Oracle® Identity Manager Connector Guide for IBM RACF Advanced
Total Page:16
File Type:pdf, Size:1020Kb
Oracle® Identity Manager Connector Guide for IBM RACF Advanced Release 9.1.0.9.0 F21285-10 Aug 2021 Oracle Identity Manager Connector Guide for IBM RACF Advanced, Release 9.1.0.9.0 F21285-10 Copyright © 2019, 2021, Oracle and/or its affiliates. Primary Author: Debapriya Datta Contributing Authors: Maya Chakrapani, Mike Howlett Contributors: Amol Datar, Shradha Joshi, Vaidyanath Laturkar, Nilesh Nikalje This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract. The terms governing the U.S. Government’s use of Oracle cloud services are defined by the applicable contract for such services. No other rights are granted to the U.S. Government. This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle, Java, and MySQL are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle. Contents Preface Audience xii Documentation Accessibility xii Related Documents xii Conventions xiii What's New in the Oracle Identity Manager Advanced Connector for IBM RACF? Software Updates xiv Documentation-Specific Updates xxii 1 About the IBM RACF Advanced Connector 1.1 Introduction to the Connector 1-1 1.2 Certified Components 1-1 1.3 Certified Languages 1-2 1.4 Connector Architecture 1-3 1.4.1 Understanding the Connector Components 1-3 1.4.2 Understanding the Connector Operations 1-4 1.4.2.1 Full Reconciliation Process 1-4 1.4.2.2 Initial LDAP Population and Reconciliation Process 1-5 1.4.2.3 Provisioning Process 1-5 1.5 Connector Features 1-7 1.5.1 Full and Incremental Reconciliation 1-7 1.5.2 Encrypted Communication Between the Target System and Oracle Identity Manager 1-7 1.5.3 High Availability Feature of the Connector 1-7 1.6 Connector Objects Used During Reconciliation and Provisioning 1-8 1.6.1 Supported Functions for Target Resource Reconciliation 1-9 1.6.2 Supported Functions for Provisioning 1-9 1.6.3 User Attributes for Target Resource Reconciliation and Provisioning 1-10 1.6.4 GROUP Attributes for Target Resource Reconciliation and Provisioning 1-12 iii 1.6.5 Security Attributes for Provisioning 1-12 1.6.6 DATASET Profile Attributes for Provisioning 1-13 1.6.7 Resource Profile Attributes for Provisioning 1-13 1.6.8 Reconciliation Rule 1-14 1.6.9 Reconciliation Action Rules 1-14 1.6.10 Viewing the Reconciliation Action Rules for IBM RACF Advanced Connector 1-15 2 Installing and Configuring the LDAP Gateway 2.1 Hardware Requirements for Installing the LDAP Gateway 2-1 2.2 Installing the LDAP Gateway 2-1 2.3 Upgrading the LDAP Gateway 2-3 2.4 Configuring the LDAP Gateway 2-5 2.4.1 Setting Connection Properties 2-5 2.4.2 Creating the Connector Configuration 2-14 2.4.3 Configuring the LDAP Gateway for Multiple Installations of the Target System 2-16 2.4.4 Overriding the Default System Configuration 2-17 2.5 Configuring the Windows Service for the LDAP Gateway 2-18 2.5.1 Installing and Configuring the Windows Service for the LDAP Gateway 2-19 2.5.2 Uninstalling the Windows Service for the LDAP Gateway 2-19 2.5.3 Configuring Memory Pool Settings 2-19 2.6 Configuring Transformation of the LDAP Gateway Attributes 2-20 2.7 Configuring Multiple Instances of the LDAP Gateway 2-21 2.8 Encrypting Data 2-23 2.8.1 Understanding Encryption 2-23 2.8.2 Configuring Encryption 2-24 2.9 Understanding the Caching Layer 2-25 2.10 Configuring Scheduled Reconciliation 2-26 2.11 About Parsing Grammar Protocol 1.0 2-27 2.12 Configuring IDF LDAP Gateway to Use SSL for Messaging Between Gateway and Pioneer/Voyager 2-31 2.12.1 Configuring SSL for Messaging Between Gateway and Pioneer 2-32 2.12.2 Configuring SSL for Messaging Between Gateway and Voyager 2-32 2.12.3 Enabling AT-TLS for RACF Pioneer and Voyager 2-33 2.13 Configuring Replication 2-36 3 IBM RACF Connector Deployment on Oracle Identity Manager 3.1 Running the Connector Installer 3-1 3.2 Configuring the IT Resource 3-2 3.3 Configuring Oracle Identity Manager 3-4 iv 3.3.1 Creating Additional Metadata, Running Entitlement, and Catalog Synchronization Jobs 3-4 3.3.1.1 Creating and Activating a Sandbox 3-5 3.3.1.2 Creating a New UI Form 3-5 3.3.1.3 Creating an Application Instance 3-5 3.3.1.4 Publishing a Sandbox 3-6 3.3.1.5 Harvesting Entitlements and Sync Catalog 3-6 3.3.1.6 Updating an Existing Application Instance with a New Form 3-6 3.3.2 Localizing Field Labels in UI Forms 3-7 3.3.3 Clearing Content Related to Connector Resource Bundles from the Server Cache for Oracle Identity Manager Connector 3-9 3.3.4 Enabling Logging for IBM RACF Advanced Connector 3-9 3.3.4.1 Enabling Logging for the LDAP Gateway 3-10 3.3.4.2 Event Logging in Oracle Identity Manager 3-11 4 Installing and Configuring the Agents of the IBM RACF Connector on the Mainframe 4.1 Installation Requirements for Agents 4-1 4.2 Installing the Mainframe Agents 4-4 4.3 Configuring the Mainframe Agents 4-9 4.3.1 Configuring the Provisioning Agent 4-9 4.3.2 Configuring the Reconciliation Agent 4-13 4.4 Configuring Logging 4-15 4.5 Customizing the Reconciliation Exit 4-20 4.6 Activating and Deactivating Reconciliation Exits 4-22 4.7 Operator Interface for Mainframe Agents 4-22 4.7.1 Provisioning Agent Commands 4-22 4.7.2 Reconciliation Agent Commands 4-23 5 Using the IBM RACF Advanced Connector 5.1 Guidelines on Using the IBM RACF Advanced Connector 5-1 5.2 Scheduled Tasks for Lookup Field Synchronization 5-2 5.2.1 RACF Reconcile Groups To Internal LDAP 5-4 5.2.2 RACF Find All LDAP Groups 5-4 5.3 Configuring the Security Attributes Lookup Field 5-6 5.3.1 Attributes of the Find All Security Attributes Scheduled Task 5-6 5.3.2 Adding Additional Security Attributes for Provisioning and Reconciliation 5-8 5.4 Configuring Reconciliation 5-8 5.4.1 Configuring Incremental Reconciliation 5-8 5.4.2 Performing Full Reconciliation 5-9 v 5.4.3 Reconciliation Scheduled Tasks 5-10 5.4.3.1 RACF Reconcile All Users 5-10 5.4.3.2 RACF Deleted User Reconciliation Using OIM 5-11 5.4.3.3 RACF Reconcile Users to Internal LDAP 5-12 5.4.3.4 RACF Reconcile All LDAP Users 5-12 5.4.4 Guidelines for Configuring Filtered Reconciliation to Multiple Resource Objects 5-14 5.5 Configuring Account Status Reconciliation for IBM RACF Advanced Connector 5-15 5.6 Scheduled Tasks for IBM RACF Advanced Connector 5-15 5.7 Configuring