CA Identity Manager Connector Guides › Connectors Guide › Connecting to Endpoints › IBM i5/OS (OS/400) Connector › Connector Specific Features

Connector Specific Features

This section details your connector's specific management features, such as how to acquire and explore your endpoint. Also included are account, provisioning roles, account template, and group information specifically for your connector.

Acquire an OS/400 Maching Using the User Console

You must acquire the OS/400 machine before you can administer it with CA Identity Manager.

To acquire an OS/400 machine using the User Console

1. Select Endpoints, Manage Endpoints,Create Endpoint
2. Select OS400 from the drop-down list box on Create a new endpoint of Endpoint Type, and click Ok

   Use the Create OS400 Endpoint page to register an OS/400 machine. During the registration process, CA Identity Manager identifies the OS/400 machine you want to administer and gathers information about it.

3. After entering the required information, click Submit.

   You are now ready to explore and Correlate the endpoint.

4. Click Endpoints, Explore and Correlate Definitions, Create Explore and Correlate Definition to explore the objects that exist on the endpoint.

   The Exploration process finds all OS/400 accounts and groups. You can correlate the accounts with global users at this time or you can correlate them later.

5. Click OK to start a new definition.
6. Complete the Explore and Correlate Tab as follows:
   1. Fill in Explore and Correlate name with any meaningful name.

      Click Select Container/Endpoint/Explore Method to click an OS/400 endpoint to explore.

   2. Click the Explore/Correlate Actions to perform:
      • Explore directory for managed objects—Finds objects that are stored on the endpoint and not in the provisioning directory.
      • Correlate accounts to users—Correlates the objects that were found in the explore function with users in the provisioning directory. If the user is found, the object is correlated with the user. However, you can instead select that you want to assign the account to the existing user (the default user) or create the user.
      • Update user fields—If a mapping exists between the object fields and the user fields, the user fields are updated with data from the objects fields.
7. Complete the Recurrence tab if you want to schedule when the task to executes.
   1. Click Schedule.
   2. Complete the fields to determine when this task should execute.

      You may prefer to schedule the task to execute overnight to interfere less with routine access of the system.

   Note: This operation requires the client browser to be in the same time zone as the server. For example, if the client time is 10:00 PM on Tuesday when the server time is 7:00 AM, the Explore and Correlate definition will not work.

8. Click Submit.

To use an explore and correlate definition

1. In a CA Identity Manager environment, click Endpoints, Execute Explore and Correlate.
2. Click an explore and correlate definition to execute.
3. Click Submit.

   The user accounts that exist on the endpoint are created or updated in CA Identity Manager based on the explore and correlate definition you created.

Acquire an OS/400 Machine Using the Provisioning Manager

You must acquire the OS/400 machine before you can administer it with CA Identity Manager.

From the OS/400 Endpoint Property Sheet

1. Register the machine as an endpoint in CA Identity Manager.

   Provide the OS/400 server machine name, the user ID and password when acquiring an OS/400 system.

   Note: Before acquiring the endpoint, make sure that it is registered to use the Java connector. To do this:

   1. In Connector Xpress, right-click the OS400 endpoint
   2. Select Set Managing CS
   3. Select Java Connector

   During the registration process, CA Identity Manager identifies the OS/400 machine you want to administer and gathers information about it.

2. Explore the objects that exist on the endpoint.

   After registering the machine in CA Identity Manager, you can explore its contents. Use the Explore and Correlate Endpoint dialog. The Exploration process finds all OS/400 objects. You can correlate the accounts with global users at this time, or you can wait to correlate them.

3. Correlate the explored accounts to global users by choosing either of the following Connectors:
   • Use existing global users
   • Choose this option when there are already global users in CA Identity Manager and you want to connect the existing global users to the OS/400 accounts
   • Create global users as needed

     Choose this option when there are no global users and you want to populate CA Identity Manager from the OS/400 accounts.

   When you correlate accounts, CA Identity Manager creates or links the accounts on an endpoint with global users, as follows:

   1. CA Identity Manager attempts to match the user profile name with each existing global user name. If a match is found, CA Identity Manager associates the OS/400 account with the global user. If a match is not found, CA Identity Manager performs the next step.
   2. CA Identity Manager attempts to match the user profile name with each existing global user's full name. If a match is found, CA Identity Manager associates the OS/400 account with the global user. If a match is not found, CA Identity Manager performs the following step.
   3. CA Identity Manager associates the OS/400 account with the [default user] object or a new global user is created depending on your choice.

Note: More information on enabling Secure Socket Layer (SSL) communications between the Provisioning Server and the OS/400 system exists in the Provisioning Manager Help.

Streaming Search Results

During the explore operation, the connector returns accounts to the Provisioning server as soon as possible instead of waiting until all accounts have been reviewed. This reduces memory usage resulting in a more efficient explore process.

