Delta Aggregation Settings and Common Configuration

Delta Aggregation

  1. Enable Delta Aggregation to aggregate accounts that have changed since the last execution.

    Note
    Delta aggregation based on "account object type" is only applicable for managed systems that support the delta aggregation operation.

  2. In the Account Delete Status Attribute field, enter an attribute value used to mark objects as deleted during delta aggregation processes.

    For example:

    deleted=true

Common Configuration

  1. In the Connection Timeout (in seconds) field, enter the connection timeout value in seconds.

  2. The Web Service source supports client certificate authentication for the API endpoints with SSL. Enter the valid details in the Client Certificate and Client Private Key fields, respectively.

    Important
    The connector only supports the PEM format for the Client Certificate and the private key. Additionally, the Web Services connector expects the PEM private key to be an RSA PEM private key. The following process enables you to convert the private key to an RSA private key on a Windows computer:

    1. Download openssl-1.0.2q-x64_86-win64.zip and extract it.

    2. Open a command prompt (cmd) in the OpenSSL path.

    3. Copy the Private_ADP_Key.key file to the extracted/openSSL path.

    4. Run the following command:

      openssl rsa -in Private_ADP_Key.key -out rsa_private_key.pem

      This command prompts for a pass phrase. The private key must be decrypted as per the steps below:

      Conversion to a combined PEM file

      To convert a PFX file to a PEM file that contains both the certificate and private key, use the following command:

      # openssl pkcs12 -in filename.pfx -out cert.pem -nodes

      Conversion to separate PEM files

      • Extract the private key from PFX to PEM file with this command:
        # openssl pkcs12 -in filename.pfx -nocerts -out key.pem

      • Export the certificate with this command:
        # openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

      • Remove the password from the extracted private key with this command:
        # openssl rsa -in key.pem -out server.key

      Note
      When using OpenSSL on the VA, the command works without the additional steps. However, the generated key signature is not accepted. It is suggested not to use OpenSSL on the VA.

    5. Use this rsa_private_key.pem file in the connector.

  3. In the Account Enable Status Attribute field, enter the attribute name and value to set the account status while loading accounts. The status of accounts with the specified attribute and value will be marked as Enabled; the status for all other accounts will be Disabled.

    For example, if you enter status=Active, the status of all accounts with the status attribute set to Active will be enabled.

    Note

    The Account Enable Status Attribute feature has the following limitations:

    • The feature only supports single value status attributes.

    • Conditional operators are not supported. Examples of unsupported operators are as follows:

      status=Active || status=Pending

      status=Active && status=Pending

    • The connector doesn’t support the ability to select the n-th element (including 1st element) from a list. This feature's supported types are string, integer, and Boolean.

      For example, the expression values[?(@.name=="accountDisabled")].values[0] returns its value in a list format and is therefore not supported. For such scenarios, you need to implement the Web Services After Operation Rule to configure enabling and disabling of accounts. For more information, refer to Web Services After Operation Rule.

  4. In the Account Lock Status Attribute field, provide the value required to check the account lock status.

    For example, if you enter status=inactive, the account schema status attribute will determine whether the account is locked or not. In this case, all accounts with their status attribute set to inactive will be considered locked by the connector, and therefore they will not be included in provisioning.

  5. Enable Use hasMore Attribute for Aggregation Termination to enable the connector to terminate an aggregation process based on the setting for the hasMore attribute. If the hasMore attribute is set to false, the aggregation is terminated if the number of accounts returned is zero. If the Use hasMore Attribute for Aggregation Termination option is disabled, aggregation processes are not terminated based on the hasMore attribute.

    Note
    The hasMore attribute is the Boolean attribute set in the transientValues map in the Before/After Operation rule.

  6. Select Save.
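
A pre-flight check for the Client Private Key step above, as an added example that is not part of the original documentation or the connector's own code: it classifies a PEM file by its block label so that a pass-phrase-protected or non-RSA key is caught before it is entered in the connector. It assumes that "RSA PEM private key" means the traditional RSA PRIVATE KEY label; the function name classify_private_key and the sample strings are constructed for illustration.

```python
import re

# Matches one PEM block and captures its label and body.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Assumption: "RSA PEM private key" means the traditional "RSA PRIVATE KEY" label.
FIX = "convert with: openssl rsa -in <key file> -out rsa_private_key.pem"

def classify_private_key(pem_text):
    """Return (status, advice) for the first private-key block in pem_text."""
    for label, body in _PEM_BLOCK.findall(pem_text):
        if not label.endswith("PRIVATE KEY"):
            continue  # e.g. CERTIFICATE blocks in a combined PEM file
        if label == "RSA PRIVATE KEY":
            # A pass-phrase-protected traditional key carries this header.
            if "Proc-Type: 4,ENCRYPTED" in body:
                return ("encrypted-rsa", FIX)
            return ("ok", "unencrypted RSA PEM key; restrict access to the file")
        if label == "ENCRYPTED PRIVATE KEY":
            return ("encrypted-pkcs8", FIX)
        if label == "PRIVATE KEY":
            return ("pkcs8-unencrypted", FIX)
        return ("unsupported", "not an RSA key label: " + label)
    return ("no-key", "no PEM private-key block found")

# Constructed samples: bodies are placeholder text, not real key material.
def _pem(label, body="UExBQ0VIT0xERVI="):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

SAMPLES = {
    "converted": _pem("RSA PRIVATE KEY"),
    "passphrase": _pem(
        "RSA PRIVATE KEY",
        "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nUExBQ0U="),
    "encrypted_pkcs8": "Bag Attributes\n" + _pem("ENCRYPTED PRIVATE KEY"),
    "combined": _pem("CERTIFICATE") + _pem("PRIVATE KEY"),
    "cert_only": _pem("CERTIFICATE"),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify_private_key(text))
```

Only the "ok" result matches what the connector is documented to expect; an unencrypted key file should be readable only by the account that configures the source.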