3 Using the RSA Authentication Manager Connector

This chapter is divided into the following sections:

3.1 Performing First-Time Reconciliation

First-time reconciliation involves synchronizing lookup definitions in Oracle Identity Manager with the lookup fields of the target system, and performing full reconciliation. In full reconciliation, all existing user records from the target system are brought into Oracle Identity Manager.

The following is the sequence of steps involved in reconciling all existing user records:

  1. Perform lookup field synchronization by running the scheduled jobs provided for this operation.
  2. Perform user and token reconciliation by running the scheduled jobs for user and token reconciliation.

After first-time reconciliation, the Last Execution Timestamp attribute of the scheduled job is automatically set to the time stamp at which the reconciliation run began.

From the next reconciliation run onward, only target system user records that are added or modified after the time stamp stored in the scheduled job are considered for incremental reconciliation. These records are brought to Oracle Identity Manager when you configure and run the user reconciliation scheduled job.

3.2 Scheduled Job for Lookup Field Synchronization

The following scheduled jobs are used for lookup fields synchronization:

  • RSAAM TokenSerial Lookup Reconciliation

  • RSAAM SecurityDomain Lookup Reconciliation

  • RSAAM RadiusProfile Lookup Reconciliation

  • RSAAM IdentitySource Lookup Reconciliation

  • RSAAM UserGroup Lookup Reconciliation

  • RSAAM AdminRole Lookup Reconciliation

You must specify values for the attributes of these scheduled jobs. Table 3-1 describes these attributes; see Scheduled Jobs for the procedure to configure scheduled jobs.

Table 3-1 Attributes of the Scheduled Jobs for Lookup Field Synchronization

Attribute Description

Code Key Attribute

Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: __UID__

Note: Do not change the value of this attribute.

Decode Attribute

Name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: __NAME__

Note: Do not change the value of this attribute.

IT Resource Name

Enter the name of the IT resource for the target system installation from which you want to reconcile user records.

Default value: RSA Server Instance

Lookup Name

Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system.

Depending on the scheduled job that you are using, the default values are as follows:

  • For TokenSerial Lookup Reconciliation: Lookup.RSAAM.TokenSerial

  • For SecurityDomain Lookup Reconciliation: Lookup.RSAAM.SecurityDomain

  • For RadiusProfile Lookup Reconciliation: Lookup.RSAAM.RadiusProfile

  • For IdentitySource Lookup Reconciliation: Lookup.RSAAM.IdentitySource

  • For UserGroup Lookup Reconciliation: Lookup.RSAAM.UserGroup

  • For AdminRole Lookup Reconciliation: Lookup.RSAAM.AdminRole

Object Type

Enter the type of object you want to reconcile.

Depending on the scheduled job that you are running, the default value is one of the following:

  • For TokenSerial Lookup Reconciliation: TokenSerial

  • For SecurityDomain Lookup Reconciliation: SecurityDomain

  • For RadiusProfile Lookup Reconciliation: RadiusProfile

  • For IdentitySource Lookup Reconciliation: IdentitySource

  • For UserGroup Lookup Reconciliation: UserGroup

  • For AdminRole Lookup Reconciliation: AdminRole

Resource Object Name

Name of the resource object that is used for reconciliation.

Default value: RSA Auth Manager User

3.3 Configuring Reconciliation

Reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

3.3.1 Full Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Manager.

To perform a full reconciliation run, the Latest Token and Filter attributes of the scheduled jobs for reconciling user records must be left empty.

At the end of the reconciliation run, the Latest Token attribute of the scheduled job for user record reconciliation is automatically set to the time stamp at which the run ended. From the next reconciliation run onward, only records created or modified after this time stamp are considered for reconciliation. This is incremental reconciliation.

Note:

Incremental reconciliation picks up a change made in the target system only when that change also updates the incremental reconciliation attribute (the attribute that holds the date on which the record was modified). For example, during user reconciliation, updates to the fields on the Authentication Settings page (including radius profiles) and group updates are not reconciled as part of incremental reconciliation; a full reconciliation must be performed to bring these changes into Oracle Identity Manager.

3.3.2 Limited Reconciliation

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.

You can perform limited reconciliation by creating filters for the reconciliation module. The connector provides a Filter attribute (a scheduled job attribute) that allows you to use any of the RSA Authentication Manager resource attributes to filter the target system records.

The following RSA Authentication Manager attributes are supported for filtering:

  • For User Reconciliation:

    • CERT_DN

    • EMAIL

    • FIRST_NAME

    • LAST_NAME

    • LOGINUID

    • MIDDLE_NAME

    • PASSWORD

    • ADMINISTRATOR_FLAG

    • PROXIED_AUTHENTICATORS

    • CHANGE_PASSWORD_DATE

    • CHANGE_PASSWORD_FLAG

    • DESCRIPTION

    • ENABLE_FLAG

    • EXPIRATION_DATE

    • EXPIRE_LOCKOUT_DATE

    • EXPIRE_EMERGENCY_LOCKOUT_DATE

    • FAIL_EMERGENCY_COUNT

    • FAIL_EMERGENCY_DATE

    • FAIL_PASSWORD_COUNT

    • FAIL_PASSWORD_DATE

    • IDENTITY_SRC_ID

    • IMPERSONATABLE_FLAG

    • IMPERSONATOR_FLAG

    • LAST_UPDATED_BY

    • LAST_UPDATED_ON

    • LOCKOUT_FLAG

    • EMERGENCY_LOCKOUT_FLAG

    • LOGIN_FAILURE_COUNT

    • OWNER_ID

    • SECURITY_QUES_ANSWERS

    • SECURITY_QUES_REQUIRED_AUTHN

    • SECURITY_QUES_REQUIRED_REG

    • SECURITY_QUES_LANGUAGE

    • SECURITY_QUES_COUNTRY

    • SECURITY_QUES_VARIANT

    • START_DATE

    In addition, all extended attributes that are added in the target system through customization are supported for filtering.

  • For Token Reconciliation:

    • assignedBy

    • tokenAssignedDate

    • assignedToken

    • enabled

    • tokenShutdownDate

    • importedBy

    • importedOn

    • lastExportedBy

    • lastExportedOn

    • tokenRuntime.lastLoginDate

    • lastUpdatedBy

    • lastUpdatedOn

    • tokenLost

    • replacedByToken

    • pinType

    • serialNumber

    • softidDeployed

    • tokenType

Note:

While entering filters in the scheduled job for user and token reconciliation, the attribute name must be written exactly as the decode value in the reconciliation attribute map.

See User Fields for Target Resource Reconciliation and Token Fields for Target Resource Reconciliation for decode values that need to be specified for user and token reconciliation.

In addition, during token reconciliation, use the token attributes of the ListTokenDTO target class, not those of the TokenDTO target class.

Following are a few examples:

  • To reconcile all users whose login id is like 'jo*', use filter startsWith('__NAME__','jo')

  • To reconcile all users whose email is like '*@company.com', use filter endsWith('email;IMS;Core;String;EMAIL','@company.com')

  • To reconcile all tokens whose serialnumber is like '0002219*', use filter startsWith('__NAME__','0002219')

  • To reconcile all tokens which are marked as lost, use filter equalTo('tokenLost;ListTokenDTO;Core;boolean;tokenLost', true)
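The filter values above follow the grammar given for the Filter attribute in Tables 3-2 and 3-3. The following Python parser and evaluator is an added example, not connector code or part of the original page: it parses a Filter value into predicate terms, applies it to constructed sample records keyed by the decode values from the examples, and rejects an attribute name that is not in the attribute map, which is the mistake the note above warns about. How the predicates treat non-string values, and left-to-right evaluation of an and/or chain, are assumptions of this example.

```python
import re

# Predicates of the Filter grammar in Tables 3-2 and 3-3; how they treat non-string values is assumed.
PREDICATES = {
    "equalTo": lambda a, v: a == v,
    "contains": lambda a, v: str(v) in str(a),
    "containsAllValues": lambda a, v: set(v) <= set(a),
    "startsWith": lambda a, v: str(a).startswith(str(v)),
    "endsWith": lambda a, v: str(a).endswith(str(v)),
    "greaterThan": lambda a, v: a > v,
    "greaterThanOrEqualTo": lambda a, v: a >= v,
    "lessThan": lambda a, v: a < v,
    "lessThanOrEqualTo": lambda a, v: a <= v,
}
SCALAR = r"'[^']*'|-?\d+|true|false"  # singleValue = 'value'; unquoted true/false and integers also accepted
FILTER_RE = re.compile(rf"\s*(not\s+)?(\w+)\s*\(\s*'([^']*)'\s*,\s*(\[[^\]]*\]|{SCALAR})\s*\)")
OPERATOR_RE = re.compile(r"\s*(and|or)\b")  # operator = 'and' | 'or'


def parse_scalar(raw):
    if raw.startswith("'"):
        return raw[1:-1]
    return raw == "true" if raw in ("true", "false") else int(raw)


def parse_value(raw):  # multipleValues = '[' 'value_1' ( ',' 'value_n' )* ']'
    if raw.startswith("["):
        return [parse_scalar(s) for s in re.findall(SCALAR, raw[1:-1])]
    return parse_scalar(raw)


def parse_filter(text):
    """Parse 'syntax = expression ( operator expression )*' into [term, op, term, ...]."""
    text, pos, terms = text.strip(), 0, []
    while True:
        m = FILTER_RE.match(text, pos)  # expression = ( 'not' )? predicate '(' 'attributeName' ',' value ')'
        if not m:
            raise ValueError(f"bad filter syntax at offset {pos}: {text[pos:pos + 20]!r}")
        negate, name, attr, raw = m.groups()
        if name not in PREDICATES:
            raise ValueError(f"unknown predicate {name!r}")
        terms.append((bool(negate), name, attr, parse_value(raw)))
        pos = m.end()
        if pos == len(text):
            return terms
        op = OPERATOR_RE.match(text, pos)
        if not op:
            raise ValueError(f"expected 'and' or 'or' at offset {pos}")
        terms.append(op.group(1))
        pos = op.end()


def evaluate(terms, record):
    """Apply a parsed filter to one target record; and/or terms combine left to right (assumption)."""
    def holds(term):
        negate, name, attr, value = term
        if attr not in record:  # the attribute name must equal a decode value of the attribute map
            raise KeyError(f"{attr!r} is not a decode value in the reconciliation attribute map")
        return PREDICATES[name](record[attr], value) != negate  # != applies the optional 'not'
    result = holds(terms[0])
    for op, term in zip(terms[1::2], terms[2::2]):
        result = (result and holds(term)) if op == "and" else (result or holds(term))
    return result


def select(filter_text, records):  # __NAME__ of every record the Filter keeps for reconciliation
    terms = parse_filter(filter_text)
    return [r["__NAME__"] for r in records if evaluate(terms, r)]


# Constructed sample records keyed by the decode values used in the examples above (not real data).
USERS = [
    {"__NAME__": "john.doe", "email;IMS;Core;String;EMAIL": "john.doe@company.com"},
    {"__NAME__": "jones", "email;IMS;Core;String;EMAIL": "jones@partner.example"},
    {"__NAME__": "asmith", "email;IMS;Core;String;EMAIL": "asmith@company.com"},
]
TOKENS = [
    {"__NAME__": "000221901234", "tokenLost;ListTokenDTO;Core;boolean;tokenLost": True},
    {"__NAME__": "000300000001", "tokenLost;ListTokenDTO;Core;boolean;tokenLost": False},
]
```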

3.3.3 Batched Reconciliation

This section discusses the Batch Size, Batch Start, and Number of Batches attributes of the scheduled jobs for target resource reconciliation.

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

You can configure batched reconciliation to avoid such problems.

The following are the attributes used to configure batched reconciliation:

  • Batch Size: Use this attribute to specify the number of records that must be included in each batch.

    If you set the value of this attribute to 0, then the defaultbatchsize entry of the main configuration lookup (Lookup.RSAAM.Configuration) is considered as the batch size for batched reconciliation. Any numeric value other than 0 takes precedence over the defaultbatchsize entry.

  • Batch Start: Use this attribute to specify the record number from which batched reconciliation must begin.

    Set the value of this attribute to 0 to begin reconciliation from the first record in the target system. Similarly, set the value of this attribute to 1 to begin reconciliation from the second record in the target system and so on.

  • Number of Batches: Use this attribute to specify the total number of batches that must be reconciled. The default value of this attribute is 0. This implies that the connector fetches records in the maximum possible number of batches from the target system. In other words, all records starting from the record specified in the Batch Start attribute to the last record available in the target system are fetched. Any other valid number limits the number of batches to that specified value.

To configure batched reconciliation for tokens, specify values for all the above attributes of the RSAAM Token Target Reconciliation scheduled job.

To configure batched reconciliation for users, specify a value for the Batch Size attribute of the RSAAM User Target Reconciliation scheduled job.
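As an added illustration (not connector code), the following Python function computes which record ranges a batched run fetches from the Batch Size, Batch Start, and Number of Batches values described above, including the meaning of 0 for each; the record count, the defaultbatchsize value, and the resume scenario are constructed for the example.

```python
def plan_batches(total_records, batch_size=0, batch_start=0, number_of_batches=0, default_batch_size=200):
    """Return the 0-based [first, last] record ranges a batched reconciliation run fetches.

    Batch Start 0 is the first record and 1 the second, as in the scheduled job attributes.
    default_batch_size stands in for the defaultbatchsize entry of Lookup.RSAAM.Configuration
    (200 is a constructed value for this example).
    """
    if min(batch_size, batch_start, number_of_batches) < 0:
        raise ValueError("batch attributes must be 0 or a positive integer")
    size = batch_size or default_batch_size  # Batch Size 0 -> fall back to defaultbatchsize
    batches, start = [], batch_start
    # Number of Batches 0 -> keep fetching until the last record available in the target system.
    while start < total_records and (number_of_batches == 0 or len(batches) < number_of_batches):
        end = min(start + size, total_records)
        batches.append((start, end - 1))
        start = end
    return batches


def resume_start(batch_size, batches_completed, batch_start=0):
    """Batch Start to use when re-running after the connection broke with N batches already done."""
    return batch_start + batches_completed * batch_size


if __name__ == "__main__":
    # Constructed scenario: 1,000 target records, batches of 300, connection lost after 2 batches.
    print(plan_batches(1000, batch_size=300))  # [(0, 299), (300, 599), (600, 899), (900, 999)]
    print(plan_batches(1000, batch_size=300, batch_start=resume_start(300, 2)))  # [(600, 899), (900, 999)]
```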

See Also:

Scheduled Jobs for Reconciliation of Token and User Records for more information about the RSAAM Token Target Reconciliation and RSAAM User Target Reconciliation scheduled jobs

3.3.4 Reconciliation Scheduled Jobs

When you run the Connector Installer, the scheduled tasks corresponding to the following scheduled jobs are automatically created in Oracle Identity Manager:

3.3.4.1 Scheduled Jobs for Reconciliation of Token and User Records

Depending on whether you want to implement target resource reconciliation for tokens or users, you must specify values for the attributes of one of the following scheduled jobs:

  • RSAAM Token Target Reconciliation

    This scheduled job is used to reconcile token data for assigned tokens.

    Table 3-2 describes the attributes of the scheduled job for reconciliation of token records.

    Table 3-2 Attributes of the Scheduled Jobs for Reconciliation of Token Records

    Attribute Description

    Batch Size

    Enter the number of records that must be included in each batch fetched from the target system.

    Default value: 0

    This attribute is used in conjunction with the Batch Start and Number of Batches attributes. All these attributes are discussed in Batched Reconciliation.

    Batch Start

    Enter the number of the target system record from which a batched reconciliation run must begin.

    Default value: 0

    This attribute is used in conjunction with the Batch Size and Number of Batches attributes. All these attributes are discussed in Batched Reconciliation.

    Filter

    Expression for filtering records. Use the following syntax:

    syntax = expression ( operator expression )*
    operator = 'and' | 'or'
    expression = ( 'not' )? filter
    filter = ( 'equalTo' | 'contains' | 'containsAllValues' | 'startsWith' | 'endsWith'
             | 'greaterThan' | 'greaterThanOrEqualTo' | 'lessThan' | 'lessThanOrEqualTo' )
             '(' 'attributeName' ',' attributeValue ')'
    attributeValue = singleValue | multipleValues
    singleValue = 'value'
    multipleValues = '[' 'value_1' ( ',' 'value_n' )* ']'

    Default value: None

    Incremental Recon Attribute

    Attribute that holds the date on which the token record was modified.

    Default value: lastUpdatedOn;TokenDTO;Core;Date;lastUpdatedOn

    Note: Do not change the value of this attribute.

    IT Resource Name

    Name of the IT resource instance that the connector must use to reconcile data.

    Sample value: RSA Server Instance

    Latest Token

    This attribute holds the value of the attribute that is specified as the value of the Incremental Recon Attribute attribute. The Latest Token attribute is used for internal purposes. By default, this value is empty.

    Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute.

    Sample value: 1354753427000

    Number of Batches

    Enter the number of batches that must be reconciled.

    Default value: 0

    This attribute is used in conjunction with the Batch Size and Batch Start attributes. All these attributes are discussed in Batched Reconciliation.

    Object Type

    This attribute holds the type of object you want to reconcile.

    Default value: Token

    Resource Object Name

    Enter the name of the resource object against which reconciliation runs must be performed.

    Default value: RSA Auth Manager Token.

    Scheduled Task Name

    Name of the scheduled task used for reconciliation.

    Default value: RSAAM Token Target Reconciliation.

  • RSAAM User Target Reconciliation

    This scheduled job is used to reconcile user data in the target resource (account management) mode of the connector.

    Table 3-3 describes the attributes of the scheduled job for reconciliation of user records.

    Table 3-3 Attributes of the Scheduled Jobs for Reconciliation of User Records

    Attribute Description

    Batch Size

    Enter the number of records that must be included in each batch fetched from the target system.

    Default value: 0

    Filter

    Expression for filtering records. Use the following syntax:

    syntax = expression ( operator expression )*
    operator = 'and' | 'or'
    expression = ( 'not' )? filter
    filter = ( 'equalTo' | 'contains' | 'containsAllValues' | 'startsWith' | 'endsWith'
             | 'greaterThan' | 'greaterThanOrEqualTo' | 'lessThan' | 'lessThanOrEqualTo' )
             '(' 'attributeName' ',' attributeValue ')'
    attributeValue = singleValue | multipleValues
    singleValue = 'value'
    multipleValues = '[' 'value_1' ( ',' 'value_n' )* ']'

    Default value: None

    IT Resource Name

    Name of the IT resource instance that the connector must use to reconcile data.

    Sample value: RSA Server Instance

    Object Type

    This attribute holds the type of object you want to reconcile.

    Default value: User

    Resource Object Name

    Enter the name of the resource object against which reconciliation runs must be performed.

    Default value: RSA Auth Manager User.

    Incremental Recon Attribute

    Attribute that holds the date on which the user record was modified.

    Default value: lastModifiedOn;IMS;Core;Date;LAST_UPDATED_ON

    Note: Do not change the value of this attribute.

    Latest Token

    This attribute holds the value of the attribute that is specified as the value of the Incremental Recon Attribute attribute. The Latest Token attribute is used for internal purposes. By default, this value is empty.

    Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute.

    Sample value: 1354753427000

    Scheduled Task Name

    Name of the scheduled task used for reconciliation.

    Default value: RSAAM User Target Reconciliation.

3.3.4.2 Scheduled Jobs for Reconciliation of Deleted Token and User Records

Depending on whether you want to implement target resource delete reconciliation for tokens or users, you must specify values for the attributes of one of the following scheduled jobs:

  • RSAAM Token Target Delete Reconciliation

    This scheduled job is used to reconcile unassigned token data in the target source (identity management) mode of the connector. After the completion of this scheduled job, all the unassigned tokens are revoked in Oracle Identity Manager.

    Table 3-4 describes the attributes of the scheduled job for reconciliation of deleted token records.

    Table 3-4 Attributes of the Scheduled Jobs for Delete Token Reconciliation

    Attribute Description

    IT Resource Name

    Name of the IT resource instance that the connector must use to reconcile data.

    Sample value: RSA Server Instance

    Object Type

    This attribute holds the type of object you want to reconcile.

    Default value: Token

    Resource Object Name

    Enter the name of the resource object against which reconciliation runs must be performed.

    Default value: RSA Auth Manager Token.

  • RSAAM User Target Delete Reconciliation

    This scheduled job is used to reconcile deleted user data in the target source (identity management) mode of the connector.

    Table 3-5 describes the attributes of the scheduled job for reconciliation of deleted user records.

    Table 3-5 Attributes of the Scheduled Jobs for Delete User Reconciliation

    Attribute Description

    IT Resource Name

    Name of the IT resource instance that the connector must use to reconcile data.

    Sample value: RSA Server Instance

    Object Type

    This attribute holds the type of object you want to reconcile.

    Default value: User

    Resource Object Name

    Enter the name of the resource object against which reconciliation runs must be performed.

    Default value: RSA Auth Manager User.

3.4 Scheduled Jobs

The following sections provide detailed information about scheduled jobs that must be configured along with the procedure to configure them for lookup field synchronization and reconciliation:

3.4.1 Scheduled Jobs for Lookup Field Synchronization and Reconciliation

All scheduled jobs that must be configured are listed in Table 3-6.

Table 3-6 Scheduled Jobs for Lookup Field Synchronization and Reconciliation

Scheduled Task Description

RSAAM Token Serial Lookup Reconciliation

This scheduled job is used to synchronize values of the token serial lookup fields between Oracle Identity Manager and the target system. See Scheduled Job for Lookup Field Synchronization for information about this scheduled job.

RSAAM Security Domain Lookup Reconciliation

This scheduled job is used to synchronize values of the security domain lookup fields between Oracle Identity Manager and the target system. See Scheduled Job for Lookup Field Synchronization for information about this scheduled job.

RSAAM Radius Profile Lookup Reconciliation

This scheduled job is used to synchronize values of the radius profile lookup fields between Oracle Identity Manager and the target system. See Scheduled Job for Lookup Field Synchronization for information about this scheduled job.

RSAAM Identity Source Lookup Reconciliation

This scheduled job is used to synchronize values of the identity source lookup fields between Oracle Identity Manager and the target system. See Scheduled Job for Lookup Field Synchronization for information about this scheduled job.

RSAAM User Group Lookup Reconciliation

This scheduled job is used to synchronize values of the user group lookup fields between Oracle Identity Manager and the target system. See Scheduled Job for Lookup Field Synchronization for information about this scheduled job.

RSAAM Admin Role Lookup Reconciliation

This scheduled job is used to synchronize values of the admin role lookup fields between Oracle Identity Manager and the target system. See Scheduled Job for Lookup Field Synchronization for information about this scheduled job.

RSAAM User Target Reconciliation

This scheduled job is used to fetch user data during target resource reconciliation. See Reconciliation Scheduled Jobs for information about this scheduled job.

RSAAM Token Target Reconciliation

This scheduled job is used to fetch token data during target resource reconciliation. See Reconciliation Scheduled Jobs for information about this scheduled job.

RSAAM User Target Delete Reconciliation

This scheduled job is used to fetch data about deleted users during target resource reconciliation. During a reconciliation run, for each deleted user record on the target system, the RSA Authentication Manager user resource for the corresponding OIM User is revoked. See Reconciliation Scheduled Jobs for information about this scheduled job.

RSAAM Token Target Delete Reconciliation

This scheduled job is used to fetch data about deleted tokens during target resource reconciliation. During a reconciliation run, for each deleted token record on the target system, the token for the corresponding OIM User is revoked. See Reconciliation Scheduled Jobs for information about this scheduled job.

3.4.2 Configuring Scheduled Jobs

This section describes the procedure to configure scheduled jobs. You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation:

  1. Log in to Oracle Identity System Administration.

  2. In the left pane, under System Management, click Scheduler.

  3. Search for and open the scheduled job as follows:

    1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.

    2. In the search results table on the left pane, click the scheduled job in the Job Name column.

  4. On the Job Details tab, you can modify the following parameters:

    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.

    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.

      Note:

      See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about schedule types.

    In addition to modifying the job details, you can enable or disable a job.

  5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled job.

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

  6. Click Apply to save the changes.

    Note:

    The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.

3.5 Guidelines On Performing Provisioning Operations

The following is a guideline that you must apply while performing a provisioning operation:

During a provisioning operation, if you do not specify values or clear all the existing values for the Account Expire Date, Account Expire Hours, and Account Expire Minutes fields, then the corresponding account in the target system is set to Does Not Expire.

3.6 Performing Provisioning Operations

To perform provisioning operations in Oracle Identity Manager:

  1. Log in to Oracle Identity Administrative and User console.

  2. Create a user. See Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager.

  3. On the Account tab, click Request Accounts.

  4. In the Catalog page, search for and add to cart the application instance created for the RSA Server Instance IT resource (in Creating an Application Instance), and then click Checkout.

  5. Specify values for the fields in the application form.

    Note:

    Ensure that you select the correct values for lookup-type fields, because some of these fields depend on others. Selecting a wrong value for such a field may cause the provisioning operation to fail.

  6. Click Ready to Submit.

  7. Click Submit.

  8. If you want to provision entitlements, then:

    1. On the Entitlements tab, click Request Entitlements.

    2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.

    3. Click Submit.

3.7 Uninstalling the Connector

If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.

After you uninstall the connector, perform the postuninstall procedure. See Postuninstall in Oracle Fusion Middleware Administering Oracle Identity Manager.