2 Creating an Application By Using the UNIX Connector

Learn about onboarding applications using the connector and the prerequisites for doing so.

2.1 Process Flow for Creating an Application By Using the Connector

From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment is handled using the application onboarding capability of Identity Self Service.

Figure 2-1 is a flowchart depicting high-level steps for creating an application in Oracle Identity Governance by using the connector installation package.

Figure 2-1 Overall Flow of the Process for Creating an Application By Using the Connector


2.2 Prerequisites for Creating an Application By Using the Connector

Learn about the tasks that you must complete before you create the application.

2.2.1 Downloading the Connector Installation Package

You can obtain the installation package for your connector on the Oracle Technology Network (OTN) website.

To download the connector installation package:
  1. Navigate to the OTN website at http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html.
  2. Click OTN License Agreement and read the license agreement.
  3. Select the Accept License Agreement option.
    You must accept the license agreement before you can download the installation package.
  4. Download and save the installation package to any directory on the computer hosting Oracle Identity Governance.
  5. Extract the contents of the installation package to any directory on the computer hosting Oracle Identity Governance. This creates a directory named CONNECTOR_NAME-RELEASE_NUMBER, for example GenericUnix-12.2.1.3.0.
  6. Copy the CONNECTOR_NAME-RELEASE_NUMBER directory to the OIM_HOME/server/ConnectorDefaultDirectory directory.

2.2.2 Configuring the Target System

Depending on the target system and your requirements, perform these procedures to configure your environment, install OpenSSH, create a target system user account with the minimum permissions required to perform connector operations, create an RBAC user account, and configure public key and SSH public key authentication.

2.2.2.1 Configuring Solaris, Linux, and AIX

Perform the following steps to configure Solaris, Linux, and AIX environments:

  1. Ensure that the /etc/passwd and /etc/shadow files are available on the UNIX server.
  2. Create a directory on the target system where the connector can create mirror files for the /etc/passwd and /etc/shadow files.

    This directory is specified in the Mirror Files Location parameter. The default value is /etc/connector_mirror_files for a Target application and /etc/connector_mirror_files_trusted for an Authoritative application. If the directory path is different from the default value, then you must update the parameter value. The Login User (sudo or root user) must have read and write privileges to this directory.

2.2.2.2 Configuring HP-UX

Perform the following steps for HP-UX environments:

  1. If you want to switch to HP-UX Trusted mode, then:

    Note:

    If you are converting the target system to a trusted system, then make sure that no shadow file exists on the target after the conversion. If a shadow file exists, you can use the pwunconv command to remove it.

    1. Log in as root and then run sam, using whichever of the following paths exists on your system:

      /usr/bin/sam
      
      /usr/sbin/sam
      
    2. Select Auditing and Security and then select System Security Policies. A message is displayed asking if you want to switch to the trusted mode.

    3. Click Yes. The following message is displayed:

      System changed successfully to trusted system
      
  2. Ensure that the /etc/passwd and /etc/shadow files are available on the target server.

  3. Create a directory on the target system where the connector can create mirror files for the /etc/passwd and /etc/shadow files.

    This directory is specified in the Mirror Files Location parameter. The default value is /etc/connector_mirror_files for a Target application and /etc/connector_mirror_files_trusted for an Authoritative application. If the directory path is different from the default value, then you must update the parameter value. The Login User (sudo or root user) must have read and write privileges to this directory.

2.2.2.3 Installing OpenSSH

2.2.2.3.1 Installing OpenSSH for Solaris 9

Perform the following steps to install OpenSSH on Solaris 9:

  1. If SSH is not installed on the Solaris server, then install the appropriate OpenSSH.
  2. Create a group with the name sshd and group ID 27. Add a user with the name sshadmin to this group.
  3. To enable root logins, change the value of PermitRootLogin in the /etc/ssh/sshd_config file as follows:
    PermitRootLogin yes

    Note:

    Implement this change only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value of PermitRootLogin to without-password.

    Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.

2.2.2.3.2 Installing OpenSSH for Solaris 10 and Later Versions

By default, OpenSSH is installed on Solaris 10 and later versions. If it is not installed, then install the OpenSSH server from the operating system installation CD. To enable SSH, make the following changes in the /etc/ssh/ssh_config file:

  1. Remove the comment character from the Host * line.
  2. To enable root logins, change the value of PermitRootLogin in the /etc/ssh/sshd_config file as follows:
    PermitRootLogin yes

    Note:

    Implement this change only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value of PermitRootLogin to without-password.

    Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.

2.2.2.3.3 Installing OpenSSH for HP-UX

If SSH is not installed on the UNIX server, then install the appropriate OpenSSH from the installation media.

2.2.2.3.4 Installing OpenSSH for Linux

By default, OpenSSH is installed on Red Hat Linux. If it is not installed, then install the OpenSSH server from the operating system installation CD.

2.2.2.3.5 Installing OpenSSH for AIX

If SSH is not installed on the AIX server, then from the installation media:

  1. Install OpenSSL.
  2. Install PRNG.
  3. Install OpenSSH.
  4. To enable root logins, change the value of PermitRootLogin in the /etc/ssh/sshd_config file as follows:
    PermitRootLogin yes

    Note:

    Implement this change only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value of PermitRootLogin to without-password.

    Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.

2.2.2.4 Creating a Target System SUDO User Account for Connector Operations

Oracle Identity Governance uses a target system account for performing reconciliation and provisioning operations. On all supported target systems, this account must be either the root user or sudo user.

See Also:

Privileges Required for Performing Provisioning and Reconciliation for information about the privileges required to perform connector operations

To create a target system user account with the minimum permissions required to perform connector operations, perform the following procedure:

  1. If SUDO is not installed on the target system, then install it from the installation media.

  2. Use the visudo command to edit and customize the /etc/sudoers file according to your requirements.

    Note:

    If you cannot use the visudo command to edit the sudoers file, then:

    1. Enter the following command:

      chmod 777 /etc/sudoers
      
    2. Make the required changes in the sudoers file.

    3. Enter the following command:

      chmod 440 /etc/sudoers

    For example, if you have a group named mqm on the Linux server and require all members of the group to act as SUDO users with all possible privileges, then the sudoers file must contain the following line:

    mqm ALL= (ALL) ALL
    

    This example is only a sample configuration. If you need other group members or individual users to be SUDO users with specific privileges, then edit this file as was done for the sample value mqm.

    The SUDO user must have the privileges required to run the commands listed in Privileges Required for Performing Provisioning and Reconciliation.

    Note:

    The NOPASSWD: ALL option is supported for any SUDO user or group. To use it, update the Sudo Passwd Expect Expression parameter. See Advanced Settings Parameters.

  3. Edit the same sudoers file so that the SUDO user stays validated for 10 minutes after being validated once. At the beginning of each operation, the connector validates the user with sudo -v so that the operation stays validated for a maximum of 10 minutes; after completing the operation, the connector runs sudo -k to clear the validation. You may need to increase the timeout if a reconciliation operation takes longer than 10 minutes and you encounter errors such as "Permission denied".

    Add the following line under the # Defaults specification header:

    Defaults timestamp_timeout=10
    

    This is a prerequisite for this connector to work successfully.

  4. Create a SUDO user as follows:

    1. Enter the following command:

      useradd -g group_name -d /home/directory_name -m user_name
      

      In this command:

      group_name is the SUDO users group for which there is an entry in the /etc/sudoers file.

      directory_name is the name of the directory in which you want to create the default directory for the user.

    2. In the .bash_profile file, which is created in the /home/directory_name directory, add the following lines to set the PATH environment variable:

      PATH=/usr/sbin:$PATH
      export PATH
      
  5. In the sudo user's .bashrc, .cshrc, or .kshrc file, which is created in the sudo user's home directory, add the following line to change the prompt end character from $ (dollar sign) to # (pound sign):

    PS1="[\\u@\\h:\\w]#"
    

    The encrypted passwords in the shadow file contain $ (dollar sign), which matches the default prompt end character. You must change the prompt end character to ensure that changes made to the shadow file are reconciled correctly.

  6. Log in as the sudo user.

  7. Run the sudo -k command on the target system to clear the validation.

  8. Run the sudo -v command on the target system and ensure that the password prompt is displayed.

    The connector does not work if the sudo user is not prompted for a password at this step.
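
The following script is an added example and is not part of Oracle's documentation or the connector itself. It checks a sudoers file and a shell prompt string against the prerequisites in steps 2, 3 and 5 above: file mode 0440, a timestamp_timeout of at least 10 minutes, a full-privilege entry for the sudo group, and a prompt that ends in # rather than $. The function names, the constructed sample sudoers content, and the assumption of a GNU/Linux userland (stat -c, grep -E, sed -E) are mine; the sudoers path is a parameter so the checks can run against a copy rather than the live /etc/sudoers.

```shell
#!/bin/sh
# Added example (not Oracle's code): pre-flight checks for the connector's sudo prerequisites.
# Assumes a GNU/Linux userland (stat -c, grep -E, sed -E). The sudoers path is a parameter so
# the checks can run against a copy or a constructed sample instead of the live /etc/sudoers.

# Step 2: after editing, the sudoers file must be back at mode 0440; sudo refuses to run while
# the file is world-writable, so a forgotten "chmod 440" breaks every connector operation.
sudoers_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "440" ]
}

# Step 3: a 'Defaults timestamp_timeout=N' line must be present with N of at least 10 minutes.
timestamp_timeout_ok() {
    n=$(grep -E '^[[:space:]]*Defaults[[:space:]]+timestamp_timeout=[0-9]+' "$1" \
        | sed -E 's/.*timestamp_timeout=([0-9]+).*/\1/' | tail -n 1)
    [ -n "$n" ] && [ "$n" -ge 10 ]
}

# Step 2: does a sudoers line grant the user or group $2 (given without a leading '%') full
# privileges, as in the "mqm ALL= (ALL) ALL" sample above? Spaces around '=' are accepted.
grants_all() {
    grep -Eq "^[[:space:]]*%?$2[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL" "$1"
}

# Step 5: the prompt must end in '#' so that '$' signs inside shadow-file hashes are not
# mistaken for the prompt end character during reconciliation.
prompt_ends_in_hash() {
    case "$1" in
        *'#') return 0 ;;
        *)    return 1 ;;
    esac
}

# Constructed sample sudoers content for demonstration; it is not a real system file.
make_sample_sudoers() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Defaults specification
Defaults timestamp_timeout=10
# User privilege specification
root ALL=(ALL) ALL
mqm ALL= (ALL) ALL
EOF
    chmod 440 "$f"
    printf '%s\n' "$f"
}

# Stand-alone run: "sh check_sudo.sh --demo" checks the constructed sample and reports results.
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_sudoers)
    for check in sudoers_mode_ok timestamp_timeout_ok; do
        if "$check" "$f"; then echo "PASS $check"; else echo "FAIL $check"; fi
    done
    if grants_all "$f" mqm; then echo "PASS grants_all mqm"; else echo "FAIL grants_all mqm"; fi
    if prompt_ends_in_hash '[\u@\h:\w]#'; then echo "PASS prompt"; else echo "FAIL prompt"; fi
    rm -f "$f"
fi
```

To check a real host, pass the path of a copy of /etc/sudoers to each function, and pass the value of PS1 printed by the sudo user's login shell to prompt_ends_in_hash; a failing grants_all or timestamp_timeout_ok is the usual cause of "Permission denied" errors during long reconciliation runs.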

2.2.2.5 Creating an RBAC User Account for Connector Operations on Solaris

On Solaris, you can either create a sudo user or apply the role-based access control (RBAC) feature to create an account and assign to it the minimum privileges required for connector operations.

Note:

You use the RBAC Role Expect Expressions parameter to specify if you want to use an RBAC user. See Advanced Settings Parameters.

To create an RBAC user account:

  1. Run the following command to create a role for the user.

    roleadd -d /export/home/ROLE_NAME -m ROLE_NAME
    

    In this command, replace ROLE_NAME with the name that you want to assign to the role, for example, OIMRole.

  2. Run the following command to assign a password to the role:

    passwd ROLE_NAME
    

    At the prompt, enter a password for the role.

    See Also:

    Privileges Required for Performing Provisioning and Reconciliation for information about the privileges required to run the commands that are used for provisioning and reconciliation

  3. Create a profile for the user as follows:

    1. Open the /etc/security/prof_attr file in a text editor and insert the following line in the file:

      PROFILE_NAME:::Oracle Identity Manager Profile:
      

      In this line, replace PROFILE_NAME with the name that you want to assign to the profile, for example, OIMProf.

    2. Save and close the file.

  4. Add execution attribute entries in the /etc/security/exec_attr file. Each entry defines a task to be run and the uid that the role will assume when running the task.

    Open the /etc/security/exec_attr file in a text editor, and insert the following lines:

    Note:

    There are seven fields in this file, and the colon (:) is used as the delimiting character.

    On Solaris 10, the value suser can be replaced with solaris.

    Some of the entries contain euid. These instances of euid can be replaced with uid.

    PROFILE_NAME:suser:cmd:::/usr/sbin/usermod:uid=0
    PROFILE_NAME:suser:cmd:::/usr/sbin/useradd:uid=0
    PROFILE_NAME:suser:cmd:::/usr/sbin/userdel:uid=0
    PROFILE_NAME:suser:cmd:::/usr/bin/passwd:uid=0
    PROFILE_NAME:suser:cmd:::/usr/bin/cat:euid=0
    PROFILE_NAME:suser:cmd:::/usr/bin/diff:euid=0
    PROFILE_NAME:suser:cmd:::/usr/bin/sort:euid=0
    PROFILE_NAME:suser:cmd:::/usr/bin/rm:uid=0
    PROFILE_NAME:suser:cmd:::/usr/bin/grep:euid=0
    PROFILE_NAME:suser:cmd:::/usr/bin/egrep:euid=0
    PROFILE_NAME:suser:cmd:::/bin/echo:euid=0
    PROFILE_NAME:suser:cmd:::/bin/sed:euid=0
    

    You can add similar entries for other commands if you have customized the pre-configured Solaris scripts to use other commands.

  5. Run the following command to associate the profile with the role:

    rolemod -P PROFILE_NAME ROLE_NAME
    
  6. Run the following command to create the user:

    useradd -d /export/home/USER_NAME -m USER_NAME
    
  7. Run the following command to assign a password to the user:

    passwd USER_NAME
    
  8. Run the following command to grant the role to the user:

    usermod -R ROLE_NAME USER_NAME
    
  9. To verify the changes that you have made, open the /etc/user_attr file in a text editor and verify that the following entries are present in the file:

    ROLE_NAME::::type=role;profiles=PROFILE_NAME
    USER_NAME::::type=normal;roles=ROLE_NAME
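
The following script is an added example and is not part of Oracle's documentation or the connector. It lints exec_attr entries of the form used in step 4 before they are installed (seven colon-delimited fields, suser or solaris policy, cmd type, absolute command path, uid=0 or euid=0), lists the commands a profile grants so they can be compared against the privileges list, and checks the user_attr result of step 9. The function names, the sample names OIMProf, OIMRole and oimuser, and the constructed sample files are mine; the file paths are parameters so the checks can run against scratch copies rather than the live /etc/security files.

```shell
#!/bin/sh
# Added example (not Oracle's code): lints exec_attr entries of the form used in step 4 before
# they are installed, lists the commands a profile grants, and checks the user_attr result of
# step 9. Assumes a POSIX sh with awk and grep -E; file paths are parameters so the checks can
# run against scratch copies. OIMProf, OIMRole and oimuser are sample names, not fixed values.

# Each non-comment entry must have exactly seven colon-separated fields, policy 'suser' or
# 'solaris', type 'cmd', an absolute command path, and a 'uid=0' or 'euid=0' attribute.
exec_attr_lines_ok() {
    awk -F: '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        NF != 7                              { bad = 1; next }
        $2 != "suser" && $2 != "solaris"     { bad = 1; next }
        $3 != "cmd"                          { bad = 1; next }
        $6 !~ /^\//                          { bad = 1; next }
        $7 != "uid=0" && $7 != "euid=0"      { bad = 1; next }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Commands granted by profile $2, one per line, to compare against the privileges list.
exec_attr_commands() {
    awk -F: -v p="$2" '$1 == p && $3 == "cmd" { print $6 }' "$1"
}

# Step 9: the role must hold the profile and the user must hold the role in user_attr.
# $1 = user_attr file, $2 = role, $3 = profile, $4 = user.
user_attr_ok() {
    grep -Eq "^$2:.*type=role.*profiles=(.*,)?$3(,|;|$)" "$1" &&
        grep -Eq "^$4:.*type=normal.*roles=(.*,)?$2(,|;|$)" "$1"
}

# Constructed sample exec_attr with the entries from step 4 and PROFILE_NAME set to OIMProf.
make_sample_exec_attr() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
OIMProf:suser:cmd:::/usr/sbin/usermod:uid=0
OIMProf:suser:cmd:::/usr/sbin/useradd:uid=0
OIMProf:suser:cmd:::/usr/sbin/userdel:uid=0
OIMProf:suser:cmd:::/usr/bin/passwd:uid=0
OIMProf:suser:cmd:::/usr/bin/cat:euid=0
OIMProf:suser:cmd:::/usr/bin/diff:euid=0
OIMProf:suser:cmd:::/usr/bin/sort:euid=0
OIMProf:suser:cmd:::/usr/bin/rm:uid=0
OIMProf:suser:cmd:::/usr/bin/grep:euid=0
OIMProf:suser:cmd:::/usr/bin/egrep:euid=0
OIMProf:suser:cmd:::/bin/echo:euid=0
OIMProf:suser:cmd:::/bin/sed:euid=0
EOF
    printf '%s\n' "$f"
}

# Constructed sample user_attr showing the two entries expected after steps 5 and 8.
make_sample_user_attr() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
OIMRole::::type=role;profiles=OIMProf
oimuser::::type=normal;roles=OIMRole
EOF
    printf '%s\n' "$f"
}
```

Running exec_attr_lines_ok on a scratch copy of the entries before appending them to /etc/security/exec_attr catches the field-count and relative-path mistakes that otherwise surface only as silent privilege failures during provisioning; exec_attr_commands then gives the exact list of commands the profile grants with uid 0, which is what a reviewer needs when comparing the role against the privileges list.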

2.2.2.6 Configuring Public Key Authentication

To configure Public Key Authentication:

Note:

  • If Public Key Authentication is used, then an RBAC user for a Solaris target system cannot be used.

  • This section contains the procedure to configure Public Key Authentication for a root user. It can also be configured for a SUDO user.

  1. Copy the util/privateKeyGen.sh file from the installation media directory to any directory on the target system server.
  2. Open this script file in a text editor and specify a working directory path other than the default value given in the file.
  3. If required, enter the following command:

    For Solaris or Linux:

    dos2unix privateKeyGen.sh privateKeyGen.sh
    

    For HP-UX:

    dos2ux privateKeyGen.sh
    
  4. Run the privateKeyGen.sh script on the UNIX server.

    Provide a secure passphrase when prompted. Do not leave the passphrase blank; an empty passphrase affects connector operations.

    When the script runs, the following files are created in the $HOME/.ssh directory:

    • id_rsa: This is a private key file.

    • authorized_keys: This file lists public keys that can be used to log in.

  5. When the keys are generated successfully, edit the sshd_config file for Public Key Authentication and test login.
  6. After successfully testing login, copy the id_rsa file to the following directory:
    OIM_HOME/server/ConnectorDefaultDirectory/SSH/config
    

    You can also copy the file to any directory that is readable and accessible by Oracle Identity Governance. The permissions on the key files should not be changed. If you change them in order to copy the file, then you must revert the permissions afterwards.

    Note:

    This release of the connector has been tested and certified only for RSA keys, and not DSA. In addition, this connector has been tested and certified for only single key configuration and not multiple keys.

2.2.2.7 Configuring SSH Public Key Authentication

Depending on the target system and your requirements, perform the procedure below that applies to your target system to configure SSH Public Key Authentication:

2.2.2.7.1 Configuring SSH Public Key Authentication for Solaris

Perform the following steps to configure SSH Public Key Authentication on Solaris:

  1. Set the following parameters in the /etc/ssh/sshd_config file:
    PubkeyAuthentication yes
    PasswordAuthentication no
    PermitRootLogin yes

    Note:

    Change the value of PermitRootLogin to yes only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value of PermitRootLogin to without-password.

    Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.

  2. To restart the SSH server, enter the following commands:
    /etc/init.d/sshd stop
    /etc/init.d/sshd start

  3. To test login:
    ssh -i /.ssh/id_rsa -l root server_IP_address
    

    This command prompts you for the passphrase before setting up the connection.

    Note:

    Instead of using the root account, you can use a user account with sudo privileges, if desired.
  4. Set the privateKey[LOADFROMURL] advanced settings parameter to include the complete path of the id_rsa file with the prefix file://.

    For example:

    file:///OIM_HOME/server/ConnectorDefaultDirectory/SSH/config/id_rsa

2.2.2.7.2 Configuring SSH Public Key Authentication for HP-UX

Perform the following steps to configure SSH Public Key Authentication on HP-UX:

  1. Uncomment the following lines in the /etc/ssh/sshd_config file:
    PermitRootLogin yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys

    Note:

    Change the value of PermitRootLogin to yes only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value of PermitRootLogin to without-password.

    Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.

  2. To restart the SSH Server, enter the following command:
    /opt/ssh/sbin/sshd
    
  3. To test login, enter the following command:
    ssh -i /.ssh/id_rsa -l root server_IP_address
    

    When prompted, enter the passphrase to connect to the server.

    Note:

    Instead of using the root account, you can use a user account with sudo privileges, if desired.
  4. Set the privateKey[LOADFROMURL] advanced settings parameter to include the complete path of the id_rsa file with the prefix file://.

    For example:

    file:///OIM_HOME/server/ConnectorDefaultDirectory/SSH/config/id_rsa

2.2.2.7.3 Configuring SSH Public Key Authentication for Linux

Perform the following steps to configure SSH Public Key Authentication on Linux:

  1. Enter the following commands to restart the SSH server:
    /etc/init.d/sshd stop
    /etc/init.d/sshd start
    
  2. Copy the /.ssh/id_rsa file to the following directory:
    OIM_HOME/server/ConnectorDefaultDirectory/SSH/config
    
  3. To check that you can connect to the target system over SSH directly from the command prompt, without using a password, enter the following command:
    ssh -i OIM_HOME/server/ConnectorDefaultDirectory/SSH/config/id_rsa -l root host_ip_address
    

    Note:

    The account that runs the OIM application server on UNIX must own the id_rsa file.

  4. Set the privateKey[LOADFROMURL] advanced settings parameter to include the complete path of the id_rsa file with the prefix file://.

    For example:

    file:///OIM_HOME/server/ConnectorDefaultDirectory/SSH/config/id_rsa

2.2.2.7.4 Configuring SSH Public Key Authentication for AIX

Perform the following steps to configure SSH Public Key Authentication on AIX:

  1. Use the /etc/ssh/sshd_config file to set the following parameters:
    export PATH=$PATH:/usr/sbin
    
    On AIX, the OpenSSH configuration files are installed in /etc/ssh/ and the sshd binary in /usr/sbin/, which is why /usr/sbin must be on the PATH.
    
  2. Open the /etc/ssh/sshd_config file, and uncomment the following lines:
    AuthorizedKeysFile .ssh/authorized_keys
    PermitRootLogin yes
    PubkeyAuthentication yes

    Note:

    Change the value of PermitRootLogin to yes only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value of PermitRootLogin to without-password.

    Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.

  3. To restart the SSH server, enter the following command:

    /usr/sbin/sshd

  4. To test the login, enter the following command:
    ssh -i /.ssh/id_rsa -l root server_IP_address
    

    When prompted, enter the passphrase to connect to the server.

    Note:

    Instead of using the root account, you can use a user account with sudo privileges, if desired.
  5. Set the privateKey[LOADFROMURL] advanced settings parameter to include the complete path of the id_rsa file with the prefix file://.

    For example:

    file:///OIM_HOME/server/ConnectorDefaultDirectory/SSH/config/id_rsa
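
The following script is an added example and is not part of Oracle's documentation or the connector. It serves both the key generation procedure (2.2.2.6) and the per-platform sshd_config procedures above (2.2.2.7): it reads the effective value of the sshd_config options those steps set, checks that the copied id_rsa keeps owner-only permissions, and builds the privateKey[LOADFROMURL] value from the key's absolute path. The function names, the constructed sample sshd_config, and the assumption of a GNU/Linux userland (stat -c, grep -E) are mine; the file paths are parameters so the checks can run against copies rather than the live /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not Oracle's code): checks an sshd_config and a private key file against the
# public key authentication prerequisites above, and builds the privateKey[LOADFROMURL] value.
# Assumes a GNU/Linux userland (stat -c, grep -E). Paths are parameters so the checks can run
# against copies or constructed samples instead of the live /etc/ssh/sshd_config.

# Effective value of a global sshd_config keyword, lowercased. sshd uses the FIRST uncommented
# occurrence of a keyword, so a later "PermitRootLogin yes" does not override an earlier line.
sshd_option() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}' | tr 'A-Z' 'a-z'
}

pubkey_auth_ok()         { [ "$(sshd_option "$1" PubkeyAuthentication)" = "yes" ]; }
password_auth_disabled() { [ "$(sshd_option "$1" PasswordAuthentication)" = "no" ]; }

# 'without-password' (the spelling used in this guide) and its newer alias 'prohibit-password'
# both restrict root to key-based login; 'yes' additionally permits root password login.
root_login_key_only() {
    v=$(sshd_option "$1" PermitRootLogin)
    [ "$v" = "without-password" ] || [ "$v" = "prohibit-password" ]
}

# The copied id_rsa must keep owner-only permissions; ssh rejects a key readable by others.
private_key_perms_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Value for the privateKey[LOADFROMURL] parameter: the absolute key path with the file:// prefix.
private_key_url() {
    case "$1" in
        /*) printf 'file://%s\n' "$1" ;;
        *)  return 1 ;;
    esac
}

# Constructed sample sshd_config for demonstration; it is not a real system file.
make_sample_sshd_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#PermitRootLogin yes
PermitRootLogin without-password
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: "sh check_pubkey.sh --demo" checks the constructed sample and reports results.
if [ "${1:-}" = "--demo" ]; then
    c=$(make_sample_sshd_config)
    for check in pubkey_auth_ok password_auth_disabled root_login_key_only; do
        if "$check" "$c"; then echo "PASS $check"; else echo "FAIL $check"; fi
    done
    private_key_url /OIM_HOME/server/ConnectorDefaultDirectory/SSH/config/id_rsa
    rm -f "$c"
fi
```

On a real target, run the three sshd_config checks against a copy of the file before restarting sshd, and run private_key_perms_ok against the id_rsa that was copied under OIM_HOME/server/ConnectorDefaultDirectory/SSH/config: a key left group- or world-readable after the copy is the most common reason the test login in the steps above succeeds on the target but the connector's own login fails.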

2.3 Creating an Application By Using the Connector

You can onboard an application into Oracle Identity Governance from the connector package by creating a target or an authoritative application. To do so, you must log in to Identity Self Service and then choose the Applications box on the Manage tab.

The following is the high-level procedure to create an application by using the connector:

Note:

For detailed information on each of the steps in this procedure, see Creating Applications of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

  1. Create an application in Identity Self Service. The high-level steps are as follows:
    1. Log in to Identity Self Service either by using the System Administration account or an account with the ApplicationInstanceAdministrator admin role.
    2. Ensure that the Connector Package option is selected when creating an application.
    3. Update the basic configuration parameters to include connectivity-related information.
    4. If required, update the advanced setting parameters to update configuration entries related to connector operations.
    5. Review the default user account attribute mappings. If required, add new attributes, or edit or delete existing attributes.
    6. Review the provisioning, reconciliation, organization, and catalog settings for your application and customize them if required. For example, you can customize the default correlation rules for your application if required.
    7. Review the details of the application and click Finish to submit the application details.
      The application is created in Oracle Identity Governance.
    8. When you are prompted whether you want to create a default request form, click Yes or No.
      If you click Yes, then the default form is automatically created and is attached with the newly created application. The default form is created with the same name as the application. The default form cannot be modified later. Therefore, if you want to customize it, click No to manually create a new form and attach it with your application.
  2. Verify reconciliation and provisioning operations on the newly created application.

See Also:

  • Configuring the UNIX Connector for details on basic configuration and advanced settings parameters, default user account attribute mappings, default correlation rules, and reconciliation jobs that are predefined for this connector

  • Configuring Oracle Identity Governance for details on creating a new form and associating it with your application, if you chose not to create the default form