Manager Administrative and User Console.
  2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
  3. Search for and open the scheduled task as follows:
    1. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.
    2. On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
    3. In the search results table on the left pane, click the scheduled job in the Job Name column.
  4. Modify the following parameters of the scheduled task on the Job Details tab as follows:
    Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
    Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

    Note:

    See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.
    In addition to modifying the job details, you can enable or disable a job.
  5. Specify values for the attributes of the scheduled task as follows:

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    Table 5-2 describes the attributes of the scheduled task.

    Table 5-2 Attributes of the Reconcile LDAP Users Scheduled Task

    Attribute Description

    IT Resource

    Enter the name of the IT resource that was configured for the target system.

    Sample value: Acf2Resource

    Resource Object

    Enter the name of the resource object against which the delete reconciliation runs must be performed.

    Sample value: OIMAcf2ResourceObject

    Domain OU

    Enter the name of the internally-configured directory in the LDAP where the contents of event changes will be stored.

    Sample value: acf2

    MultiValuedAttributes

    Enter a comma-separated list of multi-valued attributes that you want to reconcile. Do not include a space after each comma.

    Sample value: privileges

    SingleValueAttributes

    Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValueAttributes field.

    Sample value: uid,owner,defaultGroup,waddr1,tsoMaxSize

    Note: By default, Oracle Identity Manager's design form only allows entering up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in the Oracle Identity Manager database.

    LDAP Time Zone

    Enter the time zone ID for the server on which the LDAP gateway is hosted.

    Sample value: EST, IST

    UID Case

    Enter whether the user ID should be displayed in uppercase or lowercase.

    Sample value: upper

  6. After specifying the attributes, click Apply to save the changes.

Reconciling Deleted Users to Oracle Identity Manager

The ACF2 Deleted User Reconciliation to OIM scheduled task allows the administrator to reconcile deleted users from the target system to Oracle Identity Manager.

When you configure this scheduled task, it runs at specified intervals and fetches a list of users on the target system. These user names are then compared with provisioned users in Oracle Identity Manager. Any user profiles that exist within Oracle Identity Manager, but not in the target system, are deleted from Oracle Identity Manager.

To configure the Deleted User Reconciliation to OIM scheduled task:

  1. Log in to the Oracle Identity Manager Administrative and User Console.
  2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
  3. Search for and open the scheduled task as follows:
    1. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.
    2. On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
    3. In the search results table on the left pane, click the scheduled job in the Job Name column.
  4. Modify the following parameters of the scheduled task on the Job Details tab as follows:
    Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
    Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

    Note:

    See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about schedule types.
    In addition to modifying the job details, you can enable or disable a job.
  5. Specify values for the attributes of the scheduled task as follows:

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    Table 5-3 describes the attributes of the scheduled task.

    Table 5-3 Attributes of the Deleted User Reconciliation to OIM Scheduled Task

    Attribute Description

    IT Resource

    Enter the name of the IT resource that was configured for the target system.

    Sample value: Acf2Resource

    Resource Object

    Enter the name of the resource object against which the delete reconciliation runs must be performed.

    Sample value: OIMAcf2ResourceObject

    Domain OU

    Enter the name of the internally-configured directory in the LDAP where the contents of event changes will be stored.

    Sample value: acf2

    UID Case

    Enter the same value as used in scheduled tasks ACF2 Reconcile All Users and ACF2 Reconcile LDAP Users.

    Note: If the UID Case value is different from the other jobs, all provisioned accounts might get revoked.

  6. After specifying the attributes, click Apply to save the changes.
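The comparison this job performs, and the UID Case caveat in Table 5-3, as an added illustration that is not the connector's own code: the target listing is normalised with the delete job's UID Case value, the OIM side is compared as stored, and a mismatch makes every provisioned account look deleted. The `mass_delete_suspected` threshold is an assumed safeguard for an operator's pre-check, not a connector feature.

```python
from typing import Iterable, List


def normalize_uid(uid: str, uid_case: str) -> str:
    """Apply the job's UID Case setting ('lower' or 'upper') to a target user ID."""
    return uid.lower() if uid_case == "lower" else uid.upper()


def find_deleted_users(target_uids: Iterable[str], oim_uids: Iterable[str],
                       uid_case: str) -> List[str]:
    """OIM accounts whose user ID is absent from the target listing.

    Assumed model of the job: the target listing is normalised with the delete
    job's UID Case, while the OIM side is compared exactly as the reconcile
    jobs stored it (their own UID Case value).
    """
    target = {normalize_uid(u, uid_case) for u in target_uids}
    return sorted(u for u in oim_uids if u not in target)


def mass_delete_suspected(oim_uids: Iterable[str], deleted: List[str],
                          max_fraction: float = 0.5) -> bool:
    """Added safeguard, not part of the connector: flag a run that would revoke
    more than max_fraction of all provisioned accounts, the symptom of a UID Case
    mismatch between this job and the reconcile jobs."""
    total = len(list(oim_uids))
    return total > 0 and len(deleted) / total > max_fraction


if __name__ == "__main__":
    # Constructed data: the mainframe lists IDs in upper case; OIM stored them
    # in lower case because the reconcile jobs ran with UID Case = lower.
    target = ["TESTUSR1", "TESTUSR2", "TESTUSR3"]
    oim = ["testusr1", "testusr2", "testusr9"]
    print(find_deleted_users(target, oim, "lower"))  # ['testusr9']
    wrong = find_deleted_users(target, oim, "upper")
    print(wrong, mass_delete_suspected(oim, wrong))  # all three accounts, True
```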

Configuring Resource and Access Rule PrePopulation Scheduled Tasks

The ACF2 Find All Access Rules Task and ACF2 Find All Resource Rules Task scheduled tasks populate lookup tables with resource or access rule keys that can be assigned during user provisioning.

When you configure these scheduled tasks, they run at specified intervals and fetch a listing of all resource or access keys on the target system for reconciliation.

To configure the ACF2 Find All Access Rules Task and ACF2 Find All Resource Rules scheduled task:

  1. Log in to Oracle Identity Manager Administrative and User Console.
  2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
  3. Search for and open the scheduled task as follows:
    1. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Search Scheduled Jobs.
    2. On the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
    3. In the search results table on the left pane, click the scheduled job in the Job Name column.
  4. Modify the following parameters of the scheduled task on the Job Details tab:
    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

    See Also:

    Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about schedule types
  5. Specify values for the attributes of the scheduled task as follows:

    Note:

    Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    Table 5-4 Attributes of the FindAllAccessRules and FindAllResourceRules Scheduled Tasks

    Attribute Description

    IT Resource

    Provide the IT Resource name required to fetch the values from the target.
  6. After specifying the attributes, click Apply to save the changes.

    Note:

    For information about the Stop Execution option, see the Oracle Fusion Middleware User's Guide for Oracle Identity Manager. You can use the Scheduler Status page to start, stop, or reinitialize the scheduler.
  7. Running the ACF2 Find All Access Rules Task and ACF2 Find All Resource Rules Task populates the lookup tables Lookup.AccessRuleNames and Lookup.ResourceNames respectively.

    Note:

    Every time these tasks are run, the existing lookup values are replaced by the latest values reconciled from the ACF2 target.


Uninstalling the Connector

Uninstalling the connector deletes all the account related data associated with resource objects of the connector.

If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.