Oracle® Identity Manager Connector Guide for Database Tables Release 9.0.1 Part Number B31115-01 |
|
|
View PDF |
Deploying the connector involves the following steps:
This chapter also discusses the following postdeployment steps:
The following table lists the deployment requirements for the connector.
In addition to the requirements mentioned in the preceding table, you must ensure that the following requirements are addressed:
JDBC connectivity is available to the target database.
The target database application schema is analyzed and the corresponding XML file is available according to the IT resource definition.
The JDBC driver and Xerces classes are available in the Oracle Identity Manager classpath.
For secure connectivity to the target database, the required configuration has been performed on the database server.
For successful provisioning and reconciliation, you must analyze and configure the schema of the target application according to the configuration XML file. The configuration file is validated against the XML schema for database applications. Therefore, it is recommended that you review the schema before creating the XML file.
The configuration XML file can be divided into the following sections:
This section is used to identify the target application. The purpose of this section is to provide information that simplifies maintenance of the configuration file.
Section | Description | Attributes |
---|---|---|
Database |
Name of the database | name |
target_app_name |
Name of the application | None |
target_app_ver |
Version of the application | None |
target_app_provider |
Vendor or provider of the application | None |
This section contains information that is used to configure the database connection properties.
See Also:
"Security Considerations"This section is used to keep track of the configuration files modification history.
This section is divided into operations. Each operation is further divided into one or more tasks. The number of tasks in an operation depends on the number of tables involved in the operation. Tasks are divided into columns depending on the target application table.
The following table explains the organization of the database_adapter
section.
Description of the Section | Description of the Attributes | Possible Values of the Attributes |
---|---|---|
operation
Each operation is linked with an Oracle Identity Manager connector. |
name
Type of Oracle Identity Manager operation |
create, update, delete, reconcileCreateUpdate, or reconcileDelete |
task
Each operation is divided into one or more tasks. The number of tasks in an operation depends on the number of tables involved in the operation. |
table_name
Name of the table on which the task is going to operate |
Any valid table name |
xeltask_type
Type of task in the database |
insert, update, delete, or select |
|
column
It is a representation of a single column in the target application table. |
col_name
Name of the column |
Any valid column name |
data_type
Data type |
VARCHAR, VARCHAR2, CHAR, LONGVARCHAR, REAL, DOUBLE, NUMERIC, DECIMAL, FLOAT, DATE, TIME, TIMESTAMP, NULL, BOOLEAN, OTHER, or INTEGER |
|
data_typ_size
Data type size |
20 |
|
col_info
Table indexing and relation to other tables |
primary or secondary |
|
required
Specifies whether or not the value of this column can be NULL |
true or false |
|
col_type
Data source for the column to be used while creating a user |
xellerate, default, substitute, or interface
|
|
xel_data_source
If If If |
<mapped attributes name>/"E"/ SYSDATE | |
encrypt
Specifies whether or not this data must be encrypted |
true or false |
|
reconcile
Specifies whether or not this field can be reconciled |
true or false |
|
encryption_impl
Encryption method implementation class that provides this operation |
Any fully qualified class name | |
look_up_group
Grouping of lookup fields |
logic_operator
Used to connect two lookup groups with an operator |
AND or OR |
record_lookup_key
This tag is used to collect the information required to identify a particular record in a table. Note that multiple lookup keys can be used to identify a record in a table. |
logic_operator
Used to connect two record lookup keys (column) with an operator in a group |
AND or OR |
comparison_operator
Operator used to compare the data with the given data for the column |
<
|
|
table_name
Name of the table |
Any table name | |
col_name
Name of the column |
Any column name | |
data_type
Data type |
VARCHAR, VARCHAR2, CHAR, LONGVARCHAR, REAL, DOUBLE, NUMERIC, DECIMAL, FLOAT, DATE, TIME, TIMESTAMP, NULL, BOOLEAN, OTHER, or INTEGER |
|
data_typ_size
Data type size |
20 |
|
col_info
Table indexing and relation to other tables |
primary or secondary |
|
required
Specifies whether or not the value of this column can be NULL |
true or false |
|
col_type
In addition, the following tag is applicable here:
This tag holds the common column to match for select query. |
Xellerate and Default |
|
xel_data_source
In addition to the description in the |
<mapped attributes name> /"E"/ SYSDATE |
Consider the following target database tables in Oracle Database.
