Oracle® Identity Manager Connector Guide for IBM RACF Standard
Release 9.0.4

Part Number E10427-03
3 Configuring the Connector

After you deploy the connector, you must configure it to meet your requirements. This chapter discusses the following connector configuration procedures:

  • Configuring Reconciliation

  • Configuring Provisioning

  • Configuring the Connector for Multiple Installations of the Target System

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Configuring Reconciliation

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

  • Partial Reconciliation

  • Batched Reconciliation

  • Configuring the Target System As a Trusted Source

  • Configuring the Reconciliation Scheduled Tasks

3.1.1 Partial Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

Creating a filter involves specifying a value for a target system attribute, which will be used in the query SELECT criteria to retrieve the records to be reconciled. You can specify values for any one or a combination of the following filter attributes:

  • Filter Auditor Privilege (Y/N)

  • Filter Default Group

  • Filter Group Access Privilege (Y/N)

  • Filter Name

  • Filter Operations Privilege (Y/N)

  • Filter Owner

  • Filter Special Privilege (Y/N)

  • Filter User Id

  • Filter Type (AND/OR)

If you want to use multiple target system attributes to filter records, then you must also specify the logical operator (AND or OR) that you want to apply to the combination of target system attributes that you select.

The value of the Filter Type (AND/OR) attribute is applied to the rest of the filter attribute values that you specify. For example, suppose you specify the following values:

  • Filter Default Group: sales

  • Filter User Id: jdoe

  • Filter Type (AND/OR): AND

When this scheduled task is run, records for which the user ID is jdoe and the default group value is sales are reconciled. If you were to specify OR as the value of the Filter Type (AND/OR) attribute, then records that satisfy any one of the filter criteria are reconciled.

While deploying the connector, follow the instructions in the "Specifying Values for the Scheduled Task Attributes" section to specify values for these attributes and the logical operator that you want to apply.

3.1.2 Batched Reconciliation

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid these problems.

To configure batched reconciliation, you must specify values for the following user reconciliation scheduled task attributes:

  • BatchSize: Use this attribute to specify the number of records that must be included in each batch. The default value is 1000.

  • NumberOfBatches: Use this attribute to specify the total number of batches that must be reconciled. The default value is All.

If you specify a value other than All, then some of the newly added or modified user records may not get reconciled during the current reconciliation run. The following example illustrates this:

Suppose you specify the following values while configuring the scheduled tasks:

  • BatchSize: 20

  • NumberOfBatches: 10

Suppose that 314 user records were created or modified after the last reconciliation run. Of these 314 records, only 200 records would be reconciled during the current reconciliation run. The remaining 114 records would be reconciled during the next reconciliation run.

You specify values for the BatchSize and NumberOfBatches attributes by following the instructions described in the "Specifying Values for the Scheduled Task Attributes" section.
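The following is an added example, not Oracle's connector code, that models the two mechanisms described in the "Partial Reconciliation" and "Batched Reconciliation" sections: the AND / OR / NODATA filter semantics and the BatchSize and NumberOfBatches cut-off. The record data, the key names, and the case-insensitive comparison are assumptions made for the example.

```python
"""Added example, not Oracle's connector code: models how the partial
reconciliation filters (Filter Type AND / OR / NODATA) and the BatchSize and
NumberOfBatches attributes decide which changed RACF records reach Oracle
Identity Manager in a single run. All records below are constructed."""
from typing import Dict, List, Tuple

NODATA = "NODATA"  # documented value meaning "ignore this filter"

# Constructed sample of records changed since the last reconciliation run.
# Keys mirror the filter attributes of the guide with the "Filter " prefix
# removed; privilege flags use the same Yes/No values the filters accept.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"User Id": "JDOE", "Default Group": "SALES", "Owner": "SYS1",
     "Name": "JOHN DOE", "Special Privilege (Y/N)": "No"},
    {"User Id": "ASMITH", "Default Group": "SALES", "Owner": "SYS1",
     "Name": "ANN SMITH", "Special Privilege (Y/N)": "Yes"},
    {"User Id": "BLEE", "Default Group": "OPS", "Owner": "ADMIN",
     "Name": "BOB LEE", "Special Privilege (Y/N)": "Yes"},
]


def record_matches(record: Dict[str, str], filters: Dict[str, str],
                   filter_type: str) -> bool:
    """Apply the documented semantics: filters set to NODATA are ignored,
    AND needs every remaining filter to match, OR needs any one of them, and
    Filter Type NODATA (the default) disables filtering altogether.
    Assumption: RACF values are compared case-insensitively."""
    active = {k: v for k, v in filters.items() if v != NODATA}
    if filter_type == NODATA or not active:
        return True
    checks = [record.get(k, "").upper() == v.upper() for k, v in active.items()]
    if filter_type == "AND":
        return all(checks)
    if filter_type == "OR":
        return any(checks)
    raise ValueError(f"unsupported Filter Type: {filter_type!r}")


def plan_batches(matching: List[Dict[str, str]], batch_size: int,
                 number_of_batches) -> Tuple[List[List[Dict[str, str]]], int]:
    """Split the matching records into batches of batch_size and keep the
    first number_of_batches of them (an int, or "All"). Returns the batches
    for this run and the count of records that wait for the next run."""
    if batch_size < 1:
        raise ValueError("BatchSize must be a positive number")
    batches = [matching[i:i + batch_size]
               for i in range(0, len(matching), batch_size)]
    if number_of_batches != "All":
        batches = batches[:int(number_of_batches)]
    reconciled_now = sum(len(b) for b in batches)
    return batches, len(matching) - reconciled_now


def reconcile_run(records, filters, filter_type, batch_size, number_of_batches):
    """One reconciliation run: filter, then batch. Returns the reconciled
    user IDs and the number of records deferred to the next run."""
    matching = [r for r in records if record_matches(r, filters, filter_type)]
    batches, deferred = plan_batches(matching, batch_size, number_of_batches)
    return [r["User Id"] for batch in batches for r in batch], deferred


if __name__ == "__main__":
    # The guide's own example: Default Group sales AND User Id jdoe.
    print(reconcile_run(SAMPLE_RECORDS,
                        {"Default Group": "sales", "User Id": "jdoe"},
                        "AND", 1000, "All"))
```

Running plan_batches over 314 constructed records with BatchSize 20 and NumberOfBatches 10 reproduces the guide's numbers: 200 records in this run, 114 deferred.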

3.1.3 Configuring the Target System As a Trusted Source

While configuring the connector, the target system can be designated as either a trusted source or a target resource. If you designate the target system as a trusted source, then during a reconciliation run:

  • For each newly created user on the target system, an OIM User is created.

  • Updates made to each user on the target system are propagated to the corresponding OIM User.

If you designate the target system as a target resource, then during a reconciliation run:

  • For each account created on the target system, a resource is assigned to the corresponding OIM User.

  • Updates made to each account on the target system are propagated to the corresponding resource.

Note:

Skip this section if you do not want to designate the target system as a trusted source for reconciliation.

To configure trusted source reconciliation, you import the RACFTrusted.xml file while performing the procedure described in the "Importing the Connector XML Files" section.

  1. Import the XML file for trusted source reconciliation, RACFTrusted.xml, by using the Deployment Manager. This section describes the procedure to import the XML file.

    Note:

    Only one target system can be designated as a trusted source. If you import the RACFTrusted.xml file while you have another trusted source configured, then both connector reconciliations would stop working.

  2. Set the value of the isTrusted scheduled task attribute to Yes while performing the procedure described in the "Submitjob User Reconciliation Scheduled Task" section.

To import the XML file for trusted source reconciliation:

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for opening files is displayed.

  4. Locate and open the RACFTrusted.xml file, which is in the OIM_HOME/XLIntegrations/racf/xml directory. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Import.

  8. In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.

3.1.4 Configuring the Reconciliation Scheduled Tasks

When you perform the procedure described in the "Importing the Connector XML Files" section, the scheduled tasks for lookup fields, trusted source user, and target resource user reconciliations are automatically created in Oracle Identity Manager. To configure these scheduled tasks:

  1. Open the Oracle Identity Manager Design Console.

  2. Expand the Xellerate Administration folder.

  3. Select Task Scheduler.

  4. Click Find. The details of the predefined scheduled tasks are displayed.

  5. Enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the FAILED status to the task.

  6. Ensure that the Disabled and Stop Execution check boxes are not selected.

  7. In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.

  8. In the Interval region, set the following schedule parameters:

    • To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.

      If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.

    • To set the task to run only once, select the Once option.

  9. Provide values for the attributes of the scheduled task. Refer to the "Specifying Values for the Scheduled Task Attributes" section for information about the values to be specified.

  10. Click Save. The scheduled task is created. The INACTIVE status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.

  11. Repeat Steps 5 through 10 to create the second scheduled task.

After you create both scheduled tasks, proceed to the "Configuring Provisioning" section.

3.1.4.1 Specifying Values for the Scheduled Task Attributes

This section provides information about the values to be specified for the following scheduled tasks:

  • Lookup Fields Reconciliation Scheduled Task

  • Submitjob User Reconciliation Scheduled Task

  • GetData User Reconciliation Scheduled Task

3.1.4.1.1 Lookup Fields Reconciliation Scheduled Task

You must specify values for the following attributes of the RACF lookup fields reconciliation scheduled task.

Note:

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Attribute: Server
Description: Name of the IT resource instance that the connector uses to reconcile data
Sample value: RACF Server

Attribute: LookupField Name
Description: Name of the lookup field to be reconciled
Value: Any one of the following:
  • Lookup.RACF.Groups
  • Lookup.RACF.Procedures
  • Lookup.RACF.Accounts

Attribute: LookupField Target File
Description: Name of the file that you create on the target system server to store temporary data. Note: You must create this file on the target system before you begin using the connector.
Value: Valid file name up to 8 characters in length

Attribute: RACF Source Directory
Description: Name of the directory on the IBM Mainframe server to which you copy the RACF scripts while performing the procedure described in "Configuring the Target System"
Sample value: ADTTAR.DT250207.CNTL

Attribute: LookupType
Description: Specifies the type of lookup reconciliation to be performed
Value: Any one of the following:
  • Groups
  • Procedures
  • Accounts


After you specify values for these task attributes, go to Step 10 of the procedure to create scheduled tasks.

3.1.4.1.2 Submitjob User Reconciliation Scheduled Task

Fetching user data from the target system during reconciliation is a two-stage process. In the first stage, user data is extracted from the target system repository and copied to a file that you specify. In the second stage, the contents of the file are brought into Oracle Identity Manager.

The following scheduled tasks are used to submit the job that extracts user data and copies it into a file:

  • RACF submit job reconciliation

  • RACF submit job trusted reconciliation

Note:

You must specify values for the attributes of one of these scheduled tasks.

The following table describes the attributes of these scheduled tasks:

Note:

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Attribute: Filter Type (AND/OR)
Description: Specifies whether, and in what combination, the specified filter conditions are to be used
Value: Any one of the following:
  • AND to specify that you want reconciliation to be performed only if all the specified filter conditions are met.
  • OR to specify that you want reconciliation to be performed if any one or a combination of the specified filter conditions are met.
  • NODATA to specify that you do not want the filter conditions to be used. This is the default value.

Attribute: RACF Database Name
Description: Fully qualified name of the partitioned data set (PDS) containing the IBM RACF database
Sample value: SYS1.EXAMPLE.RACFBACK

Attribute: System Parameter file Name
Description: Fully qualified PS name used to upload the SYSTMDAT file
Sample value: ADTTAR.SYSTMDAT

Attribute: Filter User Id
Description: Specifies the user ID of the user account to be reconciled
Value: Any one of the following:
  • User ID of the user account to be reconciled
  • NODATA to specify that this filter is to be ignored. This is the default value.

Attribute: Filter Owner
Description: Specifies the owner of the user accounts to be reconciled
Value: Any one of the following:
  • User ID or group ID of the owner
  • NODATA to specify that this filter is to be ignored. This is the default value.

Attribute: Filter Name
Description: Specifies the Name value of the user accounts to be reconciled
Value: Any one of the following:
  • Name value of the user accounts to be reconciled
  • NODATA to specify that this filter is to be ignored. This is the default value.

Attribute: Filter Default Group
Description: Specifies the default group of the user accounts to be reconciled
Value: Any one of the following:
  • Default group ID of the user accounts to be reconciled
  • NODATA to specify that this filter is to be ignored. This is the default value.

Attribute: Filter Operations Privilege (Y/N)
Description: Specifies whether user accounts with the Operations privilege are to be reconciled
Value: Any one of the following:
  • Yes to specify that users with the Operations privilege are to be reconciled
  • No to specify that users with the Operations privilege are not to be reconciled
  • NODATA to specify that this filter is to be ignored. This is the default value.

Attribute: Filter Special Privilege (Y/N)
Description: Specifies whether user accounts with the Special privilege are to be reconciled
Value: Any one of the following:
  • Yes to specify that users with the Special privilege are to be reconciled
  • No to specify that users with the Special privilege are not to be reconciled
  • NODATA to specify that this filter is to be ignored. This is the default value.

Attribute: Filter Group Access Privilege (Y/N)
Description: Specifies whether user accounts with the Group Access privilege are to be reconciled
Value: Any one of the following:
  • Yes to specify that users with the Group Access privilege are to be reconciled
  • No to specify that users with the Group Access privilege are not to be reconciled
  • NODATA to specify that this filter is to be ignored. This is the default value.

Attribute: Filter Auditor Privilege (Y/N)
Description: Specifies whether user accounts with the Auditor privilege are to be reconciled
Value: Any one of the following:
  • Yes to specify that users with the Auditor privilege are to be reconciled
  • No to specify that users with the Auditor privilege are not to be reconciled
  • NODATA to specify that this filter is to be ignored. This is the default value.

Attribute: Trial
Description: Specifies whether or not trial reconciliation is to be carried out
Value: Yes or No

Attribute: trialCount
Description: Specifies the number of batches into which the reconciliation data is to be divided for the trial run
Value: Any natural number (1, 2, 3 . . .)

Attribute: Target System Recon - Resource Object name
Description: Name of the resource object
Value: Resource object name. Sample value: RACF Server

Attribute: Server
Description: Name of the IT resource instance that the connector uses to reconcile data
Value: IT resource instance name. Sample value: RACF Server

Attribute: RACF Source Directory
Description: Specifies the IBM RACF directory in which IBM RACF scripts are stored
Sample value: ADTTAR.DT250207.CNTL

Attribute: Target System New User File
Description: Name of the file that IBM RACF uses to store the latest image of the IBM RACF database
Value: Fully qualified PDS name. Sample value: adttar.new

Attribute: Target System Old User File
Description: Name of the file that IBM RACF uses to store the old image of the IBM RACF database. For first-time reconciliation, provide a dummy file name. You must ensure that this file does not exist on the IBM Mainframe. From the second reconciliation run onward, the value must be the same as the value of the Target System Old User File attribute used during the first reconciliation run.
Value: Fully qualified PDS name. Sample value: adttar.oldfile.fri112

Attribute: IsDebug
Description: Specifies whether or not debugging must be performed
Value: Yes or No. The default value is No.

Attribute: isTrusted
Description: Specifies whether or not trusted source reconciliation is to be performed
Value: Yes or No

Attribute: File Path
Description: Name and path of the file that stores information about the task running on the mainframe. The next task checks this file to determine the status of the current task.
Sample value: C:/dummyfile.txt

After you specify values for these task attributes, go to Step 10 of the procedure to create scheduled tasks.
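The note above warns that a single empty attribute value silently stops reconciliation, and the table fixes the allowed values for several attributes. The following added example, which is not Oracle's connector code, is a pre-flight check of a Submitjob attribute map against those rules; the attribute names are the guide's, the sample values are constructed from the table's sample values, and the final "AND/OR with every filter at NODATA" check is an assumption added for the example rather than a documented rule.

```python
"""Added example, not Oracle's connector code: a pre-flight check of the
Submitjob user reconciliation scheduled task attribute values against the
constraints listed in the guide's table. Attribute names are the guide's;
the sample values are constructed."""
from typing import Dict, List

PRIVILEGE_FILTERS = (
    "Filter Operations Privilege (Y/N)", "Filter Special Privilege (Y/N)",
    "Filter Group Access Privilege (Y/N)", "Filter Auditor Privilege (Y/N)",
)
VALUE_FILTERS = ("Filter User Id", "Filter Owner", "Filter Name",
                 "Filter Default Group")
ALL_ATTRIBUTES = PRIVILEGE_FILTERS + VALUE_FILTERS + (
    "Filter Type (AND/OR)", "RACF Database Name", "System Parameter file Name",
    "Trial", "trialCount", "Target System Recon - Resource Object name",
    "Server", "RACF Source Directory", "Target System New User File",
    "Target System Old User File", "IsDebug", "isTrusted", "File Path",
)

# Constructed: every attribute set, using the table's sample values.
SAMPLE_ATTRIBUTES: Dict[str, str] = {
    name: "NODATA" for name in PRIVILEGE_FILTERS + VALUE_FILTERS}
SAMPLE_ATTRIBUTES.update({
    "Filter Type (AND/OR)": "NODATA",
    "RACF Database Name": "SYS1.EXAMPLE.RACFBACK",
    "System Parameter file Name": "ADTTAR.SYSTMDAT",
    "Trial": "No", "trialCount": "1",
    "Target System Recon - Resource Object name": "RACF Server",
    "Server": "RACF Server",
    "RACF Source Directory": "ADTTAR.DT250207.CNTL",
    "Target System New User File": "adttar.new",
    "Target System Old User File": "adttar.oldfile.fri112",
    "IsDebug": "No", "isTrusted": "No", "File Path": "C:/dummyfile.txt",
})


def check_submitjob_attributes(attrs: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the values satisfy the
    documented constraints. The empty-value rule matters most: the guide says
    reconciliation is not performed if even one attribute is left empty."""
    problems: List[str] = []
    for name in ALL_ATTRIBUTES:
        if not attrs.get(name, "").strip():
            problems.append(f"{name}: empty; reconciliation would not be performed")

    def expect(name: str, allowed: set) -> None:
        value = attrs.get(name, "").strip()
        if value and value not in allowed:  # empty values are already reported
            problems.append(f"{name}: {value!r} is not one of {sorted(allowed)}")

    expect("Filter Type (AND/OR)", {"AND", "OR", "NODATA"})
    for name in PRIVILEGE_FILTERS:
        expect(name, {"Yes", "No", "NODATA"})
    for name in ("Trial", "IsDebug", "isTrusted"):
        expect(name, {"Yes", "No"})
    count = attrs.get("trialCount", "").strip()
    if count and not (count.isdigit() and int(count) >= 1):
        problems.append(f"trialCount: {count!r} is not a natural number")
    # Assumption, not a documented rule: AND or OR with every filter still at
    # NODATA usually means a filter value was forgotten, so flag it.
    filters = PRIVILEGE_FILTERS + VALUE_FILTERS
    if attrs.get("Filter Type (AND/OR)") in {"AND", "OR"} and all(
            attrs.get(n) == "NODATA" for n in filters):
        problems.append("Filter Type (AND/OR) is AND/OR but every filter is NODATA")
    return problems
```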

3.1.4.1.3 GetData User Reconciliation Scheduled Task

The following scheduled tasks are used to fetch user data from the file on the target system server to Oracle Identity Manager:

  • RACF getdata job reconciliation

  • RACF getdata job trusted reconciliation

Note:

You must specify values for the attributes of one of these scheduled tasks. You must configure the GetData scheduled task to run after the SubmitJob scheduled task.

Note:

  • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

  • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

Attribute: Server
Description: Name of the IT resource instance that the connector uses to reconcile data
Value: IT resource instance name. For example, RACF Server

Attribute: RACF Source Directory
Description: Specifies the IBM RACF directory in which IBM RACF scripts are stored
Sample value: ADTTAR.DT250207.CNTL

Attribute: Target System Old User File
Description: Name of the file that IBM RACF uses to store the old image of the IBM RACF database. For first-time reconciliation, provide a dummy file name. You must ensure that this file does not exist on the IBM Mainframe. From the second reconciliation run onward, the value must be the same as the value of the Target System Old User File attribute used during the first reconciliation run.
Value: Fully qualified PDS name. Sample value: adttar.oldfile.fri112

Attribute: Job Name Path
Description: Name and path of the file that stores information about the task running on the mainframe. The next task checks this file to determine the status of the current task.
Sample value: C:/dummyfile.txt

Attribute: Target System Filter File
Description: Specifies the fully qualified name of the PS file that is used to store filter file information
Sample value: adttar.racf08.work

Attribute: System Parameter file Name
Description: Specifies the fully qualified name of the PS file that is used to upload the SYSTMDAT file
Sample value: adttar.systmdat

Attribute: Target System Recon - Resource Object name
Description: Name of the resource object
Value: Resource object name. Sample value: RACF Server

Attribute: isTrusted
Description: Specifies whether or not trusted source reconciliation is to be performed
Value: Yes or No

After you specify values for these task attributes, go to Step 10 of the procedure to create scheduled tasks.

3.2 Configuring Provisioning

As mentioned earlier in this guide, provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager.

Note:

You must perform the procedure described in this section if you want to use the provisioning features of Oracle Identity Manager for this target system.

You need not perform the procedure to compile adapters if you have performed the procedure described in "Installing the Connector on Oracle Identity Manager Release 9.1.0 or Later".

Adapters are used to implement provisioning functions. The following adapters are imported into Oracle Identity Manager when you import the connector XML file:

See Also:

The "Supported Functionality" section for a listing of the provisioning functions that are available with this connector

You must compile these adapters before they can be used in provisioning operations.

To compile adapters by using the Adapter Manager form:

  1. Open the Adapter Manager form.

  2. To compile all the adapters that you import into the current database, select Compile All.

    To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select Compile Selected.

    Note:

    Click Compile Previously Failed to recompile only those adapters that were not compiled successfully. Such adapters do not have an OK compilation status.

  3. Click Start. Oracle Identity Manager compiles the selected adapters.

  4. If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the OIM_HOME/xellerate/Adapter directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.

If you want to compile one adapter at a time, then use the Adapter Factory form.

See Also:

Oracle Identity Manager Tools Reference Guide for information about using the Adapter Factory and Adapter Manager forms

To view detailed information about an adapter:

  1. Highlight the adapter in the Adapter Manager form.

  2. Double-click the row header of the adapter, or right-click the adapter.

  3. Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.

3.3 Configuring the Connector for Multiple Installations of the Target System

Note:

Perform this procedure only if you want to configure the connector for multiple installations of IBM RACF.

You may want to configure the connector for multiple installations of IBM RACF. The following example illustrates this requirement:

The Tokyo, London, and New York offices of Example Multinational Inc. have their own installations of IBM RACF. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of IBM RACF.

To meet the requirement posed by such a scenario, you must configure the connector for multiple installations of IBM RACF.

To configure the connector for multiple installations of the target system:

See Also:

Oracle Identity Manager Design Console Guide for detailed instructions on performing each step of this procedure

  1. Create and configure one IT resource for each target system installation.

    The IT Resources form is in the Resource Management folder. An IT resource is created when you import the connector XML file. You can use this IT resource as the template for creating the remaining IT resources of the same IT resource type.

  2. Configure reconciliation for each target system installation. Refer to the "Configuring Reconciliation" section for instructions. Note that you only need to modify the attributes that are used to specify the IT resource and to specify whether or not the target system installation is to be set up as a trusted source.

  3. If required, modify the fields to be reconciled for the Xellerate User resource object.

When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the IBM RACF installation to which you want to provision the user.