Oracle® Identity Manager Connector Guide for IBM RACF Advanced Release 9.0.4 Part Number E10451-04
The Oracle Identity Manager Connector for IBM RACF provides a native interface between IBM RACF installed on a z/OS mainframe and Oracle Identity Manager. The connector functions as a trusted virtual administrator on the target system, performing tasks such as creating login IDs, suspending IDs, and changing passwords. In addition, it automates some of the functions that administrators usually perform manually.
The connector enables provisioning and reconciliation with the IBM RACF security facilities.
This chapter discusses the following topics:
Table 1-1 lists the certified deployment configurations.
Table 1-1 Certified Deployment Configurations
Note:
The LDAP Gateway uses the target system user account that you create for Oracle Identity Manager. Therefore, it has the privileges required to access and operate with the Reconciliation Agent and Provisioning Agent.
Between the Oracle Identity Manager and mainframe environments, Oracle Identity Manager supports the TCP/IP message transport layer.
For the TCP/IP message transport layer, ports 5190 and 5790 are the default ports for the Reconciliation Agent and Provisioning Agent, respectively. You can change the ports for these agents.
The procedure to configure this message transport layer is described later in this guide.
APF stands for the IBM Authorized Program Facility. Granting APF Authorized status to a program is similar to giving it superuser status: an APF-authorized program runs without normal system administrators being able to query or interfere with its operation. Both the program that runs on the mainframe system and the user account it runs under must have APF authorization. For example, the Provisioning Agent user account must also have APF authorization.
Note:
APF authorization is usually done by a mainframe administrator. If you do not have the required authority to perform such tasks, you should arrange to enlist the assistance of someone who is qualified to perform these tasks.
The connector supports the following languages:
Arabic
Chinese (Simplified)
Chinese (Traditional)
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
Note:
In this guide, the Oracle Identity Manager Connector for IBM RACF is referred to as the IBM RACF Advanced connector.
The IBM RACF Advanced connector includes the following components:
LDAP Gateway: The LDAP Gateway receives instructions from Oracle Identity Manager in the same way as any LDAP version 3 identity store. These LDAP commands are then converted into native mainframe commands for IBM RACF and sent to the Provisioning Agent. The response, which is also native to IBM RACF, is parsed into an LDAP-format response and returned to Oracle Identity Manager.
Pioneer Provisioning Agent: The Pioneer Provisioning Agent is a mainframe component. It receives native mainframe IBM RACF provisioning commands from the LDAP Gateway. These requests are processed against the IBM RACF authentication repository. The response is parsed and returned to the LDAP Gateway.
Note:
At some places in this guide, the Pioneer Provisioning Agent is referred to as the Provisioning Agent or Pioneer.
Voyager Reconciliation Agent: The Voyager Reconciliation Agent captures native mainframe events by using advanced exit technology for seamless reconciliation with Oracle Identity Manager through the LDAP Gateway. Exits are programs that are run after a system event in IBM RACF is processed. The Reconciliation Agent captures, in real time, events originating from TSO logins, the command prompt, batch jobs, and other native sources, and transforms them into notification messages that are delivered to Oracle Identity Manager through the LDAP Gateway.
Note:
At some places in this guide, the Voyager Reconciliation Agent is referred to as the Reconciliation Agent or Voyager.
Message Transport Layer: The message transport layer enables the exchange of messages between the LDAP Gateway and the Reconciliation Agent and Provisioning Agent. You can use the TCP/IP messaging protocol for the message transport layer:
TCP/IP with Advanced Encryption Standard (AES) encryption using 128-bit cryptographic keys. The IBM RACF Advanced connector supports a message transport layer by using the TCP/IP protocol, which is functionally similar to proprietary message transport layer protocols.
See Also:
Appendix B, "Connector Architecture" for more information about the connector architecture and configuration of the message transport layer
This section discusses the following topics:
The Pioneer Provisioning Agent supports the following functions:
Standard IBM RACF user profile commands:
[ADDUSER]: Creates an IBM RACF user profile
[ALTUSER]: Modifies an existing IBM RACF user profile
[DELUSER]: Deletes an IBM RACF user profile
Standard IBM RACF group profile commands:
[CONNECT]: Adds an IBM RACF user to a group
[REMOVE]: Removes an IBM RACF user from a group
Standard IBM RACF data set and resource profile commands:
[PERMIT]: Provides data set or resource profile access to a user
The functions supported by the Provisioning Agent are described in the following table:
Function | Description |
---|---|
Change passwords | Changes user passwords on IBM RACF in response to password changes made on Oracle Identity Manager through user self-service. |
Reset passwords | Resets user passwords on IBM RACF. The passwords are reset by the administrator. |
Create users | Adds new users in IBM RACF. |
Modify users | Modifies user information in IBM RACF. |
Revoke user accounts | Sets IBM RACF users to a REVOKED state. |
Resume user accounts | Sets IBM RACF users to an ENABLED state. |
Add user to group | Connects users with an IBM RACF group. |
Remove user from group | Disconnects users from an IBM RACF group. |
Permit user to dataset | Permits users to be part of the data set ACL and gives them access rights to the data set. |
Remove user from dataset | Removes users from the data set ACL. |
Permit user to general resource | Permits users to be part of the resource ACL and gives them access rights to the resource. |
Remove user from general resource | Removes users from the resource ACL. |
Grant user to TSO segment | Provides TSO access and information to users. |
Grant user to OMVS segment | Provides OMVS information to users. |
The Voyager Reconciliation Agent supports reconciliation of changes made to user profiles by commands such as ADDUSER or ALTUSER. If such a command includes a user's password, the password is reconciled as well.
The Reconciliation Agent supports the following functions:
Change passwords
Reset passwords
Create user data
Modify user data
Revoke users
Resume users
Delete users
The following attributes are reconciled between IBM RACF and Oracle Identity Manager:
See Also:
Appendix A, "Field Mapping Between IBM RACF and Oracle Identity Manager" for the descriptions of these fields
Oracle Identity Manager Gateway Attribute | IBM RACF Attribute |
---|---|
cn | NAME |
defaultGroup | DEFAULT-GROUP |
instdata | DATA |
omvsHome | HOME |
omvsProgram | PROGRAM |
omvsUid | UID |
owner | OWNER |
resumeDate | RESUME DATE |
revokeDate | REVOKE DATE |
tsoAcctNum | ACCTNUM |
tsoCommand | COMMAND |
tsoDest | DEST |
tsoHoldclass | HOLDCLASS |
tsoJobclass | JOBCLASS |
tsoMaxSize | MAXSIZE |
tsoMsgclass | MSGCLASS |
tsoProc | PROC |
tsoSize | SIZE |
tsoSysoutclass | SYSOUTCLASS |
tsoUnit | UNIT |
tsoUserdata | USERDATA |
uid | USER |
userPassword | PASSWORD |
waaccnt | WAACCNT |
waaddr1 | WAADDR1 |
waaddr2 | WAADDR2 |
waaddr3 | WAADDR3 |
waaddr4 | WAADDR4 |
wabldg | WABLDG |
wadept | WADEPT |
waname | WANAME |
waroom | WAROOM |
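As an added example (not code from the Oracle connector or the LDAP Gateway), the following Python parser takes an ADDUSER or ALTUSER command string of the kind the Reconciliation Agent captures and maps its operands to the gateway attribute names in the table above, so a reconciliation event can be inspected on the Oracle Identity Manager side. The ADDUSER/ALTUSER keyword and segment spellings (DFLTGRP, TSO(...), OMVS(...), WORKATTR(...)) are standard RACF command syntax assumed here rather than taken from this page, and the sample command in the test is constructed.

```python
import re
# Gateway attribute by RACF segment and command keyword, per the table above.
# Keyword/segment spellings are standard ADDUSER/ALTUSER syntax assumed here.
SEGMENT_ATTRS = {
    None: {"NAME": "cn", "DFLTGRP": "defaultGroup", "OWNER": "owner", "DATA": "instdata",
           "PASSWORD": "userPassword", "REVOKE": "revokeDate", "RESUME": "resumeDate"},
    "TSO": {"ACCTNUM": "tsoAcctNum", "COMMAND": "tsoCommand", "DEST": "tsoDest",
            "HOLDCLASS": "tsoHoldclass", "JOBCLASS": "tsoJobclass", "MAXSIZE": "tsoMaxSize",
            "MSGCLASS": "tsoMsgclass", "PROC": "tsoProc", "SIZE": "tsoSize",
            "SYSOUTCLASS": "tsoSysoutclass", "UNIT": "tsoUnit", "USERDATA": "tsoUserdata"},
    "OMVS": {"HOME": "omvsHome", "PROGRAM": "omvsProgram", "UID": "omvsUid"},
    "WORKATTR": {k: k.lower() for k in "WAACCNT WAADDR1 WAADDR2 WAADDR3 WAADDR4 WABLDG WADEPT WANAME WAROOM".split()},
}

def _unquote(val):  # strip RACF quotes and un-double embedded ones: 'O''BRIEN' -> O'BRIEN
    return val[1:-1].replace("''", "'") if len(val) > 1 and val[0] == val[-1] == "'" else val

def _closing_paren(text, start):  # index of the ')' matching text[start], skipping quoted text
    depth, quoted = 0, False
    for j, c in enumerate(text[start:], start):
        quoted = (not quoted) if c == "'" else quoted
        if not quoted and c in "()":
            depth += 1 if c == "(" else -1
            if depth == 0:
                return j
    raise ValueError("unbalanced parentheses in operands")

def _operands(text, segment, out):  # walk KEYWORD / KEYWORD(value) operands into out
    text, i = text.strip(), 0
    while i < len(text):
        m = re.match(r"\s*([A-Z0-9@#$]+)", text[i:])
        if not m:
            raise ValueError("unexpected operand text: %r" % text[i:i + 12])
        kw, i, val = m.group(1), i + m.end(), None
        if i < len(text) and text[i] == "(":
            j = _closing_paren(text, i)
            val, i = text[i + 1:j], j + 1
        if kw in SEGMENT_ATTRS and val is not None:
            _operands(val, kw, out)                  # TSO(...), OMVS(...), WORKATTR(...)
        elif val is None:
            out.setdefault("flags", []).append(kw)   # bare keyword, e.g. REVOKE with no date
        elif kw in SEGMENT_ATTRS.get(segment, {}):
            out[SEGMENT_ATTRS[segment][kw]] = _unquote(val)
    return out

def parse_user_command(line):  # -> (command, {gateway attribute: value}) for ADDUSER/ALTUSER
    m = re.match(r"\s*(ADDUSER|AU|ALTUSER|ALU)\s+([A-Z0-9@#$]{1,8})(?=\s|$)(.*)", line, re.S)
    if not m:
        raise ValueError("not an ADDUSER/ALTUSER command")
    return m.group(1), _operands(m.group(3), None, {"uid": m.group(2)})
```

Unrecognized operands are ignored, and bare keywords such as a REVOKE with no date are collected under "flags" so an immediate revoke is not lost.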
The IBM RACF Advanced connector deployment involves deploying the LDAP Gateway, Reconciliation Agent, and Provisioning Agent. This document assumes that the LDAP Gateway is deployed on the same system as Oracle Identity Manager. The Reconciliation Agent and Provisioning Agent are deployed on the mainframe.
These procedures are described in the following chapters:
Chapter 2, "Connector Deployment on Oracle Identity Manager" provides instructions for deploying the LDAP Gateway on the Oracle Identity Manager system. This procedure involves configuring Oracle Identity Manager, importing the connector XML file, compiling adapters, installing the LDAP Gateway, and configuring the message transport layer.
Chapter 3, "Connector Deployment on IBM RACF" describes the procedure to deploy the Reconciliation Agent and Provisioning Agent on the mainframe. It is recommended that you perform this procedure with the assistance of the systems programmer.
Chapter 4, "Configuring Reconciliation" describes the procedure to run initial reconciliation and to configure trusted source reconciliation and account status reconciliation.
Chapter 5, "Troubleshooting" states the problem scenarios commonly associated with the connector and the possible solutions to those problems. In addition, this chapter discusses some guidelines on using the connector.
Chapter 6, "Known Issues" lists the known issues associated with this release of the connector.
Appendix A, "Field Mapping Between IBM RACF and Oracle Identity Manager" describes the user field mapping, group field mapping, and resource profile field mapping between Oracle Identity Manager and IBM RACF.