Oracle® Identity Manager Password Synchronization Module for Microsoft Active Directory Installation and Configuration Guide
Release 9.0.1

Part Number B31129-01

2 Deploying the Password Synchronization Module

This guide covers two scenarios:

Deploying the password synchronization module involves completing the following general procedures:

Step 1: Preparing to Install the Password Synchronization Module

To prepare for installation, first verify that the following deployment requirements are met:

Item                        Requirement
Microsoft Active Directory  Active Directory Server
Host operating system       Any one of the following:
  • Microsoft Windows 2000, Server Edition with SP4
  • Microsoft Windows Server 2003

Note:

You must install a separate instance of the password synchronization module on each Active Directory domain controller for which you require password synchronization to the user account stores managed by Oracle Identity Manager.

The installation files for the password synchronization module are compressed in the following ZIP file on the installation media:

Directory Servers\Microsoft Active Directory\Microsoft Active Directory Password Sync Rev 4.4.0.zip

After verifying the deployment requirements, copy the ZIP file to a temporary directory on the Oracle Identity Manager server. Extract the contents of the ZIP file into this directory.

See Also:

Refer to the "Files and Directories That Comprise the Password Synchronization Module" section for more information about these files.

Step 2: Enabling Password Policies for Active Directory

To activate password policies for Active Directory:

  1. On the computer hosting the Active Directory domain controller on which you are installing the password synchronization module, start the Domain Security Policy application.

    To do this, on the Microsoft Windows computer, click the Start menu, Programs, Administrative Tools, and Domain Security Policy.

  2. If you are using Microsoft Active Directory 2003, then directly proceed to the next step.

    If you are using Microsoft Active Directory 2000, then select Window Settings on the left pane of the Domain Security Policy application window and then proceed to the next step.

  3. Select Security Settings, select Account Policies, and then click Password Policy. The Security Policy Setting dialog box is displayed.

  4. In the Security Policy Setting dialog box, select Define this policy setting, select Enabled, and then click OK.

Step 3: Installing the Password Synchronization Module

To install the password synchronization module:

  1. On the computer hosting the Active Directory domain controller where you are installing the password synchronization module:

    1. Open Microsoft Windows Explorer.

    2. Navigate to the temporary directory into which you extracted the contents of the installation media ZIP file.

    3. Double-click the setup_ad.exe file to start the installer.

  2. Read the text on the Welcome page, and then click Next.

  3. On the Target Directory page, you can either accept the default installation directory or specify the path to the directory in which you want to install the module. For example, you can specify a path similar to the following:

    C:\OracleProvisioningAD

    Alternatively, you can use the Browse button to navigate to the installation directory.

  4. Click Next.

    The installer creates a directory named adsynch inside the installation directory that you specify. Then, it copies the password synchronization module components into the adsynch directory and creates certain directories inside the adsynch directory.

    Note:

    From this point onward, this guide refers to the directory user_specified_install_directory\adsynch as ADSYNC_HOME.
  5. On the Application Server page, specify the application server that is hosting the Oracle Identity Manager server to which the Active Directory domain controller will connect. Then, click Next.

    Note:

    If you specify IBM WebSphere as the application server, then perform the next step. Otherwise, directly proceed to Step 7.
  6. On the WebSphere Directory page, specify the path to the directory where the IBM WebSphere Application Client is installed, on the computer where you are installing the module. Then, click Next.

  7. On the JRE page, specify the JRE option that you want to use with the module. The following choices are available:

    • JRE bundled with Oracle Identity Manager

    • An existing JRE 1.4.2 installation on the computer where you are installing the password synchronization module. The following table lists the appropriate JRE version for the supported application servers.

    Application Server         Required JRE                Comments
    JBoss Application Server   Sun JRE 1.4.2_09 or later   No version of Sun JRE 1.5 is supported.
    BEA WebLogic               Sun JRE 1.4.2_09 or later   No version of Sun JRE 1.5 is supported.
    IBM WebSphere              IBM JRE 1.4.2_x             Available as part of the IBM WebSphere Application Client installation

    For an existing JRE installation, you must specify the path to the installation. Then, click Next.

  8. On the System Administration page, specify the account name and password required to log in to the Oracle Identity Manager server.

    The default account for login is xelsysadm.

    After specifying the required information, click Next.

  9. On the Application Server Configuration page, specify the following:

    • The host name of the application server hosting Oracle Identity Manager

    • The naming port associated with the application server. The following table lists the default naming ports for the supported application servers.

      Application Server         Default Naming Port
      JBoss Application Server   1099
      BEA WebLogic               7001
      IBM WebSphere              2809

    If the application server for Oracle Identity Manager uses a nondefault naming port, then use that port number and consult your system administrator for additional guidance.

    After you specify the required information, click Next.

  10. On the Summary page, verify that the installation directory for the module, which you specified on the Target Directory page, is displayed correctly.

    If you need to change the installation directory, click Back until you reach the Target Directory page, make the required corrections, and then proceed through the installation sequence again.

    When the installation directory is displayed correctly, click Install.

  11. The Complete page displays the following message to indicate successful installation:

    The Oracle Identity Manager Installer has successfully installed Oracle Identity Manager AD Password Synchronization.

    Click Finish to close the installer.

  12. Restart the computer.

Files Copied During the Password Synchronization Module Installation

The following table lists the installation locations for the key components of the password synchronization module.

File Description
Windows_System32_Directory\Adsync.dll
This file is registered as a listener for password changes on the Active Directory domain controller. Whenever an Active Directory password is changed, this DLL calls the Change Password script named ChangePassword.cmd.
ADSYNC_HOME\config\xlconfig.xml
This file contains all the user-configurable settings for the password synchronization module. Users can edit this file after installing the module. For details, see the "Step 5: Configuring the Password Synchronization Module" section.
ADSYNC_HOME\lib\xliADSync.jar
This JAR file contains the class files required by the Change Password script.
ADSYNC_HOME\ChangePassword.cmd
This script, which is called by adsync.dll in response to a password change, uses the correct classpath and command-line parameters to call the ChangePassword class, which is in the xliADSync.jar file.
ADSYNC_HOME\wsChangePassowrd.cmd
This is the version of the Change Password script that is used by IBM WebSphere.
ADSYNC_HOME\lib\xliADSync.ear
This file contains the class files required by the version of the Change Password script used by IBM WebSphere.

Step 4: Performing Postinstallation Steps for the Password Synchronization Module

Perform the following postinstallation steps:

  1. On the computer on which Oracle Identity Manager is installed:

    1. Navigate to the root installation directory for Oracle Identity Manager.

    2. Copy the following files from the ext directory to the ADSYNC_HOME\ext directory on the computer where you installed the password synchronization module:

      javagroups-all.jar (or jgroups-all.jar)

      oscache-2.0.2-22Jan04.jar (or oscache.jar)

    3. Copy the javagroups-all.jar or jgroups-all.jar file (whichever of these files exists in the \ext directory) to the ADSYNC_HOME\ext directory on the computer where you installed the password synchronization module.

    4. Copy the oscache-2.0.2-22Jan04.jar or oscache.jar file (whichever of these files exists in the \ext directory under the root installation directory of Oracle Identity Manager) to the ADSYNC_HOME\ext directory on the computer where you installed the password synchronization module.

  2. Determine the file appropriate for the particular application server hosting your Oracle Identity Manager server, and copy this file from the computer hosting Oracle Identity Manager to the appropriate directory on the computer where you installed the password synchronization module.

    The following table lists the application server-specific file that should be copied as well as the destination to which the file should be copied.

    Application Server         File to Be Copied
    JBoss Application Server   jbossall-client.jar
    BEA WebLogic               weblogic.jar

  3. Copy the JAR files from the XLCLIENT_HOME\lib directory on the computer hosting the Oracle Identity Manager Design Console to the ADSYNC_HOME\lib directory on the computer where you installed the password synchronization module.

  4. If you plan to run Oracle Identity Manager on a clustered application server, then:

    1. Establish a trust relationship between the computer hosting Oracle Identity Manager and the computer hosting the Active Directory domain controller on which you installed the password synchronization module.

    2. Add the host name of the computer hosting Oracle Identity Manager to the hosts file of the computer hosting the Active Directory domain controller on which you installed the password synchronization module.

    3. Edit the xlconfig.xml file associated with the password synchronization module you installed. This file is located in the ADSYNC_HOME\config directory.

      In the xlconfig.xml file, change the value of the <java.naming.provider.url> tag to the value stored in the same tag in the xlconfig.xml file associated with the instance of the Design Console that you previously installed as part of the Oracle Identity Manager deployment.

      Each instance of the xlconfig.xml file is in the config directory. This directory is in the root installation directory for the component with which the configuration file is associated. For example, the path of the xlconfig.xml file associated with the password synchronization module is as follows:

      ADSYNC_HOME\config\
      
      

      After you update the value of the <java.naming.provider.url> tag in the xlconfig.xml file associated with the password synchronization module, save and close the file.

Step 5: Configuring the Password Synchronization Module

After you complete installation of the password synchronization module, you can configure it by editing the xlconfig.xml file, which is located in the ADSYNC_HOME\config directory.

To configure the parameters in the xlconfig.xml file, first open the file by using any plain-text editor. The following table lists the elements you can configure within the <ADSync> tag in the xlconfig.xml file.

Tag Within the <ADSync> Tag   Description
<UserMatch> </UserMatch>
The MatchingMethod parameter specifies how Oracle Identity Manager matches an Oracle Identity Manager user to the Active Directory ID passed to the adsync.dll file. The first of the following three options is the default. Use it when every Oracle Identity Manager login ID matches the corresponding Active Directory user ID. When the Oracle Identity Manager login IDs and the Active Directory IDs do not match, use one of the remaining options.
  • UserID: The Active Directory user ID matches the Oracle Identity Manager user login.

  • UDF: The Active Directory user ID matches the user-defined field (UDF) specified in the FieldName attribute of the Oracle Identity Manager Users form.

  • ResourceField: The Active Directory user ID matches the field named in FieldName on the process form of the Oracle Identity Manager user to whom the resource object specified by ResourceObject is provisioned.

<Result> </Result>
This optional configuration element specifies where the result of the password change operation must be logged (apart from the adsync.log file). Values for the following parameters are provided as tags within the <Result> tag:
  • UpdateUDF: Set to True or False to update a status field in the Users form.

  • FieldName: Specify a field name when the UpdateUDF tag is set to True. For example, FieldName can be USR_UDF_STATUS.

  • FailureValue: This string goes into the status field if the password reset operation fails.

  • SuccessValue: This string goes into the status field if the password reset operation succeeds.

  • AppendTimeStamp: Set this to True or False to append a timestamp to the string in the status field.


The following example provides a listing of the original (default) contents of the <ADSync> tag:

<ADSync>
  <!-- 
  The Login section provides information about how the utility is authenticated.
  If UseSignature is true, the username is used for authentication, using the
  signature-based login. The key in the "PrivateKey" alias will be used.
  If UseSignature is false, the username and password are used for
  authentication.
  -->
  <Login>
   <UseSignature>false</UseSignature>
   <Username>xelsysadm</Username>
   <Password encrypted="true">tPzEM127PIQxO64w2g7wgw==</Password>
  </Login>
  <!-- 
  The Active Directory name should match an Oracle Identity Manager user name.
  If the MatchingMethod is UserID, the Active Directory user name is assumed to be
  the Oracle Identity Manager user name.
  For UDF, FieldName must contain the name of the User Defined field that
  contains the active directory user ID.
  For ResourceField, Process Forms of those Users who have ResourceObject
  specified will be searched to find the suitable user. This can be used if
  active directory is provisioned as an account, but not a trusted source.
  -->
  <UserMatch>
   <!-- UserID, UDF and ResourceField -->
   <MatchingMethod>UserID</MatchingMethod>
   <FieldName>UD_ADUSER_LOGIN</FieldName>
   <ResourceObject>AD User</ResourceObject>
  </UserMatch>
  <!-- 
  If required, a UDF field can be updated with the result of the operation and
  Timestamp so that additional workflow can be started.
  -->
  <Result>
   <UpdateUDF>false</UpdateUDF>
   <FieldName>USR_UDF_ADPWDRES</FieldName>
   <SuccessValue>SUCCESS</SuccessValue>
   <FailureValue>FAIL</FailureValue>
   <AppendTimeStamp>true</AppendTimeStamp>
  </Result>
</ADSync>


After you make the required changes to the user-configurable tags in the xlconfig.xml file, save and close the file.
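Before saving, the consistency rules from the table above can be checked mechanically. The following Python script is an added example, not part of the Oracle guide or product: it parses the <ADSync> section, applies those rules (a FieldName when MatchingMethod is UDF, a ResourceObject when it is ResourceField, a Result/FieldName when UpdateUDF is True), and additionally assumes, which the guide does not state, that a Password element without encrypted="true" holds the login credential in clear text.

```python
"""Added check, not Oracle's code: validate the <ADSync> section of an
xlconfig.xml file against the rules this step describes."""
import xml.etree.ElementTree as ET

VALID_METHODS = {"UserID", "UDF", "ResourceField"}

# Constructed sample: the guide's default block altered so that UDF matching has
# no FieldName, result logging has no FieldName and the password is unencrypted.
SAMPLE_XML = """<ADSync>
  <Login><Password encrypted="false">PLACEHOLDER</Password></Login>
  <UserMatch><MatchingMethod>UDF</MatchingMethod></UserMatch>
  <Result><UpdateUDF>true</UpdateUDF><SuccessValue>SUCCESS</SuccessValue>
          <FailureValue>FAIL</FailureValue></Result>
</ADSync>"""


def text_of(parent, tag):
    """Stripped text of a child element, or None when absent or empty."""
    node = parent.find(tag) if parent is not None else None
    return node.text.strip() if node is not None and node.text else None


def check_adsync(xml_text):
    """Return a list of findings; an empty list means the section is consistent."""
    root = ET.fromstring(xml_text)
    adsync = root if root.tag == "ADSync" else root.find(".//ADSync")
    if adsync is None:
        return ["no <ADSync> element found"]
    problems = []
    # Assumption (not stated by the guide): a Password element without
    # encrypted="true" stores the login credential in clear text on the DC.
    pwd = adsync.find("Login/Password")
    if pwd is not None and pwd.get("encrypted") != "true":
        problems.append('Login/Password is not marked encrypted="true"')
    match = adsync.find("UserMatch")
    method = text_of(match, "MatchingMethod")
    if method not in VALID_METHODS:
        problems.append(f"MatchingMethod {method!r} is not one of {sorted(VALID_METHODS)}")
    if method == "UDF" and not text_of(match, "FieldName"):
        problems.append("MatchingMethod UDF requires UserMatch/FieldName")
    if method == "ResourceField" and not text_of(match, "ResourceObject"):
        problems.append("MatchingMethod ResourceField requires UserMatch/ResourceObject")
    # Per the guide, FieldName must be given when UpdateUDF is True.
    result = adsync.find("Result")
    update = (text_of(result, "UpdateUDF") or "").lower() == "true"
    if update and not text_of(result, "FieldName"):
        problems.append("Result/UpdateUDF is true but Result/FieldName is missing")
    return problems


print(*(check_adsync(SAMPLE_XML) or ["no findings"]), sep="\n")
```

To check a real file, pass the contents of ADSYNC_HOME\config\xlconfig.xml to check_adsync instead of SAMPLE_XML; the script only reads the XML and never modifies it.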