2 Tasks to Be Performed Before You Create the Connector

The following sections of this chapter describe the procedures that you must perform before you create the connector:

2.1 Configuring Oracle Identity Manager

This section describes the following procedures:

2.1.1 Enabling Logging

Depending on the Oracle Identity Manager release you are using, perform the instructions given in one of the following sections:

2.1.1.1 Enabling Logging on Oracle Identity Manager Release 9.1.0.x

Note:

In an Oracle Identity Manager cluster, perform this procedure on each node of the cluster. Then, restart each node.

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • ALL

    This level enables logging for all events.

  • DEBUG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • INFO

    This level enables logging of messages that highlight the progress of the application at a coarse-grained level.

  • WARN

    This level enables logging of information about potentially harmful situations.

  • ERROR

    This level enables logging of information about error events that might allow the application to continue running.

  • FATAL

    This level enables logging of information about very severe error events that could cause the application to stop functioning.

  • OFF

    This level disables logging for all events.

The file in which you set the log level and the log file path depend on the application server that you use:

  • Oracle WebLogic Server

    To enable logging:

    1. Add the following line in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.OIMCP.DATC=LOG_LEVEL
      
    2. In this line, replace LOG_LEVEL with the log level that you want to set.

      For example:

      log4j.logger.OIMCP.DATC=INFO
      

    After you enable logging, log information is written to the following file:

    WEBLOGIC_HOME/user_projects/domains/DOMAIN_NAME/SERVER_NAME/SERVER_NAME.log

  • IBM WebSphere Application Server

    To enable logging:

    1. Add the following line in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.OIMCP.DATC=LOG_LEVEL
      
    2. In this line, replace LOG_LEVEL with the log level that you want to set.

      For example:

      log4j.logger.OIMCP.DATC=INFO
      

    After you enable logging, log information is written to the following file:

    WEBSPHERE_HOME/AppServer/logs/SERVER_NAME/startServer.log

  • JBoss Application Server

    To enable logging:

    1. In the JBOSS_HOME/server/default/conf/log4j.xml file, locate or add the following lines:

      <category name="OIMCP.DATC">
         <priority value="LOG_LEVEL"/>
      </category>
      
    2. In the second XML line, replace LOG_LEVEL with the log level that you want to set. For example:

      <category name="OIMCP.DATC">
         <priority value="INFO"/>
      </category>
      

    After you enable logging, log information is written to the following file:

    JBOSS_HOME/server/default/log/server.log

  • Oracle Application Server

    To enable logging:

    1. Add the following line in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.OIMCP.DATC=LOG_LEVEL
      
    2. In this line, replace LOG_LEVEL with the log level that you want to set.

      For example:

      log4j.logger.OIMCP.DATC=INFO
      

    After you enable logging, log information is written to the following file:

    ORACLE_HOME/opmn/logs/default_group~home~default_group~1.log

2.1.1.2 Enabling Logging on Oracle Identity Manager Release 11.1.1 and 11.1.2.x

Oracle Identity Manager uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.Logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • SEVERE.intValue()+100

    This level enables logging of information about fatal errors.

  • SEVERE

    This level enables logging of information about errors that might allow Oracle Identity Manager to continue running.

  • WARNING

    This level enables logging of information about potentially harmful situations.

  • INFO

    This level enables logging of messages that highlight the progress of the application.

  • CONFIG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • FINE, FINER, FINEST

    These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These log levels are mapped to ODL message type and level combinations as shown in Table 2-1.

Table 2-1 Log Levels and ODL Message Type:Level Combinations

Log Level               ODL Message Type:Level
SEVERE.intValue()+100   INCIDENT_ERROR:1
SEVERE                  ERROR:1
WARNING                 WARNING:1
INFO                    NOTIFICATION:1
CONFIG                  NOTIFICATION:16
FINE                    TRACE:1
FINER                   TRACE:16
FINEST                  TRACE:32


The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Manager.

To enable logging in Oracle WebLogic Server:

  1. Edit the logging.xml file as follows:

    1. Add the following blocks in the file:

      <log_handler name='dbat-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
        <property name='logreader:' value='off'/>
        <property name='path' value='[FILE_NAME]'/>
        <property name='format' value='ODL-Text'/>
        <property name='useThreadName' value='true'/>
        <property name='locale' value='en'/>
        <property name='maxFileSize' value='5242880'/>
        <property name='maxLogSize' value='52428800'/>
        <property name='encoding' value='UTF-8'/>
      </log_handler>

      <logger name="OIMCP.DATC" level="[LOG_LEVEL]" useParentHandlers="false">
        <handler name="dbat-handler"/>
        <handler name="console-handler"/>
      </logger>
      
    2. Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 2-1 lists the supported message type and level combinations.

      Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.

      The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME]:

      <log_handler name='dbat-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
        <property name='logreader:' value='off'/>
        <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/>
        <property name='format' value='ODL-Text'/>
        <property name='useThreadName' value='true'/>
        <property name='locale' value='en'/>
        <property name='maxFileSize' value='5242880'/>
        <property name='maxLogSize' value='52428800'/>
        <property name='encoding' value='UTF-8'/>
      </log_handler>

      <logger name="OIMCP.DATC" level="NOTIFICATION:1" useParentHandlers="false">
        <handler name="dbat-handler"/>
        <handler name="console-handler"/>
      </logger>
      

    With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.

  2. Save and close the file.

  3. Set the following environment variable to redirect the server logs to a file:

    For Microsoft Windows:

    set WLS_REDIRECT_LOG=FILENAME

    For UNIX:

    export WLS_REDIRECT_LOG=FILENAME

    Replace FILENAME with the location and name of the file to which you want to redirect the output.

  4. Restart the application server.

2.1.2 Adding New User-Defined Fields for the OIM User

Note:

This is an optional procedure. Perform this procedure only if you want to add fields to the standard set of OIM User fields.

While creating the connector, when you perform the procedure described in "Step 3: Modify Connector Configuration Page", you create mappings between the OIM User fields and the corresponding target system fields (columns). If there are additional target system fields that you want to use during reconciliation or provisioning, then you can extend the set of OIM User fields by creating user-defined fields (UDFs). For information about creating UDFs, see one of the following guides:

The following are the standard OIM User fields on Oracle Identity Manager release 9.1.0.x:

  • User ID

  • First Name

  • Last Name

  • Organization Name

  • User Type

  • Employee Type

  • Role

  • Password

  • Middle Name

  • Status

  • Provisioned Date

  • Creation Date

  • Manager ID

  • End Date

  • Start Date

  • Email

The following are the standard OIM User fields on Oracle Identity Manager release 11.1.1 and 11.1.2.x:

  • User Login

  • First Name

  • Last Name

  • Organization

  • User Type

  • Password

  • Middle Name

  • Status

  • Provisioning Date

  • Creation Date

  • Manager

  • End Date

  • Start Date

  • Email

2.1.3 Using Lookup Definitions

Note:

This is an optional procedure. Perform this procedure only if you want to use lookup definitions as the input source for some of the fields on the process form during provisioning operations.

If you are configuring the connector for provisioning, then you may want to create lookup fields on the process form. For example, during provisioning operations, you may want to select the Country Code value from a lookup field. While creating the connector, you can set up this field as a lookup field by specifying an input source (other than the target system) for the field.

You can use a lookup definition as the input source. For example, you can create a lookup definition containing country codes and then set up the lookup definition as the input source for the Country field. If you want to use a lookup definition as the input source, then you must first create it.

See Also:

The "Lookup Definition Form" section in one of the following guides for information about creating lookup definitions:

Alternatively, you can create a lookup field that uses columns from Oracle Identity Manager database tables as its input source. For example, if country code values are stored in any Oracle Identity Manager database table, then you can use the columns of that table as the input source for the Country Code lookup field.

While performing the procedure described in "Step 3: Modify Connector Configuration Page", you specify the custom lookup definition as the input source.

2.1.4 Copying the JDBC Drivers

Note:

If the target system version is the same as the version of the database that Oracle Identity Manager is using, then you need not perform the procedure described in this section. This is because the JDBC drivers have already been copied into the specified application server directories on Oracle Identity Manager.

Depending on the target system that you use, download one of the following sets of JDBC drivers from the vendor's Web site:

Note:

If the target system has the primary key column defined with the autoincrement option, then:

  • Ensure that you use JDBC3-compliant database drivers.

  • Ensure that the autoincrement mechanism is implemented on the target system. The connector does not generate and insert values in the autoincrementing field.

  • A target system with composite primary keys is not supported.

  • For IBM DB2/UDB:

    • For all platforms: db2jcc.jar

    • For Microsoft Windows and UNIX platforms: db2jcc_license_cu.jar

    • For IBM z/OS platforms: db2jcc_license_cisuz.jar

    • For IBM DB2/UDB with the autoincrement option set on the primary key column: db2jcc4.jar and JDK 1.6

  • For Microsoft SQL Server:

    • For Microsoft SQL Server 2005: sqljdbc.jar version 1.2

    • For Microsoft SQL Server 2008: sqljdbc4.jar

  • For MySQL, you need the mysql-connector-java-5.1.8-bin.jar driver.

  • For Oracle Database:

    • Oracle Database 10g release 2 (10.2.0.1), (10.2.0.2), or (10.2.0.3) drivers

    • Oracle Database 11g release 1 (11.1.0.6) drivers

    • Oracle Database 11g release 2 (11.2) drivers

      Note:

      If you are using Oracle Database 11g release 2 (11.2) drivers, then add the following system property to the startup parameter of the WebLogic Application Server:

      -Doracle.jdbc.J2EE13Compliant=true

    • Oracle RAC: Use the ojdbc14.jar file for JBoss Application Server. For all other application servers, use the ojdbc6.jar file.

    Note:

    The following is also mentioned as a limitation in the "Known Issues, Workarounds, and Troubleshooting" chapter:

    If you are using the ojdbc6.jar file, then the ArrayIndexOutOfBounds exception is encountered during a provisioning operation on Oracle Identity Manager 9.1.0.2 BP02 or later. To resolve this issue:

    On JBoss Application Server, replace the ojdbc6.jar file with the ojdbc14.jar file in both of the following directories:

    OIM_HOME/xellerate/ext
    JBOSS_HOME/server/default/lib

    For all other certified application servers, apply Patch 7112447. This patch is available on My Oracle Support (formerly OracleMetaLink).

  • For Sybase Adaptive Server Enterprise, use the jconn3.jar JDBC driver for all platforms.

Depending on the application server that you use, copy the JDBC drivers into one of the following directories:

Note:

In an Oracle Identity Manager cluster, copy the JDBC drivers into this directory on each node of the cluster.
  • For Oracle Identity Manager release 9.1.0.x:

    • For Oracle WebLogic Server:

      WEBLOGIC_HOME/java/jre/lib/ext

    • For JBoss Application Server:

      JAVA_HOME/jre/lib/ext

    • For IBM WebSphere Application Server:

      WEBSPHERE_HOME/java/jre/lib/ext

    • For Oracle Application Server:

      There is no need to copy JDBC drivers to any specific location as they are already present in the specified application server directories on Oracle Identity Manager.

  • For Oracle Identity Manager release 11.1.1 and 11.1.2.x on Oracle WebLogic Server:

    There is no need to copy JDBC drivers as they are already present in the specified application server directories on Oracle Identity Manager.

2.1.5 Exchanging Account Status Data with the Target System

This section discusses the following topics:

2.1.5.1 Configuring Account Status Reconciliation

For a target system that you configure as a target resource, Oracle Identity Manager expects the following account status values during reconciliation:

  • Enabled

  • Disabled

If you are configuring the target system as a target resource and if the target system uses the same status values, then you need not perform the procedure to configure account status reconciliation.

Similarly, for a target system that you configure as a trusted source, Oracle Identity Manager expects the following account status values during reconciliation:

  • Active

  • Disabled

If you are configuring the target system as a trusted source and if the target system uses the same status values, then you need not perform the procedure to configure account status reconciliation.

However, if the target system does not use status values that are compatible with Oracle Identity Manager, then you must configure account status reconciliation as follows:

Note:

For detailed instructions to perform these steps, see "Configuring Account Status Reconciliation" in one of the following chapters:
  1. Create a lookup definition that maps the status values used in the target system with the status values used in Oracle Identity Manager.

  2. While creating the connector, use the Translation Transformation Provider to create a transformation mapping between the fields that hold account status values in the Source and Reconciliation Staging data sets. The Translation Transformation Provider converts the target system status values into values that are compatible with Oracle Identity Manager.

  3. Create a mapping between the field that holds account status values in the Reconciliation Staging data set and one of the following fields:

    • The OIM Object Status field of the OIM - Account data set, for target resource reconciliation

      Note:

      You must remove the status field that is shown in the OIM - Account data set after metadata detection.
    • The Status field of the OIM - User data set, for trusted source reconciliation

2.1.5.2 Configuring Account Status Provisioning

For a target system that you configure as a target resource, Oracle Identity Manager sends the following account status values during provisioning:

  • enable

  • disable

If the target system does not use the same values, then you must perform the following steps:

  1. Create a lookup definition that maps the status values used in Oracle Identity Manager with the status values used in the target system.

    See Also:

    The "Lookup Definition Form" section in one of the following guides for information about creating lookup definitions:

    The following table shows the Code Key and Decode values for the lookup definition that you must create:

    Code Key   Decode
    enable     Status value used in the target system for an account that is in the Enabled state
    disable    Status value used in the target system for an account that is in the Disabled state

  2. While performing the procedure described in "Step 2: Specify Parameter Values Page":

    • Use the Status Attribute parameter to enter the name of the target system column that stores account status values.

    • Use the Status Lookup Code parameter to enter the name of the lookup definition that you create.

  3. While performing the procedure described in "Step 3: Modify Connector Configuration Page", remove the status field from the Provisioning Staging data sets and from the OIM - Account data set.

2.1.6 Copying the Provider Files

Note:

In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.

The files that contain the definitions of the predefined providers are placed in the Database Application Tables directory on the installation media. You must run the Connector Installer to install the connector.

To install the connector:

  1. Copy the Database Application Tables directory from the installation media into the following directory:

    For Oracle Identity Manager release 9.1.0.x:

    OIM_HOME/xellerate/ConnectorDefaultDirectory

    For Oracle Identity Manager release 11.1.1 and 11.1.2.x:

    OIM_HOME/server/ConnectorDefaultDirectory

  2. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 9.1.0.x:

      1. Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of Oracle Identity Manager Administrative and User Console Guide.

      2. Click Deployment Management, and then click Install Connector.

    • For Oracle Identity Manager release 11.1.1:

      1. Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

      2. On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Manage Connector.

      3. In the Manage Connector page, click Install.

    • For Oracle Identity Manager release 11.1.2.x:

      1. Log in to Oracle Identity System Administration by using the user account described in the "Creating the User Account for Installing Connectors" section of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

      2. In the left pane, under System Management, click Manage Connector.

      3. In the Manage Connector page, click Install.

  3. From the Connector List list, select the connector that you want to install. This list displays the names and release numbers of connectors whose installation files you copy into the ConnectorDefaultDirectory directory.

    If you have copied the Database Application Tables directory into a different directory, then:

    1. In the Alternative Directory field, enter the full path and name of that directory.

    2. To repopulate the list of connectors in the Connector List list, click Refresh.

    3. From the Connector List list, select the connector that you want to install.

  4. Click Load.

  5. To start the installation process, click Continue.

    You can ignore the messages that are displayed after the process is completed.

  6. Click Finish.

  7. Restart Oracle Identity Manager.

Table 2-2 lists the provider files and their destination directories on Oracle Identity Manager.

Note:

If you are using Oracle Identity Manager release 9.1.0.x, then the provider files must be manually copied to the destination directories. On Oracle Identity Manager release 11.1.x, when you install the connector, the provider files are automatically copied to the destination directories. Additionally, you must manually copy the lib/DatabaseApplicationTables.jar file to the OIM_HOME/server/JavaTasks directory.

Table 2-2 Provider Files for the Connector

File in the Installation Media Directory: lib/DatabaseApplicationTables.jar

  Description: This file contains the code implementation of all the providers.

  Destination Directory on OIM 9.1.0.x: OIM_HOME/xellerate/JavaTasks

  Destination Directory on OIM 11.1.x:

    • Oracle Identity Manager database

    • OIM_HOME/server/JavaTasks

File in the Installation Media Directory: Files in the ProviderDefinitions directory

    • DBProvisioningFormat.xml

    • DBProvisioningTransport.xml

    • DBReconFormat.xml

    • DBReconTransport.xml

  Description: Each XML file in this directory contains the definition of one of the predefined providers.

  Destination Directory on OIM 9.1.0.x: OIM_HOME/xellerate/GTC/ProviderDefinitions

  Destination Directory on OIM 11.1.x: /db/GTC/ProviderDefinitions location in MDS

File in the Installation Media Directory: Files in the resources directory

  Description: Each of these resource bundles contains language-specific information that is used by the connector.

  Note: A resource bundle is a file containing localized versions of the text strings that include GUI element labels and messages.

  Destination Directory on OIM 9.1.0.x: OIM_HOME/xellerate/connectorResources

  Destination Directory on OIM 11.1.x: Oracle Identity Manager database


2.1.7 Prerequisites for Creating the Connector

Note:

Perform the instructions described in this section only if both conditions are true:
  • You are using Oracle Identity Manager release 11.1.2.x.

  • Oracle Identity Manager 11.1.2.x is running on IBM WebSphere Application Server.

The following procedure is a prerequisite for creating the connector:

  1. Stop the IBM WebSphere Application Server.

  2. Copy the commons-pool-1.2.jar file from the oim.ear/xlWebApp.war/WEB-INF/lib/ directory to the oim.ear/APP-INF/lib directory.

  3. Restart IBM WebSphere Application Server.

2.2 Configuring the Target System

Configuring the target system involves performing the following optional procedures:

2.2.1 Using Read-Only Views

Note:

This is an optional procedure. Perform this procedure only if the target system is composed of read-only views.

Provisioning involves updating data stored in the target system. If the target system is composed of read-only views, then you must create INSTEAD OF triggers to enable modification of the read-only views during provisioning operations. For information about creating INSTEAD OF triggers, refer to the documentation for the target system database.

2.2.2 Ensuring That There Are No Target System Columns Named ID

Note:

This is an optional procedure. Perform this procedure only if you are creating a connector for target resource reconciliation.

When you start creating the connector by using the Administrative and User Console, the ID field is added by default to the OIM - Account data set. Database Application Tables connectors do not need to use this field. If the target system were to contain a column named ID, then that column would overwrite the default ID field and the connector would not be created correctly. As a workaround, you can create a view based on the table and provide a different name for the column named ID.

2.2.3 Configuring Oracle Database

Note:

This is an optional procedure. Perform this procedure on an Oracle database table only if you want an autoincrementing primary key.

At any time after creating the Oracle database table, you can set up an autoincrementing primary key column for that database table. To set the autoincrementing primary key, create a sequence, and then create a trigger that inserts a unique autogenerated number in the primary key field while inserting a new record into the parent table. The following is a trigger that you can use:

CREATE OR REPLACE TRIGGER trigger_name
BEFORE INSERT ON table_name FOR EACH ROW
BEGIN
  -- fetch the next sequence value into the primary key column of the row being inserted
  SELECT sequence_name.nextval INTO :new.primary_key_column_name FROM DUAL;
END;
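
The following script is an added example, not part of the Oracle guide, that puts sections 2.2.1 to 2.2.3 together on a hypothetical Oracle target schema: an autoincrementing primary key driven by a sequence and trigger, a join view that exposes the base column ID under another name and is therefore read-only, and INSTEAD OF triggers that let the connector's provisioning operations write through that view. All object names (APP_DEPARTMENTS, APP_USERS, APP_USERS_SEQ, APP_USER_V and the trigger names) are assumptions.

```sql
-- Oracle Database syntax. All object names are assumptions for this example.

-- Base tables. APP_USERS keeps a column literally named ID, which would
-- collide with the ID field that OIM adds to the OIM - Account data set.
CREATE TABLE app_departments (
  dept_id   NUMBER       PRIMARY KEY,
  dept_name VARCHAR2(64) NOT NULL UNIQUE
);

CREATE TABLE app_users (
  id         NUMBER       PRIMARY KEY,
  login      VARCHAR2(64) NOT NULL UNIQUE,
  first_name VARCHAR2(64),
  last_name  VARCHAR2(64),
  dept_id    NUMBER       NOT NULL REFERENCES app_departments (dept_id),
  -- the values OIM sends during status provisioning (section 2.1.5.2)
  status     VARCHAR2(8)  DEFAULT 'enable' NOT NULL
             CHECK (status IN ('enable', 'disable'))
);

-- Autoincrementing primary key (section 2.2.3): a sequence plus a BEFORE
-- INSERT trigger, so the connector never has to supply ID itself.
CREATE SEQUENCE app_users_seq START WITH 1 INCREMENT BY 1 NOCACHE;

CREATE OR REPLACE TRIGGER app_users_bi
BEFORE INSERT ON app_users FOR EACH ROW
BEGIN
  SELECT app_users_seq.NEXTVAL INTO :new.id FROM DUAL;
END;
/

-- The view the connector is pointed at (section 2.2.2): ID is exposed under
-- another name, and the join makes the view read-only to the database.
CREATE OR REPLACE VIEW app_user_v AS
  SELECT u.id   AS user_key,
         u.login,
         u.first_name,
         u.last_name,
         d.dept_name,
         u.status
    FROM app_users u
    JOIN app_departments d ON d.dept_id = u.dept_id;

-- INSTEAD OF triggers (section 2.2.1) turn the connector's provisioning DML
-- against the view into DML against the base table. The department name is
-- resolved to its key; an unknown name raises NO_DATA_FOUND, so the
-- provisioning task fails instead of writing a half-formed row.
CREATE OR REPLACE TRIGGER app_user_v_ins
INSTEAD OF INSERT ON app_user_v FOR EACH ROW
DECLARE
  v_dept_id app_departments.dept_id%TYPE;
BEGIN
  SELECT dept_id INTO v_dept_id
    FROM app_departments WHERE dept_name = :new.dept_name;
  -- ID is omitted on purpose: APP_USERS_BI fills it from the sequence.
  INSERT INTO app_users (login, first_name, last_name, dept_id, status)
  VALUES (:new.login, :new.first_name, :new.last_name, v_dept_id,
          NVL(:new.status, 'enable'));
END;
/

-- Update covers both attribute changes and enable/disable provisioning.
CREATE OR REPLACE TRIGGER app_user_v_upd
INSTEAD OF UPDATE ON app_user_v FOR EACH ROW
DECLARE
  v_dept_id app_departments.dept_id%TYPE;
BEGIN
  SELECT dept_id INTO v_dept_id
    FROM app_departments WHERE dept_name = :new.dept_name;
  UPDATE app_users
     SET login      = :new.login,
         first_name = :new.first_name,
         last_name  = :new.last_name,
         dept_id    = v_dept_id,
         status     = :new.status
   WHERE id = :old.user_key;
END;
/

-- Revoke (delete) provisioning removes the base row by its key.
CREATE OR REPLACE TRIGGER app_user_v_del
INSTEAD OF DELETE ON app_user_v FOR EACH ROW
BEGIN
  DELETE FROM app_users WHERE id = :old.user_key;
END;
/
```

When the connector is created, APP_USER_V rather than APP_USERS is the table named on the Specify Parameter Values page, so metadata detection sees USER_KEY and never a column called ID.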

2.2.4 Creating Target System User Accounts for Connector Operations

Oracle Identity Manager requires a target system user account to access target system tables during reconciliation and provisioning operations. You provide the credentials of this user account while configuring the IT Resource for the target system.

The target system user account for performing connector operations on database tables must have the following permissions:

  • For provisioning operations: The user account must have permissions to perform SELECT, INSERT, UPDATE, and DELETE operations on the tables to be managed by this connector.

  • For reconciliation: The user account must have permissions to run SELECT statements on the tables to be managed by this connector.
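
The grants below are an added example, not part of the Oracle guide, of giving a target-system account only the permissions this section lists. It goes one step beyond the single account the section describes by using a separate account for reconciliation and for provisioning, so the reconciliation credentials stored in the IT Resource can never modify target data. The account names, the placeholder passwords and the managed object APP_USER_V are assumptions; Oracle Database syntax.

```sql
-- Oracle Database syntax. OIM_RECON, OIM_PROV and APP_USER_V are assumed
-- names for this example; the passwords are placeholders to be replaced.

-- Reconciliation account: SELECT on the managed object and nothing else.
CREATE USER oim_recon IDENTIFIED BY "CHANGE_ME_recon_placeholder";
GRANT CREATE SESSION TO oim_recon;
GRANT SELECT ON app_user_v TO oim_recon;

-- Provisioning account: exactly the four DML privileges the guide lists.
-- No DDL, no privileges on other tables, no broad roles such as RESOURCE.
CREATE USER oim_prov IDENTIFIED BY "CHANGE_ME_prov_placeholder";
GRANT CREATE SESSION TO oim_prov;
GRANT SELECT, INSERT, UPDATE, DELETE ON app_user_v TO oim_prov;

-- Check: run as a DBA; the only rows returned should be the grants above.
-- Anything extra here is privilege the connector does not need.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee IN ('OIM_RECON', 'OIM_PROV')
 ORDER BY grantee, table_name, privilege;
```

If the managed object is a view with INSTEAD OF triggers, the grants go on the view only; the provisioning account needs no direct privilege on the base tables.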

2.3 Configuring Secure Communication Between the Target System and Oracle Identity Manager

Note:

It is recommended that you perform the procedure described in this section to secure communication between the target system and Oracle Identity Manager.

The procedure to secure communication depends on the database that you are using:

2.3.1 Configuring Secure Communication Between IBM DB2/UDB and Oracle Identity Manager

Note:

IBM DB2/UDB version 9.1 Fix Pack 2 and later support secure communication over SSL.

SSL communication is not supported if IBM DB2/UDB is running on IBM z/OS. This has been mentioned in the "Known Issues, Workarounds, and Troubleshooting" chapter.

To configure secure communication between IBM DB2/UDB and Oracle Identity Manager:

  1. Refer to IBM DB2/UDB documentation for information about enabling SSL communication between IBM DB2/UDB and a client system. In this context, the client is Oracle Identity Manager.

    Export the certificate on the IBM DB2/UDB host computer.

  2. Copy the certificate to the Oracle Identity Manager host computer.

  3. Import the certificate into the JVM truststore of the application server on which Oracle Identity Manager is running.

    To import the certificate into the truststore, run the following command:

    ..\..\bin\keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
    

    In this command:

    • Replace FILE_LOCATION with the full path and name of the certificate file.

    • Replace ALIAS with an alias for the certificate.

    • Replace TRUSTSTORE_PASSWORD with a password for the truststore.

    • Replace TRUSTSTORE_LOCATION with one of the truststore paths from Table 2-3. This table shows the location of the truststore for each of the supported application servers.

    Note:

    In an Oracle Identity Manager cluster, you must import the file into the truststore on each node of the cluster.

    Table 2-3 Truststore Locations on Supported Application Servers

    Application Server                                                                    Truststore Location
    For Oracle Identity Manager release 9.1.0.x on Oracle WebLogic Server                 WEBLOGIC_HOME/java/jre/lib/security/cacerts
    For Oracle Identity Manager release 9.1.0.x on IBM WebSphere Application Server       WEBSPHERE_HOME/java/jre/lib/security/cacerts
    For Oracle Identity Manager release 9.1.0.x on JBoss Application Server               JAVA_HOME/jre/lib/security/cacerts
    For Oracle Identity Manager release 9.1.0.x on Oracle Application Server              ORACLE_HOME/jdk/jre/lib/security/cacerts
    For Oracle Identity Manager release 11.1.1 and 11.1.2.x on Oracle Application Server  JAVA_HOME/jre/lib/security/cacerts


2.3.2 Configuring Secure Communication Between Microsoft SQL Server and Oracle Identity Manager

To configure secure communication between Microsoft SQL Server and Oracle Identity Manager:

  1. Refer to Microsoft SQL Server documentation for information about enabling SSL communication between Microsoft SQL Server and a client system. In this context, the client is Oracle Identity Manager.

    Export the certificate on the Microsoft SQL Server host computer.

  2. Copy the certificate to the Oracle Identity Manager host computer.

  3. Import the certificate into the JVM truststore of the application server on which Oracle Identity Manager is running.

    To import the certificate into the truststore, run the following command:

    ..\..\bin\keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
    

    In this command:

    • Replace FILE_LOCATION with the full path and name of the certificate file.

    • Replace ALIAS with an alias for the certificate.

    • Replace TRUSTSTORE_PASSWORD with a password for the truststore.

    • Replace TRUSTSTORE_LOCATION with one of the truststore paths from Table 2-4. This table shows the location of the truststore for each of the supported application servers.

    Note:

    In an Oracle Identity Manager cluster, you must import the file into the truststore on each node of the cluster.

    Table 2-4 Truststore Locations on Supported Application Servers

    Application Server                                                                    Truststore Location
    For Oracle Identity Manager release 9.1.0.x on Oracle WebLogic Server                 WEBLOGIC_HOME/java/jre/lib/security/cacerts
    For Oracle Identity Manager release 9.1.0.x on IBM WebSphere Application Server       WEBSPHERE_HOME/java/jre/lib/security/cacerts
    For Oracle Identity Manager release 9.1.0.x on JBoss Application Server               JAVA_HOME/jre/lib/security/cacerts
    For Oracle Identity Manager release 9.1.0.x on Oracle Application Server              ORACLE_HOME/jdk/jre/lib/security/cacerts
    For Oracle Identity Manager release 11.1.1 and 11.1.2.x on Oracle Application Server  JAVA_HOME/jre/lib/security/cacerts


2.3.3 Configuring Secure Communication Between MySQL and Oracle Identity Manager

To configure secure communication between MySQL and Oracle Identity Manager:

  1. See MySQL documentation for information about enabling SSL communication between MySQL and a client system. In this context, the client is Oracle Identity Manager.

  2. Export the certificate on the MySQL host computer.

  3. Restart the MySQL database service by using the certificate exported in the preceding step. See MySQL documentation for information on restarting the database service.

  4. Copy the ca-cert.pem and client-cert.pem certificates to the Oracle Identity Manager host computer.

  5. Import the certificates into the JVM truststore of the application server on which Oracle Identity Manager is running.

    To import the certificates into the truststore, run the following command for each certificate:

    keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
    

    In this command:

    • Replace FILE_LOCATION with the full path and name of the certificate file.

    • Replace ALIAS with an alias for the certificate.

    • Replace TRUSTSTORE_PASSWORD with the password of the truststore.

    • Replace TRUSTSTORE_LOCATION with one of the truststore paths from Table 2-5. This table shows the location of the truststore for each of the supported application servers.

    Note:

    In an Oracle Identity Manager cluster, you must import the file into the truststore on each node of the cluster.

    Table 2-5 Truststore Locations on Supported Application Servers

    Application Server Truststore Location

    For Oracle Identity Manager release 9.1.0.x on IBM WebSphere Application Server

    For any supported IBM WebSphere Application Server release, import the certificate into the following certificate store:

    WEBSPHERE_HOME/java/jre/lib/security/cacerts

    In addition to importing the certificate into the cacerts certificate store, you must import the certificate into one of the following certificate stores:

    • For IBM WebSphere Application Server 6.1.x, import the certificate into the following certificate store:

      WEBSPHERE_HOME/Web_Sphere/profiles/SERVER_NAME/config/cells/CELL_NAME/nodes/NODE_NAME/trust.p12

      For example:

      C:/Web_Sphere/profiles/AppSrv01/config/cells/tcs055071Node01Cell/nodes/tcs055071Node0/trust.p12

    • For IBM WebSphere Application Server 5.1.x, in addition to the cacerts certificate store, you must import the certificate into the following certificate store:

      WEBSPHERE_HOME/etc/KEY_STORE

      Here, KEY_STORE is the name of the keystore.

    For Oracle Identity Manager release 9.1.0.x on JBoss Application Server

    JAVA_HOME/jre/lib/security/cacerts

    For Oracle Identity Manager release 9.1.0.x on Oracle WebLogic Server

    • If you are using Oracle jrockit_R27.3.1-jdk, then import the certificate into the cacerts keystore in the following directory:

      JROCKIT_HOME/jre/lib/security

    • If you are using the default Oracle WebLogic Server JDK, then import the certificate into the keystore in following directory:

      WEBLOGIC_HOME/java/jre/lib/security/cacerts

    • If you are using a JDK other than Oracle jrockit_R27.3.1-jdk or Oracle WebLogic Server JDK, then import the certificate into your keystore at the following directory:

      JAVA_HOME/jre/lib/security/cacerts

    For Oracle Identity Manager release 11.1.1 and 11.1.2.x on Oracle WebLogic Server

    JAVA_HOME/jre/lib/security/cacerts


2.3.4 Configuring Secure Communication Between Oracle Database and Oracle Identity Manager

To secure communication between Oracle Database and Oracle Identity Manager, you can perform either one or both of the following procedures:

2.3.4.1 Configuring Data Encryption and Integrity in Oracle Database

Refer to Oracle Database Advanced Security Administrator's Guide for information about configuring data encryption and integrity. Note that the default value of the server-side encryption and integrity parameters, ACCEPTED, only negotiates encryption when the client asks for it; set them to REQUIRED if the database is to refuse unencrypted sessions from any client, including Oracle Identity Manager.

2.3.4.2 Configuring SSL Communication in Oracle Database

Note:

Database Application Tables connectors do not support SSL communication between an Oracle Database target system and Oracle Identity Manager running on IBM WebSphere Application Server or Oracle Application Server. This is also mentioned in the "Known Issues, Workarounds, and Troubleshooting" chapter (see Bug 6696248).

To enable SSL communication between Oracle Database and Oracle Identity Manager:

  1. Refer to Oracle Database Advanced Security Administrator's Guide for information about enabling SSL communication between Oracle Database and Oracle Identity Manager.

    Export the certificate on the Oracle Database host computer.

  2. Copy the certificate to Oracle Identity Manager.

  3. Import the certificate into the JVM truststore of the application server on which Oracle Identity Manager is running.

    To import the certificate into the truststore, run the following command (keytool is in the bin directory of the JDK that the application server runs on):

    keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
    

    In this command:

    • Replace FILE_LOCATION with the full path and name of the certificate file.

    • Replace ALIAS with an alias for the certificate.

    • Replace TRUSTSTORE_PASSWORD with the password of the truststore.

    • Replace TRUSTSTORE_LOCATION with one of the truststore paths from Table 2-6. This table shows the location of the truststore for each of the supported application servers.

    Note:

    In an Oracle Identity Manager cluster, you must import the file into the truststore on each node of the cluster.

    Table 2-6 Truststore Locations on Supported Application Servers

    Application Server Truststore Location

    For Oracle Identity Manager release 9.1.0.x on Oracle WebLogic Server

    WEBLOGIC_HOME/java/jre/lib/security/cacerts

    For Oracle Identity Manager release 9.1.0.x on JBoss Application Server

    JAVA_HOME/jre/lib/security/cacerts

    For Oracle Identity Manager release 11.1.1 and 11.1.2.x on Oracle WebLogic Server

    JAVA_HOME/jre/lib/security/cacerts


2.3.5 Configuring Secure Communication Between Sybase Adaptive Server Enterprise and Oracle Identity Manager

To configure secure communication between Sybase Adaptive Server Enterprise and Oracle Identity Manager:

  1. Refer to Sybase Adaptive Server Enterprise documentation for information about enabling SSL communication between Sybase Adaptive Server Enterprise and a client system. In this context, the client is Oracle Identity Manager.

    Export the certificate on the Sybase Adaptive Server Enterprise host computer.

  2. Copy the certificate to the Oracle Identity Manager host computer.

  3. Import the certificate into the JVM truststore of the application server on which Oracle Identity Manager is running.

    To import the certificate into the truststore, run the following command (keytool is in the bin directory of the JDK that the application server runs on):

    keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
    

    In this command:

    • Replace FILE_LOCATION with the full path and name of the certificate file.

    • Replace ALIAS with an alias for the certificate.

    • Replace TRUSTSTORE_PASSWORD with the password of the truststore.

    • Replace TRUSTSTORE_LOCATION with one of the truststore paths from Table 2-7. This table shows the location of the truststore for each of the supported application servers.

    Note:

    In an Oracle Identity Manager cluster, you must import the file into the truststore on each node of the cluster.

    Table 2-7 Truststore Locations on Supported Application Servers

    Application Server Truststore Location

    For Oracle Identity Manager release 9.1.0.x on Oracle WebLogic Server

    WEBLOGIC_HOME/java/jre/lib/security/cacerts

    For Oracle Identity Manager release 9.1.0.x on IBM WebSphere Application Server

    WEBSPHERE_HOME/java/jre/lib/security/cacerts

    For Oracle Identity Manager release 9.1.0.x on JBoss Application Server

    JAVA_HOME/jre/lib/security/cacerts

    For Oracle Identity Manager release 9.1.0.x on Oracle Application Server

    ORACLE_HOME/jdk/jre/lib/security/cacerts

    For Oracle Identity Manager release 11.1.1 and 11.1.2.x on Oracle WebLogic Server

    JAVA_HOME/jre/lib/security/cacerts
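The keytool import step is the same in sections 2.3.3, 2.3.4.2 and 2.3.5: copy the exported certificate to the Oracle Identity Manager host and add it to the JVM truststore on every node. The following shell script is an added example, not code from the connector guide or from Oracle; it wraps that step in a function that is safe to re-run, verifies the import by comparing the SHA-256 fingerprint of the PEM file with the fingerprint keytool reports for the stored entry, and refuses to overwrite an alias that already holds a different certificate. It assumes that keytool (from the same JDK that owns the truststore) and openssl are on PATH; the paths, alias and password shown are placeholders, not values from the guide.

```shell
#!/bin/sh
# Added example (not from the connector guide): import a PEM certificate into
# a JVM truststore and verify the import by comparing SHA-256 fingerprints.
# Assumes keytool (from the same JDK that owns the truststore) and openssl are
# on PATH. Paths, alias and password used below are placeholders.

# SHA-256 fingerprint of a PEM certificate, in the form keytool prints it
# (upper-case hex, colon-separated). Empty output means the file is unreadable.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of the entry stored under ALIAS; empty if the truststore
# or the alias does not exist.
truststore_fingerprint() {
    store=$1; pass=$2; alias=$3
    keytool -list -v -keystore "$store" -storepass "$pass" -alias "$alias" 2>/dev/null \
        | awk '/SHA256:/ { print $2; exit }' | tr 'a-f' 'A-F'
}

# import_trusted_cert CERT.pem TRUSTSTORE STOREPASS ALIAS
# Idempotent: a second run with the same certificate is a no-op, and an alias
# that already holds a different certificate is never silently replaced.
# Returns 0 on success or already-present, 1 on read/import failure,
# 2 on alias conflict, 3 if the stored entry does not match the file.
import_trusted_cert() {
    cert=$1; store=$2; pass=$3; alias=$4
    want=$(pem_fingerprint "$cert")
    if [ -z "$want" ]; then
        echo "cannot read certificate $cert" >&2
        return 1
    fi
    have=$(truststore_fingerprint "$store" "$pass" "$alias")
    if [ "$have" = "$want" ]; then
        echo "$alias already present ($want)"
        return 0
    fi
    if [ -n "$have" ]; then
        echo "refusing to replace $alias: stored $have, file $want" >&2
        return 2
    fi
    keytool -importcert -noprompt -trustcacerts -file "$cert" \
        -keystore "$store" -storepass "$pass" -alias "$alias" >/dev/null 2>&1 || return 1
    have=$(truststore_fingerprint "$store" "$pass" "$alias")
    if [ "$have" != "$want" ]; then
        echo "import of $alias could not be verified" >&2
        return 3
    fi
    echo "$alias imported ($want)"
}

# Typical use on one Oracle Identity Manager node (placeholder values):
#   import_trusted_cert /tmp/ca-cert.pem "$JAVA_HOME/jre/lib/security/cacerts" changeit mysql-ca
# Repeat on every node of the cluster, then restart each node.
```

Compare the fingerprint the script prints with the one shown by `openssl x509 -noout -fingerprint -sha256` on the database host before you trust the copy: the file travelled between machines, and the fingerprint is the only evidence that the bytes in the truststore are the ones the database administrator exported. To confirm that the server really negotiates TLS with that CA, `openssl s_client -starttls mysql -connect DBHOST:3306 -CAfile ca-cert.pem` (OpenSSL 1.1.1 or later; plain `-connect` without `-starttls` for an Oracle TCPS listener) should report a verified chain.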