Oracle® Fusion Middleware Administrator's Guide for Oracle Identity Manager
11g Release 1 (11.1.1)

Part Number E14308-06

22 Installing and Configuring a Remote Manager

This chapter describes the configuration of Oracle Identity Manager and the installation of the Remote Manager. It contains the following topics:

  • Overview of Oracle Identity Manager Configuration

  • Configuring Oracle Identity Manager to Reference JAR and Class Files

  • Installing the Remote Manager

  • Creating and Testing a Remote Manager IT Resource

  • Updating xlconfig.xml file to Change the Port for Remote Manager

  • Configuring the Remote Manager by Using Your Own Certificate

22.1 Overview of Oracle Identity Manager Configuration

To construct adapter tasks, ensure that Oracle Identity Manager has access to the target API JAR files and third-party applications to which you want to connect.

When your adapter uses Java tasks, you must configure Oracle Identity Manager to find the appropriate Java APIs. To do this, place the .jar files that contain these APIs into the JavaTasks subdirectory of the OIM_HOME folder path, such as C:\oracle\Xellerate\JavaTasks. You can then access the Java classes in these APIs and use them in the Java task you are creating. Everything in this directory is loaded and executed with the privileges of the Oracle Identity Manager server, so restrict write access to it to the administrators who deploy adapters.

Sometimes, instead of communicating directly with the third-party system, Oracle Identity Manager must go through an Oracle Identity Manager component that acts as a proxy. This component is known as the Remote Manager.

The Remote Manager is used for:

  • Invoking nonremotable APIs through Oracle Identity Manager

  • Invoking APIs that do not support Secure Sockets Layer (SSL) over secure connections

The procedures in the following sections show you how to configure Oracle Identity Manager to reference the JAR and class files that your Java tasks need, install the Remote Manager, establish trust between Oracle Identity Manager and the Remote Manager, and create and test a Remote Manager IT resource.

See Also:

"Creating a Java Task" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about Java tasks

22.2 Configuring Oracle Identity Manager to Reference JAR and Class Files

To configure Oracle Identity Manager to reference JAR and class files:

  1. Open the JavaTasks subdirectory, which can be found within the OIM_HOME folder path. For example, C:\oracle\Xellerate\JavaTasks.

  2. Place the JAR file or files into this subdirectory. You can then use these files to create Java tasks within an adapter without restarting the server.

22.3 Installing the Remote Manager

To install and configure the Remote Manager for the application server that you use, follow the instructions in the Oracle Identity Manager installation guide.

22.4 Creating and Testing a Remote Manager IT Resource

This section describes the tasks for creating and testing a Remote Manager IT resource. It contains the following topics:

  • Adding the Trust Relation

  • To Create and Test a Remote Manager IT Resource

The Remote Manager is an Oracle Identity Manager component that acts as a proxy when Oracle Identity Manager cannot communicate directly with a third-party system. It is used to invoke nonremotable APIs through Oracle Identity Manager, and to invoke APIs that do not support Secure Sockets Layer (SSL) over secure connections.

After installing the Remote Manager and establishing the trust relation between the Oracle Identity Manager server and the Remote Manager (that is, trusting the Remote Manager certificate), you can create an IT resource for the Remote Manager and then test it.

22.4.1 Adding the Trust Relation

After installing the Remote Manager, verify that its certificate is trusted by the application server. To do so, first open the Remote Manager form in the Administration folder of the Oracle Identity Manager Design Console. The Remote Manager form lists all Remote Managers that are connected, which does not necessarily mean that they are trusted.

Perform the following steps to confirm that the trust relation between the application server and the Remote Manager is established through the certificate. In this procedure, the JBoss Application Server is used as an example. The keytool utility is used to import and export the certificates.

  1. Using a command prompt, change to the XLREMOTE_HOME directory and use the keytool utility to list the certificate fingerprints in the Remote Manager keystore.

  2. Enter the command:

    $JAVA_HOME/jre/bin/keytool -list -keystore ./config/default-keystore.jks
    

    Note:

    In earlier releases the Oracle Identity Manager keystore was named .xlkeystore. In this release it is called default-keystore.jks and is stored in the $DOMAIN_HOME/config/fmwconfig/ directory.

    For the Remote Manager, the keystore is stored in the $XLREMOTE_HOME/config/ directory. Its name is also default-keystore.jks.

  3. Enter the keystore password when prompted (KEYSTORE_PASSWORD stands for the password set for the xellerate keystore at installation). The output is similar to the following:

    Your keystore contains 1 entry

    xell, Jan 7, 2005, keyEntry,

    Certificate fingerprint (MD5):

    B0:F2:33:C8:69:E4:25:A3:CB:59:E8:51:27:EE:5C:52

    The last line is the certificate fingerprint. Compare it with the fingerprint of the Remote Manager certificate that is imported into the Oracle Identity Manager keystore; the two must match. Because MD5 is not collision resistant, compare the SHA-256 fingerprints where your keytool prints them (keytool -list -v shows every fingerprint algorithm it supports).

  4. Perform the procedure described in the "Trusting the Remote Manager Certificate" section in the installation guide.

    Tip:

    If a create user operation from Oracle Identity Administration with the IT resource set to use SSL fails, then import the Remote Manager certificate into the JRockit cacerts file and into DemoTrust.jks, and then create the user again. To do so, run the following commands:
    1. To import the certificate into the JDK trust store, run the following command (changeit is the JDK's default cacerts password; if it has been changed on your host, use the current value):

      keytool -import -keystore JAVA_HOME/jre/lib/security/cacerts -alias CERTIFICATE_ALIAS -file CERTIFICATE_PATH/CERTIFICATE_NAME -storepass changeit

      For example:

      keytool -import -keystore /home/testoc4j/OIM091231/jrockit_160_14_R27.6.5-32/jre/lib/security/cacerts -alias adcert14thjan -file /home/testoc4j/OIM091231/adcert.cer -storepass changeit

    2. To import the certificate into DemoTrust.jks, which is in the WEBLOGIC_SERVER/server/lib directory, run the following command:

      keytool -import -keystore WEBLOGIC_SERVER/server/lib/DemoTrust.jks -file CERTIFICATE_PATH -storepass DemoTrustKeyStorePassPhrase

      For example:

      keytool -import -keystore /home/testoc4j/OIM091231/wlserver_10.3/server/lib/DemoTrust.jks -file /home/testoc4j/OIM091231/adcert.cer -storepass DemoTrustKeyStorePassPhrase

    Importing a certificate into cacerts makes every TLS client in that JVM trust it, and DemoTrust.jks is the WebLogic demonstration trust store, whose passphrase is published. Use this workaround in test environments; in production, configure WebLogic with a custom trust store and import the certificate there.

22.4.2 To Create and Test a Remote Manager IT Resource

To create and test a Remote Manager IT resource, perform the following steps:

Note:

Remote Manager does not support non-SSL communication. By default, one-way SSL communication is used: Oracle Identity Manager verifies the Remote Manager certificate. If you want to enable two-way SSL communication, so that the Remote Manager also requires and verifies a client certificate from Oracle Identity Manager, then change the value of the <ClientAuth> property under <RMSecurity> to True in the following file:

$XLREMOTE_HOME/config/xlconfig.xml

  1. In Oracle Identity Manager Design Console, open the Resource Object form.

  2. Create a resource object. In this example, the following parameters are set:

    • The name is MyObj

    • The option, Order for User is enabled

    • The Type is Application

    • The following check boxes are available:

      • Allowed Multiple

      • Auto Save

      • Self Request Allowed

      • Allow All

      • Auto Launch

  3. Create an IT resource type for the resource object. Open the IT Resource Type Definition form. In this example, the following parameters are set:

    • Server Type: MyObjServer.

      Note:

      While defining the IT Resource Type parameters in Oracle Identity Manager Design Console, you can specify which fields are stored encrypted. Mark password fields as encrypted.

  4. Create an IT resource for the Remote Manager. In this example, the following parameters are set:

    • The name of the IT Resource is remote.

    • The name of the Type is Remote Manager.

      Ensure that the IT resource has the proper URL and service name, and that the Remote Manager is installed at the host and port indicated by the URL.

    • Note:

      The service name and the URL are separate fields; do not include the service name in the URL. For example, a Remote Manager IT resource is composed of the two values as follows:

      service name: RManager

      url: rmi://w2kevandanwkstn:12346

  5. Create an instance of the MyObjServer IT Resource Type created previously. Open the IT Resource Information Form. In the Remote Manager field, ensure that the Remote Manager created in Step 4 (remote) is selected.

  6. After saving the information in the IT Resources Information form, you can provide any additional details required for that IT resource. In this example, the user name and password are entered.

  7. Create a JAR file for the following code:

    package testme;

    // Minimal class that the Remote Manager loads from its JavaTasks directory.
    // The adapter calls the static addme method; main only runs it by hand.
    public class test
    {
        public test()
        {
        }

        // Adds the two integers, logs the sum, and returns it to the adapter.
        public static int addme(int i, int j)
        {
            System.out.println(i + "+" + j + "=" + (i + j));
            return i + j;
        }

        public static void main(String args[])
        {
            addme(5, 10);
        }
    }
    

    This code will be run on the Remote Manager.

  8. Copy the JAR file into the XLREMOTE_HOME/JavaTasks and OIM_HOME/JavaTasks directories.
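Steps 7 and 8 as an added shell example; this is not code from the Oracle documentation. It compiles the testme class into a JAR, copies the JAR into both JavaTasks directories, and checks that the copy the Remote Manager will load is byte-for-byte the one Oracle Identity Manager references. The paths (/opt/oim/xlremote, /opt/oim/server, ./src, ./testme.jar) and the script name deploy_task.sh are assumptions; javac, jar, sha256sum and shasum are the standard tools.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: builds the JAR from step 7
# and installs it into both JavaTasks directories as step 8 requires, then
# verifies that the copy the Remote Manager will load is byte-for-byte the one
# Oracle Identity Manager references. All paths are assumptions.
set -u

# SHA-256 of a file, using whichever tool the host provides.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds only when both files exist and have the same digest.
same_content() {
    [ -f "$1" ] && [ -f "$2" ] && [ "$(file_digest "$1")" = "$(file_digest "$2")" ]
}

# Step 7: compile testme/test.java found under $1 into the JAR named by $2.
build_jar() {
    classes=$(mktemp -d)
    javac -d "$classes" "$1/testme/test.java" \
        && jar cf "$2" -C "$classes" . \
        && rm -rf "$classes"
}

# Step 8: copy the JAR into <home>/JavaTasks for every home given and check
# each copy against the original.
deploy_java_task() {
    jar="$1"; shift
    for home in "$@"; do
        mkdir -p "$home/JavaTasks" && cp "$jar" "$home/JavaTasks/" || return 1
        same_content "$jar" "$home/JavaTasks/$(basename "$jar")" || return 1
    done
}

# The Remote Manager executes whatever sits in its own JavaTasks directory,
# which is often on another host. Re-run this check after any redeployment so
# that a stale or tampered copy there cannot differ from what was built and
# reviewed on the Oracle Identity Manager side.
javatasks_in_sync() {
    same_content "$1/JavaTasks/$3" "$2/JavaTasks/$3"
}

# Usage (paths are illustrative):
#   sh deploy_task.sh run ./src ./testme.jar /opt/oim/xlremote /opt/oim/server
if [ "${1:-}" = "run" ]; then
    build_jar "$2" "$3" && deploy_java_task "$3" "$4" "$5" \
        && javatasks_in_sync "$4" "$5" "$(basename "$3")" \
        && echo "JAR deployed and verified in both JavaTasks directories"
fi
```

When the Remote Manager runs on a separate host, run file_digest on each side and compare the printed values; javatasks_in_sync only covers the case where both directories are reachable from one shell.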

  9. Create an adapter that will be run in the Remote Manager. Open the Adapter Factory form. In this example, the following parameters are set:

    • The Adapter Name is remotetest.

    • The Adapter Type is Process Task.

      For this example, you can create three variables for this adapter (based on example code in the .jar file). Click Add. The Java code takes two integers as arguments and the IT resource as the third variable.

  10. In the first variable, the following parameters are set:

    • The Variable name is var1.

    • The Variable type is Integer.

    • The Map To option is set to Resolve at Run time.

  11. Create the second variable in the same way you did the first. The following parameters are set:

    • The Variable name is var2.

    • The Variable type is Integer.

    • The Map To option is set to Resolve at Run time.

  12. Create the third variable for IT Resource. The parameters are set as follows:

    • The Variable name is ITRes.

    • The Variable type is ITResource.

    • The Map To option is set to Resolve at Run time.

    • The Resource Type is MyObjServer.

      Note:

      The Resource Type field must be the same IT resource type created in Step 3 (MyObjServer), not Remote Manager.

  13. Add a New Remote Java Task. In the Adapter Factory Form, click Add. Ensure that the Functional Task option is active. Select the Remote option. Click Continue.

  14. The Object Instance Selection dialog box is displayed. Create a new Object Instance. Ensure that the New Object Instance option is active. Click Continue.

  15. The Remote window is displayed. In this example, the following parameters are set:

    • The Task Name is remote.

    • The API Source references the .jar file in the JavaTasks folder.

    • The Application API is testme.test.

    • The Constructor is set to 0 public testme.test ().

    • The Method is set to testme.test.addme (int, int).

      After clicking Save, the IT Resource is automatically added as an argument. The Application Method Parameters are ready for mapping.

  16. Begin mapping the parameters by highlighting the first item in the Parameter Data Mapping list. This output parameter is an integer. The following mapping is set:

    • Map To: Adapter Variables

    • Name: Return variable

  17. Click Set.

  18. Highlight the second parameter to map. This input parameter is an integer. The following mapping is set:

    • Map To: Adapter Variables

    • Name: var1

  19. Click Set.

  20. Select the third parameter to map. This input parameter is an integer. The following mapping is set:

    • Map To: Adapter Variables

    • Name: var2

  21. Click Set.

  22. Select the final parameter to map. Map this ITResource to the variable passed as input to the adapter. The following mapping is set:

    • Map To: Adapter Variables

    • Name: ITRes

  23. Click Set, and then click Save. The Adapter Factory form is displayed.

  24. Compile the adapter by clicking Build.

To invoke the adapter, you can create a provisioning process that calls this adapter as one task. To do this:

  1. Open the Process Definition Form. In this example, the following parameters are set:

    • The Name field is MyObjProv

    • The Type field is Provisioning

    • The Object name is MyObj

      The following check boxes are available:

      • Default Process

      • Auto Pre-populate

      • Auto Save Form

  2. Click the Save icon. The provisioning tasks automatically appear in the Tasks tab.

  3. Click Add to create a new task. In this example, the parameters are set:

    • The Task Name field is Call Remote Adapter.

    • The Task Description field explains the task's function.

  4. Click the Save icon. Then click the Integration tab. Next, click Add to add an adapter to this task. The Handler Type window is displayed.

  5. Enable the Adapter option and select the adapter to be executed.

  6. Click the Save icon. In the Integration tab, the adapter name appears in the Name field. The Status field shows that the Mapping is incomplete. The Adapter Variables pane shows the variables are not mapped.

  7. Select the first variable, Adapter return value, then click Map. The Edit Data Mapping for Variable window is displayed. The parameters are set to:

    • Data Type: Object

    • Map To: Response Code

  8. Select the second variable, var1 then click Map. The Edit Data Mapping for Variable window appears. The parameters are set to:

    • Data Type: Integer

    • Map To: Literal

    • Qualifier: Integer

    • Literal Value: 10

  9. Select the third variable, var2, then click Map. The Edit Data Mapping for Variable window is displayed. The parameters are set to:

    • Data Type: set to Integer

    • Map To: Literal

    • Qualifier: Integer

    • Literal Value: 20

  10. Select the fourth variable, ITRes, and then click Map. The Edit Data Mapping for Variable window is displayed. The parameters are set to:

    • Data Type: IT Resource (MyObjServer)

    • Map To: IT Resource

    • Qualifier: MyObjServerInstance

  11. Click the Responses tab of the Editing Task window. Click Add to add the possible responses from the adapter. In this example, the only possible response is 30. Set Description to Completed and Status to C.

  12. Click the Task to Object Status Mapping tab. In the Completed category, set Object Status to Provisioned.

  13. At this point, you are ready to directly provision a user with the newly created resource to test the execution of the remote task. However, you must first ensure that the Remote Manager is running. Open the Remote Manager Form and verify that the service is available.

  14. Start the Oracle Identity Manager Administrative and User Console and login as Administrator. Navigate to Users, Manage and select a user to provision this resource (MyObj). The User Detail page appears with the selected user. In the View Additional Details About This User pull-down option, select Resource Profile.

  15. The User Detail, Resource Profile page is displayed. Click Provision New Resource and select the newly created resource (MyObj).

  16. The Provision Resource to User wizard is displayed. Click Continue to complete the provisioning process.

  17. Continue with the provisioning process until the Resource Successfully Provisioned page is displayed.

  18. Check the Remote Manager log file to see whether the code was executed. The Remote Manager log file is located in the OIM_HOME/xlremote/log directory. The last line in the log should be similar to the following:

    DONE10+20=30
    

    The preceding line shows that the two literal values mapped to var1 and var2 (10 and 20) were added on the Remote Manager to produce 30, which is the response code defined in Step 11. This indicates that the code executed correctly and that the resource object was provisioned.

22.5 Updating xlconfig.xml file to Change the Port for Remote Manager

To update the xlconfig.xml file and start the remote manager on a new port as opposed to what was set during installation:

  1. Open the following file in a text editor:

    XLREMOTE_HOME/config/xlconfig.xml

  2. Under the <RMSecurity> tag, locate the following tags:

    1. ListenPort, the Remote Manager SSL listen port.

    2. RMIRegistryPort, the RMI registry port.

  3. Change the port numbers.

  4. Restart the Remote Manager.

Note:

  • You need not perform this procedure during installation. It is required only if you need to change ports while using the product.

  • You must also change the port number in the URL of the IT resource that points to the Remote Manager (for example, rmi://host:12346), and allow the new ports through any firewall between the Oracle Identity Manager server and the Remote Manager host.

22.6 Configuring the Remote Manager by Using Your Own Certificate

To configure the Remote Manager by using your own certificate on the Remote Manager server:

Note:

Perform the procedure given in this section only if you want to use your own certificate instead of the default Oracle Identity Manager certificates. Otherwise, skip this section.

  1. Generate a new custom keystore and certificate. Note the password (new_keystore_pwd) that you use for the new keystore.

  2. Copy the new keystore to the XLREMOTE_HOME/config/ directory.

  3. In a text editor, open the XLREMOTE_HOME/config/xlconfig.xml file.

  4. Locate the <RMSecurity> tag and change the values in the <Location> and <Password> tags of its <KeyStore> element as follows:

    • If you are using the IBM JRE, then change the values to:

      <KeyStore>
          <Location>new_keystore_name</Location>
          <Password encrypted="false">new_keystore_pwd</Password>
          <Type>JKS</Type>
          <Provider>com.ibm.crypto.provider.IBMJCE</Provider>
      </KeyStore>
      
    • For all other JREs, change the values to:

      <KeyStore>
          <Location>new_keystore_name</Location>
          <Password encrypted="false">new_keystore_pwd</Password>
          <Type>JKS</Type>
          <Provider>sun.security.provider.Sun</Provider>
      </KeyStore>
      
  5. Restart the Remote Manager server, and then open the xlconfig.xml file again to confirm that the Remote Manager has replaced the plain-text password with an encrypted value (encrypted="true"). Until that restart the password is stored in clear text, so keep the file readable only by the account that runs the Remote Manager.

To configure Oracle Identity Manager to trust your own Remote Manager certificate:

  1. Export the certificate from the newly created keystore on the Remote Manager server (keytool -export).

  2. Copy the certificate file to the OIM_DOMAIN_HOME/config/fmwconfig/ directory on the Oracle Identity Manager server.

  3. Import the certificate into default-keystore.jks in that directory (keytool -import), using the Oracle Identity Manager keystore password.

  4. Check that the connection between the Remote Manager and Oracle Identity Manager is established: open the Remote Manager form in the Design Console and verify that the service is available, and confirm that the fingerprint of the imported certificate matches the one listed in the Remote Manager keystore.
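The keytool steps of 22.4.1 (listing and comparing fingerprints) and of this section (generating the keystore, exporting the certificate, importing it into default-keystore.jks, and checking that the password was encrypted after the restart), as an added shell example that is not part of the Oracle documentation. The paths /opt/oim/xlremote/config and /opt/oim/domain/config/fmwconfig, the aliases rmkey and rmhost, the subject rmhost.example.com, the script name rm_trust.sh, and the RM_KS_PW and OIM_KS_PW environment variables are assumptions; the keytool options are standard.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: wraps the keytool steps of
# sections 22.4.1 and 22.6. Paths, aliases and passwords are assumptions for
# illustration; substitute your own values.
set -u

# Print the SHA-256 fingerprint of one alias from `keytool -list -v` output read
# on stdin. The MD5 fingerprint shown in 22.4.1 is not collision resistant, so
# compare SHA-256 where keytool prints it (Java 7 and later do).
fingerprint_for_alias() {
    awk -v want="$1" '
        /^Alias name:/   { cur = $3 }
        /^[ \t]*SHA256:/ { if (cur == want) { print $2; exit } }
    '
}

# True only when both fingerprints are present and identical.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# 22.4.1: the Remote Manager's own certificate must match the copy that the
# Oracle Identity Manager keystore trusts.
verify_trust() {
    rm_fp=$(keytool -list -v -keystore "$1" -storepass "$2" | fingerprint_for_alias "$3")
    oim_fp=$(keytool -list -v -keystore "$4" -storepass "$5" | fingerprint_for_alias "$6")
    fingerprints_match "$rm_fp" "$oim_fp"
}

# 22.6 step 1: a fresh keystore holding the Remote Manager's own key pair.
generate_rm_keystore() {
    keytool -genkeypair -alias "$3" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$4" -keystore "$1" -storepass "$2" -keypass "$2"
}

# 22.6 (Oracle Identity Manager side) steps 1 and 3: export the certificate
# from the Remote Manager keystore and import it into default-keystore.jks.
export_rm_cert() {
    keytool -exportcert -rfc -alias "$3" -keystore "$1" -storepass "$2" -file "$4"
}
import_into_oim() {
    keytool -importcert -noprompt -alias "$3" -keystore "$1" -storepass "$2" -file "$4"
}

# 22.6 step 5: after the restart, xlconfig.xml must no longer carry the
# plain-text password you typed in.
password_is_encrypted() {
    [ -f "$1" ] && ! grep -q '<Password encrypted="false">' "$1"
}

# Usage (values are illustrative):
#   RM_KS_PW=... OIM_KS_PW=... sh rm_trust.sh run \
#       /opt/oim/xlremote/config /opt/oim/domain/config/fmwconfig
if [ "${1:-}" = "run" ]; then
    rm_ks="$2/rm-keystore.jks"; oim_ks="$3/default-keystore.jks"
    generate_rm_keystore "$rm_ks" "$RM_KS_PW" rmkey rmhost.example.com
    export_rm_cert "$rm_ks" "$RM_KS_PW" rmkey "$3/rmhost.cer"
    import_into_oim "$oim_ks" "$OIM_KS_PW" rmhost "$3/rmhost.cer"
    # Point <RMSecurity><KeyStore> in $2/xlconfig.xml at rm-keystore.jks and
    # restart the Remote Manager before relying on the two checks below.
    verify_trust "$rm_ks" "$RM_KS_PW" rmkey "$oim_ks" "$OIM_KS_PW" rmhost \
        || { echo "fingerprint mismatch: trust not established" >&2; exit 1; }
    password_is_encrypted "$2/xlconfig.xml" \
        || { echo "keystore password still in clear text in xlconfig.xml" >&2; exit 1; }
fi
```

The fingerprint parser keys on the Alias name line that keytool -list -v prints before each entry, so an alias containing spaces would need a different match; the exit after the first SHA256 line keeps it from picking up a later entry with the same alias in a second keystore listing piped through by mistake.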