Skip Headers
Oracle® Identity Manager Connector Guide for Oracle E-Business User Management
Release 9.1.0

E11203-13
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

2 Deploying the Connector

The procedure to deploy the connector can be divided into the following stages:

2.1 Preinstallation

Preinstallation information is divided across the following sections:

2.1.1 Preinstallation on Oracle Identity Manager

This section contains the following topics:

2.1.1.1 Files and Directories on the Installation Media

Table 2-1 lists the files and directories on the installation media.

Table 2-1 Files and Directories on the Installation Media

File in the Installation Media Directory Description

config/ebsUMQuery.properties

This file contains SQL queries that are used for target resource reconciliation.

config/ebsUMLookupQuery.properties

This file contains SQL queries that are used for lookup field synchronization.

Files in the configuration directory

Oracle_EBS_User-Management-CI.xml

Oracle_EBS_User-HRMS-Management-CI.xml

Oracle_EBS_User-TCA-Management-CI.xml

This directory contains the configuration files that are used by the Connector Installer during installation of each connector.

lib/EBSUM.jar

This JAR file contains the class files that are used during reconciliation and provisioning operations. During connector installation, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/JavaTasks

  • For Oracle Identity Manager releases 11.1.x and 11.1.2.x:

    Oracle Identity Manager database

lib/EBSCommon.jar

This JAR file contains utility classes that support provisioning and reconciliation operations. During connector installation, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/JavaTasks

  • For Oracle Identity Manager releases 11.1.x and 11.1.2.x: Oracle Identity Manager database

lib/Common.jar

This JAR file contains classes that are used by all release 9.1.0 connectors. During connector installation, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/JavaTasks

  • For Oracle Identity Manager releases 11.1.x and 11.1.2.x: Oracle Identity Manager database

Files in the resources directory

Each of these resource bundles contains language-specific information that is used by the connector. During connector deployment, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/connectorResources

  • For Oracle Identity Manager releases 11.1.x and 11.1.2 x: Oracle Identity Manager database

Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages.

scripts/script1/OIM.bat

scripts/script1/OIM.sh

This file contains commands to run the SQL scripts for creating a target system user and granting the required rights to the user.

See Section 2.1.2.1, "Creating a Target System User Account for Connector Operations" for more information about this user.

scripts/script1/OIM_FND_GLOBAL.pck

This is the customized apps.fnd_global package.

scripts/script1/OIM_FND_USER_PKG.pck

This is the customized apps.fnd_user package.

scripts/script1/OIM_EMPLOYEE_WRAPPER.pck

This is a customized wrapper package for creating and updating employee records.

scripts/script1/OIM_TCA_WRAPPER.pck

This is a customized wrapper package for creating and updating party records.

scripts/script1/OimUser.sql

scripts/script1/OimUserGrants.sql

scripts/script1/OimUserSynonyms.sql

script/script1/OimUserAppstablesSynonyms.sql

These file contains the SQL scripts to create a target system user account in a new tablespace, grant the required rights to the user, and create synonyms of various database objects to be used by the connector.

See Section 2.1.2.1, "Creating a Target System User Account for Connector Operations" for more information about this user.

scripts/script1/WL_LOCAL_SYNCH_PKG.pck

This is the customized version of the apps.wf_local_synch package. It is used for role management.

scripts/script1/EXECUTE ON APPS.UMX_ACCESS_ROLES_PVT

This is a customized wrapper package for updating user roles.

scripts/script1/EXECUTE ON APPS.FND_USER_RESP_GROUPS_API

This is a customized wrapper package for updating user responsibilities.

scripts/script2/ . . .

This directory contains copies of the files in the scripts/script1 directory. You use the contents of either the script1 or script2 directory depending on the target system release that you are using. Section 2.1.2.1, "Creating a Target System User Account for Connector Operations" provides more details.

test/config/config_um_prov.properties

This properties file contains data that is used by the testing utility.

See Section 5.1, "Running Test Cases" for more information.

test/config/config_um_prov_fileOption.properties

This properties file contains data that is used by the testing utility.

See Section 5.1, "Running Test Cases" for more information.

test/config/log.properties

This file contains properties that you use to enable log4j logging.

test/scripts/OracleEbiz.bat

test/scripts/OracleEbiz.sh

This file is used to run the testing utility.

xml/Oracle-eBusinessSuite-Main-ConnectorConfig.xml

This XML file contains configuration information about the User Management connector. The Connector Installer uses this XML file to create connector components that are used for both direct and request-based user account creation.

xml/Oracle-eBusinessSuite-HRMS-Main-ConnectorConfig.xml

This XML file contains configuration information about the User Management with HR Foundation connector. The Connector Installer uses this XML file to create connector components that are used for both direct and request-based creation of user records and person records.

xml/Oracle-eBusinessSuite-TCA-Main-ConnectorConfig.xml

This XML file contains configuration information about the User Management with TCA Foundation connector. The Connector Installer uses this XML file to create connector components that are used for both request-based creation of user records and TCA party records.

xml/Oracle-eBusinessSuite-HRMS-RequestApproval-ConnectorConfig.xml

This XML file is used for request-based entitlement provisioning in the User Management with HR Foundation connector.

xml/Oracle-eBusinessSuite-RequestApproval-ConnectorConfig.xml

This XML file is used for request-based entitlement provisioning in the User Management connector.

xml/Oracle-eBusinessSuite-TCA-RequestApproval-ConnectorConfig.xml

This XML file is used for request-based entitlement provisioning in the User Management with TCA Foundation connector.

documentation/javadocs

This directory contains information about the Java APIs used by the connector.


2.1.1.2 Determining the Release Number of the Connector

You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:

  1. In a temporary directory, extract the contents of the connector JAR file that is in the OIM_HOME/xellerate/JavaTasks directory.

    For 11.1.x and 11.1.2.x server, download Connector JAR file from OIM database using DownloadJars utility.

  2. Open the Manifest.mf file in a text editor. The Manifest.mf file is one of the files bundled inside the connector JAR file.

    In the Manifest.mf file, the release number of the connector is displayed as the value of the Version property.

2.1.1.3 Creating a Backup of the Existing Common.jar File

The Common.jar file is in the deployment package of each 9.1.x release of the connector. With each new release, code corresponding to that particular release is added to the existing code in this file. For example, the Common.jar file shipped with Connector Y on 12-July contains:

  • Code specific to Connector Y

  • Code included in the Common.jar files shipped with all other 9.1.x release of the connectors that were released before 12-July

If you have installed a release 9.1.x connector that was released after the current release of the Oracle E-Business User Management connector, back up the existing Common.jar file, install the Oracle E-Business User Management connector, and then restore the Common.jar file. The steps to perform this procedure are as follows:

Caution:

If you do not perform this procedure, then your release 9.1.x connectors might not work.

  1. Determine the release date of your existing release 9.1.x connector as follows:

    1. Extract the contents of the following file in a temporary directory:

      OIM_HOME/xellerate/JavaTasks/Common.jar

      Note:

      On Oracle Identity Manager releases 11.1.x and 11.1.2.x, use the Oracle Identity Manager Download JARs utility to download the Common.jar file from the database, and then extract the contents of this file into a temporary directory.

      See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager 11g Release 1 (11.1.1) for instructions about using the Download JARs utility.

    2. Open the Manifest.mf file in a text editor.

    3. Note down the Build Date and Build Version values.

  2. Determine the Build Date and Build Version values of the current release of the Oracle E-Business User Management connector as follows:

    1. On the installation media for the connector, extract the contents of the lib/Common.jar and then open the Manifest.mf file in a text editor.

    2. Note down the Build Date and Build Version values.

  3. If the Build Date and Build Version values for the Oracle E-Business User Management connector are less than the Build Date and Build Version values for the connector that is installed, then:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

      1. Copy the OIM_HOME/xellerate/JavaTasks/Common.jar to a temporary location.

      2. After you perform the procedure described in Section 2.2, "Installation" overwrite the new Common.jar file in the OIM_HOME/xellerate/JavaTasks directory with the Common.jar file that you backed up in the preceding step.

    • If you are using Oracle Identity Manager release 11.1.x, then run the Oracle Identity Manager Upload JARs utility to post the Common.jar file to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:

      Note:

      Before you run this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.

      For Microsoft Windows:

      OIM_HOME/server/bin/UploadJars.bat
      

      For UNIX:

      OIM_HOME/server/bin/UploadJars.sh
       
      

      When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.

      See Also:

      Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about the Upload JARs utility

2.1.2 Preinstallation on the Target System

Preinstallation on the target system involves performing the procedure described in the following sections:

2.1.2.1 Creating a Target System User Account for Connector Operations

Note:

You must have DBA privileges to grant the required permissions to the target system user account.

You must have Oracle Database Client installed on the computer on which you perform the procedure described in this section. The Oracle Database Client release must be the same as the database release. In addition, if Oracle Database Client is not installed on the database host computer, then the tnsnames.ora file on the Oracle Database Client host must contain an entry for the SID of the database.

Oracle Identity Manager requires a target system user account to access the target system during connector operations. You provide the credentials of this user account while performing the procedure described in Section 2.3.3.6, "Configuring the IT Resource."

To create a target system user account for connector operations:

  1. From the installation media, copy one of the following directories to a temporary directory on either the target system host computer or a computer on which the Oracle Database Client has been installed:

    See Also:

    Section 2.1.1.1, "Files and Directories on the Installation Media" for information about the contents of the scripts directory

    • scripts/script1

      The scripts in this directory create wrapper packages in the APPS schema. These wrapper packages are used for connector provisioning operations.

    • scripts/script2

      The scripts in this directory create wrapper packages in the schema of the user that you are creating. These wrapper packages are used for connector provisioning operations.

