OpenICF Connector

The Java-based OpenICF connector runs inside the Identity Java Connector Integration Framework. It communicates with an OpenICF connector server (Java- or .NET-based) using an internal OpenICF protocol. It dynamically converts SPMLv1 requests to OpenICF protocol operations, including automatic conversion of data types.

The connector is implemented in the class OpenIcfConnector in the package net.atos.dirx.dxi.connector.openicf.

The connector implements the common methods for the DirX Identity Connector API: add, modify, delete and search.

Each operation is mapped directly to the corresponding OpenICF API call, and the OpenICF response is translated back into an SPMLv1 response.

The connector can dynamically obtain information about required configuration parameters and data schema from a remote OpenICF server and its deployed OpenICF connector bundle.

The connector supports SSL/TLS for its connection to the OpenICF server; the server is authenticated by its certificate (see Prerequisites).

Prerequisites

SSL/TLS authentication requires that the JRE running the connector trusts the OpenICF server certificate. Either use a server certificate issued by a CA that the JRE already trusts, or import the server certificate into the trust store (cacerts) of the DirX Identity JRE with the Java keytool command (keytool -importcert). If you import the server certificate itself rather than the certificate of its issuing CA, the import must be repeated whenever the server certificate is renewed.

The connector requires the OpenICF connector framework bundle 1.1.1.0 or newer.

Configuration

The connector receives its configuration from the connector framework in the format defined by the framework, which corresponds to an XML document. Note that DirX Identity Manager presents the configuration options in a more convenient form: bind credentials, the SSL flag and the service address are typically taken from the LDAP entries found by selecting the appropriate connected directory and bind profile.

This section describes the configuration options in terms of the XML format. An option is either an attribute of the <connection> element defined in the XML schema (referred to as a standard property) or a <property> sub-element of the <connection> element (referred to as a non-standard property).

The connector uses two <connection> elements. The first element is related to the OpenICF connector server (type="OpenIcfServer"). The connector evaluates the following standard and non-standard properties for the OpenICF server:

Standard attributes:

  • server: required. The host name or IP address of the machine on which the OpenICF connector server (Java- or .NET-based) is deployed. For example, localhost.

  • port: required. The TCP port on which the OpenICF connector server listens. For example, 8759.

  • ssl: optional. Enables SSL/TLS for the connection to the OpenICF server, which authenticates the server and protects the communication line. If omitted, SSL/TLS is not used.

  • password: required. The shared secret with which the OpenICF connector authenticates to the OpenICF connector server.

The OpenICF connector evaluates the following non-standard properties beneath the <connection> element for the OpenICF server:

  • timeout: optional. The timeout in seconds for communication with the OpenICF server. The default value is 60 seconds.

  • bundleName: required. The name of the OpenICF connector bundle deployed on the OpenICF server that the connector should use. For example, org.forgerock.openicf.connectors.solaris-connector. An OpenICF connector bundle is uniquely identified by the combination of bundleName, bundleVersion and implementationClassName.

  • bundleVersion: required. The version of the OpenICF connector bundle deployed on the OpenICF server that the connector should use. For example, 1.1.1.0-SNAPSHOT. See the bundleName property for more information.

  • implementationClassName: required. The fully-qualified name of the main entry class of the OpenICF connector bundle deployed on the OpenICF server that the connector should use. For example, org.identityconnectors.solaris.SolarisConnector. See the bundleName property for more information.

  • configurationMapping: optional. This master property maps standard property names to the names expected by the specific OpenICF connector bundle. For example, the entry user loginUser causes the standard configuration property user to be sent to the bundle as loginUser. The mapping lets the standard DirX Identity mechanism for special cluster workflow handling work with the standard property names. Several entries can be listed, separated by commas (for example, server host,user loginUser). The mapping applies to the configuration of the OpenICF connector bundle, that is, to the <connection> element with type="OpenIcfConnector".

The second <connection> element (type="OpenIcfConnector") describes the OpenICF connector bundle itself. Because the configuration of OpenICF connector bundles differs greatly from bundle to bundle, no standard properties are predefined for it. The DirX Identity connector takes every property specified on this connection element, converts it to the appropriate type and passes it as a configuration property to the remote OpenICF connector server. Consult the documentation of the specific OpenICF connector bundle and supply all the properties it requires.

Here is a sample configuration that uses some of the properties described here:

<connector className="net.atos.dirx.dxi.connector.openicf.OpenIcfConnector" name="TS" role="connector">
  <!-- settings for OpenICF server -->
  <connection type="OpenIcfServer" server="ALFA" port="8759" password="{SCRAMBLED}aG5WPw==" ssl="true">
    <property name="timeout" value="60"/>
    <property name="bundleName" value="org.forgerock.openicf.connectors.solaris-connector"/>
    <property name="bundleVersion" value="1.1.1.0-SNAPSHOT"/>
    <property name="implementationClassName" value="org.identityconnectors.solaris.SolarisConnector"/>
    <property name="configurationMapping" value="server host,user loginUser"/>
  </connection>
  <!-- settings for OpenICF connector bundle -->
  <connection type="OpenIcfConnector" password="{SCRAMBLED}aG5WPw==" server="someunixhost" user="root" port="22">
    <property name="loginShellPrompt" value="#"/>
    <property name="connectionType" value="ssh"/>
    <property name="unixMode" value="linux"/>
  </connection>
</connector>
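The following Python script is an added example and is not code from DirX Identity or OpenICF. It parses the sample configuration above (embedded as a constructed string), checks that the required OpenIcfServer settings are present and that ssl is enabled, and shows how configurationMapping renames the standard attributes of the OpenIcfConnector element (server becomes host, user becomes loginUser) before the properties are handed to the connector server. The type coercion it performs is a simplification made for this example; the real connector obtains the configuration schema, and with it the property types, from the remote bundle.

```python
"""Parse a DirX Identity OpenICF <connector> configuration and derive the
property set that goes to the OpenICF connector server.

Added example, not DirX Identity or OpenICF code. It approximates the two
steps the documentation describes:
  1. read the OpenIcfServer <connection> (standard attributes plus
     <property> sub-elements) and check that the required settings exist;
  2. take the OpenIcfConnector <connection>, rename its standard attributes
     through configurationMapping and coerce the values to simple types.
The coercion rules are an assumption of this example; the real connector
takes the property types from the remote bundle's configuration schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the documented configuration.
SAMPLE_XML = """
<connector className="net.atos.dirx.dxi.connector.openicf.OpenIcfConnector" name="TS" role="connector">
  <connection type="OpenIcfServer" server="ALFA" port="8759" password="{SCRAMBLED}aG5WPw==" ssl="true">
    <property name="timeout" value="60"/>
    <property name="bundleName" value="org.forgerock.openicf.connectors.solaris-connector"/>
    <property name="bundleVersion" value="1.1.1.0-SNAPSHOT"/>
    <property name="implementationClassName" value="org.identityconnectors.solaris.SolarisConnector"/>
    <property name="configurationMapping" value="server host,user loginUser"/>
  </connection>
  <connection type="OpenIcfConnector" password="{SCRAMBLED}aG5WPw==" server="someunixhost" user="root" port="22">
    <property name="loginShellPrompt" value="#"/>
    <property name="connectionType" value="ssh"/>
    <property name="unixMode" value="linux"/>
  </connection>
</connector>
"""

# Settings the documentation marks as required on the OpenIcfServer connection.
SERVER_REQUIRED = ("server", "port", "password",
                   "bundleName", "bundleVersion", "implementationClassName")
DEFAULT_TIMEOUT = 60  # seconds, the documented default


def connection_settings(conn):
    """Flatten one <connection>: attributes (standard properties) first,
    then <property> children (non-standard properties). A <property> with
    the same name as an attribute wins; that precedence is an assumption."""
    settings = {k: v for k, v in conn.attrib.items() if k != "type"}
    for prop in conn.findall("property"):
        settings[prop.get("name")] = prop.get("value", "")
    return settings


def coerce(value):
    """Best-effort conversion of an attribute string (example assumption)."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    if value.isdigit():
        return int(value)
    return value


def parse_mapping(spec):
    """'server host,user loginUser' -> {'server': 'host', 'user': 'loginUser'}"""
    mapping = {}
    for pair in (p.strip() for p in spec.split(",")):
        if not pair:
            continue
        parts = pair.split()
        if len(parts) != 2:
            raise ValueError(f"bad configurationMapping entry: {pair!r}")
        mapping[parts[0]] = parts[1]
    return mapping


def load_connector(xml_text):
    """Return the server settings, the effective timeout, the property set
    destined for the bundle, and a list of configuration problems."""
    root = ET.fromstring(xml_text)
    conns = {c.get("type"): c for c in root.findall("connection")}
    for needed in ("OpenIcfServer", "OpenIcfConnector"):
        if needed not in conns:
            raise ValueError(f'missing <connection type="{needed}">')

    server = connection_settings(conns["OpenIcfServer"])
    problems = [f"missing {name}" for name in SERVER_REQUIRED if name not in server]
    if server.get("ssl", "false").lower() != "true":
        problems.append("ssl not enabled: the link to the connector server is unprotected")

    mapping = parse_mapping(server.get("configurationMapping", ""))
    bundle = {mapping.get(k, k): coerce(v)
              for k, v in connection_settings(conns["OpenIcfConnector"]).items()}
    return {
        "server": server,
        "timeout": int(server.get("timeout", DEFAULT_TIMEOUT)),
        "bundle": bundle,
        "problems": problems,
    }


if __name__ == "__main__":
    result = load_connector(SAMPLE_XML)
    for key, value in result["bundle"].items():
        shown = "********" if key == "password" else value
        print(f"{key:>18} = {shown!r}")
    print("problems:", result["problems"] or "none")
```

Run as a script, it prints the bundle property set with host, loginUser and an integer port, and reports "problems: none" for the sample; removing ssl="true" or one of the required bundle properties produces an entry in the problems list instead, which is the check worth running before deploying a new connector configuration.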