MDL2_USER_PROF
Field Name | Type and Length | Comments | Required/Optional |
---|---|---|---|
USR_ID |
VARCHAR(20) |
Primary Key | Required |
USR_FIRST_NAME |
VARCHAR(60) |
None | Required |
USR_LAST_NAME |
VARCHAR(60) |
None | Required |
USR_PASSWORD |
VARCHAR(40) |
None | Required |
USR_STATUS |
VARCHAR(5) |
Default value is true |
Required |
USR_LAST_UPDATE |
DATE |
SYSDATE |
Required |
MDL2_USER_ADDN_DET
Field Name | Type and Length | Comments | Required/Optional |
---|---|---|---|
USR_ID |
VARCHAR(20) |
Foreign Key | Required |
USR_GROUP |
VARCHAR(50) |
None | Optional |
USR_ROLE |
VARCHAR(50) |
None | Optional |
USR_TITLE |
VARCHAR(50) |
None | Optional |
USR_DEPT |
VARCHAR(50) |
None | Optional |
USR_EMAIL |
VARCHAR(60) |
None | Optional |
USR_COMM_LANG |
VARCHAR(50) |
None | Optional |
USR_LOGON_LANG |
VARCHAR(50) |
None | Optional |
USR_TEL_NO |
VARCHAR(15) |
None | Optional |
USR_TIME_ZONE |
VARCHAR(50) |
None | Optional |
USR_DATE_FMT |
VARCHAR(50) |
None | Optional |
USR_DEC_NTN |
VARCHAR(50) |
None | Optional |
USR_LAST_UPDATE |
DATE |
SYSDATE |
Required |
Sample configurations discussed in the following sections are based on the structure of these two tables:
To create a user, the configuration XML must contain the table name, column names, and properties of each column. This is illustrated in the following sample XML code.
<operation name="create"> <task table_name="XELUSER1.MDL2_USER_PROF" xeltask_type="insert"> <column col_name="USR_ID" data_type="VARCHAR2" data_typ_size="20" col_info="primary" required="true" col_type="xellerate" xel_data_source="xel_usr_id" /> <column col_name="USR_FIRST_NAME" data_type="VARCHAR2" data_typ_size="60" required="true" col_type="xellerate" xel_data_source="xel_usr_first_name" /> <column col_name="USR_LAST_NAME" data_type="VARCHAR2" data_typ_size="60" required="true" col_type="xellerate" xel_data_source="xel_usr_last_name" /> <column col_name="USR_PASSWORD" data_type="VARCHAR2" data_typ_size="40" required="true" col_type="xellerate" xel_data_source="xel_usr_password" encrypt="false" reconcile="false" encryption_impl= "com.thortech.xl.integration.dbadapter.security.EncryptionSu pportImpl" /> <column col_name="USR_LAST_UPDATE" data_type="DATE" data_typ_size="60" required="true" col_type="substitute" xel_data_source="sysdate" /> </task> <task table_name="XELUSER1.MDL2_USER_ADDN_DET" xeltask_type="insert"> <column col_name="USR_ID" data_type="VARCHAR2" data_typ_size="20" col_info="primary" required="true" col_type="xellerate" xel_data_source="xel_usr_id" /> <column col_name="USR_GROUP" data_type="VARCHAR2" data_typ_size="50" required="true" col_type="xellerate" xel_data_source="xel_usr_group" /> <column col_name="USR_ROLE" data_type="VARCHAR2" data_typ_size="50" required="false" col_type="xellerate" xel_data_source="xel_usr_role" /> <column col_name="USR_TITLE" data_type="VARCHAR2" data_typ_size="50" required="false" col_type="xellerate" xel_data_source="xel_usr_title" /> <column col_name="USR_DEPT" data_type="VARCHAR2" data_typ_size="50" required="false" col_type="xellerate" xel_data_source="xel_usr_dept" /> <column col_name="USR_EMAIL" data_type="VARCHAR2" data_typ_size="60" required="false" col_type="xellerate" xel_data_source="xel_usr_email" /> <column col_name="USR_COMM_LANG" data_type="VARCHAR2" data_typ_size="50" required="false" col_type="xellerate" xel_data_source="xel_usr_comm_lang" /> <column col_name="USR_LOGON_LANG" data_type="VARCHAR2" data_typ_size="50" required="false" col_type="xellerate" xel_data_source="xel_usr_logon_lang" /> <column col_name="USR_TEL_NO" data_type="VARCHAR2" data_typ_size="15" required="false" col_type="xellerate" xel_data_source="xel_usr_tel_no" /> <column col_name="USR_TIME_ZONE" data_type="VARCHAR2" data_typ_size="50" required="false" col_type="xellerate" xel_data_source="xel_usr_time_zone" /> <column col_name="USR_DATE_FMT" data_type="VARCHAR2" data_typ_size="50" required="false" col_type="xellerate" xel_data_source="xel_usr_date_fmt" /> <column col_name="USR_DEC_NTN" data_type="VARCHAR2" data_typ_size="50" required="false" col_type="xellerate" xel_data_source="xel_usr_dec_ntn" /> <column col_name="USR_LAST_UPDATE" data_type="DATE" data_typ_size="60" required="true" col_type="substitute" xel_data_source="sysdate"/> </task> </operation>