    To determine whether to copy the scripts in the script1 or the script2 directory:

    1. If you are using the User Management connector, then run the following queries:

      SELECT text FROM user_source WHERE name = 'FND_USER_PKG' AND type = 'PACKAGE' AND UPPER(text) LIKE '%AUTHID%';
      SELECT text FROM user_source WHERE name = 'FND_GLOBAL' AND type = 'PACKAGE' AND UPPER(text) LIKE '%AUTHID%';
      SELECT text FROM user_source WHERE name = 'WF_LOCAL_SYNCH' AND type = 'PACKAGE' AND UPPER(text) LIKE '%AUTHID%';
      SELECT text FROM user_source WHERE name = 'UMX_ACCESS_ROLES_PVT' AND type = 'PACKAGE' AND UPPER(text) LIKE '%AUTHID%';
      SELECT text FROM user_source WHERE name = 'FND_USER_RESP_GROUPS_API' AND type = 'PACKAGE' AND UPPER(text) LIKE '%AUTHID%';
      
    2. If you are using the User Management with HR Foundation connector, then run the following queries:

      SELECT text FROM user_source WHERE name = 'OIM_EMPLOYEE_WRAPPER' AND type = 'PACKAGE' AND UPPER(text) LIKE '%AUTHID%';
      
    3. If you are using the User Management with TCA Foundation connector, then run the following queries:

      SELECT text FROM user_source WHERE name = 'OIM_TCA_WRAPPER' AND type = 'PACKAGE' AND UPPER(text) LIKE '%AUTHID%';
      
    4. If any of the queries that you run returns a row containing the text AUTHID CURRENT_USER, then use the script1 directory. Otherwise, use either the script1 or the script2 directory.

  2. On the computer where you copy the scripts directory, verify that there is a TNS entry in the tnsnames.ora file for the target system database.

  3. Depending on the host platform, run either the OIM.sh or OIM.bat file.

  4. When you run the script, you are prompted for the following information:

    • ORACLE_HOME path

      This prompt is displayed only if the ORACLE_HOME environment variable has not been set on the computer on which you are running the script.

    • Enter the system user name

      Enter the login (user name) of a DBA account with the privileges to create and configure a new target system user.

    • Enter the name of the database

      Enter the connection string or service name given in the tnsnames.ora file to connect to the target system database.

    • Enter the name of the tablespace to be created

      Enter a name for the tablespace to be created for the user.

    • Enter the name of the datafile to be created

      Enter a name for the datafile to be created for the user.

    • Enter the path for the datafile to be created

      Enter the path where the datafile must be created. The path is relative to the repository of the directory in which the target system is installed. If you do not enter a value at this prompt, then the default directory is created.

    • Enter New database Username to be created

      Enter a user name for the target system account that you want to create.

    • Enter the New user password

      Enter a password for the target system account that you want to create.

    • Connecting with newly created database user

      Enter the connection string or service name that you provided earlier.

At the end of the operation, a log file (OIM_APPS_USER.log) is created in the scripts directory. If the user is successfully created, then a message to this effect is recorded in the log file.

During the account creation process, the following privileges are granted:

Privileges Granted to the Account for All 3 Connectors

The following privileges are granted to the new database user account for all 3 connectors:

EXECUTE ON APPS.WF_LOCAL_SYNCH

EXECUTE ON APPS.FND_USER_PKG

EXECUTE ON APPS.FND_API

EXECUTE ON APPS.FND_GLOBAL

EXECUTE ON APPS.UMX_ACCESS_ROLES_PVT

EXECUTE ON APPS.FND_USER_RESP_GROUPS_API

SELECT ON APPS.FND_APPLICATION

SELECT ON APPS.FND_RESPONSIBILITY

SELECT ON APPS.FND_RESPONSIBILITY_TL

SELECT ON APPS.FND_RESPONSIBILITY_VL

SELECT ON APPS.FND_USER_RESP_GROUPS_DIRECT

SELECT ON APPS. PER_ALL_PEOPLE_F

SELECT ON APPS.FND_APPLICATION_TL

SELECT ON APPS.WF_LOCAL_USER_ROLES

SELECT ON APPS.WF_USER_ROLES

SELECT ON APPS.WF_LOCAL_ROLES

SELECT, UPDATE ON APPS.FND_USER

SELECT ON APPS.FND_SECURITY_GROUPS

SELECT ON APPS.FND_SECURITY_GROUPS_TL

EXECUTE ON APPS.OIM_FND_USER_PKG

EXECUTE ON APPS.OIM_FND_GLOBAL

EXECUTE ON APPS.WF_LOCAL_SYNCH_PKG

EXECUTE ON APPS.OIM_UMX_ACCESS_ROLES_PVT

EXECUTE ON APPS.OIM_FND_USER_RESP_GROUPS_API

Additional Privileges Granted to the Account for the User Management with HR Foundation Connector

In addition to the privileges listed in the "Privileges Granted to the Account for All 3 Connectors" section, the following privileges are granted to the account for the User Management with HR Foundation connector:

EXECUTE ON APPS.HR_EMPLOYEE_API

EXECUTE ON APPS.HR_PERSON_API

SELECT ON APPS.PER_ALL_ASSIGNMENTS_F

SELECT ON APPS.PER_PEOPLE_F

SELECT ON APPS.PER_PERSON_TYPES

SELECT ON APPS.PER_PERIODS_OF_SERVICE

Additional Privileges Granted to the Account for the User Management with TCA Foundation Connector

In addition to the privileges listed in the "Privileges Granted to the Account for All 3 Connectors" section, the following privileges are granted to the account for the User Management with TCA Foundation connector:

EXECUTE ON APPS.FND_OID_USERS

EXECUTE ON APPS.FND_OID_UTIL

SELECT, UPDATE ON APPS.HZ_PARTIES

SELECT, UPDATE ON APPS.HZ_PERSON_PROFILES

REVOKE SELECT ON APPS.PER_ALL_PEOPLE_F

2.1.2.2 Compiling Custom Wrapper Packages

The following custom wrapper packages are used during the Person Create and Update operations:

  • OIM_EMPLOYEE_WRAPPER

  • OIM_TCA_WRAPPER

OIM_UMX_ACCESS_ROLES_PVT.pck wrapper package is used during the Revoke Role operation.

If you plan to use the APPS account for reconciliation, provisioning, and revoke role operations, then:

Note:

Do not perform these steps if you plan to use the account described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations".

  1. Copy the packages from the scripts directory on the installation media into a directory on the target system host computer.

  2. Log in to the database as the APPS user.

  3. Run the following commands at the SQL prompt:

    Note:

    See Section 2.1.1.1, "Files and Directories on the Installation Media" for information about the location of the packages containing these SQL scripts.

    @<DIRECTORY_PATH_WHERE_THE_PACKAGES_ARE_SAVED>/OIM_EMPLOYEE_WRAPPER.pck
    @<DIRECTORY_PATH_WHERE_THE_PACKAGES_ARE_SAVED>/OIM_TCA_WRAPPER.pck
    @<DIRECTORY_PATH_WHERE_THE_PACKAGES_ARE_SAVED>/OIM_UMX_ACCESS_ROLES_PVT.pck
    

2.1.2.3 Setting the Employee Number Creation Mode

Note:

Perform the procedure described in this section only if you plan to use the User Management with HR Foundation connector.

If you plan to use the User Management with HR Foundation connector, then the target system must be configured to manual mode for generating employee numbers. By default, employee numbers are automatically generated. To set the employee number generation mode to manual:

  1. Log in to the target system.

  2. Select the Oracle E-Business HRMS responsibility. For example: Human Resource Vision Enterprise.

  3. Navigate to Workstructures > Organization > Description.

  4. Search for and select the business group,

  5. Click Others.

  6. Select Business Group Info from the list of values.

  7. Open the flexfield to view the setting for employee number generation

  8. Set the value of Employee Number Generation to Manual.

  9. Click OK.

2.2 Installation

Installing the connector on Oracle Identity Manager release 9.1.0 or later involves the following procedures:

Note:

You can perform these procedures to install each connector, in any order.

2.2.1 Running the Connector Installer

Note:

In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.

Direct provisioning is automatically enabled after you run the Connector Installer. If required, you can enable request-based provisioning in the connector. See Section 2.3.3.9, "Enabling Request-Based Provisioning" if you want to use the request-based provisioning feature for this target system.

To run the Connector Installer:

  1. Copy the contents of the connector installation media directory into the following directory:

    Note:

    In an Oracle Identity Manager cluster, perform this step on each node of the cluster.

    • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/ConnectorDefaultDirectory

    • For Oracle Identity Manager releases 11.1.x and 11.1.2.x: OIM_HOME/server/ConnectorDefaultDirectory

  2. Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of the following guide:

  3. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 9.1.0.x:

      Click Deployment Management, and then click Install Connector.

    • For Oracle Identity Manager release 11.1.x:

      On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Install Connector.

    • For Oracle Identity Manager release 11.1.2.x:

      1. Log in to Oracle Identity System Administration by using the user account described in the "Creating the User Account for Installing Connectors" section Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

      2. In the left pane, under System Management, click Manage Connector.

  4. The Connector List list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory in Step 1.

    You can select one of the following options:

    • For the User Management connector:

      Oracle EBS User Management RELEASE_NUMBER

    • For the User Management with HR Foundation connector:

      Oracle EBS HR Foundation User Management RELEASE_NUMBER

    • For the User Management with TCA Foundation connector:

      Oracle EBS TCA Foundation User Management RELEASE_NUMBER

    If you have copied the installation files into a different directory, then:

    1. In the Alternative Directory field, enter the full path and name of that directory.

    2. To repopulate the list of connectors in the Connector List list, click Refresh.

    3. From the Connector List list, select the connector that you want to install.

  5. Click Load. The following screenshot shows this page:

    Surrounding text describes installer_load.gif.
  6. To start the installation process, click Continue.

    The following tasks are performed in sequence:

    1. Configuration of connector libraries

    2. Import of the connector Target Resource user configuration XML file (by using the Deployment Manager).

    3. Compilation of adapters

    On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:

    • Retry the installation by clicking Retry.

    • Cancel the installation and begin again from Step 1.

  7. If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. The following screenshot shows this page for Oracle Identity Manager release 9.1.0.x:

    Surrounding text describes installer_success.gif.

    In addition, a list of steps that you must perform after the installation is displayed. These steps are as follows:

    1. Ensuring that the prerequisites for using the connector are addressed

      Note:

      At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Section 2.3.3.3, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for information about running the PurgeCache utility.

      The prerequisites for this connector are also described later in this guide.

    2. Configuring the IT resource for the connector

      Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is described later in this guide.

    3. Configuring the scheduled tasks that are created when you installed the connector

      Record the names of the scheduled tasks displayed on this page. The procedure to configure these scheduled tasks is described later in this guide.

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-1.

