Oracle Identity Manager Connector Guide For UNIX SSH


Oracle Identity Manager Connector Guide for UNIX SSH
Release 9.0.4
E10447-12
September 2013

Oracle Identity Manager Connector Guide for UNIX SSH, Release 9.0.4
E10447-12

Copyright 2011, 2013, Oracle and/or its affiliates. All rights reserved.

Primary Author: Gauhar Khan

Contributing Authors: Sridhar Machani, Alankrita Prakash, Gowri G. R, Deena Purushothaman

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate failsafe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

Contents

Preface ix
  Audience ix
  Documentation Accessibility ix
  Related Documents ix
  Documentation Updates ix
  Conventions x

What's New in Oracle Identity Manager Connector for UNIX SSH? xi
  Software Updates xi
  Documentation-Specific Updates xix

1 About the Connector
  1.1 Certified Components 1-1
  1.2 Certified Languages 1-3
  1.3 Connector Architecture 1-3
    1.3.1 Reconciliation Process 1-4
    1.3.2 Provisioning Process 1-5
  1.4 Features of the Connector 1-6
    1.4.1 Support for Both Target Resource and Trusted Source Reconciliation 1-6
    1.4.2 Support for Limited Reconciliation 1-6
    1.4.3 Support for Batched Reconciliation 1-7
    1.4.4 Support for Both Full and Incremental Reconciliation 1-7
    1.4.5 Support for Adding Custom Attributes for Reconciliation and Provisioning 1-7
    1.4.6 Transformation of Account Data 1-7
    1.4.7 Support for Reconciliation of User Status from the Target System 1-7
  1.5 Lookup Definitions Used During Connector Operations 1-7
    1.5.1 Lookup Definitions Synchronized with the Target System 1-7
    1.5.2 Other Lookup Definitions 1-8
  1.6 Connector Objects Used During Target Resource Reconciliation and Provisioning 1-8
    1.6.1 User Attributes for Target Resource Reconciliation and Provisioning 1-8
    1.6.2 Reconciliation Rule for Target Resource Reconciliation 1-10
    1.6.3 Reconciliation Action Rules for Target Resource Reconciliation 1-10
    1.6.4 Provisioning Functions 1-12
  1.7 Connector Objects Used During Trusted Source Reconciliation 1-12
    1.7.1 User Attributes for Trusted Source Reconciliation 1-12

    1.7.2 Reconciliation Rule for Trusted Source Reconciliation 1-13
    1.7.3 Reconciliation Action Rules for Trusted Source Reconciliation 1-14
  1.8 Roadmap for Deploying and Using the Connector 1-15

2 Deploying the Connector
  2.1 Files and Directories on the Installation Media 2-1
  2.2 Determining the Release Number of the Connector 2-3
  2.3 Configuring the Target System 2-3
    2.3.1 Platform-Specific Configuration Steps 2-3
      2.3.1.1 Configuration Steps for Solaris and Linux 2-3
      2.3.1.2 Configuration Steps for AIX 2-4
      2.3.1.3 Configuration Steps for HP-UX 2-4
    2.3.2 Installing OpenSSH 2-5
    2.3.3 Creating a Target System User Account for Connector Operations 2-7
      2.3.3.1 Creating a Target System User Account for Connector Operations on Solaris 2-7
        2.3.3.1.1 Creating a Sudo User for Connector Operations 2-7
        2.3.3.1.2 Creating an RBAC User Account for Connector Operations 2-9
      2.3.3.2 Creating a Target System User Account for Connector Operations on HP-UX 2-10
      2.3.3.3 Creating a Target System User Account for Connector Operations on AIX 2-12
      2.3.3.4 Creating a Target System User Account for Connector Operations on Red Hat Advanced Server 2.1 2-13
      2.3.3.5 Creating a Target System User Account for Connector Operations on Red Hat Enterprise Linux 3.x or Red Hat Linux 4.x 2-15
    2.3.4 Public Key Authentication (SSH Key Generation) 2-17
      2.3.4.1 Configuring Public Key Authentication 2-17
      2.3.4.2 Configuring SSH Public Key Authentication 2-18
  2.4 Installing the Connector on Oracle Identity Manager Release 9.1.0.x or Release 11.1.1 2-21
    2.4.1 Running the Connector Installer 2-21
    2.4.2 Copying the sshfactory.jar File 2-23
    2.4.3 Configuring the IT Resource 2-24
    2.4.4 Copying the Configuration Files 2-26
  2.5 Configuring the Oracle Identity Manager Server 2-26
    2.5.1 Configuring the Target System As a Trusted Source 2-27
    2.5.2 Changing to the Required Input Locale 2-28
    2.5.3 Clearing Content Related to Connector Resource Bundles from the Server Cache 2-28
    2.5.4 Enabling Logging 2-30
      2.5.4.1 Enabling Logging on Oracle Identity Manager Release 9.1.0.x 2-30
      2.5.4.2 Enabling Logging on Oracle Identity Manager Release 11.1.1 2-32
    2.5.5 Configuring Oracle Identity Manager for Request-Based Provisioning 2-34
      2.5.5.1 Importing Request Datasets Using Deployment Manager 2-35
      2.5.5.2 Copying Predefined Request Datasets 2-35
      2.5.5.3 Importing Request Datasets into MDS 2-36
      2.5.5.4 Enabling the Auto Save Form Feature 2-37
      2.5.5.5 Running the PurgeCache Utility 2-37

3 Using the Connector
  3.1 Performing First-Time Reconciliation 3-1

  3.2 Scheduled Task for Lookup Field Synchronization 3-2
  3.3 Configuring Reconciliation 3-3
    3.3.1 Full Reconciliation 3-3
    3.3.2 Limited Reconciliation 3-4
    3.3.3 Batched Reconciliation 3-4
    3.3.4 Reconciliation Scheduled Tasks 3-4
  3.4 Configuring Scheduled Tasks 3-6
    3.4.1 Configuring Scheduled Tasks on Oracle Identity Manager Release 9.1.0.x or Release 11.1.1 3-7
  3.5 Guidelines on Performing Provisioning Operations 3-8
  3.6 Performing Provisioning Operations 3-9
    3.6.1 Direct Provisioning 3-10
    3.6.2 Request-Based Provisioning 3-11
      3.6.2.1 End User's Role in Request-Based Provisioning 3-12
      3.6.2.2 Approver's Role in Request-Based Provisioning 3-13
  3.7 Switching Between Request-Based Provisioning and Direct Provisioning on Oracle Identity Manager Release 11.1.1 3-13

4 Extending the Functionality of the Connector
  4.1 Adding Custom Attributes for Target Resource Reconciliation 4-1
  4.2 Adding Custom Attributes for Provisioning 4-3
  4.3 Configuring the Connector for Multiple Installations of the Target System 4-7
  4.4 Transforming Data Reconciled Into Oracle Identity Manager 4-8

5 Testing and Troubleshooting

6 Known Issues

A Privileges Required for Performing Provisioning and Reconciliation
  A.1 Privileges Required for Running Commands on Non-AIX A-1
  A.2 Privileges Required for Running Commands on HP-UX A-1
  A.3 Privileges Required for Running Commands on AIX A-1

B Sample Transformation Class

Index


List of Figures

1–1 Architecture of the Connector 1-3
1–2 Reconciliation Rule for Target Resource Reconciliation 1-10
1–3 Reconciliation Action Rules for Target Resource Reconciliation 1-11
1–4 Reconciliation Rule for Trusted Source Reconciliation 1-14
1–5 Reconciliation Action Rules for Trusted Source Reconciliation 1-15

List of Tables

1–1 Certified Components 1-2
1–2 Other Lookup Definitions 1-8
1–3 User Attributes for Target Resource Reconciliation and Provisioning 1-9
1–4 Action Rules for Target Resource Reconciliation 1-11
1–5 Provisioning Functions 1-12
1–6 User Attributes for Trusted Source Reconciliation 1-12
1–7 Action Rules for Target Source Reconciliation 1-14
2–1 Files and Directories on the Installation Media 2-1
2–2 Log Levels and ODL Message Type:Level Combinations 2-32
3–1 Attributes of the Scheduled Tasks for Lookup Field Synchronization 3-3
3–2 Attributes of the User Reconciliation Scheduled Tasks 3-5
3–3 Scheduled Tasks for Lookup Field Synchronization and Reconciliation 3-6

Preface

This guide describes the connector that is used to integrate Oracle Identity Manager with UNIX SSH.

Audience

This guide is intended for resource administrators and target system integration teams.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Related Documents

For information about installing and using Oracle Identity Manager, see the Oracle Identity Manager documentation library.

For generic information about connectors, see Oracle Identity Manager Connector Concepts.

The following Oracle Technology Network page provides links to Oracle Identity Manager documentation: umentation/oim.html

Documentation Updates

Oracle is committed to delivering the best and most recent information available. For information about updates to the Oracle Identity Manager Connectors documentation, visit Oracle Technology Network im.html

Conventions

The following text conventions are used in this document:

boldface: Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.

italic: Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values.

monospace: Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.

What's New in Oracle Identity Manager Connector for UNIX SSH?

This chapter provides an overview of the updates made to the software and documentation for the UNIX SSH connector in release 9.0.4.15.

Note: Release 9.0.4.15 of the connector comes after release 9.0.4.12. Release numbers 9.0.4.13 and 9.0.4.14 have not been used.

