You can control the operation of the driver by modifying the properties described in the following sections.
IMPORTANT: Changing these values requires a restart of the driver.
To change import-only properties, you must re-import the driver configuration file RACF-IDM3_6_0-V5.xml over the existing driver, or add the required additional Designer packages. For details, see Creating the Driver in Designer.
To edit the properties shown on the Driver Configuration page and the Global Configuration Values page:
1. In iManager, select Identity Manager Overview from the Identity Manager task list on the left side of the window.
2. Navigate to your driver set by searching the tree or by entering its name.
3. Click the driver to open its overview.
4. Click the driver icon.
5. Select Driver Configuration or Global Config Values as appropriate.
6. Edit the property values as desired, then click OK.
Properties that you can set only during driver import are used to generate policies and other configuration details.
Table 5-1 Driver Import-Only Parameters
Property Name | Values or Format
---|---
Bidirectional: Identities are synchronized from both the Identity Vault and the connected system (application). After all pending events are processed, the Identity Vault and connected system mirror each other.
Application to Identity Vault: Identities are synchronized from the connected system (application) to the Identity Vault, but not vice versa. For example, an identity created in the Identity Vault is not created on the connected system unless explicitly migrated.
Identity Vault to Application: Identities are synchronized from the Identity Vault to the connected system (application), but not vice versa. For example, changes made to a RACF identity are not synchronized to the Identity Vault.
Yes: Enables prompts for the default TSO account number and default TSO procedure.
No: Disables prompts for the default TSO account number and default TSO procedure.
Yes: Enables prompts for the UID and GID number assignment source (RACF or Identity Vault), the default home directory path and the default program.
No: Disables prompts for the UID and GID number assignment source (RACF or Identity Vault), the default home directory path and the default program.
Specifies whether the driver uses either Approval Flow or Roles-Based Entitlements with the Entitlements Service driver.
Enable entitlements for the driver only if you plan to use the User Application or Roles-Based Entitlements with the driver.
You can use Roles-Based Entitlements to integrate the driver with the Identity Manager User Application. For more information about Roles-Based Entitlements, see the Identity Manager 4.8 Documentation Web site.
Specifies whether the driver uses Secure Sockets Layer (SSL) to encrypt the connection between the Identity Vault and the application.
NetIQ strongly recommends that you use SSL. If you do not use SSL, your identity data, including passwords, is sent across the network in clear text.
Table 5-2 Driver Configuration Page
Property Name | Values or Format
---|---
Driver Module | Connect to Remote Loader must be selected
Driver object password | Text value
Authentication ID | Not used
Authentication Context | Not used
Remote Loader Connection Parameters | Host name or IP address and port number of the driver shim on the connected system, and the RDN of the object with the server certificate
Driver Cache Limit | The recommended value is 0 (zero)
Application Password | Not used
Remote Loader password | Text value
Startup Option |
The Driver object password is used by the driver shim (embedded Remote Loader) to authenticate itself to the Metadirectory engine. This must be the same password that is specified as the Driver object password on the connected system driver shim.
The Remote Loader Connection Parameters option specifies information that the driver uses for Secure Sockets Layer (SSL) communication with the connected system.
Table 5-3 Remote Loader Connection Parameters
Parameter | Description
---|---
hostname=hostName |
Connected system host name or IP address. |
port=portNumber |
Connected system TCP port number. The default is 8090. |
kmo=objectRDN |
The RDN of the object with the server certificate signed by the tree’s certificate authority. Enclose the RDN in double quotes (") if the name contains spaces. |
The following is an example Remote Loader connection parameter string:
hostname=192.168.17.41 port=8090 kmo="SSL CertificateDNS"
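As a worked check of the parameter string format above (an added example, not code from the NetIQ documentation or the driver): it parses the hostname, port and kmo fields, applies the default port from Table 5-3, and reports a string that names no kmo. It assumes, following the description of kmo above, that a string without kmo= leaves the Remote Loader connection without a server certificate for SSL.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_PORT = 8090  # default Remote Loader port given in Table 5-3

NO_KMO_FINDING = "no kmo= parameter: no server certificate is named, so the connection will not use SSL"


@dataclass
class RemoteLoaderParams:
    hostname: str
    port: int
    kmo: Optional[str]  # RDN of the server certificate object; None if absent


def parse_remote_loader_params(param_string: str) -> RemoteLoaderParams:
    """Parse a 'hostname=... port=... kmo="..."' string into its parts.

    shlex honours the double quotes around the kmo value, so an RDN that
    contains spaces (e.g. "SSL CertificateDNS") stays one token.
    """
    fields: Dict[str, str] = {}
    for token in shlex.split(param_string):
        if "=" not in token:
            raise ValueError(f"malformed parameter: {token!r}")
        key, value = token.split("=", 1)
        fields[key.lower()] = value
    if not fields.get("hostname"):
        raise ValueError("hostname= is required")
    port = int(fields.get("port", DEFAULT_PORT))  # non-numeric port raises ValueError
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return RemoteLoaderParams(fields["hostname"], port, fields.get("kmo"))


def check_remote_loader_params(param_string: str) -> List[str]:
    """Return findings a reviewer would raise; an empty list means no issues."""
    try:
        params = parse_remote_loader_params(param_string)
    except ValueError as exc:
        return [f"unparseable connection string: {exc}"]
    findings: List[str] = []
    if params.kmo is None:
        # Assumption (see lead-in): omitting kmo means no SSL on this link.
        findings.append(NO_KMO_FINDING)
    elif not params.kmo.strip():
        findings.append("kmo= is present but empty")
    return findings
```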
The Remote Loader password is used to control access to the driver shim (embedded Remote Loader). This must be the same password that is specified as the Remote Loader password on the connected system driver shim.
Specifies whether the driver shim discards events that would cause loopback conditions. This function supplements the loopback detection provided by the Metadirectory engine. The RACF driver provides its own loopback detection, so this option should always be set to No.
Specifies the number of seconds that the Publisher shim waits after running the polling exec and sending events from the change log to the Metadirectory engine. The default interval is 60 seconds.
Specifies whether the Publisher shim is active.
Select Yes if you are using Identity Vault to Application (one-way) data flow. This saves processing time.
Specifies how often, in seconds, the driver shim contacts the Metadirectory engine to verify connectivity. Specify 0 to disable the heartbeat.
Table 5-4 Global Configuration Values
Property Name | Values or Format
---|---
The RACF Connected System Accepts Passwords from the Identity Vault |
The Identity Vault Accepts Passwords from the RACF Connected System |
Require Password Policy Validation before Publishing Passwords |
Reset User’s External System Password to the Identity Manager Password on Failure |
Synchronize RACF Pass Phrases to Identity Vault Passwords on the Publisher Channel |
Synchronize Identity Vault Passwords to RACF Pass Phrases on the Subscriber Channel |
Synchronize RACF Passwords to Identity Vault Passwords on the Publisher Channel |
To view and edit Password Management GCVs, select Show for Show Password Management Policy.
To view and edit User and Group Placement GCVs, select Show for Show User and Group Placements.
Specifies the name of the driver. This value is used by the e-mail notification templates.
Specifies the default group for new users.
Specifies the default owner for new users.
When a Group Membership (CONNECT) is added in RACF, additional operands can be specified as properties of the CONNECT. This field allows you to edit the default values. The default values are
authority(use) uacc(read)
Specifies the default account number for new users.
Specifies the default cataloged procedure name for new users. For example, IKJACCNT.
Specifies how UID and GID numbers are assigned to new users and groups. Select Assign by RACF or Assign by Identity Vault.
Specifies the default OMVS home directory path for new users. Include the ending slash (/) in the directory path. The user’s user ID is appended to the value that you specify. Use a value similar to the following:
/home/
In this example, the home directory that is assigned by the driver for a user whose user ID is IBMUSER is /home/IBMUSER.
Specifies the default OMVS program (login shell). Use a value similar to the following:
/bin/sh
Specifies whether the driver allows passwords to flow from the Identity Vault to the connected system.
Specifies whether the driver allows passwords to flow from the connected system to the Identity Vault.
Specifies whether the driver uses passwords from the connected system to set NDS® passwords in the Identity Vault. NDS passwords in the Identity Vault are not bidirectional and cannot be synchronized to another system.
Specifies whether the driver uses passwords from the connected system to set NMAS™ Distribution Passwords, which are used for Identity Manager password synchronization.
Specifies whether the driver applies NMAS password policies to published passwords. If so, a password is not written to the Identity Vault if it does not conform.
Specifies whether, on a publish Distribution Password failure, the driver attempts to reset the password on the connected system using the Distribution Password from the Identity Vault.
Specifies whether the driver sends an e-mail to a user if the password cannot be synchronized.
Specifies whether the driver should publish and synchronize changes to the RACF pass phrase to the Identity Vault password.
Specifies whether password changes in the Identity Vault should be synchronized with the RACF pass phrase.
Specifies whether password changes in RACF should be synchronized with the Identity Vault password.
Specifies the base container object in the Identity Vault for user synchronization. This container is used in the Subscriber channel Event Transformation policy to limit the Identity Vault objects being synchronized. This container is used in the Publisher channel Placement policy as the destination for adding objects to the Identity Vault. Use a value similar to the following:
users.myorg
Specifies the base container object in the Identity Vault for group synchronization. This container is used in the Subscriber channel Event Transformation policy to limit the Identity Vault objects being synchronized. This container is used in the Publisher channel Placement policy as the destination when adding objects to the Identity Vault. Use a value similar to the following:
groups.myorg