Installing the Connector in an Oracle Identity Manager Cluster

While installing Oracle Identity Manager in a cluster, you must copy all the JAR files and the contents of the connectorResources directory into the corresponding directories on each node of the cluster. See Section 2.1.1.1, "Files and Directories on the Installation Media" for information about the files that you must copy and their destination locations on the Oracle Identity Manager server.

2.2.2 Copying Files to the Oracle Identity Manager Host Computer

After you run the Connector Installer, you must manually copy the files listed in Table 2-2.

Note:

If a particular destination directory does not exist on the Oracle Identity Manager host computer, then create it.

Table 2-2 Files to Be Copied to the Oracle Identity Manager Host Computer

Files on the Installation Media Destination Directory on the Oracle Identity Manager Release 9.1.0.x Host Computer Destination Directory on the Oracle Identity Manager releases 11.1.x and 11.1.2.x Host Computer

Files in the config directory

OIM_HOME/xellerate/XLintegrations/EBSUM/config

OIM_HOME/server/XLintegrations/EBSUM/config

Files in the test/config directory

OIM_HOME/xellerate/XLintegrations/EBSUM/config

OIM_HOME/server/XLintegrations/EBSUM/config

Files in the test/scripts directory

OIM_HOME/xellerate/XLintegrations/EBSUM/scripts

OIM_HOME/server/XLintegrations/EBSUM/scripts


2.3 Postinstallation

Postinstallation steps are divided across the following sections:

2.3.1 Configuring SoD

This section discusses the following procedures:

Note:

The ALL USERS group has INSERT, UPDATE, and DELETE permissions on the UD_EBS_USER, UD_EBS_RESP, UD_EBS_RLS, UD_EBSH_USR, UD_EBSH_RSP, UD_EBST_RLS, UD_EBST_USR, UD_EBST_RSP, and UD_EBST_RLS process forms. This is required to enable the following process:

During SoD validation of an entitlement request, data first moves from a dummy object form to a dummy process form. From there, data is sent to the SoD engine for validation. If the request clears the SoD validation, then data is moved from the dummy process form to the actual process form. Because the data is moved to the actual process forms through APIs, the ALL USERS group must have INSERT, UPDATE, and DELETE permissions on the three process forms.

2.3.1.1 Configuring the Oracle Applications Access Controls Governor to Act As the SoD Engine

If you are using Oracle Identity Manager release 9.1.0.x, then see the "Configuring Oracle Application Access Controls Governor" section in the "Segregation of Duties (SoD) in Oracle Identity Manager" chapter in Oracle Identity Manager Tools Reference for information about this procedure.

If you are using Oracle Identity Manager releases 11.1.x and 11.1.2.x, then see the "Configuring Oracle Application Access Controls Governor" section of the "Configuring SoD Validation" chapter in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about this procedure.

2.3.1.2 Specifying a Value for the TopologyName IT Resource Parameter

The TopologyName IT resource parameter holds the name of the combination of the following elements that you want to use for SoD validation of entitlement provisioning operations:

  • Oracle Identity Manager installation

  • Oracle Applications Access Controls Governor installation

  • Oracle E-Business Suite installation

The value that you specify for the TopologyName parameter must be the same as the value of the topologyName element in the SILConfig.xml file. For Oracle Identity Manager releases 11.1.x and 11.1.2.x, if you are using default SIL registration, then specify sodoaacg as the value of the topologyName parameter.

See one of the following for more information about this element:

  • For Oracle Identity Manager release 9.1.0.x, the "Segregation of Duties (SoD) in Oracle Identity Manager" chapter in Oracle Identity Manager Tools Reference.

  • For Oracle Identity Manager releases 11.1.x and 11.1.2.x, the "Configuring SoD Validation" chapter in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

See Section 2.3.3.6, "Configuring the IT Resource" section for information about specifying values for parameters of the IT resource.

2.3.1.3 Disabling and Enabling SoD

This section describes the procedures to disable and enable SoD.

To disable SoD:

Note:

The SoD feature is disabled by default. Perform the following procedure only if the SoD feature is currently enabled and you want to disable it.

  1. Log in to one of the following consoles:

    • If you are using Oracle Identity Manager release 9.1.0.x, then log in to the Design Console.

    • If you are using Oracle Identity Manager release 11.1.x, then log in to the Administrative and User Console.

    • If you are using Oracle Identity Manager release 11.1.2.x, then log in to the System Administration console.

  2. Set the XL.SoDCheckRequired system property to FALSE as follows:

    For Oracle Identity Manager release 9.1.0.x:

    1. Expand Administration, and then double-click System Configuration.

    2. Search for and open the XL.SoDCheckRequired system property.

    3. Set the value of the system property to FALSE. The following screenshot shows this page:

      Surrounding text describes xl_sodcheckrequired_fl.gif.

      Note:

      You need not change the values of the XL.SIL.Home.Dir and Triggers Synchronous SoD checks offline system properties.

    4. Click the Save icon.

    For Oracle Identity Manager releases 11.1.x:

    1. On the Welcome page, click Advanced in the upper-right corner of the page.

    2. On Welcome to Identity Manager Advanced Administration page, in the System Management section, click Search System Properties.

    3. On the left pane, in the Search System Configuration field, enter XL.SoDCheckRequired, which is the name of the system property as the search criterion.

    4. In the search results table on the left pane, click the XL.SoDCheckRequired system property in the Property Name column.

    5. On the System Property Detail page, in the Value field, enter FALSE.

    6. Click Save to save the changes made.

      A message confirming that the system property has been modified is displayed.

    For Oracle Identity Manager releases 11.1.2.x:

    1. In the left pane, under System Management, click System Configuration. The Advanced Administration is displayed with the System Configuration section in the System Management tab is active.

    2. On the left pane, in the Search System Configuration field, enter XL.SoDCheckRequired, which is the name of the system property as the search criterion.

    3. In the search results table on the left pane, click the XL.SoDCheckRequired system property in the Property Name column.

    4. On the System Property Detail page, in the Value field, enter FALSE.

    5. Click Save to save the changes made.

      A message confirming that the system property has been modified is displayed.

  3. If you are going to perform the procedure described in Section 2.3.3.9, "Enabling Request-Based Provisioning", then for all approval process definitions, the human approval tasks must be made unconditional as follows:

    • Log in to the Design Console.

    • Expand Process Management, and then double-click Process Definition.

    • Search for and open the approval-type process definition for the connector that you are using. See Section 4.9, "Configuring the Connector for Multiple Installations of the Target System" for information about the connector objects.

    • On the Task tab, search for the Manager Approval task.

    • Make this task unconditional by deselecting the Conditional check box. See the following screenshot:

      Surrounding text describes sod_desel_cond.gif.
    • Save the changes to the process definition.

  4. Restart Oracle Identity Manager.

To enable SoD:

Note:

If you are enabling SoD for the first time, then see one of the following documents for detailed information:

  1. Log in to one of the following consoles:

    • If you are using Oracle Identity Manager release 9.1.0.x, then log in to the Design Console.

    • If you are using Oracle Identity Manager release 11.1.x, then log in to the Administrative and User Console.

    • If you are using Oracle Identity Manager release 11.1.2.x, then log in to the System Administration console.

  2. Set the XL.SoDCheckRequired system property to TRUE as follows:

    For Oracle Identity Manager release 9.1.0.x:

    1. Expand Administration, and then double-click System Configuration.

    2. Search for and open the XL.SoDCheckRequired system property.

    3. Set the value of the system property to TRUE. The following screenshot shows this page:

      Surrounding text describes xl_sodcheckrequired_fl.gif.

      Note:

      You need not change the values of the XL.SIL.Home.Dir and Triggers Synchronous SoD checks offline system properties.

    4. Click the Save icon.

    For Oracle Identity Manager releases 11.1.x:

    1. On the Welcome page, click Advanced in the upper-right corner of the page.

    2. On Welcome to Identity Manager Advanced Administration page, in the System Management section, click Search System Properties.

    3. On the left pane, in the Search System Configuration field, enter XL.SoDCheckRequired, which is the name of the system property as the search criterion.

    4. In the search results table on the left pane, click the XL.SoDCheckRequired system property in the Property Name column.

    5. On the System Property Detail page, in the Value field, enter FALSE.

    6. Click Save to save the changes made.

      A message confirming that the system property has been modified is displayed.

    For Oracle Identity Manager releases 11.1.2.x:

    1. In the left pane, under System Management, click System Configuration. The Advanced Administration is displayed with the System Configuration section in the System Management tab is active.

    2. On the left pane, in the Search System Configuration field, enter XL.SoDCheckRequired, which is the name of the system property as the search criterion.

    3. In the search results table on the left pane, click the XL.SoDCheckRequired system property in the Property Name column.

    4. On the System Property Detail page, in the Value field, enter FALSE.

    5. Click Save to save the changes made.

      A message confirming that the system property has been modified is displayed.

  3. If you are using Oracle Identity Manager release 9.1.0.x, then:

    1. In the Design Console, expand Administration, and then double-click System Configuration.

    2. Search for and open the XL.SIL.Home.Dir system property.

    3. Verify that the value of this system property is set to the full path and name of the SIL_HOME directory. Here, SIL_HOME is the directory in which you have copied the SIL XML files.

  4. If you are going to perform the procedure described in Section 2.3.3.9, "Enabling Request-Based Provisioning", then for all approval process definitions, the human approval tasks must be made conditional as follows:

    • On the Design Console.

    • Expand Process Management, and then double-click Process Definition.

    • Search for and open the approval-type process definition for the connector that you are using. See Section 4.9, "Configuring the Connector for Multiple Installations of the Target System" for information about the connector objects.

    • On the Task tab, search for the Manager Approval task.

    • Make this task conditional by selecting the Conditional check box. See the following screenshot:

      Surrounding text describes sod_sel_cond.gif.
    • Save the changes to the process definition.

  5. Restart Oracle Identity Manager.

2.3.2 Configuring Secure Communication Between the Target System and Oracle Identity Manager

To secure communication between Oracle Database and Oracle Identity Manager, you can perform either one or both of the following procedures:

Note:

To perform the procedures described in this section, you must have the permissions required to modify the TNS listener configuration file.

2.3.2.1 Configuring Data Encryption and Integrity in Oracle Database

See Oracle Database Advanced Security Administrator's Guide for information about configuring data encryption and integrity.

