
Oracle Identity Manager
Connector Guide for RSA Authentication Manager
Release 9.0.3
B32366-01
February 2007

Oracle Identity Manager Connector Guide for RSA Authentication Manager, Release 9.0.3
B32366-01

Copyright 1991, 2007, Oracle. All rights reserved.

Primary Authors: Debapriya Datta, Shiladitya Guha
Contributing Authors: Don Gosselin, Lyju Vadassery

The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose.

If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software--Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs.

Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party.

Contents

Preface .... v
  Audience .... v
  Documentation Accessibility .... v
  Related Documents .... vi
  Documentation Updates .... vi
  Conventions .... vi

What's New in the Oracle Identity Manager Connector for RSA Authentication Manager? .... vii
  Software Updates .... vii
  Documentation-Specific Updates .... viii

1 About the Connector
  Supported Functionality .... 1-1
  Multilanguage Support .... 1-4
  Reconciliation Module .... 1-4
    Reconciling Multivalue Attribute Groups .... 1-4
  Provisioning Module .... 1-5
    RSA Authentication Manager User Provisioning .... 1-5
    RSA Authentication Manager Token Provisioning .... 1-5
  Files and Directories That Comprise the Connector .... 1-5
  Determining the Release Number of the Connector .... 1-7

2 Deploying the Connector
  Step 1: Verifying Deployment Requirements .... 2-1
  Step 2: Configuring the Target System .... 2-2
    Setting Up the Remote Manager .... 2-2
    Configuring Strong Authentication Between Oracle Identity Manager and the Remote Manager .... 2-4
    Configuring SSL Client (Oracle Identity Manager Server) Authentication .... 2-4
  Step 3: Copying the Connector Files .... 2-6
  Step 4: Configuring the Oracle Identity Manager Server .... 2-7
    Changing to the Required Input Locale .... 2-7
    Clearing Content Related to Connector Resource Bundles from the Server Cache .... 2-7
    Enabling Logging .... 2-8

  Step 5: Importing the Connector XML Files
    Defining IT Resources
      IT Resource: ACE Remote Manager
      IT Resource: ACE Server Remote
  Step 6: Configuring Reconciliation
    Configuring Trusted Source Reconciliation
    Installing Software Tokens
    Creating Scheduled Tasks
    Enabling Reconciliation in Oracle Identity Manager Release 9.0.1
  Step 7: Compiling Adapters
  Configuring the Connector for Multiple Installations of the Target System

3 Testing and Troubleshooting
  Running Connector Tests .... 3-1
  Troubleshooting .... 3-4

4 Known Issues

Index

Preface

Oracle Identity Manager Connector Guide for RSA Authentication Manager provides information about integrating Oracle Identity Manager with RSA Authentication Manager.

Note: Some parts of the product and documentation still refer to the original Thor company name and Xellerate product name and will be rebranded in future releases.

Audience

This guide is intended for users who want to deploy the Oracle Identity Manager connector for RSA Authentication Manager.

Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more information, visit the Oracle Accessibility Program Web site.

Accessibility of Code Examples in Documentation

Screen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation

This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

TTY Access to Oracle Support Services

Oracle provides dedicated Text Telephone (TTY) access to Oracle Support Services within the United States of America 24 hours a day, seven days a week. For TTY support, call 800.446.2398.

Related Documents

For more information, refer to the following documents in the Oracle Identity Manager documentation library:

- Oracle Identity Manager Release Notes
- Oracle Identity Manager Installation Guide for JBoss
- Oracle Identity Manager Installation Guide for Oracle Containers for J2EE
- Oracle Identity Manager Installation Guide for WebLogic
- Oracle Identity Manager Installation Guide for WebSphere
- Oracle Identity Manager Administrative and User Console Guide
- Oracle Identity Manager Administrative and User Console Customization Guide
- Oracle Identity Manager Design Console Guide
- Oracle Identity Manager Tools Reference Guide
- Oracle Identity Manager Audit Report Developer Guide
- Oracle Identity Manager Best Practices Guide
- Oracle Identity Manager Globalization Guide
- Oracle Identity Manager Glossary of Terms

The following document is available in the Oracle Identity Manager Connector Pack documentation library:

- Oracle Identity Manager Connector Framework Guide

Documentation Updates

Oracle is committed to delivering the best and most recent information available. For information about updates to the Oracle Identity Manager 9.0.3 connector documentation set, visit Oracle Technology Network (URL truncated: ...ndex.html).

Conventions

The following text conventions are used in this document.

Convention    Meaning
boldface      Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.
italic        Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values.
monospace     Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.

What's New in the Oracle Identity Manager Connector for RSA Authentication Manager?

This chapter provides an overview of the updates made to the connector and documentation for RSA Authentication Manager in release 9.0.3 of the Oracle Identity Manager connector pack.

See Also: The 9.0.2 release of this guide for information about updates that were new for the 9.0.2 release

The updates discussed in this chapter are divided into the following categories:

- Software Updates
  These include updates made to the connector software.
- Documentation-Specific Updates
  These include major changes made to the connector documentation. These changes are not related to software updates.

See Also: Oracle Identity Manager Release Notes

Software Updates

This section discusses the following software updates implemented in this release of the connector.

Enhancement in the Multilanguage Support Feature

In addition to the three languages supported by the earlier release, this release of the connector supports seven new languages. All the supported languages are listed in the "Multilanguage Support" section on page 1-4.

RSA APIs do not support certain characters of the Japanese, Simplified Chinese, Traditional Chinese, Korean, and French languages. An item pertaining to this limitation of the target system has been added in the Known Issues list in Chapter 4.

Reconciling Multivalue Attribute Groups

The "Reconciling Multivalue Attribute Groups" section on page 1-4 provides information about this functionality.

Support for OC4J

Earlier releases of the connector supported the following application servers:

- JBoss Application Server
- BEA WebLogic
- IBM WebSphere

This release of the connector also supports Oracle Containers for J2EE (OC4J).

Correction in Commands for ACE 5.0, 5.2, and 6.0

The commands for ACE 5.0, 5.2, and 6.0 have been changed in the following sections:

- Step 4 of the "Setting Up the Remote Manager" section on page 2-2
- The "Running Connector Tests" section on page 3-1

Addition of Configuration File

The configuration file that is added in the XML directory is mentioned in the "Files and Directories That Comprise the Connector" section on page 1-5.

New Scheduled Task Attributes

The "Creating Scheduled Tasks" section on page 2-14 provides descriptions for the following attributes that have been added in the scheduled task definition:

- IsTrusted
- IsDeleteAllowed

Documentation-Specific Updates

- The following IT resource parameters have been moved from the "IT Resource: ACE Remote Manager" section to the "IT Resource: ACE Server Remote" section on page 2-11:
  - Target Locale: Country
  - Target Locale: Language
- In the "Enabling Logging" section on page 2-8, instructions for each of the application servers that are supported by this release of the connector have been added.
- In the "Step 7: Compiling Adapters" section on page 2-15, the instruction about restarting the node has been removed from Step 4 of the procedure to compile adapters.
- All content pertaining to RSA Authentication Manager 6.0.2 has been removed.

1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. The connector for RSA Authentication Manager is used to integrate Oracle Identity Manager with RSA Authentication Manager.

Note: Oracle Identity Manager connectors were referred to as resource adapters prior to the acquisition of Thor Technologies by Oracle.

This chapter contains the following sections:

- Supported Functionality
- Multilanguage Support
- Reconciliation Module
- Files and Directories That Comprise the Connector
- Determining the Release Number of the Connector

Supported Functionality

The following table lists the functions that are available with this connector. Each entry gives the function, its type in parentheses, and a description.

Create User (Provisioning)
  Creates a user.

Delete User (Provisioning)
  Deletes a user. This function would not run if the user to be deleted is an administrator.

Enable Token (Provisioning)
  Enables a disabled token.

Disable Token (Provisioning)
  Disables an existing token.

About the Connector 1-1

Assign SecurID Tokens to Users (Provisioning)
  Assigns a token to a user.
  While assigning a software token to the user, the Type of Algorithm field must be filled in the process form.
  - If SID is selected in the Type of Algorithm field, then values must be specified for the following fields in the process form:
    - Software Token File Name: This is the name of the RSA SecurID software token file in which user and token information is saved. You must enter the file name with the full directory path and ensure that the extension is .sdtid.
    - Encryption Key Type
    - Copy Protection Flag
    - Password Usage and Interpretation Method
    - Password
    Note: If the combinations of Encryption Key Type, Password Usage and Interpretation Method, and Password do not matter, then you can accept the default options.
  - If AES is specified in the Type of Algorithm field, then:
    - You must enter a value in the Software Token File Name field of the process form. This is the name of the RSA SecurID software token file in which user and token information is saved. You must enter the file name with the full directory path and ensure that the extension is .sdtid.
    - The Password field is optional.
    - The following fields can be ignored:
      - Encryption Key Type
      - Copy Protection Flag
      - Password Usage and Interpretation Method

Revoke SecurID Tokens from Users (Provisioning)
  Revokes a token from a user.

Assign Users to RSA Authentication Manager Groups (Provisioning)
  Assigns a user to a group.
  You must ensure that the following prerequisites are met before you use this function:
  - Valid groups exist in RSA Authentication Manager.
  - The required lookup codes (corresponding to valid group names) are added in the UD Lookup.ACE Group lookup definition. For example, for a group called Managers defined in ACE DB, the following entry must be added as the lookup code:
      Code Key: Managers
      Decode: Managers
      Lang: en
      Country: US

Remove Users from RSA Authentication Manager Groups (Provisioning)
  Removes a user from a group.
  You must ensure that the following prerequisites are met before you use this function:
  - Valid groups exist in ACE DB.
  - This function is run only after the Assign Users to RSA Authentication Manager Groups function has been run.

Set Token PIN (Provisioning)
  Updates the configuration of a token according to a change in the PIN attribute.

Set PIN to Next Token Code Mode (Provisioning)
  Sets the PIN to the next token code mode in RSA Authentication Manager.

Track Lost Tokens (Provisioning)
  Updates the configuration of a token according to a change in the Track Lost attribute.

Test Login (Provisioning)
  Verifies the login for a new user to whom a token has been assigned.
  You must ensure that the following prerequisites are met before you use this function:
  - An agent host is defined in the RSA Authentication Manager database.
  - The user for whom the Test Login function is to be implemented is enabled on this agent host. After this is done, the RSA Authentication Manager is restarted (Broker as well as Authentication Server).
  For software token types, you must enter the passcode, instead of the token code, in the Current Token Code field in the process form. The passcode can be viewed by using the software token application, which is installed on the Oracle Identity Manager server.
  See Also: The "Installing Software Tokens" section on page 2-13 for more information

Update User ID (Provisioning)
  Updates the configuration of a user according to a change in the User ID attribute.

Multilanguage Support

This release of the connector supports the following languages:

- English
- Brazilian Portuguese
- French
- German
- Italian
- Japanese
- Korean
- Simplified Chinese
- Spanish
- Traditional Chinese

See Also: Oracle Identity Manager Globalization Guide for information about supported special characters

Reconciliation Module

The reconciliation module extracts the following elements from the target system to construct reconciliation event records:

- Default Login
- First Name
- Last Name
- Group Name
- Group Login
- Token Serial Number
- Type of Token

Reconciling Multivalue Attribute Groups

The following are features related to the reconciliation of multivalue attribute groups:

- Group names that include the names of sites are entered in the group name@domain name format. In Oracle Identity Manager 9.0.3, you can choose not to include the domain name while creating or updating the name of a group. Similarly, regardless of whether or not the name of a group in the target system includes a domain name, it is reconciled in Oracle Identity Manager.
  Note: The term "domain name" in the Oracle Identity Manager context is the same as "site name" in RSA Authentication Manager.
- When a user is deleted from a group in ACE, the group is also deleted from the user's ACE process child table.

Provisioning Module

This section discusses the fields that are provisioned.

RSA Authentication Manager User Provisioning

The following fields are provisioned:

- Default Login
- First Name
- Last Name
- Group Login
- Group Name

RSA Authentication Manager Token Provisioning

The following fields are provisioned:

- Token Serial Number
- PIN
- Current Token Code
- Lifetime (hours)
- Number of Digits
- Type of Token
- Copy Protection Flag
- Password
- Password Usage and Interpretation Method
- Software Token File Name
- Encryption Key Type
- Type of Algorithm

Files and Directories That Comprise the Connector

The files and directories that comprise this connector are compressed in the following directory on the installation media:

Security Applications\RSA Authentication Manager

These files and directories are listed in the following table. Each entry gives the file in the installation media directory, followed by its description.

lib\xliACE.jar
  This file contains the Java classes that are required for provisioning in RSA Authentication Manager.

remotePackage\config\xl.policy
  This file contains the security configuration that is required for the RMI server codebase for running calls on RSA Authentication Manager for ...

(file name not legible in the transcription)
  This file contains the shared library that is required to support provisioning in RSA ACE Server 5.0.

...r.dll
  This file contains the shared library that is required to support provisioning in RSA ACE Server 5.2.

remotePackage\lib\ACE52Sol\libACEUser.so
  This file contains the shared library that is required to support provisioning in RSA Authentication ...

(file name not legible in the transcription)
  This file contains the shared library that is required to support provisioning in RSA Authentication ...

...er.so
  This file contains the shared library that is required to support provisioning in RSA Authentication Manager 6.0, on Solaris.

remotePackage\lib\xliACE.jar
  This file contains the Java classes that are required for provisioning in RSA Authentication ...

...bat
  This file contains the script for importing the required security certificate into the remote manager ...

...rImportXLCert.sh
  This file contains the script for importing the required security certificate into the remote manager keystore (.xlkeystore) on Solaris.

remotePackage\tests\config\xl.policy
  This file contains the security configuration required for the RMI server codebase to run test calls on RSA Authentication ...

...ar
  This file contains the Java classes that are required to run the RMI server for running test calls on RSA Authentication Manager.

remotePackage\tests\logs
  This directory is used by the connector test suite to log the results of the tests. The log files are created in ...

...erver.bat
  This file contains the script that is required to run the RMI server for running test calls on RSA ...

...runTestServer.sh
  This file contains the script that is required to run the RMI server for running test calls on RSA Authentication Manager, on Solaris.

Files in the resources directory
  Each of these resource bundle files contains language-specific information that is used by the connector.
  Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console.

scripts\AuthMgrImportRMCert.bat
  This file contains the script for importing the required security certificate in the Oracle Identity Manager server keystore (.xlkeystore).

scripts\AuthMgrImportRMCert.sh
  This file contains the script for importing the required security certificate in the Oracle Identity Manager server keystore (.xlkeystore) on Solaris.

tests\config\config.properties
  This file contains the properties required by the RMI client for running test calls from the Oracle Identity Manager server.

(file name not legible in the transcription)
  This file contains the Java classes required to run the RMI client for running test calls from the Oracle Identity Manager server.

tests\logs
  This directory is used by the connector test suite to log the results of the tests. The log files are created in this directory.

tests\scripts\runTestClient.bat
  This file contains the script required to run the RMI client for running test calls from the Oracle Identity Manager Server, for Microsoft Windows.

tests\scripts\runTestClient.sh
  This file contains the script required to run the RMI client for running test calls from the Oracle Identity Manager Server, for Solaris.

xml\xliAuthMgrScheduledTask DM.xml
  This file contains definitions for the components required for reconciliation.

xml\xliAuthMgrToken DM.xml
  This file contains definitions for the following ACE Token components of the connector:
  - ACE Token IT resource type
  - Custom process form
  - Process task and rule-generator adapters (along with their mappings)
  - Resource object
  - Provisioning process
  - Pre-populate rules that are used with this connector

xml\xliAuthMgrTrusted.xml
  This file contains configuration parameters for the Xellerate User. You must import this file only if you plan to use the connector in trusted source reconciliation mode.

xml\xliAuthMgrUser DM.xml
  This file contains definitions for the following ACE User components of the connector:
  - IT resource type
  - Custom process form
  - Process task and rule-generator adapters (along with their mappings)
  - Resource object
  - Provisioning process
  - Pre-populate rules that are used with this connector

Note: The files in the tests directory are used only to run tests on the connector.

The "Step 3: Copying the Connector Files" section on page 2-6 provides instructions to copy these files into the required directories.

Determining the Release Number of the Connector

To determine the release number of the connector that you have deployed:

1. Extract the contents of the xliACE.jar file. For a connector that has been deployed, this file is in the following directory:

   OIM home\xellerate\JavaTasks

2. Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the xliACE.jar file.

   In the manifest.mf file, the release number of the connector is displayed as the value of the Version property.

See Also: Oracle Identity Manager Design Console Guide
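The two steps above can be automated so that the deployed release can be checked (for example, before applying a connector update) without extracting the jar by hand. The following Python script is an added example and is not part of the Oracle guide or the connector. It assumes that the manifest is stored at META-INF/MANIFEST.MF, the standard location inside a jar (the guide refers to the file as manifest.mf), and that the release number is the value of the Version property, as the guide states. When run without arguments it reads a constructed stand-in for xliACE.jar that is built in memory, so it runs offline; pass the path of a real jar to read that instead.

```python
"""Read a connector's release number from the manifest inside its jar.

Added example (not Oracle's code). Assumptions: the manifest lives at
META-INF/MANIFEST.MF inside the jar, and the release number is the value
of the "Version" attribute. The sample jar built by build_sample_jar() is
a constructed stand-in for xliACE.jar so the script runs offline.
"""
import io
import sys
import zipfile


def parse_manifest(text):
    """Parse JAR-manifest "Name: value" lines into a dict.

    A line beginning with a single space continues the previous value
    (the jar manifest continuation rule); a blank line ends a section.
    Any other line without a colon is rejected as malformed.
    """
    attrs = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            last = None            # blank line: end of the current section
            continue
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]  # continuation: append without the lead space
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed manifest line: {raw!r}")
        last = name.strip()
        attrs[last] = value.strip()
    return attrs


def connector_version(jar_bytes, manifest_path="META-INF/MANIFEST.MF"):
    """Return the Version attribute from the manifest stored in jar_bytes.

    Raises KeyError if the manifest carries no Version attribute, so a
    jar that is not a connector jar is reported rather than silently
    yielding an empty string.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read(manifest_path).decode("utf-8")
    attrs = parse_manifest(text)
    if "Version" not in attrs:
        raise KeyError("manifest has no Version property")
    return attrs["Version"]


def build_sample_jar(version):
    """Constructed stand-in for xliACE.jar: a zip holding only a manifest."""
    manifest = (
        "Manifest-Version: 1.0\n"
        f"Version: {version}\n"
        "Implementation-Title: Example connector\n"
        " (constructed sample)\n"   # continuation line, per the jar spec
        "\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real jar supplied on the command line, e.g. the deployed
        # OIM home\xellerate\JavaTasks\xliACE.jar.
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_jar("9.0.3")   # constructed sample value
    print("connector release:", connector_version(data))
```

The continuation-line handling matters in practice: jar tooling wraps long attribute values at 72 bytes, so a naive line-by-line "split on colon" reader would miss or truncate values on real manifests.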

2 Deploying the Connector

Deploying the connector involves the following steps:

- Step 1: Verifying Deployment Requirements
- Step 2: Configuring the Target System
- Step 3: Copying the Connector Files
- Step 4: Configuring the Oracle Identity Manager Server
- Step 5: Importing the Connector XML Files
- Step 6: Configuring Reconciliation
- Step 7: Compiling Adapters

If you want to configure the connector for multiple installations of RSA Authentication Manager, then perform the following procedure:

- Configuring the Connector for Multiple Installations of the Target System

Step 1: Verifying Deployment Requirements

The following table lists the deployment requirements for the connector.

Item                          Requirement
Oracle Identity Manager       Oracle Identity Manager release 8.5.3 or later
Target system                 The target system can be any one of the following:
                              - RSA Authentication Manager 6.0
                              - RSA ACE Server 5.2
                              - RSA ACE Server 5.0
Target system host platforms  The target system host platform can be any one of the following:
                              - Microsoft Windows
