Oracle® Identity Manager Connector Guide for IBM RACF Standard
Release 9.0.4

Part Number E10427-03

1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. This guide discusses the procedure to deploy the connector that is used to integrate Oracle Identity Manager with IBM RACF Standard.

This chapter contains the following sections:

Note:

In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.

At some places in this guide, IBM RACF Standard has been referred to as the target system.

1.1 Reconciliation Module

Reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. It is an automated process initiated by a scheduled task that you configure.

See Also:

The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Concepts Guide for conceptual information about reconciliation configurations

Based on the type of data reconciled from the target system, reconciliation can be divided into the following types:

1.1.1 Lookup Fields Reconciliation

Lookup fields reconciliation involves reconciling the following lookup fields of IBM RACF:

  • Group

  • TSO Procedure

  • TSO Account Number

1.1.2 User Reconciliation

User reconciliation involves reconciling the following user attributes in IBM RACF Standard.

| Name | Description | Data Type |
|---|---|---|
| **User General Data** | | |
| userid | User ID on the RACF system | String |
| owner | Owner of the user | String |
| name | Display name of the user | String |
| default group | Default group associated with the user | String |
| operations | Operations privilege | Number |
| auditor | Auditor privilege | Number |
| special | Special privilege | Number |
| grp access | Group access privilege | Number |
| department | Department name | String |
| **User Group Data** | | |
| Groups | Child table | Multivalued attribute |
| group name | Group name | String |
| revoke date | Revoke date associated with group | String |
| authorisation | Authorization privilege | String |
| **User TSO Data** | | |
| TSO | Child table | Multivalued attribute |
| account number | TSO account number | String |
| procedure | TSO procedure name | String |

1.1.3 Reconciled Xellerate User (OIM User) Fields

The following target system fields are reconciled only if trusted source reconciliation is implemented:

  • User ID

  • First Name

  • Last Name

  • Organization

  • User Type

  • Employee Type

1.2 Provisioning Module

Provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager. You use the Oracle Identity Manager Administrative and User Console to perform provisioning operations.

See Also:

The "Deployment Configurations of Oracle Identity Manager" section in Oracle Identity Manager Connector Concepts Guide for conceptual information about provisioning

For this target system, the following fields are provisioned:

1.3 Supported Functionality

The following table lists the functions that are available with this connector.

| Function | Type | Description |
|---|---|---|
| Create RACF New User | Provisioning | Creates a user account |
| Delete a RACF User | Provisioning | Deletes a user account |
| Name Updated | Provisioning | Changes the name of a user account |
| Password Updated | Provisioning | Changes the password of a user account |
| Department Updated | Provisioning | Changes the department of a user account |
| Default Group Updated | Provisioning | Changes the default group of a user account |
| Installation data Updated | Provisioning | Changes the installation data of a user account. Installation data is a field that can contain any installation, system, or project-related data. |
| Operations Updated | Provisioning | Changes the Operations attribute of a user account |
| Special Updated | Provisioning | Changes the Special attribute of a user account |
| Auditor Updated | Provisioning | Changes the Auditor attribute of a user account |
| Group Access Updated | Provisioning | Changes the Group Access attribute of a user account |
| Enables a RACF User | Provisioning | Enables a user account so that the user is able to log in to the IBM Mainframe server |
| Disables a RACF User | Provisioning | Disables a user account so that the user is not able to log in to the IBM Mainframe server |
| Connect Group | Provisioning | Connects a user to a group in IBM RACF |
| Disconnect Group | Provisioning | Removes a user from a group in IBM RACF |
| Add TSO to a User | Provisioning | Provides Time Sharing Options (TSO) access to a user. TSO is one of the subsystems in z/OS in IBM Mainframes. |
| Remove TSO | Provisioning | Removes TSO access from a user |
| Reconcile Lookup Field | Reconciliation | Reconciles the lookup fields |
| Reconcile User Data | Reconciliation | Reconciles user data |

See Also:

Appendix A for information about attribute mappings between Oracle Identity Manager and IBM RACF Standard.

1.4 Multilanguage Support

The connector supports the following languages:

Note:

IBM RACF does not support the entry of non-ASCII characters. Refer to Chapter 5 for more information about this limitation.

See Also:

Oracle Identity Manager Globalization Guide for information about supported special characters

1.5 Files and Directories on the Installation Media

The files and directories on the installation media are listed and described in Table 1-1.

Table 1-1 Files and Directories on the Installation Media

File in the Installation Media Directory Description
configuration/IBM RACF Standard-CI.xml

This XML file contains configuration information that is used during connector installation.

lib/xlUtilHostAccess.jar

This JAR file contains the class files that are required for provisioning. During connector deployment, this file is copied into the following directory:

OIM_HOME/xellerate/JavaTasks

lib/xlReconRACF.jar

This JAR file contains the class files that are required for reconciliation. During connector deployment, this file is copied into the following directory:

OIM_HOME/xellerate/ScheduleTask

ext/CustomizedCAs.jar

This file is used to set up an SSL connection between Oracle Identity Manager and the IBM Mainframe server.

config/InitialLoginSequence.txt

This file contains the login sequence that the connector uses to connect to the IBM Mainframe server. The login sequence contains the sequence of values to be provided to the Telnet session between the connector and the IBM Mainframe server. These values are required to navigate through the various screens that are part of the TSO login process before reaching the READY prompt on the mainframe target server.

The values in this file are supplied in the form of variables that hold IT resource values and literals. This machine-dependent file must be altered after deployment.

config/InputFields.txt

This file contains values for the connection parameters that are required to connect to the IBM Mainframe server. This file is used with the testing utility.

config/LogOutSequence.txt

This file contains the logoff sequence that the connector uses to log off from the IBM Mainframe server. The logoff sequence contains the sequence of values to be provided to the Telnet session between the connector and the IBM Mainframe server. These values are required to navigate through the various screens that are part of the TSO logoff process from the READY prompt on the mainframe target server.

The values in this file are supplied in the form of variables that hold IT resource values and literals. This machine-dependent file must be altered after deployment.

scripts/DATAEXTT

This file uses the decrypted copy of the IBM RACF database to extract user-related records required for reconciliation into temporary files. It is a member of a procedure library on the IBM Mainframe server.

scripts/DATAUNLD

This file merges the data from the SYSTMDAT and JCLSRC files into a temporary file to submit a background job. This background job prepares a decrypted copy of the IBM RACF database and then calls the individual REXX code scripts to format the data.

scripts/JCLSRC

This file is used to submit the background job for use in reconciliation. It is a member of a procedure library on the IBM Mainframe server. A procedure library is a partitioned dataset containing member files.

scripts/JOBSTAT

This file determines the status of a background job used for reconciliation. It is a member of a procedure library on the IBM Mainframe server.

scripts/RECNLKUP

This file provides lookup fields data. It is a member of a procedure library on the IBM Mainframe server.

scripts/RXDIFFER

This file provides differences between the old and new database images. It is a member of a procedure library on the IBM Mainframe server.

scripts/RXDPTADD

This file copies the user's department data from a temporary file and adds this information to the user's basic data. It is a member of a procedure library on the IBM Mainframe server.

scripts/RXGRPADD

This file copies the user's group privilege data from a temporary file and adds this information to the user's basic data. It is a member of a procedure library on the IBM Mainframe server.

scripts/RXPRNTDT

This file carries user reconciliation data from the IBM Mainframe to Oracle Identity Manager. It is a member of a procedure library on the IBM Mainframe server.

scripts/RXPRVADD

This file copies the user's connect privilege data from a temporary file and adds this information to the user's basic data. It is a member of a procedure library on the IBM Mainframe server.

scripts/RXTSOADD

This file copies the user's TSO data from a temporary file and adds this information to the user's basic data. It is a member of a procedure library on the IBM Mainframe server.

scripts/SYSTMDAT

This file is used to provide job configuration parameters to the mainframe system.

Files in the resources directory

Each of these resource bundles contains language-specific information that is used by the connector. During connector deployment, this file is copied into the following directory:

OIM_HOME/xellerate/connectorResources

Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console.

test/config/config.properties

This testing utility file holds the input data that you provide for each test.

test/config/log.properties

This testing utility file holds log data that is generated after each test.

test/scripts/RACF.sh
test/scripts/RACF.bat

This file is used to run the testing utility.

xml/RACFnonTrusted.xml

These XML files contain definitions for the following components of the connector:

  • IT resource type

  • IT resource

  • Resource object form

  • Process definition

  • Process tasks

  • Connector tasks

xml/RACFTrusted.xml

This XML file contains the configuration for the Xellerate User (OIM User). You must import this file only if you plan to use the connector in trusted source reconciliation mode.


Note:

The files in the test directory are used only to run tests on the connector.

1.6 Determining the Release Number of the Connector

You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:

  1. In a temporary directory, extract the contents of the following JAR file:

    OIM_HOME/xellerate/JavaTasks/xlUtilHostAccess.jar
    
  2. Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the xlUtilHostAccess.jar file.

    In the manifest.mf file, the release number of the connector is displayed as the value of the Version property.
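
The same check can be scripted so the JAR does not have to be unpacked to disk, which is useful when auditing several Oracle Identity Manager servers for the deployed connector release. The following Python sketch is an added example, not part of the connector or of Oracle's documentation; it assumes the manifest sits in the standard JAR location, and the in-memory sample JAR and its Version value are constructed for illustration.

```python
import io
import sys
import zipfile

def parse_main_section(text):
    """Return the main-section attributes of a JAR manifest as a dict."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            if attrs:
                break  # a blank line ends the main section
            continue
        if line.startswith(" ") and key is not None:
            attrs[key] += line[1:]  # continuation of a wrapped value
            continue
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()  # attribute names are case-insensitive
            attrs[key] = value.strip()
    return attrs

def connector_release(jar):
    """Read the Version property from the manifest inside a JAR (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        names = [n for n in zf.namelist() if n.lower().endswith("manifest.mf")]
        if not names:
            raise FileNotFoundError("no manifest.mf found in the JAR")
        text = zf.read(names[0]).decode("utf-8", errors="replace")
    attrs = parse_main_section(text)
    if "version" not in attrs:
        raise KeyError("manifest has no Version property")
    return attrs["version"]

def build_sample_jar():
    """Constructed stand-in for xlUtilHostAccess.jar; the Version value is made up."""
    manifest = ("Manifest-Version: 1.0\r\nVersion: 0.0.0-con\r\n structed\r\n"
                "\r\nName: per-entry/section\r\nVersion: ignored\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Pass the deployed JAR path as the first argument; otherwise use the sample.
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    print("Connector release:", connector_release(source))
```

The parser joins wrapped manifest lines and stops at the first blank line, so a Version attribute in a later per-entry section is not mistaken for the connector release.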