| Oracle® Identity Manager Connector Guide for UNIX SSH Release 9.0.4 Part Number E10176-01 |
|
|
View PDF |
| Oracle® Identity Manager Connector Guide for UNIX SSH Release 9.0.4 Part Number E10176-01 |
|
|
View PDF |
Deploying the connector involves the following steps:
The following table lists the deployment requirements for the connector.
| Item | Requirement |
|---|---|
| Oracle Identity Manager | Oracle Identity Manager release 8.5.3 or later |
| Target systems | The target system can be any one of the following:
|
| External code | JSCAPE SSH/SSH Libraries (SSH factory) |
| Other systems | OpenSSH, OpenSSL, operating system patches (HP-UX), and SUDO software (only if the SUDO Admin mode is required) |
| Target system user account | root or sudo user
You provide the credentials of this user account while performing the procedure in the "Defining IT Resources" section. If you do not use a target system user account of the specified type, then an error message similar to the following would be displayed when Oracle Identity Manager tries to exchange data with the target system:
|
Character encoding (en_US) supported by the target system |
The target system must support en_US character encoding standards such as UTF-8 and iso8859.
Use the following command to check the locale -a Note: If the target system does not support any of the |
The supported shell types for various operating systems are given in the following table.
| Solaris | HP-UX | Linux | AIX |
|---|---|---|---|
sh |
csh |
ksh |
csh |
csh |
ksh |
bash |
ksh |
| - | sh |
sh |
sh |
| - | - | csh |
- |
Configuring the target system involves the steps described in the following sections:
This section provides instructions to configure the target system on the following platforms:
Perform the following steps for Solaris and Linux environments:
Ensure that the /etc/passwd and /etc/shadow files are available on the UNIX server.
Ensure that a passwd mirror file is created on the target server by using a command similar to the following:
cp /etc/passwd /etc/passwd1
The same file name with the path must be inserted in the Passwd Mirror File/User Mirror File attribute of the reconciliation scheduled task.
Ensure that a shadow mirror file is created on the target server by using a command similar to the following:
cp /etc/shadow /etc/shadow1
The name and path of this file must be specified for the Shadow Mirror File attribute of the reconciliation scheduled task.
Perform the following steps for AIX environments:
Ensure that the /etc/passwd and /etc/security/user files are available on the server.
Ensure that a user mirror file is created on the server by using a command similar to the following:
lsuser -c -a id pgrp gecos home shell expires maxage ALL |
tr '#' ' ' > /etc/mainUserFile1
The name and path of this file must be specified for the Passwd Mirror File/User Mirror File (AIX) attribute of the scheduled task for reconciliation.
Perform the following steps for HP-UX environments:
Log in as root and then run the following command:
Select Auditing and Security and System Security Policies. A message is displayed asking if you want to switch to the trusted mode.
Click OK.
If the following message is displayed, then skip the next step:
System changed successfully to trusted system
Ensure that the /etc/passwd and /etc/shadow directories are available on the target server.
If the shadow file does not exist, then follow the installation instructions at
http://docs.hp.com/en/5991-0909/index.html
All the patches are available in the HP patch database, which you can download from
This section describes the procedure to install external software.
Follow these steps to install OpenSSH on Solaris 9 or HP-UX.
For Solaris 8
If SSH is not installed on the Solaris server, then install the appropriate OpenSSH. For Solaris 8, you can download the packages listed in this section from
http://www.sunfreeware.com/openssh8.html
If the GCC compiler is not installed, then you must install the packages in the following file:
libgcc-3.3-sol8-sparc-local.gz
The following packages are included in this file. You must install these packages in the specified order:
prngd-0.9.25-sol8-sparc-local.gz (optional)
tcp_wrappers-7.6-sol8-sparc-local.gz (optional, but recommended)
zlib-1.2.1-sol8-sparc-local.gz
openssl-0.9.7g-sol8-sparc-local.gz
openssh-4.1p1-sol8-sparc-local.gz
Create a group with the name sshd and group ID 27. Add a user with the name sshadmin to this group.
