Oracle® Identity Manager Connector Guide for CA Top Secret Advanced Release 9.0.4 Part Number E10424-06
The Oracle Identity Manager CA Top Secret Advanced connector provides a native interface between Oracle Identity Manager and CA Top Secret installed on a z/OS mainframe. The connector functions as a trusted virtual administrator on the target system, performing tasks, such as creating login IDs and changing passwords. In addition, it automates some of the functions that administrators usually perform manually.
This guide discusses the connector that enables you to use CA Top Secret either as a managed (target) resource or as an authoritative (trusted) source of user information for Oracle Identity Manager.
Table 1-1 lists the certified deployment configurations.
Table 1-1 Certified Deployment Configurations
| Item | Requirement |
|---|---|
| Oracle Identity Manager | Release 8.5.3.1 or later |
| Target system | CA Top Secret r8 SP4 or later, r9 SP1 or later, r12 SP2 or later |
| Message transport layer | TCP/IP with Advanced Encryption Standard (AES) encryption |
| Target system user account for Oracle Identity Manager | IBM Authorized Program Facility (APF) authorized account with SystemAdministrators privileges |
Note:
The LDAP Gateway uses the target system user account that you create for Oracle Identity Manager. Therefore, it has the privileges required to access and operate with the Reconciliation Agent and Provisioning Agent. See "Connector Architecture" for information about the Reconciliation Agent and Provisioning Agent.
Between the Oracle Identity Manager and mainframe environments, Oracle Identity Manager uses the TCP/IP secure message transport layer.
Ports 5190 and 5790 are the default ports for the Reconciliation Agent and Provisioning Agent, respectively. You can change the ports for these agents.
Granting the APF-authorized status to a program is similar to granting superuser status. This process allows a program to run without allowing system administrators to query or interfere with its operation. The program that runs on the mainframe system and the user account it runs under must both have APF authorization. The Provisioning Agent user account must also have APF authorization.
Note:
APF authorization is usually granted by a mainframe administrator. If you do not have the required authority to perform such tasks, then enlist the assistance of someone who is qualified to perform these tasks.
The connector supports the following languages:
Arabic
Chinese (Simplified)
Chinese (Traditional)
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
The connector consists of the following components:
LDAP Gateway: The LDAP Gateway is built on Java 1.4 and allows portability across various platforms and operating systems. The LDAP Gateway receives LDAP protocol commands from distributed applications and translates them to native mainframe commands. After the commands are run, LDAP-formatted responses are returned to the requesting application. It is recommended that you install the LDAP Gateway on the same computer as Oracle Identity Manager.
Pioneer Provisioning Agent: The connector provides the provisioning functionality through the Pioneer Provisioning Agent, which is a mainframe component. The Provisioning Agent receives native mainframe identity and authorization change events from the LDAP Gateway. These events are processed against the mainframe authentication repository, in which all provisioning updates from the LDAP Gateway are stored. The response is parsed and returned to the LDAP Gateway.
Voyager Reconciliation Agent: The connector provides the reconciliation functionality through the Voyager Reconciliation Agent, which is a mainframe component. The Reconciliation Agent captures native mainframe events by using exit technology. Exits are programs that are run after a system event in the mainframe is processed. The Reconciliation Agent captures in real time events occurring from TSO logins, the command prompt, batch jobs, and other native mainframe events. The Reconciliation Agent transforms these events into notification messages for Oracle Identity Manager through the LDAP Gateway.
Message Transport Layer: The message transport layer enables the exchange of messages between the LDAP Gateway and the Reconciliation Agent and Provisioning Agent. TCP/IP with AES encryption is the message transport layer that uses 128-bit cryptographic keys. The connector supports a message transport layer by using the TCP/IP protocol, which is functionally similar to proprietary message transport layer protocols.
The architecture of the connector can be explained in terms of the operations it supports:
Figure 1-1 shows the flow of data during reconciliation.
Reconciliation involves the following steps:
Mainframe identity and authorization events take place in the mainframe target system. These mainframe events are processed through appropriate exits.
Note:
Identity and authorization events in the mainframe system consist of Top-Secret ACID logon, running of a command, real-time password synchronization, creation or deletion of a user, or a change in the user attributes.
The mainframe events are stored in the subpool 231 cache of the Voyager Reconciliation Agent. Subpool 231 is an area of z/OS storage that the Reconciliation Agent uses to temporarily store CA Top Secret events. The subpool 231 cache enables the Reconciliation Agent to handle a large number of events from the mainframe.
The Reconciliation Agent reads these events, converts them from EBCDIC to ASCII, and then encrypts them using AES encryption. The Reconciliation Agent opens a new socket to the LDAP Gateway and sends the encrypted notification messages through the message transport layer. These messages contain the minimum amount of data required to reconcile the event, such as message type, user ID, and password (for a password change event).
Note:
When the mainframe system is shut down, event records are stored offline. These offline events are reloaded in the Reconciliation Agent when the mainframe is started up.
The LDAP Gateway receives the messages from the Reconciliation Agent and decrypts them for the connector.
The connector sends a request to the Provisioning Agent to retrieve all the current user data that is generated as a result of the mainframe identity and authorization events.
If an event fetched from the target system matches the user data, then the connector returns an error and the process stops. If the event does not match, then the connector sends the event to Oracle Identity Manager for reconciliation processing and updates the internal meta-store of event records. This process is repeated for all the events that are fetched from the target system.
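As an added illustration (not code from this guide or from the connector itself), the following Python sketch models two of the reconciliation steps above: the Reconciliation Agent's EBCDIC-to-ASCII conversion of an event record, and the LDAP Gateway's meta-store check that refuses an event record it has already recorded and forwards the rest. The `TYPE|USER|DATA` record layout, the sample events, and the `Notification` and `GatewayMetaStore` names are constructed assumptions for this example; the real agent also AES-encrypts each message and sends it over a socket, which is not shown.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample events, as the Reconciliation Agent would read them from its
# subpool 231 cache: EBCDIC (z/OS code page 037) records. The TYPE|USER|DATA
# layout is an assumption made for this example, not the connector's own format.
RAW_EVENTS_EBCDIC = [
    s.encode("cp037") for s in (
        "CREATE|MJONES|DEPARTMENT=D100",
        "PWDCHG|JSMITH|newPass1",
        "PWDCHG|JSMITH|newPass1",   # the same event delivered twice
        "SUSPEND|ABROWN|",
    )
]


@dataclass(frozen=True)
class Notification:
    """Minimal notification: message type, user ID and event-specific data."""
    msg_type: str
    user_id: str
    payload: str


def decode_event(raw: bytes) -> Notification:
    """Convert one EBCDIC record to ASCII text and split out its fields."""
    text = raw.decode("cp037")
    text.encode("ascii")          # fail loudly if a non-ASCII byte slipped through
    msg_type, user_id, payload = text.split("|", 2)
    return Notification(msg_type, user_id, payload)


class GatewayMetaStore:
    """Model of the LDAP Gateway's internal meta-store of event records.

    Only a SHA-256 digest of each record is kept, so a password carried in a
    password-change event is not retained once the event has been forwarded.
    """

    def __init__(self):
        self._seen = set()
        self.forwarded = []

    @staticmethod
    def _digest(n: Notification) -> str:
        rec = f"{n.msg_type}|{n.user_id}|{n.payload}".encode("ascii")
        return hashlib.sha256(rec).hexdigest()

    def process(self, n: Notification) -> str:
        """Return an error for an already-recorded event, else forward it."""
        key = self._digest(n)
        if key in self._seen:
            return "error: event already recorded"
        self._seen.add(key)
        self.forwarded.append(n)      # hand-off to Oracle Identity Manager
        return "forwarded"


def run_reconciliation(raw_events):
    """Decode every cached record and run it through the meta-store check."""
    store = GatewayMetaStore()
    results = [store.process(decode_event(r)) for r in raw_events]
    return results, store


if __name__ == "__main__":
    results, store = run_reconciliation(RAW_EVENTS_EBCDIC)
    for raw, outcome in zip(RAW_EVENTS_EBCDIC, results):
        print(decode_event(raw).user_id, "->", outcome)
```

Keeping only a digest in the meta-store is the design point worth noting: the notification for a password change must carry the new password to the target, but nothing in the gateway's event history needs to keep it afterwards.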
Figure 1-2 shows the flow of data during provisioning.
Provisioning involves the following steps:
A user is created, updated, or deleted in Oracle Identity Manager.
The Oracle Identity Manager process task adapter for CA Top Secret forwards the change request to the LDAP Gateway.
The LDAP Gateway translates the change request into mainframe commands. The CA Top Secret Advanced connector encrypts the data and sends it to the Provisioning Agent through the message transport layer.
The connector also updates the internal meta-store of the LDAP Gateway with the changes in user data.
On the target system, the Provisioning Agent decrypts the data, sends the data to the mainframe repository, and returns the success or error messages back to the LDAP Gateway.
The Pioneer Provisioning Agent supports the following functions:
Standard CA Top Secret user profile commands:
[TSS CREATE]: Creates a CA Top Secret user profile
[TSS REPLACE]: Modifies an existing CA Top Secret user profile
[TSS DELETE]: Deletes a CA Top Secret user profile
Standard CA Top Secret group profile commands:
[TSS ADDTO]: Adds a CA Top Secret user to a profile
[TSS REMOVE]: Removes a CA Top Secret user from a profile
Standard CA Top Secret facility commands:
[TSS ADDTO]: Adds a CA Top Secret user to a facility
[TSS REMOVE]: Removes a CA Top Secret user from a facility
Standard CA Top Secret data set and resource profile commands:
[TSS PERMIT]: Provides data set or resource profile access to a user
Table 1-2 describes the functions supported by the Provisioning Agent.
Table 1-2 Functionality Supported for Provisioning
| Function | Description |
|---|---|
| Create Users | Adds new users in CA Top Secret. |
| Modify Users | Modifies user information in CA Top Secret. |
| Change Passwords | Changes user passwords on CA Top Secret in response to password changes made on Oracle Identity Manager through user self-service. |
| Reset Passwords | Resets user passwords on CA Top Secret. The passwords are reset by the administrator. |
| Suspend User Accounts | Disables user accounts in CA Top Secret. |
| Unsuspend User Accounts | Enables user accounts in CA Top Secret. |
| Delete Users | Removes user accounts from CA Top Secret. |
| Grant User Access To Data Sets | Adds the user to a data set with access rights. |
| Grant User Access To Privileges (TSO) | Provides TSO login access to the user. |
The Voyager Reconciliation Agent supports reconciliation of changes that are made to user profiles by using commands such as ADDUSER or ALTUSER. These commands may also contain users' passwords for reconciliation, if any.
The Reconciliation Agent supports the following functions:
Change passwords
Password resets
Create user data
Modify user data
Suspend users
Suspend users until
Delete users
Unsuspend users
Unsuspend users until
Table 1-3 lists the user fields that are reconciled between Oracle Identity Manager and the target system.
Table 1-3 Field Mapping Between Oracle Identity Manager and CA Top Secret
| Oracle Identity Manager Field | CA Top Secret Field | Description |
|---|---|---|
| uid | USER | Login ID of the user |
| cn | NAME | Full name of the user |
| sn | NAME | Last name of the user |
| givenName | NAME | First name of the user |
| userPassword | PASSWORD | Password |
| attributes | SPECIAL, AUDITOR, GPRACC, OPERATIONS | Attributes of the user |
| department | DEPARTMENT | Default department of the user |
| instdata | DATA | Installation-defined data of the user |
| createdate | CREATED | Date the user was created |
| passwordExpireDate | EXPIRES | Date the user's password expires |
| passwordExpireInterval | INTERVAL | Number of days the user's password remains valid |
| suspendUntilDate | SUSPENDED DATE | Future date on which the user will be prevented from accessing the system |
| memberOf | PROFILE | Profile information for the user |
| facilities | FACILITY | Facility information for the user |
| division | DIVISION | Default division for the user |
| lastmodificationdate | LAST MOD | Last time the user connected |
| tsocommand | COMMAND | Command to be run during TSO/E logon |
| tsodest | DEST | Default SYSOUT destination |
| tsounit | UNIT | Default unit name for allocations |
| tsoudata | USERDATA | Site-defined data field for a TSO user |
| tsoalcct | ACCTNUM | Default TSO account number on the TSO/E logon panel |
| tsohclass | HOLDCLASS | Default hold class |
| tsojclass | JOBCLASS | Default job class |
| tsomaxsize | MAXSIZE | Maximum region size the user can request at logon |
| tsomclass | MSGCLASS | Default message class |
| tsolproc | PROC | Default logon procedure on the TSO/E logon panel |
| tsolsize | SIZE | Minimum region size if not requested at logon |
| tsolopt | OPT | TSO options, such as MAIL and NOTICES |
| tsosclass | SYSOUTCLASS | Default SYSOUT class |
| revoke | NA | Value 'Y' if the user is revoked or 'N' if the user is not revoked |
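The provisioning translation step (the LDAP Gateway turning a change request into mainframe commands), the TSS commands listed for the Pioneer Provisioning Agent, and the attribute mapping in Table 1-3 can be shown together in one added Python example. This is illustrative code written for this page, not the LDAP Gateway's implementation: the keyword spellings follow the CA Top Secret field names in Table 1-3, while `TYPE(USER)`, the `DSNAME`/`ACCESS` keywords on `TSS PERMIT`, the single-quoting of NAME and DATA values, and the eight-character ACID shape are assumptions about TSS syntax; `datasets` is a constructed input name. The point it adds beyond the table is the check a gateway needs before interpolating LDAP attribute values into a command line: an ACID or value containing a parenthesis, quote or line break is rejected instead of being passed through to the agent.

```python
import re

# Oracle Identity Manager (LDAP) attribute -> CA Top Secret keyword, a subset of
# Table 1-3. Dict order fixes the keyword order in the generated command.
FIELD_MAP = {
    "cn": "NAME",
    "department": "DEPARTMENT",
    "division": "DIVISION",
    "instdata": "DATA",
    "passwordExpireInterval": "INTERVAL",
    "userPassword": "PASSWORD",
}
QUOTED = {"NAME", "DATA"}                  # free-text values emitted as 'value' (assumption)
ACID_RE = re.compile(r"[A-Z0-9@#$]{1,8}")  # assumed ACID shape: up to 8 such characters
UNSAFE = re.compile(r"[()'\r\n]")          # characters that would break out of KEYWORD(value)


def _acid(uid: str) -> str:
    """Normalise and check the ACID before it goes into any command."""
    acid = uid.upper()
    if not ACID_RE.fullmatch(acid):
        raise ValueError(f"invalid ACID: {uid!r}")
    return acid


def _value(v) -> str:
    """Reject attribute values that could inject extra keywords or commands."""
    s = str(v)
    if UNSAFE.search(s):
        raise ValueError(f"unsafe characters in value: {s!r}")
    return s


def _keywords(attrs: dict) -> str:
    """Render the mapped attributes as KEYWORD(value) pairs in FIELD_MAP order."""
    parts = []
    for ldap_name, kw in FIELD_MAP.items():
        if ldap_name in attrs:
            val = _value(attrs[ldap_name])
            parts.append(f"{kw}('{val}')" if kw in QUOTED else f"{kw}({val})")
    return " ".join(parts)


def build_tss_commands(op: str, uid: str, attrs: dict) -> list:
    """Translate one change request into the TSS command(s) the agent would run."""
    acid = _acid(uid)
    if op == "delete":
        return [f"TSS DELETE({acid})"]
    if op == "create":
        cmds = [f"TSS CREATE({acid}) TYPE(USER) {_keywords(attrs)}".rstrip()]
    elif op == "modify":
        kws = _keywords(attrs)
        cmds = [f"TSS REPLACE({acid}) {kws}"] if kws else []
    else:
        raise ValueError(f"unsupported operation: {op!r}")
    for prof in attrs.get("memberOf", []):            # profile membership
        cmds.append(f"TSS ADDTO({acid}) PROFILE({_value(prof)})")
    for fac in attrs.get("facilities", []):           # facility access
        cmds.append(f"TSS ADDTO({acid}) FACILITY({_value(fac)})")
    for dsn, access in attrs.get("datasets", []):     # constructed input name
        cmds.append(f"TSS PERMIT({acid}) DSNAME({_value(dsn)}) ACCESS({_value(access)})")
    return cmds


if __name__ == "__main__":
    request = {
        "cn": "Mary Jones", "department": "D100", "userPassword": "Init1234",
        "memberOf": ["PROF01"], "facilities": ["TSO"],
    }
    for command in build_tss_commands("create", "mjones", request):
        print(command)
```

Because `userPassword` ends up in the generated command text, a real gateway must treat these strings as secrets: log the operation and the ACID, never the full command.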
Table 1-4 lists the profile field mappings between Oracle Identity Manager and the target system.
Deploying the connector involves deploying the LDAP Gateway, Reconciliation Agent, and Provisioning Agent. The Reconciliation Agent and Provisioning Agent are deployed on the mainframe.
These procedures are described in the following chapters:
Chapter 2, "Connector Deployment on Oracle Identity Manager" provides instructions for deploying the connector on the Oracle Identity Manager system. This procedure involves configuring Oracle Identity Manager, importing the connector XML file, compiling adapters, installing the LDAP Gateway, and configuring the message transport layer.
Chapter 3, "Connector Deployment on CA Top Secret" describes the procedure to deploy the Reconciliation Agent and Provisioning Agent on the mainframe. It is recommended that you perform this procedure with the assistance of the systems programmer.
Chapter 4, "Configuring the Connector" describes the procedure to run initial reconciliation and to configure trusted source reconciliation and account status reconciliation.
Chapter 5, "Troubleshooting" discusses the problems that you might encounter while using the connector. In addition, this chapter discusses guidelines on using the connector.
Chapter 6, "Known Issues" lists known issues associated with this release of the connector.