2.3.2.2 Configuring SSL Communication in Oracle Database

To enable SSL communication between Oracle Database and Oracle Identity Manager:

  1. See Oracle Database Advanced Security Administrator's Guide for information about enabling SSL communication between Oracle Database and Oracle Identity Manager.

  2. Export the certificate on the Oracle Database host computer.

  3. Copy the certificate to Oracle Identity Manager.

  4. Import the certificate into the JVM certificate store of the application server on which Oracle Identity Manager is running.

    To import the certificate into the certificate store, run the following command:

    keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
    

    In this command:

    • Replace FILE_LOCATION with the full path and name of the certificate file.

    • Replace ALIAS with an alias for the certificate.

    • Replace TRUSTSTORE_PASSWORD with a password for the certificate store.

    • Replace TRUSTSTORE_LOCATION with one of the certificate store paths given in Table 2-3. This table shows the location of the certificate store for each of the supported application servers.

    Note:

    In an Oracle Identity Manager cluster, you must import the file into the certificate store on each node of the cluster.

    Table 2-3 Certificate Store Locations

    Application Server Certificate Store Location

    Oracle WebLogic Server

    • If you are using Oracle jrockit_R27.3.1-jdk, then copy the certificate into the following directory:

      JROCKIT_HOME/jre/lib/security

    • If you are using the default Oracle WebLogic Server JDK, then copy the certificate into the following directory:

      WEBLOGIC_HOME/java/jre/lib/security/cacerts

    IBM WebSphere Application Server

    • For a nonclustered configuration of any supported IBM WebSphere Application Server release, import the certificate into the following certificate store:

      WEBSPHERE_HOME/java/jre/lib/security/cacerts

    • For IBM WebSphere Application Server 6.1.x, in addition to the cacerts certificate store, you must import the certificate into the following certificate store:

      WEBSPHERE_HOME/Web_Sphere/profiles/SERVER_NAME/config/cells/CELL_NAME/nodes/NODE_NAME/trust.p12

      For example:

      C:/Web_Sphere/profiles/AppSrv01/config/cells/tcs055071Node01Cell/nodes/tcs055071Node0/trust.p12

    • For IBM WebSphere Application Server 5.1.x, in addition to the cacerts certificate store, you must import the certificate into the following certificate store:

      WEBSPHERE_HOME/etc/DummyServerTrustFile.jks

    JBoss Application Server

    JAVA_HOME/jre/lib/security/cacerts

    Oracle Application Server

    ORACLE_HOME/jdk/jre/lib/security/cacerts


2.3.3 Postinstallation on Oracle Identity Manager

Configuring Oracle Identity Manager involves performing the following procedures:

2.3.3.1 Modifying Dependent Lookup Query Properties for Lookup Fields on Microsoft SQL Server

Note:

Perform the procedure described in this section only if your Oracle Identity Manager installation is running on Microsoft SQL Server.

In this connector, the child forms of a resource implement the dependent lookup feature of Oracle Identity Manager. By default, the queries for synchronization of lookup field values from the target system are based on Oracle Database SQL. If your Oracle Identity Manager installation is running on Microsoft SQL Server, then you must modify the lookup queries for synchronization of lookup definitions as follows:

  1. On the Design Console, expand Development Tools and double-click Form Designer.

  2. Search for and open the process form for the connector that you are using.

  3. Click Create New Version to create a version of the process form. Then, enter a version name and click the Save icon.

  4. Go to the Properties tab.

  5. Select the properties of the attribute according to your requirement.

  6. Modify the Lookup Query property for the field. Existing and new values are listed in Table 2-4. The following screenshot shows this page:

    Surrounding text describes modify_query.gif.
  7. Click the Save icon.

  8. Click Make Version Active to activate the new version of the process form.

  9. Create a new version of the parent form for the child form you modified and make that version active.

    See Section 4.9, "Configuring the Connector for Multiple Installations of the Target System" for information about the process forms.

Table 2-4 Queries for Lookup Field Synchronization

Field Name Oracle Database Version of the Query Microsoft SQL Server Version of the Query

User Management connector

   

UD_EBS_RLO_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_UO_EBS_ITRES$', '~'))>0

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_UO_EBS_ITRES$' + '~' , lkv_encoded)>0

UD_EBS_RLO_ROLE_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBS_RLO_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBS_RLO_APP_NAME$' + '~' , lkv_encoded)>0

UD_EBS_RLS_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_USER_EBS_ITRES$', '~'))>0

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_USER_EBS_ITRES$' + '~' , lkv_encoded)>0

UD_EBS_RLS_ROLE_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBS_RLS_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBS_RLS_APP_NAME$' + '~' , lkv_encoded)>0

UD_EBS_RSO_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_UO_EBS_ITRES$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_UO_EBS_ITRES$' + '~' , lkv_encoded)>0

UD_EBS_RSO_RESP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBS_RSO_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBS_RSO_APP_NAME$' + '~' , lkv_encoded)>0

UD_EBS_RSO_SEC_GROUP

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and instr(lkv_encoded,concat('$Form data.UD_EBS_UO_EBS_ITRES$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and CHARINDEX('$Form data.UD_EBS_UO_EBS_ITRES$' + '~' , lkv_encoded)>0

UD_EBS_RESP_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_USER_EBS_ITRES$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_USER_EBS_ITRES$' + '~' , lkv_encoded)>0

UD_EBS_RESP_SEC_GROUP

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and instr(lkv_encoded,concat('$Form data.UD_EBS_USER_EBS_ITRES$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and CHARINDEX('$Form data.UD_EBS_USER_EBS_ITRES$' + '~' , lkv_encoded)>0

UD_EBS_RESP_RESP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBS_RESP_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBS_RESP_APP_NAME$' + '~' , lkv_encoded)>0

UD_EBS_RLCO_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_RLPO_EBS_INST$', '~'))>0

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_RLPO_EBS_INST$' + '~' ,lkv_encoded)>0

UD_EBS_RLCO_ROLE_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBS_RLCO_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBS_RLCO_APP_NAME$' + '~',lkv_encoded)>0

UD_EBS_RLCP_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_RLPP_EBS_INST$', '~'))>0

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_RLPP_EBS_INST$' + '~',lkv_encoded)>0

UD_EBS_RLCP_ROLE_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBS_RLCP_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBS_RLCP_APP_NAME$' + '~' ,lkv_encoded)>0

UD_EBS_RSCO_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_RSPO_EBS_INST$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_RSPO_EBS_INST$' + '~' , lkv_encoded)>0

UD_EBS_RSCO_RESP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBS_RSCO_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBS_RSCO_APP_NAME$' + '~' , lkv_encoded )>0

UD_EBS_RSCP_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_RSPP_EBS_INST$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_RSPP_EBS_INST$' + '~' , lkv_encoded)>0

UD_EBS_RSCP_RESP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBS_RSCP_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBS_RSCP_APP_NAME$' + '~' , lkv_encoded)>0

User Management with HR Foundation connector

   

UD_EBSH_RLO_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBSH_UO_EBS_ITRES$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBSH_UO_EBS_ITRES$' + '~', lkv_encoded)>0

UD_EBSH_RLO_ROLE_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBSH_RLO_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBSH_RLO_APP_NAME$' + '~',lkv_encoded)

UD_EBSH_RLS_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBSH_USR_EBS_ITRES$', '~'))>0

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBSH_USR_EBS_ITRES$' + '~', lkv_encoded)>0

UD_EBSH_RLS_ROLE_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBSH_RLS_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBSH_RLS_APP_NAME$' + '~', lkv_encoded)>0

UD_EBSH_RSO_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBSH_UO_EBS_ITRES$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBSH_UO_EBS_ITRES$' + '~' ,lkv_encoded)>0

UD_EBSH_RSO_SEC_GROUP

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and instr(lkv_encoded,concat('$Form data.UD_EBSH_UO_EBS_ITRES$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and CHARINDEX('$Form data.UD_EBSH_UO_EBS_ITRES$' + '~' ,lkv_encoded)>0

UD_EBSH_RSO_RESP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBSH_RSO_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBSH_RSO_APP_NAME$' + '~', lkv_encoded)>0

UD_EBSH_RSP_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBSH_USR_EBS_ITRES$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBSH_USR_EBS_ITRES$' + '~' ,lkv_encoded)

UD_EBSH_RSP_SEC_GROUP

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and instr(lkv_encoded,concat('$Form data.UD_EBSH_USR_EBS_ITRES$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and CHARINDEX('$Form data.UD_EBSH_USR_EBS_ITRES$' + '~' ,lkv_encoded)

UD_EBSH_RSP_RESP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBSH_RESP_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBSH_RESP_APP_NAME$' + '~' ,lkv_encoded)

UD_EBH_RLCO_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBH_RLPO_EBS_INST$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBH_RLPO_EBS_INST$' + '~' , lkv_encoded)>0

UD_EBH_RLCO_ROLE_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBH_RLCO_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBH_RLCO_APP_NAME$' + '~' , lkv_encoded)>0

UD_EBH_RLCP_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBH_RLPP_EBS_INST$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBH_RLPP_EBS_INST$' + '~' , lkv_encoded)>0

UD_EBH_RLCP_ROLE_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBH_RLCP_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBH_RLCP_APP_NAME$' + '~', lkv_encoded)>0

UD_EBH_RSCO_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBH_RSPO_EBS_INST $','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data. UD_EBH_RSPO_EBS_INST $' + '~' , lkv_encoded)>0

UD_EBH_RSCO _RESP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data. UD_EBH_RSPO_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data. UD_EBH_RSPO_APP_NAME$' + '~' , lkv_encoded)>0

UD_EBH_RSCP_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBH_RSPP_EBS_INST$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBH_RSPP_EBS_INST$' + '~' , lkv_encoded)>0

UD_EBH_RSCP_RESP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBH_RSCP_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBH_RSCP_APP_NAME$' + '~' , lkv_encoded)>0

User Management with TCA Foundation connector

   

UD_EBST_RLO_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBST_UO_EBS_ITRES$', '~'))>0

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBST_UO_EBS_ITRES$' + '~', lkv_encoded)>0

UD_EBST_RLO_ROLE_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBST_RLO_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBST_RLO_APP_NAME$' + '~' ,lkv_encoded)

UD_EBST_RLS_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBST_USR_EBS_ITRES$', '~'))>0

