The LDAP Gateway acts as the intermediary between Oracle Identity Manager and the connector components on the mainframe. The following sections of this chapter describe the procedure to deploy some components of the connector, including the LDAP Gateway, on the Oracle Identity Manager host computer:
Note:
The procedure to deploy the mainframe components of the connector is described in the next chapter.Section 2.1, "Files and Directories That Comprise the Connector"
Section 2.5, "Configuring Oracle Identity Manager for Request-Based Provisioning"
Table 2-1 describes the files and directories on the installation media.
Table 2-1 Files and Directories That Comprise the Connector
| Files and Directories | Description |
|---|---|
|
configuration/TopsAdv.xml |
This XML file contains configuration information that is used during connector installation. |
|
DataSets/ProvisionResource_OIMTopsResourceObject.xml DataSets/ModifyProvisionedResource_OIMTopsResourceObject |
This XML file specifies the information to be submitted by the requester during a request-based provisioning operation. Section 2.5, "Configuring Oracle Identity Manager for Request-Based Provisioning" provides more information. Note: The dataset XML files are applicable only if you are using Oracle Identity Manager release 11.1.1.x |
|
etc/LDAP Gateway/ldapgateway.zip |
This ZIP file contains the files required to deploy the LDAP Gateway. |
|
etc/Provisioning and Reconciliation Connector/Mainframe_TS.zip |
This ZIP file contains the files required to deploy the Reconciliation and Provisioning Agents on the mainframe. Section 3.2, "Deploying the Reconciliation Agent and Provisioning Agent" describes the files bundled in this ZIP file. |
|
lib/topsecret-provisioning-adapter.jar |
This JAR file contains the code for the adapters that are used during connector provisioning operations. During connector installation, this file is copied to the Oracle Identity Manager database. |
|
Files in the resources directory |
Each of these resource bundles contains locale-specific information that is used by the connector. During connector installation, this file is copied to the Oracle Identity Manager database. Note: A resource bundle is a file containing localized versions of the text strings that include GUI element labels and messages. |
|
scripts/propertyEncrypt.bat scripts/propertyEncrypt.sh |
You use this script to encrypt passwords that you enter in the beans.xml files. Section 2.6, "Installing and Configuring the LDAP Gateway" provides more information. |
|
lib/topsecret-scheduled-tasks.jar |
This JAR file contains the code for the connector's scheduled tasks that perform lookup population and full reconciliation. During connector installation, this file is copied to the Oracle Identity Manager database. |
|
xml/oimTopsAdvConnector.xml |
This XML file contains definitions of the connector components, such as the IT resource and resource object. These objects are created in Oracle Identity Manager when you import the XML file. |
|
upgrade/PostUpgradeScriptTops.sql |
This file is used during the connector upgrade procedure for Oracle Identity Manager release 11.1.2.x. |
To run the Connector Installer:
Copy the contents of the connector installation media directory into the following directory:
OIM_HOME/server/ConnectorDefaultDirectory
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
For Oracle Identity Manager release 11.1.1.x:
Log in to Oracle Identity System Administration by using the user account described in the Creating the User Account for Installing Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.
On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Manage Connector.
For Oracle Identity Manager release 11.1.2.x:
Log in to Oracle Identity System Administration by using the user account described in the Creating the User Account for Installing Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.
In the left pane, under System Management, click Manage Connector.
In the Manage Connector page, click Install.
From the Connector list, select CA Top Secret Advanced RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory in Step 1.
If you have copied the installation files into a different directory, then:
In the Alternative Directory field, enter the full path and name of that directory.
To repopulate the list of connectors in the Connector list, click Refresh.
From the Connector list, select CA Top Secret Advanced RELEASE_NUMBER.
Click Load.
To start the installation process, click Continue.
The following tasks are performed in sequence:
Configuration of connector libraries.
Import of the connector Target Resource user configuration XML file (by using the Deployment Manager).
Compilation of adapters.
On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:
Retry the installation by clicking Retry.
Cancel the installation and begin again from Step 1.
If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:
Ensuring that the prerequisites for using the connector are addressed.
Note:
At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Section 2.4.3, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for information about running the PurgeCache utility.There are no prerequisites for some predefined connectors.
Configuring the IT resource for the connector.
Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is described later in this guide.
Configuring the scheduled jobs that are created when you installed the connector.
