Oracle® Identity Manager Connector Guide for IBM OS/400 Advanced Release 9.0.4 Part Number E10452-04
You must install the Reconciliation Agent component of the connector on the mainframe. The following sections describe the installation and configuration of this agent and of the exits required for this agent:
Both the Reconciliation Agent and Provisioning Agent need a started task and service account that has the privileges required to run IBM OS/400 system commands on the mainframe.
In addition, these agents function under a user account on the mainframe. This user account must be created by the systems programmer before you deploy the agents.
Note:
Both the Provisioning Agent and Reconciliation Agent user accounts require the SystemAdministrators group privileges on the OS/400 system.
The Reconciliation Agent operates by using user exit technology, outside the mainframe operating system. This means that it runs in a different LPAR from the operating system.
A command execution is passed through an exit just before the native mainframe command completes. If the exit fails, then the command fails and returns an error message. Enforcing a specific password format is one example of what custom exits are used for. Oracle Identity Manager exits are engineered to be the last exits called in sequence, which allows the existing exits to function normally. After modifying exits within an LPAR, an initial program load (IPL) of the LPAR may be required.
You must deploy the Reconciliation Agent on the target system. The Provisioning Agent does not require any special configuration during the connector deployment. To use the provisioning functionality of this connector, you must ensure that the LDAP Gateway and the message transport layer are configured correctly.
See Also:
"Installing and Configuring the LDAP Gateway" for the procedure to install and configure the LDAP Gateway
"Configuring the Message Transport Layer" for the procedure to install and configure the message transport layer
To deploy the Reconciliation Agent:
Transmit or FTP the /etc/Provisioning and Reconciliation Connector/OIMIDFEX.SAVF file to any directory on the mainframe.
Note:
For this procedure, the directory to which this file is transmitted will be referred to as LSVALGAARD.
To view the contents of the OIMIDFEX.SAVF file, run the DSPSAVF command as shown:
DSPSAVF FILE(SAMPLIB/OIMIDFEX)
The following is the output of the DSPSAVF command:
==============================================================================
                      Display Saved Objects - Save File

Library saved . . . :   ORIGLIB         Release level . . . :   V4R5M0
ASP . . . . . . . . :   1               Data compressed . . :   No
Save file . . . . . :   OIMIDFEX        Objects displayed . :   3
  Library . . . . . :   ORIGLIB         Objects saved . . . :   3
Records . . . . . . :   688             Access paths . . . . :  0
Save command . . . . :  SAVOBJ          Save active . . . . :   *NO
Save date/time . . . :  01/20/07 01:28:35

Type options, press Enter.
  5=Display saved data base file members

Opt  Object      Type     Attribute  Owner      Size (K)  Data
     XUSRPWD     *PGM     CLE        ORIGLIB         236  YES
     NOTIFY      *PGM     CLE        ORIGLIB          68  YES
     QCSRC       *FILE    PF         ORIGLIB          24  YES

F3=Exit   F12=Cancel
===============================================================================
Restore the objects in the OIMIDFEX.SAVF file by running the RSTOBJ (restore object) command. The following is the syntax for this command:
RSTOBJ OBJ(*ALL) SAVLIB(ORIGLIB) DEV(*SAVF) SAVF(SAMPLIB/OIMIDFEX) RSTLIB(NEWLIB)
The RSTOBJ command restores the saved objects into a new target library. In the command:
The SAVLIB parameter takes the original library name as input. In the command, replace ORIGLIB with the original library name.
DEV(*SAVF) indicates that a savefile is used.
The SAVF parameter takes the directory name and file name of the savefile.
The RSTLIB parameter takes the new library in which you restore the save file objects. In the command, replace NEWLIB with the name of the new library.
If required, specify the general public library (QGPL) as the new target library. The QGPL is an existing library on IBM OS/400 that can be used by the system or a user.
After copying the connector save file to the LSVALGAARD directory, you install the exits for the Reconciliation Agent. As mentioned earlier, the connector exits are engineered to be the last exits called in sequence, allowing existing exits to function normally. To install the exits for the Reconciliation Agent:
Note:
The Reconciliation Agent can be installed using either a menu-driven or a command-driven installation protocol. The following procedure assumes the use of the menu-driven protocol.
Log in to the IBM OS/400 system as a system administrator.
Ensure that the connector library files and objects are present in the LSVALGAARD directory.
See Also:
"Deploying the Reconciliation Agent" for the procedure to copy the connector files to the LSVALGAARD directory
Start the WRKREGINF User Exit Registration program, as shown:
Parameters or command ===> WRKREGINF
In IBM OS/400, exit programs are called dynamically. This means that if an exit program is registered with the system, then you can replace the program with a new version, without the need to register the new version.
You must register the exit points that are required for the Reconciliation Agent with IBM OS/400. From the menu that is displayed when you run the WRKREGINF program, select option 8 for the exit points that you want to register, either as a group or one at a time. The following exits are registered:
QIBM_QSY_CHG_PROFILE   CHGP0100   *YES   Change User Profile
QIBM_QSY_CRT_PROFILE   CRTP0100   *YES   Create User Profile
QIBM_QSY_DLT_PROFILE   DLTP0200   *YES   Delete User Profile - before
QIBM_QSY_RST_PROFILE   RSTP0100   *YES   Restore User Profile
QIBM_QSY_VLD_PASSWRD   VLDP0100   *YES   Validate Password
Each exit point has an exit point format associated with it. The format that is passed to the exit program determines the format of the other information passed to it.
The CHG_PROFILE (change), CRT_PROFILE (create), and DLT_PROFILE (delete) exit points are used to change, create, and delete user profiles, respectively.
Note:
Deleting a user profile can take a long time because a user may own multiple objects and therefore be present on many lists and internal tables. After a user is deleted, cleaning up all the entries for the user takes a long time to process. Therefore, you can use a batch job to run the cleanup process. There are two delete points: before the start of the cleanup job and at the end of the cleanup job. This means that in the process of deleting the user profile, there are only two times when actions are monitored. The Reconciliation Agent monitors only the delete point before the cleanup job.
Register the following exit points:
RST_PROFILE (restore): This is used when user profiles are restored from a save file during a normal operation, and not during the restore operation of the entire system.
VLD_PASSWRD: This is called when the password is changed by the user.
Note:
The RST_PROFILE exit point is not called when a user profile is created with the initial password or when the security administrator changes the password for a user. This IBM design limitation has been fixed in IBM OS/400 V5R4 by introducing another exit point called QIBM_QSY_CHK_PASSWRD.
XUSRPWD: This must be registered with QIBM_QSY_CHG_PROFILE. However, when you try to register, you might find that there is an existing exit program registered for this point. In the following screen output, QGLDPUEXIT represents this exit program in the main system library QSYS, which implies that the IBM OS/400 system itself uses this exit point to extend its functionality.
              Exit
              Program      Exit
Opt           Number       Program        Library
 1                         XUSRPWD        LSVALGAARD
              2147483647   QGLDPUEXIT     QSYS
You must also consider the Exit Program Number, which determines the order in which the exit programs run. The system exit program is typically the last to run in the processing order, and therefore, has a very large Exit Program Number (2147483647). Enter the Oracle Identity Manager custom user exit program and the library for it, and select option 1 for adding the exit program.
Press the Enter key. The Add screen is displayed with the following values:
Exit point . . . . . . . . . > QIBM_QSY_CHG_PROFILE
Exit point format . . . . .  > CHGP0100              Name
Program number . . . . . . . > 1                     1-2147483647, *LOW, *HIGH
Program . . . . . . . . . .  > XUSRPWD               Name
  Library . . . . . . . . .  > LSVALGAARD            Name, *CURLIB
Threadsafe . . . . . . . . .   *UNKNOWN              *UNKNOWN, *NO, *YES
Multithreaded job action . .   *SYSVAL               *SYSVAL, *RUN, *MSG, *NORUN
Text 'description' . . . . .   *BLANK
Press the Enter key to add the program, and then the F5 key to refresh the system to display the result.
Note:
An exit program runs in the environment (called an activation group) of the job or user issuing the command to call the exit program. Therefore, the current library (*CURLIB) value changes often and the system might not be able to locate the exit program. The library from which the system can find the exit program is usually hard coded into the exit program registration, as shown in the screen output.
Register the exit points as shown in the following screen output:
              Exit
              Program      Exit
Opt           Number       Program        Library
 1                         XUSRPWD        LSVALGAARD
              2147483647   QGLDPUEXIT     QSYS

Exit point: QIBM_QSY_CHG_PROFILE   Format: CHGP0100
Exit point: QIBM_QSY_CRT_PROFILE   Format: CRTP0100
Exit point: QIBM_QSY_DLT_PROFILE   Format: DLTP0200
Exit point: QIBM_QSY_RST_PROFILE   Format: RSTP0100
Exit point: QIBM_QSY_VLD_PASSWRD   Format: VLDP0100
Note:
On IBM OS/400 V5R4, you also register the CHK_PASSWRD exit point.
Enter the WRKSYSVAL command and scroll down to the following line:
QPWDVLDPGM *SEC Password validation program
The WRKSYSVAL command allows you to change the system values that control most of the system configuration.
Note:
Before the General Registration Facility was introduced, a password validation program was used. This was handled through the system value settings.
Select option 2 for QPWDVLDPGM.
After the XUSRPWD exit program is added to the various exit points, add the NOTIFY exit program to the exit points. The NOTIFY program notifies the LDAP Gateway of a real-time event. This exit program must be defined with Program Number 2, because it must be triggered after the XUSRPWD exit program is run. The NOTIFY exit program must be registered only for the CHGP0100, CRTP0100, and DLTP0200 exits.
This completes the installation of the Reconciliation Agent exits.
Note:
Do not specify an exit program instead of *REGFAC because this will interfere with an existing validation program. This method of specifying a validation program is no longer valid. The IBM OS/400 Advanced connector code does not support the obsolete validation program.
The QSECURITY system value determines the security level of the system. The highest (most secure) level is level 50. The IBM OS/400 Advanced connector is designed for and has been successfully tested on level 50.
To configure the message transport layer on the IBM OS/400 system, you configure the NOTIFY exit IP address. To do so:
Open the QCSRC/IPPARMS file for editing. This file contains the IP address and the port number of the LDAP Gateway. The Notify exit takes the IP address and port number parameters for the LDAP Gateway (installed on the Oracle Identity Manager host computer) from the QCSRC/IPPARMS file.
The standard port number is 5490. This must be entered as a 6-digit number with zeros preceding the actual port number. For example, 5490 must be entered as 005490. The port number is followed by the colon (:) symbol, the LDAP Gateway server IP, and then an additional colon symbol. For example:
005490:10.0.0.1:
The IP address and port number in the QCSRC/IPPARMS file identify the LDAP Gateway to notify real-time changes.
Note:
The port number must take up the first six character positions, with leading zeros in the number. A colon is in the seventh character position. The IP address starts at the eighth character position and its size can vary, but it must be followed by a colon.
Save the QCSRC/IPPARMS file. This change for IBM OS/400 does not require an IPL.
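The following is an added example, not part of this guide or the connector's own code: a builder and a strict parser for the QCSRC/IPPARMS record format described above, so the record can be checked on a workstation before it is transmitted to the mainframe. It assumes the gateway address is an IPv4 address (an IPv6 address contains colons and would not fit this format), and the sample record is constructed.

```python
import ipaddress

# Constructed sample record: 6-digit zero-padded port, colon, IPv4 address, colon.
SAMPLE_RECORD = "005490:10.0.0.1:"


def build_ipparms(port: int, host: str) -> str:
    """Build an IPPARMS record in the fixed-position layout the NOTIFY exit reads."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    ipaddress.IPv4Address(host)  # raises ValueError on a malformed address
    return f"{port:06d}:{host}:"


def parse_ipparms(record: str) -> tuple[int, str]:
    """Parse an IPPARMS record, enforcing the character positions the guide requires.

    Positions 1-6 must be the zero-padded port, position 7 a colon; the IP
    address starts at position 8 and must be terminated by another colon.
    """
    line = record.rstrip("\r\n")
    if len(line) < 8 or line[6] != ":":
        raise ValueError("colon expected in character position 7 (port not zero-padded?)")
    port_field = line[:6]
    if not port_field.isdigit():
        raise ValueError(f"port field must be six digits: {port_field!r}")
    port = int(port_field)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    rest = line[7:]
    end = rest.find(":")
    if end == -1:
        raise ValueError("IP address must be followed by a colon")
    if rest[end + 1:].strip():
        raise ValueError("unexpected data after the trailing colon")
    host = rest[:end]
    ipaddress.IPv4Address(host)  # raises ValueError on a malformed address
    return port, host


def check_ipparms(record: str) -> str:
    """Return an empty string when the record is valid, else the reason it is rejected."""
    try:
        parse_ipparms(record)
    except ValueError as exc:
        return str(exc)
    return ""
```

Running check_ipparms over a record such as "5490:10.0.0.1:" shows the typical mistake the note warns about: the unpadded port shifts the colon out of position 7 and the record is rejected.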