To enable root logins, change the value of PermitRootLogin in the /etc/ssh/sshd_config file as follows:
PermitRootLogin yes
Note:
Implement this change only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value ofPermitRootLogin to without-password.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
For Solaris 9
If SSH is not installed on the Solaris server, then install the appropriate OpenSSH. For Solaris 9, you can download the packages listed in this section from
Note:
If the GCC compiler is not installed, then install the following packages:libgcc-3.4.1-sol9-sparc-local.gz
libiconv-1.8-sol9-sparc-local.gz
You must install these packages in the following order:
prngd-0.9.25-sol9-sparc-local.gz
tcp_wrappers-7.6-sol9-sparc-local.gz
zlib-1.2.1-sol9-sparc-local.gz
openssl-0.9.7d-sol9-sparc-local.gz
openssh-3.9p1-sol9-sparc-local.gz
Create a group with the name sshd and group ID 27. Add a user with the name sshadmin to this group.
To enable root logins, change the value of PermitRootLogin in the /etc/ssh/sshd_config file as follows:
PermitRootLogin yes
Note:
Implement this change only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value ofPermitRootLogin to without-password.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
For Solaris 10
By default, OpenSSH is installed on Solaris 10. If it is not installed, then install the OpenSSH server from the operating system installation CD. To enable SSH on Solaris 10, make the following changes in the /etc/ssh/ssh_config file:
Remove the comment character from the Host * line.
To enable root logins, change the value of PermitRootLogin in the /etc/ssh/sshd_config file as follows:
PermitRootLogin yes
Note:
Implement this change only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value ofPermitRootLogin to without-password.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
For HP-UX
If SSH is not installed on the UNIX server, then install the appropriate OpenSSH:
For HP-UX 11.11, download and install the appropriate patch from
For HP-UX B.11.11, download the file, PHCO_33711.depot for hpux_800_11.11_11300132-patch.tgz. Use the following command to install it:
swinstall -x autoreboot=true -x patch_match_target=true -s /tmp/PHCO_33711.depot
Download and install OpenSSH. You can download the T1471AA_A.03.81.002_HP-UX_B.11.11_32+64.depot file from
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA
After the patch is successfully installed, use the following command to install openSSH.
swinstall -s /tmp/T1471AA_A.03.81.002_HP-UX_B.11.11_32+64.depot
After this is installed, the HP-UX Secure Shell daemon (sshd) is automatically preconfigured and started.
Create a group with the name sshd.
Add a user with the name sshadmin to this group.
To enable root logins, change the value of PermitRootLogin in the /etc/ssh/sshd_config file as follows:
PermitRootLogin yes
Note:
Implement this change only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value ofPermitRootLogin to without-password.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
For Linux
By default, OpenSSH is installed on Red Hat Advanced Server 2.1 and Red Hat Enterprise Linux 3. If it is not installed, then install the OpenSSH server from the operating system installation CD.
For AIX
If SSH is not installed on the AIX 5.2 server, then perform the following steps:
Download and install OpenSSL.
Download the openssl-0.9.7d-aix5.1.ppc.rpm file from
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
Then, enter the following command to install OpenSSL:
geninstall -d /root/download R: openssl-0.9.7d-2.aix5.1.ppc.rpm
In this command, /root/download is the location on the AIX server where the openssl-0.9.7d-2.aix5.1.ppc.rpm file is stored.
Download and install PRNG.
Download the prngd-0.9.23-3.aix4.3.ppc.rpm file from
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
Then, enter the following command to install PRNG:
geninstall -d /root/download R: prngd-0.9.23-3.aix4.3.ppc.rpm
In this command, /root/download is the location on the AIX server where the prngd-0.9.23-3.aix4.3.ppc.rpm file is stored.
Download and install OpenSSH.
Download the openssh-3.8.1p1_52.tar.gz file from
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
Then, enter the following commands to install openSSH:
gunzip /root/download/openssh-3.8.1p1_52.tar.gz tar -xvf /root/download/openssh-3.8.1p1_52.tar geninstall -I"Y" -d /root/download I:openssh.base
In these commands, /root/download is the location on the AIX server where the openssh-3.8.1p1_52.tar.gz file is stored.
To enable root logins, change the value of PermitRootLogin in the /etc/ssh/sshd_config file as follows:
PermitRootLogin yes
Note:
Implement this change only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value ofPermitRootLogin to without-password.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
If you want to use the SSH connector in the SUDO Admin mode, then perform the following steps to install and configure SUDO:
For Solaris
If SUDO is not installed on the Solaris server, then first download it.