The update operation requires lookup information for identifying the user and properties of the columns that are to be updated. This is illustrated in the following sample XML code.
<operation name="update" xel_data_source="xel_usr_dept"> <task table_name="XELUSER1.MDL2_USER_ADDN_DET" xeltask_type="update"> <column col_name="USR_DEPT" data_type="VARCHAR2" data_typ_size="50" required="true" col_type="xellerate" xel_data_source="xel_usr_dept" /> <column col_name="USR_LAST_UPDATE" data_type="DATE" data_typ_size="60" required="true" col_type="substitute" xel_data_source="sysdate" /> <look_up_group logic_operator="NA"> <record_lookup_key table_name="XELUSER1.MDL2_USER_ADDN_DET" logic_operator="NA" comparison_operator="=" col_name="USR_ID" data_type="VARCHAR2" data_typ_size="20" required="true" col_type="xellerate" xel_data_source="xel_usr_id"/> </look_up_group> </task> </operation>
The update password operation works the same way as the update user operation. In addition, it performs data encryption if the encrypt
attribute is set to true
. In such a situation, the Java class corresponding to the EncriptionSupportInf
implementation class name from the encryption_impl
attribute is loaded and used for data encryption before it is updated into the database.
This is illustrated in the following sample XML code.
<operation name="update" xel_data_source="xel_usr_password"> <task table_name="XELUSER1.MDL1_USER_PROF" xeltask_type="update"> <column col_name="USR_PASSWORD" data_type="VARCHAR2" data_typ_size="40" required="true" col_type="xellerate" xel_data_source="xel_usr_password" encrypt="true" reconcile="false" encryption_impl= "com.thortech.xl.integration.dbadapter.security.EncryptionSu pportImpl" /> <column col_name="USR_LAST_UPDATE" data_type="DATE" data_typ_size="60" required="true" col_type="substitute" xel_data_source="sysdate" /> <look_up_group logic_operator="NA"> <record_lookup_key table_name="XELUSER1.MDL1_USER_PROF" logic_operator="NA" comparison_operator="=" col_name="USR_ID" data_type="VARCHAR2" data_typ_size="20" required="true" col_type="xellerate" xel_data_source="xel_usr_id"/> </look_up_group> </task> </operation>
The delete operation requires only lookup information to find the user. Column information is used to find the user in the table. The following is sample configuration XML code based on the structure of the MDL2_USER_PROF
and MDL2_USER_ADDN_DET
tables.
The lookup_up_group
tags are used to group lookup conditions provided in record_lookup_key.
Note:
There are two tasks to delete the user record from both tables. It is important to run the task related to the secondary table before the primary table task. If the order is not correct, then a referential integrity exception is thrown.<operation name="delete"> <task table_name="XELUSER1.MDL2_USER_PROF" xeltask_type="delete"> <look_up_group logic_operator="NA"> <record_lookup_key logic_operator="NA" comparison_operator="=" col_name="USR_ID" data_type="VARCHAR2" data_typ_size="20" required="true" col_type="xellerate" xel_data_source="xel_usr_ id"/> </look_up_group> </task> <task table_name="XELUSER1.MDL1_USER_PROF" xeltask_type="delete"> <look_up_group logic_operator="NA"> <record_lookup_key logic_operator="NA" comparison_operator="=" col_name="USR_ID" data_type="VARCHAR2" data_typ_size="20" required="true" col_type="xellerate" xel_data_source="xel_usr_ id"/> </look_up_group> </task> </operation>
The connector files to be copied and the directories to which you must copy them are given in the following table.
