Oracle® Identity Manager Connector Guide for RSA Authentication Manager
Release 9.0.4

Part Number E11207-04
3 Configuring the Connector

After you deploy the connector, you must configure it to meet your requirements. This chapter discusses the following connector configuration procedures:

  • Configuring Reconciliation

  • Configuring Provisioning

  • Configuring the Connector for Multiple Installations of the Target System

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Configuring Reconciliation

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager additions of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

  • Limited Reconciliation

  • Configuring Trusted Source Reconciliation

  • Configuring the Reconciliation Scheduled Tasks

3.1.1 Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

For this connector, you create a filter by specifying values for the CustomReconQuery, CompareType, and GroupTokenizerForCustomReconQuery scheduled task attributes while performing the procedure described in the "Configuring the Reconciliation Scheduled Tasks" section.

You can use the following attributes to build the query condition:

  • Last Name

  • First Name

  • Default Login

  • Permanent or Temporary

  • By Token

  • By User Extension

  • Group

The following table lists sample query conditions:

CustomReconQuery | CompareType | Description
[none] | Any value (it must not be empty, because the scheduler does not allow empty attribute values) | Gets all users that are available in the target system
Last Name=D | Begins With | Gets all users whose last name starts with D
Last Name=Doe | Equals To | Gets all users with Doe as their last name
Last Name=oe | Contains | Gets all users whose last name contains oe
First Name=J | Begins With | Gets all users whose first name starts with J
First Name=John | Equals To | Gets all users with John as their first name
First Name=oh | Contains | Gets all users whose first name contains oh
First Name | With Empty Value | Gets all users with an empty first name
First Name | With Non Empty Value | Gets all users with a nonempty first name
Default Login=j | Begins With | Gets all users whose default login starts with j
Default Login=john | Equals To | Gets all users with john as their default login
Default Login=oh | Contains | Gets all users whose default login contains oh
By Token | Lost Tokens | Gets all users with token status Lost
By Token | All With Passwords | Gets all users who have a password
By Token | All With Expired Tokens | Gets all users with token status Expired
By User Extension | All With Extension | Gets all users that have extension data
By User Extension | All Without Extension | Gets all users that do not have extension data
By User Extension=key1 | All With Extension Keys | Gets all users that have extension data with the key key1
By User Extension=key1 | All Without Extension Keys | Gets all users that do not have extension data with a key containing key1
Permanent or Temporary | All Permanent | Gets all permanent users
Permanent or Temporary | All Temporary | Gets all temporary users

If you want to reconcile users with more than one group, then you can specify multiple groups as the value of CustomReconQuery, for example, CustomReconQuery=grp1,grp2,grp3. In this example, the group names are separated by commas. You choose the separator by setting the value of GroupTokenizerForCustomReconQuery, as shown:

GroupTokenizerForCustomReconQuery=,

The following table lists sample query conditions with values for GroupTokenizerForCustomReconQuery:

CustomReconQuery | CompareType | GroupTokenizerForCustomReconQuery | Description
Group=grpParent,grpChild1 | Any value (it must not be empty, because the scheduler does not allow empty attribute values) | $ | Gets all users who belong to the grpParent,grpChild1 group
Group=grpParent,grpChild1$ grpParent,grpChild2 | Any value | $ | Gets all users who belong to the grpParent,grpChild1 group or the grpParent,grpChild2 group

Note: If a group name contains a comma, as in these examples, you can specify any other separator, such as $.
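The filter semantics described in this section, as an added example that is not part of the Oracle guide or of the connector's own code: a small Python model that applies a CustomReconQuery, CompareType and GroupTokenizerForCustomReconQuery to constructed user records, including the case of a group name that itself contains a comma. The record layout (Groups, Token Status, Has Password, Extension) and the sample users are assumptions made for this example; in the real connector the search is carried out by the RSA ACE Server API using the lookup-mapped field and operator numbers.

```python
# Added example (not from the Oracle guide or the connector's own code): a model of how
# CustomReconQuery / CompareType / GroupTokenizerForCustomReconQuery select records.
# Field names and CompareType values are the guide's; records below are constructed.
USERS = [
    {"Last Name": "Doe", "First Name": "John", "Default Login": "john",
     "Permanent or Temporary": "Permanent", "Token Status": "Active",
     "Has Password": True, "Groups": ["grpParent,grpChild1"], "Extension": {"key1": "x"}},
    {"Last Name": "Doe", "First Name": "", "Default Login": "jdoe2",
     "Permanent or Temporary": "Temporary", "Token Status": "Lost",
     "Has Password": False, "Groups": ["grpParent,grpChild2"], "Extension": {}},
    {"Last Name": "Smith", "First Name": "Ann", "Default Login": "asmith",
     "Permanent or Temporary": "Permanent", "Token Status": "Expired",
     "Has Password": True, "Groups": ["grpOther"], "Extension": {"key2": "x"}},
]

def parse_query(custom_recon_query):
    """Split 'Field=value' into (field, value); a bare field name has value None.
    '[None]' (any case) means no filter: reconcile every record."""
    if custom_recon_query.strip().lower() == "[none]":
        return None, None
    field, sep, value = custom_recon_query.partition("=")
    return field.strip(), (value if sep else None)

def parse_groups(value, tokenizer):
    """Split the group list on the configured tokenizer only, so a group name that
    itself contains a comma, such as 'grpParent,grpChild1', stays intact."""
    return [g.strip() for g in value.split(tokenizer) if g.strip()]

def matches(user, field, value, compare_type, tokenizer):
    """Apply one CustomReconQuery/CompareType pair to one record."""
    if field is None:
        return True
    if field == "Group":
        return bool(set(parse_groups(value, tokenizer)) & set(user["Groups"]))
    if field in ("Last Name", "First Name", "Default Login"):
        actual = user[field]
        return {"Begins With": lambda: actual.startswith(value),
                "Equals To": lambda: actual == value,
                "Contains": lambda: value in actual,
                "With Empty Value": lambda: actual == "",
                "With Non Empty Value": lambda: actual != ""}[compare_type]()
    if field == "By Token":
        return {"Lost Tokens": user["Token Status"] == "Lost",
                "All With Expired Tokens": user["Token Status"] == "Expired",
                "All With Passwords": user["Has Password"]}[compare_type]
    if field == "By User Extension":
        ext = user["Extension"]
        return {"All With Extension": bool(ext), "All Without Extension": not ext,
                "All With Extension Keys": value in ext,
                "All Without Extension Keys": value not in ext}[compare_type]
    if field == "Permanent or Temporary":
        return user[field] == {"All Permanent": "Permanent",
                               "All Temporary": "Temporary"}[compare_type]
    raise ValueError(f"unsupported CustomReconQuery field: {field}")

def select_users(users, custom_recon_query, compare_type, tokenizer=","):
    """Return the Default Login of every record the filter selects."""
    field, value = parse_query(custom_recon_query)
    return [u["Default Login"] for u in users
            if matches(u, field, value, compare_type, tokenizer)]

if __name__ == "__main__":
    query = "Group=grpParent,grpChild1$ grpParent,grpChild2"
    print(select_users(USERS, query, "Any value", tokenizer="$"))  # ['john', 'jdoe2']
    print(select_users(USERS, query, "Any value", tokenizer=","))  # [] : comma splits the names
```

The last two calls show why the tokenizer must be changed when group names contain commas: with the default comma separator the same query matches nobody.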

3.1.2 Configuring Trusted Source Reconciliation

While configuring the connector, the target system can be designated as a trusted source or target resource. If you designate the target system as a trusted source, then both newly created and modified user accounts are reconciled in Oracle Identity Manager. If you designate the target system as a target resource, then only modified user accounts are reconciled in Oracle Identity Manager.

Note:

You can skip this section if you do not want to designate the target system as a trusted source for reconciliation.

Configuring trusted source reconciliation involves the following steps:

  1. Import the XML file for trusted source reconciliation, RSAAuthManagerXLResourceObject.xml, by using the Deployment Manager. This section describes the procedure to import the XML file.

    Note:

    Only one target system can be designated as a trusted source. If you import the RSAAuthManagerXLResourceObject.xml file while another trusted source is already configured, then reconciliation for both connectors stops working.
  2. Set the IsTrusted scheduled task attribute to True. You specify a value for this attribute while configuring the user reconciliation scheduled task, which is described later in this guide.

To import the XML file for trusted source reconciliation:

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for locating files is displayed.

  4. Locate and open the RSAAuthManagerXLResourceObject.xml file, which is in the OIM_HOME/xellerate/XLIntegrations/AuthManager/xml directory. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Import.

  8. In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.

After you import the XML file for trusted source reconciliation, you must set the value of the IsTrusted reconciliation scheduled task attribute to True. This procedure is described in the "Configuring the Reconciliation Scheduled Tasks" section.

3.1.3 Configuring the Reconciliation Scheduled Tasks

When you perform the procedure described in the "Step 5: Importing the Connector XML Files" section, the scheduled tasks for lookup fields and user reconciliations are automatically created in Oracle Identity Manager. To configure the scheduled task:

  1. Open the Oracle Identity Design Console.

  2. Expand the Xellerate Administration folder.

  3. Select Task Scheduler.

  4. Click Find. The details of the predefined scheduled task are displayed.

  5. Enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the FAILED status to the task.

  6. Ensure that the Disabled and Stop Execution check boxes are not selected.

  7. In the Start region, double-click the Start Time field. From the date-time editor that is displayed, set the date and time at which you want the task to run.

  8. In the Interval region, set the following schedule parameters:

    • To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.

      If you select the Recurring Intervals option, then you must also specify the time interval at which you want to run the task on a recurring basis.

    • To set the task to run only once, select the Once option.

  9. Provide values for the user-configurable attributes of the scheduled task. Refer to the following table for information about the values to be specified.

    See Also:

    Oracle Identity Manager Design Console Guide for information about adding and removing task attributes

    Attribute, description, and sample value:

    IsTrusted
      Specifies whether or not reconciliation must be performed in trusted mode.
      Sample value: True or False

    Server
      Name of the IT resource.
      Sample value: ACE Server Remote

    Target System Recon - Resource Object name
      Name of the target system resource object corresponding to the RSA Authentication Manager User.
      Sample value: Auth Manager User

    Target System Recon - Token Resource Object name
      Name of the target system resource object corresponding to the RSA Authentication Manager User Token that is assigned to the user.
      Sample value: Auth Manager Token

    Trusted Source Recon - Resource Object name
      Name of the trusted source resource object.
      Sample value: Xellerate User

    IsDeleteAllowed
      Specifies whether or not users who have been deleted in the target system should also be deleted in Oracle Identity Manager.
      Sample value: True or False

    Start Record
      Specifies the record number from which the reconciliation for CustomReconQuery and CompareType must begin.

      If the scheduled task fails after reconciling 10000 records, then you can set Start Record to 10000 so that reconciliation resumes from the record at which it failed. Records that have already been reconciled do not need to be reconciled again.
      Sample value: 1

    BatchSize
      Specifies the number of records to be reconciled in a batch.

      Caution: If you specify a very high value for BatchSize, for example 50000, then an out-of-memory exception may occur in the Remote Manager.
      Sample value: 1000

    FieldMapForCustomQuery
      Specifies the name of the lookup definition that maps each CustomReconQuery field name to its equivalent number in the target system.

      The RSA ACE Server API accepts numbers to identify field names in the target system.
      Sample value: UD_Lookup.Ace.CustomRecon.FieldMap

    CompareTypeMapForCustomQuery
      Specifies the name of the lookup definition that maps each CompareType value, as entered in the scheduled task, to its equivalent number in the target system.

      The RSA ACE Server API accepts numbers to indicate the comparison operator applied to the field being searched.
      Sample value: UD_Lookup.Ace.CustomRecon.CompareTypeMap

    CustomReconQuery
      Query condition on which reconciliation must be based.

      If you specify a query condition for this attribute, then the target system records are searched based on the query condition.

      If you want to reconcile all the target system records, then specify [None] as the value for this attribute.

      For more information about this parameter, refer to the "Limited Reconciliation" section.
      Sample value: [None]

    CompareType
      Specifies the type of comparison used in the query condition of CustomReconQuery.
      Sample value: Equals To

    NumberOfCharactersInEachUser
      Indicates the memory (number of characters) allocated for each user in the connector's C code.

      Caution: If you specify a very low value for NumberOfCharactersInEachUser, for example 10, then the Remote Manager's JVM may terminate.
      Sample value: 500

    Organization
      Specifies the name of the organization under which users are created during trusted source reconciliation.
      Sample value: Xellerate Users

    Xellerate Type
      Specifies the user type created during trusted source reconciliation.

      If you reconcile users in trusted mode, then you must specify a value for this attribute.
      Sample value: End-User

    Role
      Specifies the type of employment of a user in trusted source reconciliation.
      Sample value: Full-Time

    TrustedDeleteReconObjectStatusList
      Specifies the statuses of the users that are to be deleted during delete reconciliation in trusted mode.

      If you perform delete reconciliation in trusted mode, then you must specify the statuses, separated by commas.
      Sample value: Enabled, Disabled, Active

    TargetDeleteReconObjectStatusList
      Specifies the statuses of the users that are to be deleted during target resource reconciliation.

      If you delete users during target resource reconciliation, then you must specify the statuses, separated by commas.
      Sample value: Enabled, Disabled, Provisioned

    TrustedDeleteReconExemptedUserIDs
      Specifies the list of user IDs that must be excluded from trusted delete reconciliation.
      Sample value: XELOPERATOR, XELSELFREG, XELSYSADM

    GroupTokenizerForCustomReconQuery
      Specifies the separator (tokenizer) between the group names provided in CustomReconQuery.

      For more information about GroupTokenizerForCustomReconQuery, see "Limited Reconciliation".
      Sample value: $

    IsEnableLog
      Specifies whether or not to generate a log file when performing reconciliation.

      The default value for the IsEnableLog attribute is No, which means that a log file is not generated.

      Note: Log output is always appended to the existing log file, so the file can grow until it exhausts the available disk space. Therefore, set the value of IsEnableLog to Yes only when you need to debug.

      When the value is set to Yes, the OIM_ACE_INTG.log file is generated.
      Sample value: Yes or No

    LogFileLocationInRemoteManager
      Specifies the location in the Remote Manager where the log file is to be generated.

      The default value is None, which means that the log file is generated in the Remote Manager absolute path.

      Note: The Remote Manager absolute path is the location in which the Remote Manager's .batch and .sh files are stored.
      Sample value: D:\RM\log

  10. Click Save. The scheduled task is created. The INACTIVE status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.

Stopping Reconciliation

Suppose the User Reconciliation Scheduled Task for the connector is running and user records are being reconciled. If you want to stop the reconciliation process:

  1. Perform Steps 1 through 4 of the procedure to configure reconciliation scheduled tasks.

  2. Select the Stop Execution check box in the task scheduler.

  3. Click Save.

3.2 Configuring Provisioning

As mentioned earlier in this guide, provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager. Refer to the "Supported Functionality" section for a listing of the provisioning functions that are available with this connector.

This section discusses the following topics related to configuring provisioning:

  • Compiling Adapters

  • Installing Software Tokens

Note:

You must perform these procedures if you want to use the provisioning features of Oracle Identity Manager for this target system.

3.2.1 Compiling Adapters

Adapters are used to implement provisioning functions. The following adapters are imported into Oracle Identity Manager when you import the connector XML file:

  • ACE ASSIGN TO GROUP

  • ACE DELETE USER

  • ACE CREATE USER

  • SetRSAUserAttribute

  • ACE PrePop DefLogin

  • ACE PrePop FirstName

  • ACE PrePop GrpLogin

  • ACE PrePop LastName

  • ACE ASSIGN TOKEN

  • ACE REMOVE TOKEN

  • ACE DISABLE TOKEN

  • ACE SET PIN

  • ACE SET PIN TO NTC

  • ACE TRACK LOST TOKEN

  • ACE ENABLE TOKEN

  • ACE TEST LOGIN

  • ACE ADD USER EXTENSION DATA TO USER

  • ACE UPDATE USER EXTENSION DATA FOR USER

  • ACE DEL USER EXTENSION DATA TO USER

  • Set Temporary User

You must compile these adapters before they can be used in provisioning operations.

To compile adapters by using the Adapter Manager form:

  1. Open the Adapter Manager form.

  2. To compile all the adapters that you import into the current database, select Compile All.

    To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select Compile Selected.

    Note:

    Click Compile Previously Failed to recompile only those adapters that were not compiled successfully. Such adapters do not have an OK compilation status.
  3. Click Start. Oracle Identity Manager compiles the selected adapters.

  4. If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the OIM_HOME/xellerate/Adapter directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.

If you want to compile one adapter at a time, then use the Adapter Factory form.

See Also:

Oracle Identity Manager Tools Reference Guide for information about using the Adapter Factory and Adapter Manager forms

To view detailed information about an adapter:

  1. Highlight the adapter in the Adapter Manager form.

  2. Double-click the row header of the adapter, or right-click the adapter.

  3. Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.

3.2.2 Installing Software Tokens

When you use this connector to run provisioning functions that are specific to software tokens, you must provide the required input parameters, such as the Token Code.

You can determine the values of these token-specific parameters only after the RSA Software Token application is installed on the Oracle Identity Manager server or on a user computer other than the Oracle Identity Manager server.

If you are using RSA SecurID software tokens, then:

  1. Download RSA SecurID Token for Windows Desktops 3.0.5 from

    http://www.rsasecurity.com/node.asp?id=1162

  2. Install the file on the Oracle Identity Manager server.

  3. Copy the RSA SecurID software token file to an appropriate location on the Oracle Identity Manager server. The file to be copied is in the RSA Authentication Manager installation directory. The format of the directory path where you copy this file can be as follows:

    target_dir_location/Token1File/
    

    Note:

    While assigning a software token to an ACE user, you must specify the name and complete location of this file (in the db_file_location/file_name.sdtid format) in the Software Token File Name process form field.
  4. Import the .sdtid file into the RSA SecurID Token software application as follows:

    1. Click Start, and then select Programs.

    2. Click RSA SecurID Software Token, and select the subcategory RSA SecurID Software Token.

      The token screen is displayed.

    3. Click the File menu, and then select Import Tokens. In the dialog box that is displayed, select the .sdtid file mentioned in Step 3.

      For example:

      target_dir_location/Token1File/file_name.sdtid
      
    4. Select the token serial number, and click Transfer Selected Tokens to Hard Drive. The software token is imported.

    5. On the screen that is displayed, click View and then select Advanced View.

    6. On the screen that is displayed, click View and then select Token View to view the software token number.

3.3 Configuring the Connector for Multiple Installations of the Target System

Note:

Perform this procedure only if you want to configure the connector for multiple installations of RSA Authentication Manager.

You may want to configure the connector for multiple installations of RSA Authentication Manager. The following example illustrates this requirement:

The Tokyo, London, and New York offices of Example Multinational Inc. have their own installations of RSA Authentication Manager. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of RSA Authentication Manager.

To meet the requirement posed by such a scenario, you must configure the connector for multiple installations of RSA Authentication Manager.

To configure the connector for multiple installations of the target system:

See Also:

Oracle Identity Manager Design Console Guide for detailed instructions on performing each step of this procedure
  1. Create and configure one IT resource for each target system installation.

    The IT Resources form is in the Resource Management folder. An IT resource is created when you import the connector XML file. You can use this IT resource as the template for creating the remaining IT resources of the same resource type.

  2. Configure reconciliation for each target system installation. Refer to the "Configuring Reconciliation" section for instructions. Note that you need to modify only the attributes that are used to specify the IT resource and to specify whether or not the target system installation is to be set up as a trusted source.

    You can designate either a single or multiple installations of RSA Authentication Manager as the trusted source.

  3. If required, modify the fields to be reconciled for the Xellerate User resource object.

When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the RSA Authentication Manager installation to which you want to provision the user.