For Solaris 9, download the sudo-1.6.8p4-sol9-sparc-local.gz file from
For Solaris10, download the sudo-1.6.8p9-sol9-sparc-local.gz file from
For Solaris 8, download the sudo-1.6.8p9-sol8-sparc-local.gz file from
Use the following command to install SUDO:
pkgadd -d filename_with_full_path
Edit the sudoers file on the Solaris server to customize it according to your requirements. This file is located in the following directory:
/usr/local/etc/
For example, if a group named mqm exists on the Solaris server, and you require all members of the group to act as SUDO users with all possible privileges, then the sudoers file must contain a line similar to the following:
%mqm ALL= (ALL) ALL
This is only a sample configuration. If you require some other group members or individual users to be SUDO users with specific privileges, then you must edit this file as you did for the sample value mqm.
This connector uses the following commands:
useradd
usermod
passwd
cat
diff
userdel
Therefore, the SUDO user must have privileges to run these commands.
Note:
Do not use theNOPASSWD: ALL option for any SUDO user or group.
For information about customizing the sudoers file, refer to
Edit the same sudoers file so that every time a command is run in SUDO Admin mode, the SUDO user is prompted for the password. Add the following line under the # Defaults specification header:
Defaults timestamp_timeout=0
This is a prerequisite for this connector to work successfully.
Log in to the Solaris computer as root, and enter the following commands:
chmod 440 /usr/local/etc/sudoers chgrp root /usr/local/etc/sudoers chmod 4111 /usr/local/bin/sudo
Create a SUDO user. The SUDO user must be created according to the constraints specified in the sudoers file.
The SUDO user must always be created with its home directory by using a command similar to the following:
useradd -g group_name -d /export/home/directory_name -m user_name
In the sudo user's .profile file, which is created in the sudo user's home directory, add the following lines to set the value of the PATH environment variable:
PATH=/usr/sbin:/usr/local/bin:/usr/local/etc:/var/adm/sw/products:$PATH export PATH
For HP-UX
If SUDO is not installed on the HP-UX server, then install the appropriate SUDO. For HP-UX, download the sudo-1.6.8p6-sd-11.11.depot.gz file from
Enter the following command to install SUDO:
swinstall -s filename_with_full_path
Edit the sudoers file to customize it according to your requirements. This file is located in the following directory:
OIM_home/Xellerate/XLIntegrations/SSH/config/
For example, if you have a group named mqm on the HP-UX server and you want all members of the group to act as SUDO users with all possible privileges, then the sudoers file must contain the following line:
%mqm ALL= (ALL) ALL
This is only a sample configuration. If you want to make SUDO users with specific privileges out of other group members or individual users, then edit this file as you did for the sample value mqm.
This connector uses the following commands:
useradd
usermod
passwd
cat
diff
userdel
Therefore, the SUDO user must have the privileges required to run these commands.
Note:
Do not use theNOPASSWD: ALL option for any SUDO user or group.
For information about customizing the sudoers file, refer to
Edit the same sudoers file so that every time a command is run in SUDO Admin mode, the SUDO user is prompted for a password. Add the following line under the # Defaults specification header:
Defaults timestamp_timeout=0
This is an essential prerequisite for the connector to work successfully.
Copy the sudoers file that you edited into the /etc directory of the target system. After copying the file, enter the following command:
dos2ux /etc/sudoers > /etc/sudoers1
Then, change the name of the file from sudoers1 to sudoers.
Log in as root, and enter the following commands on the HP-UX computer:
chmod 440 /etc/sudoers chgrp root /etc/sudoers chmod 4111 /usr/local/bin/sudo
Create a SUDO user. The SUDO user should be created according to the constraints specified in the sudoers file.
The SUDO user should always be created with its home directory by using a command similar to the following:
useradd -g group_name -d /home/directory_name -m user_name
In addition, in the .profile file, which is created in the home directory, add the following lines to set the appropriate PATH:
PATH=/usr/sbin:/usr/local/bin:/usr/local/etc:/var/adm/sw/products:$PATH export PATH
For AIX
If SUDO is not installed on AIX 5.2, then install the appropriate SUDO AIX 5.2 version sudo-1.6.7p5-2.aix5.1.ppc.rpm file from
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
If RPM Package Manager is not installed on the AIX 5.2 server, then install it from
http://www-1.ibm.com/servers/aix/products/aixos/linux/altlic.html
Enter the following command to install SUDO:
rpm -I /root/download/sudo-1.6.7p5-2.aix5.1.ppc.rpm
In this command, /root/download is the location on the AIX server where the sudo-1.6.7p5-2.aix5.1.ppc.rpm file is stored.