Note:
The directory paths given in the first column of this table correspond to the location of the connector files in the following ZIP file on the installation media:Database Servers\Database Application Table\Database Application Table Rev 2.1.1.zip
Refer to "Files and Directories That Comprise the Connector" for more information about these files.
Copy the following files to the xellerate_home
\xellerate\ext
directory:
classes12.zip
(for Oracle Database) or jconn2.jar
(for Sybase)
xerces.jar
To import the connector XML file into Oracle Identity Manager:
Open the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management. A dialog box for locating files is displayed.
Locate and open the DBTablesresadp.xml
file, which is in the xellerate_home
\xellerate\XLIntegrations\xml\Xellerate Config
directory. Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Next. The Provide IT Resource Instance Data page for the Oracle
IT resource is displayed.
Specify values for the parameters of the Oracle
IT resource. Use the table given in the "Defining IT Resources" section for information about the values to be specified.
Click Next. The Provide IT Resource Instance Data page for a new instance of the Database
IT resource type is displayed.
Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.
See Also:
If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.Click View Selections.
The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. You must remove these nodes. To do this, right-click each such node and then select Remove.
Click Import. The connector file is imported into Oracle Identity Manager.
After you import the connector XML file, proceed to the "Step 5: Configuring Reconciliation" section.
You must specify values for the Oracle
IT resource parameters listed in the following table.
Parameter Name | Parameter Description |
---|---|
Database User ID |
Database user ID on the target database
Sample value: |
Database Password |
Database user password on the target database
Sample value: |
Database URL |
JDBC URL for the target database
Sample value: |
Database Driver |
JDBC driver class
Sample value: |
Application Name |
Target application name
Sample value: |
Configuration XML Path |
Database connector configuration XML file path |
Reconciliation Timestamp |
Variable to store last create/update reconciliation time. This value is updated by the reconciliation adapter. You need not manually provide any data. |
After you specify values for these IT resource parameters, go to Step 9 of the procedure to import connector XML files.
Configuring reconciliation involves creating the reconciliation scheduled task.
To create this scheduled task:
Expand the Xellerate Administration folder.
Select Task Scheduler.
Click Find. The details of the predefined scheduled task are displayed.
Enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager should attempt to complete the task before assigning the ERROR
status to the task.
Ensure that the Disabled and Stop Execution check boxes are cleared.
In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.
In the Interval region, set the following schedule parameters:
To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.
If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.
To set the task to run only once, select the Once option.
Provide values for the attributes of the scheduled task. Refer to the appropriate table in the "Specifying Values for the Scheduled Task Attributes"section for information about the values to be specified.
See Also:
Oracle Identity Manager Design Console Guide for information about adding and removing task attributesClick Save. The scheduled task is created. The INACTIVE
status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.
After you define the scheduled task, proceed to the "Step 6: Compiling Adapters" section.
You must specify values for the following attributes of the reconciliation scheduled task.
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.Attribute | Description |
---|---|
resource |
Name of the IT resource for which the reconciliation process is to be run |
application |
Name of the target database application that should be reconciled |
objectName |
Resource object name of the connector |
After you specify values for these scheduled task attributes, go to Step 10 of the procedure to create scheduled tasks.
The following adapters are imported into Oracle Identity Manager when you import the XML connector file. You must compile these adapters before you can use them to provision accounts on the target system.
DBRES Create User
DBRES Update First Name
DBRES Update Last Name
DBRES Update Password
DBRES Update Status
DBRES Update Title
DBRES Update Department
DBRES Update Email
DBRES Update Communication Language
DBRES Update Logon Language
DBRES Update Time Zone
DBRES Update Date Format
DBRES Update Telephone Number
DBRES Update Decimal Notation
DBRES Delete User
To compile adapters by using the Adapter Manager form:
Open the Adapter Manager form.
