Oracle® Identity Manager Connector Guide for RSA Authentication Manager Release 9.0.4 Part Number E10168-01 |
|
|
View PDF |
Deploying the connector involves the following steps:
The following table lists the deployment requirements for the connector.
Item | Requirement |
---|---|
Oracle Identity Manager | Oracle Identity Manager release 8.5.3 or later |
Target system | The target system can be any one of the following:
|
Target system host platforms | The target system host platform can be any one of the following:
|
Other systems |
|
Remote manager node user account | In Host mode, no credentials are required.
In Remote mode, any remote node user account would suffice. Refer to the "Defining IT Resources" section for details. If the specified type of user account is not used, then the following error message is displayed when connector operations are attempted:
|
Configuring the target system involves the following steps:
Configuring Strong Authentication Between Oracle Identity Manager and the Remote Manager
Configuring SSL Client (Oracle Identity Manager Server) Authentication
To set up the remote manager on the RSA Authentication Manager server:
Note:
For Solaris, you must create an ACE administrator as a preinstallation requirement for RSA Authentication Manager. This administrator is the file owner of the RSA Authentication Manager installation. Use this ACE administrator account to install the remote manager.Create the AuthManager
directory on the RSA Authentication Manager server.
From the installation media directory, copy the remotePackage
directory into the AuthManager
directory.
For Solaris 9
Log in to the Solaris server by using the user credentials of the RSA Authentication Manager File Owner that was created as a preinstallation requirement for RSA Authentication Manager. Then, create the directory into which you copy the remotePackage
directory.
Note:
If you copy files from Microsoft Windows to Solaris, all data transfer from the FTP client must be performed in binary mode. In addition, after copying files to the Solaris server, you must check the files for the^M
character pattern.
You must also perform required operations, such as dos2unix.
As described earlier, copy all the files while using the ACE administrator credentials.
To update the class files, copy the lib/xliACE.jar
file from the installation media directory to the xl_remote
/xlremote/JavaTasks
directory.
Note:
From this point onward in the guide, the full path of theremotePackage
directory on the RSA Authentication Manager server is referred to as xl_remote
.Update the library files as follows:
On Microsoft Windows:
Use a text editor to open the following file:
xl_remote/xlremote/remotemanager.bat
In this file, depending on the version of Authentication Manager that you are using, set one of the following as the first line of the file:
For ACE 5.2:
set PATH=authmgr_home/lib/ACE52;%PATH%
For RSA Authentication Manager 6.0:
set PATH=authmgr_home/lib/AuthMgr60;%PATH%
For RSA Authentication Manager 6.1:
set PATH=authmgr_home/lib/AuthMgr61;%PATH%
On Solaris 9:
For RSA ACE 5.2, add the following lines:
LD_LIBRARY_PATH=$ACE_INSTALL/prog:$AUTHMGR_HOME/lib/ACE52Sol export LD_LIBRARY_PATH
To configure strong authentication between Oracle Identity Manager and the remote manager, you must import the required certificate from the remote manager keystore to the Oracle Identity Manager server keystore as follows:
From the Oracle Identity Manager server, copy the OIM_home
/xellerate/config/xlserver.cert
file to the AuthManager_home
/scripts/config
directory on the RSA Authentication Manager server.
Use a text editor to open the authmgr_home
/scripts/AuthMgrImportXLCert.bat
file. Here, authmgr_home
is the directory in which RSA Authentication Manager is installed.
In this file, set the following parameters:
set JAVA_HOME=jdk_home set XL_REMOTE=xl_remote
For Solaris 9, set the following parameters in the authmgr_home
/scripts/AuthMgrImportXLCert.sh
file:
XL_REMOTE=xl_remote export XL_REMOTE JAVA_HOME=jdk_home export JAVA_HOME
Run the AuthMgrImportXLCert.bat
file.
For Solaris 9, run the AuthMgrImportXLCert.sh
file.
To configure SSL client (Oracle Identity Manager server) authentication:
Open the xl_remote
/xlremote/config/xlconfig.xml
file.
In the <RMSecurity>
section of this file, change the value of the <ClientAuth>
element to true.
The following is a code block from the xlconfig.xml
file:
<RMSecurity>
<RMIOverSSL>true</RMIOverSSL>
<SSLPort>12345</SSLPort>
<SSLContextAlgorithm>TLS</SSLContextAlgorithm>
<KeyManagerFactory>SunX509</KeyManagerFactory>
<BindingPort>12346</BindingPort>
<ServiceName>RManager</ServiceName>
<LoggerConfigFilePath>log.conf</LoggerConfigFilePath>
<ClientAuth>true</ClientAuth>
</RMSecurity>
Multiple Oracle Identity Manager Servers Communicating with a Single Remote Manager
If a setup involves more than one Oracle Identity Manager server communicating with a single remote manager, then you must address the considerations described in this section.
