You can use the CA Top Secret connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.
The procedure to use the CA Top Secret Connector can be divided into the following topics:
These are the guidelines to apply while using the connector.
The subpool and the LDAP Gateway must be started before starting the Reconciliation Agent. If the LDAP Gateway is not available when the Reconciliation Agent is started, then an error is generated with RETCODE=-01 and ERRORNO=61.
The Top Secret connector LDAP gateway encrypts ASCII data transmitting the encrypted message to the mainframe. The mainframe decrypts this message, as the in bound message is in ASCII format, it is translated to EBCDIC for mainframe processing. As a result, any task that requires non-ASCII data transfer fails. In addition, there is no provision in the connector to indicate that the task has failed or that an error has occurred on the mainframe. To avoid errors of this type, you must exercise caution when providing inputs to the connector for the target system, especially when using a regional language interface. (See bug 18268599 for related information)
Passwords used on the mainframe must conform to stringent rules related to passwords on mainframes. These passwords are also subject to restrictions imposed by corporate policies and rules about mainframe passwords. Keep in mind these requirements when you create or modify target system accounts through provisioning operations on Oracle Identity Manager.
The scheduled tasks for lookup field synchronization populate lookup tables with facility, dataset, group, or profiles IDs that can be assigned during the user provisioning process.
The following are the scheduled tasks for lookup field synchronization:
Top Secret Find All Facilities
Top Secret Find All Datasets
Top Secret Find All Profiles
Top Secret Find All Groups
When you configure these scheduled tasks, they run at specified intervals and fetch a listing of all facility, dataset, group, or profiles IDs on the target system for reconciliation. Table 5-1 describes the attributes of the scheduled task.
Table 5-1 Attributes of the Find All Facilities, Find All Datasets, Find All Profiles and Find All Groups Scheduled Tasks
Attribute | Description |
---|---|
IT Resource |
Enter the name of the IT resource that was configured for the target system. Sample value: |
Resource Object |
Enter the name of the resource object against which provisioning runs must be performed. Sample value: |
Lookup Code Name |
Enter the name of the lookup code where OIM will store the results of the scheduled task. Sample value: Note: The value supplied for the Lookup Code Name should match the value set in the properties of the Lookup Field in the corresponding Top Secret child table form. |
Recon Type |
Enter Append or Replace. This attribute determines whether the values from the target system will be appended to the current lookup, or replace the existing values in the lookup. If set to Replace, the existing lookup will be deleted. Sample value: |
SearchBaseDN |
This parameter is available only in the Top Secret Find All Groups and Top Secret Find All Profiles scheduled tasks. Enter the container in which the search for groups and profile IDs must be performed during reconciliation and loaded into Oracle Identity Manager. Sample value: The preceding sample value implies that the connector loads groups from the LDAP system backend (dc=system, dc=backend) into Oracle Identity Manager. Note: If you do not enter a value for this attribute, then the connector loads groups into Oracle Identity Manager directly from the target system (by using the Pioneer route). |
AttrsToReturn |
Enter a comma-separated list of object attributes that the connector must retrieve from LDAP. For example, enter a comma-separated list of group attributes that the connector must fetch from LDAP and load into Oracle Identity Manager. Note: The connector ignores this attribute if the SearchBaseDN attribute is empty. Also since groups are loaded into Oracle Identity Manager as a lookup, only two attributes are required. You must specify one for lookup value and one for lookup description. Sample value: |
DescTemplate |
By default, when lookup reconciliation is performed, the lookup description is same as the lookup value in the lookup window. Therefore, if required, use the DescTemplate attribute to specify the attribute whose value must be used as the lookup description and displayed in the lookup window. For example, consider that for one of the groups that is being fetched, the values of the If the lookup description has to be a combination of multiple attributes values, then enter multiple attribute names separated by a space character. For example, enter {{cn}} {{displayname}}. Note: This attribute value will be ignored if the value of the SearchBaseDN attribute is empty. |
R2 |
Enter whether the version of Oracle Identity Manager in use is 11.1.2.x. Sample value: |
The Lookup.SourceNames lookup definition is created in Oracle Identity Manager when you deploy the connector and is used to add and remove a user's access to a source on the mainframe.
This connector includes a scheduled task to automatically populate the lookup field used for storing Top Secret source IDs.
Note:
The Find All Sources scheduled task does not query the target system for data. Instead, the scheduled task automatically populates the lookup field with "itResourceKey~sourceName" pairs based on the IT Resource and Find All Sources scheduled task property values.