To compile all the adapters that you import into the current database, select the Compile All option.
To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select the Compile Selected option.
Click Start. Oracle Identity Manager compiles the adapters that you specify.
To view detailed information about an adapter:
Highlight the adapter in the Adapter Manager form.
Double-click the row header of the adapter, or right-click the adapter.
Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.
This section outlines security considerations that you must address when working with this connector. The following topics are discussed in this section:
It is possible to establish secure JDBC connectivity with the target database by including the appropriate configuration in the configuration XML file and enabling the database server. Note that the security configuration differs with respect to the target database.
Configuration for Oracle Database
The following is the security configuration for Oracle Database:
<target_database> <database name="Oracle"> <properties> <encryption_nego_level impl_class_name="oracle.net.encryption_ client" value ="REQUESTED"/> <encryption_algorithm impl_class_name="oracle.net.encryption_ client" value="DES40"/> <crypto_seed impl_class_name="oracle.net.crypto_seed" value="xelsysadmin_seed"/> <crypto_checksum_level impl_class_name="oracle.net.crypto_checksum_client" value="REQUIRED"/> <crypto_checksum_client impl_class_name="oracle.net.crypto_checksum_types_client" value="MD5"/> </properties> </database </target_database>
This configuration contains the security properties to be provided to the JDBC driver for establishing a secure connection to Oracle Database. Note that if these parameters are not provided, then a nonsecure JDBC connection is established to the target database.
The following are the permitted values for each configuration parameter mentioned earlier.
Properties | Possible Values |
---|---|
encryption_nego_level |
REJECTED, ACCEPTED, REQUESTED, or REQUIRED |
encryption_algorithm |
RC4_256, RC4_128, RC4_56, RC4_40, AES256, AES192, AES128, 3DES168, 3DES112, DES, or DES40 |
crypto_seed |
Encryption Seed |
crypto_checksum_level |
REJECTED, ACCEPTED, REQUESTED, or REQUIRED |
crypto_checksum_client |
MD5 or SHA1 |
The following is the security configuration for Sybase:
<target_database> <database name="Sybase"> <properties> <cipher_suites impl_class_name="CIPHER_SUITES_1" value="SSL_DH_anon_EXPORT_WITH_RC4_40_MD5"/> </properties> </database> </target_database>
The possible values for cipher suite are as follows:
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
You can implement third-party encryption and decryption algorithms when you use this connector. The connector exposes the EncryptionSupportIntf
interface, which must be implemented by the target database developer and made available in the Oracle Identity Manager classpath.
While configuring the encryption for a column, the fully qualified class name must be provided. Before updating the data in the database, the connector encrypts the data. If reconciliation of the encrypted password is possible, then the decryption method is used to retrieve the actual password and to reconcile the password to Oracle Identity Manager.
The following table provides solutions to some commonly encountered issues associated with this connector.
Problem Description | Returned Error Code | Solution |
---|---|---|
Oracle Identity Manager cannot establish a connection to the target database. | DATABASE CONNECTION FAILED |
|
DATABASE DRIVER NOT LOADED |
Ensure that the database driver is available in the Oracle Identity Manager classpath. | |
A provisioning operation fails with an error code other than those described in the following rows. | CONFIGURATION ERROR |
|
DATA SIZE MISMATCH |
Ensure that the data size of the user profile attributes in the XML file adheres to the process form limitations. | |
MANDATORY FIELD MISSING |
|
|
DATABASE OPERATION FAILED |
|
|
Create User provisioning operation fails | USER ALREADY EXISTS |
Check if the target database table already has a record with the same user ID (or a combination of whichever primary key fields exist for the table). |
Create User or Reset Password provisioning operation fails | ENCRYPTION INTERFACE MISSING |
Check if password encryption is set to true in the configuration XML file.
Ensure that the encryption interface implementation class is available in the Oracle Identity Manager classpath. |
ENCRYPT/DECRYPT ERROR |
This error occurs if an exception is thrown from the encryption implementation class.
|
|
Update Any User Profile Attribute, Delete a User, or Revoke a Provisioned Resource Object from a User provisioning operation fails | USER DOES NOT EXIST |
Check if the record for the user for whom the provisioning operation is attempted exists in the target database tables. |