The OIM_home
/xellerate/config/xlserver.cert
certificate for any Oracle Identity Manager installation would have the same dname
value. If you import this certificate from one Oracle Identity Manager installation into the target system remote manager keystore, then you cannot directly use the same certificate from another installation for the same purpose and in the same manner.
Therefore, if one Oracle Identity Manager installation is already configured with a particular remote manager and the same is needed for another Oracle Identity Manager installation, then you must first create a certificate with a different DN for the second installation before you can use this new certificate with the remote manager.
Enter the following commands in the specified order.
Generate a new key pair by entering the following command:
jdk_home/jre/bin/keytool -genkey -alias xell2 -keyalg DSA -keysize 1024 -dname "CN=Customer1, OU=Customer, O=Customer, L=City, ST=NY, C=US" -validity 3650 -keypass xellerate -keystore OIM_home/xellerate/config/.xlkeystore -storepass xellerate -storetype jks -provider sun.security.provider.Sun
When you run this command, ensure that the dname
value specified in the preceding command, is not the same as the default value of dname,
for the existing certificates in the Oracle Identity Manager keystore:
OIM_home/xellerate/config/.xlkeystore
The default value is as follows:
CN=Customer, OU=Customer, O=Customer, L=City, ST=NY, C=US
Create a certificate request by entering the following command:
jdk_home/jre/bin/keytool -certreq -alias xell2 -file OIM_home/xellerate/config/xell1.csr -keypass xellerate -keystore OIM_home\/ellerate/config/.xlkeystore -storepass xellerate -storetype jks -provider sun.security.provider.Sun
Export the certificate to a file by entering the following command:
jdk_home/jre/bin/keytool -export -alias xell2 -file OIM_home/xellerate/config/xlserver1.cert -keypass xellerate -keystore OIM_home/xellerate/config/.xlkeystore -storepass xellerate -storetype jks -provider sun.security.provider.Sun
This command creates the following security certificate:
OIM_home/xellerate/config/xlserver1.cert
This is the certificate that you must use for configuration purposes.
Import the certificate into the remote manager keystore by entering the following command:
jdk_home/jre/bin/keytool -import -trustcacerts -alias xel2trusted -noprompt -keystore OIM_home/xellerate/config/.xlkeystore -file OIM_home/xellerate/config/xlserver1.cert -storepass xellerate
For configuring strong authentication between another Oracle Identity Manager Server installation and the remote manager, use the OIM_home
/xellerate/config/xlserver1.cert
file instead of the xlserver.cert
file.
To set up the remote manager as a trusted source for Oracle Identity Manager:
On the RSA Authentication Manager server, copy the xl_remote
/xlremote/config/xlserver.cert
file into the following directory:
OIM_home/xellerate/XLIntegrations/AuthManager/scripts/config
Use a text editor to open the following file:
OIM_home/xellerate/XLIntegrations/AuthManager/scripts/AuthMgrImportRMCert.bat
In this file, edit the following lines to specify the path to the JDK and Oracle Identity Manager installation directories:
set JAVA_HOME = jdk_home set XELLERATE_HOME = OIM_home
For Oracle Identity Manager installed on Solaris 8 or Red Hat Advanced Server 2.1, open the following file in a text editor:
OIM_home/xellerate/XLIntegrations/AuthManager/scripts/AuthMgrImportRMCert.sh
In this file, edit the following lines to specify the path to the JDK and Oracle Identity Manager installation directories:
JAVA_HOME = jdk_home export JAVA_HOME XELLERATE_HOME = OIM_home export XELLERATE_HOME
Run the AuthMgrImportRMCert.bat
file.
For Oracle Identity Manager installed on Solaris 8 or Red Hat Linux AS 2.1, run the AuthMgrImportRMCert.sh
file.
The connector files to be copied and the directories to which you must copy them are given in the following table.
Note:
The directory paths given in the first column of this table correspond to the location of the connector files in the following directory on the installation media:Security Applications/RSA Authentication Manager
Refer to the "Files and Directories That Comprise the Connector" section for more information about these files.