Scheduled Tasks for Lookup Field Synchronization describes the properties of the Find All Sources scheduled task.
Table 5-2 Attributes of the Find All Sources Scheduled Task for CA Top Secret
Attribute | Description |
---|---|
IT Resource |
Enter the name of the IT resource that was configured for the target system. Sample value: |
Resource Object |
Enter the name of the resource object against which provisioning runs must be performed. Sample value: |
Sources List |
Enter a comma-separated list of Top Secret sources. Sample value: |
Lookup Code Name |
Enter the name of the lookup code where Oracle Identity Manager will store the source entries. Sample value: |
Recon Type |
Enter Append or Replace. This attribute determines whether "IT resource key~sourceName" pairs will be appended to the current lookup, or replace the existing values in the lookup. If set to Replace, the existing lookup will be deleted. Sample value: |
R2 |
Enter whether the version of Oracle Identity Manager in use is 11.1.2.x. Sample value: |
The CA Top Secret Advanced connector supports both incremental reconciliation (sometimes referred to as real-time reconciliation) and full reconciliation. This section discusses the following topics related to configuring reconciliation:
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager.
After you deploy the connector, you must first perform full reconciliation. When you run the Connector Installer, a scheduled job for user reconciliation (Top Secret Reconcile All Users) is automatically created in Oracle Identity Manager.
To perform full reconciliation, you must run the Top Secret Reconcile All Users scheduled job. See Top Secret Reconcile All Users for information about the scheduled job attributes.
When you run the Connector Installer, these reconciliation scheduled tasks are automatically created in Oracle Identity Manager.
Use the Top Secret Reconcile All Users scheduled task to reconcile user data in the target resource (account management) mode of the connector. This scheduled task runs at specified intervals and fetches create or modify events on the target system for reconciliation.
Table 5-3 describes the attributes of the scheduled task.
Table 5-3 Attributes of the Top Secret Reconcile All Users Scheduled Task
Attribute | Description |
---|---|
IT Resource |
Enter the name of the IT resource that was configured for the target system. Sample value: |
filter |
Enter a filter criteria to search for and retrieve user records that match the given filter criteria. You can use any target system attribute to create the filter criterion. The filter criterion that you enter must be a valid filter according to RFC2254. The filter can be either simple or complex. A simple filter uses only a single attribute whereas a complex filter is a combination of two or more attributes. Sample value for a simple filter: Sample value for a complex filter: This complex filter searches for and retrieves all user records whose commandflag attribute value is Note: If you specify a complex filter, then ensure that you have enabled the caching layer of the LDAP Gateway as described in Understanding the Caching Layer. If the caching layer is disabled, then the connector considers only the simple filter |
Resource Object |
Enter the name of the resource object against which reconciliation runs must be performed. Sample value: |
MultiAttrsWithoutITRKey | Enter a comma-separated list of multivalued attributes that connector must reconcile without the ITRKEY~ prefix.ITRKEY~ is the numeric code assigned to each IT resource in Oracle Identity Manager.
Sample value: |
MultiValuedAttributes |
Enter a comma-separated list of multivalued attributes that you want to reconcile. Do not include a space after each comma. Sample value: |
SingleValueAttributes |
Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValueAttributes field. Sample value: Note: By default, Oracle Identity Manager's design form only allows entering up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in Oracle Identity Manager database. |
UID Case |
Enter either upper or lower to specify the case for the UID attribute. |
UsersList |
Enter a comma-separated list of UIDs that you want to reconcile from the target system. If this property is left blank, all users on the target system will be reconciled. Sample value: |
R2 |
Enter whether the version of Oracle Identity Manager in use is 11.1.2.x. Sample value: |
Secondary IT resource |
If you created a secondary IT resource for reconciliation or provisioning, then enter its name. |
The Top Secret Reconcile Deleted Users to OIM scheduled task is used to reconcile data about deleted users in the target resource (account management) mode of the connector.
When you configure this scheduled task, it runs at specified intervals and fetches a list of users on the target system. These user names are then compared with provisioned users in Oracle Identity Manager. Any user profiles that exist within Oracle Identity Manager, but not in the target system, are deleted from Oracle Identity Manager.
Table 5-4 describes the attributes of the scheduled task.
