Oracle® Identity Manager Connector Guide for CA Top Secret Advanced
Release 9.0.4

Part Number E10424-06

4 Configuring the Connector

The connector enables real-time reconciliation of user data from the target system. After you deploy the connector and import existing user data from the target system to Oracle Identity Manager, you need not depend on a scheduled task to initiate reconciliation runs with the target system.

This chapter discusses the following topics:

Configuring Trusted Source Reconciliation

The XML file for trusted source reconciliation, oimTopSecretTrustedXellerateUser.xml, contains definitions of the connector components that are used for trusted source reconciliation. To import this XML file:

Note:

The procedure described in this section enables trusted source reconciliation for both the initial reconciliation run and subsequent real-time reconciliation runs.
  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation pane.

  3. Click the Import link under Deployment Management. A dialog box for opening files is displayed.

  4. Locate and open the oimTopSecretTrustedXellerateUser.xml file, which is in the OIM_HOME/xellerate/XLIntegrations/tops/xml directory. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Import.

  8. In the message that is displayed, click Import to confirm that you want to import the XML file, and then click OK.

Configuring Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can specify the subset of newly added or modified target system records that must be reconciled. You do this by using the _resourceObject_ parameter in the initialTopSecretAdv.properties file.

Note:

The "Running Initial Reconciliation" section provides information about the initialTopSecretAdv.properties file.

You use the _resourceObject_ parameter to specify the resource object that you want to use during reconciliation. You might have created multiple resource objects to represent multiple user types in your organization. You can enter more than one resource object in the value of the _resourceObject_ parameter. In addition, you can include TSS attribute-value pairs to filter records for each resource object.

The following is a sample format of the value for the _resourceObject_ parameter:

_resourceObject_:[ATTRIBUTE1:VALUE1]RESOURCE_OBJECT1,[ATTRIBUTE2:VALUE2]RESOURCE_OBJECT2, . . .

As shown in the sample format, specifying a filter attribute is optional. If you do not specify a filter attribute, then all records for that resource object are reconciled.

Apply the following guidelines while specifying a value for the _resourceObject_ parameter:

The following is a sample value for the _resourceObject_ parameter:

_resourceObject_:(tso.holdclass:X)TSSR01,(category:value1|value2|value3)TSSResourceObject2,(tso)TSSResourceObject24000,Resource

In this sample value:
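The following Python parser is an added example, not part of the Oracle guide or the connector. It splits a _resourceObject_ value into its entries and lists the resource objects that carry no filter, which are the ones for which all records are reconciled. It assumes what the two samples above show: entries are separated by commas, a filter is an optional leading group in parentheses or square brackets, and | separates filter values. The function names are this example's own.

```python
import re

# Optional leading filter in (...) or [...], then the resource object name.
ENTRY = re.compile(r"^(?:[(\[]([^)\]]*)[)\]])?([^()\[\]]+)$")


def parse_resource_object(value):
    """Return a list of dicts, one per comma-separated entry of _resourceObject_."""
    entries = []
    for part in (p.strip() for p in value.split(",")):
        if not part:
            continue
        match = ENTRY.match(part)
        if match is None:
            raise ValueError(f"malformed entry: {part!r}")
        filter_text, name = match.group(1), match.group(2).strip()
        attribute, values = None, []
        if filter_text is not None:
            attribute, _, raw = filter_text.partition(":")
            attribute = attribute.strip()
            values = [v.strip() for v in raw.split("|") if v.strip()]
            if not attribute:
                raise ValueError(f"empty filter in entry: {part!r}")
        entries.append({"resource_object": name, "attribute": attribute,
                        "values": values})
    return entries


def unfiltered(entries):
    """Resource objects with no filter: every record for them is reconciled."""
    return [e["resource_object"] for e in entries if e["attribute"] is None]


# The sample value from this page, without the "_resourceObject_:" prefix.
SAMPLE = ("(tso.holdclass:X)TSSR01,(category:value1|value2|value3)"
          "TSSResourceObject2,(tso)TSSResourceObject24000,Resource")

if __name__ == "__main__":
    parsed = parse_resource_object(SAMPLE)
    for entry in parsed:
        print(entry)
    print("reconciles all records:", unfiltered(parsed))
```
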

Running Initial Reconciliation

The initial reconciliation run involves importing user data from the target system into Oracle Identity Manager, immediately after you deploy the connector.

To start the initial reconciliation run:

  1. Ensure that properties that are common to both the run script and the run_initial_recon_provisioning script have the same values.

    The run script is in the LDAP_INSTALL_DIR/bin directory. The run_initial_recon_provisioning script is in the OIM_HOME/xellerate/JavaTasks directory.

  2. In a text editor, open the OIM_HOME/xellerate/JavaTasks/initialTopSecretAdv.properties file.

  3. In the initialTopSecretAdv.properties file, specify values for the parameters that control the initial reconciliation script.

    Note:

    Ensure that properties that are common to both the initialTopSecretAdv.properties file and topsecretConnection.properties file have the same values.

    Specify values for the following parameters in the initialTopSecretAdv.properties file:

    • xlAdminId: Oracle Identity Manager administrator ID.

    • idfTrusted: Enter true as the value of this property to specify that you want to perform trusted source reconciliation with the target system. Enter false to specify target resource reconciliation.

    • _resourceObject_: Resource object for reconciliation. See "Configuring Limited Reconciliation" for information about specifying a value for this parameter.

    • _itResource_: IT resource for target resource reconciliation.

    • _dummyPwd_: Dummy password for initial reconciliation.

    • isFileRecon: The value of this property is true, which specifies file-based initial reconciliation. You must not change this value.

    • userFile: Enter the name of the TXT file in which you have stored the user IDs of the target system users that you want to reconcile. This file must be placed in the following directory:

      OIM_HOME/xellerate/JavaTasks
      

      For more information about this file, see the sample user.txt file in the scripts directory on the installation media.

    • #REMOVED: Ignore this property.

    • reconAttrs: Fields that are reconciled.

    • tsoReconAttrs: TSO fields that are reconciled.

    • idfServerUrl: Enter the LDAP Gateway host and port.

    You must not change the values of the remaining properties in the initialTopSecretAdv.properties file.

    The following is a sample set of values for the properties in the initialTopSecretAdv.properties file:

    xlAdminId:xelsysadm
    idfTrusted:false
    _resourceObject_:OIMTopSecretResourceObject
    _itResource_:TopSecretResource
    _dummyPwd_:Pwd123
    isFileRecon:true
    userFile:user.txt
    #REMOVED: sn,givenName,revoke,identificationUID,cicsid,minDays,maxDays,prefix,
    reconAttrs:uid,cn,userPassword,department,instdata,division,lastModificationDate,createDate,type
    tsoReconAttrs:tsolacct,tsohclass,tsojclass,tsomclass,tsolproc,tsolsize,tsomsize,tsosclass,tsounit,tsoudata,tsocommand,tsodest,tsolopt
    idfServerUrl:ldap://localhost:5389
    idfAdminDn:cn=idfTopsAdmin, dc=tops,dc=com
    idfAdminPwd:idfTopsPwd
    ouPeople:ou=People
    ouGroups:ou=Groups
    ouDatasets:ou=Datasets
    ouResources:ou=Resources
    ouFacilities:ou=Facilities
    ouBaseDn:dc=tops,dc=com
    idfSystemAdminDn:cn=Directory Manager, dc=system,dc=backend
    idfSystemAdminPwd:testpass
    idfSystemDn:dc=system,dc=backend
    
  4. In a text editor, open the OIM_HOME/xellerate/JavaTasks/run_initial_recon_provisioning script.

  5. To perform trusted source reconciliation:

    Note:

    Ignore step 5 if you want to run target resource reconciliation only.
    1. Set the value of the JV parameter in the script to -X to reconcile Xellerate User.

    2. Run the script.

      When you run the script, it opens the file (whose name is the value of the userFile property) containing user data and reads the user IDs of the users that you want to reconcile. Then, the loader, which is the initial load script, connects to the LDAP Gateway and issues commands to fetch the required user data from the target system. This data is loaded in the LDAP Gateway cache and reconciliation events are submitted to Oracle Identity Manager. OIM User records are created for all the target system users identified by the userFile property in the initialTopSecretAdv.properties file.

    3. In the run_initial_recon_provisioning script, change the value of the JV parameter to -R to run target resource reconciliation.

    4. Run the script again.

      Because you have set the value of the JV parameter in the script to -R, target resource reconciliation is performed when you run the script. Resources are assigned to each OIM User that was created when you first ran the script.

  6. To perform target resource reconciliation only:

    Note:

    Ignore step 6 if you want to run trusted source reconciliation.
    1. In a text editor, open the initialTopSecretAdv.properties file and enter false as the value of the idfTrusted property to specify that you want to perform target resource reconciliation with the target system.

      Make the same change in the topsecretConnection.properties file.

    2. In the run_initial_recon_provisioning script, change the value of the JV parameter to -P to run target resource reconciliation.

    3. Run the script again.

      Because you have set the value of the JV parameter in the script to -P, target resource reconciliation is performed when you run the script.

After the initial reconciliation run ends, real-time reconciliation takes over and newly created or modified user data is automatically reconciled into Oracle Identity Manager.

If a problem exists with fault tolerance and the LDAP Gateway and Reconciliation Agent are down for a long time, and if there is a possibility of losing user data, then run full reconciliation.

Configuring Account Status Reconciliation

When a user's account is disabled or enabled on the target system, the user is reconciled and the changed status is reflected in Oracle Identity Manager. To configure the reconciliation of account status data:

  1. In the LDAP_INSTALL_DIR/topsecretConnection.properties file, add the name of the status field to the reconAttrs section.

    Make the same change in the initialTopSecretAdv.properties file, which is in the OIM_HOME/xellerate/JavaTasks directory.

  2. Restart the LDAP Gateway for the changes to take effect.

  3. In the Design Console:

    See Also:

    Oracle Identity Manager Design Console Guide for detailed information about the following steps
    • In the OIMTopSecretResourceObject resource object, create the Status reconciliation field.

    • In the OIMTopSecretProvisioningProcess process definition, map the Status field to the OIM_OBJECT_STATUS field.
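
Both "Running Initial Reconciliation" and the procedure above require the same values in initialTopSecretAdv.properties and topsecretConnection.properties. The following Python script is an added example, not part of the Oracle guide or the connector: it reports properties that differ between the two files and passwords still set to the sample values printed in this guide. The contents of topsecretConnection.properties are not shown on this page, so both inputs below are constructed, including the status field name.

```python
# Passwords printed in the guide's sample file; finding one means it was never changed.
SAMPLE_SECRETS = {"_dummyPwd_": "Pwd123", "idfAdminPwd": "idfTopsPwd",
                  "idfSystemAdminPwd": "testpass"}


def parse_props(text):
    """Parse key:value lines; lines starting with '#' (e.g. #REMOVED) are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)  # first colon only: URLs and DNs contain more
        props[key.strip()] = value.strip()
    return props


def audit(initial_text, connection_text):
    """Return a sorted list of (finding, property) tuples for the two files."""
    initial = parse_props(initial_text)
    connection = parse_props(connection_text)
    findings = set()
    for key in initial.keys() & connection.keys():
        if initial[key] != connection[key]:
            findings.add(("mismatch", key))
    for props in (initial, connection):
        for key, sample in SAMPLE_SECRETS.items():
            if props.get(key) == sample:
                findings.add(("sample-password", key))
    return sorted(findings)


# Constructed input: an edited initial file and a connection file that has drifted.
INITIAL = """xlAdminId:xelsysadm
idfTrusted:false
#REMOVED: sn,givenName
reconAttrs:uid,cn,status
idfServerUrl:ldap://localhost:5389
idfAdminPwd:idfTopsPwd
"""
CONNECTION = """idfTrusted:true
reconAttrs:uid,cn
idfServerUrl:ldap://localhost:5389
idfAdminPwd:S3parate-Value
"""

if __name__ == "__main__":
    for finding in audit(INITIAL, CONNECTION):
        print(finding)
```

The sample file stores passwords as plain values, so restrict read access on both files to the account that runs the scripts.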

Adding New Fields for Provisioning

To add a new field for provisioning to CA Top Secret:

See Also:

Oracle Identity Manager Design Console Guide for detailed information about these steps
  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand the Development Tools folder.

  3. Double-click Form Designer.

  4. Search for and open the CA Top Secret main process form, such as the UD_TOPS_ADV_MODEL process form.

  5. Click Create New Version, and then click Add.

  6. Enter the details of the field. For example, if you are adding the uid field, then enter USER in the Name field, and then enter the rest of the details of this field.

  7. Click Save, and then click Make Version Active.

  8. Expand the Administration folder.

  9. Double-click Lookup Definition.

  10. Add the new Attribute Form column name to the AtMap.TopSecret lookup definition. For example, the Code Key value is UD_TOPS_ADV_MODEL and the Decode value is model. The Code Key value is the column name in the CA Top Secret main process form, and the Decode value is the name of the field on the target CA Top Secret system, which maps to the corresponding LDAP field name.

  11. If you want to add an update process task for a new custom field in Oracle Identity Manager, create a new process task associated with the Oracle Identity Manager field by using the adpMODIFYUSER adapter for CA Top Secret.