Oracle® Identity Manager Connector Guide for CA-ACF2 Advanced
Release 9.0.3

Part Number B32349-01

2 Deployment on the Oracle Identity Manager Server

This chapter covers deploying the connector components on the Oracle Identity Manager server in the following sections:

Note:

Chapter 3, "Connector Deployment on the Target CA-ACF2 System" covers the deployment of the connector components on the target CA-ACF2 system.

Step 1: Verifying Deployment Requirements

Verify that the system requirements described in the following table are met for deploying the CA-ACF2 Advanced connector.

Item                                                    Requirement
Oracle Identity Manager                                 Oracle Identity Manager release 8.5.3 or later
Target Systems                                          CA-ACF2 Advanced
Mainframe Repository                                    CA-ACF2 release 6.1, genlevel 9611 or later
Target Systems Host Platforms                           IBM z/OS Mainframe (supports all z/OS versions)
Infrastructure Requirements: message transport layer    MQ Series or TCP/IP
Target system user account for Oracle Identity Manager  APF-authorized account with SystemAdministrators privileges

Note:

The LDAP Gateway works in a seamless manner with Oracle Identity Manager and operates under the user account created for Oracle Identity Manager itself. As a result, it has the same permissions as those granted to the Oracle Identity Manager user account to access and operate with the Provisioning Agent and the Reconciliation Agent.

Message Transport Layer Requirements

Between the Oracle Identity Manager and mainframe environments, Oracle Identity Manager supports two different secure message transport layers, TCP/IP and IBM MQ Series.

The MQ Series comes with its own internal setup procedures, which are transparent at the LDAP Gateway level. The primary requirement is that port 1414 is used between Oracle Identity Manager and the mainframe.

Additional configuration is required for the TCP/IP message transport layer. Oracle Identity Manager reserves the following ports for standard message transport layer communication.

  • In coordination with an enterprise-level architecture, port 5790 is used for the Advanced Provisioning Agent.

  • Between the LDAP Gateway and the Reconciliation Agent, Oracle Identity Manager reserves ports 5190 through 5199 as a range of ports for multiple LPARs.

Step 2: Copying the Connector Files

Copy the following connector files to the destinations on the Oracle Identity Manager server as indicated in the following table.

Note:

The directory paths given in the first column of this table correspond to the location of the connector files in the following directory on the installation media:
Security Applications/CA ACF2/CA ACF2 Advanced

Refer to the Files and Directories That Comprise the Connector section for more information about these files.

Files                                       Destination
etc/LDAP Gateway/ldapgateway.zip            LDAP_install_dir
                                            (The LDAP_install_dir must be located on the Oracle Identity Manager server.)
lib/acf2-adv-agent-recon.jar                LDAP_install_dir/etc
lib/acf2Connection.properties
lib/idm.jar                                 oim_home/xellerate/JavaTasks/
scripts/run_initial_recon_provisioning.sh
scripts/run_initial_recon_provisioning.bat
scripts/run_initial_recon_disable.sh
scripts/run_initial_recon_disable.bat
Files in the resources directory            oim_home/xellerate/connectorResources/
xml/oimAcf2AdvancedConnector.xml            oim_home/xellerate/XLIntegrations/acf2/xml/

Note:

While installing Oracle Identity Manager in a clustered environment, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy the files in the connectorResources directory and the JAR files to the corresponding directories on each node of the cluster.

Step 3: Configuring the Oracle Identity Manager Server

Configuring the Oracle Identity Manager server involves the following procedures:

Note:

In a clustered environment, you must perform these steps on each node of the cluster.

Changing to the Required Input Locale

Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.

To set the required input locale:

Note:

Depending on the operating system used, you may need to perform this procedure differently.

  1. Open Control Panel.

  2. Double-click Regional Options.

  3. On the Input Locales tab of the Regional Options dialog box, add the input locale that you want to use and then switch to the input locale.

Clearing Content Related to Connector Resource Bundles from the Server Cache

Whenever you add a new resource bundle in the oim_home/xellerate/connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

  1. In a command window, change to the oim_home/xellerate/bin directory.

  2. Enter one of the following commands:

    Note:

    You must perform Step 1 before you perform this step. If you run the command as follows, then an exception is thrown:
    oim_home/xellerate/bin/batch_file_name
    
    • On Microsoft Windows:

      PurgeCache.bat ConnectorResourceBundle
      
      
    • On UNIX:

      PurgeCache.sh ConnectorResourceBundle
      
      

    In this command, ConnectorResourceBundle is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:

    oim_home/xellerate/config/xlConfig.xml
    

Note:

You can ignore the exception that is thrown when you perform Step 2.

Enabling Logging

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • ALL

    This level enables logging for all events.

  • DEBUG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • INFO

    This level enables logging of informational messages that highlight the progress of the application at coarse-grained level.

  • WARN

    This level enables logging of information about potentially harmful situations.

  • ERROR

    This level enables logging of information about error events that may still allow the application to continue running.

  • FATAL

    This level enables logging of information about very severe error events that could cause the application to stop functioning.

  • OFF

    This level disables logging for all events.

The file in which you set the log level and the log file path depend on the application server that you use:

  • For JBoss Application Server

    To enable logging:

    1. Uncomment or add the following lines in the JBoss_home/server/default/conf/log4j.xml file:

       <category name="XELLERATE">
          <priority value="log_level"/>
       </category>

       Here, log_level is WARN, DEBUG, ALL, INFO, ERROR, FATAL, or OFF.

    2. In the properties file, replace log_level with the log level that you want to set:

       log4j.logger.XELLERATE=log_level

       Here, log_level is WARN, DEBUG, ALL, INFO, ERROR, FATAL, or OFF.


    After you enable logging, log information is written to the following file:

    JBoss_home/server/default/log/server.log
    
    
  • For IBM WebSphere:

    To enable logging:

    1. Add the following line in the OIM_home/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      
      
    2. In this line, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      
      

    After you enable logging, log information is written to the following file:

    WebSphere_home/AppServer/logs/server_name/startServer.log
    
    
  • For BEA WebLogic

    To enable logging:

    1. Add the following line in the OIM_home/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      
      
    2. In this line, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      
      

    After you enable logging, log information is written to the following file:

    WebLogic_home/user_projects/domains/domain_name/server_name/server_name.log
    
    
  • For OC4J

    To enable logging:

    1. Add the following line in the oim_home/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      
      
    2. In this line, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      
      

    After you enable logging, log information is written to the following file:

    OC4J_home/opmn/logs/default_group~home~default_group~1.log
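
The following helper is an added example and is not code from the guide or the product. It assumes a log.properties file that carries the single log4j.logger.XELLERATE=log_level line described for the WebSphere, WebLogic and OC4J cases above, and shows how to read that level and rewrite it across cluster nodes without hand-editing: an existing line is replaced in place, a missing line is appended, and a level name that is not one of the seven listed above is rejected instead of written. The sample file content is constructed.

```python
"""Read or set the XELLERATE log level in an Oracle Identity Manager
log.properties file (added example; not part of the guide or the product).
Assumes the single log4j.logger.XELLERATE=<level> line the guide describes."""
import re

# The seven level names listed in the guide, in order of decreasing verbosity.
LOG_LEVELS = ("ALL", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF")
XELLERATE_LINE = re.compile(r"^\s*log4j\.logger\.XELLERATE\s*=\s*(\S*)\s*$")


def current_xellerate_level(properties_text):
    """Return the level on the last log4j.logger.XELLERATE line, or None if absent."""
    level = None
    for line in properties_text.splitlines():
        match = XELLERATE_LINE.match(line)
        if match:
            level = match.group(1).upper()   # last definition wins, as in a Java properties file
    return level


def set_xellerate_level(properties_text, level):
    """Return properties_text with log4j.logger.XELLERATE set to level.

    Every existing XELLERATE line is rewritten (so no later copy can override the
    new value); if none exists the line is appended. Other lines are left as is.
    """
    level = level.upper()
    if level not in LOG_LEVELS:
        raise ValueError(f"unknown log level {level!r}; expected one of {', '.join(LOG_LEVELS)}")
    new_line = f"log4j.logger.XELLERATE={level}"
    lines = properties_text.splitlines()
    found = False
    for index, line in enumerate(lines):
        if XELLERATE_LINE.match(line):
            lines[index] = new_line
            found = True
    if not found:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


# Constructed sample standing in for OIM_home/xellerate/config/log.properties.
SAMPLE_LOG_PROPERTIES = """\
# log4j settings (constructed sample)
log4j.rootLogger=WARN, stdout
log4j.logger.XELLERATE=DEBUG
"""

if __name__ == "__main__":
    print("before:", current_xellerate_level(SAMPLE_LOG_PROPERTIES))
    updated = set_xellerate_level(SAMPLE_LOG_PROPERTIES, "INFO")
    print("after: ", current_xellerate_level(updated))
    print(updated)
```

Because the functions work on file content rather than paths, the same call can be applied to each node's copy of log.properties in a clustered installation, which the note under Step 3 requires.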
    

Step 4: Configuring the Connector to Work with the Oracle Identity Manager Application Server

The CA-ACF2 Advanced connector is compatible with the following application servers that Oracle Identity Manager is deployed on:

To ensure that the connector works with the application server that Oracle Identity Manager is deployed on, you must edit the /ldapgateway/bin/run.sh file (or run.bat for Microsoft Windows) and uncomment the lines related to that particular application server. The following are the contents of the run.sh file:

SET CLASSPATH VARIABLES
##### SET ENVIRONMENT VARIABLES #######
APP_HOME=/opt/ldapgateway
TMPDIR=/opt/ldapgateway/temp
OIM_HOME=/opt/OIM/xellerate
OIM_CLIENT_LIB=/opt/OIM/client/xlclient/lib
 
##### SET JBOSS HOME ##################
# APPSERVER_HOME=/opt/ldapgateway/lib/jboss-4.0.2
 
##### SET WEBSPHERE HOME ##################
#APPSERVER_HOME=/opt/WebSphere/AppServer/lib
 
##### SET WEBLOGIC HOME ##################
# APPSERVER_HOME=/opt/bea/
 
##### SET OC4J HOME ##################
#APPSERVER_HOME=/opt/oracle/oc4j

You also need to edit the related application server-specific libraries. For more information, refer to the vendor documentation for the application server.

Step 5: Importing the Connector XML File

To import the connector XML file into Oracle Identity Manager:

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for locating files is displayed.

  4. Locate and open the oimAcf2AdvancedConnector.xml file, which is in the oim_home/xellerate/XLIntegrations/acf2/xml/ directory. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Next. The Provide IT Resource Instance Data page for the OIMAcf2ResourceObject IT resource is displayed.

  8. Specify values for the parameters of the OIMAcf2ResourceObject IT resource. Refer to the table in the Defining IT Resources section for information about the values to be specified.

  9. Click Next. The Provide IT Resource Instance Data page for a new instance of the OIMAcf2ResourceObject IT resource type is displayed.

  10. Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.

    See Also:

    If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.
  11. Click View Selections.

    The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. Remove these nodes by right-clicking each node and then selecting Remove.

  12. Click Import. The connector file is imported into Oracle Identity Manager.

Defining IT Resources

You must specify values for the OIMAcf2ResourceObject IT resource parameters listed in the following table.

Parameter Name             Parameter Value (Default)
Resource Asset Name        OIMAcf2ResourceObject
Resource Asset Type        LDAP Server
Admin Id                   uid=idfAcf2Admin,ou=People,dc=acf2,dc=com
Admin Password             idfAcf2Pwd
Server Address             localhost
Root DN                    dc=acf2,dc=com
Port                       5389
Is the resource asset to be used to call a method on an API, which resides on a system that is external to Xellerate?   No

After you specify values for these IT resource parameters, go to Step 9 of the procedure to import connector XML files.

Step 6: Compiling Adapters

The following adapters are imported into Oracle Identity Manager when you import the connector XML file:

To compile adapters by using the Adapter Manager form:

  1. Open the Adapter Manager form.

  2. To compile all the adapters that you have imported into the current database, select Compile All.

    To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select Compile Selected.

  3. Click Start. Oracle Identity Manager compiles the adapters that you specify.

  4. If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the oim_home/xellerate/Adapter directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.

To view detailed information about an adapter:

  1. Highlight the adapter in the Adapter Manager form.

  2. Double-click the row header of the adapter, or right-click the adapter.

  3. Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.

Note:

To compile multiple adapters simultaneously, use the Adapter Manager form. To compile one adapter at a time, use the Adapter Factory form. Refer to Oracle Identity Manager Tools Reference Guide for information about how to use these forms.

Step 7: Installing and Configuring the LDAP Gateway

The LDAP Gateway is installed on the same system as Oracle Identity Manager. To install the LDAP Gateway, do the following:

  1. Unzip the ldapgateway.zip file to a directory on the same system as Oracle Identity Manager. For convenience, this location is referred to as LDAP_install_dir.

  2. Open the ACF2.properties file located under the LDAP_install_dir/conf directory. Edit this file and specify information for the following properties, depending on whether you use TCP/IP or IBM MQ Series for the message transport layer:

    • For TCP/IP:

      _type_=socket
      _isencrypted_=true
      _timeout_=5000
      _authretries_=2
      _host_=Target system host IP Address
      _port_=5790
      _agentport_=5190 
      
      
    • For MQ Series:

      _type_=mq
      _isencrypted_=true
      _timeout_=5000
      _authretries_=2
      _qmgr_=CSQ1
      _qhost_=Target system host IP Address
      _qport_=1414
      _qchannel_=CSQ1.PIONEER
      _qname_=PIONEER.REQUEST
      _qreplyname_=PIONEER.REPLY
      
      
  3. Extract the idfserver.jar file and edit the beans.xml file located under LDAP_install_dir/dist/. Edit the port property of the server and specify the port used for communication between the Gateway and the mainframe LPAR that you use for the connector installation. For example, the port property is set to 5389 in the following code:

    <bean id="listener" class="com.identityforge.ximserver.nio.Listener">
      <constructor-arg><ref bean="bus"/></constructor-arg>
      <property name="admin"><value>false</value></property>
      <property name="config"><value>../conf/listener.xml</value></property>
      <property name="port" value="5389"/>
    </bean>
    
    
  4. If you are using IBM MQ Series for the message transport layer, you must also copy the following files to the LDAP_install_dir/lib directory:

    • com.ibm.mq.jar

    • com.ibm.mqbind.jar

    • com.ibm.mqjms.jar

    • fscontext.jar

    • providerutil.jar

Configuring the LDAP Gateway for Provisioning

To configure Oracle Identity Manager LDAP Gateway for provisioning:

  1. Open the ximserver.jar and edit the beans.xml file located under LDAP_install_dir/dist/ximserver.jar.

  2. Find the <bean name="ACF2"> tag and edit the properties shown in the following code (the comments indicate which changes are optional):

    <bean name="ACF2" singleton="true" class="com.identityforge.ximserver.backend.ACF2.ACF2Module">

      <!-- The following change is optional. If you make this change, also edit
           metaengine.xml -->
      <property name="suffix" value="dc=ACF2,dc=com"/>

      <property name="workingDirectory" value="..ACF2"/>

      <!-- The following change is optional -->
      <property name="adminUserDN" value="oimACF2Admin,dc=ACF2,dc=com"/>

      <property name="adminUserPassword" value="oimACF2Pwd"/>
      ...
      ...
      <property name="transport">
            <map>
                  <!-- For IBM MQ Series set _type_ value to MQ -->
                  <entry key="_type_" value="socket"/>

                  <!-- Set _isencrypted_ to true for 128-bit AES encryption -->
                  <entry key="_isencrypted_" value="false"/>

                  <entry key="_host_" value="IP Address of ACF2 System"/>
                  ...
                  ...
            </map>
      </property>
      <property name="Connector" value="false"/>
    </bean>

  3. If the domain partition is changed from the default "dc=ACF2,dc=com", open the metaengine.xml file located at LDAP_install_dir/conf.

    1. Replace all occurrences of the domain partition "dc=ACF2,dc=com" with the domain partition that is chosen for your installation.

    2. Save the file.
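
The transport settings appear twice in this chapter: in the ACF2.properties file under Step 7 and in the transport map of the ACF2 bean in beans.xml above. The following script is an added example, not code from the guide or the connector, that audits both before the gateway is started. It parses the key=value file and the bean's transport map and reports what a reviewer would flag: _isencrypted_ not set to true, a _type_ other than socket or mq, a port that disagrees with the assignment the guide reserves for it (5790 for the Provisioning Agent, 5190 through 5199 for the Reconciliation Agent, 1414 for MQ Series), and an adminUserPassword left at one of the sample values printed in this chapter. The two sample inputs and the host address 192.0.2.10 are constructed for the example; the properties file is read with a minimal parser rather than a Java Properties implementation.

```python
"""Audit LDAP Gateway transport settings (added example; not part of the Oracle
guide or the connector). Checks ACF2.properties and the transport map of the
<bean name="ACF2"> element in beans.xml for settings a reviewer would flag."""
import xml.etree.ElementTree as ET

# Port assignments stated in the guide.
PROVISIONING_PORT = 5790            # Advanced Provisioning Agent (TCP/IP)
RECON_PORTS = range(5190, 5200)     # Reconciliation Agent, 5190 through 5199
MQ_PORT = 1414                      # IBM MQ Series
# Sample passwords printed in the guide; finding one unchanged is a weakness.
SAMPLE_PASSWORDS = {"oimACF2Pwd", "idfAcf2Pwd"}


def parse_properties(text):
    """Parse 'key=value' lines; '#' comments and blank lines are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def _port(value):
    """Return the integer port, or None when the value is absent or not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def audit_transport(settings):
    """Check a transport map (dict of _key_ -> value) and return a list of findings."""
    findings = []
    ttype = settings.get("_type_", "").lower()
    if ttype not in ("socket", "mq"):
        findings.append(f"_type_ must be socket or mq, found {settings.get('_type_')!r}")
    if settings.get("_isencrypted_", "").lower() != "true":
        findings.append("_isencrypted_ is not true: traffic to the mainframe is sent in the clear")
    # Port keys are checked only when present, against the assignment the guide reserves.
    checks = {
        "_port_": lambda p: p == PROVISIONING_PORT,
        "_agentport_": lambda p: p in RECON_PORTS,
        "_qport_": lambda p: p == MQ_PORT,
    }
    for key, ok in checks.items():
        if key in settings and not ok(_port(settings[key])):
            findings.append(f"{key}={settings[key]} is outside the assignment documented for it")
    return findings


def audit_beans_xml(xml_text):
    """Check the ACF2 bean's transport map and admin password in beans.xml."""
    root = ET.fromstring(xml_text)
    bean = next(b for b in root.iter("bean") if b.get("name") == "ACF2")
    transport = {}
    password = None
    for prop in bean.findall("property"):
        if prop.get("name") == "transport":
            for entry in prop.iter("entry"):
                transport[entry.get("key")] = entry.get("value")
        elif prop.get("name") == "adminUserPassword":
            password = prop.get("value")
    findings = audit_transport(transport)
    if password in SAMPLE_PASSWORDS:
        findings.append("adminUserPassword is still a sample value from the guide")
    return findings


# Constructed sample inputs (not taken from a real installation).
SAMPLE_PROPERTIES = """\
_type_=socket
_isencrypted_=true
_timeout_=5000
_authretries_=2
_host_=192.0.2.10
_port_=5790
_agentport_=5190
"""

SAMPLE_BEANS_XML = """\
<beans>
  <bean name="ACF2" singleton="true" class="com.identityforge.ximserver.backend.ACF2.ACF2Module">
    <property name="suffix" value="dc=ACF2,dc=com"/>
    <property name="adminUserDN" value="oimACF2Admin,dc=ACF2,dc=com"/>
    <property name="adminUserPassword" value="oimACF2Pwd"/>
    <property name="transport">
      <map>
        <entry key="_type_" value="socket"/>
        <entry key="_isencrypted_" value="false"/>
        <entry key="_host_" value="192.0.2.10"/>
      </map>
    </property>
  </bean>
</beans>
"""

if __name__ == "__main__":
    results = (("ACF2.properties", audit_transport(parse_properties(SAMPLE_PROPERTIES))),
               ("beans.xml", audit_beans_xml(SAMPLE_BEANS_XML)))
    for name, findings in results:
        print(name + ":", "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed inputs, the properties file passes and beans.xml produces two findings (encryption off and the sample password), which matches the state of the beans.xml excerpt in this chapter before it is edited. To audit a real installation, read LDAP_install_dir/conf/ACF2.properties and the beans.xml extracted from the gateway JAR into the two functions in place of the sample strings.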