Edit the sudoers file, which is in the /etc directory on the AIX server, to customize the file according to your requirements.
For example, if you have a group named mqm in the AIX server and require all members of the group to act as SUDO users with all possible privileges, then the sudoers file must contain the following line:
%mqm ALL= (ALL) ALL
This is only a sample configuration. If you need other group members or individual users to be SUDO users with specific privileges, then edit this file as was done for the sample value mqm.
This connector uses the following commands:
mkuser
chuser
passwd
cat
diff
usermod
rmuser
Therefore, the SUDO user must have the privileges required to run these commands.
Note:
Do not use theNOPASSWD: ALL option for any SUDO user or group.
For information about customizing the sudoers file, refer to
Edit the same sudoers file to configure the system, so that every time a command is run through SUDO Admin mode, the SUDO user is prompted for a password. Add the following line under the # Defaults specification header:
Defaults timestamp_timeout=0
This is a prerequisite for this connector to work successfully.
Create a SUDO user. The SUDO user should be created according to the constraints specified in the sudoers file.
For Red Hat Advanced Server 2.1
If SUDO is not installed on the Red Hat Advanced Server 2.1 server, then install the appropriate SUDO. To do this, first download the sudo-1.6.7p5-1.i686.rpm file from
http://rpmfind.net/linux/rpm2html/search.php?query=sudo&submit=Search
Then, enter the following command to install SUDO:
rpm -i /root/download/sudo-1.6.7p5-1.i686.rpm
In this command, /root/download is the location on the Linux server where the sudo-1.6.7p5-1.i686.rpm file is stored.
Use the visudo command to edit and customize the /etc/sudoers file according to your requirements.
Note:
If you cannot use thevisudo command to edit the sudoers file, then:
Enter the following command:
chmod 777 /etc/sudoers
Make the required changes in the sudoers file.
Enter the following command:
chmod 440 /etc/sudoers
For example, if you have a group named mqm on the Linux server and require all members of the group to act as SUDO users with all possible privileges, then the sudoers file must contain the following line:
mqm ALL= (ALL) ALL
This example is only a sample configuration. If you need other group members or individual users to be SUDO users with specific privileges, then edit this file as was done for the sample value mqm.
The commands that this connector uses are:
useradd
usermod
passwd
cat
diff
userdel
Therefore, the SUDO user must have the privileges required to run these commands.
Note:
Do not use theNOPASSWD: ALL option for any SUDO user or group.
For information about customizing the sudoers file, refer to
Edit the same sudoers file to configure the system, so that every time a command is run in SUDO Admin mode, the SUDO user is prompted for a password. Under the # Defaults specification header, add the following line:
Defaults timestamp_timeout=0
This is a prerequisite for this connector to work successfully.
Create a SUDO user as follows:
Enter the following command:
useradd -g group_name -d /home/directory_name -m user_name
In this command:
- group_name is the SUDO users group for which there is an entry in the /etc/sudoers file.
- directory_name is the name of the directory in which you want to create the default directory for the user.
In the .bash_profile file, which is created in the /home/directory_name directory, add the following lines to set the PATH environment variable:
PATH=/usr/sbin:$PATH export PATH
For Red Hat Enterprise Linux 3.x and Red Hat Linux 4.x
If SUDO is not installed on the Red Hat Enterprise Linux 3.x or 4.x server, then install the appropriate SUDO. For Linux Advanced Server 3.0 and 4.1, download the sudo-1.6.7p5-1.i686.rpm file from
http://rpmfind.net/linux/rpm2html/search.php?query=sudo&submit=Search
Then, enter the following command to install SUDO:
rpm -i /root/download/sudo-1.6.7p5-1.i686.rpm
In this command, /root/download is the location on the Linux server where the sudo-1.6.7p5-1.i686.rpm file is stored.
Use the visudo command to edit and customize the /etc/sudoers file according to your requirements.