Record the names of the scheduled jobs displayed on this page. The procedure to configure these scheduled jobs is described later in this guide.
When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-1.
Installing the Connector in an Oracle Identity Manager Cluster
While installing Oracle Identity Manager in a cluster, you must copy all the JAR files and the contents of the resources directory into the corresponding directories on each node of the cluster. See Section 2.1, "Files and Directories That Comprise the Connector" for information about the files that you must copy and their destination locations on the Oracle Identity Manager server.
You must specify values for the parameters of the TopSecretResource IT resource as follows:
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
For Oracle Identity Manager release 11.1.1.x:
Log in to the Oracle Identity System Administration.
On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
For Oracle Identity Manager release 11.1.2.x:
Log in to the Oracle Identity System Administration.
In the left pane, under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter TopSecretResource and then click Search.
Click the edit icon for the IT resource.
From the list at the top of the page, select Details and Parameters.
Specify values for the parameters of the IT resource. Table 2-2 describes each parameter.
Table 2-2 IT Resource Parameters
| Parameter | Description |
|---|---|
|
AtMap User |
This parameter holds the name of the lookup definition containing attribute mappings that are used for provisioning. Value: Note: You must not change the value of this parameter. |
|
idfPrincipalDn |
Set a user ID for an account that the connector will use to connect to the LDAP Gateway. Format: Sample value: You also set this user ID in the beans.xml inside the idfserver.jar file. See Step 5 in Section 2.6, "Installing and Configuring the LDAP Gateway." |
|
idfPrincipalPwd |
Set a password for the account that the connector will use to connect to the LDAP Gateway. You also set this password in the files listed in the description of the idfPrincipalDn parameter. Note: Do not enter an encrypted value. |
|
idfRootContext |
This parameter holds the root context for CA Top Secret. Value: Note: You must not change the value of this parameter. |
|
idfServerHost |
This parameter holds the host name or IP address of the computer on which you install the LDAP Gateway. For this release of the connector, you install the LDAP Gateway on the Oracle Identity Manager host computer. Default value: Note: Do not change the value of this parameter unless you have installed the LDAP Gateway on a different machine from the Oracle Identity Manager host computer. |
|
idfServerPort |
Enter the number of the port for connecting to the LDAP Gateway. Sample value: You also set this port number in the beans.xml inside the idfserver.jar file. See Step 5 in Section 2.6, "Installing and Configuring the LDAP Gateway." |
|
idfSsl |
This parameter determines whether the LDAP Gateway will use SSL to connect to the target system. Enter Sample value: |
|
idfTrustStore |
This parameter holds the directory location of the trust store containing the SSL certificate. This parameter is optional, and should only be entered when using SSL authentication. This must be the full path to the directory location. Sample value: |
|
idfTrustStorePassword |
This parameter holds the password for the SSL trust store. This parameter is optional, and should only be entered when using SSL authentication. |
|
idfTrustStoreType |
This parameter holds the trust store type for the SSL trust store. This parameter is optional, and should only be entered when using SSL authentication. Sample value: |
|
Last Modified Time Stamp |
The most recent start time of the Reconcile LDAP Users reconciliation scheduled task is stored in this parameter. See Section 4.4.2.4, "Top Secret Reconcile All LDAP Users" for more information about his scheduled task. The format of the value stored in this parameter is as follows: MM/dd/yy hh:mm:ss a In this format: MM is the month of the year. dd is the day of the month. yy is the year. hh is the hour in am/pm (01-12). mm is the minute in the hour. ss is the second in the minute. a is the marker for AM or PM. Sample value: The default value is 0. The reconciliation task will perform full LDAP user reconciliation when the value is 0. If the value is a non-zero, standard time-stamp value in the format given above, then incremental reconciliation is performed. Only records that have been created or modified after the specified time stamp are brought to Oracle Identity Manager for reconciliation. Note: When required, you can manually enter a time-stamp value in the specified format. |
To save the values, click Update.
Configuring Oracle Identity Manager involves the following procedures:
Note:
In an Oracle Identity Manager cluster, you must perform these steps on each node of the cluster.Section 2.4.1, "Configuring Oracle Identity Manager 11.1.2 or Later"
Section 2.4.3, "Clearing Content Related to Connector Resource Bundles from the Server Cache"
If you are using Oracle Identity Manager release 11.1.2 or later, you must create additional metadata such as a UI form and an application instance. In addition, you must run entitlement and catalog synchronization jobs. These procedures are described in the following sections:
Create and activate a sandbox as follows. For detailed instructions, see the Managing Sandboxes in Oracle Fusion Middleware Administering Oracle Identity Manager.
