Oracle® Identity Manager Connector Guide for Microsoft Active Directory User Management
Release 11.1.1

E20347-10

2 Deploying the Connector

The procedure to deploy the connector can be divided into the following stages:

Note:

Some of the procedures described in this chapter are meant to be performed on the target system. The minimum permissions required to perform these procedures depend on the target system that you are using:

2.1 Preinstallation

Preinstallation information is divided across the following sections:

2.1.1 Preinstallation on Oracle Identity Manager

This section contains the following topic:

2.1.1.1 Files and Directories On the Installation Media

The contents of the connector installation media directory are described in Table 2-1.

Table 2-1 Files and Directories On the Installation Media

File in the Installation Media Directory Description

bundle/ActiveDirectory.Connector-1.1.0.6380.zip

This ZIP file contains the connector bundle.

configuration/ActiveDirectory-CI.xml

This XML file contains configuration information that is used during the connector installation process.

Files in the dataset directory

ModifyResourceADUser.xml

ProvisionResourceADUser.xml

ModifyResourceADLDSUser.xml

ProvisionResourceADLDSUser.xml

Note: The dataset XML files are applicable only if you are using Oracle Identity Manager release 11.1.1.x.

These XML files specify the information to be submitted by the requester during a request-based provisioning operation. You import these XML files into Oracle Identity Manager MDS by using the Oracle Identity Manager MDS Import utility.

owglue/ActiveDirectoryConnector-idmglue-1.0.12.zip

This ZIP file contains Oracle Waveset metadata for the Microsoft Active Directory User Management connector.

Note: This ZIP file is not required for the Microsoft Active Directory User Management connector that is used with Oracle Identity Manager.

Files in the resources directory

Each of these resource bundles contains language-specific information that is used by the connector. During connector installation, these resource bundles are copied to the Oracle Identity Manager database.

Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages.

upgrade/PostUpgradeScript.sql

This file is used during the connector upgrade procedure. This SQL script updates the object GUID in the older version of the connector to match the format of object GUID in the current version of the connector.

xml/ActiveDirectory-ConnectorConfig.xml

This XML file contains definitions for the following connector components:

  • Resource objects

  • IT resource types

  • IT resource instance

  • Process forms

  • Process tasks and adapters

  • Process definition

  • Prepopulate rules

  • Lookup definitions

  • Reconciliation rules

  • Scheduled tasks

xml/ActiveDirectory-Datasets.xml

xml/ActiveDirectoryLDS-Datasets.xml

Note: The dataset XML files are applicable only if you are using Oracle Identity Manager release 11.1.1.x.

These XML files contain the dataset related definitions for the create and modify user provisioning operations. These files are used if you want to enable request-based provisioning. You import these XML files into Oracle Identity Manager by using the Deployment Manager.


2.1.2 Preinstallation on the Target System

Preinstallation on the target system involves performing the following procedures:

2.1.2.1 Creating a Target System User Account for Connector Operations

Oracle Identity Manager requires a target system user account to access the target system during reconciliation and provisioning operations. You provide the credentials of this user account while performing the procedure described in Section 2.2.1.2, "Configuring the IT Resource for the Target System."

In Microsoft Active Directory

Depending on the target system version you are using, you can use a Microsoft Windows 2003 Server or Microsoft Windows 2008 Server (Domain Controller) administrator account. Alternatively, you can create a user account and assign the minimum required rights to the user account.

To create the Microsoft Active Directory user account for connector operations:

See Also:

Microsoft Active Directory documentation for detailed information about performing this procedure

  1. Create a group (for example, OIMGroup) on the target system. While creating the group, select Security Group as the group type and Global or Universal as the group scope.

    Note:

    In a parent-child domain setup, create the group in the parent domain.

  2. Make this group a member of the Account Operators group.

  3. Assign all read permissions to this group. If there are multiple child domains in the forest, then log in to each child domain and add the above group to the Account Operators group of each child domain.

    Note:

    You assign read permissions on the Security tab of the Properties dialog box for the user account. This tab is displayed only in Advanced Features view. To switch to this view, select Advanced Features from the View menu on the Microsoft Active Directory console.

  4. Create a user (for example, OIMUser) on the target system. In a parent-child domain setup, create the user in the parent domain.

  5. Make the user a member of the group (for example, OIMGroup) created in Step 1.

In Microsoft AD LDS

To create the Microsoft AD LDS user account for connector operations:

See Also:

Microsoft AD LDS documentation for detailed information about these steps

  1. Create a user account in Microsoft AD LDS.

  2. Set a password for the user account.

  3. Enable the user account by setting the msDS-UserAccountDisabled field to false.

  4. Enter a value in the userPrincipalName field.

    The value that you provide must be in the user_name@domain_name format, for example, OIMuser@mydomain.com.

  5. Add the distinguished name of the user to the Administrators group.

Note:

To create the user account for connector operations in a standalone Microsoft AD LDS instance:

  1. Create a user account on the standalone computer.

  2. Add the newly created user to the AD LDS Administrators group (CN=Administrators,CN=Roles,DC=X).

2.1.2.2 Assigning Permissions to Perform Delete User Reconciliation Runs

In order to enable the user account that you created in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations" to retrieve information about deleted user accounts during delete reconciliation runs, you must assign permissions on the Deleted Objects container (CN=Deleted Objects) in the target system as follows:

Note:

In a forest environment, if you are performing reconciliation by using the Global Catalog Server, then perform the procedure described in this section on all child domains.

  1. Log in to the target system as an administrator.

  2. In a terminal window, run the following command:

    Note:

    If your target system is installed on Microsoft Windows Server 2003, then in a terminal window, change to the C:\WINDOWS\ADAM directory and then run the command.

    dsacls DELETED_OBJ_DN /takeownership
    

    In this command, replace DELETED_OBJ_DN with the distinguished name of the Deleted Objects container.

    Sample value:

    dsacls "CN=Deleted Objects,DC=mydomain,dc=com" /takeownership
    
  3. In a terminal window, run the following command to grant a user or group permissions to perform successful runs of the delete user reconciliation scheduled job:

    dsacls DELETED_OBJ_DN /G USER_OR_GROUP:PERMISSION
    

    In this command, replace:

    • DELETED_OBJ_DN with the distinguished name of the Deleted Objects container.

    • USER_OR_GROUP with the name of the user or group to which you want to assign permissions.

    • PERMISSION with the permissions to grant.

    Sample value:

    dsacls "CN=Deleted Objects,DC=mydomain,dc=com" /G ROOT3\OIMUser:LCRP
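To confirm that the grant above gave the reconciliation account just List Children and Read Property (the LC and RP bits in the dsacls command) and nothing more, the following PowerShell is an added example, not part of this guide. It assumes Windows PowerShell 5.1 on a domain-joined host; the demonstration at the end runs offline against a constructed SID and a constructed ACL.

```powershell
# Added example (not code from the Oracle guide): check the DACL of the
# Deleted Objects container for the reconciliation account. In dsacls notation
# LC = List Children and RP = Read Property, which map to the
# ActiveDirectoryRights flags used below. Assumes Windows PowerShell 5.1.
Add-Type -AssemblyName System.DirectoryServices

function Test-DeletedObjectsAccess {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [Parameter(Mandatory)][string]$Sid
    )
    # dsacls LCRP = List Children + Read Property.
    $required = [int][System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty'
    $granted  = 0
    $denied   = $false

    # Keep identities as SIDs so that no name resolution is needed (works offline too).
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $Sid) { continue }
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            $denied = $true
        } else {
            $granted = $granted -bor [int]$rule.ActiveDirectoryRights
        }
    }

    # Rights beyond LC+RP (GenericAll, WriteProperty, Delete, ...) exceed what the
    # delete reconciliation job needs and should be reviewed.
    $extra = $granted -band (-bnot $required)
    [pscustomobject]@{
        Sid           = $Sid
        HasRequired   = ((($granted -band $required) -eq $required) -and -not $denied)
        HasDenyAce    = $denied
        GrantedRights = [System.DirectoryServices.ActiveDirectoryRights]$granted
        ExtraRights   = [System.DirectoryServices.ActiveDirectoryRights]$extra
    }
}

# --- Offline demonstration with constructed values ---------------------------
# Constructed SID standing in for ROOT3\OIMUser; a real one comes from
# (Get-ADUser -Identity OIMUser).SID.Value.
$demoSid  = 'S-1-5-21-1000000000-2000000000-3000000000-1105'
$identity = [System.Security.Principal.SecurityIdentifier]::new($demoSid)
$demoRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty',
    [System.Security.AccessControl.AccessControlType]::Allow)
$demoAcl = [System.DirectoryServices.ActiveDirectorySecurity]::new()
$demoAcl.AddAccessRule($demoRule)
Test-DeletedObjectsAccess -Acl $demoAcl -Sid $demoSid | Format-List

# Live check after the dsacls commands above (needs the ActiveDirectory module):
#   $acl = Get-Acl -Path 'AD:\CN=Deleted Objects,DC=mydomain,DC=com'
#   Test-DeletedObjectsAccess -Acl $acl -Sid (Get-ADUser -Identity OIMUser).SID.Value
```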
    

2.1.2.3 Delegating Control for Organizational Units and Custom Object Classes

By default, user accounts that belong to the Account Operators group can manage only user and group objects. To manage organizational units or custom object classes, you must assign the necessary permissions to a user account. In other words, you must delegate complete control for an organizational unit or custom object class to a user or group object. These permissions are also required to successfully provision custom object classes.

You delegate this control by using the Delegation of Control Wizard. Creating organizational units is one example of managing organizational units.

To delegate control for an organizational unit or custom object class to a user account:

Note:

In a parent-child deployment environment or forest topology, perform this procedure on all the child domains.

  1. In the Active Directory Users and Computers window, in the navigation tree, right-click the organizational unit whose control you want to delegate, and then click Delegate Control.

    The Delegation of Control Wizard is displayed.

    Note:

    If you want to delegate control for all organizational units under the root context, then delegate control at the root context level.

  2. On the Welcome to the Delegation of Control Wizard page, click Next.

  3. On the Users or Groups page, to select either a user or group to whom you want to delegate control:

    1. Click Add.

    2. In the Select Users, Computers, or Groups dialog box, enter a user or group name. For example, enter OIMUser.

    3. Click Check Names.

    4. Click OK to close the dialog box.

  4. Click Next.

  5. On the Tasks to Delegate page, select the Create a custom task to delegate option, and then click Next.

  6. On the Active Directory Object Type page, select Only the following objects in the folder, and then select Organizational Unit Objects. If you are delegating control for custom object classes, then select the custom object class for which you want to delegate control.

  7. Select the Create selected objects in the folder and Delete selected objects in the folder options, and then click Next.

  8. On the Permissions page:

    • For Organizational Units, select Full Control, click Next, and then click Finish.

    • For custom object classes, select the required permissions, click Next, and then click Finish.

2.1.3 Installing and Configuring the Connector Server

You deploy the Active Directory User Management connector remotely in the Connector Server. A connector server is a Microsoft Windows application that enables remote execution of an Identity Connector.

Connector servers are available in two implementations:

  • As a .Net implementation that is used by Identity Connectors implemented in .Net

  • As a Java Connector Server implementation that is used by Java-based Identity Connectors

The Active Directory User Management connector is implemented in .Net, so you must deploy this connector to a .Net framework-based Connector Server.

Use the following steps to install and configure the Connector Server:

Note:

Before you deploy the Connector Server, ensure that:

  • You have installed Microsoft .NET Framework 3.5 or later on the same computer where you are installing the Connector Server.

  • If you are using Microsoft .NET Framework 3.5, then apply the following patch to prevent a memory leak issue:

    http://support.microsoft.com/kb/981575

  1. Download the Connector Server package (a zip file) from the Oracle Technology Network.

  2. Extract the contents of the Connector Server package and locate the ServiceInstall-version.msi file.

  3. Install the Connector Server by running the ServiceInstall-version.msi file and following the wizard. The wizard takes you through the installation process step-by-step. After completion, the .NET Connector Server is registered as a Windows service.

  4. Start the Microsoft Services Console.

  5. If the .NET Connector Server is running, stop it by stopping the Windows service.

  6. To set a custom key for the .NET Connector Server, use the /setkey command-line argument, as follows:

    1. Change to the directory where the .NET Connector Server was installed. The default directory is:

      C:\Program Files\Identity Connectors\Connector Server

    2. Run the following command:

      ConnectorServer.exe /setkey NEW_KEY
      

      In this command, NEW_KEY is the value for the new key. This key is required by any client that connects to this .NET Connector Server.

  7. Check the settings in the .NET Connector Server configuration file (ConnectorServer.exe.config). These settings are in the element named AppSettings. For example:

    <add key="connectorserver.port" value="8759" />
    <add key="connectorserver.usessl" value="false" />
    <add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate" />
    <add key="connectorserver.ifaddress" value="0.0.0.0" />
    

    The most common settings you might want to change are:

    • Port number: To change the port, set connectorserver.port to a value other than 8759.

    • SSL settings: To use SSL, set connectorserver.usessl to true and then set connectorserver.certificatestorename to your certificate store name.

    • Listening socket bind: To change the listening socket bind, set connectorserver.ifaddress to an address other than 0.0.0.0.

    • Trace settings: To set trace settings, see Section 2.1.4, "Enabling Logging."

  8. Save the following configuration information from the .NET Connector Server installation. This information must be specified while configuring the IT resource for the Connector Server:

    • Host name or IP address

    • Connector Server port

    • Connector Server key values

    • Whether SSL is enabled

  9. When you are finished configuring the .NET Connector Server, restart it by restarting the Windows service. Alternatively, you can restart the .NET Connector Server by using the following command:

    ConnectorServer.exe /run
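As an added example that is not code from this guide, the following PowerShell reads the AppSettings from step 7 and reports the settings worth reviewing before the service goes live. It assumes Windows PowerShell 5.1, the standard appSettings element name, and that ConnectorServer.exe /setkey stores its key under an entry named connectorserver.key; the embedded configuration is constructed from the values shown above.

```powershell
# Added example (not code from the Oracle guide): audit the AppSettings of
# ConnectorServer.exe.config. Assumes Windows PowerShell 5.1 and the standard
# <appSettings> element; connectorserver.key as the entry written by /setkey is
# an assumption. The sample configuration at the bottom is constructed.

function Get-AppSetting {
    param([xml]$Config, [string]$Key)
    $node = $Config.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if ($null -eq $node) { return $null }
    return $node.GetAttribute('value')
}

function Test-ConnectorServerConfig {
    param([Parameter(Mandatory)][xml]$Config)
    $findings = New-Object System.Collections.Generic.List[string]

    $port   = Get-AppSetting -Config $Config -Key 'connectorserver.port'
    $useSsl = Get-AppSetting -Config $Config -Key 'connectorserver.usessl'
    $store  = Get-AppSetting -Config $Config -Key 'connectorserver.certificatestorename'
    $bind   = Get-AppSetting -Config $Config -Key 'connectorserver.ifaddress'
    $key    = Get-AppSetting -Config $Config -Key 'connectorserver.key'

    if ($useSsl -ne 'true') {
        $findings.Add('connectorserver.usessl is not "true": the OIM to Connector Server connection is not encrypted (Section 2.3.3.4 describes enabling SSL).')
    } elseif ([string]::IsNullOrWhiteSpace($store)) {
        $findings.Add('SSL is enabled but connectorserver.certificatestorename is empty.')
    } elseif (-not (Test-Path -Path "Cert:\LocalMachine\$store")) {
        # Assumption: the service loads its certificate from the LocalMachine store of that name.
        $findings.Add("Certificate store 'Cert:\LocalMachine\$store' does not exist on this host.")
    }
    if ($bind -eq '0.0.0.0') {
        $findings.Add('connectorserver.ifaddress is 0.0.0.0: the service accepts connections on every interface; bind it to the address OIM uses.')
    }
    if ([string]::IsNullOrWhiteSpace($key)) {
        $findings.Add('No connectorserver.key value: run "ConnectorServer.exe /setkey NEW_KEY" before starting the service.')
    }
    if (-not ($port -match '^\d+$') -or [int]$port -lt 1 -or [int]$port -gt 65535) {
        $findings.Add("connectorserver.port '$port' is not a valid TCP port.")
    }
    return $findings.ToArray()
}

# Constructed sample mirroring the values shown in step 7, with an empty key
# so that the /setkey check fires.
[xml]$sampleConfig = @'
<configuration>
  <appSettings>
    <add key="connectorserver.port" value="8759" />
    <add key="connectorserver.usessl" value="false" />
    <add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate" />
    <add key="connectorserver.ifaddress" value="0.0.0.0" />
    <add key="connectorserver.key" value="" />
  </appSettings>
</configuration>
'@
Test-ConnectorServerConfig -Config $sampleConfig | ForEach-Object { "FINDING: $_" }

# To audit the installed file:
#   $path = 'C:\Program Files\Identity Connectors\Connector Server\ConnectorServer.exe.config'
#   Test-ConnectorServerConfig -Config ([xml](Get-Content -Path $path -Raw))
```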
    

See Also:

Section 2.3.3.4, "Configuring SSL Between Oracle Identity Manager and Connector Server" for information about configuring SSL between Oracle Identity Manager and Connector Server

2.1.4 Enabling Logging

The Active Directory User Management connector uses the built-in logging mechanism of the .NET framework. Logging for the Active Directory User Management connector is not integrated with Oracle Identity Manager. The log level is set in the .NET Connector Server configuration file (ConnectorServer.exe.config).

To enable logging for the Active Directory User Management connector:

  1. Go to the directory where the ConnectorServer.exe.config file is installed. The default directory is C:\Program Files\Identity Connectors\Connector Server.

    The ConnectorServer.exe.config file must be present in this directory.

  2. In the ConnectorServer.exe.config file, add the following system.diagnostics element:

    <system.diagnostics>
      <trace autoflush="true" indentsize="4">
        <listeners>
          <remove name="Default" />
          <add name="myListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="c:\connectorserver2.log" traceOutputOptions="DateTime">
            <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information" />
          </add>
        </listeners>
      </trace>
      <switches>
        <add name="ActiveDirectorySwitch" value="4" />
      </switches>
    </system.diagnostics>
    

    The value="4" sets the log level to Verbose. This value can be set as follows:

    Table 2-2 Log Levels

    Value                              Log Level
    value="4" or value="Verbose"       Verbose level. Most granular.
    value="3" or value="Information"   Information level.
    value="2" or value="Warning"       Warning level.
    value="1" or value="Error"         Error level.
    value="0"                          No logging.


    However, remember that the logging level has a direct effect on the performance of the .NET Connector Server.

  3. After you make the configuration change, stop and then restart the .NET Connector Server service. Alternatively, you can restart the .NET Connector Server by using the following command:

    ConnectorServer.exe /run
    

2.1.4.1 Configuring Log File Rotation

Information about events that occur during reconciliation and provisioning operations is stored in a log file. As you use the connector over a period of time, the amount of information written to the log file increases. If no rotation is performed, then the log file grows very large.

To avoid such a scenario, perform the procedure described in this section to configure rotation of the log file.

To configure rotation of a log file on a daily basis:

  1. Log in to the computer that is hosting the Connector Server.

  2. Stop the Connector Server.

  3. Back up the ConnectorServer.exe.config file. The default location of this file is C:\Program Files\Identity Connectors\Connector Server.

  4. In a text editor, open the ConnectorServer.exe.config file for editing.

  5. Search for the <listeners> and </listeners> elements and replace the text between these elements with the following:

    <remove name="Default" />
    <add name="FileLog"
         type="Microsoft.VisualBasic.Logging.FileLogTraceListener,Microsoft.VisualBasic,Version=8.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
         initializeData="FileLogWriter"
         traceOutputOptions="DateTime"
         BaseFileName="ConnectorServerDaily"
         Location="Custom"
         CustomLocation="C:\ConnectorServerLog\"
         LogFileCreationSchedule="Daily">
      <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information"/>
    </add>
    
  6. Save the file and close it.

  7. Start the Connector Server.

See Also:

The following URL for more information about configuring log file rotation:

http://msdn.microsoft.com/en-us/library/microsoft.visualbasic.logging.filelogtracelistener.aspx
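The following PowerShell, an added example rather than code from this guide, reads the system.diagnostics section and reports the effective log level from Table 2-2 together with whether the listener rotates its file as configured in Section 2.1.4.1. It assumes Windows PowerShell 5.1; the embedded configuration is constructed from the fragments in Section 2.1.4.

```powershell
# Added example (not code from the Oracle guide): report the effective log
# level (per Table 2-2) and whether the trace listener rotates its file as in
# Section 2.1.4.1. Assumes Windows PowerShell 5.1; the configuration at the
# bottom is constructed from the fragments in Section 2.1.4.

# Table 2-2 switch values, numeric form mapped to the named form.
$LogLevels = @{ '0' = 'Off'; '1' = 'Error'; '2' = 'Warning'; '3' = 'Information'; '4' = 'Verbose' }

function Get-ConnectorLogSettings {
    param([Parameter(Mandatory)][xml]$Config)
    $diag = $Config.SelectSingleNode('/configuration/system.diagnostics')
    if ($null -eq $diag) { throw 'No system.diagnostics element: connector logging is not enabled.' }

    $switch = $diag.SelectSingleNode('switches/add[@name=''ActiveDirectorySwitch'']')
    $value  = if ($null -ne $switch) { $switch.GetAttribute('value') } else { '0' }
    # Accept both the numeric ("4") and the named ("Verbose") form.
    $level  = if ($LogLevels.ContainsKey($value)) { $LogLevels[$value] } elseif ($LogLevels.Values -contains $value) { $value } else { "unknown ($value)" }

    $rotates   = $false
    $listeners = foreach ($l in $diag.SelectNodes('trace/listeners/add')) {
        $type = $l.GetAttribute('type')
        # FileLogTraceListener with a Daily/Weekly schedule is the rotating setup from 2.1.4.1.
        if ($type -like 'Microsoft.VisualBasic.Logging.FileLogTraceListener*' -and
            $l.GetAttribute('LogFileCreationSchedule') -in @('Daily', 'Weekly')) { $rotates = $true }
        $filter = $l.SelectSingleNode('filter')
        $filterText = if ($null -ne $filter) { $filter.GetAttribute('initializeData') } else { 'none' }
        '{0} -> {1} (listener filter: {2})' -f $type.Split(',')[0], $l.GetAttribute('initializeData'), $filterText
    }
    [pscustomobject]@{
        Level            = $level
        VerboseCostsPerf = ($level -eq 'Verbose')   # the guide notes the level affects performance
        Listeners        = @($listeners)
        RotatesLogFile   = $rotates
    }
}

# Constructed sample combining the switch from Section 2.1.4 with the rotating
# listener from Section 2.1.4.1.
[xml]$sampleConfig = @'
<configuration>
  <system.diagnostics>
    <trace autoflush="true" indentsize="4">
      <listeners>
        <remove name="Default" />
        <add name="FileLog" type="Microsoft.VisualBasic.Logging.FileLogTraceListener,Microsoft.VisualBasic,Version=8.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
             initializeData="FileLogWriter" traceOutputOptions="DateTime" BaseFileName="ConnectorServerDaily"
             Location="Custom" CustomLocation="C:\ConnectorServerLog\" LogFileCreationSchedule="Daily">
          <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information" />
        </add>
      </listeners>
    </trace>
    <switches>
      <add name="ActiveDirectorySwitch" value="4" />
    </switches>
  </system.diagnostics>
</configuration>
'@
Get-ConnectorLogSettings -Config $sampleConfig | Format-List

# For the installed file:
#   $path = 'C:\Program Files\Identity Connectors\Connector Server\ConnectorServer.exe.config'
#   Get-ConnectorLogSettings -Config ([xml](Get-Content -Path $path -Raw))
```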

2.2 Installation

You must install the Active Directory User Management connector in Oracle Identity Manager and in the Connector Server, as described in the following sections:

2.2.1 Installing the Connector in Oracle Identity Manager

Installation on Oracle Identity Manager consists of the following procedures:

2.2.1.1 Running the Connector Installer

Note:

In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Administrative and User Console.

To run the Connector Installer:

  1. Copy the contents of the connector installation media directory into the following directory:

    OIM_HOME/server/ConnectorDefaultDirectory

  2. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

  3. In the Manage Connector page, click Install.

  4. From the Connector List list, select ActiveDirectory RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copied into the default connector installation directory in Step 1.

    If you have copied the installation files into a different directory, then:

    1. In the Alternative Directory field, enter the full path and name of that directory.

    2. To repopulate the list of connectors in the Connector List list, click Refresh.

    3. From the Connector List list, select ActiveDirectory RELEASE_NUMBER.

  5. Click Load.

  6. To start the installation process, click Continue.

    The following tasks are performed, in sequence:

    1. Configuration of connector libraries

    2. Import of the connector XML files (by using the Deployment Manager)

    3. Compilation of adapters

    On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for the failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:

    • Retry the installation by clicking Retry.

    • Cancel the installation and begin again from Step 1.

  7. If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of steps that you must perform after the installation is displayed. These steps are as follows:

    1. Ensuring that the prerequisites for using the connector are addressed

      Note:

      At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Section 2.3.1.3, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for information about running the PurgeCache utility.

      There are no prerequisites for some predefined connectors.

    2. Configuring the IT resource for the connector

      The procedure to configure the IT resource is described later in this guide.

    3. Configuring the scheduled jobs

      The procedure to configure these scheduled jobs is described later in this guide.

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-1.

2.2.1.2 Configuring the IT Resource for the Target System

The IT resource for the target system is created during connector installation. This IT resource contains connection information about the target system. Oracle Identity Manager uses this information during reconciliation and provisioning.

You must specify values for the parameters of the Active Directory IT resource as follows:

  1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 11.1.1.x:

      Log in to the Administrative and User Console

    • For Oracle Identity Manager release 11.1.2.x:

      Log in to Oracle Identity System Administration

  2. If you are using Oracle Identity Manager release 11.1.1.x, then:

    1. On the Welcome page, click Advanced in the upper-right corner of the page.

    2. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.

  3. If you are using Oracle Identity Manager release 11.1.2.x, then in the left pane, under Configuration, click IT Resource.

  4. In the IT Resource Name field on the Manage IT Resource page, enter Active Directory and then click Search. Figure 2-1 shows the Manage IT Resource page.

    Figure 2-1 Manage IT Resource Page

  5. Click the edit icon corresponding to the Active Directory IT resource.

  6. From the list at the top of the page, select Details and Parameters.

  7. Specify values for the parameters of the Active Directory IT resource. Figure 2-2 shows the Edit IT Resource Details and Parameters page.

    Figure 2-2 Edit IT Resource Details and Parameters Page for the Active Directory IT Resource

    Table 2-3 describes each parameter of the Active Directory IT resource.

    Table 2-3 Parameters of the Active Directory IT Resource for the Target System

    Parameter Description

    ADLDSPort

    Enter the number of the port at which Microsoft AD LDS is listening.

    Sample value: 50001

    Note: Do not enter a value for this parameter if you are using Microsoft Active Directory as the target system.

    BDCHostNames

    Enter the host name of the backup domain controller to which Oracle Identity Manager must switch if the primary domain controller becomes unavailable.

    Sample value: mydc1;mydc2;mydc3

    Note: Multiple backup domain controllers must be separated by a semicolon (;).

    Configuration Lookup

    This parameter holds the name of the lookup definition that stores configuration information used during reconciliation and provisioning.

    If you have configured your target system as a target resource, then enter Lookup.Configuration.ActiveDirectory.

    If you have configured your target system as a trusted source, then enter Lookup.Configuration.ActiveDirectory.Trusted.

    Default value: Lookup.Configuration.ActiveDirectory

    Connector Server Name

    Name of the IT resource of the type "Connector Server." You create an IT resource for the Connector Server in Section 2.2.2.2, "Configuring the IT Resource for the Connector Server."

    Note: Enter a value for this parameter only if you have deployed the Active Directory User Management connector in the Connector Server.

    Default value: Active Directory Connector Server

    Container

    Enter the distinguished name of the container into which users are provisioned, or from which users are reconciled into Oracle Identity Manager.

    Sample value: DC=example,DC=com

    DirectoryAdminName

    Enter the user name of the account that you create by performing the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations."

    Enter the value for this parameter in the following format:

    DOMAIN_NAME\USER_NAME

    Sample value: mydomain\admin

    Note: If you are using AD LDS as the target system and this machine belongs to a workgroup, enter the username of the account created in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations."

    Enter a value for this parameter in the following format:

    USER_NAME

    Sample value: admin

    DirectoryAdminPassword

    Enter the password of the user account that you create by performing the procedure described in Section 2.1.2.1, "Creating a Target System User Account for Connector Operations."

    DomainName

    Enter the domain name for the Microsoft Active Directory domain controller on which the connector is being installed.

    Sample value: example.com

    Note: This is a mandatory parameter if you are using Microsoft Active Directory as the target system.

    isADLDS

    Enter yes to specify that the target system is Microsoft AD LDS.

    Enter no to specify that the target system is Microsoft Active Directory.

    LDAPHostName

    Enter the host name, IP address, or domain name of the Microsoft Windows computer (target system host computer) on which Microsoft Active Directory is installed.

    Note: If you do not specify a value for this parameter or for the BDCHostNames parameter (discussed earlier in this table), then a serverless bind is used. The connector uses ADSI to locate a domain controller in the domain and then creates the directory entry. Therefore, interactions with the target system are not tied to a specific domain controller.

    To determine the host name, on the computer hosting the target system, right-click My Computer and select Properties. On the Computer Name tab of the System Properties dialog box, the host name is specified as the value of the Full computer name field.

    Sample values:

    w2khost

    172.20.55.120

    example.com

    SyncDomainController

    Enter the name of the domain controller from which user accounts must be reconciled.

    Note: The value specified in this parameter is used if the value of the SearchChildDomains lookup entry is set to no. If no value is specified for the SyncDomainController parameter and the SearchChildDomains lookup entry is set to no, then the connector automatically finds a domain controller for the target system and reconciles users from it.

    Sample value: mynewdc

    SyncGlobalCatalogServer

    Enter the host on which the global catalog server is located.

    Note: The value specified in this parameter is used if the value of the SearchChildDomains lookup entry is set to yes. If no value is specified for the SyncGlobalCatalogServer parameter and the SearchChildDomains lookup entry is set to yes, then the connector automatically finds a global catalog server for the target system, and then reconciles user accounts from the domain controller on which the global catalog server is running.

    It is strongly recommended to provide a value for this parameter if you have set the SearchChildDomains lookup entry to yes.

    Sample value: myglobalcatalogdc

    UseSSL

    Enter yes if the target system has been configured for SSL. This enables secure communication between the Connector Server and target system. Otherwise, enter no.

    Default value: no

    Note:

    • For resetting user password during provisioning operations, the communication with the target system must be secure. The default communication between the .NET Connector Server and Microsoft Active Directory is secure. Therefore, even if you set the value of this parameter to no, it is possible to reset user passwords during provisioning operations because the default communication is secure. See Section 2.3.3, "Configuring SSL for Microsoft Active Directory and Microsoft AD LDS" for information about configuring SSL.

    • The default communication between the .NET Connector Server and Microsoft AD LDS is not secure. Therefore, for enabling password reset provisioning operations, you must set the value of this parameter to yes to secure communication with Microsoft AD LDS. See Section 2.3.3.3, "Configuring SSL Between Connector Server and Microsoft AD LDS" for more information about configuring SSL.


  8. To save the values, click Update.

2.2.2 Installing the Connector in the Connector Server

Installation in the Connector Server consists of the following procedures:

2.2.2.1 Copying and Extracting the Connector Bundle to the Connector Server

To copy and extract the connector bundle to the Connector Server:

  1. Stop the Connector Server.

    Note:

    You can download the necessary Connector Server from the Oracle Technology Network web page.

  2. From the installation media, copy and extract contents of the bundle/ActiveDirectory.Connector-1.1.0.6380.zip file to the CONNECTOR_SERVER_HOME directory.

  3. Start the Connector Server for the connector bundle to be picked up by the Connector Server.

2.2.2.2 Configuring the IT Resource for the Connector Server

Note:

A predefined IT resource for the Connector Server by the name Active Directory Connector Server is available after connector installation. The parameters of the predefined IT resource are the same as the parameters described in Table 2-4.

In addition to configuring the Active Directory IT resource, you must configure the IT resource for the Connector Server as follows:

  1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 11.1.1.x:

      Log in to the Administrative and User Console

    • For Oracle Identity Manager release 11.1.2.x:

      Log in to Oracle Identity System Administration

  2. If you are using Oracle Identity Manager release 11.1.1.x, then:

    1. On the Welcome page, click Advanced in the upper-right corner of the page.

    2. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.

  3. If you are using Oracle Identity Manager release 11.1.2.x, then in the left pane, under Configuration, click IT Resource.

  4. In the IT Resource Name field on the Manage IT Resource page, enter Active Directory Connector Server and then click Search.

  5. Click the edit icon corresponding to the Active Directory Connector Server IT resource.

  6. From the list at the top of the page, select Details and Parameters.

  7. Specify values for the parameters of the Active Directory Connector Server IT resource, as described in Table 2-4.

    Table 2-4 Parameters of the Active Directory Connector Server IT Resource

    Parameter Description

    Host

    Enter the host name or IP address of the computer hosting the connector server.

    Sample value: myhost.com

    Key

    Enter the key for the connector server.

    Port

    Enter the number of the port at which the connector server is listening.

    Default value: 8759

    Timeout

    Enter an integer value which specifies the number of milliseconds after which the connection between the connector server and Oracle Identity Manager times out.

    Sample value: 0

    A value of 0 means that the connection never times out.

    UseSSL

    Enter true to specify that you will configure SSL between Oracle Identity Manager and the Connector Server. Otherwise, enter false.

    Default value: false

    Note: It is recommended that you configure SSL to secure communication with the connector server. To configure SSL between Oracle Identity Manager and Connector Server, see Section 2.3.3.4, "Configuring SSL Between Oracle Identity Manager and Connector Server."


  8. Click Update to save the values.

2.3 Postinstallation

Postinstallation steps are divided across the following sections:

2.3.1 Postinstallation on Oracle Identity Manager

Configuring Oracle Identity Manager involves performing the following procedures:

2.3.1.1 Configuring Oracle Identity Manager 11.1.2 or Later

If you are using Oracle Identity Manager release 11.1.2 or later, you must create additional metadata such as a UI form and an application instance. In addition, you must run entitlement and catalog synchronization jobs. These procedures are described in the following sections:

2.3.1.1.1 Creating and Activating a Sandbox

Create and activate a sandbox as follows. For detailed instructions, see the "Managing Sandboxes" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

  1. Log in to Oracle Identity System Administration.

  2. In the upper right corner of the page, click the Sandboxes link.

    The Manage Sandboxes page is displayed.

  3. On the toolbar, click Create Sandbox.

  4. In the Create Sandbox dialog box, enter values for the following fields:

    • Sandbox Name: Enter a name for the sandbox.

    • Sandbox Description: Enter a description of the sandbox.

  5. Click Save and Close.

  6. Click OK on the confirmation message that is displayed.

    The sandbox is created and displayed in the Available Sandboxes section of the Manage Sandboxes page.

  7. From the table showing the available sandboxes in the Manage Sandboxes page, select the newly created sandbox that you want to activate.

  8. On the toolbar, click Activate Sandbox.

    The sandbox is activated.

2.3.1.1.2 Creating a New UI Form

Create a new UI form as follows. For detailed instructions, see the "Managing Forms" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

  1. In the left pane, under Configuration, click Form Designer. The Form Designer page is displayed.

  2. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Form page is displayed.

  3. On the Create Form page, enter values for the following UI fields:

    • Resource Type: Select the resource object that you want to associate the form with. For example, AD User.

    • Form Name: Enter a name for the form.

  4. Click Create.

    A message is displayed stating that the form is created.

2.3.1.1.3 Creating an Application Instance

Create an application instance as follows. For detailed instructions, see the "Managing Application Instances" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

  1. In the left pane of the System Administration console, under Configuration, click Application Instances. The Application Instances page is displayed.

  2. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Application Instance page is displayed.

  3. Specify values for the following fields:

    • Name: The name of the application instance.

    • Display Name: The display name of the application instance.

    • Description: A description of the application instance.

    • Resource Object: The resource object name. Click the search icon next to this field to search for and select AD User.

    • IT Resource Instance: The IT resource instance name. Click the search icon next to this field to search for and select Active Directory.

    • Form: Select the form name (created in Section 2.3.1.1.2, "Creating a New UI Form").

  4. Click Save. The application instance is created.

  5. Publish the application instance to an organization to make the application instance available for requesting and subsequent provisioning to users. See the "Managing Organizations Associated With Application Instances" section in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed instructions.

2.3.1.1.4 Publishing a Sandbox

To publish the sandbox that you created in Section 2.3.1.1.1, "Creating and Activating a Sandbox":

  1. Close all the open tabs and pages.

  2. In the upper right corner of the page, click the Sandboxes link.

    The Manage Sandboxes page is displayed.

  3. From the table showing the available sandboxes in the Manage Sandboxes page, select the sandbox that you created in Section 2.3.1.1.1, "Creating and Activating a Sandbox."

  4. On the toolbar, click Publish Sandbox. A message is displayed asking for confirmation.

  5. Click Yes to confirm. The sandbox is published and the customizations it contained are merged with the main line.

2.3.1.1.5 Harvesting Entitlements and Sync Catalog

To harvest entitlements and sync catalog:

  1. Run the scheduled jobs for lookup field synchronization listed in Section 3.2, "Scheduled Jobs for Lookup Field Synchronization."

  2. Run the Entitlement List scheduled job to populate the Entitlement Assignment schema from the child process form table. See the "Predefined Scheduled Tasks" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about this scheduled job.

  3. Run the Catalog Synchronization Job scheduled job. See the "Predefined Scheduled Tasks" section in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about this scheduled job.

2.3.1.2 Localizing Field Labels in UI Forms

Note:

Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.2.x and you want to localize UI form field labels.

To localize the field labels that you add to UI forms:

  1. Log in to Oracle Enterprise Manager.

  2. In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.

  3. In the right pane, from the Application Deployment list, select MDS Configuration.

  4. On the MDS Configuration page, click Export and save the archive to the local computer.

  5. Extract the contents of the archive, and open one of the following files in a text editor:

    • For Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0):

      SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_en.xlf

    • For releases prior to Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0):

      SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf

  6. Edit the BizEditorBundle.xlf file in the following manner:

    1. Search for the following text:

      <file source-language="en"  
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      
    2. Replace with the following text:

      <file source-language="en" target-language="LANG_CODE"
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      

      In this text, replace LANG_CODE with the code of the language into which you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:

      <file source-language="en" target-language="ja"
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      
    3. Search for the application instance code. This procedure shows a sample edit for the Microsoft Active Directory application instance. In the code, <Field_Name> is the process form column name (for example, UD_ADUSER_FULLNAME) and <UI_Form_Name> is the name of the UI form that you created (ad11 in the sample that follows). The original code is:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.<Field_Name>__c_description']}">
      <source><Field_Label></source>
      <target/>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.<UI_Form_Name>.entity.<UI_Form_Name>EO.<Field_Name>__c_LABEL">
      <source><Field_Label></source>
      <target/>
      </trans-unit>
      

      The sample edit of the code is as follows:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ADUSER_FULLNAME__c_description']}">
      <source>Full Name</source>
      <target/>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_FULLNAME__c_LABEL">
      <source>Full Name</source>
      <target/>
      </trans-unit>
      
    4. Open the resource bundle for the target language from the connector package (for example, ActiveDirectoryIdC_ja.properties) and copy the value of the global.udf.<Field_Name> entry. For example: global.udf.UD_ADUSER_FULLNAME=\u6C0F\u540D

    5. Replace the original code shown in Step 6.c with the following, where <Translated_Label> is the value that you copied in Step 6.d:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.<Field_Name>__c_description']}">
      <source><Field_Label></source>
      <target><Translated_Label></target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.<UI_Form_Name>.entity.<UI_Form_Name>EO.<Field_Name>__c_LABEL">
      <source><Field_Label></source>
      <target><Translated_Label></target>
      </trans-unit>
      

      As an example, the code for Full Name is as follows:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ADUSER_FULLNAME__c_description']}">
      <source>Full Name</source>
      <target>\u6C0F\u540D</target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_FULLNAME__c_LABEL">
      <source>Full Name</source>
      <target>\u6C0F\u540D</target>
      </trans-unit>
      
    6. Repeat Steps 6.c through 6.e for each of the remaining attributes of the process form. (Steps 6.a and 6.b edit the file header and are performed only once.)

    7. Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.

      Sample file name: BizEditorBundle_ja.xlf.

  7. Repackage the ZIP file and import it into MDS.

    See Also:

    The "Deploying and Undeploying Customizations" chapter in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager, for more information about exporting and importing metadata files

  8. Log out of and log in to Oracle Identity Manager.
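The per-attribute edits in Steps 6.c through 6.e are mechanical and easy to get wrong by hand across a whole process form. The following Python script is an added example, not a utility shipped with the connector or with Oracle Identity Manager: it sets target-language on the <file> element, and for every trans-unit whose id names a process form column (UD_...__c_description or UD_...__c_LABEL) it copies the global.udf.<column> value from the connector's .properties bundle into the <target>, reporting the columns for which the bundle has no translation so they can be handled by hand. The XLIFF and .properties content embedded in it is constructed to mirror the snippets above (the UD_ADUSER_UNLISTED column and the Japanese user ID entry are invented to exercise the missing-translation path); the exported file is assumed to carry no XML namespace, as the snippets above show, but the code matches local tag names so a namespaced export also works.

```python
"""Fill the <target> elements of an exported BizEditorBundle.xlf from a
connector .properties bundle, automating Steps 6.c to 6.e of this section."""
import re
import xml.etree.ElementTree as ET

# Process-form column named in a trans-unit id, e.g. UD_ADUSER_FULLNAME in
# "...ad11EO.UD_ADUSER_FULLNAME__c_LABEL" or
# "...userEO.UD_ADUSER_FULLNAME__c_description".
FIELD_ID_RE = re.compile(r"(UD_[A-Z0-9_]+)__c_(?:description|LABEL)")

# Constructed sample: the trans-units shown in this section, trimmed to a
# minimal file. UD_ADUSER_UNLISTED is invented to exercise the
# "no translation shipped" path.
SAMPLE_XLF = """<xliff version="1.1">
  <file source-language="en"
        original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
        datatype="x-oracle-adf">
    <body>
      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ADUSER_FULLNAME__c_description']}">
        <source>Full Name</source>
        <target/>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_FULLNAME__c_LABEL">
        <source>Full Name</source>
        <target/>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_UNLISTED__c_LABEL">
        <source>Unlisted</source>
        <target/>
      </trans-unit>
    </body>
  </file>
</xliff>
"""

# Constructed sample in the style of ActiveDirectoryIdC_ja.properties. Java
# .properties files keep non-Latin text as \uXXXX escapes; the value is copied
# into <target> verbatim, exactly as the worked example in this section does.
SAMPLE_PROPERTIES = r"""
# Microsoft Active Directory connector resource bundle (Japanese)
global.udf.UD_ADUSER_FULLNAME=\u6C0F\u540D
global.udf.UD_ADUSER_USERID=\u30E6\u30FC\u30B6\u30FC ID
"""


def load_properties(text):
    """Parse key=value lines of a Java .properties file; comments and blanks are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def localname(tag):
    """Strip an XML namespace prefix such as {urn:oasis:names:tc:xliff:document:1.1}."""
    return tag.rsplit("}", 1)[-1]


def localize_bundle(xlf_text, props, lang_code):
    """Set target-language on <file> and fill <target> of every UD_* trans-unit
    whose global.udf.<column> key exists in props.
    Returns (xml_text, filled_keys, missing_keys)."""
    root = ET.fromstring(xlf_text)
    for file_el in [e for e in root.iter() if localname(e.tag) == "file"]:
        file_el.set("target-language", lang_code)          # Step 6.b
    filled, missing = set(), set()
    for unit in [e for e in root.iter() if localname(e.tag) == "trans-unit"]:
        match = FIELD_ID_RE.search(unit.get("id", ""))
        if not match:
            continue                                       # not a process-form field
        key = "global.udf." + match.group(1)               # Step 6.d lookup key
        if key not in props:
            missing.add(key)                               # label stays in English
            continue
        target = next((c for c in unit if localname(c.tag) == "target"), None)
        if target is None:
            target = ET.SubElement(unit, "target")
        target.text = props[key]                           # Step 6.e
        filled.add(key)
    return ET.tostring(root, encoding="unicode"), sorted(filled), sorted(missing)


if __name__ == "__main__":
    props = load_properties(SAMPLE_PROPERTIES)
    xml_out, filled, missing = localize_bundle(SAMPLE_XLF, props, "ja")
    with open("BizEditorBundle_ja.xlf", "w", encoding="utf-8") as fh:  # Step 6.g name
        fh.write(xml_out)
    print("filled:", filled)
    print("missing (left untranslated):", missing)
```

To use it against a real export, read the BizEditorBundle.xlf (or BizEditorBundle_en.xlf) from Step 5 and the connector's ActiveDirectoryIdC_LANG_CODE.properties in place of the two constructed samples; the output file is the BizEditorBundle_LANG_CODE.xlf that Step 7 repackages and imports into MDS. Review the missing list before importing, because a trans-unit whose <target> is left empty keeps its English label.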

2.3.1.3 Clearing Content Related to Connector Resource Bundles from the Server Cache

When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the Oracle Identity Manager database. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

  1. In a command window, switch to the OIM_HOME/server/bin directory.

    Note:

    You must perform Step 1 before you perform Step 2. An exception is thrown if, instead of changing to the directory, you run the script in Step 2 from another directory by specifying its path, as follows:

    OIM_HOME/server/bin/SCRIPT_FILE_NAME
    
  2. Enter one of the following commands:

    On Microsoft Windows: PurgeCache.bat All

    On UNIX: PurgeCache.sh All

    Note:

    You can use the PurgeCache utility to purge the cache for any content category. Run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the content category that must be purged.

    For example, the following commands purge Metadata entries from the server cache:

    PurgeCache.bat MetaData

    PurgeCache.sh MetaData

    When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:

    t3://OIM_HOST_NAME:OIM_PORT_NUMBER
    

    In this format:

    • Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.

    • Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.

    See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.

2.3.1.4 Setting Up the Lookup Definition for Connection Pooling

By default, this connector uses ICF connection pooling. Table 2-5 lists the connection pooling properties, their descriptions, and the default values set in ICF:

Table 2-5 Connection Pooling Properties

Property Description

Pool Max Idle

Maximum number of idle objects in a pool.

Default value: 10

Pool Max Size

Maximum number of connections that the pool can create.

Default value: 10

Pool Max Wait

Maximum time, in milliseconds, that the pool waits for a free object to become available for an operation.

Default value: 150000

Pool Min Evict Idle Time

Minimum time, in milliseconds, that an object must remain idle before the pool evicts it.

Default value: 120000

Pool Min Idle

Minimum number of idle objects in a pool.

Default value: 1


If you want to modify the connection pooling properties to use values that suit requirements in your environment, then:

  1. Log in to the Design Console.

  2. Expand Administration, and then double-click Lookup Definition.

  3. Search for and open one of the following lookup definitions:

    For the trusted source mode: Lookup.Configuration.ActiveDirectory.Trusted

    For target resource mode: Lookup.Configuration.ActiveDirectory

  4. On the Lookup Code Information tab, click Add.

    A new row is added.

  5. In the Code Key column of the new row, enter Pool Max Idle.

  6. In the Decode column of the new row, enter a value corresponding to the Pool Max Idle property.

  7. Repeat Steps 4 through 6 to add each of the other connection pooling properties listed in Table 2-5.

  8. Click the Save icon.

2.3.1.5 Setting Up the Lookup Definition for the Ignore Event API

You can add the 'Ignore Event Disabled' entry to the Configuration lookup definition (Lookup.Configuration.ActiveDirectory.Trusted and Lookup.Configuration.ActiveDirectory for trusted source and target resource modes, respectively) to specify whether reconciliation events must be created for target system records that already exist in Oracle Identity Manager.

If you set the value of the Ignore Event Disabled entry to true, then reconciliation events are created for all records being fetched from the target system, irrespective of their presence in Oracle Identity Manager. If you set the value of this entry to false, then reconciliation events for target system records that are already present in Oracle Identity Manager are not created.

To add the 'Ignore Event Disabled' entry:

  1. Log in to the Design Console.

  2. Expand Administration, and then double-click Lookup Definition.

  3. Search for and open one of the following lookup definitions:

    For the trusted source mode: Lookup.Configuration.ActiveDirectory.Trusted

    For target resource mode: Lookup.Configuration.ActiveDirectory

  4. On the Lookup Code Information tab, click Add.

    A new row is added.

  5. In the Code Key column of the new row, enter Ignore Event Disabled.

  6. In the Decode column of the new row, depending on your requirement, enter true or false.

  7. Click the Save icon.

2.3.1.6 Configuring the Connector for the Microsoft AD LDS Target System

Note:

Perform the procedure described in this section only if you are using AD LDS as the target system.

Before you start using the connector with the AD LDS target system, you must perform the following procedure:

  1. Log in to the Design Console.

  2. Expand Administration, and then double-click Lookup Definition.

  3. Modify the Lookup.ActiveDirectory.UM.Configuration lookup definition as follows:

    1. Search for and open the Lookup.ActiveDirectory.UM.Configuration lookup definition.

    2. Change the Lookup.ActiveDirectory.UM.ProvAttrMap Decode value to Lookup.ActiveDirectoryLDS.UM.ProvAttrMap.

    3. Change the Lookup.ActiveDirectory.UM.ReconAttrMap Decode value to Lookup.ActiveDirectoryLDS.UM.ReconAttrMap.

  4. Modify the Lookup.ActiveDirectory.GM.Configuration lookup definition as follows:

    1. Search for and open the Lookup.ActiveDirectory.GM.Configuration lookup definition.

    2. Change the Lookup.ActiveDirectory.GM.ProvAttrMap Decode value to Lookup.ActiveDirectoryLDS.GM.ProvAttrMap.

    3. Change the Lookup.ActiveDirectory.GM.ReconAttrMap Decode value to Lookup.ActiveDirectoryLDS.GM.ReconAttrMap.

  5. Modify the Lookup.ActiveDirectory.UM.Configuration.Trusted lookup definition as follows:

    1. Search for and open the Lookup.ActiveDirectory.UM.Configuration.Trusted lookup definition.

    2. Change the Lookup.ActiveDirectory.UM.Configuration.Trusted Decode value to Lookup.ActiveDirectoryLDS.UM.Configuration.Trusted.

  6. If you have configured the target system as a target resource, then from the Lookup.ActiveDirectory.UM.ProvAttrMap and Lookup.ActiveDirectory.UM.ReconAttrMap lookup definitions, remove entries specific to terminal services fields. For example, the Terminal Home Directory and Terminal Profile Path entries.

  7. Click the Save icon.

  8. Remove the process form fields and process tasks that are specific to terminal services fields.

2.3.1.7 Configuring Oracle Identity Manager for Request-Based Provisioning

Note:

Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.1.x.

In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests on behalf of a particular user. Requests for a particular resource can be viewed and approved by approvers designated in Oracle Identity Manager.

The following are features of request-based provisioning:

  • A user can be provisioned only one resource (account) on the target system.

    Note:

    Direct provisioning allows the provisioning of multiple Microsoft Active Directory accounts on the target system.

  • Direct provisioning cannot be used if you enable request-based provisioning.

To configure request-based provisioning, perform the following procedures:

2.3.1.7.1 Copying Predefined Request Datasets

A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. Predefined request datasets are shipped with this connector. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation. The following is the list of predefined request datasets available in the dataset directory on the installation media:

For Microsoft Active Directory:

  • ProvisionResourceADUser.xml

  • ModifyResourceADUser.xml

For Microsoft AD LDS:

  • ProvisionResourceADLDSUser.xml

  • ModifyResourceADLDSUser.xml

Copy these files from the installation media to any directory on the Oracle Identity Manager host computer. It is recommended that you create a directory structure as follows:

/custom/connector/RESOURCE_NAME

For example:

E:\MyDatasets\custom\connector\AD

Note:

Until you complete the procedure to configure request-based provisioning, ensure that there are no other files or directories inside the parent directory in which you create the directory structure. In the preceding example, ensure that there are no other files or directories inside the E:\MyDatasets directory.

The directory structure to which you copy the dataset files is the MDS location into which these files are imported after you run the Oracle Identity Manager MDS Import utility. The procedure to import dataset files is described in the next section.

Depending on your requirement, you can modify the file names of the request datasets. In addition, you can modify the information in the request datasets. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information on modifying request datasets.

2.3.1.7.2 Importing Request Datasets

There are two ways of importing request datasets:

Note:

The request datasets are the same whether you import them directly into MDS or by using the Deployment Manager.

Importing Request Datasets into MDS

All request datasets must be imported into the metadata store (MDS), which can be done by using the Oracle Identity Manager MDS Import utility.

To import a request dataset definition into MDS:

  1. Ensure that you have set the environment for running the MDS Import utility. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about setting up the environment for MDS utilities.

  2. In a command window, change to the OIM_HOME\server\bin directory.

  3. Run one of the following commands:

    • On Microsoft Windows

      weblogicImportMetadata.bat
      
    • On UNIX

      weblogicImportMetadata.sh
      
  4. When prompted, enter the following values:

    • Please enter your username [weblogic]

      Enter the user name used to log in to the WebLogic Server

      Sample value: WL_User

    • Please enter your password [weblogic]

      Enter the password used to log in to WebLogic server

    • Please enter your server URL [t3://localhost:7001]

      Enter the URL of the application server in the following format:

      t3://HOST_NAME_IP_ADDRESS:PORT

      In this format, replace:

      • HOST_NAME_IP_ADDRESS with the host name or IP address of the computer on which Oracle Identity Manager is installed.

      • PORT with the port on which Oracle Identity Manager is listening.

    The request dataset is imported into MDS.

Importing Request Datasets Using Deployment Manager

The request datasets (predefined or generated) can also be imported by using the Deployment Manager (DM). The predefined request datasets are stored in the xml directory on the installation media.

To import a request dataset definition by using the Deployment Manager:

  1. Log in to the Oracle Identity Manager Administrative and User Console.

  2. On the Welcome page, click Advanced in the upper-right corner of the page.

  3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Import Deployment Manager File. A dialog box for opening files is displayed.

  4. Depending on the target system that you are using, locate and open one of the following files, which is located in the xml directory of the installation media:

    For AD: ActiveDirectory-Datasets.xml

    For AD LDS: ActiveDirectoryLDS-Datasets.xml

    Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Import.

  8. In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.

The request datasets are imported into MDS.

2.3.1.7.3 Enabling the Auto Save Form Feature

To enable the Auto Save Form feature:

  1. Log in to the Design Console.

  2. Expand Process Management, and then double-click Process Definition.

  3. Search for and open the AD User process definition.

  4. Select the Auto Save Form check box.

  5. Click the Save icon.

2.3.1.7.4 Running the PurgeCache Utility

Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Section 2.3.1.3, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for instructions.

The procedure to configure request-based provisioning ends with this step.

2.3.1.8 Configuring the Connector for Provisioning Organizations

Note:

Perform the procedure described in this section if you intend to provision organizations to a root DN.

Before you provision organizations to a root DN, you must add the DN to the Lookup.ActiveDirectory.OrganizationalUnits lookup definition as follows:

  1. Log in to the Design Console.

  2. Expand Administration and then double-click Lookup Definition.

  3. Search for and open the Lookup.ActiveDirectory.OrganizationalUnits lookup definition.

  4. Add an entry for the root DN. The Code Key is the key of the Active Directory IT resource, a tilde (~), and the DN; the Decode is the name of the IT resource, a tilde, and the same DN. The following are sample values for the Code Key and Decode values:

    Sample 1:

    Code Key: 150~DC=childtest,DC=test,DC=idm,DC=central,DC=example,DC=com

    Decode: SamAD~DC=childtest,DC=test,DC=idm,DC=central,DC=example,DC=com

    Sample 2:

    Code Key:

    Decode:

  5. Click Save.

2.3.2 Postinstallation on the Target System

Postinstallation on the target system consists of the following procedure.

2.3.2.1 Enabling or Disabling Password Policies in Microsoft Active Directory

In Microsoft Active Directory, the "Passwords must meet complexity requirements" policy setting is used to enable or disable password policies.

The procedure that you must perform depends on whether or not you want to achieve either or both of the following objectives:

  • Enable password policies

  • Configure SSL between Oracle Identity Manager and the target system

    Note:

    The procedure to configure SSL is discussed later in this guide.

If you configure SSL and you want to enable both the default Microsoft Windows password policy and a custom password policy, then you must enable the "Passwords must meet complexity requirements" policy setting.

To enable or disable the "Passwords must meet complexity requirements" policy setting:

Note:

If you install Microsoft ADAM in a domain controller then it acquires all the policies of Microsoft Active Directory installed in the same domain controller. If you install Microsoft ADAM in a workgroup, then the local system policies are applied.

  1. On the Microsoft Windows computer hosting the target system, click the Start menu, Programs, Administrative Tools, and Domain Security Policy.

  2. Select Security Settings, expand Account Policies, and then click Password Policy.

  3. Double-click Passwords must meet complexity requirements.

  4. In the Password Must Meet Complexity Requirements Properties dialog box, select Define this policy setting and then select:

    • Enabled, if you want to enable password policies

    • Disabled, if you want to disable password policies

  5. Click OK.

  6. Restart the target system.
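When this setting is enabled, every password that the connector sends to the domain controller during provisioning or a password change must satisfy the complexity rule, or the domain controller rejects the operation and the provisioning task fails. The following Python function is an added example, not part of this guide or of the connector; it models that rule as Microsoft documents it for the "Passwords must meet complexity requirements" setting: the password must not contain the samAccountName (checked only when the account name is at least three characters long) or any token of the display name of three or more characters, the display name being split on commas, periods, dashes, underscores, spaces, pound signs and tabs; it must be at least six characters long; and it must use characters from at least three of five categories (uppercase letters, lowercase letters, digits, non-alphanumeric characters, and caseless alphabetic characters such as CJK letters). The sample account values in the block are constructed.

```python
"""Model of the Active Directory "Passwords must meet complexity requirements"
rule, as Microsoft documents it, for checking a password before the connector
sends it to the domain controller."""
import re

# displayName is split on these delimiters; tokens shorter than three
# characters are ignored, following Microsoft's documented behaviour.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")
MIN_LENGTH = 6
MIN_CATEGORIES = 3


def character_categories(password):
    """Return the set of the five Windows character categories the password uses."""
    cats = set()
    for ch in password:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isdigit():
            cats.add("digit")
        elif ch.isalpha():
            cats.add("caseless-alpha")   # e.g. CJK letters, which have no case
        else:
            cats.add("non-alphanumeric")
    return cats


def check_complexity(password, sam_account_name="", display_name=""):
    """Return the list of reasons the password fails the policy ([] means it passes).

    All name comparisons are case-insensitive, as in Windows."""
    reasons = []
    lowered = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        reasons.append("contains the account name")
    for token in NAME_DELIMITERS.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            reasons.append(f"contains part of the full name ({token!r})")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_categories(password)) < MIN_CATEGORIES:
        reasons.append(f"fewer than {MIN_CATEGORIES} of the 5 character categories")
    return reasons


if __name__ == "__main__":
    # Constructed sample account; nothing here comes from a real directory.
    for candidate in ("P@ssw0rd1", "Smith2024!", "password", "Ab1!"):
        verdict = check_complexity(candidate, "jsmith", "John Smith") or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Running this check on a generated password before the connector submits it fails fast with a readable reason instead of a rejected provisioning task. It models only the complexity setting discussed in this section; minimum password age, password history, and any fine-grained password policy applied to the account are enforced separately by the domain controller.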

2.3.3 Configuring SSL for Microsoft Active Directory and Microsoft AD LDS

This section discusses the following topics to configure SSL communication between Oracle Identity Manager and the target system:

Note:

  • In this section, Microsoft ADAM and Microsoft AD LDS are both referred to as Microsoft AD LDS. Therefore, if you are using Microsoft Windows Server 2003 as the target system, read Microsoft AD LDS as Microsoft ADAM while performing the instructions in this section. Wherever needed, instructions specific to Microsoft ADAM and to Microsoft AD LDS are called out separately.

  • If you are using Microsoft AD LDS, then you must configure SSL for all connector operations to work as expected.

2.3.3.1 Prerequisites

Public key certificates bind an identity to a public key and are used to establish the identity and authenticity of the parties in a software security system. Certificate Services creates and manages public key certificates, which gives an organization a reliable and secure way to create, manage, and distribute them.

Before you configure SSL, depending on the target system that you are using, you must install certificate services by performing the procedure described in one of the following sections:

2.3.3.1.1 Installing Certificate Services on Windows Server 2003

To install Certificate Services on the computer where Active Directory or ADAM is installed:

Note:

  • You must perform the procedure described in this section on the computer hosting the target system.

  • Before you begin installing Certificate Services, you must ensure that Internet Information Services (IIS) is installed on the target system host computer.

  1. Insert the operating system installation media into the CD-ROM or DVD drive.

  2. Click Start, Settings, and Control Panel.

  3. Double-click Add/Remove Programs.

  4. In the left pane of the Add or Remove Programs window, click Add/Remove Windows Components.

  5. In the Windows Components Wizard, select Certificate Services, and then click Next. Figure 2-3 shows the Windows Components page.

    Figure 2-3 Windows Components Page


  6. On the CA Type page, select one of the following options, and then click Next:

    • Enterprise root CA

      Select this option if the computer on which the Connector Server is installed belongs to the domain and its domain name is the same as the domain name of the target system computer.

    • Stand-alone root CA

      Select this option if the Microsoft ADAM target system is installed on a stand-alone computer.

    Figure 2-4 is a screenshot of the CA type page in which the Enterprise root CA option is selected.

  7. On the CA Identifying Information page, enter values for the following fields to identify the CA, and then click Next:

    1. Common name for this CA

      Name used to identify the CA object created in Active Directory.

      Sample value: Administrator

    2. Distinguished name suffix

      DN suffix that is appended to the common name. The final distinguished name of the CA is shown in the Preview of distinguished name field.

      Sample value: CN=Users,DC=sample,DC=com

    3. Validity Period

      Length of time for which the CA certificate is valid.

      Default value: 5 Years

    Depending on the values that you enter in the Common name for this CA and Distinguished name suffix fields, the distinguished name is displayed in the Preview of distinguished name field.

    Figure 2-5 is a screenshot of the CA Identifying Information page.

    Figure 2-5 CA Identifying Information Page


  8. On the Certificate Database Settings page, enter the locations of the certificate database and database log in the following fields, and then click Next:

    • Certificate database

    • Certificate database log

  9. In the Microsoft Certificate Services dialog box, click Yes to confirm that you want to stop Internet Information Services (IIS). Note that this dialog box will appear only if IIS is already running. IIS must be stopped before the certificate services component can be installed.

    On the Configuring Components page, a progress indicator displaying the status of configuration is displayed.

  10. In the Microsoft Certificate Services dialog box, click Yes to confirm that you want to enable Active Server Pages. Figure 2-6 shows the Microsoft Certificate Services dialog box.

    Figure 2-6 Microsoft Certificate Services Dialog Box


  11. After the configuration is complete, a message that you have successfully completed the Windows Components Wizard is displayed. Click Finish to close the wizard.

2.3.3.1.2 Installing Active Directory Certificate Services on Windows Server 2008

Before you proceed with installing Active Directory Certificate Services (AD CS), you must ensure that Internet Information Services (IIS) is installed on the target system host computer. In addition, on the computer on which the Connector Server is running, you must add features using the Server Manager console as follows:

  1. Click Start, click Administrative Tools, and then click Server Manager. Alternatively, click Start, and then click Control Panel. In the Control Panel window, double-click Administrative Tools and then click Server Manager.

  2. In the Server Manager window, in the left pane, click Features.

  3. In the right pane, in the upper right hand corner of the page, click Add Features.

    The Add Features page is displayed.

  4. On the Select Features page, select the following features and then click Next:

    • Remote Server Administration Tools

    • Role Administration Tools

    • Active Directory Certificate Services Tools

    • AD DS and AD LDS Tools

  5. On the Confirm Installation Selections page, review the information displayed, and then click Install.

    The progress of the installation is displayed on the Installation Progress page.

  6. On the Installation Results page, a message confirming that the installation was successful is displayed. Click Close.

To install Active Directory Certificate Services (AD CS) on Windows Server 2008:

Note:

Before you begin installing AD CS, you must ensure that Internet Information Services (IIS) is installed on the target system host computer.

  1. Click Start, click Administrative Tools, and then click Server Manager. Alternatively, click Start, and then click Control Panel. In the Control Panel window, double-click Administrative Tools and then click Server Manager.

  2. In the Server Manager window, in the left pane, click Roles.

  3. In the right pane, under the Roles Summary section, click Add Roles.

    The Add Roles Wizard is displayed.

  4. On the Select Server Roles page, in the Roles section, select Active Directory Certificate Services, and then click Next. Figure 2-7 shows the Select Server Roles page.

    Figure 2-7 Select Server Roles Page


  5. On the Select Role Services page, in the Role Services section, select Certificate Authority and Certificate Authority Web Enrollment, and then click Next. Figure 2-8 shows the Select Role Services page.

    Figure 2-8 Select Role Services Page


  6. On the Specify Setup Type page, select one of the following options:

    • Enterprise: Select this option if the computer on which the Connector Server is installed belongs to the domain and the domain name is the same as that of the target system computer.

    • Standalone: Select this option if the target system is installed on a standalone computer.

  7. Click Next.

  8. On the Specify CA Type page, select Root CA, and then click Next.

  9. On the Set Up Private Key page, select Create a new private key, and then click Next.

  10. On the Configure Cryptography for CA page, from the Select a cryptographic service provider (CSP) list, select RSA# Microsoft Software Key Storage Provider, and then click Next. Figure 2-9 shows the Configure Cryptography for CA page.

    Figure 2-9 Configure Cryptography for CA Page


  11. On the Configure CA Name page, enter one of the following details:

    • If the computer on which the target system is installed is in a domain, then enter values for both the Common name for this CA and Distinguished name suffix fields.

    • If the target system machine is installed on a standalone computer then enter a value only for the Common name for this CA field.

    Figure 2-10 is a screenshot of the Configure CA Name page when the computer on which the target system is installed is in a domain.

    Figure 2-10 Configure CA Name Page


  12. Click Next.

  13. On the Set Validity Period page, specify the validity period, and then click Next.

  14. On the Configure Certificate Database page, the values for the Certificate database location and Certificate database log location fields are already displayed. You can accept the default values or change them. However, make a note of these locations.

  15. Click Next.

  16. On the Confirm Installation Selections page, review the information displayed, and then click Install.

    Figure 2-11 shows the Confirm Installation Selections page.

    Figure 2-11 Confirm Installation Selections Page

  17. On the Installation Results page, a message confirming that the installation was successful is displayed. Click Close.

2.3.3.2 Configuring SSL Between Connector Server and Microsoft Active Directory

Note:

  • To configure SSL, the computer hosting the target system and the computer on which the Connector Server is running must be in the same domain.

  • The procedure described in Step 1 of this section must be performed on the computer hosting the target system.

To configure SSL between Connector Server and Microsoft Active Directory:

  1. Ensure that Microsoft Active Directory is SSL enabled. In other words, the computer hosting Microsoft Active Directory must have LDAP over SSL (LDAPS) enabled. To enable LDAPS, request a certificate as follows:

    1. Depending on whether you are using Microsoft Windows Server 2003 or 2008, perform one of the following steps:

      • If you are using Microsoft Windows Server 2003, then:

        (i) Click Administrative Tools, and then click Active Directory Users and Computers. Alternatively, click Start, and then click Control Panel. In the Control Panel window, double-click Administrative Tools and then click Active Directory Users and Computers.

        (ii) In the Active Directory Users and Computers console, in the left pane, right-click the root domain, and select Properties.

        The ROOT_DOMAIN_NAME Properties dialog box is displayed. For example, if the root domain is acme.com, then the acme.com Properties dialog box is displayed.

        (iii) On the Group Policy tab, select Default Domain Policy, and then click Edit.

        The Group Policy Object Editor window is displayed.

        (iv) In the left pane, expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.

        Figure 2-12 is a screenshot of the Group Policy Object Editor window.

        Figure 2-12 Group Policy Object Editor Window


      • If you are using Microsoft Windows Server 2008, then:

        (i) Click Start, click Administrative Tools, and then click Group Policy Management. Alternatively, click Start, and then click Control Panel. In the Control Panel window, double-click Administrative Tools and then click Group Policy Management.

        (ii) In the Group Policy Management window, in the left pane, right-click Default Domain Policy, and then click Edit.

        The Group Policy Management Editor window is displayed. Figure 2-13 shows the Group Policy Management Editor window.

        Figure 2-13 Group Policy Management Editor Window


        (iii) In the left pane, expand Computer Configuration, Policies, Windows Settings, Security Settings, and Public Key Policies.

    2. Right-click Automatic Certificate Request Settings, and then select New and Automatic Certificate Request. The Automatic Certificate Request Setup Wizard is started.

    3. On the Welcome to Automatic Certificate Request Setup Wizard page, click Next to continue.

    4. On the Certificate Template page, select one of the following templates:

      • Domain Controller

        Select this template if the Connector Server is running on the domain controller.

      • Computer

        Select this template if the Connector Server runs on a domain-member computer other than the domain controller.

    5. Click Next.

    6. On the Completing the Automatic Certificate Request Setup Wizard page, verify that the certificate template that you selected is listed, and then click Finish. Figure 2-14 shows the Completing the Automatic Certificate Request Setup Wizard page.

      Figure 2-14 Completing the Automatic Certificate Request Setup Wizard Page


    7. If you selected Domain Controller in Step 4, then restart the target system host computer. If you selected Computer, then restart the computer on which the Connector Server is running.

    The certificate is created and LDAPS is enabled on port 636. You can use an LDAP browser utility, such as ldp.exe, to verify that LDAPS is working.

    Note:

    Ensure that the certificate created is accessible for the user that is specified in the target system IT Resource for managing Microsoft Active Directory.

  2. Set the value of the UseSSL parameter of the target system IT resource to yes. Note that this step must be performed in Oracle Identity Manager.

2.3.3.3 Configuring SSL Between Connector Server and Microsoft AD LDS

To configure SSL between Connector Server and Microsoft AD LDS:

  1. Ensure that Microsoft AD LDS (or ADAM) is SSL enabled. In other words, generate the certificate for the AD LDS instance. To do so, see "Generating the Certificate in Microsoft AD LDS".

  2. Set the value of the UseSSL parameter of the target system IT resource to yes.

Generating the Certificate in Microsoft AD LDS

Note:

Before you begin generating the certificate, you must ensure that Internet Information Services (IIS) is installed on the target system host computer.

To generate the certificate in Microsoft AD LDS, perform the following procedures:

2.3.3.3.1 Requesting the Certificate

This section describes the procedure for requesting the certificate in each of two scenarios:

Note:

The procedure described in this section can be performed either on the computer on which the Connector Server is running or the computer hosting the target system.

Scenario 1

Microsoft AD LDS is installed in the domain, and the Connector Server runs either on the domain controller itself or on another computer in the domain.

To request the certificate in this scenario:

  1. Open Microsoft Active Directory Certificate Services in one of the following ways:

    • Use one of the following URLs to directly open Microsoft Active Directory Certificate Services:

      For accessing the URL on the computer on which Connector Server is running:

      http://DOMAIN_CONTROLLER_HOST/certsrv

      For accessing the URL on the domain controller computer:

      http://localhost/certsrv

      Figure 2-15 shows the Welcome page of Microsoft Active Directory Certificate Services.

      Figure 2-15 Microsoft Active Directory Certificate Services Welcome Page


    • On the target system host computer:

      1. Open Internet Information Services (IIS) Manager in one of the following ways:

        Open IIS Manager by using the command prompt:

        Open a command prompt, type inetmgr, and then click OK.

        Open IIS Manager by using Administrative Tools:

        Open Control Panel, double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

      2. If you are using Microsoft ADAM as the target system, then:

        (i) In the Internet Information Services (IIS) Manager window, expand Web Sites, and then expand Default Web Site.

        (ii) Right-click CertSrv, and then select Browse.

      3. If you are using Microsoft AD LDS as the target system, then:

        (i) In the Internet Information Services (IIS) Manager window, expand Sites, and then expand Default Web Site.

        (ii) Right-click CertSrv, select Manage Application, and then select Browse.

  2. On the welcome page of the Microsoft Active Directory Certificate Services window, click Request a certificate.

  3. On the Request a Certificate page, click advanced certificate request.

  4. On the Advanced Certificate Request page, click Create and submit a request to this CA.

  5. On the Advanced Certificate Request page, perform the following actions:

    Note:

    There are instructions for only some of the fields on this page. For the remaining fields, you can enter values according to your requirements.

    • If you are using Microsoft ADAM, then in the Key Options region, select Store certificate in local computer certificate store.

    • In the Additional Options region, select PKCS10 as the request format.

    • In the Friendly Name field, enter the FQDN of the target system host computer. For example, enter hk128.corp.example.com.

    Figure 2-16 shows the Advanced Certificate Request page.

    Figure 2-16 Advanced Certificate Request Page in Scenario 1


  6. Click Submit.

  7. When a message asking you to confirm that you want to request a certificate is displayed, click Yes.

Scenario 2

Microsoft AD LDS is installed on a standalone computer, and the Connector Server runs either on that same computer or on another computer in the domain.

To request the certificate in this scenario:

  1. Open Microsoft Active Directory Certificate Services in one of the following ways:

    • Use one of the following URLs to directly open Microsoft Active Directory Certificate Services:

      For accessing the URL on the computer on which Connector Server is running:

      http://STANDALONE_AD_LDS_HOST/certsrv

      For accessing the URL on the computer on which the standalone AD LDS is installed:

      http://localhost/certsrv

    • On the target system host computer:

      1. Open Internet Information Services (IIS) Manager in one of the following ways:

        Open IIS Manager by using the command prompt:

        Open a command prompt, type inetmgr, and then click OK.

        Open IIS Manager by using Administrative Tools:

        Open Control Panel, double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

      2. In the Internet Information Services (IIS) Manager window, expand Sites, and then expand Default Web Site.

      3. Right-click CertSrv, select Manage Application, and then select Browse.

  2. On the Welcome page of the Microsoft Active Directory Certificate Services window, click Request a certificate.

  3. On the Request a Certificate page, click advanced certificate request.

  4. On the Advanced Certificate Request page, click Create and submit a request to this CA.

  5. On the Advanced Certificate Request page, perform the following actions:

    Note:

    There are instructions for only some of the fields on this page. For the remaining fields, you can enter values according to your requirements.

    • In the Name field, enter the fully qualified domain name (FQDN) of the target system host computer. For example, enter hk128.corp.example.com.

      Note:

      On your target system installation, if a value is already selected in this field, then you need not change it.

      You need not enter values in the remaining fields of the Identifying Information region.

    • If you are using Microsoft ADAM, then in the Key Options region, from the CSP list, select Microsoft RSA SChannel Cryptographic Provider.

    • In the Additional Options region, select PKCS10 as the request format.

    • In the Friendly Name field, enter the FQDN of the target system host computer. For example, enter hk128.corp.example.com.

    Figure 2-17 shows the Advanced Certificate Request page.

    Figure 2-17 Advanced Certificate Request Page in Scenario 2


  6. Click Submit.

  7. When a message asking you to confirm that you want to request a certificate is displayed, click Yes.

2.3.3.3.2 Issuing the Certificate

To issue the certificate:

  1. On the target system host computer, open Control Panel.

  2. Double-click Administrative Tools, and then double-click Certification Authority.

  3. In the certsrv window, in the left pane, click Pending Requests.

    The request that you created earlier (in Section 2.3.3.3.1, "Requesting the Certificate") is displayed in the right pane. Figure 2-18 shows the certsrv window.

    Figure 2-18 certsrv Window


  4. Right-click the request, select All Tasks, and then select Issue.

  5. Open the Issued Certificates folder.

    The certificate is displayed in the right pane.

  6. Open Internet Information Services (IIS) Manager.

  7. Depending on whether you are using ADAM or AD LDS, perform one of the following steps:

    • For ADAM

      1. Expand Web Sites, and then expand Default Web Site.

      2. Right-click CertSrv, and then select Browse.

    • For AD LDS

      1. Expand Sites, and then expand Default Web Site.

      2. Right-click CertSrv, select Manage Application, and then select Browse.

  8. In the Microsoft Active Directory Certificate Services window, on the Welcome page, click View the status of a pending certificate request.

  9. Click the link for the certificate request.

  10. If the Connector Server is running on the domain controller, then on the Certificate Issued page, click Install this certificate.

  11. If the Connector Server is running on a computer that belongs to the domain, then on the Certificate Issued page, first click Install this CA certificate, and then click Install this certificate. Figure 2-19 shows the Certificate Issued page.

    Figure 2-19 Certificate Issued Page


  12. Save the CA certificate, and then import it into the Trusted Root Certification Authorities store as follows. It is the CA certificate, not the server certificate, that belongs in this store: the Connector Server trusts the server certificate because it trusts the CA that issued it.

    Note:

    The procedure described in this step must be performed on the computer running the Connector Server.

    1. Open the Microsoft Management Console with the Certificates snap-in added for the computer account (see Steps 1 through 7 of Section 2.3.3.4.1, "Exporting the Certificate"), and in the left pane, expand Certificates (Local Computer).

    2. Expand Trusted Root Certification Authorities.

    3. Right-click Certificates, click All Tasks, and then click Import. Figure 2-20 shows the Console window.

      Figure 2-20 Console Window

  13. When a message asking you to confirm that you want to add the certificate is displayed, click Yes.

    In the Certificate Installed page of the Microsoft Active Directory Certificate Services window, a message saying that the certificate has been successfully installed is displayed.

2.3.3.3.3 Adding the Certificate to the Personal Store of the Microsoft AD LDS Service

To add the certificate to the personal store of the Microsoft AD LDS service:

  1. On the target system host computer, use the Run dialog box to run the command for opening the Microsoft Management Console:

    mmc

  2. In the Microsoft Management Console, from the File menu, select Add/Remove Snap-in.

  3. On the Standalone tab of the Add/Remove Snap-in dialog box, click Add.

  4. From the list of available snap-ins, select Certificates, click Add, and then click OK. Figure 2-21 shows the Add or Remove Snap-ins dialog box.

    Figure 2-21 Add or Remove Snap-ins Dialog Box


  5. In the Certificates snap-in dialog box, select Service account, and then click Next.

  6. In the Select Computer dialog box, select Local computer and then click Next.

  7. From the Service account list in the Certificates snap-in dialog box, select the Microsoft AD LDS service instance and then click Finish.

  8. In the Certificates snap-in dialog box, select My user account and then click Finish.

  9. In the Certificates snap-in dialog box, select Computer account and then click Next.

  10. In the Select Computer dialog box, select Local computer and then click Finish.

  11. Click Close, and then click OK.

  12. In the left pane of the Microsoft Management Console window, expand Certificates - Current User, expand Personal, and then select Certificates. Figure 2-22 shows the Microsoft Management Console window.

    Figure 2-22 Microsoft Management Console Window


  13. In the right pane, right-click the certificate that you added, and then select Copy.

    The name of this certificate is the FQDN of the host computer.

  14. Paste the certificate into the following folders:

    • Personal folder under the Certificates - Service (AD LDS_INSTANCE_NAME) on Local Computer folder

    • Personal folder under the Certificates - Current User folder

  15. To save the changes that you have made to the Microsoft Management Console, from the File menu, select Save.

2.3.3.3.4 Assigning Permissions to the Certificate Key

To assign the required permissions to the folder containing the certificate key:

  1. In Microsoft Windows Explorer, navigate to the MachineKeys folder. On Windows Server 2003, the path to this folder is similar to the following:

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

    On Windows Server 2008, the same folder is under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.

  2. Right-click the MachineKeys folder, and then select Properties.

  3. In the Permissions for MachineKeys dialog box, use the Add button to add the following groups and users:

    • Administrators

    • Everyone

    • NETWORK SERVICE

    • The user name of the account used to install Microsoft ADAM

    • SYSTEM

    Note:

    Full Control for Everyone on the MachineKeys folder, and again on the key file in Step 9, is broader than the AD LDS service needs: it lets any account on the computer read or replace the private key. What the service requires is Read access, for the account that the AD LDS instance runs as (NETWORK SERVICE by default), to the single key file that belongs to the server certificate. If the wider grant is not acceptable under your security policy, grant that narrower permission instead and do not add Everyone.

  4. In the Permissions for Everyone section, select Full Control. Figure 2-23 shows the Permissions for MachineKeys dialog box.

    Figure 2-23 Permissions for MachineKeys Dialog Box


  5. Click Apply, and then click OK.

  6. In Microsoft Windows Explorer, expand the MachineKeys folder and select the certificate key. The time stamp for this certificate key is the date and time at which you created the certificate.

    Note:

    Refresh the folder if the certificate key that you created is not displayed.

  7. Right-click the key, and select Properties.

  8. In the Permissions dialog box for the key file, use the Add button to add the following groups and users:

    • Administrators

    • Everyone

    • NETWORK SERVICE

    • The user name of the account used to install Microsoft ADAM

    • SYSTEM

  9. In the Permissions for Everyone section, select Full Control.

  10. Click Apply, and then click OK.
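
The following script is an added example; it is not part of this guide or of the connector. It applies the narrower permission instead of Full Control for Everyone as in Steps 4 and 9 of this section: Read access on the one key file that belongs to the server certificate, for the account that the AD LDS instance runs as. It assumes the Windows Server 2008 MachineKeys location under ProgramData, a certificate whose subject CN is the host FQDN entered in the request, a key created by a CAPI provider such as Microsoft RSA SChannel Cryptographic Provider (keys created by a CNG key storage provider are stored elsewhere and are not located by this script), and NETWORK SERVICE as the service account; check the Log On As column of the ADAM_INSTANCE_NAME service before running it.

```powershell
# Added example, not part of the Oracle connector guide. Grants Read on the private-key
# file of the AD LDS server certificate to the account the instance runs as, instead of
# Full Control for Everyone on the whole MachineKeys folder.
# Assumptions (placeholders): the certificate subject CN is the host FQDN used in the
# request; the instance runs as NETWORK SERVICE (check the Log On As column of the
# ADAM_<instance> service); the key was created by a CAPI provider, which is what
# CspKeyContainerInfo can locate; and the Windows Server 2008 MachineKeys path.
param(
    [string]$HostFqdn       = 'hk128.corp.example.com',
    [string]$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'
)

# Pick the newest certificate in the machine store that carries a private key for this host.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$HostFqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$HostFqdn in LocalMachine\My" }

# For CAPI keys the unique container name is the file name inside MachineKeys.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $keyDir $keyName
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }
"Certificate $($cert.Thumbprint) -> key file $keyFile"

# Add a single Read ACE for the service account; leave every other ACE on the file as it is.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Review the result: the service account should have Read, and Everyone should not appear.
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run the script in an elevated PowerShell session on the target system host computer. After the permission has been applied, restart the AD LDS instance as described in the next section and run the ldp test in Section 2.3.3.3.6 to confirm that the instance can still open its private key.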

2.3.3.3.5 Restarting the Microsoft AD LDS Instance

To restart the Microsoft AD LDS instance:

  1. Open Control Panel.

  2. Double-click Administrative Tools, and then select Services.

  3. In the Services window, right-click the Microsoft AD LDS instance and then select Restart.

2.3.3.3.6 Testing the Certificate

To test the certificate:

  1. On the target system host computer, open the AD LDS Tools Command Prompt window (for ADAM, click Start, Programs, ADAM, and then ADAM Tools Command Prompt).

  2. In the AD LDS Tools Command Prompt window, enter ldp and then press Enter.

  3. From the Connection menu of the ldp window, select Connect.

  4. In the Connect dialog box:

    • In the Server field, enter the FQDN of the target system host computer.

    • In the Port field, enter the SSL port number.

    • Select SSL.

  5. Click OK.

  6. If SSL has been successfully configured, then status messages about the connection are displayed in the right pane of the ldp window. If the connection fails, first check that the CA certificate is trusted on the computer you are testing from and that the FQDN you entered matches the subject of the certificate.
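
The following script is an added example; it is not part of this guide or of the connector. It performs the check that Step 1 of Section 2.3.3.2 (verifying LDAPS on port 636 with an LDAP browser) and the ldp test in this section describe, but from the Connector Server host and with the validation verdict made explicit: it opens a TLS connection to the LDAPS port, prints the server certificate, and reports the Schannel policy errors that the connector's .NET client would see. The host name and port are placeholders; for AD LDS, use the SSL port of the instance.

```powershell
# Added example, not part of the Oracle connector guide. Probes an LDAPS endpoint the way
# the Connector Server's TLS client will see it and reports why validation would fail.
# Assumptions (placeholders to replace): the FQDN below is the guide's sample host name;
# 636 is the AD LDAPS port, use the SSL port of your AD LDS instance instead for AD LDS.
param(
    [string]$TargetHost = 'hk128.corp.example.com',
    [int]$Port = 636
)

$script:policyErrors = $null
$script:chainStatus  = @()

# Record the verdict instead of hiding it. Returning $true here only keeps the handshake
# alive long enough to read the certificate; it is not a validation bypass to reuse elsewhere.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    $script:chainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $client.Connect($TargetHost, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    # AuthenticateAsClient runs the TLS handshake; Schannel validates the server chain and
    # the host name against $TargetHost, then hands the result to $callback.
    $ssl.AuthenticateAsClient($TargetHost)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName

    "Connected     : ${TargetHost}:$Port (protocol $($ssl.SslProtocol))"
    "Subject       : $($cert.Subject)"
    "Issuer        : $($cert.Issuer)"
    "Valid until   : $($cert.NotAfter)"
    "SAN           : $(if ($san) { $san.Format($false) } else { '(none)' })"
    "Policy errors : $script:policyErrors"
    "Chain status  : $(if ($script:chainStatus.Count) { $script:chainStatus -join ', ' } else { 'NoError' })"

    # Map the two failures that this guide's procedure is meant to prevent to their fix.
    if ($script:policyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) {
        Write-Warning "The issuing CA is not trusted on this computer; import the CA certificate into Trusted Root Certification Authorities (Step 12 of Section 2.3.3.3.2)."
    }
    if ($script:policyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
        Write-Warning "The certificate subject or SAN does not match '$TargetHost'; the IT resource must use the name that is on the certificate."
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Close()
}
```

Run the script on the computer that hosts the Connector Server, because that is where the CA certificate must be trusted. Policy errors of None means that both the certificate chain and the host name validate; RemoteCertificateChainErrors or RemoteCertificateNameMismatch point to the missing trust or the wrong host name, which ldp reports only as a failed connection.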

2.3.3.4 Configuring SSL Between Oracle Identity Manager and Connector Server

The following sections provide information about configuring SSL between Oracle Identity Manager and Connector Server:

2.3.3.4.1 Exporting the Certificate

Note:

Perform the procedure described in this section on the computer hosting the connector server.

To export the certificate:

  1. Click Start and then Run.

  2. Enter the following command, and then click OK:

    mmc

    The Microsoft Management Console is displayed.

  3. From the File menu, select Add/Remove Snap-in.

  4. In the Add or Remove Snap-ins dialog box, select Certificates from the available snap-ins list, and then click Add.

  5. In the Certificates snap-in dialog box, select Computer account, and then click Next.

  6. In the Select Computer dialog box, select Local computer, and then click Finish.

  7. In the Add or Remove Snap-ins dialog box, click OK.

  8. In the left pane of the Console Root window, expand Certificates (Local Computer), expand Personal, and then select Certificates.

    All requested certificates are displayed in the right pane.

  9. Right-click the new certificate (requested and issued in Section 2.3.3.3.1, "Requesting the Certificate" and Section 2.3.3.3.2, "Issuing the Certificate"), select All Tasks, and then click Export.

    The Certificate Export Wizard is displayed.

  10. On the Welcome to the Certificate Export Wizard page, click Next.

  11. On the Export Private Key page, select No, do not export the private key option, and then click Next.

  12. On the Export File Format page, select Base-64 encoded X.509 (.CER) and click Next. Figure 2-24 shows the Export File Format page.

    Figure 2-24 Export File Format Page


  13. On the File to Export page, in the File name field, enter the name and location of the file to which the certificate must be exported (for example, C:\ADSSLCer.cer), and then click Next.

  14. On the Completing the Certificate Export Wizard page, click Finish.

    A dialog box with message that the export was successful is displayed.

  15. Click OK.

2.3.3.4.2 Configuring the Connector Server for SSL

Note:

Perform the procedure described in this section on the computer hosting the connector server.

The following is the procedure to configure the Connector Server for SSL:

  1. Create a certificate store and add the certificate exported in Section 2.3.3.4.1, "Exporting the Certificate" to the store. To do so:

    In a command window, enter the following:

    C:\>certutil -f -addstore sslstore C:\ADSSLCer.cer

    This command creates a new certificate store with the name 'sslstore' and adds the certificate ADSSLCer.cer to this store.

    Note:

    • Ensure that a certificate store with the name used in the preceding command does not already exist. The certificate store named in the ConnectorServer.exe.Config file must contain exactly one certificate; if it contains more than one, the Connector Server will not start.

      Run the following command to view the number of certificates present in the certificate store:

      C:\>certutil -viewstore STORE_NAME

    • If the certificate has been exported with its private key (for example, as a .pfx file), then import it into the certificate store named 'sslstore' by using the MMC console instead.

    Figure 2-25 shows the Command Prompt window.

    Figure 2-25 Command Prompt


  2. Navigate to the location where Connector Server is installed and locate the Connector Server\ConnectorServer.exe.Config file.

  3. In a text editor, open the ConnectorServer.exe.Config file for editing:

  4. Change the values of the following lines:

    From:

    <add key="connectorserver.usessl" value="false" />

    <add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate" />

    To:

    <add key="connectorserver.usessl" value="true" />

    <add key="connectorserver.certificatestorename" value="sslstore" />

  5. Restart the Connector Server.
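
The following script is an added example; it is not part of this guide or of the Connector Server distribution. It carries out Steps 1 through 5 as one checked procedure: it confirms that the store holds exactly one certificate and that the certificate is linked to a private key, edits the two keys in ConnectorServer.exe.Config as XML, and restarts the service. The store name, the installation path, the service name ConnectorServerService, and the placement of the keys under appSettings are assumptions to verify against your installation.

```powershell
# Added example, not part of the Oracle connector guide. Verifies the store that the
# Connector Server will read, then rewrites the two appSettings keys and restarts the
# service. Assumptions (placeholders): store name 'sslstore' as in Step 1; the install
# path below; the Windows service name 'ConnectorServerService'; and that the keys live
# under <configuration><appSettings> as the two lines in Step 4 suggest.
param(
    [string]$StoreName   = 'sslstore',
    [string]$ConfigPath  = 'C:\Program Files\Identity Connectors\Connector Server\ConnectorServer.exe.Config',
    [string]$ServiceName = 'ConnectorServerService'
)

# The Connector Server does not start if the store holds anything but exactly one
# certificate, so check that before touching the configuration.
$certs = @(Get-ChildItem "Cert:\LocalMachine\$StoreName" -ErrorAction SilentlyContinue)
if ($certs.Count -ne 1) {
    throw "Store '$StoreName' holds $($certs.Count) certificate(s); it must hold exactly one (compare: certutil -viewstore $StoreName)."
}
$cert = $certs[0]

# A TLS listener needs the private key. If the store entry is not linked to one, relink it
# to the key that already exists on this computer, or import the .pfx as the note in Step 1 says.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) in '$StoreName' is not linked to a private key. Try: certutil -repairstore $StoreName $($cert.SerialNumber)"
}
"Using certificate: $($cert.Subject) (expires $($cert.NotAfter))"

# Edit the file as XML rather than by matching text, and keep a backup of the original.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
[xml]$config = Get-Content -Path $ConfigPath
$wanted = @{
    'connectorserver.usessl'               = 'true'
    'connectorserver.certificatestorename' = $StoreName
}
foreach ($key in $wanted.Keys) {
    $node = $config.configuration.appSettings.add | Where-Object { $_.key -eq $key }
    if (-not $node) { throw "Key '$key' not found in $ConfigPath" }
    $node.value = $wanted[$key]
}
$config.Save($ConfigPath)

# Apply the change and show the service state so a failed start is visible immediately.
Restart-Service -Name $ServiceName
Get-Service -Name $ServiceName | Select-Object Name, Status
```

Run the script in an elevated PowerShell session on the Connector Server host. The HasPrivateKey check matters because the .cer file that Section 2.3.3.4.1 exports carries no key: the entry in the store must be linked to the key that already exists on this computer, which certutil -repairstore does if certutil -addstore did not, or the .pfx must be imported as the note in Step 1 describes.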

2.3.3.4.3 Configuring Oracle Identity Manager for SSL

The following is the procedure to configure Oracle Identity Manager for SSL:

  1. Copy the certificate generated in Section 2.3.3.4.1, "Exporting the Certificate" to the computer on which Oracle Identity Manager is running.

  2. Import the target system certificate into the JDK used by Oracle Identity Manager (running on Oracle WebLogic Application Server) by running the following command:

    keytool -import -keystore MY_CACERTS -file CERT_FILE_NAME -storepass PASSWORD

    In this command:

    • MY_CACERTS is the full path and name of the certificate store (the default is cacerts).

    • CERT_FILE_NAME is the full path and name of the certificate file.

    • PASSWORD is the password of the keystore.

    The following is a sample command. Note that keytool stores an imported certificate under the alias mykey unless you specify -alias; if you import more than one certificate into the same keystore, give each a distinct alias.

    keytool -import -keystore /home/testoc4j/OIM/jrockit_160_14_R27.6.5-32/jre/lib/security/cacerts -file /home/ADSSLCer.cer -storepass changeit

  3. Import the target system certificate into the keystore of the application server by running the following command:

    keytool -import -keystore MY_CACERTS -file CERT_FILE_NAME -storepass PASSWORD

    In this command:

    • MY_CACERTS is the full path and name of the certificate store (the default is WEBLOGIC_HOME/server/lib/DemoTrust.jks). DemoTrust.jks and its well-known passphrase are intended for development only; in a production environment, import the certificate into the custom trust keystore that the WebLogic domain is configured to use.

    • CERT_FILE_NAME is the full path and name of the certificate file.

    • PASSWORD is the password of the keystore.

    The following is a sample command:

    keytool -import -keystore WEBLOGIC_HOME/server/lib/DemoTrust.jks -file /home/ADSSLCer.cer -storepass DemoTrustKeyStorePassPhrase

  4. Set the value of the UseSSL parameter of the Connector Server IT resource to true.

2.4 Upgrading the Connector

If you have already deployed an earlier release of this connector, then upgrade the connector to the current release. The following sections discuss the procedure to upgrade the connector:

Note:

  • Upgrade of the connector from release 9.1.x to 11.1.1.x is supported.

  • Before you perform the upgrade procedure, it is strongly recommended that you create a backup of the Oracle Identity Manager database. Refer to the database documentation for information about creating a backup.

  • As a best practice, first perform the upgrade procedure in a test environment.

2.4.1 Preupgrade Steps

Perform the following preupgrade steps:

  1. Perform a reconciliation run to fetch the latest updates from the target system into Oracle Identity Manager.

  2. Perform the preupgrade procedure documented in the "Managing Connector Lifecycle" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

  3. On the target system, obtain the maximum value of the uSNChanged attribute as follows:

    1. If you are using the connector across multiple domains, then on the domain controller on which the Global Catalog Server is running, navigate to RootDSE, and then look for the RootDSE properties.

    2. If you are using the connector in a single domain, then on the domain controller used for reconciliation, navigate to RootDSE, and then look for the RootDSE properties.

    3. In the RootDSE properties dialog box, search for the highestCommittedUSN attribute, and note down its value. The use of this value is described later in this chapter. Figure 2-26 shows the RootDSE properties dialog box in which the highestCommittedUSN attribute is displayed.

      Figure 2-26 RootDSE Properties Dialog Box

  4. Define the source connector (an earlier release of the connector that must be upgraded) in Oracle Identity Manager. You define the source connector to update the Deployment Manager XML file with all customization changes made to the connector. See the "Managing Connector Lifecycle" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information.

2.4.2 Upgrade Steps

Depending on the environment in which you are upgrading the connector, perform one of the following steps:

  • Development Environment

    Perform the upgrade procedure by using the wizard mode.

  • Staging or Production Environment

    Perform the upgrade procedure by using the silent mode. In the silent mode, use the silent.xml file that is exported from the development environment.

See the "Managing Connector Lifecycle" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about the wizard and silent modes.

2.4.3 Postupgrade Steps

Perform the following procedure:

  1. Perform the postupgrade procedure documented in the "Managing Connector Lifecycle" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

  2. If you are using Oracle Identity Manager release 11.1.2.x, then all changes made to the Form Designer of the Design Console must be done in a new UI form as follows:

    1. Log in to Oracle Identity System Administration.

    2. Create and activate a sandbox. See Section 2.3.1.1.1, "Creating and Activating a Sandbox" for more information.

    3. Create a new UI form to view the upgraded fields. See Section 2.3.1.1.2, "Creating a New UI Form" for more information about creating a UI form.

    4. Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in Step 2.c), and then save the application instance.

    5. Publish the sandbox. See Section 2.3.1.1.4, "Publishing a Sandbox" for more information.

  3. If you are using Oracle Identity Manager release 11.1.2.x and you are upgrading from release 11.1.1.5.0 to 11.1.1.6.0, then perform the following procedure to remove the auxiliary class child form (from the AD User form) that is retained after upgrade:

    1. Create a new version of the upgraded AD User form.

    2. Delete the UD_ADUSRCLS child form, and make the version active.

    3. Run the FVC utility using this newly created form. See Step 4 for detailed information on running the FVC utility.

  4. Run the Form Version Control (FVC) utility to manage user data changes on a form after an upgrade operation. To do so:

    1. In a text editor, open the fvc.properties file located in the OIM_DC_HOME directory and include the following entries:

      ResourceObject;AD User
      FormName;UD_ADUSER
      FromVersion;SPECIFY_THE_VERSION_OF_THE_FORM_USED_BY_USER_ACCOUNTS_CREATED_BY_USING_THE_SOURCE_CONNECTOR
      ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE
      ParentParent;UD_ADUSER_AD;UD_ADUSER_SERVER
      

      Note:

      To determine values for the FromVersion and ToVersion attributes:

      1. Log in to the Design Console.

      2. Expand Development Tools and then double-click Form Designer.

      3. Search for and open the form whose version you are trying to determine. For example, UD_ADUSER.

      4. In the Version Information region, search for and note down the value of the Active Version field, for example, initial version. This is the value of the ToVersion attribute.

      5. In the Operations region, click the Current Version list, and note down the second highest value in the list, for example Immediate Version. This is the value of the FromVersion attribute.

      In the fvc.properties file, you might want to specify the process form name too. To verify whether you are specifying the correct process form associated with the resource object:

      1. Log in to the Design Console.

      2. Expand Process Management and then double-click Process Definition.

      3. Search for and open the process form associated with the resource object.

      4. In the Form Assignment region, note down the value of the Table Name field. This value is the name of the process form that is linked to the process definition and resource object.

    2. Run the FVC utility. This utility is copied into the following directory when you install the design console:

      For Microsoft Windows:

      OIM_DC_HOME/fvcutil.bat

      For UNIX:

      OIM_DC_HOME/fvcutil.sh

      When you run this utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, and the logger level and log file location.

  5. To manage AD Group form changes after an upgrade operation, run the FVC utility by performing the instructions in Steps 4.a and 4.b with the following difference:

    While performing Step 4.a, replace the entries added in Step 4.a with the following:

    ResourceObject;AD Group
    FormName;UD_ADGRP
    FromVersion;SPECIFY_THE_VERSION_OF_THE_FORM_USED_BY_USER_ACCOUNTS_CREATED_BY_USING_THE_SOURCE_CONNECTOR
    ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE
    ParentParent;UD_ADGRP_ADSERVER;UD_ADGRP_SERVER
    
  6. To manage AD Organization Unit form changes after an upgrade operation, run the FVC utility by performing the instructions in Steps 4.a and 4.b with the following difference:

    While performing Step 4.a, replace the entries added in Step 4.a with the following:

    ResourceObject;AD Organizational Unit
    FormName;UD_OU
    FromVersion;SPECIFY_THE_VERSION_OF_THE_FORM_USED_BY_USER_ACCOUNTS_CREATED_BY_USING_THE_SOURCE_CONNECTOR
    ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE
    ParentParent;UD_OU_AD;UD_OU_SERVER
    
  7. If you are upgrading the connector from release 11.1.1.5.0 to 11.1.1.6.0, then run the PostUpgradeScript.sql script as follows:

    Note:

    • Skip this step if you are upgrading the connector directly from release 9.1.x to 11.1.1.6.0.

    • If you first performed an upgrade from release 9.1.x to 11.1.1.5.0, and then are upgrading from release 11.1.1.5.0 to 11.1.1.6.0, then in the PostUpgradeScript.sql file, replace "ADOU" with "OU", and then run the script.

    1. Connect to the Oracle Identity Manager database by using the OIM User credentials.

    2. Run the PostUpgradeScript.sql located in the ConnectorDefaultDir/AD_PACKAGE/upgrade directory.

  8. Deploy the Connector Server. See Section 2.1.3, "Installing and Configuring the Connector Server" and Section 2.2.2, "Installing the Connector in the Connector Server" for more information.

  9. Re-configure the IT resource of the source connector (an earlier release of the connector that must be upgraded). See Section 2.2.1.2, "Configuring the IT Resource for the Target System" for information about configuring the IT resource.

  10. Configure the latest token value of the scheduled job as follows:

    The following scheduled jobs contain the Latest Token attribute:

    • Active Directory User Target Recon

    • Active Directory User Trusted Recon

    • Active Directory Group Recon

    • Active Directory Organization Recon

    After upgrading the connector, you can perform either full reconciliation or incremental reconciliation. To perform incremental reconciliation, specify the value of the highestCommittedUSN attribute (noted in Section 2.4.1, "Preupgrade Steps") as the value of the Latest Token attribute. This ensures that records created or modified since the last reconciliation run (the one that you performed in Section 2.4.1, "Preupgrade Steps") are fetched into Oracle Identity Manager. From the next reconciliation run onward, the reconciliation engine automatically enters a value for the Latest Token attribute.

    See Section 3.3.1, "Full Reconciliation and Incremental Reconciliation" for more information about performing full or incremental reconciliation.

  11. Configure the sync token value of the scheduled job as follows:

    The following scheduled jobs contain the Sync Token attribute:

    • Active Directory User Target Delete Recon

    • Active Directory User Trusted Delete Recon

    • Active Directory Group Delete Recon

    After upgrading the connector, you can perform either full delete reconciliation or incremental delete reconciliation. To perform full delete reconciliation, you must not specify any value for the Sync Token attribute of the scheduled job. To perform incremental delete reconciliation, you must specify the value of the Sync Token attribute in the following format:

    <String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String>

    In this format, replace:

    • {uSNChanged} with the value of the highestCommittedUSN attribute noted in Section 2.4.1, "Preupgrade Steps."

    • {True/False} with one of the following values:

      • True if the Global Catalog Server is used during delete reconciliation runs

      • False if the Global Catalog Server is not used during delete reconciliation runs

    • {DOMAIN_CONTROLLER} with the name of the domain controller on which you located RootDSE while performing the procedure described in Section 2.4.1, "Preupgrade Steps."

    See Section 3.3.4.2, "Scheduled Jobs for Reconciliation of Deleted User Records" and Section 3.3.4.4, "Scheduled Job for Reconciliation of Deleted Groups" for more information about delete reconciliation.
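The Sync Token format from Step 11 is easy to get wrong by hand (a placeholder left in place, a non-boolean flag, a stray pipe in the domain controller name), and a wrong token silently turns the next delete reconciliation run into the wrong kind of run. The following helper, an added example that is not part of the connector or of Oracle's documentation, builds the token from the highestCommittedUSN value noted in the preupgrade steps and checks an existing token before it is pasted into the scheduled job; the function names are hypothetical and the sample values are constructed.

```python
import re

# Shape of the Sync Token attribute as given in the upgrade steps:
#   <String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String>
_TOKEN_RE = re.compile(
    r"^<String>0\|(?P<usn>\d+)\|(?P<gc>True|False)\|(?P<dc>[^|<>]+)</String>$"
)


def build_sync_token(highest_committed_usn: int, use_global_catalog: bool,
                     domain_controller: str) -> str:
    """Return the Sync Token for an incremental delete reconciliation run.

    highest_committed_usn is the RootDSE highestCommittedUSN value noted before
    the upgrade; domain_controller is the DC on which that RootDSE was read.
    """
    if highest_committed_usn < 0:
        raise ValueError("highestCommittedUSN must be a non-negative integer")
    dc = domain_controller.strip()
    if not dc or "|" in dc:
        raise ValueError("domain controller name is empty or contains '|'")
    flag = "True" if use_global_catalog else "False"
    return f"<String>0|{highest_committed_usn}|{flag}|{dc}</String>"


def parse_sync_token(token: str) -> dict:
    """Split an existing token into its parts, rejecting malformed values such
    as an unreplaced {uSNChanged} placeholder or a flag other than True/False."""
    match = _TOKEN_RE.match(token.strip())
    if match is None:
        raise ValueError(f"malformed Sync Token: {token!r}")
    return {
        "usn": int(match.group("usn")),
        "global_catalog": match.group("gc") == "True",
        "domain_controller": match.group("dc"),
    }


if __name__ == "__main__":
    # Constructed sample values; take the real ones from your RootDSE.
    token = build_sync_token(123456, False, "dc01.example.com")
    print(token)
    print(parse_sync_token(token))
```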
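Steps 4 to 6 each run the FVC utility against a different fvc.properties entry set, and the only difference between them is the resource object, form name and ParentParent values. The following helper, an added example that is not Oracle's tooling, renders the three entry sets shown on the page and checks a file before the utility runs: every required key must be present, no SPECIFY_ placeholder may remain, and FromVersion must differ from ToVersion (a sanity check added here, not a rule the page states). Function names are hypothetical; the version strings in the sample are constructed.

```python
# Placeholder prefix used on the page for values the administrator must replace.
PLACEHOLDER_PREFIX = "SPECIFY_"
REQUIRED_KEYS = ("ResourceObject", "FormName", "FromVersion", "ToVersion", "ParentParent")

# Form name and ParentParent entry for each resource object, as printed in Steps 4 to 6.
FORMS = {
    "AD User": ("UD_ADUSER", "UD_ADUSER_AD;UD_ADUSER_SERVER"),
    "AD Group": ("UD_ADGRP", "UD_ADGRP_ADSERVER;UD_ADGRP_SERVER"),
    "AD Organizational Unit": ("UD_OU", "UD_OU_AD;UD_OU_SERVER"),
}


def render_fvc_properties(resource_object: str, from_version: str, to_version: str) -> str:
    """Return the fvc.properties entries for one resource object (key;value per line)."""
    form_name, parent_parent = FORMS[resource_object]
    lines = [
        f"ResourceObject;{resource_object}",
        f"FormName;{form_name}",
        f"FromVersion;{from_version}",
        f"ToVersion;{to_version}",
        f"ParentParent;{parent_parent}",
    ]
    return "\n".join(lines) + "\n"


def check_fvc_properties(text: str) -> dict:
    """Parse fvc.properties text and raise ValueError on anything FVC would choke on."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first ';' only: ParentParent carries a ';' inside its value.
        key, sep, value = line.partition(";")
        if not sep:
            raise ValueError(f"not a key;value entry: {line!r}")
        entries[key] = value
    missing = [k for k in REQUIRED_KEYS if k not in entries]
    if missing:
        raise ValueError(f"missing entries: {missing}")
    unreplaced = [k for k, v in entries.items() if v.startswith(PLACEHOLDER_PREFIX)]
    if unreplaced:
        raise ValueError(f"placeholders still present in: {unreplaced}")
    if entries["FromVersion"] == entries["ToVersion"]:
        raise ValueError("FromVersion and ToVersion are identical; nothing to migrate")
    return entries


if __name__ == "__main__":
    # Constructed versions; read the real ones from the Form Designer as described above.
    text = render_fvc_properties("AD Group", "Immediate Version", "initial version")
    print(text)
    print(check_fvc_properties(text))
```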

2.5 Postcloning Steps

You can clone the Microsoft Active Directory User Management connector by setting new names for some of the objects that comprise the connector. The outcome of the process is a new connector XML file. Most of the connector objects, such as Resource Object, Process Definition, Process Form, IT Resource Type Definition, IT Resource Instances, Lookup Definitions, Adapters, Reconciliation Rules and so on in the new connector XML file have new names.

See Also:

The "Managing Connector Lifecycle" chapter of Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for detailed information about cloning connectors and the steps mentioned in this section

After a copy of the connector is created by setting new names for connector objects, some objects might contain the details of the old connector objects. Therefore, you must modify the following Oracle Identity Manager objects to replace the base connector artifacts or attribute references with the corresponding cloned artifacts or attributes: