The procedure to deploy the connector can be divided into the following stages:
Preinstallation information is divided across the following sections:
This section contains the following topics:
Section 2.1.1.1, "Files and Directories on the Installation Media"
Section 2.1.1.2, "Determining the Release Number of the Connector"
Section 2.1.1.3, "Creating a Backup of the Existing Common.jar File"
Table 2-1 lists the files and directories on the installation media.
Table 2-1 Files and Directories on the Installation Media
File in the Installation Media Directory | Description |
---|---|
config/ebsUMQuery.properties |
This file contains SQL queries that are used for target resource reconciliation. |
config/ebsUMLookupQuery.properties |
This file contains SQL queries that are used for lookup field synchronization. |
Files in the configuration directory Oracle_EBS_User-Management-CI.xml Oracle_EBS_User-HRMS-Management-CI.xml Oracle_EBS_User-TCA-Management-CI.xml |
This directory contains the configuration files that are used by the Connector Installer during installation of each connector. |
lib/EBSUM.jar |
This JAR file contains the class files that are used during reconciliation and provisioning operations. During connector installation, this file is copied to the following location:
|
lib/EBSCommon.jar |
This JAR file contains utility classes that support provisioning and reconciliation operations. During connector installation, this file is copied to the following location:
|
lib/Common.jar |
This JAR file contains classes that are used by all release 9.1.0 connectors. During connector installation, this file is copied to the following location:
|
Files in the resources directory |
Each of these resource bundles contains language-specific information that is used by the connector. During connector deployment, this file is copied to the following location:
Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages. |
scripts/script1/OIM.bat scripts/script1/OIM.sh |
This file contains commands to run the SQL scripts for creating a target system user and granting the required rights to the user. See Section 2.1.2.1, "Creating a Target System User Account for Connector Operations" for more information about this user. |
scripts/script1/OIM_FND_GLOBAL.pck |
This is the customized apps.fnd_global package. |
scripts/script1/OIM_FND_USER_PKG.pck |
This is the customized apps.fnd_user package. |
scripts/script1/OIM_EMPLOYEE_WRAPPER.pck |
This is a customized wrapper package for creating and updating employee records. |
scripts/script1/OIM_TCA_WRAPPER.pck |
This is a customized wrapper package for creating and updating party records. |
scripts/script1/OimUser.sql scripts/script1/OimUserGrants.sql scripts/script1/OimUserSynonyms.sql script/script1/OimUserAppstablesSynonyms.sql |
These file contains the SQL scripts to create a target system user account in a new tablespace, grant the required rights to the user, and create synonyms of various database objects to be used by the connector. See Section 2.1.2.1, "Creating a Target System User Account for Connector Operations" for more information about this user. |
scripts/script1/WL_LOCAL_SYNCH_PKG.pck |
This is the customized version of the apps.wf_local_synch package. It is used for role management. |
scripts/script1/EXECUTE ON APPS.UMX_ACCESS_ROLES_PVT |
This is a customized wrapper package for updating user roles. |
scripts/script1/EXECUTE ON APPS.FND_USER_RESP_GROUPS_API |
This is a customized wrapper package for updating user responsibilities. |
scripts/script2/ . . . |
This directory contains copies of the files in the scripts/script1 directory. You use the contents of either the script1 or script2 directory depending on the target system release that you are using. Section 2.1.2.1, "Creating a Target System User Account for Connector Operations" provides more details. |
test/config/config_um_prov.properties |
This properties file contains data that is used by the testing utility. See Section 5.1, "Running Test Cases" for more information. |
test/config/config_um_prov_fileOption.properties |
This properties file contains data that is used by the testing utility. See Section 5.1, "Running Test Cases" for more information. |
test/config/log.properties |
This file contains properties that you use to enable log4j logging. |
test/scripts/OracleEbiz.bat test/scripts/OracleEbiz.sh |
This file is used to run the testing utility. |
xml/Oracle-eBusinessSuite-Main-ConnectorConfig.xml |
This XML file contains configuration information about the User Management connector. The Connector Installer uses this XML file to create connector components that are used for both direct and request-based user account creation. |
xml/Oracle-eBusinessSuite-HRMS-Main-ConnectorConfig.xml |
This XML file contains configuration information about the User Management with HR Foundation connector. The Connector Installer uses this XML file to create connector components that are used for both direct and request-based creation of user records and person records. |
xml/Oracle-eBusinessSuite-TCA-Main-ConnectorConfig.xml |
This XML file contains configuration information about the User Management with TCA Foundation connector. The Connector Installer uses this XML file to create connector components that are used for both request-based creation of user records and TCA party records. |
xml/Oracle-eBusinessSuite-HRMS-RequestApproval-ConnectorConfig.xml |
This XML file is used for request-based entitlement provisioning in the User Management with HR Foundation connector. |
xml/Oracle-eBusinessSuite-RequestApproval-ConnectorConfig.xml |
This XML file is used for request-based entitlement provisioning in the User Management connector. |
xml/Oracle-eBusinessSuite-TCA-RequestApproval-ConnectorConfig.xml |
This XML file is used for request-based entitlement provisioning in the User Management with TCA Foundation connector. |
documentation/javadocs |
This directory contains information about the Java APIs used by the connector. |
You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:
In a temporary directory, extract the contents of the connector JAR file that is in the OIM_HOME/xellerate/JavaTasks directory.
For 11.1.x and 11.1.2.x server, download Connector JAR file from OIM database using DownloadJars utility.
Open the Manifest.mf file in a text editor. The Manifest.mf file is one of the files bundled inside the connector JAR file.
In the Manifest.mf file, the release number of the connector is displayed as the value of the Version property.
The Common.jar file is in the deployment package of each 9.1.x release of the connector. With each new release, code corresponding to that particular release is added to the existing code in this file. For example, the Common.jar file shipped with Connector Y on 12-July contains:
Code specific to Connector Y
Code included in the Common.jar files shipped with all other 9.1.x release of the connectors that were released before 12-July
If you have installed a release 9.1.x connector that was released after the current release of the Oracle E-Business User Management connector, back up the existing Common.jar file, install the Oracle E-Business User Management connector, and then restore the Common.jar file. The steps to perform this procedure are as follows:
Caution:
If you do not perform this procedure, then your release 9.1.x connectors might not work.Determine the release date of your existing release 9.1.x connector as follows:
Extract the contents of the following file in a temporary directory:
OIM_HOME/xellerate/JavaTasks/Common.jar
Note:
On Oracle Identity Manager releases 11.1.x and 11.1.2.x or later, use the Oracle Identity Manager Download JARs utility to download the Common.jar file from the database, and then extract the contents of this file into a temporary directory.See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager 11g Release 1 (11.1.1) for instructions about using the Download JARs utility.
Open the Manifest.mf file in a text editor.
Note down the Build Date and Build Version values.
Determine the Build Date and Build Version values of the current release of the Oracle E-Business User Management connector as follows:
On the installation media for the connector, extract the contents of the lib/Common.jar and then open the Manifest.mf file in a text editor.
Note down the Build Date and Build Version values.
If the Build Date and Build Version values for the Oracle E-Business User Management connector are less than the Build Date and Build Version values for the connector that is installed, then:
If you are using Oracle Identity Manager release 9.1.0.x, then:
Copy the OIM_HOME/xellerate/JavaTasks/Common.jar to a temporary location.
After you perform the procedure described in Section 2.2, "Installation" overwrite the new Common.jar file in the OIM_HOME/xellerate/JavaTasks directory with the Common.jar file that you backed up in the preceding step.
If you are using Oracle Identity Manager release 11.1.x, then run the Oracle Identity Manager Upload JARs utility to post the Common.jar file to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:
Note:
Before you run this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.For Microsoft Windows:
OIM_HOME/server/bin/UploadJars.bat
For UNIX:
OIM_HOME/server/bin/UploadJars.sh
When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1
as the value of the JAR type.
See Also:
Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about the Upload JARs utilityPreinstallation on the target system involves performing the procedure described in the following sections:
Section 2.1.2.1, "Creating a Target System User Account for Connector Operations"
Section 2.1.2.3, "Setting the Employee Number Creation Mode"
Note:
You must have DBA privileges to grant the required permissions to the target system user account.You must have Oracle Database Client installed on the computer on which you perform the procedure described in this section. The Oracle Database Client release must be the same as the database release. In addition, if Oracle Database Client is not installed on the database host computer, then the tnsnames.ora file on the Oracle Database Client host must contain an entry for the SID of the database.
Oracle Identity Manager requires a target system user account to access the target system during connector operations. You provide the credentials of this user account while performing the procedure described in Section 2.3.3.6, "Configuring the IT Resource."
To create a target system user account for connector operations:
From the installation media, copy one of the following directories to a temporary directory on either the target system host computer or a computer on which the Oracle Database Client has been installed:
See Also:
Section 2.1.1.1, "Files and Directories on the Installation Media" for information about the contents of the scripts directoryscripts/script1
The scripts in this directory create wrapper packages in the APPS schema. These wrapper packages are used for connector provisioning operations.
scripts/script2
The scripts in this directory create wrapper packages in the schema of the user that you are creating. These wrapper packages are used for connector provisioning operations.
To determine whether to copy the scripts in the script1 or the script2 directory:
If you are using the User Management connector, then run the following queries:
SELECT text FROM user_source WHERE name = 'FND_USER_PKG' AND type = 'PACKAGE' AND UPPER(text) LIKE '%AUTHID%'; SELECT text FROM user_source WHERE name = 'FND_GLOBAL' AND type = 'PACKAGE' AND UPPER(text) LIKE '%AUTHID%'; SELECT text FROM user_source WHERE name = 'WF_LOCAL_SYNCH' AND type = 'PACKAGE' AND UPPER(text) LIKE '%AUTHID%'; SELECT text FROM user_source WHERE name = 'UMX_ACCESS_ROLES_PVT' AND type = 'PACKAGE' AND UPPER(text) LIKE '%AUTHID%'; SELECT text FROM user_source WHERE name = 'FND_USER_RESP_GROUPS_API' AND type = 'PACKAGE' AND UPPER(text) LIKE '%AUTHID%';
If you are using the User Management with HR Foundation connector, then run the following queries:
SELECT text FROM user_source WHERE name = 'OIM_EMPLOYEE_WRAPPER' AND type = 'PACKAGE' AND UPPER(text) LIKE '%AUTHID%';
If you are using the User Management with TCA Foundation connector, then run the following queries:
SELECT text FROM user_source WHERE name = 'OIM_TCA_WRAPPER' AND type = 'PACKAGE' AND UPPER(text) LIKE '%AUTHID%';
If any of the queries that you run returns a row containing the text AUTHID CURRENT_USER
, then use the script1 directory. Otherwise, use either the script1 or the script2 directory.
On the computer where you copy the scripts directory, verify that there is a TNS entry in the tnsnames.ora file for the target system database.
Depending on the host platform, run either the OIM.sh or OIM.bat file.
When you run the script, you are prompted for the following information:
ORACLE_HOME path
This prompt is displayed only if the ORACLE_HOME environment variable has not been set on the computer on which you are running the script.
Enter the system user name
Enter the login (user name) of a DBA account with the privileges to create and configure a new target system user.
Enter the name of the database
Enter the connection string or service name given in the tnsnames.ora file to connect to the target system database.
Enter the name of the tablespace to be created
Enter a name for the tablespace to be created for the user.
Enter the name of the datafile to be created
Enter a name for the datafile to be created for the user.
Enter the path for the datafile to be created
Enter the path where the datafile must be created. The path is relative to the repository of the directory in which the target system is installed. If you do not enter a value at this prompt, then the default directory is created.
Enter New database Username to be created
Enter a user name for the target system account that you want to create.
Enter the New user password
Enter a password for the target system account that you want to create.
Connecting with newly created database user
Enter the connection string or service name that you provided earlier.
At the end of the operation, a log file (OIM_APPS_USER.log) is created in the scripts directory. If the user is successfully created, then a message to this effect is recorded in the log file.
During the account creation process, the following privileges are granted:
Additional Privileges Granted to the Account for the User Management with HR Foundation Connector
Additional Privileges Granted to the Account for the User Management with TCA Foundation Connector
Privileges Granted to the Account for All 3 Connectors
The following privileges are granted to the new database user account for all 3 connectors:
EXECUTE ON APPS.WF_LOCAL_SYNCH
EXECUTE ON APPS.FND_USER_PKG
EXECUTE ON APPS.FND_API
EXECUTE ON APPS.FND_GLOBAL
EXECUTE ON APPS.UMX_ACCESS_ROLES_PVT
EXECUTE ON APPS.FND_USER_RESP_GROUPS_API
SELECT ON APPS.FND_APPLICATION
SELECT ON APPS.FND_RESPONSIBILITY
SELECT ON APPS.FND_RESPONSIBILITY_TL
SELECT ON APPS.FND_RESPONSIBILITY_VL
SELECT ON APPS.FND_USER_RESP_GROUPS_DIRECT
SELECT ON APPS. PER_ALL_PEOPLE_F
SELECT ON APPS.FND_APPLICATION_TL
SELECT ON APPS.WF_LOCAL_USER_ROLES
SELECT ON APPS.WF_USER_ROLES
SELECT ON APPS.WF_LOCAL_ROLES
SELECT, UPDATE ON APPS.FND_USER
SELECT ON APPS.FND_SECURITY_GROUPS
SELECT ON APPS.FND_SECURITY_GROUPS_TL
EXECUTE ON APPS.OIM_FND_USER_PKG
EXECUTE ON APPS.OIM_FND_GLOBAL
EXECUTE ON APPS.WF_LOCAL_SYNCH_PKG
EXECUTE ON APPS.OIM_UMX_ACCESS_ROLES_PVT
EXECUTE ON APPS.OIM_FND_USER_RESP_GROUPS_API
Additional Privileges Granted to the Account for the User Management with HR Foundation Connector
In addition to the privileges listed in the "Privileges Granted to the Account for All 3 Connectors" section, the following privileges are granted to the account for the User Management with HR Foundation connector:
EXECUTE ON APPS.HR_EMPLOYEE_API
EXECUTE ON APPS.HR_PERSON_API
SELECT ON APPS.PER_ALL_ASSIGNMENTS_F
SELECT ON APPS.PER_PEOPLE_F
SELECT ON APPS.PER_PERSON_TYPES
SELECT ON APPS.PER_PERIODS_OF_SERVICE
Additional Privileges Granted to the Account for the User Management with TCA Foundation Connector
In addition to the privileges listed in the "Privileges Granted to the Account for All 3 Connectors" section, the following privileges are granted to the account for the User Management with TCA Foundation connector:
EXECUTE ON APPS.FND_OID_USERS
EXECUTE ON APPS.FND_OID_UTIL
SELECT, UPDATE ON APPS.HZ_PARTIES
SELECT, UPDATE ON APPS.HZ_PERSON_PROFILES
REVOKE SELECT ON APPS.PER_ALL_PEOPLE_F
The following custom wrapper packages are used during the Person Create and Update operations:
OIM_EMPLOYEE_WRAPPER
OIM_TCA_WRAPPER
OIM_UMX_ACCESS_ROLES_PVT.pck wrapper package is used during the Revoke Role operation.
If you plan to use the APPS account for reconciliation, provisioning, and revoke role operations, then:
Note:
Do not perform these steps if you plan to use the account described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations".Copy the packages from the scripts directory on the installation media into a directory on the target system host computer.
Log in to the database as the APPS user.
Run the following commands at the SQL prompt:
Note:
See Section 2.1.1.1, "Files and Directories on the Installation Media" for information about the location of the packages containing these SQL scripts.@<DIRECTORY_PATH_WHERE_THE_PACKAGES_ARE_SAVED>/OIM_EMPLOYEE_WRAPPER.pck @<DIRECTORY_PATH_WHERE_THE_PACKAGES_ARE_SAVED>/OIM_TCA_WRAPPER.pck @<DIRECTORY_PATH_WHERE_THE_PACKAGES_ARE_SAVED>/OIM_UMX_ACCESS_ROLES_PVT.pck
Note:
Perform the procedure described in this section only if you plan to use the User Management with HR Foundation connector.If you plan to use the User Management with HR Foundation connector, then the target system must be configured to manual mode for generating employee numbers. By default, employee numbers are automatically generated. To set the employee number generation mode to manual:
Log in to the target system.
Select the Oracle E-Business HRMS responsibility. For example: Human Resource Vision Enterprise.
Navigate to Workstructures > Organization > Description.
Search for and select the business group,
Click Others.
Select Business Group Info from the list of values.
Open the flexfield to view the setting for employee number generation
Set the value of Employee Number Generation to Manual.
Click OK.
Installing the connector on Oracle Identity Manager release 9.1.0 or later involves the following procedures:
Note:
You can perform these procedures to install each connector, in any order.Note:
In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.
Direct provisioning is automatically enabled after you run the Connector Installer. If required, you can enable request-based provisioning in the connector. See Section 2.3.3.9, "Enabling Request-Based Provisioning" if you want to use the request-based provisioning feature for this target system.
To run the Connector Installer:
Copy the contents of the connector installation media directory into the following directory:
Note:
In an Oracle Identity Manager cluster, perform this step on each node of the cluster.For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/ConnectorDefaultDirectory
For Oracle Identity Manager releases 11.1.x and 11.1.2.x or later: OIM_HOME/server/ConnectorDefaultDirectory
Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of the following guide:
For Oracle Identity Manager release 9.1.0.x:
Oracle Identity Manager Administrative and User Console Guide
For Oracle Identity Manager releases 11.1.x and 11.1.2.x or later:
Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
For Oracle Identity Manager release 9.1.0.x:
Click Deployment Management, and then click Install Connector.
For Oracle Identity Manager release 11.1.x:
On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Install Connector.
For Oracle Identity Manager release 11.1.2.x or later:
Log in to Oracle Identity System Administration by using the user account described in the "Creating the User Account for Installing Connectors" section Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
In the left pane, under System Management, click Manage Connector.
The Connector List list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory in Step 1.
You can select one of the following options:
For the User Management connector:
Oracle EBS User Management RELEASE_NUMBER
For the User Management with HR Foundation connector:
Oracle EBS HR Foundation User Management RELEASE_NUMBER
For the User Management with TCA Foundation connector:
Oracle EBS TCA Foundation User Management RELEASE_NUMBER
If you have copied the installation files into a different directory, then:
In the Alternative Directory field, enter the full path and name of that directory.
To repopulate the list of connectors in the Connector List list, click Refresh.
From the Connector List list, select the connector that you want to install.
Click Load. The following screenshot shows this page:
To start the installation process, click Continue.
The following tasks are performed in sequence:
Configuration of connector libraries
Import of the connector Target Resource user configuration XML file (by using the Deployment Manager).
Compilation of adapters
On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:
Retry the installation by clicking Retry.
Cancel the installation and begin again from Step 1.
If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. The following screenshot shows this page for Oracle Identity Manager release 9.1.0.x:
In addition, a list of steps that you must perform after the installation is displayed. These steps are as follows:
Ensuring that the prerequisites for using the connector are addressed
Note:
At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Section 2.3.3.3, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for information about running the PurgeCache utility.The prerequisites for this connector are also described later in this guide.
Configuring the IT resource for the connector
Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is described later in this guide.
Configuring the scheduled tasks that are created when you installed the connector
Record the names of the scheduled tasks displayed on this page. The procedure to configure these scheduled tasks is described later in this guide.
When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-1.
Installing the Connector in an Oracle Identity Manager Cluster
While installing Oracle Identity Manager in a cluster, you must copy all the JAR files and the contents of the connectorResources
directory into the corresponding directories on each node of the cluster. See Section 2.1.1.1, "Files and Directories on the Installation Media" for information about the files that you must copy and their destination locations on the Oracle Identity Manager server.
After you run the Connector Installer, you must manually copy the files listed in Table 2-2.
Note:
If a particular destination directory does not exist on the Oracle Identity Manager host computer, then create it.Table 2-2 Files to Be Copied to the Oracle Identity Manager Host Computer
Files on the Installation Media | Destination Directory on the Oracle Identity Manager Release 9.1.0.x Host Computer | Destination Directory on the Oracle Identity Manager releases 11.1.x and 11.1.2.x Host Computer |
---|---|---|
Files in the config directory |
OIM_HOME/xellerate/XLintegrations/EBSUM/config |
OIM_HOME/server/XLintegrations/EBSUM/config |
Files in the test/config directory |
OIM_HOME/xellerate/XLintegrations/EBSUM/config |
OIM_HOME/server/XLintegrations/EBSUM/config |
Files in the test/scripts directory |
OIM_HOME/xellerate/XLintegrations/EBSUM/scripts |
OIM_HOME/server/XLintegrations/EBSUM/scripts |
Postinstallation steps are divided across the following sections:
This section discusses the following procedures:
Note:
The ALL USERS group has INSERT, UPDATE, and DELETE permissions on the UD_EBS_USER, UD_EBS_RESP, UD_EBS_RLS, UD_EBSH_USR, UD_EBSH_RSP, UD_EBST_RLS, UD_EBST_USR, UD_EBST_RSP, and UD_EBST_RLS process forms. This is required to enable the following process:During SoD validation of an entitlement request, data first moves from a dummy object form to a dummy process form. From there, data is sent to the SoD engine for validation. If the request clears the SoD validation, then data is moved from the dummy process form to the actual process form. Because the data is moved to the actual process forms through APIs, the ALL USERS group must have INSERT, UPDATE, and DELETE permissions on the three process forms.
If you are using Oracle Identity Manager release 9.1.0.x, then see the "Configuring Oracle Application Access Controls Governor" section in the "Segregation of Duties (SoD) in Oracle Identity Manager" chapter in Oracle Identity Manager Tools Reference for information about this procedure.
If you are using Oracle Identity Manager releases 11.1.x and 11.1.2.x or later, then see the "Configuring Oracle Application Access Controls Governor" section of the "Configuring SoD Validation" chapter in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about this procedure.
The TopologyName IT resource parameter holds the name of the combination of the following elements that you want to use for SoD validation of entitlement provisioning operations:
Oracle Identity Manager installation
Oracle Applications Access Controls Governor installation
Oracle E-Business Suite installation
The value that you specify for the TopologyName parameter must be the same as the value of the topologyName element in the SILConfig.xml file. For Oracle Identity Manager releases 11.1.x and 11.1.2.x or later, if you are using default SIL registration, then specify sodoaacg
as the value of the topologyName parameter.
See one of the following for more information about this element:
For Oracle Identity Manager release 9.1.0.x, the "Segregation of Duties (SoD) in Oracle Identity Manager" chapter in Oracle Identity Manager Tools Reference.
For Oracle Identity Manager releases 11.1.x and 11.1.2.x or later, the "Configuring SoD Validation" chapter in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
See Section 2.3.3.6, "Configuring the IT Resource" section for information about specifying values for parameters of the IT resource.
This section describes the procedures to disable and enable SoD.
To disable SoD:
Note:
The SoD feature is disabled by default. Perform the following procedure only if the SoD feature is currently enabled and you want to disable it.Log in to one of the following consoles:
If you are using Oracle Identity Manager release 9.1.0.x, then log in to the Design Console.
If you are using Oracle Identity Manager release 11.1.x, then log in to the Administrative and User Console.
If you are using Oracle Identity Manager release 11.1.2.x or later, then log in to the System Administration console.
Set the XL.SoDCheckRequired system property to FALSE as follows:
For Oracle Identity Manager release 9.1.0.x:
Expand Administration, and then double-click System Configuration.
Search for and open the XL.SoDCheckRequired system property.
Set the value of the system property to FALSE
. The following screenshot shows this page:
Note:
You need not change the values of the XL.SIL.Home.Dir and Triggers Synchronous SoD checks offline system properties.Click the Save icon.
For Oracle Identity Manager releases 11.1.x:
On the Welcome page, click Advanced in the upper-right corner of the page.
On Welcome to Identity Manager Advanced Administration page, in the System Management section, click Search System Properties.
On the left pane, in the Search System Configuration field, enter XL.SoDCheckRequired
, which is the name of the system property as the search criterion.
In the search results table on the left pane, click the XL.SoDCheckRequired system property in the Property Name column.
On the System Property Detail page, in the Value field, enter FALSE
.
Click Save to save the changes made.
A message confirming that the system property has been modified is displayed.
For Oracle Identity Manager releases 11.1.2.x:
In the left pane, under System Management, click System Configuration. The Advanced Administration is displayed with the System Configuration section in the System Management tab is active.
On the left pane, in the Search System Configuration field, enter XL.SoDCheckRequired
, which is the name of the system property as the search criterion.
In the search results table on the left pane, click the XL.SoDCheckRequired system property in the Property Name column.
On the System Property Detail page, in the Value field, enter FALSE
.
Click Save to save the changes made.
A message confirming that the system property has been modified is displayed.
If you are going to perform the procedure described in Section 2.3.3.9, "Enabling Request-Based Provisioning", then for all approval process definitions, the human approval tasks must be made unconditional as follows:
Log in to the Design Console.
Expand Process Management, and then double-click Process Definition.
Search for and open the approval-type process definition for the connector that you are using. See Section 4.9, "Configuring the Connector for Multiple Installations of the Target System" for information about the connector objects.
On the Task tab, search for the Manager Approval task.
Make this task unconditional by deselecting the Conditional check box. See the following screenshot:
Save the changes to the process definition.
Restart Oracle Identity Manager.
To enable SoD:
Note:
If you are enabling SoD for the first time, then see one of the following documents for detailed information:Oracle Identity Manager release 9.1.0.x:
Oracle Identity Manager Readme for Release 9.1.0.2
Oracle Identity Manager releases 11.1.x and 11.1.2.x:
Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager
Log in to one of the following consoles:
If you are using Oracle Identity Manager release 9.1.0.x, then log in to the Design Console.
If you are using Oracle Identity Manager release 11.1.x, then log in to the Administrative and User Console.
If you are using Oracle Identity Manager release 11.1.2.x, then log in to the System Administration console.
Set the XL.SoDCheckRequired system property to TRUE as follows:
For Oracle Identity Manager release 9.1.0.x:
Expand Administration, and then double-click System Configuration.
Search for and open the XL.SoDCheckRequired system property.
Set the value of the system property to TRUE
. The following screenshot shows this page:
Note:
You need not change the values of the XL.SIL.Home.Dir and Triggers Synchronous SoD checks offline system properties.Click the Save icon.
For Oracle Identity Manager releases 11.1.x:
On the Welcome page, click Advanced in the upper-right corner of the page.
On Welcome to Identity Manager Advanced Administration page, in the System Management section, click Search System Properties.
On the left pane, in the Search System Configuration field, enter XL.SoDCheckRequired
, which is the name of the system property as the search criterion.
In the search results table on the left pane, click the XL.SoDCheckRequired system property in the Property Name column.
On the System Property Detail page, in the Value field, enter FALSE
.
Click Save to save the changes made.
A message confirming that the system property has been modified is displayed.
For Oracle Identity Manager releases 11.1.2.x or later:
In the left pane, under System Management, click System Configuration. The Advanced Administration is displayed with the System Configuration section in the System Management tab is active.
On the left pane, in the Search System Configuration field, enter XL.SoDCheckRequired
, which is the name of the system property as the search criterion.
In the search results table on the left pane, click the XL.SoDCheckRequired system property in the Property Name column.
On the System Property Detail page, in the Value field, enter FALSE
.
Click Save to save the changes made.
A message confirming that the system property has been modified is displayed.
If you are using Oracle Identity Manager release 9.1.0.x, then:
In the Design Console, expand Administration, and then double-click System Configuration.
Search for and open the XL.SIL.Home.Dir system property.
Verify that the value of this system property is set to the full path and name of the SIL_HOME directory. Here, SIL_HOME is the directory in which you have copied the SIL XML files.
If you are going to perform the procedure described in Section 2.3.3.9, "Enabling Request-Based Provisioning", then for all approval process definitions, the human approval tasks must be made conditional as follows:
On the Design Console.
Expand Process Management, and then double-click Process Definition.
Search for and open the approval-type process definition for the connector that you are using. See Section 4.9, "Configuring the Connector for Multiple Installations of the Target System" for information about the connector objects.
On the Task tab, search for the Manager Approval task.
Make this task conditional by selecting the Conditional check box. See the following screenshot:
Save the changes to the process definition.
Restart Oracle Identity Manager.
To secure communication between Oracle Database and Oracle Identity Manager, you can perform either one or both of the following procedures:
Note:
To perform the procedures described in this section, you must have the permissions required to modify the TNS listener configuration file.Section 2.3.2.1, "Configuring Data Encryption and Integrity in Oracle Database"
Section 2.3.2.2, "Configuring SSL Communication in Oracle Database"
See Oracle Database Advanced Security Administrator's Guide for information about configuring data encryption and integrity.