On the upper navigation bar, click Sandboxes. The Manage Sandboxes page is displayed.
On the toolbar, click Create Sandbox. The Create Sandbox dialog box is displayed.
In the Sandbox Name field, enter a name for the sandbox. This is a mandatory field.
In the Sandbox Description field, enter a description of the sandbox. This is an optional field.
Click Save and Close. A message is displayed with the sandbox name and creation label.
Click OK. The sandbox is displayed in the Available Sandboxes section of the Manage Sandboxes page.
From the table showing the available sandboxes in the Manage Sandboxes page, select the newly created sandbox that you want to activate.
On the toolbar, click Activate Sandbox.
The sandbox is activated.
Create a new UI form as follows. For detailed instructions, see the Managing Forms chapter in the Managing Forms in Oracle Fusion Middleware Administering Oracle Identity Manager.
In the left pane, under Configuration, click Form Designer.
Under Search Results, click Create.
Select the resource type for which you want to create the form, for example, OIMTopSecretResourceObject.
Enter a form name and click Create.
Create an application instance as follows. For detailed instructions, see the Managing Application Instances in Oracle Fusion Middleware Administering Oracle Identity Manager.
In the System Administration page, under Configuration in the left pane, click Application Instances.
Under Search Results, click Create.
Enter appropriate values for the fields displayed on the Attributes form and click Save.
In the Form drop-down list, select the newly created form and click Apply.
Publish the application instance to an organization to make the application instance available for requesting and subsequent provisioning to users. See Modifying Application Instances section in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed instructions.
To publish the sandbox that you created in Section 2.4.1.1, "Creating and Activating a Sandbox":
Close all the open tabs and pages.
In the upper-right corner of the page, click the Sandboxes link.
The Manage Sandboxes page is displayed.
From the table showing the available sandboxes in the Manage Sandboxes page, select the sandbox that you created in Section 2.4.1.1, "Creating and Activating a Sandbox."
On the toolbar, click Publish Sandbox. A message is displayed asking for confirmation.
Click Yes to confirm. The sandbox is published and the customizations it contained are merged with the main line.
To harvest entitlements and sync catalog:
Run the scheduled jobs for lookup field synchronization. See Section 4.2, "Scheduled Tasks for Lookup Field Synchronization" for more information about these scheduled jobs.
Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table. See Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about this scheduled job.
Run the Catalog Synchronization Job scheduled job. See Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about this scheduled job.
For any changes you do in the Form Designer, you must create a new UI form and update the changes in an application instance. To update an existing application instance with a new form:
Create a sandbox and activate it as described in Section 2.4.1.1, "Creating and Activating a Sandbox."
Create a new UI form for the resource as described in Section 2.4.1.2, "Creating a New UI Form."
Open the existing application instance.
In the Form field, select the new UI form that you created.
Save the application instance.
Publish the sandbox as described in Section 2.4.1.4, "Publishing a Sandbox."
Note:
Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.2.x, and you want to localize UI form field labels.To localize field label that is added to the UI forms:
Log in to Oracle Enterprise Manager.
In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
In the right pane, from the Application Deployment list, select MDS Configuration.
On the MDS Configuration page, click Export and save the archive to the local computer.
Extract the contents of the archive, and open the following file in a text editor: For Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) and later:
SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf
Edit the BizEditorBundle.xlf file as follows:
Search for the following text:
<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
Replace with the following text:
<file source-language="en" target-language="LANG_CODE" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:
<file source-language="en" target-language="ja" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
Search for the application instance code. The original code will be in the following format:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_<Field_Name>__c_description']}">
<source><Field_Label></source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.<UI_Form_Name>.entity. <UI_Form_Name>EO.UD_<Field_Name>__c_LABEL">
<source><Field_Label></source>
<target/>
</trans-unit>
For example, the following sample code show the update that should be made for the FULL NAME field on a UI form named TopSecretUserFormv1:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_IDF_TOPS_CN__c_description']}">
<source>FULL NAME</source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.TopSecretUserFormv1.entity.TopSecretUserFormv1EO.UD_IDF_TOPS_CN__c_LABEL">
<source>FULL NAME</source>
<target/>
</trans-unit>
Open the resource file from the /resources directory in the connector installation media, for example TopSecret-Adv_ja.properties, and get the value of the attribute from the file, for example global.udf.UD_IDF_TOPS_CN=\u6C0F\u540D.