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBST_USR_EBS_ITRES$' + '~' , lkv_encoded )>0

UD_EBST_RLS_ROLE_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBST_RLS_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBST_RLS_APP_NAME$' + '~' , lkv_encoded)>0

UD_EBST_RSO_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBST_UO_EBS_ITRES$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBST_UO_EBS_ITRES$' + '~', lkv_encoded )>0

UD_EBST_RSO_SEC_GROUP

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and instr(lkv_encoded,concat('$Form data.UD_EBST_UO_EBS_ITRES$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and CHARINDEX('$Form data.UD_EBST_UO_EBS_ITRES$' + '~', lkv_encoded )>0

UD_EBST_RSO_RESP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBST_RSO_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBST_RSO_APP_NAME$' + '~' , lkv_encoded)>0

UD_EBST_RSP_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBST_USR_EBS_ITRES$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBST_USR_EBS_ITRES$' + '~' , lkv_encoded)>0

UD_EBST_RSP_SEC_GROUP

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and instr(lkv_encoded,concat('$Form data.UD_EBST_USR_EBS_ITRES$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and CHARINDEX('$Form data.UD_EBST_USR_EBS_ITRES$' + '~' , lkv_encoded)>0

UD_EBST_RSP_RESP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBST_RSP_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBST_RSP_APP_NAME$' + '~' , lkv_encoded)>0

UD_EBT_RLCO_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBT_RLPO_EBS_INST$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBT_RLPO_EBS_INST$' + '~' , lkv_encoded)>0

UD_EBT_RLCO_ROLE_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBT_RLCO_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBT_RLCO_APP_NAME$' + '~' , lkv_encoded)>0

UD_EBT_RLCP_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBT_RLPP_EBS_INST$', '~'))>0

select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBT_RLPP_EBS_INST$' + '~' , lkv_encoded)>0

UD_EBT_RLCP_ROLE_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBT_RLCP_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBT_RLCP_APP_NAME$' + '~' , lkv_encoded)>0

UD_EBT_RSCO_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBT_RSPO_EBS_INST$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBT_RSPO_EBS_INST$' + '~' , lkv_encoded)>0

UD_EBT_RSCO_RESP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBT_RSCO_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBT_RSCO_APP_NAME$' + '~' , lkv_encoded)>0

UD_EBT_RSCP_APP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBT_RSPP_EBS_INST$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBT_RSPP_EBS_INST$' + '~' , lkv_encoded)>0

UD_EBT_RSCP_RESP_NAME

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBT_RSCP_APP_NAME$','~'))>0

select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBT_RSCP_APP_NAME$' + '~' , lkv_encoded)>0


2.3.3.2 Configuring Oracle Identity Manager 11.1.2 or Later

If you are using Oracle Identity Manager release 11.1.2.x or later, you must create additional metadata such as a UI form and an application instance. In addition, you must run entitlement and catalog synchronization jobs. These procedures are described in the following sections:

2.3.3.2.1 Creating and Activating a Sandbox

Create and activate a sandbox as follows. For detailed instructions, see the "Managing Sandboxes" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

  1. On the upper navigation bar, click Sandboxes. The Manage Sandboxes page is displayed.

  2. On the toolbar, click Create Sandbox. The Create Sandbox dialog box is displayed.

  3. In the Sandbox Name field, enter a name for the sandbox. This is a mandatory field.

  4. In the Sandbox Description field, enter a description of the sandbox. This is an optional field.

  5. Click Save and Close. A message is displayed with the sandbox name and creation label.

  6. Click OK. The sandbox is displayed in the Available Sandboxes section of the Manage Sandboxes page.

  7. Select the sandbox that you created.

  8. From the table showing the available sandboxes in the Manage Sandboxes page, select the newly created sandbox that you want to activate.

  9. On the toolbar, click Activate Sandbox.

    The sandbox is activated.

2.3.3.2.2 Creating a New UI Form

Create a new UI form as follows. For detailed instructions, see the "Managing Forms" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

  1. In the left pane, under Configuration, click Form Designer.

  2. Under Search Results, click Create.

  3. Select the resource type for which you want to create the form, for example, Peoplesoft User.

  4. Enter a form name and click Create.

2.3.3.2.3 Creating an Application Instance

Create an application instance as follows. For detailed instructions, see the "Managing Application Instances" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

  1. In the System Administration page, under Configuration in the left pane, click Application Instances.

  2. Under Search Results, click Create.

  3. Enter appropriate values for the fields displayed on the Attributes form and click Save.

  4. In the Form drop-down list, select the newly created form and click Apply.

  5. Publish the application instance to an organization to make the application instance available for requesting and subsequent provisioning to users. See the "Managing Organizations Associated With Application Instances" section in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed instructions.

2.3.3.2.4 Publishing a Sandbox

To publish the sandbox that you created in Section 2.3.3.2.1, "Creating and Activating a Sandbox.":

  1. Close all the open tabs and pages.

  2. From the table showing the available sandboxes in the Manage Sandboxes page, select the sandbox that you created in Section 2.3.3.2.1, "Creating and Activating a Sandbox."

  3. On the toolbar, click Publish Sandbox. A message is displayed asking for confirmation.

  4. Click Yes to confirm. The sandbox is published and the customizations it contained are merged with the main line.

2.3.3.2.5 Harvesting Entitlements and Sync Catalog

To harvest entitlements and sync catalog:

  1. Run the scheduled jobs for lookup field synchronization.

  2. Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table. See the "Predefined Scheduled Tasks" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about this scheduled job.

  3. Run the Catalog Synchronization Job scheduled job. See the "Predefined Scheduled Tasks" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about this scheduled job.

2.3.3.2.6 Updating an Existing Application Instance with a New Form

For any changes you do in the Form Designer, you must create a new UI form and update the changes in an application instance. To update an existing application instance with a new form:

  1. Create a sandbox and activate it as described in Section 2.3.3.2.1, "Creating and Activating a Sandbox."

  2. Create a new UI form for the resource as described in Section 2.3.3.2.2, "Creating a New UI Form."

  3. Open the existing application instance.

  4. In the Form field, select the new UI form that you created.

  5. Save the application instance.

  6. Publish the sandbox as described in Section 2.3.3.2.4, "Publishing a Sandbox."

2.3.3.3 Clearing Content Related to Connector Resource Bundles from the Server Cache

Note:

In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster. Then, restart each node.

When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the OIM_HOME/xellerate/connectorResources directory for Oracle Identity Manager release 9.1.0.x and Oracle Identity Manager database for Oracle Identity Manager releases 11.1.x and 11.1.2.x Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

  1. In a command window, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then switch to the OIM_HOME/xellerate/bin directory.

    • If you are using Oracle Identity Manager releases 11.1.x and 11.1.2.x, then switch to the OIM_HOME/server/bin directory.

    Note:

    You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:

    For Oracle Identity Manager release 9.1.0.x:

    OIM_HOME/xellerate/bin/SCRIPT_FILE_NAME
    

    For Oracle Identity Manager releases 11.1.x and 11.1.2.x:

    OIM_HOME/server/bin/SCRIPT_FILE_NAME
    
  2. Enter one of the following commands:

    • For Oracle Identity Manager release 9.1.0.x:

      On Microsoft Windows: PurgeCache.bat ConnectorResourceBundle

      On UNIX: PurgeCache.sh ConnectorResourceBundle

      Note:

      You can ignore the exception that is thrown when you perform Step 2. This exception is different from the one mentioned in Step 1.

      In this command, ConnectorResourceBundle is one of the content categories that you can delete from the server cache. See the following file for information about the other content categories:

      OIM_HOME/xellerate/config/xlconfig.xml

    • For Oracle Identity Manager releases 11.1.x and 11.1.2.x:

      On Microsoft Windows: PurgeCache.bat All

      On UNIX: PurgeCache.sh All

      When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:

      t3://OIM_HOST_NAME:OIM_PORT_NUMBER
      

      In this format:

      • Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.

      • Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.

    See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.

2.3.3.4 Enabling Logging

Depending on the Oracle Identity Manager release you are using, perform instructions in one of the following sections:

2.3.3.4.1 Enabling Logging on Oracle Identity Manager Release 9.1.0.x

Note:

In an Oracle Identity Manager cluster, you must perform this procedure on each node of the cluster. Then, restart each node.

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • ALL

    This level enables logging for all events.

  • DEBUG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • INFO

    This level enables logging of messages that highlight the progress of the application at a coarse-grained level.

  • WARN

    This level enables logging of information about potentially harmful situations.

  • ERROR

    This level enables logging of information about error events that might allow the application to continue running.

  • FATAL

    This level enables logging of information about very severe error events that could cause the application to stop functioning.

  • OFF

    This level disables logging for all events.

The file in which you set the log level and the log file path depend on the application server that you use:

  • IBM WebSphere Application Server

    To enable logging:

    1. Add the following line in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.OIMCP.EBSUM=log_level
      
    2. In this line, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.OIMCP.EBSUM=INFO
      

    After you enable logging, log information is written to the following file:

    WEBSPHERE_HOME/AppServer/logs/SERVER_NAME/SystemOut.log

  • JBoss Application Server

    To enable logging:

    1. In the JBOSS_HOME/server/default/conf/jboss-log4j.xml file, add the following lines if they are not already present in the file:

      <category name="ADAPTER.OIMCP.EBSUM">
         <priority value="log_level"/>
      </category>
      
    2. In the second XML code line, replace log_level with the log level that you want to set. For example:

      <category name="ADAPTER.OIMCP.EBSUM">
         <priority value="INFO"/>
      </category>
      

    After you enable logging, log information is written to the following file:

    JBOSS_HOME/server/default/log/server.log

  • Oracle Application Server

    To enable logging:

    1. Add the following line in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.OIMCP.EBSUM=log_level
      
    2. In this line, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.OIMCP.EBSUM=INFO
      

    After you enable logging, log information is written to the following file:

    OC4J_HOME/opmn/logs/default_group~home~default_group~1.log

  • Oracle WebLogic Server

    To enable logging:

    1. Add the following line in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.OIMCP.EBSUM=log_level
      
    2. In this line, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.OIMCP.EBSUM=INFO
      

    After you enable logging, log information is displayed on the server console.

