2 Deployment on the Oracle Identity Manager Server

This chapter covers deploying the connector components on the Oracle Identity Manager server in the following sections:

• Step 1: Verifying Deployment Requirements

• Step 2: Copying the Connector Files

• Step 3: Configuring the Oracle Identity Manager Server

• Step 4: i5/OS (OS/400) Configuring the Connector to Work with the Oracle Identity Manager Application Server

• Step 5: Importing the Connector XML File

• Step 6: Compiling Adapters

• Step 7: Installing and Configuring the LDAP Gateway

• Step 8: Configuring the Message Transport Layer

Note:

Chapter 3, "Connector Deployment on the Target i5/OS (OS/400) System" covers the deployment of the connector components on the target i5/OS (OS/400) system.

Step 1: Verifying Deployment Requirements

Verify that the system requirements specified in the following table are met for deploying the IBM i5/OS (OS/400) Advanced Connector.

i5/OS (OS/400)Item	Requirement
Oracle Identity Manager	Oracle Identity Manager release 8.5.3 or later
Target Systems	IBM i5/OS (OS/400) version 4.2 or later
i5/OS (OS/400)i5/OS (OS/400) Repository	IBM i5/OS (OS/400) version 4.2 or later
Target System Host Platform	IBM i5/OS (OS/400) version 4.2 or later
Infrastructure Requirements: message transport layer	JTOpen (Open Source or commercially supported version)
Target system user account for Oracle Identity Manager	i5/OS (OS/400)-authorized account with System Administrator privileges

Note:

The LDAP Gateway works in a seamless manner with Oracle Identity Manager and operates under the user account created for Oracle Identity Manager on i5/OS (OS/400). As a result, it has the same permissions as those granted to the Oracle Identity Manager user account to access and operate with the Provisioning and Reconciliation Agents.

Step 2: Copying the Connector Files

Copy the following connector files to the destinations on the Oracle Identity Manager server as indicated in the following table.

Note:

The directory paths given in the first column of this table correspond to the location of the connector files in the following directory on the installation media:

Security Applications\IBM i5\IBM i5 Advanced

Refer to the Files and Directories that Comprise the Connector section for more information about these files.

Files	Destination
etc/LDAP Gateway/ldapgateway.zip	LDAP_install_dir The LDAP_install_dir must be located on the Oracle Identity Manager server.
lib/as400-adv-agent-recon.jar lib/as400Connection.properties	LDAP_install_dir/etc
lib/as400-adv-provisioning.jar scripts/run_initial_recon_provisioning.sh scripts/run_initial_recon_provisioning.bat scripts/run_initial_recon_disable.sh scripts/run_initial_recon_disable.bat	oim_home/xellerate/JavaTasks/
Files in the resources directory	oim_home/xellerate/connectorResources/
xml/oimAs400AdvConnector.xml	oim_home/xellerate/XLIntegrations/i5OS/xml/

Step 3: Configuring the Oracle Identity Manager Server

Configuring the Oracle Identity Manager server involves the following procedures:

• Changing to the Required Input Locale

• Clearing Content Related to Connector Resource Bundles from the Server Cache

• Enabling Logging

Note:

In a clustered environment, you must perform this step on each node of the cluster.

Changing to the Required Input Locale

Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.

To set the required input locale:

Note:

Depending on the operating system used, you may need to perform this procedure differently.

1. Open Control Panel.

2. Double-click Regional Options.

3. On the Input Locales tab of the Regional Options dialog box, add the input locale that you want to use and then switch to the input locale.

Clearing Content Related to Connector Resource Bundles from the Server Cache

Whenever you add a new resource bundle in the oim_home/xellerate/connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

1. In a command window, change to the oim_home/xellerate/bin directory.

2. Enter one of the following commands:

   Note:

   You must perform Step 1 before you perform this step. If you run the command as follows, then an exception is thrown:

   oim_home/xellerate/bin/batch_file_name
   

   • On Microsoft Windows:

     PurgeCache.bat ConnectorResourceBundle
     
     

   • On UNIX:

     PurgeCache.sh ConnectorResourceBundle
     
     

   In this command, ConnectorResourceBundle is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:

   oim_home/xellerate/config/xlConfig.xml
   

Note:

You can ignore the exception that is thrown when you perform Step 2.

Enabling Logging

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

• ALL

  This level enables logging for all events.

• DEBUG

  This level enables logging of information about fine-grained events that are useful for debugging.

• INFO

  This level enables logging of informational messages that highlight the progress of the application at coarse-grained level.

