Oracle® Identity Manager Connector Guide for IBM RACF Advanced
Release 9.0.4

Part Number E10451-04

4 Configuring Reconciliation

This connector enables real-time reconciliation of user data from IBM RACF. After you deploy the connector and import existing user data from the target system to Oracle Identity Manager, you need not depend on a scheduled task to initiate reconciliation runs with the target system.

This chapter discusses the following topics:

  • Configuring Trusted Source Reconciliation

  • Running Initial Reconciliation

  • Configuring Account Status Reconciliation

Configuring Trusted Source Reconciliation

The XML file for trusted source reconciliation, racfTrustedXellerateUser.xml, contains definitions of the connector components that are used for trusted source reconciliation. To import this XML file:

Note:

The procedure described in this section enables trusted source reconciliation for both the initial reconciliation run and subsequent, real-time reconciliation runs.

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for opening files is displayed.

  4. Locate and open the racfTrustedXellerateUser.xml file, which is in the OIM_HOME/xellerate/XLIntegrations/racf/xml directory. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Import.

  8. In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.

Running Initial Reconciliation

The initial reconciliation run involves importing user data from the target system into Oracle Identity Manager, immediately after you deploy the connector.

To start the initial reconciliation run:

  1. Ensure that properties that are common to both the run script and the run_initial_recon_provisioning script have the same values.

    The run script is in the LDAP_INSTALL_DIR/bin directory. The run_initial_recon_provisioning script is in the OIM_HOME/xellerate/JavaTasks directory.

  2. In a text editor, open the initialRacfAdv.properties file. This file is in the following directory:

    OIM_HOME/xellerate/JavaTasks
    
  3. In the initialRacfAdv.properties file, specify values for the properties that control the initial reconciliation script.

    Note:

    Ensure that properties that are common to both the initialRacfAdv.properties file and racfConnection.properties file have the same values.

    The following is a description of some of the properties in the file:

    • idfTrusted

      Enter true as the value of this property to specify that you want to perform trusted source reconciliation with the target system.

    • userFile

      Enter the name of the TXT file in which you have stored the user IDs of the target system users that you want to reconcile. This file must be placed in the following directory:

      OIM_HOME/xellerate/JavaTasks
      

      For more information about this file, see the sample user.txt file in the scripts directory on the installation media.

    The following is a sample set of values for the properties in the initialRacfAdv.properties file:

    xlAdminId:xelsysadm
    idfTrusted:true
    _resourceObject_:OIMRacfResourceObject
    _itResource_:RacfResource
    _dummyPwd_:Pwd123
    isFileRecon:true
    userFile:user.txt
    #REMOVED: sn,givenName,revoke,passwordExpire,
    reconAttrs:uid,cn,userPassword,revokeDate,resumeDate,defaultGroup,owner,instdata,omvsUid,omvsHome,omvsProgram,waaccnt,waaddr1,waaddr2,waaddr3,waaddr4,wabldg,wadept,waname,waroom
    tsoReconAttrs:tsoAcctNum,tsoProc,tsoSize,tsoUnit,tsoUserdata,tsoCommand,tsoDest,tsoHoldclass,tsoMsgclass,tsoMaxSize,tsoSysoutclass,tsoJobclass
    idfServerUrl:ldap://localhost:5389
    idfAdminDn:cn=idfRacfAdmin, dc=racf,dc=com
    idfAdminPwd:idfRacfPwd
    ouPeople:ou=People
    ouGroups:ou=Groups
    ouDatasets:ou=Datasets
    ouResources:ou=Resources
    ouFacilities:ou=Facilities
    ouBaseDn:dc=racf,dc=com
    idfSystemAdminDn:cn=Directory Manager, dc=system,dc=backend
    idfSystemAdminPwd:testpass
    idfSystemDn:dc=system,dc=backend
    
  4. In a text editor, open the run_initial_recon_provisioning script. This file is in the following directory:

    OIM_HOME/xellerate/JavaTasks
    
  5. To perform trusted source reconciliation:

    Note:

    Ignore step 5 if you want to run target resource reconciliation only.

    1. Set the value of the JV parameter in the script to -X to reconcile Xellerate User.

    2. Run the script.

      When you run the script, it opens the file (whose name is the value of the userFile property) containing user data and reads the user IDs of the users that you want to reconcile. Then, the loader, which is the initial load script, connects to the LDAP Gateway and issues commands to fetch the required user data from the target system. This data is loaded in the LDAP Gateway cache and reconciliation events are submitted to Oracle Identity Manager. Xellerate Users are created for all the target system users identified by the userFile property in the initialRacfAdv.properties file.

    3. In the run_initial_recon_provisioning script, change the value of the JV parameter to -R to run target resource reconciliation.

    4. Run the script again.

      Because you have set the value of the JV parameter in the script to -R, target resource reconciliation is performed when you run the script. Resources are assigned to each OIM User that was created when you first ran the script.

  6. To perform target resource reconciliation only:

    Note:

    Ignore step 6 if you want to run trusted source reconciliation.

    1. In a text editor, open the initialRacfAdv.properties file and enter false as the value of the idfTrusted property to specify that you want to perform target resource reconciliation with the target system.

      Make the same change in the racfConnection.properties file.

  2. In the run_initial_recon_provisioning script, change the value of the JV parameter to -P to run target resource reconciliation.

    3. Run the script again.

      Because you have set the value of the JV parameter in the script to -P, target resource reconciliation is performed when you run the script.

After the initial reconciliation run ends, real-time reconciliation takes over and newly created or modified user data is automatically reconciled into Oracle Identity Manager.

Configuring Account Status Reconciliation

When a user is disabled or enabled on the target system, the user is reconciled and the changed status is reflected in Oracle Identity Manager. To reconcile a user after a change of the user's status on the mainframe system, perform the following configuration steps:

  1. In the LDAP_INSTALL_DIR directory, add the name of the status attribute to the reconAttrs section of the racfConnection.properties file.

    Make the same change in the initialRacfAdv.properties file, which is in the OIM_HOME/xellerate/JavaTasks directory.

  2. Restart the LDAP Gateway for the changes to take effect.

  3. In the Design Console:

    See Also:

    Oracle Identity Manager Design Console Guide for detailed information about the following steps.

    • In the OIMRacfResourceObject resource object, create a field to represent the status attribute.

    • In the OIMRacfProvisioningProcess process definition, map the field for the status attribute to the OIM_OBJECT_STATUS field.
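The note under step 3 of "Running Initial Reconciliation" requires properties shared by initialRacfAdv.properties and racfConnection.properties to carry identical values, and step 1 of "Configuring Account Status Reconciliation" requires the status attribute to appear in reconAttrs in both files. The following script, an added example that is not part of the Oracle connector or its scripts, parses both files and reports violations of either rule; the two sample files are constructed inline, and the status attribute name revoke is an assumed placeholder for whatever attribute your RACF configuration uses.

```python
# Added example, not part of the Oracle connector or its scripts: parse two of the
# connector's Java-style properties files, report keys both define with different
# values (the guide requires them to match), and check that reconAttrs lists a
# required attribute such as the RACF status attribute. Sample files constructed.
import re

def parse_properties(text):
    """Java .properties: '#'/'!' comments, key:value or key=value, trimmed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^:=\s]+)\s*[:=]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def common_key_mismatches(a, b):
    """{key: (a_value, b_value)} for keys both files define differently."""
    return {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]}

def missing_recon_attrs(props, required, key="reconAttrs"):
    """Attributes from `required` absent from the comma-separated list."""
    present = {s.strip() for s in props.get(key, "").split(",") if s.strip()}
    return [attr for attr in required if attr not in present]

INITIAL_PROPS = """\
idfTrusted:true
reconAttrs:uid,cn,userPassword,revokeDate,resumeDate,defaultGroup,owner
idfAdminDn:cn=idfRacfAdmin, dc=racf,dc=com
"""
CONNECTION_PROPS = """\
# racfConnection.properties (constructed); idfTrusted was left at false
idfTrusted=false
reconAttrs=uid,cn,userPassword,revokeDate,resumeDate,defaultGroup,owner,revoke
idfAdminDn=cn=idfRacfAdmin, dc=racf,dc=com
"""

def check(initial_text, connection_text, status_attr):
    """Run both checks; a clean configuration yields no mismatches and no gaps."""
    init, conn = parse_properties(initial_text), parse_properties(connection_text)
    return {"mismatches": common_key_mismatches(init, conn),
            "missing": {"initialRacfAdv": missing_recon_attrs(init, [status_attr]),
                        "racfConnection": missing_recon_attrs(conn, [status_attr])}}

if __name__ == "__main__":
    # "revoke" is an assumed status attribute name; substitute your own.
    print(check(INITIAL_PROPS, CONNECTION_PROPS, "revoke"))
```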