File in the Installation Media Directory | Destination Directory |
---|---|
lib/xliACE.jar |
OIM_home/xellerate/JavaTasks OIM_home/xellerate/ScheduleTask |
Directories and files in the remotePackage directory |
OIM_home/xellerate/XLIntegrations/AuthManager/remotePackage
Note: You do not need to copy this directory if you already performed the procedure described in the "Setting Up the Remote Manager" section. |
Files in the resources directory |
OIM_home/xellerate/connectorResources
|
Directories and files in the scripts directory |
OIM_home/xellerate/XLIntegrations/AuthManager/scripts
|
Directories and files in the tests directory |
OIM_home/xellerate/XLIntegrations/AuthManager/tests
|
Files in the xml directory |
OIM_home/xellerate/XLIntegrations/AuthManager/xml
|
Note:
While installing Oracle Identity Manager in a clustered environment, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy theconnectorResources
directory and the JAR files to the corresponding directories on each node of the cluster.Note:
In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.Configuring the Oracle Identity Manager server involves performing the following procedures:
Note:
In a clustered environment, you must perform this step on each node of the cluster.Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.
You may require the assistance of the system administrator to change to the required input locale.
While performing the instructions described in the "Step 3: Copying the Connector Files" section, you copy files from the resources
directory on the installation media into the OIM_home
/xellerate/connectorResources
directory. Whenever you add a new resource bundle in the connectorResources
directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
In a command window, change to the OIM_home
/xellerate/bin
directory.
Note:
You must perform Step 1 before you perform Step 2. If you run the command described in Step 2 as follows, then an exception is thrown:OIM_home/xellerate/bin/batch_file_name
Enter one of the following commands:
On Microsoft Windows:
PurgeCache.bat ConnectorResourceBundle
On UNIX:
PurgeCache.sh ConnectorResourceBundle
Note:
You can ignore the exception that is thrown when you perform Step 2.In this command, ConnectorResourceBundle
is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:
OIM_home/xellerate/config/xlConfig.xml
When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
ALL
This level enables logging for all events.
DEBUG
This level enables logging of information about fine-grained events that are useful for debugging.
INFO
This level enables logging of informational messages that highlight the progress of the application at coarse-grained level.
WARN
This level enables logging of information about potentially harmful situations.
ERROR
This level enables logging of information about error events that may still allow the application to continue running.
FATAL
This level enables logging of information about very severe error events that could cause the application to stop functioning.
OFF
This level disables logging for all events.
The file in which you set the log level and the log file path depend on the application server that you use:
BEA WebLogic
To enable logging:
Add the following lines in the OIM_home
/xellerate/config/log.properties
file:
log4j.logger.XELLERATE=log_level log4j.logger.XL_INTG.RSA_ACE=log_level
In these lines, replace log_level
with the log level that you want to set.
For example:
log4j.logger.XELLERATE=INFO log4j.logger.XL_INTG.RSA_ACE=INFO
After you enable logging, the log information is written to the following file:
WebLogic_home/user_projects/domains/domain_name/server_name/server_name.log
IBM WebSphere
To enable logging:
Add the following lines in the OIM_home
/xellerate/config/log.properties
file:
log4j.logger.XELLERATE=log_level log4j.logger.XL_INTG.RSA_ACE=log_level
In these lines, replace log_level
with the log level that you want to set.
For example:
log4j.logger.XELLERATE=INFO log4j.logger.XL_INTG.RSA_ACE=INFO
After you enable logging, the log information is written to the following file:
WebSphere_home/AppServer/logs/server_name/startServer.log
JBoss Application Server
To enable logging:
In the JBoss_home
/server/default/conf/log4j.xml
file, locate or add the following lines:
<category name="XELLERATE">
<priority value="log_level"/>
</category>
<category name="XL_INTG.RSA_ACE">
<priority value="log_level"/>
</category>
In the second XML code line of each set, replace log_level
with the log level that you want to set. For example:
<category name="XELLERATE"> <priority value="INFO"/> </category>
<category name="XL_INTG.RSA_ACE"> <priority value="INFO"/> </category>
After you enable logging, the log information is written to the following file:
JBoss_home/server/default/log/server.log
OC4J
To enable logging:
Add the following lines in the OIM_home
/xellerate/config/log.properties
file:
log4j.logger.XELLERATE=log_level log4j.logger.XL_INTG.RSA_ACE=log_level
In these lines, replace log_level
with the log level that you want to set.