• WARN

  This level enables logging of information about potentially harmful situations.

• ERROR

  This level enables logging of information about error events that may still allow the application to continue running.

• FATAL

  This level enables logging of information about very severe error events that could cause the application to stop functioning.

• OFF

  This level disables logging for all events.

The file in which you set the log level and the log file path depend on the application server that you use:

• For JBoss Application Server

  To enable logging:

  1. Uncomment or add the following lines in the JBoss_home/server/default/conf/log4j.xml file:

     <category name="XELLERATE">
           <priority value="<log_level>"/>
        </category>
      log_level= WARN or DEBUG or ALL or INFO or ERROR or FATAL or OFF
     
     

  2. In the properties file, replace log_level with the log level that you want to set.

     log4j.logger.XELLERATE=log_level
     
     log_level= WARN or DEBUG or ALL or INFO or ERROR or FATAL or OFF
     
     

  After you enable logging, log information is written to the following file:

  JBoss_home/server/default/log/server.log
  
  

• For IBM WebSphere:

  To enable logging:

  1. Add the following line in the OIM_home/xellerate/config/log.properties file:

     log4j.logger.XELLERATE=log_level
     
     

  2. In this line, replace log_level with the log level that you want to set.

     For example:

     log4j.logger.XELLERATE=INFO
     
     

  After you enable logging, log information is written to the following file:

  WebSphere_home/AppServer/logs/server_name/startServer.log
  
  

• For BEA WebLogic

  To enable logging:

  1. Add the following line in the OIM_home/xellerate/config/log.properties file:

     log4j.logger.XELLERATE=log_level
     
     

  2. In this line, replace log_level with the log level that you want to set.

     For example:

     log4j.logger.XELLERATE=INFO
     
     

  After you enable logging, log information is written to the following file:

  WebLogic_home/user_projects/domains/domain_name/server_name/server_name.log
  
  

• For OC4J

  To enable logging:

  1. Add the following line in the oim_home/xellerate/config/log.properties file:

     log4j.logger.XELLERATE=log_level
     
     

  2. In this line, replace log_level with the log level that you want to set.

     For example:

     log4j.logger.XELLERATE=INFO
     
     

  After you enable logging, log information is written to the following file:

  OC4J_home/opmn/logs/default_group~home~default_group~1.log
  

Step 4: i5/OS (OS/400) Configuring the Connector to Work with the Oracle Identity Manager Application Server

The IBM i5/OS (OS/400) Advanced connector is compatible with the following application servers:

• JBoss

• IBM WebSphere

• BEA WebLogic

• Oracle Containers for Java (OC4J)

To ensure that the connector works with the application server that Oracle Identity Manager is deployed on, you must the /ldapgateway/bin/run.sh file (or run.bat for Microsoft Windows) and uncomment the lines related to that particular application server. The following are the contents of the run.sh file:

SET CLASSPATH VARIABLES
##### SET ENVIRONMENT VARIABLES #######
APP_HOME=/opt/ldapgateway
TMPDIR=/opt/ldapgateway/temp
OIM_HOME=/opt/OIM/xellerate
OIM_CLIENT_LIB=/opt/OIM/client/xlclient/lib
 
##### SET JBOSS HOME ##################
# APPSERVER_HOME=/opt/ldapgateway/lib/jboss-4.0.2
 
##### SET WEBSPHERE HOME ##################
#APPSERVER_HOME=/opt/WebSphere/AppServer/lib
 
##### SET WEBLOGIC HOME ##################
# APPSERVER_HOME=/opt/bea/
 
##### SET OC4J HOME ##################
#APPSERVER_HOME=/opt/oracle/oc4j

You also need to edit the related application server-specific libraries. For more information, refer to the vendor documentation for the application server.

Step 5: Importing the Connector XML File

To import the connector XML file into Oracle Identity Manager:

1. Open the Oracle Identity Manager Administrative and User Console.

2. Click the Deployment Management link on the left navigation bar.

3. Click the Import link under Deployment Management. A dialog box for locating files is displayed.

4. Locate and open the oimAs400Connector.xml file, which is in the oim_home/xellerate/XLIntegrations/i5OS/xml/ directory. Details of this XML file are shown on the File Preview page.

5. Click Add File. The Substitutions page is displayed.

6. Click Next. The Confirmation page is displayed.

7. Click Next. The Provide IT Resource Instance Data page for the As400Resource IT resource is displayed.

8. Specify values for the parameters of the As400Resource IT resource. Refer to the table in the Defining IT Resources section for information about the values to be specified.