To enable SSL communication between Oracle Database and Oracle Identity Manager:
See Oracle Database Advanced Security Administrator's Guide for information about enabling SSL communication between Oracle Database and Oracle Identity Manager.
Export the certificate on the Oracle Database host computer.
Copy the certificate to Oracle Identity Manager.
Import the certificate into the JVM certificate store of the application server on which Oracle Identity Manager is running.
To import the certificate into the certificate store, run the following command:
keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
In this command:
Replace FILE_LOCATION
with the full path and name of the certificate file.
Replace ALIAS
with an alias for the certificate.
Replace TRUSTSTORE_PASSWORD
with a password for the certificate store.
Replace TRUSTSTORE_LOCATION
with one of the certificate store paths given in Table 2-3. This table shows the location of the certificate store for each of the supported application servers.
Note:
In an Oracle Identity Manager cluster, you must import the file into the certificate store on each node of the cluster.Table 2-3 Certificate Store Locations
Application Server | Certificate Store Location |
---|---|
Oracle WebLogic Server |
|
IBM WebSphere Application Server |
|
JBoss Application Server |
JAVA_HOME/jre/lib/security/cacerts |
Oracle Application Server |
ORACLE_HOME/jdk/jre/lib/security/cacerts |
Configuring Oracle Identity Manager involves performing the following procedures:
Section 2.3.3.2, "Configuring Oracle Identity Manager 11.1.2 or Later"
Section 2.3.3.3, "Clearing Content Related to Connector Resource Bundles from the Server Cache"
Section 2.3.3.5, "Determining Values for the JDBC URL and Connection Properties Parameters"
Note:
Perform the procedure described in this section only if your Oracle Identity Manager installation is running on Microsoft SQL Server.In this connector, the child forms of a resource implement the dependent lookup feature of Oracle Identity Manager. By default, the queries for synchronization of lookup field values from the target system are based on Oracle Database SQL. If your Oracle Identity Manager installation is running on Microsoft SQL Server, then you must modify the lookup queries for synchronization of lookup definitions as follows:
On the Design Console, expand Development Tools and double-click Form Designer.
Search for and open the process form for the connector that you are using.
Click Create New Version to create a version of the process form. Then, enter a version name and click the Save icon.
Go to the Properties tab.
Select the properties of the attribute according to your requirement.
Modify the Lookup Query property for the field. Existing and new values are listed in Table 2-4. The following screenshot shows this page:
Click the Save icon.
Click Make Version Active to activate the new version of the process form.
Create a new version of the parent form for the child form you modified and make that version active.
See Section 4.9, "Configuring the Connector for Multiple Installations of the Target System" for information about the process forms.
Table 2-4 Queries for Lookup Field Synchronization
Field Name | Oracle Database Version of the Query | Microsoft SQL Server Version of the Query |
---|---|---|
User Management connector |
||
UD_EBS_RLO_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_UO_EBS_ITRES$', '~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_UO_EBS_ITRES$' + '~' , lkv_encoded)>0 |
UD_EBS_RLO_ROLE_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBS_RLO_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBS_RLO_APP_NAME$' + '~' , lkv_encoded)>0 |
UD_EBS_RLS_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_USER_EBS_ITRES$', '~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_USER_EBS_ITRES$' + '~' , lkv_encoded)>0 |
UD_EBS_RLS_ROLE_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBS_RLS_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBS_RLS_APP_NAME$' + '~' , lkv_encoded)>0 |
UD_EBS_RSO_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_UO_EBS_ITRES$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_UO_EBS_ITRES$' + '~' , lkv_encoded)>0 |
UD_EBS_RSO_RESP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBS_RSO_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBS_RSO_APP_NAME$' + '~' , lkv_encoded)>0 |
UD_EBS_RSO_SEC_GROUP |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and instr(lkv_encoded,concat('$Form data.UD_EBS_UO_EBS_ITRES$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and CHARINDEX('$Form data.UD_EBS_UO_EBS_ITRES$' + '~' , lkv_encoded)>0 |
UD_EBS_RESP_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_USER_EBS_ITRES$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_USER_EBS_ITRES$' + '~' , lkv_encoded)>0 |
UD_EBS_RESP_SEC_GROUP |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and instr(lkv_encoded,concat('$Form data.UD_EBS_USER_EBS_ITRES$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and CHARINDEX('$Form data.UD_EBS_USER_EBS_ITRES$' + '~' , lkv_encoded)>0 |
UD_EBS_RESP_RESP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBS_RESP_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBS_RESP_APP_NAME$' + '~' , lkv_encoded)>0 |
UD_EBS_RLCO_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_RLPO_EBS_INST$', '~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_RLPO_EBS_INST$' + '~' ,lkv_encoded)>0 |
UD_EBS_RLCO_ROLE_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBS_RLCO_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBS_RLCO_APP_NAME$' + '~',lkv_encoded)>0 |
UD_EBS_RLCP_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_RLPP_EBS_INST$', '~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_RLPP_EBS_INST$' + '~',lkv_encoded)>0 |
UD_EBS_RLCP_ROLE_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBS_RLCP_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBS_RLCP_APP_NAME$' + '~' ,lkv_encoded)>0 |
UD_EBS_RSCO_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_RSPO_EBS_INST$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_RSPO_EBS_INST$' + '~' , lkv_encoded)>0 |
UD_EBS_RSCO_RESP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBS_RSCO_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBS_RSCO_APP_NAME$' + '~' , lkv_encoded)>0 |
UD_EBS_RSCP_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBS_RSPP_EBS_INST$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBS_RSPP_EBS_INST$' + '~' , lkv_encoded)>0 |
UD_EBS_RSCP_RESP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBS_RSCP_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBS_RSCP_APP_NAME$' + '~' , lkv_encoded)>0 |
User Management with HR Foundation connector |
||
UD_EBSH_RLO_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBSH_UO_EBS_ITRES$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBSH_UO_EBS_ITRES$' + '~', lkv_encoded)>0 |
UD_EBSH_RLO_ROLE_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBSH_RLO_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBSH_RLO_APP_NAME$' + '~',lkv_encoded) |
UD_EBSH_RLS_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBSH_USR_EBS_ITRES$', '~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBSH_USR_EBS_ITRES$' + '~', lkv_encoded)>0 |
UD_EBSH_RLS_ROLE_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBSH_RLS_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBSH_RLS_APP_NAME$' + '~', lkv_encoded)>0 |
UD_EBSH_RSO_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBSH_UO_EBS_ITRES$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBSH_UO_EBS_ITRES$' + '~' ,lkv_encoded)>0 |
UD_EBSH_RSO_SEC_GROUP |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and instr(lkv_encoded,concat('$Form data.UD_EBSH_UO_EBS_ITRES$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and CHARINDEX('$Form data.UD_EBSH_UO_EBS_ITRES$' + '~' ,lkv_encoded)>0 |
UD_EBSH_RSO_RESP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBSH_RSO_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBSH_RSO_APP_NAME$' + '~', lkv_encoded)>0 |
UD_EBSH_RSP_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBSH_USR_EBS_ITRES$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBSH_USR_EBS_ITRES$' + '~' ,lkv_encoded) |
UD_EBSH_RSP_SEC_GROUP |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and instr(lkv_encoded,concat('$Form data.UD_EBSH_USR_EBS_ITRES$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and CHARINDEX('$Form data.UD_EBSH_USR_EBS_ITRES$' + '~' ,lkv_encoded) |
UD_EBSH_RSP_RESP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBSH_RESP_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBSH_RESP_APP_NAME$' + '~' ,lkv_encoded) |
UD_EBH_RLCO_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBH_RLPO_EBS_INST$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBH_RLPO_EBS_INST$' + '~' , lkv_encoded)>0 |
UD_EBH_RLCO_ROLE_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBH_RLCO_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBH_RLCO_APP_NAME$' + '~' , lkv_encoded)>0 |
UD_EBH_RLCP_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBH_RLPP_EBS_INST$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBH_RLPP_EBS_INST$' + '~' , lkv_encoded)>0 |
UD_EBH_RLCP_ROLE_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBH_RLCP_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBH_RLCP_APP_NAME$' + '~', lkv_encoded)>0 |
UD_EBH_RSCO_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBH_RSPO_EBS_INST $','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data. UD_EBH_RSPO_EBS_INST $' + '~' , lkv_encoded)>0 |
UD_EBH_RSCO _RESP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data. UD_EBH_RSPO_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data. UD_EBH_RSPO_APP_NAME$' + '~' , lkv_encoded)>0 |
UD_EBH_RSCP_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBH_RSPP_EBS_INST$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBH_RSPP_EBS_INST$' + '~' , lkv_encoded)>0 |
UD_EBH_RSCP_RESP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBH_RSCP_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBH_RSCP_APP_NAME$' + '~' , lkv_encoded)>0 |
User Management with TCA Foundation connector |
||
UD_EBST_RLO_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBST_UO_EBS_ITRES$', '~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBST_UO_EBS_ITRES$' + '~', lkv_encoded)>0 |
UD_EBST_RLO_ROLE_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBST_RLO_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBST_RLO_APP_NAME$' + '~' ,lkv_encoded) |
UD_EBST_RLS_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBST_USR_EBS_ITRES$', '~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBST_USR_EBS_ITRES$' + '~' , lkv_encoded)>0 |
UD_EBST_RLS_ROLE_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBST_RLS_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBST_RLS_APP_NAME$' + '~' , lkv_encoded)>0 |
UD_EBST_RSO_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBST_UO_EBS_ITRES$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBST_UO_EBS_ITRES$' + '~', lkv_encoded)>0 |
UD_EBST_RSO_SEC_GROUP |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and instr(lkv_encoded,concat('$Form data.UD_EBST_UO_EBS_ITRES$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and CHARINDEX('$Form data.UD_EBST_UO_EBS_ITRES$' + '~', lkv_encoded)>0 |
