Oracle® Identity Manager Connector Guide for CA-ACF2 Advanced Release 9.0.3 Part Number B32349-01 |
|
|
View PDF |
This chapter covers deploying the connector components on the Oracle Identity Manager server in the following sections:
Note:
Chapter 3, "Connector Deployment on the Target CA-ACF2 System" covers the deployment of the connector components on the target CA-ACF2 system.Verify that the system requirements described in the following table are met for deploying the CA-ACF2 Advanced connector.
Note:
The LDAP Gateway works in a seamless manner with Oracle Identity Manager and operates under the user account created for Oracle Identity Manager itself. As a result, it has the same permissions as those granted to the Oracle Identity Manager user account to access and operate with the Provisioning Agent and the Reconciliation Agent.Between the Oracle Identity Manager and mainframe environments, Oracle Identity Manager supports two different secure message transport layers, TCP/IP and IBM MQ Series.
The MQ Series comes with its own internal setup procedures, which are transparent at the LDAP Gateway level. The primary requirement is that port 1414 is used between Oracle Identity Manager and the mainframe.
Additional configuration is required for the TCP/IP message transport layer. Oracle Identity Manager reserves the following ports for standard message transport layer communication.
In coordination with an enterprise level architecture, port 5790 is used for the Advanced Provisioning Agent.
Between the LDAP Gateway and the Reconciliation Agent, Oracle Identity Manager reserves ports 5190 through 5199 as a range of ports for multiple LPARs.
Copy the following connector files to the destinations on the Oracle Identity Manager server as indicated in the following table.
Note:
The directory paths given in the first column of this table correspond to the location of the connector files in the following directory on the installation media:Security Applications/CA ACF2/CA ACF2 Advanced
Refer to the Files and Directories That Comprise the Connector section for more information about these files.
Note:
While installing Oracle Identity Manager in a clustered environment, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy the files in theconnectorResources
directory and the JAR files to the corresponding directories on each node of the cluster.Configuring the Oracle Identity Manager server involves the following procedures:
Note:
In a clustered environment, you must perform these steps on each node of the cluster.Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.
To set the required input locale:
Note:
Depending on the operating system used, you may need to perform this procedure differently.Open Control Panel.
Double-click Regional Options.
On the Input Locales tab of the Regional Options dialog box, add the input locale that you want to use and then switch to the input locale.
Whenever you add a new resource bundle in the oim_home
/xellerate/connectorResources
directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
In a command window, change to the oim_home
/xellerate/bin
directory.
Enter one of the following commands:
Note:
You must perform Step 1 before you perform this step. If you run the command as follows, then an exception is thrown:oim_home/xellerate/bin/batch_file_name
On Microsoft Windows:
PurgeCache.bat ConnectorResourceBundle
On UNIX:
PurgeCache.sh ConnectorResourceBundle
In this command, ConnectorResourceBundle
is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:
oim_home/xellerate/config/xlConfig.xml
Note:
You can ignore the exception that is thrown when you perform Step 2.When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
ALL
This level enables logging for all events.
DEBUG
This level enables logging of information about fine-grained events that are useful for debugging.
INFO
This level enables logging of informational messages that highlight the progress of the application at coarse-grained level.
WARN
This level enables logging of information about potentially harmful situations.
ERROR
This level enables logging of information about error events that may still allow the application to continue running.
FATAL
This level enables logging of information about very severe error events that could cause the application to stop functioning.
OFF
This level disables logging for all events.
The file in which you set the log level and the log file path depend on the application server that you use:
For JBoss Application Server
To enable logging:
Uncomment or add the following lines in the JBoss_home/server/default/conf/log4j.xml
file:
<category name="XELLERATE"> <priority value="<log_level>"/> </category> log_level= WARN or DEBUG or ALL or INFO or ERROR or FATAL or OFF
In the properties file, replace log_level
with the log level that you want to set.
log4j.logger.XELLERATE=log_level
log_level= WARN or DEBUG or ALL or INFO or ERROR or FATAL or OFF
After you enable logging, log information is written to the following file:
JBoss_home/server/default/log/server.log
For IBM WebSphere:
To enable logging:
Add the following line in the OIM_home
/xellerate/config/log.properties
file:
log4j.logger.XELLERATE=log_level
In this line, replace log_level
with the log level that you want to set.
