Oracle® Identity Management Integration Guide
10g (10.1.4.0.1)

Part Number B15995-01

13 Deploying Provisioning-Integrated Applications

This chapter explains how to deploy provisioning-integrated applications with the Oracle Provisioning Service. It contains these topics:

Deployment Overview for Provisioning-Integrated Applications

To deploy provisioning-integrated applications with the Oracle Provisioning Service, you perform these general steps:

  1. Install Oracle Internet Directory, which includes Oracle Directory Integration Platform.

  2. Load user information into Oracle Internet Directory.

  3. Start the Oracle directory integration server by following the procedures in "Starting, Stopping, and Restarting the Oracle Directory Integration Platform".

  4. Install the applications and use the Provisioning Subscription Tool to create a provisioning profile for each application.

  5. Configure application registration by following the procedures described in "Registering Applications for Provisioning".

  6. Configure application provisioning by following the procedures described in "Configuring Application Provisioning Properties".

  7. Periodically monitor the status of the provisioning event propagation for each application. You can do this by using the Oracle Enterprise Manager 10g Application Server Control Console.


    See Also:

    The chapter on logging, auditing, and monitoring the directory in Oracle Internet Directory Administrator's Guide

Registering Applications for Provisioning

After you install an application and use the Provisioning Subscription Tool to create a provisioning profile for it, you must perform the following steps to register the application for provisioning:

  1. Perform the initial provisioning registration and create a provisioning-integration profile. The Oracle Directory Integration Platform Service uses the provisioning-integration profiles to identify provisioning-integrated applications.

  2. Provide the Oracle Directory Integration Platform Service with application-specific attributes, their default values, and whether each attribute is mandatory when provisioning users for the application.

  3. Register any plug-ins that are required by the provisioning-integrated application. This can include application-specific plug-ins that the application uses to enforce business policies.


Note:

The Oracle Directory Integration Platform Service does not support instance-level provisioning of applications that support a multiple instance architecture. If you install multiple instances of the same application, the Oracle Directory Integration Platform Service treats each instance as a separate provisioning-integrated application.

When creating users with the Provisioning Console, an administrator can assign user attributes for a specific provisioning-integrated application. Because Oracle Internet Directory is the primary directory for attributes that the Provisioning Console manages, application-specific attributes are stored in Oracle Internet Directory for each user that is provisioned for an application. For better performance, provisioning-integrated applications usually cache a local copy of user attributes instead of retrieving them from Oracle Internet Directory. Applications are notified of user creations, user deletions, and attribute modifications either synchronously with the Data Access Java plug-in or asynchronously with a PL/SQL plug-in.

Registration creates a unique identity for an application in Oracle Internet Directory. Oracle applications typically register themselves for provisioning by using the repository APIs located in the repository.jar file, which Oracle Application Server installs by default in the $ORACLE_HOME/jlib directory. In addition to creating an application entry in Oracle Internet Directory, the repository APIs can be used to add applications to privileged groups.

For non-Oracle applications that are not capable of using the registration APIs, you can use LDAP commands and LDIF templates to create identities for the applications in Oracle Internet Directory. You create a container for the application under either cn=Products,cn=OracleContext or cn=Products,cn=OracleContext,Realm DN. The container where you create an application identity depends on whether the application will be available to users in a single realm or in multiple realms. In most cases, you should create the application identity in the cn=Products,cn=OracleContext container so that the application is not bound by the identity management policies of a specific Oracle Internet Directory identity management realm.

You can install multiple instances of the same application. Installing a new instance of a provisioning-integrated application creates a separate entry for the new instance under the application identity container. Although some configuration settings are instance-specific, other settings are shared across multiple instances of the same application. As an example, consider an application that is similar to Oracle Files. You can deploy multiple instances of Oracle Files in an environment where each instance is independent of other instances. You define each instance as a separate provisioning-integrated application. You can also provision users in multiple instances of the application.

When you install the first instance of an application, you must create in Oracle Internet Directory the entries shown in the following example. The example creates the application identity in the cn=Products,cn=OracleContext container, and assumes the application name and type are Files-App1 and FILES. The userpassword value is the credential the application instance binds with, so substitute a strong, instance-specific value for the placeholder before loading the file.

dn: cn=FILES,cn=Products,cn=OracleContext
changetype: add
objectclass: orclContainer

dn: orclApplicationCommonName=Files-App1,cn=FILES,cn=Products,cn=OracleContext
changetype: add
# objectclass line added so the entry is loadable; the guide's original listing omits it
objectclass: orclApplicationEntity
orclappfullname: Files Application Instance 1
userpassword: password
description: This is a test application instance.
protocolInformation: protocol information
orclVersion: 1.0
orclaci: access to entry by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext" (browse,proxy) by group="cn=User Provisioning Admins,cn=Groups,cn=OracleContext" (browse,proxy)
orclaci: access to attr=(*) by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext" (search,read,write,compare) by group="cn=User Provisioning Admins,cn=Groups,cn=OracleContext" (search,read,write,compare)

When you install the second instance of the application, you create only the instance entry, because the cn=FILES container already exists. The following example also creates the application identity in the cn=Products,cn=OracleContext container, and assumes the application name is Files-App2.

dn: orclApplicationCommonName=Files-App2,cn=FILES,cn=Products,cn=OracleContext
changetype: add
# objectclass line added so the entry is loadable; the guide's original listing omits it
objectclass: orclApplicationEntity
orclappfullname: Files Application Instance 2
userpassword: password
description: This is a test application instance.
protocolInformation: protocol information
orclVersion: 1.0
orclaci: access to entry by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext" (browse,proxy) by group="cn=User Provisioning Admins,cn=Groups,cn=OracleContext" (browse,proxy)
orclaci: access to attr=(*) by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext" (search,read,write,compare) by group="cn=User Provisioning Admins,cn=Groups,cn=OracleContext" (search,read,write,compare)
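The registration LDIF above (both instances and their orclaci lines) is exactly the kind of file worth checking before it is loaded with ldapadd. The following Python script is an added example, not code from Oracle or from this guide: it reads LDIF (including folded lines and base64 values) and reports, for each orclApplicationCommonName entry, a placeholder userpassword, orclaci clauses that grant proxy or write to anything other than the two groups used above, and an instance whose parent container the file never creates. The sample LDIF, the placeholder-password list and the 12-character minimum are constructed assumptions, and the ACI parser only understands group="..." and * subjects; other orclaci subject forms are ignored.

```python
"""Added example, not Oracle's code: offline audit of the LDIF used to register
application identities, with a minimal RFC 2849 reader feeding the checks."""
import base64
import re
from typing import Dict, List, Set

# The two groups the page's orclaci lines grant browse/proxy and read/write to.
TRUSTED_GROUPS = {
    "cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext",
    "cn=User Provisioning Admins,cn=Groups,cn=OracleContext",
}
PLACEHOLDER_PASSWORDS = {"password", "welcome1", "changeme"}  # assumed deny-list
# One "by <subject> (<perms>)" clause of an orclaci; only group="..." and * subjects.
ACI_GRANT = re.compile(r'by\s+(group="([^"]+)"|\*)\s*\(([^)]*)\)')

# Constructed sample, not real directory output: Files-App1 mirrors the page's entry
# (ACIs folded across lines, as LDIF allows), Files-App2 has a base64-encoded password
# but a world-open ACI, and Mail-App1 sits under a container this LDIF never creates.
SAMPLE_LDIF = """\
dn: cn=FILES,cn=Products,cn=OracleContext
changetype: add
objectclass: orclContainer

dn: orclApplicationCommonName=Files-App1,cn=FILES,cn=Products,cn=OracleContext
changetype: add
userpassword: password
orclaci: access to entry by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext" (browse,proxy)
  by group="cn=User Provisioning Admins,cn=Groups,cn=OracleContext" (browse,proxy)
orclaci: access to attr=(*) by group="cn=odisgroup,cn=DIPAdmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext" (search,read,write,compare)
  by group="cn=User Provisioning Admins,cn=Groups,cn=OracleContext" (search,read,write,compare)

dn: orclApplicationCommonName=Files-App2,cn=FILES,cn=Products,cn=OracleContext
changetype: add
userpassword:: Y29ycmVjdCBob3JzZSBiYXR0ZXJ5IHN0YXBsZQ==
orclaci: access to entry by * (browse,proxy)

dn: orclApplicationCommonName=Mail-App1,cn=MAIL,cn=Products,cn=OracleContext
changetype: add
userpassword:: Y29ycmVjdCBob3JzZSBiYXR0ZXJ5IHN0YXBsZQ==
orclaci: access to entry by group="cn=Mail Admins,cn=Groups,cn=OracleContext" (browse,proxy)
orclaci: access to attr=(*) by group="cn=Mail Admins,cn=Groups,cn=OracleContext" (read)
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Unfold continuations, decode '::' base64 values, lower-case attribute names."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:   # continuation of the previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical + [""]:                # the trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):          # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(name.strip().lower(), []).append(value)
    return entries


def audit_entry(entry: Dict[str, List[str]], containers: Set[str]) -> List[str]:
    """Findings for one application identity entry, in check order."""
    findings: List[str] = []
    dn = entry["dn"][0]
    parent = dn.split(",", 1)[1]
    if parent not in containers:
        findings.append(f"parent container {parent} is not created in this LDIF")
    password = entry.get("userpassword", [""])[0]
    if password.lower() in PLACEHOLDER_PASSWORDS or len(password) < 12:
        findings.append("weak or placeholder userpassword")
    acis = entry.get("orclaci", [])
    if not any(a.startswith("access to entry") for a in acis):
        findings.append("missing entry-level orclaci")
    if not any(a.startswith("access to attr=(*)") for a in acis):
        findings.append("missing attribute-level orclaci")
    for aci in acis:
        for match in ACI_GRANT.finditer(aci):
            subject = match.group(2) or "*"
            perms = {p.strip() for p in match.group(3).split(",")}
            powerful = sorted(perms & {"proxy", "write"})
            if subject == "*":
                findings.append(f"any user (*) granted {','.join(sorted(perms))}")
            elif subject not in TRUSTED_GROUPS and powerful:
                findings.append(f"untrusted group {subject} granted {','.join(powerful)}")
    return findings


def audit_ldif(text: str) -> Dict[str, List[str]]:
    """Map each orclApplicationCommonName entry's DN to its findings."""
    entries = parse_ldif(text)
    containers = {e["dn"][0] for e in entries
                  if "orclcontainer" in [v.lower() for v in e.get("objectclass", [])]}
    return {e["dn"][0]: audit_entry(e, containers) for e in entries
            if e["dn"][0].lower().startswith("orclapplicationcommonname=")}


if __name__ == "__main__":
    for dn, findings in audit_ldif(SAMPLE_LDIF).items():
        print(dn, "->", findings or ["ok"])
```

Run against the page's own Files-App1 entry, the only finding is the placeholder userpassword; the same checks can be pointed at an ldapsearch -L export of cn=Products,cn=OracleContext to re-audit application identities that are already in the directory.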

After you successfully register a provisioning-integrated application with Oracle Internet Directory, you may need to add the application to various privileged groups. Table 13-1 lists common privileged groups in Oracle Internet Directory.

Table 13-1 Common Privileged Groups in Oracle Internet Directory

Group                  Description
OracleDASCreateUser    Create users
OracleDASEditUser      Edit users
OracleDASDeleteUser    Delete users
OracleDASCreateGroup   Create groups
OracleDASEditGroup     Edit groups
OracleDASDeleteGroup   Delete groups


The following LDIF file demonstrates how to grant create-user privileges in all realms to the Files-App1 application:

dn: cn=OracleCreateUser,cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: orclApplicationCommonName=Files-App1,cn=FILES,cn=Products,cn=OracleContext

Configuring Application Provisioning Properties

After you register a provisioning-integrated application, you must configure its properties. Each application's provisioning profile maintains its own provisioning configuration properties. Provisioning-integrated applications use properties to store the following types of metadata:

Oracle Directory Integration Platform Provisioning supports three versions of provisioning profiles: 1.1, 2.0, and 3.0. Version 3.0 provisioning profiles are only available with Oracle Identity Management 10g (10.1.4.0.1). Different applications support different provisioning profile versions. For example, many Oracle applications only support version 2.0. However, Oracle Collaboration Suite supports provisioning profile version 3.0. The primary differences between the provisioning profile versions are as follows: