820-6551
Resources Reference
Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without
limitation, these intellectual property rights may include one or more U.S. patents or pending patent applications in the U.S. and in other countries.
U.S. Government Rights – Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions
of the FAR and its supplements.
This distribution may include materials developed by third parties.
Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other
countries, exclusively licensed through X/Open Company, Ltd.
Sun, Sun Microsystems, the Sun logo, the Solaris logo, the Java Coffee Cup logo, docs.sun.com, Java, and Solaris are trademarks or registered trademarks of Sun
Microsystems, Inc. or its subsidiaries in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of
SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.
The OPEN LOOK and Sun Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts
of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to
the Xerox Graphical User Interface, which license also covers Sun's licensees who implement OPEN LOOK GUIs and otherwise comply with Sun's written license
agreements.
Products covered by and information contained in this publication are controlled by U.S. Export Control laws and may be subject to the export or import laws in
other countries. Nuclear, missile, chemical or biological weapons or nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export
or reexport to countries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not limited to, the denied persons and specially
designated nationals lists is strictly prohibited.
DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO
THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
Copyright 2009 Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
Contents
Preface ...................................................................................................................................................27
5 ACF2 .......................................................................................................................................................75
Adapter Details .................................................................................................................................... 75
Resource Configuration Notes ................................................................................................... 75
Identity Manager Installation Notes .......................................................................................... 75
Usage Notes .................................................................................................................................. 77
Security Notes ............................................................................................................................... 78
Provisioning Notes ...................................................................................................................... 78
Account Attributes ....................................................................................................................... 78
Resource Object Management ................................................................................................... 86
Sample Forms ............................................................................................................................... 86
Troubleshooting ........................................................................................................................... 86
15 HP OpenVMS ......................................................................................................................................187
Adapter Details .................................................................................................................................. 187
Resource Configuration Notes ................................................................................................. 187
Identity Manager Installation Notes ........................................................................................ 187
Usage Notes ................................................................................................................................ 187
Security Notes ............................................................................................................................. 188
Provisioning Notes .................................................................................................................... 188
Account Attributes ..................................................................................................................... 188
Sample Forms ............................................................................................................................. 190
Troubleshooting ......................................................................................................................... 190
48 Windows NT ........................................................................................................................................503
Adapter Details .................................................................................................................................. 503
Resource Configuration Notes ................................................................................................. 503
Identity Manager Installation Notes ........................................................................................ 505
Usage Notes ................................................................................................................................ 505
Security Notes ............................................................................................................................. 505
Provisioning Notes .................................................................................................................... 505
Preface
The Sun Identity Manager 8.1 Resources Reference provides reference and procedural
information to help you connect to resources and manage accounts on those resources.
Deployers should have a background in programming and should be comfortable with XML,
Java, Emacs and/or IDEs such as Eclipse or NetBeans.
Administrators may not have a programming background, but should be highly skilled in one
or more resource domains such as LDAP, Active Directory, or SQL.
■ Chapter 51, “Synchronizing LDAP Passwords.” Describes the Identity Manager product
enhancements that support password synchronization from the Sun Java System
Directory Server to the Identity Manager system.
■ Chapter 52, “Active Directory Synchronization Failover.” Describes how to limit the
number of repeated events that occur when you switch to a new domain controller.
■ Chapter 53, “Mainframe Connectivity.” Describes how to connect to a mainframe resource
using IBM’s Host on Demand or the Attachmate 3270 Mainframe Adapter for Sun Emulator
Class Library.
■ Chapter 54, “Enabling Secure Network Communications (SNC) Connections.” Describes
how to enable the Access Enforcer, SAP, and SAP HR resource adapters to communicate
with SAP systems securely using Secure Network Communications (SNC).
■ Chapter 55, “Deprecated Resource Adapters.” Lists resource adapters that are no longer supported.
■ Chapter 56, “Identity Connectors Overview.” This chapter introduces identity connectors, a
newly supported feature of Identity Manager. Connectors provide an alternative to resource
adapters for managing identities and other object types in native resources.
■ Individual chapters for each supported connector-based resource. These chapters are
presented in alphabetical order.
Related Books
The Sun Identity Manager 8.1 documentation set includes the following books.
Audience | Title | Description
| Sun Identity Manager 8.1 Release Notes | Describes known issues, fixed issues, and late-breaking information not already provided in the Identity Manager documentation set.
Business Administrators | Business Administrator’s Guide | Describes how to use Identity Manager provisioning and auditing features. Contains information about the user interfaces, user and account management, reporting, and more.
Documentation Updates
Corrections and updates to this and other Sun Identity Manager publications are posted to the
Identity Manager Documentation Updates website:
http://blogs.sun.com/idmdocupdates/
An RSS feed reader can be used to periodically check the website and notify you when updates
are available. To subscribe, download a feed reader and click a link under Feeds on the right side
of the page. Starting with version 8.0, separate feeds are available for each major release.
Note – Sun is not responsible for the availability of third-party web sites mentioned in this
document. Sun does not endorse and is not responsible or liable for any content, advertising,
products, or other materials that are available on or through such sites or resources. Sun will not
be responsible or liable for any actual or alleged damage or loss caused or alleged to be caused by
or in connection with use of or reliance on any such content, goods, or services that are available
on or through such sites or resources.
Typographic Conventions
The following table describes the typographic conventions that are used in this book.
Typeface | Meaning | Example
AaBbCc123 | The names of commands, files, and directories, and onscreen computer output | Edit your .login file. Use ls -a to list all files. machine_name% you have mail.
aabbcc123 | Placeholder: replace with a real name or value | The command to remove a file is rm filename.
AaBbCc123 | Book titles, new terms, and terms to be emphasized | Read Chapter 6 in the User's Guide. A cache is a copy that is stored locally. Do not save the file. Note: Some emphasized items appear bold online.

Shell Prompts
Shell | Prompt
C shell | machine_name%
Chapter 1
This chapter describes the resource adapters and identity connectors that are provided with
your Identity Manager installation.
Adapter Types
The following tables list these adapters (sorted by type) and provide an overview of the supported
versions, Active Sync support, connection methods, and communication protocols for each
adapter. Refer to the Release Notes to determine which versions of each resource are supported.
Resource Adapter | Supported Applications | Active Sync Support | Gateway? | Communications Protocols
Lotus Domino Gateway | | Yes (smart polling) | Yes | RMI, IIOP using Toolkit for Java, CORBA
SecurID | | | | TCL Interface
Identity Manager adapters can often be used in their default state.
▼ To Enable an Adapter
1 Follow the installation and configuration procedures provided in the adapter’s Identity Manager
Installation Notes section in this chapter.
2 Add the resource to Identity Manager by using the Resource Wizard, as described in Business
Administrator's Guide.
See the Identity Manager Deployment Tools documentation for information about creating customized
adapters.
■ Introduction. Lists supported resource versions. (Refer to the Readme file supplied with
your latest service pack version for updates to this list.)
■ Resource Configuration Notes. Lists additional steps you must perform on the resource to
allow you to manage the resource from Identity Manager.
■ Identity Manager Installation Notes. Details the installation and configuration steps that
you must follow to work with the resource.
■ Usage Notes. Lists dependencies and limitations related to using the resource.
■ Security Notes. Describes the types of connection supported as well as the authorizations
needed on the resource to perform basic tasks.
■ Provisioning Notes. Lists whether the adapter can perform tasks such as enable/disable
accounts, rename accounts, and whether it allows pass-through authentication.
■ Account Attributes. Describes default user attributes supported for the resource.
■ Resource Object Management. Lists objects the adapter can manage.
■ Identity Template. Provides notes about how to construct or work with the resource
identity template.
■ Sample Forms. Shows the location of a sample form you can use to construct a custom
Create/Update User form. Unless otherwise indicated, sample forms are located in the
InstallDir\idm\sample\forms\ directory.
■ Troubleshooting. Lists the classes that can be used for tracing and debugging.
Topic Descriptions
This section describes the information provided for each adapter, and the topics are organized
as follows:
■ “Introduction” on page 38
■ “Resource Configuration Notes” on page 38
■ “Identity Manager Installation Notes” on page 38
■ “Usage Notes” on page 42
■ “Active Sync Configuration” on page 43
■ “Security Notes” on page 44
■ “Provisioning Notes” on page 45
■ “Account Attributes” on page 45
■ “Resource Object Management” on page 46
■ “Identity Template” on page 46
■ “Sample Forms” on page 46
■ “Troubleshooting” on page 47
Introduction
The introductory section lists the versions of the resource supported by the adapter. Other
versions might be supported, but they have not been tested.
This section also lists the adapter’s Java class name. The class name is always used for tracing. In
addition, if the resource is a custom resource, the class name must be specified on the Configure
Managed Resources page. See “Identity Manager Installation Notes” on page 38 for more
information about custom resources.
Some resources have multiple adapters. For example, Identity Manager provides adapters for
Windows Active Directory and Windows Active Directory ActiveSync. In these cases, a table
similar to the following is listed in the introductory section:
The GUI name is displayed on the drop-down menu on the Resources page. Once the resource
has been added to Identity Manager, this name is also displayed in the resource browser.
1 From the Identity Manager Administrator Interface, click Resources, and then click Configure
Types.
5 From the Identity Manager Administrator interface, click Resources, and then click Configure
Types.
7 Enter the full class name of the adapter in the bottom text box, such as
com.waveset.adapter.DB2ResourceAdapter.
Resource Adapter | Required JAR Files
ACF2 | habeans.jar; or habase.jar, hacp.jar, ha3270.jar, hassl.jar, hodbase.jar; or RWebSDK.jar, wrqtls12.jar, profile.jaw
ClearTrust | ct_admin_api.jar
DB2 | db2java.jar
MySQL | mysql-connector-java-Version-bin.jar
RACF | habeans.jar; or habase.jar, hacp.jar, ha3270.jar, hassl.jar, hodbase.jar; or RWebSDK.jar, wrqtls12.jar, profile.jaw
SAP | sapjco.jar, sapidoc.jar
SiteMinder | smjavaagentapi.jar, smjavasdk2.jar
Sybase | jconn2.jar
Usage Notes
This section lists dependencies and limitations related to using the resource. The contents of
this section vary among adapters.
Parameter Description
Process Rule Either the name of a TaskDefinition, or a rule that returns the name of a
TaskDefinition, to run for every record in the feed. The process rule gets the resource
account attributes in the activeSync namespace, as well as the resource ID and name.
This parameter overrides all others. If this attribute is specified, the process will be run
for every row regardless of any other settings on this adapter.
Correlation Rule If no Identity Manager user’s resource info is determined to own the resource account,
the Correlation Rule is invoked to determine a list of potentially matching
users/accountIDs or Attribute Conditions, used to match the user, based on the
resource account attributes (in the account namespace).
The rule returns one of the following pieces of information that can be used to correlate
the entry with an existing Identity Manager account:
■ Identity Manager user name
■ WSAttributes object (used for attribute-based search)
■ List of items of type AttributeCondition or WSAttribute (AND-ed, attribute-based
search)
■ List of items of type String (each item is the Identity Manager ID or the user name
of an Identity Manager account)
If more than one Identity Manager account can be identified by the correlation
rule, a confirmation rule or resolve process rule will be required to handle the
matches.
For the Database Table, Flat File, and PeopleSoft Component Active Sync adapters,
the default correlation rule is inherited from the reconciliation policy on the
resource.
Confirmation Rule Rule that is evaluated for all users returned by a correlation rule. For each user, the full
user view of the correlation Identity Manager identity and the resource account
information (placed under the account. namespace) are passed to the confirmation
rule. The confirmation rule is then expected to return a value that can be expressed like
a Boolean value. For example, “true” or “1” or “yes” and “false” or “0” or null.
For the Database Table, Flat File, and PeopleSoft Component Active Sync adapters, the
default confirmation rule is inherited from the reconciliation policy on the resource.
Delete Rule A rule that can expect a map of all values with keys of the form activeSync. or
account. A LighthouseContext object (display.session) based on the proxy
administrator’s session is made available to the context of the rule. The rule is then
expected to return a value that can be expressed like a Boolean value. For example,
“true” or “1” or “yes” and “false” or “0” or null.
If the rule returns true for an entry, the account deletion request will be processed
through forms and workflow, depending on how the adapter is configured.
Resolve Process Rule Either the name of the TaskDefinition or a rule that returns the name of a
TaskDefinition to run in case of multiple matches to a record in the feed. The Resolve
Process rule gets the resource account attributes as well as the resource ID and name.
This rule is also needed if there were no matches and Create Unmatched Accounts is
not selected.
This workflow could be a process that prompts an administrator for manual action.
Create Unmatched Accounts If set to true, creates an account on the resource when no matching Identity Manager
user is found. If false, the account is not created unless the process rule is set and the
workflow it identifies determines that a new account is warranted. The default is true.
Populate Global If set to true, populates the global namespace in addition to the activeSync namespace.
The default value is false.
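The way these parameters interact for a single feed record is easier to see in code than in the table. The following Python model is an added example, not Identity Manager code or an XPRESS rule: it simulates how the Process Rule, Correlation Rule, Confirmation Rule, Create Unmatched Accounts and Resolve Process Rule settings described above combine into one action per record, including the Boolean-like coercion of rule results ("true", "1", "yes" versus "false", "0", null). The sample users, feed records, rule bodies and the TaskDefinition names are constructed for the example, and an attribute condition is modelled as a plain attribute/value map standing in for a real WSAttributes or AttributeCondition search.

```python
"""Model of the Active Sync matching flow (added example, not product code).

Users, feed records and rule bodies are constructed here. An attribute
condition is a {attribute: value} map standing in for WSAttributes /
AttributeCondition; a string or list of strings stands for user names.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

Record = Dict[str, str]   # resource account attributes (account.* namespace)
User = Dict[str, str]     # a flattened Identity Manager user view (constructed)


def rule_boolean(value: object) -> bool:
    """Coerce a rule result as the text describes: "true", "1" and "yes"
    count as true; "false", "0", null and anything else count as false."""
    if value is None:
        return False
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes")


@dataclass
class ActiveSyncSettings:
    correlation_rule: Callable[[Record], Union[str, List[str], Dict[str, str], None]]
    confirmation_rule: Optional[Callable[[User, Record], object]] = None
    process_rule: Optional[str] = None          # TaskDefinition run for every record
    resolve_process_rule: Optional[str] = None  # TaskDefinition for 0 or many matches
    create_unmatched: bool = True


def correlate(settings: ActiveSyncSettings, record: Record,
              users: List[User]) -> List[User]:
    """Run the correlation rule and resolve its result to candidate users."""
    result = settings.correlation_rule(record)
    if result is None:
        return []
    if isinstance(result, str):                  # a single user name
        return [u for u in users if u["name"] == result]
    if isinstance(result, list):                 # user names or IDs
        return [u for u in users if u["name"] in result]
    if isinstance(result, dict):                 # AND-ed attribute-based search
        return [u for u in users
                if all(u.get(k) == v for k, v in result.items())]
    raise TypeError(f"unsupported correlation rule result: {result!r}")


def process_record(settings: ActiveSyncSettings, record: Record,
                   users: List[User]) -> Dict[str, object]:
    """Decide what happens to one feed record."""
    if settings.process_rule is not None:        # overrides all other settings
        return {"action": "process", "task": settings.process_rule}
    matches = correlate(settings, record, users)
    if settings.confirmation_rule is not None:   # evaluated for each correlated user
        matches = [u for u in matches
                   if rule_boolean(settings.confirmation_rule(u, record))]
    if len(matches) == 1:
        return {"action": "update", "user": matches[0]["name"]}
    if len(matches) > 1 or not settings.create_unmatched:
        # Ambiguous, or unmatched with creation disabled: both cases need the
        # Resolve Process Rule (for example a workflow prompting an administrator).
        if settings.resolve_process_rule is None:
            raise ValueError("Resolve Process Rule is required here")
        return {"action": "resolve", "task": settings.resolve_process_rule,
                "candidates": sorted(u["name"] for u in matches)}
    return {"action": "create", "user": record["accountId"]}


def run_feed(settings: ActiveSyncSettings, feed: List[Record],
             users: List[User]) -> List[Dict[str, object]]:
    return [process_record(settings, r, users) for r in feed]


# Constructed sample data: two users share an e-mail address, so correlating
# on e-mail alone is ambiguous for the second record.
SAMPLE_USERS: List[User] = [
    {"name": "jdoe", "email": "jdoe@example.com", "employeeId": "1001"},
    {"name": "jdoe2", "email": "jdoe@example.com", "employeeId": "1002"},
    {"name": "asmith", "email": "asmith@example.com", "employeeId": "1003"},
]
SAMPLE_FEED: List[Record] = [
    {"accountId": "asmith", "email": "asmith@example.com", "employeeId": "1003"},
    {"accountId": "jdoe", "email": "jdoe@example.com", "employeeId": "1001"},
    {"accountId": "newhire", "email": "newhire@example.com", "employeeId": "2000"},
]
SAMPLE_SETTINGS = ActiveSyncSettings(
    correlation_rule=lambda r: {"email": r["email"]},
    # Returns "yes" or null, exercising the Boolean-like coercion above.
    confirmation_rule=lambda u, r: "yes" if u["employeeId"] == r["employeeId"] else None,
    resolve_process_rule="Manual Resolution",   # hypothetical TaskDefinition name
)


def demo() -> List[Dict[str, object]]:
    return run_feed(SAMPLE_SETTINGS, SAMPLE_FEED, SAMPLE_USERS)


if __name__ == "__main__":
    for action in demo():
        print(action)
```

With the confirmation rule in place the duplicate e-mail record narrows to one user and is updated; remove the confirmation rule and the same record is handed to the Resolve Process Rule with both candidates, and turning off Create Unmatched Accounts routes the unmatched record there as well, which is why the table calls that rule required in both situations.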
Security Notes
The Security Notes section provides connection and authorization information.
Supported Connections lists the type of connection used to communicate between Identity
Manager and the resource. The following types of connections are commonly used:
■ Sun Identity Manager Gateway
■ Secure Shell (SSH)
■ Java Database Connectivity (JDBC) over Secure Sockets Layer (SSL)
■ Java Naming and Directory Interface (JNDI) over SSL
■ Telnet/TN3270
Required Administrative Privileges lists the privileges the administrator account must have to
create users and perform other tasks from within Identity Manager. The administrator account
is specified on the Resource Attributes page.
For all Active Sync adapters, the administrator account must have read, write, and delete
permissions on the directory specified in the Log File Path field in the Active Sync Running
Settings.
Provisioning Notes
This section contains a table that summarizes the provisioning capabilities of the adapter. These
capabilities include:
■ Enable/Disable Account. The ability to enable and disable user accounts is determined by the
resource. For example, on some UNIX systems, an account is disabled by changing the
password to a random value.
■ Rename Account. The ability to rename user accounts is determined by the resource.
■ Pass-Through Authentication. An Identity Manager feature that enables resource users to log
in to the Identity Manager User interface with their resource credentials.
■ Before/After Actions. Actions are scripts that run within the context of a managed resource,
if native support exists for scripted actions.
For example, on UNIX systems, actions are sequences of UNIX shell commands. In
Microsoft Windows environments, actions are DOS-style console commands that can
execute within the CMD console.
■ Dataloading Methods. Indicates how data can be loaded into Identity Manager. The
following methods are supported:
■ Active Sync. Allows information that is stored in an “authoritative” external resource
(such as an application or database) to synchronize with Identity Manager user data. The
adapter can push or pull resource account changes into Identity Manager.
■ Discovery (load from resource). Initially pulls resource accounts into Identity Manager,
without viewing before loading. Resource account information can also be imported
from or exported to a file.
■ Reconciliation. Periodically pull resource accounts into Identity Manager, taking action
on each account according to configured policy. Use the reconciliation feature to
highlight inconsistencies between the resource accounts on Identity Manager and the
accounts that actually exist on a resource, and to periodically correlate account data.
Account Attributes
The Account Attributes page, or schema map, maps Identity Manager account attributes to
resource account attributes. The list of attributes varies for each resource. You should remove
all unused attributes from the schema map page. If you add attributes, you will probably need to
edit user forms or other code.
The Identity Manager User Attributes can be used in rules, forms, and other Identity
Manager-specific functions. The Resource User Attributes are used only when the adapter
communicates with the resource.
■ Boolean
■ encrypted
■ binary
Note – Binary attributes include graphic files, audio files, and certificates. Most resources do not
support binary account attributes; currently, only certain directory, flat file, and database
adapters can process them. In your forms and workflows, make sure you do not attempt to push
binary attributes to resources that do not support them. Consult the “Account Attributes” section
of the adapter documentation to determine whether binary attributes are supported for your adapter.
In addition, keep the file size of any file referenced in a binary attribute as small as possible.
Loading extremely large graphics files, for example, can degrade Identity Manager performance.
name is a reserved word in views and should not be used as an Identity System User Attribute on
resource schema maps.
Identity Template
Defines account name syntax for users. For most resources, the syntax is the same as the
account ID. However, the syntax is different if the resource uses hierarchical namespaces.
Sample Forms
A form is an object associated with a page that contains rules about how the browser should
display user view attributes on that page. Forms can incorporate business logic and are often
used to manipulate view data before it is presented to the user.
Built-In Forms
Some forms are loaded into the Identity Manager repository by default. To view a list of forms
in the repository, perform the following steps:
2 From the options menu adjacent to List Objects, select Type: ResourceForm.
3 Click List Objects. The List Objects of Type: ResourceForm page is displayed. This page lists all
editable forms that reside in the Identity Manager repository.
Also Available
Identity Manager provides many additional forms that are not loaded by default. These forms
are located in the InstallDir\idm\sample\forms\ directory.
Troubleshooting
Trace output can be helpful when identifying and resolving problems with any adapter.
Generally, these are the steps you will follow when using tracing to help identify and resolve
problems:
▼ Using trace
1 Turn on tracing.
3 Optionally turn tracing on for additional packages or classes, or turn up the tracing level and
repeat steps 2 and 3 as needed.
10 Enter a trace level (1-4). Each level captures different types of information:
■ 1, which identifies entry and exit of public methods, plus major exceptions.
■ 2, which identifies entry and exit of all methods.
■ 3, which identifies significant informational displays (such as the value of variables that
control flow) that occur only once per method invocation.
■ 4, which identifies informational displays that occur n times per method invocation.
11 Fill out the rest of the page as desired. Click Save when you are ready to begin tracing.
To disable tracing, either deselect the Show Trace option, or delete the class name from the
Method/Class text box.
Chapter 2
Access Enforcer
The SAP Governance, Risk, and Compliance (GRC) Access Enforcer resource adapter is
defined in the com.waveset.adapter.AccessEnforcerResourceAdapter class. This class
extends the SAPResourceAdapter class.
Adapter Details
1 Download the JCo (SAP Java Connector) toolkit from the following URL:
http://service.sap.com/connectors
Access to the SAP JCo download pages requires a login and password. The toolkit will have a
name similar to sapjco-ntintel-2.1.8.zip. This name will vary depending on the platform
and version selected.
Note – Make sure that the JCo toolkit you download matches the bit width (32-bit or 64-bit) of the
Java runtime your application server uses. For example, JCo is available only in a 64-bit version
on the Solaris x86 platform, so an application server on Solaris x86 must run 64-bit Java.
2 Unzip the toolkit and follow the installation instructions. Be sure to place library files in the
correct location and to set the environment variables as directed.
4 Download the Apache Axis SOAP toolkit from the following URL:
http://www.apache.org/dyn/closer.cgi/ws/axis/1_4/
7 To add an Access Enforcer resource to the Identity Manager resources list, you must add the
following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.AccessEnforcerResourceAdapter
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses BAPI over SAP Java Connector (JCo) to communicate with the SAP
systems for the getUser and listObjects methods and the account iterator.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Rename account No
Pass-through authentication No
Before/after actions No
Data loading methods ■ Import from resource (through the SAPResourceAdapter class)
■ Reconciliation (through the SAPResourceAdapter class)
Account Attributes
The following table provides information about the account attributes that are specific to
Access Enforcer. Refer to the documentation for the SAP adapter for information about general
SAP attributes. Unless stated otherwise, all attribute types are String, and all attributes are
write-only. The values for all attributes listed below are converted to uppercase.
Note – The attributes designated as required must be sent in the Submit Request service call.
However, they are not marked as required on the schema map because of conflicts that may
occur when updating a user that has other resources assigned.
Other attributes may be added to the schema map, but are considered custom attributes in
Access Enforcer. To distinguish the custom attributes, you must prepend AE to any Resource
User Attribute. (For example, AEMyAttribute.) The values for custom attributes are not
converted to uppercase.
Identity Template
$accountId$
Sample Forms
■ Access Enforcer User Form
■ Access Enforcer EnableDisableDelete Form
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.AccessEnforcerResourceAdapter
■ com.waveset.adapter.SAPResourceAdapter
To determine which version of the SAP Java Connector (JCO) is installed, and to determine
whether it is installed correctly, run the following command:
The command returns the JCO version as well as the JNI platform-dependent and the RFC
libraries that communicate with the SAP system.
If the platform-dependent libraries are not found, refer to the SAP documentation to find out
how to correctly install the SAP Java Connector.
Identity Manager provides the Sun Access Manager resource adapter to support Sun JavaTM
System Access Manager running in Legacy mode.
Adapter Details
This adapter is defined in the com.waveset.adapter.SunAccessManagerResourceAdapter
class.
Note –
■ Use the Sun Access Manager resource adapter for resources running in Legacy mode.
■ Use the Sun Access Manager Realm resource adapter for resources running in Realm mode.
See Sun Access Manager Realm for information about this adapter.
Note – For Access Manager 7 and later, this adapter supports legacy mode only. Realms are not
supported.
You can configure only one Access Manager server (whether in Realm mode or in Legacy
mode).
The Policy Agent is an optional module that you can use to enable single sign-on (SSO). Do not
attempt to follow Policy Agent configuration or installation procedures if this product is not
being used in your environment.
To install the Policy Agent, follow the installation instructions provided with the Policy Agent,
and then perform the following tasks:
com.sun.identity.agents.config.cookie.reset.enable = true
com.sun.identity.agents.config.cookie.reset.name[0] = AMAuthCookie
com.sun.identity.agents.config.cookie.reset.domain[0] = .example.com
com.sun.identity.agents.config.cookie.reset.path[0] = /
com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
com.sun.identity.agents.config.profile.attribute.mapping[uid] = sois_user
4 You must restart the web server for your changes to take effect.
▼ To Create a Policy
1 From within the Sun Java System Access Manager application, create a new policy named IDMGR
(or something similar) with the following rules:
If Access Manager is installed on a different system than the Identity Manager server, then
perform the following steps on the Identity Manager system.
1 Create a directory to place files that will be copied from the Sun Java System Access Manager
server. This directory will be called CfgDir in this procedure. The location of Access Manager will
be called AccessMgrHome.
2 Copy the following files from AccessMgrHome to CfgDir. Do not copy the directory structure.
■ lib/*.*
■ locale/*.properties
■ config/serverconfig.xml
■ config/SSOConfig.properties (Identity Server 2004Q2 and later)
■ config/ums/ums.xml
3 On UNIX, it may be necessary to change the permissions of the jar files in the CfgDir to allow
universal read access. Run the following command to change permissions:
chmod a+r CfgDir/*.jar
5 If you are using version 6.0, set the Java system property to point to your CfgDir. Use a command
similar to the following:
java -Dcom.iplanet.coreservices.configpath=CfgDir
6 If you are using version 6.1 or later, add or edit the following lines in the
CfgDir/AMConfig.properties file:
com.iplanet.services.configpath=CfgDir
com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.SecureRandomFactoryImpl
com.iplanet.security.SSLSocketFactoryImpl=netscape.ldap.factory.JSSESocketFactory
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
The first line sets the configpath. The last three lines select the security implementations (the secure random source, the SSL socket factory, and the encryptor) that the Access Manager client code uses.
7 Copy the CfgDir/am_*.jar files to $WSHOME/WEB-INF/lib. If you are using version 6.0, also copy
the jss311.jar file to the $WSHOME/WEB-INF/lib directory.
8 If Identity Manager is running on Windows and you are using Identity Server 6.0, copy
IdServer\lib\jss\*.dll to CfgDir and add CfgDir to your system path.
Note – In an environment where Identity Manager is installed on a different system from Access
Manager, check the following error conditions. If a java.lang.ExceptionInInitializerError is
returned when you attempt to connect to the Access Manager resource (followed by a
java.lang.NoClassDefFoundError on subsequent attempts), check for incorrect or missing
configuration data.
Also identify the jar file that contains the class named in the java.lang.NoClassDefFoundError,
and prepend that jar file to the Java classpath on the application server.
Check that CfgDir contains all the data outlined in “Installing and Configuring Sun Java
System Access Manager (Versions Prior to Access Manager 7.0)” on page 57 and that all the
configuration properties have been assigned correctly.
http://wwws.sun.com/software/download/inter_ecom.html#dirserv
Follow the installation instructions provided with the Policy Agent. Then perform the following
tasks.
Be sure to use the files located in the preceding directories. Do not use the copies located in the
AgentInstallDir\config directory.
com.sun.identity.agents.config.cookie.reset.enable = true
com.sun.identity.agents.config.cookie.reset.name[0] = AMAuthCookie
com.sun.identity.agents.config.cookie.reset.domain[0] = .example.com
com.sun.identity.agents.config.cookie.reset.path[0] = /
com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
com.sun.identity.agents.config.profile.attribute.mapping[uid] = sois_user
4 You must restart the web server for your changes to take effect.
1 From within the Access Manager application, create a new policy named IDMGR (or something
similar) with the following rules:
1 Follow the instructions provided in the appropriate version of the Sun JavaTM System Access
Manager Developer’s Guide to build the client SDK from the Sun Access Manager installation.
2 Extract the AMConfig.properties and amclientsdk.jar files from the war file that is
produced.
7 After copying the files, you must add the Sun Java System Access Manager resource to the
Identity Manager resources list. Add the following value in the Custom Resources section of the
Configure Managed Resources page.
com.waveset.adapter.SunAccessManagerRealmResourceAdapter
Policy Agent
You must modify the administrator and user login modules so that the Access Manager login
modules are listed first.
Note – An Access Manager resource must be configured before performing this procedure:
1 From the Identity Manager Administrator Interface menu bar, select Security.
3 Click the Manage Login Module Groups button, located at the bottom of the page.
4 Select the Login Module to modify. For example, select Default Identity System ID/Pwd Login
Module Group.
5 In the Assign Login Module select box, select Sun Access Manager Login Module.
6 When a new Select option displays next to the Assign Login Module option, select the
appropriate resource.
7 When the Modify Login Module page displays, edit the displayed fields as needed, and then
click Save. The Modify Login Module Group is displayed again.
8 Specify Sun Access Manager Login Module as the first resource in the module group, and then
click Save.
Usage Notes
If you are running Identity Manager under WebLogic, and native changes made in Access
Manager do not appear in Identity Manager, add am_services.jar in the classpath before
weblogic.jar.
To set the protocol handler when more than one is present, set the following Java system
property on the application server JVM:
java.protocol.handler.pkgs=com.iplanet.services.comm|sun.net.www.protocol
Security Notes
This section provides information about supported connections and authorization
requirements needed to perform basic tasks.
Supported Connections
Identity Manager uses JNDI over SSL to communicate with this resource.
Provisioning Notes
This section contains a table that summarizes the provisioning capabilities of the adapter.
Feature Supported?
Rename account No
Before/after actions No
Account Attributes
The following table lists the Access Manager user account attributes supported by default. All
attributes are optional, unless noted in the description.
Resource User Attribute Type Description
iplanet-am-user-account-life Date The date and time the user account expires. The account does not expire if this value is not set.
iplanet-am-user-failure-url String The URL to which the user is redirected after unsuccessful authentication.
iplanet-am-user-success-url String The URL to which the user is redirected after successful authentication.
Identity Template
The default identity template is
uid=$uid$,ou=People,dc=MYDOMAIN,dc=com
Sample Forms
This section lists the sample forms that are built-in and available for the Sun Access Manager
resource adapter.
Built-In
■ Sun Java System Access Manager Update Static Group Form
■ Sun Java System Access Manager Update Role Form
■ Sun Java System Access Manager Update Organization Form
■ Sun Java System Access Manager Update Filtered Group Form
■ Sun Java System Access Manager Update Dynamic Group Form
■ Sun Java System Access Manager Create Static Group Form
■ Sun Java System Access Manager Create Role Form
■ Sun Java System Access Manager Create Organization Form
■ Sun Java System Access Manager Create Filtered Group Form
■ Sun Java System Access Manager Create Dynamic Group Form
Also Available
SunAMUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.SunAccessManagerResourceAdapter
Identity Manager provides the Sun Java System Access Manager Realm resource adapter to
support SunTM Java System Access Manager running in Realm mode.
Adapter Details
This adapter is defined in the
com.waveset.adapter.SunAccessManagerRealmResourceAdapter class.
Note –
■ Use the Sun Access Manager Realm resource adapter for resources running in Realm mode.
■ Use the Sun Access Manager resource adapter for resources running in Legacy mode. See
Sun Java System Access Manager for information about this adapter.
The Identity Server Policy Agent is an optional module that you can use to enable single sign-on
(SSO). You can obtain this Policy Agent from the following location:
http://wwws.sun.com/software/download/inter_ecom.html#dirserv
Note – Do not attempt to follow the Policy Agent installation or configuration procedures if this
product is not being used in your environment.
http://docs.sun.com/app/docs/coll/1322.1
You must install the Identity Server Policy Agent on the same server where Identity Manager is
installed.
To install the Policy Agent, follow the installation instructions provided with the Policy Agent,
and then perform the following tasks:
com.sun.identity.agents.config.cookie.reset.enable = true
com.sun.identity.agents.config.cookie.reset.name[0] = AMAuthCookie
com.sun.identity.agents.config.cookie.reset.domain[0] = .example.com
com.sun.identity.agents.config.cookie.reset.path[0] = /
com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
com.sun.identity.agents.config.profile.attribute.mapping[uid] = sois_user
4 You must restart the web server for your changes to take effect.
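The agent settings in the Policy Agent procedures of this chapter and of the Sun Access Manager chapter, and the AMConfig.properties lines in step 6 of the pre-7.0 procedure there, are all Java properties files, so one checker covers them. The following Python script is an added example, not code from the Identity Manager documentation or from the Access Manager or Policy Agent products: it parses a .properties file (comments, key = value, backslash continuation, indexed keys such as name[0]) and reports settings that are missing or differ from the values printed in the procedures. The file contents shown are constructed, and the check on the cookie reset domain is this editor's reading of the documented form .example.com, not a rule stated by the product.

```python
"""Added example (not part of the Identity Manager documentation or of the
Policy Agent / Access Manager products): parse Java-style .properties text
and check the settings the procedures require.  Sample content is constructed."""
import re
from typing import Dict, Iterable, List, Mapping

_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse .properties text the way java.util.Properties does for the cases
    that matter here: '#'/'!' comments, 'key = value' or 'key:value', and a
    trailing backslash that continues the value on the next line.  Indexed
    keys such as name[0] or mapping[uid] are kept verbatim; a repeated key
    overwrites the earlier value."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        match = _KV.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    if pending:                          # continuation at end of file
        match = _KV.match(pending)
        if match:
            props[match.group(1)] = match.group(2)
    return props


AGENT = "com.sun.identity.agents.config."

# Agent settings from the procedure (key -> expected value).  The cookie reset
# domain is site-specific and is checked separately.
REQUIRED_AGENT: Mapping[str, str] = {
    AGENT + "cookie.reset.enable": "true",
    AGENT + "cookie.reset.name[0]": "AMAuthCookie",
    AGENT + "cookie.reset.path[0]": "/",
    AGENT + "profile.attribute.fetch.mode": "HTTP_HEADER",
    AGENT + "profile.attribute.mapping[uid]": "sois_user",
}

# AMConfig.properties security settings from step 6 of the pre-7.0 procedure;
# configpath is site-specific and is only checked for presence.
REQUIRED_AMCONFIG: Mapping[str, str] = {
    "com.iplanet.security.SecureRandomFactoryImpl": "com.iplanet.am.util.SecureRandomFactoryImpl",
    "com.iplanet.security.SSLSocketFactoryImpl": "netscape.ldap.factory.JSSESocketFactory",
    "com.iplanet.security.encryptor": "com.iplanet.services.util.JCEEncryption",
}


def check_settings(props: Mapping[str, str], required: Mapping[str, str],
                   presence_only: Iterable[str] = ()) -> List[str]:
    """One finding per missing or mismatching key."""
    findings = [f"missing: {key}" for key in presence_only if not props.get(key)]
    for key, expected in required.items():
        actual = props.get(key)
        if actual is None:
            findings.append(f"missing: {key}")
        elif actual != expected:
            findings.append(f"wrong value: {key}={actual!r}, expected {expected!r}")
    return findings


def check_agent_properties(text: str) -> List[str]:
    props = parse_properties(text)
    findings = check_settings(props, REQUIRED_AGENT)
    key = AGENT + "cookie.reset.domain[0]"
    domain = props.get(key)
    if domain is None:
        findings.append(f"missing: {key}")
    elif not domain.startswith(".") or domain.count(".") < 2:
        # Documented form is .example.com.  A browser only discards AMAuthCookie
        # if the reset cookie's domain and path match the ones the cookie was set
        # with, so a bare host name or a top-level domain is a misconfiguration.
        findings.append(f"{key}={domain!r} is not of the documented form .example.com")
    return findings


def check_amconfig_properties(text: str) -> List[str]:
    return check_settings(parse_properties(text), REQUIRED_AMCONFIG,
                          presence_only=("com.iplanet.services.configpath",))


# Constructed samples: the agent file has a domain without the leading dot,
# the AMConfig file uses a continuation line and lacks the encryptor setting.
SAMPLE_AGENT_PROPERTIES = """\
# AMAgent.properties (constructed sample)
com.sun.identity.agents.config.cookie.reset.enable = true
com.sun.identity.agents.config.cookie.reset.name[0] = AMAuthCookie
com.sun.identity.agents.config.cookie.reset.domain[0] = example.com
com.sun.identity.agents.config.cookie.reset.path[0] = /
com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
com.sun.identity.agents.config.profile.attribute.mapping[uid] = sois_user
"""
SAMPLE_AMCONFIG = """\
com.iplanet.services.configpath=/opt/idm/CfgDir
com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.\\
    SecureRandomFactoryImpl
com.iplanet.security.SSLSocketFactoryImpl=netscape.ldap.factory.JSSESocketFactory
"""

if __name__ == "__main__":
    for name, result in (("AMAgent.properties", check_agent_properties(SAMPLE_AGENT_PROPERTIES)),
                         ("AMConfig.properties", check_amconfig_properties(SAMPLE_AMCONFIG))):
        print(name, "OK" if not result else "")
        for finding in result:
            print("  ", finding)
```

Run it against the real AMAgent.properties and AMConfig.properties after editing them and before restarting the web server. It checks only the files: because profile.attribute.fetch.mode = HTTP_HEADER hands Identity Manager the user identity as a request header (sois_user), confirming that no request can reach the Identity Manager web container without passing through the agent is a separate deployment check.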
▼ To Create a Policy
1 From within the Sun Java System Access Manager application, create a new policy named IDMGR
(or something similar) with the following rules:
General Configuration
Use the following procedure to install and configure the resource adapter.
2 Extract the AMConfig.properties and amclientsdk.jar files from the war file that is
produced.
7 After copying the files, you must add the Sun Java System Access Manager Realm resource to
the Identity Manager resources list. Add the following value in the Custom Resources section of
the Configure Managed Resources page.
com.waveset.adapter.SunAccessManagerRealmResourceAdapter
Login Module
You must modify the administrator and user login modules so the Sun Java System Access
Manager login modules will be listed first.
Note – You must first configure a Sun Java System Access Manager realm resource before
performing the following procedure.
1 From the Identity Manager Administrator Interface menu bar, select Security.
3 Click the Manage Login Module Groups button, located at the bottom of the page.
4 Select the Login Module to modify. For example, select Default Identity System ID/Pwd Login
Module Group.
5 In the Assign Login Module select box, select Sun Access Manager Realm Login Module.
6 When a new Select option displays next to the Assign Login Module option, select the
appropriate resource.
7 When the Modify Login Module page displays, edit the displayed fields as needed, and then
click Save. The Modify Login Module Group is displayed again.
8 Specify Sun Access Manager Realm Login Module as the first resource in the module group, and
then click Save.
Security Notes
This section provides information about supported connections and authorization
requirements needed to perform basic tasks.
Supported Connections
Identity Manager uses SSL to communicate with this resource.
Provisioning Notes
The following table summarizes the provisioning capabilities of the adapter.
Feature Supported?
Rename account No
Before/after actions No
Account Attributes
The following table lists the Sun Java System Access Manager user account attributes supported
by default. All attributes are optional, unless noted in the description.
Identity Template
The default identity template is $accountId$.
Sample Forms
This section lists the sample forms that are built-in and available for the Sun Java System Access
Manager Realm resource adapter.
Built-In
■ Sun Access Manager Realm Create Role Form
■ Sun Access Manager Realm Update Role Form
■ Sun Access Manager Realm Create Filtered Role Form
■ Sun Access Manager Realm Update Filtered Role Form
■ Sun Access Manager Realm Create Group Form
■ Sun Access Manager Realm Update Group Form
Also Available
SunAMRealmUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.SunAccessManagerRealmResourceAdapter
ACF2
The ACF2 resource adapter supports management of user accounts and memberships on an
OS/390 mainframe. The adapter manages ACF2 over a TN3270 emulator session.
Adapter Details
The ACF2 resource adapter is defined in the com.waveset.adapter.ACF2ResourceAdapter
class.
1 To add the ACF2 resource to the Identity Manager resources list, you must add the following
value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.ACF2ResourceAdapter
2 Copy the appropriate JAR files to the WEB-INF/lib directory of your Identity Manager
installation.
Host On Demand The IBM Host Access Class Library (HACL) manages connections to the
mainframe. The recommended JAR file containing HACL is habeans.jar, which is installed with
the HOD Toolkit (or Host Access Toolkit) that comes with HOD. The supported versions of HACL
are those shipped with HOD V7.0, V8.0, V9.0, and V10.
If the toolkit installation is not available, the HOD installation contains the following JAR
files that can be used in place of habeans.jar:
■ habase.jar
■ hacp.jar
■ ha3270.jar
■ hassl.jar
■ hodbase.jar
See http://www.ibm.com/software/webservers/hostondemand/ for more information.
3 Add the following definitions to the Waveset.properties file to define which service manages
the terminal session:
serverSettings.serverId.mainframeSessionType=Value
serverSettings.default.mainframeSessionType=Value
4 When the Attachmate libraries are installed into a WebSphere or WebLogic application server,
add the property com.wrq.profile.dir=LibraryDirectory to the
WebSphere/AppServer/configuration/config.ini or startWeblogic.sh file.
This allows the Attachmate code to find the licensing file.
5 Restart your application server so that the modifications to the Waveset.properties file can
take effect.
Usage Notes
This section lists dependencies and limitations related to using the ACF2 resource adapter.
Administrators
A TSO logonid cannot hold more than one session at a time. To achieve concurrency for
Identity Manager ACF2 operations, you must therefore create multiple administrators: with two
administrators, two Identity Manager ACF2 operations can occur at the same time. Create at
least two (and preferably three) administrators.
If you are running in a clustered environment, you must define an admin for each server in the
cluster. This applies even if it is the same admin. For TSO, there must be a different admin for
each server in the cluster.
If clustering is not being used, the server name should be the same for each row (the name of the
Identity Manager host machine).
Note – Host resource adapters do not enforce maximum connections for an affinity
administrator across multiple host resources connecting to the same host. Instead, the adapter
enforces maximum connections for affinity administrators within each host resource.
If you have multiple host resources managing the same system, and they are currently
configured to use the same administrator accounts, you might have to update those resources to
ensure that the same administrator is not trying to perform multiple actions on the resource
simultaneously.
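As an added example (not from the Identity Manager documentation or product), the following Python script applies the rules of this section to a constructed list of administrator rows: it computes how many ACF2 operations a resource can run concurrently on a server, flags servers with fewer than two administrators, checks that a cluster has an administrator row (and, for TSO, a distinct logonid) for every server, and reports logonids shared by several host resources that manage the same host, which the adapter does not coordinate. Resource, host, server and logonid names are invented.

```python
"""Added example, not part of the Identity Manager documentation or product:
lint ACF2 host-resource administrator rows against the rules in this section."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AdminRow:
    resource: str   # Identity Manager host resource name
    host: str       # mainframe the resource connects to
    logonid: str    # ACF2 logonid used for the TSO session
    server: str     # Identity Manager server named in the row


def max_concurrent_operations(rows: List[AdminRow], resource: str, server: str) -> int:
    """Concurrency equals the number of distinct logonids the resource has on
    that server, because a TSO logonid cannot hold two sessions."""
    return len({r.logonid for r in rows if r.resource == resource and r.server == server})


def lint_admins(rows: List[AdminRow], cluster_servers: Optional[Set[str]] = None) -> List[str]:
    """Return human-readable findings; cluster_servers is None when not clustered."""
    findings: List[str] = []
    by_resource: Dict[str, List[AdminRow]] = defaultdict(list)
    for row in rows:
        by_resource[row.resource].append(row)

    for resource, rs in sorted(by_resource.items()):
        servers = {r.server for r in rs}
        if cluster_servers:
            missing = sorted(cluster_servers - servers)
            if missing:
                findings.append(f"{resource}: no administrator row for cluster server(s) {missing}")
            per_logonid: Dict[str, Set[str]] = defaultdict(set)
            for r in rs:
                per_logonid[r.logonid].add(r.server)
            for logonid, srvs in sorted(per_logonid.items()):
                if len(srvs) > 1:   # TSO: each cluster server needs its own logonid
                    findings.append(f"{resource}: TSO logonid {logonid} is assigned to servers "
                                    f"{sorted(srvs)}; each cluster server needs its own")
        elif len(servers) > 1:
            findings.append(f"{resource}: not clustered, but rows name different servers {sorted(servers)}")
        for server in sorted(servers):
            n = max_concurrent_operations(rows, resource, server)
            if n < 2:
                findings.append(f"{resource}: only {n} administrator on {server}; at most {n} "
                                f"ACF2 operation at a time (2-3 recommended)")

    # The adapter enforces an administrator's connection limit per host
    # resource, not per host, so a logonid shared by two resources that manage
    # the same host can be driven by both at once.
    shared: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for row in rows:
        shared[(row.host, row.logonid)].add(row.resource)
    for (host, logonid), resources in sorted(shared.items()):
        if len(resources) > 1:
            findings.append(f"logonid {logonid} on {host} is shared by resources {sorted(resources)}; "
                            f"connection limits are not enforced across resources")
    return findings


# Constructed sample: one well-provisioned resource and a second resource on the
# same mainframe that reuses the first one's logonid and has no spare.
SAMPLE_ROWS = [
    AdminRow("ACF2-prod", "mvs1.example.com", "IDMADM1", "idm1"),
    AdminRow("ACF2-prod", "mvs1.example.com", "IDMADM2", "idm1"),
    AdminRow("ACF2-prod", "mvs1.example.com", "IDMADM3", "idm1"),
    AdminRow("ACF2-recon", "mvs1.example.com", "IDMADM1", "idm1"),
]

if __name__ == "__main__":
    print("standalone server:")
    for line in lint_admins(SAMPLE_ROWS):
        print("  ", line)
    print("cluster idm1/idm2:")
    for line in lint_admins(SAMPLE_ROWS, cluster_servers={"idm1", "idm2"}):
        print("  ", line)
```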
Resource Actions
The ACF2 adapter requires login and logoff resource actions. The login action negotiates an
authenticated session with the mainframe. The logoff action disconnects when that session is no
longer required.
See “Mainframe Examples” on page 536 for more information about creating login and logoff
resource actions.
SSL Configuration
Identity Manager uses TN3270 connections to communicate with the resource.
See Chapter 53, “Mainframe Connectivity,” for information about setting up an SSL connection
to an ACF2 resource.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses TN3270 connections to communicate with ACF2.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Pass-through authentication No
Account Attributes
The following table provides information about ACF2 account attributes.
Resource User Attribute Type Description
CANCEL/SUSPEND.CANCEL Boolean The logonid is canceled and denied access to the system.
CANCEL/SUSPEND.CSDATE String The date when the CANCEL or SUSPEND field was set.
CANCEL/SUSPEND.MON-LOG Boolean ACF2 writes an SMF record each time this user enters the system.
CANCEL/SUSPEND.SUSPEND Boolean The logonid is suspended and denied access to the system.
CANCEL/SUSPEND.TRACE Boolean All data references by this user are traced and logged.
CICS.CICSKEY String The first three bytes of transaction security key values to support CICS Release 1.6 and later.
CICS.CICSKEYX String The last five bytes of transaction security key values to support CICS Release 1.6 and later.
IDMS.IDMSPROF String The name of the sign-on profile CLIST executed when the user signs on to CA-IDMS.
IDMS.IDMSPRVS String The version of the sign-on profile CLIST executed when the user signs on to CA-IDMS.
PRIVILEGES.ACCOUNT Boolean The user can insert, delete, and change logonids, as limited by a scope.
PRIVILEGES.AUDIT Boolean The user can inspect, but not modify, the parameters of the CA-ACF2 system.
PRIVILEGES.BDT Boolean This logonid's address space belongs to the Bulk Data Transfer (BDT) product.
PRIVILEGES.CMD-PROP Boolean The user can override the global CPF target list by using the SET TARGET command or the TARGET parameter.
PRIVILEGES.DUMPAUTH Boolean The user can generate a dump even when the address space is in an execute-only or path control environment.
PRIVILEGES.JOB Boolean The user can enter batch and background Terminal Monitor Program (TMP) jobs.
PRIVILEGES.JOBFROM Boolean The user can use the //*JOBFROM control statement.
PRIVILEGES.LEADER Boolean The user can display and alter certain fields of other users' logonids.
PRIVILEGES.LOGSHIFT Boolean The user can access the system outside the time period specified in the SHIFT field of the logonid record.
PRIVILEGES.NO-INH Boolean A network job cannot inherit this logonid from its submitter.
PRIVILEGES.NON-CNCL Boolean The user can access all data, even if a rule prohibits this access.
PRIVILEGES.PPGM Boolean The user can execute the protected programs specified in the GSO PPGM record.
PRIVILEGES.PRIV-CTL Boolean Privilege control resource rules are checked when the user accesses the system to determine what additional privileges and authorities the user has.
PRIVILEGES.READALL Boolean The logonid has read-only access to all data at the site.
PRIVILEGES.RESTRICT Boolean This is a restricted logonid for production use; it does not require a password for user verification.
PRIVILEGES.RSRCVLD Boolean A resource rule must authorize any access that the user makes.
PRIVILEGES.RULEVLD Boolean An access rule must exist for all data this user accesses.
PRIVILEGES.SCPLIST String The infostorage scope record that restricts accesses for this privileged user.
PRIVILEGES.SYNCNODE String The node where the synchronized logonid for this logonid is found in the Logonid database.
PRIVILEGES.TAPE-BLP Boolean The user can use full bypass label processing (BLP) when accessing tape data sets.
PRIVILEGES.TAPE-LBL Boolean The user has limited BLP when accessing tape data sets.
PASSWORD.MINDAYS String The minimum number of days that must elapse before the user can change the password.
PASSWORD.PSWD-TIM String The time when the last invalid password for this logonid was received.
PASSWORD.PSWD-TOD String The date and time the password was last changed.
RESTRICTIONS.GROUP String The group or project name associated with this user.
RESTRICTIONS.PREFIX String The high-level index of the data sets that this user owns and can access.
RESTRICTIONS.SHIFT String The shift record that defines when the user is permitted to log on to the system.
RESTRICTIONS.VMACCT String A logonid field that holds the default account number for a virtual machine.
RESTRICTIONS.VMIDLEMN String The number of minutes that this user can be idle on the system before idle terminal processing begins.
RESTRICTIONS.VMIDLEOP String The type of idle terminal processing to perform when the user exceeds the idle time limit.
STATISTICS.SEC-VIO String The total number of security violations for this user.
STATISTICS.UPD-TOD String The date and time that this logonid record was last updated.
TSO.ACCTPRIV Boolean Indicates whether the user has TSO accounting privileges.
TSO.ALLCMDS Boolean The user can enter a special prefix character to bypass the CA-ACF2 restricted command lists.
TSO.ATTR2 String The IBM Program Control Facility (PCF) uses the PSCBATR2 field for command limiting and data set protection.
TSO.CMD-LONG Boolean Only the listed commands and aliases are accepted when TSO command lists are used.
TSO.DFT-DEST String The default remote destination for TSO spun SYSOUT data sets.
TSO.DFT-PFX String The default TSO prefix that is set in the user's profile at logon time.
TSO.INTERCOM Boolean The user is willing to accept messages from other users through the TSO SEND command.
TSO.JCL Boolean The user can submit batch jobs from TSO and use the SUBMIT, STATUS, CANCEL, and OUTPUT commands.
TSO.LGN-ACCT Boolean The user can specify an account number at logon time.
TSO.LGN-DEST Boolean The user can specify a remote output destination at TSO logon that overrides the value specified in the DFT-DEST field.
TSO.LGN-MSG Boolean The user can specify a message class at logon time.
TSO.LGN-PERF Boolean The user can specify a performance group at logon time.
TSO.LGN-PROC Boolean The user can specify the TSO procedure name at logon time.
TSO.LGN-RCVR Boolean The user can use the recover option of the TSO or TSO/E command package.
TSO.LGN-SIZE Boolean The user is authorized to specify any region size at logon time.
TSO.LGN-TIME Boolean The user can specify the TSO session time limit at logon time.
TSO.LGN-UNIT Boolean The user can specify the TSO unit name at logon time.
TSO.RECOVER Boolean The recover option of the TSO or TSO/E command package is in effect for this user.
TSO.TSOCMDS String The name of the TSO command list module that contains the list of the commands that this user is authorized to use.
TSO.TSORBA String The mail index record pointer (MIRP) for this user.
TSO.TSORGN String The user's default TSO region size (in K bytes) if the user does not specify a size at logon time.
TSO.TSOSIZE String The user's maximum TSO region size (in K bytes) unless the LGN-SIZE field is specified.
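Because the adapter exposes these fields by name, reconciled account data can be reviewed for the privilege combinations in the table that a security reviewer cares about: RESTRICT logonids (which need no password) holding broad access, NON-CNCL or READALL without TRACE or MON-LOG logging, and ACCOUNT or LEADER without a SCPLIST scope record. The following Python script is an added example, not part of the Identity Manager product or documentation; the logonids, attribute values, severities and violation threshold are constructed, and accepting boolean attributes either as Python booleans or as true/false strings is an assumption about how the values are handed to the script.

```python
"""Added example, not from the Identity Manager documentation or product:
review ACF2 logonid records, keyed by the attribute names in the table above,
for privilege combinations worth a second look.  All data is constructed."""
from typing import Any, Dict, List, NamedTuple


class Finding(NamedTuple):
    logonid: str
    severity: str
    message: str


# Flags that bypass or broaden ACF2 rule checking (descriptions from the table).
BROAD_ACCESS_FLAGS = {
    "PRIVILEGES.NON-CNCL": "can access all data even where a rule prohibits it",
    "PRIVILEGES.READALL": "has read-only access to all data at the site",
    "PRIVILEGES.TAPE-BLP": "can use full bypass label processing on tape data sets",
    "PRIVILEGES.DUMPAUTH": "can dump execute-only or path-controlled address spaces",
    "TSO.ALLCMDS": "can bypass the CA-ACF2 restricted command lists",
}
# Administrative flags whose reach is meant to be limited by a scope record.
SCOPED_ADMIN_FLAGS = ("PRIVILEGES.ACCOUNT", "PRIVILEGES.LEADER")
# Either of these gives an audit trail for a privileged logonid.
LOGGING_FLAGS = ("CANCEL/SUSPEND.TRACE", "CANCEL/SUSPEND.MON-LOG")


def as_flag(value: Any) -> bool:
    """Boolean attributes may arrive as bool or as strings; anything else is false."""
    if isinstance(value, bool):
        return value
    return str(value).strip().upper() in ("TRUE", "YES", "Y", "1")


def as_int(value: Any) -> int:
    try:
        return int(str(value).strip())
    except ValueError:
        return 0


def review_logonid(logonid: str, acct: Dict[str, Any], violation_threshold: int = 5) -> List[Finding]:
    findings: List[Finding] = []
    restricted = as_flag(acct.get("PRIVILEGES.RESTRICT"))
    broad = [flag for flag in BROAD_ACCESS_FLAGS if as_flag(acct.get(flag))]
    logged = any(as_flag(acct.get(flag)) for flag in LOGGING_FLAGS)

    for flag in broad:
        findings.append(Finding(logonid, "medium", f"{flag}: {BROAD_ACCESS_FLAGS[flag]}"))
    if restricted and broad:
        # RESTRICT logonids need no password, so whatever can submit work under
        # the logonid gets the broad access with it.
        findings.append(Finding(logonid, "high",
                                "password-less RESTRICT logonid holds broad access: " + ", ".join(broad)))
    if broad and not logged:
        findings.append(Finding(logonid, "medium", "broad access without TRACE or MON-LOG logging"))
    for flag in SCOPED_ADMIN_FLAGS:
        if as_flag(acct.get(flag)) and not str(acct.get("PRIVILEGES.SCPLIST", "")).strip():
            findings.append(Finding(logonid, "high",
                                    f"{flag} set with no PRIVILEGES.SCPLIST scope record: unscoped logonid administration"))
    violations = as_int(acct.get("STATISTICS.SEC-VIO"))
    if violations >= violation_threshold:
        findings.append(Finding(logonid, "low", f"{violations} security violations recorded"))
    return findings


def review_all(accounts: Dict[str, Dict[str, Any]]) -> List[Finding]:
    return [f for logonid, acct in sorted(accounts.items()) for f in review_logonid(logonid, acct)]


# Constructed sample records, as a reconciliation might return them.
SAMPLE_ACCOUNTS: Dict[str, Dict[str, Any]] = {
    "PRODBAT": {"PRIVILEGES.RESTRICT": True, "PRIVILEGES.NON-CNCL": "true", "STATISTICS.SEC-VIO": "0"},
    "OPS1": {"PRIVILEGES.ACCOUNT": True, "PRIVILEGES.SCPLIST": "", "CANCEL/SUSPEND.MON-LOG": True},
    "AUDIT1": {"PRIVILEGES.AUDIT": True, "PRIVILEGES.READALL": True,
               "CANCEL/SUSPEND.TRACE": True, "STATISTICS.SEC-VIO": "7"},
    "USER1": {"RESTRICTIONS.GROUP": "PAYROLL", "STATISTICS.SEC-VIO": "1"},
}

if __name__ == "__main__":
    for finding in review_all(SAMPLE_ACCOUNTS):
        print(f"{finding.severity:6} {finding.logonid:8} {finding.message}")
```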
Sample Forms
ACF2UserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.HostAccess
■ com.waveset.adapter.ACF2ResourceAdapter
Active Directory
Adapter Details
Some operations, including pass-through authentication and before and after actions, require
that the Gateway system be a member of a domain.
If the gateway is used by an Active Directory adapter that has Exchange Server 2007 support
turned on, the account used to run the gateway service must have special privileges.
The account must be a domain account from the domain in which Exchange Server 2007 is
installed, and it must be a member of the standard Exchange Server 2007 group Exchange
Recipient Administrators. The gateway performs all Exchange Server 2007-specific actions as
this service account; it does not use the administrative account specified in the resource for
them. This restriction on the gateway account is imposed by the Exchange Server 2007 API.
If this is not configured correctly, a PowerShell error message similar to "PowerShell
exception: Access to the address list service on all Exchange 2007 servers has been denied." is
displayed, followed by a stack trace.
If you run the Gateway as an account other than Local System, the Gateway service account
requires the “Act as part of the operating system” (SeTcbPrivilege) and “Bypass traverse
checking” (SeChangeNotifyPrivilege) user rights. It uses these rights for pass-through
authentication and for changing and resetting passwords in certain situations. Because “Act as
part of the operating system” is one of the most powerful rights on Windows, grant it to the
Gateway service account on the gateway host only, not through a domain-wide policy.
Most of the management of AD is done using the administrative account specified in the
resource. However, some operations are done as the Gateway service account. This means that
the Gateway service account must have the appropriate permissions to perform these
operations. Currently, these operations are:
■ Creating home directories
■ Running actions (including before and after actions)
When performing before and after action scripts, the gateway may need the Replace a process
level token right. This right is required if the gateway attempts to run the script subprocess as
another user, such as the resource administrative user. In this case, the gateway process needs
the right to replace the default token associated with that subprocess.
If this right is missing, the following error may be returned during subprocess creation:
The Replace a process level token right (SeAssignPrimaryTokenPrivilege) is defined in the
Default Domain Controllers Policy Group Policy object and in the local security policy of
workstations and servers. To set this right on a system, open Local Security Policy in the
Administrative Tools folder, then navigate to Local Policies > User Rights Assignment > Replace
a process level token.
The adapter requires that the Messaging Application Programming Interface (MAPI) be
installed on the gateway machine. There are at least two ways to install the MAPI subsystem.
The simplest way is to install the Microsoft Outlook client on the gateway machine. No other
configuration is necessary.
Another way is to install the Exchange System Management Tools, which are located on the
Exchange Server CD. The management tools are installed as a component of the normal
Exchange Server install. This installs the MAPI subsystem files, but it does not complete the
configuration.
The mapisvc.inf file (typically located in c:\winnt\system32) contains the available MAPI
services, and it must be updated to include the Exchange message service entries. The
msems.inf file, which is contained in the gateway zip file, contains the entries that need to be
merged into the mapisvc.inf file to configure the Exchange message server. The msems.inf file
can be merged into the mapisvc.inf file manually using a text file editor such as notepad.
Alternatively, a tool named MergeIni.exe is available on the Microsoft Platform SDK and can
be found in the Windows Core SDK in the Microsoft SDK\Bin directory.
MergeIni msems.inf -m
Exchange Server 2007 does not support setting the Out Of Office message for a user. The
messages are no longer stored as part of the user entry and form a part of the user’s mailbox.
Outlook or Outlook Web Access should be used by the end user to manage the Out of Office
replies.
The gateway must be run on a Microsoft Windows 32-bit operating system. In addition, the
following items must be installed on the gateway machine:
■ “Microsoft Exchange Server 2007 "Management Tools", 32-Bit” on page 90
■ “Microsoft Windows PowerShell 1.0” on page 90
■ “Microsoft .NET 2.0” on page 91
Install only the 32-bit version of the Management Tools on the gateway machine. Installing the
32-bit version of the tools on a 64-bit version of the operating system, or installing both versions
of the tools can lead to unpredictable behavior.
The 32-bit version of the management tools can be downloaded from the Microsoft website:
http://go.microsoft.com/fwlink/?LinkID=82335
The version of the tools you download and install should correspond to the Exchange Server
2007 version installed in the rest of the Exchange environment.
Before starting the installation of the management tools make sure that Microsoft Windows
PowerShell 1.0 and Microsoft .NET 2.0 Framework
http://go.microsoft.com/fwlink/?LinkID=75790&clcid=0x09
The PowerShell environment logs messages to the Windows event log. A standard installation
creates two event logs for PowerShell: “PowerShell” and “Windows PowerShell”. The
“PowerShell” event log is the one written to when the gateway creates a PowerShell runtime
environment. If a write to that event log fails (for example, because the log is full and not
configured to overwrite), the PowerShell environment does not start and all PowerShell-related
actions of the gateway fail. To prevent this failure, monitor and clean up the event log regularly,
or configure it to overwrite events as needed.
http://www.microsoft.com/downloads/details.aspx?familyid=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5
Usage Notes
This section lists dependencies and limitations related to using the Active Directory resource
adapter, including:
■ “Checking Password History” on page 91
■ “Supporting Microsoft Exchange Server 2000 and 2003” on page 92
■ “Supporting Exchange 2007” on page 93
■ “Configuring Active Sync” on page 94
■ “Specifying a Domain for Pass-Through Authentication” on page 94
■ “Gateway Timeouts” on page 95
In addition, you must create at least one new form to support printer objects.
The Windows Active Directory resource can manage Exchange 2000 contacts by changing the
object class to contact and removing the password, accountId, and expirePassword resource
attributes.
The Active Directory adapter does not manage Exchange 2007 email accounts by default. To
enable support for these accounts:
■ Select the Exchange 2007 Support resource parameter.
■ Make sure the gateway runs as a user that is a member of the Exchange Recipient
Administrators group and is logged into the Windows domain.
■ Add the following account attributes to the schema map. Do not select the Required check
box for these attributes.
RecipientType (String): The user type on the resource. It is required during creation of the
account on an Exchange 2007-enabled resource. Allowed values are:
- User (Active Directory only user)
- UserMailbox (Active Directory and Exchange user with local mail storage)
- MailUser (Active Directory and Exchange user without local mail storage)
This attribute is read-only during later actions, except when changing from an Active
Directory-only user (RecipientType equals User) to an Exchange user type (RecipientType
UserMailbox or MailUser). You cannot change the RecipientType back to User, or from MailUser
to UserMailbox and vice versa.
Database (String): The database in which to store the user’s mailbox. This value must be of the
form Server\StorageGroup\MailboxDatabase. This attribute must have a value when the
RecipientType is set to UserMailbox. The attribute is ignored for other values of RecipientType.
ExternalEmailAddress (String): An e-mail address outside of the Exchange organization. This
attribute must be set to a unique value in the Exchange organization for the RecipientType
MailUser. The attribute is ignored for other values of RecipientType.
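The rules above (allowed RecipientType values, when Database and ExternalEmailAddress are required, and which RecipientType transitions are permitted) are easy to get wrong in a provisioning form. The following validator is an added example, not Identity Manager or gateway code; the function name, its parameters and the error messages are assumptions, while the rules themselves are the ones documented above.

```python
"""Validation of the Exchange 2007 account attributes before a create or update.

Added illustration, not Identity Manager or gateway code. The function name,
parameters and messages are assumptions; the rules come from the adapter notes.
"""
import re

ALLOWED_RECIPIENT_TYPES = {"User", "UserMailbox", "MailUser"}

# RecipientType is read-only on update except for these two transitions.
ALLOWED_TRANSITIONS = {
    ("User", "UserMailbox"),
    ("User", "MailUser"),
}

# Server\StorageGroup\MailboxDatabase: three non-empty, backslash-separated parts.
DATABASE_RE = re.compile(r"^[^\\]+\\[^\\]+\\[^\\]+$")


def validate_exchange_attrs(attrs, current_type=None, existing_external_addresses=()):
    """Return a list of problems with the Exchange 2007 attributes in ``attrs``.

    ``attrs`` maps attribute name -> value as the account will look after the
    request. ``current_type`` is the account's present RecipientType (None on
    create). ``existing_external_addresses`` lets the caller enforce the
    uniqueness requirement on ExternalEmailAddress. An empty list means the
    request is consistent with the documented rules.
    """
    problems = []
    rtype = attrs.get("RecipientType")

    if rtype is None:
        if current_type is None:
            problems.append("RecipientType is required when creating the account")
        return problems

    if rtype not in ALLOWED_RECIPIENT_TYPES:
        problems.append(f"RecipientType {rtype!r} is not one of {sorted(ALLOWED_RECIPIENT_TYPES)}")
        return problems

    # On update, only User -> UserMailbox / MailUser may change the type.
    if current_type is not None and rtype != current_type:
        if (current_type, rtype) not in ALLOWED_TRANSITIONS:
            problems.append(f"RecipientType cannot change from {current_type} to {rtype}")

    # Database is mandatory for UserMailbox and ignored for the other types.
    database = attrs.get("Database")
    if rtype == "UserMailbox":
        if not database:
            problems.append("Database is required when RecipientType is UserMailbox")
        elif not DATABASE_RE.match(database):
            problems.append("Database must have the form Server\\StorageGroup\\MailboxDatabase")

    # ExternalEmailAddress is mandatory and must be unique for MailUser.
    external = attrs.get("ExternalEmailAddress")
    if rtype == "MailUser":
        if not external:
            problems.append("ExternalEmailAddress is required when RecipientType is MailUser")
        elif external.lower() in {a.lower() for a in existing_external_addresses}:
            problems.append("ExternalEmailAddress must be unique in the Exchange organization")

    return problems
```

Running the check before the request reaches the gateway turns a failed PowerShell action into a form-level error that names the offending attribute.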
See Chapter 52, “Active Directory Synchronization Failover,” for information about limiting the
number of repeated events that occur when you switch to a new domain controller.
To allow the user to enter the domain on the login page, add the following property to the
<AuthnProperties> element in the resource object’s XML:
In an environment with multiple trusted domains and Active Directory forests, the
authentication can fail using any of these configurations because the Global Catalog does not
contain cross-forest information. If a user supplies a wrong password, it could also lead to
account lockout in the user’s domain if the number of domains is greater than the lockout
threshold.
User management across forests is only possible when multiple gateways, one for each forest,
are deployed. In this case, you can configure the adapters to use a predefined domain for
authentication per adapter without requiring the user to specify a domain. To accomplish this,
add the following authentication property to the <AuthnProperties> element in the resource
object’s XML:
Login failures will occur in domains if the user exists in the domain and the password is not
synchronized.
It is not possible to use multiple data sources for the domain information in one Login Module
Group.
Gateway Timeouts
The Active Directory adapter allows you to use the RA_HANGTIMEOUT resource attribute to
specify a timeout value, in seconds. This attribute controls how long before a request to the
gateway times out and is considered hung.
You must manually add this attribute to the Resource object as follows:
The default value for this attribute is 0, indicating that Identity Manager will not check for a
hung connection.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
The Encryption Type resource parameter allows you to enter the encryption type that the
Identity Manager gateway will use to communicate with the Active Directory server. Valid
values for this field are None (the default value), Kerberos, and SSL.
To use SSL, a certificate authority must be set up in the domain. In addition, the username used
to access Active Directory must be in UPN format (for example, DomainName\UserName).
Reset Password
The permissions to perform Create, Delete, and Update of resource objects are as expected. The
account needs the Create and Delete permissions for the corresponding object type and you
need appropriate Read/Write permissions on the properties that need to be updated.
Pass-Through Authentication
To support Active Directory (AD) pass-through authentication:
■ When configuring the Gateway to run as a user, that user account must have the “Act As
Operating System” and “Bypass Traverse Checking” user rights. By default, the Gateway
runs as the Local System account, which should already have these rights. Also, the “Bypass
Traverse Checking” user right is enabled for all users by default.
Note – If you must update user rights, there might be a delay before the updated security policy is
propagated. Once the policy has been propagated, you must restart the Gateway.
■ Accounts being authenticated must have “Access This Computer From The Network” user
rights on the Gateway system.
The Gateway uses the LogonUser function with the LOGON32_LOGON_NETWORK log-on type and
the LOGON32_PROVIDER_DEFAULT log-on provider to perform pass-through authentication. The
LogonUser function is provided with the Microsoft Platform Software Development Kit.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Account Attributes
The syntax (or type) of an attribute usually determines whether the attribute is supported. In
general, Identity Manager supports Boolean, string, and integer syntaxes. Binary strings and
similar syntaxes are not supported.
Supported Syntaxes
The following table lists the Active Directory syntax supported by Identity Manager:
AD Syntax    Identity Manager Syntax    Syntax ID    OM ID    ADS Type
Unsupported Syntaxes
The following table lists the Active Directory syntaxes that are not supported by Identity
Manager:
Identity Manager supports the jpegPhoto and thumbnailPhoto account attributes, which use
the Replica Link syntax. Other Replica Link attributes might be supported, but they have not
been tested.
Supported Syntaxes
Identity Manager supports the following PowerShell syntaxes:
Syntax Description
Nullable: An attribute which does not have to contain a value. If used without another type, a
String is indicated.
Unlimited: An integer represented as a String, with the string "Unlimited" as a special allowed
value.
Unsupported Syntaxes
The following list describes the PowerShell syntaxes that are not supported by Identity
Manager:
Syntax Description
accountNameHistory (String): The length of time that the account has been active. Read-only.
aCSPolicyName (String): String name of an ACS policy that applies to this user.
adminCount (String): Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively). Set by system. Read-only.
badPasswordTime (String): The last time the user tried to log on to the account using an incorrect password.
codePage (Int): Specifies the code page for the user’s language of choice.
countryCode (String): Specifies the country code for the user’s language of choice.
department (String): Contains the name for the department in which the user works.
desktopProfile (String): The location of the desktop profile for a user or group of users.
givenName (String): Contains the given name (first name) of the user.
homeDrive (String): The drive letter (including the colon) that the home directory should be mapped to (for example, “Z:”). It should be specified only if homeDirectory is a UNC path.
info (String): The user’s comments. This string can be a null string.
initials (String): Contains the initials for parts of the user’s full name.
lastLogonTimestamp (String): The time that the user last logged into the domain. This value is only updated when the user logs in if a week has passed since the last update.
logonCount (Int): The number of successful times the user tried to log on to this account. This property is maintained separately on each domain controller in the domain.
managedObjects (String): Contains the list of objects that are managed by the user. Set by the system. Read-only.
maxStorage (String): The maximum amount of disk space the user can use.
mDBUseDefaults (String): Indicates whether the store should use the default quota, rather than the per-mailbox quota.
ms-DS-KeyVersionNumber (Int): The Kerberos version number of the current key for this account. This is a constructed attribute. Read-only.
ms-IIS-FTP-Dir (String): The user home directory relative to the file server share. It is used in conjunction with ms-IIS-FTP-Root to determine the FTP user home directory.
objectClass (N/A): The list of classes from which this class is derived. The value of this attribute should be set using the Object Class resource attribute. Read-only.
otherIpPhone (String): The list of alternate TCP/IP addresses for the phone. Used by Telephony.
primaryGroupID (Int): If the user is not already a member of the group, then the primaryGroupID must be set in two steps: add the user to the group, then set the primaryGroupID.
profilePath (String): Specifies a path to the user’s profile. This value can be a null string, a local absolute path, or a UNC path.
pwdLastSet (String): This attribute indicates the last time the user modified the password. This value is stored as a large integer that represents the number of seconds elapsed since 00:00:00, January 1, 1601 (FILETIME). If this value is set to zero and the user account has the password never expires property set to false, then the user must set the password at the next logon.
RecipientType (String): Required for all Exchange 2007 account types. The possible values are User, UserMailbox, or MailUser. This attribute is not displayed by default. You must add it to manage Exchange 2007 accounts.
scriptPath (String): The path for the user’s logon script. The string can be null.
Terminal Services Initial Program (String): The path of the initial program that runs when the user logs on.
Terminal Services Initial Program Directory (String): The path of the working directory for the initial program.
Terminal Services Inherit Initial Program (Boolean): Indicates whether the client can specify an initial program.
    true - The client can specify the program.
    false - The Terminal Services Initial Program value is used and the client is logged off when exiting that program.
Terminal Services Allow Logon (Boolean):
    false - The user cannot log on.
    true - The user can log on.
Terminal Services Active Session Timeout (Integer): Duration in milliseconds. A value of 0 indicates the connection timer is disabled.
Terminal Services Disconnected Session Timeout (Integer): The maximum duration, in milliseconds, that a terminal server retains a disconnected session before the logon is terminated. A value of 0 indicates the disconnection timer is disabled.
Terminal Services Idle Timeout (Integer): The maximum idle time, in milliseconds. If there is no keyboard or mouse activity for the specified interval, the user’s session is disconnected or terminated depending on the value specified in Terminal Services End Session On Timeout Or Broken Connection. A value of 0 indicates the idle timer is disabled.
Terminal Services Connect Client Drives At Logon (Boolean): Indicates whether the terminal server automatically reestablishes client drive mappings at logon.
    false - The server does not automatically connect to previously mapped client drives.
    true - The server automatically connects to previously mapped client drives at logon.
Terminal Services Connect Client Printers At Logon (Boolean): Indicates whether the terminal server automatically reestablishes client printer mappings at logon.
    false - The server does not automatically connect to previously mapped client printers.
    true - The server automatically connects to previously mapped client printers at logon.
Terminal Services Default To Main Client Printer (Boolean): Indicates whether the client printer is the default printer.
    false - The client printer is not the default printer.
    true - The client printer is the default printer.
Terminal Services End Session On Timeout Or Broken Connection (Boolean): Specifies the action when the connection or idle timers expire, or when a connection is lost due to a connection error.
    false - The session is disconnected.
    true - The session is terminated.
Terminal Services Allow Reconnect From Originating Client Only (Boolean): Indicates how a disconnected session for this user can be reconnected.
    false - The user can log on to any client computer to reconnect to a disconnected session.
    true - The user can reconnect to a disconnected session only by logging on to the client computer used to establish the disconnected session.
Terminal Services Callback Settings (Integer): Indicates the configuration for dialup connections in which the terminal server hangs up and then calls back the client to establish the connection.
    0 - Callback connections are disabled.
    1 - The server prompts the user to enter a phone number and calls the user back at that phone number.
    2 - The server automatically calls the user back at the phone number specified by the Terminal Services Callback Phone Number attribute.
Terminal Services Callback Phone Number (String): The phone number to use for callback connections.
Terminal Services Remote Control Settings (Integer): Indicates whether the user session can be shadowed. Shadowing allows a user to remotely monitor the on-screen operations of another user.
    0 - Disable
    1 - Enable input, notify
    2 - Enable input, no notify
    3 - Enable no input, notify
    4 - Enable no input, no notify
Terminal Services User Profile (String): The path of the user’s profile for terminal server logon.
Terminal Services Local Home Directory (String): The path of the user’s home directory for terminal server logon.
Terminal Services Home Directory Drive (String): A drive name (a drive letter followed by a colon) to which the UNC path specified in the Terminal Services Local Home Directory attribute is mapped.
usnChanged (String): USN value assigned by the local directory for the latest change, including creation. Read-only.
uSNLastObjRem (String): Indicates when the last object was removed from a server. Read-only.
WS_USER_PASSWORD (Encrypted): Contains the user password. See the Usage Notes for more information.
whenChanged (String): The date when this object was last changed. Read-only.
whenCreated (String): The date when this object was created. Read-only.
AcceptMessagesOnlyFrom (String): A list of users who are allowed to send mail to this user.
EndDateForRetentionHold (Nullable): The end date for retention hold for messaging records management (MRM). (RecipientType UserMailbox only)
MaxReceiveSize (Unlimited ByteQuantifiedSize): The maximum size of messages that this user can receive.
MaxSendSize (Unlimited ByteQuantifiedSize): The maximum size of messages that this user can send.
PrimarySmtpAddress (String): The address that external users will see when they receive a message from this user. Not to be used in conjunction with EmailAddresses: the EmailAddresses list contains the PrimarySmtpAddress. Cannot be used with EmailAddressPolicyEnabled set to "True".
ProhibitSendQuota (Unlimited ByteQuantifiedSize): The mailbox size at which the user associated with this mailbox can no longer send messages. (RecipientType UserMailbox only)
ProhibitSendReceiveQuota (Unlimited ByteQuantifiedSize): The mailbox size at which the user associated with this mailbox can no longer send or receive messages. (RecipientType UserMailbox only)
RulesQuota (ByteQuantifiedSize): The limit for the size of rules for this mailbox. Maximum value is 256 KB. (RecipientType UserMailbox only)
SCLDeleteEnabled (Nullable Boolean): Delete messages that meet the SCL delete threshold. (RecipientType UserMailbox only)
SCLJunkEnabled (Nullable Boolean): Junk messages that meet the SCL junk threshold. (RecipientType UserMailbox only)
SCLQuarantineEnabled (Nullable Boolean): Quarantine messages that meet the SCL quarantine threshold. (RecipientType UserMailbox only)
SCLRejectEnabled (Nullable Boolean): Reject messages that meet the SCL reject threshold. (RecipientType UserMailbox only)
StartDateForRetentionHold (Nullable): The start date for retention hold for MRM. (RecipientType UserMailbox only)
UseDatabaseQuotaDefaults (Boolean): Specifies that this mailbox uses the quota attributes specified for the mailbox database where this mailbox resides. (RecipientType UserMailbox only)
UserPrincipalName (String): This is the logon name for the user. The UPN consists of a user name and a suffix.
Trustee|Mask|aceType|aceFlags|objectType|InheritedObjectType
Where:
■ Trustee is the DOMAIN\Account of the user.
■ Mask is a flag specifying access permissions (read, write, etc.).
■ aceType is a flag indicating the access-control entry (ACE) type:
ADS_ACETYPE_ACCESS_ALLOWED = 0,
ADS_ACETYPE_ACCESS_DENIED = 0x1,
ADS_ACETYPE_SYSTEM_AUDIT = 0x2,
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5,
ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6,
ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 0x7,
ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 0x8
Where:
■ ADS_ACETYPE_ACCESS_ALLOWED: The ACE is of the standard ACCESS ALLOWED type, where the
ObjectType and InheritedObjectType fields are NULL.
■ ADS_ACETYPE_ACCESS_DENIED: The ACE is of the standard system-audit type, where the
ObjectType and InheritedObjectType fields are NULL.
■ ADS_ACETYPE_SYSTEM_AUDIT: The ACE is of the standard system type, where the ObjectType
and InheritedObjectType fields are NULL.
■ ADS_ACETYPE_ACCESS_ALLOWED_OBJECT: On Windows 2000, the ACE grants access to an object
or a subobject of the object, such as a property set or property. ObjectType,
InheritedObjectType, or both contain a GUID that identifies a property set, property,
extended right, or type of child object.
■ ADS_ACETYPE_ACCESS_DENIED_OBJECT: On Windows 2000, the ACE denies access to an object
or a subobject of the object, such as a property set or property. ObjectType,
InheritedObjectType, or both contain a GUID that identifies a property set, property,
extended right, or type of child object.
■ ADS_ACETYPE_SYSTEM_AUDIT_OBJECT: On Windows 2000, the ACE audits access to an object or
a subobject of the object, such as a property set or property. ObjectType,
InheritedObjectType, or both contain a GUID that identifies a property set, property,
extended right, or type of child object.
■ ADS_ACETYPE_SYSTEM_ALARM_OBJECT: Not used on Windows 2000/XP at this time.
■ aceFlags is a flag specifying whether other containers or objects can inherit the ACE from
the ACL owner:
ADS_ACEFLAG_INHERIT_ACE = 0x2,
ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = 0x4,
ADS_ACEFLAG_INHERIT_ONLY_ACE = 0x8,
ADS_ACEFLAG_INHERITED_ACE = 0x10,
ADS_ACEFLAG_VALID_INHERIT_FLAGS = 0x1f,
ADS_ACEFLAG_SUCCESSFUL_ACCESS = 0x40,
ADS_ACEFLAG_FAILED_ACCESS = 0x80
Where:
■ ADS_ACEFLAG_INHERIT_ACE: Indicates child objects that will inherit this access-control
entry (ACE). The inherited ACE is inheritable unless you set the
ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE flag.
■ objectType is a flag indicating the ADSI object type. The objectType value is a GUID to a
property or an object in string format.
- The GUID refers to a property when you use the ADS_RIGHT_DS_READ_PROP and
ADS_RIGHT_DS_WRITE_PROP access masks.
- The GUID specifies an object when you use the ADS_RIGHT_DS_CREATE_CHILD and
ADS_RIGHT_DS_DELETE_CHILD access masks.
■ InheritedObjectType is a flag indicating the child object type of an ADSI object. The
InheritedObjectType value is a GUID to an object in string format. When you set such a
GUID, the ACE applies only to the object referred to by the GUID.
The objectType and InheritedObjectType flags specify the GUID of other objects in the form:
{BF9679C0-0DE6-11D0-A285-00AA003049E2}
The best way to find the correct string to pass down is to do the following:
1 Add the attribute to your schema, and then add the following field to your user form:
<Field name='accounts[AD].nTSecurityDescriptor'>
  <Display class='TextArea'>
    <Property name='title' value='NT User Security Descriptor'/>
    <Property name='rows' value='20'/>
    <Property name='columns' value='100'/>
  </Display>
</Field>
or
<Field name='accounts[AD].msExchMailboxSecurityDescriptor'>
  <Display class='TextArea'>
    <Property name='title' value='Mailbox Security Descriptor'/>
    <Property name='rows' value='20'/>
    <Property name='columns' value='100'/>
  </Display>
</Field>
2 Edit a user’s object in Active Directory and set the corresponding ACL lists for all users to
establish a baseline.
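Once a descriptor has been pulled into the text area above, each pipe-delimited entry can be decoded and compared with the baseline from step 2. The parser below is an added example, not gateway or Identity Manager code: the field layout and the ADS_ACETYPE_* and ADS_ACEFLAG_* values are the ones documented above, while the function names, the assumption that entries are separated by newlines, and the sample descriptor are constructed for this example.

```python
"""Decoder for the pipe-delimited ACE entries in the format described above.

Added example, not gateway or Identity Manager code. The entry layout
Trustee|Mask|aceType|aceFlags|objectType|InheritedObjectType and the
ADS_ACETYPE_* and ADS_ACEFLAG_* values come from the documentation; the
function names, the newline separator between entries and the sample
descriptor are constructed for this example.
"""
import re

# ADS_ACETYPE_ENUM values listed in the aceType description.
ACE_TYPES = {
    0x0: "ADS_ACETYPE_ACCESS_ALLOWED",
    0x1: "ADS_ACETYPE_ACCESS_DENIED",
    0x2: "ADS_ACETYPE_SYSTEM_AUDIT",
    0x5: "ADS_ACETYPE_ACCESS_ALLOWED_OBJECT",
    0x6: "ADS_ACETYPE_ACCESS_DENIED_OBJECT",
    0x7: "ADS_ACETYPE_SYSTEM_AUDIT_OBJECT",
    0x8: "ADS_ACETYPE_SYSTEM_ALARM_OBJECT",
}

# Object ACE types are the ones that may carry GUIDs in the last two fields.
OBJECT_ACE_TYPES = {0x5, 0x6, 0x7, 0x8}

# ADS_ACEFLAG_ENUM bits; several may be combined in one aceFlags value.
# ADS_ACEFLAG_VALID_INHERIT_FLAGS (0x1f) is a mask over the inherit bits, not a flag.
ACE_FLAGS = {
    0x2: "ADS_ACEFLAG_INHERIT_ACE",
    0x4: "ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE",
    0x8: "ADS_ACEFLAG_INHERIT_ONLY_ACE",
    0x10: "ADS_ACEFLAG_INHERITED_ACE",
    0x40: "ADS_ACEFLAG_SUCCESSFUL_ACCESS",
    0x80: "ADS_ACEFLAG_FAILED_ACCESS",
}
KNOWN_FLAG_BITS = sum(ACE_FLAGS)

# Braced GUID string, as in {BF9679C0-0DE6-11D0-A285-00AA003049E2}.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_ace(entry):
    """Parse one ACE entry into a dict of decoded fields.

    Numeric fields may be decimal or 0x-prefixed hex, as the enums are written.
    Raises ValueError for a malformed entry instead of guessing.
    """
    parts = [p.strip() for p in entry.split("|")]
    if len(parts) != 6:
        raise ValueError(f"expected 6 pipe-separated fields, got {len(parts)}: {entry!r}")
    trustee, mask, ace_type, ace_flags, object_type, inherited_type = parts

    type_val = int(ace_type, 0)
    if type_val not in ACE_TYPES:
        raise ValueError(f"unknown aceType {ace_type}")

    flags_val = int(ace_flags, 0)
    unknown_bits = flags_val & ~KNOWN_FLAG_BITS
    if unknown_bits:
        raise ValueError(f"unknown aceFlags bits 0x{unknown_bits:x}")

    # Standard ACE types must leave both GUID fields empty; object ACE types may
    # set either one, and a set value must be a well-formed braced GUID.
    for label, guid in (("objectType", object_type), ("InheritedObjectType", inherited_type)):
        if guid and type_val not in OBJECT_ACE_TYPES:
            raise ValueError(f"{label} must be empty for {ACE_TYPES[type_val]}")
        if guid and not GUID_RE.match(guid):
            raise ValueError(f"{label} is not a braced GUID: {guid!r}")

    return {
        "trustee": trustee,
        "mask": int(mask, 0),
        "ace_type": ACE_TYPES[type_val],
        "ace_flags": [name for bit, name in ACE_FLAGS.items() if flags_val & bit],
        "object_type": object_type or None,
        "inherited_object_type": inherited_type or None,
        # An ACE carrying ADS_ACEFLAG_INHERITED_ACE came from a parent container;
        # the entries set directly on this object are the ones to compare with the baseline.
        "explicit": not flags_val & 0x10,
    }


def is_valid_ace(entry):
    """True if parse_ace accepts the entry."""
    try:
        parse_ace(entry)
        return True
    except ValueError:
        return False


def explicit_deny_trustees(descriptor, separator="\n"):
    """Trustees of the explicit ACCESS_DENIED / ACCESS_DENIED_OBJECT entries in a descriptor.

    Comparing this list against the baseline from step 2 shows where a user's
    descriptor has diverged in a way that changes who is denied access.
    """
    deny_types = ("ADS_ACETYPE_ACCESS_DENIED", "ADS_ACETYPE_ACCESS_DENIED_OBJECT")
    trustees = []
    for line in descriptor.split(separator):
        if line.strip():
            ace = parse_ace(line)
            if ace["explicit"] and ace["ace_type"] in deny_types:
                trustees.append(ace["trustee"])
    return trustees


# Constructed sample descriptor with three entries (not taken from a real directory).
SAMPLE_DESCRIPTOR = "\n".join([
    "EXAMPLE\\Domain Admins|0xf01ff|0|0x2||",
    "EXAMPLE\\Helpdesk|0x10|0x5|0x12|{BF9679C0-0DE6-11D0-A285-00AA003049E2}|",
    "EXAMPLE\\Contractors|0x20|0x1|0||",
])
```

The parser rejects an entry rather than guessing when a standard ACE type carries a GUID or when aceFlags contains bits outside the documented set, which is the behaviour you want when the string is about to be written back to nTSecurityDescriptor.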
Unsupported Attributes
The following table lists the account attributes that are not supported by Identity Manager:
controlAccessRights String(Octet)
createTimeStamp String(UTC-Time)
dBCSPwd String(Octet)
directReports System usage. Set using the manager attribute of the users that are
managed by this user.
dSASignature Object(Replica-Link)
dSCorePropagationData String(UTC-Time)
groupMembershipSAM String(Octet)
lmPwdHistory String(Octet)
logonHours String(Octet)
logonWorkstations String(Octet)
modifyTimeStamp String(UTC-Time)
MS-DRM-Identity-Certificate String(Octet)
ms-DS-Cached-Membership String(Octet)
mS-DS-ConsistencyGuid String(Octet)
mS-DS-CreatorSID String(Sid)
ms-DS-Site-Affinity String(Octet)
mSMQDigests String(Octet)
mSMQDigestsMig String(Octet)
mSMQSignCertificates String(Octet)
mSMQSignCertificatesMig String(Octet)
objectSid String(Sid)
otherWellKnownObjects Object(DN-Binary)
proxiedObjectName Object(DN-Binary)
registeredAddress String(Octet)
securityIdentifier String(Sid)
sIDHistory String(Sid)
telexNumber String(Octet)
teletexTerminalIdentifier String(Octet)
terminalServer String(Octet)
thumbnailLogo String(Octet)
tokenGroupsGlobalAndUniversal String(Sid)
userCert String(Octet)
userCertificate String(Octet)
userSMIMECertificate String(Octet)
wellKnownObjects Object(DN-String)
x500uniqueIdentifier String(Octet)
The attributes that can be managed on resource objects are also generally dictated by the
attribute syntaxes. The attributes for these object types are similar to those for user
accounts and are supported accordingly.
Identity Template
Windows Active Directory is a hierarchically based resource. The identity template will provide
the default location in the directory tree where the user will be created. The default identity
template is
CN=$fullname$,CN=Users,DC=mydomain,DC=com
Sample Forms
This section lists the sample forms provided for the Active Directory resource adapter.
Built-In
■ ActiveDirectory ActiveSync Form
■ Windows Active Directory Create Container Form
■ Windows Active Directory Create Group Form
■ Windows Active Directory Create Organizational Unit Form
■ Windows Active Directory Create Person Form
■ Windows Active Directory Create User Form
■ Windows Active Directory Update Container Form
■ Windows Active Directory Update Group Form
Also Available
ADUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.ADSIResourceAdapter
In addition, tracing can be enabled on the Gateway service through the Identity Manager debug
pages. (InstallDir/idm/debug/Gateway.jsp). This page allows you to specify the level of trace,
location of the trace file, and the maximum size of the trace file. This page also allows you to
remotely retrieve the gateway trace file and display the version information for the Gateway.
The Gateway service may also be started from the console with debug tracing through various
command line switches. Use -h to review the usage for the Gateway service.
Tracing can also be enabled on the following methods to diagnose connection problems:
■ com.waveset.adapter.AgentResourceAdapter#sendRequest
■ com.waveset.adapter.AgentResourceAdapter#getResponse
Adapter Details
Usage Notes
The AIX resource adapter primarily provides support for the following AIX commands:
■ mkuser, chuser, rmuser
■ mkgroup, chgroup, rmgroup
■ passwd, pwdadm
Note – For more information about supported attributes and files, refer to the AIX manual pages
for these commands.
The Bourne-compliant shell (sh, ksh) must be used as the root shell when connecting to a UNIX
resource (AIX, HP-UX, Solaris, or Linux).
The administrative account that manages AIX accounts must use the English (en) or C locale.
This can be configured in the user’s .profile file.
In environments in which NIS is implemented, you can increase performance during bulk
provisioning by implementing the following features:
■ Add an account attribute named user_make_nis to the schema map and use this attribute in
your reconciliation or other bulk provisioning workflow. Specifying this attribute causes the
system to bypass the step of connecting to the NIS database after each user update on the
resource.
■ To write the changes to the NIS database after all provisioning has completed, create a
ResourceAction named NIS_password_make in the workflow.
Do not use control characters (for example, 0x00, 0x7f) in user passwords.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses the following connections to communicate with the AIX adapter:
■ Telnet
■ SSH (SSH must be installed independently on the resource.)
■ SSHPubKey
For SSHPubKey connections, the private key must be specified on the Resource Parameters
page. The key must include the comment lines such as --- BEGIN PRIVATE KEY --- and --- END
PRIVATE KEY ---. The public key must be placed in the /.ssh/authorized_keys file on the
server.
If you are using sudo, you must set the tty_tickets parameter to true for the commands
enabled for the Identity Manager administrator. Refer to the man page for the sudoers file for
more information.
The administrator must be granted privileges to run the following commands with sudo:
Note – A test connection can use different command options than a normal provision run.
The adapter provides basic sudo initialization and reset functionality. However, if a resource
action is defined and contains a command that requires sudo authorization, then you must
specify the sudo command along with the UNIX command. (For example, you must specify
sudo useradd instead of just useradd.) Commands requiring sudo must be registered on the
native resource. Use visudo to register these commands.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Rename account No
You can define resource attributes to control the following tasks for all users on this resource:
■ Create a home directory when creating the user
■ Copy files to the user’s home directory when creating the user
■ Delete the home directory when deleting the user
Account Attributes
The following table lists the AIX user account attributes. All attributes are Strings. Attributes
are optional unless noted in the description.
home (home=PathName): The full path to the user’s home directory. Any value specified in this
account attribute takes precedence over a value specified in the Home Base Directory resource
attribute.
login (login=[true | false]): Indicates whether the user can log in to the system with the
login command.
shell (shell=PathName): The program run for the user at session initiation. If you are
provisioning to an NIS master, the value of the user shell will be checked on the NIS master
only. Checks against other machines the user may log on to will not be performed.
Identity Template
$accountId$
Sample Forms
Built-In
■ AIX Group Create Form
■ AIX Group Update Form
Also Available
AIXUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.AIXResourceAdapter
■ com.waveset.adapter.ScriptedConnection
BridgeStream SmartRoles
The BridgeStream SmartRoles adapter provisions users in SmartRoles. The adapter places these
users in the appropriate organizations within SmartRoles so that SmartRoles can determine
which business roles those users should have.
Adapter Details
When retrieving a user from SmartRoles, the adapter retrieves the user’s business roles. These
business roles can be used within Identity Manager to determine the Identity Manager roles,
resources, attributes, and access that user should be assigned.
Additionally, SmartRoles can be a source of user changes using Active Sync. You can load
SmartRoles users into Identity Manager and reconcile them.
1 To add a SmartRoles resource to the Identity Manager resources list, you must add the following
value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.SmartRolesResourceAdapter
2 Copy the following jar files from the SmartRoles installation directory
(SR_install_dir/Foundation/lib) to $WSHOME/WEB-INF/lib:
■ bridgestream-common.jar
■ jgroups-all.jar
■ log4j-1.2.8.jar
■ rowset.jar
■ fxrm.jar
■ jmxri.jar
■ ojdbc14.jar
■ jcert.jar
■ jmxtools.jar
■ ojdbc14_g.jar
4 Edit the log4j.properties file to specify the path to the log files in the
log4j.appender.debuglog.File and log4j.appender.logfile.File properties. These properties
can both specify the same file.
5 Set the following Java system properties in the JVM running Identity Manager:
Note – If you need to specify these properties on the JVM command line, use the -D option to set
the properties as follows:
-Djava.security.auth.login.config=PathToBridgestream_jaas.config
-DbrLoggingConfig=PathTolog4j.properties
-DbrfConfig=PathTofoundation_config.xml and foundation_config.dtd files
Usage Notes
This section provides information related to using the SmartRoles resource adapter. The
information is organized as follows:
■ General Notes
■ Complex Attribute Support
■ Limitations
General Notes
The following general notes are provided for this resource:
■ The SmartRoles adapter communicates directly with the SmartRoles repository, so the
Relationship Manager application does not have to be running for the adapter to work.
■ The adapter can generate universal IDs and store connection information in configuration
files.
When configuring the SmartRoles adapter, you can choose to have SmartRoles generate the
universal ID for new accounts or have the adapter provide the universal ID. When the
adapter provides the ID, it uses the value generated from the Identity Template.
ResourceAction Support
Although the adapter does not support before and after actions, it does support running
actions using the runResourceAction Provision Workflow Service. You can write a SmartRoles
action in JavaScript or BeanShell, and it can call the SmartRoles APIs to perform custom
behavior as part of a workflow. Input to the action script is contained in a Map object named
actionContext. The actionContext Map contains the following:
Key Value
action: String describing the type of action being run. Currently, this action can only be run.
session: Reference to a SmartRoles IOMSession instance. The session is created using the
administrator and password defined in the SmartRoles resource.
The following ResourceAction XML is an example of a BeanShell action. (Set the actionType to
JAVASCRIPT for a JavaScript action.) This action script takes an argument named user (retrieved
from the additionalArgs Map) and searches the SmartRoles repository for one or more
Person objects with a LOGON_ID that matches the value in the user argument. The string
representation of each matching Person is then returned in the WavesetResult in the
ACTION_RC ResultItem.
Limitations
Currently, this adapter has the following limitations:
■ Roles can only be granted to SmartRoles person objects. You cannot grant roles to position
objects.
■ An Identity Manager installation can only be configured to communicate with a single
SmartRoles installation.
■ When assigning a granted role sphere of control, the organizations in the sphere of control
include organizations that are directly assigned as well as all descendants of those
organizations. If you attempt to assign a descendant of an organization that is assigned, an
error will occur.
■ Because the adapter references SmartRoles organizations by name, the organization names
within SmartRoles must be unique.
■ When you assign a SmartRoles person object to a position, the adapter does not attempt to
find an available position. Instead, the adapter always creates a new position object and
assigns the person object to the new position.
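The sphere-of-control rule stated in the limitations above, and again in the description of the sr_grantedRolesSphere attribute (an assigned organization implies all of its descendants, and explicitly listing a descendant as well is an error), can be checked before a value is sent to the adapter. The following Python is an added example, not code from Identity Manager or the SmartRoles adapter; the organization tree, its names and the child-to-parent map are constructed for illustration.

```python
# Constructed sample organization tree (child -> parent); the names are
# hypothetical and stand in for the SmartRoles organization hierarchy.
ORG_PARENT = {
    "Corp": None,
    "Sales": "Corp",
    "Sales-East": "Sales",
    "Sales-West": "Sales",
    "Engineering": "Corp",
}


def ancestors(org, parent_of):
    """Return the set of ancestors of org, walking child -> parent links.
    Unknown names raise KeyError and a cycle raises ValueError, so a corrupted
    tree cannot make the check loop forever."""
    if org not in parent_of:
        raise KeyError(f"unknown organization: {org!r}")
    seen = set()
    parent = parent_of[org]
    while parent is not None:
        if parent in seen:
            raise ValueError(f"cycle in organization tree at {parent!r}")
        seen.add(parent)
        parent = parent_of[parent]
    return seen


def redundant_organizations(organizations, parent_of):
    """Organizations in a sphere of control that are descendants of another
    entry in the same sphere. A non-empty result is the case the adapter
    rejects with an error."""
    chosen = set(organizations)
    return sorted(o for o in chosen if ancestors(o, parent_of) & chosen)


def minimal_sphere(organizations, parent_of):
    """Drop the redundant descendants so the remaining list is accepted and
    still covers the same organizations (each entry implies its subtree)."""
    drop = set(redundant_organizations(organizations, parent_of))
    return sorted(o for o in set(organizations) if o not in drop)


def check_granted_roles_sphere(roles, parent_of):
    """Validate the roles[*] list of the sr_grantedRolesSphere attribute.
    Returns {roleName: [redundant organizations]} for every role whose
    organizations list would be rejected; an empty dict means all are valid."""
    problems = {}
    for role in roles:
        bad = redundant_organizations(role["organizations"], parent_of)
        if bad:
            problems[role["roleName"]] = bad
    return problems
```

Running the check against the value the form is about to submit, and replacing the list with minimal_sphere when it fails, avoids a provisioning error that would otherwise surface only after the request reaches SmartRoles.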
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
The SmartRoles adapter communicates with the SmartRoles repository as specified in the
configuration files copied from the SmartRoles installation. See the SmartRoles product
documentation for details about configuring this connection.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter:
Feature: Supported?
Pass-through authentication: No
Before/after actions: No. You can run actions from workflows using the runResourceAction
Provision Workflow Service. See the ResourceAction Support section for more information.
Account Attributes
The SmartRoles adapter provides the following Identity system user attributes:
sr_derivedRoles (String): Roles that are assigned based on rules or policies (read only).
sr_grantedRoles (String): Roles that are granted directly to the Person (read only).
sr_grantedRolesSphere (complex): Complex attribute providing the granted roles and the sphere
of control for each role. The sphere of control specifies the organizations in which the account
has that role. The schema for the GenericObject in the GenericAttribute is as follows:
■ roles[*]— List of roles granted to the account.
■ roles[index].roleName— Name of the granted role.
■ roles[index].organizations— List of organizations in which the account has the role.
Note: Specifying an organization in this list implies all child organizations as well. If you also
explicitly specify a child organization in this list, an error will occur.
Use attribute namespaces to specify attributes generically on related or underlying objects. Use
dotted syntax, as follows:
namespace.attribute_name
■ Use WORKER for Worker attributes (for example, WORKER.WORKER_TYPE)
■ Use X500_PERSON and AUTHENTICATION_INFO namespaces for information objects
containing additional attributes for the Person object.
■ X500_PERSON contains attributes such as POSTAL_ADDRESS and SECRETARY
■ AUTHENTICATION_INFO contains attributes such as LOGON_ATTEMPTS and PASSWORD_CHANGED
(date)
When listing objects, you can specify the following options in the option Map:
Identity Template
$Logon ID$
Sample Forms
The following sample forms are provided with the SmartRoles resource adapter:
Built-In
None
Also Available
SmartRolesUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the
com.waveset.adapter.SmartRolesResourceAdapter class.
You can also enable DEBUG logging in the SmartRoles APIs by editing the log4j.properties
file that is configured in your JVM's system properties. You must then restart your server for
these log settings to take effect.
Chapter 9
ClearTrust
Adapter Details
1 To add this resource to the Identity Manager resources list, you must add the following value in
the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.ClearTrustResourceAdapter
2 Copy the ct_admin_api.jar file from your ClearTrust installation CD to the WEB-INF\lib
directory.
Usage Notes
The ClearTrust API is split for users and administrators. (Users are not granted access to
servers; administrators are users with administrative rights to the ClearTrust server.) Identity
Manager does not create or manage ClearTrust administrative users.
There are three types of entitlements in ClearTrust: Application, Application Function and
URL. Identity Manager supports Application Function only; other entitlements are ignored.
Entitlements should be assigned to groups and the groups assigned to the user (which is
supported by the adapter).
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses JNDI over SSL to communicate with the ClearTrust server.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Rename account No
Before/after actions No
Account Attributes
The following table provides information about ClearTrust account attributes.
Identity Template
$accountId$
Sample Forms
ClearTrustUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.ClearTrustResourceAdapter
Chapter 10
Database Table
Adapter Details
This adapter supports any relational database that has a JDBC driver.
The Database Table resource adapter is designed to guide you through a series of steps to
connect to and manage users that are located in a single custom database table. The adapter also
supports Active Sync to poll for account changes.
Note – This resource is not designed to manage the DBMS system accounts which are typically
found in multiple tables. (The adapter does not support join operations.) For those resources,
continue to use the Oracle, SQL Server, DB2, Sybase, and MySQL resources.
Usage Notes
This section provides configuration notes related to using the Database Table resource adapter,
including:
■ General configuration notes
■ Active Sync configuration notes
General Configuration
Use the following steps to set up a new Database Table resource:
1 Specify the database access parameters. Include the database type, connection information,
and the database name where the table to be managed is located.
2 All of the available tables for that database are displayed on the Database Tables page. Select
the table where the resource accounts for this resource are stored.
3 Select the columns from the table that Identity Manager will manage. One of these columns will
be designated as the Key and be used as the account name attribute for the users and one
column will be designated as the Password and be used as the account password. Other
columns can be selected as attributes to be managed.
4 The resource schema map page will list just those attributes that were selected to be managed.
It will not list the Key and Password attributes. These attributes will be implicitly managed.
5 The Active Sync Configuration page allows you to optionally specify the Active Sync-related
Database Table attributes. If you are not using the adapter as an Active Sync, you can skip these
values. See “Active Sync Configuration” on page 150 for additional details.
6 Specify the identity template used for this resource. This is the Identity Manager attribute name
that will be used for the Key attribute.
7 Specify the Identity Manager resource parameters for this resource. This includes information
like the resource name, Active Sync scheduling and logging, and approvers for the resource.
Note – The Active Sync adapter does not detect account deletions. As a result, you must
reconcile to detect these deletions.
During its Active Sync poll, the Database Table adapter selects resource accounts (from the
specified database table) for passing to the user form (or instead to the workflow if specified).
The Static Search Predicate parameter specifies the optional static predicate used to qualify the
accounts to be returned from the database. (A predicate is an SQL expression that is evaluated.)
The parameter must be expressed in the native SQL syntax.
syncState = 'P'
This example requires that a column named syncState exists and that P is a possible value. This
value is combined with the Last Fetched Predicate parameter to form the complete qualifier.
The Last Fetched Conjunction parameter is the value AND or OR. It specifies the conjunction
prepended to the Last Fetched Predicate.
The Last Fetched Predicate parameter specifies another optional predicate, but this predicate
can contain one or more user attributes defined in Identity Manager. This feature allows you to
construct a predicate in native SQL syntax that compares values returned in a previous poll to
values returned in the current poll. For example, if the lastMod column contains a timestamp,
then this value can be compared on each poll. Then, if the value is higher on the current poll
than on the previous poll, return information about the database entry. The following
expression illustrates this feature:
The value specified between the parentheses must be an Identity Manager User Attribute
defined on the schema map page. The $(lastmod) token will be replaced with the value
returned on the previous poll. An example value might be 2004-06-20 6:23:00.
Note – The first time the adapter polls, the Last Fetched Filter is not applied, because there are
no previously fetched values. The filter will be run in all subsequent polls.
The Database Table adapter concatenates the Static Search Predicate, Last Fetched
Conjunction, and Last Fetched Predicate resource parameters and sends a search expression
similar to the following:
The ORDER BY parameter allows you to provide a native SQL ORDER BY clause to force the
poll to process the rows in the specified order. Do not include the words ORDER BY in the value.
For example, if you specify a value of lastMod, the rows are sorted based on the lastMod
column, in an ascending order.
The optional Process to run with changes parameter, if specified, identifies the Identity
Manager workflow to launch with each qualified account returned from the database. The map
of values passed to the workflow is keyed by the attributes on the left-hand side of the schema
map. If this value is not specified, then the update will be performed by the standard Active Sync
user form processing.
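The following Python is an added example, not part of this reference or of the Database Table adapter, that puts the Active Sync polling parameters described above together against an in-memory SQLite table with constructed rows. The column names (syncState, lastMod), the Identity Manager attribute name lastmod, the choice to carry the lastMod of the last row processed into the next poll, and the choice to bind the substituted $(lastmod) value as a query parameter are assumptions of the example; the page only states that the token is replaced with the value returned on the previous poll.

```python
import re
import sqlite3

# Constructed sample rows for the managed table (not taken from the page).
SAMPLE_ROWS = [
    ("kb323441", "P", "2004-06-20 06:23:00"),
    ("pc432343", "P", "2004-06-21 09:00:00"),
    ("zz000001", "X", "2004-06-22 10:00:00"),  # syncState is not P: excluded
]

# Resource parameters as described on the page; the column names are assumptions.
TABLE = "users"
STATIC_SEARCH_PREDICATE = "syncState = 'P'"
LAST_FETCHED_CONJUNCTION = "AND"
LAST_FETCHED_PREDICATE = "lastMod > $(lastmod)"  # lastmod: IdM attribute mapped to column lastMod
ORDER_BY = "lastMod"

TOKEN = re.compile(r"\$\((\w+)\)")


def build_poll_query(last_values):
    """Concatenate the static predicate, the conjunction and the last-fetched
    predicate into one WHERE clause and append ORDER BY. last_values holds the
    attribute values from the previous poll, or None on the first poll, when
    the last-fetched predicate is skipped. The $(attr) tokens become bind
    parameters here (this example's choice, not necessarily the adapter's)."""
    where, params = [], []
    if STATIC_SEARCH_PREDICATE:
        where.append(f"({STATIC_SEARCH_PREDICATE})")
    if LAST_FETCHED_PREDICATE and last_values is not None:
        params.extend(last_values[name] for name in TOKEN.findall(LAST_FETCHED_PREDICATE))
        if where:
            where.append(LAST_FETCHED_CONJUNCTION)
        where.append("(" + TOKEN.sub("?", LAST_FETCHED_PREDICATE) + ")")
    sql = f"SELECT accountId, lastMod FROM {TABLE}"
    if where:
        sql += " WHERE " + " ".join(where)
    if ORDER_BY:
        sql += f" ORDER BY {ORDER_BY}"
    return sql, params


def poll(conn, last_values):
    """One Active Sync poll. Returns the qualified account IDs in ORDER BY
    order and the values to carry into the next poll (assumed here to be the
    lastMod of the last row processed). Deleted rows never show up, which is
    why the page says deletions must be found by reconciliation."""
    sql, params = build_poll_query(last_values)
    rows = conn.execute(sql, params).fetchall()
    if rows:
        last_values = {"lastmod": rows[-1][1]}
    return [r[0] for r in rows], last_values


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (accountId TEXT PRIMARY KEY, syncState TEXT, lastMod TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def demo():
    """Three polls: first without the last-fetched filter, second with nothing
    new, third after a row is added with a later lastMod."""
    conn = make_db()
    first, state = poll(conn, None)
    second, state = poll(conn, state)
    conn.execute("INSERT INTO users VALUES ('nw000002', 'P', '2004-06-23 08:00:00')")
    third, state = poll(conn, state)
    return first, second, third
```

Because the three predicates and the ORDER BY value are passed to the database as raw SQL, treat the resource configuration that holds them as privileged: whoever can edit it can run arbitrary statements with the proxy user's rights, which is one more reason to grant that user only the privileges listed under Security Notes.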
Security Notes
The proxy user that connects to the database table must have the following characteristics:
■ The user must appear to own the database tables or views being accessed. The connection
user name must be able to refer to the table or view without using a qualifier to specify the
owner.
■ The user must have permissions to perform any actions the adapter is configured to support.
At a minimum, the user must have SELECT privilege on the database table or view (possibly
including its underlying tables). If the adapter is configured to create, update, and delete
users, for example, then the user must have SELECT, INSERT, UPDATE, and DELETE
privileges.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Enable/disable account No
Pass-through authentication No
Before/after actions No
Account Attributes
The Resource User Attributes are populated by the wizard during the creation or editing of the
resource. The values of these columns for selected users are then mapped with their
corresponding attribute names found in the Identity Manager User Attributes.
This adapter supports binary datatypes, including BLOBs, in Oracle. The corresponding
attributes must be marked as binary on the schema map. Sample binary attributes include
graphics files, audio files, and certificates.
Identity Template
$accountId$
Sample Forms
None
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.DatabaseTableResourceAdapter
Additionally, you can set the following Identity Manager Active Sync logging parameters for the
resource instance:
■ Maximum Log Archives
■ Maximum Active Log Age
■ Maximum Log File Size
■ Log File Path
■ Log Level
Chapter 11
DB2
Adapter Details
Use this adapter to support user accounts for logging into DB2. If you have a custom DB2 table,
see Chapter 10, “Database Table,” for information about using the Resource Adapter Wizard to
create a custom DB2 table resource.
1 To add this resource to the Identity Manager resources list, you must add the following value in
the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.DB2ResourceAdapter
Usage Notes
DB2 performs authentication externally and authorization internally. Authentication is
performed through an accountID/password that is passed on to an external certifier. By default,
the operating system performs the authentication, but other programs can be used for this
purpose.
In general, you should place the DB2 application in a resource group that also includes the
machine upon which it is installed.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses JDBC over SSL to communicate with the DB2 server.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Enable/disable account No
Rename account No
Pass-through authentication No
Before/after actions No
Account Attributes
The following table lists the DB2 user account attributes. All attributes are Strings.
accountId: Required.
grants: Required. Any comma-separated list of valid grants. For example:
CONNECT ON MySchema.MyTable,DELETE ON MySchema.MyTable,INSERT ON MySchema.MyTable,SELECT ON MySchema.MyTable,UPDATE ON MySchema.MyTable
Identity Template
$accountId$
Sample Forms
None
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.DB2ResourceAdapter
Chapter 12
Domino
Adapter Details
1 Create the Identity Manager administrator in Domino. Use a certifier ID that has access to all
organizations needed to manage users.
2 Add the user to the access control list (ACL) of the address book for the server, names.nsf,
including the following roles:
■ UserCreator
■ UserModifier
3 Add the user to the ACL of the registration log, certlog.nsf, with Depositor access.
4 Add the user to the ACL of the Administration Requests, admin4.nsf, with Depositor access.
b. If access to the Domino server is restricted, make sure the Identity Manager proxy account
has access to the server. This is done by specifying the account name, or a group to which the
proxy account belongs, in the Access Server field.
c. If there is a before or after action that calls a Domino agent, the user might need to be added
to the Run unrestricted LotusScript/Java agents or Run restricted LotusScript/Java
agents field, depending on how the agent being called is configured.
Note – Make sure the Notes client is running with a network-enabled profile. If you change the
network connection after you copy the ini file, you must re-copy it or run the client through the
command line, passing the ini file after an equals sign, as in:
C:\Lotus\Notes\notes.exe =PathToIniFile
Usage Notes
This section provides information related to using the Domino resource adapter, which is
organized into the following sections:
■ “Recertification Process” on page 161
■ “Changing Passwords” on page 161
■ “Disabling and Enabling” on page 163
■ “ID File” on page 165
■ “Rename/Move” on page 166
■ “Resource Names” on page 166
■ “Roaming Support” on page 166
■ “Gateway Timeouts” on page 166
You can use aliased groups when using Identity Manager to create a Domino group. Names of
aliased groups are represented by this syntax: Group1;alias1;alias2. Note that when a group
name appears in a list, you will see the primary name only.
Recertification Process
The recertification process is done using the Boolean user attribute named “recertify.” During
an update operation the attribute is checked; if enabled, the user ID is recertified.
The recertification process is done through the adminp process: Identity Manager generates an
adminp request and the recertification of the ID is done at some point afterwards. The timing
of the recertification depends on the configuration of the Domino server.
Changing Passwords
Lotus users have two different passwords:
■ HttpPassword, which is the password that allows a user to access a Notes server from a web
browser or other HTTP client.
■ ID file password, which is the password that encrypts the user's Notes ID file. This password
cannot be changed unless the current password is specified. As a result, an Identity
Manager administrator cannot change this password.
See “ID File” on page 165 for additional information.
<Field name='resourceAccounts.currentResourceAccounts[ResourceName].attributes.idFile'>
<Display class='Text'>
<Property name='title' value='idfile'/>
</Display>
</Field>
<Field name='resourceAccounts.currentResourceAccounts[ResourceName].attributes.WS_USER_PASSWORD'>
<Display class='Text'>
<Property name='title' value='WS_USER_PASSWORD'/>
</Display>
</Field>
Early versions of Domino do not implement a native disable flag for each user, so each user
disabled is placed in a DENY GROUP. When enabled, they are removed as members of any of
the defined groups. DENY GROUP has a maximum number of members threshold so the
group has to be specified as an account attribute to the resource. This requires an additional
DenyGroups account attribute to be passed to the resource. DenyGroups can be set during a
Disable, Enable, or Deprovision, but will not be fetched without additional coding.
When deprovisioning or disabling, you must send a list of DenyGroups that the user will be
added to. When enabling, you must send a list of DenyGroups that the user will be removed
from.
The available DenyGroups can be fetched from the resource with the following code:
The currently assigned DenyGroups can be fetched on a disable, enable, or deprovision form
with this code:
<invoke name='getList'>
<invoke name='getView'>
<ref>display.session</ref>
<concat>
<s>UserViewer:</s>
<ref>resourceAccounts.id</ref>
</concat>
<map>
<s>TargetResources</s>
<list>
<s>YourResourceName</s>
</list>
</map>
</invoke>
<s>accounts[YourResourceName].DenyGroups</s>
</invoke>
In the enable, disable, and deprovision forms, you must address the DenyGroups attribute as:
resourceAccounts.currentResourceAccounts[YourResourceName].attributes.DenyGroups
The following example defines a field in the disable form that lists the available DenyGroups in
the left hand side of a multi-select box:
<Field name='resourceAccounts.currentResourceAccounts[YourResourceName].attributes.DenyGroups'>
<Display class='MultiSelect'>
<Property name='title' value='Deny Groups'/>
<Property name='required'>
<Boolean>false</Boolean>
</Property>
<Property name='allowedValues'>
<invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
<ref>:display.session</ref>
<s>DenyLists</s>
<s>YourResourceName</s>
<null/>
<s>false</s>
</invoke>
</Property>
<Property name='availableTitle' value='Available Deny Groups'/>
<Property name='selectedTitle' value='Assigned Deny Groups'/>
</Display>
</Field>
The following example defines a field in the enable form that lists the assigned DenyGroups in a
derivation rule of a hidden field:
<Field name='resourceAccounts.currentResourceAccounts[YourResourceName].attributes.DenyGroups'>
<Derivation>
<invoke name='getList'>
<invoke name='getView'>
<ref>display.session</ref>
<concat>
<s>UserViewer:</s>
<ref>resourceAccounts.id</ref>
</concat>
<map>
<s>TargetResources</s>
<list>
<s>YourResourceName</s>
</list>
</map>
</invoke>
<s>accounts[YourResourceName].DenyGroups</s>
</invoke>
</Derivation>
</Field>
ID File
The gateway machine generates new IDs for users that are newly registered. They may be placed
on a UNC path that is accessible to the gateway process/service. So, specifying
\\machine\ids\myidfile.id would put it on the network share.
There might be a need for the gateway to run as a user when configured as a service to get access
to the share specified when a user is created. You can assign SYSTEM to have access to shares,
but it depends on how the gateway network environment looks.
You can specify that the ID file be stored in the address book also by setting the Store ID In Addr
Book resource attribute to TRUE/FALSE.
Rename/Move
The move/rename actions are also performed by the adminp process. A move can be initiated
from the rename form by changing the certifierOrgHierarchy attribute and providing the
original certifierId file and password for that id file. The move request will create a “Name
Move Request” in the requests database and must be completed by the new certifier that
represents the user's new organization. A rename can be initiated by changing the user's first/last
name.
Note – You cannot perform a rename and a move at the same time; the adminp process will not
allow this since the request references the canonical name which will be changed in both cases.
Resource Names
The gateway requires that all Domino resources be named uniquely. If you have multiple
Identity Manager deployments and they “point” to the same gateway, all of the Domino
resources that exist on the deployments must have unique resource names.
Roaming Support
Identity Manager can create roaming users if the resource is a Domino 7.0 or later server.
Identity Manager cannot change a user’s roaming status. Therefore, the RoamingUser account
attribute cannot be set on existing users.
Gateway Timeouts
The Domino adapter allows you to use the RA_HANGTIMEOUT resource attribute to specify a
timeout value, in seconds. This attribute controls how long before a request to the gateway
times out and is considered hung.
You must manually add this attribute to the Resource object as follows:
The default value for this attribute is 0, indicating that Identity Manager will not check for a
hung connection.
Additional Information
This section provides some additional information related to this adapter, including:
■ “ListAllObjects” on page 167
■ “Form Updates” on page 167
ListAllObjects
You can list any object specified in Domino. Pass in the view name as the “type” to the
listAllObjects call.
Form Updates
Since some of these operations require additional attributes, default forms must be updated to
include these attributes.
The resource definition already defines the attributes that should be passed to the various views.
■ Enable, Disable forms: DenyGroups
■ Deprovision form: DenyGroups (optional)
■ Expired Login, Change Password, Change My Password forms: HTTPPassword (must be
secret), ID file
■ Rename form: certifierIDFile, credentials (must be secret)
searchFilter
The following sample UserForm illustrates how the searchFilter option for the
getResourceObjects method can be implemented for Domino. This form finds all users with the
last name Smith on the resource MyResource. Users are displayed by internal identifier, such as
com.waveset.object.GenericObject%4014a614a6, rather than account IDs.
<Map>
<MapEntry key='searchAttrsToGet'>
<List>
<String>LastName</String>
<String>ShortName</String>
<String>MailFile</String>
</List>
</MapEntry>
<MapEntry key='searchFilter' value='@IsAvailable(LastName) &amp; @Contains(@LowerCase(LastName);"smith")'/>
</Map>
</invoke>
</block>
</Property>
</Display>
<Disable>
<i>0</i>
</Disable>
</Field>
</Form>
</Extension>
</Configuration>
Actions
The following variables are available for use in before and after actions:
■ WSUSER_accountId
■ WSUSER_UNID
The WSUSER_UNID variable refers to the Lotus Notes universal ID. This variable cannot be
referenced until after the account has been created.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses the Sun Identity Manager Gateway to communicate with Domino.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Pass-through authentication No
Account Attributes
The following table provides information about Domino account attributes. The default data
type is string, unless otherwise indicated.
alternateOrgUnit: The organizational unit for the user in the alternate language.
certifierIDFile: Path to the certifier ID file relative to the gateway machine (overrides the value
on the resource).
CheckPassword: Integer. 0 = no check, 1 = check, 2 = disable user.
dbQuotaSizeLimit: Specifies the maximum size of the user's mail database. If you specify a
value less than 1000, then the maximum size is in megabytes (MB). If the value is 1000 or
greater, then the maximum size is expressed in bytes. Values between 1001 and 1023 are
rounded up to 1024 bytes. The proxy administrator must be listed as an Administrator in the
Server document to set this attribute.
dbQuotaWarningThreshold: Specifies the size of a user's mail database at which point a warning
about the size of the database is generated. If you specify a value less than 1000, then the
threshold is in megabytes (MB). If the value is 1000 or greater, then the threshold is expressed
in bytes. Values between 1001 and 1023 are rounded up to 1024 bytes. The proxy administrator
must be listed as an Administrator in the Server document to set this attribute.
HTTPPassword: Password to be used when accessing a Notes server from a web browser or
other HTTP client.
idFile: Fully qualified path to the ID file relative to the gateway machine.
InternetAddress
lastModified: A string representation of the last date and time the user was modified.
mailOwnerAccess: Indicates the access control level for the mailbox owner. Possible values are
0 (manager), 1 (designer), and 2 (editor). This attribute is not in the schema map by default and
is applicable only when creating users.
NotesGroups
orgUnit
PasswordChangeInterval: Integer. The number of days after which the user must supply a new
password.
PasswordGracePeriod: The number of days after the password has expired before the user is
locked out.
PhoneNumber_6
Policy: The explicit policy for the user. The value of the Explicit Policy Name resource
parameter overrides this attribute. This attribute is applicable only for Domino 7.0 or later.
Profiles: The profile assigned to the user. This value overrides any profile specified as a
resource parameter. This attribute is applicable only for Domino 7.0 and higher.
RoamCleanSetting: Specifies when Domino cleans up the user's roaming files. Valid values are
0 (Never), 1 (Periodically), 2 (When the Domino server shuts down), and 3 (Prompt the user).
RoamRplSrvrs: A list of servers where the user's roaming files are to be replicated.
RoamSrvr: Specifies the server where the user's roaming files are to be located.
RoamSubdir: Specifies the directory that will contain the user's roaming files.
WS_USER_PASSWORD: Attribute used to send the user's current password during user change
password requests.
x400Address
Identity Template
Domino stores the identity of each user in the userid file. However, that same user name is
stored in the user record in the FullName attribute. That attribute is multi-valued, and the first
one in the list is unique. The first name in the list is stored in canonical format and is similar to
the following:
CN=Joe T Smith/O=MyCompany
Using this name we can get to the record of the Name and address book. Identity Manager
stores this string on the resourceInfo in its “nice” form, which looks like:
Joe T Smith/MyCompany
Domino has built-in functions to convert names back and forth at the API level. Identity
Manager also stores the NOTEID as the GUID attributes, and whenever possible uses this global
identifier to look up users in Domino.
The default identity template is:
Depending on the environment, the middle initial may not be included.
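As an added example (not from this reference and not Domino's own API, which the page says provides these conversions natively), the following Python converts between the canonical and the abbreviated ("nice") forms shown above, so that the value stored on the resourceInfo can be compared with a FullName value. It assumes the components are a CN, zero or more OU levels and an O, does not model a country (C=) component, and treats the case-insensitive comparison as an assumption.

```python
NAME_TYPES = ("CN", "OU", "O", "C")


def to_abbreviated(canonical):
    """CN=Joe T Smith/OU=Sales/O=MyCompany -> Joe T Smith/Sales/MyCompany.
    Every component must be TYPE=value with a known Notes type; the type
    prefixes are dropped and the order is kept."""
    values = []
    for component in canonical.split("/"):
        kind, sep, value = component.partition("=")
        if not sep or kind.upper() not in NAME_TYPES or not value:
            raise ValueError(f"not a canonical Notes name component: {component!r}")
        values.append(value)
    return "/".join(values)


def to_canonical(abbreviated):
    """Joe T Smith/Sales/MyCompany -> CN=Joe T Smith/OU=Sales/O=MyCompany.
    Assumption: the first component is the CN, the last is the O and anything
    in between is an OU. A country (C=) component is not modelled."""
    parts = abbreviated.split("/")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"abbreviated name needs at least CN and O: {abbreviated!r}")
    kinds = ["CN"] + ["OU"] * (len(parts) - 2) + ["O"]
    return "/".join(f"{k}={v}" for k, v in zip(kinds, parts))


def normalize(name):
    """Return the canonical form of a name given in either form. A canonical
    input is validated component by component on the way through."""
    if "=" in name:
        return to_canonical(to_abbreviated(name))
    return to_canonical(name)


def same_notes_name(a, b):
    """Compare two names regardless of form. Case-insensitive comparison is an
    assumption of this example."""
    return normalize(a).lower() == normalize(b).lower()
```

Whenever the NOTEID stored as the GUID attribute is available it is the better lookup key, as the page notes; the name comparison above is for the cases where only the string form is at hand.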
Sample Forms
DominoActiveSyncForm.xml
Dominogroupcreate.xml
Dominogroupupdate.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.DominoResourceAdapter
Tracing can also be enabled on the following methods to diagnose problems connecting to the
gateway:
■ com.waveset.adapter.AgentResourceAdapter#sendRequest
■ com.waveset.adapter.AgentResourceAdapter#getResponse
Chapter 13
External Resource
Adapter Details
Usage Notes
The External Resource adapter picks up the datastore information from the external resource
configuration. If the datastore information is modified during configuration, then the External
Resources configuration settings are updated as well.
To modify the datastore configuration of an external resource, you must modify the External
Resource configuration. Note that a change to the system-wide configuration causes all external
resources to be updated with the new datastore configuration.
Security Notes
If the datastore is a database, refer to the ScriptedJDBC adapter, and if the datastore is a
directory, refer to the LDAP adapter.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Pass-through authentication No
Before/after actions No
Dataloading methods No
Account Attributes
None.
Identity Template
If the datastore is a database, refer to the ScriptedJDBC adapter, and if the datastore is a
directory, refer to the LDAP adapter.
Sample Forms
None.
Troubleshooting
Use the Identity Manager Debug pages to set trace options on the following classes:
com.waveset.adapter.ExternalResourcesAdapter
For additional troubleshooting directions, refer to the ScriptedJDBC adapter if the datastore is a
database, and if the datastore is a directory, refer to the LDAP adapter.
Adapter Details
The flat file Active Sync adapter provides the ability to read from the following types of files:
■ Delimited files, such as those containing comma-separated values (CSV), or those delimited
by pipes (|).
■ LDAP Data Interchange Format (LDIF), if the Netscape ldapjdk.jar is provided in the
class path.
Custom parsers can also be used, if the parser class implements the
com.waveset.util.FlatFileIterator interface.
This adapter is a source-only adapter. It will not write back out to a file.
The following cases are some examples in which it might be appropriate to use the Flat File
Active Sync adapter:
■ A direct API or other programmatic interface does not exist.
■ No resource adapter exists for the specific resource.
■ Data stored in one or more resources must be pre-processed before being read into Identity
Manager.
■ The resource owner does not allow direct connections to the resource.
■ No direct connectivity is available to the resource.
The most reliable configuration (and recommended practice) is to store the flat file on a drive
that is local to the application server. The log file should also be written to a local directory. If
using multiple Identity Manager instances on different servers, choose one server on which to
run the flat file Active Sync adapter, and specify that server on the Synchronization policy page
of the Administration Interface. Setting this property will ensure that the polling operation on
the adapter will always run on one or more particular servers.
Usage Notes
This section provides configuration notes related to using the Flat File Active Sync resource
adapter, which is organized into the following sections:
■ “General Notes” on page 182
■ “Active Sync Configuration” on page 183
■ “Supported Example Files” on page 184
General Notes
If you are polling an LDIF file, the LDAP API converts attribute names to lower case. Therefore,
if you have an attribute name that contains a capital letter, such as accountId, the LDAP API
converts it to accountid. The following error is logged when you start Active Sync.
To correct this situation, in your schema map, set your resource user attribute to accountid.
You might encounter the same error message when you import a file that does not directly set
the accountId by a column in the file. To avoid this error message, change the Active Sync User
Form by adding a Field for global.accountId and adding logic to build the accountId within
that field. The following example field sets accountId to be firstname.lastname, but only on
create operations.
<Field name='waveset.accountId'>
<Expansion>
<concat>
<ref>activeSync.firstname</ref>
<s>.</s>
<ref>activeSync.lastname</ref>
</concat>
</Expansion>
<Disable>
<neq>
<ref>feedOp</ref>
<s>create</s>
</neq>
</Disable>
</Field>
The delimiter and text qualifier can be configured to be any single character. If a Unicode
character is used for either, it can be entered in the \u#### format. Delimiters and text qualifiers
are not applicable to the LDAP Data Interchange Format (LDIF).
Comma-Delimited Values
In the following example, quotation marks (" ") are used as the text qualifier. The string 1234
Pecan Ave., Ste 30 contains a comma. Therefore, the string must be qualified to prevent the
system from interpreting Ste 30 as an attribute.
accountId,firstname,lastname,email,street address
kb323441,Kevin,Brown,[email protected],"1234 Pecan Ave., Ste 30"
pc432343,Penelope,Carter,[email protected],4234 Main St.
Pipe-Delimited
accountId|firstname|lastname|email|street address
kb323441|Kevin|Brown|[email protected]|1234 Pecan Ave., Ste 30
pc432343|Penelope|Carter|[email protected]|4234 Main St.
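As an added example (not part of the original reference or of Identity Manager), the following reader loads a delimited flat file the way the notes above describe: any single-character delimiter and text qualifier, the /u#### form for Unicode characters, and a qualifier that protects a delimiter inside a field. The sample rows are constructed from the two examples above; the e-mail addresses are placeholders.

```python
import re
from typing import Dict, List, Optional


def resolve_char(spec: str) -> str:
    """Map a one-character spec, or the /u#### form, to the actual character."""
    m = re.fullmatch(r"/u([0-9A-Fa-f]{4})", spec)
    if m:
        return chr(int(m.group(1), 16))
    if len(spec) != 1:
        raise ValueError(f"delimiter/qualifier must be one character: {spec!r}")
    return spec


def split_record(line: str, delimiter: str, qualifier: Optional[str]) -> List[str]:
    """Split one record. Inside a qualified field the delimiter is literal,
    and a doubled qualifier stands for one literal qualifier character."""
    fields: List[str] = []
    buf: List[str] = []
    quoted = False
    i = 0
    while i < len(line):
        ch = line[i]
        if qualifier is not None and ch == qualifier:
            if quoted and i + 1 < len(line) and line[i + 1] == qualifier:
                buf.append(qualifier)
                i += 1
            else:
                quoted = not quoted
        elif ch == delimiter and not quoted:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if quoted:
        raise ValueError(f"unterminated text qualifier in record: {line!r}")
    fields.append("".join(buf))
    return fields


def parse_flat_file(text: str, delimiter: str = ",",
                    qualifier: Optional[str] = '"') -> List[Dict[str, str]]:
    """Return one dict per data row, keyed by the column headings in row 1.
    A row whose field count differs from the heading row is rejected, which
    is exactly what an unqualified address containing a comma produces."""
    d = resolve_char(delimiter)
    q = resolve_char(qualifier) if qualifier is not None else None
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = split_record(lines[0], d, q)
    records = []
    for n, ln in enumerate(lines[1:], start=2):
        values = split_record(ln, d, q)
        if len(values) != len(header):
            raise ValueError(
                f"line {n}: expected {len(header)} fields, got {len(values)}")
        records.append(dict(zip(header, values)))
    return records


def field_count_errors(text: str, delimiter: str = ",",
                       qualifier: Optional[str] = '"') -> List[str]:
    """Pre-flight check: report the first row that would not load, without raising."""
    try:
        parse_flat_file(text, delimiter, qualifier)
    except ValueError as exc:
        return [str(exc)]
    return []


# Constructed sample data modelled on the two examples above.
CSV_SAMPLE = (
    "accountId,firstname,lastname,email,street address\n"
    'kb323441,Kevin,Brown,kbrown@example.com,"1234 Pecan Ave., Ste 30"\n'
    "pc432343,Penelope,Carter,pcarter@example.com,4234 Main St.\n"
)
PIPE_SAMPLE = (
    "accountId|firstname|lastname|email|street address\n"
    "kb323441|Kevin|Brown|kbrown@example.com|1234 Pecan Ave., Ste 30\n"
    "pc432343|Penelope|Carter|pcarter@example.com|4234 Main St.\n"
)
# The same CSV row without the qualifier: the comma in the address adds a sixth field.
UNQUALIFIED_SAMPLE = (
    "accountId,firstname,lastname,email,street address\n"
    "kb323441,Kevin,Brown,kbrown@example.com,1234 Pecan Ave., Ste 30\n"
)
```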
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
See the “Resource Configuration Notes” on page 182.
In addition, the administrator account must have read, write, and delete permissions on the
directory specified in the Active Sync Log File Path field.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Enable/disable account No
Rename account No
Pass-through authentication No
Before/after actions No
Account Attributes
The resource adapter schema definition is dependent on the contents of the flat file. If no
attributes are specified, the adapter will use the attribute names pulled from the flat file. In the
case of a delimited file, these values will correspond to the column headings. If different Identity
Manager attribute names should be mapped to the column names, specify one or more of those
mappings in the schema map.
If the flat file format is LDIF, then binary attributes, such as graphics files, audio files, and
certificates may be specified. Binary attributes are not supported for delimited files.
Identity Template
The identity template is ignored by this adapter.
Sample Forms
None
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.FlatFileActiveSyncAdapter
15 HP OpenVMS
Adapter Details
com.waveset.adapter.VMSResourceAdapter
Usage Notes
For information about the HP OpenVMS user attributes, refer to your VMS product
documentation.
Security Notes
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Rename Account No
Account Attributes
The following table provides the account attributes provided with the HP OpenVMS resource
adapter:
Attribute            Type       Description
login script source  String     Indicates an existing login script, to be copied to the new user
FlagList             ArrayList  Valid entries in the list are: DisCtlY, DefCLI, LockPwd, Restricted, DisUser, DisWelcome, DisNewMail, DisMail, GenPwd, Pwd_Expired, Pwd2_Expired, Audit, DisReport, DisReconnect, AutoLogin, DisForce_Pwd_Change, Captive, DisImage, DisPwdDic, DisPwdHis, ExtAuth
PrivilegesList       ArrayList  Valid entries in the list are: ACNT, ALLSPOOL, ALTPRI, AUDIT, BUGCHK, BYPASS, CMEXEC, CMKRNL, DIAGNOSE, DOWNGRADE, EXQUOTA, GROUP, GRPNAM, GRPPRV, IMPERSONATE, IMPORT, LOG_IO, MOUNT, NETMBX, OPER, PFNMAP, PHY_IO, PRMCEB, PRMGBL, PRMMBX, PSWAPM, READALL, SECURITY, SETPRV, SHARE, SHMEM, SYSGBL, SYSLCK, SYSNAM, SYSPRV, TMPMBX, UPGRADE, VOLPRO, WORLD
DefPrivilegesList    ArrayList  Valid entries in the list are: ACNT, ALLSPOOL, ALTPRI, AUDIT, BUGCHK, BYPASS, CMEXEC, CMKRNL, DIAGNOSE, DOWNGRADE, EXQUOTA, GROUP, GRPNAM, GRPPRV, IMPERSONATE, IMPORT, LOG_IO, MOUNT, NETMBX, OPER, PFNMAP, PHY_IO, PRMCEB, PRMGBL, PRMMBX, PSWAPM, READALL, SECURITY, SETPRV, SHARE, SHMEM, SYSGBL, SYSLCK, SYSNAM, SYSPRV, TMPMBX, UPGRADE, VOLPRO, WORLD
PrimaryDaysList      ArrayList  Valid entries in the list are: Mon, Tue, Wed, Thu, Fri, Sat, Sun
Sample Forms
VMSUserForm.xml
Troubleshooting
Use the Identity Manager Debug pages to set trace options on the following classes:
■ com.waveset.adapter.VMSResourceAdapter
■ com.waveset.adapter.ScriptedConnection
16 HP-UX
Adapter Details
Usage Notes
The HP-UX resource adapter primarily provides support for the following HP-UX commands:
■ useradd, usermod, userdel
■ groupadd, groupmod, groupdel
■ passwd
For more information about supported attributes and files, refer to the HP-UX manual pages
for these commands.
When a rename of a user account is executed on an HP-UX resource, the group memberships
are moved to the new user name. The user’s home directory is also renamed if the following
conditions are true:
The Bourne-compliant shell (sh, ksh) must be used as the root shell when connecting to a UNIX
resource (AIX, HP-UX, Solaris, or Linux).
The administrative account that manages HP-UX accounts must use the English (en) or C
locale. This can be configured in the user’s .profile file.
In environments in which NIS is implemented, you can increase performance during bulk
provisioning by implementing the following features:
■ Add an account attribute named user_make_nis to the schema map and use this attribute in
your reconciliation or other bulk provisioning workflow. Specifying this attribute causes the
system to bypass the step of connecting to the NIS database after each user update on the
resource.
■ To write the changes to the NIS database after all provisioning has completed, create a
ResourceAction named NIS_password_make in the workflow.
■ The adapter does not support HP-UX Trusted Mode.
Do not use control characters (for example, 0x00, 0x7f) in user passwords.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses the following connections to communicate with the HP-UX adapter.
■ Telnet
■ SSH (SSH must be installed independently on the resource.)
■ SSHPubKey
For SSHPubKey connections, the private key must be specified on the Resource Parameters
page. The key must include the comment lines --- BEGIN PRIVATE KEY --- and --- END
PRIVATE KEY ---. The public key must be placed in the /.ssh/authorized_keys file on the
server.
The adapter also supports the sudo facility (version 1.6.6 or later), which can be installed on
HP-UX 11i from the HP-UX Internet Express CD. sudo allows a system administrator to give
certain users (or groups of users) the ability to run some (or all) commands as root or another
user.
In addition, if sudo is enabled for a resource, its settings will override those configured on the
resource definition page for the root user.
If you are using sudo, you must set the tty_tickets parameter to true for the commands
enabled for the Identity Manager administrator. Refer to the man page for the sudoers file for
more information.
The administrator must be granted privileges to run the following commands with sudo:
Note – A test connection can use different command options than a normal provision run.
The adapter provides basic sudo initialization and reset functionality. However, if a resource
action is defined and contains a command that requires sudo authorization, then you must
specify the sudo command along with the UNIX command. (For example, you must specify
sudo useradd instead of just useradd.) Commands requiring sudo must be registered on the
native resource. Use visudo to register these commands.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Enable/disable account HP-UX does not natively support Identity Manager enable and
disable actions. Identity Manager simulates enabling and disabling
accounts by changing the user password. The changed password is
exposed on enable actions, but it is not exposed on disable actions.
As a result, enable and disable actions are processed as update
actions. Any before or after actions that have been configured to
operate on updates will execute.
You can define resource attributes to control the following tasks for all users on this resource:
■ Create a home directory when creating the user
■ Copy files to the user’s home directory when creating the user
■ Delete the home directory when deleting the user
Account Attributes
The following table lists the HP-UX user account attributes. These attributes are optional unless
noted in the description. All attributes are Strings.
dir              -d directory                     The user's home directory. Any value specified in this account attribute takes precedence over a value specified in the Home Base Directory resource attribute.
time_last_login  Obtained from the last command.  The date and time of the last login. This value is read-only.
Identity Template
$accountId$
Sample Forms
Built-In
■ HP-UX Group Create Form
■ HP-UX Group Update Form
Also Available
HP-UXUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.HPUXResourceAdapter
■ com.waveset.adapter.SVIDResourceAdapter
■ com.waveset.adapter.ScriptedConnection
17 INISafe Nexess
Adapter Details
1 Add the following value in the Custom Resources section of the Configure Managed Resources
page.
com.waveset.adapter.INISafeNexessResourceAdapter
concurrent.jar http://www.jboss.org/products/jbosscache
crimson.jar http://ant.apache.org/bindownload.cgi
jdom.jar http://jdom.org/downloads/index.html
log4j-1.2.6.jar http://logging.apache.org/log4j/docs/download.html
Usage Notes
This adapter supports only create, update and delete of users. You cannot perform
reconciliation or load data from the resource.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Communication with INISafe Nexess is conducted through the com.initech.eam.api classes.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Rename account No
Pass-through authentication No
Before/after actions No
Account Attributes
The following table lists the INISafe Nexess account attributes.
If you add other account attributes, the resource user attribute name must be in one of the
following formats:
■ Account.name
■ Attribute.name
■ Field.name
For example, a field named sn must have the resource user attribute name Field.sn.
If the resource has accounts, then you may need to add a resource user attribute named
Account.accounts. Account names are serialized as comma-separated value (CSV) strings
with three fields:
Your user form will need to construct and deconstruct these strings.
Identity Template
$accountId$
Sample Forms
None
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.INISafeNexessResourceAdapter
18 JMS Listener
The JMS Listener adapter is a JMS (Java Message Service) client that provides the ability to
perform Active Sync processing on messages from a JMS-compliant messaging system queue or
topic.
This adapter is a source-only adapter; it cannot write messages back to a queue or topic.
Adapter Details
The adapter interacts with the source JMS messaging system topic or queue through standard
JNDI lookups of a specified connection factory and destination. Therefore, the messaging
system administrator must ensure that the connection factory and destination have been
previously created and are available through standard JNDI lookups.
The application server administrator must ensure that the Identity Manager web application
can successfully bind through JNDI to the JMS connection factory and destination objects
appropriate for the source JMS messaging system.
Usage Notes
This section provides information related to using the JMS Listener resource adapter, which is
organized into the following sections:
■ “Connections” on page 202
■ “Message Mapping” on page 202
■ “Guaranteed Delivery/Reliable Processing” on page 203
■ “LifeCycle Listener” on page 203
■ “Reconnections” on page 203
■ “JMX Monitoring” on page 204
Connections
When Active Sync processing begins, a connection to the source messaging system is first made
using the connection factory specified in the JNDI name of Connection factory resource
parameter field. If specified, the User and Password fields are used for authentication when
establishing the connection. If the fields are not specified, the connection is established using
the default authentication.
The JMS Listener adapter operates in synchronous mode. It establishes a synchronous message
consumer on the queue or topic destination specified by the JNDI name of Destination field.
During each poll interval, the adapter will receive and process all available messages. Messages
can be (optionally) additionally qualified by defining a valid JMS message selector string for the
Message Selector field.
The connection factory and destination attributes must specify objects that correspond to the
specified destination type. If a destination type of Durable Topic is specified, the additional
fields of Durable Topic ClientID and Durable Topic Subscription Label are used to configure
the durable subscription.
Message Mapping
When the adapter processes a qualified message, the received JMS message is first converted to a
map of named values using the mechanism specified by the Message Mapping field. Refer to
this resulting map as the message value map.
The message value map is then translated to the Active Sync map using the account attributes
schema map. If the adapter has account attributes specified, the adapter searches the message
value map for key names that also appear as a resource user attribute in the schema map. If
present, the value is copied to the Active Sync map, but the entry name in the Active Sync map is
translated to the name specified in the Identity system user attribute column in the schema
map.
If the message value map has an entry that cannot be translated using the account attributes
schema map, then the entry from the message value map is copied unaltered to the Active Sync
map.
Guaranteed Delivery/Reliable Processing
The Reliable Messaging Support field indicates the form of reliable message processing the
adapter should perform.
■ If set to LOCAL, then the JMS session for the adapter is transacted. The session is always
committed after the message is processed, regardless of any errors encountered during the
processing stages. This ensures that the message is processed only once.
■ If set to AUTO, then the session is not transacted, but the message is automatically
acknowledged immediately according to the JMS definition of AUTO_ACK.
■ If set to DUPS_OK, then the session is not transacted, but the message is automatically
acknowledged immediately according to the JMS definition of DUPS_OK_ACK.
■ If set to CLIENT, then the session is not transacted, and the message is not acknowledged by
the adapter. Instead, it is expected that a lifecycle listener specified by the Message LifeCycle
Listener field acknowledges the message as needed. The lifecycle listener is called with an
AWAITING_CLIENT_ACK lifecycle event at the typical point that an acknowledgement is
expected. It is rare that this mode is needed.
LifeCycle Listener
An optional lifecycle listener class can be registered with the adapter with the Message LifeCycle
Listener field. The lifecycle listener can be used to perform:
■ Custom logging of the processing stages of the adapter
■ Custom manipulation of data during processing stages of the adapter
■ Custom acknowledgement of messages received with CLIENT_ACK mode
Reconnections
If connection is lost to the messaging system (for example, the messaging system server has
been shut down), the adapter can be configured to periodically attempt to reconnect with the
messaging system to re-establish the listener.
The Re-initialize upon exception check box enables reconnect behavior. You can set the
frequency to attempt reconnect with the Connection Retry Frequency (secs) field.
JMX Monitoring
The JMS Listener adapter provides multiple attributes and operations that can be monitored
with Java Management Extensions (JMX). For detailed information about configuring JMX on
an Identity Manager server, refer to the Configuration chapter in Business Administrator's
Guide.
On the server running the Active Sync process (which also holds the authoritative MBean),
statistics are computed based on a specified window of time. The setWindowMillis operation
sets the duration of the window. Each time the statistics are computed, the actual duration of
the statistics window is recorded as the ActualWindowTime attribute.
For example, the setWindowMillis operation could be set to 10000 (10 seconds), but the
ActualWindowTime could contain a value of 10005, indicating the actual window was 10.005
seconds. Other attributes, such as MsgCountInWindow, use the actual window to measure or
count statistics. If MsgCountInWindow contained a value of 63, then 63 messages were
retrieved from JMS in 10.005 seconds.
The following tables list the attributes and operations the adapter makes available to JMX. The
attributes and operations can be viewed from the JMX console under IDM/Cluster/
Synchronization/Active Sync/JMS Listener/SyncStats:DestinationName. The value for
DestinationName is generated by concatenating the values of the Destination Type and JNDI
name of Destination resource parameters.
JMX Attributes
Attribute Description
ActualWindowTime Indicates the actual time, in milliseconds, of the most recent window.
Authoritative Indicates whether the server is the one running the Active Sync process.
AvgMsgWaitTime Indicates the average time, in milliseconds, spent waiting for messages.
CurrentMsgWaitStart Indicates the date and time when the wait for the current message
started, or null if no wait is pending.
CurrentPollStart Indicates the date and time when Active Sync last started, if Active Sync is
currently running.
CurrentProcessStart Indicates the date and time when processing started for the message
currently being processed.
CurrentProcessTime Indicates the total number of milliseconds spent processing the current
message. A value of 0 indicates no message is being processed.
LastCalculatedPollTime Indicates the total number of milliseconds in the poll loop, including
current poll, as of the last time it was calculated.
MaxMsgWaitTime Indicates the maximum number of milliseconds spent waiting for a single
message.
MsgCountInWindow Indicates the number of messages received during the last window of time.
MsgPerUnittime Indicates the number of messages processed during the specified window.
TotMsgWaitTime Indicates the total number of milliseconds spent waiting for messages.
JMX Operations
Operation Description
getWindowMillis Gets the duration of the statistics window, in milliseconds. This operation is
available only if the authoritative attribute is true.
resetStatistics Resets the statistics of the adapter. This operation is available only if the
authoritative attribute is true.
setWindowMillis Sets the duration, in milliseconds, of the statistics window. This operation is
available only if the authoritative attribute is true.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Many messaging systems support the capability to encrypt messages between clients and
brokers. The configuration is specific to each messaging system. However, typically the
encryption is abstracted so that the choice of a specially configured connection factory is
sufficient to enable encryption between the JMS Listener adapter and the messaging system
broker.
The messaging system administrator should protect the JMS connection by disabling default
authentication. For further protection, the messaging system administrator should configure
the authorization (access control) to optimize security.
Provisioning Notes
The following table summarizes the provisioning capabilities of the JmsListener adapter.
Feature Supported?
Create account No
Update account No
Delete account No
Enable/disable account No
Rename account No
Pass-through authentication No
Before/after actions No
Account Attributes
The JMS Listener adapter does not provide default account attributes because the account
attributes vary greatly, depending on the semantics of the messages read from the topic or
queue.
You must define an account attribute in which the Identity System user attribute is named
accountId.
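The following added example (not Identity Manager code) works through the two steps described under "Message Mapping" together with the accountId rule just stated. The "name=value" text-message layout used for the first step is an assumption made for this example, since the page does not list the mechanisms the Message Mapping field offers; the schema map and message body are constructed.

```python
from typing import Dict, List, Tuple

# Schema map rows: (Identity system user attribute, resource user attribute),
# the two columns of the Account Attributes page.
SchemaMap = List[Tuple[str, str]]


def text_message_to_value_map(body: str) -> Dict[str, str]:
    """Step 1 (assumed mechanism): a JMS TextMessage whose body carries one
    name=value pair per line becomes the message value map."""
    value_map: Dict[str, str] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed line in message body: {raw!r}")
        value_map[name.strip()] = value.strip()
    return value_map


def schema_map_errors(schema_map: SchemaMap) -> List[str]:
    """The adapter ships no default attributes, so the map must itself define
    an Identity System attribute named accountId."""
    errors = []
    if "accountId" not in {idm for idm, _ in schema_map}:
        errors.append("no Identity System attribute named accountId")
    seen = set()
    for _, res in schema_map:
        if res in seen:
            errors.append(f"resource user attribute mapped twice: {res}")
        seen.add(res)
    return errors


def to_active_sync_map(message_value_map: Dict[str, str],
                       schema_map: SchemaMap) -> Dict[str, str]:
    """Step 2: a key equal to a resource user attribute is copied under the
    Identity system attribute of that row; any other key is copied as-is."""
    problems = schema_map_errors(schema_map)
    if problems:
        raise ValueError("; ".join(problems))
    by_resource_name = {res: idm for idm, res in schema_map}
    return {by_resource_name.get(k, k): v for k, v in message_value_map.items()}


def process_text_message(body: str, schema_map: SchemaMap) -> Dict[str, str]:
    """Both steps, rejecting a message that ends up without an accountId,
    because no Identity Manager user could be matched to it."""
    sync_map = to_active_sync_map(text_message_to_value_map(body), schema_map)
    if not sync_map.get("accountId"):
        raise ValueError("message carries no accountId after schema-map translation")
    return sync_map


# Constructed schema map for an HR feed (attribute names are assumptions).
HR_SCHEMA_MAP: SchemaMap = [
    ("accountId", "employeeNumber"),
    ("firstname", "givenName"),
    ("lastname", "sn"),
    ("email", "mail"),
]

# Constructed message body; costCenter has no schema-map row and passes through.
HR_MESSAGE_BODY = """\
employeeNumber=E10042
givenName=Kevin
sn=Brown
mail=kbrown@example.com
costCenter=4410
"""
```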
Identity Template
None. You must supply the identity template with a valid value.
Sample Forms
JmsListenerActiveSync.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.JmsListenerResourceAdapter
You may also set the following Active Sync logging parameters for the resource instance:
■ Maximum Log Archives
■ Maximum Active Log Age
■ Maximum Log File Size
■ Log File Path
■ Log Level
The Test Configuration button in the resource wizard, shown when creating or editing a resource
of type JMS Listener, performs an extensive check and is useful for troubleshooting configuration issues.
19 LDAP
Identity Manager provides a resource adapter that supports Lightweight Directory Access
Protocol (LDAP) v3. The class name of this adapter is
com.waveset.adapter.LDAPResourceAdapter.
Adapter Details
The LDAP adapter provides provisioning services for standard LDAP installations. It can also
read the replication changelog of an LDAP server and apply those changes to Identity Manager
users or custom workflows.
Note – The LDAP ChangeLog Active Sync and LDAP Listener Active Sync adapters have been
deprecated. All functionality of these adapters has been merged into the LDAP resource
adapter.
To configure the Sun Java System Directory Server to enable the change log and tracking of
modifier information, use the following instructions as a guide (the actual procedure depends on
the Directory Server version).
1 From the directory server configuration tab, click on the Replication folder, then select the
"Enable change log" box. For 5.0 and later servers, you must also enable the RetroChangelog
Snapin. On the configuration tab go to the plugin object, select the Retro change log plugin and
enable it.
2 To verify that the server is configured to maintain special attributes for newly created or
modified entries, in the Directory Server console, click the Configuration tab, then select the
root entry in the navigation tree in the left pane.
3 Click the Settings subtab and verify that the Track Entry Modification Times box is checked.
The server adds the following attributes to a newly created or modified entry to determine if an
event was initiated from Identity Manager.
■ creatorsName: The DN of the person who initially created the entry.
■ modifiersName: The DN of the person who last modified the entry.
4 Connect to a directory server through SSL in which a self-signed certificate has been
implemented by performing the following procedure:
■ Export the CA certificate from the directory server to a temporary file. For example, on Sun
Java System Directory Server, enter the following command:
cd $JAVA_HOME/jre/lib/security
keytool -import -file PathTo/ds-cert.txt -keystore ./cacerts -storepass changeit -trustcacerts
Usage Notes
This section provides information related to using the LDAP resource adapter, which is
organized into the following sections:
■ “General Notes” on page 211
■ “Virtual List View Support for Directory Server” on page 212
General Notes
■ You should create an Identity Manager service account to connect to LDAP, rather than
using the administrator account CN=Directory Manager. Use your LDAP Directory Server
management tool to set permissions by an ACI (access control instructions) at each base
context.
Set the permissions in the ACI based on the source. If the adapter is connecting to an
authoritative source, then set read, search, and possibly compare permissions only. If the
adapter is used to write back, then you will need to set write and possibly delete permissions.
Note – If the account will be used for monitoring the changelog, an ACI should also be
created on cn=changelog. The permissions should be set to read and search only, because you
cannot write or delete changelog entries.
■ The LDAP adapter can manage aliases. However, when a getUser call is performed, the alias
is dereferenced and the adapter returns the referenced object. As a result, the adapter will
not find attributes on the alias object itself.
This occurs because JNDI defaults to the following setting:
java.naming.ldap.derefAliases=always
You can change this property globally by creating a jndi.properties file that contains the
following line:
java.naming.ldap.derefAliases=never
The jndi.properties file must be placed in the Java library path, such as
$WSHOME/WEB-INF/classes. You must restart the application server for the change to take
effect.
■ When editing synchronization policy, be sure to specify a value for the Filter Changes By
field. The standard value is the administrator name used by this adapter. Entering an
administrator name will prevent infinite loops from occurring. Entries should be of the
format cn=Directory Manager.
Note – This discussion assumes that Identity Manager connects to the LDAP resource as a
non-RootDN user. If you are connecting as a RootDN user, the procedures described are
applicable, but additional LDAP attribute values might be possible. Consult the Directory
Server documentation for more information.
See “Modifying the ADAM Schema” on page 216 for information about enabling this feature
with Microsoft ADAM.
Virtual List View Support for Directory Server
It is not always desirable to change the default values. To improve performance on LDAP
searches, you can enable the LDAP Virtual List View (VLV) control. VLV returns partial results
of a search, rather than returning all results at once.
The Use Blocks resource attribute enables Identity Manager to stay within the query result size
limit by using the VLV control. The Block Count resource attribute specifies how many users to
return, but this value must be less than or equal to the value set in the nsslapd-sizelimit
attribute.
A VLV index (also known as a browsing index) must be created, or the nsslapd-sizelimit size
limit will still be in effect. Using a VLV index significantly improves the performance of
iterating over accounts, so you should set up the index if you plan to reconcile, load from
resource, or export to file frequently.
Refer to the Directory Server documentation for detailed instructions on creating a VLV index.
The basic process follows:
2 Create a vlvindex component as a subobject of vlvsearch. The vlvsort attribute must be set
to uid.
3 Build the VLV index using the vlvindex command or other mechanism.
4 Set permissions through access control instructions (ACI) for the following:
■ vlvsearch object
■ vlvindex
■ the directory the index was created for.
To set up VLV for the changelog, use the following general steps. Refer to the Directory
Server documentation for detailed instructions.
5 If you have not already done so, create a browsing index for the changelog. If you use the
Directory Server user interface, then by default, a vlvsearch object named “MCC
cn=changelog” and a vlvindex object named “SN MCC cn=changelog” will be created.
6 Set permissions through access control instructions (ACI) so that the Identity Manager account
has read, compare, and search rights for the following:
■ The changelog (cn=changelog)
■ The vlvsearch object (cn="MCC cn=changelog",cn=config,cn=ldbm)
■ The vlvindex object ("SN MCC cn=changelog",cn=config,cn=ldbm)
On some versions of Directory Server, the changelog nsLookThroughLimit attribute has a
hard-coded value of 5,000. To avoid hitting the changelog lookthrough limit, restrict the
maximum number of changelog entries that are kept on the server to less than 5,000. To avoid
losing changelog entries, set the polling frequency for the adapter to a short interval.
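The added example below (not Identity Manager code) simulates one poll over a retro changelog, applying the Filter Changes By rule from the General Notes (skip entries whose modifiersName is the adapter's own administrator DN, which is what prevents the adapter from re-processing its own writes) and the changelog lookthrough caveat above. The changelog entries and directory content are constructed; the service-account DN is an assumption.

```python
from typing import Dict, List, Tuple

# Hard-coded changelog nsLookThroughLimit on some Directory Server versions (see above).
LOOKTHROUGH_LIMIT = 5000


def parse_ldif(ldif: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries, one 'attr: value' per
    line, leading-space continuation lines, attribute names lower-cased (the
    LDAP API lower-cases them as well). Base64 (::) values are not handled."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last = None
    for raw in ldif.splitlines():
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]
            continue
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn: str) -> str:
    """Case- and whitespace-insensitive comparison key; enough for this example
    (full DN matching follows the LDAP matching rules)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def select_changes(changelog: List[Dict[str, List[str]]],
                   directory: Dict[str, Dict[str, List[str]]],
                   filter_changes_by: str,
                   last_changenumber: int) -> Tuple[List[int], int]:
    """Return the change numbers to process and the new high-water mark.
    A change is skipped when the target entry's modifiersName equals the
    Filter Changes By DN. A delete leaves no target entry to inspect, so it
    is always processed."""
    own_dn = normalize_dn(filter_changes_by)
    dir_by_dn = {normalize_dn(dn): attrs for dn, attrs in directory.items()}
    to_process: List[int] = []
    high_water = last_changenumber
    for entry in sorted(changelog, key=lambda e: int(e["changenumber"][0])):
        number = int(entry["changenumber"][0])
        if number <= last_changenumber:
            continue
        high_water = max(high_water, number)
        target = dir_by_dn.get(normalize_dn(entry["targetdn"][0]))
        modifier = target.get("modifiersname", [""])[0] if target else ""
        if target is not None and normalize_dn(modifier) == own_dn:
            continue
        to_process.append(number)
    return to_process, high_water


def retained_entries_exceed_lookthrough(retained_entries: int) -> bool:
    """True when the server keeps at least as many changelog entries as the
    lookthrough limit, i.e. when the adapter could start missing changes."""
    return retained_entries >= LOOKTHROUGH_LIMIT


# Constructed retro changelog entries (the 'changes' attribute is omitted).
CHANGELOG_LDIF = """
dn: changenumber=101,cn=changelog
changenumber: 101
targetdn: uid=kbrown,ou=People,dc=example,dc=com
changetype: modify

dn: changenumber=102,cn=changelog
changenumber: 102
targetdn: uid=pcarter,ou=People,dc=example,dc=com
changetype: modify

dn: changenumber=103,cn=changelog
changenumber: 103
targetdn: uid=oldacct,ou=People,dc=example,dc=com
changetype: delete
"""

# Constructed directory state: who last modified each target entry.
IDM_SERVICE_DN = "cn=idm-service,ou=Services,dc=example,dc=com"
DIRECTORY = {
    "uid=kbrown,ou=People,dc=example,dc=com": {"modifiersname": [IDM_SERVICE_DN]},
    "uid=pcarter,ou=People,dc=example,dc=com":
        {"modifiersname": ["uid=hradmin,ou=People,dc=example,dc=com"]},
}
```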
3 On the Account Attributes page, add IDMAttribute as an Identity System User attribute. Set the
Resource User attribute to nsroledn. The attribute must be of type string.
1 On the Resource Parameters page, set the LDAP Activation Method field to nsaccountlock.
2 Set the LDAP Activation Parameter field to IDMAttribute=true. (IDMAttribute will be specified
on the schema in the next step.) For example, accountLockAttr=true.
3 On the Account Attributes page, add the value specified in the LDAP Activation Parameter field
as an Identity System User attribute. Set the Resource User attribute to nsaccountlock. The
attribute must be of type string.
ADAM Support
The LDAP adapter can be configured to provision to Microsoft’s Active Directory Application
Mode (ADAM). The following sections describe how to enable ADAM support.
■ “Modifying the ADAM Schema” on page 216
■ “Enabling and Disabling Accounts in ADAM” on page 216
Modifying the ADAM Schema
The ADAM schema defines the attribute index configuration. Each attribute definition entry in
the schema has a searchFlags attribute. For example, the definition for Uid is located at
cn=Uid,cn=Schema under the schema context. The searchFlags attribute is a bitmask and
values 1 (create index), 2 (create index in each container) and 64 (index to support efficient VLV
queries) are related to indexing.
Attribute” field on the resource's resource parameters configuration page must be indexed in
ADAM with the option to support efficient VLV queries. See Modifying the ADAM Schema for
details.
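As an added example (neither Microsoft's nor Identity Manager's code), the following helpers decode an ADAM attribute definition's searchFlags using the three values named above, check whether the attribute is indexed for efficient VLV queries, and emit the LDIF modify record that adds the missing bits while preserving any others. The schema context DN is a constructed placeholder.

```python
from typing import List

# The three indexing-related searchFlags values described in the text.
SEARCHFLAG_BITS = {
    1: "create index",
    2: "create index in each container",
    64: "index to support efficient VLV queries",
}
INDEX_BIT = 1
VLV_BIT = 64


def decode_search_flags(flags: int) -> List[str]:
    """Names of the documented indexing bits set in flags; any other bits are
    reported by value because their meaning is not covered here."""
    names = [name for bit, name in SEARCHFLAG_BITS.items() if flags & bit]
    other = flags & ~sum(SEARCHFLAG_BITS)
    if other:
        names.append(f"other bits: {other}")
    return names


def supports_vlv(flags: int) -> bool:
    """True when the attribute is indexed and the index supports VLV, which
    is what the adapter's block-mode searches rely on."""
    return bool(flags & INDEX_BIT) and bool(flags & VLV_BIT)


def required_search_flags(flags: int) -> int:
    """The value the attribute definition needs, keeping bits already set."""
    return flags | INDEX_BIT | VLV_BIT


def vlv_index_modify_ldif(attribute_cn: str, schema_context: str,
                          current_flags: int) -> str:
    """LDIF modify record for ldifde/ldapmodify that sets the required bits.
    Returns an empty string when the definition already qualifies."""
    wanted = required_search_flags(current_flags)
    if wanted == current_flags:
        return ""
    return (f"dn: cn={attribute_cn},cn=Schema,{schema_context}\n"
            "changetype: modify\n"
            "replace: searchFlags\n"
            f"searchFlags: {wanted}\n"
            "-\n")


# Constructed placeholder for the ADAM schema context DN.
SCHEMA_CONTEXT = "cn=Configuration,cn={PLACEHOLDER-INSTANCE-GUID}"
```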
Enabling and Disabling Accounts in ADAM
Use the following procedure to allow Identity Manager to enable and disable accounts in
ADAM.
1 On the LDAP Resource Parameters page, set the LDAP Activation Method parameter to
com.waveset.adapter.util.ActivationByAttributePushDisablePullEnable
3 On the Account Attributes page, add the Identity System attribute specified in the LDAP
Activation Parameter field as an Identity System User attribute. Set the Resource User attribute
to msDS-UserAccountDisabled. The attribute must be of type string.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses Java Naming and Directory Interface (JNDI) over TCP/IP or SSL to
communicate with the LDAP adapter.
■ If you are using TCP/IP, specify port 389 on the Resource Parameters page.
■ If you are using SSL, specify port 636.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Before/after actions No
Account Attributes
The syntax (or type) of an attribute usually determines whether the attribute is supported. In
general, Identity Manager supports Boolean, string, integer, and binary syntaxes. A binary
attribute is an attribute that can be safely expressed only as a byte array.
The following table lists the supported LDAP syntaxes. Other LDAP syntaxes might be
supported, as long as they are Boolean, string, or integer in nature. Octet strings are NOT supported.
DN String 1.3.6.1.4.1.1466.115.121.1.12
Identity System Attribute  Resource User Attribute  LDAP Syntax       Description
modifyTimeStamp            modifyTimeStamp          Generalized time  Indicates when a user entry was modified.
Note the following behavior when either posixGroups or ldapGroups is defined in the schema
map:
■ When an LDAP account is deleted, then Identity Manager removes the account’s DN from
any LDAP groups and the account’s uid from any posixGroups.
■ When the uid of an account changes, then Identity Manager replaces the old uid with the
new uid in the appropriate posixGroups.
■ When an account is renamed, then Identity Manager replaces the old DN with the new DN
in the appropriate LDAP groups.
Resource User Attribute  LDAP Syntax  Type  Description
destinationIndicator Printable string String This attribute is used for the telegram service.
physicalDeliveryOfficeName Directory string String The office where deliveries are routed to.
postalAddress Postal address String The office location in the user’s place of business.
postalCode Directory string String The postal or zip code for mail delivery.
postOfficeBox Directory string String The P.O. Box number for this object.
title Directory string String Contains the user’s job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for suffix titles such as Esq. or DDS.
initials Directory string String Initials for parts of the user’s full name
Posix Group  Create, update, delete, rename, saveas  cn, description, gid, memberUid
Domain  Find  dc
The LDAP resource adapter provides management of posixGroup entries. By default, the list of
accounts that are available to be assigned to a posixGroup contains accounts with the posixAccount
object class. The LDAP Create Posix Group Form and LDAP Update Posix Group Form can be customized
to list accounts other than posixAccounts. However, these accounts must have a uid attribute
defined to be a member of a posixGroup.
Identity Template
You must define the identity template for this resource.
Sample Forms
Built-in
■ LDAP Create Group Form
■ LDAP Create Organization Form
■ LDAP Create Organizational Unit Form
■ LDAP Create Person Form
■ LDAP Create Posix Group Form
■ LDAP Update Group Form
■ LDAP Update Organization Form
■ LDAP Update Organizational Unit Form
■ LDAP Update Person Form
■ LDAP Update Posix Group Form
Also Available
■ LDAPActiveSyncForm.xml
■ LDAPGroupCreateExt.xml
■ LDAPGroupUpdateExt.xml
■ LDAPgroupScalable.xml
■ LDAPPasswordActiveSyncForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on one or more of the following
classes:
■ com.waveset.adapter.LDAPResourceAdapterBase
■ com.waveset.adapter.LDAPResourceAdapter
The Microsoft Identity Integration Server (MIIS) resource adapter is defined in the
com.waveset.adapter.MIISResourceAdapter class.
Adapter Details
The MIIS adapter is implemented as a database table resource adapter. Therefore, the MIIS
adapter has the same installation requirements and requires the same administrative privileges
as the underlying database.
The MIIS adapter can be used with the following database systems:
■ SQL Server
■ DB2
■ MySQL
■ Oracle
The MIIS resource adapter is a custom adapter. You must perform the following steps to
complete the installation process:
1 Select the Microsoft Identity Integration Server option from the Resources section of the
Configure Managed Resources page.
2 If you connect to the resource with the Microsoft SQL Server 2005 Driver for JDBC, copy the
mssqlserver.jar file to the InstallDir\idm\WEB-INF\lib directory.
If you connect to the resource with the Microsoft SQL Server 2000 Driver for JDBC, copy the
following jar files from the Program Files\2000 Microsoft SQL Server 2000 Driver for
JDBC\lib directory to the InstallDir\idm\WEB-INF\lib directory.
■ msbase.jar
■ mssqlserver.jar
■ msutil.jar
Note – All connections to SQL Server must be performed using the same version of the JDBC
driver. This includes the repository as well as all resource adapters that manage or require
SQL Server accounts or tables, including the Microsoft SQL adapter, Microsoft Identity
Integration Server adapter, Database Table adapter, Scripted JDBC adapter, and any custom
adapter based on these adapters. Conflict errors occur if you attempt to use different versions
of the driver.
Usage Notes
None
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses JDBC to communicate with the MIIS adapter.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Rename account No
Before/after actions No
Account Attributes
The list of account attributes is determined by which database columns were selected as
Managed Columns during configuration of the MIIS resource. The possible account attributes
vary for each installation.
Identity Template
$accountId$
Sample Forms
None
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.MIISResourceAdapter
■ com.waveset.adapter.JdbcResourceAdapter
Adapter Details
Use this adapter to manage multiple databases on the SQL server. Logins can be managed to the
server itself as well as the managed databases.
If you have a custom SQL table, see Chapter 10, “Database Table,” for information about using
the Resource Adapter Wizard to create a custom Microsoft SQL table resource.
1 To add this resource to the Identity Manager resources list, you must add the following value in
the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.MSSQLServerResourceAdapter
2 If you connect to the resource with the Microsoft SQL Server 2005 Driver for JDBC, copy the
mssqlserver.jar file to the InstallDir\idm\WEB-INF\lib directory.
If you connect to the resource with the Microsoft SQL Server 2000 Driver for JDBC, copy the
following jar files from the Program Files\2000 Microsoft SQL Server 2000 Driver for
JDBC\lib directory to the InstallDir\idm\WEB-INF\lib directory.
■ msbase.jar
■ mssqlserver.jar
■ msutil.jar
Note – All connections to SQL Server must be performed using the same version of the JDBC
driver. This includes the repository as well as all resource adapters that manage or require
SQL Server accounts or tables, including the Microsoft SQL adapter, Microsoft Identity
Integration Server adapter, Database Table adapter, Scripted JDBC adapter, and any custom
adapter based on these adapters. Conflict errors occur if you attempt to use different versions
of the driver.
Usage Notes
You can use two types of authentication with SQL Server:
■ Windows authentication. SQL Server relies on Windows for all authentication and security
mechanisms. When a user accesses SQL Server, SQL Server obtains the user and password information
from the user’s network security attributes. If the user has been granted access to SQL Server
from within Windows, the user is logged in to SQL Server automatically. Account IDs
passed in to the adapter must be in the form Domain\accountID. Pass-through
authentication is not supported for Windows authentication.
■ Mixed mode authentication. In this scenario, both Windows authentication and SQL
Server authentication are enabled. When a user connects with a specified login name and
password from a non-trusted connection, SQL Server performs the authentication itself by
checking whether a SQL Server login account has been set up and whether the specified password
matches the one previously recorded. If SQL Server does not have a login account set up,
authentication fails and the user receives an error message.
Windows authentication mode can only be configured on the Microsoft SQL Server resource
adapter if the Identity Manager server is running on a Windows machine that is included in the
same Windows security/authentication framework as the SQL Server instance.
The JDBC driver supports the use of Type 2 integrated authentication on Windows operating
systems through the integratedSecurity connection string property. To use integrated
authentication, copy the sqljdbc_auth.dll file to a directory on the Windows system path on
the computer where the JDBC driver is installed. The driver ships the file in the following
directory:
InstallationDirectory\sqljdbc_Version\Language\auth\
On a 32-bit processor, use the sqljdbc_auth.dll file in the x86 folder. On a 64-bit processor,
use the sqljdbc_auth.dll file in the x64 folder.
For more information, see http://msdn2.microsoft.com/en-us/library/ms378428.aspx.
The SQL Server resource adapter uses the following system procedures to manage user
accounts:
■ sp_addlogin, sp_droplogin
■ sp_addrole
■ sp_addrolemember, sp_droprolemember
■ sp_addsrvrolemember, sp_dropsrvrolemember
■ sp_grantdbaccess
■ sp_helplogins
■ sp_helprole
■ sp_helpuser
■ sp_helpsrvrolemember
■ sp_password
■ sp_revokedbaccess
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses JDBC over SSL to communicate with SQL Server.
Procedure: Privileges required
sp_addrole: Members of the sysadmin fixed server role, and the db_securityadmin and db_owner fixed database roles.
sp_addrolemember: Members of the sysadmin fixed server role and the db_owner fixed database role can execute sp_addrolemember to add a member to fixed database roles. Role owners can execute sp_addrolemember to add a member to any SQL Server role they own. Members of the db_securityadmin fixed database role can add users to any user-defined role.
sp_droprolemember: Only members of the sysadmin fixed server role, the db_owner and db_securityadmin fixed database roles can execute sp_droprolemember. Only a member of the db_owner fixed database role can remove users from a fixed database role.
sp_grantdbaccess: Members of the sysadmin fixed server role, the db_accessadmin and db_owner fixed database roles.
sp_password: Execute permissions default to the public role for a user changing the password for his or her own login. Only members of the sysadmin role can change the password for another user’s login.
sp_revokedbaccess: Members of the sysadmin fixed server role, and the db_accessadmin and db_owner fixed database roles.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Rename account No
Before/after actions No
Account Attributes
The following table lists the default account attributes (all strings).
Because multiple databases can be managed, the Identity Manager administrator must add
account attributes for each database to be managed. These attributes must include the database
name as part of the attribute name in order to differentiate them from attributes for other
managed databases:
userNameDBName String The user name of the account on the database. Setting a userName for a database will grant access to the database for the account, and clearing the userName for a database will remove access.
Identity Template
$domain$ $accountId$
Sample Forms
MSSQLServerUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.MSSQLServerResourceAdapter
■ com.waveset.adapter.JdbcResourceAdapter
Chapter 22: MySQL
Adapter Details
Use this adapter to support user accounts for logging into MySQL. If you have a custom table,
see Chapter 10, “Database Table,” for information about using the Resource Adapter Wizard to
create a custom MySQL table resource.
1 To add this resource to the Identity Manager resources list, you must add the following value in
the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.MySQLResourceAdapter
Usage Notes
Identity Manager creates a new user based on the account properties of the user specified in the
User Model resource parameter. You must specify a valid value to create users.
The MySQL resource adapter can update MySQL user passwords only.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses JDBC over SSL to communicate with MySQL.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Enable/disable account No
Rename account No
Pass-through authentication No
Before/after actions No
Account Attributes
None
Identity Template
$accountId$
Sample Forms
None
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.MySQLResourceAdapter
Chapter 23: NetWare NDS
Identity Manager provides adapters for supporting the following Novell products:
■ NetWare with eDirectory
■ Novell SecretStore
Adapter Details
The following table summarizes the attributes of the Novell adapters:
Gateway Location
Install the Sun Identity Manager Gateway on any NDS client that can connect to the domain to
be managed. Multiple gateways should be installed if pass-through authentication is enabled.
If you run the Gateway as an account other than Local System, then the Gateway service
account requires the “Act As Operating System” and “Bypass Traverse Checking” user rights. It
uses these rights for pass-through authentication and for changing and resetting passwords in
certain situations.
When performing before and after action scripts, the gateway may need the Replace a process
level token right. This right is required if the gateway attempts to run the script subprocess as
another user, such as the resource administrative user. In this case, the gateway process needs
the right to replace the default token associated with that subprocess.
If this right is missing, the following error may be returned during subprocess creation:
The Replace a process level token right is defined in the Default Domain Controller Group
Policy object and in the local security policy of workstations and servers. To set this right on a
system, open the Local Security Policies application within the Administrative Tools folder,
then navigate to Local Policies > User Rights Assignment > Replace a process level token.
SecretStore Certificates
To support SecretStore, an SSL certificate must be exported from the NDS system to the Identity
Manager application server.
One possible way to obtain this certificate is to use ConsoleOne to export the public key. To do
this, start ConsoleOne and navigate to the SSL CertificateDNS object. On the Properties dialog
of the SSL CertificateDNS object, select Public Key Certificate from the Certificates tab. Press
the Export button to begin the process of exporting the certificate. You do not need to export
the private key. Store the file in DER format.
Copy the DER file to the Identity Manager application server. Then add the certificate to the
jdk\jre\lib\security\cacerts keystore using keytool or another certificate management tool.
The keytool utility is shipped with the Java SDK. Refer to the Java documentation for more
information about the keytool utility.
To add the NDS SecretStore resource to the resources list, perform the following procedure:
1 Add the following value in the Custom Resources section of the Configure Managed Resources
page.
com.waveset.adapter.NDSSecretStoreResourceAdapter
2 Copy the jsso.jar file to the InstallDir\idm\WEB-INF\lib directory. The jsso.jar file can be
obtained from one of the following locations where the NDS client with either Novell
SecretStore or Novell SecureLogin is installed:
■ NovellInstallDir\ConsoleOne\version\lib\SecretStore
■ NovellInstallDir\ConsoleOne\version\lib\security
Usage Notes
This section provides information related to using the NetWare NDS resource adapter, which is
organized into the following sections:
■ “Miscellaneous” on page 241
■ “Pass-Through Authentication Notes” on page 242
■ “Gateway Timeouts” on page 243
■ “Managing NDS Users in GroupWise” on page 243
■ “SecretStore and the Identity Manager System Configuration Object” on page 244
Miscellaneous
■ The NetWare NDS adapter in Active Sync mode does not detect account deletions. As a
result, you must reconcile to detect these deletions.
■ The NDS adapters support template values, including user DS and FS rights, Home
Directory rights, and Trustees of New Object.
■ To avoid display problems on the Resources page, set the “Identity Manager User Name
Attribute” parameter to cn.
■ NDS uses periods instead of commas to mark segments of a name. Identity Manager will
return an error message if you specify commas.
■ To configure an NDS resource so that you can create a user’s home directory, you must add
two attributes to the account attributes:
Home Directory (String) The format of this attribute is VolumeDN#NameSpaceType#DirectoryPath.
For example, SERVER_SYS.MYORG#0#\Homes\bob_smith. The NameSpaceType is one of:
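A validator for the Home Directory value format described above, as an added example that is not Identity Manager or Novell code. It assumes, as in the page's own example value, that NameSpaceType is a numeric code, and it applies the earlier note that NDS separates name segments with periods rather than commas. The check that the path carries no "." or ".." components is an addition of this example: a home directory value that is assembled from form input should not be able to escape the home-directory tree.

```python
"""Added example (not Identity Manager code): parse and validate the NDS
Home Directory attribute value VolumeDN#NameSpaceType#DirectoryPath."""

import re
from typing import Dict, List, Union

# NDS typeless name segments: letters, digits, underscore, hyphen and space.
_SEGMENT = re.compile(r"^[A-Za-z0-9_\- ]+$")
# Account IDs accepted when building a value from an account (assumption).
_ACCOUNT_ID = re.compile(r"^[A-Za-z0-9_.\-]+$")

SAMPLE_VALUE = r"SERVER_SYS.MYORG#0#\Homes\bob_smith"  # the value shown above


def parse_home_directory(value: str) -> Dict[str, Union[str, int, List[str]]]:
    """Split the value into its three fields and validate each one.
    Raises ValueError with the reason when the value is malformed."""
    parts = value.split("#")
    if len(parts) != 3:
        raise ValueError("expected VolumeDN#NameSpaceType#DirectoryPath, got %r" % value)
    volume_dn, ns_type, path = parts
    if "," in volume_dn:
        raise ValueError("NDS names separate segments with periods, not commas: %r" % volume_dn)
    segments = volume_dn.split(".")
    if not all(_SEGMENT.match(s) for s in segments):
        raise ValueError("invalid NDS name segment in %r" % volume_dn)
    if not ns_type.isdigit():
        raise ValueError("NameSpaceType must be a numeric code, got %r" % ns_type)
    if not path:
        raise ValueError("DirectoryPath must not be empty")
    components = [c for c in path.split("\\") if c]
    if any(c in (".", "..") for c in components):
        raise ValueError("DirectoryPath must not contain . or .. components: %r" % path)
    return {
        "volume": segments[0],        # volume object name
        "container": segments[1:],    # containing context, leaf first
        "namespace_type": int(ns_type),
        "path": path,
    }


def is_valid_home_directory(value: str) -> bool:
    try:
        parse_home_directory(value)
        return True
    except ValueError:
        return False


def home_directory_for(volume_dn: str, ns_type: int, base: str, account_id: str) -> str:
    """Build a value for one account under a fixed base directory.  The account
    ID is restricted to a safe character set so it cannot inject '#' or
    path components; the result is re-parsed as a final consistency check."""
    if not _ACCOUNT_ID.match(account_id):
        raise ValueError("unsafe account ID %r" % account_id)
    value = "%s#%d#%s\\%s" % (volume_dn, ns_type, base.rstrip("\\"), account_id)
    parse_home_directory(value)
    return value
```

Run the validator on a form's Home Directory field before the account is created; rejecting a malformed value on the Identity Manager side gives a clearer error than the one returned by the resource.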
1 Delete the pass-through authentication resource from your NDS login module group.
2 If you want to delete the pass-through authentication resource from Identity Manager, first
delete or modify the common resources attribute of the System Configuration object.
<Attribute name=’common resources’>
<Object>
<Attribute name=’NDS Group’>
<List>
<String>NDS_Resource_Host</String>
<String>NDS_Passthrough_Host</String>
</List>
</Attribute>
</Object>
</Attribute>
If your NDS group contains only the NDS resource and pass-through authentication host, then
delete the entire Attribute element. Otherwise, delete the string that defines the pass-through
authentication host.
4 If the gateway is no longer needed on the pass-through authentication host, you may disable
the gateway service and remove the application.
Gateway Timeouts
The NetWare adapters allow you to use the RA_HANGTIMEOUT resource attribute to specify a
timeout value, in seconds. This attribute controls how long before a request to the gateway
times out and is considered hung.
You must manually add this attribute to the Resource object as follows:
The default value for this attribute is 0, indicating that Identity Manager will not check for a
hung connection.
Managing NDS Users in GroupWise
To activate the integration with GroupWise, you must define a value in the GroupWise Domain
DN resource attribute. This value specifies the DN of the GroupWise domain that will be
managed. An example value for this attribute is
CN=gw_dom.ou=GroupWise.o=MyCorp
The NDS Tree resource attribute defines the NDS tree under which the GroupWise domain is
expected to reside. That is, the GroupWise domain must be in the same tree as the NDS users
managed by the adapter.
To add an NDS user into a GroupWise Post Office, set the GW_PostOffice account attribute to
the name of an existing Post Office that is associated with the GroupWise domain.
To move an NDS user to a different GroupWise Post Office, set the GW_PostOffice account
attribute to the name of the new Post Office that is associated with the GroupWise domain.
To remove an NDS user from its Post Office, set the GW_PostOffice account attribute to the
same value as the GroupWise Delete Pattern resource attribute. The default value for
GroupWise Delete Pattern resource attribute is *TRASH*.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
The Gateway service should be used to connect to a NetWare NDS resource. The Gateway
service uses a TCP/IP socket connection (3DES) for exchanging password information on the
network.
You can also use standard LDAP or LDAP over SSL to connect to the NetWare NDS server. In
this scenario, use the LDAP resource adapter.
To perform password administration, an NDS administrator must have Compare, Read, and
Write rights on the following properties:
■ Group Membership
■ Locked By Intruder
■ Login Intruder Attempts
■ Login Intruder Reset Time
■ Password Management
The Identity Manager administrator account performing functions with NDS SecretStore must
be defined as a SecretStore administrator.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Rename account Yes, except renames are not supported when the NDS user also has a GroupWise account.
Before/after actions No
Account Attributes
This section provides information about the NetWare NDS account attribute support
including:
■ “Attribute Syntax Support” on page 246
■ “Account Attribute Support” on page 248
The syntax (or type) of an attribute usually determines whether the attribute is supported. In
general, Identity Manager supports Boolean, string, and integer syntaxes.
The values for attributes with SYN_CI_LIST (such as Language) and SYN_PO_ADDRESS
(such as Postal Address) syntaxes should be a list of strings separated by $. The values for
SYN_OCTET_STRING attributes should be Base 64 encoded strings of the bytes in the octet
stream.
Supported Syntaxes
The following table provides information about supported attribute syntaxes:
Unsupported Syntaxes
The following table provides information about unsupported syntaxes:
Resource User Attribute, Syntax, Attribute Type, Description
Description Case Ignore String String Text that describes the user.
Full Name Case Ignore String String The full name of a user.
Generational Qualifier Case Ignore String String Indicates a person’s generation. For example, Jr. or II.
Given Name Case Ignore String String The given (first) name of a user.
Group Membership Distinguished Name String A list of the groups to which the user belongs.
Internet EMail Address Case Ignore String String Specifies an Internet e-mail address.
Login Grace Limit Integer Int The total number of times an old password can be used (after the old password has expired) to access the account.
Password Unique Required Boolean Boolean Establishes that when a user password is changed, it must be different from those in the Passwords Used attribute.
The following table lists additional supported attributes that are defined in the NDS User object
class.
Account Balance Counter Int The amount of credit the user has to buy network services, such as connection time.
Allow Unlimited Credit Boolean Boolean Indicates whether the user account has unlimited credit for using network services.
Last Login Time Time String The login time of the session previous to the current session.
Login Allowed Time Map Octet String String The allowed login time periods for an account for each day of the week to a precision of one-half hour.
Login Disabled Boolean Int Informs the user that the account has been disabled.
Login Expiration Time Time String A date and time after which a client cannot log in.
Login Grace Remaining Counter Int The number of grace logins left before the account is locked.
Login Intruder Attempts Counter Int The number of failed login attempts that have occurred in the current interval.
Login Intruder Reset Time Time String The next time that the intruder attempts variable will be reset.
Login Time Time String The login time of the current session.
Minimum Account Balance Integer Int The minimum amount of credit (or money) a user must have in his or her account to access specified services.
Password Expiration Time Time String Specifies when the password will expire.
preferredLanguage Case Ignore String String The user’s preference for written or spoken language.
Profile Membership Distinguished Name String A list of profiles that the object can use.
roomNumber Case Ignore String String The user’s office or room number.
Security Flags Integer Int The NCP Packet Signature level of the object.
Timezone Octet String String The time zone offset for a user.
UID (User ID) Integer Int A unique user ID for use by UNIX clients.
■ Private Key
■ Server Holds
■ Type Creator Map
Organizational Unit  Create, update, delete  OU, Description, L, Facsimile Telephone Number, Telephone Number
Identity Template
The default identity template is
CN=$accountId$.O=MYORG
Sample Forms
This section lists the sample forms that are available for this resource adapter.
Built-In
These forms are built into Identity Manager:
■ NDS Group Create Form
■ NDS Group Update Form
■ NDS Create Organizational Unit Form
■ NDS Update Organizational Unit Form
■ NDS Create Organization Form
■ NDS Update Organization Form
Also Available
The NDSUserForm.xml form is also available.
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.NDSResourceAdapter
■ com.waveset.adapter.NDSSecretStoreResourceAdapter
■ com.waveset.adapter.AgentResourceAdapter
To make access to NDS through the Sun Identity Manager Gateway single-threaded or
serialized, set the following registry key and value in the
HKEY_LOCAL_MACHINE\SOFTWARE\Waveset\Lighthouse\Gateway node on the Gateway
machine:
Tracing can also be enabled on the following methods to diagnose problems connecting to the
gateway:
■ com.waveset.adapter.AgentResourceAdapter#sendRequest
■ com.waveset.adapter.AgentResourceAdapter#getResponse
Chapter 24: Oracle
Note – Identity Manager also provides an Oracle ERP resource adapter that supports Oracle
E-Business Suite (EBS). For detailed information about this adapter, see Chapter 25, “Oracle
ERP.”
Use this adapter to support user accounts for logging into Oracle. If you have a custom Oracle
table, see Chapter 10, “Database Table,” for information about using the Resource Adapter
Wizard to create a custom Oracle table resource.
Adapter Details
1 To add an Oracle resource to the Identity Manager resources list, you must add the following
value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.OracleResourceAdapter
2 If you are connecting to Oracle Real Application Clusters (RAC) using a thin driver, specify a
value in the following format in the Connection URL on the Resource parameters page:
jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)
(ADDRESS=(PROTOCOL=TCP)(HOST=host01)(PORT=1521))
(ADDRESS=(PROTOCOL=TCP)(HOST=host02)(PORT=1521))
(ADDRESS=(PROTOCOL=TCP)(HOST=host03)(PORT=1521))
(CONNECT_DATA=(SERVICE_NAME=PROD)))
3 If you are using the JDBC thin driver in an environment that does not use Oracle Real Application
Clusters, copy the JAR file that contains the JDBC thin driver classes to the $WSHOME$/WEB-INF/lib
directory. The JAR file must be compatible with the JDK version of your application server.
4 If you are using a different driver, specify the driver and connection URL on the Resource
Parameters page.
Usage Notes
This section describes dependencies and limitations related to using the Oracle resource
adapter, including information about user types and cascade deletes.
User Types
The Oracle database permits the following types of users:
■ Local. Local users are fully managed by Oracle and require a password. Oracle manages
these passwords as well. Therefore, the user name and password must fully comply with the
standards set within the application.
■ External. External users must be authenticated by the operating system or a third-party
application. Oracle relies on the login authentication to ensure that a specific operating
system user has access to a specific database user.
■ Global. Global users must be authenticated by a directory service, such as LDAP or Active
Directory. The user’s name must be specified as a full distinguished name (DN) or as a null
string. If a null string is used, the directory service will map authenticated global users to the
appropriate database features.
If you are managing external or global users, you should place the Oracle resource in a resource
group that also includes the machine upon which it is installed or the directory service.
Cascade Deletes
The noCascade account attribute indicates whether to perform cascade drops when deleting
users. By default, cascade drops are performed. To disable cascade drops:
4 Add a noCascade field to the user form so that the attribute can be disabled. For example:
<Field name=’global.noCascade’>
<Disable>
<s>TRUE</s>
</Disable>
</Field>
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager can use one of the following drivers to communicate with the Oracle adapter:
■ JDBC thin driver
■ JDBC OCI driver
■ Third-party drivers
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Rename account No
Before/after actions No
Account Attributes
The following table lists the Oracle database user account attributes. All attributes are Strings.
All attributes are optional.
oracleDefaultTS Name of the default tablespace for objects that the user creates.
oracleTempTSQuota The maximum amount of temporary tablespace the user can allocate. If the
attribute appears in the schema map, the quota is always set on the temporary
tablespace. If the attribute is removed from the schema map, no quota will be set
on the temporary tablespace. The attribute must be removed for adapters that
communicate with Oracle 10gR2 resources.
Identity Template
$accountId$
Sample Forms
Built-In
None
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.OracleResourceAdapter
■ com.waveset.adapter.JdbcResourceAdapter
Chapter 25: Oracle ERP
Note – Identity Manager also provides an Oracle resource adapter that supports Oracle
databases. For detailed information about this adapter, see Chapter 24, “Oracle.”
Adapter Details
1 To add an Oracle resource to the Identity Manager resources list, you must add the following
value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.OracleERPResourceAdapter
2 If you are connecting to Oracle Real Application Clusters (RAC) using a thin driver, specify a
value in the following format in the Connection URL on the Resource parameters page:
jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)
(ADDRESS=(PROTOCOL=TCP)(HOST=host01)(PORT=1521))
(ADDRESS=(PROTOCOL=TCP)(HOST=host02)(PORT=1521))
(ADDRESS=(PROTOCOL=TCP)(HOST=host03)(PORT=1521))
(CONNECT_DATA=(SERVICE_NAME=PROD)))
3 If you are using the JDBC thin driver in an environment that does not use Oracle Real Application
Clusters, copy the JAR file that contains the JDBC thin driver classes to the
$WSHOME$/WEB-INF/lib directory. The JAR file must be compatible with the JDK version of your
application server.
4 If you are using a different driver, specify the driver and connection URL on the Resource
Parameters page.
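The RAC Connection URL shown in step 2 of this procedure (and in the identical step of the Oracle chapter) is an Oracle Net connect descriptor wrapped in a JDBC prefix. The parser below, an added example that is not Oracle or Identity Manager code, reads that descriptor so the configured addresses, service name and load balancing can be checked before the resource parameters are saved. SAMPLE_URL is the page's own example value with its line breaks kept; the parser and the two check functions are assumptions of this example, not a documented API. The plaintext_addresses check goes a step beyond the text: it flags addresses whose PROTOCOL is TCP, where protection of the session depends on the native network encryption configuration discussed later in the chapter rather than on TLS.

```python
"""Added example (not Oracle or Identity Manager code): parse the thin-driver
connect-descriptor URL and summarize what it would connect to."""

from typing import List, Optional, Tuple, Union

PREFIX = "jdbc:oracle:thin:@"

# A descriptor node is (KEY, value) where value is a string or child nodes.
Node = Tuple[str, Union[str, List["Node"]]]

# The value shown in the procedure above, line breaks included.
SAMPLE_URL = """jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)
(ADDRESS=(PROTOCOL=TCP)(HOST=host01)(PORT=1521))
(ADDRESS=(PROTOCOL=TCP)(HOST=host02)(PORT=1521))
(ADDRESS=(PROTOCOL=TCP)(HOST=host03)(PORT=1521))
(CONNECT_DATA=(SERVICE_NAME=PROD)))"""


def _skip_ws(s: str, i: int) -> int:
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _parse_node(s: str, i: int) -> Tuple[Node, int]:
    """Parse '(KEY=value)' or '(KEY=(child)(child)...)' starting at s[i];
    returns the node and the index just past its closing parenthesis."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    eq = s.find("=", i)
    if eq < 0:
        raise ValueError("missing '=' after offset %d" % i)
    key = s[i + 1:eq].strip()
    i = _skip_ws(s, eq + 1)
    if i < len(s) and s[i] == "(":
        children: List[Node] = []
        while i < len(s) and s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
            i = _skip_ws(s, i)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced parentheses inside %r" % key)
        return (key, children), i + 1
    close = s.find(")", i)
    if close < 0:
        raise ValueError("unterminated value for %r" % key)
    return (key, s[i:close].strip()), close + 1


def parse_thin_url(url: str) -> Node:
    if not url.startswith(PREFIX):
        raise ValueError("not a thin-driver descriptor URL")
    body = url[len(PREFIX):].strip()
    node, end = _parse_node(body, 0)
    if _skip_ws(body, end) != len(body):
        raise ValueError("trailing data after the descriptor")
    return node


def _children(node: Node, key: str) -> List[List[Node]]:
    """All child lists of the sub-elements named key (case-insensitive)."""
    if not isinstance(node[1], list):
        return []
    return [v for k, v in node[1] if k.upper() == key and isinstance(v, list)]


def _leaf(children: List[Node], key: str) -> Optional[str]:
    for k, v in children:
        if k.upper() == key and isinstance(v, str):
            return v
    return None


def summarize(url: str) -> dict:
    desc = parse_thin_url(url)
    if desc[0].upper() != "DESCRIPTION":
        raise ValueError("top-level element must be DESCRIPTION")
    addresses = []
    for addr in _children(desc, "ADDRESS"):
        port = _leaf(addr, "PORT")
        addresses.append((_leaf(addr, "PROTOCOL"), _leaf(addr, "HOST"),
                          int(port) if port else None))
    connect = _children(desc, "CONNECT_DATA")
    service = _leaf(connect[0], "SERVICE_NAME") if connect else None
    lb = _leaf(desc[1], "LOAD_BALANCE") or ""
    return {"load_balance": lb.lower() == "on",
            "addresses": addresses, "service_name": service}


def plaintext_addresses(url: str) -> List[Tuple[Optional[str], Optional[int]]]:
    """Addresses using PROTOCOL=TCP rather than TCPS."""
    return [(h, p) for proto, h, p in summarize(url)["addresses"]
            if (proto or "").upper() == "TCP"]
```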
The Oracle ERP adapter supports Oracle E-Business Suite (EBS) version 11.5.9 without further
modification; however, the following additional changes are required to support EBS version
11.5.10 and 12:
5 Delete the responsibilities account attribute from the schema map and add the
directResponsibilities and indirectResponsibilities attributes.
6 Add the following properties to the FormRef attribute of any Oracle ERP user form:
■ RESOURCE_NAME. Specifies the ERP resource name.
■ VERSION. Specifies the version of the ERP resource. Allowed values are 11.5.9, 11.5.10,
and 12.
■ RESP_DESCR_COL_EXISTS. Defines whether the description column exists in the
fnd_user_resp_groups_direct table. This property is required if VERSION is 11.5.10 or 12.
Allowed values are TRUE and FALSE.
For example, the Tabbed User Form may need to be modified in a manner similar to the
following to support EBS version 12.
Usage Notes
This section describes resource parameters that are applicable for the Oracle ERP adapter,
including
The Oracle ERP adapter supports functional security only. Therefore, the adapter cannot list,
create, update, or delete Oracle data objects, object instances, or instance sets. Nor does the
adapter create or manage role objects, role hierarchies, or role categories.
Note – The Oracle Server must also be configured to support this type of encryption.
For more information about the supported algorithms, refer to the Oracle Advanced Security
Administrator’s Guide. See the SQLNET.ENCRYPTION_TYPES_CLIENT section for a list of
valid values for the thin JDBC client.
You must also configure the Oracle Server to support this type of encryption.
If the Identity Manager Oracle EBS Admin user has a valid EBS system account and has a
responsibility that matches the value of this parameter, the Oracle session created during
connection enables the user’s actions to be audited using the Oracle EBS auditing mechanism.
For example, the created_by and last_updated_by fields of the fnd_user table objects will
be updated correctly with the user ID of the Identity Manager Oracle EBS Admin user.
2 Enter a search pattern to narrow the choices of available attributes in the Enter Securing
Attribute Search Pattern text box. Use the % character as a wild card. Then click the Load
Securing Attributes button. This will load the attributes into the Oracle Securing Attributes
select box.
3 Select an attribute from the drop-down menu, and it will be added to the Securing Attributes
table.
You can remove securing attributes by selecting the attribute to be removed from the table and
clicking the Remove Selected Securing Attribute button.
Enabling Users
Enabling an Oracle EBS user requires the value of the owner attribute to be specified. The value
CUST is used by default unless the value is specifically added to the Enable form and sent through
the Enable view. The following code example changes the default owner to MYOWNER:
<Field name='resourceAccounts.currentResourceAccounts[MyOracleERP].attributes.owner' type='string'>
<Display class='Text'>
<Property name='title' value='Owner'/>
</Display>
<Default>
<s>MYOWNER</s>
</Default>
</Field>
The following code sample adds a field to the user form that returns active responsibilities. You
must replace USER_NAME and RESOURCE_NAME with valid values. auditorResps may be
replaced with responsibilities, directResponsibilities, or indirectResponsibilities.
Auditing Responsibilities
To audit the sub-items (such as forms and functions) of responsibilities assigned to users, add
the auditorObject to the schema map. auditorObject is a complex attribute that contains a
set of responsibility objects. The following attributes are always returned in a responsibility
object:
■ responsibility
■ userMenuNames
■ menuIds
■ userFunctionNames
■ functionIds
■ formIds
■ formNames
■ userFormNames
■ readOnlyFormIds
■ readWriteOnlyFormIds
■ readOnlyFormNames
■ readOnlyUserFormNames
■ readWriteOnlyFormNames
■ readWriteOnlyUserFormNames
■ functionNames
■ readOnlyFunctionNames
■ readWriteOnlyFunctionNames
Note – readOnly and readWrite attributes are identified by querying the PARAMETERS
column in the fnd_form_functions table for one of the following:
■ QUERY_ONLY=YES
■ QUERY_ONLY="YES"
■ QUERY_ONLY = YES
■ QUERY_ONLY = "YES"
■ QUERY_ONLY=Y
■ QUERY_ONLY="Y"
■ QUERY_ONLY = Y
■ QUERY_ONLY = "Y"
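The eight spellings above are the same flag written with or without quotes and with or without spaces around the equals sign. The following Python is an added example, not adapter code, that classifies a PARAMETERS value the way the note describes and splits a set of form functions into read-only and read-write names; it accepts any amount of whitespace around the equals sign, which is a generalization of the listed forms. The function names and PARAMETERS values are constructed for the example.

```python
import re

# Regex for the QUERY_ONLY spellings listed in the note: QUERY_ONLY=YES, QUERY_ONLY="YES",
# QUERY_ONLY=Y, QUERY_ONLY="Y", with or without spaces around '='.  Accepting any run of
# whitespace around '=' is a generalization of the eight listed forms, not something the
# adapter documentation states.  The lookarounds keep XQUERY_ONLY=YES and
# QUERY_ONLY=YESTERDAY from matching.
_QUERY_ONLY_RE = re.compile(r'(?<![A-Z0-9_])QUERY_ONLY\s*=\s*"?(?:YES|Y)"?(?![A-Z0-9_"])')


def is_query_only(parameters):
    """Return True when a PARAMETERS value marks a form function as query-only (read-only)."""
    if parameters is None:          # PARAMETERS is nullable in fnd_form_functions
        return False
    return _QUERY_ONLY_RE.search(parameters) is not None


def partition_functions(rows):
    """Split (function_name, parameters) rows into (read_only_names, read_write_names),
    mirroring the readOnlyFunctionNames / readWriteOnlyFunctionNames split."""
    read_only, read_write = [], []
    for name, parameters in rows:
        (read_only if is_query_only(parameters) else read_write).append(name)
    return read_only, read_write


# Constructed sample rows standing in for a query against fnd_form_functions; the function
# names and parameter strings are invented for this example.
SAMPLE_FUNCTIONS = [
    ("FUNC_A", "QUERY_ONLY=YES"),
    ("FUNC_B", "MODE=UPDATE"),
    ("FUNC_C", 'MODE=INQ QUERY_ONLY = "Y"'),
    ("FUNC_D", "QUERY_ONLY=NO"),
    ("FUNC_E", None),
    ("FUNC_F", "QUERY_ONLY=YESTERDAY"),
]

if __name__ == "__main__":
    ro, rw = partition_functions(SAMPLE_FUNCTIONS)
    print("read-only:", ro)
    print("read-write:", rw)
```

Running the block prints FUNC_A and FUNC_C as read-only and the rest as read-write; FUNC_D and FUNC_F show why a plain substring search for QUERY_ONLY would over-count read-only functions.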
If the Return Set of Books and/or Organization resource parameter is set to TRUE, the
following attributes are also returned:
■ setOfBooksName
■ setOfBooksId
■ organizationalUnitName
■ organizationalUnitId
The auditorResps[] view provides access to the responsibility attributes. The following form
snippet returns all the active responsibilities (and their attributes) assigned to a user.
<defvar name='audObj'>
<invoke name='get'>
<ref>accounts[Oracle ERP 11i VIS].auditorObject</ref>
</invoke>
</defvar>
<!-- this returns list of responsibility objects -->
<defvar name='respList'>
<invoke name='get'>
<ref>audObj</ref>
<s>auditorResps[*]</s>
</invoke>
</defvar>
For example:
■ auditorResps[0].responsibility returns the name of the first responsibility object.
Every action script receives an actionContext map, as defined by the java.util.Map class. The
possible map content varies for each action.
Scripts should never close the JDBC Connection that is passed to them. The adapter
automatically closes the connection at the appropriate time.
See Chapter 50, “Adding Actions to Resources,” for more information about implementing
resource actions. Example scripts are provided in $WSHOME/sample/OracleERPActions.xml.
password java.lang.String If present, this value is the new user’s decrypted password
Error Handling
Any throw from within the script is considered a failure.
If the script encounters any errors, the script may also add appropriate strings to the errors
key. The presence of any items in the errors List is considered a creation failure.
Error Handling
Any throw from within the script is considered a failure.
If the script encounters any errors, the script may add the appropriate strings to the errors key.
The presence of any items in the errors List is considered an update failure.
Error Handling
Any throw from within the script is considered a failure.
If the script encounters any errors, the script may add appropriate strings to the errors key.
The presence of any items in the errors List is considered a deletion failure.
Error Handling
Any throw from within the script is considered a failure.
If the script encounters any errors, the script may add the appropriate strings to the errors key.
The presence of any items in the errors List is considered a failure.
Error Handling
Any throw from within the script is considered a failure.
If the script encounters any errors, the script may add the appropriate strings to the errors key.
The presence of any items in the errors List is considered a failure.
The actionContext map passed to the action contains the following entries:
Error Handling
Any throw from within the script is considered a failure.
If the script encounters any errors, it may add appropriate strings to the errors key. The
presence of any items in the errors List is considered a fetch failure.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager can use one of the following drivers to communicate with the Oracle adapter:
■ JDBC thin driver
■ JDBC OCI driver
■ Third-party drivers
Because some of the Oracle Application stored procedures used for provisioning require
passwords to be passed to them unencrypted, you should implement encrypted
communications between Identity Manager and the Oracle application resource.
Read the Oracle publication Oracle Advanced Security Administrator’s Guide and your
JDBC driver’s documentation to validate the level of encryption support that your specific
version of Oracle RDBMS and driver provides.
Note – The administrator must be able to run the select command for all tables. In addition, the
administrator must be able to update the apps.fnd_user table.
Tables:
■ apps.ak_attributes
■ apps.ak_attributes_tl
■ apps.ak_web_user_sec_attr_values
■ apps.fnd_application
■ apps.fnd_application_tl
■ apps.fnd_application_vl
■ apps.fnd_profile
■ apps.fnd_responsibility
■ apps.fnd_responsibility_vl
■ apps.fnd_security_groups
■ apps.fnd_security_groups_tl
■ apps.fnd_security_groups_vl
■ apps.fnd_user
■ apps.fnd_user_resp_groups
■ apps.icx_parameters
Stored procedures:
■ apps.app_exception.raise_exception
■ apps.fnd_global.apps_initialize
■ apps.fnd_global.user_id
■ apps.fnd_message.get
■ apps.fnd_message.get_token
■ apps.fnd_message.set_name
■ apps.fnd_message.set_token
■ apps.fnd_profile.get
■ apps.fnd_user_pkg.AddResp
■ apps.fnd_user_pkg.CreateUser
■ apps.fnd_user_pkg.DisableUser
■ apps.fnd_user_pkg.DelResp
■ apps.fnd_user_pkg.UpdateUser
■ apps.fnd_user_pkg.user_synch
■ apps.fnd_user_pkg.validatelogin
■ apps.fnd_user_resp_groups_api.assignment_exists
■ apps.fnd_user_resp_groups_api.insert_assignment
■ apps.fnd_user_resp_groups_api.update_assignment
■ apps.fnd_web_sec.change_password
■ apps.fnd_web_sec.create_user
■ apps.fnd_web_sec.validation_login
■ apps.icx_user_sec_attr_pub.create_user_sec_attr
■ apps.icx_user_sec_attr_pub.delete_user_sec_attr
Note – The adapter might access additional tables and stored procedures. Refer to the Oracle
E-business Suite documentation for additional information.
Oracle states that the Oracle EBS system, including the fnd_user_pkg stored procedures, was
designed to be administered as the APPS user. Oracle does NOT recommend creating an
alternate administrative user. However, if you need to manage Oracle EBS with a user other
than APPS, contact Oracle for guidance.
The alternate administrative user must be granted the same access as the APPS user has to all
Oracle data, including tables, views, and stored procedures.
The user will also need synonyms set up so the user will have access to the tables that the APPS
user has access to. If a different user is used and the appropriate grants and synonyms have not
been created for the user, the following error might be encountered:
Add the appropriate grants and synonyms to correct the error. A sample SQL*Plus script is
located in the following directory:
$WSHOME/sample/other/CreateLHERPAdminUser.oracle.
You can modify this script as necessary and use it to create an alternative Oracle EBS Admin
user. Usage instructions are documented in the comments at the beginning of the script.
For pass-through authentication only, authority is needed to run the following SQL command:
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter. The adapter does
not issue any direct table updates during any supported provisioning operation.
Feature Supported?
Assign indirect responsibilities. No. Indirect responsibilities can be read, but not assigned.
Rename accounts. No
Account Attributes
Default Attribute
The following table lists the default Oracle ERP account attributes. All attributes are optional.
password_accesses_left (string): The number of times the user can use the current password.
password_lifespan_accesses (string): The number of accesses over the life of the password.
responsibilities (string): The names of the responsibilities assigned to the user. Valid for
Oracle EBS 11.5.9 only. Use the sysdate or SYSDATE keyword with to_date to specify
an expiration date for a responsibility with the local time of the Oracle EBS server.
responsibilityKeys (string): The keys associated with the user’s list of responsibilities.
directResponsibilities (string): Returns the user’s direct responsibilities. Valid for 11.5.10 only.
indirectResponsibilities (string): Returns the user’s indirect responsibilities. Valid for 11.5.10
only.
Additional Attributes
The Oracle ERP adapter allows you to add several read-only attributes that Identity Manager
can use to audit changes to responsibilities. The values returned in the auditorResps attribute
are the active responsibilities for that user. Except for auditorObject, all other attributes listed in
the following table are aggregates of each responsibility’s sub-items, minus any menu and
function exclusions that may exist.
The auditorObject attribute may be added as well. See “Auditing Responsibilities” on page 266
for details about this attribute.
The following table lists attributes that may be added to the schema map.
Attribute Description
The Oracle ERP adapter can support any additional custom attributes by using before and after
actions for create and update, and by using a custom getUser action. See “Using Resource
Actions” on page 269 for more information.
Identity Template
$accountId$
Sample Forms
Built-In
None
Also Available
OracleERPUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.OracleERPResourceAdapter
■ com.waveset.adapter.JdbcResourceAdapter
■ com.waveset.adapter.JActionUtil (if using before/after actions)
OS/400
Adapter Details
None.
1 Download version 2.03 of the JTOpen product from the following URL:
http://jt400.sourceforge.net
2 Unzip the JTOpen file and follow the installation instructions. Be sure to place library files in the
correct location and to set the environment variables as directed.
You must contact IBM to obtain the jt400.jar file.
4 To add an OS/400 resource to the Identity Manager resources list, you must add the following
value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.OS400ResourceAdapter
Usage Notes
Identity Manager supports three options for handling OS/400 objects that are associated with
an account on an OS/400 resource. To enable this specialized support, you must use the
OS400Deprovision form that is located in the Identity Manager sample directory. You must
also edit the system configuration object. Instructions for editing this object are included in
comments in the OS400Deprovision form. Once enabled, these options appear on the Delete
Resource Accounts page when you choose to delete a user’s OS/400 resource account.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager may use Secure Sockets Layer (SSL) to communicate with the OS/400
adapter. If so, the following product must be implemented:
■ SSL objects delivered in a V5R1 or later version of IBM iSeries Client Encryption licensed
program 5722-CE2 or 5722-CE3.
This program contains the SSLight package, which is necessary for SSL connections from
Identity Manager through the Java Toolbox installation on the OS/400 resource.
■ CRT: To add an OS/400 user, the administrator must have (1) *SECADM special authority,
(2) *USE authority to the initial program, initial menu, job description, message queue,
output queue, and attention-key-handling program if specified, and (3) *CHANGE and
object management authorities to the group profile and supplemental group profiles, if
specified.
■ CHG: To change a user profile, the administrator must have *SECADM special authority,
and *OBJMGT and *USE authorities to the user profile being changed. *USE authority to the
current library, program, menu, job description, message queue, print device, output queue,
or ATTN key handling program is required to specify those parameters.
■ DLT: The user must have use (*USE) and object existence (*OBJEXIST) authority to the
user profile. The user must have existence, use, and delete authorities to delete a message
queue associated with and owned by the user profile. The user profile cannot be deleted if a
user is currently running under the profile, or if it owns any objects and
OWNOBJOPT(*NODLT) is specified. All objects in the user profile must first either be
transferred to new owners by using the Change Object Owner (CHGOBJOWN) command
or be deleted from the system. This can also be accomplished by specifying
OWNOBJOPT(*DLT) to delete the objects or OWNOBJOPT(*CHGOWN
user-profile-name) to change the ownership. Authority granted to the user does not have to
be specifically revoked by the Revoke Object Authority (RVKOBJAUT) command; it is
automatically revoked when the user profile is deleted.
■ DSP: The user name can be specified as USRPRF(*ALL) or USRPRF(generic*-user-name)
only when TYPE(*BASIC) and OUTPUT(*OUTFILE) are specified.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Rename account No
Pass-through authentication No
Account Attributes
The following table provides information about OS/400 account attributes. All attributes are
strings, unless indicated otherwise.
HIGHEST_SCHEDULING_PRIORITY
Identity Template
$accountId$
Sample Forms
OS400UserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.OS400ResourceAdapter
PeopleSoft Component
The PeopleSoft Component adapter supports PeopleTools with HRMS, using the PeopleSoft
Component interface. This adapter is read-only. You cannot use this adapter to create or
modify PeopleSoft accounts. This adapter uses Active Sync to load account information into
Identity Manager.
Adapter Details
Follow these steps to configure PeopleSoft for use with Identity Manager:
■ Step 1: Create the New Project
■ Step 2: Edit Identity Manager Objects
■ Step 3: Build the Project
■ Step 4: Manually Execute the audittrigger Script
■ Step 5: Enable Auditing on Selected Tables
■ Step 6: Configure PeopleTools
■ Step 7: Prune the Audit Log
1 Create a new project in the Application Designer by selecting the File—>New menu. Then select
Project from the list.
2 Name the project by performing a save. Use the File—>Save Project As... menu, and enter a
unique name for the project, such as “IDM”.
3 Create the objects within the project by performing the tasks listed in “Step 2: Edit Identity
Manager Objects” on page 290.
You must create these objects within the Application Designer. Each of these objects is
described in detail below.
Fields
Create the following fields:
■ AUDIT_PROC_ORDER. Set the field type to Character and set the length to 20.
■ AUDIT_PROC_END. Set the field type to Character and set the length to 20.
■ AUDIT_PROC_DATE. Set the field type to Date
5 Save the field by selecting File— > Save. Assign it the name AUDIT_PROC_ORDER.
6 Select Insert— > Current Definition to add the field to the project
Records
There are three records (two views and one table) that must be defined within the Application
Designer. The following record descriptions illustrate a typical implementation. The records
can be customized to the needs of the implementation by adding or changing fields.
AUDIT_EFFDT_LH View
The AUDIT_EFFDT_LH view is polled by the PeopleSoft Active Sync resource adapter.
Identity Manager uses the following fields to query for events that have not yet been processed:
■ AUDIT_PROC_ORDER. This field must specify the Key, Search Key, List Box Item, and
From Search Field keys.
■ AUDIT_PROC_END. This field must specify the Key, Search Key, List Box Item, and
Through Search Field fields.
■ EMPLID and EMPL_RCD. These are required non-key properties that are used by an
Identity Manager query to fetch employee data.
The following table describes the Use Display characteristics of the AUDIT_EFFDT_LH view:
Field Name Type Key Ordr Dir Srch List Sys Default
AUDIT_STAMP DtTm No No No
AUDIT_OPRID Char No No No
AUDIT_ACTN Char No No No
AUDIT_RECNAME Char No No No
EMPL_RCD Nbr No No No
The final line in this SQL code sample prevents Identity Manager from seeing operations with
effective dates until the effective date has arrived.
AUDIT_PRS_DATA Table
The following table describes the Use Display characteristics of the AUDIT_PRS_DATA view:
Field Name Type Key Ordr Dir Srch List Sys Default
EMPL_RCD Nbr No No No
PERS_SRCH_LH View
The PERS_SRCH_LH view must contain the EMPLID and EMPL_RCD fields, with the Key,
Search Key, and List Box Item keys selected. All other fields provide the data that is
synchronized with Identity Manager. It is up to the PeopleSoft Active Sync form to map this
data into the Identity Manager user account.
The following table describes the Use Display characteristics of the PERS_SRCH_LH view:
Note – For your convenience, the peoplesoft/idm.zip file on the installation media contains an
SQL script file named pers_srch_lh.sql that duplicates the following SQL code.
SELECT P.EMPLID
,A.EMPL_RCD
,P.NAME
,P.LAST_NAME_SRCH
,A.SETID_DEPT
,A.DEPTID
,P.ADDRESS1
,A.EMPL_STATUS
,P.FIRST_NAME
,P.LAST_NAME
,P.MIDDLE_NAME
,A.REPORTS_TO
,A.JOBCODE
,A.COMPANY
,P.NAME_INITIALS
,P.COUNTRY
,P.PHONE
,P.CITY
,P.STATE
,P.POSTAL
FROM PS_Job A
, PS_PERSONAL_DATA P
WHERE A.EMPLID = P.EMPLID
AND A.EffDt = (
SELECT MAX(C.EffDt)
FROM PS_Job C
WHERE C.EmplID = A.EmplID
AND C.EMPL_RCD = A.EMPL_RCD
AND C.EffDt <= %CurrentDateIn)
AND A.EffSeq = (
SELECT MAX(D.EffSeq)
FROM PS_Job D
WHERE D.EmplID = A.EmplID
AND D.EMPL_RCD = A.EMPL_RCD
AND D.EffDt = A.EffDt)
The WHERE clause returns the current employee record for the given employee ID. PeopleSoft
allows multiple records for a given employee, each of which has its own effective date/effective
sequence. This clause returns the record whose effective date/effective sequence pair is the latest
out of all those that are already effective (whose effective date has occurred).
The WHERE clause returns null for an employee whose sunrise date is in the future.
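The effective-date selection above is worth seeing on data. The following Python is an added example, not part of the PeopleSoft project or the adapter, that loads constructed PS_JOB and PS_PERSONAL_DATA rows into an in-memory SQLite database and runs the same two correlated subqueries. The PeopleTools meta-SQL token %CurrentDateIn is replaced with a bound parameter, an assumption made so the query can be run outside PeopleSoft, and the column list is trimmed to a few fields. Employee IDs, names and job codes are invented.

```python
import sqlite3

# The PERS_SRCH_LH WHERE clause from the page, rewritten for SQLite.  %CurrentDateIn is
# PeopleTools meta-SQL for "today", so it is bound as :as_of here (assumption for this example).
CURRENT_RECORD_SQL = """
SELECT P.EMPLID, A.EMPL_RCD, P.NAME, A.JOBCODE, A.EMPL_STATUS
  FROM PS_JOB A, PS_PERSONAL_DATA P
 WHERE A.EMPLID = P.EMPLID
   AND A.EFFDT = (SELECT MAX(C.EFFDT) FROM PS_JOB C
                   WHERE C.EMPLID = A.EMPLID AND C.EMPL_RCD = A.EMPL_RCD
                     AND C.EFFDT <= :as_of)
   AND A.EFFSEQ = (SELECT MAX(D.EFFSEQ) FROM PS_JOB D
                    WHERE D.EMPLID = A.EMPLID AND D.EMPL_RCD = A.EMPL_RCD
                      AND D.EFFDT = A.EFFDT)
 ORDER BY P.EMPLID
"""


def build_sample_db():
    """In-memory PS_JOB / PS_PERSONAL_DATA with constructed rows (IDs, names and job codes
    are invented for this example).  Dates are ISO strings so they compare correctly as text."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE PS_PERSONAL_DATA (EMPLID TEXT, NAME TEXT);
        CREATE TABLE PS_JOB (EMPLID TEXT, EMPL_RCD INTEGER, EFFDT TEXT, EFFSEQ INTEGER,
                             JOBCODE TEXT, EMPL_STATUS TEXT);
        INSERT INTO PS_PERSONAL_DATA VALUES ('1001', 'Example, Alice'), ('2002', 'Example, Bob');
        -- 1001: hired 2020, two rows dated 2021-06-01 (EFFSEQ 0 and 1), termination dated 2030
        INSERT INTO PS_JOB VALUES ('1001', 0, '2020-01-01', 0, 'J100', 'A');
        INSERT INTO PS_JOB VALUES ('1001', 0, '2021-06-01', 0, 'J200', 'A');
        INSERT INTO PS_JOB VALUES ('1001', 0, '2021-06-01', 1, 'J250', 'A');
        INSERT INTO PS_JOB VALUES ('1001', 0, '2030-01-01', 0, 'J900', 'T');
        -- 2002: future hire, no row is effective before 2030-05-01
        INSERT INTO PS_JOB VALUES ('2002', 0, '2030-05-01', 0, 'J300', 'A');
    """)
    return conn


def current_employee_records(conn, as_of):
    """Return the effective PS_JOB row per employee as of the ISO date as_of, one dict per row.
    An employee whose earliest EFFDT is after as_of yields no row: MAX(EFFDT) is NULL for
    them, and A.EFFDT = NULL is never true."""
    cur = conn.execute(CURRENT_RECORD_SQL, {"as_of": as_of})
    return [{k: row[k] for k in row.keys()} for row in cur.fetchall()]


if __name__ == "__main__":
    db = build_sample_db()
    for row in current_employee_records(db, "2024-01-15"):
        print(row)
```

As of 2024-01-15 only employee 1001 is returned, with JOBCODE J250: the 2021-06-01 row with the highest EFFSEQ wins over the same-day EFFSEQ 0 row, and the 2030 rows are invisible until their dates arrive. Moving as_of to 2030-06-01 surfaces both the termination row for 1001 and the future hire 2002.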
Pages
The Identity Manager project must also contain the following pages for the Component
interface only:
■ LH_AUDIT_EFFDT
■ LH_EMPLOYEE_DATA
LH_AUDIT_EFFDT
The LH_AUDIT_EFFDT page contains fields defined in the AUDIT_EFFDT_LH table. This
page is not displayed on the PeopleSoft GUI. Therefore, the layout and ordering of the fields is
not important.
The following table describes the Use Display characteristics of the LH_AUDIT_EFFDT page.
All items are defined in the AUDIT_EFFDT_LH record.
LH_EMPLOYEE_DATA
The LH_EMPLOYEE_DATA page is the container for the fields defined in the
PERS_SRCH_LH view. All items are defined in the PERS_SRCH_LH record.
The following table describes the Use Display characteristics of the LH_EMPLOYEE_DATA
page:
Components
Components are the bridge between pages and menus. Once you have created your pages, you
must add them to one or more components to use them on menus or in business processes.
2 Select Insert— > Page Into Component.... Specify the name as LH_AUDIT_EFFDT.
3 Select File— > Definition/Object Properties. Then go to Use and Search Record
AUDIT_EFFDT_LH
Component Interfaces
A component interface is a PeopleTools object that exposes a PeopleSoft component for
synchronous access from another application, such as Identity Manager. Create a separate
component interface for each component you created. The default names for the Component
Interfaces are LH_AUDIT_EFFDT_COMP_INTF and LH_EMPLOYEE_COMP_INTF. These
values can be modified on the General Active Sync Settings page of the Active Sync Wizard.
2 In the Build Options area, select the Create Tables and Create Views options. In the Build Execute
Options area, select the Execute SQL now option.
6 In the Logging Level area, select the Fatal errors, warnings and information messages option.
8 Click OK, and then click Build to build the project and to create views and tables.
Application Designer may display a warning message similar to the following:
Potentially data destructive settings are active. Continue the build process?
Note – After importing and building the project, you must test the components in Application
Designer. The reliability of the import project feature within PeopleSoft varies from release to
release. Therefore, validation of the objects is very important.
Note – The audittrigger.oracle script is available only for Oracle. If you are using a different
database, convert the script to run on that database.
The audittrigger.oracle script or its equivalent must be run every time you rebuild the
PeopleSoft project.
3 Select Record from the Object type menu, and then type JOB in the Name field.
5 Select File—>Properties to open the record properties, and then click the Use tab.
7 In the Audit Options area, select the Add, Change, and Delete options. Leave the Selective
option unchecked.
Repeat these steps for the PERSONAL_DATA table and other tables that will be triggers for data
synchronization.
Note – For more information, see “Creating Record Definitions” in the Application Designer
documentation.
Component Interfaces
Use of component interfaces must be authorized.
1 Log in to the PeopleTools browser-based GUI and navigate to Home— > People Tools— >
Maintain Security— > Use— > Permission Lists. (For Peoplesoft 9, this path is Home—>People
Tools—>Security—>Permissions & Roles—>Permission List.)
2 Select the Add a New Value link and enter a value such as LH_ALL.
3 Click on the right arrow in the tabs section near the top of the page until the Component
Interface tab is displayed. Then click on the Component Interface tab.
6 Click the Full Access button to enable full access for all the methods, or use the drop-down
menus to assign access for individual methods. Click OK to return to the Permission Lists page.
1 Navigate to Home— > People Tools— > Maintain Security— > Use— > Roles. (For Peoplesoft 9,
the path is Home-> People Tools-> Security-> Permissions & Roles-> Roles.)
2 Select the Add a New Value link and enter a value such as LH_ROLE.
1 Navigate to Home— > People Tools— > Maintain Security— > Use— > User Profiles. (For
Peoplesoft 9, the path is Home—> People Tools—> Security—> User Profiles—> User Profiles.)
2 Enter an existing user ID. This user can be specified as the user on the Resource Parameters page
in Identity Manager.
Note – You can also create a new user. Refer to the PeopleSoft documentation for more
information about the requirements of a user account.
1 Copy the psjoa.jar file from the PeopleSoft installation media to the
InstallDir\idm\WEB-INF\lib directory.
The version number of the jar file must match the version of PeopleSoft.
2 To add this resource to the Identity Manager resources list, you must add the following value in
the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.PeopleSoftComponentActiveSyncAdapter
Usage Notes
This section provides information related to using the PeopleSoft Component resource adapter,
including:
■ “Controlling Hosts in a Cluster” on page 302
■ “Active Sync Configuration” on page 302
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses the Client Connection Toolkit (Sync Only) to communicate with this
adapter.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Create account No
Update account No
Delete account No
Enable/disable account No
Password update No
Rename account No
Pass-through authentication No
Before/after actions No
Account Attributes
The following table provides information about the PeopleSoft Component Active Sync adapter
account attributes.
AUDIT_OPRID (resource attribute AUDIT_OPRID): The operator who caused the system to
trigger the audit.
PS_EMPL_STATUS, shown as Status on the AS adapter (resource attribute EMPL_STATUS):
The status of the employee, such as Active, Suspended, or Terminated.
Job Title (resource attribute JOBCODE): A code that identifies the user’s job title.
Identity Template
$accountId$
Sample Forms
PeopleSoftForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.PeopleSoftComponentActiveSyncAdapter
This resource adapter manages data in PeopleSoft through component interfaces. It can also
manage additional PeopleSoft applications (such as HR and Financials) if these applications are
installed on a system with a supported version of PeopleTools.
Adapter Details
To delete accounts, the custom component interface must support the following methods:
■ Get
■ Save
In addition, the user specified on the Resource Parameters page must have permission to
execute the methods of the invoked component interfaces.
1 Copy the following file from the PeopleSoft installation media to the $WSHOME/WEB-INF/lib
directory:
psjoa.jar
Note – The version of the psjoa.jar must match the version of your installed PeopleSoft system.
2 To add this resource to the Identity Manager resources list, you must add the following value in
the Custom Resources section of the Configure Managed Resources page:
com.waveset.adapter.PeopleSoftCompIntfcAdapter
Usage Notes
The PeopleSoft Component Interface adapter accomplishes user provisioning by invoking
methods and setting properties on PeopleSoft component interfaces. Component interface
definitions are assigned in the PeopleSoft Component Interface configuration object. This
object can be modified through the debug pages or with the Identity Manager IDE. You can
also edit a copy of the
$WSHOME/sample/PeopleSoftComponentInterfaces.xml file and load that file into Identity
Manager.
For more information about configuring and implementing component interfaces with this
adapter, see the following sections:
■ “Component Interface Map Definitions” on page 308
■ “Adding FIND Method Support to the USER_PROFILE Component Interface” on page 311
■ “PeopleSoft Component Interface Resource Objects” on page 312
Each available component interface has its own definition. Key elements of a component
interface definition include:
■ name. The label of a component interface. It often matches the value of the
componentInterface attribute, but this is not a requirement. The value will be displayed in
the drop-down menu on the adapter’s Resource Parameters page.
■ componentInterface attribute. The name of the component interface, as defined in
PeopleSoft.
■ getKey attribute. The name of the component interface property that is set when
performing a PeopleSoft GET operation. If getKey is not defined, then the key attribute is
used instead.
■ findKey attribute. The name of the component interface property that is set when
performing a PeopleSoft FIND operation. If findKey is not defined, then the key attribute is
used instead.
■ createKey attribute. The name of the component interface property that is set when
performing a PeopleSoft CREATE operation. If createKey is not defined, then the key
attribute is used instead.
■ key attribute. Deprecated. Use getKey, findKey, or createKey instead.
■ properties attribute. A list of properties that can be read or set from the PeopleSoft
component interface.
Each Object in the properties list must have the following attribute:
■ name. The name of the property. This must match exactly with the name of a property
exposed by the PeopleSoft component interface identified by the componentInterface
property. The names of the properties are candidates to be listed as resource user
attributes on the Account Attributes page.
If this is a collection property, then you must define additional attributes. A collection
property defines its key property and its own nested set of simple and/or complex
properties:
■ isCollection attribute. If the property is a collection, then set this to true.
■ key attribute. If the property is a collection, set this to the name of the property that
uniquely identifies each item of the collection.
■ properties attribute. The list of properties that can be read/set for each item of the
collection. To support arbitrary complexity, each member of this list is an Object with
the same allowed attributes as the parent. That is, it can contain its own name,
isCollection, key, and properties attributes.
■ disableRule attribute. An Object that defines the logic to compute and set the user disable
state. This attribute contains the following attributes:
■ property attribute. The property to check. The value must be listed in the properties
attribute for the componentInterface object.
■ trueValue attribute. A value that indicates the user is disabled.
■ supportedObjectTypes attribute. A list of Identity Manager resource object types that can
be accessed through the adapter. Each object defines a set of features.
■ features attribute. A list of supported features. Possible feature types include view, get,
list, find, create, saveas, update, rename, and delete.
The default USER_PROFILE component interface definition is used to perform create, read, and
update actions. The key and findKey attributes are set to UserID, because the USER_PROFILE
component interface assigns the UserID field for the GETKEYS and FINDKEYS keys.
The default definition for the USER_PROFILE component interface does not define all of the
possible properties. It has been simplified to include those used in the sample user form. If you
need to add more resource user attributes to the Account Attributes page, then the component
interface definition must be updated first. A resource user attribute cannot be added to that
page unless it is listed in the component interface definition.
Most properties defined in USER_PROFILE are simple objects. However, the IDTypes and
Roles objects are collections and can have multiple values. IDTypes contains a collection of its
own, Attributes. These objects must include the isCollection attribute, the key name for the
collection, and at least one property.
Note – The PeopleSoft Component Interface adapter supports listing resource objects only. It
does not support other object features, such as update, create, or delete.
The ROLE_MAINT component interface definition has the following characteristics of note:
■ The findKey and getKey attributes are assigned to ROLENAME because ROLENAME is
the primary key for FINDKEYS and GETKEYS.
■ DESCR and ROLESTATUS are also keys in FINDKEYS, but since they are not primary keys,
they are not listed as values for findKey. Instead, they are listed in the properties section.
■ The supportedObjectTypes attribute defines the Role object. The Role object supports the
find and get features.
Use the following steps to add FIND method support to an existing USER_PROFILE
component interface.
2 On the left window (which shows the USERMAINT Component), select the OPRID field under the
PSOPRDEFN_SRCH object.
Drag this field over to the right window (which shows the USER_PROFILE CI).
When you drop the field, a new key called FINDKEYS will be created in the USER_PROFILE
CI. Under that key, there will be a sub-key called OPRID.
3 Right-click on the OPRID name under FINDKEYS, and select Edit Name. Change the name to
UserID.
4 Right-click on USER_PROFILE CI and select Component Interface Properties. Select the Standard
Methods tab, then select the Find checkbox. Click OK to close the Component Interface
Properties dialog.
Note – A PeopleSoft administrator should grant Full Access to the Find method for the
component interface (in addition to the Create, Get, Save, and SetPassword methods).
For example, to add support for the Role resource object, add an ObjectType element similar to
the following.
<ObjectTypes>
  <ObjectType name='Role' icon='role'>
    <ObjectFeatures>
      <ObjectFeature name='find'/>
    </ObjectFeatures>
    <ObjectAttributes idAttr='ROLENAME' displayNameAttr='ROLENAME' descriptionAttr='DESCR'>
      <ObjectAttribute name='ROLENAME' type='string'/>
      <ObjectAttribute name='DESCR' type='string'/>
      <ObjectAttribute name='ROLESTATUS' type='string'/>
    </ObjectAttributes>
  </ObjectType>
</ObjectTypes>
The ObjectType name (for example, Role) must match the name of one of the objects in the
supportedObjectTypes list of exactly one component interface definition. Each ObjectFeature
(for example, find) must have a corresponding feature in the features list in that same
supportedObjectTypes. The matched component interface will be the one used to perform the
resource feature. (If there are multiple matches, the first one found will be used.)
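The matching rule above (ObjectType name found in the supportedObjectTypes list of a component interface definition, each ObjectFeature present in that entry's features list, first match wins) is easy to get wrong when a map is hand-edited, and an unmatched feature only surfaces at run time. The following Python is an added example written for this page, not adapter code: it parses the ObjectTypes element shown above and resolves each ObjectType/ObjectFeature pair against a constructed component interface map. The dict shape of COMPONENT_INTERFACE_MAP stands in for the adapter's own XML map (the attribute names key, findKey, supportedObjectTypes and features are from the text, the Python structure is an assumption), and the sample input adds an update feature to Role that no definition serves, to show what the check reports.

```python
import xml.etree.ElementTree as ET

# Constructed component interface map (assumed Python shape; attribute names
# key, findKey, supportedObjectTypes and features are the ones the text uses).
# Definition order matters: the adapter uses the first match it finds.
COMPONENT_INTERFACE_MAP = {
    "USER_PROFILE": {
        "key": "UserID",
        "findKey": "UserID",
        "supportedObjectTypes": [
            {"name": "User", "features": ["get", "create", "update", "find"]},
        ],
    },
    "ROLE_MAINT": {
        "key": "ROLENAME",
        "findKey": "ROLENAME",
        "supportedObjectTypes": [
            {"name": "Role", "features": ["find", "get"]},
        ],
    },
}

# The ObjectTypes element from the text, plus an 'update' feature that is NOT
# served by any definition above (constructed input to exercise the check).
OBJECT_TYPES_XML = """
<ObjectTypes>
  <ObjectType name='Role' icon='role'>
    <ObjectFeatures>
      <ObjectFeature name='find'/>
      <ObjectFeature name='update'/>
    </ObjectFeatures>
    <ObjectAttributes idAttr='ROLENAME' displayNameAttr='ROLENAME' descriptionAttr='DESCR'>
      <ObjectAttribute name='ROLENAME' type='string'/>
      <ObjectAttribute name='DESCR' type='string'/>
      <ObjectAttribute name='ROLESTATUS' type='string'/>
    </ObjectAttributes>
  </ObjectType>
</ObjectTypes>
"""


def parse_object_types(xml_text):
    """Return {ObjectType name: [ObjectFeature names]} from an ObjectTypes element."""
    root = ET.fromstring(xml_text.strip())
    return {
        ot.get("name"): [f.get("name") for f in ot.findall("ObjectFeatures/ObjectFeature")]
        for ot in root.findall("ObjectType")
    }


def matching_component_interfaces(ci_map, object_name, feature):
    """All component interfaces whose supportedObjectTypes list object_name with
    feature among its features, in map order."""
    return [
        ci_name
        for ci_name, ci_def in ci_map.items()
        for obj in ci_def.get("supportedObjectTypes", [])
        if obj["name"] == object_name and feature in obj["features"]
    ]


def resolve_component_interface(ci_map, object_name, feature):
    """Name of the component interface that will perform the feature (first
    match, as the adapter does), or None when nothing in the map serves it."""
    matches = matching_component_interfaces(ci_map, object_name, feature)
    return matches[0] if matches else None


def check_object_types(ci_map, xml_text):
    """{(object, feature): first matching component interface or None} for
    every ObjectType/ObjectFeature pair, so gaps are visible before deployment."""
    return {
        (obj_name, feat): resolve_component_interface(ci_map, obj_name, feat)
        for obj_name, feats in parse_object_types(xml_text).items()
        for feat in feats
    }


def unresolved_object_features(ci_map, xml_text):
    """(object, feature) pairs that no component interface in the map can serve."""
    return sorted(
        pair for pair, ci in check_object_types(ci_map, xml_text).items() if ci is None
    )


if __name__ == "__main__":
    for pair, ci in check_object_types(COMPONENT_INTERFACE_MAP, OBJECT_TYPES_XML).items():
        print(pair, "->", ci or "NO COMPONENT INTERFACE")
```

Run against the sample, Role/find resolves to ROLE_MAINT and Role/update is reported unresolved, which matches the note above that this adapter lists resource objects only.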
The following example is part of the component interface definition for the ROLE_MAINT
component interface in the component interface map. Note that the Object name Role is found
and that an item in the features list is named find.
User Form
The following user form fragment can be used to retrieve a list of PeopleSoft roles. Note that
ROLENAME and DESCR attributes are being fetched.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses the Client Connection Toolkit (Read/Write) to communicate with this
adapter.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature                        Supported?
Rename account                 No
Pass-through authentication    No
Before/after actions           No
Account Attributes
The account attributes for the PeopleSoft Component Interface resource depend on the
component interface being managed.
Each entry of the schema map should have a Resource User Attribute name that matches one of
the entries in the “properties” list defined for the component interface in the Component
Interface Map. When editing the schema map, you can click the Test Configuration button to
verify an appropriate match can be found.
If the Resource User Attribute name matches a collection property in the component interface
map, the value for the account attribute will be an XML string representation of the collection.
For examples of manipulating collection properties, see the sample user form field
accounts[PeopleSoft Component Interface].ps_roles.
Note – The default schema map entries that are defined for a new resource instance are
appropriate only when used with the default USER_PROFILE and DELETE_USER_PROFILE
component interface maps. If you change these maps, or create your own, then you must
change your schema map accordingly.
email (resource user attribute EmailAddress): The user's e-mail address. This attribute is
available only on older PeopleTools releases. It is not on the schema map by default.
Identity Template
$accountId$
Sample Forms
The following forms are provided in the $WSHOME/sample/forms directory:
■ PeopleSoftCompIntfcUserForm.xml
This user form will function as expected only if the USER_PROFILE component interface is
being managed, and if the default account attributes are used. This form assumes that you
have added the email account attribute to the schema map.
The EmailAddress attribute is available only on older PeopleTools releases. Check with your
PeopleTools administrator to determine whether your USER_PROFILE supports EmailAddress.
If you are managing a different component interface or using a different schema map, the
user form must be changed accordingly.
■ PeopleSoft_8_4X_CompIntfcUserForm.xml
This user form will function as expected only if the USER_PROFILE component interface is
being managed. This form assumes that you have added the EmailAddresses account
attribute to the schema map.
The EmailAddresses attribute is available only on newer 8.4x PeopleTools releases. Check
with your PeopleTools administrator to determine whether your USER_PROFILE supports
EmailAddresses.
Troubleshooting
Use the debug pages to set trace options on the following class:
com.waveset.adapter.PeopleSoftCompIntfcAdapter
Chapter 29 RACF
The RACF resource adapter supports management of user accounts and memberships on an
OS/390 mainframe. The adapter manages RACF over a TN3270 emulator session.
Adapter Details
1 To add the RACF resource to the Identity Manager resources list, you must add the following
value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.RACFResourceAdapter
2 Copy the appropriate JAR files to the WEB-INF/lib directory of your Identity Manager
installation.
Host On Demand: The IBM Host Access Class Library (HACL) manages connections to the
mainframe. The recommended JAR file containing HACL is habeans.jar. It is installed with the
HOD Toolkit (or Host Access Toolkit) that comes with HOD. The supported versions of HACL
are those shipped in HOD V7.0, V8.0, V9.0, and V10.
However, if the toolkit installation is not available, the HOD installation contains the
following JAR files that can be used in place of habeans.jar:
■ habase.jar
■ hacp.jar
■ ha3270.jar
■ hassl.jar
■ hodbase.jar
See http://www.ibm.com/software/webservers/hostondemand/ for more information.
Attachmate WRQ: The Attachmate 3270 Mainframe Adapter for Sun product contains the files
needed to manage connections to the mainframe:
■ RWebSDK.jar
■ wrqtls12.jar
■ profile.jaw
Contact Sun Professional Services about obtaining this product.
3 Add the following definitions to the Waveset.properties file to define which service manages
the terminal session:
serverSettings.serverId.mainframeSessionType=Value
serverSettings.default.mainframeSessionType=Value
Value can be set as follows:
■ 1 indicates IBM Host On-Demand (HOD)
■ 3 indicates Attachmate WRQ
If these properties are not explicitly set, then Identity Manager attempts to use WRQ first,
then HOD.
4 When the Attachmate libraries are installed into a WebSphere or WebLogic application server,
add the property com.wrq.profile.dir=LibraryDirectory to the
WebSphere/AppServer/configuration/config.ini or startWeblogic.sh file.
This allows the Attachmate code to find the licensing file.
5 Restart your application server so that the modifications to the Waveset.properties file can
take effect.
Usage Notes
This section provides information related to using the RACF resource adapter, which is
organized into the following sections:
■ “Administrators” on page 319
■ “Support for Additional Segments” on page 319
■ “Resource Actions” on page 320
■ “SSL Configuration” on page 320
Administrators
TSO sessions do not allow multiple, concurrent connections. To achieve concurrency for
Identity Manager RACF operations, you must create multiple administrators. Thus, if two
administrators are created, two Identity Manager RACF operations can occur at the same time.
You should create at least two (and preferably three) administrators.
If you are running in a clustered environment, you must define an admin for each server in the
cluster. This applies even if it is the same admin. For TSO, there must be a different admin for
each server in the cluster.
If clustering is not being used, the server name should be the same for each row (the name of the
Identity Manager host machine).
Note – Host resource adapters do not enforce maximum connections for an affinity
administrator across multiple host resources connecting to the same host. Instead, the adapter
enforces maximum connections for affinity administrators within each host resource.
If you have multiple host resources managing the same system, and they are currently
configured to use the same administrator accounts, you might have to update those resources to
ensure that the same administrator is not trying to perform multiple actions on the resource
simultaneously.
1 Create an AttrParse object that parses the segment. See Chapter 49,“Implementing the
AttrParse Object,”for information about defining custom AttrParse objects. Example AttrParse
objects are defined in $WSHOME/web/sample/attrparse.xml.
3 Add an element to the RACF resource object that defines a custom account attribute.
<AccountAttributeType id='32' name='WORKATTR Account' syntax='string'
    mapName='WORKATTR.WAACCNT' mapType='string'>
</AccountAttributeType>
The value of the mapName attribute must be of the form SegmentName.AttributeName. When
the adapter detects a mapName in this format, it asks RACF for the specified segment and uses the
object specified in the SegmentName Segment AttrParse field to parse it.
Resource Actions
The RACF adapter requires login and logoff resource actions. The login action negotiates an
authenticated session with the mainframe. The logoff action disconnects when that session is no
longer required.
See “Mainframe Examples” on page 536 for more information about creating login and logoff
resource actions.
SSL Configuration
Identity Manager uses TN3270 connections to communicate with the resource.
See Chapter 53, “Mainframe Connectivity,” for information about setting up an SSL connection
to a RACF resource.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses TN3270 to communicate with the RACF adapter.
To list the contents of a user profile or the contents of individual segments of the user profile,
use the LISTUSER command.
To display the information in a non-base segment of a user profile, including your own, you
must have the SPECIAL or AUDITOR attribute or at least READ authority to the segment
through field-level access checking.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature                        Supported?
Pass-through authentication    No
Account Attributes
The following table provides information about RACF account attributes.
Resource user attribute (data type): Description
TSO.Delete Segment (Boolean): If this field is set to true, the TSO segment is deleted from
the RACF user.
TSO.MAXSIZE (Int): The maximum TSO region size the user can request during logon.
TSO.PROC (String): The name of the user's default TSO logon procedure.
TSO.SIZE (Int): The minimum TSO region size if the user does not request a region size
during logon.
TSO.UNIT (String): The default name of a TSO device or group of devices that a procedure
uses for allocations.
CICS.OPCLASS (String): The CICS operator classes for which the user will receive BMS (basic
mapping support) messages.
CICS.TIMEOUT (String): The amount of time that the user can be idle before being signed off
by CICS.
CICS.XRFSOFF (String): A setting that indicates whether the user will be signed off by CICS
when an XRF takeover occurs.
NETVIEW.NGMFADMN (String): Indicates whether this operator can use the NetView graphic
monitor facility (NO or YES).
NETVIEW.NGMFVSPN (String)
Identity Template
$accountId$
Sample Forms
Built-In
None
Also Available
RACFUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.RACFResourceAdapter
■ com.waveset.adapter.HostAccess
Chapter 30 RACF LDAP
The RACF LDAP resource adapter supports management of user accounts and memberships
on an OS/390 mainframe. Whenever possible, the adapter connects to the LDAP server
included within the z/OS Security Server to manage user accounts. All other functions are
handled by standard calls to the RACF system.
This adapter extends the LDAP resource adapter. See the documentation for the LDAP adapter
for information about implementing LDAP features.
Adapter Details
1 To add the RACF LDAP resource to the Identity Manager resources list, you must add the
following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.RACF_LDAPResourceAdapter
2 Copy the appropriate JAR files to the WEB-INF/lib directory of your Identity Manager
installation.
Host On Demand: The IBM Host Access Class Library (HACL) manages connections to the
mainframe. The recommended JAR file containing HACL is habeans.jar. It is installed with the
HOD Toolkit (or Host Access Toolkit) that comes with HOD. The supported versions of HACL
are those shipped in HOD V7.0, V8.0, V9.0, and V10.
However, if the toolkit installation is not available, the HOD installation contains the
following JAR files that can be used in place of habeans.jar:
■ habase.jar
■ hacp.jar
■ ha3270.jar
■ hassl.jar
■ hodbase.jar
See http://www.ibm.com/software/webservers/hostondemand/ for more information.
3 Add the following definitions to the Waveset.properties file to define which service manages
the terminal session:
serverSettings.serverId.mainframeSessionType=Value
serverSettings.default.mainframeSessionType=Value
4 When the Attachmate libraries are installed into a WebSphere or WebLogic application server,
add the property com.wrq.profile.dir=LibraryDirectory to the
WebSphere/AppServer/configuration/config.ini or startWeblogic.sh file.
This allows the Attachmate code to find the licensing file.
5 Restart your application server so that the modifications to the Waveset.properties file can
take effect.
Usage Notes
Administrators
TSO sessions do not allow multiple, concurrent connections. To achieve concurrency for
Identity Manager RACF operations, you must create multiple administrators. Thus, if two
administrators are created, two Identity Manager RACF operations can occur at the same time.
You should create at least two (and preferably three) administrators.
If you are running in a clustered environment, you must define an admin for each server in the
cluster. This applies even if it is the same admin. For TSO, there must be a different admin for
each server in the cluster.
If clustering is not being used, the server name should be the same for each row (the name of the
Identity Manager host machine).
Note – Host resource adapters do not enforce maximum connections for an affinity
administrator across multiple host resources connecting to the same host. Instead, the adapter
enforces maximum connections for affinity administrators within each host resource.
If you have multiple host resources managing the same system, and they are currently
configured to use the same administrator accounts, you might have to update those resources to
ensure that the same administrator is not trying to perform multiple actions on the resource
simultaneously.
1 Create an AttrParse object that parses the segment. See Chapter 49,“Implementing the
AttrParse Object,”for information about defining custom AttrParse objects. Example AttrParse
objects are defined in $WSHOME/web/sample/attrparse.xml.
2 Add a ResourceAttribute element to the RACF LDAP resource object. For example:
<ResourceAttribute name='OMVS Segment AttrParse' displayName='OMVS Segment AttrParse'
    description='AttrParse for OMVS Segment' value='Default RACF OMVS Segment AttrParse'>
</ResourceAttribute>
This example adds a field labeled OMVS Segment AttrParse to the Resource Parameters page.
The value assigned to the name attribute must be of the form SegmentName Segment
AttrParse.
3 Add an element to the RACF LDAP resource object that defines a custom account attribute.
<AccountAttributeType id='32' name='OMVS Mem Max Area Size' syntax='int'
    mapName='OMVS.MMAPAREAMAX' mapType='int'>
</AccountAttributeType>
The value of the mapName attribute must be of the form SegmentName.AttributeName. When
the adapter detects a mapName in this format, it asks the resource for the specified segment and
uses the object specified in the SegmentName Segment AttrParse field to parse it.
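Both the RACF and the RACF LDAP adapter rely on the same two conventions: a mapName of the form SegmentName.AttributeName selects a segment, and the parser for that segment is whatever AttrParse object is named in the resource attribute called "SegmentName Segment AttrParse". An AccountAttributeType whose segment has no such resource attribute cannot be parsed. The Python below is an added example written for this page (not adapter code) that applies the convention to a constructed resource object: the ResourceAttribute and AccountAttributeType elements are the ones shown above, the enclosing Resource, ResourceAttributes and AccountAttributeTypes wrapper elements are assumed for the example, and a WORKATTR attribute is included without a matching resource attribute to show what the check reports. The AttrParse object itself is only named here, not evaluated.

```python
import re
import xml.etree.ElementTree as ET

# SegmentName.AttributeName selects a segment; a mapName without a dot is a
# base attribute and is left to the adapter's default handling.
SEGMENT_MAP_NAME = re.compile(r"^([^.\s]+)\.([^.\s]+)$")

# Constructed resource object. The Resource/ResourceAttributes/
# AccountAttributeTypes wrappers are assumptions made for this example.
RESOURCE_XML = """<Resource name='RACF LDAP example'>
  <ResourceAttributes>
    <ResourceAttribute name='OMVS Segment AttrParse' displayName='OMVS Segment AttrParse'
        description='AttrParse for OMVS Segment' value='Default RACF OMVS Segment AttrParse'/>
  </ResourceAttributes>
  <AccountAttributeTypes>
    <AccountAttributeType id='32' name='OMVS Mem Max Area Size' syntax='int'
        mapName='OMVS.MMAPAREAMAX' mapType='int'/>
    <AccountAttributeType id='33' name='WORKATTR Account' syntax='string'
        mapName='WORKATTR.WAACCNT' mapType='string'/>
    <AccountAttributeType id='1' name='accountId' syntax='string'
        mapName='accountId' mapType='string'/>
  </AccountAttributeTypes>
</Resource>"""


def split_segment_map_name(map_name):
    """('OMVS', 'MMAPAREAMAX') for 'OMVS.MMAPAREAMAX'; None for a base attribute."""
    m = SEGMENT_MAP_NAME.match(map_name)
    return (m.group(1), m.group(2)) if m else None


def attrparse_field_name(segment):
    """Name of the resource attribute that must hold the AttrParse object for a segment."""
    return f"{segment} Segment AttrParse"


def segment_parsers(xml_text):
    """Map each segment referenced by an AccountAttributeType to the AttrParse
    object named by its 'SegmentName Segment AttrParse' resource attribute,
    or None when that resource attribute is missing from the resource."""
    root = ET.fromstring(xml_text)
    resource_attrs = {ra.get("name"): ra.get("value") for ra in root.iter("ResourceAttribute")}
    parsers = {}
    for aat in root.iter("AccountAttributeType"):
        parts = split_segment_map_name(aat.get("mapName", ""))
        if parts is None:
            continue  # base attribute, no segment request is made for it
        segment = parts[0]
        parsers[segment] = resource_attrs.get(attrparse_field_name(segment))
    return parsers


def segments_missing_attrparse(xml_text):
    """Segments the adapter would request from the resource but could not parse."""
    return sorted(seg for seg, parser in segment_parsers(xml_text).items() if parser is None)


if __name__ == "__main__":
    for segment, parser in segment_parsers(RESOURCE_XML).items():
        print(f"{segment}: {parser or 'NO AttrParse resource attribute defined'}")
```

On the sample resource, OMVS resolves to "Default RACF OMVS Segment AttrParse" and WORKATTR is reported as missing, which is the configuration error to fix before the resource is saved.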
Resource Actions
The RACF LDAP adapter requires login and logoff resource actions. The login action negotiates
an authenticated session with the mainframe. The logoff action disconnects when that session is
no longer required.
See “Mainframe Examples” on page 536 for more information about creating login and logoff
resource actions.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses TN3270 connections to communicate with the resource.
See Chapter 53, “Mainframe Connectivity,” for information about setting up an SSL connection
to a RACF LDAP resource.
The user specified in the User DN resource parameter field must have the ability to read, write,
delete, and add users.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature                        Supported?
Pass-through authentication    No
Account Attributes
The syntax (or type) of an attribute usually determines whether the attribute is supported. In
general, Identity Manager supports Boolean, string, integer, and binary syntaxes. A binary
attribute is an attribute that can be safely expressed only as a byte array.
The following table lists the supported LDAP syntaxes. Other LDAP syntaxes might be
supported, as long as they are Boolean, string, or integer in nature. Octet strings are NOT supported.
LDAP syntax    Identity Manager type    OID
DN             String                   1.3.6.1.4.1.1466.115.121.1.12
Resource user attribute (data type): Description
TSO.Delete Segment (Boolean): If this field is set to true, the TSO segment is deleted from
the RACF user.
SAFLogonSize (Int): The minimum TSO region size if the user does not request a region size
during logon.
SAFMaximumRegionSize (Int): The maximum TSO region size the user can request during logon.
racfTerminalTimeout (String): The amount of time that the user can be idle before being
signed off by CICS.
racfOperatorClass (String): The CICS operator classes for which the user will receive BMS
(basic mapping support) messages.
Identity Template
$accountId$
Sample Forms
None
Troubleshooting
Use the Identity Manager debug pages to set trace options on one or more of the following
classes:
■ com.waveset.adapter.RACF_LDAPResourceAdapter
■ com.waveset.adapter.LDAPResourceAdapter
■ com.waveset.adapter.LDAPResourceAdapterBase
The Red Hat Linux and SuSE Linux resource adapter are two separate adapters defined in the
com.waveset.adapter.RedHatLinuxResourceAdapter and
com.waveset.adapter.SUSELinuxResourceAdapter classes, respectively.
Adapter Details
Usage Notes
The Linux resource adapters primarily provide support for the following commands:
■ useradd, usermod, userdel
■ groupadd, groupmod, groupdel
■ passwd
For more information about supported attributes and files, refer to the Linux manual pages for
these commands.
When a rename of a user account is executed on a Linux resource, the group memberships are
moved to the new user names. The user's home directory is also renamed if the following
conditions are true:
■ The original home directory name matched the user name.
■ A directory matching the new user name does not already exist.
The Bourne-compliant shell (sh, ksh) must be used as the root shell when connecting to a Linux
resource.
The administrative account that manages Linux accounts must use the English (en) or C locale.
This can be configured in the user's .profile file. Do not use control characters (for example,
0x00, 0x7f) in user passwords.
In environments in which NIS is implemented, you can increase performance during bulk
provisioning by implementing the following features:
■ Add an account attribute named user_make_nis to the schema map and use this attribute in
your reconciliation or other bulk provisioning workflow. Specifying this attribute causes the
system to bypass the step of connecting to the NIS database after each user update on the
resource.
■ To write the changes to the NIS database after all provisioning has completed, create a
ResourceAction named NIS_password_make in the workflow.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager can use the following connections to communicate with this adapter:
■ Telnet
■ SSH (SSH must be installed independently on the resource.)
■ SSHPubKey
For SSHPubKey connections, the private key must be specified on the Resource Parameters
page. The key must include its BEGIN and END boundary lines (for example,
-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----), not just the encoded key body.
The matching public key must be placed in the ~/.ssh/authorized_keys file of the
administrative account on the server.
The adapter also supports the sudo facility (version 1.6.6 or later), which can be installed on
Solaris 9 from a companion CD. sudo allows a system administrator to give certain users (or
groups of users) the ability to run some (or all) commands as root or another user.
In addition, if sudo is enabled for a resource, its settings will override those configured on the
resource definition page for the root user.
If you are using sudo, you must set the tty_tickets parameter to true for the commands
enabled for the Identity Manager administrator. Refer to the man page for the sudoers file for
more information.
The administrator must be granted privileges to run the following commands with sudo:
The adapter does not support NIS commands with sudo, because the yppasswd command
requires the root password.
A test connection can use different command options than a typical provisioning run.
The adapter provides basic sudo initialization and reset functionality. However, if a resource
action is defined and contains a command that requires sudo authorization, then you must
specify the sudo command along with the UNIX command. (For example, you must specify
sudo useradd instead of just useradd.) Commands requiring sudo must be registered on the
native resource. Use visudo to register these commands.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature                   Supported?
Enable/disable account    Linux does not natively support Identity Manager enable and disable
                          actions. Identity Manager simulates enabling and disabling accounts
                          by changing the user password. The changed password is exposed on
                          enable actions, but it is not exposed on disable actions.
                          As a result, enable and disable actions are processed as update
                          actions. Any before or after actions that have been configured to
                          operate on updates will execute.
You can define resource attributes to control the following tasks for all users on this resource:
■ Create a home directory when creating the user
■ Copy files to the user’s home directory when creating the user
■ Delete the home directory when deleting the user
Account Attributes
The following table lists the Red Hat Linux and SuSE Linux user account attributes. Attributes
are optional unless noted in the description. All attributes are Strings.
dir (-d dir, the useradd/usermod option): The user's home directory. Any value specified in
this account attribute takes precedence over a value specified in the Home Base Directory
resource attribute.
time_last_login (obtained from the lastlog command): The date and time of the last login. This
value is read-only. If you do not need to track this attribute, delete it from the schema map,
because additional calls to the resource are required to retrieve the last login time.
Identity Template
$accountId$
Sample Forms
Built-In
■ Red Hat Linux Group Create Form
■ Red Hat Linux Group Update Form
■ SuSE Linux Group Create Form
■ SuSE Linux Group Update Form
Also Available
■ RedHatLinuxUserForm.xml
■ SUSELinuxUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.RedHatLinuxResourceAdapter
■ com.waveset.adapter.SUSELinuxResourceAdapter
■ com.waveset.adapter.SVIDResourceAdapter
■ com.waveset.adapter.ScriptedConnection
Chapter 32 Remedy
Adapter Details
Usage Notes
■ “Workflows” on page 342
■ “Gateway Timeouts” on page 343
Workflows
See Business Administrator's Guide for more information about Remedy integration.
If you do not enable the Active Sync functionality, then the Remedy adapter automates the
integration of Remedy tickets into an Identity Manager workflow.
If you use the Active Sync functionality, then the adapter can be configured to support the
following features:
■ Querying any Remedy ticket schema
■ Filtering tickets based on static criteria, such as 'Status' = "New".
■ Filtering tickets based on dynamic criteria, such as the most recently fetched.
■ Specifying a workflow to be launched for each matching ticket.
With Active Sync, the Remedy adapter uses the Update Search Filter, Last Fetched
Conjunction, and Last Fetched Filter resource parameters to determine which tickets are
returned. The Update Search Filter or Last Fetched Filter, or both, should be used.
The Update Search Filter parameter is an optional parameter that contains an executable
Remedy search expression. This parameter can contain any valid search expression that can be
entered in the Advanced Search Criteria of the Remedy User application. (Valid search
expressions can contain fields, selection values, and keywords.) The adapter does not attempt to
check the validity of the search expression.
The following examples illustrate search expressions that would work with the Help Desk Cases
sample form provided with the Remedy User application.
■ ’Status’ = "New"
■ ’Case Type’ = "Problem"
Note – Remedy field names are enclosed in single quotation marks, while values are enclosed in
double quotation marks.
If the Last Fetched Filter parameter is used, then the Last Fetched Conjunction parameter must
also be specified. The Last Fetched Conjunction parameter may contain one of the following
values:
■ AND. The conditions in the Update search filter field as well as the Last Fetched Filter field
must be logically True.
■ OR. The conditions in either the Update search filter field or the Last Fetched Filter field
must be logically True.
The Last Fetched Filter parameter specifies another Remedy search expression, but this
expression can contain one or more user attributes defined in Identity Manager. This feature
allows you to construct an expression that compares values returned in a previous poll to values
returned in the current poll. For example, if the Case ID+ field on your Remedy form contains
an ID that is unique for every ticket, then this value can be compared on each poll. If the value is
higher on the current poll than on the previous poll, then return information about the ticket.
The following expression illustrates this feature:
The value specified between the parentheses must be a Waveset User Attribute defined on the
schema map page. The $(caseId) token will be replaced with the value returned on the
previous poll. An example value might be HD0000045.
Note – The first time the adapter polls, the Last Fetched Filter is not applied, because there are
no previously fetched values. The filter will be run in all subsequent polls.
The adapter concatenates the Update search filter, Last Fetched Conjunction, and Last
Fetched Filter resource parameters and sends a search expression similar to the following:
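The concatenated expression the adapter sends is not reproduced on this page. The Python below is an added example written for this page, not Remedy or Identity Manager code, that applies the rules stated above: field names in single quotes and values in double quotes, the Last Fetched Filter skipped on the first poll, the $(name) token replaced with the value returned on the previous poll, and the two filters joined by the Last Fetched Conjunction. The "(A) AND (B)" layout of the joined expression, the choice of the highest previously returned value as the token's replacement, and the tiny evaluator that stands in for the Remedy server are all assumptions of this example; the tickets are constructed.

```python
import re

TOKEN = re.compile(r"\$\((\w+)\)")                       # $(caseId)
TERM = re.compile(r"'([^']+)'\s*(=|>|<)\s*\"([^\"]*)\"")   # 'Field' op "value"
COMBINED = re.compile(r"^\((.*?)\) (AND|OR) \((.*)\)$")    # (A) conj (B)


def evaluate(expression, ticket):
    """Minimal evaluator standing in for the Remedy server. It understands one
    'Field' op "value" term, or two such terms joined as (A) AND (B) or
    (A) OR (B), which is all build_expression() produces. Values compare as
    strings, which orders zero-padded IDs such as HD0000045 correctly."""
    m = COMBINED.match(expression)
    if m:
        left, conj, right = m.groups()
        l, r = evaluate(left, ticket), evaluate(right, ticket)
        return (l and r) if conj == "AND" else (l or r)
    t = TERM.fullmatch(expression.strip())
    if not t:
        raise ValueError("unsupported search expression: " + expression)
    field, op, value = t.groups()
    actual = str(ticket.get(field, ""))
    return {"=": actual == value, ">": actual > value, "<": actual < value}[op]


class ActiveSyncPoller:
    """Builds the search expression from the three resource parameters."""

    def __init__(self, update_search_filter, last_fetched_conjunction,
                 last_fetched_filter, schema_map):
        if not (update_search_filter or last_fetched_filter):
            raise ValueError("Update Search Filter or Last Fetched Filter (or both) is required")
        if last_fetched_filter and last_fetched_conjunction not in ("AND", "OR"):
            raise ValueError("Last Fetched Conjunction must be AND or OR")
        self.update_search_filter = update_search_filter
        self.conjunction = last_fetched_conjunction
        self.last_fetched_filter = last_fetched_filter
        self.schema_map = schema_map   # Waveset User Attribute -> Remedy field name
        self.previous = {}             # Waveset User Attribute -> value from the previous poll

    def build_expression(self):
        parts = []
        if self.update_search_filter:
            parts.append(self.update_search_filter)
        # The Last Fetched Filter is not applied until something has been fetched.
        if self.last_fetched_filter and self.previous:
            def substitute(m):
                name = m.group(1)
                if name not in self.schema_map:
                    raise KeyError(f"$({name}) is not a Waveset User Attribute on the schema map")
                return self.previous[name]
            parts.append(TOKEN.sub(substitute, self.last_fetched_filter))
        if len(parts) == 2:
            return f"({parts[0]}) {self.conjunction} ({parts[1]})"
        return parts[0]

    def poll(self, tickets):
        """One poll over a list of ticket dicts. Remembers the highest value seen
        for each $(name) token (this example's choice) so the next poll only
        returns tickets newer than those already fetched."""
        expression = self.build_expression()
        matched = [t for t in tickets if evaluate(expression, t)]
        for name in TOKEN.findall(self.last_fetched_filter or ""):
            field = self.schema_map[name]
            values = [str(t[field]) for t in matched if field in t]
            if values:
                self.previous[name] = max(values)
        return expression, matched


# Constructed tickets for two successive polls of a Help Desk Cases style form.
POLL_1 = [
    {"Case ID+": "HD0000043", "Status": "New"},
    {"Case ID+": "HD0000044", "Status": "Resolved"},
    {"Case ID+": "HD0000045", "Status": "New"},
]
POLL_2 = POLL_1 + [
    {"Case ID+": "HD0000046", "Status": "New"},
    {"Case ID+": "HD0000047", "Status": "Resolved"},
]


def demo():
    """(expression sent, IDs returned) for each of the two polls."""
    poller = ActiveSyncPoller(
        update_search_filter="'Status' = \"New\"",
        last_fetched_conjunction="AND",
        last_fetched_filter="'Case ID+' > \"$(caseId)\"",
        schema_map={"caseId": "Case ID+"},
    )
    results = []
    for tickets in (POLL_1, POLL_2):
        expression, matched = poller.poll(tickets)
        results.append((expression, [t["Case ID+"] for t in matched]))
    return results


if __name__ == "__main__":
    for expression, ids in demo():
        print(expression, "->", ids)
```

The first poll sends only the Update Search Filter and returns every New ticket; the second poll sends the joined expression with HD0000045 substituted for $(caseId) and returns only HD0000046, the single New ticket created since.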
Gateway Timeouts
The Remedy adapter allows you to use the RA_HANGTIMEOUT resource attribute to specify a
timeout value, in seconds. This attribute controls how long before a request to the gateway
times out and is considered hung.
You must manually add this attribute to the Resource object as follows:
The default value for this attribute is 0, indicating that Identity Manager will not check for a
hung connection.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses Remedy APIs to communicate with the Remedy adapter.
Provisioning Notes
The attributes of Remedy users are based on a schema that is established within the Remedy
application. Refer to the Remedy documentation for information about the schema and details
of its operation.
Feature                        Supported?
Expire passwords               No
Rename account                 No
Pass-through authentication    No
Before/after actions           No
Account Attributes
The Remedy adapter does not provide default account attributes. Use the following guidelines
when adding custom attributes:
■ The Waveset User Attribute value can be used in forms and workflows. This attribute must
be a valid Remedy field ID. Every field in a Remedy form must have an integer field ID that is
unique within that form.
To view the ID of a field from within Remedy Administrator, open the form and select the
field. The field ID is displayed in brackets in the Find Field drop-down menu.
■ If a Resource User Attribute corresponds to a Remedy Diary field, then the attribute value
will be multi-valued. Each value in the value list is in the following format:
Timestamp User Message
where:
Timestamp. An integer indicating the number of seconds since 1970-01-01 UTC.
User. The Remedy user who added the message to the diary.
Message. The diary entry.
■ To allow the Remedy adapter to change passwords, you must do the following:
■ Select the Supports Passwords resource parameter.
■ Add an account attribute in the schema map in which the Identity system user attribute
name is password and the attribute type is encrypted. The resource user attribute must
be a Remedy field ID that holds the user password.
Identity Template
The identity template for Remedy is generated by the Remedy system. Any identity template
established through Identity Manager is ignored.
Sample Forms
None
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.RemedyResourceAdapter
In addition, you can set the following Identity Manager logging parameters for the resource
instance:
■ Log File Path
■ Log Level
■ Maximum Archives
■ Maximum Age Unit
■ Maximum Age Length
■ Maximum Log File Size
Tracing can also be enabled on the following methods to diagnose problems connecting to the
gateway:
■ com.waveset.adapter.AgentResourceAdapter#sendRequest
■ com.waveset.adapter.AgentResourceAdapter#getResponse
Chapter 33 SAP
Adapter Details
The resource adapter is defined in the com.waveset.adapter.SAPResourceAdapter class.
To enable the ability of a user to change his or her own SAP password, perform the following
steps:
2 Add WS_USER_PASSWORD to both sides of the schema map. You do not need to modify the user
form or other forms.
Note – Make sure that the JCo toolkit you download matches the bit version of Java your
application server runs on. For example, JCo is available only in the 64-bit version on the Solaris
x86 platform. Therefore, your application server must be running the 64-bit version on the
Solaris x86 platform.
2 Unzip the toolkit and follow the installation instructions. Be sure to place library files in the
correct location and to set the environment variables as directed.
4 To add an SAP resource to the Identity Manager resources list, you must add the following value
in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.SAPResourceAdapter
Usage Notes
This section provides information related to using the SAP resource adapter, which is organized
into the following sections:
■ “General Notes” on page 348
■ “Enabling Secure Network Communications (SNC) Connections” on page 349
■ “SAP JCO and RFC Tracing” on page 349
■ “Changing Productive Passwords in a CUA Environment” on page 349
■ “Renaming Accounts” on page 350
■ “Global Trade Services (GTS) Support” on page 351
■ “Additional Table Support” on page 351
General Notes
The following general notes are provided for the resource:
■ To allow editing of to and from dates on a per activity group basis, load the
SAPUserForm_with_RoleEffectiveDates_Timezone.xml form. This form also provides the
ability to select a time zone for the user.
Note – If no JCO tracing is desired, set RFC_TRACE to 0 to ensure that no trace files are created.
failures of password changes under certain circumstances. The adapter will allow you to set a
productive password in a CUA landscape on all systems on which the user exists. You can do
this only by changing the password on each system separately. To enable this feature, you must
install a special Function Module on the CUA central system that is executed for all client
systems. The module is provided in source form in InstallDir\idm\sample\other and must be
installed on the SAP central system. The name of the Function Module must be set in the “CUA
Child Password Change Function Module” resource attribute.
When a password is changed in a CUA landscape and the module is used, multiple failures for
one password change can occur: one for each client and one for the central system. Each system
keeps its own password policies, so a password that complies with the rules on one system can
cause a policy failure on another. A failure on one system does not mean that the other systems
will not be changed. This accords with how SAP defines and works with passwords in a CUA
landscape.
When CUA is configured on the adapter but the module is not installed on the central system,
or the attribute is not configured on the adapter, productive password changes are applied to
the central system only. Setting initial passwords or performing a password reset (that is,
setting passwords that are expired) is not affected by this configuration.
Renaming Accounts
The SAP adapter now supports renaming accounts, except when CUA mode is enabled on the
adapter. The adapter performs this function by copying an existing account to a new account
and deleting the original. SAP discourages renaming accounts, but provides the option in the
user management application (Transaction SU01 from the SAP GUI). Therefore, Identity
Manager also supports the option. Be aware that SAP may not support the rename feature in
future releases.
The SAP GUI uses a different method to perform the rename because it has access to
non-public APIs and to the SAP kernel. The following steps provide a high-level description of
how the adapter performs the rename operation:
9 Set the Alias on the new user if one was set on the old user.
If an error occurs during steps 1-3, the operation fails immediately. If an error occurs during
steps 4-7, the new user is deleted and the whole operation fails. (If the new user cannot be
deleted, a warning is placed into the WavesetResult). If an error occurs during steps 8-9, a
warning is added to the WavesetResult, but the operation succeeds.
The Rename operation requires that a new password be set on the new user. This is most easily
accomplished by customizing the Rename User Task to invoke the Change User Password
Task.
The adapter provides an account attribute named GROUPS->USERGROUP that processes data
from the GROUPS table. By default this attribute is of type string, and the adapter then
processes its values as a list of strings. If you want the adapter to process data from the table
in the same manner as other tables, change the data type to complex.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
■ BAPI over SAP Java Connector (JCo)
■ SAP Secure Network Communications
Provisioning Notes
Feature Supported?
Pass-through authentication No
Before/after actions No
Account Attributes
The following table provides information about the default SAP account attributes. (Additional
attributes are provided if the Enable SAP GRC Access Enforcer? resource parameter is
selected.) All attribute types are String.
lastLoginTime LOGONDATA->LTIME Read only attribute that lists the most recent
login time.
Managed Objects
This adapter does not manage objects on the SAP resource.
Listable Objects
The following table describes the SAP objects that can be called using the listAllObjects
method within a user form.
Object Description
activityGroups Lists the activity groups (or roles) available for users. (Non-CUA mode
only)
cuaSystems When CUA is enabled, lists the names of the CUA children.
localActivityGroups When CUA is enabled, lists the activity groups that exist on a particular
child system in a CUA environment.
table Lists the contents of a column of an SAP table. The options map requires the
following parameters: name (the SAP table name), offset (the starting character
column in the table), and length (the length of the data field). Refer to the SAP
documentation for the BAPI RFC_GET_TABLE_ENTRIES to determine these values. See
“Additional Table Support” on page 351 for more information.
timeZones Lists the available time zones supported by the SAP system.
Identity Template
$accountId$
Sample Forms
SAPForm.xml
SAPUserForm_with_RoleEffectiveDates_Timezone.xml
SAPHRActiveSyncForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.SAPResourceAdapter
To determine which version of the SAP Java Connector (JCO) is installed, and to determine
whether it is installed correctly, run the following command:
The command returns the JCO version as well as the JNI platform-dependent and the RFC
libraries that communicate with the SAP system.
If the platform-dependent libraries are not found, refer to the SAP documentation to find out
how to correctly install the SAP Java Connector.
Identity Manager provides the SAP HR Active Sync adapter to support the following versions
of SAP HR:
■ SAP HR 4.5, 4.6, 4.7 (read-only access)
Adapter Details
The following table summarizes the attributes of the SAP HR Active Sync adapter:
Note – As of Identity Manager 6.0, the SAP HR Active Sync account attributes have a new
format. The resource user attributes in the schema map are now separated by : (colon) instead
of _ (underscore). This allows an attribute from SAP HR to be a path to arbitrarily deep
attributes instead of a simple attribute within the infotype. If you are upgrading either of these
products from a previous version, the default attributes are renamed by default as part of the
update script. The ResourceUpdater will print a message if it had a problem converting an
attribute. However, you should review your account attributes to ensure the conversion was
successful.
The SAP Application Link Enabling (ALE) technology enables communication between SAP
and external systems, such as Identity Manager. The SAP HR Active Sync adapter uses an
outbound ALE interface. In an outbound ALE interface, the base logical system becomes the
sender for outbound messages and the receiver of inbound messages. An SAP user will likely be
logged into the base logical system/client when making changes to the database (for example,
hiring an employee, updating position data, terminating an employee, etc.) A logical
system/client must also be defined for the receiving client. This logical system will act as the
receiver of outbound messages. As for the message type between the two systems, the Active
Sync adapter uses a HRMD_A message type. A message type characterizes data being sent
across the systems and relates to the structure of the data, also known as an IDoc type (for
example, HRMD_A05).
Note – You must configure the SAP system parameters to enable Application Link Enabling
(ALE) processing of HRMD_A IDocs. This allows for data distribution between two
application systems, also referred to as messaging.
1 Enter transaction code SPRO, then display the SAP Reference IMG project (or the project
applicable to your organization).
2 Based on the SAP version you are using, perform one of the following:
■ For SAP HR 4.6, click Basic Components > Application Link Enabling (ALE) > Sending
and Receiving Systems > Logical Systems > Define Logical System.
■ For SAP HR 4.7, click SAP Web Application Server > Application Link Enabling (ALE)
> Sending and Receiving Systems > Logical Systems > Define Logical System.
■ For SAP HR 5.0, click SAP Netweaver > SAP Web Application Server > IDOC
Interface/Application Link Enabling (ALE) > Basic Settings > Logical Systems > Define
Logical System.
■ For SAP HR 6.0, click SAP Netweaver > Web Application Server > IDOC
Interface/Application Link Enabling (ALE) > Basic Settings > Logical Systems > Define
Logical System.
4 Enter a name and a description for the logical system you want to create (IDMGR).
1 Enter transaction code SPRO, then display the SAP Reference IMG project (or the project
applicable to your organization).
2 Based on the SAP version you are using, perform one of the following:
■ For SAP 4.6, click Basis Components > Application Link Enabling (ALE) > Sending and
Receiving Systems > Logical Systems > Assign Client to Logical System.
■ For SAP 4.7, click SAP Web Application Server > Application Link Enabling (ALE) >
Sending and Receiving Systems > Logical Systems > Assign Client to Logical System.
■ For SAP 5.0, click SAP Netweaver > SAP Web Application Server > IDOC
Interface/Application Link Enabling (ALE) > Basic Settings > Logical Systems > Assign
Client to Logical System.
■ For SAP HR 6.0, click SAP Netweaver > Web Application Server > IDOC
Interface/Application Link Enabling (ALE) > Basic Settings > Logical Systems > Define
Logical System.
4 Click GOTO > Details to display the Client Details dialog box.
5 In the Logical System field, enter the logical system you want to assign to this client.
6 In the Changes and Transports for Clients section, click Automatic Recording of Changes.
2 Enter transaction code BD64. Ensure that you are in Change mode.
4 Enter the short and technical names for your view, as well as the start and end date, then click
Continue.
5 Select the view you created, then click Add Message Type.
8 In the Protection Client Copier and Comparison Tool section, click Protection Level: No
Restriction.
9 Define the Message Type you want to use (HRMD_A), then click Continue.
10 Click Save.
4 In the RFC destination field, enter the name of the RFC destination system. (IDMRFC).
6 Enter a description for the new RFC destination, and then click Save.
7 Click the Registration Server Program radio button in the Activation Type pane.
8 Set the Program ID in the Start on Application Server pane. You should use the same value as the
RFC destination (IDMRFC), and then click Enter.
9 If the SAP system is a Unicode system, the port must be configured for Unicode. Click the Special
Options tab (MDMP & Unicode tab on some systems), and look for the Character Width In Target
System section. There is a setting for unicode and non-unicode.
10 Using the buttons at the top - Test Connection and Unicode Test - test the connection to the
Identity Manager resource. You must have the adapter started for the test to pass.
2 Select Transactional RFC, then click the Create icon. Enter IDMRFC for the RFC Destination.
Note – If you are using an existing distribution model and partner profile, you do not need to
automatically generate a partner profile. Instead, you can modify it to include the HRMD_A
message type.
2 Select the Model View. This should be the Model View previously created.
3 Ensure the Transfer IDoc immediately and Trigger Immediately radio buttons are selected.
4 Click Execute.
4 Select Outbound Parameters, then click Display. (On some systems, click the “+” icon beneath
the Outbound Parameters box.)
6 Click Outbound Options, then modify the receiver port so it is the RFC port name you created
(IDMGR).
7 From the Output Mode, select Transfer IDoc Immediately to send IDocs immediately after they
are created.
9 Click Continue/Save.
Generating an IDoc
▼ To Generate an IDoc
4 Click Execute.
6 The IDoc has been created. Check the Active Sync adapter log file to verify that an update was
received.
Not all available object types are resource objects. The following mapping applies to the object
types:
■ P, CP – the person's iDocs
■ S – the organizational roles iDoc (related to the user)
■ O – organization iDoc
■ C – job iDoc
Identity Manager processes the user-related iDoc types P and CP if no object types are
configured, and these object types provide the basic user information.
The user-related iDocs not only process iDoc data, but trigger BAPI calls unless the resource is
configured not to do so. You must configure the “Process rule” on the resource if the objects O
and/or C are processed. Via the process rule, you must allow for two distinct object types to be
processed. User-related objects (iDoc types P, CP, and S) will have the accountId mapped to the
SAP HR PERNR as before. The O and C types do not have a relation to a person and
consequently will not have an accountId mapped. The other attribute that allows for object type
identification is the OTYPE from the iDoc, when it is mapped.
Any attribute from the iDoc must be mapped in the resource configuration to be returned to the
Identity Manager server. All object types support future processing.
3 Name the variant and give it a description (Make note of the variant name so you can use it
when scheduling the job).
4 Select the HRMD_A message type, then click Save. You will be prompted to select variant
attributes. Select the background processing attribute.
5 Click Save.
Scheduling a Job
▼ To Schedule a Job
3 Assign Job Class. Job Class is the priority in which jobs are processed. Class A is the highest
priority and will be processed first. For a production environment, assign the class to B or C.
4 Schedule a start time. Click the Start Condition tab, then click Date and Time. Enter a scheduled
start time, which must be a future event.
a. Mark the job as a periodic job. Click the Periodic Values tab, schedule how frequently you
want the job to run, then press Enter. For testing purposes, set this period to 5 minutes.
b. Click Save.
6 Click Save (Note: Click Save once; otherwise, the job will be scheduled to run multiple times).
2 Ensure that an IDoc was created. You can verify IDoc creation in two locations:
■ Enter transaction code WE02, enter search date parameters and generate a list of generated
IDOCs
■ Check the SAP HR Active Sync adapter log
1 From User Maintenance in SAP, enter a username in the user dialog box, then click the Create
icon.
2 Click the Address tab, then enter data in the last name and format fields.
3 Click the Logon Data tab, then define the initial password and set the user type to CPIC.
4 Click the Profiles tab, then add the SAP_ALL, SAP_NEW and S_A.CPIC profiles.
5 Click Save.
Note – Initially, you can create a dialog user to test your SAP system configuration. If there are
processing problems, you can analyze the dialog user in the debugger. You should also log into
the SAP system once to set this user’s password. After the system is tested and works properly,
you should switch to a CPIC user for security reasons.
Note – Make sure that the JCo toolkit you download matches the bit version of Java your
application server runs on. For example, JCo is available only in the 64-bit version on the
Solaris x86 platform. Therefore, your application server must be running the 64-bit version on
the Solaris x86 platform.
2 Unzip the toolkit and follow the installation instructions. Be sure to place library files in the
correct location and to set the environment variables as directed.
4 Download the SAP Java Base IDoc Class Library. The library will be in a zip file with a name
similar to sapidoc-1.0.1.zip.
7 Download the SAP Java Connector IDoc Class Library. The library will be in a zip file with a name
similar to sapidocjco-1.0.1.zip.
Usage Notes
This section provides information related to using the SAP HR Active Sync resource adapter,
which is organized into the following sections:
■ “General Notes” on page 369
■ “Enabling Secure Network Communications (SNC) Connections” on page 369
■ “SAP JCO and RFC Tracing” on page 369
General Notes
The following general notes are provided for the resource:
■ The sources.ResourceName.hosts property in the waveset.properties file can be used to
control which host or hosts in a cluster will be used to execute the synchronization portion
of an Active Sync resource adapter. ResourceName must be replaced with the name of the
Resource object.
The following environment variables can be set in the environment to enable SAP RFC tracing.
These variables must be set in the environment before starting the application server. They
control the shared library that JCO uses to communicate with the SAP system.
■ RFC_TRACE: 0 or 1
■ RFC_TRACE_DUMP: 0 or 1
■ RFC_TRACE_DIR: Path to the directory for the trace files
■ CPIC_TRACE_DIR: Path to the directory for the trace files
Note – If no JCO tracing is desired, set RFC_TRACE to 0 to ensure that no trace files are created.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses BAPI over SAP Java Connector (JCo) to communicate with the SAP
adapters.
Provisioning Notes
The default SAP HR Active Sync adapter is read-only. You cannot use this adapter to create or
modify accounts.
Feature Supported?
Enable/disable account No
Rename account No
Pass-through authentication No
Before/after actions No
Account Attributes
The account attributes in the schema map are now separated by a : (colon) instead of an _
(underscore). This allows an attribute from SAP HR to be a path to arbitrarily deep attributes
instead of a simple attribute within the infotype.
infoType:subType:iDocDef:attrName
Note – The iDocDef (IDoc definition) and attrName segments of an attribute path can be
expanded.
If the desired attribute is deeper than the first IDoc definition, an arbitrary number of IDoc
definitions can be specified before the attrName, as long as each one is separated by the
delimiter : (colon). For example, 0002::E2P0002001:E2Q0002002:PERNR has the following
elements:
infoType. 0002
subType. None. If an attribute does not have a subtype, use a null field or blank.
iDocDef1. E2P0002001
iDocDef2. E2Q0002002
attrName. PERNR
The IDoc Definition object can also be returned as a GenericObject. Using the above example,
to get the IDoc Definition of E2Q0002002 as a GenericObject, the resource user attribute would
be specified as 0002::E2P0002001:E2Q0002002 in the schema map.
In addition, [] (left and right brackets) can be appended to the pathname to indicate the
attribute is a list. For example, if it is possible for a particular attribute to have multiple values,
that attribute’s values will be returned as a list by appending [] to the attribute name. This
example would be similar to the following:
1001:B008:E2P1001001:VARYF[]
If the attribute has multiple values but [] is not appended to the attribute name, the last value
will be used as the value of the attribute.
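The path rules above (colon-separated segments, an arbitrary number of IDoc definitions before the attribute name, a trailing [] for lists, and the last value winning when [] is absent) can be exercised with the following parser and resolver. This is an added example written for this reference, not code from Identity Manager; the nested-object layout of the constructed IDoc (one object per segment, an array where a segment repeats) and the sample values are assumptions made for the example.

```javascript
// Added example, not code from the Identity Manager product: parse the
// infoType:subType:iDocDef...:attrName path and resolve it against a
// constructed IDoc. The object layout (nested objects per segment, arrays for
// repeated segments) is an assumption made for this example.

// Constructed sample IDoc data for infotypes 0002 (no subtype) and 1001/B008.
const SAMPLE_IDOC = {
  "0002": {
    "": {
      E2P0002001: {
        PERNR: "00001234",
        E2Q0002002: { PERNR: "00001234", NACHN: "Doe" },
      },
    },
  },
  "1001": {
    B008: {
      // The E2P1001001 segment repeats, so one attribute can carry several values.
      E2P1001001: [{ VARYF: "S 50001000" }, { VARYF: "S 50001001" }],
    },
  },
};

// Split a schema-map attribute path into its parts. A trailing [] marks a list.
function parseAttributePath(path) {
  const isList = path.endsWith("[]");
  const bare = isList ? path.slice(0, -2) : path;
  const parts = bare.split(":");
  if (parts.length < 3 || parts[0] === "") {
    throw new Error(`attribute path needs infoType:subType:iDocDef[...]: ${path}`);
  }
  return {
    infoType: parts[0],
    subType: parts[1],         // "" when the infotype has no subtype
    segments: parts.slice(2),  // IDoc definitions, optionally ending in an attribute name
    isList,
  };
}

// Resolve a path against an IDoc. Returns a list when the path ends in [],
// otherwise the last value seen, mirroring the rule stated in the text. When
// the path stops at an IDoc definition, the definition object itself is
// returned (the equivalent of the GenericObject described above).
function resolveAttribute(idoc, path) {
  const p = parseAttributePath(path);
  const subtype = (idoc[p.infoType] || {})[p.subType];
  let frontier = subtype === undefined ? [] : [subtype];
  for (const seg of p.segments) {
    const next = [];
    for (const node of frontier) {
      if (node === null || typeof node !== "object") continue;
      const value = node[seg];
      if (value === undefined) continue;
      if (Array.isArray(value)) next.push(...value); else next.push(value);
    }
    frontier = next;
  }
  if (p.isList) return frontier;
  return frontier.length === 0 ? null : frontier[frontier.length - 1];
}
```

With the constructed data, 0002::E2P0002001:E2Q0002002:PERNR resolves to the PERNR string, 0002::E2P0002001:E2Q0002002 to the whole E2Q0002002 definition, and 1001:B008:E2P1001001:VARYF[] to both VARYF values, while the same path without [] yields only the last one.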
The following tables provide information about SAP HR Active Sync account attributes.
Actions Attributes
org_jobtxt 0001::E2P0001001:JOBTXT
org_orgtxt 0001::E2P0001001:ORGTXT
org_postxt 0001::E2P0001001:POSTXT
Addresses Resources
recordnr_permanent_address 0006:1:E2P0006001:RECORDNR
recordnr_home_address 0006:3:E2P0006003:RECORDNR
Communication Resources
recordnr_communication_EMail 0105:0010:E2P0105001:RECORDNR
recordnr_communication_EMail2 0105:MAIL:E2P0105001:RECORDNR
Identity Template
$accountId$
Sample Forms
SAPForm.xml
SAPUserForm_with_RoleEffectiveDates_Timezone.xml
SAPHRActiveSyncForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
■ com.waveset.adapter.SAPHRActiveSyncAdapter
To determine which version of the SAP Java Connector (JCO) is installed, and to determine
whether it is installed correctly, run the following command:
The command returns the JCO version as well as the JNI platform-dependent and the RFC
libraries that communicate with the SAP system.
If the platform-dependent libraries are not found, refer to the SAP documentation to find out
how to correctly install the SAP Java Connector.
The SAP Enterprise Portal resource adapter supports the SAP NetWeaver Enterprise Portal. It is
defined in the com.waveset.adapter.SAPPortalResourceAdapter class.
Adapter Details
A Portal administrator must install the idmservice.par. This is done through the
administrative user interface for SAP Enterprise Portal by selecting the idmservice.par as the
file to upload.
Usage Notes
The SAP Enterprise Portal adapter accomplishes user provisioning by indirectly using the SAP
User Management Engine (UME). The adapter communicates with the Identity Manager portal
service. The portal service in turn makes direct UME calls.
To communicate with the Identity Manager service installed on the SAP Portal, the Identity
Manager Portal Service Endpoint resource attribute must be configured.
https://myhost:50000/irj/servlet/prt/soap/com.sap.portal.prt.soap.IDMService
The SAP Portal Administrator and SAP Portal Administrator Password resource attributes
define the username and password of an administrator of the SAP Portal.
The Test Configuration button verifies that the endpoint, username, and password are valid by
performing a status call on the Identity Manager portal service.
Security Notes
To enhance security, configure the following:
■ The com.sap.portal.prt.soap.IDMService portal service should only be accessible
through an SSL-encrypted port exposed by the Portal.
■ The com.sap.portal.prt.soap.IDMService/high_safety Security Zone should be
modified to include only the SAP super_admin role.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Rename account No
Before/after actions No
Account Attributes
The following table lists the SAP Enterprise Portal user account attributes. Unless otherwise
noted, the data type for all account attributes is String.
country country The ISO-3166 two-letter uppercase code of the country where
the user lives. This value does not necessarily match the
country specified in the locale.
currency currency The three letter uppercase code of the user’s currency, such as
USD, EUR, or YEN
salutation salutation The user’s form of address, such as Mr., Mrs., or Dr.
Identity Template
$accountId$
Sample Forms
A sample form is available at sample/forms/SAPPortalUserForm.xml. When this sample form
is used, you must also import sample/rules/SAPPortalUserFormRules.xml.
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.SAPPortalResourceAdapter
Additionally, you can set the following Identity Manager logging parameters for the resource
instance:
■ Log File Path
■ Maximum Log File Size
■ Log Level
To view the log for the portal service on the SAP Enterprise Portal server, see the
WEB-INF/portal/logs/idm.log file in the SAP server installation.
The portal service uses the logger idm_logger, which is defined in the PAR in the
PORTAL-INF/logger/logger.xml file. By default, the idm_logger is set to log ALL messages.
Scripted Gateway
36
Adapter Details
com.waveset.adapter.ScriptedGatewayResourceAdapter
The Sun Identity Manager Gateway (gateway.exe) must be installed on the host specified in the
Host field for the adapter.
Usage Notes
■ “Resource Actions” on page 388
■ “Scripts” on page 388
■ “Result Handling” on page 389
Resource Actions
The Scripted Gateway adapter allows you to create a set of actions that perform basic
provisioning functions such as creating, updating, deleting, and retrieving user accounts. Each
of these actions is defined in a Windows batch file.
create: Creates a new user. Required: No, but if not provided, users cannot be created.
delete: Deletes an existing user. Required: No, but if not provided, users cannot be deleted.
update: Updates attributes for an existing user. Required: No, but if not provided, users cannot
be updated.
For general information about resource actions, see Chapter 50, “Adding Actions to Resources.”
Scripts
The Scripted Gateway adapter implements actions as batch files that execute on the gateway.
These scripts must be written to run on the version of Windows that has been installed on the
machine running the scripts. The same account that runs the Gateway also runs the scripts.
Scripts should follow Windows conventions and exit with a return code of 0, which indicates
success. Returning a non-zero code (chosen by the script writer) indicates the operation may
not have been correctly completed.
Scripts may output text to the Windows standard error or standard output stream. Depending
on the nature of the operation, the context of the operation, and the type of failure, the text may
be displayed in the results for that operation.
For the getUser and getAllUsers operations, the text written to the standard output stream is
parsed to determine the attributes of each user.
[email protected]
WSUSER_First Name=JUnit
WSUSER_Full Name=JUnit TestUser
WSUSER_Last Name=TestUser
WSUSER_User ID=USER5647
WSUSER_ws_action_type=WindowsBatch
WSOBJ_ID=testuser
WSOBJ_NAME=testuser
WSRSRC_NAME=Scripted Gateway
WSRSRC_CLASS=com.waveset.adapter.ScriptedGatewayResourceAdapter
WSRSRC_Host=localhost
WSRSRC_List Objects Timeout=900000
WSRSRC_Request Timeout=30000
WSRSRC_TCP Port=9278
WSRSRC_connectionLimit=10
Result Handling
The AttrParse mechanism processes the results returned by the getUser and getAllUsers actions
through the standard output stream. See Chapter 49, “Implementing the AttrParse Object,” for
details about implementing AttrParse objects.
For getUser actions, AttrParse returns a map of user attributes. For the getAllUsers action, it
generates a map of maps. Each entry in the returned map contains the following:
■ A key that is the account ID or, if that is not known, the name.
■ A value that is a map of user attributes, as typically returned by AttrParse.
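The following added example (not the product's AttrParse implementation, and not code shipped with Identity Manager) shows how the standard output of a getUser or getAllUsers batch file can be turned into the map and map-of-maps shapes described above, while honouring the exit-code convention from the Scripts section. The record format it assumes (key=value lines, CRLF line endings, a blank line between users, accountId and name as the key attributes) and the sample output are constructed for the example.

```javascript
// Added example, not part of Identity Manager or its AttrParse object: parse
// the key=value text a getUser or getAllUsers batch file writes to standard
// output. Record layout (blank line between users, accountId/name keys, CRLF
// line endings) is an assumption made for this example.

// Constructed sample output of a getAllUsers script run on the gateway.
const SAMPLE_GETALLUSERS = [
  "accountId=USER5647",
  "name=testuser",
  "First Name=JUnit",
  "Last Name=TestUser",
  "Full Name=JUnit TestUser",
  "",
  "name=alovelace",              // no accountId known: keyed by name instead
  "Full Name=Ada Lovelace",
  "Note=trailing=equals=kept",   // only the first '=' separates key and value
  "",
  "Full Name=No Key At All",     // neither accountId nor name: cannot be addressed
].join("\r\n");

// Parse one record of key=value lines into a plain attribute map.
function parseAttrLines(text) {
  const attrs = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (eq <= 0) continue;                      // blank line or no key: skip
    attrs[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return attrs;
}

// Apply the exit-code convention: 0 is success, anything else fails the
// operation and carries whatever the script wrote to stderr as the reason.
function checkExitCode(action, result) {
  if (result.exitCode !== 0) {
    const reason = (result.stderr || "").trim();
    throw new Error(`${action} failed with exit code ${result.exitCode}: ${reason}`);
  }
}

// getUser: a single map of user attributes.
function parseGetUser(result) {
  checkExitCode("getUser", result);
  return parseAttrLines(result.stdout);
}

// getAllUsers: a map of maps keyed by account ID, or by name when no account
// ID is present. Records with neither key are dropped, since they cannot be
// addressed by the adapter.
function parseGetAllUsers(result) {
  checkExitCode("getAllUsers", result);
  const users = {};
  for (const block of result.stdout.split(/(?:\r?\n){2,}/)) {
    const attrs = parseAttrLines(block);
    const key = attrs.accountId || attrs.name;
    if (!key) continue;
    users[key] = attrs;
  }
  return users;
}
```

The result object passed in ({ exitCode, stdout, stderr }) stands in for what the gateway collects from the batch process; a non-zero exit code is surfaced as an exception rather than a silently empty map, so a script that failed is never mistaken for a host with no users.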
Gateway Timeouts
The Scripted Gateway adapter allows you to use the RA_HANGTIMEOUT resource attribute to
specify a timeout value, in seconds. This attribute controls how long before a request to the
gateway times out and is considered hung.
You must manually add this attribute to the Resource object as follows:
The default value for this attribute is 0, indicating that Identity Manager will not check for a
hung connection.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
The Sun Identity Manager Gateway is required.
Provisioning Notes
The following table summarizes the provisioning capabilities of the Scripted Gateway adapter.
Feature Supported?
Rename account No
Pass-through authentication No
Before/after actions No
Account Attributes
The Scripted Gateway adapter does not provide default account attributes because the account
attributes vary greatly.
You must define an account attribute in which the Identity System user attribute is named
accountId.
Identity Template
None. You must supply the identity template with a valid value.
Sample Forms
None
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.ScriptedGatewayResourceAdapter
Scripted Host
37
The Scripted Host resource adapter supports management of application user accounts on an
OS/390 mainframe. The adapter manages host applications over a TN3270 emulator session.
This adapter is a general purpose adapter, and is therefore highly configurable. The adapter
makes no assumptions about the host application being managed, and instead relies on calling
out to a set of customer-supplied scripts to perform the interactions with the host application.
Adapter Details
1 To add the Scripted Host resource to the Identity Manager resources list, you must add the
following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.ScriptedHostResourceAdapter
2 Copy the appropriate JAR files to the WEB-INF/lib directory of your Identity Manager
installation.
Host On Demand: The IBM Host Access Class Library (HACL) manages connections to the
mainframe. The recommended JAR file containing HACL is habeans.jar. It is installed with the
HOD Toolkit (or Host Access Toolkit) that comes with HOD. The supported versions of HACL
are in HOD V7.0, V8.0, V9.0, and V10.
However, if the toolkit installation is not available, the HOD installation contains the
following JAR files that can be used in place of habeans.jar:
■ habase.jar
■ hacp.jar
■ ha3270.jar
■ hassl.jar
■ hodbase.jar
See http://www.ibm.com/software/webservers/hostondemand/ for more information.
Attachmate WRQ: The Attachmate 3270 Mainframe Adapter for Sun product contains the files
needed to manage connections to the mainframe:
■ RWebSDK.jar
■ wrqtls12.jar
■ profile.jaw
Contact Sun Professional Services about getting this product.
3 Add the following definitions to the Waveset.properties file to define which service manages
the terminal session:
serverSettings.serverId.mainframeSessionType=Value
serverSettings.default.mainframeSessionType=Value
4 When the Attachmate libraries are installed into a WebSphere or WebLogic application server,
add the property com.wrq.profile.dir=LibraryDirectory to the
WebSphere/AppServer/configuration/config.ini or startWeblogic.sh file.
This allows the Attachmate code to find the licensing file.
5 The Scripted Host adapter requires customer-supplied JavaScript scripts. These scripts must be
compatible with Mozilla Rhino. Mozilla Rhino v1_5R2 ships with Identity Manager and is
located at $WSHOME/WEB-INF/lib/javascript.jar.
If you need improved JavaScript error reporting, the latest version of Mozilla Rhino
(http://www.mozilla.org/rhino/) offers much better messages for syntax errors and other
errors. The default javascript.jar can be replaced with a newer version from Mozilla.
6 Restart your application server so that the modifications to the Waveset.properties file can
take effect.
Usage Notes
This section provides information related to using the Scripted Host resource adapter, which is
organized into the following sections:
■ “Administrators” on page 395
■ “Specifying Resource Actions” on page 395
■ “SSL Configuration” on page 406
Administrators
Host resource adapters do not enforce maximum connections for an affinity administrator
across multiple host resources connecting to the same host. Instead, the adapter enforces
maximum connections for affinity administrators within each host resource.
If you have multiple host resources managing the same system, and they are currently
configured to use the same administrator accounts, you might have to update those resources to
ensure that the same administrator is not trying to perform multiple actions on the resource
simultaneously.
1 Loads the JavaScript from the ResourceAction corresponding to the current provisioning action.
2 Prepares the necessary Java input objects to make available to the JavaScript.
4 Processes the result returned (or exceptions and errors) from the JavaScript.
The $WSHOME/sample/ScriptedHost/ScreenSampleActions.xml file contains a set of sample
resource action definitions that could be used to provision users to a theoretical screen-based
host application. You will need to customize these definitions to your application.
The Scripted Host adapter supports end-user scripting for the following provisioning actions:
Action  Description  Required?
update  Update attributes for an existing user.  No, but if not provided, users cannot be updated.
Every action script receives an actionContext map, as defined by the java.util.Map class. The
possible contents of the map vary for each action. The following sections describe each action,
and provide the following information about the action:
■ Context. Describes the set of entries available in the actionContext map added into the
Javascript execution context by the adapter before the script executes.
■ Error Handling. Notes describing how the script is expected to handle abnormal or error
conditions.
For additional information about the actions listed in the previous table, see the following
sections:
■ “create Action” on page 397
■ “delete Action” on page 398
■ “disable Action” on page 399
■ “enable Action” on page 400
■ “getAccountIterator Action” on page 400
■ “getUser Action” on page 401
■ “listAll Action” on page 403
■ “login Action” on page 404
■ “logoff Action” on page 405
■ “update Action” on page 405
create Action
The create action creates a user in the host application. If the create action is not defined, then
new users cannot be added to the host application.
Context
attributes  java.util.Map  Map of attributes to set for the new user. The key identifies the attribute to set, and the value is the decrypted value to which the attribute should be set.
Error Handling
If any application-specific errors are found in a screen or response, the script should add
appropriate strings to the errors key. Determining that an error has occurred may require a
string search for various known error strings.
The presence of any items in the errors List is considered a creation failure. Additionally, any
throw from within the script is considered a creation failure.
delete Action
The delete action deletes a specified user from the host application. If no delete action is defined,
then users cannot be deleted from the host application.
Context
Error Handling
If any application-specific errors are found in a screen or response, the script should add
appropriate strings to the errors key. Determining that an error has occurred may require a
string search for various known error strings.
The presence of any items in the errors List is considered a deletion failure. Additionally, any
throw from within the script is considered a deletion failure.
disable Action
The disable action disables an existing user within the host application. If this action is not
defined, then users on the host application cannot be disabled.
Context
Error Handling
If any application-specific errors are found in a screen or response, the script should add
appropriate strings to the errors key. Determining that an error has occurred may require a
string search for various known error strings.
The presence of any items in the errors List is considered a disablement failure. Additionally,
any throw from within the script is considered a disablement failure.
enable Action
The enable action enables an existing user within the host application. If this action is not
defined, then users on the host application cannot be enabled.
Context
The actionContext map will contain the following entries:
errors  java.util.List  This is initially an empty list. The script must add java.lang.String objects to this list if any errors are found during processing.
Error Handling
If any application-specific errors are found in a screen or response, the script should add
appropriate strings to the errors key. Determining that an error has occurred may require a
string search for various known error strings.
The presence of any items in the errors List is considered an enablement failure. Additionally,
any throw from within the script is considered an enablement failure.
getAccountIterator Action
The getAccountIterator action returns an object used to perform iteration of existing users.
If you wish to perform account iteration (reconciliation, Load From Resource), either this
action or the listAll action must be defined.
If the getAccountIterator action is not defined, then account iteration will be performed by
calling listAll, and then calling getUser for each ID in the list from listAll.
If the getAccountIterator action is not defined and the listAll action is not defined, then account
iteration is not supported.
Inputs
The actionContext map will contain the following entries:
Return Value
The script must return a Java object that implements the Java interface
com.waveset.adapter.ScriptedHostAccessAdapter.ObjectIterator.
The nextObj Map argument to the next() method is to be populated by the script in the same
manner as the result entry discussed in the getUser action.
Error Handling
Any throw from within the script is considered an iteration failure.
Any thrown exceptions encountered while invoking methods on the Java object returned from
the script are also considered iteration failures.
getUser Action
The getUser action retrieves one of the following from the host application:
■ A string of screens or responses from which the adapter can parse the user attributes for a
given user.
■ A map of user attributes for a given user.
The getUser action must be defined.
Context
result  java.util.Map  The script adds entries to the map to return user attributes. See the entry table below.
The result map is expected to be populated by the script with the following entries:
text  String  Contains the text to be parsed for the user attributes. This may be the contents of one or more screens or responses. The user attributes will be extracted from this string later using the AttrParse object named in the attrParse entry of this map. Do not put this entry into the map if no matching user is found.
Do not add this field to the map. Populate the attrMap map instead.
attrParse  String  Name of an AttrParse object which will be used by the adapter to parse user attributes from the string found in the text entry of this map. Set this entry only in combination with setting the text entry.
attrMap  java.util.Map  If the script is capable of directly retrieving the user attributes, then the script can set this entry with a map of the user attributes. Note that this attrMap entry is respected by the adapter only if the text entry of this map is not present.
Error Handling
If there is no matching user found, then the result map should be left empty.
If any application-specific errors are found in a screen or response, the script should add
appropriate strings to the errors key. Determining that an error has occurred may require a
string search for various known error strings.
The presence of any items in the errors List is considered a retrieval failure. Additionally, any
throw from within the script is considered a retrieval failure.
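The getUser contract above, together with the errors/throw rules that every action section repeats, as an added example that is not part of this reference or of Identity Manager. It is written in plain JavaScript for a modern engine such as Node (not Rhino 1.5 syntax, and with no Java interop): actionContext is a JS Map standing in for java.util.Map, the "accountId" entry name is an assumption (the page does not list it), the screens and error strings are constructed, and parseScreen is a stand-in for the named AttrParse object, not the product's parser.

```javascript
// Constructed sample screens, standing in for what a screen-based host
// application might return for a user lookup. The field layout and the
// "USER NOT FOUND" / "COMMAND REJECTED" strings are invented for this example.
const SAMPLE_SCREENS = {
  alice: "USER ID: ALICE     NAME: ALICE EXAMPLE     STATUS: ACTIVE\n",
  bob: "USER NOT FOUND\n",
  carol: "COMMAND REJECTED - SESSION EXPIRED\n",
};

// Known error strings the script searches each screen for (constructed).
const KNOWN_ERROR_STRINGS = ["COMMAND REJECTED", "NOT AUTHORIZED"];

// Stand-in for the host session: returns the screen for a user ID, or throws
// to simulate a dropped connection when the ID is unknown to the sample.
function fetchScreen(accountId) {
  const key = String(accountId).toLowerCase();
  if (!Object.prototype.hasOwnProperty.call(SAMPLE_SCREENS, key)) {
    throw new Error("host session dropped while looking up " + accountId);
  }
  return SAMPLE_SCREENS[key];
}

// The getUser action script. The "accountId" entry name is an assumption;
// "result", "errors", "text" and "attrParse" follow the documented contract.
function getUserAction(actionContext) {
  const accountId = actionContext.get("accountId");
  const result = actionContext.get("result");
  const errors = actionContext.get("errors");
  const screen = fetchScreen(accountId);
  for (const marker of KNOWN_ERROR_STRINGS) {
    if (screen.includes(marker)) {
      errors.push("host error for " + accountId + ": " + screen.trim());
      return; // any item in errors makes the adapter treat this as a failure
    }
  }
  if (screen.includes("USER NOT FOUND")) {
    return; // no matching user: leave the result map empty
  }
  result.set("text", screen);
  result.set("attrParse", "SampleHostUserParse"); // AttrParse object name (assumed)
}

// Stand-in for the named AttrParse object: splits a screen into "KEY: VALUE"
// fields separated by runs of two or more spaces.
function parseScreen(text) {
  const attrs = {};
  for (const field of text.trim().split(/\s{2,}/)) {
    const sep = field.indexOf(": ");
    if (sep > 0) attrs[field.slice(0, sep)] = field.slice(sep + 2).trim();
  }
  return attrs;
}

// Adapter-side driver applying the documented rules: a throw is a failure,
// any item in errors is a failure, an empty result means no matching user.
function runGetUser(accountId) {
  const actionContext = new Map([
    ["accountId", accountId],
    ["result", new Map()],
    ["errors", []],
  ]);
  try {
    getUserAction(actionContext);
  } catch (e) {
    return { status: "failure", errors: [e.message] };
  }
  const errors = actionContext.get("errors");
  if (errors.length > 0) return { status: "failure", errors };
  const result = actionContext.get("result");
  if (result.size === 0) return { status: "not-found" };
  const attrs = result.has("text")
    ? parseScreen(result.get("text"))
    : Object.fromEntries(result.get("attrMap"));
  return { status: "found", attrs };
}
```

runGetUser("alice") resolves to a found user with parsed attributes, "bob" to not-found with an empty result map, "carol" to a failure recorded through the errors list, and an unknown ID to a failure raised by a throw; keeping the three outcomes distinct is what lets the adapter tell "no such user" apart from "the host refused the command".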
listAll Action
The listAll action retrieves a list of user IDs found for the host application.
If the listAll action is not defined, then you cannot call the FormUtil.listResourceObjects
methods for this resource instance from a form.
If the listAll action is not defined and the getAccountIterator action is not defined, then account
iteration (reconciliation, Load From Resource) is not supported.
Context
resultList  java.util.List  The script adds entries to this list. Each item added to the list by the script should be a string corresponding to a host account ID.
errors  java.util.List  This is initially an empty list. The script must add java.lang.String objects to this list if any errors are found during processing.
Error Handling
If any application-specific errors are found in a screen or response, the script should add
appropriate strings to the errors key. Determining that an error has occurred may require a
string search for various known error strings.
The presence of any items in the errors List is considered a retrieval failure. Additionally, any
throw from within the script is considered a retrieval failure.
login Action
The login action negotiates an authenticated session with the host required to manage users in
the custom host application. This action must be defined.
Context
errors  java.util.List  This is initially an empty list. The script must add java.lang.String objects to this list if any errors are found during processing.
Error Handling
If any application-specific errors are found in a screen or response, the script should add
appropriate strings to the errors key. Determining that an error has occurred may require a
string search for various known error strings.
The presence of any items in the errors List is considered a login failure. Additionally, any
throw from within the script is considered a login failure.
logoff Action
The logoff action performs a disconnect from the host. This is called when the connection is no
longer required. This action must be defined.
Context
Error Handling
If any application-specific errors are found in a screen or response, the script should add
appropriate strings to the errors key. Determining that an error has occurred may require a
string search for various known error strings.
The presence of any items in the errors List is considered a logoff failure. Additionally, any
throw from within the script is considered a logoff failure.
update Action
The update action updates a user in the host application. If the update action is not defined,
then users on the host application cannot be updated.
Context
errors  java.util.List  This is initially an empty list. The script must add java.lang.String objects to this list if any errors are found during processing.
Error Handling
If any application-specific errors are found in a screen or response, the script should add
appropriate strings to the errors key. Determining that an error has occurred may require a
string search for various known error strings.
The presence of any items in the errors List is considered an update failure. Additionally, any
throw from within the script is considered an update failure.
SSL Configuration
Identity Manager uses TN3270 connections to communicate with the resource.
See Chapter 53, “Mainframe Connectivity,” for information about setting up an SSL connection
to a RACF resource.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses TN3270 to communicate with the Scripted Host adapter.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Rename account No
Pass-through authentication No
Account Attributes
The Scripted Host adapter does not provide default account attributes, because the account
attributes will vary, depending on the host application being managed.
Identity Template
$accountId$
Sample Forms
None
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.ScriptedHostResourceAdapter
■ com.waveset.adapter.HostAccess
See the Troubleshooting section for the Top Secret adapter for more information about
troubleshooting the HostAccess class.
Additionally, for temporary tracing to stdout, the JavaScript scripts can call the Java
System.out.println() method. For example:
java.lang.System.out.println("Hello World");
Chapter 38 Scripted JDBC
Identity Manager provides a Scripted JDBC resource adapter to support management of user
accounts in any database schema and in any JDBC-accessible database. This adapter also
supports Active Sync to poll for account changes in the database.
Adapter Details
The Scripted JDBC resource adapter is a general purpose adapter, and is therefore highly
configurable. The adapter makes no assumptions about the database schema that is being
managed. Instead, the adapter calls out to a set of customer-supplied scripts to perform JDBC
interactions with the database. Currently, customer-supplied scripts can be written in
JavaScript (Rhino) or BeanShell.
Note – All connections to SQL Server must be performed using the same version of the
Microsoft SQL Server JDBC driver. (The possible versions are the 2005 or the 2000 version.)
This includes the repository as well as all resource adapters that manage or require SQL Server
accounts or tables, including the Microsoft SQL adapter, Microsoft Identity Integration Server
adapter, Database Table adapter, Scripted JDBC adapter, and any custom adapter based on
these adapters. Conflict errors occur if you attempt to use different versions of the driver.
Installation Notes
Copy the appropriate JDBC driver jar for the database you will manage to the WEB-INF\lib
directory of your Identity Manager installation.
Usage Notes
The customer-supplied scripts called by the Scripted JDBC adapter must be written in
Javascript or BeanShell. Identity Manager stores these scripts in the Identity Manager repository
as named ResourceAction objects.
Each Scripted JDBC resource instance is configured through a set of resource attributes that
reference the appropriate ResourceAction objects by name. At run-time, the adapter
1 Loads the script from the ResourceAction corresponding to the current provisioning action
(such as create, delete, or update).
2 Prepares the necessary Java input objects to make them available to the script.
Action  Description  Required?
create  Create a new user  No, but if not provided, you cannot create users
delete  Delete an existing user  No, but if not provided, you cannot delete users
disable  Natively disable an existing user  No, but if not provided, you cannot natively disable users
enable  Natively enable an existing user  No, but if not provided, you cannot natively enable users
getAccountIterator  Return an object used to perform iteration of existing users  No, but if you do not provide either getAccountIterator or listAll, you cannot perform account iteration
getActiveSyncIterator  Return an object used to perform Active Sync iteration  No, but if not provided, Active Sync is not supported
getUser  Fetch attributes for an existing user  No, but if not provided, user actions are not supported
listAll  Return a list of existing user (or other object type) IDs  No, but if you do not provide getAccountIterator or listAll, you cannot perform account iteration
update  Update attributes, rename, or change password of an existing user  No, but if not provided, you cannot modify, rename, or change user passwords
authenticate  Verify user ID and password  No, but required to perform pass-through authentication
Every action script receives an actionContext map, as defined by the java.util.Map class.
The possible map content varies for each action.
For additional information about the actions listed in the previous table, see the following
sections in this chapter:
■ “create Action” on page 412
■ “getUser Action” on page 413
■ “delete Action” on page 414
■ “update Action” on page 415
■ “enable Action” on page 416
■ “disable Action” on page 416
■ “listAll Action” on page 417
■ “getAccountIterator Action” on page 418
■ “getActiveSyncIterator Action” on page 420
■ “authenticate Action” on page 422
■ “test Action” on page 423
In addition to a description of these actions, each section provides the following information:
■ Context. This section describes the set of entries that are available in the actionContext
map the adapter adds into the JavaScript execution context before the script executes.
■ Error Handling. This section describes how the script is expected to handle abnormal or
error conditions.
create Action
Use the create action to create a user in the customer’s database. If the create action is not
defined, then the adapter cannot create new users in the customer’s database.
Context
The actionContext map contains the following entries:
password  java.lang.String  If present, this value is the new user’s decrypted password.
Error Handling
Any throw from within the script is considered a failure.
If the script encounters any errors, the script may also add appropriate strings to the errors
key. The presence of any items in the errors List is considered a creation failure.
getUser Action
The getUser action retrieves a map of existing user attributes from the customer’s database. If
the getUser action is not defined, the adapter cannot perform any user actions.
Context
The actionContext map contains the following entries:
result  java.util.Map  If the user does not currently exist in the database, the script should leave this map empty. If the user does exist, see the following description of the expected map.
The adapter expects the result map to be populated with the following entries:
attrMap  java.util.Map  If the script is capable of directly retrieving the user attributes, then the script can set this entry with a map of the user attributes. The attribute names are defined in the Resource User Attribute column of the resource’s schema map.
isDisabled  java.lang.Boolean or java.lang.String  If set by the script to a Boolean.TRUE or a true string, then the user is considered disabled.
Error Handling
Any throw from within the script is considered a failure.
If the script encounters any errors, it may add appropriate strings to the errors key. The
presence of any items in the errors List is considered a fetch failure.
delete Action
Use the delete action to delete users from the customer’s database. If the delete action is not
defined, then the adapter cannot delete users from the customer’s database.
Context
The actionContext map contains the following entries:
Error Handling
Any throw from within the script is considered a failure.
If the script encounters any errors, the script may add appropriate strings to the errors key.
The presence of any items in the errors List is considered a deletion failure.
update Action
Use the update action to update existing users in the customer’s database. An update can
include changing attributes, changing passwords, or renaming. If you do not define the update
action, the adapter cannot update users in the customer’s database.
Context
The actionContext map contains the following entries:
Error Handling
Any throw from within the script is considered a failure.
If the script encounters any errors, the script may add the appropriate strings to the errors key.
The presence of any items in the errors List is considered an update failure.
enable Action
Use the enable action to enable users in the customer’s database. Implement this action if the
schema of a user in the customer’s database supports the concept of enabled/disabled. If you do
not define the enable action, the adapter cannot enable users directly in the customer’s
database.
Context
The actionContext map contains the following entries:
Error Handling
Any throw from within the script is considered a failure.
If the script encounters any errors, the script may add the appropriate strings to the errors key.
The presence of any items in the errors List is considered a failure.
disable Action
Use the disable action to disable users in the customer’s database. Implement this action if the
schema of a user in the customer’s database supports the concept of enabled/disabled. If you do
not define the disable action, the adapter cannot disable users directly in the customer’s
database.
Context
The actionContext map contains the following entries:
Error Handling
Any throw from within the script is considered a failure.
If the script encounters any errors, the script may add the appropriate strings to the errors key.
The presence of any items in the errors List is considered a failure.
listAll Action
Use the listAll action to retrieve a list of user (or other object type) IDs found in the
customer’s database. If you do not define the listAll action, you cannot call the
FormUtil.listResourceObjects methods from a form for this resource instance.
In addition, if you do not define the listAll action or the getAccountIterator action, then
account iteration (reconciliation, Load From Resource) is not supported.
Context
The actionContext map contains the following entries:
Error Handling
Any throw from within the script is considered a failure.
If the script encounters any errors, the script may also add appropriate strings to the errors
key. The presence of any items in the errors List is considered a failure.
getAccountIterator Action
Use the getAccountIterator action to return an object to the adapter used to perform iteration
of existing users.
To perform account iteration (reconciliation, Load From Resource), you must define this action
or the listAll action. If you do not define the getAccountIterator action, account iteration
will be performed by calling listAll, and then calling getUser for each ID in the list from
listAll.
In addition, if you do not define the getAccountIterator or the listAll action, then account
iteration is not supported.
Context
The actionContext map contains the following entries:
The adapter expects the result map to be populated with the following entry:
iterator  com.waveset.adapter.script.ScriptedIterator  The script must set this value to a generated instance of the ScriptedIterator interface:
public interface ScriptedIterator {
    public boolean hasNext();
    public void next(java.util.Map nextObj);
    public void close();
}
See the next table for information about the nextObj map. The object must be capable of iterating over all the users in the customer’s database. The samples demonstrate how to accomplish this in BeanShell and JavaScript.
The adapter expects the nextObj map passed to the next method to be populated by the iterator
with attributes for each iterated user:
attrMap  java.util.Map  If the script is capable of directly retrieving the user attributes, then the script can set this entry with a map of the user attributes. The attribute names are defined in the Resource User Attribute column of the resource’s schema map.
isDisabled  java.lang.Boolean or java.lang.String  If set by the script to a Boolean.TRUE or a true string, then the user is considered disabled.
Error Handling
Any throw from within the script is considered a failure.
If the script encounters any errors, the script may also add appropriate strings to the errors
key. The presence of any items in the errors List is considered a failure.
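The ScriptedIterator contract just described, and the equivalent getAccountIterator return value in the Scripted Host chapter above, as an added example that is not part of this reference or of Identity Manager. It is plain JavaScript for a modern engine such as Node, with no Rhino/Java interop: the iterator is an ordinary object with the three documented methods (hasNext, next, close), nextObj and actionContext are JS Maps standing in for java.util.Map, the user rows and column names are constructed, and the case-insensitive reading of a "true" string for isDisabled is an assumption.

```javascript
// Constructed rows standing in for the customer's user table. Column names are
// invented; in a real resource they come from the schema map's
// Resource User Attribute column.
const SAMPLE_USER_ROWS = [
  { user_id: "alice", full_name: "Alice Example", disabled_flag: false },
  { user_id: "bob", full_name: "Bob Example", disabled_flag: "TRUE" },
  { user_id: "carol", full_name: "Carol Example", disabled_flag: "N" },
];

// The adapter accepts Boolean.TRUE or a "true" string for isDisabled; anything
// else means enabled. Matching the string case-insensitively is an assumption.
function isDisabledFlag(value) {
  if (value === true) return true;
  return typeof value === "string" && value.trim().toLowerCase() === "true";
}

// Builds an object with the ScriptedIterator shape: hasNext(), next(nextObj), close().
function makeScriptedIterator(rows) {
  let position = 0;
  let closed = false;
  return {
    hasNext() {
      return !closed && position < rows.length;
    },
    next(nextObj) {
      if (!this.hasNext()) throw new Error("next() called past the end of iteration");
      const row = rows[position++];
      // attrMap: attribute name -> value, keyed as in the schema map.
      nextObj.set("attrMap", new Map(Object.entries(row)));
      nextObj.set("isDisabled", row.disabled_flag);
    },
    close() {
      closed = true;
    },
  };
}

// The getAccountIterator action script: stores the iterator under result.iterator.
function getAccountIteratorAction(actionContext) {
  actionContext.get("result").set("iterator", makeScriptedIterator(SAMPLE_USER_ROWS));
}

// Adapter-side consumer mirroring the documented contract: a throw or any item
// in errors is a failure; otherwise drain the iterator and always close it.
function iterateAccounts() {
  const actionContext = new Map([["result", new Map()], ["errors", []]]);
  try {
    getAccountIteratorAction(actionContext);
  } catch (e) {
    return { status: "failure", error: e.message, accounts: [] };
  }
  if (actionContext.get("errors").length > 0) {
    return { status: "failure", error: "script reported errors", accounts: [] };
  }
  const iterator = actionContext.get("result").get("iterator");
  const accounts = [];
  try {
    while (iterator.hasNext()) {
      const nextObj = new Map();
      iterator.next(nextObj);
      accounts.push({
        attrMap: nextObj.get("attrMap"),
        isDisabled: isDisabledFlag(nextObj.get("isDisabled")),
      });
    }
  } catch (e) {
    // Exceptions raised by the iterator's own methods also count as failures.
    return { status: "failure", error: e.message, accounts };
  } finally {
    iterator.close();
  }
  return { status: "ok", accounts };
}
```

The close() call sits in a finally block so that a database cursor or host session behind a real iterator is released even when next() throws part-way through a reconciliation; an iterator that is never closed is the usual cause of connection-pool exhaustion on long Load From Resource runs.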
getActiveSyncIterator Action
The getActiveSyncIterator action returns an object to the adapter used to perform Active
Sync iteration.
If you want the resource to support Active Sync, you must define this action.
Context
The actionContext map contains the following entries:
The adapter expects the result map to be populated with the following entry:
iterator  com.waveset.adapter.script.ScriptedIterator  The script must set this value to a generated instance of the ScriptedIterator interface:
public interface ScriptedIterator {
    public boolean hasNext();
    public void next(java.util.Map nextObj);
    public void close();
}
See the next table for information about the nextObj map. The object must be capable of iterating over all the users in the customer’s database. The samples demonstrate how to accomplish this in BeanShell and JavaScript.
The adapter expects the nextObj map passed to the next method to be populated by the iterator
with attributes for each iterated user:
attrMap  java.util.Map  If the script is capable of directly retrieving the user attributes, then the script can set this entry with a map of the user attributes. The attribute names are defined in the Resource User Attribute column of the resource’s schema map.
isDisabled  java.lang.Boolean or java.lang.String  If set by the script to a Boolean.TRUE or a true string, then the user is considered disabled.
Error Handling
Any throw from within the script is considered a failure.
If the script encounters any errors, the script may also add appropriate strings to the errors
key. The presence of any items in the errors List is considered a failure.
authenticate Action
Use the authenticate action to authenticate user IDs and passwords against the customer’s
database. If you do not define the authenticate action, the resource cannot support
pass-through authentication.
Context
The actionContext map contains the following entries:
result  java.util.Map  The script can add an entry with the expired key and a Boolean.TRUE value to indicate that the user’s password has expired.
Error Handling
If the script executes without failure, the ID and password are considered valid.
If the script encounters any errors, the script may add appropriate strings to the errors key.
The presence of any items in the errors List is considered an authentication failure.
test Action
If defined, the test action is called during Test Configuration of the resource. A common use of
the test script is to verify the adapter’s ability to access required database tables.
Context
The actionContext map contains the following entries:
Error Handling
Any throw from within the script is considered a test failure.
If the script encounters any errors, the script may add the appropriate strings to the errors key.
The presence of any items in the errors List is considered a test failure.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter:
Feature Supported?
Account Attributes
The Scripted JDBC adapter does not provide any default account attributes because account
attributes vary greatly depending on the database schema being managed.
This adapter supports binary datatypes, including BLOBs in Oracle. The corresponding
attributes must be marked as binary on the schema map. Sample binary attributes include
graphics files, audio files, and certificates.
Security Notes
To determine supported connections and which administrative privileges are required, refer to
the product documentation for your managed database.
Identity Template
$accountId$
Sample Forms
■ MultiValueUserForm.xml
■ SimpleTableUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes/packages:
■ com.waveset.adapter.ScriptedJdbcResourceAdapter
■ com.waveset.adapter.JdbcResourceAdapter
■ com.waveset.adapter.script
Additionally, you can use the following statements in your scripts to enable tracing or write output.
■ With BeanShell, the following statement enables line tracing:
this.interpreter.TRACE=true;
■ With BeanShell, the following Java-style statement writes a string to stdout:
java.lang.System.out.println("Hello World");
■ With JavaScript, the following Java-style statement writes a string to stdout:
Packages.java.lang.System.out.println("Hello World");
If Active Sync is being performed, then you can set the following Identity Manager Active Sync
logging parameters for the resource instance:
■ Maximum Log Archives
■ Maximum Active Log Age
■ Maximum Log File Size
■ Log File Path
■ Log Level
Chapter 39 SecurID ACE/Server
Identity Manager provides resource adapters for supporting RSA SecurID ACE/Server.
Adapter Details
The following table summarizes the attributes of these adapters:
■ This SecurID user must log in to the ACE/Server with a password instead of a tokencode. Set
the RSA ACE Server user’s password to the same value specified on the adapter.
If the current RSA ACE Server system policy does not allow a password to be set using the
characters you need (for example, an alphanumeric PIN), or if you need to change the
default setting for user password expiration, edit the system parameters on the RSA ACE
Server Database console.
A password changed through the RSA ACE Server administrator console is a one-time
password that will expire the first time this user logs in. Use the RSA ACE Agent Test
Authentication facility to login so that you can change the user’s password to one that will
not expire immediately. Note that you may change it to the same value, so it’s still the same
as the password specified in the resource adapter.
■ On Windows, an RSA ACE Agent Host must be added for the host where the Identity
Manager gateway is running. This can be configured from the Database Administration -
Host Mode console interface on the system where the RSA ACE Server is running. You must
configure the DNS host name and network address, and you must specify which users have
access. In addition, the agent type must be set to Net OS Agent.
■ If a SecurID group name or site name contains a comma, Identity Manager might not be able
to parse the name correctly. Avoid using commas in SecurID group names and site names.
Usage Notes
This section provides information related to using the SecurID ACE/Server resource adapter,
which is organized into the following sections:
■ “Enabling Pass-Through Authentication on UNIX” on page 428
■ “Enabling Multiple Tokens” on page 429
■ “Password Policies” on page 432
Identity Manager <--> SecurID Unix Resource Adapter <--> SecurID Windows Adapter <-->
Sun Identity Manager Gateway <--> RSA ACE Agent for Windows <--> RSA UNIX Server
Note the following configuration and implementation points when enabling pass-through
authentication with the SecurID ACE/Server UNIX adapter:
■ The Sun Identity Manager Gateway and the RSA ACE Agent Host must reside on the same
Windows host. See the Resource Configuration Notes section for more information.
■ If the UNIX RSA server lists itself as a client, the account used to authenticate users must be
defined on the UNIX resource. See the Resource Configuration Notes section for more
information.
■ You must specify a value for the ACE Server Authentication Resource resource parameter
in the SecurID ACE/Server UNIX adapter. This value must match a resource name specified
in a valid SecurID ACE/Server (for Windows) adapter.
■ SecurID’s authentication policies require that the UNIX SecurID server be aware of the
RSA ACE Agent for Windows. The sdconf.rec file must be present and configured
correctly on the Windows host.
■ The RSA ACE Agent for Windows must be activated for users attempting to use
pass-through authentication.
■ Identity Manager must be configured to use the SecurID ACE/Server or SecurID
ACE/Server UNIX login module.
■ Candidate users for authentication must be configured with an Identity Manager role and
organization.
3 Rename the following Identity Manager User Attributes on the left side of SecurID ACE/Server
schema map:
Original Identity Manager User Attribute Renamed Identity Manager User Attribute
tokenClearPin token1ClearPin
tokenDisabled token1Disabled
tokenLost token1Lost
tokenLostPassword token1LostPassword
tokenLostExpireDate token1LostExpireDate
tokenLostExpireHour token1LostExpireHour
tokenLostLifeTime token1LostLifeTime
tokenPinToNTC token1PinToNTC
tokenPinToNTCSequence token1PinToNTCSequence
expirePassword token1NewPinMode
password token1Pin
tokenResync token1Resync
tokenFirstSequence token1FirstSequence
tokenNextSequence token1NextSequence
tokenSerialNumber token1SerialNumber
tokenUnassign token1Unassign
4 Add the following fields to the schema map to accommodate a second token:
token2ClearPin token2ClearPin
token2Disabled token2Disabled
token2Lost token2Lost
token2LostPassword token2LostPassword
token2LostExpireDate token2LostExpireDate
token2LostExpireHour token2LostExpireHour
token2LostLifeTime token2LostLifeTime
token2NewPinMode token2NewPinMode
token2PinToNTC token2PinToNTC
token2PinToNTCSequence token2PinToNTCSequence
password token2Pin
token2Resync token2Resync
token2FirstSequence token2FirstSequence
token2NextSequence token2NextSequence
token2SerialNumber token2SerialNumber
token2Unassign token2Unassign
5 Add the following fields to the schema map to accommodate a third token:
token3ClearPin token3ClearPin
token3Disabled token3Disabled
token3Lost token3Lost
token3LostPassword token3LostPassword
token3LostExpireDate token3LostExpireDate
token3LostExpireHour token3LostExpireHour
token3LostLifeTime token3LostLifeTime
token3NewPinMode token3NewPinMode
token3PinToNTC token3PinToNTC
token3PinToNTCSequence token3PinToNTCSequence
password token3Pin
token3Resync token3Resync
token3FirstSequence token3FirstSequence
token3NextSequence token3NextSequence
token3SerialNumber token3SerialNumber
token3Unassign token3Unassign
    <defvar name='unassignedTokens'>
      <invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
        <ref>:display.session</ref>
        <s>ListTokensByField</s>
        <ref>resource</ref>
        <map>
          <s>field</s>
          <s>7</s>
          <s>compareType</s>
          <s>2</s>
          <s>value</s>
          <s>128</s>
          <s>templateParameters</s>
          <ref>accounts[$(resource)].templateParameters</ref>
        </map>
        <s>false</s>
      </invoke>
    </defvar>
The values that may be assigned to the field, compareType, and value strings are defined in the
documentation for the RSA Sd_ListTokensByField function. Refer to the RSA publication
Customizing Your RSA ACE/Server Administration for more information.
Password Policies
If Identity Manager uses passwords that contain alphabet characters, and SecurID does not
permit alphabet characters in a PIN, the following message will be returned:
To correct this error, either modify the Identity Manager password policy for the resource so
that it cannot contain alphabet characters, or change the PIN restrictions on the resource to
permit alphabet characters.
Gateway Timeouts
The SecurID ACE/Server for Windows adapter allows you to use the RA_HANGTIMEOUT resource
attribute to specify a timeout value, in seconds. This attribute controls how long before a
request to the gateway times out and is considered hung.
You must manually add this attribute to the Resource object as follows:
The default value for this attribute is 0, indicating that Identity Manager will not check for a
hung connection.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager can use the following to communicate with the SecurID ACE/Server adapter:
■ Sun Identity Manager Gateway (Windows only)
■ Telnet (UNIX only)
■ SSH (UNIX only)
■ SSHPubKey (UNIX only)
For SSHPubKey connections, the private key must be specified on the Resource Parameters
page. The key must include comment lines such as --- BEGIN PRIVATE KEY --- and --- END
PRIVATE KEY --. The public key must be placed in the /.ssh/authorized_keys file on the
server.
A test connection can use different command options than a normal provision run.
Note – The Resource SecurID Administrators report lists all available administrators for the
SecurID resource. This report describes the properties of each administrator, including
administrator name, Admin level, Admin task list, Admin site, and Admin group. You can
download this report in both .csv and .pdf formats.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Before/after actions No
Account Attributes
The following table provides information about SecurID ACE/Server account attributes. The
data type for all attributes is String, unless otherwise noted.
The SecurID ACE/Server adapters do not support custom account attributes (known as User
Extension Data on SecurID) that contain multiple values.
Identity Manager User Attribute  Resource User Attribute  Description
adminLevel  adminLevel  The administrative level of the user. The value can be realm, site, or group. This is a read-only attribute.
adminSite  adminSite  The sites to which the administrator has access. This is a read-only attribute.
adminTaskList  adminTaskList  The name of the set of tasks that the administrator can perform. This is a read-only attribute.
remoteRealm  remoteRealm  For remote users, the realm the user is part of.
tokenClearPin  token1ClearPin  When set on a user update, it will cause the user's PIN to be cleared.
tokenDisabled  token1Disabled  When set on a user update, it will cause the user's PIN to be disabled.
tokenLost  token1Lost  When set to true on a user update, the account will be put in emergency access mode within RSA.
tokenLostPassword  token1LostPassword  When the value is not blank, the lost token will use the value given as the temporary passcode. If the value is blank, the legacy behavior of having RSA assign temporary passcodes is performed. This is a write-only attribute.
tokenLostExpireDate  token1LostExpireDate  Specifies the date when the "lost token" temporary password expires. This attribute is meaningful only when tokenLostPassword is not blank and tokenLostLifeTime is either blank or zero. This is a write-only attribute. This attribute is not implemented in the sample user form.
tokenLostExpireHour  token1LostExpireHour  Specifies the hour when the "lost token" temporary password expires. (For example, use 16 to represent 4:00 P.M.) This attribute is meaningful only when tokenLostPassword is not blank and tokenLostLifeTime is either blank or zero. This is a write-only attribute. This attribute is not implemented in the sample user form.
tokenNewPinMode  token1NewPinMode  When the user's account has been placed in New PIN Mode, specifies the user's new PIN.
tokenPinToNTC  token1PinToNTC  If set to true, begins the process of setting a PIN for a specified assigned token to next tokencode.
Identity Template
$accountId$
Sample Forms
SecurID User Form
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.SecurIdResourceAdapter
■ com.waveset.adapter.SecurIdUnixResourceAdapter
■ com.waveset.adapter.SVIDResourceAdapter
Tracing can also be enabled on the following methods to diagnose problems connecting to the
gateway on Windows systems:
■ com.waveset.adapter.AgentResourceAdapter#sendRequest
■ com.waveset.adapter.AgentResourceAdapter#getResponse
Shell Script
Chapter 40
Identity Manager provides the Shell Script resource adapter to manage a resource that is
controlled by shell scripts running on the system hosting the resource. This adapter is a general
purpose adapter, and is therefore highly configurable.
Adapter Details
Usage Notes
Do not use control characters (for example, 0x00, 0x7f) in user passwords.
Resource Actions
The Shell Script adapter allows you to create a set of actions that perform basic provisioning
functions such as creating, updating, deleting, and retrieving user accounts. Each of these
actions is defined in a shell script. The Shell Script adapter works by running resource actions as
a UNIX resource adapter. To run resource actions, this adapter must
■ Run its create, delete, and update operations under its /tmp directory.
■ Have the ability to run commands such as mkdir, umask, touch, cat, chmod, rm -f, rmdir,
find, and set, and to use operators such as <, <<, >, >>.
The adapter supports the provisioning actions listed in the following table:
Action  Description  Required?
create  Creates a new user.  No, but if not provided, users cannot be created.
delete  Deletes an existing user.  No, but if not provided, users cannot be deleted.
getAllUsers  Gets information about all users on the resource.  No, but if not provided, operations that depend on account iteration, such as reconciliation and Load From Resource, will not be available.
update  Updates attributes for an existing user.  No, but if not provided, users cannot be updated.
For general information about resource actions, see Chapter 50, “Adding Actions to Resources.”
Scripts
The Shell Script adapter implements actions as shell script files that execute on the resource
host. These scripts must be written to run on the shell that has been configured for the account
running the scripts on the resource host.
Scripts should follow convention and exit with a return code of 0 to indicate success. A
non-zero return code (chosen by the script writer) indicates that the operation may not have
completed correctly.
Scripts may output text to the standard error or standard output stream. Depending on the
nature of the operation, the context of the operation, and the type of failure, the text may be
displayed in the results for that operation.
For the getUser and getAllUsers operations, this text is parsed in the standard output stream to
determine the attributes of each user.
Generally, if an attribute's value is null, omit the corresponding environment variable rather
than setting it to a zero-length string.
For more information about the variables available in a script, see Chapter 50, “Adding Actions
to Resources.”
Result Handling
The AttrParse mechanism processes the results returned by the getUser and getAllUsers
actions through the standard output stream. See Chapter 49, “Implementing the AttrParse
Object,” for more information about this mechanism.
For getUser actions, AttrParse returns a map of user attributes. For the getAllUsers action, it
generates a map of maps. Each entry for the returned map contains the following.
■ A value that is a map of user attributes similar to those typically returned by AttrParse.
■ A key that is the account ID, or if that is not known, the name.
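The following is an added example, not code from Identity Manager or its documentation: skeletons for a create action and a getAllUsers action that follow the rules above (run under /tmp, use only mkdir/umask/chmod/cat/rm -f/rmdir, exit 0 on success and non-zero otherwise, omit empty attributes, write per-user attributes to standard output for AttrParse). It assumes that user attributes arrive as WSUSER_<attribute> environment variables (the page shows %WSUSER_accountId% in a proxy script; Chapter 50 defines the actual set) and uses a name=value line format that must be matched to the resource's AttrParse definition from Chapter 49. SS_WORKDIR, ss_create, ss_get_all_users and the sample passwd file are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Identity Manager product or its documentation:
# skeletons for two Shell Script adapter actions, "create" and "getAllUsers".
#
# Assumptions (labelled, because this page does not define them):
#   - user attributes reach the script as environment variables WSUSER_<attr>
#     (the page shows %WSUSER_accountId% in a Windows proxy script; Chapter 50
#     defines the exact set);
#   - the "name=value" line format, with a blank line between accounts, must
#     match the AttrParse definition your resource actually uses (Chapter 49);
#   - SS_WORKDIR lets the demonstration write somewhere other than /tmp.

# create action: exits non-zero (the code is the script writer's choice) on
# every failure path, so Identity Manager can tell the create did not complete.
ss_create() {
    acct="${WSUSER_accountId:-}"
    if [ -z "$acct" ]; then
        echo "create: WSUSER_accountId is not set" >&2
        return 2
    fi
    # Accept only a plain login name: an attribute value is user-influenced
    # input and must never reach the shell as extra words or a path component.
    case "$acct" in
        *[!A-Za-z0-9._-]*|.*)
            echo "create: account ID '$acct' contains disallowed characters" >&2
            return 3 ;;
    esac
    umask 077                                   # staging files are private
    work="${SS_WORKDIR:-/tmp}/ss-create-$acct"
    mkdir "$work" || return 4
    # Stage the record; a real action would run useradd (or sudo useradd) here.
    printf 'accountId=%s\nfullname=%s\n' "$acct" "${WSUSER_fullname:-}" > "$work/record" || return 5
    chmod 600 "$work/record"
    cat "$work/record"                          # stdout is shown in the task result
    rm -f "$work/record" && rmdir "$work"
    return 0
}

# getAllUsers action: one attribute block per account on stdout for AttrParse.
# Reads a passwd(4)-format file (default /etc/passwd); UIDs below 100 are
# treated as system accounts and skipped, an assumption to tune per resource.
ss_get_all_users() {
    pwfile="${1:-/etc/passwd}"
    while IFS=: read -r name pw uid gid gecos dir shell; do
        [ "$uid" -ge 100 ] 2>/dev/null || continue
        printf 'accountId=%s\n' "$name"
        # Omit an attribute entirely when it is empty instead of emitting "".
        [ -n "$gecos" ] && printf 'fullname=%s\n' "$gecos"
        printf 'dir=%s\n' "$dir"
        [ -n "$shell" ] && printf 'shell=%s\n' "$shell"
        printf '\n'
    done < "$pwfile"
    return 0
}

# Stand-alone demonstration on a constructed passwd file (not a real host).
ss_demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'root:x:0:0:Super-User:/:/usr/bin/sh' \
        'jdoe:x:1001:10:Jane Doe:/export/home/jdoe:/bin/ksh' \
        'svc:x:1002:10::/export/home/svc:' > "$tmp"
    ss_get_all_users "$tmp"
    rm -f "$tmp"
}
ss_demo
```

The account-ID check in ss_create is the part worth keeping whatever else you change: every attribute value the adapter hands the script came from an Identity Manager form or a reconciliation source, and the script runs with whatever privileges the resource account (or sudo) grants, so it should validate values before using them in paths or commands.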
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses the following connections to communicate with the shell script adapter:
■ Telnet
■ SSH (SSH must be installed independently on the resource.)
■ SSHPubKey
For SSHPubKey connections, the private key must be specified on the Resource Parameters
page. The key must include comment lines such as --- BEGIN PRIVATE KEY --- and --- END
PRIVATE KEY --. The public key must be placed in the /.ssh/authorized_keys file on the
server.
Provisioning Notes
The following table summarizes the provisioning capabilities of the Shell Script adapter.
Feature Supported?
Pass-through authentication No
Before/after actions No
Data loading methods If the getAllUsers action is defined, then the following data loading
methods are supported:
■ Import directly from resource
■ Reconciliation
Account Attributes
The Shell Script adapter does not provide default account attributes because the account
attributes vary greatly.
The account must have an account attribute in which the Identity System user attribute is
named accountId.
Identity Template
None. You must supply the identity template with a valid value.
Sample Forms
There are no sample user forms, but an example resource and AttrParse definition are
provided in the following location:
$WSHOME/sample/ShellScript/ShellScriptResourceObjects55.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.ShellScriptResourceAdapter
Siebel CRM
Chapter 41
Adapter Details
1 To add the Siebel CRM resource to the resources list, you must add the following value in the
Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.SiebelCRMResourceAdapter
2 Copy the appropriate JAR files to the InstallDir\idm\WEB-INF\lib directory, as listed in the
following table.
The JAR file versions must match the version of the Siebel CRM resource:
■ SiebelJI_Common.jar
■ SiebelJI_enu.jar
■ SiebelJI.jar

■ Siebel.jar
■ SiebelJI_enu.jar
Note – Do not copy the JAR files for multiple versions of Siebel into the
InstallDir\idm\WEB-INF\lib directory. You might encounter conflicts between versions.
Usage Notes
Choosing Business Objects and Components
By default, the Siebel CRM adapter uses the Employee Siebel business component of the
Employee Siebel business object for account provisioning. However, you can configure the
adapter to use any Siebel business component of any Siebel business object for account
provisioning.
■ To use a different business object, set the Account Business Object resource parameter
appropriately.
■ To use a different business component, set the Account Business Component resource
parameter to the name of the preferred business component.
Note – You must specify the business component within the specified business object.
You can use the Siebel Tools Client to inspect your business component and to verify which
attributes are available for provisioning. The default schema map has some common attributes
that are useful for the default Employee business component.
You may have to add, remove, or change attributes to manage your Siebel environment,
especially if you have configured the adapter to use a business object or business component
other than the default.
The following steps are a basic guide to discovering which attributes Identity Manager can
provision to your Siebel environment using the Siebel Tools client:
For a pick list field: The right-hand side must use the field!!keyAttr format, where:
■ field represents the name of the pick list field
■ keyAttr represents the name of a field within the associated pick-list business component
used to uniquely identify a member of the pick list.
For example: Employee Organization!!Name
If there are currently multiple values in an MVG with one of the values marked as the primary:
■ If any non-primary values are deleted from the set, the current primary will remain as the
primary.
■ If the MVG value set is replaced with a new single value, then the new single value will be
inserted and marked as the primary. All previous values are then removed.
■ If other non-primary values have been added, by default, the primary value will remain
unchanged.
To move a primary marker from an existing value to a new value when multiple values exist,
you must add an account attribute to the schema map. The name of this attribute must be in the
Advanced Navigation
The advanced navigation feature of the Siebel CRM adapter allows you to create and update
child business components. This is an advanced feature that is not typically implemented in
Identity Manager.
The advanced navigation feature allows you to optionally specify the following information
needed to create and update child business components:
■ business object name
■ parent business component name
■ parent search attribute
■ target business component
■ target search attribute
■ in scope attributes (which attributes of the business component should be set/updated)
■ optional co-action
An advanced navigation rule can be used during create and update actions. It cannot be used for
other types of actions.
To implement the advanced navigation feature of the Siebel CRM adapter, you must perform
the following tasks:
■ Add an attribute to the schema map in which the Resource User Attribute (right hand side)
is named PARENT_COMP_ID.
■ Use the debug page to manually add the following ResourceAttribute to your resource’s
XML
<ResourceAttribute name=’AdvancedNavRule’
displayName=’Advanced Nav Rule’
value=’MY_SIEBEL_NAV_RULE’>
</ResourceAttribute>
Attribute  Definition
parentBusComp  The name of the parent business component for busObj. The context of the business object is updated by moving to the first qualified (see parentSearchAttr) record of this business component.
parentSearchAttr  The attribute to use as the search field in the parentBusComp. The value to search for is expected to be present as the value for the attribute whose Resource User Attribute name is PARENT_COMP_ID.
busComp  The name of the final business component to create or update. If creating, then a new record of this business component will be created in the business object. If updating, then the business component record to update is selected by moving to the first qualified (see searchAttr) record of this business component.
searchAttr  The attribute to use as the search field in the busComp. The value to search for is the user's account ID.
attributes  A list of strings that specifies the set of fields in the busComp that will be set or updated. This list overrides the attributes defined in the resource's schema map for the action being performed.
coAction  If the requested action (resource.action) is create, then specify a coAction value of update to instruct the adapter to also perform an update immediately following the create. This may be necessary if the create cannot set all the necessary fields, and therefore an update must also occur to logically complete the create. This attribute will be ignored unless resource.action is create and coAction is set to update.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Enable/disable account No
Before/after actions No
Account Attributes
The default schema map assumes that the Employee business object and Employee business
component are configured. You might have to add, remove, or change attributes to manage
your Siebel environment, especially if you have configured the adapter to use a business object
or business component other than the default.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager can use HTTP or RSA to communicate with the Siebel CRM adapter. (See the
Siebel user documentation for more information.)
If necessary, you can manually configure the adapter to support additional resource object types
by editing the resource prototype XML as follows:
1 Add a new <ObjectType> element to the XML, following the default Employee:Position object
type example.
2 Replace Employee with the name of the preferred Siebel business object.
3 Replace Position with the name of the preferred Siebel business component.
4 Verify that the embedded <ObjectAttributes> element has an idAttr attribute that names
which <ObjectAttribute> will be used to uniquely identify each item in the business
component.
Identity Template
The default identity template is $accountId$.
Sample Forms
The following sample forms are provided with this resource adapter:
Form File
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.SiebelCRMResourceAdapter
Additionally, you can set the following Identity Manager Active Sync logging parameters for the
resource instance:
■ Maximum Log Archives
■ Maximum Active Log Age
■ Maximum Log File Size
■ Log File Path
■ Log Level
SiteMinder
Chapter 42
Adapter Details
Identity Manager provides adapters for supporting the following SiteMinder features:
■ Administrator accounts
■ LDAP repository users
■ Database table repository users
Adapter  Class
SiteminderAdmin  com.waveset.adapter.SiteminderAdminResourceAdapter
SiteminderLDAP  com.waveset.adapter.SiteminderLDAPResourceAdapter
SiteminderExampleTable  com.waveset.adapter.SiteminderExampleTableResourceAdapter
a. Create the host configuration object for your Web application server (copy of default
settings with Policy Server IP).
b. Use smreghost (from the agent installation directory) to register your application server.
1 Add one of the following values in the Custom Resources section of the Configure Managed
Resources page.
■ com.waveset.adapter.SiteminderAdminResourceAdapter
■ com.waveset.adapter.SiteminderLDAPResourceAdapter
■ com.waveset.adapter.SiteminderExampleTableResourceAdapter
3 If you plan to use the SiteMinder Admin resource adapter, you must set the LIBPATH (or
LD_LIBPATH, or SHLIB_PATH, depending on the application server platform) in the application
server startup script or environment before starting the application server.
For example, on Solaris, the Web agent is installed in the following directory, which contains a
file named nete_wa_env.sh:
/opt/netegrity/siteminder/webagent
For WebLogic, add these lines to startWeblogic.sh in
/bea/wlserver_Version/config/mydomain:
Usage Notes
None.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses JNDI over SSL to communicate with SiteMinder.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Enable/disable account  Yes for SiteMinder LDAP and Table. Not applicable for SiteMinder Admin.
Rename account No
Before/after actions No
Account Attributes
SiteMinder Admin
The following table lists the default account attributes for the SiteMinder Admin adapter.
Identity Manager User Attribute  Type  Description
smAdminScope  String  Admin scope defined for the host, port, and auth scheme to which the credentials apply.
expirePassword  Boolean  Forces the user to supply a new password upon login.
SiteMinder LDAP
The following table lists the default account attributes for the SiteMinder LDAP adapter.
Identity Manager User Attribute  Type  Description
accountId  String  User ID. This attribute maps to the uid resource user attribute.
accountId  String  Required. The user's full name. This attribute maps to the cn resource user attribute.
expirePassword  Boolean  Forces the user to supply a new password upon login.
Identity Template
$accountId$
Sample Forms
SiteminderAdminUserForm.xml
SiteminderExampleTableUserForm.xml
SiteminderLDAPUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.SiteminderAdminResourceAdapter
■ com.waveset.adapter.SiteminderLDAPResourceAdapter
■ com.waveset.adapter.SiteminderExampleTableResourceAdapter
Solaris
Chapter 43
Adapter Details
If you manage NIS accounts on Solaris, install patch 125549-01 for SPARC systems or patch
125550-01 for x86 systems to improve the performance of the logins command and the Solaris
adapter.
Usage Notes
The Solaris resource adapter primarily provides support for the following Solaris commands:
■ useradd, usermod, userdel
■ groupadd, groupmod, groupdel
■ passwd
For more information about supported attributes and files, refer to the Solaris manual pages for
these commands.
When a rename of a user account is executed on a Solaris resource, the group memberships are
moved to the new user name. The user’s home directory is also renamed if the following
conditions are true:
■ The original home directory name matched the user name.
■ A directory matching the new user name does not already exist.
The Bourne-compliant shell (sh, ksh) must be used as the root shell when connecting to a UNIX
resource (AIX, HP-UX, Solaris, or Linux).
The administrative account that manages Solaris accounts must use the English (en) or C locale.
This can be configured in the user’s .profile file.
In environments in which NIS is implemented, you can increase performance during bulk
provisioning by implementing the following features:
■ Add an account attribute named user_make_nis to the schema map and use this attribute in
your reconciliation or other bulk provisioning workflow. Specifying this attribute causes the
system to bypass the step of connecting to the NIS database after each user update on the
resource.
■ To write the changes to the NIS database after all provisioning has completed, create a
ResourceAction named NIS_password_make in the workflow.
New user accounts on Solaris resources remain locked until the passwd(1) command is
executed. After the user account on Solaris has been created, executing passwd -s <user> will
show the status as locked(LK). After an account is created natively, the “Locked out Accounts”
section of the Solaris Risk Analysis report will report the newly created account. In addition, the
“Accounts With No Password” section of the Risk Analysis report will not list the newly created
account.
Do not use control characters (for example, 0x00, 0x7f) in user passwords.
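As an added example (not part of the Identity Manager documentation), the following script classifies accounts the way the two Risk Analysis report sections above do, from the output of passwd -sa: accounts that are still locked (LK), which is the state a newly created account stays in until passwd(1) has been run for it, and accounts with no password (NP). The sample passwd -sa output is constructed, and the function names and the status codes in the comments are the example's own assumptions, checked against passwd(1).

```shell
#!/bin/sh
# Added example, not from the Identity Manager documentation: classify Solaris
# accounts from "passwd -sa" output the way the Risk Analysis report does.
# A freshly created account stays LK until passwd(1) is run for it; NP
# accounts have no password at all.
#
# Usage on a Solaris host:   passwd -sa | account_status_report
# Status codes (assumption, see passwd(1)): PS password set, LK locked,
# NP no password, NL non-login account.
account_status_report() {
    awk '
        $2 == "LK" { print "locked " $1 }
        $2 == "NP" { print "nopassword " $1 }
    '
}

# Given the account names Identity Manager just provisioned (argument 1,
# separated by spaces or newlines) and "passwd -sa" output on stdin, print
# the ones that are still locked, i.e. for which no passwd run has happened.
still_locked_after_create() {
    account_status_report | awk -v list="$1" '
        BEGIN { n = split(list, a); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 == "locked" && ($2 in want) { print $2 }
    '
}

# Constructed sample of "passwd -sa" output (not captured from a real host).
SAMPLE_PASSWD_S='root PS 01/01/08 0 0
jdoe LK
svc NP
webadm PS 03/14/08 7 56 7
tmp1 LK'

# Stand-alone demonstration: prints "locked jdoe", "nopassword svc", "locked tmp1".
printf '%s\n' "$SAMPLE_PASSWD_S" | account_status_report
```

Run the second function after a bulk create to confirm that the accounts you expect to be usable have actually had a password set; an account that is LK after provisioning is not a failure of the adapter, but it will not be able to log in until it is unlocked.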
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager can use the following connections to communicate with the Solaris adapter:
■ Telnet
■ SSH (SSH must be installed independently on the resource.)
■ SSHPubKey
For SSHPubKey connections, the private key must be specified on the Resource Parameters
page. The key must include comment lines such as --- BEGIN PRIVATE KEY --- and --- END
PRIVATE KEY --. The public key must be placed in the /.ssh/authorized_keys file on the
server.
The adapter also supports the sudo facility (version 1.6.6 or later), which can be installed on
Solaris 9 from a companion CD. sudo allows a system administrator to give certain users (or
groups of users) the ability to run some (or all) commands as root or another user.
In addition, if sudo is enabled for a resource, its settings will override those configured on the
resource definition page for the root user.
If you are using sudo, you must set the tty_tickets parameter to true for the commands
enabled for the Identity Manager administrator. Refer to the man page for the sudoers file for
more information.
The administrator must be granted privileges to run the following commands with sudo:
Note – A test connection can use different command options than a normal provision run.
The adapter provides basic sudo initialization and reset functionality. However, if a resource
action is defined and contains a command that requires sudo authorization, then you must
specify the sudo command along with the UNIX command. (For example, you must specify
sudo useradd instead of just useradd.) Commands requiring sudo must be registered on the
native resource. Use visudo to register these commands.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Enable/disable account  Solaris does not natively support Identity Manager enable and disable actions. Identity Manager simulates enabling and disabling accounts by changing the user password. The changed password is exposed on enable actions, but it is not exposed on disable actions. As a result, enable and disable actions are processed as update actions. Any before or after actions that have been configured to operate on updates will execute.
You can define resource attributes to control the following tasks for all users on this resource:
■ Create a home directory when creating the user
■ Copy files to the user’s home directory when creating the user
■ Delete the home directory when deleting the user
Account Attributes
The following table lists the Solaris user account attributes. Attributes are optional unless noted
in the description. All attributes are Strings.
Identity Manager User Attribute  Resource User Attribute  Description
Home directory  dir  The user's home directory. Any value specified in this account attribute takes precedence over a value specified in the Home Base Directory resource attribute.
Expiration date  expire  Last date the account can be accessed. This attribute is not supported for NIS accounts.
Last login time  time_last_login  The date and time of the last login. This value is read-only.
expirePassword  force_change  Forces the user to supply a new password upon login. This attribute is not listed in the schema map by default.
Identity Template
$accountId$
Sample Forms
Built-In
■ Solaris Group Create Form
■ Solaris Group Update Form
Also Available
SolarisUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.SolarisResourceAdapter
■ com.waveset.adapter.SVIDResourceAdapter
■ com.waveset.adapter.ScriptedConnection
Sun Java System Communications Services
Identity Manager provides the Sun Java System Communications Services resource adapter to
support Sun Java System Messaging Server (Messaging Server) and Sun Java System
Calendar Server (Calendar Server). These systems must implement LDAP Schema 2. In
addition, Sun Java System Directory Server must be used as the user store.
The Sun Java System Communications Services resource adapter is defined in the
com.waveset.adapter.SunCommunicationsServicesResourceAdapter class.
Adapter Details
This adapter extends the LDAP resource adapter. See the documentation for the LDAP adapter
for information about implementing LDAP-specific features.
The Communications Services adapter provides provisioning services for standard Directory
Server installations. It can also read the replication changelog of Directory Server and apply
those changes to Identity Manager users or custom workflows.
2 To verify that the server is configured to maintain special attributes for newly created or
modified entries, in the Directory Server console, click Configuration > select the root entry in
the navigation tree in the left pane.
3 Click Settings > verify that the Track Entry Modification Times box is checked.
The server adds the following attributes to a newly created or modified entry to determine if an
event was initiated from Identity Manager.
■ creatorsName: The DN of the person who initially created the entry.
■ modifiersName: The DN of the person who last modified the entry.
Usage Notes
Service Accounts
Create an Identity Manager service account to connect to Communications Services, rather
than using the administrator account CN=Directory Manager. Use your Directory Server
management tool to set permissions through an ACI (access control instructions) at each base
context.
Set the permissions in the ACI based on the source. If the adapter is connecting to an
authoritative source, then set read, search, and possibly compare permissions only. If the
adapter is used to write back, then you will need to set write and possibly delete permissions.
Note – If the account will be used for monitoring the changelog, an ACI should also be created
on cn=changelog. The permissions should be set to read and search only, because you cannot
write or delete changelog entries.
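An added example, not from the Identity Manager documentation, of what those permissions look like as Directory Server ACIs. The script generates the LDIF for a service-account ACI on a base context (read/search/compare for an authoritative source, plus write/delete only when the adapter writes back) and the read/search-only ACI on cn=changelog; the base DN and service account DN are placeholders, and the function names are the example's own. The ACI syntax is Sun Java System Directory Server's.

```shell
#!/bin/sh
# Added example, not from the Identity Manager documentation: generate the LDIF
# that grants a dedicated Identity Manager service account only the rights the
# adapter needs, instead of binding as cn=Directory Manager. The base contexts
# and the service DN are placeholders. Apply the output with, for example:
#   ldapmodify -h dirhost -p 389 -D "cn=Directory Manager" -w - -f idm-aci.ldif

# service_aci BASE_DN SERVICE_DN MODE
#   MODE "read"  -> read, search, compare (adapter reads an authoritative source)
#   MODE "write" -> additionally write and delete (adapter writes back)
service_aci() {
    base="$1"; svc="$2"; mode="$3"
    case "$mode" in
        read)  rights="read,search,compare" ;;
        write) rights="read,search,compare,write,delete" ;;
        *) echo "service_aci: mode must be read or write" >&2; return 1 ;;
    esac
    cat <<EOF
dn: $base
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "IdM service ($mode)"; allow ($rights) userdn="ldap:///$svc";)

EOF
}

# changelog_aci SERVICE_DN: read and search only. The adapter never writes or
# deletes changelog entries, so nothing more is granted there.
changelog_aci() {
    cat <<EOF
dn: cn=changelog
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "IdM changelog"; allow (read,search) userdn="ldap:///$1";)

EOF
}

# Stand-alone demonstration with placeholder DNs (constructed, not a real tree).
service_aci "ou=People,dc=example,dc=com" "uid=idm-svc,ou=Services,dc=example,dc=com" read
changelog_aci "uid=idm-svc,ou=Services,dc=example,dc=com"
```

Generate one service_aci block per base context the adapter is configured with, and choose the mode per context rather than globally: a context the adapter only reconciles from should not receive write rights because another context needs them.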
The following example script could be run on the proxy resource after creating a user:
SET PATH=c:\Sun\Server-Root\lib
SET SYSTEMROOT=c:\winnt
SET CONFIGROOT=C:/Sun/Server-Root/Config
mboxutil -c -P user/%WSUSER_accountId%.*
The following example script will delete the user’s mailboxes when the user is deleted.
SET PATH=c:\Sun\Server-Root\lib
SET SYSTEMROOT=c:\winnt
SET CONFIGROOT=C:/Sun/Server-Root/Config
mboxutil -d -P user/%WSUSER_accountId%.*
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses Java Naming and Directory Interface (JNDI) over TCP/IP or SSL to
communicate with the Communications Services adapter.
■ If you are using TCP/IP, specify port 389 on the Resource Attributes page.
■ If you are using SSL, specify port 636.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
Account Attributes
The syntax (or type) of an attribute usually determines whether the attribute is supported. In
general, Identity Manager supports Boolean, string, integer, and binary syntaxes. A binary
attribute is an attribute that can be safely expressed only as a byte array.
The following table lists the supported LDAP syntaxes. Other LDAP syntaxes might be
supported, as long as they are Boolean, string, or integer in nature. Octet strings are NOT supported.
LDAP Syntax  Type  OID
DN  String  1.3.6.1.4.1.1466.115.121.1.12
The following table lists additional supported attributes that are defined in the inetUser object
class.
Resource User Attribute  LDAP Syntax  Attribute Type  Description
inetUserStatus  Directory string  String  Specifies the status of a user's account with regard to global server access. The possible values are active, inactive, and deleted.
Resource User Attribute  LDAP Syntax  Attribute Type  Description
destinationIndicator  Printable string  String  This attribute is used for the telegram service.
physicalDeliveryOfficeName  Directory string  String  The office where deliveries are routed to.
postalAddress  Postal address  String  The office location in the user's place of business.
postalCode  Directory string  String  The postal or zip code for mail delivery.
postOfficeBox  Directory string  String  The P.O. Box number for this object.
title  Directory string  String  Contains the user's job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for suffix titles such as Esq. or DDS.
initials  Directory string  String  Initials for parts of the user's full name.
ipUser
The ipUser object class holds the reference to the personal address book container and the class
of service specifier.
The following table lists additional supported attributes that are defined in the ipUser object
class.
Resource User Attribute | Syntax | Attribute Type | Description
inetCoS | String, multi-valued | String | Specifies the name of the Class of Service (CoS) template supplying values for attributes in the user entry.
pabURI | String, single valued | String | LDAP URI specifying the container of the personal address book entries for this user.
userPresenceProfile
The userPresenceProfile object class stores the presence information for a user.
This object class may contain the vacationStartDate and vacationEndDate attributes, which are present as account attributes by default.
iplanet-am-managed-person
The iplanet-am-managed-person object class contains attributes that Sun Java System Access
Manager needs to manage users.
The following table lists additional supported attributes that are defined in the iplanet-am-managed-person object class.
Resource User Attribute | Syntax | Attribute Type | Description
iplanet-am-static-group-dn | DN, multi-valued | String | Defines the DNs for the static groups the user belongs to.
inetMailUser
The inetMailUser object class extends the base entry created by inetOrgPerson to define a messaging service user. It represents a mail account and is used in conjunction with inetUser and inetLocalMailRecipient.
The following table lists additional supported attributes that are defined in the inetMailUser
object class.
inetLocalMailRecipient
The inetLocalMailRecipient object class stores information that provides a way to designate an
LDAP entry as one that represents a local email recipient, to specify the recipient’s email
addresses, and to provide routing information pertinent to the recipient.
The following table lists additional supported attributes that are defined in the inetLocalMailRecipient object class. (All other attributes in this object class are present as account attributes by default.)
Resource User Attribute | LDAP Syntax | Attribute Type | Description
icsCalendarUser
The icsCalendarUser object class defines a Calendar Server user.
The following table lists additional supported attributes that are defined in the icsCalendarUser object class. (All other attributes in this object class are present as account attributes by default.)
Resource User Attribute | Syntax | Attribute Type | Description
icsSet | String, multi-valued | String | Defines one group of calendars. The value for this attribute is a six-part string, with each part separated by a dollar sign ($).
icsTimezone | String | String | The default time zone for this user or resource calendar if one is not explicitly assigned through their own user preferences.
Identity Template
None. You must supply the identity template with a valid value.
Sample Forms
■ Sun Java System Communications Services ActiveSync Form
■ Sun Java System Communications Services Create Group Form
■ Sun Java System Communications Services Create Organizational Unit Form
■ Sun Java System Communications Services Create Organization Form
■ Sun Java System Communications Services Update Group Form
■ Sun Java System Communications Services Update Organizational Unit Form
Troubleshooting
Use the Identity Manager debug pages to set trace options on one or more of the following
classes:
■ com.waveset.adapter.SunCommunicationsServicesResourceAdapter
■ com.waveset.adapter.LDAPResourceAdapter
■ com.waveset.adapter.LDAPResourceAdapterBase
45 Sybase ASE
The Sybase ASE resource adapter supports Sybase Adaptive Server Enterprise. It is defined in
the com.waveset.adapter.SybaseASEResourceAdapter class. This adapter replaces the
deprecated Sybase adapter (com.waveset.adapter.SybaseResourceAdapter).
Adapter Details
Use this adapter to support user accounts for logging into Sybase Adaptive Server Enterprise. If
you have a custom Sybase table, see Chapter 10, “Database Table” for information about using
the Resource Adapter Wizard to create a custom Sybase table resource.
2 Add the following value in the Custom Resources section of the Configure Managed Resources
page.
com.waveset.adapter.SybaseASEResourceAdapter
Usage Notes
None
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses JDBC over SSL to communicate with this adapter.
Stored Procedure | Required Privileges
sp_helpuser | None
sp_password | Only a System Security Officer can execute sp_password to change another user’s password. Any user can execute sp_password to change his or her own password.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature | Supported?
Rename account | No
Before/after actions | No
Account Attributes
The following table lists the default account attributes. All the default attributes are strings.
Because multiple databases can be managed, the Identity Manager administrator must add
account attributes for each database to be managed. These attributes must include the database
name as part of the attribute name in order to differentiate them from attributes for other
managed databases:
Attribute | Data Type | Description
userNameDBName | String | The user name of the account on the database. Setting a userName for a database will grant access to the database for the account, and clearing the userName for a database will remove access.
Managed Objects
This adapter does not manage objects on the Sybase ASE resource.
Listable Objects
The following table describes the Sybase objects that can be called using the listAllObjects
method within a user form.
Object | Description
managedDatabases | Lists the databases managed on the resource. This list is set on the Databases resource attribute.
Identity Template
$accountId$
Sample Forms
SybaseASEUserForm
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.SybaseASEResourceAdapter
■ com.waveset.adapter.JdbcResourceAdapter
Adapter Details
General Configuration
Follow these steps when setting up the IBM Tivoli Access Manager resource for use with
Identity Manager:
1 Install the IBM Tivoli Access Manager Java Runtime Component on the Identity Manager server.
2 Set your PATH variable to include the path to the JVM for your application server.
3 Run the pdjrtecfg -action config command to install the following Access Manager .jar
files to the JRE’s lib/ext directory:
■ ibmjceprovider.jar
■ ibmjsse.jar
■ ibmpkcs.jar
■ jaas.jar
■ local_policy.jar
■ PD.jar
■ US_export_policy.jar
■ ibmjcefw.jar
For more information, see the IBM Tivoli Access Manager Base Installation Guide.
4 Remove the following jar files from the InstallDir\idm\WEB-INF\lib directory (depending on
your application server, these files may have been removed during the Identity Manager
product installation):
■ jsse.jar
■ jcert.jar
■ jnet.jar
■ cryptix-jce-api.jar
■ cryptix-jce-provider.jar
5 Add the following lines to the java.security file, if they do not already exist:
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.net.ssl.internal.ssl.Provider
The number that follows security.provider in each line specifies the order in which Java consults
security provider classes and should be unique. The sequence numbers may vary in your
environment. If you already have multiple security providers in the java.security file, insert the
new security providers in the order given above and renumber any existing security providers.
Do not remove the existing security providers and do not duplicate any providers.
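As an added example (not from the Identity Manager or Tivoli Access Manager documentation), the following Python script performs the renumbering that step 5 describes: it inserts the two IBM providers at positions 2 and 3, shifts the existing providers down, never duplicates a provider, and leaves every other line of the file alone. The java.security fragment and the pre-existing provider classes in it are constructed sample data.

```python
"""Added illustration: insert the step 5 providers into the
security.provider.N list of a java.security file and renumber the rest,
keeping the sequence unique and never duplicating a provider."""

import re

PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)\s*$")

# Providers from step 5, keyed by the sequence number each should occupy.
IBM_PROVIDERS = {
    2: "com.ibm.crypto.provider.IBMJCE",
    3: "com.ibm.net.ssl.internal.ssl.Provider",
}

# Constructed java.security fragment with three existing providers; the
# non-provider lines must survive the rewrite untouched.
JAVA_SECURITY_BEFORE = """\
# Constructed sample, not a real JRE file
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
securerandom.source=file:/dev/urandom
"""


def provider_order(text):
    """Return the provider classes in the order Java will consult them."""
    found = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return [cls for _, cls in sorted(found)]


def insert_providers(text, new_providers):
    """Rewrite the provider list: existing providers keep their relative
    order, new ones go at the requested positions, and the whole list is
    renumbered 1..N with no gaps. Running it twice changes nothing."""
    lines = text.splitlines()
    order = provider_order(text)
    for pos, cls in sorted(new_providers.items()):
        if cls in order:            # do not duplicate any provider
            continue
        order.insert(pos - 1, cls)  # sequence numbers are 1-based
    renumbered = [f"security.provider.{i}={cls}"
                  for i, cls in enumerate(order, start=1)]
    out, emitted = [], False
    for line in lines:
        if PROVIDER_RE.match(line):
            if not emitted:         # first provider line becomes the block
                out.extend(renumbered)
                emitted = True
            continue                # drop the remaining old provider lines
        out.append(line)
    if not emitted:                 # file had no providers at all
        out.extend(renumbered)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(insert_providers(JAVA_SECURITY_BEFORE, IBM_PROVIDERS))
```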
-Djava.protocol.handler.pkgs=sun.net.www.protocol|com.ibm.net.ssl.internal.www.protocol
7 Make sure the IBM Tivoli Access Manager Authorization Server is configured and running.
The am directory must already exist. Successful completion creates these files in the c:\am
directory:
■ configfile
■ keystore
For more information, see IBM Tivoli Access Manager Authorization Java Classes
Developer’s Reference and IBM Tivoli Access Manager Administration Java Classes
Developer’s Reference.
3 Create the Access Manager SSL Config files on the Identity Manager server.
4 Create a Junction in Access Manager for the Identity Manager URLs. Refer to the Tivoli Access
Manager product documentation for more details.
The following example pdadmin command illustrates how to create a junction:
pdadmin server task WebSealServer create -t Connection -p Port -h Server -c ListOfCredentials -r -i JunctionName
5 Configure the Identity Manager Base HREF property for the WebSeal Proxy Server.
The Access Manager resource adapter is a custom adapter. You must perform the following
steps to complete the installation process:
1 Copy the pd.jar file from the Access Manager installation media to the $WSHOME/WEB-INF/lib
directory.
2 Add the following value in the Custom Resources section of the Configure Managed Resources
page:
com.waveset.adapter.AccessManagerResourceAdapter
Usage Notes
This section lists dependencies and limitations related to using the Access Manager resource
adapter.
If you want to use the Identity Manager single sign-on or pass-through authentication features
with this resource, you must use Access Manager as the Identity Manager proxy server. For
more information on proxy servers, see Identity Manager Deployment Guide.
4 You may edit the resource credential user ID and/or password by editing the appropriate field.
For security reasons, the credential password is never retrieved.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses JNDI over SSL to communicate with Access Manager.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature | Supported?
Rename account | No
Before/after actions | No
Account Attributes
Attribute | Data Type | Description
registryUID | String | Required. The account name stored in the user registry.
groups | String | The Access Manager groups that the user is a member of.
ssoUser | Boolean | Indicates whether the user has single sign-on abilities.
importFromRgy | Boolean | Indicates whether to import group data from the user registry.
gsoWebCreds | String | A list of Web resource credentials the user has access to.
gsoGroupCreds | String | A list of resource group credentials the user has access to.
Identity Template
The account name syntax is:
$accountId$
Sample Forms
Identity Manager provides the AccessManagerUserForm.xml sample form.
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.AccessManagerResourceAdapter
47 Top Secret
The Top Secret resource adapter supports management of user accounts and memberships on
an OS/390 mainframe using a TN3270 emulator session.
Adapter Details
The Top Secret resource adapter is defined in the
com.waveset.adapter.TopSecretResourceAdapter class.
An optional Generational Data Group (GDG) can be set up to contain the results of the
TSSAUDIT output. A GDG stores previous versions of the TSSAUDIT output. The Active Sync
adapter supports retrieving from a GDG to help avoid missing events if it is not able to run at its
normal time. The adapter can be configured to go back multiple generations to pick up any
events that it might have missed.
1 To add the Top Secret resource to the Identity Manager resources list, you must add the
following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.TopSecretResourceAdapter
2 Copy the appropriate JAR files to the WEB-INF/lib directory of your Identity Manager
installation.
Host On Demand: The IBM Host Access Class Library (HACL) manages connections to the mainframe. The recommended JAR file containing HACL is habeans.jar. It is installed with the HOD Toolkit (or Host Access Toolkit) that comes with HOD. The supported versions of HACL are in HOD V7.0, V8.0, V9.0, and V10. However, if the toolkit installation is not available, the HOD installation contains the following JAR files that can be used in place of habeans.jar:
■ habase.jar
■ hacp.jar
■ ha3270.jar
■ hassl.jar
■ hodbase.jar
See http://www.ibm.com/software/webservers/hostondemand/ for more information.
Attachmate WRQ: The Attachmate 3270 Mainframe Adapter for Sun product contains the files needed to manage connections to the mainframe.
■ RWebSDK.jar
■ wrqtls12.jar
■ profile.jaw
Contact Sun Professional Services about getting this product.
3 Add the following definitions to the Waveset.properties file to define which service manages
the terminal session:
serverSettings.serverId.mainframeSessionType=Value
serverSettings.default.mainframeSessionType=Value
4 When the Attachmate libraries are installed into a WebSphere or WebLogic application server,
add the property com.wrq.profile.dir=LibraryDirectory to the
WebSphere/AppServer/configuration/config.ini or startWeblogic.sh file.
This allows the Attachmate code to find the licensing file.
5 Restart your application server so that the modifications to the Waveset.properties file can
take effect.
Usage Notes
This section provides information related to using the Top Secret resource adapter, which is
organized into the following sections:
■ “Administrators” on page 496
■ “Resource Actions” on page 496
■ “SSL Configuration” on page 496
Administrators
TSO sessions do not allow multiple, concurrent connections. To achieve concurrency for
Identity Manager Top Secret operations, you must create multiple administrators. Thus, if two
administrators are created, two Identity Manager Top Secret operations can occur at the same
time. You should create at least two (and preferably three) administrators.
CICS sessions are not limited to one session per admin; however, you can define more than one
admin if desired.
If you are running in a clustered environment, you must define an admin for each server in the
cluster. This applies even if (as in the case of CICS) it is the same admin. For TSO, there must be
a different admin for each server in the cluster.
If clustering is not being used, the server name should be the same for each row (the name of the
Identity Manager host machine).
Note – Host resource adapters do not enforce maximum connections for an affinity
administrator across multiple host resources connecting to the same host. Instead, the adapter
enforces maximum connections for affinity administrators within each host resource.
If you have multiple host resources managing the same system, and they are currently
configured to use the same administrator accounts, you might have to update those resources to
ensure that the same administrator is not trying to perform multiple actions on the resource
simultaneously.
Resource Actions
The Top Secret adapter requires login and logoff resource actions. The login action negotiates
an authenticated session with the mainframe. The logoff action disconnects when that session is
no longer required.
See “Mainframe Examples” on page 536 for more information about creating login and logoff
resource actions.
SSL Configuration
Identity Manager uses TN3270 connections to communicate with the resource.
See Chapter 53, “Mainframe Connectivity,” for information about setting up an SSL connection
to a RACF LDAP resource.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature | Supported?
Rename account | No
Pass-through authentication | No
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses TN3270 to communicate with the Top Secret adapter.
Account Attributes
The following table provides information about the default Top Secret account attributes.
TSO Access | TSO_ACCESS | Boolean | Indicates whether the user has TSO access
OMVS Access | OMVS_ACCESS | Boolean | Indicates whether the user has OMVS access
The following table lists account attributes that are supported, but are not listed in the schema
map by default. The data type for these attributes is string.
Attribute | Description
CICS.OPTIME | Controls the period of time allowed before CICS considers a terminal user to be timed-out.
SOURCE | Specifies a list of source readers or terminal prefixes through which the associated ACID may enter the system.
TSO.TRBA | Specifies the relative block address (RBA) of the user’s mail directory entry in the broadcast data set.
TSO.TSODEST | Provides a default destination identifier for TSO generated JCL for TSO users.
TSO.TSOHCLASS | Assigns a default hold class for TSO generated JCL for TSO users.
TSO.TSOJCLASS | Assigns a default job class for TSO generated job cards from TSO users.
TSO.TSOMCLASS | Assigns a default message class for TSO generated JCL for TSO users.
TSO.TSOMSIZE | Defines the maximum region size (in kilobytes) that a TSO user may specify at logon.
TSO.TSOOPT | Assigns default options that a TSO user may specify at logon.
TSO.TSOSCLASS | Assigns a default SYSOUT class for TSO generated JCL for TSO users.
TSO.TSOUNIT | Assigns a default unit name to be used for dynamic allocations under TSO.
Contact your services organization for details about supporting other Top Secret resource
attributes.
Identity Template
$accountId$
Sample Forms
Built-In
None
Also Available
TopSecretUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following classes:
■ com.waveset.adapter.HostAccess
■ com.waveset.adapter.TopSecretResourceAdapter
The hostAccess object may be traced in Identity Manager. The class to trace through the debug
pages is com.waveset.adapter.HostAccess. Trace level 3 is sufficient to identify which
keystrokes and wait messages were sent to the mainframe; trace level 4 will display the exact
message sent and the response from the mainframe.
Note – Verify that the Trace File location is meaningful. By default the trace file is placed in the
application directory under InstallDir/idm/config. If the application is deployed from a WAR,
the path may need to be hard-coded with an absolute directory path. In a clustered
environment, the trace file should be written to a network share.
In addition to source tracing, it may also be useful to log the screen text before each attempt to
send keystrokes. This can be accomplished through a file writer. The sequence of commands is:
2 hostAccess.sendKeysAndWait(<cmd>,<msg>);
3 writer.newLine();
4 writer.write(hostAccess.getScreen());
5 writer.flush();
6 writer.close();
<filename> should reference the location of a file on the local file system of the application
server. The writer will open a handle to that location and write what is stored in its buffer when
the flush() method is invoked. The close() method releases the handle to the file. The
getScreen() method is useful to pass to this function to get a dump of the screen contents for
debugging purposes. This tracing should, of course, be removed once the screens are
successfully navigated and login / logout is performed successfully.
48 Windows NT
The Windows NT resource adapter is supported only for Windows local account management
on Windows OS versions currently supported by the gateway.
Adapter Details
The Windows NT resource adapter is defined in the com.waveset.adapter.NTResourceAdapter
class.
■ The gateway does a local login to authenticate user accounts, so its domain needs to trust the
domain for those accounts.
■ The resource admin account must be a member of the Account Operators group in each
domain that will be used to manage accounts. Each of these domains must trust the domain
that contains the resource admin account.
■ You cannot add an account to a local group unless the account's domain is trusted by the
local group's domain.
■ The domain of the service account must be trusted by the gateway domain.
When the gateway service is started, a local login of the service account is done. If any of the
resource admin accounts are different from the service account, or you will be doing
pass-through authentication for any of the domains, then the service account needs the Act As
Operating System and Bypass Traverse Checking user rights in the gateway domain. These
rights are required for the service account to log in as and impersonate another account.
If you will be creating home directories, then the resource admin account needs to be able to
create directories on the file system on which the directories will be created. If the home
directory will be created on a network drive, the resource admin account must have write access
to the file system in the TEMP or TMP environment variables of the gateway process; or, if not
defined, the gateway process's working directory (this is either WINNT or WINNT\system32).
If you will be running before, after, or resource actions, the resource admin account needs read
and write access to the file system in the TEMP or TMP environment variables of the gateway
process; or, if not defined, the gateway process's working directory (this is either WINNT or
WINNT\system32).
The gateway writes the scripts and the script output to one of these directories (the directory is
selected in the order in which they are mentioned).
Configure a separate resource adapter for each domain. The same gateway host can be used.
It should be possible to manage multiple domains using a single resource by overriding any
domain-specific resource attributes (the domain and possibly the administrator and password)
for each user.
Note –
■ Since a domain trusts itself, some of the trust relationships do not need to be made explicit
when the two domains in question are really the same domain.
■ You can use the same account for the resource admin account for all managed domains, as
well as the service account, if you set up the appropriate trust relationships, group
membership, and user rights.
Usage Notes
The Scripted Gateway adapter allows you to use the RA_HANGTIMEOUT resource attribute
to specify a timeout value in seconds. This attribute controls how long before a request to the
gateway times out and is considered hung. You must manually add this attribute to the resource
object as follows:
The default value for this attribute is 0, indicating that Identity Manager will not check for a
hung connection.
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
Identity Manager uses the Sun Identity Manager Gateway to communicate with this adapter.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature Supported?
The following administrative privileges are required to support Active Directory pass-through
authentication for Windows 2003 running in Windows 2000 mode.
■ When configuring the Gateway to run as a user, that user must have the Act As Operating
System User Right to perform pass-through authentication for the Windows NT and
Windows 2000/Active Directory resources. The user must also have the Bypass Traverse
Checking User Right, but this right is enabled for all users by default.
■ Accounts being authenticated must have the Access This Computer From The Network
User Right on the Gateway system.
■ When Identity Manager is updating user rights, there may be a delay before the security
policy is propagated. Once the policy has been propagated, you must restart the Gateway.
■ When performing account authentication, use the LogonUser function with the
LOGON32_LOGON_NETWORK logon type and the LOGON32_PROVIDER_DEFAULT
logon provider. (The LogonUser function is provided with the Microsoft Platform Software
Development Kit.)
Account Attributes
The following table provides information about Windows NT account attributes.
Identity Template
$accountId$
Sample Forms
Built-In
Windows NT Create Group Form
Also Available
NTForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.NTResourceAdapter
The AttrParse object encapsulates a grammar used to parse user listings. It is used primarily by
mainframe-based resource adapters that receive a screen of data at a time and must parse out
the desired results. (This technique is often called screen scraping.) The Shell Script and
Scripted Gateway adapters also use AttrParse with getUser and getAllUsers actions.
The adapters that use the AttrParse object model the screen as a Java string. An instantiation of
an AttrParse object contains one or more tokens. Each token defines a portion of the screen.
These tokens are used to “tokenize” the screen string and allow the adapters to discover the user
properties from the user listing.
After parsing a user listing, AttrParse returns a map of user attribute name/value pairs.
Configuration
As with all other Identity Manager objects, the AttrParse objects are serialized to XML for
persistent storage. AttrParse objects can then be configured to support differences in customer
environments. For example, the ACF2 mainframe security system is often customized to
include additional fields and field lengths. Since AttrParse objects reside in the repository, they
can be changed and configured to account for these differences without requiring that a custom
adapter be written.
As with all Identity Manager configuration objects, objects that are to be changed should be
copied, renamed, and then modified.
2 From the list of available objects, select the object you want to edit.
4 From the Configure page, select Import Exchange File to import the new file into Identity
Manager.
5 In your resource, change the AttrParse resource attribute to the name of the new AttrParse
string.
For examples of AttrParse objects that ship with Identity Manager see the
sample\attrparse.xml file. It lists the default AttrParse objects used by the screen scraping
adapters.
AttrParse Element
The AttrParse element defines the AttrParse object.
Attributes
Attribute | Description
name | Uniquely defines the AttrParse object. This value will be specified on the Resource Parameters page for the adapter.
Data
One or more tokens that parse user listings. The following tokens are supported by the AttrParse
object:
■ “collectCsvHeader Token” on page 511
■ “collectCsvLines Token” on page 512
■ “eol Token” on page 513
■ “flag Token” on page 514
■ “int Token” on page 515
■ “loop Token” on page 516
■ “multiLine Token” on page 516
■ “opt Token” on page 517
■ “skip Token” on page 518
■ “skipLinesUntil Token” on page 519
■ “skipToEol Token” on page 519
■ “skipWhitespace Token” on page 520
Example
The following example reads the first 19 characters of a line, trims extraneous white space, and
assigns the string as the value to the USERID resource attribute. It then skips forward five spaces
and extracts the NAME resource attribute. This attribute has a maximum of 21 characters, and
white space is trimmed. The sample checks for the string “Phone number: “. A telephone
number will be parsed out and assigned to the PHONE resource attribute. The phone number
begins after the space in “Phone number: “ and ends at the next space encountered. The trailing
space is trimmed.
The following strings satisfy the Example AttrParse grammar. (The • symbols represent spaces.)
gwashington123•••••ABCD•George•Washington••••Phone•number:•123-1234•
alincoln•••••••••••XYZ••Abraham•Lincoln••••••Phone•number:•321-4321•
In the first case after parsing, the user attribute map would contain:
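The following Python tokenizer is an added illustration (not Identity Manager's Java AttrParse code): it implements the Example grammar exactly as the text describes it, runs it over the two sample lines, and returns the user attribute map for each. The token kinds str, skip and text, and the grammar's list form, are assumptions that model the described behaviour rather than the product's XML element names.

```python
"""Added illustration: a small AttrParse-style tokenizer for the Example
grammar (19-char USERID, skip 5, 21-char NAME, "Phone number: ", PHONE up
to the next space), run over the manual's two sample lines."""

# Constructed sample user listing, padded to the widths the grammar expects
# (the manual shows the same lines with • standing for each space).
SAMPLE_LINES = [
    "gwashington123".ljust(19) + "ABCD " + "George Washington".ljust(21)
    + "Phone number: 123-1234 ",
    "alincoln".ljust(19) + "XYZ  " + "Abraham Lincoln".ljust(21)
    + "Phone number: 321-4321 ",
]

# The Example grammar as a token list. The token kinds (str, skip, text)
# are assumptions modelling the behaviour the manual describes; they are
# not the product's XML element names.
EXAMPLE_GRAMMAR = [
    ("str",  {"name": "USERID", "len": 19, "trim": True}),    # first 19 chars
    ("skip", {"len": 5}),                                     # five spaces
    ("str",  {"name": "NAME", "len": 21, "trim": True}),      # up to 21 chars
    ("text", {"match": "Phone number: "}),                    # must be present
    ("str",  {"name": "PHONE", "delim": " ", "trim": True}),  # to next space
]


class AttrParseError(ValueError):
    """Raised when the screen text does not satisfy the grammar."""


def parse_line(line, grammar=EXAMPLE_GRAMMAR):
    """Tokenize one screen line. Returns (attribute map, final parse pos)."""
    attrs, pos = {}, 0
    for kind, a in grammar:
        if kind == "skip":
            pos += a["len"]
        elif kind == "text":
            if not line.startswith(a["match"], pos):
                raise AttrParseError(f"expected {a['match']!r} at {pos}")
            pos += len(a["match"])
        elif kind == "str" and "len" in a:          # fixed-width field
            value = line[pos:pos + a["len"]]
            pos += a["len"]
            attrs[a["name"]] = value.strip() if a.get("trim") else value
        elif kind == "str":                         # runs to the delimiter
            end = line.find(a["delim"], pos)
            end = len(line) if end < 0 else end
            value = line[pos:end]
            pos = min(end + len(a["delim"]), len(line))
            attrs[a["name"]] = value.strip() if a.get("trim") else value
        else:
            raise AttrParseError(f"unknown token kind {kind!r}")
        if pos > len(line):
            raise AttrParseError(f"grammar ran past end of line at {pos}")
    return attrs, pos


def parse_listing(lines, grammar=EXAMPLE_GRAMMAR):
    """Apply the grammar to every line of a user listing."""
    return [parse_line(line, grammar)[0] for line in lines]


if __name__ == "__main__":
    for user in parse_listing(SAMPLE_LINES):
        print(user)
```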
collectCsvHeader Token
The collectCsvHeader token reads a line designated as the header of a comma-separated
values (CSV) file.
The Scripted Gateway adapter and Shell Script adapter, among others, can use this token. The
collectCsvHeader and collectCsvLines tokens are the only tokens that the Scripted Gateway
adapter can use.
Each name in the header must be the same as a resource user attribute on the schema map on
the resource adapter. If a string in the header does not match a resource user attribute name, it
and the values in the corresponding position in the subsequent data lines will be ignored.
Attributes
Attribute | Description
idHeader | Specifies which value in the header is considered the account ID. This attribute is optional, but recommended. If it is not specified, then the value for the nameHeader attribute will be used.
nameHeader | Specifies which value in the header is considered the name for the account. This is often the same value as idHeader, and if not specified, the value in idHeader is used. This attribute is optional but recommended.
delim | Optional. The string that separates values in the header. The default value is , (comma).
minCount | Specifies the minimum number of instances of the string specified in the delim attribute that a valid header must have.
trim | Optional. If set to true, then if a value has leading or trailing blanks, remove them. The default is false.
unQuote | Optional. If set to true, then if a value is enclosed in quotes, remove them. The default is false.
Data
None
Example
The following example identifies accountId as the value to be used for the account ID. White
space and quotation marks are removed from values.
collectCsvLines Token
The collectCsvLines token parses a line in a comma-separated values (CSV) file. The
collectCsvHeader token must have been previously invoked.
The Scripted Gateway adapter and Shell Script adapter, among others, can use this token. The
collectCsvHeader and collectCsvLines tokens are the only tokens that the Scripted Gateway
adapter can use.
Attributes
If any of the following attributes are not specified, then the value is inherited from the
previously-issued collectCsvHeader token.
Attribute | Description
nameHeader | Specifies which value is considered the name for the account.
delim | Optional. The string that separates values in the header. The default value is , (comma).
trim | Optional. If set to true, then if a value has leading or trailing blanks, remove them. The default is false.
unQuote | Optional. If set to true, then if a value is enclosed in quotes, remove them. The default is false.
Data
None
Example
The following example removes white space and quotation marks from values.
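The following Python model is an added illustration (not Identity Manager's Java code) of the collectCsvHeader and collectCsvLines token semantics described in the two sections above: header names are matched against the schema map and unmatched columns are dropped, idHeader and nameHeader default to each other, minCount validates the header, trim and unQuote clean each value, and a lines token inherits whatever options it does not set. The schema map and the CSV listing are constructed sample data.

```python
"""Added illustration: a model of the collectCsvHeader / collectCsvLines
tokens run over a constructed user listing."""

# Constructed schema map: the resource user attribute names on the adapter.
# A CSV column whose header is not in this set is ignored, values included.
SCHEMA_MAP = {"accountId", "fullName", "shell"}

# Constructed listing as a getAllUsers action might print it; the padding
# and quotes are there for trim/unQuote to remove, and uidNumber is unmapped.
CSV_LISTING = (
    ' "accountId" , "fullName" , "uidNumber" , "shell"\n'
    ' "jdoe" , "Jane Doe" , 1001 , /bin/bash\n'
    ' "rroe" , "Richard Roe" , 1002 , /bin/sh\n'
)


def _clean(value, trim, unquote):
    """Apply the trim and unQuote options to one field."""
    if trim:
        value = value.strip()
    if unquote and len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def collect_csv_header(line, schema_map, id_header=None, name_header=None,
                       delim=",", min_count=0, trim=False, unquote=False):
    """Model of collectCsvHeader: validate the header line and return the
    settings that a following collectCsvLines token inherits."""
    if line.count(delim) < min_count:
        raise ValueError(f"header has fewer than {min_count} {delim!r}")
    names = [_clean(v, trim, unquote) for v in line.split(delim)]
    id_header = id_header or name_header      # each defaults to the other
    name_header = name_header or id_header
    if id_header not in names or name_header not in names:
        raise ValueError("idHeader/nameHeader must name a header value")
    return {
        "names": names,
        "keep": [i for i, n in enumerate(names) if n in schema_map],
        "idHeader": id_header, "nameHeader": name_header,
        "delim": delim, "trim": trim, "unQuote": unquote,
    }


def collect_csv_lines(lines, header, **overrides):
    """Model of collectCsvLines: any option not given here (nameHeader,
    delim, trim, unQuote) is inherited from the collectCsvHeader token."""
    opts = {**header, **overrides}
    id_col = header["names"].index(opts["idHeader"])
    name_col = header["names"].index(opts["nameHeader"])
    users = []
    for line in lines:
        fields = [_clean(v, opts["trim"], opts["unQuote"])
                  for v in line.split(opts["delim"])]
        if len(fields) < len(header["names"]):
            raise ValueError(f"short data line: {line!r}")
        users.append({
            "id": fields[id_col],
            "name": fields[name_col],
            "attrs": {header["names"][i]: fields[i] for i in header["keep"]},
        })
    return users


def parse_csv_listing(text, schema_map=SCHEMA_MAP, line_opts=None,
                      **header_opts):
    """Header token on the first non-blank line, lines token on the rest."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = collect_csv_header(lines[0], schema_map, **header_opts)
    return collect_csv_lines(lines[1:], header, **(line_opts or {}))


if __name__ == "__main__":
    for user in parse_csv_listing(CSV_LISTING, id_header="accountId",
                                  min_count=3, trim=True, unquote=True):
        print(user)
```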
eol Token
The eol token matches the end of line character (\n). The parse position will be advanced to the
first character on the next line.
Attributes
None
Data
None
Example
The following token matches the end-of-line character.
<eol/>
flag Token
The flag token is often used inside an opt token to determine if a flag that defines an account
property exists on a user account. This token searches for a specified string. If the text is found,
AttrParse assigns the boolean value true to the attribute, then adds the entry to the attribute
map.
The parse position will be advanced to the first character after the matched text.
Attributes
Attribute | Description
name | The name of the attribute to use in the attribute value map. The name is usually the same as a resource user attribute on the schema map on the resource adapter, but this is not a requirement.
offset | The number of characters to skip before searching for the text for the token. The offset can have the following values:
■ 1 or higher moves the specified number of characters before trying to match the token’s text.
■ 0 searches for text at the current parse position. This is the default value.
■ -1 indicates the token’s text will be matched at the current parse position, but the parse position will not go past the string specified in the termToken attribute, if present.
termToken | A string to use as an indicator that the text being searched for is not present. This string is often the first word or label in the next line on the screen output. The parse position will be the character after the termToken string. The termToken attribute can only be used if the len attribute is negative one (-1).
Data
The text to match.
Examples
1 The following token will match AUDIT at the current parse position, and if found, adds
AUDIT_FLAG=true to the user attribute map.
<flag offset='-1' name='AUDIT_FLAG'>AUDIT</flag>
2 The following token will match xxxxCICS at the current parse position, where xxxx are any four
characters, including spaces. If this string is found, AttrParse adds CICS=true to the user
attribute map.
<flag offset='4' name='CICS'>CICS</flag>
int Token
The int token captures an account attribute that is an integer. The attribute name and integer
value will be added to the account attribute map. The parse position will be advanced to the first
character after the integer.
Attributes
Attribute Description
name The name of the attribute to use in the attribute value map. The name is usually the same as a
resource user attribute on the schema map on the resource adapter, but this is not a
requirement.
len Indicates the exact length of the expected integer. The length can have the following values:
■ 1 or higher captures the specified number of characters and checks to see if the text is an
integer value or if it matches the characters specified in the noval attribute.
■ -1 indicates the parser will take the longest string of digits starting at the current parse
position unless the next characters equal the noval attribute. This is the default value.
noval Optional. A label on the screen that indicates the attribute does not have an integer value.
Essentially, it is a null value indicator. The parse position will be advanced to the first character
after the noval string.
Data
None
Examples
1 The following token matches a 6-digit integer and puts the integer value of those digits into
the attribute value map for the SALARY attribute.
<int name='SALARY' len='6'/>
If the value 010250 is found, AttrParse adds SALARY=10250 to the value map.
2 The following token matches any number of digits and adds that integer value to the attribute
map for the AGE attribute.
<int name='AGE' len='-1' noval='NOT GIVEN'/>
If the value 34 is found, for example, AGE=34 is added to the attribute map. If the string NOT
GIVEN is found instead, no value is added to the attribute map for the AGE attribute.
loop Token
The loop token repeatedly executes the elements it contains until the input is exhausted.
Attributes
None
Data
Varies
Example
The following example reads the contents of a CSV file.
<loop>
<skipLinesUntil token=',' minCount='4' />
<collectCsvHeader idHeader='accountId' />
<collectCvsLines />
</loop>
multiLine Token
The multiLine token matches a pattern that recurs on multiple lines. If the next line matches
the multiLine’s internal AttrParse string, the parsed output will be added to the account
attribute map at the top level. The parse position will be advanced to the first line that doesn’t
match the internal AttrParse string.
Attributes
Attribute Description
Data
Any AttrParse tokens to parse a line of data.
Example
The following multiLine token matches multiple group lines that have a
GROUPS[space][space][space]= tag and a space delimited group list.
<multiLine opt='true'>
<t>GROUPS[space][space][space]=</t>
<str name='GROUP' multi='true' delim=' ' trim='true'/>
<skipToEol/>
</multiLine>
GROUPS[space][space][space]= Group1[space]Group2\n
GROUPS[space][space][space]= Group3[space]Group4\n
Unrelated text...
opt Token
The opt token parses optional strings that are arbitrarily complex, such as those that are
composed of multiple tokens. If the match token is present, then the internal AttrParse string
is used to parse the next part of the screen. If an optional section is present, the parse position
will be advanced to the character after the end of the optional section. Otherwise, the parse
position is unchanged.
Attributes
None
Data
Contains the apMatch token, followed by an AttrParse token.
apMatch. Contains the token to match to determine whether the optional section is present.
apMatch is a subtoken that can be used only within the opt token. apMatch token always
contains the flag token as a subtoken.
AttrParse. Specifies how to parse the optional part of the screen. This version of the AttrParse
element does not use the name argument. It can contain any other token.
Example
The following opt token attempts to match a CONSNAME= text token. If it is found, then it will
parse a string of length 8, trim white space, and add the string to the account attribute map for
the NETVIEW.CONSNAME attribute.
<opt>
<apMatch>
<t offset='-1'> CONSNAME= </t>
</apMatch>
<AttrParse>
<str name='NETVIEW.CONSNAME' len='8' trim='true' />
</AttrParse>
</opt>
skip Token
The skip token tokenizes areas of the screen that can be skipped and that don’t contain useful
information about the user that should be parsed. The parse position will be advanced to the
first character after the skipped characters.
Attributes
Attribute Description
Data
None
Examples
In the following examples, the first token skips 17 characters, while the second skips only one
character.
<skip len='17'/>
<skip len='1'/>
skipLinesUntil Token
The skipLinesUntil token skips over lines of input until one is found that has at least the
specified number of instances of a given string.
Attributes
Attribute Description
minCount The minimum number of instances of the string specified in the token attribute that must
be present.
Data
None
Example
The following token skips forward to the next line that contains two commas. The parse
position will be at the first character of that line.
skipToEol Token
The skipToEol token skips all characters from the current parse position to the end of the
current line. The parse position will be advanced to the first character on the next line.
Attributes
None
Data
None
Example
The following token skips all characters until the end of the current line. The parse position will
be at the first character of the next line.
<skipToEol/>
skipWhitespace Token
The skipWhitespace token is used to skip any number of white-space characters. The system
uses Java’s definition of white space. The parse position will be advanced to the first
non-white-space character.
Attributes
None
Data
None
Example
The following token skips all the white space at the current parse position.
<skipWhitespace/>
str Token
The str token captures an account attribute that is a string. The attribute name and string value
will be added to the account attribute map. The parse position will be advanced to the first
character after the string.
Attributes
Attribute Description
name The name of the attribute to use in the attribute value map. The name is usually the
same as a resource user attribute on the schema map on the resource adapter, but
this is not a requirement.
len Indicates the exact length of the expected string. The length can have the following
values:
■ 1 or higher captures the specified number of characters, unless the characters
equal the noval attribute.
■ -1 captures all the characters from the current parse position until the next
white-space character, unless the next characters equal the noval attribute. This
is the default.
term A string that indicates parsing should stop for this str token when any of the
characters in the string are reached. If the len argument is 1 or higher, then either the
str token will end at len, or the term character, whichever comes first.
termToken A string to use as an indicator that the text being searched for is not present. This
string is often the first word or label in the next line on the screen output.
The parse position will be the character after the termToken string. The string added
to the attribute map will be all the characters before the termToken was found.
The termToken attribute can only be used if the len attribute is negative one (-1).
trim Optional. A true or false value that indicates whether the returned value or
multiple values (if the multi attribute is specified) are trimmed before being added to
the account attribute map. The default value is false.
noval A label on the screen that indicates the attribute does not have a string value.
Essentially, it is a null value indicator. The parse position will be advanced to the first
character after the noval string.
multiLine A true or false value that indicates whether the string will span multiple screen
lines.
This attribute can only be used if a len attribute is supplied and is assigned a value
greater than zero. If multiLine is present, end of line characters will be skipped until
the number of characters specified in the len attribute have been parsed.
multi A true or false value that indicates that the string captured is a multi-valued
attribute that must be further parsed to find each sub-value. The multiple values can
either be appended together using the appendSeparator or can be turned into a list
of values.
delim A delimiter for parsing the multi-valued string. This attribute can only be used if the
multi attribute is specified.
If this is not specified, then the multi str token is assumed to be delimited by spaces.
append A true or false value that indicates that the multiple values should be appended
together into a string using the appendSeparator. If append is not present, the
multiple values will be put into a list for the account attribute value map. This
attribute is used in conjunction with the multi attribute.
appendSeparator Indicates the string to separate the multiple values for an append token. This
attribute is only valid if the append attribute is set to true. If the appendSeparator is
not present, the append attribute does not use a separator. Instead, it concatenates
the multiple values into the result string.
Data
None
Examples
■ The following token matches a string of length 21 characters and trims white space off the
front and back.
<str name='NAME' trim='true' len='21'/>
Given the string [space][space]George Washington[space][space], AttrParse adds
NAME=”George Washington” to the account attribute map.
■ The following token matches a string of arbitrary length terminated by a ) (right
parenthesis).
<str name='STATISTICS.SEC-VIO' term=')' />
Given the string, 2– Monday, Wednesday - )text, AttrParse adds
STATISTICS.SEC-VIO=”2– Monday, Wednesday - “ to the account attribute map.
■ The following token matches a list of words delimited by spaces from the current parse
position to the end of the current line.
<str name='GROUP' multi='true' delim=' ' trim='true'/>
Given the string, Group1 Group2 newGroup lastGroup\n, AttrParse adds a list of group
name strings {Group1, Group2, newGroup, lastGroup} to the account attribute map for the
GROUP attribute.
■ The following token performs the same function as the previous example, except the
account attribute map will contain GROUP={Group1:Group2:newGroup:lastGroup}
<str name='GROUP' multi='true' delim=' ' trim='true' append='true' appendSeparator=':'/>
t Token
The t token is used to tokenize text. It is commonly used to recognize labels during screen
scraping and provide knowledge of where on the screen you are parsing. The parse position will
be advanced to the first character after the matched text. The parser always moves left to right
within a line of text.
Attributes
Attribute Description
offset The number of characters to skip before searching for the text for the token. The offset can
have the following values:
■ 1 or higher moves the specified number of characters before trying to match the token’s
text.
■ 0 searches for text at the current parse position. This is the default value.
■ -1 indicates the token’s text will be matched at the current parse position, but the parse
position will not go past the string specified in the termToken attribute, if present.
termToken A string that indicates parsing should stop for this token. The parse position will be the
character after the termToken string.
The termToken attribute can only be used if the offset attribute is negative one (-1).
Data
The text to match
Examples
■ The following token matches Address Line 1:[space] at the current parse position.
<t offset='-1'>Address Line 1: </t>
■ The following token matches xxZip Code:[space] at the current parse position, where xx
can be any two characters, including spaces.
<t offset='2'>Zip Code: </t>
■ The following token matches Phone:[space] at the current parse position. If AttrParse finds
the string Employee ID first, then it will generate an error.
<t offset='-1' termToken='Employee ID'>Phone: </t>
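The token reference above states the semantics of each token in prose. The following Python is an added example, not part of this reference and not Identity Manager's own AttrParse implementation: a small interpreter for a subset of the grammar (t, flag, int, str, skipToEol and opt) with the offset, termToken, noval, trim, multi and append behaviours as read from the tables above, run over a constructed screen capture. The screen text and attribute names are made up, and behaviour in cases the reference leaves open is assumed (for example, that a multi str with len -1 reads to the end of the line, as in the GROUP example; that a t whose termToken is reached first raises an error, as in the Phone example; multiLine and the str noval indicator are not modelled).

```python
import re
import xml.etree.ElementTree as ET


class AttrParse:   # hypothetical re-implementation; token semantics as read from the reference above
    def __init__(self, screen):
        self.s, self.pos, self.attrs = screen, 0, {}   # screen text, parse position, attribute map

    def run(self, xml_text):
        self.tok_AttrParse(ET.fromstring(xml_text))
        return self.attrs

    def tok_AttrParse(self, node):            # a token sequence: the root, or the body of an opt
        for tok in node:
            getattr(self, "tok_" + tok.tag)(tok)

    def locate(self, tok):                    # offset/termToken positioning shared by t and flag
        text, term, offset = tok.text or "", tok.get("termToken"), int(tok.get("offset", "0"))
        if offset >= 0:                       # match exactly `offset` characters ahead
            return self.pos + offset if self.s.startswith(text, self.pos + offset) else None
        hit = self.s.find(text, self.pos)     # offset -1: search forward, never past termToken
        stop = self.s.find(term, self.pos) if term else -1
        if hit == -1 or (stop != -1 and stop < hit):
            if stop != -1:
                self.pos = stop + len(term)   # the position lands after termToken
            return None
        return hit

    def tok_t(self, tok):
        hit = self.locate(tok)
        if hit is None:
            raise ValueError("expected %r at position %d" % (tok.text, self.pos))
        self.pos = hit + len(tok.text or "")

    def tok_flag(self, tok):                  # an absent flag adds nothing and is not an error
        hit = self.locate(tok)
        if hit is not None:
            self.attrs[tok.get("name")] = True
            self.pos = hit + len(tok.text or "")
        return hit is not None

    def tok_int(self, tok):
        noval = tok.get("noval")
        if noval and self.s.startswith(noval, self.pos):
            self.pos += len(noval)            # null indicator: consume it, add nothing
            return
        n = int(tok.get("len", "-1"))         # len -1: the longest run of digits
        digits = self.s[self.pos:self.pos + n] if n > 0 else re.match(r"\d*", self.s[self.pos:]).group(0)
        if n > 0 and not digits.isdigit():
            raise ValueError("expected %d-digit integer at position %d" % (n, self.pos))
        self.pos += len(digits)
        if digits:
            self.attrs[tok.get("name")] = int(digits)   # leading zeros drop: 010250 -> 10250

    def tok_str(self, tok):
        n, term, multi = int(tok.get("len", "-1")), tok.get("term"), tok.get("multi") == "true"
        if n > 0:                             # fixed length (multiLine and noval not modelled)
            val = self.s[self.pos:self.pos + n]
        else:                                 # len -1: up to a term char, else to end of line
            pat = "[^%s]*" % re.escape(term) if term else ("[^\n]*" if multi else r"\S*")
            val = re.match(pat, self.s[self.pos:]).group(0)   # for multi, else to white space
        self.pos += len(val)
        trim = tok.get("trim") == "true"
        val = val.strip() if trim else val
        if multi:                             # split into sub-values: a list, or appended
            parts = val.split(tok.get("delim")) if tok.get("delim") else val.split()
            parts = [p.strip() for p in parts if p.strip()] if trim else parts
            val = tok.get("appendSeparator", "").join(parts) if tok.get("append") == "true" else parts
        self.attrs[tok.get("name")] = val

    def tok_skipToEol(self, tok):
        self.pos += len(re.match(r"[^\n]*\n?", self.s[self.pos:]).group(0))

    def tok_opt(self, tok):                   # apMatch decides; when absent the position is restored
        saved, match = self.pos, tok.find("apMatch")[0]
        try:
            present = getattr(self, "tok_" + match.tag)(match) is not False
        except ValueError:
            present = False
        if present:
            self.tok_AttrParse(tok.find("AttrParse"))
        else:
            self.pos = saved


# Constructed sample screen text, not output of any real resource.
SCREEN = ("SALARY: 010250 AGE: NOT GIVEN\nNAME:  George Washington  \n"
          "GROUPS   = Group1 Group2 Group3\nAUDIT CONSNAME= CONS01  \n")

TOKENS = """<AttrParse>
  <t>SALARY: </t><int name='SALARY' len='6'/><t> AGE: </t>
  <int name='AGE' len='-1' noval='NOT GIVEN'/><skipToEol/>
  <t>NAME:</t><str name='NAME' len='21' trim='true'/><skipToEol/><t>GROUPS   = </t>
  <str name='GROUP' multi='true' delim=' ' trim='true' append='true' appendSeparator=':'/>
  <skipToEol/><flag offset='-1' name='AUDIT'>AUDIT</flag>
  <opt><apMatch><t offset='-1'>CONSNAME= </t></apMatch>
       <AttrParse><str name='NETVIEW.CONSNAME' len='8' trim='true'/></AttrParse></opt>
</AttrParse>"""


def parse_sample():
    return AttrParse(SCREEN).run(TOKENS)
```

Running `parse_sample()` on the constructed screen yields SALARY=10250 (leading zero dropped), NAME trimmed to "George Washington", no AGE entry because the noval label was found, GROUP appended as Group1:Group2:Group3, AUDIT=True and NETVIEW.CONSNAME="CONS01" from the optional section. Every token advances the shared parse position, which is why the order of tokens in the AttrParse string must follow the left-to-right, top-to-bottom layout of the screen.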
This chapter describes how to create and implement actions for resource adapters. Refer to the
documentation for each adapter to determine if the adapter supports actions.
Use actions to perform work that is not performed directly against the resource account object
but is instead performed before or after that resource account is created, updated, or deleted.
Resource actions support copying files to a new user’s directory, updating the SUDOers file on
UNIX for the user after they have been created, or other native activities. You could perform
this type of work by using a custom resource adapter. However, it is simpler to deploy a
resource adapter with actions than to deploy a custom resource adapter.
Supported Processes
The following processes support before and after actions:
■ create
■ update
■ delete
■ enable
■ disable
■ login and logoff (mainframe adapters only)
Defining Actions
An action has the following structure:
<ResourceAction name='Name'>
<ResTypeAction restype='ResourceType' actionType='Language' timeout='Milliseconds'>
<act>
...
</act>
</ResTypeAction>
</ResourceAction>
where:
■ Name is the name of the resource action.
■ ResourceType is the type of resource (such as AIX or HP-UX).
■ Milliseconds (optional) is the amount of time to wait for the action to complete.
■ Language (optional) is the language of the script. This parameter is required for the Oracle
ERP adapter. The Oracle ERP adapter supports actionType values of Javascript and
Beanshell.
The <act> element defines the action. It contains code that is executed on the resource. For
example, the following XML defines an action for a Solaris resource:
#exit 0
exit $DISPLAY_INFO_CODE
</act>
</ResTypeAction>
</ResourceAction>
</Waveset>
Note – The code contained within the <act> elements is the same as seen in a UNIX script (ksh
or sh) or a Windows batch script.
Because OS/400 does not have variable substitution in its command language, the resource
adapter looks for variable names, and carries out the substitution before transmitting the
command line to the resource. To make recognition of variables possible, you must add a $
before and after a variable. Specifically, to use WSUSER_AccountId in an OS/400 script, enter
the following text in the command line: $accountId$. Note the exclusion of “WSUSER”.
Example usage:
1 Add an extra attribute to the resource’s schema map that mimics the account attribute that you
need to access. For example, if you need to access the fullname account attribute, you could
create an attribute named shadow_fullname. In the Resource User Attribute column of the
schema map, add the value IGNORE_ATTR for this new attribute to prevent the adapter from
trying to use it.
2 Set the value in your user form so that the attribute is populated:
<Field name='accounts[ResourceName].shadow_fullname'>
<Expansion>
<ref>accounts[ResourceName].fullname</ref>
</Expansion>
</Field>
2 From the menu bar, select Configure, then Import Exchange File.
3 Enter or browse for the XML file containing the action, and then click Import.
Implementing Actions
After you have defined an action, follow these steps to implement it:
2 Add entries to the schema map for the resources on which you want to invoke the action.
In this example, the field defines an action named after-create that runs after a user create
operation:
For detailed information about working with forms in Identity Manager, refer to Deployment
Reference.
1 Click Resources on the Identity Manager menu bar, and then select a resource.
3 On the schema map, click Add Attribute to add a row to the schema map.
4 In the Identity System User Attribute column, enter create after action.
5 Enter IGNORE_ATTR in the Resource User Attribute column. The IGNORE_ATTR entry causes the
attribute to be ignored during normal account attribute processing.
6 Click Save.
1 Enter create after action in the Identity Manager User Attribute column of the resource’s
schema map.
3 In the Resource User Attribute column, enter IGNORE_ATTR. Leave the Required, Audit, Read
Only, and Write Only columns unchecked.
4 Add the following code to the user form you are using to create or edit users:
<Field name='resourceAccounts.currentResourceAccounts[AD].attributes.create after action'>
<Expansion>
<s>AfterCreate</s>
</Expansion>
</Field>
5 Create the following XML file and import it into Identity Manager. (Change the file paths
according to your environment.)
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Waveset>
<ResourceAction name='AfterCreate'>
<ResTypeAction restype='Windows Active Directory' timeout='6000'>
<act>
echo create >> C:\Temp\%WSUSER_accountId%.txt
exit
</act>
</ResTypeAction>
</ResourceAction>
</Waveset>
1 Enter update after action in the Identity Manager User Attribute column of the Active
Directory schema map.
3 In the Resource User Attribute column, enter IGNORE_ATTR. Leave the Required, Audit, Read
Only, and Write Only columns unchecked.
4 Add the following fields to the user form that you are using to create and edit users:
<Field name='resourceAccounts.currentResourceAccounts[AD].attributes.update after action'>
<Expansion>
<s>AfterUpdate</s>
</Expansion>
</Field>
5 Create the following XML file and import it into Identity Manager. (Change file paths according
to your environment.)
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Waveset>
<ResourceAction name='AfterUpdate'>
<ResTypeAction restype='Windows Active Directory' timeout='6000'>
<act>
echo update >> C:\Temp\%WSUSER_accountId%.txt
exit
</act>
</ResTypeAction>
</ResourceAction>
</Waveset>
1 Enter delete after action in the Identity Manager User Attribute column of the resource’s
schema map.
3 In the Resource User Attribute column, enter IGNORE_ATTR. Leave the Required, Audit, Read
Only, and Write Only columns unchecked.
4 Add this to the Deprovision Form user form after the </Include> tag:
<Field name='resourceAccounts.currentResourceAccounts[AD].attributes.delete after action'>
<Expansion>
<s>AfterDelete</s>
</Expansion>
</Field>
5 Create the following XML file and import into Identity Manager. (Change file paths according to
your environment.)
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Waveset>
<ResourceAction name='AfterDelete'>
<ResTypeAction restype='Windows Active Directory' timeout='6000'>
<act>
echo delete >> C:\Temp\%WSUSER_accountId%.txt
exit
</act>
</ResTypeAction>
</ResourceAction>
</Waveset>
6 Edit the XML for the Active Directory resource and add information to the "delete after action"
schema mapping. Here is an example of a complete schema mapping for this resource with the
new additions. (You will be adding the views-related information.)
<AccountAttributeType id='12' name='delete after action' syntax='string'
mapName='IGNORE_ATTR' mapType='string'>
<Views>
<String>Delete</String>
</Views>
</AccountAttributeType>
Domino Examples
Domino resources support before and after actions.
There are currently two supported types of actions: LotusScript and cmd shell. Any operation
action can have any number of actions that will be executed.
The following examples demonstrate the use of LotusScript and cmd shell resource actions.
LotusScript Example
<ResourceAction name='iterateAttributes' createDate='1083868010032'>
<ResTypeAction restype='Domino Gateway' actionType='lotusscript'>
<act>
Sub Initialize
Main
End Sub
Sub Main
Dim session As New NotesSession
Dim doc As NotesDocument
Set doc = session.DocumentContext
Forall i In doc.Items
Dim attrVal As Variant
attrVal = doc.GetItemValue(i.Name)
End Forall
End Sub
</act>
</ResTypeAction>
</ResourceAction>
Running LotusScript
On Domino, the execution of LotusScript is handled by an agent attached to a database. The
Domino adapter will execute LotusScript in any one of the following ways:
Input Results
agentName and script Updates the agent with the script and runs the agent.
agentName, agentCreate, and script Creates an agent with the script and runs the agent.
The following customized account attributes can be used with LotusScript. If any of these
attributes are to be used, add the attribute on the Domino Gateway schema map. Specify
IGNORE_ATTR as the value in the Resource User Attribute column.
■ agentName. Identifies the name of the agent to execute. This attribute must be specified, or
an error will be returned.
■ agentServer. Specifies the location of the database where the agent has been installed, and
where to run the agent. This attribute defaults to the value specified in the Registration
Server Machine resource parameter (REG_SERVER) if not present.
■ agentDBName. Specifies the database name where the agent can be found. This attribute
defaults to the value specified in the Names Database resource parameter (NAB) on the
resource.
■ agentCreate. Specifies the flag that indicates whether the adapter should create a new agent,
if the named agent is not found. This attribute defaults to false. A non-NULL value enables
this flag.
Note – If you specify agentCreate you must also specify LotusScript to be executed.
Arguments to LotusScript
Agent arguments are given to LotusScript in a note handle, in a special property of the
back-end NotesSession class. It can be defined as follows:
NotesDocument = NotesSession.DocumentContext
The NotesDocument can be instantiated by the action script routine and its field values can be
read in as parameters to the LotusScript subroutine.
The following LotusScript example gets the name and value of any arguments defined in
the document.
Forall i In doc.Items
Dim attrVal As Variant
attrVal = doc.GetItemValue(i.Name)
Print(" Attribute Name: " + i.Name + " Value: " + attrVal(0))
End Forall
All of the attributes defined during the action call will be put into the NotesDocument prefixed
with WSUSER_, just as in the case of the NT actions.
WSUSER_groups=staff|admin|users
Mainframe Examples
The ACF2, RACF, and Top Secret adapters require login and logoff resource actions. The login
action negotiates an authenticated session with the mainframe. The logoff action disconnects
when that session is no longer required.
A thin client host access 3270 emulator is provided to the context of the resource action by the
resource adapter to simplify execution of commands in the scripted session. The emulator is
defined in the com.waveset.object.HostAccess class. Refer to the JavaDoc for the HostAccess
class for details about the methods available on the hostAccess object passed to the resource action.
Object Description
identity A string that contains the accountId for the user on the resource.
user Contains the name of the administrative user that should be logged on.
userAttrs An instance of java.util.Map containing values for each of the Resource User
Attributes needed by the action
password Encrypted object which stores the password of the mainframe user; use
password.decryptToString() to convert to plain text.
Page Up [pageup]
Reset [reset]
Login Action
The following code is a complete sample of login and logoff resource actions. The sample is
tailored to a specific customer’s environment using a Top Secret resource. As such, the text of
commands, prompt, and command sequences will most likely differ across deployments. Note
that the resource actions wrap Javascript inside of XML.
hostAccess.waitForString("==>", stringsToHide);
hostAccess.waitForInput();
hostAccess.sendKeys("[pf6]");
hostAccess.waitForInput();
</act>
</ResTypeAction>
</ResourceAction>
Logoff Action
<ResourceAction name='ACME Logoff Action'>
<ResTypeAction restype='TopSecret'>
<act>
var TSO_PROMPT = " READY";
hostAccess.sendKeys("[clear]end[enter]");
hostAccess.waitForString(TSO_PROMPT);
hostAccess.sendKeys("logoff[enter]");
</act>
</ResTypeAction>
</ResourceAction>
Extending Views
You can add attributes to a view. All attributes must be registered.
The user attributes that are available to the different provisioning activities in Identity Manager
are limited to those necessary to complete the action. For example, when editing a user, all
possible user attributes are retrieved from the assigned resources and available for update. In
contrast, the Change Password process needs only a subset of attributes to perform the request.
Attribute Registration
Attributes can be registered in one of two locations:
■ In the AccountAttributeType definition in the resource, if the attributes you want to update
are specific to a particular resource rather than to all resources of that type.
■ In the System Configuration object, if you want to make global registrations for all
resources of a particular type.
These registrations must be done in XML format.
You can register different attributes for different views. For example, you can register the lock
attribute for the Password view and the firstname attribute for the Rename view or the
resource action for the Enable, Disable, or Deprovision view.
Note – In the case of before or after actions, you must extend the view for any process except the
create or update user process. For information on extending a view, see Identity Manager
Views.
Global Registration
To make global registrations, add an attribute in the System Configuration object with this
path:
updatableAttributes.ViewName.ResourceTypeName
where ViewName is one of Password, Reset, Enable, Disable, Rename, or Delete, and
ResourceTypeName is the name of the resource type. The type name all is reserved for
registrations that apply to all resources.
The value of this attribute must be a List of <String>s. The strings are names of the attributes
you want to update. The following example registers the attribute named delete before
action in the Deprovision view for all resources.
<Attribute name='updatableAttributes'>
<Object>
<Attribute name='Delete'>
<Object>
<Attribute name='all'>
<List>
<String>delete before action</String>
</List>
</Attribute>
</Object>
</Attribute>
<Attribute name='Enable'>
<Object>
<Attribute name='all'>
<List>
<String>enable before action</String>
</List>
</Attribute>
</Object>
</Attribute>
</Object>
</Attribute>
Resource-Specific Registration
To make resource-specific registrations, modify the resource object from the Identity Manager
Debug page and insert a <Views> sub-element in the AccountAttributeType element. <Views>
must contain a list of strings whose values are the names of the views in which this attribute can
be updated.
In the view, attributes you want to modify are placed within this object:
resourceAccounts.currentResourceAccounts[ResourceTypeName].attributes
Example:
This chapter describes the Identity Manager product enhancements to support password
synchronization from the Sun Java System Directory Server (formerly known as Sun ONE
Directory Server and iPlanet Directory Server) to the Identity Manager system.
Overview
Directory Server allows password changes to be processed by third parties through its public
plug-in API. A custom plug-in, Password Capture plug-in, was developed to capture password
changes in Directory Server.
The Directory Server Retro Changelog plug-in must be installed on the directory server before
the Password Capture plug-in can be implemented. The Retro Changelog plug-in records
changes to the idmpasswd attribute in the changelog database after the operation is executed by
the directory server core.
The LDAP resource adapter with Active Sync enabled polls the changelog database at regular
intervals, parses relevant changes, and feeds these changes into Identity Manager. The LDAP
adapter parses the idmpasswd attribute, decrypts the password using the shared secret, and
makes the real password available to the rest of the system.
Schema Changes
The idmpasswd attribute is defined as an operational attribute. Operational attributes do not
require any changes to the objectclass definitions of the target entry. As a result, existing or new
users in Directory Server do not need to be modified to use the password synchronization
feature.
The idmpasswd attribute is defined in the schema as follows:
2 In the Active Sync wizard for the resource, set the input form to LDAP Password ActiveSync
Form.
■ Schema change. Updates the Directory Server schema to allow the use of the idmpasswd
operational attribute
■ Plugin definition. Registers the plug-in with the Directory Server and enables the plug-in
■ Plugin configuration. Provides basic configuration of the plug-in. For example, the
obfuscated password encryption key is in the configuration entry.
1 Open the Identity Manager Configure Password Synchronization page, which is located at
http://PathToIdentityManager/configure/passwordsync.jsp.
2 Select the LDAP resource that will be used to synchronize passwords from the Resource menu.
4 Click OK. The page refreshes to display a new item in the Action menu.
8 Select the resource’s operating system from the Operating System Type menu.
9 In the Plugin Installation Directory field, enter the directory on the host where the plug-in will
be installed.
10 Click OK to generate and download the LDIF file. If necessary, you may now regenerate an
encryption key.
Note – If your Directory Server users do not have the default objectclasses (person,
organizationalPerson or inetorgperson), then you must edit the LDIF file created when you
selected Download plugin configuration LDIF. You must replace the default value assigned in
the idm-objectclass attribute with an objectclass implemented in your environment so that
the plug-in can capture the password change.
For example, if your users are defined with the account, posixaccount and shadowaccount
objectclasses, replace the default value assigned in the idm-objectclass attribute with one or
more of these classes.
For example:
idm-objectclass: account
idm-objectclass: posixaccount
Note that multivalued attributes should not be represented as comma-separated strings. Each
value for the idm-objectclass that you want to match must be entered on a separate line on the
LDIF configuration. Passwords are captured for entries that match any of the idm-objectclass
values.
After password synchronization is enabled, the following attributes are displayed on the
Resource Specific Settings page of the Active Sync wizard for the resource.
■ Enable password synchronization
■ Password encryption key
■ Password encryption salt
Only the Enable password synchronization field may be changed on this page. The encryption
attributes should only be updated using the JSP page.
Note – If the Directory Server instances are set up in a multi-master replicated environment,
then the plug-in must be installed and configured on each master replica.
To install the Password Capture plug-in, you must perform the following general steps. See the
product documentation for detailed information about performing these tasks.
2 For Directory Server versions 5.2 P4 and earlier only, place the plug-in binary (idm-plugin.so)
on the host where the Directory Server is running. In this example, /opt/SUNWidm/plugin.
Make sure that the user running the directory server is able to read the plug-in library.
Otherwise, the Directory Server will fail to start.
Note –
■ In a multi-master replicated environment, new plug-in configuration must be generated for
each installation (unless the operating system type and the plug-in installation directory are
the same on each host). In this type of environment, repeat the procedure described in “Step
2: Enable Password Synchronization Features” on page 545 on each installation.
■ Directory Server must be restarted whenever you make changes to the plug-in
configuration.
After the Password Capture plug-in is enabled, clients must have the MODIFY right to both the
userPassword and the idmpasswd attribute to make password changes. Adjust the access
control information settings in your directory tree accordingly. This is usually necessary if
administrators other than the directory manager have the ability to update the password of
other users.
The Active Directory synchronization failover uses a task to periodically collect and maintain a
history of the HighestCommittedUSN from a configurable set of domain controllers to which it
can fail over. If the Active Sync domain controller goes down, another task can be run that will
change the configuration of the Active Directory resource to point to one of the failover domain
controllers. Because changes made in Active Directory can take a while to replicate to all
domain controllers, Active Directory Active Sync cannot just start processing only new changes
on the failover domain controller. Instead, it must also look at older changes made on the
failover domain controller that might not have been replicated to the domain controller before
it went down. To this end, it will use a saved HighestCommittedUSN for the failover domain
controller that is far enough in the past to account for any replication delay. This prevents
Active Sync from missing events, but some changes will likely be processed twice.
Architectural Components
This procedure involves the following components:
■ The Active Directory Synchronization Failure Process, which is defined on the Active
Directory resource by the On Synchronization Failure Process Active Directory resource
attribute
■ Active Directory Recovery Collector Task
■ Active Directory Failover Task
This attribute gives Identity Manager administrators the ability to execute a process when
Active Directory synchronization failures occur.
You can also design a business process that, when a specified error occurs, automatically calls
the Synchronization Failover task after an approval by an administrator is given.
Process Context
The following arguments are available to the native process.
Argument Description
resultErrors Lists strings that represent the errors returned by the poll method
This task collects and stores resource recovery information in a Configuration object named
ADSyncRecovery_resourceName. The extension to this configuration object is a GenericObject
that stores a list of HighestCommittedUSN and the timestamp (milliseconds) that was collected
for each domain controller.
During each execution, the task prunes old values for HighestCommittedUSN from the recovery
data. You can configure the length of time to store this data through the daysToKeepUSNS
argument.
Arguments
Argument Description
resourceName Specifies the Active Directory resource for which Identity Manager collects
backup data.
backupDCs Lists the fully qualified domain controller hostnames that should be
contacted for recovery data. This can and should include the original host,
which permits Identity Manager to include the source resource host if
Identity Manager must fail over to the resource.
When synchronizing against a global catalog, backup hosts in this list will
be assumed to be global catalogs.
daysToKeepUSNS Specifies the number of days for which Identity Manager stores the data
(default is 7 days).
Certain errors can identify conditions where failover is appropriate. One example of the
potential difficulty of automatically calling the failover task is the
java.net.UnknownHostException error message. The failure indicated by this message can
occur for at least two reasons:
■ The host cannot be reached from the gateway machine due to a temporary routing issue.
■ The host cannot be reached and will be down for the next eight hours due to a planned
outage.
Failover Modes
You can take one of two approaches towards implementing Active Directory failover
resolution:
■ Manual mode. When a problem occurs, the administrator specifies which backup domain
controller and USN to use. This is the only mode available when running tasks from the
Identity Manager interface.
■ Semi-auto mode. Semi-auto mode permits you to semi-automate the fail-over resolution
process. In semi-auto mode, the task uses the collected data to identify the best backup
domain controller and USN to use. It does this by looking for the collection point that is
closest to a derived TargetTimestamp without exceeding it, where
TargetTimestamp = (FailureTimestamp - replicationTime).
Semi-auto mode is not available from the Identity Manager Administrator interface.
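The recovery data kept by the Recovery Collector Task and the selection rule used by semi-auto mode can be illustrated together. The following added example (not from the Resources Reference or the Identity Manager code base) models the per-domain-controller list of HighestCommittedUSN and timestamp samples, prunes it according to daysToKeepUSNS, and chooses the backup domain controller and USN whose collection point is closest to TargetTimestamp = FailureTimestamp - replicationTime without exceeding it. The class and function names, and the sample USN history, are constructed for this example.

```python
"""Added example (not from the Resources Reference or the Identity Manager
code base): the bookkeeping behind the Active Directory Recovery Collector
Task and the semi-auto Failover Task, in plain Python.

Recovery data is modelled as the documented GenericObject: a list of
(HighestCommittedUSN, timestamp-in-milliseconds) samples per domain
controller. Pruning follows daysToKeepUSNS; selection follows the documented
rule TargetTimestamp = FailureTimestamp - replicationTime and picks the sample
closest to the target without exceeding it. Class, function and argument names
other than the documented ones are this example's own; the data is constructed."""

from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

MS_PER_HOUR = 60 * 60 * 1000
MS_PER_DAY = 24 * MS_PER_HOUR


@dataclass
class RecoveryData:
    """Stand-in for the ADSyncRecovery_<resourceName> Configuration object."""
    resource_name: str
    # dc hostname -> list of (HighestCommittedUSN, collection timestamp in ms)
    samples: dict = field(default_factory=dict)

    def collect(self, dc: str, highest_committed_usn: int, now_ms: int) -> None:
        """Record one poll of a backup DC's HighestCommittedUSN."""
        self.samples.setdefault(dc, []).append((highest_committed_usn, now_ms))

    def prune(self, now_ms: int, days_to_keep_usns: int = 7) -> int:
        """Drop samples older than daysToKeepUSNS; return how many were removed."""
        cutoff = now_ms - days_to_keep_usns * MS_PER_DAY
        removed = 0
        for dc, history in self.samples.items():
            kept = [(usn, ts) for usn, ts in history if ts >= cutoff]
            removed += len(history) - len(kept)
            self.samples[dc] = kept
        return removed


def choose_failover(data: RecoveryData, failure_timestamp_ms: int,
                    replication_time_hours: float) -> Optional[tuple]:
    """Semi-auto mode: return (backupDC, usnChanged start) or None.

    The target is replicationTime hours before the failure, so that any change
    committed on the failed DC but not yet replicated is re-read (at the cost
    of some duplicates). Among all DCs, the sample with the latest timestamp
    that does not exceed the target wins."""
    target = failure_timestamp_ms - int(replication_time_hours * MS_PER_HOUR)
    best = None  # (timestamp, dc, usn)
    for dc, history in data.samples.items():
        for usn, ts in history:
            if ts <= target and (best is None or ts > best[0]):
                best = (ts, dc, usn)
    if best is None:
        return None
    return best[1], best[2]


def _demo() -> None:
    t0 = 1_700_000_000_000  # constructed epoch milliseconds
    data = RecoveryData("AD-corp")
    for hours_ago, usn in [(30, 1000), (20, 1100), (10, 1200), (1, 1300)]:
        data.collect("dc2.example.com", usn, t0 - hours_ago * MS_PER_HOUR)
    data.collect("dc3.example.com", 990, t0 - 12 * MS_PER_HOUR)
    print(choose_failover(data, failure_timestamp_ms=t0, replication_time_hours=8))


if __name__ == "__main__":
    _demo()
```

In the constructed history, a failure at t0 with an 8-hour replicationTime selects the dc2 sample taken 10 hours earlier (USN 1200), not the fresher sample taken 1 hour earlier; everything committed on dc2 after USN 1200 is therefore re-read, which is exactly the duplicate processing the chapter says to expect in exchange for not missing events. If no sample is old enough, the function returns None and the administrator has to fall back to manual mode.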
Arguments
If you have determined that launching semi-auto failover is appropriate for a particular error,
set the following task arguments. (The on-error workflow must launch the Active Directory
Synchronization failover task.) Setting these arguments reconfigures the failed resource and the
IAPI Object to use an alternate domain controller and usnChanged starting point.
Argument Description
resourceName Identifies (by name or resource ID) where the failure has occurred.
failureTimestamp Indicates when the failure occurred. This value is derived from the onSync
failure process.
replicationTime Specifies the maximum time in hours for data to replicate across an Active
Directory environment.
To manually specify which domain controller to fail over to and which saved
HighestCommittedUSN number to start from, set the following arguments.
Argument Description
resourceName Specifies the name or ID of the resource where the failure has occurred.
backupDC Specifies the name of the host with which to begin the synchronization
process.
restartActiveSync Specifies whether to start Active Sync after the switch to the new domain
controller is complete.
subdomains resource attribute is set to true, and the global catalog attribute value is not empty,
the global catalog server attribute is changed. Otherwise, the LDAPHostname is changed to the
name of the backup domain controller.
Configure this process to notify an administrator through email when an error occurs. Include
the error text in the email body so that the administrator can determine if the error warrants
that Identity Manager fails over to another domain controller.
Using the error text, the administrator can distinguish a potentially lengthy outage from an outage
due to a temporary, quickly resolved issue (such as a routing problem that is resolved by
the next poll attempt).
Step 3: Run Active Directory Synchronization Failover Task for the Failed
Resource
If the domain controller returns an error that warrants failing over to another domain
controller, run the Active Directory Synchronization Failover task from the Task page.
You also must choose whether to restart Active Sync after the switch to a new domain controller
is complete.
▼ Task Actions
<Extension>
  <WFProcess title='Example AD Sync OnError Workflow'>
    <Variable name='resultErrors' input='true'>
      <Comments>Errors returned from the resource.</Comments>
    </Variable>
    <Variable name='resourceName' input='true'>
      <Comments>Name of the AD resource that returned the errors.</Comments>
    </Variable>
    <Variable name='failureTimestamp' input='true'>
      <Comments>Failure timestamp, when it occurred.</Comments>
    </Variable>
    <Activity name='start'>
      <Transition to='checkErrors'/>
    </Activity>
    <Activity name='checkErrors'>
      <Variable name='criticalError'>
        <Comments>Local variable to hold if we need to notify</Comments>
      </Variable>
      <Action name='iterateMessage'>
        <dolist name='msg'>
          <ref>resultErrors</ref>
          <cond>
            <match>
              <ref>msg</ref>
              <s>java.net.UnknownHostException</s>
            </match>
            <set name='criticalError'>
              <s>true</s>
            </set>
          </cond>
        </dolist>
      </Action>
      <Transition to='notify'>
        <notnull>
          <ref>criticalError</ref>
        </notnull>
      </Transition>
      <Transition to='end'/>
    </Activity>
    <Activity name='notify'>
      <Action application='notify'>
        <Argument name='template' value='#ID#EmailTemplate:ADSyncFailoverSample'/>
        <Argument name='resultErrors' value='$(resultErrors)'/>
      </Action>
      <Transition to='end'/>
    </Activity>
    <Activity name='end'/>
  </WFProcess>
</Extension>
</TaskDefinition>
Mainframe Connectivity
This chapter describes how to establish a connection to a mainframe resource using IBM’s Host
On Demand or the Attachmate 3270 Mainframe Adapter for Sun Emulator Class Library.
1 Obtain the Telnet/TN3270 server’s certificate in the PKCS #12 file format. Use hod as the
password for this file. Consult your server’s documentation on how to export the server’s
certificate. The procedure “Generating a PKCS #12 File” on page 558 provides some general
guidelines.
2 Create a CustomizedCAs.class file from the PKCS #12 file. If you are using a recent version of
HOD, use the following command to do this.
..\hod_jre\jre\bin\java -cp ../lib/ssliteV2.zip;../lib/sm.zip com.ibm.eNetwork.HOD.convert.CVT2SSLIGHT CustomizedCAs.p12 hod CustomizedCAs.class
SSL Configuration with Host On Demand
3 Place the CustomizedCAs.class file somewhere in the Identity Manager server’s classpath,
such as $WSHOME/WEB-INF/classes.
4 If a resource attribute named Session Properties does not already exist for the resource, then
use the Identity Manager IDE or the debug pages to add the attribute to the
resource object. Add the following definition in the <ResourceAttributes> section:
<ResourceAttribute name='Session Properties'
  displayName='Session Properties' description='Session Properties' multi='true'>
</ResourceAttribute>
5 Go to the Resource Parameters page for the resource and add values to the Session Properties
resource attribute:
SESSION_SSL
true
1 Create a new HODServerKeyDb.kdb file using the IBM Certificate Management tool. As part of
that file, create a new self-signed certificate as the default private certificate.
If you get a message that is similar to “error adding key to the certificate database” when you are
creating the HODServerKeyDb.kdb file, one or more of the Trusted CA certificates may be
expired. Check the IBM website to obtain up-to-date certificates.
3 Create a new PKCS #12 file named CustomizedCAs.p12 with the IBM Certificate Management
tool by adding the exported certificate from the cert.arm file to the Signer Certificates. Use hod
as the password for this file.
Troubleshooting
You can enable tracing of the HACL by adding the following to the Session Properties resource
attribute:
SESSION_TRACE
ECLSession=3 ECLPS=3 ECLCommEvent=3 ECLErr=3 DataStream=3 Transport=3 ECLPSEvent=3
Note – The trace parameters should be listed without any new line characters. It is acceptable if
the parameters wrap in the text box.
The Telnet/TN3270 server should have logs that may help as well.
2 Go to the Resource Parameters page for the resource and add the following values to the
Session Properties resource attribute:
encryptStream
true
hostURL
tn3270://hostname:SSLport
keystoreLocation
Path_To_Trusted_ps.pfx_file
To avoid these conflicts, you should make a backup of RWebSDK.jar, and edit the RWebSDK.jar
with an appropriate tool (such as WinZip), remove the com.jcraft classes, and save the file.
This will eliminate the unwanted version of the JCraft classes, and SSH will function correctly.
RWebSDK.jar is not distributed with Identity Manager, and is only available as part of
Attachmate 3270 Mainframe Adapter for Sun.
This chapter describes how to enable the Access Enforcer, SAP, and SAP HR resource adapters
to communicate with SAP systems securely using Secure Network Communications (SNC).
You must obtain SECUDE Secure Login, a separate third-party product. For more information
about this product, go to http://www.secude.com .
You must install this product and create a Personal Security Environment (PSE) for Identity
Manager before you can enable SNC connections. Refer to the Secude Secure Login product
documentation for information about accomplishing these tasks.
The -a “Identity Manager” argument is optional. The -O argument should be the name of the
operating system user that will execute the application server.
Obtain a Certificate for Identity Manager
Use the following commands to obtain a base64-encoded certificate for use in the Identity
Manager adapter configuration. The first command exports the certificate into a PKCS12
encoding. The second command converts this certificate into the required base64 encoding.
On UNIX:
On Windows:
4 In the bottom pane on the right side, the Owner field is the DN.
SNC_LIB=PathToSecudeLibrary/secude_library (All)
This chapter lists resource adapters that have been deprecated. Refer to a previous version of the
Resources Reference for information about these deprecated adapters.
List of Deprecated Adapters
Adapter Comments
ActivCard No replacement.
Natural No replacement.
Sun ONE Identity Server Use the Sun Java System Access Manager or Sun Java System Access Manager Realm adapter instead.
This chapter introduces Identity Connectors, a newly supported feature of Identity Manager.
Connectors provide an alternative to resource adapters for managing identities and other object
types in native resources. This chapter includes the following connector-related topics:
■ “Introduction to Identity Connectors” on page 567
■ “Migrating from Existing Resources ” on page 568
■ “Configuring and Managing Connectors” on page 569
■ “Additional Management Topics” on page 572
■ “Debugging and Troubleshooting” on page 574
For updated information on identity connector development and implementation issues, a road
map of connector development, and code downloads, visit
https://identityconnectors.dev.java.net.
Identity connectors provide advantages over resource adapters, including the following:
■ Simplified deployment and management because connectors are less tightly bound with
Identity Manager than resource adapters. By placing Java connector bundles in the
appropriate directory within your web application, or placing .NET bundles in the
appropriate directory in a remote .NET directory, you can extend on-demand the types of
native resources that you can manage. Identity Manager automatically detects any newly
deployed connectors.
■ Connector release cycles do not rely upon Identity Manager release cycles. Connector
releases can differ from Identity Manager releases, and you can add or update connectors in
your deployment with less dependence on the particular version of Identity Manager you
are currently using.
Migrating from Existing Resources
■ Identity Manager loads each connector in a separate class loader. This enhances support for
using multiple versions of a native API from within a single Identity Manager server.
■ Use of the separate and less complex identity connector SPI to develop connectors (Java or
.NET). You do not need to know or use any Identity Manager APIs.
When there is a new connector type available that can replace an existing resource adapter, a
migration path is provided to enable customers to switch over to use the connector.
In general, the greater the number and the more complex your customized forms and
workflows, the more complicated the conversion process. To prepare to migrate from an
adapter-based resource to a connector-based one,
■ Evaluate all existing forms and workflows that are related to the migrated resource for
instances where searchFilter is set to a string.
■ Replace each occurrence with connectorFilter. The value of the connectorFilter entry
will be an instance of a filter, which is built by calling the FilterBuilder class from an <invoke>.
2 Follow all the Identity Manager-specific installation steps documented for the connector,
including importing any needed Exchange files.
3 Follow the migration procedure documented for the connector. Typically, this involves running
a declared migration server task from Server Tasks > Run Tasks.
1 Log in to the Identity Manager Administrator Interface as an administrator who has the Resource
Administrator capability.
2 Select Resources > Resource Type Actions > Configure Managed Resources. The Resource
Connectors area lists all the connectors that Identity Manager currently recognizes.
Downloading Connectors
You can download additional Identity Manager-supported identity connectors from
https://identityconnectors.dev.java.net.
For a more detailed explanation, see “Installing a Java Connector” on page 570.
2 Copy the connector jar file into the WEB-INF/bundles directory of your Identity Manager web
application.
3 Extract the connector ZIP file into your Identity Manager web application directory.
4 Start your Identity Manager web application, and follow any additional connector-specific
installation notes.
Your newly installed Java connector should now be visible to Identity Manager. Log in to the
Identity Manager Administrator interface as an Administrator who has the Resource
Administrator capability. Select Resources > Resource Type Actions > Configure Managed
Resources, and confirm that the new Java connector is listed (associated in the displayed table
with the LOCAL connector server).
5 (Optional) You may be required to import one or more Exchange files before using the new
connector.
Note that before you install the .NET zip files, you must install and register a .NET connector
server. A connector server manages one or more .NET bundles, and handles requests between
Identity Manager and the .NET bundles. A .NET connector server is roughly analogous to the
Identity Manager gateway. For more information, see
■ “Installing a .NET Connector Server” on page 571
■ “Registering a Connector Server” on page 572
Note – You must install a .NET connector server before installing the .NET executable connector
zip file.
1 If the connector server is already installed and running, stop the Connector Server service.
2 Unzip the ZIP file into the connector server installation directory.
3 Start the Connector Server service. If the connector server is not yet declared in Identity
Manager, see Registering a Connector Server.
2 Extract the connector ZIP file into your Identity Manager web application directory, and
restart Identity Manager.
4 (Optional) You may be required to import one or more Exchange files before using the new
connector.
After following this procedure, the new .NET connector should now be visible to Identity
Manager. To confirm this, log in to the Identity Manager Administrator Interface as an
administrator who has the Resource Administrator capability. Confirm that the .NET
connector is listed in the displayed table with the appropriate connector server by checking
Resources > Resource Type Actions > Configure Managed Resources.
The minimal requirements for a machine that will run a connector server include:
■ Windows Server 2003 or 2008
■ .NET 3.5 or later
To install a connector server on a Windows host, refer to the connector server installation notes
on https://identityconnectors.dev.java.net. You must record for later use the following
information regarding your connector server installation:
■ Host name or IP address
■ Connector server port
■ Connector server key
■ whether SSL is enabled
See “Registering a Connector Server” on page 572 to declare the newly installed connector
server within Identity Manager.
1 Log on to the Identity Manager as an administrator who has the Resource Administrator
capability.
4 Complete the required fields in the New Connector Server. See the online help for information
about each field.
5 Click Save. Identity Manager displays “Available” in the Status column for the new Connector
Server definition if Identity Manager can successfully communicate with the remote connector
server.
1 From the Resource page, select the resource you want to edit.
2 Select the Resource Actions > Change Connector Parameters menu option. Note that Identity
Manager permits you to select only a connector server that has at least one version of the
connector available. The only versions displayed are those provided by the selected connector
server.
Note – Tracing of local Java connectors can be limited on a class level only. This differs from the
method-level tracing supported for other classes. Identity Manager does not support the ability
to manage tracing on remote connectors.
API-Layer Tracing
Use this level of tracing to determine whether the problem is within Identity Manager or the
connector itself. This trace method works for both remote and local connectors. To enable
connector API-level tracing, enable level 4 Identity Manager tracing for class
org.identityconnectors.framework.impl.api.LoggingProxy. This type of tracing focuses
on the arguments and return values of every connector API method call.
.NET Tracing
.NET connectors call the standard .NET trace API; Identity Manager provides no centralized
control over this tracing. You cannot view .NET trace files from within Identity Manager. You must
edit the local connector server configuration file to configure .NET tracing.
You can enable the tracing of local Java connectors by using the standard Identity Manager
tracing debug page. The connector's log calls will write to the same trace file as all Identity
Manager tracing.
You cannot manage logging for remote connectors. Instead, you must use the native Windows
tools to configure logging for remote connectors locally on the machine where the remote
connector host is running.
Because a connector-based resource looks like a typical resource to the rest of Identity Manager,
you can use the JMX tools already present for resources and resource adapters (including Active
Sync JMX) to monitor the use and performance of connector-based resources.
The connector framework API maintains the connection pool used by local Java connectors,
and there is currently no visibility or management for that information. There is also no such
tool provided by the connector API for remote connectors.
This chapter describes installation and configuration issues for the Active Directory connector.
The Active Directory connector shares a significant feature set with the Active Directory
resource adapter.
For current information on identity connector installation and configuration issues, see
https://identityconnectors.dev.java.net. For a general discussion of identity connectors,
see Chapter 56, “Identity Connectors Overview.”
Connector Details
Bundle Name
Windows Active Directory Connector
Bundle Version
1.0.0.3663
The LDAP Hostname resource attribute tells the connector to bind to a particular DNS
hostname or IP address. This is the opposite of a serverless bind. However, the LDAP Hostname
does not necessarily have to specify a specific domain controller. The DNS name of an AD
domain can be used. If the connector's DNS server is configured to return multiple IP addresses
for that DNS name, then one of them will be used for the directory bind. This avoids having to
rely on a single domain controller.
Some operations, including pass-through authentication and before and after actions, require
that the connector server be a member of a domain.
If you run the connector server as an account other than Local System, then connector server
service account requires the “Act As Operating System” and “Bypass Traverse Checking” user
rights. It uses these rights for pass-through authentication and for changing and resetting
passwords in certain situations.
Most of the management of AD is done using the administrative account specified in the
resource. However, some operations are done as the connector server service account. This
means that the connector server service account must have the appropriate permissions to
perform these operations. Currently, these operations are:
■ Creating home directories
■ Running actions (including before and after actions)
When performing before and after action scripts, the connector server may need the Replace a
process level token right. This right is required if the connector server attempts to run the
script subprocess as another user, such as the resource administrative user. In this case, the
connector server process needs the right to replace the default token associated with that
subprocess.
If this right is missing, the following error may be returned during subprocess creation:
The Replace a process level token right is defined in the Default Domain Controller Group
Policy object and in the local security policy of workstations and servers. To set this right on a
system, open the Local Security Policies application within the Administrative Tools folder,
then navigate to Local Policies > User Rights Assignment > Replace a process level token.
Usage Notes
This section lists dependencies and limitations related to using the Active Directory connector,
including:
■ Checking Password History
■ Configuring Active Sync
■ Specifying a Domain for Pass-Through Authentication
See Chapter 52, “Active Directory Synchronization Failover,” for information about limiting the
number of repeated events that occur when you switch to a new domain controller.
In an environment with multiple trusted domains and Active Directory forests, the
authentication can fail using any of these configurations because the Global Catalog does not
contain cross-forest information. If a user supplies a wrong password, it could also lead to
account lockout in the user’s domain if the number of domains is greater than the lockout
threshold.
Login failures will occur in domains if the user exists in the domain and the password is not
synchronized.
It is not possible to use multiple data sources for the domain information in one Login Module
Group.
Security Notes
This section provides information about supported connections and privilege environments.
Update Active Directory User accounts Read All Properties, Write All Properties
Note: If only a subset of the properties are to be
managed from Identity Manager, then Read/Write
access can be given to just those properties.
Reset Password
The permissions to perform Create, Delete, and Update of resource objects are as expected. The
account needs the Create and Delete permissions for the corresponding object type and you
need appropriate Read/Write permissions on the properties that need to be updated.
Pass-Through Authentication
To support Active Directory (AD) pass-through authentication:
■ When configuring the connector server to run as a user, that user account must have the
“Act As Operating System” and “Bypass Traverse Checking” user rights. By default, the
connector server runs as the Local System account, which should already have these rights.
Also, the “Bypass Traverse Checking” user right is enabled for all users by default.
Note – If you must update user rights, there might be a delay before the updated security policy is
propagated. Once the policy has been propagated, you must restart the connector server.
■ Accounts being authenticated must have “Access This Computer From The Network” user
rights on the connector server.
The connector server uses the LogonUser function with the LOGON32_LOGON_NETWORK log-on
type and the LOGON32_PROVIDER_DEFAULT log-on provider to perform pass-through
authentication. The LogonUser function is provided with the Microsoft Platform Software
Development Kit.
Provisioning Notes
The following table summarizes the provisioning capabilities of this connector.
Feature Supported?
Account Attributes
The syntax (or type) of an attribute usually determines whether the attribute is supported. In
general, Identity Manager supports Boolean, string, and integer syntaxes. Binary strings and
similar syntaxes are not supported.
Supported Syntaxes
The following table lists the Active Directory syntax supported by Identity Manager:
AD Syntax Identity Manager Syntax Syntax ID OM ID ADS Type
Unsupported Syntaxes
The following table lists the Active Directory syntaxes that are not supported by Identity
Manager:
Identity Manager supports the jpegPhoto and thumbnailPhoto account attributes, which use
the Replica Link syntax. Other Replica Link attributes might be supported, but they have not
been tested.
Name Attribute Type Create? Update? Allows Multiple Values
cn String No No Yes
ou String No No No
displayName String No No No
The attributes that can be managed on resource objects are also generally dictated by the
attribute syntaxes. The attributes for these object types are similar to those for user accounts
and are supported accordingly.
Identity Template
Windows Active Directory is a hierarchically based resource. The identity template will provide
the default location in the directory tree where the user will be created. The default identity
template is
CN=$fullname$,CN=Users,DC=mydomain,DC=com
Sample Forms
This section lists the sample forms provided for the Active Directory resource adapter.
Built-In
■ Active Directory ActiveSync Form
■ Windows Active Directory Create Container Form
■ Windows Active Directory Create Group Form
■ Windows Active Directory Create Organizational Unit Form
■ Windows Active Directory Create Person Form
■ Windows Active Directory Create User Form
■ Windows Active Directory Update Container Form
■ Windows Active Directory Update Group Form
■ Windows Active Directory Update Organizational Unit Form
■ Windows Active Directory Update Person Form
■ Windows Active Directory Update User Form
Also Available
ADUserForm.xml
Troubleshooting
See Chapter 56, “Identity Connectors Overview,” for information on logging and tracing.
SPML Connector
This section describes connection and configuration issues for the SPML2 connector.
For current information on identity connector installation and configuration issues, see
https://identityconnectors.dev.java.net. For a general discussion of identity connectors,
see Chapter 56, “Identity Connectors Overview.”
Connector Details
Bundle Name
SPML
Bundle Version
1.0
Configuration Notes
Connection Parameters
The SPML Connector configuration parameters include:
Scripting Parameters
Scripting parameters include scripting language, which defines the scripting language that
you use to write scripts. Groovy support is included with the connector framework. Since SPML
2.0 does not specify how to establish and maintain a session, the SPML 2.0 connector allows
scripts to be performed at specified points in the execution so that session management can be
performed. These points of execution include:
■ after a connection has been established
■ before a request is sent
■ after a response has been received
■ before a connection is disposed
After a connection has been established, the Post-Connect script is run with the following
variables defined.
Before a request is sent, the Pre-Send script is run with the following variables defined.
After a response is received, the Post-Receive script is run with the following variables defined.
Before a connection is terminated, the Pre-Disconnect script is run with the following variables
defined.
Additionally, you can execute scripts to change the attributes before the attributes are sent to
the server, or after they are received back from the server. This can be necessary since the
connector framework uses reserved names for some attributes (for example, NAME for name)
that may not correspond to the names used by the server.
You can execute a script to modify attribute names during create and modify operations. This
script should return the name to be used. The following variables will be available to the Map
'set' Name script:
You can execute a script to modify attributes that are returned as a result of search operations.
The script should return the attribute to be used. The following variables will be available to the
Map Attribute script:
attribute com.sun.openconnectors.framework.common.objects.Attribute
You can execute a script to modify the attributes that are returned during query operations.
The Map 'query' Name script should return the name to be used.
Finally, you must specify a mapping between the SPML object classes and the Connector
Framework object classes. This is done with a table containing one row for each supported
Connector Framework object class (for example, __ACCOUNT__) and four columns that
contain:
■ Connector Framework Object Class name
■ SPML object class name
■ SPML target containing the object class
■ attribute in the SPML object class that should be mapped to the
org.identityconnectors.framework.common.objects.Name
Usage Notes
Default Schema
OperationalAttributes.PASSWORD_NAME (if the "password" capability is present)
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter.
Feature                       Supported
Rename account                No
Pass-through authentication   No
Before/after actions          No
Index
C
cascade deletes, 257
certificates
  exporting, 240
  issuing, 170
  Public Key Certificate, 240
  SecretStore, 240
  Signer, 558
  SSL, 240
  Telnet/TN3270 server, 557
  userCertificate, 252
  userSMIME, 252
  X.509, 101
change pointers, SAP, 366
classes
  com.waveset.adapter, See com.waveset.adapter classes
  for tracing and debugging, 37
ClearTrust adapter
  account attributes, 146, 147
  entitlements, 146
  identity template, 147
  jar file requirements, 40
  supported connections, 146
  troubleshooting, 147
ClearTrustUserForm.xml, 147
client encryption, Oracle, 263
clustered environment and ACF2, 77
cmd shell, Windows, 536
collectCsvHeader token, 511
collectCvsLines token, 512
com.waveset.adapter.
  AccessManagerResourceAdapter class, 485, 491
  ACF2ResourceAdapter class, 75
  ADSIResourceAdapterceAdapter class, 125
  AIXResourceAdapter class, 127, 132
  ClearTrustResourceAdapter class, 145
  DatabaseTableResourceAdapter class, 149
  DB2ResourceAdapter class, 155
  DominoResourceAdapter class, 159
  FlatFileActiveSyncAdapter class, 181
  INISafeNexessResourceAdapter class, 197
  JmsListenerResourceAdapter class, 201, 207
  MIISResourceAdapter class, 225
  MSSQLServerResourceAdapter class, 229
  MySQLResourceAdapter, 235
  NDSResourceAdapter, 239
  NDSSecretStoreResourceAdapter, 239
  OS400ResourceAdapter, 283
  PeopleSoftCompIntfcAdapter class, 307
  PeopleSoftComponentActiveSyncAdapter class, 289
  RACFResourceAdapter class, 317
  RemedyResourceAdapter class, 341
  SAPHRActiveSyncAdapter, 359
  SAPPortalResourceAdapter class, 383
  ScriptedConnection class, 132
  ScriptedHostResourceAdapter class, 387, 393, 439
  SecurIdResourceAdapter, 427
  SecurIdUnixResourceAdapter, 427
  SiebelCRMResourceAdapter, 445
  SiteminderAdminResourceAdapter, 453
  SiteminderExampleTableResourceAdapter, 453
  SiteminderLDAPResourceAdapter, 453
  SolarisResourceAdapter class, 459
  SunAccessManagerResourceAdapter class, 55, 67
  SunCommunicationsServicesResourceAdapter class, 325, 465
  TopSecretResourceAdapter class, 493
com.waveset.adapter, SmartRolesResourceAdapter class, 133
comma-separated value (CSV) files, 181, 184
communication resources, SAP HR Active Sync, 379-380
Configure Managed Resources page, 38
configuring
  Access Manager resources, 485
  Active Sync, 43
  Database Table adapter, 150
  Domino adapter, 159-160
  PeopleSoft, 289-301
  PeopleTools, 300-301
  resources, 38
  SAP and SAP HR Active Sync, 347, 359-368
  SecurID ACE/Server, 427-428
  SSL, 557-558
  Sun Java System Access Manager adapter, 55-60, 67-69
SAP Application Link Enabling (ALE) technology, 360
SAP Enterprise Portal adapter
  account attributes, 384
  configuring, 383
  identity template, 386
  overview, 386
  portal archive file, 383
  troubleshooting, 386
SAP Gateway, 362-363
SAP HR Active Sync, 359
  adapter jar file requirements, 41
SAP User Management Engine (UME), 383
SAPForm.xml, 357, 380
SAPHRActiveSyncForm.xml, 357, 380
SAPPortalUserForm.xml, 386
SAPPortalUserFormRules.xml, 386
SAPUserForm_with_RoleEffectiveDates_Timezone.xml, 348, 349, 357, 380
SAPUserForm.xml, 349
schema map entries, adding, 530
schema maps, 45
screen scraping, 509
ScreenSampleActions.xml, 396
Scripted Gateway adapter
  account attributes, 391, 443
  environment variables, 389, 441
  identity template, 391, 443
  installing, 387, 439
  required administrative privileges, 390, 442
  resource actions, 388, 440
  resource objects, 391, 443
  result handling, 389-390, 442
  scripts, 388-389, 440-441
  supported connections, 390, 442
  troubleshooting, 391, 444
Scripted Host adapter
  account attributes, 407
  administrators, 395
  identity template, 407
  installing, 393
  jar file requirements, 41
  Javascript, 395
  overview, 393
  resource actions, 395-406
  supported connections, 406
  troubleshooting, 408
scripts, Scripted Gateway, 388-389, 440-441
searchFilter, implementing for Domino, 167-168
SecretStore, 239, 244
  certificates, 240
SecurID ACE/Server adapter
  account attributes, 434
  configuring, 427-428
  enabling multiple tokens, 429-432
  enabling pass-through authentication on UNIX, 428-429
  identity template, 437
  password policies, 432
  required administrative privileges, 433-434
  supported connections, 433
  troubleshooting, 437
securingAttrs attribute, 264
security notes, 37, 44
Semi-auto mode for failovers, 552
SendKeys Method, 537-538
serverconfig.xml, 57
setting trace options, 37
Siebel CRM adapter
  account attributes, 450
  account provisioning, 446-449
  identity template, 451
  installing, 445
  jar file requirements, 42, 445
  required administrative privileges, 451
  resource object management, 451
  supported connections, 450
  troubleshooting, 452
Siebel Tools Client, 446
Signer certificates, 558
SiteMinder adapter
  identity template, 458
  installing, 454
  jar file requirements, 42, 454
  supported connections, 455
  troubleshooting, 458
SiteminderAdminUserForm.xml, 458
SiteminderExampleTableUserForm.xml, 458
troubleshooting (Continued)
  Sybase, 484
  Top Secret, 500
  TSO, 77, 319, 327, 496

U
ums.xml, 57
update actions, 310, 405
usage notes, 37
Use Blocks resource attribute, 212
user attributes, default, 37
User Model resource parameter, 236
USER_PROFLE component interface, 310
user types, Oracle, 256
userCertificate attribute, 252
userPresenceProfile object class, 474
userSMIMECertificate attribute, 252

V
variables
  USUSER_UNID, 168
  WSUSER_accountId, 168
versions, Sun Java System Access Manager, 67
viewing repository forms, 46
views, extending, 540-542
virtual list view support, LDAP adapter, 212-213
VLV, 212-213

W
web access control, configuring, 487
WebLogic application server, 455
WebSphere application server, 488
Windows authentication, 230
Windows NT adapter, example actions, 530-533
WSAttributes object, 43
WSUSER_accountId variable, 168
WSUSER_UNID variable, 168

X
X.509 certificates, 101
XML files
  AccessManagerUserForm.xml, 491
  ACF2UserForm.xml, 86
  ADUserForm.xml, 125, 588
  AIXUserForm.xml, 132
  ClearTrustUserForm.xml, 147
  DominoActiveSyncForm.xml, 174
  HP-UXUserForm.xml, 195
  LDAPActiveSyncForm.xml, 223
  logger.xml, 386
  MSSQLServerUserForm.xml, 233
  NDSUserForm.xml, 253
  OracleEBSUserForm.xml, 282
  OS400UserForm.xml, 287
  PeopleSoftComponentInterfaces.xml, 308, 315
  PeopleSoftForm.xml, 304
  RACFUserForm.xml, 324
  SAPForm.xml, 357, 380
  SAPHRActiveSyncForm.xml, 357, 380
  SAPPortalUserForm.xml, 386
  SAPPortalUserFormRules.xml, 386
  SAPUserForm_with_RoleEffectiveDates_Timezone.xml, 348, 349, 357, 380
  SAPUserForm.xml, 349
  ScreenSampleActions.xml, 396
  serverconfig.xml, 57
  SiteminderAdminUserForm.xml, 458
  SiteminderExampleTableUserForm.xml, 458
  SiteminderLDAPUserForm.xml, 458
  SmartRolesUserForm.xml, 142
  SolarisUserForm.xml, 464
  SunAMRealmUserForm.xml, 73
  SunAMUserForm.xml, 64
  TopSecretUserForm.xml, 500
  ums.xml, 57