2.3.3.4.2 Enabling Logging on Oracle Identity Manager Releases 11.1.x and 11.1.2.x

Note:

In an Oracle Identity Manager cluster, you must perform this procedure on each node of the cluster. Then, restart each node.

Oracle Identity Manager releases 11.1.x and 11.1.2.x uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • SEVERE.intValue()+100

    This level enables logging of information about fatal errors.

  • SEVERE

    This level enables logging of information about errors that might allow Oracle Identity Manager to continue running.

  • WARNING

    This level enables logging of information about potentially harmful situations.

  • INFO

    This level enables logging of messages that highlight the progress of the application.

  • CONFIG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • FINE, FINER, FINEST

    These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These log levels are mapped to ODL message type and level combinations as shown in Table 2-5.

Table 2-5 Log Levels and ODL Message Type:Level Combinations

Log Level ODL Message Type:Level

SEVERE.intValue()+100

INCIDENT_ERROR:1

SEVERE

ERROR:1

WARNING

WARNING:1

INFO

NOTIFICATION:1

CONFIG

NOTIFICATION:16

FINE

TRACE:1

FINER

TRACE:16

FINEST

TRACE:32


The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Manager.

To enable logging in Oracle WebLogic Server:

  1. Edit the logging.xml file as follows:

    1. Add the following blocks in the file:

      <log_handler name='ebs-um-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
      <property name='logreader:' value='off'/>
           <property name='path' value='[FILE_NAME]'/>
           <property name='format' value='ODL-Text'/>
           <property name='useThreadName' value='true'/>
           <property name='locale' value='en'/>
           <property name='maxFileSize' value='5242880'/>
           <property name='maxLogSize' value='52428800'/>
           <property name='encoding' value='UTF-8'/>
         </log_handler>
      
      <logger name="OIMCP.EBSUM" level="[LOG_LEVEL]" useParentHandlers="false">
           <handler name="ebs-um-handler"/>
           <handler name="console-handler"/>
         </logger>
      
    2. Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 2-5 lists the supported message type and level combinations.

      Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.

      The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME] :

      <log_handler name='ebs-um-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
      <property name='logreader:' value='off'/>
           <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/>
           <property name='format' value='ODL-Text'/>
           <property name='useThreadName' value='true'/>
           <property name='locale' value='en'/>
           <property name='maxFileSize' value='5242880'/>
           <property name='maxLogSize' value='52428800'/>
           <property name='encoding' value='UTF-8'/>
         </log_handler>
       
      <logger name="OIMCP.EBSUM" level="NOTIFICATION:1" useParentHandlers="false">
           <handler name="ebs-um-handler"/>
           <handler name="console-handler"/>
         </logger>
      

    With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.

  2. Save and close the file.

  3. Set the following environment variable to redirect the server logs to a file:

    For Microsoft Windows:

    set WLS_REDIRECT_LOG=FILENAME
    

    For UNIX:

    export WLS_REDIRECT_LOG=FILENAME
    

    Replace FILENAME with the location and name of the file to which you want to redirect the output.

  4. Restart the application server.

2.3.3.5 Determining Values for the JDBC URL and Connection Properties Parameters

This section discusses the JDBC URL and Connection Properties parameters. You apply the information in this section while performing the procedure described in Section 2.3.3.6, "Configuring the IT Resource".

The values that you specify for the JDBC URL and Connection Properties parameters depend on the security measures that you have implemented:

2.3.3.5.1 Supported JDBC URL Formats

The following are the supported JDBC URL formats:

  • Multiple database instances support one service (Oracle RAC)

    JDBC URL format:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=HOST1_NAME.DOMAIN)(PORT=PORT1_NUMBER))(ADDRESS=(PROTOCOL=TCP)(HOST=HOST2_NAME.DOMAIN)(PORT=PORT2_NUMBER))(ADDRESS=(PROTOCOL=TCP)(HOST=HOST3_NAME.DOMAIN)(PORT=PORT3_NUMBER)) . . . (ADDRESS=(PROTOCOL=TCP)(HOST=HOSTn_NAME.DOMAIN)(PORT=PORTn_NUMBER))(CONNECT_DATA=(SERVICE_NAME=ORACLE_DATABASE_SERVICE_NAME)))

    Sample value:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST= host1.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST= host2.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST= host3.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST= host4.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME= srvce1)))

  • One database instance supports one service

    JDBC URL format:

    jdbc:oracle:thin:@HOST_NAME.DOMAIN:PORT_NUMBER:ORACLE_DATABASE_SERVICE_NAME

    Sample value:

    jdbc:oracle:thin:@host1.example:1521:srvce1

  • One database instance supports multiple services (for Oracle Database 10g and later)

    JDBC URL format:

    jdbc:oracle:thin:@//HOST_NAME.DOMAIN:PORT_NUMBER/ORACLE_DATABASE_SERVICE_NAME

    Sample value:

    jdbc:oracle:thin:@host1.example.com:1521/srvce1

2.3.3.5.2 Only Data Encryption and Integrity Is Configured

If you have configured only data encryption and integrity, then enter the following values:

  • JDBC URL parameter

    While creating the connector, the value that you specify for the JDBC URL parameter must be in the following format:

    jdbc:oracle:thin:@TARGET_HOST_NAME_or_IP_ADDRESS:PORT_NUM:sid
    

    The following is a sample value for the JDBC URL parameter:

    jdbc:oracle:thin:@ten.mydomain.com:1521:cust_db
    
  • Connection Properties parameter

    After you configure data encryption and integrity, the connection properties are recorded in the sqlnet.ora file. The value that you must specify for the Connection Properties parameter is explained by the following sample scenario:

    See Also:

    Oracle Database Advanced Security Administrator's Guide for information about the sqlnet.ora file

    Suppose the following entries are recorded in the sqlnet.ora file:

    SQLNET.ENCRYPTION_SERVER=REQUIRED
    SQLNET.ENCRYPTION_TYPES_SERVER=(3DES168, DES40, DES, 3DES112)
    SQLNET.CRYPTO_CHECKSUM_SERVER=REQUESTED
    SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1,MD5)
    

    While creating the connector, you must specify the following as the value of the Connection Properties parameter:

    Note:

    • The property-value pairs must be separated by commas.

    • As shown in the following example, for the encryption_types and crypto_checksum_types properties, you can select any of the values recorded in the sqlnet.ora file.

    oracle.net.encryption_client=REQUIRED,oracle.net.encryption_types_client=(3DES168),oracle.net.crypto_checksum_client=REQUESTED,oracle.net.crypto_checksum_types_client=(MD5)
    
2.3.3.5.3 Only SSL Communication Is Configured

After you configure SSL communication, the database URL is recorded in the tnsnames.ora file. See Oracle Database Net Services Reference for detailed information about the tnsnames.ora file.

The following are sample formats of the contents of the tnsnames.ora file. In these formats, DESCRIPTION contains the connection descriptor, ADDRESS contains the protocol address, and CONNECT_DATA contains the database service identification information.

Sample Format 1:

NET_SERVICE_NAME=
 (DESCRIPTION=
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (CONNECT_DATA= 
     (SERVICE_NAME=SERVICE_NAME)))

Sample Format 2:

NET_SERVICE_NAME= 
 (DESCRIPTION_LIST=
  (DESCRIPTION= 
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (CONNECT_DATA= 
     (SERVICE_NAME=SERVICE_NAME)))
  (DESCRIPTION= 
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (CONNECT_DATA= 
     (SERVICE_NAME=SERVICE_NAME))))

Sample Format 3:

NET_SERVICE_NAME= 
 (DESCRIPTION= 
  (ADDRESS_LIST= 
   (LOAD_BALANCE=on)
   (FAILOVER=off)
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)))
  (ADDRESS_LIST= 
   (LOAD_BALANCE=off)
   (FAILOVER=on)
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)))
  (CONNECT_DATA=
   (SERVICE_NAME=SERVICE_NAME)))

If you have configured only SSL communication and imported the certificate that you create on the target system host computer into the JVM certificate store of Oracle Identity Manager, then enter the following values:

JDBC URL parameter

While creating the connector, the value that you specify for the JDBC URL parameter must be derived from the value of NET_SERVICE_NAME in the tnsnames.ora file. For example:

Note:

As shown in this example, you must include only the (ADDRESS=(PROTOCOL=TCPS)(HOST=HOST_NAME)(PORT=2484)) element because you are configuring SSL. You need not include other (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)) elements.

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost)(PORT=2484)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=mysid)))

Connection Properties parameter

Whether or not you need to specify a value for the Connection Properties parameter depends on the certificate store into which you import the certificate:

  • If you import the certificate into the certificate store of the JVM that Oracle Identity Manager is using, then you need not specify a value for the Connection Properties parameter.

  • If you import the certificate into any other certificate store, then while creating the connector, specify a value for the Connection Properties parameter in the following format:

    javax.net.ssl.trustStore=STORE_LOCATION,javax.net.ssl.trustStoreType=JKS,javax.net.ssl.trustStorePassword=STORE_PASSWORD
    

    When you specify this value, replace STORE_LOCATION with the full path and name of the certificate store, and replace STORE_PASSWORD with the password of the certificate store.

2.3.3.5.4 Both Data Encryption and Integrity and SSL Communication Are Configured

If both data encryption and integrity and SSL communication are configured, then:

  • JDBC URL parameter

    While creating the connector, to specify a value for the JDBC URL parameter, enter a comma-separated combination of the values for the JDBC URL parameter described in Section 2.3.3.5.2, "Only Data Encryption and Integrity Is Configured" and Section 2.3.3.5.3, "Only SSL Communication Is Configured". For example:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost)(PORT=2484)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=mysid)))
    
  • Connection Properties parameter

    While creating the connector, to specify a value for the Connection Properties parameter, enter a comma-separated combination of the values for the Connection Properties parameter described in Section 2.3.3.5.2, "Only Data Encryption and Integrity Is Configured" and Section 2.3.3.5.3, "Only SSL Communication Is Configured". For example:

    oracle.net.encryption_client=REQUIRED,oracle.net.encryption_types_client=(3DES168),oracle.net.crypto_checksum_client=REQUESTED,oracle.net.crypto_checksum_types_client=(MD5),javax.net.ssl.trustStore=STORE_LOCATION,javax.net.ssl.trustStoreType=JKS,javax.net.ssl.trustStorePassword=STORE_PASSWORD
    

    As shown in the following example, for the encryption_types and crypto_checksum_types properties, you can select any of the values recorded in the sqlnet.ora file. When you specify this value, replace STORE_LOCATION with the full path and name of the certificate store, and replace STORE_PASSWORD with the password of the certificate store.