Note:
If you cannot use thevisudo command to edit the sudoers file, then:
Enter the following command:
chmod 777 /etc/sudoers
Make the required changes in the sudoers file.
Enter the following command:
chmod 440 /etc/sudoers
For example, if you have a group named mqm on the Linux server and want all of the members of the group to act as SUDO users with all possible privileges, then the sudoers file must contain the following line:
%mqm ALL= (ALL) ALL
This is only a sample configuration. If you want some other group members or individual users to be SUDO users with specific privileges, you must edit this file as was done for the sample value mqm.
This connector uses the following commands:
useradd
usermod
passwd
cat
diff
userdel
Therefore, the SUDO user must have the privileges required to run these commands.
Note:
Do not use theNOPASSWD: ALL option for any SUDO user or group.
For information about customizing the sudoers file, refer to
Edit the same sudoers file to configure the system, so that every time a command is run in SUDO Admin mode, the SUDO user is prompted for a password. Under the # Defaults specification header, add the following line:
Defaults timestamp_timeout=0
This is a prerequisite for this connector to work successfully.
Create a SUDO user as follows:
Enter the following command:
useradd -g group_name -d /home/directory_name -m user_name
In this command:
- group_name is the SUDO users group for which there is an entry in the /etc/sudoers file.
- directory_name is the name of the directory in which you want to create the default directory for the user.
In the .bash_profile file, which is created in the /home/directory_name directory, add the following lines to set the PATH environment variable:
PATH=/usr/sbin:$PATH export PATH
This section discusses the following topics:
To configure Public Key Authentication:
Copy SSH/scripts/privateKeyGen.sh to any directory on the server.
Open this script file in a text editor and specify a working directory path other than the default value given in the file.
If required, enter the following command:
For Solaris or Linux:
dos2unix privateKeyGen.sh privateKeyGen.sh
For HP-UX:
dos2ux privateKeyGen.sh
Run the privateKeyGen.sh script on the UNIX server. Provide a secure pass phrase when prompted.
When these commands are run, the following files are created in the $HOME/.ssh directory:
id_rsa: This is a private key file.
authorized_keys: This file lists public keys that can be used to log in.
When the keys are generated successfully, edit the sshd_config file for Public Key Authentication and test login.
After successfully testing login, copy the id_rsa file to the following directory:
OIM_home/Xellerate/XLIntegrations/SSH/Config
Note:
This release of the connector has been tested and certified only for RSA keys, and not DSA. In addition, this connector has been tested and certified for only single key configuration and not multiple keys.To configure SSH Public Key Authentication:
For Solaris
Set the following parameters in the /etc/ssh/sshd_config file:
PubKeyAuthorization yes PasswordAuthentication no PermitRootLogin yes
Note:
Change the value ofPermitRootLogin to yes only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value of PermitRootLogin to without-password.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
To restart the SSH server, enter the following commands:
/etc/init.d/sshd stop
/etc/init.d/sshd start
To test login:
ssh -i /.ssh/id_rsa -l root server_IP_address
This command prompts you for the passkey before setting up the connection.
For HP-UX
Uncomment the following lines in the /etc/ssh/sshd_config file:
PermitRootLogin yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys
Note:
Change the value ofPermitRootLogin to yes only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value of PermitRootLogin to without-password.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
To restart the SSH Server, enter the following command:
/opt/ssh/sbin/sshd
To test login, enter the following command:
ssh -i /.ssh/id_rsa -l root server_IP_address
When prompted, enter the passkey to connect to the server.
For Linux
Enter the following commands at the UNIX server prompt:
mkdir /.ssh chmod 700 /.ssh ssh-keygen -q -f /.ssh/id_rsa -t rsa chmod 700 /.ssh/*
You are prompted to enter a passphrase when you enter these commands. You can press Enter if you do not want to use a passphrase.
