What's New in the Oracle Identity Manager Advanced Connector for IBM RACF?

This chapter details updates made to the software and documentation for the Oracle Identity Manager Advanced Connector for IBM RACF.

The updates discussed in this chapter are divided into the following categories:

Software Updates

These are the updates made to the connector software.

Resolved Issues in Release 9.1.0.22

The following table lists the issues resolved in release 9.1.0.22.0:

Bug Number Issue Resolution

33479596

This update provides the ability to check the OIM data and perform custom checks. Customers can write custom transformation logic inside the transform method. This custom transformation is called before the reconciliation event is triggered.

This issue has been resolved.

35267151

Currently, only the user's connected groups are displayed, without connect-owner details. Customers who check the connected groups and their respective connect-owners want the ability to model such group connections using OIM child forms. Because this form currently does not have a connect-owner field, the group connection is provisioned with the secure-id defined for Pioneer STC. Hence the customer is looking for a new field (connect-owner) on the child form when adding a user to a group.

This issue has been resolved.

Resolved Issues in Release 9.1.0.21

The following table lists the issues resolved in release 9.1.0.21.0:

Bug Number Issue Resolution

35276005

Patch for the Spring Framework vulnerability for all mainframe connectors. Spring Framework has been updated to version 5.3.27.

This issue has been resolved.

Resolved Issues in Release 9.1.0.20

The following table lists the issues resolved in release 9.1.0.20.0:

Bug Number Issue Resolution

35146143

FIND ALL GROUPS PARSING IS "COMBINING" TWO GROUPS

This issue has been resolved.

Resolved Issues in Release 9.1.0.19

The following table lists the issues resolved in release 9.1.0.19.0:

Bug Number Issue Resolution

35012329

INCORRECT OU IS UPDATED WHEN DELETE USER FOLLOWED BY FULL BATCH RECON FOR USERS

This issue has been resolved.

35002174

Placeholder for voyager looping

This issue has been resolved.

Resolved Issues in Release 9.1.0.18

The following table lists the issues resolved in release 9.1.0.18.0:

Bug Number Issue Resolution

34574819

RACF CONN LOOKUP RECON JOB RUNS WIPE OUT CATALOG DISPLAY NAME OF ENTITLEMENT ON EVERY RUN

This issue has been resolved.

Resolved Issues in Release 9.1.0.17

The following table lists the issues resolved in release 9.1.0.17.0:

Bug Number Issue Resolution

34395959

LDAP GW ENFORCES REQUIRED ON ACCESS LEVEL FOR RESOURCE PROFILE PROVISIONING

This issue has been resolved.

34419876

SOMETIMES, WHEN WE REVOKE DATASETS FROM SOME USERS, THE REVOKE TASK FAILS

This issue has been resolved.

34319722

SUPPORT for RACF Resources more than 4096 records

This issue has been resolved.

34362872

Patch for the Spring Framework vulnerability for all mainframe connectors. Spring Framework has been updated to version 5.3.21.

This issue has been resolved.

Resolved Issues in Release 9.1.0.16

The following table lists the issues resolved in release 9.1.0.16.0:

Bug Number Issue Resolution

34117288

CERTIFICATION OF Z/OS 2.5 FOR RACF CONNECTOR

This issue has been resolved.

34082221

Patch for the Spring Framework vulnerability for all mainframe connectors. Spring Framework has been updated to version 5.3.19.

This issue has been resolved.

Resolved Issues in Release 9.1.0.15

The following table lists the issues resolved in release 9.1.0.15.0:

Bug Number Issue Resolution

33762490

ldap gateway fix for "account already exists" error condition

This issue has been resolved.

33668629

PATCH FOR LOG4J ISSUE FOR ALL MAINFRAME CONNECTORS. LOG4J VERSION UPDATED IS 2.17.1

This issue has been resolved.

Resolved Issues in Release 9.1.0.14

The following table lists the issues resolved in release 9.1.0.14.0:

Bug Number Issue Resolution

33668629

PATCH FOR LOG4J ISSUE FOR ALL MAINFRAME CONNECTORS. LOG4J VERSION UPDATED IS 2.17.0

This issue has been resolved.

Resolved Issues in Release 9.1.0.13

The following table lists the issues resolved in release 9.1.0.13.0:

Bug Number Issue Resolution

33668629

PATCH FOR LOG4J ISSUE FOR ALL MAINFRAME CONNECTORS. LOG4J VERSION UPDATED IS 2.16.0

This issue has been resolved.

Resolved Issues in Release 9.1.0.12.0

The following table lists the issues resolved in release 9.1.0.12.0:

Bug Number Issue Resolution

33087587

RECONCILING RACF USER'S DATASET AND PROFILES INTO OIM USING EXTRACTS IN Z/OS V2.4

This issue has been resolved.

Software Updates in Release 9.1.0.11.0

The following are software updates in release 9.1.0.11.0:

Resolved Issues in Release 9.1.0.11.0

The following table lists the issues resolved in release 9.1.0.11.0:

Bug Number Issue Resolution

33033255

RECONCILING RACF USER’S DATASET AND PROFILES INTO OIM

This issue has been resolved.

33350939

RACF Command to remove instdata value is not generated

This issue has been resolved.

33350541

RACF with Default Group Update also triggering a Group Connect command

This issue has been resolved.

Software Updates in Release 9.1.0.10.0

The following are software updates in release 9.1.0.10.0:

Resolved Issues in Release 9.1.0.10.0

The following table lists the issues resolved in release 9.1.0.10.0:

Bug Number Issue Resolution

33203187

RACF - CSDATA attribute cannot be set to null

This issue has been resolved.

Software Updates in Release 9.1.0.9.0

The following are software updates in release 9.1.0.9.0:

Resolved Issues in Release 9.1.0.9.0

The following table lists the issues resolved in release 9.1.0.9.0:

Bug Number Issue Resolution

32577059

Enhanced Alias processing to be able to use IDCAMS JCL

This issue has been resolved.

Software Updates in Release 9.1.0.8.0

The following are software updates in release 9.1.0.8.0:

Resolved Issues in Release 9.1.0.8.0

The following table lists the issues resolved in release 9.1.0.8.0:

Bug Number Issue Resolution

Internal

Memory leak issue in the gateway

This issue has been resolved.

Internal

Race condition issue with RACF batch reconciliations

This issue has been resolved.

Software Updates in Release 9.1.0.7.0

The following are software updates in release 9.1.0.7.0:

Resolved Issues in Release 9.1.0.7.0

The following table lists the issues resolved in release 9.1.0.7.0:

Bug Number Issue Resolution

32498921

CVE-2021-26117: APACHE ACTIVEMQ UPDATE TO AT LEAST 5.16.1 OR 5.15.14

This issue has been resolved.

32054805

CVE-2019-10086: APACHE COMMONS BEANUTILS UPDATE TO AT LEAST 1.9.4

This issue has been resolved.

31974483

CVE-2020-5421: SPRING FRAMEWORK UPDATE TO AT LEAST 5.2.9, 5.1.18, 5.0.19, OR 4.3.29

This issue has been resolved.
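To confirm that a deployed LDAP gateway actually carries the library versions named in these release notes (Log4j 2.17.1, Spring Framework 5.3.27, ActiveMQ 5.16.1 or 5.15.14, Commons BeanUtils 1.9.4), the jar files can be audited by name. The following is an added example, not part of the connector or its documentation; the artifact names, the Maven-style `name-version.jar` file naming and the sample file list are assumptions.

```python
import re
from pathlib import Path

# Fixed versions per library family, taken from the release notes on this page.
# ActiveMQ lists one fixed version per maintenance branch.
BASELINES = {
    "log4j": ((2, 17, 1),),
    "spring": ((5, 3, 27),),
    "activemq": ((5, 15, 14), (5, 16, 1)),
    "beanutils": ((1, 9, 4),),
}

# Assumed jar artifact names (standard Maven names, not taken from the page).
ARTIFACT_FAMILY = {
    "log4j-core": "log4j", "log4j-api": "log4j",
    "spring-core": "spring", "spring-beans": "spring",
    "spring-context": "spring", "spring-web": "spring",
    "activemq-client": "activemq", "activemq-broker": "activemq",
    "activemq-all": "activemq",
    "commons-beanutils": "beanutils",
}

JAR_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+?)-(?P<ver>\d+(?:\.\d+)*)[^/]*\.jar$")


def is_patched(version, fixed):
    """True if version meets the fix on its own branch or is on a newer branch."""
    branch = version[:2]
    for fix in fixed:
        if fix[:2] == branch:
            return version >= fix
    # Not on a listed branch: only a branch newer than every listed one passes.
    return branch > max(f[:2] for f in fixed)


def audit(jar_names):
    """Return (file, family, found, required) for every jar below its baseline."""
    stale = []
    for fname in jar_names:
        m = JAR_RE.match(fname)
        if not m or m.group("name") not in ARTIFACT_FAMILY:
            continue  # unknown artifact or unparseable name: out of scope
        family = ARTIFACT_FAMILY[m.group("name")]
        version = tuple(int(p) for p in m.group("ver").split("."))
        fixed = BASELINES[family]
        if not is_patched(version, fixed):
            required = " or ".join(".".join(map(str, f)) for f in fixed)
            stale.append((fname, family, m.group("ver"), required))
    return stale


def scan_dir(lib_dir):
    """Audit every jar under lib_dir (the path is site-specific)."""
    return audit(sorted(p.name for p in Path(lib_dir).rglob("*.jar")))


# Constructed sample listing, not taken from a real installation.
SAMPLE = [
    "log4j-core-2.14.1.jar", "log4j-api-2.17.1.jar",
    "spring-core-5.3.27.jar", "spring-beans-5.3.19.jar",
    "activemq-client-5.15.14.jar", "activemq-broker-5.16.0.jar",
    "commons-beanutils-1.9.3.jar", "opends-2.2.0.jar",
]

if __name__ == "__main__":
    for fname, family, found, required in audit(SAMPLE):
        print(f"{fname}: {family} {found} is below {required}")
```

A jar on an older branch than the one listed (for example Spring 5.2.x) is reported as stale, because the check compares against the versions this connector was updated to rather than against every upstream fix release.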

Software Updates in Release 9.1.0.6.0

The following are software updates in release 9.1.0.6.0:

Resolved Issues in 9.1.0.6.0

The following table lists the issues resolved in release 9.1.0.6.0:

Bug Number Issue Resolution

31046304

IPV6 support for RACF.

This issue has been resolved.

31046245

OIM RACF CONNECTOR SUPPORT FOR IPV6.

This issue has been resolved.

32491842

RACF 9.1.0.5 ADDUSER command failed

This issue has been resolved.

32613512

RACF 9.1.0.X None of the RACF delete Events are getting processed completely. All are getting stuck in 'Event Received'

This issue has been resolved.

Software Updates in Release 9.1.0.5.1

The following are software updates in release 9.1.0.5.1:

Resolved Issues in 9.1.0.5.1

The following table lists the issues resolved in release 9.1.0.5.1:

Bug Number Issue Resolution

32430567

RACF 9.1.0.5 LMTS updated in alternate IT Resource when Scheduled Task is run.

This issue has been resolved.

31829404

RACF 9.1.x - Recon Timezone Issue. On the OIM scheduled job page, in the 'LDAP Time Zone' field, enter the time zone database name value instead of the abbreviated time zone.

To find the time zone database name value, refer to List of tz database time zones.

Sample value: America/New_York instead of EST

This issue has been resolved.

Software Updates in Release 9.1.0.5.0

The following are software updates in release 9.1.0.5.0:

Support for Filtering

Support for filtering has been added for the following jobs:

  • RACF Reconcile All Users
  • RACF Reconcile All LDAP Users

Secondary IT Resource Parameter Added

Secondary IT Resource Parameter has been added for the following job:

  • RACF Reconcile All LDAP Users

Additional Jobs

The following jobs have been added to fetch groups from the mainframe:

  • RACF Reconcile Groups to Internal LDAP
  • RACF Find All LDAP Groups

Resolved Issues in 9.1.0.5.0

The following table lists the issues resolved in release 9.1.0.5.0:

Bug Number Issue Resolution

31598874

RACF 9.1.0.3 - Doesn't have "Support for Filtering" capability on Reconciliation

This issue has been resolved.

29998398

Provided a new job on OIM to fetch Groups from Mainframe to Internal LDAP and another job on OIM to get the Groups from LDAP and load the lookup in OIM.

This issue has been resolved.

30788999

'RACF Reconcile All LDAP Users' doesn't have Secondary IT Resource Parameter.

This issue has been resolved.

Software Updates in Release 9.1.0.4.0

The following are software updates in release 9.1.0.4.0:

Addition of a New Property in the racf.properties File

A new property, sendAltGrpWithMembershipUpdate, has been added to the racf.properties file. Use this property to determine if other group attributes can be modified along with the membership update.

See Setting Connection Properties for more information about this property.

Resolved Issues in Release 9.1.0.4.0

The following table lists the issues resolved in release 9.1.0.4.0:

Bug Number Issue Resolution

31941015

When voyager tried to write back information to the LDAP gateway, it would fail with the following error:

cn=XXXX,ou=racf,ou=Groups,dc=system,dc=backend cannot be parsed as a valid DN: The provided value "UID" could not be parsed as a valid distinguished name because the last non-space character was part of the attribute name 'UID'. It will be excluded from the set of group members

This issue has been resolved.

31940817

The RACF Reconcile Users To Internal LDAP scheduled job took a long time to run, resulting in fewer users being reconciled.

This issue has been resolved.

31829404

Due to an unsuccessful time zone conversion during a reconciliation operation, logs displayed the time zone in the EST -5 hrs format.

This issue has been resolved.

31753123

Unable to search for the key VOYSDV54 when the logger was in INFO mode.

This issue has been resolved.

31910630

An error appeared in the logs because an update user/account operation was prompted before the create user/account operation had completed.

This issue has been resolved.

32121259

The following lines from the config.ldif file of the LDAP Gateway version 6.8.0 have been removed to increase performance:

ds-cfg-index-type: presence -- removed from settings under dn:ds-cfg-attribute=cn,cn=Index,ds-cfg-backend-id=userRoot,cn=Backends,cn=config

ds-cfg-index-type: substring -- removed from settings under dn:ds-cfg-attribute=objectClass,cn=Index,ds-cfg-backend-id=userRoot,cn=Backends,cn=config

ds-cfg-index-type: presence -- removed from settings under dn:ds-cfg-attribute=uid,cn=Index,ds-cfg-backend-id=userRoot,cn=Backends,cn=config

This issue has been resolved.

Support for New Oracle Identity Governance Release

From this release onward, you can install and use the connector with Oracle Identity Governance 12c PS4 (12.2.1.4.0).

See Table 1-1 for the full list of certified Oracle Identity Governance releases.

Addition of a New Parameter in the Pioneer Control File

A new parameter, EXPORT_MON, has been added to the HLQ.PIONEER.CONTROL.FILE file. Use this parameter to specify whether you want to monitor user or group imports with messages displayed for every specified number of records. By default, the value of this parameter is set to NO.

See Configuring the Provisioning Agent for more information about this parameter and the permitted values.

Addition of New Informational Messages

The IDFRPI066 and IDFRPI067 informational message IDs have been added as a result of the introduction of the EXPORT_MON parameter in the HLQ.PIONEER.CONTROL.FILE file.

See Pioneer Messages for the message IDs and their corresponding text.

Resolved Issues in Release 9.1.0.3.0

The following table lists the issues resolved in release 9.1.0.3.0:

Bug Number Issue Resolution

30955398

The number of records processed by the RACFROU batch job was logged incorrectly in the HLQ.PIONEER.IMPORTU.FILE dataset. The count in the HLQ.PIONEER.IMPORTU.FILE dataset was double the number of records processed.

This issue has been resolved.

31009468

When you updated the display name of an account in the target system, only the value of the sn attribute in LDAP was updated. The cn value was not updated.

This issue has been resolved.

31046369

The IT Resource field was not configured as a key field for reconciliation matching.

This issue has been resolved.

Software Updates in Release 9.1.0.2.0

The following is a software update in release 9.1.0.2.0:

Customizing the IRREVX01 RACF Command Exit

From this release onward, you can integrate any custom version of the RACF command exit (IRREVX01) in your environment with the connector-specific version of the IRREVX01 exit (module name: IDFINSTX). The connector installation package includes sample files that let you add your modifications and then integrate different versions of the IRREVX01 exit.

See Customizing the Reconciliation Exit for more information about working with custom reconciliation exit routines.

Software Updates in Release 9.1.0.1.0

The following are the software updates in release 9.1.0.1.0:

Transformation of LDAP Gateway Attributes

By including transformation rules within the LDAP_INSTALL_DIR/conf/customer-configuration.properties file, you can configure the LDAP gateway to transform the gateway attributes in search results.

See Configuring Transformation of the LDAP Gateway Attributes for more information on the transformation rules to include and their format.

Running Multiple Instances of the LDAP Gateway on the Same Host

From this release onward, you can run multiple instances of the LDAP Gateway on the same host.

See Configuring Multiple Instances of the LDAP Gateway for more information on configuring and running multiple gateway instances in your environment.

CRUD Operations on RACLIST Resource Classes

The connector provides support for performing CRUD operations on RACLIST resource classes. To support this feature, the "supportedResourceClasses" property has been added to racf.properties file that is located in the LDAP_INSTALL_DIR/conf directory.

See the "supportedResourceClasses" property in Table 2-2 for more information on configuring the connector for this feature.

Support for New Oracle Identity Governance Release

From this release onward, the connector can be installed and used on Oracle Identity Governance release 12.2.1.3.0. Be sure to download and apply the 28682376 and 29133050 mandatory patches from My Oracle Support.

Support for New Target System Version

From this release onward, you can install and use the connector with IBM RACF on z/OS 2.3.

Detailed Audit Logs

From this release onward, the connector provides a LOGGERX module that you can configure for detailed debug level log information on the Pioneer and Voyager agents. This detailed logging provides additional auditing and monitoring capabilities for your target system. In addition, you can choose to print or suppress log messages.

See Configuring Logging for more information.

Support for High Availability and Disaster Recovery in the LDAP Gateway

From this release onward, the LDAP gateway supports high availability and disaster recovery when you use OpenDS as the backend.

Support for Reconciling Space Character in TSO Command

From this release onward, the connector reconciles TSO commands that contain space characters.

Dynamic Allocation of the Voyager DEBUGOUT Parameter

From this release onward, the connector dynamically allocates the value of the DEBUGOUT parameter for Voyager.

Support for RACLINK Command

The connector can now issue RACLINK (administer user ID associations) commands for certain provisioning operations.

Support for a New Diagnostic Tool

From this release onward, a new diagnostic tool, ENVINFO, for the mainframe agents Pioneer and Voyager is available for use.

Addition of New Parameters to Pioneer and Voyager

The EBCDIC_COUNTRY_CODE and EBCDIC_TILDE_CHR parameters have been added to Pioneer and Voyager. You must use these parameters in conjunction with the gateway configuration property _mainframeCodePage_ that is available within the racf.properties file.

Note that the value of the EBCDIC_TILDE_CHR parameter must be the HEX value 'BC' on the target system if it is used.

Support for 256-Bit TCP/IP Encryption

The connector supports TCP/IP with 256-bit encryption between the LDAP gateway and the mainframe agents Pioneer and Voyager.

Documentation-Specific Updates

These are the updates made to the connector documentation.

Documentation-Specific Updates in Release 9.1.0.22.0

  • ER 35267151 - RACF Provision and read connect owner group attribute

    This provides the ability to view the connect-owner field in the listing of a user's connected groups. Currently, only the user's connected groups are displayed, without connect-owner details. When viewing the connected groups and their respective connect-owners, the ability to model such group connections using OIM child forms is required. This form currently does not have a connect-owner field, and the group connection is provisioned with the secure-id defined for Pioneer STC. Hence there is a need for a new field (connect-owner) on the child form when adding a user to a group. The following are the impacted components:
    • RACF Advanced Custom Adapter – OIM
    • RACF LDAP gateway Changes

    IDF OIM RACF Advanced Custom Adapter changes are as follows:

    Reconciliation changes
    1. While reconciling all users' data, the OIM RACF Advanced custom adapter expects the connect-owner attribute along with each user's connected group.
    2. The parsing logic is enhanced to read each connected group's connect-owner attribute and display it on the user profile.

    Provisioning changes
    1. When adding or connecting a user to a group using the OIM child form/entitlement, currently only the group display name is shown as part of the lookup, and the user can select the group to connect.
    2. This child form/entitlement is enhanced to provide an additional field, connect-owner, which lets the user populate details once the group name is selected from the lookup values. This new connect-owner field is free-form and accepts any valid group name specified during the connect operation.
    3. The connect-owner field defined on the OIM child form is optional. If the value is not populated, the default behavior of setting the secure id as connect-owner continues to work.

    RACF Reconcile All LDAP Users

    The RACF Reconcile All LDAP Users scheduled task is used to reconcile users from the internal LDAP store to Oracle Identity Manager. When you configure this scheduled task, it runs at specified intervals and fetches a list of users within the internal LDAP store and reconciles these users to Oracle Identity Manager. The following table provides the attribute values to be updated if ConnectOwner needs to be reconciled to users.
    Attribute Description
    MultiValuedAttributes Enter a comma-separated list of multivalued attributes that you want to reconcile. Do not include a space after each comma.

    Sample value: attributes,memberOf,groupConnectOwner

    RACF Reconcile All Users

    The RACF Reconcile All Users scheduled task is used to reconcile user data in the target resource (account management) mode of the connector. This scheduled task runs at specified intervals and fetches create or modify events on the target system for reconciliation. The following table provides the attribute values to be updated if ConnectOwner needs to be reconciled to users.
    Attribute Description
    MultiValuedAttributes Enter a comma-separated list of multivalued attributes that you want to reconcile. Do not include a space after each comma.

    Sample value: attributes,memberOf,groupConnectOwner

  • ER 33479596 - RACF Reconciliation with Custom Transformation

    This update provides the ability to customize transformation during RACF reconciliation to derive the values for some process form attributes on OIM. It lets you check the OIM data, perform custom checks, and write custom transformation logic inside the transform method. This custom transformation is called before the reconciliation event is triggered. The following are the steps for the changes to be made to the IDF OIM RACF Advanced Custom Adapter:
    1. Download the release build package - IBM_RACF_Adv_9.1.0.22.zip.
    2. Unzip the release build package.
    3. Unzip the IBM_RACF_Adv_Connector.zip file.
    4. Go to IBM_RACF_Adv_Connector\transformation folder.
    5. Refer to the README.md for further instructions.
      Below is the template code snippet for TransformationImpl.java class.
      Transformational Java

Documentation-Specific Updates in Release 9.1.0.21.0

NA

Documentation-Specific Updates in Release 9.1.0.20.0

NA

Documentation-Specific Updates in Release 9.1.0.19.0

NA

Documentation-Specific Updates in Release 9.1.0.18.0

NA

Documentation-Specific Updates in Release 9.1.0.17.0

The following documentation-specific update has been made in revision "17" of the guide:

Table 2-2 updated with details for the following properties: resourceReadFromStaticFile.

Documentation-Specific Updates in Release 9.1.0.16.0

NA

Documentation-Specific Updates in Release 9.1.0.15.0

NA

Documentation-Specific Updates in Release 9.1.0.14.0

NA

Documentation-Specific Updates in Release 9.1.0.13.0

NA

Documentation-Specific Updates in Release 9.1.0.12.0

The following documentation-specific update has been made in revision "12" of the guide:

Documentation-Specific Updates in Release 9.1.0.11.0

The following documentation-specific update has been made in revision "11" of the guide:

Documentation-Specific Updates in Release 9.1.0.10.0

The following documentation-specific update has been made in revision "10" of the guide:

Documentation-Specific Updates in Release 9.1.0.9.0

The following documentation-specific update has been made in revision "10" of the guide:

The POST_PROC_ALIAS and JWAIT parameters have been updated in Table 4-4.

The following messages were added to Pioneer Messages: IDFRPI050, IDFRPI051, IDFRPE025, IDFRPW010, IDFRPW011.

Attribute LDAP Time Zone description amended to OIM Server Time Zone in Table 5-8 since OIM Server TZ is required rather than LDAP Server TZ as previously documented.

Documentation-Specific Updates in Release 9.1.0.6.0

The following documentation-specific update has been made in revision "09" of the guide:

A new parameter called IP has been added to Table 4-4

A new parameter called IP has been added to Table 4-5

The LDAP Time Zone attribute description in Table 5-8 has been updated.

Documentation-Specific Updates in Release 9.1.0.5.0

The following documentation-specific update has been made in revision "08" of the guide:

A new property called Filter has been added to Table 5-5 and Table 5-8

Scheduled Tasks for Lookup Field Synchronization has been updated to include RACF Reconcile Groups To Internal LDAP and RACF Find All LDAP Groups.

Documentation-Specific Updates in Release 9.1.0.4.0

There are no documentation-specific updates in revision "07" of the guide.

The following documentation-specific update has been made in revision "06" of the guide:

A new property called sendAltGrpWithMembershipUpdate has been added to Table 2-2.

Documentation-Specific Updates in Release 9.1.0.3.0

There are no documentation-specific updates in revision "05" of the guide.

Documentation-Specific Updates in Release 9.1.0.2.0

The following documentation-specific update has been made in revision "04" of the guide:

Activating and Deactivating Reconciliation Exits has been updated.

Documentation-Specific Updates in Release 9.1.0.1.0

The following documentation-specific updates have been made in revision "03" of the guide:

The following documentation-specific updates have been made in revision "02" of the guide:

Documentation-Specific Updates in Release 9.1.0.0.0

The following documentation-specific update has been made in revision "01" of the guide:

This is the first release of the connector in this release track. Therefore, there are no documentation-specific updates in this release.