2.3.3.6 Configuring the IT Resource

The IT resource is automatically created when you run the Connector Installer. You must specify values for the parameters of the IT resource as follows:

Note:

A predefined IT resource is created when you run the Connector Installer:

For the User Management connector: EBS-APPS12

For the User Management with HR Foundation connector: EBSHF-APPS12

For the User Management with TCA Foundation with connector: EBSTCAF-APPS12

If you do not want to use this IT resource, then you must create a different IT resource of the eBusiness Suite UM IT resource type.

You must use the Administrative and User Console to configure the IT resource. Values set for the connection pooling parameters will not take effect if you use the Design Console to configure the IT resource.

  1. Log in to the Administrative and User Console.

  2. If you are using Oracle Identity Manager release 9.1.0.x, expand Resource Management, and then click Manage IT Resource.

  3. If you are using Oracle Identity Manager release 11.1.x, then:

    • On the Welcome to Oracle Identity Manager Self Service page, click Advanced.

    • On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration section, click Manage IT Resource.

  4. If you are using Oracle Identity Manager release 11.1.2.x, then:

  5. In the IT Resource Name field on the Manage IT Resource page, enter EBS-APPS12 and then click Search.

  6. Click the edit icon for the IT resource. The following screenshot shows this page:

    Surrounding text describes it_res_search_res_5.gif.
  7. From the list at the top of the page, select Parameters. The following screenshot shows this page:

    Surrounding text describes it_res_sel_param_6.gif.
  8. Specify values for the parameters of the IT resource. Table 2-6 describes each parameter.

    Note:

    The ALL USERS group has READ permission on the default IT resource. This is to ensure that end users can select the IT resource during request-based provisioning. If you create another IT resource, then you must assign the READ permission for the ALL USERS group on the IT resource.

    Table 2-6 IT Resource Parameters

    Parameter Description

    Admin ID

    Enter the user name of the target system account to be used for provisioning operations.

    You create this account by performing the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations".

    Default value: apps

    Admin Password

    Enter the password of the target system account specified by the Admin ID parameter.

    Connection Properties

    Specify the connection properties for the target system database.

    See Section 2.3.3.5, "Determining Values for the JDBC URL and Connection Properties Parameters" for detailed information.

    Connection Retries

    Enter the number of consecutive attempts to be made at establishing a connection with the target system.

    Default value: 3

    Connection Timeout

    Enter the time in milliseconds within which the target system is expected to respond to a connection attempt.

    For a particular connection attempt, if the target system does not respond within the time interval specified by the Connection Timeout parameter, then it is assumed that the connection attempt has failed.

    Default value: 1200

    Context Application Name

    An application context is a set of elements associated with an artifact in Oracle E-Business Suite. The context implements user preferences and access control on the artifact. The Context Application Name, Context Responsibility Name, and Context User ID parameters define the context that is used for connector operations.

    For the Context Application Name parameter, enter the name of the application to which this user belongs.

    Default value: 0

    Context Responsibility Name

    Enter the responsibility assigned to the user in whose context connector operations are performed on the target system.

    Default value: 0

    Context User ID

    Enter the user ID of the user in whose context connector operations are performed on the target system.

    Default value: 0

    Enable Revoked User

    Enter yes if you want revoked resources to be enabled when the user name of the revoked resources are used to provision resources. Otherwise, enter no.

    When you perform a Revoke Account provisioning operation on an OIM User, the account of that user on the target system is disabled. If the Enable Revoked User parameter is set to yes and if you perform a Create Account provisioning operation for the same OIM User, then the account that was previously disabled on the target system is enabled. While performing the provisioning operation, you must specify the same User Name value as the one assigned to the account the first time. Field values that you provide during the Create Account operation are used to overwrite existing field values of the Oracle E-Business Suite account.

    Default value: yes

    JDBC URL

    Specify the JDBC URL for the target system database.

    See Section 2.3.3.5, "Determining Values for the JDBC URL and Connection Properties Parameters" for detailed information.

    Manage HR Record

    If you have installed the connector in the User Management with HR Foundation connector, then set this parameter to yes. Otherwise, set the value to no.

    Note: If you are using the User Management with TCA Foundation connector, then do not set a value for this parameter.

    Minimum Password Length

    Enter the minimum number of characters that the password must contain.

    Note: If the minimum password length has been set on the target system, then the value of the Minimum Password Length IT resource parameter and minimum password length on the target system must be the same.

    Default value: 1

    Retry Interval

    Enter the interval in milliseconds between consecutive attempts at establishing a connection with the target system.

    Default value: 10000

    SSL Enabled

    Enter yes if you plan to configure SSL to secure communication between Oracle Identity Manager and the target system. Otherwise, enter no.

    Default value: no

    SSO Enabled

    Enter yes if the target system is SSO enabled. Otherwise, enter no.

    Default value: no

    SSO IT Resource

    This is the name of the IT resource created for the LDAP-based system.

    See Section 2.3.3.7, "SSO IT Resource" for information related to SSO IT Resource.

    SSO Identifier

    Enter the name of the attribute that uniquely identifies a user throughout all the systems on the organization. This attribute need not be the same as the attribute specified in the SSO Login Attribute parameter.

    For Oracle Internet Directory: orclGUID

    For Microsoft Active Directory: objectGUID

    For Sun Java System Directory: nsUniqueID

    During a Create User provisioning operation, the connector takes the SSO Identifier value of the user from the LDAP-based system and populates it in the USER_GUID field of the target system.

    SSO Login Attribute

    Enter the name of the LDAP system user attribute that stores the user ID of users.

    For Oracle Internet Directory: uid

    For Microsoft Active Directory: sAMAccountName

    For Sun Java System Directory: uid

    Sun Java System Directory and OID both use different attributes to store the user ID of users. You can specify the name of the attribute as the value of the SSO Login Attribute parameter.

    Statement Timeout

    Enter the time in milliseconds within which a query run on the target system is expected to return results.

    If the results of a query are not returned within the specified time, then it is assumed that the connection with the target system has failed. The connector then attempts to reestablish a connection with the target system.

    Default value: 1200

    Manage TCA Record

    If you have installed the connector in the User Management with TCA Foundation connector, then set this parameter to yes. Otherwise, set the value to no.

    Note: If you are using the User Management with HR Foundation connector, then do not set a value for this parameter.

    TopologyName

    If you have installed the OAACG SIL provider, then enter the value of the Topology element in the SILConfig.xml file. See the SoD documentation for more information.

    Default value: None

    Configuration Lookup Name

    This parameter holds the name of the lookup definition that stores configuration information for connector operations. Depending on the connector that you are using, the value is one of the following:

    • For the User Management connector: Lookup.EBS.UM.Configuration

    • For the User Management with HR Foundation connector: Lookup.EBS.UMHRMS.Configuration

    • For the User Management with TCA Foundation connector: Lookup.EBS.UMTCA.Configuration

    You must not change the value of this parameter. However, if you create a copy of this lookup definition, then you can enter the name of the newly created lookup definition as the value of the Configuration Lookup Name parameter.

    Connection Pooling Parameters

     

    Abandoned connection timeout

    Time (in seconds) after which a connection must be automatically closed if it is not returned to the pool

    Note: You must set this parameter to a value that is high enough to accommodate processes that take a long time to complete (for example, full reconciliation).

    Default value: 600

    Connection wait timeout

    Maximum time (in seconds) for which the connector must wait for a connection to be available

    Default value: 60

    Inactive connection timeout

    Time (in seconds) of inactivity after which a connection must be dropped and replaced by a new connection in the pool

    Default value: 600

    Initial pool size

    Number of connections that must be established when the connection pool is initialized

    The pool is initialized when it receives the first connection request from a connector.

    Default value: 1

    Sample value: 3

    Max pool size

    Maximum number of connections that must be established in the pool at any point of time

    This number includes the connections that have been borrowed from the pool.

    Default value: 100

    Sample value: 30

    Min pool size

    Minimum number of connections that must be in the pool at any point of time

    This number includes the connections that have been borrowed from the pool.

    Default value: 5

    Validate connection on borrow

    Specifies whether or not a connection must be validated before it is lent by the pool

    The value can be true or false. It is recommended that you set the value to true.

    Default value: false

    Timeout check interval

    Time interval (in seconds) at which the other timeouts specified by the other parameters must be checked

    Default value: 30

    Pool preference

    Preferred connection pooling implementation

    Value: Default

    Note: Do not change this value of this parameter.

    Connection pooling supported

    Enter true if you want to enable connection pooling for this target system installation. Otherwise, enter false.

    Default value: false

    Target supports only one connection

    Indicates whether the target system can support one or more connections at a time

    Value: false

    Note: Do not change the value of this parameter.

    ResourceConnection class definition

    Implementation of the ResourceConnection class

    Value: oracle.iam.connectors.ebs.common.vo.EBSResourceConnectionImpl

    Note: Do not change the value of this parameter.

    Native connection pool class definition

    Wrapper to the native pool mechanism that implements the GenericPool

    Note: Do not specify a value for this parameter.

    Pool excluded fields

    Comma-separated list of IT parameters whose change must not trigger a refresh of the connector pool

    Value: Configuration Lookup Name,Manage TCA Record,Enable Revoked User,Statement Timeout,Context User ID,Context Application Name,Context Responsibility Name,TopologyName,SSO Enabled,SSO Identifier,SSO Login Attribute,SSO IT Resource,Manage HR Record

    Note:

    Do not change the value of this parameter unless you are adding or deleting a parameter from the IT resource. You must ensure that the total length of the list does not exceed 2000 characters. If you are adding a parameter to the IT resource, then that parameter name must be added to the above list with a comma separator. If you are deleting a parameter from the IT resource, then that parameter must be removed from the list if it exists in the list.

    You must restart Oracle Identity Manager for changes that you make to this parameter to take effect.