For example:
log4j.logger.XELLERATE=INFO
After you enable logging, log information is written to the following file:
WebSphere_home/AppServer/logs/server_name/startServer.log
For BEA WebLogic
To enable logging:
Add the following line in the OIM_home
/xellerate/config/log.properties
file:
log4j.logger.XELLERATE=log_level
In this line, replace log_level
with the log level that you want to set.
For example:
log4j.logger.XELLERATE=INFO
After you enable logging, log information is written to the following file:
WebLogic_home/user_projects/domains/domain_name/server_name/server_name.log
For OC4J
To enable logging:
Add the following line in the oim_home
/xellerate/config/log.properties
file:
log4j.logger.XELLERATE=log_level
In this line, replace log_level
with the log level that you want to set.
For example:
log4j.logger.XELLERATE=INFO
After you enable logging, log information is written to the following file:
OC4J_home/opmn/logs/default_group~home~default_group~1.log
The CA-ACF2 Advanced connector is compatible with the following application servers that Oracle Identity Manager is deployed on:
JBoss
IBM WebSphere
BEA WebLogic
Oracle Containers for Java (OC4J)
To ensure that the connector works with the application server that Oracle Identity Manager is deployed on, you must the /ldapgateway/bin/run.sh
file (or run.bat
for Microsoft Windows) and uncomment the lines related to that particular application server. The following are the contents of the run.sh
file:
SET CLASSPATH VARIABLES ##### SET ENVIRONMENT VARIABLES ####### APP_HOME=/opt/ldapgateway TMPDIR=/opt/ldapgateway/temp OIM_HOME=/opt/OIM/xellerate OIM_CLIENT_LIB=/opt/OIM/client/xlclient/lib ##### SET JBOSS HOME ################## # APPSERVER_HOME=/opt/ldapgateway/lib/jboss-4.0.2 ##### SET WEBSPHERE HOME ################## #APPSERVER_HOME=/opt/WebSphere/AppServer/lib ##### SET WEBLOGIC HOME ################## # APPSERVER_HOME=/opt/bea/ ##### SET OC4J HOME ################## #APPSERVER_HOME=/opt/oracle/oc4j
You also need to edit the related application server-specific libraries. For more information, refer to the vendor documentation for the application server.
To import the connector XML file into Oracle Identity Manager:
Open the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management. A dialog box for locating files is displayed.
Locate and open the oimAcf2AdvancedConnector.xml
file, which is in the oim_home
/xellerate/XLIntegrations/acf2/xml/
directory. Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Next. The Provide IT Resource Instance Data page for the OIMAcf2ResourceObject
IT resource is displayed.
Specify values for the parameters of the OIMAcf2ResourceObject
IT resource. Refer to the table in the Defining IT Resources section for information about the values to be specified.
Click Next. The Provide IT Resource Instance Data page for a new instance of the OIMAcf2ResourceObject
IT resource type is displayed.
Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.
See Also:
If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.Click View Selections.
The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. Remove these nodes by right-clicking each node and then selecting Remove.
Click Import. The connector file is imported into Oracle Identity Manager.
You must specify values for the OIMAcf2ResourceObject
IT resource parameters listed in the following table.
Parameter Name | Parameter Value (Default) |
---|---|
Resource Asset Name | OIMAcf2ResourceObject |
Resource Asset Type | LDAP Server |
Admin Id | uid=idfAcf2Admin,ou=People,dc=acf2,dc=com |
Admin Password | idfAcf2Pwd |
Server Address | localhost |
Root DN | dc=acf2,dc=com |
Port | 5389 |
Is the resource asset to be used to call a method on an API, which resides on a system that is external to Xellerate? | No |
After you specify values for these IT resource parameters, go to Step 9 of the procedure to import connector XML files.
