15 Understanding ICF Best Practices and FAQs

This chapter lists the best practices and Frequently Asked Questions (FAQ) on ICF. They are discussed in the following sections:

15.1 Best Practices for ICF

The following are the best practices that you need to follow while using ICF:

  • Use the common scheduled tasks and ICFProvisioningManager.

  • Keep the IT Resource parameter count to a minimum. The IT Resource should contain only connectivity-related parameters; the rest belong in the Main Connector Configuration Lookup.

  • Scheduled Tasks

    • Use the scheduled tasks provided with the ICF Integration project, from the following directory path:

      iam/iam-product/features/icf-intg/src/main/xml

    • Stick with the parameters on the standard scheduled task.

    • If your connector requires custom task parameters, add them to your Main Connector Configuration Lookup, for example, Lookup.CONNECTOR_NAME.Configuration. Internally, these parameters are part of your Connector bundle configuration class (CONNECTOR_NAME.Configuration).

  • Logging in ICF Connectors:

    ICF Integration for Oracle Identity Manager logs all the input/output parameters of all calls to ICF Connector interfaces. You must ensure that the following points are observed when logging:

    • If required, you can enhance the logging with in-depth logging messages.

    • You must not log messages that involve password information or other sensitive data.

    • When a target-specific error occurs, wrap the target-specific exception in a ConnectorException and provide any additional details.

    • Turn on logging for ICF Common by enabling logging for the oracle.iam.connectors.icfcommon logger.

  • Connector Load Balancer

    • To use SSL-encrypted communication between Oracle Identity Manager and the connector servers, copy the SSL keystore to all connector server nodes and keep it consistent whenever the SSL key changes.

    • The connector server uses a proprietary (non-HTTP) protocol with SSL encryption. The load balancer must be able to handle this; some software load balancers support only HTTP protocols.

    • All connector server nodes behind the load balancer should contain the same set of bundles as installed in Oracle Identity Manager.
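The following is an added illustration of the logging guidance above (it is not code from the Oracle documentation or from any Oracle connector). It shows a connector operation that logs only non-sensitive inputs, keeps the password inside an ICF GuardedString so it never reaches a log line, and wraps the target system's own exception in a ConnectorException with the original as the cause. TargetClient and TargetException are hypothetical stand-ins for a real target system's SDK.

```java
import java.util.Arrays;

import org.identityconnectors.common.logging.Log;
import org.identityconnectors.common.security.GuardedString;
import org.identityconnectors.framework.common.exceptions.ConnectorException;

public class AccountOperations {

    private static final Log LOG = Log.getLog(AccountOperations.class);

    /** Hypothetical exception type thrown by the target system's client library. */
    static class TargetException extends Exception {
        private final int errorCode;
        TargetException(int errorCode, String message) {
            super(message);
            this.errorCode = errorCode;
        }
        int getErrorCode() {
            return errorCode;
        }
    }

    /** Hypothetical target client; a real connector would call the target's SDK here. */
    static class TargetClient {
        String createAccount(String login, char[] password) throws TargetException {
            if (login == null || login.isEmpty()) {
                throw new TargetException(1001, "login must not be empty");
            }
            return "uid-" + login.toLowerCase();
        }
    }

    private final TargetClient client = new TargetClient();

    public String createAccount(String login, GuardedString password) {
        // Log the non-sensitive input only; the password never appears in a log message.
        LOG.info("createAccount: login={0}", login);

        final char[][] clearText = new char[1][];
        try {
            // GuardedString.access() hands the clear text to the accessor; copy it so it
            // can be passed to the target and zeroed afterwards.
            password.access(new GuardedString.Accessor() {
                public void access(char[] chars) {
                    clearText[0] = Arrays.copyOf(chars, chars.length);
                }
            });
            String uid = client.createAccount(login, clearText[0]);
            LOG.info("createAccount: created uid={0}", uid);
            return uid;
        } catch (TargetException e) {
            // Wrap the target-specific error in ConnectorException, keep the original as
            // the cause and add the target's error code; no credential data in the message.
            LOG.error(e, "createAccount failed for login={0}, target code={1}", login, e.getErrorCode());
            throw new ConnectorException(
                "Target rejected account creation (code " + e.getErrorCode() + "): " + e.getMessage(), e);
        } finally {
            // Clear the copied password from memory regardless of the outcome.
            if (clearText[0] != null) {
                Arrays.fill(clearText[0], '\0');
            }
        }
    }
}
```

Because ICF Integration already logs every parameter of every interface call, the value of connector-side logging lies in context (which login, which target error code) rather than in repeating inputs; keeping the password as a GuardedString until the last moment is what prevents it from leaking through that logging.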

15.2 FAQs on ICF

The following are the FAQs on ICF:

  • Why does lookup reconciliation data contain a tilde (~)?

    The tilde (~) in lookup reconciliation separates lookups for different IT Resources. In the following example, Key is a programmatic key, whereas Value is a user-friendly display name:

    Lookup Key: <IT Resource Key>~<Lookup key>

    Lookup Value: <IT Resource Name>~<Lookup value>

  • What is bulk attribute update and how do I set it up?

    Bulk attribute update in OIM means that all changed attributes are sent to the connector in one batch, instead of each attribute being updated individually (the default).

    To enable your connector for bulk attribute update, make sure that:

    • all your attributes have their respective process tasks for individual updates, typically named ATTRIBUTE_NAME updated.

    • you have an extra process task named UD_FORM_NAME updated. This task is used for the bulk update.

  • Search-based versus sync-based reconciliation: when to use what?

    It depends on the capabilities of the connector and target resource. Most connectors support search; some of them (for example, LDAP) support the sync operation too. Where available, sync-based reconciliation is preferred because it is more efficient.

    Sync-based reconciliation is more efficient than search-based reconciliation because it can process both additions and removals in one run. With search-based reconciliation, you must run search reconciliation first and then run search delete reconciliation, which is double the effort.

  • How to configure Connector Pooling?

    See Release 11.1.1.5.0 version of the Connector documentation for information about Connector Pooling and its configuration.

  • How to use Groovy to extend connector functionality?

    To make a connector extendable, implement the ScriptOnConnector or ScriptOnResource ICF APIs. Connectors support various scripting languages, depending on the target resource's capabilities. Always refer to the connector documentation to learn which scripting languages a given connector supports. See Chapter 14, "Configuring ICF Connectors" for more information about how to customize the connector.

    Note:

    Groovy scripting may or may not be supported for all connectors.

  • What are the basic requirements (such as memory, disk space, CPU, and so on) for Connector Server?

    The connector server can run in any Java 1.5 or 6 environment. The requirements are the same as those of Java and Oracle Identity Manager.

    See Release 11.1.1.5.0 version of the Connector documentation for the supported versions of JDK and Oracle Identity Manager.

  • Does one connector server version support all ICF Connector versions?

    The Connector Server version equals the ICF version. ICF is backward compatible with previously released connector versions.

  • How do I troubleshoot connector server related issues?

    Set the log level to FINEST in the logging configuration file of the Connector Server. If the default port 8759 is already in use, set a different port number in the Connector Server configuration.

  • When should a connector be deployed on the Connector Server, and when locally into Oracle Identity Manager?

    Only .NET connectors require the Connector Server; other connectors can be deployed directly into Oracle Identity Manager.

    Advantages of the Connector Server:

    Increased security, as only one open port is needed for the Connector Server.

    Disadvantages of the Connector Server:

    Increased overhead of communication between Oracle Identity Manager and the Connector Server.
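The following is an added example for the lookup reconciliation FAQ above (the tilde-separated Key and Value entries); it is not code from the Oracle documentation or from Oracle Identity Manager. It builds and decodes "<IT Resource Key>~<Lookup key>" and "<IT Resource Name>~<Lookup value>" entries and filters a reconciled lookup down to one IT Resource. Splitting on the first tilde only is this example's own choice, made so that a lookup value that itself contains "~" survives the round trip; the IT Resource keys and names are constructed sample data.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public final class TildeLookupCodec {

    private static final char SEPARATOR = '~';

    /** Encodes one side of an entry. The IT Resource part must not contain the separator. */
    public static String encode(String itResourcePart, String lookupPart) {
        if (itResourcePart == null || itResourcePart.isEmpty() || itResourcePart.indexOf(SEPARATOR) >= 0) {
            throw new IllegalArgumentException("IT Resource part must be non-empty and must not contain '~'");
        }
        if (lookupPart == null) {
            throw new IllegalArgumentException("lookup part must not be null");
        }
        return itResourcePart + SEPARATOR + lookupPart;
    }

    /** Decodes one side of an entry into {itResourcePart, lookupPart}; rejects entries without a prefix. */
    public static String[] decode(String encoded) {
        int idx = encoded == null ? -1 : encoded.indexOf(SEPARATOR);
        if (idx <= 0) {
            throw new IllegalArgumentException("not a lookup reconciliation entry: " + encoded);
        }
        // Only the first tilde is the separator; any later tilde belongs to the lookup part.
        return new String[] { encoded.substring(0, idx), encoded.substring(idx + 1) };
    }

    /**
     * Returns the entries of a reconciled lookup that belong to one IT Resource, with the
     * prefixes stripped so the result maps plain lookup keys to plain display values.
     */
    public static Map<String, String> entriesFor(Map<String, String> reconciledLookup, String itResourceKey) {
        Map<String, String> result = new LinkedHashMap<String, String>();
        for (Map.Entry<String, String> e : reconciledLookup.entrySet()) {
            String[] key = decode(e.getKey());
            if (key[0].equals(itResourceKey)) {
                result.put(key[1], decode(e.getValue())[1]);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: two IT Resources (keys 21 and 22) reconciled into one lookup.
        Map<String, String> lookup = new LinkedHashMap<String, String>();
        lookup.put(encode("21", "cn=admins,dc=example,dc=com"), encode("LDAP Prod", "Administrators"));
        lookup.put(encode("21", "cn=users,dc=example,dc=com"), encode("LDAP Prod", "Users"));
        lookup.put(encode("22", "cn=users,dc=test,dc=com"), encode("LDAP Test", "Users ~ test tenant"));

        // Show only the entries that belong to IT Resource 22, with prefixes removed.
        for (Map.Entry<String, String> e : entriesFor(lookup, "22").entrySet()) {
            System.out.println(e.getKey() + " -> " + e.getValue());
        }
    }
}
```

Filtering by the IT Resource Key rather than by the display name is deliberate: the key is the programmatic part, while the name in the Value side is only for display and may be renamed.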
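The following is an added example for the Groovy FAQ above (implementing ScriptOnConnector to make a connector extendable); it is not code from the Oracle documentation or from any Oracle connector. It shows the scripting part of a hypothetical connector class: the operation refuses languages that the connector is not configured to support, logs only argument names (never values, which may carry credentials), and runs the script through the ICF ScriptExecutorFactory. The allowed-language set is assumed to come from the connector's configuration in a real implementation; whether Groovy support is available depends on the deployment, as the Note above says.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.identityconnectors.common.logging.Log;
import org.identityconnectors.common.script.ScriptExecutor;
import org.identityconnectors.common.script.ScriptExecutorFactory;
import org.identityconnectors.framework.common.exceptions.ConnectorException;
import org.identityconnectors.framework.common.objects.OperationOptions;
import org.identityconnectors.framework.common.objects.ScriptContext;
import org.identityconnectors.framework.spi.operations.ScriptOnConnectorOp;

/** Fragment of a hypothetical connector; only the scripting operation is shown. */
public class ScriptableConnectorFragment implements ScriptOnConnectorOp {

    private static final Log LOG = Log.getLog(ScriptableConnectorFragment.class);

    // Languages this connector is willing to run, for example a set containing "GROOVY".
    // Assumed to be populated from the connector configuration in a real connector.
    private final Set<String> allowedLanguages;

    public ScriptableConnectorFragment(Set<String> allowedLanguages) {
        this.allowedLanguages = allowedLanguages;
    }

    public Object runScriptOnConnector(ScriptContext request, OperationOptions options) {
        String language = request.getScriptLanguage();
        if (language == null || !allowedLanguages.contains(language.toUpperCase())) {
            throw new ConnectorException("Scripting language not enabled for this connector: " + language);
        }
        String scriptText = request.getScriptText();
        if (scriptText == null || scriptText.trim().isEmpty()) {
            throw new ConnectorException("Script text is empty");
        }

        // Log the language and the argument names only; argument values may be sensitive.
        LOG.info("runScriptOnConnector: language={0}, argumentNames={1}",
                language, request.getScriptArguments().keySet());

        // ICF resolves the executor for the requested language; the script is compiled once.
        ScriptExecutorFactory factory = ScriptExecutorFactory.newInstance(language);
        ScriptExecutor executor = factory.newScriptExecutor(getClass().getClassLoader(), scriptText, true);

        // The script sees exactly the caller-supplied arguments and nothing else from the connector.
        Map<String, Object> bindings = new HashMap<String, Object>(request.getScriptArguments());
        try {
            return executor.execute(bindings);
        } catch (Exception e) {
            // Wrap the scripting engine's exception so callers see a ConnectorException.
            throw new ConnectorException("Script execution failed", e);
        }
    }
}
```

Checking the language against a configured set, rather than passing whatever the request names straight to ScriptExecutorFactory, keeps the connector's supported-language list an explicit part of its configuration, which is what the connector documentation referred to above documents for each connector.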