6 Extending the Functionality of the CA Top Secret Connector

You can perform the following optional procedures to extend the functionality of the connector to address your business requirements:

Adding Custom Fields for Target Resource Reconciliation

Note:

You must ensure that new attributes you add for reconciliation contain only string-format data. Binary attributes must not be brought into Oracle Identity Manager natively.

By default, the attributes listed in Table 1-4 are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new attributes for target resource reconciliation.

To add a custom field for reconciliation, you must first update the connector reconciliation component you are using, and then update Oracle Identity Manager. This section discusses the following topics:

Adding Custom Fields for Full Reconciliation for CA Top Secret Connector

You can add custom fields for full reconciliation by specifying a value for the SingleValueAttributes attribute of the Top Secret Reconcile All Users scheduled task. See Performing Full Reconciliation for more information.

To add a custom field for scheduled task reconciliation:

  1. Log in to Oracle Identity System Administration.

  2. In the left pane, under System Management, click Scheduler.

  3. Search for and open the Top Secret Reconcile All Users scheduled task as follows:

    1. In the left pane, in the Search field, enter Top Secret Reconcile All Users as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    2. In the search results table on the left pane, click the scheduled job in the Job Name column.

  4. Add the custom field to the list of attributes in the SingleValueAttributes scheduled task attribute.

  5. Click Apply.

Adding Custom Fields to Oracle Identity Manager

After adding the custom field to either the VOYAGER_ID.properties file (if using real-time reconciliation) or the Top Secret Reconcile All Users scheduled task (if using scheduled task reconciliation), you must add the custom field to the Oracle Identity Manager components.

To update Oracle Identity Manager with the custom field:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Add the custom field to the list of reconciliation fields in the resource object as follows:

    1. Expand Resource Management and then double-click Resource Objects.

    2. Search for and open the OIMTopSecretResourceObject resource object.

    3. On the Object Reconciliation tab, click Add Field.

    4. In the Add Reconciliation Field dialog box, enter the details of the field.

      For example, if you are adding a Top Secret attribute called "Description", then enter Description in the Field Name field and select String from the Field Type list.

    5. Click Save and close the dialog box.

    6. Click Create Reconciliation Profile. This copies changes made to the resource object into MDS.

    7. Click Save.

  3. Add the custom field on the process form as follows:

    1. Expand Development Tools and then double-click Form Designer.

    2. Search for and open the UD_IDF_TOPS process form.

    3. Click Create New Version, and then click Add.

    4. Enter the details of the field.

      For example, if you are adding the Description field, then enter UD_IDF_TOPS_DESCRIPTION in the Name field, and then enter the rest of the details of this field.

    5. Click Save and then click Make Version Active.

  4. Create a reconciliation field mapping for the custom field in the provisioning process as follows:

    1. Expand Process Management and then double-click Process Definition.

    2. Search for and open the OIMTopsProvisioningProcess process definition.

    3. On the Reconciliation Field Mappings tab of the provisioning process, click Add Field Map.

    4. In the Add Reconciliation Field Mapping dialog box, from the Field Name field, select the value for the field that you want to add. For example, from the Field Name field, select Description.

    5. Double-click the Process Data field, and then select UD_IDF_TOPS_DESCRIPTION.

    6. Click Save and close the dialog box.

    7. Click Save.

  5. If you are using Oracle Identity Manager release 11.1.2.x, then create a new UI form and attach it to the application instance to make this new attribute visible. See Creating a New UI Form and Updating an Existing Application Instance with a New Form for the procedures.

  6. If you are adding a custom attribute or custom dataset, then set values for the configAttrs, configDNames, and configDatasets properties in the tops.properties file.

Adding Custom Multivalued Fields for Reconciliation

To add a custom multivalued field to reconciliation, you must first update the IDF reconciliation component you are using, and then update Oracle Identity Manager.

Adding Custom Multivalued Fields for Full Reconciliation

You can add custom multivalued fields for full reconciliation by specifying a value for the MultiValuedAttributes property of the Top Secret Reconcile All Users reconciliation scheduled task. See Top Secret Reconcile All Users for more information.

To add a custom field for scheduled task reconciliation:

  1. Log in to Oracle Identity System Administration.

  2. In the left pane, under System Management, click Scheduler.

  3. Search for and open the Top Secret Reconcile All Users scheduled task as follows:

    1. On the left pane, in the Search field, enter Top Secret Reconcile All Users as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    2. In the search results table on the left pane, click the scheduled job in the Job Name column.

  4. Add the custom field to the list of attributes in the MultiValuedAttributes property.

  5. Click Apply.

Adding Custom Multivalued Fields to Oracle Identity Manager for CA Top Secret Connector

After adding the custom multivalued field to either the VOYAGER_ID.properties file (if using real-time reconciliation) or the Top Secret Reconcile All Users scheduled task (if using scheduled task reconciliation), you must add the custom multivalued field to the Oracle Identity Manager components.

To update Oracle Identity Manager with the multivalued field:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Create a form for the multivalued field as follows:

    1. Expand Development Tools and double-click Form Designer.

    2. Create a form by specifying a table name and description, and then click Save.

    3. Click Add and enter the details of the field.

    4. Click Save and then click Make Version Active. Figure 6-1 shows the multivalued field added on a new form.

      Figure 6-1 Multivalued Field Added on a New Form for CA Top Secret Connector

  3. Add the form created for the multivalued field as a child form of the process form as follows:

    1. Search for and open the UD_IDF_TOPS process form.

    2. Click Create New Version.

    3. Click the Child Table(s) tab.

    4. Click Assign.

    5. In the Assign Child Tables dialog box, select the newly created child form, click the right arrow, and then click OK.

    6. Click Save and then click Make Version Active. Figure 6-2 shows the child form added to the process form.

      Figure 6-2 Child Form Added to the Process Form for CA Top Secret Connector

  4. Add the new multivalued field to the list of reconciliation fields in the resource object as follows:

    1. Expand Resource Management and then double-click Resource Objects.

    2. Search for and open the OIMTopsResourceObject resource object.

    3. On the Object Reconciliation tab, click Add Field.

    4. In the Add Reconciliation Field dialog box, enter the details of the field.

      For example, enter phoneNumber in the Field Name field and select Multi-Valued Attribute from the Field Type list.

    5. Click Save and close the dialog box.

    6. Right-click the newly created field and select Define Property Fields.

    7. In the Add Reconciliation Fields dialog box, enter the details of the newly created field.

      For example, enter phonenumber in the Field Name field and select String from the Field Type list.

    8. Click Save and then close the dialog box. Figure 6-3 shows the new reconciliation field added in the resource object.

      Figure 6-3 New Reconciliation Field Added in the Resource Object for CA Top Secret Connector

    9. Click Create Reconciliation Profile. This copies changes made to the resource object into MDS.

  5. Create an entry for the field in the AtMap.Tops lookup definition, as follows:

    1. Expand Administration and then double-click Lookup Definition.

    2. Search for the AtMap.TOPS lookup definition.

    3. Click Add and enter the Code Key and decode values for the field. The Code Key value is the name of the process form field that you created for the multivalued custom field in Step 3.3.d. The Decode value is the name of the target system field.

      For example, enter UD_PHONENUM_PHONENUMBER in the Code Key field and then enter phonenumber in the Decode field. Figure 6-4 shows the lookup code added to the lookup definition.

      Figure 6-4 Entry Added in the Lookup Definition for CA Top Secret Connector

    4. Click Save.

  6. Create a reconciliation field mapping for the new multivalued field as follows:

    1. Expand Process Management and then double-click Process Definition.

    2. Search for and open the OIMTopsProvisioningProcess process definition.

    3. On the Reconciliation Field Mappings tab of the provisioning process, click Add Table Map.

    4. In the Add Reconciliation Table Mapping dialog box, select the field name and table name from the list, click Save, and then close the dialog box.

    5. Right-click the newly created field and select Define Property Field Map.

    6. In the Field Name field, select the value for the field that you want to add.

    7. Double-click the Process Data field, and then select UD_PHONENUM_PHONENUMBER.

    8. Select Key Field for Reconciliation Field Matching and click Save. Figure 6-5 shows the new reconciliation field mapped to a process data field in the process definition.

      Figure 6-5 New Reconciliation Field Mapped to a Process Data Field for CA Top Secret Connector

Adding Custom Fields for Provisioning

By default, the attributes listed in Table 1-4 are mapped for provisioning between Oracle Identity Manager and the target system. If required, you can map additional attributes for provisioning.

The connector does not support the use of custom attributes in CREATE USER operations, that is, TSS CREATE. Instead, send custom attribute modifications in a MODIFY USER operation, that is, TSS ADDTO/REPLACE/REMOVE, after the user has been provisioned the resource.

To add a new attribute for provisioning:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Add the new attribute on the process form as follows:

    If you have added the field on the process form by performing Step 4 of Adding Custom Fields to Oracle Identity Manager, then you need not add the field again. If you have not added the field, then:

    1. Expand Development Tools.

    2. Double-click Form Designer.

    3. Search for and open the UD_IDF_TOPS process form.

    4. Click Create New Version, and then click Add.

    5. Enter the details of the attribute.

      For example, if you are adding the Description field, enter UD_IDF_TOPS_DESCRIPTION in the Name field, and then enter the rest of the details of this field.

    6. Click Save and then click Make Version Active.

    Note:

    OMVS and NETVIEW attributes must not be added to the AtMap.TOPS lookup definition as they are not supported for create provisioning operations.

  3. To enable update of the attribute during provisioning operations, create a process task as follows:

    1. Expand Process Management, and double-click Process Definition.

    2. Search for and open the OIMTopsProvisioningProcess process definition.

    3. Click Add.

    4. On the General tab of the Creating New Task dialog box, enter a name and description for the task and then select the following:

      Conditional

      Required for Completion

      Disable Manual Insert

      Allow Cancellation while Pending

      Allow Multiple Instances

    5. Click Save.

    6. Go to the Integration tab and click Add.

    7. In the Handler Selection dialog box, select Adapter, click adpMODIFYTOPSUSER, and then click the Save icon.

      The list of adapter variables is displayed on the Integration tab.

    8. To create the mapping for the first adapter variable:

      Double-click the number of the first row.

      In the Edit Data Mapping for Variable dialog box, enter the following values:

      Variable Name: Adapter return value

      Data Type: Object

      Map To: Response code

      Click the Save icon.

    9. To create mappings for the remaining adapter variables, use the data given in the following table:

      Table 6-1 Values for the Variables, Map To, Qualifier, and Literal Value lists for each variable

      Variable Number | Variable Name | Map To | Qualifier or Literal Value
      Second | idfResource | Process Data | LDAP_SERVER
      Third | uid | Process Data | LoginId
      Fourth | attrName | String Literal | Enter the LDAP attribute name in the Literal Value field. Example: description. See Table 1-5 for a list of unmapped user attributes and their LDAP Gateway attribute names.
      Fifth | attrValue | Process Data | Select the process form field from the drop-down list. Example: DESCRIPTION

    10. On the Responses tab, click Add to add at least the SUCCESS response code, with status C. This ensures that if the custom task runs successfully, then the status of the task is displayed as Completed in Oracle Identity Manager.

    11. Click the Save icon in the Editing Task dialog box, and then close the dialog box.

    12. Click the Save icon to save changes to the process definition.

  4. Create a new UI form and attach it to the application instance to make this new attribute visible. See Creating a New UI Form and Updating an Existing Application Instance with a New Form for the procedures.

Removing Attributes Mapped for Target Resource Reconciliation

The reconAttrs property contains the list of target system attributes that are mapped for real-time reconciliation. This property is found in the VOYAGER_ID.properties file. If you want to remove an attribute mapped for real-time reconciliation, then remove it from the reconAttrs property.

The SingleValueAttributes and MultiValuedAttributes properties contain the list of target system attributes that are mapped for scheduled task reconciliation. These properties are found in the Top Secret Reconcile All Users and Top Secret Reconcile All LDAP Users scheduled tasks. If you want to remove an attribute mapped for scheduled task reconciliation, then remove it from the SingleValueAttributes or MultiValuedAttributes property.

Adding Admin Multivalued Attributes for Provisioning and Reconciliation

To manage fine-grained administrative privileges of a user from Oracle Identity Manager, you can add Admin attributes for provisioning and reconciliation.

To grant or revoke admin privileges to a user:
  1. Log in to the Oracle Identity Manager Design Console.
  2. Create a child form for the admin authority field (for example, RESOURCE) as follows:
    1. Expand Development Tools and double-click Form Designer.
    2. Create a form by specifying a table name and description, and then click Save.
    3. Click Add and enter the details of the field.
    4. Click Save and then click Make Version Active.
    5. Repeat Step 2.a through 2.d for each administrative authority whose grant or removal must be managed through Oracle Identity Manager.
  3. Assign the form created for the admin authority field (for example, RESOURCE) as a child form of the parent process form as follows:
    1. Search for and open the UD_IDF_TOPS process form, and then click Create New Version.
    2. Click the Child Table(s) tab and then click Assign.
    3. In the Assign Child Tables dialog box, select the newly created child form, click the right arrow, and then click OK.
    4. Click Save and then click Make Version Active.
  4. Add the new admin authority field (for example, RESOURCE) to the list of reconciliation fields in the resource object as follows:
    1. Expand Resource Management and then double-click Resource Objects.
    2. Search for and open the OIMTopSecretResourceObject resource object. Then, on the Object Reconciliation tab, click Add Field.
    3. In the Add Reconciliation Fields dialog box, enter the details of the field.
      For example, enter adminresource in the Field Name field and select Multi-Valued Attribute from the Field Type list.
    4. Click Save and then close the dialog box.
    5. Right-click the newly created field and select Define Property Fields.
    6. In the Add Reconciliation Fields dialog box, enter the details of the field.
      For example, enter adminresource in the Field Name field and select String from the Field Type list.
    7. Click Save, and then close the dialog box.
    8. Click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.
  5. Create an entry for the field in the AtMap.Tops lookup definition, as follows:
    1. Expand Administration and then double-click Lookup Definition.
    2. Search for and open the AtMap.Tops lookup definition.
    3. Click Add and enter the Code Key and Decode values for the admin authority field. The Code Key value is the name of the process form field that you created in Step 2. The Decode value is the name of the target system field.

      For example, enter UD_ADM_RES_RESOURCE in the Code Key field and then enter adminResource in the Decode field. Figure 5-4 shows the lookup code added to the lookup definition.

  6. Create a reconciliation field mapping for the new field as follows:
    1. Expand Process Management and then double-click Process Definition.
    2. Search for and open the OIMTopsProvisioningProcess process definition. Then, on the Reconciliation Field Mappings tab, click Add Table Map.
    3. In the Add Reconciliation Table Mapping dialog box, select the field name (for example, adminResource) and table name (for example, UD_ADM_RES) from the list, click Save, and then close the dialog box.
    4. Right-click the newly created table map, and select Define Property Field Map.
    5. In the Field Name field, select the value for the field that you want to add. Then double-click the Process Data Field field and select the field name (for example, UD_ADM_RES_RESOURCE).
    6. Click Save and then close the dialog box.
  7. Enable update provisioning operations on the admin authority field as follows:
    1. Expand Process Management, and then double-click Process Definition.
    2. Search for and open the OIMTopsProvisioningProcess process definition.
    3. Click Add and enter the task name and description. For example, enter Administrative Authority Resource Granted as the task name and Grant Admin Authority Resource with Access to User as RESOURCE|ACCESS1,ACCESS2 as the task description.
    4. In the Task Properties section, select Conditional, Disable Manual Insert, Required for Completion, Allow Cancellation while Pending, and Off-line. In addition, from the Child Table list, select UD_ADM_RES_RESOURCE and from the Trigger Type list, select Insert.
    5. On the Integration tab, click Add. In the Handler Selection dialog box, select Adapter. Then, from the list of adapters, select adpMODIFYUSERATTRTOPS, click Save, and close the dialog box.
    6. In the Adapter Variables region, click the paramValue variable. In the dialog box that is displayed, create the following mapping, click Save and close the dialog box:

      Variable Name: paramValue

      Map To: Process Data

      Qualifier: adminResource

    7. Repeat Step 7.f for the remaining variables listed in the Adapter Variables region. The following table lists values that you must select from the Map To, Qualifier, and Literal Value lists for each variable:
      Variable Map To Qualifier Literal Value
      idfserver Process Data LDAP_SERVER NA
      opType Literal Integer 1
      containsITResource Literal Boolean Select True if the attribute value is expected to contain ~IT_RESOURCE_KEY as the prefix in your environment. Otherwise, select False.
      auditInfo Literal String Audit comment
      uid Process Data USER_ID NA
      paramName Literal String adminresource
      Adapter return value Response Code NA NA
    8. Click the Save icon, close the dialog box, and then save the process definition.
  8. Add a new process task by using the adpMODIFYUSERATTRTOPS adapter for removing the admin authority. To do so, repeat Step 7 with the following difference:
    While performing Step 7.d, instead of selecting Insert from the Trigger Type list, select Delete.
  9. Save the process task.
  10. Replicate all changes made to the Form Designer of the Design Console in a new UI form as follows:
    1. Log in to Oracle Identity System Administration.
    2. Create and activate a sandbox.
    3. Create a new UI form to view the newly added field along with the rest of the fields.
    4. Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in Step 10.c), and then save the application instance.
    5. Publish the sandbox.

Configuring the Connector for Provisioning to Multiple Installations of the Target System

You can configure the connector for multiple installations of the target system. You can also configure the connector for a scenario in which multiple logical partitions (LPARs), which are not associated with the first LPAR, are configured in the target system.

For each installation of the target system, you create an IT resource and configure an additional instance of the LDAP Gateway.

To configure the connector for the second installation of the target system:

Note:

Perform the same procedure for all installations of the target system.

  1. Create an IT resource based on the OIMLDAPGatewayResourceType IT resource type.

  2. Copy the current LDAP_INSTALL_DIR directory, including all the subdirectories, to a new location on the Oracle Identity Manager computer.

    Note:

    In the remaining steps of this procedure, LDAP_INSTALL_DIR refers to the newly copied directory.

  3. Extract the contents of the LDAP_INSTALL_DIR/dist/idfserver.jar file.

  4. In the beans.xml file, change the value of the port in the <property name="port" value="xxxx"/> line to specify a port that is different from the port used for the first instance of the LDAP Gateway. The default port number is shown in the following example:

    <bean id="listener" class="com.identityforge.idfserver.nio.Listener">
    <constructor-arg><ref bean="bus"/></constructor-arg>
    <property name="admin"><value>false</value></property>
    <property name="config"><value>../conf/listener.xml</value></property>
    <property name="port" value="5389"/>
    </bean>
    

    When you change the port number, you must make the same change in the value of the idfServerPort parameter of the IT resource that you create by performing Step 1.

  5. Save and close the beans.xml file.

  6. Open the LDAP_INSTALL_DIR/conf/tops.properties file and set values for the following parameters:

    • host: Enter the IP address or host name of the mainframe.

    • port: Enter the port number for the second instance of the Provisioning agent.

    • agentPort: Enter the port number for the second instance of the Reconciliation agent.

      Note:

      The value of the agentPort parameter must not be the same as that of the first instance if a second LPAR, which is not associated with the first LPAR, is configured in the target system. This value can be the same as the value of the idfServerPort parameter if you have two mainframe servers with CA Top Secret running on each server.

  7. Save and close the tops.properties file.

  8. Delete the LDAP_INSTALL_DIR/etc/VOYAGER_ID.properties file.

  9. In a Linux or Solaris environment, if there are not enough socket file descriptors to open up all the ports needed for the server, then:

    1. In a text editor, open the run script from the LDAP_INSTALL_DIR/bin directory.

    2. Add the following line in the file:

      -Djava.nio.channels.spi.SelectorProvider=sun.nio.ch.PollSelectorProvider
       
    3. Save and close the file.
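The port rules in the procedure above (a distinct listener port per gateway copy, the IT resource's idfServerPort following the beans.xml change, and agentPort differing from the first instance for an unassociated LPAR) can be checked before the second gateway is started. The following script is an added example, not code shipped with the connector; the beans.xml fragment, the tops.properties contents, and the port numbers are constructed sample data, and the layout of each instance record is an assumption of this example.

```python
"""Added example (not the connector's own code): sanity-check the port settings of
several LDAP Gateway instances configured for multiple target installations."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional


def _local(tag: str) -> str:
    """Strip an XML namespace, so a real beans.xml with an xmlns still parses."""
    return tag.rsplit("}", 1)[-1]


def listener_port(beans_xml: str) -> int:
    """Return the value of <property name="port" .../> of the bean with id="listener"."""
    root = ET.fromstring(beans_xml)
    for bean in root.iter():
        if _local(bean.tag) != "bean" or bean.get("id") != "listener":
            continue
        for prop in bean:
            if _local(prop.tag) == "property" and prop.get("name") == "port":
                return int(prop.get("value"))
    raise ValueError("no listener port found in beans.xml")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for tops.properties (lines starting with # are comments)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_instances(instances: List[dict]) -> List[str]:
    """Each instance record (layout assumed by this example) carries: name, beans_xml,
    tops_properties, it_resource_port (the IT resource's idfServerPort) and
    associated_with_first_lpar. Returns a list of problems; empty means consistent."""
    problems: List[str] = []
    seen_listener: Dict[int, str] = {}
    first_agent_port: Optional[str] = None
    for inst in instances:
        name = inst["name"]
        port = listener_port(inst["beans_xml"])
        props = parse_properties(inst["tops_properties"])
        # Rule 1: every gateway copy must listen on its own port.
        if port in seen_listener:
            problems.append(f"{name}: listener port {port} already used by {seen_listener[port]}")
        seen_listener.setdefault(port, name)
        # Rule 2: the IT resource's idfServerPort must follow the beans.xml change.
        if inst["it_resource_port"] != port:
            problems.append(f"{name}: IT resource idfServerPort {inst['it_resource_port']} "
                            f"does not match beans.xml port {port}")
        # Rule 3: agentPort must differ from the first instance's value when the
        # additional LPAR is not associated with the first one.
        agent = props.get("agentPort")
        if first_agent_port is None:
            first_agent_port = agent
        elif agent == first_agent_port and not inst.get("associated_with_first_lpar", False):
            problems.append(f"{name}: agentPort {agent} duplicates the first instance's "
                            "value for an unassociated LPAR")
    return problems


# Constructed sample data: a beans.xml wrapper around the listener bean shown in
# the procedure, plus two tops.properties files. Not taken from a real deployment.
BEANS_TEMPLATE = """<beans>
  <bean id="listener" class="com.identityforge.idfserver.nio.Listener">
    <constructor-arg><ref bean="bus"/></constructor-arg>
    <property name="admin"><value>false</value></property>
    <property name="config"><value>../conf/listener.xml</value></property>
    <property name="port" value="{port}"/>
  </bean>
</beans>"""

SAMPLE_INSTANCES = [
    {"name": "gateway1", "beans_xml": BEANS_TEMPLATE.format(port=5389),
     "tops_properties": "host=mainframe-a.example\nport=6000\nagentPort=6001\n",
     "it_resource_port": 5389, "associated_with_first_lpar": True},
    # Second copy: port changed in beans.xml but the IT resource was not updated,
    # and agentPort was left equal to the first instance's value.
    {"name": "gateway2", "beans_xml": BEANS_TEMPLATE.format(port=5390),
     "tops_properties": "host=mainframe-b.example\nport=6002\nagentPort=6001\n",
     "it_resource_port": 5389, "associated_with_first_lpar": False},
]

if __name__ == "__main__":
    for problem in check_instances(SAMPLE_INSTANCES):
        print(problem)
```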

Note:

When you perform provisioning in Identity Self Service, you can specify the IT resource corresponding to the CA Top Secret installation to which you want to provision the user.

Configuring the Generation of Single-Use Passwords for the Reset Password Operation

You can create and configure an adapter that generates single-use passwords when the Reset Password operation is performed.

To create the adapter:

  1. Use the Adapter Factory to create a copy of the ResetPassword adapter.
  2. Add the following variables to the adapter that you create:

    passwordExpire: boolean or String

    passwordExpireInterval: String

  3. The idm.jar file is located in the JavaTasks directory. When you create and map the new adapter task, use the following functions defined in this file:
    • public String resetPassword(String idfUserId, String idfNewPwd, boolean expire, String expireInDays)

    • public String resetPassword(String idfUserId, String idfNewPwd, String expireNow, String expireInDays)

    In these functions, the expire and expireNow parameters expect the value true to expire users' passwords.

  4. Compile the adapter.
  5. Create a process task, and associate it with the object corresponding to the event for which you want single-use passwords to be generated. For example, you can associate the process task with the Password Updated task or with the event that the PWD_EXP check box on the process form is selected.

Customizing Log File Locations

The names and locations of the main LDAP gateway log file (idfserver.log) and the CFILE XML error log file (idf.xml.error.log) can be modified by adding arguments to the LDAP gateway server STARTUP command. These arguments are optional, and you can include one, both, or neither in the STARTUP command.

  1. In a text editor, open the run script from the LDAP_INSTALL_DIR/bin directory. This run script is used to start and stop the LDAP gateway.
    • If using a Windows system, open the run.bat file.

    • If using a UNIX system, open the run.sh file.
  2. Add the arguments to the start command, located at the end of the run script:

    Add the arguments after the -cp %CLASSPATH% argument.

    To modify the idfserver.log path, use the argument -Didf.logpath=

    To modify the idf.xml.error.log path, use the argument -Didf.xmllogpath=

    In the following example, the start command will set the idfserver.log path to C:/logs/ldap/idfserver.log and the idf.xml.error.log path to C:/logs/errors/idf.xml.error.log:

    %JAVACMD% %DEBUG% %JVM_OPTS% %SECURE% -cp %CLASSPATH% -Didf.logpath="c:/logs/ldap/idfserver.log" -Didf.xmllogpath="c:/logs/errors/idf.xml.error.log" -Djava.library.path=%HOME%/lib com.identityforge.idfserver.Main %1 %2 %3 %4 %5 %6 %7 %8 %9

Handling Pioneer Error Messaging Exceptions in the Gateway

The error handling routines let you configure what error messages to look for when deciding that a request sent to Pioneer has succeeded or failed. Use these instructions to configure error handling.

Enable or Disable the Ability to Examine the Pioneer SAF Code

Some commands will return SAF codes whenever a command fails.

To enable the ability to automatically throw an error whenever codes greater than 0 are returned, add the check-return-codes property to the tops.properties file (created in Setting Connection Properties) and set its value to yes.

Note:

Warning codes may also show up as codes greater than 0 depending on the type of mainframe environment that you are using. Test for false positives before deciding whether this capability is appropriate to turn on in a production environment.

Configuring Custom Error Messages

Many commands require parsing the returned output for error messages. The error handling has been extended with a configuration file that lets you expand the set of error messages recognized.

Each error message to search for is defined as a regex signature.

The Top Secret connector comes with a default signatures file, errorMsgSignatures.xml, that you can extract from the LDAP_INSTALL_DIR/dist/idfserver.jar file. The errorMsgSignatures.xml file is located in the com/identityforge/idfserver/backend/tops/repository/ directory of the idfserver.jar file.

You can add, overwrite, or disable the defaults in favor of custom messages.

To do so, in the LDAP_INSTALL_DIR/conf directory, create a new XML file representing the messages to add, replace, or disable. For example, create a new XML file LDAP_INSTALL_DIR/conf/custom-tops-error-sig-file.xml and add your custom messages. Then, in the LDAP_INSTALL_DIR/conf/tops.properties file, add a reference to the newly created XML file by setting a value for the errormsg-sig-file property. For example:

errormsg-sig-file=../conf/custom-tops-error-sig-file.xml

Restart the LDAP gateway for the changes to take effect. At runtime, the contents of the custom signature file are merged into the default signatures file and the overrides or additions will be applied.

The following are examples of custom signatures:

Example 1: Suppose you create a new XML file LDAP_INSTALL_DIR/conf/custom-tops-error-sig-file.xml in the LDAP_INSTALL_DIR/conf directory with the following entries:

<?xml version="1.0" encoding="utf-8"?>
<Signatures>
    <Signature id="custom1" regex="^C4R541E .*" enabled="yes"/>
    <Signature id="custom2" regex="^ICH02005I .*" enabled="yes"/>
    <Signature id="custom3" regex="^IKJ56701I .*" enabled="yes"/>
</Signatures>

In this example, the first signature looks for C4R541E at the beginning of the message returned from Pioneer. If found, the message is flagged as an error and returned.

The second signature looks for ICH02005I at the beginning of the message returned from Pioneer. If found, the message is flagged as an error and returned. The third signature (regex="^IKJ56701I .*") works the same way; modify the pattern as needed. If found, the message is flagged as an error and returned.

In the preceding example, the enabled="yes" entry means that the signature is active: messages matching the regex pattern are treated as errors. Set enabled="no" to stop a signature from being applied.

Example 2: Suppose you create a new XML file LDAP_INSTALL_DIR/conf/custom-tops-error-sig-file.xml in the LDAP_INSTALL_DIR/conf directory with the following entries:
<?xml version="1.0" encoding="utf-8"?>
<Signatures>
    <Signature id="custom1" regex="^ICH\d{5}I .*" enabled="yes">
        <Exception regex="^ICH01432I .*"/>
        <Exception regex="^ICH05555I .*"/>
        <Exception regex="^ICH01024I .*"/>
    </Signature>
    <Signature id="custom2" regex=".*INVALID DEPARTMENT.*" enabled="yes"/>
    <Signature id="e2" enabled="no"/>
</Signatures>

In this example, the first signature looks for the ICHxxxxxI pattern (ICH followed by five digits and I) at the beginning of the message returned from Pioneer. If found, the exceptions defined for the signature are then examined. If the message begins with ICH01432I, ICH05555I, or ICH01024I, then it is marked as a warning and ignored. Otherwise, it is flagged as an error and the message is returned.

The second signature looks for INVALID DEPARTMENT anywhere in the returned message. If found, the message is flagged as an error and returned.

The third signature is an example of disabling an existing default signature. All default signatures have an id attribute that starts with e followed by a number. By referencing that id, the default signature's regex, enabled flag, and/or exceptions can be replaced with a custom override. Here, enabled="no" stops the default signature e2 from being applied, so messages matching its regex pattern are no longer treated as errors.

To obtain the list of default signatures currently deployed, locate and open the errorMsgSignatures.xml file.
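The following Python script is an added example, not code from the connector or from Oracle, that implements the behaviour the two examples above describe: custom signatures are merged over the defaults by id, an enabled="no" override silences a default, and a message that matches a signature but also matches one of its Exception patterns is treated as a warning. The default signatures file is a constructed stand-in (the real file contains more entries), the sample Pioneer reply lines are constructed, and matching each regex with Python's re.search is an assumption of this example.

```python
"""Added example (not the connector's own code): merge a custom signature file over
the default errorMsgSignatures.xml and classify Pioneer reply lines with the result."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Signature:
    sig_id: str
    regex: Optional[str]                 # None when an override only changes 'enabled'
    enabled: bool
    exceptions: List[str] = field(default_factory=list)


def parse_signatures(xml_text: str) -> Dict[str, Signature]:
    """Parse <Signatures><Signature id regex enabled><Exception regex/>...</Signatures>."""
    sigs: Dict[str, Signature] = {}
    for el in ET.fromstring(xml_text).findall("Signature"):
        sid = el.get("id")
        sigs[sid] = Signature(
            sig_id=sid,
            regex=el.get("regex"),
            enabled=el.get("enabled", "yes").lower() == "yes",
            exceptions=[ex.get("regex") for ex in el.findall("Exception")],
        )
    return sigs


def merge(defaults: Dict[str, Signature], custom: Dict[str, Signature]) -> Dict[str, Signature]:
    """Custom entries with a new id are added; an entry reusing a default id (e<n>)
    overrides that default's regex, enabled flag and exceptions where it supplies them."""
    merged = dict(defaults)
    for sid, sig in custom.items():
        base = merged.get(sid)
        if base is None:
            merged[sid] = sig
        else:
            merged[sid] = Signature(
                sig_id=sid,
                regex=sig.regex if sig.regex is not None else base.regex,
                enabled=sig.enabled,
                exceptions=sig.exceptions or base.exceptions,
            )
    return merged


def classify(message: str, sigs: Dict[str, Signature]) -> Tuple[str, Optional[str]]:
    """Return ('error', id), ('warning', id) or ('ok', None) for one Pioneer reply line.
    Matching uses re.search (assumed); the page's patterns carry their own ^ anchors."""
    for sig in sigs.values():
        if not sig.enabled or sig.regex is None or not re.search(sig.regex, message):
            continue
        if any(re.search(ex, message) for ex in sig.exceptions):
            return ("warning", sig.sig_id)   # matched, but listed as an exception
        return ("error", sig.sig_id)
    return ("ok", None)


# Constructed stand-in for the shipped defaults; the real file has more entries.
DEFAULT_XML = """<?xml version="1.0" encoding="utf-8"?>
<Signatures>
    <Signature id="e1" regex="^C4R541E .*" enabled="yes"/>
    <Signature id="e2" regex="^IKJ56701I .*" enabled="yes"/>
</Signatures>"""

# The custom file from Example 2 above (custom-tops-error-sig-file.xml).
CUSTOM_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Signatures>
    <Signature id="custom1" regex="^ICH\d{5}I .*" enabled="yes">
        <Exception regex="^ICH01432I .*"/>
        <Exception regex="^ICH05555I .*"/>
        <Exception regex="^ICH01024I .*"/>
    </Signature>
    <Signature id="custom2" regex=".*INVALID DEPARTMENT.*" enabled="yes"/>
    <Signature id="e2" enabled="no"/>
</Signatures>"""

MERGED = merge(parse_signatures(DEFAULT_XML), parse_signatures(CUSTOM_XML))

if __name__ == "__main__":
    # Constructed reply lines; only the message identifiers come from the page.
    for line in ("ICH01432I USER ADDED", "ICH02005I COMMAND REJECTED",
                 "IKJ56701I MISSING USERID", "C4R541E INVALID COMMAND SYNTAX"):
        print(line, "->", classify(line, MERGED))
```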

Note:

According to the CA Top Secret manual, "I" type messages are technically classified as informational rather than error related, so make sure that a matched message truly represents a failure on the mainframe rather than a case where the account is created but Oracle Identity Manager considers the operation failed. We explicitly called out this SAF code as a warning because that is what the original implementation was doing.