9. Click Next. The Provide IT Resource Instance Data page for a new instance of the As400Resource IT resource type is displayed.

10. Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.

    See Also:

    If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.

11. Click View Selections.

    The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. Remove these nodes by right-clicking each node and then selecting Remove.

12. Click Import. The connector file is imported into Oracle Identity Manager.

Defining IT Resources

You must specify values for the As400Resource IT resource parameters listed in the following table.

Parameter Name	Parameter Value (Default)
Resource Asset Name	AS400Resource
Resource Asset Type	OIMLDAPGatewayResourceType
Admin Id	uid=idfAs400Admin,dc=as400,dc=com
Admin Password	idfAs400Pwd
Server Address	localhost
Root DN	dc=as400,dc=com
Port	5389
Is the resource asset to be used to call a method on an API, which resides on a system that is external to Oracle Identity Manager?	No

After you specify values for these IT resource parameters, go to Step 9 of the procedure to import connector XML files.

Step 6: Compiling Adapters

The following adapters are imported into Oracle Identity Manager when you import the connector XML file:

• CreateAs400AdvUser

• ChangeAs400AdvUserPassword

• ResetAs400AdvPassword

• DeleteAs400AdvUser

• RevokeAs400AdvUser

• ResumeAs400AdvUser

• ModifyAs400AdvUser

• ModifyRemoveAs400AdvUser

To compile adapters by using the Adapter Manager form:

1. Open the Adapter Manager form.

2. To compile all the adapters that you have imported into the current database, select the Compile All option.

   To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select the Compile Selected option.

3. Click Start. Oracle Identity Manager compiles the adapters that you specify.

4. If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the oim_home/xellerate/Adapter directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.

To view detailed information about an adapter:

1. Highlight the adapter in the Adapter Manager form.

2. Double-click the row header of the adapter, or right-click the adapter.

3. Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.

Note:

To compile one adapter at a time, use the Adapter Factory form. Refer to Oracle Identity Manager Tools Reference Guide for information about using the Adapter Factory and Adapter Manager forms.

Step 7: Installing and Configuring the LDAP Gateway

To install and configure the LDAP Gateway on the Oracle Identity Manager server, do the following:

1. Unzip the ldapgateway.zip file to a directory on the Oracle Identity Manager system, referred to as the LDAP_install_dir.

   See Also:

   Step 2: Copying the Connector Files

2. You must configure the LDAP Gateway to use the message transport layer, JTOpen. For this, open the LDAP_install_dir/conf/as400.properties file and specify the values for the parameters that are described in following table:

   Parameter	Sample Value	Description
   _host_	10.0.0.1	Target i5/OS (OS/400) system IP address
   _adminId_	As400AdminID	Target i5/OS (OS/400) system administrator ID
   _adminPwd_	As400Pwd	Target i5/OS (OS/400) system administrator password
   _agentHost_	10.0.0.1	Target i5/OS (OS/400) system IP address
   _agentAdminId_	As400AgentAdmin	Target i5/OS (OS/400) system reconciliation agent administrator ID
   _agentAdminPwd_	As400AgentAdmPwd	Target i5/OS (OS/400) system reconciliation agent administrator password
   _agentLib_	OIMI5ADV	Target i5/OS (OS/400) system library in which the reconciliation agent files are located
   _agentFile_	QCSRC	Reconciliation agent file on the target i5/OS (OS/400) system
   _agentMember_	EUSRPWD	Reconciliation Agent user with privileges to retrive reconciliation event information
   _agentport_	5490	Target i5/OS (OS/400) system port allocated to the reconciliation agent

   
   

Step 8: Configuring the Message Transport Layer

The IBM i5/OS (OS/400) Advanced Connector uses JTOpen as the message transport layer to access i5/OS (OS/400) data and resources from the Oracle Identity Manager server. More specifically, it is used by the LDAP Gateway to communicate with the Provisioning and Reconciliation Agents that are installed on the i5/OS (OS/400) system.

See Also:

Message Transport Layer in Appendix B, "Connector Architecture"

To configure JTOpen as the message transport layer, do the following:

1. Download JTOpen from the IBM Web site at and unzip the jtopen_ver.zip file:

   http://www14.software.ibm.com/webapp/download/search.jsp?go=y&rs=expastbjm3

2. Copy the jt400.jar and uti400.jar files from the jtopen_install_dir/jtopen/lib/ directory to the LDAP_install_dir/lib/ directory.

3. You also need to configure the LDAP Gateway to use JTOpen as the message transport layer. This is covered in the Step 7: Installing and Configuring the LDAP Gateway section.