UD_EBST_RSO_RESP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBST_RSO_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBST_RSO_APP_NAME$' + '~' , lkv_encoded)>0 |
UD_EBST_RSP_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBST_USR_EBS_ITRES$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBST_USR_EBS_ITRES$' + '~' , lkv_encoded)>0 |
UD_EBST_RSP_SEC_GROUP |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and instr(lkv_encoded,concat('$Form data.UD_EBST_USR_EBS_ITRES$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.SecurityGroup' and CHARINDEX('$Form data.UD_EBST_USR_EBS_ITRES$' + '~' , lkv_encoded)>0 |
UD_EBST_RSP_RESP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBST_RSP_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBST_RSP_APP_NAME$' + '~' , lkv_encoded)>0 |
UD_EBT_RLCO_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBT_RLPO_EBS_INST$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBT_RLPO_EBS_INST$' + '~' , lkv_encoded)>0 |
UD_EBT_RLCO_ROLE_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBT_RLCO_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBT_RLCO_APP_NAME$' + '~' , lkv_encoded)>0 |
UD_EBT_RLCP_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBT_RLPP_EBS_INST$', '~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv, lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBT_RLPP_EBS_INST$' + '~' , lkv_encoded)>0 |
UD_EBT_RLCP_ROLE_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and instr(lkv_encoded,concat('$Form data.UD_EBT_RLCP_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.UMX.Roles' and CHARINDEX('$Form data.UD_EBT_RLCP_APP_NAME$' + '~' , lkv_encoded)>0 |
UD_EBT_RSCO_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBT_RSPO_EBS_INST$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBT_RSPO_EBS_INST$' + '~' , lkv_encoded)>0 |
UD_EBT_RSCO_RESP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBT_RSCO_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBT_RSCO_APP_NAME$' + '~' , lkv_encoded)>0 |
UD_EBT_RSCP_APP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and instr(lkv_encoded,concat('$Form data.UD_EBT_RSPP_EBS_INST$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Application' and CHARINDEX('$Form data.UD_EBT_RSPP_EBS_INST$' + '~' , lkv_encoded)>0 |
UD_EBT_RSCP_RESP_NAME |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and instr(lkv_encoded,concat('$Form data.UD_EBT_RSCP_APP_NAME$','~'))>0 |
select lkv_encoded,lkv_decoded from lkv lkv,lku lku where lkv.lku_key=lku.lku_key and lku_type_string_key='Lookup.EBS.Responsibility' and CHARINDEX('$Form data.UD_EBT_RSCP_APP_NAME$' + '~' , lkv_encoded)>0 |
If you are using Oracle Identity Manager release 11.1.2.x or later, you must create additional metadata such as a UI form and an application instance. In addition, you must run entitlement and catalog synchronization jobs. These procedures are described in the following sections:
Section 2.3.3.2.5, "Harvesting Entitlements and Sync Catalog"
Section 2.3.3.2.6, "Updating an Existing Application Instance with a New Form"
Create and activate a sandbox as follows. For detailed instructions, see the "Managing Sandboxes" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
On the upper navigation bar, click Sandboxes. The Manage Sandboxes page is displayed.
On the toolbar, click Create Sandbox. The Create Sandbox dialog box is displayed.
In the Sandbox Name field, enter a name for the sandbox. This is a mandatory field.
In the Sandbox Description field, enter a description of the sandbox. This is an optional field.
Click Save and Close. A message is displayed with the sandbox name and creation label.
Click OK. The sandbox is displayed in the Available Sandboxes section of the Manage Sandboxes page.
Select the sandbox that you created.
From the table showing the available sandboxes in the Manage Sandboxes page, select the newly created sandbox that you want to activate.
On the toolbar, click Activate Sandbox.
The sandbox is activated.
Create a new UI form as follows. For detailed instructions, see the "Managing Forms" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
In the left pane, under Configuration, click Form Designer.
Under Search Results, click Create.
Select the resource type for which you want to create the form, for example, eBusiness User.
Enter a form name and click Create.
Note:
While creating a new UI form, the form type should be Parent Form + Child Tables (Master/Detail).
Ensure that you select the Generate Entitlement Forms check box.
Create an application instance as follows. For detailed instructions, see the "Managing Application Instances" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
In the System Administration page, under Configuration in the left pane, click Application Instances.
Under Search Results, click Create.
Enter appropriate values for the fields displayed on the Attributes form and click Save.
In the Form drop-down list, select the newly created form and click Apply.
Publish the application instance to an organization to make the application instance available for requesting and subsequent provisioning to users. See the "Managing Organizations Associated With Application Instances" section in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed instructions.
To publish the sandbox that you created in Section 2.3.3.2.1, "Creating and Activating a Sandbox.":
Close all the open tabs and pages.
From the table showing the available sandboxes in the Manage Sandboxes page, select the sandbox that you created in Section 2.3.3.2.1, "Creating and Activating a Sandbox."
On the toolbar, click Publish Sandbox. A message is displayed asking for confirmation.
Click Yes to confirm. The sandbox is published and the customizations it contained are merged with the main line.
To harvest entitlements and sync catalog:
Run the scheduled jobs for lookup field synchronization.
Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table. See the "Predefined Scheduled Tasks" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about this scheduled job.
Run the Catalog Synchronization Job scheduled job. See the "Predefined Scheduled Tasks" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about this scheduled job.
For any changes you do in the Form Designer, you must create a new UI form and update the changes in an application instance. To update an existing application instance with a new form:
Create a sandbox and activate it as described in Section 2.3.3.2.1, "Creating and Activating a Sandbox."
Create a new UI form for the resource as described in Section 2.3.3.2.2, "Creating a New UI Form."
Open the existing application instance.
In the Form field, select the new UI form that you created.
Save the application instance.
Publish the sandbox as described in Section 2.3.3.2.4, "Publishing a Sandbox."
Note:
In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster. Then, restart each node.When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the OIM_HOME/xellerate/connectorResources directory for Oracle Identity Manager release 9.1.0.x and Oracle Identity Manager database for Oracle Identity Manager releases 11.1.x and 11.1.2.x or later. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
In a command window, perform one of the following steps:
If you are using Oracle Identity Manager release 9.1.0.x, then switch to the OIM_HOME/xellerate/bin directory.
If you are using Oracle Identity Manager releases 11.1.x and 11.1.2.x or later, then switch to the OIM_HOME/server/bin directory.
Note:
You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:For Oracle Identity Manager release 9.1.0.x:
OIM_HOME/xellerate/bin/SCRIPT_FILE_NAME
For Oracle Identity Manager releases 11.1.x and 11.1.2.x or later:
OIM_HOME/server/bin/SCRIPT_FILE_NAME
Enter one of the following commands:
For Oracle Identity Manager release 9.1.0.x:
On Microsoft Windows: PurgeCache.bat ConnectorResourceBundle
On UNIX: PurgeCache.sh ConnectorResourceBundle
Note:
You can ignore the exception that is thrown when you perform Step 2. This exception is different from the one mentioned in Step 1.In this command, ConnectorResourceBundle
is one of the content categories that you can delete from the server cache. See the following file for information about the other content categories:
OIM_HOME/xellerate/config/xlconfig.xml
For Oracle Identity Manager releases 11.1.x and 11.1.2.x:
On Microsoft Windows: PurgeCache.bat All
On UNIX: PurgeCache.sh All
When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:
t3://OIM_HOST_NAME:OIM_PORT_NUMBER
In this format:
Replace OIM_HOST_NAME
with the host name or IP address of the Oracle Identity Manager host computer.
Replace OIM_PORT_NUMBER
with the port on which Oracle Identity Manager is listening.
See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.
Depending on the Oracle Identity Manager release you are using, perform instructions in one of the following sections:
Section 2.3.3.4.1, "Enabling Logging on Oracle Identity Manager Release 9.1.0.x"
Section 2.3.3.4.2, "Enabling Logging on Oracle Identity Manager Releases 11.1.x and 11.1.2.x"
Note:
In an Oracle Identity Manager cluster, you must perform this procedure on each node of the cluster. Then, restart each node.When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
ALL
This level enables logging for all events.
DEBUG
This level enables logging of information about fine-grained events that are useful for debugging.
INFO
This level enables logging of messages that highlight the progress of the application at a coarse-grained level.
WARN
This level enables logging of information about potentially harmful situations.
ERROR
This level enables logging of information about error events that might allow the application to continue running.
FATAL
This level enables logging of information about very severe error events that could cause the application to stop functioning.
OFF
This level disables logging for all events.
The file in which you set the log level and the log file path depend on the application server that you use:
IBM WebSphere Application Server
To enable logging:
Add the following line in the OIM_HOME/xellerate/config/log.properties file:
log4j.logger.OIMCP.EBSUM=log_level
In this line, replace log_level
with the log level that you want to set.
For example:
log4j.logger.OIMCP.EBSUM=INFO
After you enable logging, log information is written to the following file:
WEBSPHERE_HOME/AppServer/logs/SERVER_NAME/SystemOut.log
JBoss Application Server
To enable logging:
In the JBOSS_HOME/server/default/conf/jboss-log4j.xml file, add the following lines if they are not already present in the file:
<category name="ADAPTER.OIMCP.EBSUM">
<priority value="log_level"/>
</category>
In the second XML code line, replace log_level
with the log level that you want to set. For example:
<category name="ADAPTER.OIMCP.EBSUM"> <priority value="INFO"/> </category>
After you enable logging, log information is written to the following file:
JBOSS_HOME/server/default/log/server.log
Oracle Application Server
To enable logging:
Add the following line in the OIM_HOME/xellerate/config/log.properties file:
log4j.logger.OIMCP.EBSUM=log_level
In this line, replace log_level
with the log level that you want to set.
