Oracle® Identity Manager Connector Guide for Microsoft Active Directory User Management Release 11.1.1, Part Number E20347-06
The procedure to deploy the connector can be divided into the following stages:
Note:
Some of the procedures described in this chapter are meant to be performed on the target system. The minimum permissions required to perform these procedures depends on the target system that you are using:
If the target system is Microsoft Active Directory, then the permissions required are those assigned to members of the Domain Admins group.
If the target system is Microsoft AD LDS, then the permissions required are those assigned to members of the Administrators group.
Preinstallation information is divided across the following sections:
This section contains the following topic:
The contents of the connector installation media directory are described in Table 2-1.
Table 2-1 Files and Directories On the Installation Media
| File in the Installation Media Directory | Description |
|---|---|
| bundle/ActiveDirectory.Connector-1.1.0.6380.zip | This ZIP file contains the connector bundle. |
| configuration/ActiveDirectory-CI.xml | This XML file contains configuration information that is used during the connector installation process. |
| Files in the dataset directory: ModifyResourceADUser.xml, ProvisionResourceADUser.xml, ModifyResourceADLDSUser.xml, ProvisionResourceADLDSUser.xml | These XML files specify the information to be submitted by the requester during a request-based provisioning operation. You import these XML files into Oracle Identity Manager MDS by using the Oracle Identity Manager MDS Import utility. |
| owglue/ActiveDirectoryConnector-idmglue-1.0.12.zip | This ZIP file contains Oracle Waveset metadata for the Microsoft Active Directory User Management connector. Note: This ZIP file is not required for the Microsoft Active Directory User Management connector that is used with Oracle Identity Manager. |
| Files in the resources directory | Each of these resource bundles contains language-specific information that is used by the connector. During connector installation, these resource bundles are copied to the Oracle Identity Manager database. Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages. |
| upgrade/PostUpgradeScript.sql | This file is used during the connector upgrade procedure. This SQL script updates the object GUID in the older version of the connector to match the format of the object GUID in the current version of the connector. |
| xml/ActiveDirectory-ConnectorConfig.xml | This XML file contains definitions for the following connector components: |
| xml/ActiveDirectory-Datasets.xml, xml/ActiveDirectoryLDS-Datasets.xml | These XML files contain the dataset-related definitions for the create and modify user provisioning operations. These files are used if you want to enable request-based provisioning. You import these XML files into Oracle Identity Manager by using the Deployment Manager. |
Preinstallation on the target system involves performing the following procedure:
Oracle Identity Manager requires a target system user account to access the target system during reconciliation and provisioning operations. You provide the credentials of this user account while performing the procedure described in Section 2.2.1.2, "Configuring the IT Resource for the Target System."
Depending on the target system version you are using, you can use a Microsoft Windows 2003 Server or Microsoft Windows 2008 Server (Domain Controller) administrator account. Alternatively, you can create a user account and assign the minimum required rights to the user account.
To create the Microsoft Active Directory user account for connector operations:
See Also:
Microsoft Active Directory documentation for detailed information about performing this procedure
Create a group (for example, OIMGroup) on the target system. While creating the group, select Security Group as the group type and Global or Universal as the group scope.
Make this group a member of the Account Operators group.
Assign all read permissions to this group.
Note:
You assign read permissions on the Security tab of the Properties dialog box for the user account. This tab is displayed only in Advanced Features view. To switch to this view, select Advanced Features from the View menu on the Microsoft Active Directory console.
Create a user (for example, OIMUser) on the target system.
Make the user a member of the group (for example, OIMGroup) created in Step 1.
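The following PowerShell script is an added example; it is not part of this guide or of the connector. It carries out the five steps above with the ActiveDirectory module and dsacls so that the result is repeatable and reviewable. The domain, the CN=Users container, and the names OIMGroup and OIMUser are assumptions; run it as a member of Domain Admins on a domain-joined host with the RSAT ActiveDirectory module installed.

```powershell
# Added example (not from the Oracle guide): creates the connector service
# group and account described above. Assumed names: group OIMGroup, user
# OIMUser, both in CN=Users of the current domain.
Import-Module ActiveDirectory

$Domain    = Get-ADDomain
$DomainDN  = $Domain.DistinguishedName      # for example DC=example,DC=com
$NetBios   = $Domain.NetBIOSName
$GroupName = 'OIMGroup'
$UserName  = 'OIMUser'

# Step 1: a security group with Global scope.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupCategory Security -GroupScope Global -Path "CN=Users,$DomainDN" `
        -Description 'Service group for the OIM Active Directory connector'
}

# Step 2: make the group a member of the built-in Account Operators group.
Add-ADGroupMember -Identity 'Account Operators' -Members $GroupName

# Step 3: grant generic read (GR) on the domain root, inherited to all child
# objects (/I:T). dsacls is the command-line counterpart of the Security tab
# in the Advanced Features view of the console.
& dsacls.exe $DomainDN /I:T /G "${NetBios}\${GroupName}:GR" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# Step 4: the service account. The password is read interactively so that it
# never appears in the script or in the command history.
$Password = Read-Host -Prompt "Password for $UserName" -AsSecureString
New-ADUser -Name $UserName -SamAccountName $UserName `
    -UserPrincipalName "$UserName@$($Domain.DNSRoot)" `
    -AccountPassword $Password -Enabled $true `
    -Path "CN=Users,$DomainDN" `
    -Description 'OIM Active Directory connector service account'

# Step 5: add the user to the group created in Step 1.
Add-ADGroupMember -Identity $GroupName -Members $UserName

# Verification: the account should now appear in OIMGroup (and, through it,
# in Account Operators); review this list before handing the credentials to OIM.
Get-ADPrincipalGroupMembership -Identity $UserName | Select-Object Name
```

The GR permission granted by dsacls corresponds to the read permissions the procedure asks you to assign on the Security tab; the account receives its write rights only through Account Operators, which keeps the connector account out of Domain Admins.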
To create the Microsoft AD LDS user account for connector operations:
See Also:
Microsoft AD LDS documentation for detailed information about these steps
Create a user account in Microsoft AD LDS.
Set a password for the user account.
Enable the user account by setting the msDS-UserAccountDisabled field to false.
Enter a value in the userPrincipalName field.
The value that you provide must be in the user_name@domain_name format, for example, OIMuser@mydomain.com.
Add the distinguished name of the user to the Administrators group.
You deploy the Active Directory User Management connector remotely in the Connector Server. A connector server is a Microsoft Windows application that enables remote execution of an Identity Connector.
Connector servers are available in two implementations:
As a .Net implementation that is used by Identity Connectors implemented in .Net
As a Java Connector Server implementation that is used by Java-based Identity Connectors
The Active Directory User Management connector is implemented in .Net, so you must deploy this connector to a .Net framework-based Connector Server.
Use the following steps to install and configure the Connector Server:
Note:
Before you deploy the Connector Server, ensure that you have installed .NET Framework 3.5 or above on the same computer where you are installing the Connector Server.
If you are using .NET Framework 3.5, then you must install the following patch:
Download the Connector Server package (a zip file) from the Oracle Technology Network.
Extract the contents of the Connector Server package and locate the ServiceInstall-version.msi file.
Install the Connector Server by running the ServiceInstall-version.msi file and following the wizard. The wizard takes you through the installation process step-by-step. After completion, the .NET Connector Server is registered as a Windows service.
Start the Microsoft Services Console.
If the .NET Connector Server is running, stop it by stopping the Windows service.
To set a custom key for the .NET Connector Server, use the /setkey command-line argument, as follows:
Change to the directory where the .NET Connector Server was installed. The default directory is:
C:\Program Files\Identity Connectors\Connector Server
Run the following command:
ConnectorServer.exe /setkey NEW_KEY
In this command, NEW_KEY is the value for the new key. This key is required by any client that connects to this .NET Connector Server.
Check the settings in the .NET Connector Server configuration file (ConnectorServer.exe.config). These settings are in the element named AppSettings. For example:
```xml
<add key="connectorserver.port" value="8759" />
<add key="connectorserver.usessl" value="false" />
<add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate" />
<add key="connectorserver.ifaddress" value="0.0.0.0" />
```
The most common settings you might want to change are:
Port number: To change the port, set connectorserver.port to a value other than 8759.
SSL settings: To use SSL, set connectorserver.usessl to true and then set connectorserver.certificatestorename to your certificate store name.
Listening socket bind: To change the listening socket bind, set connectorserver.ifaddress to an address other than 0.0.0.0.
Trace settings: To set trace settings, see Section 2.1.4, "Enabling Logging."
Save the following configuration information from the .NET Connector Server installation. This information must be specified while configuring the IT resource for the Connector Server:
Host name or IP address
Connector Server port
Connector Server key values
Whether SSL is enabled
When you are finished configuring the .NET Connector Server, restart it by restarting the Windows service. Alternatively, you can also restart the .NET Connector Server using the following command:
ConnectorServer.exe /run
See Also:
Section 2.3.3.4, "Configuring SSL Between Oracle Identity Manager and Connector Server" for information about configuring SSL between Oracle Identity Manager and Connector Server
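As an added example that is not part of this guide, the following PowerShell function reads the AppSettings from ConnectorServer.exe.config and reports the four settings listed above, flagging the two values that leave the Connector Server exposed: SSL disabled and a bind address of 0.0.0.0. The setting keys and the default values are the ones shown in this section; the function name, the demo wrapper and the constructed sample file are assumptions of the example.

```powershell
# Added example (not from the Oracle guide): audits the appSettings of
# ConnectorServer.exe.config. The .NET element is spelled appSettings in
# the file itself.
function Get-ConnectorServerSettings {
    param([Parameter(Mandatory)][string]$ConfigPath)

    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $settings = @{}
    foreach ($node in $cfg.SelectNodes('/configuration/appSettings/add')) {
        $settings[$node.GetAttribute('key')] = $node.GetAttribute('value')
    }

    $port   = [int]$settings['connectorserver.port']
    $useSsl = $settings['connectorserver.usessl'] -eq 'true'
    $bind   = $settings['connectorserver.ifaddress']
    $store  = $settings['connectorserver.certificatestorename']

    $findings = @()
    if (-not $useSsl) {
        $findings += 'connectorserver.usessl is false: the connector key and directory traffic cross the network in clear text.'
    }
    if ($useSsl -and [string]::IsNullOrWhiteSpace($store)) {
        $findings += 'connectorserver.usessl is true but connectorserver.certificatestorename is empty.'
    }
    if ($bind -eq '0.0.0.0') {
        $findings += 'connectorserver.ifaddress is 0.0.0.0: the service listens on every interface; bind it to the address Oracle Identity Manager connects to.'
    }

    [pscustomobject]@{
        Port                 = $port
        UseSsl               = $useSsl
        CertificateStoreName = $store
        BindAddress          = $bind
        Findings             = $findings
    }
}

# Constructed sample mirroring the AppSettings shown in the guide, so the
# function can be exercised without a Connector Server installation.
function Invoke-Demo {
    $sample = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="connectorserver.port" value="8759" />
    <add key="connectorserver.usessl" value="false" />
    <add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate" />
    <add key="connectorserver.ifaddress" value="0.0.0.0" />
  </appSettings>
</configuration>
'@
    $tmp = Join-Path ([IO.Path]::GetTempPath()) 'ConnectorServer.exe.config'
    Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8
    Get-ConnectorServerSettings -ConfigPath $tmp
}

# Against a real installation (default path from this guide):
# Get-ConnectorServerSettings 'C:\Program Files\Identity Connectors\Connector Server\ConnectorServer.exe.config'
Invoke-Demo | Format-List
```

Run against the constructed sample, the function reports both findings, which is the state of a freshly installed Connector Server; after you set connectorserver.usessl to true with a certificate store name and restrict connectorserver.ifaddress, the Findings list is empty.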
The Active Directory User Management connector uses the built-in logging mechanism of the .NET framework. Logging for the Active Directory User Management connector is not integrated with Oracle Identity Manager. The log level is set in the .NET Connector Server configuration file (ConnectorServer.exe.config).
To enable logging for the Active Directory User Management connector:
Go to the directory where the ConnectorServer.exe.config file is installed. The default directory is C:\Program Files\Identity Connectors\Connector Server.
The ConnectorServer.exe.config file must be present in this directory.
In the ConnectorServer.exe.config file, add the following lines:

```xml
<system.diagnostics>
  <trace autoflush="true" indentsize="4">
    <listeners>
      <remove name="Default" />
      <add name="myListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="c:\connectorserver2.log" traceOutputOptions="DateTime">
        <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information" />
      </add>
    </listeners>
  </trace>
  <switches>
    <add name="ActiveDirectorySwitch" value="4" />
  </switches>
</system.diagnostics>
```
The value="4" sets the log level to Verbose. This value can be set as follows:
| Value | Log Level |
|---|---|
| value="4" or value="Verbose" | Verbose level. Most granular. |
| value="3" or value="Information" | Information level. |
| value="2" or value="Warning" | Warning level. |
| value="1" or value="Error" | Error level. |
| value="0" | No logging. |
However, remember that the logging level has a direct effect on the performance of the .NET Connector Server.
After you make the configuration change, stop and then restart the .NET Connector Server service. Alternatively, restart the .NET Connector Server by using the following command:
ConnectorServer.exe /run
Information about events that occur during reconciliation and provisioning operations is stored in a log file. As you use the connector over a period of time, the amount of information written to the log file increases. If no rotation is performed, then the log file grows without bound.
To avoid such a scenario, perform the procedure described in this section to configure rotation of the log file.
To configure rotation of a log file on a daily basis:
Log in to the computer that is hosting the Connector Server.
Stop the Connector Server.
Back up the ConnectorServer.exe.config file. The default location of this file is C:\Program Files\Identity Connectors\Connector Server.
In a text editor, open the ConnectorServer.exe.config file for editing.
Search for the <listeners> and </listeners> elements and replace the text between these elements with the following:
```xml
<remove name="Default" />
<add name="FileLog" type="Microsoft.VisualBasic.Logging.FileLogTraceListener,Microsoft.VisualBasic,Version=8.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" initializeData="FileLogWriter" traceOutputOptions="DateTime" BaseFileName="ConnectorServerDaily" Location="Custom" CustomLocation="C:\ConnectorServerLog\" LogFileCreationSchedule="Daily">
  <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information"/>
</add>
```
Save the file and close it.
Start the Connector Server.
See Also:
The following URL for more information about configuring log file rotation:
http://msdn.microsoft.com/en-us/library/microsoft.visualbasic.logging.filelogtracelistener.aspx
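The following PowerShell function is an added example, not part of this guide or of the Connector Server, that applies the logging and log-rotation configuration from the two procedures above with an XML parser rather than by hand-editing: it backs up ConnectorServer.exe.config, replaces the content of the listeners element with the daily-rotating FileLogTraceListener shown above, and sets the ActiveDirectorySwitch trace switch. The config path and the log directory are the defaults given in this guide; the function name, its parameters and the Windows service name in the usage comment are assumptions.

```powershell
# Added example (not from the Oracle guide): writes the system.diagnostics
# section for logging with daily rotation into ConnectorServer.exe.config.
function Set-ConnectorServerLogging {
    param(
        [string]$ConfigPath = 'C:\Program Files\Identity Connectors\Connector Server\ConnectorServer.exe.config',
        [string]$LogDirectory = 'C:\ConnectorServerLog\',
        [ValidateSet('0','1','2','3','4','Error','Warning','Information','Verbose')]
        [string]$SwitchLevel = '3',      # 3 = Information; 4 = Verbose costs performance
        [string]$FilterLevel = 'Information'
    )

    # Keep a backup before touching the file (Step 3 of the rotation procedure).
    Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force

    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $root = $cfg.DocumentElement

    # Return the named child element, creating it if it does not exist yet.
    function Get-OrAddChild([System.Xml.XmlElement]$parent, [string]$name) {
        $child = $parent.SelectSingleNode($name)
        if ($null -eq $child) { $child = $parent.AppendChild($cfg.CreateElement($name)) }
        return $child
    }

    $diag  = Get-OrAddChild $root 'system.diagnostics'
    $trace = Get-OrAddChild $diag 'trace'
    $trace.SetAttribute('autoflush', 'true')
    $trace.SetAttribute('indentsize', '4')
    $listeners = Get-OrAddChild $trace 'listeners'

    # Replace everything between <listeners> and </listeners>, as the guide says.
    $listeners.RemoveAll()

    $remove = $cfg.CreateElement('remove')
    $remove.SetAttribute('name', 'Default')
    [void]$listeners.AppendChild($remove)

    $add = $cfg.CreateElement('add')
    $add.SetAttribute('name', 'FileLog')
    $add.SetAttribute('type', 'Microsoft.VisualBasic.Logging.FileLogTraceListener,Microsoft.VisualBasic,Version=8.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a')
    $add.SetAttribute('initializeData', 'FileLogWriter')
    $add.SetAttribute('traceOutputOptions', 'DateTime')
    $add.SetAttribute('BaseFileName', 'ConnectorServerDaily')
    $add.SetAttribute('Location', 'Custom')
    $add.SetAttribute('CustomLocation', $LogDirectory)
    $add.SetAttribute('LogFileCreationSchedule', 'Daily')

    $filter = $cfg.CreateElement('filter')
    $filter.SetAttribute('type', 'System.Diagnostics.EventTypeFilter')
    $filter.SetAttribute('initializeData', $FilterLevel)
    [void]$add.AppendChild($filter)
    [void]$listeners.AppendChild($add)

    # The trace switch that controls how much the connector emits.
    $switches = Get-OrAddChild $diag 'switches'
    $switches.RemoveAll()
    $sw = $cfg.CreateElement('add')
    $sw.SetAttribute('name', 'ActiveDirectorySwitch')
    $sw.SetAttribute('value', $SwitchLevel)
    [void]$switches.AppendChild($sw)

    # Make sure the log directory exists before the service starts, then save.
    New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null
    $cfg.Save($ConfigPath)
}

# Usage on the Connector Server host, with the service stopped as the
# procedure requires. The service name below is assumed; confirm it in the
# Microsoft Services Console.
# Stop-Service -Name 'ConnectorServerService'
# Set-ConnectorServerLogging -SwitchLevel '3'
# Start-Service -Name 'ConnectorServerService'
```

Because the log directory receives the full trace of provisioning and reconciliation operations, restrict its NTFS permissions to the Connector Server service account and the administrators who review the logs.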
You must install the Active Directory User Management connector in Oracle Identity Manager and in the Connector Server, as described in the following sections:
Section 2.2.1, "Installing the Connector in Oracle Identity Manager"
Section 2.2.2, "Installing the Connector in the Connector Server"
Installation on Oracle Identity Manager consists of the following procedures:
Note:
In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Administrative and User Console.
To run the Connector Installer:
Copy the contents of the connector installation media directory into the following directory:
OIM_HOME/server/ConnectorDefaultDirectory
Note:
In an Oracle Identity Manager cluster, perform this step on each node of the cluster.
Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Manage Connector.
In the Manage Connector page, click Install.
From the Connector List list, select ActiveDirectory RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory in Step 1.
If you have copied the installation files into a different directory, then:
In the Alternative Directory field, enter the full path and name of that directory.
To repopulate the list of connectors in the Connector List list, click Refresh.
From the Connector List list, select ActiveDirectory RELEASE_NUMBER.
Click Load.
To start the installation process, click Continue.
The following tasks are performed, in sequence:
Configuration of connector libraries
Import of the connector XML files (by using the Deployment Manager)
Compilation of adapters
On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for the failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:
Retry the installation by clicking Retry.
Cancel the installation and begin again from Step 0.
If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of steps that you must perform after the installation is displayed. These steps are as follows:
Ensuring that the prerequisites for using the connector are addressed
Note:
At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Section 2.3.1.1, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for information about running the PurgeCache utility.
There are no prerequisites for some predefined connectors.
Configuring the IT resource for the connector
The procedure to configure the IT resource is described later in this guide.
Configuring the scheduled jobs
The procedure to configure these scheduled jobs is described later in this guide.
When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-1.
The IT resource for the target system is created during connector installation. This IT resource contains connection information about the target system. Oracle Identity Manager uses this information during reconciliation and provisioning.
You must specify values for the parameters of the Active Directory IT resource as follows:
Log in to the Oracle Identity Manager Administrative and User Console.
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter Active Directory and then click Search. Figure 2-1 shows the Manage IT Resource page.
Click the edit icon corresponding to the Active Directory IT resource.
From the list at the top of the page, select Details and Parameters.
Specify values for the parameters of the Active Directory IT resource. Figure 2-2 shows the Edit IT Resource Details and Parameters page.
Figure 2-2 Edit IT Resource Details and Parameters Page for the Active Directory IT Resource

Table 2-3 describes each parameter of the Active Directory IT resource.
Table 2-3 Parameters of the Active Directory IT Resource for the Target System
| Parameter | Description |
|---|---|
| ADLDSPort | Enter the number of the port at which Microsoft AD LDS is listening. Sample value: Note: Do not enter a value for this parameter if you are using Microsoft Active Directory as the target system. |
| BDCHostNames | Enter the host name of the backup domain controller to which Oracle Identity Manager must switch if the primary domain controller becomes unavailable. Sample value: Note: Multiple backup domain controllers must be separated by a semicolon (;). |
| Configuration Lookup | This parameter holds the name of the lookup definition that stores configuration information used during reconciliation and provisioning. If you have configured your target system as a target resource, then enter If you have configured your target system as a trusted source, then enter Default value: |
| Connector Server Name | Name of the IT resource of the type "Connector Server." You create an IT resource for the Connector Server in Section 2.2.2.2, "Configuring the IT Resource for the Connector Server." Note: Enter a value for this parameter only if you have deployed the Active Directory User Management connector in the Connector Server. Default value: |
| Container | Enter the fully qualified domain name of the user container into or from which users must be provisioned or reconciled into Oracle Identity Manager, respectively. Sample value: |
| DirectoryAdminName | Enter the user name of the account that you create by performing the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations." Enter the value for this parameter in the following format: Sample value: |
| DirectoryAdminPassword | Enter the password of the user account that you create by performing the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations." |
| DomainName | Enter the domain name for the Microsoft Active Directory domain controller on which the connector is being installed. Sample value: Note: This is a mandatory parameter if you are using Microsoft Active Directory as the target system. |
| isADLDS | Enter Enter |
| LDAPHostName | Enter the host name, IP address, or domain name of the Microsoft Windows computer (target system host computer) on which Microsoft Active Directory is installed. Note: If you do not specify a value for this parameter and the BDCHostNames parameter (discussed earlier in this table), then a serverless bind is used. The connector leverages ADSI for determining the domain controller in the domain and then creates the directory entry. Therefore, all interactions with the target system are not specific to a domain controller. To determine the host name, on the computer hosting the target system, right-click My Computer and select Properties. On the Computer Name tab of the System Properties dialog box, the host name is specified as the value of the Full computer name field. Sample values: |
| SyncDomainController | Enter the name of the domain controller from which user accounts must be reconciled. Note: The value specified in this parameter is used if the value of the SearchChildDomains parameter is set to Sample value: |
| SyncGlobalCatalogServer | Enter the host on which the global catalog server is located. Note: The value specified in this parameter is used if the value of the SearchChildDomains parameter is set to It is strongly recommended to provide a value for this parameter if you have set the SearchChildDomains parameter to Sample value: |
| UseSSL | Enter Default value: Note: |
To save the values, click Update.
Installation in the Connector Server consists of the following procedures:
Section 2.2.2.1, "Copying and Extracting the Connector Bundle to the Connector Server"
Section 2.2.2.2, "Configuring the IT Resource for the Connector Server"
To copy and extract the connector bundle to the Connector Server:
Stop the Connector Server.
Note:
You can download the necessary Connector Server from the Oracle Technology Network web page.
From the installation media, copy and extract contents of the bundle/ActiveDirectory.Connector-1.1.0.6380.zip file to the CONNECTOR_SERVER_HOME directory.
Start the Connector Server for the connector bundle to be picked up by the Connector Server.
Note:
A predefined IT resource for the Connector Server, named Active Directory Connector Server, is available after connector installation. The parameters of the predefined IT resource are the same as the parameters described in Table 2-4.
In addition to configuring the Active Directory IT resource, you must configure the IT resource for the Connector Server as follows:
Log in to the Administrative and User Console.
On the Welcome to Oracle Identity Manager Self Service page, click Advanced.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter Active Directory Connector Server and then click Search.
Click the edit icon corresponding to the Active Directory Connector Server IT resource.
From the list at the top of the page, select Details and Parameters.
Specify values for the parameters of the Active Directory Connector Server IT resource, as described in Table 2-4.
Table 2-4 Parameters of the Active Directory Connector Server IT Resource
| Parameter | Description |
|---|---|
| Host | Enter the host name or IP address of the computer hosting the connector server. Sample value: |
| Key | Enter the key for the connector server. |
| Port | Enter the number of the port at which the connector server is listening. Default value: |
| Timeout | Enter an integer value that specifies the number of milliseconds after which the connection between the connector server and Oracle Identity Manager times out. Sample value: A value of 0 means that the connection never times out. |
| UseSSL | Enter Default value: Note: It is recommended that you configure SSL to secure communication with the connector server. To configure SSL between Oracle Identity Manager and Connector Server, see Section 2.3.3.4, "Configuring SSL Between Oracle Identity Manager and Connector Server." |
Click Update to save the values.
Postinstallation steps are divided across the following sections:
Section 2.3.1, "Postinstallation on Oracle Identity Manager"
Section 2.3.3, "Configuring SSL for Microsoft Active Directory and Microsoft AD LDS"
Configuring Oracle Identity Manager involves performing the following procedures:
Section 2.3.1.1, "Clearing Content Related to Connector Resource Bundles from the Server Cache"
Section 2.3.1.2, "Setting up the Lookup Definition for Connection Pooling"
Section 2.3.1.3, "Configuring the Connector for the Microsoft AD LDS Target System"
Section 2.3.1.4, "Configuring Oracle Identity Manager for Request-Based Provisioning"
Section 2.3.1.5, "Configuring the Connector for Provisioning Organizations"
When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the Oracle Identity Manager database. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
In a command window, switch to the OIM_HOME/server/bin directory.
Note:
You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:
OIM_HOME/server/bin/SCRIPT_FILE_NAME
Enter one of the following commands:
On Microsoft Windows: PurgeCache.bat All
On UNIX: PurgeCache.sh All
Note:
You can use the PurgeCache utility to purge the cache for any content category. Run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the content category that must be purged.
For example, the following commands purge Metadata entries from the server cache:
PurgeCache.bat MetaData
PurgeCache.sh MetaData
When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:
t3://OIM_HOST_NAME:OIM_PORT_NUMBER
In this format:
Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.
Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.
See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.
By default, this connector uses the ICF connection pooling. Table 2-5 lists the connection pooling properties, their description, and default values set in ICF:
Table 2-5 Connection Pooling Properties
| Property | Description |
|---|---|
| Pool Max Idle | Maximum number of idle objects in a pool. Default value: |
| Pool Max Size | Maximum number of connections that the pool can create. Default value: |
| Pool Max Wait | Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation. Default value: |
| Pool Min Evict Idle Time | Minimum time, in milliseconds, the connector must wait before evicting an idle object. Default value: |
| Pool Min Idle | Minimum number of idle objects in a pool. Default value: |
If you want to modify the connection pooling properties to use values that suit requirements in your environment, then:
Log in to the Design Console.
Expand Administration, and then double-click Lookup Definition.
Search for and open one of the following lookup definitions:
For the trusted source mode: Lookup.Configuration.ActiveDirectory.Trusted
For target resource mode: Lookup.Configuration.ActiveDirectory
On the Lookup Code Information tab, click Add.
A new row is added.
In the Code Key column of the new row, enter Pool Max Idle.
In the Decode column of the new row, enter a value corresponding to the Pool Max Idle property.
Repeat Steps 4 through 6 for adding each of the connection pooling properties listed in Table 2-5.
Click the Save icon.
Note:
Perform the procedure described in this section only if you are using AD LDS as the target system.
Before you start using the connector with the AD LDS target system, you must perform the following procedure:
Log in to the Design Console.
Expand Administration, and then double-click Lookup Definition.
Modify the Lookup.ActiveDirectory.UM.Configuration lookup definition as follows:
Search for and open the Lookup.ActiveDirectory.UM.Configuration lookup definition.
Change the Lookup.ActiveDirectory.UM.ProvAttrMap Decode value to Lookup.ActiveDirectoryLDS.UM.ProvAttrMap.
Change the Lookup.ActiveDirectory.UM.ReconAttrMap Decode value to Lookup.ActiveDirectoryLDS.UM.ReconAttrMap.
Modify the Lookup.ActiveDirectory.GM.Configuration lookup definition as follows:
Search for and open the Lookup.ActiveDirectory.GM.Configuration lookup definition.
Change the Lookup.ActiveDirectory.GM.ProvAttrMap Decode value to Lookup.ActiveDirectoryLDS.GM.ProvAttrMap.
Change the Lookup.ActiveDirectory.GM.ReconAttrMap Decode value to Lookup.ActiveDirectoryLDS.GM.ReconAttrMap.
Modify the Lookup.ActiveDirectory.UM.Configuration.Trusted lookup definition as follows:
Search for and open the Lookup.ActiveDirectory.UM.Configuration.Trusted lookup definition.
Change the Lookup.ActiveDirectory.UM.Configuration.Trusted Decode value to Lookup.ActiveDirectoryLDS.UM.Configuration.Trusted.
If you have configured the target system as a target resource, then from the Lookup.ActiveDirectory.UM.ProvAttrMap and Lookup.ActiveDirectory.UM.ReconAttrMap lookup definitions, remove entries specific to terminal services fields. For example, the Terminal Home Directory and Terminal Profile Path entries.
Click the Save icon.
Remove the process form fields and process tasks that are specific to terminal services fields.
In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource can be viewed and approved by approvers designated in Oracle Identity Manager.
The following are features of request-based provisioning:
A user can be provisioned only one resource (account) on the target system.
Note:
Direct provisioning allows the provisioning of multiple Microsoft Active Directory accounts on the target system.
Direct provisioning cannot be used if you enable request-based provisioning.
To configure request-based provisioning, perform the following procedures:
A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. Predefined request datasets are shipped with this connector. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation. The following is the list of predefined request datasets available in the dataset directory on the installation media:
For Microsoft Active Directory:
ProvisionResourceADUser.xml
ModifyResourceADUser.xml
For Microsoft AD LDS:
ProvisionResourceADLDSUser.xml
ModifyResourceADLDSUser.xml
Copy these files from the installation media to any directory on the Oracle Identity Manager host computer. It is recommended that you create a directory structure as follows:
/custom/connector/RESOURCE_NAME
For example:
E:\MyDatasets\custom\connector\AD
Note:
Until you complete the procedure to configure request-based provisioning, ensure that there are no other files or directories inside the parent directory in which you create the directory structure. In the preceding example, ensure that there are no other files or directories inside the E:\MyDatasets directory.
The directory structure to which you copy the dataset files is the MDS location into which these files are imported after you run the Oracle Identity Manager MDS Import utility. The procedure to import dataset files is described in the next section.
Depending on your requirement, you can modify the file names of the request datasets. In addition, you can modify the information in the request datasets. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information on modifying request datasets.
There are two ways of importing request datasets:
Note:
Request datasets imported into MDS directly or by using the Deployment Manager are the same.
Importing Request Datasets into MDS
All request datasets must be imported into the metadata store (MDS), which can be done by using the Oracle Identity Manager MDS Import utility.
To import a request dataset definition into MDS:
Ensure that you have set the environment for running the MDS Import utility. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about setting up the environment for MDS utilities.
In a command window, change to the OIM_HOME\server\bin directory.
Run one of the following commands:
On Microsoft Windows
weblogicImportMetadata.bat
On UNIX
weblogicImportMetadata.sh
When prompted, enter the following values:
Please enter your username [weblogic]
Enter the username used to log in to WebLogic server
Sample value: WL_User
Please enter your password [weblogic]
Enter the password used to log in to WebLogic server
Please enter your server URL [t3://localhost:7001]
Enter the URL of the application server in the following format:
t3://HOST_NAME_IP_ADDRESS:PORT
In this format, replace:
HOST_NAME_IP_ADDRESS with the host name or IP address of the computer on which Oracle Identity Manager is installed.
PORT with the port on which Oracle Identity Manager is listening.
The request dataset is imported into MDS.
Importing Request Datasets Using Deployment Manager
The request datasets (predefined or generated) can also be imported by using the Deployment Manager (DM). The predefined request datasets are stored in the xml directory on the installation media.
To import a request dataset definition by using the Deployment Manager:
Log in to the Oracle Identity Manager Administrative and User Console.
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Import Deployment Manager File. A dialog box for opening files is displayed.
Depending on the target system that you are using, locate and open one of the following files, which is located in the xml directory of the installation media:
For AD: ActiveDirectory-Datasets.xml
For AD LDS: ActiveDirectoryLDS-Datasets.xml
Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Import.
In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.
The request datasets are imported into MDS.
To enable the Auto Save Form feature:
Log in to the Design Console.
Expand Process Management, and then double-click Process Definition.
Search for and open the AD User process definition.
Select the Auto Save Form check box.
Click the Save icon.
Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Section 2.3.1.1, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for instructions.
The procedure to configure request-based provisioning ends with this step.
Note:
Perform the procedure described in this section if you intend to provision organizations to a root DN.
Before you provision organizations to a root DN, you must add the DN to the Lookup.ActiveDirectory.OrganizationalUnits lookup definition as follows:
Log in to the Design Console.
Expand Administration and then double-click Lookup Definition.
Search for and open the Lookup.ActiveDirectory.OrganizationalUnits lookup definition.
Add an entry for the root DN. The following are sample values for the Code Key and Decode values:
Sample 1:
Code Key: 150~DC=childtest,DC=test,DC=idm,DC=central,DC=example,DC=com
Decode: SamAD~DC=childtest,DC=test,DC=idm,DC=central,DC=example,DC=com
Sample 2:
Code Key:
Decode:
Click Save.
Postinstallation on the target system consists of the following procedure.
In Microsoft Active Directory, the "Passwords must meet complexity requirements" policy setting is used to enable or disable password policies.
The procedure that you must perform depends on whether or not you want to achieve either or both of the following objectives:
Enable password policies
Configure SSL between Oracle Identity Manager and the target system
Note:
The procedure to configure SSL is discussed later in this guide.
If you configure SSL and you want to enable both the default Microsoft Windows password policy and a custom password policy, then you must enable the "Passwords must meet complexity requirements" policy setting.
To enable or disable the "Passwords must meet complexity requirements" policy setting:
Note:
If you install Microsoft ADAM in a domain controller then it acquires all the policies of Microsoft Active Directory installed in the same domain controller. If you install Microsoft ADAM in a workgroup, then the local system policies are applied.
On the Microsoft Windows computer hosting the target system, click the Start menu, Programs, Administrative Tools, and Domain Security Policy.
Select Security Settings, expand Account Policies, and then click Password Policy.
Double-click Passwords must meet complexity requirements.
In the Password Must Meet Complexity Requirements Properties dialog box, select Define this policy setting and then select:
Enabled, if you want to enable password policies
Disabled, if you want to disable password policies
Click OK.
Restart the target system.
This section discusses the following topics to configure SSL communication between Oracle Identity Manager and the target system:
Section 2.3.3.2, "Configuring SSL Between Connector Server and Microsoft Active Directory"
Section 2.3.3.3, "Configuring SSL Between Connector Server and Microsoft AD LDS"
Section 2.3.3.4, "Configuring SSL Between Oracle Identity Manager and Connector Server"
Before you configure SSL, you must perform the procedure described in the following section:
To install Certificate Services on the target system host computer:
Note:
Before you begin installing Certificate Services, you must ensure that Internet Information Services (IIS) is installed on the target system host computer.
Insert the operating system installation media into the CD-ROM or DVD drive.
Click Start, Settings, and Control Panel.
Double-click Add/Remove Programs.
Click Add/Remove Windows Components.
Select Certificate Services.
In the Windows Components Wizard, follow the instructions to start Certificate Services.
Note:
While providing input to the wizard, select Enterprise root CA as the CA type. This is required for adding a policy with the Domain Controller template, which is a step that you perform in the next procedure.
To configure SSL between Connector Server and Microsoft Active Directory:
Ensure that Microsoft Active Directory is SSL enabled. In other words, the computer hosting Microsoft Active Directory must have LDAP over SSL (LDAPS) enabled. To enable LDAPS:
On the Active Directory Users and Computers console, right-click the domain node, and select Properties.
Click the Group Policy tab.
Select Default Domain Policy.
Click Edit.
Click Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.
Right-click Automatic Certificate Request Settings, and then select New and Automatic Certificate Request. A wizard is started.
Use the wizard to add a policy with the Domain Controller template.
After the domain controller applies the updated policy (at its next Group Policy refresh or restart), it auto-enrolls for a certificate based on the Domain Controller template, and LDAPS is available on port 636 (and on port 3269 for Global Catalog queries). Use an LDAP browser utility such as ldp to confirm that an SSL connection to port 636 succeeds and that the certificate presented carries the domain controller's FQDN and chains to your enterprise CA.
Note:
While performing the procedure described in Section 2.2.1.2, "Configuring the IT Resource for the Target System," you specify the port number as the value of the Port Number parameter.
Ensure that the certificate created is accessible for the user that is specified in the target system IT Resource for managing Microsoft Active Directory.
Set the value of the UseSSL parameter of the target system IT resource to yes.
To configure SSL between Connector Server and Microsoft AD LDS:
Ensure that Microsoft AD LDS is SSL enabled. In other words, generate the certificate in Microsoft AD LDS. To do so, see "Generating the Certificate in Microsoft AD LDS".
Set the value of the UseSSL parameter of the target system IT resource to yes.
Generating the Certificate in Microsoft AD LDS
Note:
Before you begin generating the certificate, you must ensure that Internet Information Services (IIS) is installed on the target system host computer.
To generate the certificate in Microsoft AD LDS, perform the following procedures:
Section 2.3.3.3.1, "Submitting a Request for the Certificate"
Section 2.3.3.3.2, "Issuing the Certificate"
Section 2.3.3.3.3, "Adding the Certificate to the Personal Store of the Microsoft ADAM Service"
Section 2.3.3.3.4, "Assigning Permissions to the Certificate Key"
To submit a request for the certificate:
On the target system host computer, open the Certificate Services web enrollment pages (CertSrv). You can do this in one of the following ways:
Browse to the following URL:
http://localhost/certsrv
Open Control Panel, double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
Expand Web Sites, and then expand Default Web Site.
Right-click CertSrv, and then select Browse.
Click Request a certificate.
Click Advanced certificate request.
Click Create and submit a request to this CA.
On the Advanced Certificate Request page, perform the following actions:
Note:
There are instructions for only some of the fields on this page. For the remaining fields, you can enter values according to your requirements.
In the Name field, enter the fully qualified domain name (FQDN) of the target system host computer. For example, enter hk128.corp.example.com.
Note:
On your target system installation, if a value is already selected in this field, then you need not change it.
You need not enter values in the remaining fields of the Identifying Information region.
Select Store certificate in local computer certificate store.
Select PKCS10 as the format.
In the Friendly name field, enter the FQDN of the target system host computer. For example, enter hk128.corp.example.com.
Click Submit.
When a message asking you to confirm that you want to request a certificate is displayed, click Yes.
To issue the certificate:
On the target system host computer, open Control Panel.
Double-click Administrative Tools, and then double-click Certification Authority.
In the Certification Authority window, expand the node for your CA (named Administrator in the example environment), and then open Pending Requests.
The request that you created earlier is displayed on the right pane.
Right-click the request, select All Tasks, and then select Issue.
Open the Issued Certificates folder.
The certificate is displayed on the right pane.
Open Internet Information Services (IIS) Manager.
Expand Web Sites, and then expand Default Web Site.
Right-click CertSrv, and then select Browse.
Click View the status of pending certificate request.
Click the link for the certificate request.
Click Install this certificate.
When a message asking you to confirm that you want to add the certificate is displayed, click Yes.
A message saying that the certificate has been successfully installed is displayed.
To add the certificate to the personal store of the Microsoft ADAM service:
On the target system host computer, use the Run dialog box to run the command for opening the Microsoft Management Console:
mmc
On the Microsoft Management Console, click File and then select Add/Remove Snap-in.
On the Standalone tab of the Add/Remove Snap-in dialog box, click Add.
From the list of snap-ins, select Certificates and then click Add.
In the Certificates snap-in dialog box, select Service account.
In the Select Computer dialog box, select Local computer and then click Next.
From the Service account list in the Certificates snap-in dialog box, select the Microsoft ADAM service instance and then click Finish.
In the Certificates snap-in dialog box, select My user account and then click Finish.
In the Certificates snap-in dialog box, select Computer account and then click Next.
In the Select Computer dialog box, select Local computer and then click Finish.
Click Close, and then click OK.
In the Microsoft Management Console window, expand Certificates - Local Computer, expand Personal, and then open Certificates.
Right-click the certificate that you have added and copy it.
The name of this certificate is the FQDN of the host computer.
Paste the certificate into the following folders:
Personal folder under the Certificates - Service (ADAM_INSTANCE_NAME) on Local Computer folder
Personal folder under the Certificates - Current User folder
To save the changes that you have made to the Microsoft Management Console, click File and then select Save.
To assign the required permissions to the folder containing the certificate key:
In Microsoft Windows Explorer, navigate to the MachineKeys folder. The path to this folder is similar to the following:
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Right-click the MachineKeys folder, and then select Properties.
Use the Add button to add the following groups and users:
Administrators
Everyone
NETWORK SERVICE
The user name of the account used to install Microsoft ADAM
SYSTEM
From the Permissions list, select Full Control.
Click Apply, and then click OK.
In Microsoft Windows Explorer, expand the MachineKeys folder and select the certificate key. The time stamp for this certificate key is the date and time at which you created the certificate.
Note:
Refresh the folder if the certificate key that you created is not displayed.
Right-click the key, and select Properties.
Use the Add button to add the following groups and users:
Administrators
Everyone
NETWORK SERVICE
The user name of the account used to install Microsoft ADAM
SYSTEM
From the Permissions list, select Full Control.
Click Apply, and then click OK.
Note:
Full Control for Everyone is broader than the AD LDS (ADAM) instance needs: the private key only has to be readable by the account that the instance runs as (NETWORK SERVICE by default). After you have confirmed that SSL works, you can remove the Everyone entry and keep the entries for Administrators, SYSTEM, and the service account.
To restart the Microsoft ADAM instance:
Open Control Panel.
Double-click Administrative Tools, and then select Services.
In the Services window, right-click the Microsoft ADAM instance and then select Restart.
To test the certificate:
To open the ADAM Tools Command Prompt window on the target system host computer, click Start, Programs, ADAM, and ADAM Tools Command Prompt.
In the ADAM Tools Command Prompt window, enter ldp and then press Enter.
From the Connection menu of the Ldp window, select Connect.
In the Connect dialog box:
In the Server field, enter the FQDN of the target system host computer.
In the Port field, enter the SSL port number.
Select SSL.
Click OK.
If SSL has been successfully configured, then status messages about the connection are displayed on the right pane of the LDAPS window.
The following sections provide information about configuring SSL between Oracle Identity manager and Connector Server:
Section 2.3.3.4.2, "Configuring the Connector Server for SSL"
Section 2.3.3.4.3, "Configuring Oracle Identity Manager for SSL"
Note:
Perform the procedure described in this section on the computer hosting Oracle Identity Manager.
To export the certificate:
Click Start and then Run.
Enter the following command, and then click OK:
mmc
The Microsoft Management Console is displayed.
In the Console Root window, on the left pane, expand (Certificates - Local Computer), Personal, and then Certificates.
Right-click the certificate that you want to export, select All Tasks, and then click Export.
In the wizard that is displayed, accept the defaults (the certificate is exported without its private key) to create a certificate file (.cer), specify a file name (for example, C:\ADSSLCer), and then click Finish.
The following is the procedure to configure the Connector Server for SSL:
Create a certificate store and add the certificate created in Section 2.3.3.4.1, "Exporting the Certificate" to the store. To do so:
In a command window, enter the following:
C:\>certutil -f -addstore sslstore C:\ADSSLCer.cer
This command creates a new certificate store with the name 'sslstore' and adds the certificate ADSSLCer.cer to this store.
Note:
Ensure that a certificate store with the name used in the preceding command does not already exist. The certificate store named in the ConnectorServer.exe.Config file must contain exactly one certificate; if it contains more than one, the Connector Server does not start.
Run the following command to view the number of certificates present in the certificate store:
C:\>certutil -viewstore STORE_NAME
Navigate to the location where Connector Server is installed and locate the Connector Server\ConnectorServer.exe.Config file.
In a text editor, open the ConnectorServer.exe.Config file for editing:
Change the values of the following lines:
From:
<add key="connectorserver.usessl" value="false" />
<add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate" />
To:
<add key="connectorserver.usessl" value="true" />
<add key="connectorserver.certificatestorename" value="sslstore" />
Restart the Connector Server.
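The following Python script is an added example for this guide; it is not Oracle code. It makes the two edits described in the preceding steps against a constructed copy of ConnectorServer.exe.Config and reports whether the file is fully configured for SSL. The guide quotes only the two keys; the surrounding <configuration>/<appSettings> layout and the port value in the sample are assumptions.

```python
"""Flip a .NET Connector Server configuration to SSL and sanity-check the result.

Added example for this guide, not Oracle code. The two appSettings keys are the
ones quoted in the guide; the <configuration>/<appSettings> layout around them
is the standard .NET layout and is assumed here.
"""
import xml.etree.ElementTree as ET

# Store name shipped as a placeholder in the file (quoted in the guide).
DEFAULT_STORE = "ConnectorServerSSLCertificate"

# Constructed sample of ConnectorServer.exe.Config; the port value is illustrative.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="connectorserver.port" value="8759" />
    <add key="connectorserver.usessl" value="false" />
    <add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate" />
  </appSettings>
</configuration>
"""


def _app_settings(root):
    node = root.find("appSettings")
    if node is None:
        raise ValueError("no <appSettings> section in configuration")
    return node


def read_settings(xml_text: str) -> dict:
    """Return the appSettings key/value pairs as a dict."""
    root = ET.fromstring(xml_text)
    return {add.get("key"): add.get("value") for add in _app_settings(root).findall("add")}


def enable_ssl(xml_text: str, store_name: str) -> str:
    """Return the config with SSL turned on and the certificate store name set.

    Fails if either key is missing, so a typo in the file is not silently ignored.
    """
    if not store_name:
        raise ValueError("store_name must be the store created with certutil -addstore")
    root = ET.fromstring(xml_text)
    wanted = {
        "connectorserver.usessl": "true",
        "connectorserver.certificatestorename": store_name,
    }
    seen = set()
    for add in _app_settings(root).findall("add"):
        key = add.get("key")
        if key in wanted:
            add.set("value", wanted[key])
            seen.add(key)
    missing = sorted(wanted.keys() - seen)
    if missing:
        raise ValueError(f"keys not present in config: {missing}")
    return ET.tostring(root, encoding="unicode", xml_declaration=True) + "\n"


def check_ssl_settings(xml_text: str) -> list:
    """List the reasons a config would not give you an SSL-enabled Connector Server."""
    settings = read_settings(xml_text)
    problems = []
    if settings.get("connectorserver.usessl", "").lower() != "true":
        problems.append("connectorserver.usessl is not true")
    store = settings.get("connectorserver.certificatestorename", "")
    if not store:
        problems.append("connectorserver.certificatestorename is empty")
    elif store == DEFAULT_STORE:
        problems.append("certificate store name is still the shipped placeholder")
    return problems


if __name__ == "__main__":
    print("before:", check_ssl_settings(SAMPLE_CONFIG))
    hardened = enable_ssl(SAMPLE_CONFIG, "sslstore")
    print("after: ", check_ssl_settings(hardened))
    print(hardened)
```

ElementTree drops XML comments from the original file, so review the output before replacing ConnectorServer.exe.Config. The script cannot see the Windows certificate store: the store it names must still contain exactly one certificate, which you verify with certutil -viewstore before restarting the Connector Server.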
The following is the procedure to configure Oracle Identity Manager for SSL:
Copy the certificate generated in Step 1 of Section 2.3.3.4.2, "Configuring the Connector Server for SSL" to the computer on which Oracle Identity Manager is running.
Import the target system certificate into the JDK used by Oracle Identity Manager by running the following command:
keytool -import -keystore MY_CACERTS -file CERT_FILE_NAME -storepass PASSWORD
In this command:
MY_CACERTS is the full path and name of the certificate store (the default is cacerts).
CERT_FILE_NAME is the full path and name of the certificate file.
PASSWORD is the password of the keystore.
If you do not pass -alias, keytool stores the entry under the default alias mykey, and a second import into the same keystore without a unique -alias fails because that alias already exists. Answer yes when keytool asks whether to trust the certificate.
The following is a sample command:
keytool -import -keystore /home/testoc4j/OIM/jrockit_160_14_R27.6.5-32/jre/lib/security/cacerts -file /home/ADSSLCer.cer -storepass changeit
Import the target system certificate into Oracle WebLogic keystore by running the following command:
keytool -import -keystore WEBLOGIC_HOME/server/lib/DemoTrust.jks -file CERT_FILE_NAME -storepass PASSWORD
In this command:
CERT_FILE_NAME is the full path and name of the certificate file.
PASSWORD is the password of the keystore.
DemoTrust.jks is the demonstration trust keystore shipped with Oracle WebLogic Server. If your WebLogic domain is configured to use a custom trust keystore, import the certificate into that keystore instead, so that the trust store the server actually consults contains it.
The following is a sample command:
keytool -import -keystore WEBLOGIC_HOME/server/lib/DemoTrust.jks -file /home/ADSSLCer.cer -storepass DemoTrustKeyStorePassPhrase
Set the value of the UseSSL parameter of the Connector Server IT resource to true.
If you have already deployed an earlier release of this connector, then upgrade the connector to the current release 11.1.1.5.0. The following sections discuss the procedure to upgrade the connector:
Note:
Upgrade of the connector from release 9.1.x to 11.1.1.5.0 is supported.
Before you perform the upgrade procedure, it is strongly recommended that you create a backup of the Oracle Identity Manager database. Refer to the database documentation for information about creating a backup.
As a best practice, first perform the upgrade procedure in a test environment.
Perform the following preupgrade steps:
Perform a reconciliation run so that all the latest updates from the target system are fetched into Oracle Identity Manager.
Perform the preupgrade procedure documented in the "Managing Connector Lifecycle" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
On the target system, obtain the maximum value of the uSNChanged attribute as follows:
If you are using the connector across multiple domains, then on the domain controller on which the Global Catalog Server is running, navigate to RootDSE, and then look for the RootDSE properties.
If you are using the connector in a single domain, then on the domain controller used for reconciliation, navigate to RootDSE, and then look for the RootDSE properties.
In the RootDSE properties dialog box, search for the highestCommittedUSN attribute, and note down its value. The use of this value is described later in this chapter. Figure 2-3 shows the RootDSE properties dialog box in which the highestCommittedUSN attribute is displayed.
Define the source connector (an earlier release of the connector that must be upgraded) in Oracle Identity Manager. You define the source connector to update the Deployment Manager XML file with all customization changes made to the connector. See the "Managing Connector Lifecycle" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information.
Depending on the environment in which you are upgrading the connector, perform one of the following steps:
Development Environment
Perform the upgrade procedure by using the wizard mode.
Staging or Production Environment
Perform the upgrade procedure by using the silent mode. In the silent mode, use the silent.xml file that is exported from the development environment.
See the "Managing Connector Lifecycle" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about the wizard and silent modes.
Perform the following procedure:
Perform the postupgrade procedure documented in the "Managing Connector Lifecycle" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Run the Form Version Control (FVC) utility to manage data changes on a form after an upgrade operation. To do so:
In a text editor, open the fvc.properties file located in the OIM_DC_HOME directory and include the following entries:
ResourceObject;AD User
FormName;UD_ADUSER
FromVersion;SPECIFY_THE_VERSION_OF_THE_FORM_USED_BY_USER_ACCOUNTS_CREATED_BY_USING_THE_SOURCE_CONNECTOR
ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE
ParentParent;UD_ADUSER_AD;UD_ADUSER_SERVER
Run the FVC utility. This utility is copied into the following directory when you install the design console:
For Microsoft Windows:
OIM_DC_HOME/fvcutil.bat
For UNIX:
OIM_DC_HOME/fvcutil.sh
When you run this utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, and the logger level and log file location.
See Also:
The "Using the Form Version Control Utility" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about the FVC utility
Run the PostUpgradeScript.sql script as follows:
Connect to the Oracle Identity Manager database by using the OIM User credentials.
Run the PostUpgradeScript.sql located in the ConnectorDefaultDir/AD_PACKAGE/upgrade directory.
Deploy the Connector Server. See Section 2.1.3, "Installing and Configuring the Connector Server" and Section 2.2.2, "Installing the Connector in the Connector Server" for more information.
Re-configure the IT resource of the source connector (an earlier release of the connector that must be upgraded). See Section 2.2.1.2, "Configuring the IT Resource for the Target System" for information about configuring the IT resource.
Configure the latest token value of the scheduled job as follows:
The following scheduled jobs contain the Latest Token attribute:
Active Directory User Target Recon
Active Directory User Trusted Recon
Active Directory Group Recon
Active Directory Organization Recon
After upgrading the connector, you can perform either full reconciliation or incremental reconciliation. To perform incremental reconciliation, specify the value of the highestCommittedUSN attribute (noted in Section 2.4.1, "Preupgrade Steps") as the value of the Latest Token attribute. This ensures that records created or modified since the last reconciliation run (the one that you performed in Section 2.4.1, "Preupgrade Steps") are fetched into Oracle Identity Manager. From the next reconciliation run onward, the reconciliation engine automatically enters a value for the Latest Token attribute.
See Section 3.3.1, "Full Reconciliation and Incremental Reconciliation" for more information about performing full or incremental reconciliation.
Configure the sync token value of the scheduled job as follows:
The following scheduled jobs contain the Sync Token attribute:
Active Directory User Target Delete Recon
Active Directory User Trusted Delete Recon
Active Directory Group Delete Recon
After upgrading the connector, you can perform either full delete reconciliation or incremental delete reconciliation. To perform full delete reconciliation, you must not specify any value for the Sync Token attribute of the scheduled job. To perform incremental delete reconciliation, you must specify the value of the Sync Token attribute in the following format:
<String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String>
In this format, replace:
{uSNChanged} with the value of the highestCommittedUSN attribute noted in Section 2.4.1, "Preupgrade Steps."
{True/False} with one of the following values:
True if the Global Catalog Server is used during delete reconciliation runs
False if the Global Catalog Server is not used during delete reconciliation runs
{DOMAIN_CONTROLLER} with the name of the domain controller on which you located RootDSE while performing the procedure described in Section 2.4.1, "Preupgrade Steps."
See Section 3.3.4.2, "Scheduled Jobs for Reconciliation of Deleted User Records" and Section 3.3.4.4, "Scheduled Job for Reconciliation of Deleted Groups" for more information about delete reconciliation.
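The following Python script is an added example for this guide, not Oracle code. It extracts highestCommittedUSN from a RootDSE dump (a constructed LDIF sample), produces the Latest Token value for the incremental reconciliation jobs, and builds and parses the Sync Token value in the format shown above, rejecting malformed tokens. The leading 0 is carried through unchanged because the guide does not describe its meaning.

```python
"""Build and parse the Latest Token and Sync Token values set after an upgrade.

Added example for this guide, not Oracle code. The token layout
<String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String> is the one the
guide shows; the RootDSE sample below is constructed LDIF.
"""
import re
from dataclasses import dataclass
from typing import Optional

SYNC_TOKEN_RE = re.compile(
    r"^<String>0\|(?P<usn>\d+)\|(?P<gc>True|False)\|(?P<dc>[^|<>]+)</String>$"
)

# Constructed RootDSE dump in LDIF form (what ldifde or an LDAP browser exports).
SAMPLE_ROOTDSE = """\
dn:
dnsHostName: dc01.corp.example.com
highestCommittedUSN: 66182
isGlobalCatalogReady: TRUE
"""


@dataclass(frozen=True)
class SyncToken:
    usn: int
    use_global_catalog: bool
    domain_controller: str


def highest_committed_usn(rootdse_ldif: str) -> int:
    """Pull highestCommittedUSN out of a RootDSE dump; fail loudly if it is absent."""
    m = re.search(r"^highestCommittedUSN:\s*(\d+)\s*$", rootdse_ldif, re.M | re.I)
    if not m:
        raise ValueError("highestCommittedUSN not found in RootDSE dump")
    return int(m.group(1))


def latest_token(usn: int) -> str:
    """Latest Token for the user, group and organization recon jobs: the bare USN."""
    if usn < 0:
        raise ValueError("USN must be non-negative")
    return str(usn)


def build_sync_token(usn: int, use_global_catalog: bool, domain_controller: str) -> str:
    """Sync Token for the delete recon jobs, in the guide's <String>...</String> form."""
    dc = domain_controller.strip()
    if usn < 0:
        raise ValueError("USN must be non-negative")
    if not dc or any(ch in dc for ch in "|<>"):
        raise ValueError("domain controller name must be non-empty and free of |, < and >")
    flag = "True" if use_global_catalog else "False"
    return f"<String>0|{usn}|{flag}|{dc}</String>"


def parse_sync_token(token: str) -> Optional[SyncToken]:
    """Parse a Sync Token; an empty value means full delete reconciliation (None)."""
    if not token or not token.strip():
        return None
    m = SYNC_TOKEN_RE.match(token.strip())
    if not m:
        raise ValueError(f"malformed Sync Token: {token!r}")
    return SyncToken(int(m["usn"]), m["gc"] == "True", m["dc"])


if __name__ == "__main__":
    usn = highest_committed_usn(SAMPLE_ROOTDSE)
    print("Latest Token:", latest_token(usn))
    token = build_sync_token(usn, False, "dc01.corp.example.com")
    print("Sync Token:  ", token)
    print(parse_sync_token(token))
```

Take the USN from the same domain controller (or Global Catalog server) that you name in the token; USNs are per domain controller, so a value read from one server is not a valid watermark for another.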
You can clone the Microsoft Active Directory User Management connector by setting new names for some of the objects that comprise the connector. The outcome of the process is a new connector XML file. Most of the connector objects, such as Resource Object, Process Definition, Process Form, IT Resource Type Definition, IT Resource Instances, Lookup Definitions, Adapters, Reconciliation Rules and so on in the new connector XML file have new names.
See Also:
The "Managing Connector Lifecycle" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about cloning connectors and the steps mentioned in this section
After a copy of the connector is created by setting new names for connector objects, some objects might contain the details of the old connector objects. Therefore, you must modify the following Oracle Identity Manager objects to replace the base connector artifacts or attribute references with the corresponding cloned artifacts or attributes:
IT Resource
The cloned connector has its own set of IT resources. You must configure both the cloned IT resources, Active Directory and Connector Server, and provide the reference of the cloned Connector Server IT Resource in the cloned Active Directory IT resource. Ensure you use the configuration lookup definition of the cloned connector.
Scheduled Task
The Resource Object Name and IT Resource attributes of the cloned scheduled tasks still refer to the objects of the base connector. Replace these values with the names of the corresponding cloned artifacts.
Lookup Definition
No change is required to be made in any of the cloned lookup definitions. All cloned lookup definitions contain proper lookup entries.
Process Tasks
After cloning, all event handlers attached to the process tasks are the cloned ones, and the adapter mappings for the process tasks of the parent form already point at the cloned artifacts. No changes are therefore required for the process tasks of the parent form.
However, the mapping of the childTableName adapter variable must be updated for all process tasks that are associated with the cloned AD IDC Child Table Update adapter. The following predefined process tasks are associated with the AD IDC Child Table Update adapter:
Group membership delete
Group membership Insert
Group membership update
Object classes delete
Object classes Insert
Object classes update
Localization Properties
You must update the resource bundle of a user locale with new names of the process form attributes for proper translations after cloning the connector. You can modify the properties file of your locale in the resources directory of the connector bundle.
For example, the process form attributes are referenced in the Japanese properties file, ActiveDirectoryIdC_ja.properties, as global.udf.UD_ADUSER_FULLNAME. During cloning, if you change the process form name from UD_ADUSER to UD_ADUSER1, then you must update the process form attributes to global.udf.UD_ADUSER1_FULLNAME.
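The following Python script is an added example for this guide, not Oracle code. It rewrites the global.udf.<FORM>_<FIELD> keys in a resource bundle from the base form name to the cloned one, matching only the exact form name so that a form named UD_ADUSER does not swallow keys that belong to UD_ADUSER1, and so that running it twice is harmless. The sample bundle and its field names are constructed.

```python
"""Rename process-form attribute keys in a connector resource bundle after cloning.

Added example for this guide, not Oracle code. The key pattern
global.udf.<FORM>_<FIELD> and the UD_ADUSER -> UD_ADUSER1 rename come from the
guide; the sample bundle below is constructed and its field names are hypothetical.
"""
import re
from typing import Tuple

# Constructed excerpt in the style of ActiveDirectoryIdC_ja.properties.
SAMPLE_BUNDLE = r"""# constructed sample; field names are hypothetical
global.udf.UD_ADUSER_FULLNAME=\u6c0f\u540d
global.udf.UD_ADUSER_USERID=\u30e6\u30fc\u30b6\u30fcID
global.udf.UD_ADGROUP_NAME=\u30b0\u30eb\u30fc\u30d7\u540d
global.udf.UD_ADUSER1_MAIL=already.cloned
"""


def rename_form_keys(bundle: str, old_form: str, new_form: str) -> Tuple[str, int]:
    """Rewrite global.udf.<old_form>_* keys to <new_form>; values are untouched.

    Only the exact form name followed by '_' is rewritten, so old_form=UD_ADUSER
    leaves UD_ADUSER1_* keys alone and a second run changes nothing.
    Returns the rewritten text and the number of keys changed.
    """
    key_re = re.compile(r"^(global\.udf\.)" + re.escape(old_form) + r"_(?=[A-Za-z0-9_])")
    out, changed = [], 0
    for line in bundle.splitlines():
        stripped = line.lstrip()
        if not stripped or stripped[0] in "#!":   # comments and blank lines pass through
            out.append(line)
            continue
        # .properties separators are '=', ':' or whitespace; the key ends at the first one.
        m = re.match(r"^(\s*)([^=:\s]+)(.*)$", line)
        if not m:
            out.append(line)
            continue
        indent, key, rest = m.groups()
        new_key, n = key_re.subn(lambda mm: mm.group(1) + new_form + "_", key)
        changed += n
        out.append(indent + new_key + rest)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    text, count = rename_form_keys(SAMPLE_BUNDLE, "UD_ADUSER", "UD_ADUSER1")
    print(f"{count} keys renamed")
    print(text)
```

Run it once per locale file in the resources directory and commit the result together with the cloned connector XML; the count it returns is a quick check that the number of renamed keys matches the number of fields on the process form.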