Replace the original code shown in Step 6.c with the following:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_<Field_Name>__c_description']}">
<source>< global.udf.UD_Field_Name></source>
<target/>enter Unicode values here</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.<UI_Form_Name>.entity. <UI_Form_Name>EO.UD_<Field_Name>__c_LABEL">
<source><Field_Label></source>
<target/>enter Unicode values here</target>
</trans-unit>
As an example, the code for FULL_NAME field translation would be:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_IDF_TOPS_CN__c_description']}">
<source>FULL_NAME</source> <target>\u6C0F\u540D</target> </trans-unit> <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.TopSecretUserFormv1.entity.TopSecretUserFormv1EO.UD_IDF_TOPS_CN__c_LABEL"> <source>FULL_NAME</source> <target>\u6C0F\u540D</target> </trans-unit>
Repeat Steps 6.c through 6.e for all attributes of the process form.
Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing. Sample file name: BizEditorBundle_ja.xlf.
Repackage the ZIP file and import it into MDS.
Log out of and log in to Oracle Identity Manager.
When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into Oracle Identity Manager database. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
In a command window, switch to the OIM_HOME/server/bin directory.
Enter one of the following commands:
Note:
You can use the PurgeCache utility to purge the cache for any content category. RunPurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the content category that must be purged.
For example, the following commands purge Metadata entries from the server cache:
PurgeCache.bat MetaData
PurgeCache.sh MetaData
On Microsoft Windows: PurgeCache.bat All
On UNIX: PurgeCache.sh All
When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:
t3://OIM_HOST_NAME:OIM_PORT_NUMBER
In this format:
Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.
Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.
See Oracle Fusion Middleware Administering Oracle Identity Manager for more information about the PurgeCache utility.
The CA Top Secret connector supports two forms of logging, namely LDAP gateway-level logging and Oracle Identity Manager-level logging. This section discusses the following topics:
LDAP Gateway logging operations are managed by the log4j.properties file, which can be extracted from within the ldapgateway/dist/idfserver.jar compilation (see step 10 of Section 2.6, "Installing and Configuring the LDAP Gateway"). In the log4j.properties file, edit the rootLogger log level:
log4j.rootLogger=ERROR
The following is a list of log levels that can be used:
ALL
This level enables logging for all events.
DEBUG
This level enables logging of information about fine-grained events that are useful for debugging.
INFO
This level enables logging of messages that highlight the progress of the application at a coarse-grained level.
WARN
This level enables logging of information about potentially harmful situations.
ERROR
This level enables logging of information about error events that might allow the application to continue running.
FATAL
This level enables logging of information about very severe error events that could cause the application to stop functioning.
OFF
This level disables logging for all events.
Multiple log files are available for use with the connector. Table 2-3 lists the name, location, and contents of each LDAP gateway log file.
Table 2-3 Log Files and their Contents
| Log File | Description |
|---|---|
|
nohup.out |
This log file contains the console window output from the LDAP Gateway. This file is primarily used in conjunction with the run.sh script (instead of the run.bat file) Location: … |
|
idfserver.log.0 |
This log file contains provisioning and reconciliation logging messages from the LDAP Gateway and is the primary log file used by the gateway component. Location: … |
Oracle Identity Manager uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
SEVERE.intValue()+100
This level enables logging of information about fatal errors.
SEVERE
This level enables logging of information about errors that might allow Oracle Identity Manager to continue running.
WARNING
This level enables logging of information about potentially harmful situations.
INFO
This level enables logging of messages that highlight the progress of the application.
CONFIG
This level enables logging of information about fine-grained events that are useful for debugging.
FINE, FINER, FINEST
These levels enable logging of information about fine-grained events, where FINEST logs information about all events.
These log levels are mapped to ODL message type and level combinations as shown in Table 2-4.
