identityminder custom connector

Upload: winnyko

Post on 26-Dec-2015

DESCRIPTION

CA IdentityMinder: Custom Connector will help you to understand the custom connector concept quickly. You will learn how to develop and deploy the custom connector.

Who this book is for

This book is intended for custom connector developers who have some CA IdentityMinder programming experience.

About This Book

You will learn:

How to develop connector.xml, metadata.xml and Java code

Understanding the connector's objects and structure concept

How to deploy connector

How to generate user console account screens

Example code: basic custom connector

Example code: Generate user console account screens

TRANSCRIPT

Page 1: IdentityMinder Custom Connector

Preface

The goal of this book, CA Identity Manager Custom Connectors Guide, is to let you understand the custom connector concept faster. You will learn how to develop and deploy a custom connector, step by step.

My CA Identity Manager (formerly CA IdentityMinder) Programming is a series of three books:

CA Identity Manager Volume I: Java Developer's Guide, for beginning level.

CA Identity Manager Volume II: Learn by Example Code, for advanced level.

CA Identity Manager: Custom Connectors Guide, for the custom connector developer.

Please visit the book's web site, http://www.CaIdentityManagerBook.com, for more details.

About This Book

This book contains:

How to develop connector.xml, metadata.xml and Java code.

Understanding the connector’s objects and structure concept.

How to deploy connectors:

o Version 12.5

o Version 12.6

How to generate user console account screens.

Example code: basic custom connector

Example code: Generate user console account screens

Who this book is for

This book is intended for custom connector developers who have some Java programming experience.

Convention

The following text conventions are used in this document:

Convention    Meaning
Boldface      Boldface type indicates book titles
Italic        Italic type indicates emphasis, or placeholder variables
monospace     Monospace type indicates language and syntax elements

Customer Support

Feedback from our readers is always welcome. Let us know what you think about this book. Please visit the web site for more details:

The web site for books: http://www.caidentitymanagerbook.com

Blog and updated contents: http://caidentitymanager.blogspot.com

To send us general feedback or any questions, simply send an e-mail. Please find my e-mail address on the web site.

Download Source Code

Please visit our web site: http://www.caidentitymanagerbook.com

Trademarks

CA IdentityMinder, CA Identity Manager, CA Single Sign On and SiteMinder are registered trademarks of CA Technologies.

Please accept my apologies:

DELAY: I expected to release this book in September 2013, but I delayed almost one year.

GRAMMAR: Please accept my apology for grammar mistakes. The reviewing process may require up to 3 months. Hopefully, my next release will fix this issue.

SUPPORT: I am a full-time programmer. I may not respond to your email immediately. Please allow 24 hours for a response. My time zone is New York EST.

I apologize for all mistakes. I will fix them by adding bonus chapters & video demos. Please visit my blog. Hopefully, my second edition will be better and fix all these issues.

Regards,

Kosakarika

About Author

I am a Java developer and live in New York.

Experience:
Front End: ExtJS, JQuery, Content Management (WebSphere Portal), and Portlet (WebSphere/Weblogic/SUN Portal)
SOA: Rule JBoss Drools/Guvnor, ESB (ServiceMix/Camel) and BPEL (WebSphere Process Server)
IDM and SSO: CA IdentityMinder, CA SiteMinder, and SUN Access Manager.
Implemented Multi-threading, high transaction real-time brokerage projects.

Certification:
Sun Certified Java Programmer 1.2
Sun Certified Business Component Developer 1.3
IBM Certified Developer - IBM WebSphere Portal Developer V6.1
IBM Certified Developer - Web Services Development for WebSphere V6.1
IBM System Administrator - WebSphere Application Server V6.1
IBM Enterprise Developer - IBM WebSphere Studio V5.0

Copyright © 2014 A. Kosakarika

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the author, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. The author will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

The author has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, the author cannot guarantee the accuracy of this information.

First published: September 2014

Chapter 1 Connector Concept

The official CA Identity Manager documentation provides extensive custom connector details, and it takes time to understand or explain the whole thing. The goal of this book is to let you understand how to develop a custom connector faster.

Technical Terms

To avoid confusion, we define some terms:

User means user information maintained by the CA Identity Manager Server. A User is stored in the CA Identity Manager User Store.

Global User means user information maintained by the Provisioning Server. It is stored in the Provisioning Directory.

Account means user information in an Endpoint, for example an account in Active Directory.

Endpoint is the destination of user information after provisioning.

Custom Connector means a connector implemented by programming.

1.1 Connector Concept

A connector is the software that enables communication between the connector server and an endpoint. Each connector can perform the following operations on managed objects on the endpoint: add, modify, delete, rename, search etc.

An endpoint is a platform or application which has identity and role data on it. An endpoint can be Active Directory, a database, an operating system, an application etc.

There are 3 types of connector:

Embedded or downloaded connector from the CA web site. CA provides some connectors for the popular endpoints such as Active Directory, DB2, SAP etc. Please see the official documents “Connector Guide” and “Connector download page”.

Created by Connector Xpress. Connector Xpress is a utility tool for creating connectors without programming. Connector Xpress supports only database or directory endpoint types. Please check the platform support matrix document.

Custom Connector or programming connector is the main topic of this book. When a downloaded connector or Connector Xpress does not support your endpoint, you have to write your own custom connector, for example one that calls web services to add or remove an account on the endpoint.

Connector Server

The connector server is used by CA Identity Manager (and the provisioning server) to connect to the endpoints through a connector. There are 2 types of connector servers:

CA IAM CS or Java connector server manages the Java connectors and the dynamic connectors that were created with Connector Xpress.

CCS or C++ connector server manages all of the C++ connectors.

Figure 1-1 shows that the connector server sits between the provisioning servers and the connector/endpoint.

1.2 How to implement custom connector

In this chapter, we give the big picture of custom connector implementation. Custom connector coding requires 3 parts:

1. connector.xml. We start from this file because it links to the other parts.

2. The metadata xml file describes the object model. The connector requires related objects, for example account, group, policy, etc. We have to define their properties in this file.

3. Java code is the logic implementation. The connector can add, remove, modify and search. The java code

When you finish the code, you have to deploy the connector to the connector server. We will go into the details step by step in the code examples.

1.3 Connector.xml or Configuration file

We start development from the connector xml file. This file is the main part: it gives the connector its name and links to the metadata file and the Java class. This file is a Spring configuration of the bean com.ca.jcs.ImplBundle. There are some important property elements:

<property name="connectorTypeName">: the value of this property must match exactly the namespace attribute in the metadata xml file.

<property name="name">: the value of this property must match exactly the property implementationBundle in the metadata xml file.

<property name="staticMetadataFile">: specifies the location of the metadata file.

<property name="connectorClass">: specifies the Java code that implements the connector logic.

Figure 1-2 shows our example content of connector.xml

There are a lot of details in connector.xml. When starting development, you should skip the convertor and validator in <property name="defaultConnectorConfig">. You can add the convertor and validator after your basic function works.
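The two "must match exactly" rules above can be checked before deployment. The following is an added example, not code from the book or from CA: both sample files are constructed, the metadata layout is a simplified assumption (the page only states that the file has a namespace attribute and an implementationBundle property), and every name and value in them is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample files; all names and values are hypothetical.
CONNECTOR_XML = """<beans>
  <bean class="com.ca.jcs.ImplBundle">
    <property name="name"><value>Example Connector</value></property>
    <property name="connectorTypeName"><value>Example Namespace</value></property>
    <property name="staticMetadataFile"><value>/com/example/example_metadata.xml</value></property>
    <property name="connectorClass"><value>com.example.ExampleConnector</value></property>
  </bean>
</beans>"""

# Assumed, simplified metadata layout (not the product's real schema).
METADATA_XML = """<metadata namespace="Example Namespace">
  <property name="implementationBundle"><value>Example Connector</value></property>
</metadata>"""

REQUIRED = ("name", "connectorTypeName", "staticMetadataFile", "connectorClass")


def named_value(root, name):
    """Value of the first element under root whose name attribute equals `name`."""
    for el in root.iter():
        if el.get("name") == name:
            # Accept both <property value="..."/> and nested <value> text.
            return el.get("value") or "".join(el.itertext()).strip()
    return None


def check(connector_xml, metadata_xml):
    """Return a list of problems; an empty list means the files are consistent."""
    conn, meta = ET.fromstring(connector_xml), ET.fromstring(metadata_xml)
    bean = next((b for b in conn.iter() if b.get("class") == "com.ca.jcs.ImplBundle"), None)
    if bean is None:
        return ["no com.ca.jcs.ImplBundle bean in connector.xml"]
    props = {p: named_value(bean, p) for p in REQUIRED}
    problems = [f"missing property {p}" for p, v in props.items() if not v]
    namespace = meta.get("namespace")
    if props["connectorTypeName"] != namespace:  # case-sensitive, exact match
        problems.append(f"connectorTypeName {props['connectorTypeName']!r} != namespace {namespace!r}")
    bundle = named_value(meta, "implementationBundle")
    if props["name"] != bundle:
        problems.append(f"name {props['name']!r} != implementationBundle {bundle!r}")
    return problems


if __name__ == "__main__":
    print(check(CONNECTOR_XML, METADATA_XML) or "consistent")
```
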

1.4 Understanding the connector’s objects and structure

The metadata is the most complicated part of a custom connector. So before we go into the details of metadata.xml, you need to understand the connector’s objects and structure.

As we have mentioned, there are 3 types of connector: downloaded connectors, connectors created by Connector Xpress, and custom connectors. Please use an LDAP explorer or LDAP client to connect to the provisioning directory, and explore any connector under the path dc=im,dc=eta. You will see the structure as in the picture below.

Figure 1-3 shows the basic connector’s object and structure inside provisioning directory

Please note, the picture below shows a simple connector’s structure (one created by Connector Xpress). Some connectors, such as Active Directory, have a hierarchy.

On the left side of the picture, we can see the related objects and how the CA provisioning server organizes these objects:

Endpoint Type is the top level of the connector. It contains the Endpoint and the Policy Container.

Endpoint is a container. It contains the account and role/group containers. (This endpoint is the same endpoint as in CA Identity Manager; for example, you can have 2 endpoints under endpoint type ActiveDirectory.)

o Account Container is a container. It contains accounts.

o Accounts represent the accounts in the endpoint.

Group or Role Container is a container. It contains groups.

o Groups or roles represent the groups or roles in the endpoint. (Some connectors may not have groups or roles.)

Policy Container is a container. It contains policies.

o Policy represents an account template.

The right side of the picture above is an example of Endpoint Type CRM, created by Connector Xpress. CRM (Endpoint Type) contains ForwardIncCRM (endpoint) and DYN Policies (policy container). ForwardIncCRM (endpoint) contains Accounts (account container) and Roles Container (role container). DYN Policies (policy container) contains 2 policies: DefaultPolicy and ForwardIncCRM.

Please note that Connector Xpress and custom connectors keep the policies under the policy container as described. Downloaded connectors keep their policies under eTNamespaceName=CommonObjects. For example, the Active Directory endpoint type keeps its policies under eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects,dc=im,dc=eta.

[END OF SAMPLE]