Oracle® Identity Manager Connector Guide for IBM Lotus Notes and Domino Release 9.0.4 Part Number E10157-01 |
|
|
View PDF |
Deploying the connector involves the following steps:
The following table lists the deployment requirements for the connector.
Item | Requirement |
---|---|
Oracle Identity Manager | Oracle Identity Manager release 8.5.3 or later |
Target systems | IBM Lotus Notes and Domino Server 6.5 -7.0.2 |
External code |
NCSO.jar Notes.jarRefer to the "Step 3: Copying the Connector Files and External Code Files" section for more information about these files. |
Target system user account | Domino Server administrator
You must ensure that full administrative access has been assigned to this administrator account. In other words, this administrator must belong to the Full Access Administrator list. You provide the credentials of this user account while performing the procedure in the "Defining IT Resources" section. If this user account is not assigned the specified privileges, then the following error message is displayed when Oracle Identity Manager tries to exchange data with the target system:
|
Configuring the target system involves performing the following steps:
When you disable a user account in IBM Lotus Notes and Domino, that user automatically becomes a member of a Deny Access group. When you reenable the user account, the user is removed from the Deny Access group. The same process is followed when you disable a user account through Oracle Identity Manager. For the Disable User operation to work, there must be at least one Deny Access group in the target system.
If there is no Deny Access group on the IBM Lotus Notes and Domino installation, then you must create one as follows:
Log in to the Lotus Notes client as the administrator.
On the People & Groups tab, click the Groups folder on the left pane.
Click Add Group.
On the New Group tab, provide the following values:
Group name: Specify a name for the group, for example, noaccess
.
Group type: Select Multi-purpose.
Click Save & Close.
On the Configuration tab, click All Server Documents on the left pane.
On the right pane, double-click the row for the server that you are using.
Open the Security tab.
In the Server Access section, double-click Not Access Server.
In the Select Names dialog box, use the Add button to add the group that you create in Step 4 and then click OK.
Click Save & Close.
The Deny Access group that you create can be viewed by performing Steps 6 through 9.
While performing the procedure described in the "Defining IT Resources" section, you specify the name of the Deny Access group (for example, noaccess
) that you create in Step 4 as the value of the DenyAccessGroupName
IT resource parameter.
Note:
If you do not want to support encrypted e-mail on the target system, then you can skip this section.When you create a user account in IBM Lotus Notes and Domino, an ID file is automatically generated for the user account. This ID file holds the encryption key for the user, and it is automatically used when encrypted e-mail is sent or received.
If an administrator changes the user's password in Oracle Identity Manager, then a new ID file is created. This new ID file cannot be used to open existing sent and received encrypted e-mail. From this point onward, existing encrypted e-mail becomes inaccessible.
To avoid this situation, you must:
Configure an agent on IBM Lotus Notes and Domino that modifies existing ID files when the password is updated. This section describes the procedure to perform this step.
Set the value of the isAgentInstalled
IT resource parameter to Yes
to indicate that an agent has been configured on IBM Lotus Notes and Domino. This parameter is described in the "Defining IT Resources" section.
To configure the agent on IBM Lotus Notes and Domino:
Log in to the Domino Admin client.
From the File menu, select Database and then select Open.
From the Server list in the Open Database dialog box, select the name of the Domino server.
In the FileName field, enter names.nsf
and then click Open.
From the View menu, select Agents.
Click New Agent.
In the first tab of the Agent dialog box (indicated by a bulb icon), enter the following values:
Name: Enter changePassword
.
Comment: Enter Change password of the ID file
.
Target: Select All documents in database.
In the second tab of the Agent dialog box (indicated by a key icon), Select Allow restricted operations from the Set runtime security level list.
Close the dialog box.
On the changePassword-Agent tab, select LotusScript from the second list.
From the menu on the Objects pane, select the [Options] method.
Open the following file on in the installation media directory:
script/lotusagent.txt
Copy the LotusScript code from the lotusagent.txt
file to the right pane of the Lotus Notes client window.
Click Save.
You specify the credentials of a Lotus Notes administrator account in the IT resource definition. After you configure the agent on IBM Lotus Notes and Domino, you must ensure that this Lotus Notes administrator account has the permissions required to update the ID files as follows:
Log in to the Domino Admin client.
From the File menu, select Database and then select Access Control.
In the Access Control List dialog box, select Manager from the Access list and then select the Delete documents check box.
Click OK.