Table 2-4 Log Levels and ODL Message Type:Level Combinations
| Log Level | ODL Message Type:Level |
|---|---|
|
SEVERE.intValue()+100 |
INCIDENT_ERROR:1 |
|
SEVERE |
ERROR:1 |
|
WARNING |
WARNING:1 |
|
INFO |
NOTIFICATION:1 |
|
CONFIG |
NOTIFICATION:16 |
|
FINE |
TRACE:1 |
|
FINER |
TRACE:16 |
|
FINEST |
TRACE:32 |
OIM level logging operations are managed by the logging.xml file, which is located in following directory:
DOMAIN_NAME/config/fmwconfig/servers/SERVER_NAME/
Loggers are used to configure logging operations for the connector's OIM functions. To configure loggers:
In the text editor, open the DOMAIN_NAME/config/fmwconfig/servers/SERVER_NAME/logging.xml file.
Locate the logger you want to configure. If adding a logger for the first time, you must create the logger definition. Table 2-5, "Logger Parameters" lists the Oracle Identity Manager loggers for this connector.
| Logger | Description |
|---|---|
|
COM.IDENTITYFORGE.IDFTOPSUSEROPERATIONS |
Logs events related to provisioning operations from Oracle Identity Manager to the LDAP gateway, such as user creation and modification events. |
|
COM.IDENTITYFORGE.UTIL.TOPS.IDFLDAPOPERATIONS |
Logs events related to basic LDAP functions, including connecting to and disconnecting from the LDAP gateway. |
|
COM.IDENTITYFORGE.TOPS.TASKS.FINDALLDATASETSTASK |
Logs events related to the Find All Datasets scheduled task. |
|
COM.IDENTITYFORGE.TOPS.TASKS.FINDALLFACILITIESTASK |
Logs events related to the Find All Facilities scheduled task. |
|
COM.IDENTITYFORGE.TOPS.TASKS.FINDALLGROUPSTASK |
Logs events related to the Find All Groups scheduled task. |
|
COM.IDENTITYFORGE.TOPS.TASKS.FINDALLPROFILESTASK |
Logs events related to the Find All Profiles scheduled task. |
|
COM.IDENTITYFORGE.TOPS.TASKS.FINDALLSOURCESTASK |
Logs events related to the Find All Sources scheduled task. |
|
COM.IDENTITYFORGE.TOPS.TASKS.RECONCILEALLLDAPUSERSTASK |
Logs events related to the Reconcile All LDAP Users scheduled task. |
|
COM.IDENTITYFORGE.TOPS.TASKS.RECONCILEUSERSTOINTERNALLDAPTASK |
Logs events related to the CFILE extract from TSS to initialize users to the internal LDAP, reconcile users to internal LDAP scheduled task. |
|
COM.IDENTITYFORGE.TOPS.TASKS.RECONCILEALLUSERSTASK |
Logs events related to the Reconcile All Users scheduled task |
|
COM.IDENTITYFORGE.TOPS.TASKS.RECONCILEDELETEDUSERSTOOIMTASK |
Logs events related to the Reconcile Deleted Users to OIM scheduled task. |
Define the <logger> element and its handlers. You can use the standard odl-handler as the log handler, or write your own. For more information on configuring logging in Oracle Identity Manager 11g, see Enabling Logging in Oracle Fusion Middleware Administering Oracle Identity Manager.
The following is an example of a logger definition for the Reconcile All Users scheduled task:
<logger name="COM.IDENTITYFORGE.TOPS.TASKS.RECONCILEALLUSERSTASK" level='TRACE:32'> <handler name='odl-handler'/> </logger>
Save the changes and close the file.
Restart the Oracle Identity Manager server for the changes to take effect.
Log statements will be written to the path that is defined in the log handler that you assigned in the logger definition. For example, in the above logger definition for the Reconcile All Users scheduled task (in step3), the handler is odl-handler, which has the following default output file path:
${domain.home}/servers/${weblogic.Name}/logs/${weblogic.Name}-diagnostic.log'
Note:
Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.1.x and you want to configure request-based provisioning.In request-based provisioning, an end user creates a request for a resource by using the Oracle Identity System Administration. Administrators or other users can also create requests for a particular user. Requests for a particular resource on the resource can be viewed and approved by approvers designated in Oracle Identity Manager.
The following are features of request-based provisioning:
A user can be provisioned only one resource (account) on the target system.
Note:
Direct provisioning allows the provisioning of multiple target system accounts on the target system.Direct provisioning cannot be used if you enable request-based provisioning.
