Oracle Identity Analytics System Integrator's Guide 11g Release 1

To Configure Oracle Identity Analytics and Oracle Identity Manager to Work Together (Deprecated Integration Method)

Before You Begin -

  1. In Oracle Identity Analytics, add Oracle Identity Manager as a provisioning server option. ("Sun Identity Manager" and "File" are the default options.)

    See Step 1: Enable Oracle Identity Manager as a Provisioning Server Option

  2. Copy the required Oracle Identity Manager API JAR files to Oracle Identity Analytics.

    See Step 2: Copy the Required .jar Files

  3. In Oracle Identity Analytics, designate Oracle Identity Manager as the provisioning server. Establish a connection by entering authentication details.

    See Step 3: Designate Oracle Identity Manager as the Provisioning Server

  4. To send real-time changes from Oracle Identity Analytics to Oracle Identity Manager, change the Oracle Identity Analytics configuration files related to workflows.

Step 1: Enable Oracle Identity Manager as a Provisioning Server Option

In the Oracle Identity Analytics user interface, the Administration > Configuration > Provisioning Servers tab displays "file" and "sun" as the available options. To display Oracle Identity Manager as a supported provisioning server, edit iam-context.xml in the RBACX_Home/WEB-INF folder as follows.

First, uncomment the oracle key entry in the iamSolutions property map in iam-context.xml:

<bean id="rbacxIAMService" parent="baseTransactionProxy">
  <property name="target">
    <bean class="com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl" parent="baseServiceSupport">
      <property name="iamSolutions">
        <map>
          <entry key="sun">
            <ref local="waveset"/>
          </entry>
          <!--entry key="ca">
            <ref local="eTrust"/>
          </entry-->
          <!--entry key="ibm">
            <ref local="tim"/>
          </entry-->
          <entry key="oracle">
            <ref local="oim"/>
          </entry>
          <entry key="file">
            <ref local="file"/>
          </entry>
        </map>
      </property>

The second change to this file is to uncomment the oim bean definition:

<bean id="oim" class="com.vaau.rbacx.iam.oracle.OIMIAMSolution" parent="abstractIAMSolution">
  <property name="metadataManager" ref="metadataManager"/>
  <property name="namespaceMap">
    <map>
      <!-- This mapping fetches the attributes from
           the appropriate object form (AD User). This
           mapping clarifies that, for the "AD Server"
           resource type, attributes are imported from
           the "AD User" Object form in OIM -->
      <entry key="AD Server">
        <value>AD User</value>
      </entry>
    </map>
  </property>
  <property name="resourceFieldMap">
    <map>
      <!-- This mapping identifies the field that is the
           ITResourceLookupField for each resource type.
           (Oracle Identity Manager "IT resources" map to
           resources in Oracle Identity Analytics.) From the mapping
           for the "AD Server" resource type field, we
           define that the "UD_ADUSER_AD" column field
           corresponds to the ITResource Entry. -->
      <entry key="AD Server">
        <value>UD_ADUSER_AD</value>
      </entry>
    </map>
  </property>
  <property name="accountIdentifierMap">
    <map>
      <entry key="AD Server">
        <value>UD_ADUSER_UID</value>
      </entry>
    </map>
  </property>
  <property name="secPolicyMap">
    <map>
      <entry key="RACF Account">
        <value>Server,Group</value>
      </entry>
    </map>
  </property>
  <property name="maxStaleDays">
    <value>${com.vaau.rbacx.iam.oracle.maxStaleDays}</value>
  </property>
  <property name="excludeFlag">
    <value>${com.vaau.rbacx.iam.oracle.excludeFlag}</value>
  </property>
  <property name="roleDao">
    <ref bean="roleDao"/>
  </property>
  <property name="policyManager">
    <ref bean="policyManager"/>
  </property>
  <property name="userProperties">
    <map>
      <entry key="userName">
        <value>Users.User ID</value>
      </entry>
      <entry key="firstName">
        <value>Users.First Name</value>
      </entry>
      <entry key="lastName">
        <value>Users.Last Name</value>
      </entry>
      <entry key="middleName">
        <value>Users.Middle Name</value>
      </entry>
      <entry key="manager">
        <value>Users.Manager Login</value>
      </entry>
      <entry key="primaryEmail">
        <value>Users.Email</value>
      </entry>
      <entry key="employeeType">
        <value>Users.Role</value>
      </entry>
      <entry key="startDate">
        <value>Users.Start Date</value>
      </entry>
      <entry key="endDate">
        <value>Users.End Date</value>
      </entry>
      <entry key="createDate">
        <value>Users.Provisioned Date</value>
      </entry>
    </map>
  </property>
  <property name="customProperties">
    <list>
      <value>Users.Email</value>
      <value>Organizations.Organization Name</value>
      <value>USR_UDF_LOCATION</value>
      <value>Users.Deprovisioning Date</value>
      <value>Users.Xellerate Type</value>
      <value>Users.Identity</value>
      <value>Users.Lock User</value>
      <value>Users.Disable User</value>
      <value>Users.Role</value>
    </list>
  </property>
</bean>
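
The two edits to iam-context.xml have to be made together: if the oracle map entry is active while the oim bean is still commented out, the reference has no target. The following check is an added example, not part of the Oracle guide. It assumes the file is DTD-style Spring XML without a default namespace, as in the snippets above; the function name and the sample file content are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

COMMENT = re.compile(r"<!--(.*?)-->", re.S)
def check_oim_enabled(xml_text):
    """Return a list of problems with the OIM wiring in iam-context.xml text."""
    problems = []
    root = ET.fromstring(xml_text)  # the default parser drops comments: only active XML remains
    commented = " ".join(COMMENT.findall(xml_text))

    def state(pattern):
        return "still commented out" if re.search(pattern, commented) else "missing"

    # Change 1: an active <entry key="oracle"> in the iamSolutions map.
    refs = [ref.get("local")
            for prop in root.iter("property") if prop.get("name") == "iamSolutions"
            for entry in prop.iter("entry") if entry.get("key") == "oracle"
            for ref in entry.iter("ref")]
    if not refs:
        problems.append('iamSolutions entry key="oracle" is ' + state(r'entry\s+key\s*=\s*"oracle"'))

    # Change 2: the bean that entry points at must be active too, or the ref dangles.
    target = refs[0] if refs else "oim"
    bean = next((b for b in root.iter("bean") if b.get("id") == target), None)
    if bean is None:
        problems.append(f'bean id="{target}" is ' + state(rf'bean\s+id\s*=\s*"{re.escape(target)}"'))
    elif bean.get("class") != "com.vaau.rbacx.iam.oracle.OIMIAMSolution":
        problems.append(f'bean id="{target}" has unexpected class {bean.get("class")}')
    return problems

# Constructed sample: the map entry was uncommented, the bean definition was not.
SAMPLE = """<beans>
  <bean id="rbacxIAMService" parent="baseTransactionProxy">
    <property name="target">
      <bean class="com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl" parent="baseServiceSupport">
        <property name="iamSolutions">
          <map>
            <entry key="sun"><ref local="waveset"/></entry>
            <entry key="oracle"><ref local="oim"/></entry>
          </map>
        </property>
      </bean>
    </property>
  </bean>
  <!--bean id="oim" class="com.vaau.rbacx.iam.oracle.OIMIAMSolution" parent="abstractIAMSolution">
  </bean-->
</beans>"""

print(check_oim_enabled(SAMPLE))
```
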

Step 2: Copy the Required .jar Files

  1. Copy the following Oracle Identity Manager Java API JAR files (located here: $OIM_HOME/xellerate/lib/.jar) to the Oracle Identity Analytics $RBACX_HOME/WEB-INF/lib folder:

    • wlXLSecurityProviders.jar

    • xlAPI.jar

    • xlAuthentication.jar

    • xlCache.jar

    • xlCrypto.jar

    • xlDataObjectBeans.jar

    • xlDataObjects.jar

    • xlLogger.jar

    • xlScheduler.jar

    • xlUtils.jar

    • xLVO.jar

  2. Copy the following Oracle Identity Manager Java API JAR file (located in the client/ext folder) to the Oracle Identity Analytics $RBACX_HOME/WEB-INF/lib folder:

    • iam-platform-utils.jar

  3. Copy the following JAR files if you are deploying to a JBoss or WebLogic application server:

    • If deploying to a JBoss application server, copy jbossall-client.jar

    • If deploying to a WebLogic application server, copy oim_design_console\xlclient\ext\wlfullclient.jar

      Note - The wlfullclient.jar is only required if Oracle Identity Analytics and Oracle Identity Manager are on different WebLogic domains. This JAR file allows client applications, such as Oracle Identity Analytics, to communicate with the WebLogic Server over the T3 protocol. If you deploy OIA and OIM to the same WebLogic domain, skip this step; otherwise, you may receive an error similar to the following:

      Caused By: java.lang.LinkageError: loader constraint violation: loader (instance of weblogic/utils/classloaders/ChangeAwareClassLoader) previously initiated loading for a different type with name "javax/xml/namespace/QName"

      If wlfullclient.jar is not present in Oracle Identity Manager, follow these steps to generate it:

      1. Type cd <WLS-HOME>/server/lib, where <WLS-HOME> is the base WebLogic installation directory

      2. Type java -jar wljarbuilder.jar

      3. Copy the wlfullclient.jar file to the $RBACX_HOME/WEB-INF/lib folder

  4. Copy the following 11g Oracle Identity Manager Java API JAR files to Oracle Identity Analytics:

    1. Copy $OIM_HOME/server/client/oimclient.jar to $OIA-HOME/WEB-INF/lib

      Note - If this JAR file is not present, you will receive the following exception during integrated operations:

      java.lang.NoClassDefFoundError: oracle/iam/platform/OIMClient
        at Thor.API.tcUtilityFactory.<init>(tcUtilityFactory.java:154)
        at com.vaau.rbacx.iam.oracle.OIMIAMSolution.getUtilityFactory(OIMIAMSolution.java:2595)
        at com.vaau.rbacx.iam.oracle.OIMIAMSolution.readUsers(OIMIAMSolution.java)

    2. Copy the OIM 11g logger JAR file, xlLogger10g.jar, to $OIA-HOME/WEB-INF/lib

      Note - If this JAR file is not present, you will receive the following error during integrated operations:

      Caused by: java.lang.NoClassDefFoundError: com/thortech/util/logging/Logger
        at Thor.API.tcUtilityFactory.<clinit>(tcUtilityFactory.java:80)
        at com.vaau.rbacx.iam.oracle.OIMIAMSolution.getUtilityFactory(OIMIAMSolution.java:2595)
        at com.vaau.rbacx.iam.oracle.OIMIAMSolution.readUsers(OIMIAMSolution.java:770)
        at com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl.importUsers(RbacxIAMServiceImpl.java:119)

Step 3: Designate Oracle Identity Manager as the Provisioning Server

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Provisioning Servers.

  4. Click New Provisioning Server Connection.

    The New Provisioning Server Connection wizard asks you to choose the type of provisioning server connection that you want to create.

  5. From the Type of Provisioning Server Connection drop-down menu, select Oracle and click Next.

  6. Complete the form:

    • Server Name - Type the connection object name.

    • Xellerate Home - Type the path to the config file in OIM. (example: C:\oracle\xellerate)

    • Login Config - Type the path to the authentication configuration (auth.config) file. (example: C:\oracle\xellerate\config\auth.conf)

    • Provider URL - Type the provider URL. The format for this field is as follows:

      • WebLogic -

        t3://host:7001

      • JBoss -

        jnp://host:1099 (The default port number in a clustered environment is 1100.)

      • WebSphere -

        corbaloc:iiop:host:2809

    • Initial Context Factory - Enter the name of the environment property for specifying the initial context factory. The default values are as follows:

      • WebLogic -

        weblogic.jndi.WLInitialContextFactory

      • JBoss -

        org.jnp.interfaces.NamingContextFactory

      • WebSphere -

        com.ibm.websphere.naming.WsnInitialContextFactory

    • User Name - Enter the OIM user name. (example: xelsysadm)

    • Password - Enter the OIM password.

Step 4: Enable Real-Time Updates from Oracle Identity Analytics to Oracle Identity Manager

To send real-time changes from Oracle Identity Analytics to Oracle Identity Manager, change the configuration files related to workflows.

For example, the following code snippet has to be enabled in role-creation-workflow.xml during the "Finish" step (step 6):

<!--<function name="exportIAMRoleFunction" type="spring">
<arg name="bean.name">exportIAMRoleFunction</arg>
<arg name="iamConnectionName"/>
</function>-->

This becomes the following:

<function name="exportIAMRoleFunction" type="spring">
<arg name="bean.name">exportIAMRoleFunction</arg>
<arg name="iamConnectionName">OIMConnectionObjectName</arg>
</function>

Note - OIMConnectionObjectName is the name of the connection object you define in Step 2. Similar changes have to be made for all role-related workflows: role-modification-workflow.xml, role-user-membership-workflow.xml, and role-user-membership-activation-workflow.xml.
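
Removing only the comment markers leaves `<arg name="iamConnectionName"/>` empty, and the same edit is needed in four files, so a per-file audit is useful. The following is an added example, not part of the Oracle guide. The connection name is the Server Name value typed in the provisioning server form; the name OIM-Prod, the function names and the minimal workflow wrapper are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Workflow files named on this page; all four need the same change.
WORKFLOW_FILES = ["role-creation-workflow.xml", "role-modification-workflow.xml",
                  "role-user-membership-workflow.xml",
                  "role-user-membership-activation-workflow.xml"]

def export_state(xml_text, connection_name):
    """Classify the exportIAMRoleFunction call in one workflow file's text."""
    root = ET.fromstring(xml_text)  # the default parser drops comments
    active = [f for f in root.iter("function") if f.get("name") == "exportIAMRoleFunction"]
    if not active:
        in_comment = any("exportIAMRoleFunction" in c
                         for c in re.findall(r"<!--(.*?)-->", xml_text, re.S))
        return "commented-out" if in_comment else "absent"
    for func in active:
        args = {a.get("name"): (a.text or "").strip() for a in func.iter("arg")}
        value = args.get("iamConnectionName", "")
        if not value:
            return "enabled-but-no-connection"
        if value != connection_name:
            return "wrong-connection:" + value
    return "ok"

def audit(files, connection_name):
    """files maps file name -> XML text; returns {file name: state} for the four workflows."""
    return {name: (export_state(files[name], connection_name) if name in files else "file-missing")
            for name in WORKFLOW_FILES}

def _wf(body):  # constructed minimal wrapper; real workflow files contain many more steps
    return f'<workflow><step id="6" name="Finish">{body}</step></workflow>'

CALL = ('<function name="exportIAMRoleFunction" type="spring">'
        '<arg name="bean.name">exportIAMRoleFunction</arg>'
        '<arg name="iamConnectionName">{}</arg></function>')
SAMPLE = {  # constructed: one correct file, one untouched, one half-edited, one not supplied
    "role-creation-workflow.xml": _wf(CALL.format("OIM-Prod")),
    "role-modification-workflow.xml": _wf("<!--" + CALL.format("") + "-->"),
    "role-user-membership-workflow.xml": _wf(CALL.format("")),
}

print(audit(SAMPLE, "OIM-Prod"))
```
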