User ID Limitation

When creating User profiles in an Os/400 system, avoid using User ID numbers larger than 2147483647. A User ID larger than this cannot be mapped to global user UID.

Non-Latin Characters are not Supported

When creating an OS/400 endpoint, non-latin character encodings are not supported.

OS/400 Provisioning Roles and Account Templates

The OS/400 Default Policy, provided with the OS/400 Connector, gives a user the minimum security level needed to access an endpoint. You can use it as a model to create new account templates.

Policy Default Values

The new account templates are created with default values for most attributes. The new account templates are valid as soon as they are created and the attributes can be customized as necessary.

OS/400 Cascading Delete

In previous versions, if an OS400 account owned objects, the account could not be deleted from CA Identity Manager. In this version, a flag called “cascadingDelete” in the OS400 connector.xml in CA IAM Connector Server can be used to change this behavior. When the flag is set to true, the account and all objects owned by the account will be deleted. The default value is set to true.

If you want to override the default value, you must:

1. From a command prompt issue the following command:

   cd cs-home\conf\override\as400\
   copy SAMPLE.connector.xml connector.xml
   

2. Edit connector.xml to set "cascadingDelete" property value to either "true" or "false" as desired.
3. Restart the im_jcs so that the change takes effect.

   Note: See Customize the Configuration for a Connector for more information on override connector.xml files.

OS/400 Security Requirements

The OS/400 Connector issues remote commands to the endpoint system to manage accounts. The managing user profile must have permission to issue remote commands for creating, reading, modifying, and deleting accounts. Areas of security to consider include, special authorities of the managing account (*SECADM is mandatory), exit programs implementing security, and authorization to user profiles.

OS/400 Groups

You can create and maintain OS/400 groups using the Endpoint type task view. Use the OS/400 Group property sheet when managing your groups.

When a new group is defined, you should perform another exploration on the endpoint so CA Identity Manager has an updated group list.

Deleting Account Members from Groups

Account members cannot be deleted from a group if that group is designated as the primary group. You must remove the group from the account member . For example, ProvisioningGroup has two account members, Prov1 and Prov2, and ProvisioningGroup is the primary group of Prov1. Prov2 has a primary group FinancialGroup and a supplement group called ProvisioningGroup. If you try to delete Prov1 and Prov2 from ProvisioningGroup, only Prov2 is removed successfully. Prov1 remains as an account member of ProvisioningGroup.

OS/400 Directory Entry Names

When an account or group is created, a directory entry is created to store personal information about the user. Previously, the directory entry name was assumed to be the same as the user profile name. The attributes can now be set independently. If the Directory Entry Name is not specified, then a directory entry is not created for that user and many attributes cannot be set. Directory entry names must be unique across accounts and groups.

Changing Connection Settings

The connection settings associated with each endpoint cannot be changed using the Endpoint property sheet. To change incorrect connection settings, follow these steps:

1. Right-click the endpoint name.

   The context sensitive menu appears.

2. Select Custom…, Change Admin Password.

   The Change Password Dialog appears.

3. Fill in the dialog and select OK.

   The dialog closes.

After the connection settings are changed, they are verified by attempting a connection to the OS/400 machine. The new settings are only saved if the connection is successful.

Conventions

Use the following OS/400 conventions in your etautil commands:

• The endpoint type name (eTNamespaceName) is OS400
• The endpoint type prefix is AS4. Therefore, the OS/400 class names are:
  • eTAS4Directory for an endpoint
  • eTAS4PolicyContainerName for an account template container
  • eTAS4Policy for an account template

OS/400 Native Program Exits

The Java OS/400 Connector supports Native Program Exits in the same way as the eTrust Admin 8.1 SP2 OS/400 Connector did with the following limitations:

• Only one parameter of the Command Call format can be specified in Program Exits.
• The Program Exits can target only account objects, not groups.

Note: CA IAM Connector Server provides a Scripting Style Processor interface for connectors. You can write code in the JavaScript scripting language to add extra logic to, or change the behavior of the OS/400 connector's operations. This approach is much more powerful than the C++ OS/400 Connector's Native Program Exits approach because you can access the full operation's details and write whatever you want to achieve for both account and group objects.

An example of this approach follows:

To change the description for each new account to the value of 'To demo scripting program exit concept works', use the conf/as4script_opbindings.xml file within the OS/400 Connector's archive file: <jcs-home>/lib/jcs-connector-as400.jar. Uncomment the "staticMethodScriptStyleMetaDataFile" in <jcs-home>/conf/override/as400/connector.xml and restart the im_jcs to turn on this behaviour.

See the Connector Programming Guide for more information on scripting-style programming.