To configure request-based provisioning, perform the following procedures:
A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. Predefined request datasets are shipped with this connector. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation. The following predefined request datasets are available in the DataSets directory on the installation media:
ProvisionResource_OIMTopsResourceObject.xml
ModifyProvisionedResource_OIMTopsResourceObject
Copy these files from the installation media to any directory on the Oracle Identity Manager host computer. It is recommended that you create a directory structure as follows:
/custom/connector/RESOURCE_NAME
For example:
E:\MyDatasets\custom\connector\TopSecretAdv
Note:
Until you complete the procedure to configure request-based provisioning, ensure that there are no other files or directories inside the parent directory in which you create the directory structure. In the preceding example, ensure that there are no other files or directories inside the E:\MyDatasets directory.The directory structure to which you copy the dataset files is the MDS location into which these files are imported after you run the Oracle Identity Manager MDS Import utility. The procedure to import dataset files is described in the next section.
Depending on your requirement, you can modify the file names of the request datasets. In addition, you can modify the information in the request datasets. See for information on modifying request datasets. Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
All request datasets must be imported into the metadata store (MDS), which can be done by using the Oracle Identity Manager MDS Import utility.
To import a request dataset definition into MDS:
Ensure that you have set the environment for running the MDS Import utility. See Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for detailed information about setting up the environment for MDS utilities.
Note:
While setting up the properties in the weblogic.properties file, ensure that the value of the metadata_from_loc property is the parent directory of the /custom/connector/RESOURCE_NAME directory. For example, while performing the procedure in Section 2.5.1, "Copying Predefined Request Datasets," if you copy the files to the E:\MyDatasets\custom\connector\TopSecretAdv directory, then set the value of the metada_from_loc property toE:\MyDatasets.In a command window, change to the OIM_HOME\server\bin directory.
Run one of the following commands:
On Microsoft Windows
weblogicImportMetadata.bat
On UNIX
weblogicImportMetadata.sh
When prompted, enter the following values:
Please enter your username [weblogic]
Enter the username used to log in to the WebLogic server
Sample value: WL_User
Please enter your password [weblogic]
Enter the password used to log in to the WebLogic server.
Please enter your server URL [t3://localhost:7001]
Enter the URL of the application server in the following format:
t3://HOST_NAME_IP_ADDRESS:PORT
In this format, replace:
HOST_NAME_IP_ADDRESS with the host name or IP address of the computer on which Oracle Identity Manager is installed.
PORT with the port on which Oracle Identity Manager is listening.
The request dataset is imported into MDS at the following location:
/custom/connector/RESOURCE_NAME
To enable the Auto Save Form feature:
Log in to the Design Console.
Expand Process Management, and then double-click Process Definition.
Search for and open the OIMTopsProvisioningProcess process definition.
Select the Auto Save Form check box.
Click the Save icon.
Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Section 2.4.3, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for instructions.
The procedure to configure request-based provisioning ends with this step.
The IT resource contains connection information for Oracle Identity Manager to connect to the LDAP Gateway. The tops.properties file is one of the components of the gateway. This file contains information used by the gateway to connect to the mainframe. Configuring the gateway involves setting values in the tops.properties file and the other files that constitute the gateway.
To install and configure the LDAP Gateway:
Extract the contents of the ldapgateway.zip file to a directory on the computer on which you want to install the LDAP Gateway. This ZIP file is in the etc/LDAP Gateway directory on the installation media.
Note:
In this document, the location (and name) of the ldapgateway directory on the host computer is referred to as LDAP_INSTALL_DIR.In a text editor, open the LDAP_INSTALL_DIR/conf/tops.properties file. The following table describes these properties.