Table 5-4 Attributes of the Top Secret Reconcile Deleted Users to Oracle Identity Manager Scheduled Task
Attribute | Description |
---|---|
IT Resource |
Enter the name of the IT resource that was configured for the target system. Sample value: |
Resource Object |
Enter the name of the resource object against which the delete reconciliation runs must be performed. Sample value: |
Recon Matching Rule Attributes |
Enter a comma-separated list of attributes used in the matching rule. If the IT resource is used, enter "IT". Sample value: |
UID Case |
Enter either upper or lower to specify the case for the UID attribute. |
The Top Secret Reconcile Users to Internal LDAP scheduled task is used to process the CFILE extract from the target system to the internal LDAP store. When you configure this scheduled task, it runs at specified intervals and fetches a list of users and their profiles on the target system. Each of these users is then reconciled to the internal LDAP store. No reconciliation to Oracle Identity Manager is performed.
Table 5-5 describes the attributes of the scheduled task.
Table 5-5 Attributes of the Top Secret Reconcile Users to Internal LDAP Scheduled Task
Attribute | Description |
---|---|
IT Resource |
Enter the name of the IT resource that was configured for the target system. Sample value: |
Domain OU |
Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored.Sample value: |
Use the Top Secret Reconcile LDAP Users to OIM scheduled task to reconcile users from the internal LDAP store to Oracle Identity Manager. When you configure this scheduled task, it runs at specified intervals and fetches a list of users within the internal LDAP store and reconciles these users to Oracle Identity Manager.
When changes occur on the target system, the Voyager agent passes the change event to the LDAPv3 Virtual Directory, and each event is stored in the internal “meta” directory. This can be used to run normal LDAPv3 searches by filtering the lastModificationDate and commandFlag LDAP attributes. The commandFlag LDAP attribute is used internally by Topsecret Reconcile All LDAP Users task to perform delete reconciliation from the backend.
Table 5-6 describes the attributes of the scheduled task.
Table 5-6 Attributes of the Top Secret Reconcile LDAP Users to OIM Scheduled Task
Attribute | Description |
---|---|
IT Resource |
Enter the name of the IT resource that was configured for the target system. Sample value: |
Resource Object |
Enter the name of the resource object against which the delete reconciliation runs must be performed. Sample value: |
Domain OU |
Enter the name of the internally-configured directory in the LDAP internal store where the contents of event changes will be stored.Sample value: |
filter |
Enter a filter criteria to search for and retrieve user records that match the given filter criteria. You can use any target system attribute to create the filter criterion. The filter criterion that you enter must be a valid filter according to RFC2254. The filter can be either simple or complex. A simple filter uses only a single attribute whereas a complex filter is a combination of two or more attributes. Sample value for a simple filter: Sample value for a complex filter: This complex filter searches for and retrieves all user records whose commandflag attribute value is |
MultiValuedAttributes |
Enter a comma-separated list of multivalued attributes that you want to reconcile. Do not include a space after each comma. Sample value: |
MultiAttrsWithoutITRKey | Enter a comma-separated list of multivalued attributes that connector must reconcile without the ITRKEY~ prefix.ITRKEY~ is the numeric code assigned to each IT resource in Oracle Identity Manager.
Sample value: |
SingleValueAttributes |
Enter a comma-separated list of single-valued attributes that you want to reconcile. Do not include a space after each comma. Do not include attributes already listed in the MultiValueAttributes field. Sample value: Note: By default, Oracle Identity Manager's design form only allows entering up to 150 characters in a text field. To increase this limit, change the value of the TSA_VALUE column in the Oracle Identity Manager database. |
LDAP Time Zone |
Enter the full timezone database name value. Do not use the abbreviated timezone value. To find out the timezone database value refer to List of tz database time zones. Sample value: |
UID Case |
Enter upper or lower to specify whether the user ID must be displayed in uppercase or lowercase. |
R2 |
If you are using Oracle Identity Manager release 11.1.2.x, then enter true. Otherwise, enter false. |
Secondary IT resouce |
If you created a secondary IT resource for reconciliation or provisioning, then enter its name. |
Some organizations use multiple resource objects to represent multiple user types in their system. The Resource Object property of the Top Secret Reconcile All Users scheduled task is used to specify the resource object used during reconciliation, and you can enter more than one resource object in the value of the Resource Object attribute. Further, you can include CA Top Secret attribute-value pairs to filter records for each resource object.
See Also:
Top Secret Reconcile All Users for information about the Top Secret Reconcile All Users scheduled task
The following is a sample format of the value for the Resource Object attribute:
(ATTRIBUTE1:VALUE1)RESOURCE_OBJECT1,RESOURCE_OBJECT2
As shown by RESOURCE_OBJECT2 in the sample format, specifying a filter attribute is optional, but if more than one resource object is specified, you must specify a filter for each additional resource object. If you do not specify a filter attribute, then all records are reconciled to the first resource object in the list. Further, the filters are checked in order, so the resource object without a filter attribute should be included last in the list.