The following fields have been added on the user process form:
ID File Name
In releases prior to the 9.0.3.1 release of the connector, when you create a user account through Oracle Identity Manager, the ID file name is created according to the following format:
FirstNameLastName.id
For example, if you create an account for user John Doe, then the ID file name is as follows:
JohnDoe.id
From the 9.0.3.1 release onward, you can now use the ID File Name field to specify a name for the ID file while creating a user account.
Old Password
The Old Password field stores the latest password of the user in encrypted form. The value of this field is changed automatically during Create Password and Update Password provisioning operations.
Note:
After reconciliation, for user accounts for which the password has been changed on the target system, the users must manually enter the new password in this field on Oracle Identity Manager.You must ensure that the Domino IIOP (DIIOP) task is running.
To do this, open the IBM Lotus Notes and Domino console and run the Load DIIOP command.
If the DIIOP task were not running, then it is started after you run the command. If it were running, then a message that the task has already been started is displayed.
The connector files to be copied and the directories to which you must copy them are given in the following table.
Note:
The directory paths given in the first column of this table correspond to the location of the connector files in the following directory on the installation media:Collaboration and Messaging Applications/IBM Lotus Notes Domino
Refer to the "Files and Directories That Comprise the Connector" section for more information about these files.
After you copy the connector files, copy the following files into the java_installation
/jre/lib/ext
directory:
NCSO.jar
(from the lotus_home
/lotus/Domino/Data/domino/java
directory)
Notes.jar
(from the lotus_home
/lotus/Domino directory
)
Here, java_installation
is the JDK directory used for Oracle Identity Manager and lotus_home
is the directory in which IBM Lotus Notes and Domino is installed.
Note:
While installing Oracle Identity Manager in a clustered environment, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy theconnectorResources
directory and all the JAR files mentioned in this section to the corresponding directories on each node of the cluster.Configuring the Oracle Identity Manager server involves the following procedures:
Note:
In a clustered environment, you must perform this step on each node of the cluster.Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.
You may require the assistance of the system administrator to change to the required input locale.
While performing the instructions described in the "Step 3: Copying the Connector Files and External Code Files" section, you copy files from the resources
directory on the installation media into the OIM_home
/xellerate/connectorResources
directory. Whenever you add a new resource bundle in the connectorResources
directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
In a command window, change to the OIM_home
/xellerate/bin
directory.
Note:
You must perform Step 1 before you perform Step 2. If you run the command described in Step 2 as follows, then an exception is thrown:OIM_home\xellerate\bin\batch_file_name
Enter one of the following commands:
On Microsoft Windows:
PurgeCache.bat ConnectorResourceBundle
On UNIX:
PurgeCache.sh ConnectorResourceBundle
Note:
You can ignore the exception that is thrown when you perform Step 2.In this command, ConnectorResourceBundle
is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:
OIM_home/xellerate/config/xlConfig.xml
When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
ALL
This level enables logging for all events.
DEBUG
This level enables logging of information about fine-grained events that are useful for debugging.
INFO
This level enables logging of informational messages that highlight the progress of the application at coarse-grained level.
WARN
This level enables logging of information about potentially harmful situations.
ERROR
This level enables logging of information about error events that may still allow the application to continue running.
FATAL
This level enables logging of information about very severe error events that could cause the application to stop functioning.
OFF
This level disables logging for all events.
The file in which you set the log level depends on the application server that you use:
BEA WebLogic
To enable logging:
Add the following line in the OIM_home
/xellerate/config/log.properties
file:
log4j.logger.Adapter.LotusNotes=log_level
In this line, replace log_level
with the log level that you want to set.
For example:
log4j.logger.Adapter.LotusNotes=INFO
After you enable logging, log information is written to the following file:
WebLogic_home/user_projects/domains/domain_name/server_name/server_name.log
IBM WebSphere
To enable logging:
Add the following line in the OIM_home
/xellerate/config/log.properties
file:
log4j.logger.Adapter.LotusNotes=log_level
In this line, replace log_level
with the log level that you want to set.
For example:
log4j.logger.Adapter.LotusNotes=INFO
After you enable logging, log information is written to the following file:
WebSphere_home/AppServer/logs/server_name/startServer.log
JBoss Application Server
To enable logging:
In the JBoss_home
/server/default/conf/log4j.xml
file, locate the following lines:
<category name="Adapter.LotusNotes">
<priority value="log_level"/>
</category>
In the second XML code line, replace log_level
with the log level that you want to set. For example:
<category name="Adapter.LotusNotes"> <priority value="INFO"/> </category>
After you enable logging, log information is written to the following file:
JBoss_home/server/default/log/server.log
OC4J
To enable logging:
Add the following line in the OIM_home
/xellerate/config/log.properties
file:
log4j.logger.Adapter.LotusNotes=log_level
In this line, replace log_level
with the log level that you want to set.
