2 Deploying the Connector

The procedure to deploy the connector can be divided into the following stages:

2.1 Preinstallation

Preinstallation information is divided across the following sections:

2.1.1 Preinstallation on Oracle Identity Manager

This section contains the following topics:

2.1.1.1 Files and Directories On the Installation Media

Table 2-1 describes the contents of the connector deployment directory.

Table 2-1 Files and Directories On the Installation Media

File in the Installation Media Directory Description

config/ebsERQuery.properties

This file contains the SQL queries that are used during reconciliation.

See Section 4.5, "Configuring Reconciliation Queries" for more information.

configuration/Oracle_Employee_Reconciliation-CI.xml

This XML file contains configuration information that is used during connector installation.

lib/EBSER.jar

This JAR file contains the class files that are required for reconciliation. During connector deployment, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/ScheduleTask

  • Oracle Identity Manager release 11.1.x: Oracle Identity Manager database

lib/EBSCommon.jar

This JAR file contains the class files that are used by both this connector and the Oracle E-Business User Management connector. During connector deployment, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/JavaTasks

  • Oracle Identity Manager release 11.1.x: Oracle Identity Manager database

lib/Common.jar

This JAR file contains classes that are used by all release 9.1.0 connectors.

During connector deployment, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/JavaTasks

  • Oracle Identity Manager release 11.1.x: Oracle Identity Manager database

Files in the resources directory

Each of these resource bundles contains language-specific information that is used by the connector. During connector deployment, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/connectorResources

  • Oracle Identity Manager release 11.1.x: Oracle Identity Manager database

Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages.

scripts/OimUserSynonyms.sql

This file contains commands to create synonyms for the Oracle Identity Manager wrapper and various tables used in the target system schema for reconciliation.

This file is used when you perform the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations".

scripts/OimUserGrants.sql

The file contains commands to provide the required grants to the target system account that is used for connector operations.

This file is used when you perform the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations".

scripts/OimUser.sql

The file contains commands to create and configure the target system account that is used for connector operations.

This file is used when you perform the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations".

scripts/OIM.sh

scripts/OIM.bat

The script contains commands to call the SQL files in the scripts directory.

This script is used when you perform the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations".

scripts/OIM_FND_GLOBAL.pck

scripts/OIM_FND_USER_PKG.pck

These files contain the code that is called when you create the target system user account.

These files are used when you perform the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations".

xml/Oracle-eBusinessSuite_ER-ConnectorConfig.xml

This XML file contains definitions for the following components of the connector:

  • IT resource type

  • IT resource

  • Resource object

  • Scheduled task for trusted source reconciliation


2.1.1.2 Determining the Release Number of the Connector

You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:

  1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 9.1.0.x:

      In a temporary directory, extract the contents of the connector JAR file that is in the OIM_HOME/xellerate/ScheduleTask directory.

    • For Oracle Identity Manager release 11.1.x:

      In a temporary directory, download the connector JAR file from Oracle Identity Manager database using the DownloadJars utility.

  2. Open the Manifest.mf file in a text editor. The Manifest.mf file is one of the files bundled inside the connector JAR file.

    In the Manifest.mf file, the release number of the connector is displayed as the value of the Version property.

2.1.1.3 Creating a Backup of the Existing Common.jar File

The Common.jar file is in the deployment package of each 9.1.x release of the connector. With each new release, code corresponding to that particular release is added to the existing code in this file. For example, the Common.jar file shipped with Connector Y on 12-July contains:

  • Code specific to Connector Y

  • Code included in the Common.jar files shipped with all other 9.1.x releases of the connectors that were released before 12-July

If you have installed a release 9.1.x connector that was released after the current release of the Oracle E-Business Employee Reconciliation connector, back up the existing Common.jar file, install the Oracle E-Business Employee Reconciliation connector, and then restore the Common.jar file. The steps to perform this procedure are as follows:

Caution:

If you do not perform this procedure, then your release 9.1.x connectors might not work.

  1. Determine the release date of your existing release 9.1.x connector as follows:

    1. Extract the contents of the following file in a temporary directory:

      OIM_HOME/xellerate/JavaTasks/Common.jar

      Note:

      On Oracle Identity Manager release 11.1.x, use the Oracle Identity Manager Download JARs utility to download the Common.jar file from the database, and then extract the contents of this file into a temporary directory.

      See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for instructions about using the Download JARs utility.

    2. Open the Manifest.mf file in a text editor.

    3. Note down the Build Date and Build Version values.

  2. Determine the Build Date and Build Version values of the current release of the Oracle E-Business Employee Reconciliation connector as follows:

    1. On the installation media for the connector, extract the contents of the lib/Common.jar and then open the Manifest.mf file in a text editor.

    2. Note down the Build Date and Build Version values.

  3. If the Build Date and Build Version values for the Oracle E-Business Employee Reconciliation connector are less than the Build Date and Build Version values for the connector that is installed, then:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

      1. Copy the OIM_HOME/xellerate/JavaTasks/Common.jar to a temporary location.

      2. After you perform the procedure described in Section 2.2, "Installation", overwrite the new Common.jar file in the OIM_HOME/xellerate/JavaTasks directory with the Common.jar file that you backed up in the preceding step.

    • If you are using Oracle Identity Manager release 11.1.x, then run the Oracle Identity Manager Upload JARs utility to post the Common.jar file to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:

      Note:

      Before you run this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.

      For Microsoft Windows:

      OIM_HOME/server/bin/UploadJars.bat
      

      For UNIX:

      OIM_HOME/server/bin/UploadJars.sh
       
      

      When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.

      See Also:

      Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about the Upload JARs utility

2.1.2 Preinstallation on the Target System

Preinstallation on the target system involves performing the following procedure:

2.1.2.1 Creating a Target System User Account for Connector Operations

Note:

You must have DBA privileges to be able to grant the required permissions to the target system user account.

You must have Oracle Client installed on the computer on which you perform the procedure described in this section. The Oracle Client release must be the same as the database release. In addition, if Oracle Client is not installed on the database host computer, then the tnsnames.ora file on the Oracle Client host must contain an entry for the SID of the database.

Oracle Identity Manager requires a target system user account to access the target system during reconciliation operations. You provide the credentials of this user account while performing the procedure described in Section 2.3.6, "Configuring the IT Resource".

To create a target system user account for connector operations:

  1. Copy the scripts directory from the installation media to a temporary directory on either the target system server or to a computer on which the Oracle Database client has been installed.

  2. On the computer where you copy the scripts directory, verify that there is a TNS entry in the tnsnames.ora file for the target system database.

  3. Depending on the host platform, run either the OIM.sh or OIM.bat file.

  4. When you run the script, you are prompted to enter the following information:

    • ORACLE_HOME path

      This prompt is displayed only if the ORACLE_HOME environment variable has not been set on the computer on which you are running the script.

    • Enter the system user name

      Enter the login (user name) of a DBA account with the privileges to create and configure a new target system user.

    • Enter the name of the database

      Enter the connection string or service name given in the tnsnames.ora file to connect to the target system database.

    • Enter the name of the tablespace to be created

      Enter a name for the tablespace to be created for the user.

    • Enter the name of the datafile to be created

      Enter a name for the datafile to be created for the user.

    • Enter the path for the datafile to be created

      Enter the path where the datafile must be created. The path is relative to the repository of the directory in which the target system is installed. If you do not enter a value at this prompt, then the default directory is created.

    • Enter the password

      Enter the password of the DBA account whose login you entered earlier.

    • Details of the target system account that you want to create

      Enter a user name and password for the target system account that you want to create.

    • Connecting with newly created database user

      Enter the connection string or service name that you provided earlier.

During the account creation process, the following privileges are granted to the account:

Note:

The OimUserGrants.sql file contains commands to grant these permissions.

SELECT ON APPS.PER_ALL_PEOPLE_F

SELECT ON APPS.PER_ADDRESSES

SELECT ON APPS.PER_ALL_ASSIGNMENTS_F

SELECT ON APPS.HR_LOCATIONS_ALL

SELECT ON APPS.HR_ALL_ORGANIZATION_UNITS

SELECT ON APPS.PER_PERIODS_OF_SERVICE

SELECT ON APPS.PER_PERSON_TYPE_USAGES_F

SELECT ON APPS.PER_JOBS

SELECT ON APPS.PER_GRADES

CREATE SESSION

CREATE SYNONYM

At the end of the operation, a log file (OIM_APPS_USER.log) is created in the scripts directory. Verify that there are no error messages in the log file. If no error messages are recorded in the log file, then the account has been created successfully.
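The following Python check is an added example, not part of the Oracle guide or of the scripts on the installation media. It compares the grants actually held by the connector account with the privilege list in this section, so that missing, extra, and re-grantable privileges stand out. The CSV inputs are constructed samples, and the export queries shown in the comments are an assumption about how a DBA would collect them.

```python
import csv
import io

# Baseline copied from the privilege list in this section of the guide.
EXPECTED_OBJECT_PRIVS = {
    ("SELECT", "APPS", table) for table in (
        "PER_ALL_PEOPLE_F", "PER_ADDRESSES", "PER_ALL_ASSIGNMENTS_F",
        "HR_LOCATIONS_ALL", "HR_ALL_ORGANIZATION_UNITS",
        "PER_PERIODS_OF_SERVICE", "PER_PERSON_TYPE_USAGES_F",
        "PER_JOBS", "PER_GRADES",
    )
}
EXPECTED_SYSTEM_PRIVS = {"CREATE SESSION", "CREATE SYNONYM"}

# Constructed sample exports (not real data). Assumed to come from a DBA running:
#   SELECT privilege, owner, table_name, grantable
#     FROM dba_tab_privs WHERE grantee = :account;
#   SELECT privilege, admin_option FROM dba_sys_privs WHERE grantee = :account;
SAMPLE_TAB_PRIVS = """\
PRIVILEGE,OWNER,TABLE_NAME,GRANTABLE
SELECT,APPS,PER_ALL_PEOPLE_F,NO
UPDATE,APPS,PER_ALL_PEOPLE_F,NO
SELECT,APPS,PER_ADDRESSES,NO
SELECT,APPS,PER_ALL_ASSIGNMENTS_F,NO
SELECT,APPS,HR_LOCATIONS_ALL,NO
SELECT,APPS,HR_ALL_ORGANIZATION_UNITS,NO
SELECT,APPS,PER_PERIODS_OF_SERVICE,NO
SELECT,APPS,PER_PERSON_TYPE_USAGES_F,NO
SELECT,APPS,PER_JOBS,YES
"""

SAMPLE_SYS_PRIVS = """\
PRIVILEGE,ADMIN_OPTION
CREATE SESSION,NO
CREATE SYNONYM,NO
SELECT ANY TABLE,NO
"""


def _read(csv_text):
    """Parse CSV text into dicts with stripped, upper-cased keys and values."""
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    return [
        {key.strip().upper(): (value or "").strip().upper()
         for key, value in row.items()}
        for row in reader
    ]


def _obj(priv):
    """Format an object privilege tuple as 'PRIVILEGE ON OWNER.OBJECT'."""
    privilege, owner, name = priv
    return f"{privilege} ON {owner}.{name}"


def audit_grants(tab_privs_csv, sys_privs_csv):
    """Diff the account's actual grants against the documented baseline."""
    tab_rows = _read(tab_privs_csv)
    sys_rows = _read(sys_privs_csv)
    actual_obj = {(r["PRIVILEGE"], r["OWNER"], r["TABLE_NAME"]) for r in tab_rows}
    actual_sys = {r["PRIVILEGE"] for r in sys_rows}
    return {
        # Documented but absent: reconciliation queries are likely to fail.
        "missing": sorted(map(_obj, EXPECTED_OBJECT_PRIVS - actual_obj))
        + sorted(EXPECTED_SYSTEM_PRIVS - actual_sys),
        # Present but not documented here: review against least privilege.
        "excess": sorted(map(_obj, actual_obj - EXPECTED_OBJECT_PRIVS))
        + sorted(actual_sys - EXPECTED_SYSTEM_PRIVS),
        # Grants the account could pass on to other users.
        "delegable": sorted(
            [_obj((r["PRIVILEGE"], r["OWNER"], r["TABLE_NAME"]))
             for r in tab_rows if r["GRANTABLE"] == "YES"]
            + [r["PRIVILEGE"] for r in sys_rows if r["ADMIN_OPTION"] == "YES"]
        ),
    }


if __name__ == "__main__":
    report = audit_grants(SAMPLE_TAB_PRIVS, SAMPLE_SYS_PRIVS)
    for kind, items in report.items():
        print(f"{kind}:")
        for item in items:
            print(f"  {item}")
```

Privileges that reach the account through a role do not appear in these two views; dba_role_privs lists the roles to review separately.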

2.2 Installation

Installing the connector on Oracle Identity Manager involves the following procedures:

2.2.1 Running the Connector Installer

Note:

In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.

Installing the connector involves running the Connector Installer.

To run the Connector Installer:

  1. Copy the contents of the connector installation media into the following directory:

    Note:

    In an Oracle Identity Manager cluster, perform this step on each node of the cluster.

    • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/ConnectorDefaultDirectory

    • For Oracle Identity Manager release 11.1.x: OIM_HOME/server/ConnectorDefaultDirectory

  2. Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of the following guide:

    • For Oracle Identity Manager release 9.1.0.x:

      Oracle Identity Manager Administrative and User Console Guide

    • For Oracle Identity Manager release 11.1.x:

      Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager

  3. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 9.1.0.x:

      Click Deployment Management, and then click Install Connector.

    • For Oracle Identity Manager release 11.1.1.x:

      On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Install Connector.

    • For Oracle Identity Manager release 11.1.2.x or later:

      1. Log in to Oracle Identity System Administration by using the user account described in the "Creating the User Account for Installing Connectors" section of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

      2. In the left pane, under System Management, click Manage Connector.

  4. From the Connector List list, select Oracle EBS Employee Reconciliation RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory:

    OIM_HOME/xellerate/ConnectorDefaultDirectory

    The following screenshot shows the Administrative and User Console page on which you select the connector for installation:

    The Select Connector to Install page

    If you have copied the installation files into a different directory, then:

    1. In the Alternative Directory field, enter the full path and name of that directory.

    2. To repopulate the list of connectors in the Connector List list, click Refresh.

    3. From the Connector List list, select Oracle EBS Employee Reconciliation RELEASE_NUMBER.

  5. Click Load.

  6. To start the installation process, click Continue.

    The following tasks are performed in sequence:

    1. Configuration of connector libraries

    2. Import of the connector configuration XML file (by using the Deployment Manager).

    3. Compilation of adapters

    On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:

    • Retry the installation by clicking Retry.

    • Cancel the installation and begin again from Step 1.

  7. If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed, as shown in the following screenshot:

    The page showing successful installation

    In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:

    1. Ensuring that the prerequisites for using the connector are addressed

      Note:

      At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Section 2.1.2, "Preinstallation on the Target System" for information about running the PurgeCache utility.

      The prerequisites for this connector are also described later in this guide.

    2. Configuring the IT resource for the connector

      Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is in Section 2.3.6, "Configuring the IT Resource".

    3. Configuring the scheduled tasks that are created when you install the connector

      Record the names of the scheduled tasks displayed on this page. The procedure to configure these scheduled tasks is described in Section 3.2.7, "Configuring the Reconciliation Scheduled Tasks".

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-1.

Installing the Connector in an Oracle Identity Manager Cluster

While installing Oracle Identity Manager in a clustered environment, you must copy all the JAR files and the contents of the connectorResources directory into the corresponding directories on each node of the cluster. See Section 2.1.1.1, "Files and Directories On the Installation Media" for information about the files that you must copy and their destination locations on the Oracle Identity Manager server.

2.2.2 Copying Files to the Oracle Identity Manager Host Computer

After you run the Connector Installer, depending on the Oracle Identity Manager release you are using, manually copy the following files:

Note:

If a particular destination directory does not exist on the Oracle Identity Manager host computer, then create it.

  • For Oracle Identity Manager release 9.1.0.x:

    Copy the files in the config directory to the OIM_HOME/xellerate/XLintegrations/EBSER/config directory.

  • For Oracle Identity Manager release 11.1.x:

    Copy the files in the config directory to the OIM_HOME/server/XLintegrations/EBSER/config directory.

2.3 Postinstallation

Postinstallation procedures are described in the following sections:

2.3.1 Clearing Content Related to Connector Resource Bundles from the Server Cache

Note:

In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster. Then, restart each node.

When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the OIM_HOME/xellerate/connectorResources directory for Oracle Identity Manager release 9.1.0.x and Oracle Identity Manager database for Oracle Identity Manager release 11.1.x. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

  1. In a command window, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then switch to the OIM_HOME/xellerate/bin directory.

    • If you are using Oracle Identity Manager release 11.1.x, then switch to the OIM_HOME/server/bin directory.

    Note:

    You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:

    For Oracle Identity Manager release 9.1.0.x:

    OIM_HOME/xellerate/bin/SCRIPT_FILE_NAME
    

    For Oracle Identity Manager release 11.1.x:

    OIM_HOME/server/bin/SCRIPT_FILE_NAME
    
  2. Enter one of the following commands:

    • For Oracle Identity Manager release 9.1.0.x:

      On Microsoft Windows: PurgeCache.bat ConnectorResourceBundle

      On UNIX: PurgeCache.sh ConnectorResourceBundle

      Note:

      You can ignore the exception that is thrown when you perform Step 2. This exception is different from the one mentioned in Step 1.

      In this command, ConnectorResourceBundle is one of the content categories that you can delete from the server cache. See the following file for information about the other content categories:

      OIM_HOME/xellerate/config/xlconfig.xml

    • For Oracle Identity Manager release 11.1.x:

      On Microsoft Windows: PurgeCache.bat All

      On UNIX: PurgeCache.sh All

      When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:

      t3://OIM_HOST_NAME:OIM_PORT_NUMBER
      

      In this format:

      • Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.

      • Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.

    See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.

2.3.2 Enabling Logging

Depending on the Oracle Identity Manager release you are using, perform instructions in one of the following sections:

2.3.2.1 Enabling Logging on Oracle Identity Manager Release 9.1.0.x

Note:

In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster. Then, restart each node.

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • ALL

    This level enables logging for all events.

  • DEBUG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • INFO

    This level enables logging of messages that highlight the progress of the application at a coarse-grained level.

  • WARN

    This level enables logging of information about potentially harmful situations.

  • ERROR

    This level enables logging of information about error events that might allow the application to continue running.

  • FATAL

    This level enables logging of information about very severe error events that could cause the application to stop functioning.

  • OFF

    This level disables logging for all events.

The file in which you set the log level and the log file path depend on the application server that you use. Depending on the application server that you use, perform the procedure given in one of the following sections:

2.3.2.1.1 Enabling Logging on IBM WebSphere Application Server and Oracle WebLogic Server

To enable logging on IBM WebSphere Application Server or Oracle WebLogic Server:

  1. Make the following changes in the OIM_HOME/config/log.properties file:

    • Search for the following line:

      log4j.rootLogger=WARN,stdout
      
    • Make this line a comment and uncomment the line preceding this line.

    • Locate the following lines, and then uncomment them by removing the number sign (#) at the start of the lines:

      #log4j.appender.logfile=org.apache.log4j.DailyRollingFileAppender
      #log4j.appender.logfile.DatePattern='.'yyyy-MM-dd
      

      Note:

      You can change the default date format given in the preceding line.

      #log4j.appender.logfile.File=c:/oracle/xellerate/logs/xel.log
      #log4j.appender.logfile.MaxBackupIndex=20
      #log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
      #log4j.appender.logfile.layout.ConversionPattern=%p %t %c - %m%n
      
  2. In the following line, replace c:/oracle/xellerate/logs/xel.log with the name and the location of the file to which the logs listed in the preceding step must be written:

    log4j.appender.logfile.File=c:/oracle/xellerate/logs/xel.log
    
  3. Add the following line in the OIM_HOME/config/log.properties file:

    log4j.logger.OIMCP.EBSER=LOG_LEVEL
    
  4. In this line, replace LOG_LEVEL with the log level that you want to set.

    For example:

    log4j.logger.OIMCP.EBSER=DEBUG

After you enable logging, the log information is written to the following file:

DIRECTORY_PATH/xel.log

2.3.2.1.2 Enabling Logging on JBoss Application Server

To enable logging on JBoss Application Server:

  1. In the JBOSS_HOME/server/default/conf/jboss-log4j.xml file, locate or add the following lines:

    <category name="OIMCP.EBSER">
       <priority value="LOG_LEVEL"/>
    </category>
    
  2. In the second XML code line of each set, replace LOG_LEVEL with the log level that you want to set. For example:

    <category name="OIMCP.EBSER">
       <priority value="DEBUG"/>
    </category>
    

After you enable logging, the log information is written to the following file:

JBOSS_HOME/server/default/log/server.log

2.3.2.1.3 Enabling Logging on Oracle Application Server

To enable logging on Oracle Application Server:

  1. Add the following line in the OIM_HOME/xellerate/config/log.properties file:

    log4j.logger.OIMCP.EBSER=LOG_LEVEL
    
  2. In this line, replace LOG_LEVEL with the log level that you want to set.

    For example:

    log4j.logger.OIMCP.EBSER=DEBUG
    

After you enable logging, the log information is written to the following file:

ORACLE_HOME/opmn/logs/default_group~home~default_group~1.log

2.3.2.2 Enabling Logging on Oracle Identity Manager Release 11.1.x

Note:

In an Oracle Identity Manager cluster, perform this step on each node of the cluster. Then, restart each node.

Oracle Identity Manager release 11.1.x uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.logging. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • SEVERE.intValue()+100

    This level enables logging of information about fatal errors.

  • SEVERE

    This level enables logging of information about errors that may allow Oracle Identity Manager to continue running.

  • WARNING

    This level enables logging of information about potentially harmful situations.

  • INFO

    This level enables logging of messages that highlight the progress of the application.

  • CONFIG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • FINE, FINER, FINEST

    These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These log levels are mapped to the ODL message type and level combinations as shown in Table 2-2.

Table 2-2 Log levels and ODL Message Type:Level Combinations

Log Level                ODL Message Type:Level

SEVERE.intValue()+100    INCIDENT_ERROR:1
SEVERE                   ERROR:1
WARNING                  WARNING:1
INFO                     NOTIFICATION:1
CONFIG                   NOTIFICATION:16
FINE                     TRACE:1
FINER                    TRACE:16
FINEST                   TRACE:32


The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Manager.

To enable logging in Oracle WebLogic Server:

  1. Edit the logging.xml file as follows:

    1. Add the following blocks in the file:

      <log_handler name='ebs-er-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
        <property name='logreader:' value='off'/>
        <property name='path' value='[FILE_NAME]'/>
        <property name='format' value='ODL-Text'/>
        <property name='useThreadName' value='true'/>
        <property name='locale' value='en'/>
        <property name='maxFileSize' value='5242880'/>
        <property name='maxLogSize' value='52428800'/>
        <property name='encoding' value='UTF-8'/>
      </log_handler>

      <logger name="OIMCP.EBSER" level="[LOG_LEVEL]" useParentHandlers="false">
        <handler name="ebs-er-handler"/>
        <handler name="console-handler"/>
      </logger>
      
    2. Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 2-2 lists the supported message type and level combinations.

      Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.

      The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME] :

      <log_handler name='ebs-er-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
        <property name='logreader:' value='off'/>
        <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/>
        <property name='format' value='ODL-Text'/>
        <property name='useThreadName' value='true'/>
        <property name='locale' value='en'/>
        <property name='maxFileSize' value='5242880'/>
        <property name='maxLogSize' value='52428800'/>
        <property name='encoding' value='UTF-8'/>
      </log_handler>

      <logger name="OIMCP.EBSER" level="NOTIFICATION:1" useParentHandlers="false">
        <handler name="ebs-er-handler"/>
        <handler name="console-handler"/>
      </logger>
      

    With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.

  2. Save and close the file.

  3. Specify the following environment variable to redirect the server logs to a file:

    For Microsoft Windows:

    set WLS_REDIRECT_LOG=<filename>
    

    For UNIX:

    export WLS_REDIRECT_LOG=<filename>
    

    Replace the tag <filename> with the actual name of the file to which you want to redirect the output.

  4. Restart the application server.
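The following Python check is an added example, not part of the Oracle guide. It validates the connector entries in logging.xml before the server is restarted: placeholders left unreplaced, levels that are not in Table 2-2, handlers that the logger references but the file does not define, and TRACE levels left enabled. Both sample documents are constructed, including the wrapper elements around the blocks shown above.

```python
import xml.etree.ElementTree as ET

# ODL message type:level combinations listed in Table 2-2 of this guide.
ODL_LEVELS = {
    "INCIDENT_ERROR:1", "ERROR:1", "WARNING:1", "NOTIFICATION:1",
    "NOTIFICATION:16", "TRACE:1", "TRACE:16", "TRACE:32",
}

# Constructed sample: the blocks from this section with sample values filled in.
GOOD_LOGGING_XML = """
<logging_configuration>
  <log_handlers>
    <log_handler name='console-handler'/>
    <log_handler name='ebs-er-handler' level='NOTIFICATION:1'
                 class='oracle.core.ojdl.logging.ODLHandlerFactory'>
      <property name='path' value='/tmp/example/ebs-er-diagnostic.log'/>
      <property name='format' value='ODL-Text'/>
    </log_handler>
  </log_handlers>
  <loggers>
    <logger name="OIMCP.EBSER" level="NOTIFICATION:1" useParentHandlers="false">
      <handler name="ebs-er-handler"/>
      <handler name="console-handler"/>
    </logger>
  </loggers>
</logging_configuration>
"""

# Constructed sample: placeholders not replaced, console-handler not defined,
# and the logger left at the most verbose level.
BAD_LOGGING_XML = """
<logging_configuration>
  <log_handlers>
    <log_handler name='ebs-er-handler' level='[LOG_LEVEL]'
                 class='oracle.core.ojdl.logging.ODLHandlerFactory'>
      <property name='path' value='[FILE_NAME]'/>
    </log_handler>
  </log_handlers>
  <loggers>
    <logger name="OIMCP.EBSER" level="TRACE:32" useParentHandlers="false">
      <handler name="ebs-er-handler"/>
      <handler name="console-handler"/>
    </logger>
  </loggers>
</logging_configuration>
"""


def check_connector_logging(xml_text, logger_name="OIMCP.EBSER",
                            handler_name="ebs-er-handler"):
    """Return a list of (severity, message) findings for logging.xml text."""
    findings = []
    root = ET.fromstring(xml_text)
    handlers = {h.get("name"): h for h in root.iter("log_handler")}
    logger = next((item for item in root.iter("logger")
                   if item.get("name") == logger_name), None)
    if logger is None:
        return [("error", f"logger {logger_name} is not defined")]

    logger_level = logger.get("level")
    if logger_level not in ODL_LEVELS:
        findings.append(("error", f"logger level {logger_level!r} is not in Table 2-2"))
    elif logger_level.startswith("TRACE"):
        findings.append(("warning", f"logger level {logger_level} is a TRACE "
                         "level; confirm it is meant to stay enabled"))

    # Every handler the logger names must exist in the same file.
    referenced = [h.get("name") for h in logger.findall("handler")]
    for name in referenced:
        if name not in handlers:
            findings.append(("error", f"handler {name!r} is referenced but not defined"))
    if handler_name not in referenced:
        findings.append(("error", f"logger does not reference {handler_name}"))

    handler = handlers.get(handler_name)
    if handler is not None:
        handler_level = handler.get("level")
        if handler_level not in ODL_LEVELS:
            findings.append(("error", f"handler level {handler_level!r} is not in Table 2-2"))
        elif logger_level in ODL_LEVELS and handler_level != logger_level:
            # The guide replaces both [LOG_LEVEL] occurrences with one value.
            findings.append(("warning", f"handler level {handler_level} differs "
                             f"from logger level {logger_level}"))
        props = {p.get("name"): p.get("value") or ""
                 for p in handler.findall("property")}
        path = props.get("path", "")
        if not path or "[" in path:
            findings.append(("error", f"handler path {path!r} is not set"))
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_LOGGING_XML), ("bad", BAD_LOGGING_XML)):
        print(label, check_connector_logging(text))
```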

2.3.3 Setting Up Connection Pooling

If you want to use the connection pooling feature, then:

  1. Configure the Lookup.EBS.ER.Configurations lookup definition as follows:

    1. Log in to the Design Console.

    2. Expand the Administration folder, and then double-click Lookup Definition.

    3. Search for and open the Lookup.EBS.ER.Configurations lookup definition.

    4. In the Decode column for the USE_CONNECTION_POOLING Code Key, enter Yes.

      The following screenshot shows the Lookup.EBS.ER.Configurations lookup definition:

      The Lookup Definition screen

    5. Click the Save icon.

  2. Specify values for the IT resource parameters that are related to connection pooling. The procedure to configure the IT resource is described later in this guide.

  3. If Oracle Identity Manager is running on Oracle Application Server, then edit the opmn.xml file as follows:

    1. Open the following file in a text editor:

      OAS_HOME/opmn/conf/opmn.xml

    2. Search for the following block of lines:

      <process-type id="ADMIN_SERVER" module-id="OC4J" status="enabled">
        <module-data>
          <category id="start-parameters">
      

      Replace ADMIN_SERVER with the name of the Oracle Application Server instance.

    3. After this block of lines, add the following line:

      <data id="oc4j-options" value="-userThreads"/>
      
    4. Save and close the file.

    5. Restart the server.

2.3.4 Configuring Secure Communication Between the Target System and Oracle Identity Manager

To secure communication between Oracle Database and Oracle Identity Manager, you can perform either one or both of the following procedures:

Note:

To perform the procedures described in this section, you must have the permissions required to modify the TNS listener configuration file.

2.3.4.1 Configuring Data Encryption and Integrity in Oracle Database

See Oracle Database Advanced Security Administrator's Guide for information about configuring data encryption and integrity.

2.3.4.2 Configuring SSL Communication in Oracle Database

To enable SSL communication between Oracle Database and Oracle Identity Manager:

  1. See Oracle Database Advanced Security Administrator's Guide for information about enabling SSL communication between Oracle Database and Oracle Identity Manager.

  2. Export the certificate on the Oracle Database host computer.

  3. Copy the certificate to Oracle Identity Manager.

  4. Import the certificate into the JVM certificate store of the application server on which Oracle Identity Manager is running.

    To import the certificate into the certificate store, run the following command:

    keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
    

    In this command:

    • Replace FILE_LOCATION with the full path and name of the certificate file.

    • Replace ALIAS with an alias for the certificate.

    • Replace TRUSTSTORE_PASSWORD with a password for the certificate store.

    • Replace TRUSTSTORE_LOCATION with one of the certificate store paths given in Table 2-3. This table shows the location of the certificate store for each of the supported application servers.

    Note:

    In an Oracle Identity Manager cluster, you must import the file into the certificate store on each node of the cluster.

    Table 2-3 Certificate Store Locations

    Application Server Certificate Store Location

    Oracle WebLogic Server

    • If you are using Oracle jrockit_R27.3.1-jdk, then copy the certificate into the following directory:

      JROCKIT_HOME/jre/lib/security

    • If you are using the default Oracle WebLogic Server JDK, then copy the certificate into the following directory:

      WEBLOGIC_HOME/java/jre/lib/security/cacerts

    IBM WebSphere Application Server

    • For a nonclustered configuration of any supported IBM WebSphere Application Server release, import the certificate into the following certificate store:

      WEBSPHERE_HOME/java/jre/lib/security/cacerts

    • For IBM WebSphere Application Server 6.1.x, in addition to the cacerts certificate store, you must import the certificate into the following certificate store:

      WEBSPHERE_HOME/Web_Sphere/profiles/SERVER_NAME/config/cells/CELL_NAME/nodes/NODE_NAME/trust.p12

      For example:

      C:/Web_Sphere/profiles/AppSrv01/config/cells/tcs055071Node01Cell/nodes/tcs055071Node0/trust.p12

    • For IBM WebSphere Application Server 5.1.x, in addition to the cacerts certificate store, you must import the certificate into the following certificate store:

      WEBSPHERE_HOME/etc/DummyServerTrustFile.jks

    JBoss Application Server

    JAVA_HOME/jre/lib/security/cacerts

    Oracle Application Server

    ORACLE_HOME/jdk/jre/lib/security/cacerts


2.3.5 Determining Values for the JDBC URL and Connection Properties Parameters

This section discusses the JDBC URL and Connection Properties parameters. You apply the information in this section while performing the procedure described in Section 2.3.6, "Configuring the IT Resource".

The values that you specify for the JDBC URL and Connection Properties parameters depend on the security measures that you have implemented. This section contains the following topics:

2.3.5.1 Supported JDBC URL Formats

The following are the supported JDBC URL formats:

  • Multiple database instances support one service (Oracle RAC)

    JDBC URL format:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=HOST1_NAME.DOMAIN)(PORT=PORT1_NUMBER))(ADDRESS=(PROTOCOL=TCP)(HOST=HOST2_NAME.DOMAIN)(PORT=PORT2_NUMBER))(ADDRESS=(PROTOCOL=TCP)(HOST=HOST3_NAME.DOMAIN)(PORT=PORT3_NUMBER)) . . . (ADDRESS=(PROTOCOL=TCP)(HOST=HOSTn_NAME.DOMAIN)(PORT=PORTn_NUMBER))(CONNECT_DATA=(SERVICE_NAME=ORACLE_DATABASE_SERVICE_NAME)))

    Sample value:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=host1.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=host2.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=host3.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=host4.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=srvce1)))

  • One database instance supports one service

    JDBC URL format:

    jdbc:oracle:thin:@HOST_NAME.DOMAIN:PORT_NUMBER:ORACLE_DATABASE_SERVICE_NAME

    Sample value:

    jdbc:oracle:thin:@host1.example:1521:srvce1

  • One database instance supports multiple services (for Oracle Database 10g and later)

    JDBC URL format:

    jdbc:oracle:thin:@//HOST_NAME.DOMAIN:PORT_NUMBER/ORACLE_DATABASE_SERVICE_NAME

    Sample value:

    jdbc:oracle:thin:@host1.example.com:1521/srvce1

2.3.5.2 Only Data Encryption and Integrity Is Configured

If you have configured only data encryption and integrity, then enter the following values:

  • JDBC URL parameter

    While creating the connector, the value that you specify for the JDBC URL parameter must be in the following format:

    jdbc:oracle:thin:@TARGET_HOST_NAME_or_IP_ADDRESS:PORT_NUM:sid
    

    The following is a sample value for the JDBC URL parameter:

    jdbc:oracle:thin:@ten.mydomain.com:1521:cust_db
    
  • Connection Properties parameter

    After you configure data encryption and integrity, the connection properties are recorded in the sqlnet.ora file. The value that you must specify for the Connection Properties parameter is explained by the following sample scenario:

    See Also:

    Oracle Database Advanced Security Administrator's Guide for information about the sqlnet.ora file

    Suppose the following entries are recorded in the sqlnet.ora file:

    SQLNET.ENCRYPTION_SERVER=REQUIRED
    SQLNET.ENCRYPTION_TYPES_SERVER=(3DES168, DES40, DES, 3DES112)
    SQLNET.CRYPTO_CHECKSUM_SERVER=REQUESTED
    SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1,MD5)
    

    While creating the connector, you must specify the following as the value of the Connection Properties parameter:

    Note:

    • The property-value pairs must be separated by commas.

    • As shown in the following example, for the encryption_types and crypto_checksum_types properties, you can select any of the values recorded in the sqlnet.ora file.

    oracle.net.encryption_client=REQUIRED,oracle.net.encryption_types_client=(3DES168),oracle.net.crypto_checksum_client=REQUESTED,oracle.net.crypto_checksum_types_client=(MD5)
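The consistency check implied by this scenario, as an added Python example (not part of the connector or the original guide): it parses a Connection Properties value, including commas inside parenthesized lists, and reports every selected algorithm that the sqlnet.ora entries do not list. The WEAK set, the function names, and the restriction to single-line sqlnet.ora entries are assumptions of this example.

```python
# Constructed sample: the sqlnet.ora entries from the scenario in this section.
SQLNET_ORA = """\
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(3DES168, DES40, DES, 3DES112)
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1,MD5)
"""

# Assumption of this example, not a statement from the guide: algorithms
# that a reviewer would flag as weak even when the server offers them.
WEAK = {"DES40", "DES", "MD5"}

# Client property -> server parameter whose list it must be chosen from.
TYPE_MAP = {
    "oracle.net.encryption_types_client": "SQLNET.ENCRYPTION_TYPES_SERVER",
    "oracle.net.crypto_checksum_types_client": "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER",
}


def parse_sqlnet(text):
    """Read single-line NAME=VALUE entries; '#' starts a comment."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().upper()] = value.strip()
    return entries


def split_pairs(props):
    """Split 'k=v,k=(a,b)' on commas that are outside parentheses."""
    pairs, depth, current = {}, 0, ""
    for ch in props.strip() + ",":
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            key, sep, value = current.partition("=")
            if sep:
                pairs[key.strip()] = value.strip()
            current = ""
        else:
            current += ch
    return pairs


def algorithms(value):
    """'(3DES168, DES40)' -> ['3DES168', 'DES40']"""
    return [a.strip().upper() for a in value.strip("() ").split(",") if a.strip()]


def audit(conn_props, sqlnet_text=SQLNET_ORA):
    """Return (property, algorithm, reason) findings; an empty list is clean."""
    client, server = split_pairs(conn_props), parse_sqlnet(sqlnet_text)
    findings = []
    for prop, param in TYPE_MAP.items():
        offered = algorithms(server.get(param, ""))
        for alg in algorithms(client.get(prop, "")):
            if alg not in offered:
                findings.append((prop, alg, "not listed in " + param))
            elif alg in WEAK:
                findings.append((prop, alg, "weak algorithm"))
    return findings
```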
    

2.3.5.3 Only SSL Communication Is Configured

After you configure SSL communication, the database URL is recorded in the tnsnames.ora file. See Oracle Database Net Services Reference for detailed information about the tnsnames.ora file.

The following are sample formats of the contents of the tnsnames.ora file. In these formats, DESCRIPTION contains the connection description, ADDRESS contains the protocol address, and CONNECT_DATA contains the database service identification information.

Sample Format 1:

NET_SERVICE_NAME=
 (DESCRIPTION=
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (CONNECT_DATA= 
     (SERVICE_NAME=SERVICE_NAME)))

Sample Format 2:

NET_SERVICE_NAME= 
 (DESCRIPTION_LIST=
  (DESCRIPTION= 
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (CONNECT_DATA= 
     (SERVICE_NAME=SERVICE_NAME)))
  (DESCRIPTION= 
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (CONNECT_DATA= 
     (SERVICE_NAME=SERVICE_NAME))))

Sample Format 3:

NET_SERVICE_NAME= 
 (DESCRIPTION= 
  (ADDRESS_LIST= 
   (LOAD_BALANCE=on)
   (FAILOVER=off)
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)))
  (ADDRESS_LIST= 
   (LOAD_BALANCE=off)
   (FAILOVER=on)
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)))
  (CONNECT_DATA=
   (SERVICE_NAME=SERVICE_NAME)))

If you have configured only SSL communication and imported the certificate that you created on the target system host computer into the JVM certificate store of Oracle Identity Manager, then enter the following values:

JDBC URL parameter

While creating the connector, the value that you specify for the JDBC URL parameter must be derived from the value of NET_SERVICE_NAME in the tnsnames.ora file. For example:

Note:

As shown in this example, you must include only the (ADDRESS=(PROTOCOL=TCPS)(HOST=HOST_NAME)(PORT=2484)) element because you are configuring SSL. You need not include other (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)) elements.

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost)(PORT=2484)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=mysid)))
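One way to derive this value, as an added Python example that is not part of the connector or the original guide: it parses a tnsnames.ora entry, keeps only the TCPS ADDRESS elements, and raises an error when none is present, so that no URL without SSL is produced. The entry name MYSID_SSL, the TCP address in the sample, and all function names are assumptions of this example.

```python
# Constructed sample: host, port and service name follow the sample JDBC URL above.
TNS_ENTRY = """\
MYSID_SSL=
 (DESCRIPTION=
  (ADDRESS_LIST=
   (ADDRESS=(PROTOCOL=TCP)(HOST=myhost)(PORT=1521))
   (ADDRESS=(PROTOCOL=TCPS)(HOST=myhost)(PORT=2484)))
  (CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=mysid)))
"""
CONTAINERS = ("DESCRIPTION_LIST", "DESCRIPTION", "ADDRESS_LIST")

def skip_ws(text, i):
    while text[i].isspace():
        i += 1
    return i

def parse_node(text, i=0):
    """Parse '(KEY=atom)' or '(KEY=(..)(..))' at text[i]; return (node, next_i)."""
    if text[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    eq = text.index("=", i)
    key = text[i + 1:eq].strip().upper()
    j = skip_ws(text, eq + 1)
    if text[j] != "(":  # leaf such as (PORT=2484)
        end = text.index(")", j)
        return (key, text[j:end].strip()), end + 1
    children = []
    while text[j] == "(":
        child, j = parse_node(text, j)
        children.append(child)
        j = skip_ws(text, j)
    if text[j] != ")":
        raise ValueError("expected ')' at offset %d" % j)
    return (key, children), j + 1

def render(node):
    key, value = node
    body = value if isinstance(value, str) else "".join(map(render, value))
    return "(%s=%s)" % (key, body)

def keep_tcps(node):
    """Drop non-TCPS ADDRESS elements and any list or description left empty."""
    key, value = node
    if isinstance(value, str):
        return node
    if key == "ADDRESS":
        protocol = dict(c for c in value if isinstance(c[1], str)).get("PROTOCOL", "")
        return node if protocol.upper() == "TCPS" else None
    kept = [c for c in map(keep_tcps, value) if c is not None]
    if key in CONTAINERS and "(ADDRESS=" not in "".join(map(render, kept)):
        return None
    return (key, kept)

def ssl_jdbc_url(entry):
    """Return (net_service_name, JDBC URL) keeping only the TCPS address."""
    name, _, descriptor = entry.partition("=")
    descriptor = descriptor.strip()
    try:
        node, end = parse_node(descriptor)
    except IndexError:
        raise ValueError("unbalanced parentheses in tnsnames.ora entry")
    if descriptor[end:]:
        raise ValueError("unexpected text after the connect descriptor")
    pruned = keep_tcps(node)
    if pruned is None:
        # Fail closed: never emit a URL that would connect without SSL.
        raise ValueError("no TCPS address in entry " + name.strip())
    return name.strip(), "jdbc:oracle:thin:@" + render(pruned)
```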

Connection Properties parameter

Whether or not you need to specify a value for the Connection Properties parameter depends on the certificate store into which you import the certificate:

  • If you import the certificate into the certificate store of the JVM that Oracle Identity Manager is using, then you need not specify a value for the Connection Properties parameter.

  • If you import the certificate into any other certificate store, then while creating the connector, specify a value for the Connection Properties parameter in the following format:

    javax.net.ssl.trustStore=STORE_LOCATION,javax.net.ssl.trustStoreType=JKS,javax.net.ssl.trustStorePassword=STORE_PASSWORD
    

    When you specify this value, replace STORE_LOCATION with the full path and name of the certificate store, and replace STORE_PASSWORD with the password of the certificate store.

2.3.5.4 Both Data Encryption and Integrity and SSL Communication Are Configured

If both data encryption and integrity and SSL communication are configured, then:

  • JDBC URL parameter

    While creating the connector, to specify a value for the JDBC URL parameter, enter a comma-separated combination of the values for the JDBC URL parameter described in Section 2.3.5.2, "Only Data Encryption and Integrity Is Configured" and Section 2.3.5.3, "Only SSL Communication Is Configured". For example:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost)(PORT=2484)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=mysid)))
    
  • Connection Properties parameter

    While creating the connector, to specify a value for the Connection Properties parameter, enter a comma-separated combination of the values for the Connection Properties parameter described in Section 2.3.5.2, "Only Data Encryption and Integrity Is Configured" and Section 2.3.5.3, "Only SSL Communication Is Configured". For example:

    oracle.net.encryption_client=REQUIRED,oracle.net.encryption_types_client=(3DES168),oracle.net.crypto_checksum_client=REQUESTED,oracle.net.crypto_checksum_types_client=(MD5),javax.net.ssl.trustStore=STORE_LOCATION,javax.net.ssl.trustStoreType=JKS,javax.net.ssl.trustStorePassword=STORE_PASSWORD
    

    As shown in the preceding example, for the encryption_types and crypto_checksum_types properties, you can select any of the values recorded in the sqlnet.ora file. When you specify this value, replace STORE_LOCATION with the full path and name of the certificate store, and replace STORE_PASSWORD with the password of the certificate store.

2.3.6 Configuring the IT Resource

The IT resource is automatically created when you run the Connector Installer. You must specify values for the parameters of the IT resource as follows:

Note:

The EBS-HRMS-APPS12 IT resource is an instance of the eBusiness Suite HRMS IT resource type. If you do not want to use this IT resource, then you must create a different IT resource of the eBusiness Suite HRMS IT resource type.

You must use the Administrative and User Console to configure the IT resource. Values set for the connection pooling parameters will not take effect if you use the Design Console to configure the IT resource.

  1. If you are using Oracle Identity Manager release 9.1.0.x or 11.1.1.x, log in to the Administrative and User Console.

  2. If you are using Oracle Identity Manager release 9.1.0.x, then expand Resource Management, and then click Manage IT Resource.

  3. If you are using Oracle Identity Manager release 11.1.1, then:

    1. On the Welcome to Oracle Identity Manager Self Service page, click Advanced.

    2. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration section, click Manage IT Resource.

  4. If you are using Oracle Identity Manager release 11.1.2.x or later, then:

    1. Log in to Oracle Identity System Administration.

    2. Create and activate a sandbox. For detailed instructions on creating and activating a sandbox, see the "Managing Sandboxes" section of Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

    3. In the left pane, under Configuration, click IT Resource.

  5. In the IT Resource Name field on the Manage IT Resource page, enter EBS-HRMS-APPS12 and then click Search.

  6. Click the edit icon for the IT resource.

    [Screenshot: the Administrative and User Console page on which you click the edit icon for the IT resource]

  7. From the list at the top of the page, select Details and Parameters and then click Edit.

    [Screenshot: the Administrative and User Console page on which you set values for the IT resource parameters]

  8. Specify values for the parameters of the IT resource. Table 2-4 describes each parameter.

    Table 2-4 IT Resource Parameters

    Parameter Description

    Admin ID

    Enter the user name of the target system account to be used for connector operations.

    You create this account by performing the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations".

    Default value: apps

    Admin Password

    Enter the password of the target system account specified by the Admin ID parameter.

    Connection Properties

    Specify the connection properties for the target system database.

    See Section 2.3.5, "Determining Values for the JDBC URL and Connection Properties Parameters" for detailed information.

    Connection Retries

    Enter the number of consecutive attempts to be made at establishing a connection with the target system.

    Default value: 3

    Connection Timeout

    Enter the time in milliseconds within which the target system is expected to respond to a connection attempt.

    For a particular connection attempt, if the target system does not respond within the time interval specified by the Connection Timeout parameter, then it is assumed that the connection attempt has failed.

    Default value: 1200

    JDBC URL

    Specify the JDBC URL for the target system database.

    See Section 2.3.5, "Determining Values for the JDBC URL and Connection Properties Parameters" for detailed information.

    Retry Interval

    Enter the interval in milliseconds between consecutive attempts at establishing a connection with the target system.

    Default value: 10000

    SID Name

    Enter the SID of the target system database.

    SSL Enabled

    Enter yes if you plan to configure SSL to secure communication between Oracle Identity Manager and the target system. Otherwise, enter no.

    Default value: no

    Statement Timeout

    Enter the time in milliseconds within which a query run on the target system is expected to return results.

    If the results of a query are not returned within the specified time, then it is assumed that the connection with the target system has failed. The connector then attempts to reestablish a connection with the target system.

    Default value: 1200

    Configuration Lookup Name

    This parameter holds the name of the lookup definition that contains configuration information.

    Default value: Lookup.EBS.ER.Configurations

    Note: You must not change the value of this parameter. However, if you create a copy of all the connector objects, then you can specify the unique name of the copy of this lookup definition as the value of the Configuration Lookup Name parameter in the copy of the IT resource.

    Connection Pooling Parameters

     

    Abandoned connection timeout

    Time (in seconds) after which a connection must be automatically closed if it is not returned to the pool

    Note: You must set this parameter to a value that is high enough to accommodate processes that take a long time to complete (for example, full reconciliation).

    Default value: 600

    Connection wait timeout

    Maximum time (in seconds) for which the connector must wait for a connection to be available

    Default value: 60

    Inactive connection timeout

    Time (in seconds) of inactivity after which a connection must be dropped and replaced by a new connection in the pool

    Default value: 600

    Initial pool size

    Number of connections that must be established when the connection pool is initialized

    The pool is initialized when it receives the first connection request from a connector.

    Default value: 1

    Sample value: 3

    Max pool size

    Maximum number of connections that must be established in the pool at any point of time

    This number includes the connections that have been borrowed from the pool.

    Default value: 100

    Sample value: 30

    Min pool size

    Minimum number of connections that must be in the pool at any point of time

    This number includes the connections that have been borrowed from the pool.

    Default value: 5

    Validate connection on borrow

    Specifies whether or not a connection must be validated before it is lent by the pool

    The value can be true or false. It is recommended that you set the value to true.

    Default value: true

    Timeout check interval

    Time interval (in seconds) at which the timeouts specified by the other parameters must be checked

    Default value: 30

    Pool preference

    Preferred connection pooling implementation

    Value: Default

    Note: Do not change the value of this parameter.

    Connection pooling supported

    Enter true if you want to enable connection pooling for this target system installation. Otherwise, enter false.

    Default value: true

    Target supports only one connection

    Indicates whether the target system can support one or more connections at a time

    Value: false

    Note: Do not change the value of this parameter.

    ResourceConnection class definition

    Implementation of the ResourceConnection class

    Default value: oracle.iam.connectors.ebs.common.vo.EBSResourceConnectionImpl

    Note: Do not change the value of this parameter.

    Native connection pool class definition

    Wrapper to the native pool mechanism that implements the GenericPool

    Note: Do not specify a value for this parameter.

    Pool excluded fields

    Comma-separated list of IT parameters whose change shouldn't trigger a refresh of the connector pool

    Default value: Configuration Lookup Name,Statement Timeout

    Note: You must not change the value of this parameter.


  9. To save the values, click Save.

2.3.7 Displaying UDFs in Oracle Identity Manager 11.1.2 or Later

In Oracle Identity Manager release 11.1.2 or later, some user attributes (UDFs) such as Department, Job Code and Supervisor are not displayed after running the employee reconciliation. If you want to display these attributes as form fields in the Oracle Identity Manager user interface, then you must customize the associated pages on the interface to add the custom form fields. To do so, perform the following procedure:

  1. Perform eBusiness HRMS Trusted Reconciliation.

  2. Log in to Oracle Identity System Administration.

  3. Create and activate a sandbox.

  4. From the Identity System Administration Console, in the Upgrade region, click Upgrade User Form.

    All the UDFs are listed.

  5. Click Upgrade now.

  6. Publish the sandbox.

    For more information about UDFs, see the "Configuring Custom Attributes" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.