The updates discussed in this chapter are divided into the following categories:

- Software Updates: This section describes updates made to the connector software.
- Documentation-Specific Updates: This section describes major changes made to this guide. These changes are not related to software updates.

Software Updates

The following sections discuss software updates:

- Software Updates in Release 9.0.4.15
- Software Updates in Release 9.0.4.12
- Software Updates in Release 9.0.4.11
- Software Updates in Release 9.0.4.7
- Software Updates in Release 9.0.4.6
- Software Updates in Release 9.0.4.5
- Software Updates in Release 9.0.4.4
- Software Updates in Release 9.0.4.3
- Software Updates in Release 9.0.4.2

Software Updates in Release 9.0.4.15

The following are software updates implemented in release 9.0.4.15:

- Support for New Target System
- Support for Importing Request Dataset XML Files

- Resolved Issues in Release 9.0.4.15

Support for New Target System

From this release onward, the connector adds support for HP-UX version 11iv3 (11.31) as the target system.

See Section 1.1, "Certified Components" for the full list of certified target systems.

Support for Importing Request Dataset XML Files

From this release onward, the connector provides support for importing a request dataset XML file into Oracle Identity Manager by using the Deployment Manager on Oracle Identity Manager 11g release 1 (11.1.1).

The installation media of this release includes a request dataset file, SSHConnectorRequestDatasets.xml, which is available in the xml directory.

See Section 2.5.5.1, "Importing Request Datasets Using Deployment Manager" for more information.

Resolved Issues in Release 9.0.4.15

The following table describes issues resolved in release 9.0.4.15:

Bug Number 12547932
Issue: The performance of the connector was slow.
Resolution: This issue has been resolved. The reconciliation of records can now be initiated in parallel, which reduces the time taken for reconciliation.

Bug Number 9314911
Issue: The connector did not support AIX 6.1 as a target resource.
Resolution: This issue has been resolved. AIX 6.1 is now supported as a target resource.

Bug Number 11737066
Issue: When running the SSH User Target Resource Reconciliation Task, if the number of users to be reconciled is greater than the batch size, an exception is thrown.
Resolution: This issue has been resolved. The reconciliation task runs successfully for multiple batches.

Bug Number 7498112
Issue: The connector did not support HP-UX 11I V2,V3 as a target resource.
Resolution: This issue has been resolved. HP-UX 11I V2,V3 is now supported as a target resource.

Software Updates in Release 9.0.4.12

The following are the software updates in release 9.0.4.12:

- Support for New Oracle Identity Manager Release
- Support for Request-Based Provisioning
- Support for New Target System
- Support for User Account Status Reconciliation
- Resolved Issues in Release 9.0.4.12

Support for New Oracle Identity Manager Release

From this release onward, the connector can be installed and used on Oracle Identity Manager 11g release 1 (11.1.1). Where applicable, instructions specific to this Oracle Identity Manager release have been added in the guide.

See Section 1.1, "Certified Components" for the full list of certified Oracle Identity Manager releases.

Support for Request-Based Provisioning

From this release onward, the connector provides support for request-based provisioning on Oracle Identity Manager 11g release 1 (11.1.1).

See Section 3.6.2, "Request-Based Provisioning" for more information.

Support for New Target System

From this release onward, the connector adds support for IBM AIX 5L Version 6.1 as the target system.

See Section 1.1, "Certified Components" for the full list of certified target systems.

Support for User Account Status Reconciliation

From this release onward, the connector can reconcile user account status information from the target system.

Resolved Issues in Release 9.0.4.12

The following table lists issues resolved in release 9.0.4.12:

Bug Number 7374688
Issue: Reconciliation of user records in the sudo mode failed because the connector attempted to run a shell.
Resolution: This issue has been resolved.

Bug Number 9295029
Issue: When an update task failed, the status of the corresponding process task adapters changed from Provisioned to Provisioning.
Resolution: This issue has been resolved. The status of the process task adapters does not change when the corresponding update task fails.

Bug Number 9611960
Issue: When performing a Create User provisioning operation on AIX, the group name must be specified as the value of the Primary Group Name lookup field. However, instead of displaying group names, the Primary Group Name lookup field displayed group IDs. This happened due to the following reason: after performing lookup field synchronization by running the TelnetSSHGroupLookupReconTask scheduled task, the Code Key column of the UD_Lookup_SSH_PrimaryGroupNames lookup definition contained the group IDs, and the Decode column contained the group names.
Resolution: This issue has been resolved. After you perform lookup field synchronization, the connector now reconciles group names into the Code Key column, and group IDs into the Decode column of the UD_Lookup_SSH_PrimaryGroupNames lookup definition. Therefore, for AIX and the other target systems, the connector passes the group name instead of the group ID.

Bug Number 9611211
Issue: The Confirm Password field on the process form required users to enter their passwords 2 times.
Resolution: The Confirm Password field has been removed from the process form.

Software Updates in Release 9.0.4.11

The following table lists issues resolved in release 9.0.4.11:

Bug Number 9100879
Issue: The Delete User provisioning operation did not work.
Resolution: This issue has been resolved. The Delete User provisioning operation now works correctly.

Bug Number 9195323
Issue: The Create User provisioning operation failed when it was retried.
Resolution: This issue has been resolved. The Create User provisioning operation can be retried.

Software Updates in Release 9.0.4.7

The following table lists issues resolved in release 9.0.4.7:

Bug Number 7520249
Issue: During reconciliation, you could not transform values of the target system field before they were stored in Oracle Identity Manager.
Resolution: This issue has been resolved. You can now transform the values of the target system fields before they are stored in Oracle Identity Manager. See the "Transforming Data Reconciled Into Oracle Identity Manager" chapter in the connector guide for more information.

Bug Number 7563415
Issue: During reconciliation, the Group Name field was reconciled as a number and not as the exact name because it was stored directly as the group ID in the target system.
Resolution: This issue has been resolved. During reconciliation, the exact name of the Group Name field is reconciled.

Bug Number 8341984
Issue: In the Create User process task, the default value of the Map To variable was IT Resource. This value was incorrect.
Resolution: This issue has been resolved. The Map To variable in the Create User process task displays the correct default value. The default value of the Map To variable is now Process Data.

Bug Number 8396795
Issue: During connector deployment, the lib/xliSSH.jar file on the installation media was not automatically copied into the OIM_HOME/xellerate/ScheduleTask directory.
Resolution: This issue has been resolved. The lib/xliSSH.jar file is now automatically copied to the OIM_HOME/xellerate/ScheduleTask directory.

Software Updates in Release 9.0.4.6

The following table lists issues resolved in release 9.0.4.6:

Bug Number 7478452
Issue: You use the IT resource to specify the credentials of the SUDO user that you want to use for connector operations. If this SUDO user did not have the required permissions, then the target system did not allow you to perform Disable User provisioning operations. This is expected behavior. However, the status of the user was set to Disabled on Oracle Identity Manager even though the status of the user on the target system remained unchanged.
Resolution: This issue has been resolved. If the SUDO user does not have the permissions required to disable users on the target system, then an appropriate message is displayed on the Administrative and User Console.

Bug Number 7503701
Issue: The target system does not allow you to delete a user who is logged in to the system. This is expected behavior. However, even when the target system did not allow the deletion of a user, the status of the user (resource) on Oracle Identity Manager was changed to Deleted (Revoked).
Resolution: This issue has been resolved. If the target system does not allow the deletion of a user, then an appropriate message is displayed as the outcome of the Delete User provisioning operation. The item describing this issue has been removed from Chapter 6, "Known Issues".

Software Updates in Release 9.0.4.5

The following are software updates in release 9.0.4.5:

- Support for Role-Based Access Control (RBAC) on Solaris
- Resolved Issues in Release 9.0.4.5

Support for Role-Based Access Control (RBAC) on Solaris

In earlier releases, you had to provide the credentials of the root or sudo user for letting Oracle Identity Manager communicate with the Solaris target system. This release supports the role-based access control (RBAC) feature of Solaris. From this release onward, Oracle Identity Manager can communicate with Solaris by using a user account to which you assign the minimum required privileges.

See Section 2.3.3.1.2, "Creating an RBAC User Account for Connector Operations" for more information.

The following are some of the changes made in the IT resource:

- The Whether SUDO Admin Mode parameter has been renamed to Sudo Or RBAC.
- Descriptions of the Admin UserId and Admin Password/Private file Pwd parameters have been modified.
- The RBAC Role Name and RBAC Role Passwd parameters have been added.

See Chapter 2, "Deploying the Connector" for information about these parameters.

Resolved Issues in Release 9.0.4.5

The following table lists issues resolved in release 9.0.4.5:

Bug Number 5503263
Issue: The "Create Home Directory" field is a check box on the Administrative and User Console. If you selected this check box, the numeral 1 was displayed on the page that summarizes input you provide during provisioning operations.
Resolution: The check box has been changed to a radio button. If you select the "Create Home Directory" option, then the word "Yes" is displayed on the page that summarizes input. If you do not select the option, then the word "No" is displayed.

Bug Number 7133380
Issue: A user for whom an SSH account was created on AIX through a provisioning operation was forced to change the password at first login.
Resolution: Password change at first login is not enforced for newly created SSH accounts on AIX.

Bug Number 7225692
Issue: To stop a scheduled task, you use the Stop Execution option in the Design Console. This option did not work in earlier releases.
Resolution: You can now use the Stop Execution option to stop scheduled tasks. Note: When you stop a batched reconciliation run, reconciliation stops at the end of the batch being reconci