For example:
log4j.logger.Adapter.LotusNotes=INFO
After you enable logging, log information is written to the following file:
OC4J_home/opmn/logs/default_group~home~default_group~1.log
To import the connector XML file into Oracle Identity Manager:
Open the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management. A dialog box for locating files is displayed.
Locate and open the xlLotusNotesConnector.xml
file, which is in the OIM_home
/xlclient
directory. Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Next. The Provide IT Resource Instance Data page for the LotusNotes
IT resource is displayed.
Specify values for the parameters of the LotusNotes
IT resource. Refer to the table in the "Defining IT Resources" section for information about the values to be specified.
Click Next. The Provide IT Resource Instance Data page for a new instance of the Lotus Notes
IT resource type is displayed.
Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.
See Also:
If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.Click View Selections.
The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. These nodes represent Oracle Identity Manager entities that are redundant. Before you import the connector XML file, you must remove these entities by right-clicking each node and then selecting Remove.
Click Import. The connector XML file is imported into Oracle Identity Manager.
After you import the connector XML file, proceed to the "Step 6: Configuring SSL" section.
You must specify values for the LotusNotes
IT resource parameters listed in the following table.
Parameter | Description |
---|---|
AddBook |
Specifies whether or not the server entry in the Domino Directory is updated when the ID file is created
The value can be Domino Directory is the database that contains user personal documents, connection documents, server documents, and cross-certification files. This directory is also known as the public address book or |
Admin |
User ID of the IBM Lotus Notes and Domino server administrator
This administrator must belong to the Full Access Administrator list on IBM Lotus Notes and Domino. |
AdminPwd |
Password of the administrator |
certifierOU |
Specifies the OU of the certifier to be used when creating user accounts
If you use a certifier on the target system, then you must specify the certifier OU value. If you do not have a certifier on the target system, then leave this parameter field empty. If there are multiple certifiers on the target system, then you must create one IT resource of the See Also: The "certifierOU IT Resource Parameter" section for more information about this parameter. Sample value: |
CertPath |
Complete file specification of the certifier ID to be used when creating certifier ID files
Sample value: |
CertPwd |
Password of the certifier ID file |
CreateMailIDFile |
Specifies whether or not a mail database is created with the ID file when calling the Register New User function of IBM Lotus Notes and Domino
The value can be |
Host |
Host name or IP address of the IBM Lotus Notes and Domino server |
Port |
TCP/IP port at which the IBM Lotus Notes and Domino server is listening
The default value is 63148. |
IDFilePath |
Path for storing the ID files |
IDType |
Type of ID files to be created
The value can be The default is |
MailDBPath |
Mail file path |
MailOwnerAccess |
Mail database ACL setting for the owner
The value can be one of the following:
The default value is |
MailQuotaLimit |
Maximum size of the user's e-mail database, in megabytes
The default value is |
MailQuotaWarning |
Size, in megabytes, at which the user's mail database issues a warning that the size limit may be exceeded
The default value is |
MailServer |
Canonical name of the server containing the user's mail file |
MailSystem |
User's mail system
The value can be any one of the following:
The default value is |
MailTemplateName |
Name of the template for the design of the mail file |
PasswordLength |
Minimum number of characters that can be used in the password
The value can be any number. The default minimum length is 5 characters. |
RegLog |
Name of the log file to be used when creating IDs |
RegServer |
Name of the server to use when creating IDs and performing other registration functions |
StoreAddBook |
Indicates whether or not the ID file is stored in the Domino Directory of the server
The value can be |
SyncInternetPassword |
Specifies whether or not the user can use the same password for both local client-based access and Web-based access to IBM Lotus Notes and Domino
The value can be |
LastReconciliationTimeStamp |
For the first reconciliation run, this parameter does not hold any value. From the second time onward, this parameter stores the time at which the last reconciliation run was completed.
The default value is |
IsSecure |
Specifies whether or not the SSL feature is enabled
The value can be Note: It is recommended that you enable SSL to secure communication with the target system. |
DenyAccessGroupName |
Name of the group for users whose accounts have been disabled
Note: If there is no Deny Access group on the IBM Lotus Notes and Domino installation, then you must create one by following the procedure described in the "Creating a Deny Access Group" section. |
triggerAdminP |
Specifies whether or not the Trigger AdminP feature is enabled
The value can be |
isAgentInstalled |
Specify Yes as the value of this parameter if you want to enable support for encrypted e-mail on the target system. Otherwise, specify No .