Add the following line in the /etc/ssh/sshd_config file:
AuthorizedKeysFile /.ssh/id_rsa.pub
Enter the following commands to restart the UNIX server:
/etc/init.d/sshd stop /etc/init.d/sshd start
To check if you can connect to the target system using the SSH protocol, directly from the command prompt and without using a password, enter the following command:
#ssh -l root -i /.ssh/id_rsa host_ip_address
Copy the /.ssh/id_rsa file to the following directory:
OIM_home/xellerate/XLIntegrations/SSH/config
When you perform the procedure described in the "Defining IT Resources" section, provide the name and full path of the id_rsa file as the value of the Private Key parameter:
OIM_home/xellerate/XLIntegrations/SSH/config/id_rsa
For AIX
The first step of this procedure depends on the version of AIX that you are using:
For AIX 4.3, use the /etc/openssh/sshd_config file to set the following parameters:
export PATH=$PATH: /usr/local/bin Installation path: /etc/openssh/ sshd -- /usr/local/bin/
For AIX 5.2, use the /etc/ssh/sshd_config file to set the following parameters:
export PATH=$PATH: /usr/sbin Installation path: /etc/ssh/ sshd -- /usr/sbin/
Open the /etc/ssh/sshd_config file, and uncomment the following lines:
AuthorizedKeysFile .ssh/authorized_keys PermitRootLogin yes PubkeyAuthentication yes
Note:
Change the value ofPermitRootLogin to yes only if it does not violate local security policies. If Public Key Authentication is enabled, then you can change the value of PermitRootLogin to without-password.
Instead of using the root account, if you can use a user account with sudo privileges, then you do not need to perform this step.
To restart the SSH server, enter the following commands:
/opt/ssh/sbin/sshd (For AIX 4.3)
/usr/sbin/sshd (For AIX 5.2)
To test the login, enter the following command:
ssh -i /.ssh/id_rsa -l root server_IP_address
When prompted, enter the passkey to connect to the server.
Note:
This release of the connector does not support Public Key Authentication provisioning if it is implemented through the SUDO Admin mode. The Public Key Authentication used for system access is available for the root user. This point is also mentioned in the Known Issues list in Chapter 5.The connector files to be copied and the directories to which you must copy them are given in the following table.
Note:
The directory paths given in the first column of this table correspond to the location of the connector files in the following directory on the installation media:Operating Systems/UNIX/UNIX SSH
Refer to the "Files and Directories That Comprise the Connector" section for more information about these files.
| File in the Installation Media Directory | Destination Directory |
|---|---|
ext/sshfactory.jar |
OIM_home/xellerate/ThirdParty
|
lib/xliSSH.jar |
OIM_home/xellerate/JavaTasks
|
lib/xliSSH.jar |
OIM_home/xellerate/ScheduleTask
|
Files in the resources directory |
OIM_home/xellerate/connectorResources
|
Files in the scripts directory |
OIM_home/xellerate/XLIntegrations/SSH/scripts
|
Files and directories in the test directory |
OIM_home/xellerate/XLIntegrations/SSH
|
Files in the xml directory |
OIM_home/xellerate/XLIntegrations/SSH/xml
|
Note:
While installing Oracle Identity Manager in a clustered environment, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy theconnectorResources directory and the JAR files to the corresponding directories on each node of the cluster.Configuring the Oracle Identity Manager server involves the following procedures:
Note:
In a clustered environment, you must perform this step on each node of the cluster.Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.
You may require the assistance of the system administrator to change to the required input locale.
While performing the instructions described in the "Step 3: Copying the Connector Files" section, you copy files from the resources directory on the installation media into the OIM_home/xellerate/connectorResources directory. Whenever you add a new resource bundle in the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
In a command window, change to the OIM_home/xellerate/bin directory.
Note:
You must perform Step 1 before you perform Step 2. If you run the command described in Step 2 as follows, then an exception is thrown:OIM_home/xellerate/bin/batch_file_name
Enter one of the following commands:
On Microsoft Windows:
PurgeCache.bat ConnectorResourceBundle
On UNIX:
PurgeCache.sh ConnectorResourceBundle
Note:
You can ignore the exception that is thrown when you perform Step 2.In this command, ConnectorResourceBundle is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:
OIM_home/xellerate/config/xlConfig.xml
When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
ALL
This level enables logging for all events.
DEBUG
This level enables logging of information about fine-grained events that are useful for debugging.
INFO
This level enables logging of informational messages that highlight the progress of the application at coarse-grained level.
WARN
This level enables logging of information about potentially harmful situations.
ERROR
This level enables logging of information about error events that may still allow the application to continue running.
FATAL
This level enables logging of information about very severe error events that could cause the application to stop functioning.
OFF
This level disables logging for all events.