  9. To save the values, click Save.

Additional Configuration Step for Connection Pooling

If you are using Oracle Identity Manager release 9.1.0.x that is running on Oracle Application Server, then edit the opmn.xml file as follows:

  1. Open the following file in a text editor:

    OAS_HOME/opmn/conf/opmn.xml

  2. Search for the following block of lines:

    <process-type id="home" module-id="OC4J" status="enabled">
    <module-data>
    <category id="start-parameters">
    
  3. After this block of lines, add the following line:

    <data id="oc4j-options" value="-userThreads"/>
    
  4. Save and close the file.

  5. Restart the server.

2.3.3.7 SSO IT Resource

Perform the procedure mentioned below to set the value of SSO IT Resource field to LDAP System:

  1. Create a new IT Resource type, named for example LDAP system, with the following fields:

    • Server Address

    • Port

    • Root DN

    • Admin ID

    • Admin Password

      Note:

      Click the encrypted check box here

    • SSL

    You can provide default values or populate values as mentioned in the following step.

  2. Create a new IT Resource, named for example LDAP system with the following field values:

    • Server Address: Host name or IP address of the machine where LDAP is running

    • Port: LDAP port

    • Root DN: DN of the container under which users are stored in LDAP

    • Admin ID: DN to bind to LDAP

    • Admin Password: Password of the DN to bind to LDAP

    • SSL: True or False

  3. Modify EBS-APPS12 IT resource, and set the value of field SSO IT Resource to be LDAP System.

2.3.3.8 Disabling the Auto Save Form Feature on Oracle Identity Manager Releases 11.1.x and 11.1.2.x

Note:

If you want to configure the request-based provisioning feature of the connector on Oracle Identity Manager releases 11.1.x and 11.1.2.x, then skip this section.

The Auto Save Form option is meant for request-based provisioning in Oracle Identity Manager release 9.1.0.x. When you deploy the connector, this option is enabled by default. However, Oracle Identity Manager releases 11.1.x and 11.1.2.x does not use object forms. If you are using Oracle Identity Manager releases 11.1.x and 11.1.2.x, then disable the Auto Save Form option as follows:

  1. Log in to the Design Console.

  2. Expand Process Management, and then double-click Process Definition.

  3. Search for and open the process definition for the connector that you are using:

    See Section 4.9, "Configuring the Connector for Multiple Installations of the Target System" for a listing of the process definitions for each connector.

  4. Deselect the Auto Save Form check box.

  5. Click the Save icon.

2.3.3.9 Enabling Request-Based Provisioning

In request-based provisioning, an end user creates a request for a resource or entitlement by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource or entitlement on the resource can be viewed and approved by approvers designated in Oracle Identity Manager.

The following are features of request-based provisioning:

  • A user can be provisioned only one resource (account) on the target system.

    Note:

    Direct provisioning allows the provisioning of multiple Oracle E-Business Suite accounts on the target system.

  • Direct provisioning cannot be used if you enable request-based provisioning.

Depending on the Oracle Identity Manager release that you are using, perform the procedure described in one of the following sections:

2.3.3.9.1 Enabling Request-Based Provisioning on Oracle Identity Manager Release 9.1.0.x

When you run the Connector Installer, the request-based provisioning of accounts is automatically enabled. If you also want to enable request-based provisioning of entitlements, then perform the procedure described in this section.

This section covers the following topics:

Prerequisites

You must run Oracle Identity Manager in INFO mode when you import the XML file for request-based provisioning. If Oracle Identity Manager is running in DEBUG mode when you import the XML file, then the import operation does not work correctly.

Before you perform this procedure, set your browser to use JRE version 1.6.0_07. If you try to import the XML file with your browser set to any other JRE version, then the browser stops responding.

To enable request-based provisioning of entitlements:

Note:

Before you perform this procedure, set your browser to use JRE version 1.6.0_07. If you try to import the XML file with your browser set to any other JRE version, then the browser stops responding.

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for opening files is displayed.

  4. Locate and open one of the following XML files:

    • For the User Management connector: Oracle-eBusinessSuite-RequestApproval-ConnectorConfig.xml

    • For the User Management with HR Foundation connector: Oracle-eBusinessSuite-HRMS-RequestApproval-ConnectorConfig.xml

    • For the User Management with TCA Foundation connector: Oracle-eBusinessSuite-TCA-RequestApproval-ConnectorConfig.xml

    Details of the XML file that you select are shown on the File Preview page. The following screenshot shows this page:

    Surrounding text describes enable_reqprov_4.gif.
  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click View Selections.

    At this stage, the Deployment Manager Import page should not show an error. See the following screenshot:

    Surrounding text describes enable_reqprov_8.gif.
  8. Click Import.

    In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.

To suppress the Standard Approval process definition:

Note:

The Standard Approval process is common to all resource objects. If you enable request-based provisioning, then you must suppress this process definition.

  1. On the Design Console, expand Process Management and double-click Process Definition.

  2. Search for and open the Standard Approval process definition.

  3. On the Tasks tab, double-click the Approve task.

  4. On the Integration tab of the Editing Task dialog box, click Add. The following screenshot shows this page:

    Surrounding text describes std_appr_4.gif.
  5. In the Handler Selection dialog box:

    Select System.

    Select the tcCompleteTask handler.

    Click the Save icon, and then close the dialog box.

  6. In the Editing Task dialog box, click the Save icon and close the dialog box.

  7. Click the Save icon to save changes made to the process definition.

2.3.3.9.2 Enabling Request-Based Provisioning on Oracle Identity Manager Releases 11.1.x and 11.1.2.x:

To enable request-based provisioning, perform the following procedures:

Copying Predefined Request Datasets

A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. Predefined request datasets are shipped with this connector. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation. The following is the list of predefined request datasets available in the DataSets directory on the installation media:

  • ProvisionResource_eBusinessSuiteUser.xml

  • ProvisionResource_eBusinessSuiteUser_HRFoundation.xml

  • ProvisionResource_eBusinessSuiteUser_TCAFoundation.xml

  • ModifyProvisionedResource_eBusinessSuiteUser.xml

  • ModifyProvisionedResource_eBusinessSuiteUser_HRFoundation.xml

  • ModifyProvisionedResource_eBusinessSuiteUser_TCAFoundation.xml

Copy the files from the DataSets directory on the installation media to the OIM_HOME/DataSet/file directory.

Depending on your requirement, you can modify the file names of the request datasets. In addition, you can modify the information in the request datasets. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information on modifying request datasets.

Importing Request Datasets into MDS

Note:

In an Oracle Identity Manager cluster, perform this step on each node of the cluster.

All request datasets must be imported into the metadata store (MDS), which can be done by using the Oracle Identity Manager MDS Import utility.

To import a request dataset definition into the MDS:

  1. Ensure that you have set the environment for running the MDS Import utility. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about setting up the environment for MDS utilities.

  2. In a command window, change to the OIM_HOME/server/bin directory.

  3. Run one of the following commands:

    • On Microsoft Windows

      weblogicImportMetadata.bat
      
    • On UNIX

      weblogicImportMetadata.sh
      
  4. When prompted, enter values for the following:

    • Please enter your username [weblogic]

      Enter the username used to log in to the Oracle WebLogic Server

      Sample value: WL_User

    • Please enter your password [weblogic]

      Enter the password used to log in to the Oracle WebLogic Server

    • Please enter your server URL [t3://localhost:7001]

      Enter the URL of the application server in the following format:

      t3://HOST_NAME_IP_ADDRESS:PORT

      In this format, replace:

      • HOST_NAME_IP_ADDRESS with the host name or IP address of the computer on which Oracle Identity Manager is installed.

      • PORT with the port on which Oracle Identity Manager is listening.

    The request dataset is imported into MDS.

Enabling the Auto Save Form Feature

To enable the Auto Save Form feature:

  1. Log in to the Design Console.

  2. Expand Process Management, and then double-click Process Definition.

  3. Search for and open the process definition for the connector that you are using:

    See Section 4.9, "Configuring the Connector for Multiple Installations of the Target System" for a listing of the process definitions for each connector.

  4. Select the Auto Save Form check box.

  5. Click the Save icon.

Running the PurgeCache Utility

Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Section 2.3.3.3, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for instructions.

The procedure to enable request-based provisioning ends with this step.

2.3.4 Localizing Field Labels in UI Forms

Note:

Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.2.x and you want to localize UI form field labels.

To localize field label that you add to in UI forms:

  1. Publish the sandbox containing application instance form that is supposed to be localized.

  2. Export the MDS file, "/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf". In this file, you can see message keys and messages to be localized. sessiondef.oracle.iam.ui.runtime.form.model.testAppInstance.entity.testAppInstanceEO.UD_TES8393_ACCOUNTID__c_LABEL

    See Also:

    "Deploying and Undeploying Customizations" chapter in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager, for more information about exporting metadata files

  3. Export the file to localize, for example, for German: /xliffBundles/oracle/iam/ui/runtime/BizEditorBundle_de.xlf

    Note:

    This file may not exist in MDS. If it does not exist, create a new one, but path must be the same.

  4. Provide localization for messages in German, follow the same format as in the file exported in step 2.

    See Also:

    Oracle Fusion Applications Extensibility Guide for more information about translating resource bundles from metadata services metadata repository

  5. Import /xliffBundles/oracle/iam/ui/runtime/BizEditorBundle_de.xlf back to MDS.

  6. Logout and relogin.

2.4 Postcloning Steps

You can clone this connector by setting new names for some of the objects that comprise the connector. The outcome of the process is a new connector XML file. Most of the connector objects, such as Resource Object, Process Definition, Process Form, IT Resource Type Definition, IT Resource Instances, Lookup Definitions, Adapters, Reconciliation Rules and so on in the new connector XML file have new names.

See Also:

The "Managing Connector Lifecycle" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about cloning connectors and the steps mentioned in this section

After a copy of the connector is created by setting new names for connector objects, some objects might contain the details of the old connector objects. Therefore, you must modify the following Oracle Identity Manager objects to replace the base connector artifacts or attribute references with the corresponding cloned artifacts or attributes:

You can perform child form related operations by performing the following steps:

  1. On the Design Console, expand Development Tools and double-click Form Designer.

  2. Search for and open the process form for the connector that you are using.

  3. Click Create New Version to create a version of cloned child forms.

    For example, UD_EBS_RESP and UD_EBS_RLS.

  4. Go to the Properties tab.

  5. Select Lookup Query from the list to modify the lookup name and column name.

  6. Click the Save icon.

  7. Click Make Version Active to activate the new version of the process form.