Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3
1 Resources Reference
This chapter describes the resource adapters that are provided with your Identity Manager installation.
The following table lists these adapters (sorted by type) and provides an overview of supported versions, Active Sync support, connection methods, and communication protocols for each adapter:
| Resource | Supported Versions | Active Sync Support | Gateway? | Communication Protocols |
|---|---|---|---|---|
| **CRM and ERP Systems** | | | | |
| Oracle Applications (see page 1-193) | Oracle Financials on Oracle Applications 11.5.9, 11.5.10 | No | No | JDBC |
| PeopleSoft Component (see page 1-227) | PeopleTools 8.1 – 8.42 with HRMS 8.0 – 8.8 | Yes: Smart polling, Listener | No | Client connection toolkit (Sync Only) |
| PeopleSoft Component Interface | PeopleTools 8.1 through 8.4. | No | No | Client connection toolkit (Read/Write) |
| SAP (see page 1-257) | SAP R/3 4.5, 4.6, 4.7 | No | No | BAPI via SAP Java Connector |
| | SAP HR 4.5, 4.6, 4.7 | Yes: Smart polling, Listener | | ALE |
| SAP Enterprise Portal (see page 1-283) | 6.20 SP2+ | No | No | SAP User Management Engine |
| Siebel CRM (see page 1-323) | 6.0, 7.0, 7.7 | No | No | Siebel Data API |
| **Databases** | | | | |
| DB2 (see page 1-95) | 7.0, 7.2, 8.1, 8.2 | No | No | JDBC, SSL |
| Microsoft SQL Server (see page 1-159) | 2000 | No | No | JDBC, SSL |
| MySQL (see page 1-165) | 4.1 | No | No | JDBC, SSL |
| Oracle (see page 1-193) | 9i, 10g | No | No | JDBC, SSL |
| Sybase (see page 1-343) | 12.x | No | No | JDBC, SSL |
| **Directories** | | | | |
| LDAP (see page 1-141) | 3.0 | Yes: Smart polling, Listener | No | LDAP v3, JNDI, SSL |
| Microsoft Active Directory (see page 1-45) | 2000 SP3, 2003 | Yes: Smart polling | Yes | ADSI |
| NetWare NDS (see page 1-175) | Netware 5.1 SP6; Netware 6.0 with eDirectory 8.7.1; Novell SecretStore 3.0 | Yes: Smart polling | Yes | NDS Client, LDAP, SSL |
| **Message Platforms** | | | | |
| Lotus Domino Gateway (see page 1-99) | 5.0, 6.5 | Yes: Smart polling | Yes | RMI, IIOP using Toolkit for Java, CORBA |
| Microsoft Exchange (see page 1-114) | 5.5 | No | Yes | ADSI |
| Novell GroupWise (see page 1-121) | 5.5, 6.0 | No | Yes | NDS Client, LDAP, SSL |
| **Miscellaneous** | | | | |
| Database Table (see page 1-89) | | Yes: Smart polling | No | JDBC |
| Flat File ActiveSync (see page 1-115) | | Yes: Smart polling (Internal Diff engine) | No | |
| INISafe Nexess (see page 1-131) | 1.1.5 | | | com.initech.eam.api Classes |
| JMS Listener (see page 1-135) | 1.1 or later | Yes | No | Varies, per resource |
| Microsoft Identity Integration Server (see page 1-155) | 2003 | No | No | JDBC |
| Remedy Help Desk (see page 1-251) | 4.5, 5.0 | Yes: Smart polling | Yes | Remedy APIs |
| Scripted Gateway (see page 1-287) | Not applicable | | Yes | Varies, per resource |
| Scripted Host (see page 1-293) | Not applicable | | No | TN3270 |
| Sun Java System Communications Services (see page 1-353) | | Yes | No | JNDI over SSL or TCP/IP |
| **Operating Systems** | | | | |
| AIX (see page 1-79) | 4.3.3, 5.2 | No | No | Telnet, SSH |
| HP-UX (see page 1-125) | 11.0, 11i v1, 11i v2 | No | No | Telnet, SSH |
| OS/400 (see page 1-205) | V4r3, V5r1 | No | No | Java toolkit for AS400 |
| Red Hat Linux (see page 1-245) | Linux 8.0, 9.0 | No | No | Telnet, SSH |
| | Advanced Server 2.1, 3.0, 4.0 | | | |
| Solaris (see page 1-337) | 2.7, 7, 8, 9, 10 | No | No | Telnet, SSH |
| SuSE Linux (see page 1-245) | Enterprise 9 | No | No | Telnet, SSH |
| Windows NT, 2000, and 2003 (see page 1-391) | NT, 2000, 2003 | No | Yes | ADSI |
| **Security Managers** | | | | |
| ACF2 (see page 1-25) | 6.4, 6.5sp2, TSO 5.2, 5.3, CICS 2.2 | No | No | Secure TN3270 |
| ActivCard (see page 1-39) | 5.0 (AIMS 3.6) | No | No | AIMS SDK, HTTPS |
| ClearTrust (see page 1-85) | 5.01 | No | No | Server Proxy API, JNDI, SSL |
| Natural (see page 1-169) | | No | No | Secure TN3270 |
| RACF (see page 1-237) | 1.x, 2.x | No | No | Secure TN3270 |
| SecurID ACE/Server (see page 1-313) | 5.0, 6.0 for Windows | No | Yes | SecurID Admin API |
| | 5.1, 6.0 for UNIX | | | SecurID TCL Interface |
| Top Secret (see page 1-375) | 5.3 | Yes: Smart polling (Filtered TSS Audit Events) | No | Secure TN3270 |
| **Web Single Sign On (SSO)** | | | | |
| IBM/Tivoli Access Manager (see page 1-17) | 4.1, 5.1 | No | No | JNDI, SSL |
| Netegrity Siteminder (see page 1-331) | Admin 5.5 | No | No | Netegrity SDK, JNDI, SSL |
| | LDAP 5.5 | | | JNDI, SSL |
| | Table 5.5 | | | JDBC, JNDI, SSL |
| Sun Java System Access Manager (see page 1-343) | Sun ONE Identity Server 6.0, 6.1, 6.2 | No | No | JNDI, SSL |
| | Sun Java System Identity Server 2004Q2 | No | No | JNDI, SSL |
| | Sun Java System Access Manager 6 2005Q1, 7 2005Q4 | | | |

Note: Support for the Microsoft Exchange 5.5 resource adapter has been deprecated. Use the Active Directory resource for Exchange 2000/2003, which is integrated with Exchange.

Note: Support for the Sun ONE Identity Server resource adapter has been deprecated. Use the Sun Java System Access Manager resource adapter instead.
Note: The Identity Manager adapters can often be used in their default state.
To enable an adapter:
- Follow the installation and configuration procedures provided in the adapter’s Identity Manager Installation Notes section in this chapter.
- Add the resource to Identity Manager by using the Resource Wizard, as described in Sun Java System Identity Manager Administration.
Note: See Sun Java System Identity Manager Data Loading and Synchronization for information about customizing adapters.
How the Adapter Sections are Organized
The resource adapter sections in this chapter are organized as follows:
- Introduction — Lists supported resource versions. (Refer to the Readme file supplied with your latest service pack version for updates to this list.)
- Resource Configuration Notes — Lists additional steps you must perform on the resource to allow you to manage the resource from Identity Manager.
- Identity Manager Installation Notes — Details the installation and configuration steps that you must follow to work with the resource.
- Usage Notes — Lists dependencies and limitations related to using the resource.
- Security Notes — Describes the types of connection supported as well as the authorizations needed on the resource to perform basic tasks.
- Provisioning Notes — Lists whether the adapter can perform tasks such as enable/disable accounts, rename accounts, and whether it allows pass-through authentication.
- Account Attributes — Describes default user attributes supported for the resource.
- Resource Object Management — Lists objects the adapter can manage.
- Identity Template — Provides notes about how to construct or work with the resource identity template.
- Sample Forms — Shows the location of a sample form you can use to construct a custom Create/Update User form. Unless otherwise indicated, sample forms are located in the InstallDir\idm\sample\forms\ directory.
- Troubleshooting — Lists the classes that can be used for tracing and debugging.
A detailed description of each topic is provided in the remainder of this section.
Topic Descriptions
This section describes the information provided for each adapter, and the topics are organized as follows:
Introduction
The introductory section lists the versions of the resource supported by the adapter. Other versions might be supported, but they have not been tested.
This section also lists the adapter’s Java class name. The class name is always used for tracing. In addition, if the resource is a custom resource, the class name must be specified on the Configure Managed Resources page. See Identity Manager Installation Notes on page 1-7 for more information about custom resources.
Some resources have multiple adapters. For example, Identity Manager provides adapters for Windows Active Directory and Windows Active Directory ActiveSync. In these cases, a table similar to the following is listed in the introductory section:
| GUI Name | Class Name |
|---|---|
| Windows 2000 / Active Directory | com.waveset.adapter.ADSIResourceAdapter |
| Windows 2000 / Active Directory ActiveSync | com.waveset.adapter.ActiveDirectoryActiveSyncAdapter |
The GUI name is displayed on the drop-down menu on the Resources page. Once the resource has been added to Identity Manager, this name is also displayed in the resource browser.
Resource Configuration Notes
This section lists additional steps you must perform on the resource to allow you to manage the resource from Identity Manager. (It is assumed that the resource is fully functional before you attempt to establish a connection with Identity Manager.) If there are no configuration tasks, the section will be blank or say “None”.
Identity Manager Installation Notes
From an installation perspective, there are two types of adapters:
Identity Manager adapters do not require additional installation procedures. Use the following steps to display the resource on the drop-down menu on the Resource page:
Custom adapters require additional installation procedures. Typically, you must copy one or more jar files to the InstallDir\idm\WEB-INF\lib directory and add the adapter’s Java class to the list of adapters. The jar files are usually available on the installation media, or via download on the internet.
The following example from the DB2 resource adapter illustrates this procedure:
- Copy the db2java.jar file to the InstallDir\idm\WEB-INF\lib directory.
- From the Identity Manager Administrative interface, click Configure, and then click Managed Resources.
- Click the Add Custom Resource button near the bottom of the page.
- Enter the full class name of the adapter in the bottom text box, such as com.waveset.adapter.DB2ResourceAdapter.
- Click the Save button at the bottom of the page.
The following table lists the adapters that require jar files to be installed on the Identity Manager server.
Usage Notes
This section lists dependencies and limitations related to using the resource. The contents of this section vary between adapters.
Active Sync Configuration
This section provides resource-specific configuration information that can be viewed on the General Active Sync Settings page of the Active Sync Wizard. The following attributes are applicable to most Active Sync adapters.
Security Notes
The Security Notes section provides connection and authorization information.
Supported Connections - Lists the type of connection used to communicate between Identity Manager and the resource. The following types of connections are commonly used:
Other connection types are possible.
Required Administrative Privileges - Lists the privileges the administrator account must have to create users and perform other tasks from within Identity Manager. The administrator account is specified on the Resource Attributes page.
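A review aid for the connection types listed in this chapter, as an added example that is not part of the Identity Manager documentation or product: it ranks adapters by whether their listed protocols include an unencrypted transport. The sample rows are copied from the Communication Protocols column of the table in this chapter; the token sets and finding labels are assumptions of this example.

```python
import re

# Sample rows copied from this chapter's table (adapter -> protocols cell).
ADAPTER_PROTOCOLS = {
    "AIX": "Telnet, SSH",
    "Solaris": "Telnet, SSH",
    "Scripted Host": "TN3270",
    "RACF": "Secure TN3270",
    "LDAP": "LDAP v3, JNDI, SSL",
    "Database Table": "JDBC",
    "Sun Java System Communications Services": "JNDI over SSL or TCP/IP",
}

# Assumption of this example: which listed tokens denote a protected channel
# and which denote an unprotected one. Extend both sets for your deployment.
ENCRYPTED = {"ssl", "ssh", "https", "secure tn3270"}
CLEARTEXT = {"telnet", "tn3270", "tcp/ip"}
SEVERITY = {"cleartext-only": 0, "cleartext-option": 1,
            "no-encryption-listed": 2, "encrypted-listed": 3}

def tokens(cell):
    """Split a protocols cell on commas, 'or' and 'over' into lowercase tokens."""
    parts = re.split(r",|\bor\b|\bover\b", cell, flags=re.IGNORECASE)
    return [p.strip().lower() for p in parts if p.strip()]

def classify(cell):
    """Return (finding, tokens that caused it) for one protocols cell."""
    toks = tokens(cell)
    clear = sorted(t for t in toks if t in CLEARTEXT)
    enc = sorted(t for t in toks if t in ENCRYPTED)
    if clear and enc:
        # Both are offered: confirm the resource is configured for the encrypted one.
        return "cleartext-option", clear
    if clear:
        return "cleartext-only", clear
    if enc:
        # Listed means supported, not enforced; still verify the resource settings.
        return "encrypted-listed", enc
    return "no-encryption-listed", toks

def review(inventory):
    """Return (adapter, finding, tokens) rows, most urgent finding first."""
    rows = [(name, *classify(cell)) for name, cell in inventory.items()]
    return sorted(rows, key=lambda r: (SEVERITY[r[1]], r[0]))

if __name__ == "__main__":
    for name, finding, why in review(ADAPTER_PROTOCOLS):
        print(f"{finding:22} {name}: {', '.join(why)}")
```

Feed it only the adapters actually configured in a deployment, then compare each finding with the connection type selected in that adapter's Security Notes.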
Provisioning Notes
This section contains a table that summarizes the provisioning capabilities of the adapter. These capabilities include:
- Enable/Disable Account — The ability to enable and disable user accounts is determined by the resource. For example, on some UNIX systems, an account is disabled by changing the password to a random value.
- Rename Account — The ability to rename user accounts is determined by the resource.
- Pass-Through Authentication — An Identity Manager feature that enables resource users to log in to the Identity Manager User interface.
- Before/After Actions — Actions are scripts that run within the context of a managed resource, if native support exists for scripted actions.
For example, on UNIX systems, actions are sequences of UNIX shell commands. In Microsoft Windows environments, actions are DOS-style console commands that can execute within the CMD console.
- Data Loading Methods — Indicates how data can be loaded into Identity Manager. The following methods are supported:
  - ActiveSync — Allows information that is stored in an “authoritative” external resource (such as an application or database) to synchronize with Identity Manager user data. The adapter can push or pull resource account changes into Identity Manager.
  - Discovery (load from resource) — Initially pulls resource accounts into Identity Manager, without viewing before loading. Resource account information can also be imported from or exported to a file.
  - Reconciliation — Periodically pulls resource accounts into Identity Manager, taking action on each account according to configured policy. Use the reconciliation feature to highlight inconsistencies between the resource accounts on Identity Manager and the accounts that actually exist on a resource, and to periodically correlate account data.
Account Attributes
The account attributes, or schema map, maps Identity Manager account attributes to resource account attributes. The list of attributes varies for each resource. You may remove unused attributes from the schema map page. However, adding attributes might require editing the user forms or other code.
The Identity Manager User Attributes can be used in rules, forms, and other Identity Manager-specific functions. The Resource User Attributes are used only when the adapter communicates with the resource.
Resource Object Management
Lists the objects on the resource that can be managed through Identity Manager.
Identity Template
Defines account name syntax for users. For most resources, the syntax is the same as the account ID. However, the syntax is different if the resource uses hierarchical namespaces.
Sample Forms
A form is an object associated with a page that contains rules about how the browser should display user view attributes on that page. Forms can incorporate business logic and are often used to manipulate view data before it is presented to the user.
Forms can be edited with the Identity Manager Business Process Editor (BPE). The BPE is a standalone, Swing-based Java application that allows you to create and edit forms. By selecting form and field definitions from various dialogs and menus, you can quickly customize the content and appearance of Identity Manager pages. For more information, see the Identity Manager Workflows, Forms, and Views.
Built-In Forms
Some forms are loaded into the Identity Manager repository by default. To view a list of forms in the repository, perform the following steps:
- From a web browser, go to http://IdentityManagerHost/idm/debug
The browser displays the System Settings page.
- From the options menu adjacent to List Objects, select Type: ResourceForm.
- Click List Objects. The List Objects of Type: ResourceForm page is displayed. This page lists all editable forms that reside in the Identity Manager repository.
Also Available
Identity Manager provides many additional forms that are not loaded by default. These forms are located in the InstallDir\idm\sample\forms\ directory.
Troubleshooting
Trace output can be helpful when identifying and resolving problems with any adapter. Generally, these are the steps you will follow when using tracing to help identify and resolve problems:
To turn tracing on, follow these steps:
- Log in to Identity Manager as the Configurator account
- Go to the Debug page: http://IdentityManagerHost/idm/debug
- Click Show Trace
- Ensure that Trace Enabled is checked
- Enter the full class name in the Method/Class text box.
- Enter a trace level (1-4). Each level captures different types of information:
- Fill out the rest of the page as desired. Click Save when you are ready to begin tracing.
To disable tracing, either deselect the Show Trace option, or delete the class name from the Method/Class text box.