See Also: The "Enabling Modification of ID Files" section for more information about this parameter. |
TrustedTimeStamp |
This parameter is used for trusted source reconciliation.
Starting with the first reconciliation run, this parameter stores the time-stamp value at which the reconciliation run ends. The default value is |
NonTrustedTimeStamp |
This parameter is used for nontrusted source reconciliation.
Starting with the first reconciliation run, this parameter stores the time-stamp value at which the reconciliation run ends. The default value is |
Max Retries |
Number of times that the Lotus Notes Connector should retry connecting to the target server if the connection fails
The default value is |
Delay |
Delay (in milliseconds) before the connector attempts to retry connecting to the target system, in case the connection fails
The default value is |
After you specify values for these IT resource parameters, proceed to Step 9 of the procedure to import connector XML files.
certifierOU IT Resource Parameter
In releases prior to the 9.0.3.1 release of this connector, the following problem is observed while creating a user account on the target system through Oracle Identity Manager:
Suppose you specify the following values while creating a user account directly on Lotus Notes:
FirstName: John
LastName: Doe
When the user account is created, a Distinguished Name (DN) similar to the following is assigned to the user:
CN=John Doe/OU=testcertou/O=test/C=US
In this sample DN, testcertou
is the OU of the certifier for the user account that is created.
Suppose you specify the following values while creating a user account on Lotus Notes through Oracle Identity Manager:
FirstName: Jane
LastName: Doe
While creating the user account through Oracle Identity Manager, you can specify an OU for the user account on the process form. Suppose you specify testuserou
as the user's OU on the process form. Then, a Distinguished Name (DN) similar to the following is assigned to the user:
CN=Jane Doe/OU=testuserou/OU=testcertou/O=test/C=US
This DN is invalid because it contains two OU attributes. If you try to search for and update this user, then the User Not Found error is thrown.
To resolve this problem, from the 9.0.3.1 release onward, the certifierOU
parameter has been added to the Lotus Notes IT resource type. You use this parameter to specify the OU of a certifier on the target system.
Note:
If there are multiple certifiers on the target system, then you must create one IT resource (of the IT Lotus Notes IT resource type) for each certifier. Refer to Oracle Identity Manager Design Console Guide for information about creating IT resources.If you specify a value for the certifierOU
parameter, then the user OU value that you specify on the process form is ignored during the creation of a DN for a new user account. If you do not specify a value for the certifierOU
parameter, then the user OU value that you specify on the process form is used in the DN. This feature ensures that only one OU value is included in the DN.
Caution:
If you specify a value for thecertifierOU
IT resource parameter, then user records for which the certifier OU value in the DN does not match the certifierOU
parameter value are not reconciled. This is because the user DN is used to match records in the target system and Oracle Identity Manager, and a difference in the certifier OU value would lead to a mismatch in DN values. The following example illustrates this type of scenario:
Suppose a user account on Lotus Notes has the following DN:
CN=John Doe/OU=testcertou/O=test/C=US
If testcertou
has not been assigned as the value of the certifierOU
parameter for any of the IT resources created on this Oracle Identity Manager installation, then the records of this user cannot be reconciled into Oracle Identity Manager.
Note:
This is an optional step of the deployment procedure. For more information about this procedure, refer tohttp://www-128.ibm.com/developerworks/lotus/library/ls-Java_access_2/
To set up SSL connectivity between Oracle Identity Manager and the IBM Lotus Notes and Domino server:
Ensure that the DIIOP and HTTP tasks are running on the IBM Lotus Notes and Domino server for SSL communication.
Note:
If you have already performed the procedure described in the "Step 2: Configuring the Target System" section, then the DIIOP task is already running.On the IBM Lotus Notes and Domino server, create a key ring using the Server Certificate Admin (certsrv.nsf
) database. Move the two key ring files, keyfile.kyr
and keyfile.sth,
to the data directory of the server.
Restart the DIIOP task to generate a file named TrustedCerts.class
in the IBM Lotus Notes and Domino data directory. The following is the path of the data directory:
lotus_home/Lotus/Domino/Data
Here, lotus_home
is the directory in which IBM Lotus Notes and Domino is installed.
Package the TrustedCerts.class
file in the TrustedCerts.jar
file.
Move the TrustedCerts.jar
file to the java_installation
\jre\lib\ext
directory on the Oracle Identity Manager server.