Chapter 1 Connector Concept [sample chapter]

PDF version HERE


CA IdentityMinder official document provides extensive connector details. It takes time to understand or explain the whole thing. The goal of this book is let you understand how to develop custom connector quickly.

Technical Terms

              To avoid confusion, we define some terms:
  •        User means user information maintained by CA IdentityMinder Server. User is stored in CA IdentityMinder User Store.
  •         Global User means user information maintained by the Provisioning Server. It is stored in Provisioning Director.
  •         Account means user information in Endpoint.  For example account in Active Directory.
  •         Endpoint is destination of user information after provisioning.
  •         Custom Connector means a connector implements by programming.





1.1 Connector Concept

A connector is the software that enables communication between connector server and an endpoint.  Each connector can perform the following operations on managed objects on the endpoint: add, modify, delete, rename, search etc.

An endpoint is a platform or application which has identity and role data on it. Endpoint can be active directory, database, operation system, application etc.

There are 3 types of connector

    •     Downloaded connector from CA web site. CA provides connectors for the popular endpoints such as active directory, DB2, SAP etc. Please go check documents “Connector Guide” and “Connector download page”.
    •     Created by Connector Xpress. Connector Xpress is a utility tool for create connector without programming. Connector Xpress support only database or directory endpoint type. Please check the document; platform support matrix.
    •     Custom Connector or programming connector is main topic for this book. When downloaded connector or connector Xpress does not support your endpoint, you have to write your own custom connector. For example calling web services to add or remove account from endpoint.

    Connector Server
    Connector server is used by CA IdentityMinder (and provisioning server) connects the endpoints through connector. There are 2 types of connector servers:

      •     CA IAM CS or Java connector server manages the java connector and the dynamic connectors that were created with Connector Xpress.
      • CCS or C++ connector server manages all of the C++ connectors.


      Figure 1-1 shows connector is connect between connector servers and endpoints.

      1.2 How to implement custom connector.



                     We give the big picture of custom connector implementation. The custom connector coding requires 3 parts:

      1.             connector.xml, we start from this file because it links to the others part.
      2.             The metadata xml file describes object model. The connector has related objects for example account, group, policy, etc.
      3.             Java code is the logic implementation. The connector can add, remove, modify and search. The java code


      When you finish the code, you have to deploy our connector to connector server. We will go details step by steps in code examples.

      1.3 Connector.xml or Configuration file





      We start development from connector xml file first. This file is main part, it has given name, links to metadata file and java class. This file is spring’s configuration of bean com.ca.jcs.ImplBundle. There are some important property elements:

      •     <property name="name"> this value of this property must match exactly with property implementationBundle in metadata xml file.
      •     <property name="connectorTypeName"> this value of this property must match exactly with namespace attribute in metadata xml file.
      •     <property name="staticMetadataFile"> specifics location of metadata file.
      •     <property name="connectorClass"> specifics java code that implement connector logic.





      Figure 1-2 shows our example content of connector.xml




      There are a lot of details in connector.xml. For starter development, you should skip convertor and validator in <property name="defaultConnectorConfig">. You can add convertor and validator after your basic function works.




      1.4 Understanding the connector’s objects and structure.

                  
        The metadata is the most complicated part of custom connector. So before we go details of metadata, you need to understand the connector’s objects and structure.

                    As we have mentioned there are 3 types of connector; downloaded connector, connector created by connector Xpress and the custom connector. Please use LDAP explorer or LDAP client connects to provisioning directory, and explorer any connector under path dc = im, dc = eta. You will see the structure as below picture.

                    Please note, the picture below shows the simple connector’s structure (that created by connector Xpress). Some connector has hierarchy such as Active directory.

      Figure 1-3 shows the basic connector’s object and structure inside provisioning directory

      The left side of picture, we can explain the related objects and how CA provisioning server organizes these objects:

         
         
          §  Endpoint Type is top level of connector. It contains Endpoint and Policy container.
          §  Endpoint is container. It contains account and role container. (This endpoint is same endpoint in CA IdentityMinder, for example you can have 2 endpoints under endpoint type ActiveDirectory.)
          o   Account Container is container. It contains accounts.
          o   Accounts represents the account in endpoint
          §  Group or Role Container is container. It contains group.
          o   Groups or roles represent the groups or roles in endpoint. (Some connector may not have group or role)
          §  Policy Container is container. It contains policies.
          o   Policy represents account template
         
         

      The right side of picture above is example of Endpoint Type: CRM that created by connector Xpress. CRM (Endpoint Type) contains ForwardIncCRM (endpoint) and DYN Policies (policy container). ForwardIncCRM (endpoint) contains Accounts (account container) and Roles Container (role container).  DYN Policies (policy container) contains 2 policies; DefaultPolicy and ForwardIncCRM.

      Please note, the connector Xpress and custom connector keep the policies under policy container as we describes. For downloaded connectors, it keeps policy under eTNamespaceName=CommonObjects. For example, Active Directory endpoint type keeps policy under eTADSPolicyContainerName = Active Directory Policies, eTNamespaceName = CommonObjects, dc = im, dc = eta.


      ====== END OF SAMPLE ======
      The rest of chapter:

      1.5 Metadata xml file describes the object model

      1.6 Java code

      1.7 Deploy connector

      1.8 Generate User Console Account Screens



      Chapter 2 Code Examples

      2.1 Import Source Code

      2.2 Basic Connector

      2.3 Generate User Console Account Screens

      2.4 Conclusion

       

       

       

       

       

       

       

       




      3 comments:

      1. UnknownDecember 22, 2016 at 10:52 AM

        Hello, I have all three volumes and they are great.
        One question on Connector Xpress. how does one pass the password to a SQL database? I have the SQL statement to encrypt the password, but where would I inject in the connector? As the state is :
        OPEN SYMMETRIC KEY USER_ACCT_TableKey DECRYPTION BY CERTIFICATE EncryptPasswordCert
        UPDATE cp_user SET password=EncryptByKey(Key_GUID('USER_ACCT_TableKey'), '') WHERE user_id='';


        Thanks

        ReplyDelete
      2. WinnyMay 14, 2018 at 8:19 PM

        Hi, I am sorry, i just saw your comment. if you have any question, please email me directly.

        ReplyDelete
      3. JC_bloggingSeptember 27, 2019 at 9:02 AM

        I want your books..Pls respond to my email

        ReplyDelete

      Subscribe to: Posts (Atom)