5 Using the CA Top Secret Connector

You can use the CA Top Secret connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.

The procedure to use the CA Top Secret Connector can be divided into the following topics:

Guidelines on Using the Connector

These are the guidelines to apply while using the connector.

  • The subpool and the LDAP Gateway must be started before starting the Reconciliation Agent. If the LDAP Gateway is not available when the Reconciliation Agent is started, then an error is generated with RETCODE=-01 and ERRORNO=61.

  • The Top Secret connector LDAP gateway encrypts ASCII data and transmits the encrypted message to the mainframe. The mainframe decrypts this message and, because the inbound message is in ASCII format, translates it to EBCDIC for mainframe processing. As a result, any task that requires non-ASCII data transfer fails. In addition, there is no provision in the connector to indicate that the task has failed or that an error has occurred on the mainframe. To avoid errors of this type, exercise caution when providing inputs to the connector for the target system, especially when using a regional language interface. (See bug 18268599 for related information.)

  • Passwords used on the mainframe must conform to stringent rules related to passwords on mainframes. These passwords are also subject to restrictions imposed by corporate policies and rules about mainframe passwords. Keep in mind these requirements when you create or modify target system accounts through provisioning operations on Oracle Identity Manager.

  • When using the connector with multiple LPARs, ensure that you install both mainframe agents on each LPAR. The LDAP gateway can then be used to connect to multiple systems, each using a different naming context. See Configuring the LDAP Gateway for Multiple Installations of the Target System for more information.

Scheduled Tasks for Lookup Field Synchronization

The scheduled tasks for lookup field synchronization populate lookup tables with facility, dataset, group, or profiles IDs that can be assigned during the user provisioning process.

The following are the scheduled tasks for lookup field synchronization:

  • Top Secret Find All Facilities

  • Top Secret Find All Datasets

  • Top Secret Find All Profiles

  • Top Secret Find All Groups

When you configure these scheduled tasks, they run at specified intervals and fetch a listing of all facility, dataset, group, or profiles IDs on the target system for reconciliation. Table 5-1 describes the attributes of the scheduled task.

Table 5-1 Attributes of the Find All Facilities, Find All Datasets, Find All Profiles and Find All Groups Scheduled Tasks

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: TopSecretResource

Resource Object

Enter the name of the resource object against which provisioning runs must be performed.

Sample value: OIMTopSecretResourceObject

Lookup Code Name

Enter the name of the lookup code where OIM will store the results of the scheduled task.

Sample value: Lookup.profileNames

Note: The value supplied for the Lookup Code Name should match the value set in the properties of the Lookup Field in the corresponding Top Secret child table form.

Recon Type

Enter Append or Replace. This attribute determines whether the values from the target system will be appended to the current lookup, or replace the existing values in the lookup. If set to Replace, the existing lookup will be deleted.

Sample value: Replace

SearchBaseDN

This parameter is available only in the Top Secret Find All Groups and Top Secret Find All Profiles scheduled tasks.

Enter the container in which the search for groups and profile IDs must be performed during reconciliation and loaded into Oracle Identity Manager.

Sample value: ou=tops,ou=groups,dc=system,dc=backend

The preceding sample value implies that the connector loads groups from the LDAP system backend (dc=system, dc=backend) into Oracle Identity Manager.

Note: If you do not enter a value for this attribute, then the connector loads groups into Oracle Identity Manager directly from the target system (by using the Pioneer route).

AttrsToReturn

Enter a comma-separated list of object attributes that the connector must retrieve from LDAP. For example, enter a comma-separated list of group attributes that the connector must fetch from LDAP and load into Oracle Identity Manager.

Note: The connector ignores this attribute if the SearchBaseDN attribute is empty.

Because groups are loaded into Oracle Identity Manager as a lookup, only two attributes are required: one for the lookup value and one for the lookup description.

Sample value: cn, displayname

DescTemplate

By default, when lookup reconciliation is performed, the lookup description is the same as the lookup value in the lookup window. If required, use the DescTemplate attribute to specify the attribute whose value must be used as the lookup description displayed in the lookup window.

For example, consider that for one of the groups that is being fetched, the values of the cn and displayName attributes are FINGRPIN and Finance Group in India, respectively. Now suppose you set the value of the DescTemplate attribute to cn, then the lookup description that is displayed in the lookup window is FINGRPIN. However, if you set the value of the DescTemplate attribute to displayName, then the lookup description is Finance Group in India.

If the lookup description has to be a combination of multiple attributes values, then enter multiple attribute names separated by a space character. For example, enter {{cn}} {{displayname}}.

Note: This attribute value will be ignored if the value of the SearchBaseDN attribute is empty.

R2

Enter true if the version of Oracle Identity Manager in use is 11.1.2.x. Otherwise, enter false.

Sample value: true

Scheduled Task for Managing User's Access to Sources

The Lookup.SourceNames lookup definition is created in Oracle Identity Manager when you deploy the connector and is used to add and remove a user's access to a source on the mainframe.

This connector includes a scheduled task to automatically populate the lookup field used for storing Top Secret source IDs.

Note:

The Find All Sources scheduled task does not query the target system for data. Instead, the scheduled task automatically populates the lookup field with "itResourceKey~sourceName" pairs based on the IT Resource and Find All Sources scheduled task property values.

Table 5-2 describes the attributes of the Find All Sources scheduled task.

Table 5-2 Attributes of the Find All Sources Scheduled Task for CA Top Secret

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: TopSecretResource

Resource Object

Enter the name of the resource object against which provisioning runs must be performed.

Sample value: OIMTopSecretResourceObject

Sources List

Enter a comma-separated list of Top Secret sources.

Sample value: TSO,R5

Lookup Code Name

Enter the name of the lookup code where Oracle Identity Manager will store the source entries.

Sample value: Lookup.SourceNames

Recon Type

Enter Append or Replace. This attribute determines whether "IT resource key~sourceName" pairs will be appended to the current lookup, or replace the existing values in the lookup. If set to Replace, the existing lookup will be deleted.

Sample value: Replace

R2

Enter true if the version of Oracle Identity Manager in use is 11.1.2.x. Otherwise, enter false.

Sample value: true

You can also add source values manually. To add additional sources for provisioning and reconciliation, perform the following steps:
  1. Log in to Oracle Identity Manager Design Console.
  2. Expand Administration and then double-click Lookup Definition.
  3. Search for the Lookup.SourceNames lookup definition, and then click Add.
  4. In the Code Key column, enter the name of the source. Enter the same value in the Decode column. The following is a sample entry:
    • Code Key: R5
    • Decode: R5
  5. Click the Save icon.
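The following is an added example, not code from the connector or from Oracle, that models how the lookup field synchronization tasks above turn fetched entries into lookup rows: AttrsToReturn selects the value and description attributes, DescTemplate picks a bare attribute name or a {{attr}} template for the description, Find All Sources builds "itResourceKey~sourceName" keys without querying the target, and Recon Type decides whether the result is appended to or replaces the existing lookup. The group entries, the IT resource key 42 and the use of the source name as the Decode value are constructed assumptions for illustration; the real tasks read the LDAP Gateway and the OIM lookup tables.

```python
import re

# Constructed sample group entries, shaped like what a SearchBaseDN query could
# return. These are not real Top Secret groups.
SAMPLE_GROUPS = [
    {"cn": "FINGRPIN", "displayName": "Finance Group in India"},
    {"cn": "HRGRPUS", "displayName": "HR Group in US"},
]

# Matches one "{{attr}}" placeholder in a DescTemplate value.
_TEMPLATE_TOKEN = re.compile(r"\{\{\s*([^}]+?)\s*\}\}")


def lookup_entries(entries, attrs_to_return, desc_template=None):
    """Return (lookup value, lookup description) pairs for the Find All Groups/Profiles style tasks.

    attrs_to_return: "cn, displayname"; the first attribute is the lookup value, the second
                     is the attribute fetched for the description.
    desc_template:   None (description = value, the documented default), a bare attribute
                     name such as "displayName", or a template such as "{{cn}} {{displayname}}".
    LDAP attribute names are compared case-insensitively.
    """
    wanted = [a.strip() for a in attrs_to_return.split(",") if a.strip()]
    if len(wanted) != 2:
        raise ValueError("AttrsToReturn needs exactly two attributes: value and description")
    value_attr = wanted[0]
    rows = []
    for entry in entries:
        lower = {k.lower(): v for k, v in entry.items()}
        value = lower[value_attr.lower()]
        if not desc_template:
            desc = value
        elif "{{" in desc_template:
            desc = _TEMPLATE_TOKEN.sub(lambda m: lower.get(m.group(1).lower(), ""), desc_template)
        else:
            desc = lower.get(desc_template.lower(), value)
        rows.append((value, desc))
    return rows


def source_entries(it_resource_key, sources_list):
    """Find All Sources: build "itResourceKey~sourceName" code keys from the Sources List
    property alone. Using the bare source name as the Decode value is an assumption here."""
    names = [s.strip() for s in sources_list.split(",") if s.strip()]
    return [(f"{it_resource_key}~{name}", name) for name in names]


def apply_recon_type(existing, fetched, recon_type):
    """Recon Type semantics: Replace discards the current lookup, Append merges into it."""
    mode = recon_type.strip().lower()
    if mode == "replace":
        return dict(fetched)
    if mode == "append":
        merged = dict(existing)
        merged.update(fetched)
        return merged
    raise ValueError("Recon Type must be Append or Replace")


if __name__ == "__main__":
    for row in lookup_entries(SAMPLE_GROUPS, "cn, displayname", "{{cn}} {{displayname}}"):
        print(row)
    print(apply_recon_type({"OLDKEY": "OLDKEY"}, source_entries("42", "TSO,R5"), "Append"))
```

Running the script with Replace instead of Append shows the documented effect of Replace: the pre-existing OLDKEY row disappears, which is why a Replace run against a lookup that also holds manually added sources should be reviewed first.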

Configuring Reconciliation

The CA Top Secret Advanced connector supports both incremental reconciliation (sometimes referred to as real-time reconciliation) and full reconciliation. This section discusses the following topics related to configuring reconciliation:

Performing Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager.

After you deploy the connector, you must first perform full reconciliation. When you run the Connector Installer, a scheduled job for user reconciliation (Top Secret Reconcile All Users) is automatically created in Oracle Identity Manager.

To perform full reconciliation, you must run the Top Secret Reconcile All Users scheduled job. See Top Secret Reconcile All Users for information about the scheduled job attributes.

Reconciliation Scheduled Tasks

When you run the Connector Installer, these reconciliation scheduled tasks are automatically created in Oracle Identity Manager.

Top Secret Reconcile All Users

Use the Top Secret Reconcile All Users scheduled task to reconcile user data in the target resource (account management) mode of the connector. This scheduled task runs at specified intervals and fetches create or modify events on the target system for reconciliation.

Table 5-3 describes the attributes of the scheduled task.

Table 5-3 Attributes of the Top Secret Reconcile All Users Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: TopSecretResource

filter

Enter a filter criterion to search for and retrieve the user records that match it. You can use any target system attribute to create the filter criterion. The filter criterion that you enter must be a valid filter according to RFC 2254.

The filter can be either simple or complex. A simple filter uses only a single attribute whereas a complex filter is a combination of two or more attributes.

Sample value for a simple filter: (revoke=n)

Sample value for a complex filter: (|(commandflag=UPDATE)(deptacid=OMVSDEPT))

This complex filter searches for and retrieves all user records whose commandflag attribute value is UPDATE or department ACID is OMVSDEPT.

Note: If you specify a complex filter, then ensure that you have enabled the caching layer of the LDAP Gateway as described in Understanding the Caching Layer. If the caching layer is disabled, then the connector considers only the simple filter (uid=<userid>).

Resource Object

Enter the name of the resource object against which reconciliation runs must be performed.

Sample value: OIMTopSecretResourceObject

MultiAttrsWithoutITRKey

Enter a comma-separated list of multivalued attributes that the connector must reconcile without the ITRKEY~ prefix. ITRKEY~ is the numeric code assigned to each IT resource in Oracle Identity Manager.

Sample value: adminresouce, admindataset

MultiValuedAttributes

Enter a comma-separated list of multivalued attributes that you want to reconcile. Do not include a space after each comma.

Sample value: profiles,sources,groupIds,facilities

SingleValueAttributes

Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValuedAttributes field.

Sample value: uid,owner,defaultGroup,waddr1,tsoMaxSize

Note: By default, Oracle Identity Manager's design form only allows entering up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in Oracle Identity Manager database.

UID Case

Enter either upper or lower to specify the case for the UID attribute.

UsersList

Enter a comma-separated list of UIDs that you want to reconcile from the target system. If this property is left blank, all users on the target system will be reconciled.

Sample value: userQA01,georgeb,marthaj,RST0354

R2

Enter true if the version of Oracle Identity Manager in use is 11.1.2.x. Otherwise, enter false.

Sample value: true

Secondary IT resource

If you created a secondary IT resource for reconciliation or provisioning, then enter its name.
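As an added example (not part of the connector or of this guide), the following Python script parses and evaluates RFC 2254 filters of the kind entered in the filter attribute above, so that a filter can be checked against sample records before a reconciliation run. It also applies the note about the caching layer as a pre-flight check: a complex filter is refused unless caching is enabled, because the page states the connector would otherwise silently consider only the simple (uid=<userid>) filter. The user records are constructed; attribute names are matched case-insensitively and "*" is treated as the RFC 2254 substring wildcard.

```python
import re

# Constructed sample user records with the attributes the documented filters reference.
SAMPLE_USERS = [
    {"uid": "userQA01", "revoke": "n", "commandflag": "UPDATE", "deptacid": "FINDEPT", "attributes": "ASUSPEND"},
    {"uid": "georgeb", "revoke": "y", "commandflag": "ADD", "deptacid": "OMVSDEPT"},
    {"uid": "marthaj", "revoke": "n", "commandflag": "ADD", "deptacid": "HRDEPT"},
    {"uid": "RST0354", "revoke": "y", "commandflag": "UPDATE", "deptacid": "OMVSDEPT"},
]


class FilterError(ValueError):
    """Raised for a filter string that is not well-formed RFC 2254 syntax."""


def parse_filter(text):
    """Parse a filter into a tree: ('&'|'|'|'!', children) or ('=', attr, value)."""
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise FilterError(f"unexpected text after filter at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unterminated filter")
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or not children:
            raise FilterError(f"malformed '{op}' filter")
        return (op, children), i + 1
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise FilterError("malformed '!' filter")
        return ("!", [child]), i + 1
    end = s.find(")", i)
    if end < 0 or "=" not in s[i:end]:
        raise FilterError(f"malformed filter item at offset {i}")
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.strip().lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one record."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    actual = next((v for k, v in entry.items() if k.lower() == attr), None)
    if actual is None:
        return False  # an absent attribute never matches
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return re.fullmatch(pattern, str(actual), re.IGNORECASE) is not None


def is_complex(node):
    """A complex filter combines two or more attributes, i.e. has an &, | or ! node at the top."""
    return node[0] in ("&", "|", "!")


def select_users(users, filter_text, caching_enabled):
    """Return the uids the filter selects; refuse a complex filter when caching is disabled."""
    node = parse_filter(filter_text)
    if is_complex(node) and not caching_enabled:
        raise ValueError("complex filter requires the LDAP Gateway caching layer to be enabled")
    return [u["uid"] for u in users if matches(node, u)]


if __name__ == "__main__":
    print(select_users(SAMPLE_USERS, "(|(commandflag=UPDATE)(deptacid=OMVSDEPT))", True))
```

The same script serves the filter attribute of the Top Secret Reconcile LDAP Users to OIM task, whose sample (&(commandflag=UPDATE)(attributes=ASUSPEND)) selects only userQA01 from the constructed records.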

Top Secret Reconcile Deleted Users to OIM

The Top Secret Reconcile Deleted Users to OIM scheduled task is used to reconcile data about deleted users in the target resource (account management) mode of the connector.

When you configure this scheduled task, it runs at specified intervals and fetches a list of users on the target system. These user names are then compared with provisioned users in Oracle Identity Manager. Any user profiles that exist within Oracle Identity Manager, but not in the target system, are deleted from Oracle Identity Manager.

Table 5-4 describes the attributes of the scheduled task.

Table 5-4 Attributes of the Top Secret Reconcile Deleted Users to Oracle Identity Manager Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: TopSecretResource

Resource Object

Enter the name of the resource object against which the delete reconciliation runs must be performed.

Sample value: OIMTopSecretResourceObject

Recon Matching Rule Attributes

Enter a comma-separated list of attributes used in the matching rule. If the IT resource is used, enter "IT".

Sample value: UID,IT

UID Case

Enter either upper or lower to specify the case for the UID attribute.
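The comparison that the Top Secret Reconcile Deleted Users to OIM task performs, written out as an added example (not the connector's code): accounts held in Oracle Identity Manager are matched against the target listing on the attributes named in Recon Matching Rule Attributes, with user IDs normalized to the UID Case setting. The sample accounts, the IT resource keys 42 and 43, and the assumption that UID Case is applied to both sides before comparison are constructed for illustration. The uid_case=None call shows the failure mode a practitioner should watch for: if the target returns lowercase IDs and the OIM side holds uppercase ones, a comparison without case normalization flags every account as deleted.

```python
# Constructed sample data: accounts provisioned in OIM and the listing the target
# returned on this run. IT resource keys "42" and "43" are made-up values.
OIM_ACCOUNTS = [
    {"UID": "USERQA01", "IT": "42"},
    {"UID": "GEORGEB", "IT": "42"},
    {"UID": "MARTHAJ", "IT": "42"},
    {"UID": "USERQA01", "IT": "43"},  # same user ID provisioned on a second IT resource
]
TARGET_UIDS = {"42": ["userqa01", "marthaj"], "43": []}


def normalize_uid(uid, uid_case):
    """Apply the UID Case setting; None leaves the ID untouched (used to show the pitfall)."""
    if uid_case is None:
        return uid
    if uid_case.lower() == "upper":
        return uid.upper()
    if uid_case.lower() == "lower":
        return uid.lower()
    raise ValueError("UID Case must be 'upper' or 'lower'")


def deleted_accounts(oim_accounts, target_uids, matching_attrs="UID,IT", uid_case="upper"):
    """Return the OIM accounts with no counterpart on the target.

    matching_attrs follows the page's "UID,IT" sample: with IT in the rule an account is
    compared only against the listing of its own IT resource; without it, a user ID found
    on any IT resource counts as present.
    """
    attrs = [a.strip().upper() for a in matching_attrs.split(",") if a.strip()]
    if "UID" not in attrs:
        raise ValueError("the matching rule must include UID")
    use_it = "IT" in attrs
    present = set()
    for it_key, uids in target_uids.items():
        for uid in uids:
            present.add((normalize_uid(uid, uid_case), it_key if use_it else None))
    missing = []
    for account in oim_accounts:
        key = (normalize_uid(account["UID"], uid_case), account["IT"] if use_it else None)
        if key not in present:
            missing.append(account)
    return missing


if __name__ == "__main__":
    print("to revoke:", deleted_accounts(OIM_ACCOUNTS, TARGET_UIDS))
    print("without case normalization:", deleted_accounts(OIM_ACCOUNTS, TARGET_UIDS, uid_case=None))
```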

Top Secret Reconcile Users to Internal LDAP

The Top Secret Reconcile Users to Internal LDAP scheduled task is used to process the CFILE extract from the target system to the internal LDAP store. When you configure this scheduled task, it runs at specified intervals and fetches a list of users and their profiles on the target system. Each of these users is then reconciled to the internal LDAP store. No reconciliation to Oracle Identity Manager is performed.

Table 5-5 describes the attributes of the scheduled task.

Table 5-5 Attributes of the Top Secret Reconcile Users to Internal LDAP Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: TopSecretResource

Domain OU

Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored.

Sample value: tops

Top Secret Reconcile LDAP Users to OIM

Use the Top Secret Reconcile LDAP Users to OIM scheduled task to reconcile users from the internal LDAP store to Oracle Identity Manager. When you configure this scheduled task, it runs at specified intervals and fetches a list of users within the internal LDAP store and reconciles these users to Oracle Identity Manager.

When changes occur on the target system, the Voyager agent passes the change event to the LDAPv3 Virtual Directory, and each event is stored in the internal “meta” directory. This can be used to run normal LDAPv3 searches by filtering the lastModificationDate and commandFlag LDAP attributes. The commandFlag LDAP attribute is used internally by Topsecret Reconcile All LDAP Users task to perform delete reconciliation from the backend.

Table 5-6 describes the attributes of the scheduled task.

Table 5-6 Attributes of the Top Secret Reconcile LDAP Users to OIM Scheduled Task

Attribute Description

IT Resource

Enter the name of the IT resource that was configured for the target system.

Sample value: TopSecretResource

Resource Object

Enter the name of the resource object against which the delete reconciliation runs must be performed.

Sample value: OIMTopSecretResourceObject

Domain OU

Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored.

Sample value: tops

filter

Enter a filter criterion to search for and retrieve the user records that match it. You can use any target system attribute to create the filter criterion. The filter criterion that you enter must be a valid filter according to RFC 2254.

The filter can be either simple or complex. A simple filter uses only a single attribute whereas a complex filter is a combination of two or more attributes.

Sample value for a simple filter: (revoke=n)

Sample value for a complex filter: (&(commandflag=UPDATE)(attributes=ASUSPEND))

This complex filter searches for and retrieves all user records whose commandflag attribute value is UPDATE and attribute is ASUSPEND.

MultiValuedAttributes

Enter a comma-separated list of multivalued attributes that you want to reconcile. Do not include a space after each comma.

Sample value: profiles,sources,facilities,groupIds

MultiAttrsWithoutITRKey

Enter a comma-separated list of multivalued attributes that the connector must reconcile without the ITRKEY~ prefix. ITRKEY~ is the numeric code assigned to each IT resource in Oracle Identity Manager.

Sample value: adminresouce, admindataset

SingleValueAttributes

Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValuedAttributes field.

Sample value: uid,owner,defaultGroup,waddr1,tsoMaxSize

Note: By default, Oracle Identity Manager's design form only allows entering up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in the Oracle Identity Manager database.

LDAP Time Zone

Enter the full time zone database name. Do not use the abbreviated time zone value. To find the time zone database name, see the List of tz database time zones.

Sample value: America/New_York

UID Case

Enter upper or lower to specify whether the user ID must be displayed in uppercase or lowercase.

R2

If you are using Oracle Identity Manager release 11.1.2.x, then enter true. Otherwise, enter false.

Secondary IT resource

If you created a secondary IT resource for reconciliation or provisioning, then enter its name.

Guidelines for Configuring Filtered Reconciliation to Multiple Resource Objects

Some organizations use multiple resource objects to represent multiple user types in their system. The Resource Object property of the Top Secret Reconcile All Users scheduled task is used to specify the resource object used during reconciliation, and you can enter more than one resource object in the value of the Resource Object attribute. Further, you can include CA Top Secret attribute-value pairs to filter records for each resource object.

See Also:

Top Secret Reconcile All Users for information about the Top Secret Reconcile All Users scheduled task

The following is a sample format of the value for the Resource Object attribute:

(ATTRIBUTE1:VALUE1)RESOURCE_OBJECT1,RESOURCE_OBJECT2

As shown by RESOURCE_OBJECT2 in the sample format, specifying a filter attribute is optional, but if more than one resource object is specified, you must specify a filter for each additional resource object. If you do not specify a filter attribute, then all records are reconciled to the first resource object in the list. Further, the filters are checked in order, so the resource object without a filter attribute should be included last in the list.

Filter attributes should be surrounded by parentheses.

Apply the following guidelines while specifying a value for the Resource Object attribute:

  • The names of the resource objects must be the same as the names that you specified while creating the resource objects in the Oracle Identity Manager Design Console.

  • The CA Top Secret attribute names must be the same as the names used in the LDAP Gateway configuration files.

  • The value must be a regular expression as defined in the java.util.regex Java package. Note that the find() API call of the regex matcher is used rather than the matches() API call. This means that a substring matching rule can be specified in the pattern, rather than requiring the entire string matching rule.

    Further, substring matching is case-sensitive. A "(tso)" filter will not match a user with the user ID "TSOUSER1".

  • Multiple values can be matched. Use a vertical bar (|) for a separator as shown in the following example:

    (ATTRIBUTE:VALUE1|VALUE2|VALUE3)RESOURCE_OBJECT

  • Multiple filters can be applied to the attribute and to the same resource object. For example:

    (ATTRIBUTE1:VALUE1)&(ATTRIBUTE2:VALUE2)RESOURCE_OBJECT

The following is a sample value for the Resource Object attribute:

(tsoProc:X)TSSR01,(instdata:value1|value2|value3)TopSecretResourceObject2,(tso)TopSecretResourceObject24000,Resource

In this sample value:

  • (tsoProc:X)TSSRO1 represents a user with X as the attribute value for the TSO Proc segment. Records that meet this criterion are reconciled with the TSSRO1 resource object.

  • (instdata:value1|value2|value3)TopSecretResourceObject2 represents a user with value1, value2, or value3 as their INSTDATA attribute value. Records that meet this criterion are reconciled with the TopSecretResourceObject2 resource object.

  • (tso)TopSecretResourceObject24000 represents a user with TSO privileges. A TSO attribute value is not specified. Records that meet this criterion are reconciled with the TopSecretResourceObject24000 resource object.

  • All other records are reconciled with the Resource resource object, which is listed last and has no filter.
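The following is an added example, not the connector's own routing code, that parses a Resource Object value in the format described above and routes sample records to resource objects by the stated rules: filters are checked in order, each "(attr:value)" value is a regular expression applied with substring semantics (Python's re.search plays the role of Java's Matcher.find()) and is case-sensitive, "(attr)" without a value requires only that the attribute be present, and "&" joins several filters for one resource object. The check_rule_order function flags the mistake the guideline warns about, an unfiltered entry that is not last. The records are constructed; the parser assumes filter values contain no ")" or "," characters.

```python
import re

# The page's own sample value for the Resource Object attribute.
SAMPLE_RESOURCE_OBJECT_VALUE = (
    "(tsoProc:X)TSSR01,(instdata:value1|value2|value3)TopSecretResourceObject2,"
    "(tso)TopSecretResourceObject24000,Resource"
)

# One entry: zero or more "(attr:regex)" filters, optionally joined by '&', then a resource object name.
_ENTRY = re.compile(r"((?:\([^)]*\)&?)*)([^,()]+)")
_FILTER = re.compile(r"\(([^:)]+)(?::([^)]*))?\)")


def parse_resource_objects(value):
    """Return a list of (filters, resource_object); filters is a list of (attr, pattern).
    An empty pattern means the "(attr)" presence-only form."""
    rules = []
    for m in _ENTRY.finditer(value):
        filters = [(attr.strip(), pattern) for attr, pattern in _FILTER.findall(m.group(1))]
        rules.append((filters, m.group(2).strip()))
    return rules


def _filter_matches(record, attr, pattern):
    actual = record.get(attr)
    if actual is None:
        return False  # attribute absent on the record: the filter cannot match
    if pattern == "":
        return True  # "(tso)" form: presence of the attribute is enough
    # Substring, case-sensitive match, mirroring java.util.regex Matcher.find().
    return re.search(pattern, str(actual)) is not None


def route(record, rules):
    """Return the first resource object whose filters all match the record, or None."""
    for filters, resource_object in rules:
        if all(_filter_matches(record, a, p) for a, p in filters):
            return resource_object
    return None


def check_rule_order(rules):
    """An entry without a filter matches every record, so it must be the last entry."""
    problems = []
    for index, (filters, resource_object) in enumerate(rules):
        if not filters and index != len(rules) - 1:
            problems.append(f"{resource_object} has no filter but is not last; later entries never match")
    return problems


if __name__ == "__main__":
    # Constructed sample records; attribute names follow the page's sample filters.
    rules = parse_resource_objects(SAMPLE_RESOURCE_OBJECT_VALUE)
    for record in [
        {"uid": "USERA", "tsoProc": "X"},
        {"uid": "USERB", "instdata": "value2"},
        {"uid": "USERC", "instdata": "VALUE2"},  # case mismatch: falls through to Resource
        {"uid": "USERD", "tso": "Y"},
    ]:
        print(record["uid"], "->", route(record, rules))
    print(check_rule_order(parse_resource_objects("Resource,(tso)TopSecretResourceObject24000")))
```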

Configuring Account Status Reconciliation

When a user is disabled or enabled on the target system, the status of the user can be reconciled into Oracle Identity Manager.

Note:

This section describes an optional procedure. Perform this procedure only if you want reconciliation of user status changes on CA Top Secret.

To configure reconciliation of user status changes made on CA Top Secret:

  1. In the LDAP_INSTALL_DIR/VOYAGER_ID.properties file, add the Status attribute to the reconAttrs property.
  2. If using scheduled task reconciliation, in the Top Secret Reconcile All Users scheduled task, add the Status attribute to the SingleValueAttributes property list.
  3. In the Design Console:
    • In the OIMTopSecretResourceObject resource object, create a reconciliation field to represent the Status attribute.

    • In the OIMTopsProvisioningProcess process definition, map the field for the Status field to the OIM_OBJECT_STATUS field.

Scheduled Tasks for CA Top Secret Connector

Table 5-7 lists the scheduled tasks that you must configure.

Table 5-7 Scheduled Tasks for Lookup Field Synchronization and Reconciliation for CA Top Secret

Scheduled Task Description

Top Secret Find All Groups

This scheduled task is used to synchronize the values of group lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization.

Top Secret Find All Facilities

This scheduled task is used to synchronize the values of facilities lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization.

Top Secret Find All Datasets

This scheduled task is used to synchronize the values of dataset lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization.

Top Secret Find All Profiles

This scheduled task is used to synchronize the values of profiles lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization.

Top Secret Find All Sources

This scheduled task is used to synchronize the values of source lookup fields in Oracle Identity Manager. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization.

Top Secret Reconcile All Users

This scheduled task is used to fetch user data during target resource reconciliation. For information about this scheduled task and its attributes, see Top Secret Reconcile All Users.

Top Secret Reconcile Deleted Users to OIM

This scheduled task is used to fetch data about deleted users during target resource reconciliation. During a reconciliation run, for each deleted user account on the target system, the Top Secret User resource is revoked for the corresponding OIM User. For information about this scheduled task and its attributes, see Top Secret Reconcile Deleted Users to OIM.

Top Secret Reconcile Users to Internal LDAP

This scheduled task is used to reconcile users from the target system to the internal LDAP store. For information about this scheduled task and its attributes, see Top Secret Reconcile Users to Internal LDAP.

Top Secret Reconcile All LDAP Users

This scheduled task is used to reconcile users from the internal LDAP store to Oracle Identity Manager. For information about this scheduled task and its attributes, see Top Secret Reconcile LDAP Users to OIM.

Configuring Reconciliation Jobs

Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.

You can apply this procedure to configure the reconciliation jobs for users and entitlements.

To configure a reconciliation job:
  1. Log in to Identity System Administration.
  2. In the left pane, under System Management, click Scheduler.
  3. Search for and open the scheduled job as follows:
    1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
    2. In the search results table on the left pane, click the scheduled job in the Job Name column.
  4. On the Job Details tab, you can modify the parameters of the scheduled task:
    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type. See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Governance.

    In addition to modifying the job details, you can enable or disable a job.

  5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

  6. Click Apply to save the changes.

    Note:

    You can use the Scheduler Status page in Identity System Administration to either start, stop, or reinitialize the scheduler.

Performing Provisioning Operations

You create a new user in Identity Self Service by using the Create User page. You provision or request accounts on the Accounts tab of the User Details page.

To perform provisioning operations in Oracle Identity Governance:

  1. Log in to Identity Self Service.
  2. Create a user as follows:
    1. In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
    2. From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
    3. Enter details of the user in the Create User page.
  3. On the Account tab, click Request Accounts.
  4. In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
  5. Specify values for the fields in the application form, and then click Ready to Submit.
  6. Click Submit.

See Also:

Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page