The following adapters are imported into Oracle Identity Manager when you import the connector XML file:
CreateAcf2User
ResetAcf2Password
ChangeAcf2UserPassword
DeleteAcf2User
RevokeAcf2User
ResumeAcf2User
ModifyAcf2User
AddAcf2UserToGroup
RemoveAcf2UserFromGroup
GrantAcf2UserTso
AssignACF2UserToDataset
To compile adapters by using the Adapter Manager form:
Open the Adapter Manager form.
To compile all the adapters that you have imported into the current database, select Compile All.
To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select Compile Selected.
Click Start. Oracle Identity Manager compiles the adapters that you specify.
If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the oim_home
/xellerate/Adapter
directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.
To view detailed information about an adapter:
The LDAP Gateway is installed on the same system as Oracle Identity Manager. To install the LDAP Gateway, do the following:
Unzip the ldapgateway.zip
file to a directory on the same system as Oracle Identity Manager. For convenience, this location is referred to as LDAP_install_dir
.
See Also:
Step 2: Copying the Connector FilesOpen the ACF2.properties
file located under the LDAP_install_dir
/conf
directory. Edit this file and specify information for the following properties, depending on whether you use TCP/IP or IBM MQ Series for the message transport layer:
For TCP/IP:
_type_=socket
_isencrypted_=true
_timeout_=5000
_authretries_=2
_host_=Target system host IP Address
_port_=5790
_agentport_=5190
For MQ Series:
_type_=mq
_isencrypted_=true
_timeout_=5000
_authretries_=2
_qmgr_=CSQ1
_qhost_=Target system host IP Address
_qport_=1414
_qchannel_=CSQ1.PIONEER
_qname_=PIONEER.REQUEST
_qreplyname_=PIONEER.REPLY
Extract the idfserver.jar
file and edit the beans.xml
file located under LDAP_install_dir
/dist/
. Edit the port
property of the server and specify the port used for communication between the Gateway and the mainframe LPAR that you use for the connector installation. For example, the port property is set to 5389
in the following code:
<bean id="listener" class=
"com.identityforge.ximserver.nio.Listener">
<constructor-arg><ref bean="bus"/></constructor-arg>
<property name="admin"><value>false</value></property>
<property name="config"> <value>../conf/listener.xml</value></property>
<property name="port" value="5389"/>
</bean>
If you are using IBM MQ Series for the message transport layer, you must also copy the following files to the LDAP_install_dir
/lib
directory:
com.ibm.mq.jar
com.ibm.mqbind.jar
com.ibm.mqjms.jar
fscontext.jar
providerutil.jar
To configure Oracle Identity Manager LDAP Gateway for provisioning:
Open the ximserver.jar
and edit the beans.xml
file located under LDAP_install_dir
/dist/ximserver.jar
.
Find the <bean name = "ACF2">
tag and edit the properties highlighted in the following code in bold:
<bean name="ACF2" singleton="true"class="com.identityforge.ximserver.backend.ACF2.ACF2Module> <!-- The following change is optional. If you make this change, also edit metaengine.xml--> <property name="suffix" value="dc=ACF2,dc=com"/> <property name="workingDirectory" value="..ACF2"/> <!-- The following change is optional --> <property name="adminUserDN" value="oimACF2Admin,dc=ACF2,dc=com"/> <property name="adminUserPassword" value="oimACF2Pwd"/> ... ... <property name="transport"> <map> <!-- For IBM MQ Series set _type_ value to MQ --> <entry key="_type_" value="socket"/> <!-- Set _isencrypted_ to true for 128-bit AES encryption --> <entry key="_isencrypted_" value="false"/> <entry key="_host_" value="IP Address of ACF2 System"/> ... ... </map> </property> <property name="Connector" value="false"/> </bean>
If the domain partition is changed from the default "dc=ACF2,dc=com"
, open the metaengine.xml
file located at LDAP_install_dir
/conf
.
Replace all occurrences of the domain partition "dc=ACF2,dc=com"
with the domain partition that is chosen for your installation.
Save the file.