For example:
log4j.logger.OIMCP.EBSUM=INFO
After you enable logging, log information is written to the following file:
OC4J_HOME/opmn/logs/default_group~home~default_group~1.log
Oracle WebLogic Server
To enable logging:
Add the following line in the OIM_HOME/xellerate/config/log.properties file:
log4j.logger.OIMCP.EBSUM=log_level
In this line, replace log_level
with the log level that you want to set.
For example:
log4j.logger.OIMCP.EBSUM=INFO
After you enable logging, log information is displayed on the server console.
Note:
In an Oracle Identity Manager cluster, you must perform this procedure on each node of the cluster. Then, restart each node.Oracle Identity Manager releases 11.1.x and 11.1.2.x or later uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
SEVERE.intValue()+100
This level enables logging of information about fatal errors.
SEVERE
This level enables logging of information about errors that might allow Oracle Identity Manager to continue running.
WARNING
This level enables logging of information about potentially harmful situations.
INFO
This level enables logging of messages that highlight the progress of the application.
CONFIG
This level enables logging of information about fine-grained events that are useful for debugging.
FINE, FINER, FINEST
These levels enable logging of information about fine-grained events, where FINEST logs information about all events.
These log levels are mapped to ODL message type and level combinations as shown in Table 2-5.
Table 2-5 Log Levels and ODL Message Type:Level Combinations
Log Level | ODL Message Type:Level |
---|---|
SEVERE.intValue()+100 |
INCIDENT_ERROR:1 |
SEVERE |
ERROR:1 |
WARNING |
WARNING:1 |
INFO |
NOTIFICATION:1 |
CONFIG |
NOTIFICATION:16 |
FINE |
TRACE:1 |
FINER |
TRACE:16 |
FINEST |
TRACE:32 |
The configuration file for OJDL is logging.xml, which is located at the following path:
DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml
Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Manager.
To enable logging in Oracle WebLogic Server:
Edit the logging.xml file as follows:
Add the following blocks in the file:
<log_handler name='ebs-um-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'> <property name='logreader:' value='off'/> <property name='path' value='[FILE_NAME]'/> <property name='format' value='ODL-Text'/> <property name='useThreadName' value='true'/> <property name='locale' value='en'/> <property name='maxFileSize' value='5242880'/> <property name='maxLogSize' value='52428800'/> <property name='encoding' value='UTF-8'/> </log_handler>
<logger name="OIMCP.EBSUM" level="[LOG_LEVEL]" useParentHandlers="false">
<handler name="ebs-um-handler"/>
<handler name="console-handler"/>
</logger>
Replace both occurrences of [LOG_LEVEL]
with the ODL message type and level combination that you require. Table 2-5 lists the supported message type and level combinations.
Similarly, replace [FILE_NAME]
with the full path and name of the log file in which you want log messages to be recorded.
The following blocks show sample values for [LOG_LEVEL]
and [FILE_NAME]
:
<log_handler name='ebs-um-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'> <property name='logreader:' value='off'/> <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/> <property name='format' value='ODL-Text'/> <property name='useThreadName' value='true'/> <property name='locale' value='en'/> <property name='maxFileSize' value='5242880'/> <property name='maxLogSize' value='52428800'/> <property name='encoding' value='UTF-8'/> </log_handler> <logger name="OIMCP.EBSUM" level="NOTIFICATION:1" useParentHandlers="false"> <handler name="ebs-um-handler"/> <handler name="console-handler"/> </logger>
With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1
level are recorded in the specified file.
Save and close the file.
Set the following environment variable to redirect the server logs to a file:
For Microsoft Windows:
set WLS_REDIRECT_LOG=FILENAME
For UNIX:
export WLS_REDIRECT_LOG=FILENAME
Replace FILENAME with the location and name of the file to which you want to redirect the output.
Restart the application server.
This section discusses the JDBC URL and Connection Properties parameters. You apply the information in this section while performing the procedure described in Section 2.3.3.6, "Configuring the IT Resource".
The values that you specify for the JDBC URL and Connection Properties parameters depend on the security measures that you have implemented:
Section 2.3.3.5.2, "Only Data Encryption and Integrity Is Configured"
Section 2.3.3.5.4, "Both Data Encryption and Integrity and SSL Communication Are Configured"
The following are the supported JDBC URL formats:
Multiple database instances support one service (Oracle RAC)
JDBC URL format:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=HOST1_NAME.DOMAIN)(PORT=PORT1_NUMBER))(ADDRESS=(PROTOCOL=TCP)(HOST=HOST2_NAME.DOMAIN)(PORT=PORT2_NUMBER))(ADDRESS=(PROTOCOL=TCP)(HOST=HOST3_NAME.DOMAIN)(PORT=PORT3_NUMBER)) . . . (ADDRESS=(PROTOCOL=TCP)(HOST=HOSTn_NAME.DOMAIN)(PORT=PORTn_NUMBER))(CONNECT_DATA=(SERVICE_NAME=ORACLE_DATABASE_SERVICE_NAME)))
Sample value:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST= host1.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST= host2.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST= host3.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST= host4.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME= srvce1)))
One database instance supports one service
JDBC URL format:
jdbc:oracle:thin:@HOST_NAME.DOMAIN:PORT_NUMBER:ORACLE_DATABASE_SERVICE_NAME
Sample value:
jdbc:oracle:thin:@host1.example:1521:srvce1
One database instance supports multiple services (for Oracle Database 10g and later)
JDBC URL format:
jdbc:oracle:thin:@//HOST_NAME.DOMAIN:PORT_NUMBER/ORACLE_DATABASE_SERVICE_NAME
Sample value:
jdbc:oracle:thin:@host1.example.com:1521/srvce1
If you have configured only data encryption and integrity, then enter the following values:
JDBC URL parameter
While creating the connector, the value that you specify for the JDBC URL parameter must be in the following format:
jdbc:oracle:thin:@TARGET_HOST_NAME_or_IP_ADDRESS:PORT_NUM:sid
The following is a sample value for the JDBC URL parameter:
jdbc:oracle:thin:@ten.mydomain.com:1521:cust_db
Connection Properties parameter
After you configure data encryption and integrity, the connection properties are recorded in the sqlnet.ora file. The value that you must specify for the Connection Properties parameter is explained by the following sample scenario:
See Also:
Oracle Database Advanced Security Administrator's Guide for information about the sqlnet.ora fileSuppose the following entries are recorded in the sqlnet.ora file:
SQLNET.ENCRYPTION_SERVER=REQUIRED SQLNET.ENCRYPTION_TYPES_SERVER=(3DES168, DES40, DES, 3DES112) SQLNET.CRYPTO_CHECKSUM_SERVER=REQUESTED SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1,MD5)
While creating the connector, you must specify the following as the value of the Connection Properties parameter:
Note:
The property-value pairs must be separated by commas.
As shown in the following example, for the encryption_types
and crypto_checksum_types
properties, you can select any of the values recorded in the sqlnet.ora file.
oracle.net.encryption_client=REQUIRED,oracle.net.encryption_types_client=(3DES168),oracle.net.crypto_checksum_client=REQUESTED,oracle.net.crypto_checksum_types_client=(MD5)
After you configure SSL communication, the database URL is recorded in the tnsnames.ora file. See Oracle Database Net Services Reference for detailed information about the tnsnames.ora file.
The following are sample formats of the contents of the tnsnames.ora file. In these formats, DESCRIPTION
contains the connection descriptor, ADDRESS
contains the protocol address, and CONNECT_DATA
contains the database service identification information.
Sample Format 1:
NET_SERVICE_NAME= (DESCRIPTION= (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)) (CONNECT_DATA= (SERVICE_NAME=SERVICE_NAME)))
Sample Format 2:
NET_SERVICE_NAME= (DESCRIPTION_LIST= (DESCRIPTION= (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)) (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)) (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)) (CONNECT_DATA= (SERVICE_NAME=SERVICE_NAME))) (DESCRIPTION= (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)) (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)) (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)) (CONNECT_DATA= (SERVICE_NAME=SERVICE_NAME))))
Sample Format 3:
NET_SERVICE_NAME= (DESCRIPTION= (ADDRESS_LIST= (LOAD_BALANCE=on) (FAILOVER=off) (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)) (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))) (ADDRESS_LIST= (LOAD_BALANCE=off) (FAILOVER=on) (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)) (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))) (CONNECT_DATA= (SERVICE_NAME=SERVICE_NAME)))
If you have configured only SSL communication and imported the certificate that you create on the target system host computer into the JVM certificate store of Oracle Identity Manager, then enter the following values:
JDBC URL parameter
While creating the connector, the value that you specify for the JDBC URL parameter must be derived from the value of NET_SERVICE_NAME
in the tnsnames.ora file. For example:
Note:
As shown in this example, you must include only the(ADDRESS=(PROTOCOL=TCPS)(HOST=
HOST_NAME
)(PORT=2484))
element because you are configuring SSL. You need not include other (ADDRESS=(
PROTOCOL_ADDRESS_INFORMATION
))
elements.jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost)(PORT=2484)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=mysid)))
Connection Properties parameter
Whether or not you need to specify a value for the Connection Properties parameter depends on the certificate store into which you import the certificate:
If you import the certificate into the certificate store of the JVM that Oracle Identity Manager is using, then you need not specify a value for the Connection Properties parameter.
If you import the certificate into any other certificate store, then while creating the connector, specify a value for the Connection Properties parameter in the following format:
javax.net.ssl.trustStore=STORE_LOCATION,javax.net.ssl.trustStoreType=JKS,javax.net.ssl.trustStorePassword=STORE_PASSWORD
When you specify this value, replace STORE_LOCATION
with the full path and name of the certificate store, and replace STORE_PASSWORD
with the password of the certificate store.