Table 2-6 Properties in the tops.properties File
| Property | Description |
|---|---|
|
agentPort |
Enter the port number on the LDAP Gateway host computer that you are going to reserve for messages sent from the mainframe by the Reconciliation Agent, Voyager. The LDAP Gateway will receive real-time reconciliation messages using this port. This value should match the value of the PORT parameter in the Voyager agent control file. See Table 3-13 in section 3.8, "Configuring the Started Tasks"for more information on the Voyager control file parameters. |
|
configDNames |
This property holds the name of any custom target system attributes that should be included when the LDAP gateway parses a user profile from the target system (typically performed during reconciliation). If you are using a target system attribute that is not supported out-of-the-box, then add the name of that attribute to the value of the configDNames property. The name should match the format of the attribute name when executing a LIST command on the target system and you must include the Spaces and = for each attribute. This step is mentioned in the following sections: For example, if you defined two Top Secret fields named PST15, and VEND, then you would enter: # CONFIG DISPLAY NAMES configDNames =VEND =|PST15 =| To enter multiple custom attributes, separate each entry with a vertical bar. |
|
configAttrs |
This property holds the name of any custom target system attributes that should be included when the LDAP gateway parses a user profile from the target system (typically performed during reconciliation). If you are using a target system attribute that is not supported out-of-the-box, then add the name of that attribute to the value of the configAttrs property. The name should match the format of the attribute name when executing a LIST command on the target system but without the data from above in the configDNames and this is that will match your LDAP and OIM attribute name when configuring. This step is mentioned in the following sections: For example, if you define three Top Secret fields named $PST15, PST VRO 16, and VEND ID, then you would enter:
To enter multiple custom attributes, separate each entry with a vertical bar. |
|
configDatasets |
If you create a custom dataset on the target system, then add the name of that dataset type to the value of the configDatasets property. For example:
To enter multiple custom dataset names, separate each entry with a vertical bar. |
|
customDataset |
This property is used to store custom dataset names when issuing a WHOHAS command to the Top Secret system. If more than one custom dataset exists, separate each entry with a vertical bar ('|') character. Custom datasets that are added to this property will be included when the dataset lookup synchronization task ('Top Secret Find All Datasets') is run in Oracle Identity Manager. For example:
|
|
defaultDelete |
Enter one of the following as the value of this property:
For example:
|
|
host |
Set the host name or IP address of the mainframe as the value of this property. |
|
port |
Enter the number of the port on the mainframe that you are going to reserve for the Provisioning Agent. The LDAP Gateway will send provisioning messages to this port. This value should match the PORT parameter specified in the Pioneer provisioning agent STC. See Section 3.8, "Configuring the Started Tasks" for more information on the Pioneer STC. |
|
ver45 |
This property is used to determine whether the LDAP gateway must use the large (240K) socket buffer when passing messages to the target system.Values: If you set the value of this property to |
|
stcID |
This property is not supported from 9.0.4.18 and later releases of this connector. This property allows the real-time agent to ignore events that have been submitted to the target system by the Pioneer STC (such as by request from Oracle Identity manager). Enter the name given to the Pioneer STARTED TASK. |
|
domainOu |
This property stores users in the specified subtree under the ou=People tree of the internal LDAP store. This entry needs to be unique and specific for each system if multiple systems are used within one LDAP Gateway. Default setting is |
|
internalEnt |
This property allows the real-time agent to store user data in the LDAP Gateway internal store. Values: |
|
useExtractUser |
This property specifies whether messages sent to the Provisioning Agent (PIONEER) will use EXTRACT format. Values: Note: Message format from the Reconciliation Agent (VOYAGER) is configured in the agent control file. |
|
ignoreChar |
Use this property to specify characters in PROFILE names that must be ignored when retrieving user data from the LDAP Gateway. For example: Suppose User1 is a member of the TESTGRP1 profile until 01-Jan-2020. When a LIST function is called for User1, the output for the PROFILES section is If you set the value of the ignoreChar property to *, then the LDAP Gateway ignores the asterisk character in the name of the profile. In other words, when the LIST function is called, the output for the PROFILES section is You can set multiple characters to be ignored as the value of the ignoreChar property. Do not use any blank character or space as the delimiter for the set of characters that you specify. For example, if you want both the asterisk character and the dollar sign ($) to be ignored, then enter the value as shown:
Suppose User2 is a member of the TESTGRP1, *TESTGRP2, and *TESTGRP$ profiles. If a LIST function is run for User2, then the following profiles are listed:
|
|
processFailedXML |
This property is used by the Top Secret Reconcile Users to Internal LDAP scheduled task and determines whether the LDAP gateway will attempt to parse any failed XML entries. Default value: |
|
isStreamingUsers |
This property is used by the Top Secret Reconcile Users to Internal LDAP scheduled task. If you set the value of this property to If you set the value of this property to Default value: |
|
revokePsuspendUsers |
Use this property to specify whether users with the PSUSPEND attribute should be flagged as revoked when parsing a LIST USER result message.
