Oracle® Identity Manager Connector Guide for CA ACF2 Advanced Release 9.0.4 Part Number E10423-03
The Oracle Identity Manager CA ACF2 Advanced connector provides a native interface between Oracle Identity Manager and CA ACF2 installed on a z/OS mainframe. The connector functions as a trusted virtual administrator on the target system, performing tasks, such as creating login IDs and changing passwords. In addition, it automates some of the functions that administrators usually perform manually.
The connector enables provisioning and reconciliation with CA ACF2. This guide discusses the connector that enables you to use CA ACF2 either as a managed (target) resource or as an authoritative (trusted) source of user information for Oracle Identity Manager.
This chapter discusses the following topics:
Table 1-1 lists the certified deployment configurations.
Table 1-1 Certified Deployment Configurations

Item | Requirement
---|---
Oracle Identity Manager | release 8.5.3.1 or later
Target system | CA ACF2 r6.2, r8.0 SP4 or later, r9.0 SP1 or later, r12
Message transport layer | TCP/IP with Advanced Encryption Standard (AES) encryption
Target system user account for Oracle Identity Manager | IBM Authorized Program Facility (APF)-authorized account with SystemAdministrators privileges
Note:
The LDAP Gateway uses the target system user account that you create for Oracle Identity Manager. Therefore, it has the privileges required to access and operate with the Reconciliation Agent and Provisioning Agent. See "Connector Architecture" for information about the Reconciliation Agent and Provisioning Agent.
Between the Oracle Identity Manager and mainframe environments, Oracle Identity Manager supports the TCP/IP message transport layer.
For the TCP/IP message transport layer, ports 5190 and 5790 are the default ports for the Reconciliation Agent and Provisioning Agent respectively. You can change the ports for these agents.
The procedure to configure this message transport layer is described later in this guide.
Granting the IBM Authorized Program Facility (APF) Authorized status to a program is similar to granting superuser status. This process will allow a program to run without allowing system administrators to query or interfere with its operation. The program that runs on the mainframe system and the user account it runs under must both have APF authorization. For example, the Provisioning Agent user account must also have APF authorization.
Note:
APF authorization is usually done by a mainframe administrator. If you do not have the required authority to perform such tasks, you should arrange to enlist the assistance of someone who is qualified to perform these tasks.
The connector supports the following languages:
Arabic
Chinese (Simplified)
Chinese (Traditional)
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
This section discusses the following topics:
The CA ACF2 Advanced connector consists of the following components:
LDAP Gateway: The LDAP Gateway is built on Java 1.4 and allows portability across various platforms and operating systems. The LDAP Gateway receives LDAP protocol commands from distributed applications and translates them to native mainframe commands. After the commands are run, LDAP-formatted responses are returned to the requesting application. It is recommended that you install the LDAP Gateway on the same computer as Oracle Identity Manager.
Pioneer Provisioning Agent: The CA ACF2 Advanced connector provides the provisioning functionality through the Pioneer Provisioning Agent, which is a mainframe component. The Provisioning Agent receives native mainframe identity and authorization change events from the LDAP Gateway. These events are processed against the mainframe authentication repository, in which all provisioning updates from the LDAP Gateway are stored. The response is parsed and returned to the LDAP Gateway.
Voyager Reconciliation Agent: The CA ACF2 Advanced connector provides the reconciliation functionality through the Voyager Reconciliation Agent, which is a mainframe component. The Reconciliation Agent captures native mainframe events by using exit technology. Exits are programs that are run after a system event in the mainframe is processed. The Reconciliation Agent captures, in real time, events originating from TSO logins, the command prompt, batch jobs, and other native mainframe events. The Reconciliation Agent transforms these events into notification messages for Oracle Identity Manager through the LDAP Gateway.
Message Transport Layer: The message transport layer enables the exchange of messages between the LDAP Gateway and the Reconciliation Agent and Provisioning Agent. You can use the following messaging protocol for the message transport layer:
TCP/IP with AES encryption: This uses 128-bit cryptographic keys. The CA ACF2 Advanced connector supports a message transport layer by using the TCP/IP protocol, which is functionally similar to proprietary message transport layer protocols.
The architecture of the connector can be explained in terms of the connector operations it supports:
Figure 1-1 shows the flow of data during reconciliation.
Reconciliation involves the following steps:
Mainframe identity and authorization events take place in the mainframe target system. The mainframe events are processed through appropriate exits.
Note:
Identity and authorization events in the mainframe system consist of TSO logon, running of a command, real-time password synchronization, creation or deletion of a user, or a change in the user attributes.
The mainframe events are stored in the subpool 231 cache of the Voyager Reconciliation Agent. Subpool 231 is an area of z/OS storage that the Reconciliation Agent uses to temporarily store CA ACF2 events. The subpool 231 cache enables the Reconciliation Agent to handle a large number of events from the mainframe.
The Reconciliation Agent reads these events and transforms them into notification messages for the LDAP Gateway. The Reconciliation Agent opens a new socket to the LDAP Gateway and sends the notification messages. The messages are sent to the LDAP Gateway through the message transport layer. These messages contain the minimum amount of data required to reconcile the event, such as message type, user ID, and password (for a password change event).
Note:
When the mainframe system is shut down, event records are stored offline. These offline events are reloaded in the Reconciliation Agent when the mainframe is started up.
The LDAP Gateway receives the messages from the Reconciliation Agent and decrypts them for the connector.
The connector sends a request to the Provisioning Agent to retrieve all the current user data that is generated as a result of the mainframe identity and authorization events.
If an event fetched from the target system matches the notification data, then the connector returns an error and the process stops. If the event does not match, then the connector sends the event to Oracle Identity Manager for reconciliation processing and updates the internal meta-store of event records. This process is repeated for all the events that are fetched from the target system.
Figure 1-2 shows the flow of data during provisioning.
Provisioning involves the following steps:
A user is created, updated, or deleted in Oracle Identity Manager.
The Oracle Identity Manager process task adapter for CA ACF2 forwards the change request to the LDAP Gateway.
The LDAP Gateway translates the change request into mainframe commands. The CA ACF2 Advanced connector encrypts the data and sends it to the Provisioning Agent through the message transport layer.
The connector also updates the internal meta-store of the LDAP Gateway with the changes in user data.
On the target system, the Provisioning Agent decrypts the data, sends the data to the mainframe repository, and returns success or error messages back to the LDAP Gateway.
The Pioneer Provisioning Agent supports the following functions:
Standard CA ACF2 user profile commands:
[INSERT]: Creates a CA ACF2 user profile
[CHANGE]: Modifies a CA ACF2 user profile
[DELETE]: Deletes a CA ACF2 user profile
Standard CA ACF2 group profile commands:
[CHANGE]: Adds a CA ACF2 user to a group. This command works based on the variables that set access rights. To add a CA ACF2 user to a group, the variables are R(A), W(A), EXEC(A), and ALLOC(A).
[CHANGE]: Removes a CA ACF2 user from a group. To remove a CA ACF2 user from a group, the variables are R(P), W(P), EXEC(P), and ALLOC(P).
Standard CA ACF2 data set and resource profile commands:
[SET RULE]: Provides data set or resource profile access to a user
Table 1-2 describes the functions supported by the Provisioning Agent:
Table 1-2 Functionality Supported for Provisioning

Function | Description
---|---
Create Users | Adds new users in CA ACF2.
Modify Users | Modifies user information in CA ACF2.
Change Passwords | Changes user passwords on CA ACF2 in response to password changes made on Oracle Identity Manager through user self-service.
Reset Passwords | Resets user passwords on CA ACF2. The passwords are reset by the administrator.
Disable User Accounts | Disables users in CA ACF2.
Enable User Accounts | Enables users in CA ACF2.
Delete Users | Removes users from CA ACF2.
Grant Users Access To Data Sets | Sets an ACF2 rule by adding the user to an ACF2 resource.
Grant Users Access To Privileges (TSO) | Provides TSO login access to users.
The Voyager Reconciliation Agent supports reconciliation of changes that are made to user profiles by using commands such as ADDUSER or ALTUSER. These commands also contain users' passwords for reconciliation, if any.
The Reconciliation Agent supports the following functions:
Change passwords
Password resets
Create user data
Modify user data
Disable users
Delete users
Enable users
This section discusses the following topics:
Table 1-3 lists the user field mappings that are reconciled between Oracle Identity Manager and the target system:
Table 1-3 Field Mapping Between Oracle Identity Manager and CA ACF2

Oracle Identity Manager Field | CA ACF2 Field | Description
---|---|---
uid | USER | User's login ID.
cn | NAME | User full name.
sn | NAME | User last name.
givenName | NAME | User first name.
userPassword | PASSWORD | Password used to log in.
privileges | SECURITY (including custom privileges) | Privileges for the user, including custom privileges.
activeDate | ACTIVE | Privilege to allow or deny access based on a date.
group | GROUP (Restriction Group) | Default restriction group for the user.
passwordExpire | PSWD-EXP\|NOPSWD-EXP | Indicates that a user's password has been manually expired. This field lets a security administrator force this user to change password.
cicsid | CICSID | CICS operator ID.
accessCnt | ACC-CNT | Count of times a user accessed the system.
accessDate | ACC-DATE | Date when the user accessed the system for the last time.
accessSrce | ACC-SRCE | The system component accessed by the user.
accessTime | ACC-TIME | Time when the user accessed the system for the last time.
prefix | PREFIX | The zero- to eight-character key of the rule used to validate access to a data set.
kerbVio | KERB-VIO | The number of Kerberos key violations.
kerbCurv | KERBCURV | The Kerberos key version.
pwsdDate | PSWD-DAT | The date of the last invalid password attempt. The date is displayed in the mm/dd/yy, dd/mm/yy, or yy/mm/dd format depending on the DATE field of the GSO OPTS record. Year designations of 70-99 assume a date in the 20th century (1970-1999). Year designations of 00-69 assume a date in the 21st century (2000-2069). Note: Refer to the target system documentation for information about GSO.
pwsdInv | PWSD-INV | The number of password violations that occurred since the last successful logon. This field can be reset to zero by a security administrator.
pwsdTod | PWSD-TOD | The date and time when a user changed password. CA ACF2 lists the date in the mm/dd/yy, dd/mm/yy, or yy/mm/dd format depending on the DATE field of the GSO OPTS record. You cannot set this field; CA ACF2 maintains and displays it. Year designations of 70-99 assume a date in the 20th century (1970-1999). Year designations of 00-69 assume a date in the 21st century (2000-2069).
pwsdVio | PWSD-VIO | The number of password violations that occurred on PSWD-DAT.
minDays | MINDAYS | The minimum number of days that must elapse before a user can change password. Zero indicates no limit.
maxDays | MAXDAYS | The maximum number of days (counted from the date in the PSWD-TOD field) that the user is permitted to change password before the password expires. Zero indicates no limit.
tsocommand | TSOCMDS | Command to be run during TSO/E logon.
tsodest | DFT-DEST | Default SYSOUT destination.
tsoDefaultPrefix | DFT-PFX | The one- to eight-character default TSO prefix that is set in the user's profile at logon time.
tsounit | TSOUNIT | Default UNIT name for allocations.
tsoRba | TSORBA | The Mail Index Record Pointer (MIRP) for the user.
tsoacctnum | TSOACCT | Default TSO account number on the TSO/E logon panel.
tsoholdclass | DFT-SUBH | Default hold class.
tsoSubmitClass | DFT-SUBC | Default submit class.
tsomaxsize | TSOSIZE | The maximum region size the user can request at logon.
tsomsgclass | DFT-SUBM | Default message class.
tsoproc | TSOPROC | Default login procedure on the TSO/E logon panel.
tsosize | TSORGN | Minimum region size if not requested at logon.
tsosysoutclass | DFT-SOUT | Default SYSOUT class.
revoke | NA | Value is
tsoPerf | TSOPERF | The user's default TSO performance group.
tsoMail | | Indicates that a user can receive mail messages from TSO at logon time.
tsoAcctPriv | ACCTPRIV | Indicates that the user has TSO accounting privileges.
tsoAllCmds | ALLCMDS | Indicates the ability to bypass the CA ACF2 restricted command lists by entering a special prefix character.
tsoJcl | JCL | Indicates the ability to submit batch jobs from TSO and to use the SUBMIT, STATUS, CANCEL, and OUTPUT commands.
tsoWtp | WTP | Indicates that CA ACF2 displays write-to-programmer messages.
tsoFscrn | TSOFSCRN | Indicates that a user can use the full-screen logon display.
tsoMount | MOUNT | Indicates permission to issue mounts for devices.
tsoOperator | OPERATOR | Indicates that a user has TSO operator privileges.
tsoNotices | NOTICES | Indicates that a user can receive TSO notices at logon time.
tsoPrompt | PROMPT | Indicates that CA ACF2 prompts a user for missing or incorrect parameters.
tsoLgnAcct | LGN-ACCT | Indicates the permission to specify an account number at logon time.
tsoLgnMsg | LGN-MSG | Indicates that the user has permission to specify a message class at logon time.
tsoLgnPerf | LGN-PERF | Indicates the permission to specify a performance group at logon time.
tsoLgnProc | LGN-PROC | Indicates the permission to specify the TSO procedure name at logon time.
tsoLgnTime | LGN-TIME | Indicates the permission to specify the TSO session time limit at logon time.
tsoLgnRcvr | LGN-RCVR | Indicates the permission to use the recover option of the TSO or TSO/E command package.
tsoLgnSize | LGN-SIZE | Indicates that the user is authorized to specify any region size at logon time by overriding TSOSIZE.
tsoLgnUnit | LGN-UNIT | Indicates permission to specify the TSO unit name at logon time.
tsoIntercom | INTERCOM | Indicates that the user is willing to accept messages from other users through the TSO SEND command.
secVio | SEC-VIO | Indicates the number of cumulative security violations for a user.
updTod | UPD-TOD | Indicates the date and time when a login ID record was last updated.
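The two-digit year pivot and the MINDAYS/MAXDAYS semantics in Table 1-3 are easy to get wrong when password state is reconciled into Oracle Identity Manager. The following Python helper is an added example for this guide, not connector or LDAP Gateway code; it assumes the GSO OPTS DATE setting is passed in as one of the three format strings the table names and that PSWD-TOD is supplied with its date portion first (any trailing time is ignored).

```python
"""Normalise the CA ACF2 date and password-ageing fields from Table 1-3.

Added example for this guide; it is not connector or LDAP Gateway code.
Assumptions: the GSO OPTS DATE setting is passed in as one of the three
format strings the table names (mm/dd/yy, dd/mm/yy, yy/mm/dd) and PSWD-TOD
is supplied with its date portion first (any trailing time is ignored).
"""
from datetime import date

# Position of the (year, month, day) tokens for each GSO OPTS DATE setting.
_LAYOUTS = {
    "mm/dd/yy": (2, 0, 1),
    "dd/mm/yy": (2, 1, 0),
    "yy/mm/dd": (0, 1, 2),
}


def expand_year(yy: int) -> int:
    """Apply the ACF2 two-digit year rule: 70-99 -> 1970-1999, 00-69 -> 2000-2069."""
    if not 0 <= yy <= 99:
        raise ValueError(f"two-digit year out of range: {yy}")
    return 1900 + yy if yy >= 70 else 2000 + yy


def parse_acf2_date(value: str, gso_date_format: str) -> date:
    """Parse a PSWD-DAT or PSWD-TOD value according to the GSO OPTS DATE format."""
    if gso_date_format not in _LAYOUTS:
        raise ValueError(f"unsupported GSO OPTS DATE format: {gso_date_format}")
    head = value.split()  # PSWD-TOD carries "date time"; keep only the date
    tokens = head[0].split("/") if head else []
    if len(tokens) != 3 or not all(t.isdigit() and len(t) == 2 for t in tokens):
        raise ValueError(f"malformed ACF2 date: {value!r}")
    nums = [int(t) for t in tokens]
    yi, mi, di = _LAYOUTS[gso_date_format]
    return date(expand_year(nums[yi]), nums[mi], nums[di])  # rejects e.g. month 13


def password_state(pswd_tod: str, mindays: int, maxdays: int, today: str,
                   gso_date_format: str) -> dict:
    """Derive the password view OIM needs from PSWD-TOD, MINDAYS and MAXDAYS.

    MAXDAYS and MINDAYS count from the PSWD-TOD date; zero means no limit.
    `today` is an ISO date (YYYY-MM-DD) so the result is reproducible.
    """
    changed = parse_acf2_date(pswd_tod, gso_date_format)
    age = (date.fromisoformat(today) - changed).days
    return {
        "changed_on": changed.isoformat(),
        "password_age_days": age,
        "expired": maxdays != 0 and age > maxdays,
        "change_allowed": mindays == 0 or age >= mindays,
    }


if __name__ == "__main__":
    # Constructed sample: password changed on 1 Jan 2024, site uses mm/dd/yy.
    print(password_state("01/01/24 09:30", 7, 90, "2024-04-01", "mm/dd/yy"))
```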
Table 1-4 lists resource profile field mappings between Oracle Identity Manager and the target system.
Table 1-4 Dataset Resource Profile Field Descriptions

Oracle Identity Manager Field | CA ACF2 Field | Description
---|---|---
cn | PROFILE NAME | The profile ID
standardAccessList | ID,ACCESS,ACCESS COUNT | The standard access list of ID and access for the dataset
conditionalAccessList | ID,ACCESS,ACCESS COUNT | The conditional access list of ID and access for the dataset
owner | OWNER | The owner of the dataset
auditing | AUDITING | Indicates whether auditing should be enabled
notify | NOTIFY | Indicates whether notification is enabled for any changes to resource profiles
instdata | DATA | The installation data for the dataset
The CA ACF2 Advanced connector deployment involves deploying the LDAP Gateway, Reconciliation Agent, and Provisioning Agent. The Reconciliation Agent and Provisioning Agent are deployed on the mainframe.
These procedures are described in the following chapters:
Chapter 2, "Connector Deployment on Oracle Identity Manager" provides instructions for deploying the connector on the Oracle Identity Manager system. This procedure involves configuring Oracle Identity Manager, importing the connector XML file, compiling adapters, installing the LDAP Gateway, and configuring the message transport layer.
Chapter 3, "Connector Deployment on CA ACF2" describes the procedure to deploy the Reconciliation Agent and Provisioning Agent on the mainframe. It is recommended that you perform this procedure with the assistance of the systems programmer.
Chapter 4, "Configuring the Connector" describes the procedure to run initial reconciliation and to configure trusted source reconciliation and account status reconciliation. In addition, this chapter describes how to add a new field for provisioning.
Chapter 5, "Troubleshooting" discusses the problems that you might encounter while using the connector. In addition, this chapter discusses guidelines on using the connector.
Chapter 6, "Known Issues" lists the known issues associated with this release of the connector.