Oracle® Identity Manager Connector Guide for IBM OS/400 Advanced Release 9.0.4 Part Number E10452-04
The Oracle Identity Manager IBM OS/400 Advanced connector provides a native interface between Oracle Identity Manager and IBM OS/400 installed on the z/OS mainframe. The connector functions as a trusted virtual administrator on the target system, performing tasks such as creating login IDs and changing passwords. In addition, it automates some of the functions that administrators usually perform manually.
The connector enables provisioning and reconciliation with IBM OS/400. This guide discusses the connector that enables you to use IBM OS/400 either as a managed (target) resource or as an authoritative (trusted) source of user data for Oracle Identity Manager.
This chapter discusses the following topics:
Note:
In earlier releases, IBM OS/400 was known as IBM AS/400 or IBM i5/OS. Because the connector development started before the change in nomenclature was formally announced by IBM, the IBM OS/400 connector code, scripts, and nomenclature in the connector pack may have occurrences of AS/400 or i5/OS. These instances are not errors in the documentation.
Table 1-1 lists the certified deployment configurations.
Table 1-1 Certified Deployment Configurations
Note:
The LDAP Gateway uses the target system user account that you create for Oracle Identity Manager. Therefore, it has the privileges required to access and operate with the Reconciliation Agent and Provisioning Agent. See "Connector Architecture" for information about the Reconciliation Agent and Provisioning Agent.
The connector supports the following languages:
Arabic
Chinese (Simplified)
Chinese (Traditional)
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
This section discusses the following topics:
The connector consists of the following components:
LDAP Gateway: The LDAP Gateway is built on Java 1.4 and allows portability among different platforms and operating systems. The LDAP Gateway receives LDAP protocol commands from distributed applications and translates them to native IBM OS/400 commands. After the commands are run, LDAP-formatted responses are returned to the requesting application. It is recommended that you install the LDAP Gateway on the same computer as Oracle Identity Manager.
JTOpen Provisioning Agent: The connector provides the provisioning functionality through the JTOpen Provisioning Agent, which is an IBM OS/400 component. JTOpen receives IBM OS/400 identity and authorization change events from the LDAP Gateway. These events are processed against the IBM OS/400 authentication repository, in which all provisioning updates from the LDAP Gateway are stored. The response is parsed and returned to the LDAP Gateway.
Voyager Reconciliation Agent: The connector provides the reconciliation functionality through the Voyager Reconciliation Agent, which is an IBM OS/400 component. The Reconciliation Agent receives IBM OS/400 identity and authorization change events by using exit technology. Exits are programs that are run after an event in IBM OS/400 is processed. The exits then send the change events in real time to the Reconciliation Agent. These events include events occurring from the command prompt, batch jobs, and other native IBM OS/400 events. The Reconciliation Agent transforms these events into notification messages for Oracle Identity Manager through the LDAP Gateway.
Message Transport Layer: The message transport layer enables the exchange of messages between the LDAP Gateway and the Reconciliation Agent and Provisioning Agent. JTOpen is used as the messaging protocol for the message transport layer. JTOpen is a library of Java classes that lets you implement the client-server and internet programming model with an IBM OS/400 system. The JTOpen classes can be used by Java applets, servlets, and applications to access data and resources on an IBM OS/400 system. JTOpen requires only the Java Virtual Machine (JVM) and the Java Developer Kit (JDK).
See Also:
JTOpen Web site at the following URL for information about the JTOpen project:
IBM Toolbox for Java documentation at the following URL for information about the JTOpen functionality:
http://www-03.ibm.com/servers/eserver/iseries/toolbox/overview.html
The architecture of the connector can be explained in terms of the connector operations it supports:
Figure 1-1 shows the flow of data during reconciliation:
Reconciliation involves the following steps:
IBM OS/400 identity and authorization events take place in the target system. These events are processed through appropriate exits. After processing the events, the exits send them to the Voyager Reconciliation Agent.
Note:
Identity and authorization events in the IBM OS/400 system include the running of a command, real-time password synchronization, creation or deletion of a user, or a change in the user data.
The Reconciliation Agent transforms these events into notification events or messages for the LDAP Gateway. The notification messages consist of encrypted files. The Reconciliation Agent opens a new socket to the LDAP Gateway and sends the encrypted notification messages. The messages are sent to the LDAP Gateway through the message transport layer. These messages contain the minimum amount of data required to reconcile the event, such as the message type, user ID, and password (for a password change event).
The LDAP Gateway receives the messages from the Reconciliation Agent and decrypts them for the connector.
The connector sends a request to the JTOpen Provisioning Agent to retrieve all the current user data that is generated as a result of the IBM OS/400 identity and authorization events.
Note:
JTOpen uses TCP/IP to send IBM OS/400 commands. JTOpen acts as the message transport layer as well as the provisioning agent. See "Provisioning" for more information about JTOpen as the provisioning agent.
If an event fetched from the target system matches with the notification data, then the connector returns an error and the process stops. If the event does not match, then the connector sends the event to Oracle Identity Manager for reconciliation and updates the internal meta-store of event records. This process is repeated for all the events that are fetched from the target system.
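The reconciliation path above (agent sends a minimal, protected notification; gateway authenticates it, fetches the current profile through JTOpen, checks the event against its meta-store of event records, and forwards new events to Oracle Identity Manager) as an added example. This is not Oracle's or the connector's code. The guide does not name its encryption scheme, so message protection is modelled here with an HMAC-SHA256 tag (an assumption standing in for the real mechanism), the wire format is constructed JSON, the "matching event returns an error" step is modelled as a replay check against the meta-store, and the JTOpen fetch is a stub over a constructed snapshot of user profiles.

```python
import hashlib
import hmac
import json

# Event types from the list of functions the Reconciliation Agent supports.
EVENT_TYPES = {"CREATE", "MODIFY", "DELETE", "PASSWORD", "DISABLE", "ENABLE"}

# Constructed demo key; the real agent/gateway key material is not described in the guide.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed snapshot of what the JTOpen request for current user data would return.
TARGET_USERS = {
    "JDOE": {"USER": "JDOE", "NAME": "John Doe", "STATUS": "*ENABLED", "USRCLS": "*USER"},
    "ASMITH": {"USER": "ASMITH", "NAME": "Ann Smith", "STATUS": "*DISABLED", "USRCLS": "*SECOFR"},
}


def seal(message, key=SHARED_KEY):
    """Agent side: serialise a notification and append an HMAC-SHA256 tag (assumed scheme)."""
    body = json.dumps(message, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def unseal(wire, key=SHARED_KEY):
    """Gateway side: verify the tag in constant time, then validate the minimal fields."""
    body, sep, tag = wire.rpartition(b".")   # the hex tag never contains '.', so rpartition is safe
    if not sep:
        raise ValueError("notification has no authentication tag")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("notification failed authentication")
    msg = json.loads(body)
    if msg.get("type") not in EVENT_TYPES or not isinstance(msg.get("uid"), str) or "seq" not in msg:
        raise ValueError("malformed notification")
    return msg


def is_authentic(wire, key=SHARED_KEY):
    """Convenience wrapper: True if the notification authenticates and is well formed."""
    try:
        unseal(wire, key)
        return True
    except ValueError:
        return False


class MetaStore:
    """The gateway's internal store of event records, used here to reject replayed events."""

    def __init__(self):
        self._seen = set()

    @staticmethod
    def _key(msg):
        return (msg["type"], msg["uid"], msg["seq"])

    def contains(self, msg):
        return self._key(msg) in self._seen

    def record(self, msg):
        self._seen.add(self._key(msg))


def fetch_user(uid, target=TARGET_USERS):
    """Stand-in for the JTOpen request that retrieves the current user profile data."""
    return target.get(uid)


def process_notification(wire, store, forwarded, key=SHARED_KEY):
    """Handle one notification; return its disposition and append forwarded events to `forwarded`."""
    msg = unseal(wire, key)
    if store.contains(msg):
        return "duplicate"          # matching event already recorded: error, processing stops
    current = fetch_user(msg["uid"])
    if msg["type"] != "DELETE" and current is None:
        return "unknown-user"       # nothing current on the target system to reconcile against
    event = {"type": msg["type"], "uid": msg["uid"], "profile": current}
    if msg["type"] == "PASSWORD":
        event["password"] = msg.get("password")   # carried only for password change events
    forwarded.append(event)
    store.record(msg)
    return "forwarded"


if __name__ == "__main__":
    store, out = MetaStore(), []
    wire = seal({"type": "MODIFY", "uid": "JDOE", "seq": 1})
    print(process_notification(wire, store, out))   # forwarded
    print(process_notification(wire, store, out))   # duplicate
    print(is_authentic(wire.replace(b"JDOE", b"ASMITH")))   # False: tag no longer matches
```

The sequence number in the meta-store key is what makes two legitimate, identical-looking changes to the same profile distinguishable from a replay of one message; without it a second genuine MODIFY on the same user would be dropped as a duplicate.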
Figure 1-2 shows the flow of data during provisioning:
Provisioning involves the following steps:
A user is created, updated, or deleted in Oracle Identity Manager.
The Oracle Identity Manager process task adapter for IBM OS/400 forwards the change request to the LDAP Gateway.
The LDAP Gateway translates the change requests to IBM OS/400 commands. The IBM OS/400 Advanced connector encrypts the data, and sends it to the JTOpen Provisioning Agent, which also functions as the message transport layer.
The connector also updates the internal meta-store of the LDAP Gateway with the changes in user data.
JTOpen decrypts the data, sends the data to the IBM OS/400 repository, and returns success or error messages back to the LDAP Gateway.
Note:
No agents are required on the target system to support the provisioning capabilities of the connector. Provisioning is achieved by using a network-aware API located on the Oracle Identity Manager host computer. Reconciliation requires an agent on the target system to detect changes and also uses the network-aware API.
The Voyager Reconciliation Agent supports reconciliation of changes that are made to user profiles by using commands such as CRTUSRPRF or CHGUSRPRF. These commands also contain users' passwords for reconciliation, if any.
The Reconciliation Agent supports the following functions:
Create user data event
Modify user data event
Delete user event
Password change event
Disable user event
Enable user event
The Provisioning Agent uses the following IBM OS/400 user profile commands:
[ADDUSER]: Creates an IBM OS/400 user profile
[CHGUSRPRF]: Modifies an existing IBM OS/400 user profile
[DLT]: Deletes an IBM OS/400 user profile
Table 1-2 describes the functions supported by the Provisioning Agent.
Table 1-2 Functionality Supported for Provisioning
Function | Description |
---|---|
Create OS/400 User | Creates a user |
Modify OS/400 User | Modifies a user |
Delete OS/400 User | Deletes a user |
Change OS/400 Password | Changes the password of a user |
Reset OS/400 Password | Resets the user password |
Revoke OS/400 User Account | Revokes the user account |
Resume OS/400 User Account | Resumes a revoked user account |
Table 1-3 lists the target system fields that are used for reconciliation and provisioning operations.
Table 1-3 Field Mapping Between Oracle Identity Manager and IBM OS/400
Oracle Identity Manager Field | IBM OS/400 Field | Description |
---|---|---|
uid | USER | User login ID |
cn | NAME | User full name |
sn | NAME | User last name |
userPassword | PASSWORD | Password used to log in |
owner | OWNER | The owner of the user profile |
status | STATUS | User status (enable, disable) |
specialAuthority | SPECAUTH | Special access permissions for the user |
usrcls | USRCLS | Special access control for the user |
inlprg | INLPRG | User initial program |
text | TEXT | Free-form text field |
lmtcpb | LMTCPB | Limit capabilities |
jobd | JOBD | Job description |
supgrpprf | SUPGRPPRF | Supplemental group |
inlmnu | INLMNU | Initial menu |
grpprf | GRPPRF | Group profile |
passwordExpire | PWDEXP | User password is set to expire |
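The provisioning translation described under "Provisioning" (the LDAP Gateway turning an LDAP change request into a native user profile command, using the field mapping in Table 1-3) as an added example. This is not Oracle's or the connector's code. It assumes the user profile commands are the CL commands CRTUSRPRF, CHGUSRPRF and DLTUSRPRF (the guide's bracketed names ADDUSER, CHGUSRPRF and DLT abbreviate the create/modify/delete operations), that the commands would be passed to JTOpen's CommandCall as strings, and it uses the CL parameter keywords from the command reference where they differ from the guide's field names (SPCAUT for SPECAUTH, INLPGM for INLPRG). The cn and sn attributes map to NAME in Table 1-3, which is not a parameter of these commands, so they are left out. The security point is that every attribute value is validated against its expected CL shape before it is placed in the command text, so a value supplied through LDAP cannot close a parameter or add another one.

```python
import re

# LDAP attribute -> (Table 1-3 field, CL keyword, value kind).  CL keyword spellings
# follow the CRTUSRPRF/CHGUSRPRF command reference; the order here fixes the output order.
FIELD_MAP = {
    "uid":              ("USER",      "USRPRF",    "name"),
    "userPassword":     ("PASSWORD",  "PASSWORD",  "text"),
    "owner":            ("OWNER",     "OWNER",     "keyword"),
    "status":           ("STATUS",    "STATUS",    "keyword"),
    "specialAuthority": ("SPECAUTH",  "SPCAUT",    "list"),
    "usrcls":           ("USRCLS",    "USRCLS",    "keyword"),
    "inlprg":           ("INLPRG",    "INLPGM",    "qualname"),
    "text":             ("TEXT",      "TEXT",      "text"),
    "lmtcpb":           ("LMTCPB",    "LMTCPB",    "keyword"),
    "jobd":             ("JOBD",      "JOBD",      "qualname"),
    "supgrpprf":        ("SUPGRPPRF", "SUPGRPPRF", "list"),
    "inlmnu":           ("INLMNU",    "INLMNU",    "qualname"),
    "grpprf":           ("GRPPRF",    "GRPPRF",    "name"),
    "passwordExpire":   ("PWDEXP",    "PWDEXP",    "keyword"),
}

# Object names: up to 10 characters, first character a letter or $ # @, rest may add digits and _.
NAME_RE = re.compile(r"^[A-Z$#@][A-Z0-9$#@_]{0,9}$")
# Special values such as *ENABLED, *USER, *NONE.
KEYWORD_RE = re.compile(r"^\*[A-Z0-9]{1,10}$")


def validate(kind, value):
    """Return the canonical CL text for `value`, or raise ValueError if it does not fit `kind`."""
    value = str(value).strip()
    if kind == "text":
        # Quoted string: printable ASCII only, embedded quotes doubled per CL quoting rules.
        if not value or len(value) > 128 or not all(32 <= ord(c) < 127 for c in value):
            raise ValueError("text value is empty, too long or contains non-printable characters")
        return "'" + value.replace("'", "''") + "'"
    upper = value.upper()
    if kind == "name" and NAME_RE.match(upper):
        return upper
    if kind == "keyword" and KEYWORD_RE.match(upper):
        return upper
    if kind == "qualname":
        # Either a special value, an unqualified name, or LIBRARY/NAME.
        if KEYWORD_RE.match(upper):
            return upper
        parts = upper.split("/")
        if 1 <= len(parts) <= 2 and all(NAME_RE.match(p) for p in parts):
            return upper
    if kind == "list":
        # Space-separated names and/or special values, e.g. "*JOBCTL *SAVSYS".
        items = upper.split()
        if items and all(NAME_RE.match(i) or KEYWORD_RE.match(i) for i in items):
            return " ".join(items)
    raise ValueError(f"value {value!r} is not a valid {kind}")


def _params(attrs):
    """Translate known LDAP attributes into validated KEYWORD(value) parameter text."""
    unknown = set(attrs) - set(FIELD_MAP)
    if unknown:
        raise ValueError(f"unmapped attributes: {sorted(unknown)}")
    out = []
    for ldap_attr, (_field, keyword, kind) in FIELD_MAP.items():
        if ldap_attr in attrs:
            out.append(f"{keyword}({validate(kind, attrs[ldap_attr])})")
    return " ".join(out)


def build_create(attrs):
    """CRTUSRPRF for a new profile: uid and userPassword are required."""
    if "uid" not in attrs or "userPassword" not in attrs:
        raise ValueError("create requires uid and userPassword")
    return "CRTUSRPRF " + _params(attrs)


def build_modify(attrs):
    """CHGUSRPRF for an existing profile: uid selects the profile, other attributes change it."""
    if "uid" not in attrs or len(attrs) < 2:
        raise ValueError("modify requires uid and at least one attribute to change")
    return "CHGUSRPRF " + _params(attrs)


def build_delete(uid):
    """DLTUSRPRF for the given profile name."""
    return f"DLTUSRPRF USRPRF({validate('name', uid)})"


def is_accepted(op, attrs):
    """True if the builder for `op` accepts `attrs`; used to show rejected inputs without exceptions."""
    try:
        {"create": build_create, "modify": build_modify}[op](attrs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_create({"uid": "jdoe", "userPassword": "it's", "text": "John Doe"}))
    print(build_modify({"uid": "jdoe", "status": "*DISABLED"}))
    print(build_delete("jdoe"))
    print(is_accepted("modify", {"uid": "jdoe", "status": "*DISABLED) TEXT('x"}))   # False
```

Because the validators whitelist the shape of each value rather than blacklisting characters, a value that does not look like a name, a special value or a quoted string is rejected outright; the command string is only ever assembled from values that have already passed.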
The IBM OS/400 Advanced connector deployment involves deploying the LDAP Gateway and the Reconciliation Agent. The Reconciliation Agent is deployed on IBM OS/400.
These procedures are described in the following chapters:
Chapter 2, "Connector Deployment on Oracle Identity Manager" provides instructions for deploying the connector on the Oracle Identity Manager host computer. This procedure involves configuring Oracle Identity Manager, importing the connector XML file, compiling adapters, installing the LDAP Gateway, and configuring the message transport layer.
Chapter 3, "Connector Deployment on IBM OS/400" describes the procedure to deploy the Reconciliation Agent on IBM OS/400. It is recommended that you perform this procedure with the assistance of the systems programmer.
Chapter 4, "Configuring the Connector" describes the procedure to run initial reconciliation and to configure trusted source reconciliation and account status reconciliation.
Chapter 5, "Troubleshooting" states the problem scenarios commonly associated with the connector and the possible solutions to those problems. In addition, this chapter discusses some guidelines on using the connector.
Chapter 6, "Known Issues" lists the known issues associated with this release of the connector.