The file in which you set the log level depends on the application server that you use:
BEA WebLogic
To enable logging:
Add the following line in the OIM_home/xellerate/config/log.properties file:
log4j.logger.Adapter.TELNETSSH=log_level
In this line, replace log_level with the log level that you want to set.
For example:
log4j.logger.Adapter.TELNETSSH=INFO
After you enable logging, log information is written to the following file:
WebLogic_home/user_projects/domains/domain_name/server_name/server_name.log
IBM WebSphere
To enable logging:
Add the following line in the OIM_home/xellerate/config/log.properties file:
log4j.logger.Adapter.TELNETSSH=log_level
In this line, replace log_level with the log level that you want to set.
For example:
log4j.logger.Adapter.TELNETSSH=INFO
After you enable logging, log information is written to the following file:
WebSphere_home/AppServer/logs/server_name/startServer.log
JBoss Application Server
To enable logging:
In the JBoss_home/server/default/conf/log4j.xml file, locate the following lines:
<category name="Adapter.TELNETSSH">
<priority value="log_level"/>
</category>
In the second XML code line, replace log_level with the log level that you want to set. For example:
<category name="Adapter.TELNETSSH"> <priority value="INFO"/> </category>
After you enable logging, log information is written to the following file:
JBoss_home/server/default/log/server.log
OC4J
To enable logging:
Add the following line in the OIM_home/xellerate/config/log.properties file:
log4j.logger.Adapter.TELNETSSH=log_level
In this line, replace log_level with the log level that you want to set.
For example:
log4j.logger.Adapter.TELNETSSH=INFO
After you enable logging, log information is written to the following file:
OC4J_home/opmn/logs/default_group~home~default_group~1.log
To import the connector XML files:
Open the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management. A dialog box for locating files is displayed.
Locate and open the SSHNonTrustedUser.xml file, which is in the OIM_home/xellerate/XLIntegrations/SSH/xml directory. Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Next. The Provide IT Resource Instance Data page for the SSH server Solaris IT resource is displayed.
Specify values for the parameters of the SSH server Solaris IT resource. Refer to the table in the "Defining IT Resources" section for information about the values to be specified.
Click Next. The Provide IT Resource Instance Data page for a new instance of the SSH Server IT resource type is displayed.
Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.
See Also:
If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.Click View Selections.
The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. These nodes represent Oracle Identity Manager entities that are redundant. Before you import the connector XML file, you must remove these entities by right-clicking each node and then selecting Remove.
Click Import. The connector file is imported into Oracle Identity Manager.
After you import the connector XML file, proceed to the next chapter.
You must specify values for the SSH server Solaris IT resource parameters listed in the following table.
| Parameter | Description |
|---|---|
Admin UserId |
User ID of the administrator
Here, |
Admin Password/Private file Pwd |
Password of the administrator
Here, Note: For the SUDO Admin mode, the private key is not supported. You must not specify a value for this mode. If a private key is used, then the Private Key PassPhrase must be provided as the value of this parameter. |
Server IP Address |
Server IP address |
Port |
The port at which the SSH service is running on the server
Default value: |
Private Key |
Private key file name with full path
Note: For SUDO Admin administrator, this parameter must be left blank. |
Server OS |
Specify one of the following:
|
Shell Prompt |
# or $ |
Login Prompt |
You can ignore this parameter. This parameter is not used for SSH. |
Password Prompt |
You can ignore this parameter. This parameter is not used for SSH. |
Whether Trusted System (HP-UX) |
YES (for trusted HP-UX System) or NO (for nontrusted HP-UX system) |
Whether SUDO Admin Mode |
NO (for root) or YES (for SUDO Admin mode) |
Target Locale |
Target locale (language and country)
For the locale that you want to use, you can specify a value similar to the following:
Note: You must not make any change (uppercase or lowercase) in the value that you specify. |
Supported Character Encoding (en_US) - Target |
Encoding format for the en_US target locale
The default value is UTF-8. Note: You can check which locale -a |
Max Retries |
Number of times that the connector must retry connecting to the target server if the connection fails
Default value: |
Delay |
Delay (in milliseconds) before the connector attempts to retry connecting to the target system, if the connection fails
Default value: |
Timeout |
Value of the timeout (in milliseconds) for the connection to the target server
Default value: |
After you specify values for these IT resource parameters, proceed to Step 9 of the procedure to import connector XML files.