If both data encryption and integrity and SSL communication are configured, then:
JDBC URL parameter
While creating the connector, to specify a value for the JDBC URL parameter, enter a comma-separated combination of the values for the JDBC URL parameter described in Section 2.3.3.5.2, "Only Data Encryption and Integrity Is Configured" and Section 2.3.3.5.3, "Only SSL Communication Is Configured". For example:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost)(PORT=2484)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=mysid)))
Connection Properties parameter
While creating the connector, to specify a value for the Connection Properties parameter, enter a comma-separated combination of the values for the Connection Properties parameter described in Section 2.3.3.5.2, "Only Data Encryption and Integrity Is Configured" and Section 2.3.3.5.3, "Only SSL Communication Is Configured". For example:
oracle.net.encryption_client=REQUIRED,oracle.net.encryption_types_client=(3DES168),oracle.net.crypto_checksum_client=REQUESTED,oracle.net.crypto_checksum_types_client=(MD5),javax.net.ssl.trustStore=STORE_LOCATION,javax.net.ssl.trustStoreType=JKS,javax.net.ssl.trustStorePassword=STORE_PASSWORD
As shown in the following example, for the encryption_types
and crypto_checksum_types
properties, you can select any of the values recorded in the sqlnet.ora file. When you specify this value, replace STORE_LOCATION
with the full path and name of the certificate store, and replace STORE_PASSWORD
with the password of the certificate store.
The IT resource is automatically created when you run the Connector Installer. You must specify values for the parameters of the IT resource as follows:
Note:
A predefined IT resource is created when you run the Connector Installer:
For the User Management connector: EBS-APPS12
For the User Management with HR Foundation connector: EBSHF-APPS12
For the User Management with TCA Foundation with connector: EBSTCAF-APPS12
If you do not want to use this IT resource, then you must create a different IT resource of the eBusiness Suite UM IT resource type.
You must use the Administrative and User Console to configure the IT resource. Values set for the connection pooling parameters will not take effect if you use the Design Console to configure the IT resource.
Log in to the Administrative and User Console.
If you are using Oracle Identity Manager release 9.1.0.x, expand Resource Management, and then click Manage IT Resource.
If you are using Oracle Identity Manager release 11.1.x, then:
On the Welcome to Oracle Identity Manager Self Service page, click Advanced.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration section, click Manage IT Resource.
If you are using Oracle Identity Manager release 11.1.2.x or later, then:
Create and activate a sandbox. For detailed instructions on creating and activating a sandbox, see the "Managing Sandboxes" section of Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
In the left pane, under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter EBS-APPS12
and then click Search.
Click the edit icon for the IT resource. The following screenshot shows this page:
From the list at the top of the page, select Parameters. The following screenshot shows this page:
Specify values for the parameters of the IT resource. Table 2-6 describes each parameter.
Note:
The ALL USERS group has READ permission on the default IT resource. This is to ensure that end users can select the IT resource during request-based provisioning. If you create another IT resource, then you must assign the READ permission for the ALL USERS group on the IT resource.Table 2-6 IT Resource Parameters
Parameter | Description |
---|---|
Admin ID |
Enter the user name of the target system account to be used for provisioning operations. You create this account by performing the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations". Default value: |
Admin Password |
Enter the password of the target system account specified by the Admin ID parameter. |
Connection Properties |
Specify the connection properties for the target system database. See Section 2.3.3.5, "Determining Values for the JDBC URL and Connection Properties Parameters" for detailed information. |
Connection Retries |
Enter the number of consecutive attempts to be made at establishing a connection with the target system. Default value: |
Connection Timeout |
Enter the time in milliseconds within which the target system is expected to respond to a connection attempt. For a particular connection attempt, if the target system does not respond within the time interval specified by the Connection Timeout parameter, then it is assumed that the connection attempt has failed. Default value: |
Context Application Name |
An application context is a set of elements associated with an artifact in Oracle E-Business Suite. The context implements user preferences and access control on the artifact. The Context Application Name, Context Responsibility Name, and Context User ID parameters define the context that is used for connector operations. For the Context Application Name parameter, enter the name of the application to which this user belongs. Default value: |
Context Responsibility Name |
Enter the responsibility assigned to the user in whose context connector operations are performed on the target system. Default value: |
Context User ID |
Enter the user ID of the user in whose context connector operations are performed on the target system. Default value: |
Enable Revoked User |
Enter When you perform a Revoke Account provisioning operation on an OIM User, the account of that user on the target system is disabled. If the Enable Revoked User parameter is set to Default value: |
JDBC URL |
Specify the JDBC URL for the target system database. See Section 2.3.3.5, "Determining Values for the JDBC URL and Connection Properties Parameters" for detailed information. |
Manage HR Record |
If you have installed the connector in the User Management with HR Foundation connector, then set this parameter to Note: If you are using the User Management with TCA Foundation connector, then do not set a value for this parameter. |
Minimum Password Length |
Enter the minimum number of characters that the password must contain. Note: If the minimum password length has been set on the target system, then the value of the Minimum Password Length IT resource parameter and minimum password length on the target system must be the same. Default value: |
Retry Interval |
Enter the interval in milliseconds between consecutive attempts at establishing a connection with Default value: 10000 |
SSL Enabled |
Enter Default value: |
SSO Enabled |
Enter Default value: |
SSO IT Resource |
This is the name of the IT resource created for the LDAP-based system. See Section 2.3.3.7, "SSO IT Resource" for information related to SSO IT Resource. |
SSO Identifier |
Enter the name of the attribute that uniquely identifies a user throughout all the systems on the organization. This attribute need not be the same as the attribute specified in the SSO Login Attribute parameter. For Oracle Internet Directory: For Microsoft Active Directory: For Sun Java System Directory: During a Create User provisioning operation, the connector takes the SSO Identifier value of the user from the LDAP-based system and populates it in the USER_GUID field of the target system. |
SSO Login Attribute |
Enter the name of the LDAP system user attribute that stores the user ID of users. For Oracle Internet Directory: For Microsoft Active Directory: For Sun Java System Directory: Sun Java System Directory and OID both use different attributes to store the user ID of users. You can specify the name of the attribute as the value of the SSO Login Attribute parameter. |
Statement Timeout |
Enter the time in milliseconds within which a query run on the target system is expected to return results. If the results of a query are not returned within the specified time, then it is assumed that the connection with the target system has failed. The connector then attempts to reestablish a connection with the target system. Default value: |
Manage TCA Record |
If you have installed the connector in the User Management with TCA Foundation connector, then set this parameter to Note: If you are using the User Management with HR Foundation connector, then do not set a value for this parameter. |
TopologyName |
If you have installed the OAACG SIL provider, then enter the value of the Topology element in the SILConfig.xml file. See the SoD documentation for more information. Default value: |
Configuration Lookup Name |
This parameter holds the name of the lookup definition that stores configuration information for connector operations. Depending on the connector that you are using, the value is one of the following:
You must not change the value of this parameter. However, if you create a copy of this lookup definition, then you can enter the name of the newly created lookup definition as the value of the Configuration Lookup Name parameter. |
Connection Pooling Parameters |
|
Abandoned connection timeout |
Time (in seconds) after which a connection must be automatically closed if it is not returned to the pool Note: You must set this parameter to a value that is high enough to accommodate processes that take a long time to complete (for example, full reconciliation). Default value: |
Connection wait timeout |
Maximum time (in seconds) for which the connector must wait for a connection to be available Default value: 60 |
Inactive connection timeout |
Time (in seconds) of inactivity after which a connection must be dropped and replaced by a new connection in the pool Default value: 600 |
Initial pool size |
Number of connections that must be established when the connection pool is initialized The pool is initialized when it receives the first connection request from a connector. Default value: 1 Sample value: 3 |
Max pool size |
Maximum number of connections that must be established in the pool at any point of time This number includes the connections that have been borrowed from the pool. Default value: 100 Sample value: 30 |
Min pool size |
Minimum number of connections that must be in the pool at any point of time This number includes the connections that have been borrowed from the pool. Default value: 5 |
Validate connection on borrow |
Specifies whether or not a connection must be validated before it is lent by the pool The value can be Default value: |
Timeout check interval |
Time interval (in seconds) at which the other timeouts specified by the other parameters must be checked Default value: 30 |
Pool preference |
Preferred connection pooling implementation Value: Note: Do not change this value of this parameter. |
Connection pooling supported |
Enter Default value: |
Target supports only one connection |
Indicates whether the target system can support one or more connections at a time Value: Note: Do not change the value of this parameter. |
ResourceConnection class definition |
Implementation of the ResourceConnection class Value: Note: Do not change the value of this parameter. The value in this parameter is used only when the Connection pooling supported IT resource parameter is set to |
Native connection pool class definition |
Wrapper to the native pool mechanism that implements the GenericPool Note: Do not specify a value for this parameter. |
Pool excluded fields |
Comma-separated list of IT parameters whose change must not trigger a refresh of the connector pool Value: Configuration Lookup Name,Manage TCA Record,Enable Revoked User,Statement Timeout,Context User ID,Context Application Name,Context Responsibility Name,TopologyName,SSO Enabled,SSO Identifier,SSO Login Attribute,SSO IT Resource,Manage HR Record Note: Do not change the value of this parameter unless you are adding or deleting a parameter from the IT resource. You must ensure that the total length of the list does not exceed 2000 characters. If you are adding a parameter to the IT resource, then that parameter name must be added to the above list with a comma separator. If you are deleting a parameter from the IT resource, then that parameter must be removed from the list if it exists in the list. You must restart Oracle Identity Manager for changes that you make to this parameter to take effect. |
To save the values, click Save.