For example:
log4j.logger.XELLERATE=INFO log4j.logger.XL_INTG.RSA_ACE=INFO
After you enable logging, the log information is written to the following file:
OC4J_home/opmn/logs/default_group~home~default_group~1.log
To enable logging for the Remote Manager:
Add the following lines in the RemoteManager_home
/xlremote/config/log.properties
file:
log4j.rootLogger=WARN,stdout,logfile log4j.appender.logfile.File=log_file_path_and_name log4j.logger.XELLERATE=log_level log4j.logger.XL_INTG.RSA_ACE=log_level
In these lines, replace log_file_path_and_name
with the full path and name of the log file and log_level
with the log level that you want to set.
For example:
log4j.rootLogger=WARN,stdout,logfile log4j.appender.logfile.File=c:/rm_rsa_ace_connector.log log4j.logger.XELLERATE=INFO log4j.logger.XL_INTG.RSA_ACE=INFO
After you enable logging, log information is written to the file that you specify as the value of the the log4j.appender.logfile.File
attribute.
As mentioned in the "Files and Directories That Comprise the Connector" section, the connector XML file contains definitions of the components of the connector. By importing the connector XML file, you create these components in Oracle Identity Manager.
To import the connector XML files into Oracle Identity Manager:
Open the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management. A dialog box for locating files is displayed.
Locate and open the xliAuthMgrUser_DM.xml
file, which is in the OIM_home
/xellerate/XLIntegrations/AuthManager/xml
directory. Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Next. The Provide IT Resource Instance Data page for the ACE Remote Manager
IT resource is displayed.
Specify values for the parameters of the ACE Remote Manager
IT resource. Refer to the table in the "IT Resource: ACE Remote Manager" section for information about the values to be specified.
Click Next. The Provide IT Resource Instance Data page for a new instance of the Remote Manager
IT resource type is displayed.
Click Skip to specify that you do not want to define another IT resource. The Provide IT Resource Instance Data page for the ACE Server Remote
IT resource is displayed.
See Also:
If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.Specify values for the parameters of the ACE Server Remote
IT resource. Refer to the table in the "IT Resource: ACE Server Remote" section for information about the values to be specified.
Click Next. The Provide IT Resource Instance Data page for a new instance of the ACE Server
IT resource type is displayed.
Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.
See Also:
If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.Click View Selections.
The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. These nodes represent Oracle Identity Manager entities that are redundant. Before you import the connector XML file, you must remove these entities by right-clicking each node and then selecting Remove.
Click Import. The connector XML file is imported into Oracle Identity Manager.
Perform this procedure again to import the remaining connector XML files in the following order:
Note:
The IT resources that you define while importing thexliAuthMgrUser_DM.xml
file are the same as those that you would need to define when you import the xliAuthMgrToken_DM.xml
file. Therefore, you do not need to define these IT resources again when you import the xliAuthMgrToken_DM.xml
file.xliAuthMgrToken_DM.xml xliAuthMgrScheduledTask_DM.xml
These files are in the OIM_home
/xellerate/XLIntegrations/AuthManager/xml
directory.
Note:
If you do not import the connector XML files in the specified order, then the connector may not work.After you import the connector XML files, proceed to the next chapter.
This section provides information about defining the following IT resources.
You must specify values for the ACE Remote Manager
IT resource parameters listed in the following table.
Parameter | Description |
---|---|
service name |
Remote manager service name
|
url |
Remote manager URL
For example: |
After you specify values for these IT resource parameters, proceed to Step 9 of the procedure to import connector XML files.
You must specify values for the ACE Server Remote
IT resource parameters listed in the following table.
Parameter | Description |
---|---|
ACEAdminMode |
Admin mode through which the connector connects to RSA Authentication Manager for provisioning and reconciliation
The value can be |
ACEAdminPassCode |
Admin passcode, which is required only when the admin mode is Remote
This value is encrypted after it is saved. Sample value: This value is encrypted after it is saved. |
ACEAdminUserId |
Admin user ID, which is required when the admin mode is either Remote or Host . |
Target Locale: Country |
Country code
Default value: Note: You must specify the value in uppercase. |
Target Locale: Language |
Language code
You can select one of the following:
Note: You must specify the value in lowercase. |
CustomReconQuery |
Query condition on which reconciliation must be based
If you specify a query condition for this parameter, then the target system records are searched based on the query condition. If you want to reconcile all the target system records, then do not specify a value for this parameter. The query can be composed with the AND (&) and OR (|) logical operators. Sample value: For more information about this parameter, refer to the "Partial Reconciliation" section. |
After you specify values for these IT resource parameters, proceed to Step 12 of the procedure to import connector XML files.