Oracle® Identity Manager Connector Guide for RSA Authentication Manager
Release 9.0.4

Part Number E10168-01

2 Deploying the Connector

Deploying the connector involves the following steps:

Step 1: Verifying Deployment Requirements

The following table lists the deployment requirements for the connector.

Item: Oracle Identity Manager
Requirement: Oracle Identity Manager release 8.5.3 or later

Item: Target system
Requirement: The target system can be any one of the following:
  • RSA Authentication Manager 6.1
  • RSA Authentication Manager 6.0
  • RSA ACE Server 5.2

Item: Target system host platforms
Requirement: The target system host platform can be any one of the following:
  • Microsoft Windows 2003 Server for RSA Authentication Manager 6.0, RSA Authentication Manager 6.1, and RSA ACE Server 5.2
  • Microsoft Windows 2000 Server for RSA ACE Server 5.2
  • Solaris 9 for RSA Authentication Manager 6.0 and RSA ACE Server 5.2

Item: Other systems
Requirement:
  • JDK
    The version of JDK on which the Oracle Identity Manager server is running must be installed on the ACE server.
  • RSA SecurID software token application
    See Also: The "Installing Software Tokens" section for more information about the RSA SecurID software token.

Item: Remote manager node user account
Requirement: In Host mode, no credentials are required. In Remote mode, any remote node user account would suffice. Refer to the "Defining IT Resources" section for details.

If the specified type of user account is not used, then the following error message is displayed when connector operations are attempted:

Access denied, check administrator credentials


Step 2: Configuring the Target System

Configuring the target system involves the following steps:

Setting Up the Remote Manager

To set up the remote manager on the RSA Authentication Manager server:

Note:

For Solaris, you must create an ACE administrator as a preinstallation requirement for RSA Authentication Manager. This administrator is the file owner of the RSA Authentication Manager installation. Use this ACE administrator account to install the remote manager.

  1. Create the AuthManager directory on the RSA Authentication Manager server.

  2. From the installation media directory, copy the remotePackage directory into the AuthManager directory.

    For Solaris 9

    Log in to the Solaris server by using the user credentials of the RSA Authentication Manager File Owner that was created as a preinstallation requirement for RSA Authentication Manager. Then, create the directory into which you copy the remotePackage directory.

    Note:

    If you copy files from Microsoft Windows to Solaris, all data transfer from the FTP client must be performed in binary mode. In addition, after copying files to the Solaris server, you must check the files for the ^M character pattern.

    You must also perform required operations, such as dos2unix. As described earlier, copy all the files while using the ACE administrator credentials.

  3. To update the class files, copy the lib/xliACE.jar file from the installation media directory to the xl_remote/xlremote/JavaTasks directory.

    Note:

    From this point onward in the guide, the full path of the remotePackage directory on the RSA Authentication Manager server is referred to as xl_remote.

  4. Update the library files as follows:

    On Microsoft Windows:

    Use a text editor to open the following file:

    xl_remote/xlremote/remotemanager.bat

    In this file, depending on the version of Authentication Manager that you are using, set one of the following as the first line of the file:

    For ACE 5.2:

    set PATH=authmgr_home/lib/ACE52;%PATH%

    For RSA Authentication Manager 6.0:

    set PATH=authmgr_home/lib/AuthMgr60;%PATH%

    For RSA Authentication Manager 6.1:

    set PATH=authmgr_home/lib/AuthMgr61;%PATH%

    On Solaris 9:

    For RSA ACE 5.2, add the following lines:

    LD_LIBRARY_PATH=$ACE_INSTALL/prog:$AUTHMGR_HOME/lib/ACE52Sol
    export LD_LIBRARY_PATH

Configuring Strong Authentication Between Oracle Identity Manager and the Remote Manager

To configure strong authentication between Oracle Identity Manager and the remote manager, you must import the required certificate from the remote manager keystore to the Oracle Identity Manager server keystore as follows:

  1. From the Oracle Identity Manager server, copy the OIM_home/xellerate/config/xlserver.cert file to the AuthManager_home/scripts/config directory on the RSA Authentication Manager server.

  2. Use a text editor to open the authmgr_home/scripts/AuthMgrImportXLCert.bat file. Here, authmgr_home is the directory in which RSA Authentication Manager is installed.

    In this file, set the following parameters:

    set JAVA_HOME=jdk_home
    set XL_REMOTE=xl_remote

    For Solaris 9, set the following parameters in the authmgr_home/scripts/AuthMgrImportXLCert.sh file:

    XL_REMOTE=xl_remote
    export XL_REMOTE
    JAVA_HOME=jdk_home
    export JAVA_HOME

  3. Run the AuthMgrImportXLCert.bat file.

    For Solaris 9, run the AuthMgrImportXLCert.sh file.

Configuring SSL Client (Oracle Identity Manager Server) Authentication

To configure SSL client (Oracle Identity Manager server) authentication:

  1. Open the xl_remote/xlremote/config/xlconfig.xml file.

  2. In the <RMSecurity> section of this file, change the value of the <ClientAuth> element to true.

    The following is a code block from the xlconfig.xml file:

    <RMSecurity>
      <RMIOverSSL>true</RMIOverSSL>
      <SSLPort>12345</SSLPort>
      <SSLContextAlgorithm>TLS</SSLContextAlgorithm>
      <KeyManagerFactory>SunX509</KeyManagerFactory>
      <BindingPort>12346</BindingPort>
      <ServiceName>RManager</ServiceName>
      <LoggerConfigFilePath>log.conf</LoggerConfigFilePath>
      <ClientAuth>true</ClientAuth>
    </RMSecurity>

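A check for the setting this procedure changes, written here as an added example (it is not code from the guide or from the connector): it parses an xlconfig.xml fragment and flags an <RMSecurity> section that does not keep RMI on SSL or does not require SSL client authentication, and applies the <ClientAuth> edit. The sample XML is constructed, and the enclosing <xlconfig> root element is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the guide): the <RMSecurity> block as it
# looks before this procedure, with client authentication still off.
# The <xlconfig> root element around it is an assumption.
WEAK_CONFIG = """<xlconfig>
  <RMSecurity>
    <RMIOverSSL>true</RMIOverSSL>
    <SSLPort>12345</SSLPort>
    <SSLContextAlgorithm>TLS</SSLContextAlgorithm>
    <KeyManagerFactory>SunX509</KeyManagerFactory>
    <BindingPort>12346</BindingPort>
    <ServiceName>RManager</ServiceName>
    <LoggerConfigFilePath>log.conf</LoggerConfigFilePath>
    <ClientAuth>false</ClientAuth>
  </RMSecurity>
</xlconfig>"""

# The same block after step 2 of the procedure.
HARDENED_CONFIG = WEAK_CONFIG.replace("<ClientAuth>false", "<ClientAuth>true")


def _is_true(section, name):
    """True/False for a boolean child element, None if it is absent."""
    el = section.find(name)
    if el is None or el.text is None:
        return None
    return el.text.strip().lower() == "true"


def check_rm_security(xml_text):
    """Return a list of findings for the <RMSecurity> section.

    An empty list means RMI traffic runs over SSL and the remote manager
    demands a certificate from the Oracle Identity Manager server.
    """
    root = ET.fromstring(xml_text)
    rmsec = root.find(".//RMSecurity")
    if rmsec is None:
        return ["RMSecurity section missing: remote manager security is not configured"]
    findings = []
    if _is_true(rmsec, "RMIOverSSL") is not True:
        findings.append("RMIOverSSL is not true: RMI traffic to the remote manager is not protected by SSL")
    if _is_true(rmsec, "ClientAuth") is not True:
        findings.append("ClientAuth is not true: the remote manager accepts any SSL client, "
                        "not only the Oracle Identity Manager server whose certificate was imported")
    return findings


def set_client_auth(xml_text):
    """Apply the edit from step 2: force <ClientAuth> to true and return the XML."""
    root = ET.fromstring(xml_text)
    rmsec = root.find(".//RMSecurity")
    if rmsec is None:
        raise ValueError("no <RMSecurity> section in xlconfig.xml")
    el = rmsec.find("ClientAuth")
    if el is None:
        el = ET.SubElement(rmsec, "ClientAuth")
    el.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_rm_security(cfg) or ["ok"])
```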

Multiple Oracle Identity Manager Servers Communicating with a Single Remote Manager

If a setup involves more than one Oracle Identity Manager server communicating with a single remote manager, then you must address the considerations described in this section.

The OIM_home/xellerate/config/xlserver.cert certificate for any Oracle Identity Manager installation would have the same dname value. If you import this certificate from one Oracle Identity Manager installation into the target system remote manager keystore, then you cannot directly use the same certificate from another installation for the same purpose and in the same manner.

Therefore, if one Oracle Identity Manager installation is already configured with a particular remote manager and the same is needed for another Oracle Identity Manager installation, then you must first create a certificate with a different DN for the second installation before you can use this new certificate with the remote manager.

Enter the following commands in the specified order.

  1. Generate a new key pair by entering the following command:

    jdk_home/jre/bin/keytool -genkey -alias xell2 -keyalg DSA -keysize 1024 -dname "CN=Customer1, OU=Customer, O=Customer, L=City, ST=NY, C=US" -validity 3650 -keypass xellerate -keystore OIM_home/xellerate/config/.xlkeystore -storepass xellerate -storetype jks -provider sun.security.provider.Sun

    When you run this command, ensure that the dname value that you specify is not the same as the default dname value of the existing certificates in the Oracle Identity Manager keystore:

    OIM_home/xellerate/config/.xlkeystore

    The default value is as follows:

    CN=Customer, OU=Customer, O=Customer, L=City, ST=NY, C=US

  2. Create a certificate request by entering the following command:

    jdk_home/jre/bin/keytool -certreq -alias xell2 -file OIM_home/xellerate/config/xell1.csr -keypass xellerate -keystore OIM_home/xellerate/config/.xlkeystore -storepass xellerate -storetype jks -provider sun.security.provider.Sun

  3. Export the certificate to a file by entering the following command:

    jdk_home/jre/bin/keytool -export -alias xell2 -file OIM_home/xellerate/config/xlserver1.cert -keypass xellerate -keystore OIM_home/xellerate/config/.xlkeystore -storepass xellerate -storetype jks -provider sun.security.provider.Sun

    This command creates the following security certificate:

    OIM_home/xellerate/config/xlserver1.cert

    This is the certificate that you must use for configuration purposes.

  4. Import the certificate into the remote manager keystore by entering the following command:

    jdk_home/jre/bin/keytool -import -trustcacerts -alias xel2trusted -noprompt -keystore OIM_home/xellerate/config/.xlkeystore -file OIM_home/xellerate/config/xlserver1.cert -storepass xellerate


For configuring strong authentication between another Oracle Identity Manager Server installation and the remote manager, use the OIM_home/xellerate/config/xlserver1.cert file instead of the xlserver.cert file.

Configuring Strong Authentication Between the Remote Manager and the Oracle Identity Manager Server

To set up the remote manager as a trusted source for Oracle Identity Manager:

  1. On the RSA Authentication Manager server, copy the xl_remote/xlremote/config/xlserver.cert file into the following directory:

    OIM_home/xellerate/XLIntegrations/AuthManager/scripts/config

  2. Use a text editor to open the following file:

    OIM_home/xellerate/XLIntegrations/AuthManager/scripts/AuthMgrImportRMCert.bat

    In this file, edit the following lines to specify the path to the JDK and Oracle Identity Manager installation directories. Do not put spaces around the equals sign: in a batch file, a space before the equals sign becomes part of the variable name.

    set JAVA_HOME=jdk_home
    set XELLERATE_HOME=OIM_home

    For Oracle Identity Manager installed on Solaris 8 or Red Hat Advanced Server 2.1, open the following file in a text editor:

    OIM_home/xellerate/XLIntegrations/AuthManager/scripts/AuthMgrImportRMCert.sh

    In this file, edit the following lines to specify the path to the JDK and Oracle Identity Manager installation directories. Do not put spaces around the equals sign: in a shell script, an assignment with spaces is parsed as a command.

    JAVA_HOME=jdk_home
    export JAVA_HOME
    XELLERATE_HOME=OIM_home
    export XELLERATE_HOME

  3. Run the AuthMgrImportRMCert.bat file.

    For Oracle Identity Manager installed on Solaris 8 or Red Hat Linux AS 2.1, run the AuthMgrImportRMCert.sh file.

Step 3: Copying the Connector Files

The connector files to be copied and the directories to which you must copy them are given in the following table.

Note:

The directory paths given in the first column of this table correspond to the location of the connector files in the following directory on the installation media:
Security Applications/RSA Authentication Manager

Refer to the "Files and Directories That Comprise the Connector" section for more information about these files.

File in the Installation Media Directory: lib/xliACE.jar
Destination Directory:
  • OIM_home/xellerate/JavaTasks
  • OIM_home/xellerate/ScheduleTask

File in the Installation Media Directory: Directories and files in the remotePackage directory
Destination Directory: OIM_home/xellerate/XLIntegrations/AuthManager/remotePackage
Note: You do not need to copy this directory if you already performed the procedure described in the "Setting Up the Remote Manager" section.

File in the Installation Media Directory: Files in the resources directory
Destination Directory: OIM_home/xellerate/connectorResources

File in the Installation Media Directory: Directories and files in the scripts directory
Destination Directory: OIM_home/xellerate/XLIntegrations/AuthManager/scripts

File in the Installation Media Directory: Directories and files in the tests directory
Destination Directory: OIM_home/xellerate/XLIntegrations/AuthManager/tests

File in the Installation Media Directory: Files in the xml directory
Destination Directory: OIM_home/xellerate/XLIntegrations/AuthManager/xml

Note:

While installing Oracle Identity Manager in a clustered environment, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy the connectorResources directory and the JAR files to the corresponding directories on each node of the cluster.

Step 4: Configuring the Oracle Identity Manager Server

Note:

In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.

Configuring the Oracle Identity Manager server involves performing the following procedures:

Note:

In a clustered environment, you must perform this step on each node of the cluster.

Changing to the Required Input Locale

Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.

You may require the assistance of the system administrator to change to the required input locale.

Clearing Content Related to Connector Resource Bundles from the Server Cache

While performing the instructions described in the "Step 3: Copying the Connector Files" section, you copy files from the resources directory on the installation media into the OIM_home/xellerate/connectorResources directory. Whenever you add a new resource bundle in the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

  1. In a command window, change to the OIM_home/xellerate/bin directory.

    Note:

    You must perform Step 1 before you perform Step 2. If you run the command described in Step 2 by specifying its full path, as follows, then an exception is thrown:

    OIM_home/xellerate/bin/batch_file_name

  2. Enter one of the following commands:

    • On Microsoft Windows:

      PurgeCache.bat ConnectorResourceBundle

    • On UNIX:

      PurgeCache.sh ConnectorResourceBundle

    Note:

    You can ignore the exception that is thrown when you perform Step 2.

    In this command, ConnectorResourceBundle is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:

    OIM_home/xellerate/config/xlConfig.xml

Enabling Logging

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • ALL

    This level enables logging for all events.

  • DEBUG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • INFO

    This level enables logging of informational messages that highlight the progress of the application at coarse-grained level.

  • WARN

    This level enables logging of information about potentially harmful situations.

  • ERROR

    This level enables logging of information about error events that may still allow the application to continue running.

  • FATAL

    This level enables logging of information about very severe error events that could cause the application to stop functioning.

  • OFF

    This level disables logging for all events.

The file in which you set the log level and the log file path depend on the application server that you use:

  • BEA WebLogic

    To enable logging:

    1. Add the following lines in the OIM_home/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      log4j.logger.XL_INTG.RSA_ACE=log_level

    2. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      log4j.logger.XL_INTG.RSA_ACE=INFO

    After you enable logging, the log information is written to the following file:

    WebLogic_home/user_projects/domains/domain_name/server_name/server_name.log

  • IBM WebSphere

    To enable logging:

    1. Add the following lines in the OIM_home/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      log4j.logger.XL_INTG.RSA_ACE=log_level

    2. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      log4j.logger.XL_INTG.RSA_ACE=INFO

    After you enable logging, the log information is written to the following file:

    WebSphere_home/AppServer/logs/server_name/startServer.log

  • JBoss Application Server

    To enable logging:

    1. In the JBoss_home/server/default/conf/log4j.xml file, locate or add the following lines:

      <category name="XELLERATE">
         <priority value="log_level"/>
      </category>

      <category name="XL_INTG.RSA_ACE">
         <priority value="log_level"/>
      </category>

    2. In the second XML code line of each set, replace log_level with the log level that you want to set. For example:

      <category name="XELLERATE">
         <priority value="INFO"/>
      </category>

      <category name="XL_INTG.RSA_ACE">
         <priority value="INFO"/>
      </category>

    After you enable logging, the log information is written to the following file:

    JBoss_home/server/default/log/server.log

  • OC4J

    To enable logging:

    1. Add the following lines in the OIM_home/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      log4j.logger.XL_INTG.RSA_ACE=log_level

    2. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      log4j.logger.XL_INTG.RSA_ACE=INFO

    After you enable logging, the log information is written to the following file:

    OC4J_home/opmn/logs/default_group~home~default_group~1.log

Enabling Logging for the Remote Manager

To enable logging for the Remote Manager:

  1. Add the following lines in the RemoteManager_home/xlremote/config/log.properties file:

    log4j.rootLogger=WARN,stdout,logfile
    log4j.appender.logfile.File=log_file_path_and_name
    log4j.logger.XELLERATE=log_level
    log4j.logger.XL_INTG.RSA_ACE=log_level

  2. In these lines, replace log_file_path_and_name with the full path and name of the log file and log_level with the log level that you want to set.

    For example:

    log4j.rootLogger=WARN,stdout,logfile
    log4j.appender.logfile.File=c:/rm_rsa_ace_connector.log
    log4j.logger.XELLERATE=INFO
    log4j.logger.XL_INTG.RSA_ACE=INFO

After you enable logging, log information is written to the file that you specify as the value of the log4j.appender.logfile.File attribute.

Step 5: Importing the Connector XML Files

As mentioned in the "Files and Directories That Comprise the Connector" section, the connector XML file contains definitions of the components of the connector. By importing the connector XML file, you create these components in Oracle Identity Manager.

To import the connector XML files into Oracle Identity Manager:

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for locating files is displayed.

  4. Locate and open the xliAuthMgrUser_DM.xml file, which is in the OIM_home/xellerate/XLIntegrations/AuthManager/xml directory. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Next. The Provide IT Resource Instance Data page for the ACE Remote Manager IT resource is displayed.

  8. Specify values for the parameters of the ACE Remote Manager IT resource. Refer to the table in the "IT Resource: ACE Remote Manager" section for information about the values to be specified.

  9. Click Next. The Provide IT Resource Instance Data page for a new instance of the Remote Manager IT resource type is displayed.

  10. Click Skip to specify that you do not want to define another IT resource. The Provide IT Resource Instance Data page for the ACE Server Remote IT resource is displayed.

    See Also:

    If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.
  11. Specify values for the parameters of the ACE Server Remote IT resource. Refer to the table in the "IT Resource: ACE Server Remote" section for information about the values to be specified.

  12. Click Next. The Provide IT Resource Instance Data page for a new instance of the ACE Server IT resource type is displayed.

  13. Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.

    See Also:

    If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.
  14. Click View Selections.

    The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. These nodes represent Oracle Identity Manager entities that are redundant. Before you import the connector XML file, you must remove these entities by right-clicking each node and then selecting Remove.

  15. Click Import. The connector XML file is imported into Oracle Identity Manager.

  16. Perform this procedure again to import the remaining connector XML files in the following order:

    xliAuthMgrToken_DM.xml
    xliAuthMgrScheduledTask_DM.xml

    These files are in the OIM_home/xellerate/XLIntegrations/AuthManager/xml directory.

    Note:

    The IT resources that you define while importing the xliAuthMgrUser_DM.xml file are the same as those that you would need to define when you import the xliAuthMgrToken_DM.xml file. Therefore, you do not need to define these IT resources again when you import the xliAuthMgrToken_DM.xml file.

    Note:

    If you do not import the connector XML files in the specified order, then the connector may not work.

After you import the connector XML files, proceed to the next chapter.

Defining IT Resources

This section provides information about defining the following IT resources.

IT Resource: ACE Remote Manager

You must specify values for the ACE Remote Manager IT resource parameters listed in the following table.

Parameter: service name
Description: Remote manager service name
Value: RManager

Parameter: url
Description: Remote manager URL
For example: rmi://10.1.1.114:12346


After you specify values for these IT resource parameters, proceed to Step 9 of the procedure to import connector XML files.

IT Resource: ACE Server Remote

You must specify values for the ACE Server Remote IT resource parameters listed in the following table.

Parameter: ACEAdminMode
Description: Admin mode through which the connector connects to RSA Authentication Manager for provisioning and reconciliation. The value can be Host or Remote.

Parameter: ACEAdminPassCode
Description: Admin passcode, which is required only when the admin mode is Remote. This value is encrypted after it is saved.
Sample value: 123456

Parameter: ACEAdminUserId
Description: Admin user ID, which is required when the admin mode is either Remote or Host.

Parameter: Target Locale: Country
Description: Country code
Default value: US
Note: You must specify the value in uppercase.

Parameter: Target Locale: Language
Description: Language code. You can select one of the following:
  • English: en
  • Japanese: jp
  • French: fr
Note: You must specify the value in lowercase.

Parameter: CustomReconQuery
Description: Query condition on which reconciliation must be based. If you specify a query condition for this parameter, then the target system records are searched based on the query condition. If you want to reconcile all the target system records, then do not specify a value for this parameter. The query can be composed with the AND (&) and OR (|) logical operators.
Sample value: First Name=John&Last Name=Doe
For more information about this parameter, refer to the "Partial Reconciliation" section.


After you specify values for these IT resource parameters, proceed to Step 12 of the procedure to import connector XML files.
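A worked example of the CustomReconQuery syntax described in the table above, added here and not part of the guide or the connector: it parses a query built from Field=Value terms joined with & and |, then selects the matching records from a constructed set of target-system records. The guide does not state operator precedence or matching rules, so this example assumes that & binds tighter than | and that values are compared exactly.

```python
# Constructed sample of target-system user records (not from the guide).
RECORDS = [
    {"First Name": "John", "Last Name": "Doe", "Default Login": "jdoe"},
    {"First Name": "Jane", "Last Name": "Doe", "Default Login": "jadoe"},
    {"First Name": "John", "Last Name": "Smith", "Default Login": "jsmith"},
]


def parse_query(query):
    """Parse a CustomReconQuery string into OR-groups of AND-terms.

    Assumptions (the guide does not state them): '&' binds tighter than '|',
    each term has the form 'Field=Value', and whitespace around '=' is
    not significant. Returns [[(field, value), ...], ...], where the outer
    list is joined by OR and each inner list by AND.
    """
    groups = []
    for clause in query.split("|"):
        terms = []
        for term in clause.split("&"):
            if "=" not in term:
                raise ValueError("query term without '=': %r" % term)
            field, value = term.split("=", 1)
            field, value = field.strip(), value.strip()
            if not field:
                raise ValueError("empty field name in term %r" % term)
            terms.append((field, value))
        groups.append(terms)
    return groups


def matches(record, groups):
    """A record matches if every term of at least one AND-group holds.
    Exact string comparison is an assumption of this example."""
    return any(all(record.get(field) == value for field, value in terms)
               for terms in groups)


def select_records(records, query):
    """Return the records reconciliation would fetch for this query.
    An empty query means reconcile every record, as the table states."""
    if not query or not query.strip():
        return list(records)
    groups = parse_query(query)
    return [r for r in records if matches(r, groups)]


if __name__ == "__main__":
    for q in ("First Name=John&Last Name=Doe", "Last Name=Doe|Last Name=Smith", ""):
        print(repr(q), [r["Default Login"] for r in select_records(RECORDS, q)])
```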