Sun Identity Manager 8.1 Resources Reference

Adapter Types

The following tables list these adapters (sorted by type) and provide an overview of supported versions, Active Sync support, connection methods, and communication protocols for each adapter. Refer to the Release Notes to determine which versions of each resource are supported.

Resource adapters are divided into the following categories:

Table 1–1 CRM and ERP Systems

| Resource Adapter | Supported Application | Active Sync Support | Gateway? | Communications Protocols |
| --- | --- | --- | --- | --- |
| Oracle Applications | Oracle Financials on Oracle Applications | No | No | JDBC |
| PeopleSoft Component | PeopleTools; PeopleTools with HRMS | Yes (Smart polling, Listener) | No | Client connection toolkit (Sync Only) |
| PeopleSoft Component Interface | PeopleTools | No | No | Client connection toolkit (Read/Write) |
| SAP | SAP R/3 | No | No | BAPI through SAP Java Connector |
| | SAP HR | Yes (Smart polling, Listener) | | ALE |
| | Governance, Risk, and Compliance (GRC) Access Enforcer | No | No | BAPI through SAP Java Connector |
| | Enterprise Portal | No | No | Siebel Data API |

Table 1–2 Databases

| Resource Adapter | Active Sync Support | Gateway? | Communications Protocol |
| --- | --- | --- | --- |
| DB2 | No | No | JDBC, SSL |
| Microsoft SQL Server | No | No | JDBC, SSL |
| MySQL | No | No | JDBC, SSL |
| Oracle | No | No | JDBC, SSL |
| Sybase | No | No | JDBC, SSL |

Table 1–3 Directories

| Resource Adapter | Supported Applications | Active Sync Support | Gateway? | Communications Protocols |
| --- | --- | --- | --- | --- |
| LDAP | | Yes (Smart polling, Listener) | No | LDAP v3, JNDI, SSL |
| Microsoft Active Directory | | Yes (Smart polling) | Yes | ADSI |
| NetWare NDS | Netware eDirectory; Novell SecretStore | Yes (Smart polling) | Yes | NDS Client, LDAP, SSL |

Table 1–4 Message Platforms

| Resource Adapters | Active Sync Support | Gateway? | Communications Protocols |
| --- | --- | --- | --- |
| Lotus Domino Gateway | Yes (Smart polling) | Yes | RMI, IIOP using Toolkit for Java, CORBA |
| Novell GroupWise | No | Yes | NDS Client, LDAP, SSL |

Table 1–5 Miscellaneous

| Resource Adapter | Active Sync Support | Gateway? | Communications Protocols |
| --- | --- | --- | --- |
| Database Table | Yes (Smart polling) | No | JDBC |
| Flat File ActiveSync | Yes (Smart polling; Filtered TSS Audit Events) | No | |
| INISafe Nexess | | com.initech.eam.api Classes | |
| JMS Listener | Yes | No | Varies, per resource |
| Microsoft Identity Integration Server | No | No | JDBC |
| Remedy Help Desk | Yes (Smart polling) | Yes | Remedy APIs |
| Scripted Gateway | | Yes | Varies, per resource |
| Scripted Host | | No | TN3270 |
| Sun Java System Communications Services | Yes | No | JNDI over SSL or TCP/IP |

Table 1–6 Operating Systems

| Resource Adapter | Active Sync Support | Gateway? | Communication Protocol |
| --- | --- | --- | --- |
| AIX | No | No | Telnet, SSH, SSHPubKey |
| HP-UX | No | No | Telnet, SSH, SSHPubKey |
| OS/400 | No | No | Java toolkit for AS400 |
| Red Hat Linux | No | No | Telnet, SSH, SSHPubKey |
| Solaris | No | No | Telnet, SSH, SSHPubKey |
| SuSE Linux | No | No | Telnet, SSH, SSHPubKey |

Table 1–7 Security Managers

| Resource Adapter | Active Sync Support | Gateway? | Communication Protocols |
| --- | --- | --- | --- |
| ACF2 | No | No | Secure TN3270 |
| ClearTrust | No | No | Server Proxy API, JNDI, SSL |
| RACF | No | No | Secure TN3270 |
| SecurID ACE/Server (Windows and UNIX) | No | Yes | SecurID Admin API, SSHPubKey (UNIX only); SecurID TCL Interface |
| Top Secret | Yes (Smart polling; Filtered TSS Audit Events) | No | Secure TN3270 |

Table 1–8 Web Single Sign On (SSO)

| Resource Adapter | Active Sync Support | Gateway? | Communication Protocols |
| --- | --- | --- | --- |
| IBM/Tivoli Access Manager | No | No | JNDI, SSL |
| Netegrity Siteminder | No | No | Netegrity SDK, JNDI, SSL |
| Sun Access Manager | No | No | JNDI, SSL |

The Identity Manager adapters can often be used in their default state.

Procedure: To Enable an Adapter

  1. Follow the installation and configuration procedures provided in the adapter’s Identity Manager Installation Notes section in this chapter.

  2. Add the resource to Identity Manager by using the Resource Wizard, as described in Business Administrator's Guide.

    See [Please define the Title_Deploy_Tools text entity] for information about creating customized adapters.

How the Adapter Sections are Organized

The resource adapter sections in this chapter are organized as follows:

A detailed description of each topic is provided in the remainder of this section.

Topic Descriptions

This section describes the information provided for each adapter, and the topics are organized as follows:

Introduction

The introductory section lists the versions of the resource supported by the adapter. Other versions might be supported, but they have not been tested.

This section also lists the adapter’s Java class name. The class name is always used for tracing. In addition, if the resource is a custom resource, the class name must be specified on the Configure Managed Resources page. See Identity Manager Installation Notes for more information about custom resources.

Some resources have multiple adapters. For example, Identity Manager provides adapters for Windows Active Directory and Windows Active Directory ActiveSync. In these cases, a table similar to the following is listed in the introductory section:

| GUI Name | Class Name |
| --- | --- |
| Windows 2000 / Active Directory | com.waveset.adapter.ADSIResourceAdapter |
| Windows 2000 / Active Directory ActiveSync | com.waveset.adapter.ActiveDirectoryActiveSyncAdapter |

The GUI name is displayed on the drop-down menu on the Resources page. Once the resource has been added to Identity Manager, this name is also displayed in the resource browser.

Resource Configuration Notes

This section lists additional steps you must perform on the resource to allow you to manage the resource from Identity Manager. (It is assumed that the resource is fully functional before you attempt to establish a connection with Identity Manager.)

Identity Manager Installation Notes

From an installation perspective, there are two types of adapters:

Identity Manager adapters do not require additional installation procedures. Use the following steps to display the resource on the actions menu on the Resource page:

Procedure: Displaying the Resource on the Actions Menu of the Resource Page

  1. From the Identity Manager Administrator Interface, click Resources, and then click Configure Types.

  2. Select the appropriate options in the Identity Manager Resources section.

  3. Click Save at the bottom of the page.

Custom adapters require additional installation steps. Typically, you must copy one or more JAR files to the InstallDir\idm\WEB-INF\lib directory and add the adapter’s Java class to the list of adapters. The JAR files are usually available on the installation media, or through download from the Internet.

The following example from the DB2 resource adapter illustrates this procedure:

  1. Copy the db2java.jar file to the InstallDir\idm\WEB-INF\lib directory.

  2. From the Identity Manager Administrator interface, click Resources, and then click Configure Types.

  3. Click Add Custom Resource near the bottom of the page.

  4. Enter the full class name of the adapter in the bottom text box, such as com.waveset.adapter.DB2ResourceAdapter.

  5. Click Save at the bottom of the page.

The following table lists the adapters that require JAR files to be installed on the Identity Manager server.

| Adapter | Files Required |
| --- | --- |
| Access Enforcer | sapjco.jar, axis.jar, commons-discovery-0.2.jar, commons-logging-1.0.4.jar, jaxrpc.jar, log4j-1.2.8.jar, saaj.jar, wsdl4j-1.5.1.jar |
| Access Manager | pd.jar |
| ACF2 | habeans.jar; OR habase.jar, hacp.jar, ha3270.jar, hassl.jar, hodbase.jar; OR RWebSDK.jar, wrqtls12.jar, profile.jaw |
| ClearTrust | ct_admin_api.jar |
| DB2 | db2java.jar |
| INISafe Nexess | concurrent.jar, crimson.jar, external-debug.jar, INICrypto4Java.jar, jdom.jar, log4j-1.2.6.jar |
| MS SQL Server | If connecting with Microsoft SQL Server 2005 Driver for JDBC: mssqlserver.jar. If connecting with Microsoft SQL Server 2000 Driver for JDBC: msbase.jar, mssqlserver.jar, msutil.jar |
| MySQL | mysqlconnector-java-Version-bin.jar |
| Oracle and Oracle ERP | oraclejdbc.jar |
| PeopleSoft Component and PeopleSoft Component Interface | psjoa.jar |
| RACF | habeans.jar; OR habase.jar, hacp.jar, ha3270.jar, hassl.jar, hodbase.jar; OR RWebSDK.jar, wrqtls12.jar, profile.jaw |
| SAP | sapjco.jar, sapidoc.jar |
| SAP HR ActiveSync | sapjco.jar, sapidoc.jar, sapidocjco.jar |
| Scripted Host | habeans.jar; OR habase.jar, hacp.jar, ha3270.jar, hassl.jar, hodbase.jar; OR RWebSDK.jar, wrqtls12.jar, profile.jaw |
| Siebel CRM | Siebel 7.0: SiebelJI_Common.jar, SiebelJI_enu.jar, SiebelJI.jar. Siebel 7.7, 7.8: Siebel.jar, SiebelJI_enu.jar |
| SiteMinder | smjavaagentapi.jar, smjavasdk2.jar |
| Sun Java System Access Manager | Prior to version 7.0: Varies, depending on release. Version 7.0 and later: am_sdk.jar, am_services.jar |
| Sun Java System Access Manager Realm | am_sdk.jar, am_services.jar |
| Sybase | jconn2.jar |
| Top Secret | habeans.jar; OR habase.jar, hacp.jar, ha3270.jar, hassl.jar, hodbase.jar; OR RWebSDK.jar, wrqtls12.jar, profile.jaw |
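Before adding a custom adapter's class name, it helps to confirm that one complete set of its libraries is actually present and to record their hashes for comparison against the copies on the installation media. The following check is an added example, not part of the Sun documentation: the file sets are transcribed from the table above for three adapters, while the function names and the temporary directory standing in for InstallDir\idm\WEB-INF\lib are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Alternative file sets per adapter, transcribed from the table above.
# An adapter is satisfied when every file of at least one set is present.
REQUIRED = {
    "DB2": [["db2java.jar"]],
    "SAP HR ActiveSync": [["sapjco.jar", "sapidoc.jar", "sapidocjco.jar"]],
    "RACF": [
        ["habeans.jar"],
        ["habase.jar", "hacp.jar", "ha3270.jar", "hassl.jar", "hodbase.jar"],
        ["RWebSDK.jar", "wrqtls12.jar", "profile.jaw"],
    ],
}


def sha256_of(path):
    """Hash a file in chunks so large JARs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_adapter(lib_dir, adapter):
    """Report missing files per alternative set, plus hashes of the first complete set."""
    lib = Path(lib_dir)
    missing_by_set = []
    hashes = {}
    for file_set in REQUIRED[adapter]:
        missing = [name for name in file_set if not (lib / name).is_file()]
        missing_by_set.append(missing)
        if not missing and not hashes:
            hashes = {name: sha256_of(lib / name) for name in file_set}
    return {
        "satisfied": any(not missing for missing in missing_by_set),
        "missing_by_set": missing_by_set,
        "hashes": hashes,
    }


def demo():
    """Build a constructed lib directory and check the three adapters against it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in files; real JARs come from the vendor media.
        for name in ("db2java.jar", "habase.jar", "hacp.jar", "sapjco.jar"):
            (Path(tmp) / name).write_bytes(b"constructed sample: " + name.encode())
        return {adapter: check_adapter(tmp, adapter) for adapter in REQUIRED}


if __name__ == "__main__":
    for adapter, result in demo().items():
        state = "OK" if result["satisfied"] else "INCOMPLETE"
        print(adapter, state, result["missing_by_set"])
```

A partially copied alternative set (here, two of the five ha*.jar files for RACF) is reported as incomplete rather than satisfied.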

Usage Notes

This section lists dependencies and limitations related to using the resource. The contents of this section vary among adapters.

Active Sync Configuration

This section provides resource-specific configuration information that can be viewed on the Edit Synchronization Policy page. The following attributes are applicable to most Active Sync adapters.

Parameter  

Description  

Process Rule

Either the name of a TaskDefinition, or a rule that returns the name of a TaskDefinition, to run for every record in the feed. The process rule gets the resource account attributes in the activeSync namespace, as well as the resource ID and name. 

This parameter overrides all others. If this attribute is specified, the process will be run for every row regardless of any other settings on this adapter. 

Correlation Rule

If no Identity Manager user’s resource info is determined to own the resource account, the Correlation Rule is invoked to determine a list of potentially matching users/accountIDs or Attribute Conditions, used to match the user, based on the resource account attributes (in the account namespace).

The rule returns one of the following pieces of information that can be used to correlate the entry with an existing Identity Manager account: 

  • Identity Manager user name

  • WSAttributes object (used for attribute-based search)

  • List of items of type AttributeCondition or WSAttribute (AND-ed, attribute-based search)

  • List of items of type String (each item is the Identity Manager ID or the user name of an Identity Manager account)

If more than one Identity Manager account can be identified by the correlation rule, a confirmation rule or resolve process rule will be required to handle the matches.

For the Database Table, Flat File, and PeopleSoft Component Active Sync adapters, the default correlation rule is inherited from the reconciliation policy on the resource.

Confirmation Rule

Rule that is evaluated for all users returned by a correlation rule. For each user, the full user view of the correlation Identity Manager identity and the resource account information (placed under the account. namespace) are passed to the confirmation rule. The confirmation rule is then expected to return a value that can be expressed like a Boolean value. For example, “true” or “1” or “yes” and “false” or “0” or null. 

For the Database Table, Flat File, and PeopleSoft Component Active Sync adapters, the default confirmation rule is inherited from the reconciliation policy on the resource. 

Delete Rule

A rule that can expect a map of all values with keys of the form activeSync. or account. A LighthouseContext object (display.session) based on the proxy administrator’s session is made available to the context of the rule. The rule is then expected to return a value that can be expressed like a Boolean value. For example, “true” or “1” or “yes” and “false” or “0” or null.

If the rule returns true for an entry, the account deletion request will be processed through forms and workflow, depending on how the adapter is configured. 

Resolve Process Rule

Either the name of the TaskDefinition or a rule that returns the name of a TaskDefinition to run in case of multiple matches to a record in the feed. The Resolve Process rule gets the resource account attributes as well as the resource ID and name. 

This rule is also needed if there were no matches and Create Unmatched Accounts is not selected.

This workflow could be a process that prompts an administrator for manual action. 

Create Unmatched Accounts

If set to true, creates an account on the resource when no matching Identity Manager user is found. If false, the account is not created unless the process rule is set and the workflow it identifies determines that a new account is warranted. The default is true. 

Populate Global

If set to true, populates the global namespace in addition to the activeSync namespace. The default value is false. 
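The precedence among these parameters decides whether a feed record is linked to an existing user, sent to a workflow, or results in a new account, so it is worth tracing before enabling a feed. The following is an added, simplified model of only what the table above states, not Identity Manager code: the policy key names, the sample users and records, and the "Manual Review" task name are constructed assumptions, and the Delete Rule is left out.

```python
def as_bool(value):
    """Rule results are Boolean-like: "true"/"1"/"yes" pass, "false"/"0"/None fail."""
    return value is not None and str(value).strip() in {"true", "1", "yes"}


def route_record(record, policy):
    """Decide what happens to one feed record under a synchronization policy."""
    # A Process Rule overrides every other setting and runs for each record.
    if policy.get("process_rule"):
        return ("run_process", policy["process_rule"])
    # Correlation is only consulted when no user already owns the account.
    if record.get("owner"):
        return ("matched", record["owner"])
    candidates = policy["correlation_rule"](record)
    confirm = policy.get("confirmation_rule")
    if confirm:
        candidates = [u for u in candidates if as_bool(confirm(u, record))]
    if len(candidates) == 1:
        return ("matched", candidates[0])
    resolver = policy.get("resolve_process_rule")
    if candidates:  # more than one match needs a resolve process
        return ("run_process", resolver) if resolver else ("unresolved", candidates)
    # No match: Create Unmatched Accounts defaults to true.
    if policy.get("create_unmatched", True):
        return ("create_account", record["accountId"])
    return ("run_process", resolver) if resolver else ("unresolved", [])


# Constructed sample data: two users share one e-mail address.
USERS = {"jdoe": "jdoe@example.com", "jdoe2": "jdoe@example.com",
         "asmith": "asmith@example.com"}


def by_email(record):
    """Correlation rule (assumed): every user whose e-mail equals the record's."""
    return [name for name, mail in USERS.items() if mail == record["email"]]


def same_name(user, record):
    """Confirmation rule (assumed): accept only an exact account-name match."""
    return "yes" if user == record["accountId"] else "0"


def demo():
    """Route three constructed records under a loose and a strict policy."""
    records = [
        {"accountId": "asmith", "email": "asmith@example.com"},
        {"accountId": "jdoe", "email": "jdoe@example.com"},
        {"accountId": "ghost", "email": "ghost@example.com"},
    ]
    loose = {"correlation_rule": by_email, "resolve_process_rule": "Manual Review"}
    strict = dict(loose, confirmation_rule=same_name, create_unmatched=False)
    return [(route_record(r, loose), route_record(r, strict)) for r in records]
```

Under the loose policy the unmatched "ghost" record leads straight to account creation because Create Unmatched Accounts defaults to true; the strict policy sends it to the resolve process instead.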

Security Notes

The Security Notes section provides connection and authorization information.

Supported Connections lists the type of connection used to communicate between Identity Manager and the resource. The following types of connections are commonly used:

Other connection types are possible.

Required Administrative Privileges lists the privileges the administrator account must have to create users and perform other tasks from within Identity Manager. The administrator account is specified on the Resource Attributes page.

For all Active Sync adapters, the administrator account must have read, write, and delete permissions on the directory specified in the Log File Path field in the Active Sync Running Settings.

Provisioning Notes

This section contains a table that summarizes the provisioning capabilities of the adapter. These capabilities include:

Account Attributes

The Account Attributes page, or schema map, maps Identity Manager account attributes to resource account attributes. The list of attributes varies for each resource. You should remove all unused attributes from the schema map page. If you add attributes, you will probably need to edit user forms or other code.

The Identity Manager User Attributes can be used in rules, forms, and other Identity Manager-specific functions. The Resource User Attributes are used only when the adapter communicates with the resource.

Identity Manager supports the following types of account attributes:


Note –

Binary attributes include graphic files, audio files, and certificates. Most resources do not support binary account attributes. Currently, only certain directory, flat file, and database adapters can process binary attributes. In your forms and workflows, make sure you do not attempt to push binary attributes to resources that do not support them. Consult the “Account Attributes” section of the adapter documentation to determine if binary attributes are supported for your adapter.

In addition, keep the file size for any file referenced in a binary attribute as small as possible. Loading extremely large graphics files, for example, can cause the performance of Identity Manager to decrease.


Most adapters do not support binary account attributes. Some adapters support binary attributes, such as graphics, audio, and certificates. Consult the “Account Attributes” section of the adapter documentation to determine if it is supported for your adapter.

name is a reserved word in views and should not be used as an Identity System User Attribute on resource schema maps.

Resource Object Management

Lists the objects on the resource that can be managed through Identity Manager.

Identity Template

Defines account name syntax for users. For most resources, the syntax is the same as the account ID. However, the syntax is different if the resource uses hierarchical namespaces.

Sample Forms

A form is an object associated with a page that contains rules about how the browser should display user view attributes on that page. Forms can incorporate business logic and are often used to manipulate view data before it is presented to the user.

Built-In Forms

Some forms are loaded into the Identity Manager repository by default. To view a list of forms in the repository, perform the following steps:

Procedure: Viewing a List of Forms in the Repository

  1. From a web browser, go to http://IdentityManagerHost/idm/debug

    The browser displays the System Settings page.

  2. From the options menu adjacent to List Objects, select Type: ResourceForm.

  3. Click List Objects. The List Objects of Type: ResourceForm page is displayed. This page lists all editable forms that reside in the Identity Manager repository.

Also Available

Identity Manager provides many additional forms that are not loaded by default. These forms are located in the InstallDir\idm\sample\forms\ directory.

Troubleshooting

Trace output can be helpful when identifying and resolving problems with any adapter. Generally, these are the steps you will follow when using tracing to help identify and resolve problems:

Procedure: Using trace

  1. Turn on tracing.

  2. Reproduce the problem and evaluate the results.

  3. Optionally turn tracing on for additional packages or classes, or turn up the tracing level and repeat steps 2 and 3 as needed.

  4. Turn off tracing.

To turn tracing on, follow these steps:

  1. Log in to Identity Manager as the Configurator account.

  2. Go to the Debug page: http://IdentityManagerHost:Port/idm/debug.

  3. Click Show Trace.

  4. Ensure that Trace Enabled is checked.

  5. Enter the full class name in the Method/Class text box.

  6. Enter a trace level (1-4). Each level captures different types of information:

    • 1, which identifies entry and exit of public methods, plus major exceptions.

    • 2, which identifies entry and exit of all methods.

    • 3, which identifies significant informational displays (such as the value of variables that control flow) that occur only once per method invocation.

    • 4, which identifies informational displays that occur n times per method invocation.

  7. Fill out the rest of the page as desired. Click Save when you are ready to begin tracing.

To disable tracing, either deselect the Show Trace option, or delete the class name from the Method/Class text box.