Oracle® Identity Manager Connector Guide for Database User Management Release 9.0.2 Part Number B32153-01 |
Deploying the connector involves the following steps:
If you want to configure the connector for multiple installations of Database User Management, then perform the following procedure:
The following table lists the deployment requirements for the connector.
Item | Requirement |
---|---|
Oracle Identity Manager | Oracle Identity Manager release 8.5.3 or later |
Target systems | The target system can be any one of the following:
|
External code | The external code consists of the following files:
Note: These ZIP and JAR files are available in the corresponding database installation directories. |
Target system user account | Depending on the target system, the required user account is one of the following:
You provide the credentials of this user account while performing the procedure in the "Defining IT Resources" section. |
All of the required configuration information (such as tablespace name, default database, user name, and password) is provided in the form of parameters that are used by Oracle Identity Manager. This information is required to perform the procedure described in the "Defining IT Resources" section.
The following sections provide configuration instructions that are specific to the target system database:
You configure IBM DB2 UDB by ensuring that:
Authentication on IBM DB2 UDB is done through the operating system. Therefore, the user that you want to provision must already exist in the security system (local or domain) of the operating system on which the DB2 server runs.
For example, if you want to provision domain users, then the target IBM DB2 UDB server must be a member of the domain and the user that you want to provision must exist in that domain.
For databases or services that you want to provision, you must enter the relevant lookup codes, corresponding to the databases or services that already exist on the target systems, in the UD_Lookup.DB_Dbnames lookup definition.
For tablespaces that you want to provision, you must enter the relevant lookup codes, corresponding to the tablespaces that already exist on the target systems, in the UD_Lookup.DB_Tablespacenames lookup definition.
For schemas that you want to provision, you must enter the relevant lookup codes, corresponding to the schemas that already exist on the target systems, in the UD_Lookup.DB_Schemas lookup definition.
After you configure the IBM DB2 UDB installation, proceed to the "Step 3: Copying the Connector Files" section.
You configure Microsoft SQL Server by ensuring that:
The target database in which users are supposed to be created exists in the target Microsoft SQL Server installation.
The Microsoft SQL Server user account that is used to create users has DBA privileges. For example, sa/sa. Note that sa/sa is the well-known installation default: because the connector stores this account's credentials in the IT resource and uses it to create, modify, and drop logins, use a dedicated account with a strong, unique password rather than the default.
For Microsoft SQL Server 2005, the TCP/IP connection configuration is enabled.
To enable the TCP/IP connection configuration:
Open the Microsoft SQL Server Configuration Manager.
Click SQL Server 2005 Network Configuration.
Click Protocols for MSSQLSERVER.
In the right frame, right-click TCP/IP and then click Enable.
After you configure the Microsoft SQL Server installation, proceed to the "Step 3: Copying the Connector Files" section.
You configure Oracle Database by ensuring that:
The service name that is used to create users exists in the target Oracle Database installation.
There is sufficient space in the database to store provisioned users.
The Oracle Database user account that is used to create users has DBA privileges. For example, sys as sysdba/sys or system/manager. These example passwords are the well-known installation defaults for the SYS and SYSTEM accounts: because the connector stores this account's credentials in the IT resource and uses it to create, modify, and drop database users, use a dedicated account with a strong, unique password rather than a default.
After you configure the Oracle Database installation, proceed to the "Step 3: Copying the Connector Files" section.
You configure Sybase by ensuring that:
The target database in which users are supposed to be created exists in the target Sybase ASE installation.
The following scripts are run on the target Sybase database:
procGrantAllToUser.sql
procRevokeAllFromUser.sql
Refer to the "Step 3: Copying the Connector Files" section for instructions to copy these files from the installation media ZIP file to the OIM_home\xellerate\XLIntegrations\DatabaseAccess\scripts directory.
The connector files to be copied and the directories to which you must copy them are given in the following table.
Note: The directory paths given in the first column of this table correspond to the location of the connector files in the following ZIP file on the installation media: Database Servers\Database User Management\Database Rev 3.2.0.zip. Refer to the "Files and Directories That Comprise the Connector" section for more information about these files. |
File in the Installation Media Directory | Destination Directory |
---|---|
Files in the xml directory | OIM_home\xellerate\XLIntegrations\DatabaseAccess\xml |
lib\xliDatabaseAccess.jar | OIM_home\xellerate\JavaTasks and OIM_home\xellerate\ScheduleTask |
Files in the scripts directory | OIM_home\xellerate\XLIntegrations\DatabaseAccess\scripts |
Files in the resources directory | OIM_home\xellerate\connectorResources |
docs\B32153_01.pdf | OIM_home\xellerate\docs\DatabaseAccess |
Note: While installing Oracle Identity Manager in a clustered environment, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy the connectorResources directory and the JAR files to the corresponding directories on each node of the cluster. |
This section discusses the following topics:
Note: In a clustered environment, you must perform this step on each node of the cluster. |
Deploying the Microsoft Active Directory Connector If IBM DB2 UDB Is Used
Clearing Content Related to Connector Resource Bundles from the Server Cache
Note: Perform this step only if the target system is IBM DB2 UDB. |
IBM DB2 UDB installed on a Microsoft Windows server does not support the creation of user accounts. Instead, it uses operating system users. It assigns the required privileges to a Microsoft Windows user to convert the user into a complete IBM DB2 UDB user. After a user account is created in Microsoft Windows, it can be assigned the relevant privileges in IBM DB2 UDB.
Therefore, if you want to use the Database User Management connector to provision accounts in IBM DB2 UDB, then you must first deploy the connector for Microsoft Active Directory in the following directory:
OIM_home\xellerate\XLIntegrations\ActiveDirectory
See Also: Oracle Identity Manager Connector Guide for Microsoft Active Directory |
Changing to the required input locale involves installing the required fonts and setting the required input locale.
To set the required input locale:
Note: Depending on the operating system used, you may need to perform this procedure differently. |
Open Control Panel.
Double-click Regional Options.
On the Input Locales tab of the Regional Options dialog box, add the input locale that you want to use and then switch to the input locale.
Whenever you add a new resource bundle file in the OIM_home\xellerate\connectorResources directory or make a change in an existing resource bundle file, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
In a command window, change to the OIM_home\xellerate\bin directory.
Enter one of the following commands:
Note: You must change to the OIM_home\xellerate\bin directory (Step 1) before you run the command. If you instead run the batch file by its full path, as in OIM_home\xellerate\bin\batch_file_name, an exception is thrown. |
On Microsoft Windows:
PurgeCache.bat ConnectorResourceBundle
On UNIX:
PurgeCache.sh ConnectorResourceBundle
In this command, ConnectorResourceBundle is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:
OIM_home\xellerate\config\xlConfig.xml
Note: You can ignore the exception that is thrown when you perform Step 2. |
The location of the external code files depends on the target system database. The following sections provide information that is specific to each target system database:
For connectors used with IBM DB2 UDB, copy the db2java.zip file from the DB2_HOME\IBM\SQLLIB\java directory into the OIM_home\xellerate\ThirdParty directory and into one of the following directories:
For JBoss Application Server:
Copy the db2java.zip file into the JBOSS_HOME\server\default\lib directory, and then restart the server. Here, JBOSS_HOME is the directory in which JBoss Application Server is installed.
For BEA WebLogic:
Copy the db2java.zip file into the OIM_home\xellerate\ThirdParty directory. Make an entry for the db2java.zip file (not classes12.zip, which is the Oracle Database driver) in the CLASSPATH set in the BEA_HOME\user_projects\domains\domain_name\xlStartWLS.bat file, and then restart the server. Here, BEA_HOME is the directory in which BEA WebLogic is installed.
For IBM WebSphere:
Copy the db2java.zip file into the WEBSPHERE_HOME\AppServer\lib directory, and then restart the server.
After you copy the external code files, proceed to the "Step 6: Importing the Connector XML Files" section.
For connectors used with Microsoft SQL Server 2000, the external JAR files required are the JDBC driver files: mssqlserver.jar, msbase.jar, and msutil.jar.
To obtain these files, first download Microsoft SQL Server 2000 Driver for JDBC Service Pack 3 from the Microsoft Web site.
For connectors used with Microsoft SQL Server 2005, the external JAR file required is the sqljdbc.jar JDBC driver file.
You must copy the required JAR files into the following directory:
OIM_home\xellerate\ThirdParty
In addition, depending on the application server that you use, perform the steps described in one of the following sections:
Copy the JDBC driver files into the JBOSS_HOME\server\default\lib directory, and then restart the server. Here, JBOSS_HOME is the directory in which JBoss is installed.
After you copy the external code files, proceed to the "Step 6: Importing the Connector XML Files" section.
If you are using BEA WebLogic as the application server, then edit the xlStartWLS.cmd file to specify the location of the JDBC driver files. To do this:
Open the xlStartWLS.cmd file in a text editor. This file is in the following directory:
WEBLOGIC_HOME\user_projects\domains\DOMAIN_NAME\
In this directory path, WEBLOGIC_HOME is the BEA WebLogic home directory, and DOMAIN_NAME is the name of the domain.
Add the following line to the xlStartWLS.cmd file. Enter it as a single line with no spaces around the semicolons; a space after a semicolon becomes part of the next path entry and that JAR is then not found. For Microsoft SQL Server 2005, list the sqljdbc.jar file instead of the three SQL Server 2000 files.
SET SQL_DB_ACCESS_INT_JARS=OIM_home\xellerate\ThirdParty\mssqlserver.jar;OIM_home\xellerate\ThirdParty\msbase.jar;OIM_home\xellerate\ThirdParty\msutil.jar
Prepend the following text to the value assigned by the set CLASSPATH command, so that the driver JARs are searched first:
%SQL_DB_ACCESS_INT_JARS%;
After you copy the external code files, proceed to the "Step 6: Importing the Connector XML Files" section.
Copy the JDBC driver files to the WEBSPHERE_HOME\AppServer\lib\ext directory.
After you copy the external code files, proceed to the "Step 6: Importing the Connector XML Files" section.
If the connector is used with Oracle8i Database, Oracle9i Database, or Oracle Database 10g, then the required external JAR file is classes12.jar.
The classes12.jar file is available in the Oracle Database installation at, for example, the following path:
oracle_home\ora92\jdbc\lib\
In this directory path, oracle_home is the location where Oracle Database is installed. For example, C:\Oracle.
You must copy the classes12.jar file (or classes12.zip file) into the OIM_home\xellerate\ThirdParty directory and into one of the following directories:
For JBoss Application Server:
Copy the classes12.zip file into the JBOSS_HOME\server\default\lib directory, and then restart the server. Here, JBOSS_HOME is the directory in which JBoss Application Server is installed.
For BEA WebLogic:
Copy the classes12.zip file into the OIM_home\xellerate\ThirdParty directory. Make an entry for the classes12.zip file in the CLASSPATH set in the BEA_HOME\user_projects\domains\domain_name\xlStartWLS.bat file, and then restart the server. Here, BEA_HOME is the directory in which BEA WebLogic is installed.
For IBM WebSphere:
Copy the classes12.zip file into the WEBSPHERE_HOME\AppServer\lib directory, and then restart the server.
After you copy the external code files, proceed to the "Step 6: Importing the Connector XML Files" section.
For connectors used with Sybase ASE, copy the jconn2.jar file from the SYBASE_HOME\jConnect-5_5\classes directory into the OIM_home\xellerate\ThirdParty directory.
To import the connector XML files into Oracle Identity Manager:
Open the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management. A dialog box for locating files is displayed.
Locate and open the xliDBAccessLogin_DM.xml file, which is in the OIM_home\xellerate\XLIntegrations\DatabaseAccess\xml directory. Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Next. The Provide IT Resource Instance Data page for the OracleITResource IT resource is displayed. If this is the IT resource corresponding to the database that you are using, then perform the next step. Otherwise, click Next until the Provide IT Resource Instance Data page for the IT resource of the database that you are using is displayed.
Depending on the database that you are using, specify values for the parameters of the IT resource. Refer to the appropriate table in the "Defining IT Resources" section for information about the values to be specified.
Click Next. The Provide IT Resource Instance Data page for a new instance of the Database IT resource type is displayed.
Click Skip to specify that you do not want to define a new IT resource. The Confirmation page is displayed.
See Also: If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions. |
Click View Selections.
The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. Remove these nodes by right-clicking each node and then selecting Remove.
Click Import. The connector file is imported into Oracle Identity Manager.
Perform the same procedure to import the xliDBAccessUser_DM.xml and xliDBAccessScheduleTask_DM.xml files. These files are in the OIM_home\xellerate\XLIntegrations\DatabaseAccess\xml directory.
Note: Ensure that you import the connector XML files in the specified order. |
After you import the connector XML files, proceed to the "Step 7: Configuring Reconciliation" section.
This section provides IT resource parameter values for the following databases:
You must specify values for the Oracle IT resource parameters listed in the following table.
Parameter | Description |
---|---|
DataBaseType |
Type of database
Value: |
DatabaseName |
Name of the target database on which the users are created
Sample value: |
Driver |
JDBC driver class
Value: |
URL |
JDBC URL for the target database
Value: Sample value: |
UserID |
User name of the DBA login that is used to create users
Value: |
Password |
Password of the DBA login that is used to create users
Value: |
Target Locale: Country |
Country code
Default value: Note: You must specify the value in uppercase. |
Target Locale: Language |
Language code
Default value: Note: You must specify the value in lowercase. |
After you specify values for these IT resource parameters, proceed to Step 9 of the procedure to import connector XML files.
You must specify values for the Microsoft SQL Server IT resource parameters listed in the following table.
Parameter | Description |
---|---|
DataBaseType |
Type of RDBMS
Value: |
DatabaseName |
Name of the target database in which users are created
Sample value: |
Driver |
JDBC driver class
For Microsoft SQL Server 2000: com.microsoft.jdbc.sqlserver.SQLServerDriver
For Microsoft SQL Server 2005: com.microsoft.sqlserver.jdbc.SQLServerDriver |
URL |
JDBC URL for the target database
For Microsoft SQL Server 2000
Value: jdbc:microsoft:sqlserver://Target_Host:1433;DatabaseName=DatabaseName
Sample value: jdbc:microsoft:sqlserver://192.168.49.64:1433;DatabaseName=XELL
For Microsoft SQL Server 2005
Value: jdbc:sqlserver://serverName;instanceName:portNumber;property=value[;property=value]
Sample value: jdbc:sqlserver://123.12.23.321:1433;database=master (a placeholder only; 321 is not a valid address octet)
Note: In both URLs, use the IP address, not the computer name or host name. |
UserID |
User name of the DBA login that is used to create users
Value: |
Password |
Password of the DBA login that is used to create users
Value: |
Target Locale: Country |
Country code
Default value: Note: You must specify the value in uppercase. |
Target Locale: Language |
Language code
Default value: Note: You must specify the value in lowercase. |
After you specify values for these IT resource parameters, proceed to Step 9 of the procedure to import connector XML files.
You must specify values for the Sybase Server IT resource parameters listed in the following table.
Parameter | Description |
---|---|
DataBaseType |
Type of RDBMS
Value: |
DatabaseName |
Name of the target database in which users are created
Sample value: |
Driver |
JDBC driver class
Value: com.sybase.jdbc2.jdbc.SybDriver |
URL |
JDBC URL for the target database
Value: jdbc:sybase:Tds:Target_Host:5000/DatabaseName Sample value: jdbc:sybase:Tds:integnt:5000/master |
UserID |
User name of the DBA login that is used to create users
Value: |
Password |
Password of the DBA login that is used to create users
Value: |
Target Locale: Country |
Country code
Default value: Note: You must specify the value in uppercase. |
Target Locale: Language |
Language code
Default value: Note: You must specify the value in lowercase. |
After you specify values for these IT resource parameters, proceed to Step 9 of the procedure to import connector XML files.
You must specify values for the IBM DB2 UDB IT resource parameters listed in the following table.
Parameter | Description |
---|---|
DataBaseType |
Type of RDBMS
Value: |
DatabaseName |
Not required |
Driver |
JDBC driver class
Value: COM.ibm.db2.jdbc.net.DB2Driver |
URL |
The JDBC URL for the target database
Value: jdbc:db2://Target_Host:6789/DatabaseName Sample value: jdbc:db2://10.1.1.127:6789/TESTDB Note: Use the IP address, not the computer name or host name. |
UserID |
User name of the DB login used to create users
Value: |
Password |
Not needed |
Target Locale: Country |
Country code
Default value: Note: You must specify the value in uppercase. |
Target Locale: Language |
Language code
Default value: Note: You must specify the value in lowercase. |
After you specify values for these IT resource parameters, proceed to Step 9 of the procedure to import connector XML files.
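The following is an added example written for this edit; it is not code from the connector or from this guide. It collects, per target, the Driver class, the URL form, and the driver archive that the IT resource tables above and the external-code sections earlier on this page prescribe, builds the URL while enforcing the guide's rule that some targets must be addressed by a literal IPv4 address (the SQL Server 2005 sample above, 123.12.23.321, fails that check because 321 is not a valid octet), and confirms that the archives copied into OIM_home\xellerate\ThirdParty actually contain the configured driver class, which catches a wrong or stale JAR before the IT resource is saved. The Oracle driver class, URL form and port 1521 are assumptions, since this page does not show the Oracle Driver and URL values; PROFILES, build_url, check_driver_jars and run_demo are names chosen here, and the JAR built inside run_demo is a constructed stand-in, not the vendor driver.

```python
import ipaddress
import os
import tempfile
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class TargetProfile:
    driver_class: str   # value of the IT resource "Driver" parameter
    url_template: str   # shape of the IT resource "URL" parameter
    jars: tuple         # driver archives that must sit in OIM_home\xellerate\ThirdParty
    default_port: int
    ip_required: bool   # the guide says "Use the IP address, not the host name"


PROFILES = {
    "sqlserver2000": TargetProfile(
        "com.microsoft.jdbc.sqlserver.SQLServerDriver",
        "jdbc:microsoft:sqlserver://{host}:{port};DatabaseName={db}",
        ("mssqlserver.jar", "msbase.jar", "msutil.jar"), 1433, True),
    "sqlserver2005": TargetProfile(
        "com.microsoft.sqlserver.jdbc.SQLServerDriver",
        "jdbc:sqlserver://{host}:{port};database={db}",
        ("sqljdbc.jar",), 1433, True),
    "sybase": TargetProfile(
        "com.sybase.jdbc2.jdbc.SybDriver",
        "jdbc:sybase:Tds:{host}:{port}/{db}",
        ("jconn2.jar",), 5000, False),
    "db2": TargetProfile(
        "COM.ibm.db2.jdbc.net.DB2Driver",
        "jdbc:db2://{host}:{port}/{db}",
        ("db2java.zip",), 6789, True),
    # ASSUMPTION: the Oracle Driver/URL values are not shown on this page; these are
    # the classes12 thin-driver class and URL form with the usual listener port.
    "oracle": TargetProfile(
        "oracle.jdbc.driver.OracleDriver",
        "jdbc:oracle:thin:@{host}:{port}:{db}",
        ("classes12.jar",), 1521, False),
}


def host_ok(db_type, host):
    """True if host satisfies the guide's rule for this target: a literal IPv4
    address where the guide demands one, any non-empty name otherwise."""
    if not PROFILES[db_type].ip_required:
        return bool(host)
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def build_url(db_type, host, db, port=None):
    """Render the JDBC URL for the IT resource, refusing hosts the guide rejects."""
    profile = PROFILES[db_type]
    if not host_ok(db_type, host):
        raise ValueError(f"{db_type}: host {host!r} must be a literal IPv4 address")
    return profile.url_template.format(host=host, port=port or profile.default_port, db=db)


def driver_class_entry(driver_class):
    """JAR entry name of a Java class, e.g. com.x.Y -> com/x/Y.class."""
    return driver_class.replace(".", "/") + ".class"


def check_driver_jars(db_type, third_party_dir):
    """Confirm the archives the guide lists are present and that one of them really
    contains the configured driver class. Returns (missing_archives, jar_with_class)."""
    profile = PROFILES[db_type]
    entry = driver_class_entry(profile.driver_class)
    missing, jar_with_class = [], None
    for name in profile.jars:
        path = os.path.join(third_party_dir, name)
        if not os.path.isfile(path):
            missing.append(name)
            continue
        with zipfile.ZipFile(path) as archive:
            if jar_with_class is None and entry in archive.namelist():
                jar_with_class = name
    return missing, jar_with_class


def run_demo():
    """Constructed scenario: a ThirdParty directory holding a stand-in sqljdbc.jar
    (one empty class entry, not Microsoft's driver) and nothing else."""
    with tempfile.TemporaryDirectory() as third_party:
        jar = os.path.join(third_party, "sqljdbc.jar")
        with zipfile.ZipFile(jar, "w") as archive:
            archive.writestr(driver_class_entry(PROFILES["sqlserver2005"].driver_class), b"")
        return {
            "2005": check_driver_jars("sqlserver2005", third_party),
            "2000": check_driver_jars("sqlserver2000", third_party),
        }


if __name__ == "__main__":
    print(build_url("sybase", "integnt", "master"))
    print(run_demo())
```

Run the file directly to print the Sybase sample URL and the demo result. In a real deployment, point check_driver_jars at the actual ThirdParty directory and also at the application-server lib directory the guide requires, since a driver present in one location but not the other produces a class-not-found failure only at run time.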
Configuring reconciliation involves performing the following tasks:
To create the reconciliation scheduled tasks:
Open the Oracle Identity Manager Design Console.
Expand the Xellerate Administration folder.
Select Task Scheduler.
Click Find. The details of the predefined scheduled task are displayed.
Enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the ERROR status to the task.
Ensure that the Disabled and Stop Execution check boxes are not selected.
In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.
In the Interval region, set the following schedule parameters:
To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.
If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.
To set the task to run only once, select the Once option.
Provide values for the attributes of the scheduled task. These attributes are described in the following table.
Note: Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change. |
Attribute | Description | Sample Value |
---|---|---|
Server |
Name of the IT resource | OracleITResource |
Target System Login Recon - Resource Object name |
Name of the target system parent resource object | Database Access (Login) |
Target System User Recon - Resource Object name |
Name of the target system child resource object | Database Access (User) |
Trusted Source Recon - Resource Object name |
Name of the trusted source resource object | For trusted source reconciliation:
For nontrusted reconciliation:
|
DB2DBName | Name of the IBM DB2 UDB target database from which data is reconciled. This attribute is required only for IBM DB2 UDB targets. | TESTDB |
See Also: Oracle Identity Manager Design Console Guide for information about adding and removing task attributes |
Click Save. The scheduled task is created. The INACTIVE status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.
If you are using Oracle Identity Manager release 9.0.1, then you must perform the following procedure to enable reconciliation:
See Also: Oracle Identity Manager Design Console Guide |
Open the Process Definition form for the Database Access (Login) User process. This form is in the Process Management folder.
Note: You must also perform this procedure for the Database Access (User) User process. |
Click the Reconciliation Field Mappings tab.
For each field that is of the IT resource type:
Double-click the field to open the Edit Reconciliation Field Mapping window for that field.
Deselect Key Field for Reconciliation Matching.
The following adapters are imported into Oracle Identity Manager when you import the connector XML file:
DB Revoke Role
DB Modify Password
DB Modify Login
DB Enable login
DB Disable login
adpDBDELETETABLESPACE
DB Delete Login
DB Create Login
DB Add TableSpace
DB Add Schema
DB Add Role
DB Delete TableSpace
DB Prepopulate UserLogin
DB Update Group
DB EnableSybaseUser
DB DisableSybaseUser
DB Delete User
DB Create User
You must compile these adapters before you can use them to provision accounts on the target system.
To compile adapters by using the Adapter Manager form:
Open the Adapter Manager form.
To compile all the adapters that you import into the current database, select Compile All.
To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select Compile Selected.
Note: Click Compile Previously Failed to recompile only those adapters that were not compiled successfully. Such adapters do not have an OK compilation status. |
Click Start. Oracle Identity Manager compiles the selected adapters.
If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the OIM_home\xellerate\Adapter directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes. Then, restart each node.
To view detailed information about an adapter:
Highlight the adapter in the Adapter Manager form.
Double-click the row header of the adapter, or right-click the adapter.
Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.
Note: Perform this procedure only if you want to configure the connector for multiple installations of Database User Management. Refer to Oracle Identity Manager Design Console Guide for detailed instructions on performing each step of this procedure. |
To configure the connector for multiple installations of the target system:
Create and configure one IT resource for each target system installation.
The IT Resources form is in the Resource Management folder. An IT resource is created when you import the connector XML file. You can use this IT resource as the template for creating the remaining IT resources, of the same resource type.
Configure reconciliation for each target system installation. Refer to the "Step 7: Configuring Reconciliation" section for instructions. Note that you only need to modify the attributes that are used to specify the IT resource and to specify whether or not the target system installation is to be set up as a trusted source.
You can designate either a single or multiple installations of Database User Management as the trusted source.
If required, modify the fields to be reconciled for the Xellerate User resource object.
When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the Database User Management installation to which you want to provision the user.