Additional Configuration Step for Connection Pooling
If you are using Oracle Identity Manager release 9.1.0.x that is running on Oracle Application Server, then edit the opmn.xml file as follows:
Open the following file in a text editor:
OAS_HOME/opmn/conf/opmn.xml
Search for the following block of lines:
<process-type id="home" module-id="OC4J" status="enabled"> <module-data> <category id="start-parameters">
After this block of lines, add the following line:
<data id="oc4j-options" value="-userThreads"/>
Save and close the file.
Restart the server.
Perform the procedure mentioned below to set the value of SSO IT Resource field to LDAP System:
Create a new IT Resource type, named for example LDAP system, with the following fields:
Server Address
Port
Root DN
Admin Id
Admin Password
Note:
Click the encrypted check box hereSSL
You can provide default values or populate values as mentioned in the following step.
Create a new IT Resource, named for example LDAP system with the following field values:
Server Address: Host name or IP address of the machine where LDAP is running
Port: LDAP port
Root DN: DN of the container under which users are stored in LDAP
Admin Id: DN to bind to LDAP
Admin Password: Password of the DN to bind to LDAP
SSL: True or False
Modify EBS-APPS12
IT resource, and set the value of field SSO IT Resource to be LDAP System.
Note:
If you want to configure the request-based provisioning feature of the connector on Oracle Identity Manager releases 11.1.x and 11.1.2.x, then skip this section.The Auto Save Form option is meant for request-based provisioning in Oracle Identity Manager release 9.1.0.x. When you deploy the connector, this option is enabled by default. However, Oracle Identity Manager releases 11.1.x and 11.1.2.x does not use object forms. If you are using Oracle Identity Manager releases 11.1.x and 11.1.2.x, then disable the Auto Save Form option as follows:
Log in to the Design Console.
Expand Process Management, and then double-click Process Definition.
Search for and open the process definition for the connector that you are using:
See Section 4.9, "Configuring the Connector for Multiple Installations of the Target System" for a listing of the process definitions for each connector.
Deselect the Auto Save Form check box.
Click the Save icon.
In request-based provisioning, an end user creates a request for a resource or entitlement by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource or entitlement on the resource can be viewed and approved by approvers designated in Oracle Identity Manager.
The following are features of request-based provisioning:
A user can be provisioned only one resource (account) on the target system.
Note:
Direct provisioning allows the provisioning of multiple Oracle E-Business Suite accounts on the target system.Direct provisioning cannot be used if you enable request-based provisioning.
Depending on the Oracle Identity Manager release that you are using, perform the procedure described in one of the following sections:
When you run the Connector Installer, the request-based provisioning of accounts is automatically enabled. If you also want to enable request-based provisioning of entitlements, then perform the procedure described in this section.
This section covers the following topics:
Prerequisites
You must run Oracle Identity Manager in INFO mode when you import the XML file for request-based provisioning. If Oracle Identity Manager is running in DEBUG mode when you import the XML file, then the import operation does not work correctly.
Before you perform this procedure, set your browser to use JRE version 1.6.0_07. If you try to import the XML file with your browser set to any other JRE version, then the browser stops responding.
To enable request-based provisioning of entitlements:
Note:
Before you perform this procedure, set your browser to use JRE version 1.6.0_07. If you try to import the XML file with your browser set to any other JRE version, then the browser stops responding.Open the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management. A dialog box for opening files is displayed.
Locate and open one of the following XML files:
For the User Management connector: Oracle-eBusinessSuite-RequestApproval-ConnectorConfig.xml
For the User Management with HR Foundation connector: Oracle-eBusinessSuite-HRMS-RequestApproval-ConnectorConfig.xml
For the User Management with TCA Foundation connector: Oracle-eBusinessSuite-TCA-RequestApproval-ConnectorConfig.xml
Details of the XML file that you select are shown on the File Preview page. The following screenshot shows this page:
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click View Selections.
At this stage, the Deployment Manager Import page should not show an error. See the following screenshot:
Click Import.
In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.
To suppress the Standard Approval process definition:
Note:
The Standard Approval process is common to all resource objects. If you enable request-based provisioning, then you must suppress this process definition.On the Design Console, expand Process Management and double-click Process Definition.
Search for and open the Standard Approval process definition.
On the Tasks tab, double-click the Approve task.
On the Integration tab of the Editing Task dialog box, click Add. The following screenshot shows this page:
In the Handler Selection dialog box:
Select System.
Select the tcCompleteTask handler.
Click the Save icon, and then close the dialog box.
In the Editing Task dialog box, click the Save icon and close the dialog box.
Click the Save icon to save changes made to the process definition.
To enable request-based provisioning, perform the following procedures:
Copying Predefined Request Datasets
A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. Predefined request datasets are shipped with this connector. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation. The following is the list of predefined request datasets available in the DataSets directory on the installation media:
ProvisionResource_eBusinessSuiteUser.xml
ProvisionResource_eBusinessSuiteUser_HRFoundation.xml
ProvisionResource_eBusinessSuiteUser_TCAFoundation.xml
ModifyProvisionedResource_eBusinessSuiteUser.xml
ModifyProvisionedResource_eBusinessSuiteUser_HRFoundation.xml
ModifyProvisionedResource_eBusinessSuiteUser_TCAFoundation.xml
Copy the files from the DataSets directory on the installation media to the OIM_HOME/DataSet/file directory.
Depending on your requirement, you can modify the file names of the request datasets. In addition, you can modify the information in the request datasets. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information on modifying request datasets.
Importing Request Datasets into MDS
Note:
In an Oracle Identity Manager cluster, perform this step on each node of the cluster.All request datasets must be imported into the metadata store (MDS), which can be done by using the Oracle Identity Manager MDS Import utility.
To import a request dataset definition into the MDS:
Ensure that you have set the environment for running the MDS Import utility. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about setting up the environment for MDS utilities.
In a command window, change to the OIM_HOME/server/bin directory.
Run one of the following commands:
On Microsoft Windows
weblogicImportMetadata.bat
On UNIX
weblogicImportMetadata.sh
When prompted, enter values for the following:
Please enter your username [weblogic]
Enter the username used to log in to the Oracle WebLogic Server
Sample value: WL_User
Please enter your password [weblogic]
Enter the password used to log in to the Oracle WebLogic Server
Please enter your server URL [t3://localhost:7001]
Enter the URL of the application server in the following format:
t3://
HOST_NAME_IP_ADDRESS
:
PORT
In this format, replace:
HOST_NAME_IP_ADDRESS with the host name or IP address of the computer on which Oracle Identity Manager is installed.
PORT with the port on which Oracle Identity Manager is listening.
The request dataset is imported into MDS.
Enabling the Auto Save Form Feature
To enable the Auto Save Form feature:
Log in to the Design Console.
Expand Process Management, and then double-click Process Definition.
Search for and open the process definition for the connector that you are using:
See Section 4.9, "Configuring the Connector for Multiple Installations of the Target System" for a listing of the process definitions for each connector.
Select the Auto Save Form check box.
Click the Save icon.
Running the PurgeCache Utility
Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Section 2.3.3.3, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for instructions.
The procedure to enable request-based provisioning ends with this step.
Note:
Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.2.x or later and you want to localize UI form field labels.To localize field label that you add to in UI forms:
Publish the sandbox containing application instance form that is supposed to be localized.
Export the MDS file, "/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf". In this file, you can see message keys and messages to be localized. sessiondef.oracle.iam.ui.runtime.form.model.testAppInstance.entity.testAppInstanceEO.UD_TES8393_ACCOUNTID__c_LABEL
See Also:
"Deploying and Undeploying Customizations" chapter in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager, for more information about exporting metadata filesExport the file to localize, for example, for German: /xliffBundles/oracle/iam/ui/runtime/BizEditorBundle_de.xlf
Note:
This file may not exist in MDS. If it does not exist, create a new one, but path must be the same.Provide localization for messages in German, follow the same format as in the file exported in step 2.
See Also:
Oracle Fusion Applications Extensibility Guide for more information about translating resource bundles from metadata services metadata repositoryImport /xliffBundles/oracle/iam/ui/runtime/BizEditorBundle_de.xlf back to MDS.
Logout and relogin.
You can clone this connector by setting new names for some of the objects that comprise the connector. The outcome of the process is a new connector XML file. Most of the connector objects, such as Resource Object, Process Definition, Process Form, IT Resource Type Definition, IT Resource Instances, Lookup Definitions, Adapters, Reconciliation Rules and so on in the new connector XML file have new names.
See Also:
The "Managing Connector Lifecycle" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about cloning connectors and the steps mentioned in this sectionAfter a copy of the connector is created by setting new names for connector objects, some objects might contain the details of the old connector objects. Therefore, you must modify the following Oracle Identity Manager objects to replace the base connector artifacts or attribute references with the corresponding cloned artifacts or attributes:
Adapter Tasks
Ensure that all the cloned Oracle E-Business Suite adapter literal variables are referring to the current process form fields. If not, reference the adapter literal variables by correcting them and build the adapter again.
Lookup Definition
Verify the lookup entries in all lookup definitions to ensure that the code keys of the lookup definition are referring to the appropriate cloned form fields. If not, reference the code keys to the appropriate fields of the cloned form.
You can perform child form related operations by performing the following steps:
On the Design Console, expand Development Tools and double-click Form Designer.
Search for and open the process form for the connector that you are using.
Click Create New Version to create a version of cloned child forms.
For example, UD_EBS_RESP and UD_EBS_RLS.
Go to the Properties tab.
Select Lookup Query from the list to modify the lookup name and column name.
Click the Save icon.
Click Make Version Active to activate the new version of the process form.