Filter attributes should be surrounded by parentheses.
Apply the following guidelines while specifying a value for the Resource Object attribute:
The names of the resource objects must be the same as the names that you specified while creating the resource objects in the Oracle Identity Manager Design Console.
The CA Top Secret attribute names must be the same as the names used in the LDAP Gateway configuration files.
The value must be a regular expression as defined in the java.util.regex Java package. Note that the find() API call of the regex matcher is used rather than the matches() API call. This means that a substring matching rule can be specified in the pattern, rather than requiring the entire string matching rule.
Further, substring matching is case-sensitive. A "(tso)" filter will not match a user with the user ID "TSOUSER1".
Multiple values can be matched. Use a vertical bar (|) for a separator as shown in the following example:
(ATTRIBUTE:VALUE1|VALUE2|VALUE3)RESOURCE_OBJECT
Multiple filters can be applied to the attribute and to the same resource object. For example:
(ATTRIBUTE1:VALUE1)&(ATTRIBUTE2:VALUE2)RESOURCE_OBJECT
The following is a sample value for the Resource Object attribute:
(tsoProc:X)TSSR01,(instdata:value1|value2|value3)TopSecretResourceObject2,(tso)TopSecretResourceObject24000,Resource
In this sample value:
(tsoProc:X)TSSRO1 represents a user with X as the attribute value for the TSO Proc segment. Records that meet this criterion are reconciled with the TSSRO1 resource object.
(instdata:value1|value2|value3)TopSecretResourceObject2 represents a user with value1, value2, or value3 as their INSTDATA attribute value. Records that meet this criterion are reconciled with the TopSecretResourceObject2 resource object.
(tso)TopSecretResourceObject24000 represents a user with TSO privileges. A TSO attribute value is not specified. Records that meet this criterion are reconciled with the TopSecretResourceObject24000 resource object.
All other records are reconciled with the resource object.
When a user is disabled or enabled on the target system, the status of the user can be reconciled into Oracle Identity Manager.
Note:
This section describes an optional procedure. Perform this procedure only if you want reconciliation of user status changes on CA Top Secret.
To configure reconciliation of user status changes made on CA Top Secret:
Table Table 5-7 lists the scheduled tasks that you must configure.
Table 5-7 Scheduled Tasks for Lookup Field Synchronization and Reconciliation for CA Top Secret
Scheduled Task | Description |
---|---|
Top Secret Find All Groups |
This scheduled task is used to synchronize the values of group lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization. |
TopSecret Find All Facilities |
This scheduled task is used to synchronize the values of facilities lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization. |
Top Secret Find All Datasets |
This scheduled task is used to synchronize the values of dataset lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization. |
Top Secret Find All Profiles |
This scheduled task is used to synchronize the values of profiles lookup fields between Oracle Identity Manager and the target system. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization. |
Top Secret Find All Sources |
This scheduled task is used to synchronize the values of source lookup fields in Oracle Identity Manager. For information about this scheduled task and its attributes, see Scheduled Tasks for Lookup Field Synchronization. |
Top Secret Reconcile All Users |
This scheduled task is used to fetch user data during target resource reconciliation. For information about this scheduled task and its attributes, see Top Secret Reconcile All Users. |
Top Secret Reconcile Deleted Users to OIM |
This scheduled task is used to fetch data about deleted users during target resource reconciliation. During a reconciliation run, for each deleted user account on the target system, the Top Secret User resource is revoked for the corresponding OIM User. For information about this scheduled task and its attributes, see Top Secret Reconcile Deleted Users to OIM. |
Top Secret Reconcile Users to Internal LDAP |
This scheduled task is used to reconcile users from the target system to the internal LDAP store. For information about this scheduled task and its attributes, see Top Secret Reconcile Users to Internal LDAP. |
Top Secret Reconcile All LDAP Users |
This scheduled task is used to reconcile users from the internal LDAP store to Oracle Identity Manager. For information about this scheduled task and its attributes, see Top Secret Reconcile LDAP Users to OIM. |
Configure reconciliation jobs to perform reconciliation runs that check for new information on your target system periodically and replicates the data in Oracle Identity Governance.
You can apply this procedure to configure the reconciliation jobs for users and entitlements.
You create a new user in Identity Self Service by using the Create User page. You provision or request for accounts on the Accounts tab of the User Details page.
To perform provisioning operations in Oracle Identity Governance:
See Also:
Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page