|
|
secretKeyValue |
This property contains the custom encryption key. This key should match the secretKey value used by the mainframe agents. See Appendix B, "AES 128 User Key Definition and Usage" for more information on using this property. |
|
includeData |
This property is used when retrieving a list of all users on the Top Secret system. If you set the value of this property to true, for each ACID in TSS, the LDAP gateway will return both the ACID and the user data. If you set the value of this property to false, for each ACID in TSS, the LDAP gateway will only the ACID. Default value: |
|
resumeOnReset |
This property is used when resetting a user's password. If you set the value of this property to true, the user will be enabled during a reset password operation. If you set the value of this property to false, the user will not be enabled during a reset password operation. Default value: |
|
trimOmvsUid |
This property is used with the omvsUid attribute. If you set the value of this property to true, the LDAP gateway will trim leading zeros, "0", from the omvsUid value. If you set the value of this property to false, the LDAP gateway will not trim any leading zeroes from the omvsUid value. Default value: |
|
trimNum |
This property is used with the trimOmvsUid property and specifies the number of leading zeroes to trim from a user's omvsUid attribute. Default value: |
|
newOmvsUidAttr |
This property specifies the new name to use for the omvsUid property. Default value: |
|
usePwdComplexLength |
This property is used to control the length of passwords. If you set the value of this property to true, the LDAP gateway will use the properties file password length settings. If you set the value of this property to false, the LDAP gateway will use the standard password length. Default value: |
|
idMinLength |
This property specifies the minimum ACID length in characters. Default value: |
|
idMaxLength |
This property specifies the maximum ACID length in characters. Default value: |
|
pwdMinLength |
This property specifies the minimum password length for an ACID. Default value: |
|
pwdMaxLength |
This property specifies the maximum password length for an ACID. Default value: |
|
minDays |
This password specifies the minimum number of days that must pass before a password can be changed. Default value: |
|
mainframeCodePage |
This property specifies the mainframe code page in use on the mainframe. Default value: |
|
luMulti |
This property is used with LU6.2 attributes. If you set the value of this property to true, the LDAP gateway will process LU6.2 attributes as multi-valued attributes. If you set the value of this property to false, the LDAP gateway will process LU6.2 attributes as single-valued attributes. Default value: |
|
luMultiSep |
This property is used with LU6.2 attributes and specifies the separator character used for multi-valued attributes. Default value: |
|
type isencrypted timeout authretries requestorId CPF CPF-WAIT |
These properties are no longer used in Oracle installations. Do not modify their values. |
Save and close the tops.properties file.
From the LDAP_INSTALL_DIR/dist/idfserver.jar file, extract the beans.xml file and then open it in an editor.
In the beans.xml file, set values for the LDAP Gateway user credentials as follows:
You use the beans.xml file to store the credentials of the account used by Oracle Identity Manager to connect to the LDAP Gateway. You also enter these credentials as parameters of the IT resource. During provisioning and reconciliation, the credentials passed through the IT resource are authenticated against the credentials stored in the beans.xml file. The LDAP Gateway exchanges data with the connector only after this authentication succeeds.
You enter the credentials of the LDAP Gateway user in the following lines of the beans.xml file:
<property name="adminUserDN" value="cn=idfTopsAdmin,dc=tops,dc=com"/> <property name="adminUserPassword" value="idfTopsPwd"/>
In the first line, replace cn=idfTopsAdmin,dc=tops,dc=com with the value that you set for the idfPrincipalDn parameter of the IT resource. In the second line, replace the sample value idfTopsPwd with the encrypted version of the password that you set for the idfPrincipalPwd parameter of the IT resource. Table 2-2, "IT Resource Parameters" describes both parameters. If you want to encrypt the password before you enter it in the beans.xml file, then:
Note:
It is optional to encrypt the password that you set in the beans.xml file. However, it is recommended that you encrypt the password for security reasons.You must enter the unencrypted password as the value of the idfPrincipalPwd IT resource parameter. This is regardless of whether you enter the encrypted password in the beans.xml file.
In a text editor, copy one of the following script files from the installation media into a temporary directory and then open the script file in a text editor:
For Microsoft Windows:
/scripts/propertyEncrypt.bat
For UNIX:
/scripts/propertyEncrypt.sh
Specify values for the following properties in the file:
SET CLASSPATH=DIRECTORY_LOCATION\idfserver.jar
Replace DIRECTORY_LOCATION with the full path of the directory into which you copied the idfserver.jar file while deploying the connector.
For example:
SET CLASSPATH=C:\software\ldapgateway\dist\idfserver.jar
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil PLAINTEXT_PASSWORD
Replace PLAINTEXT_PASSWORD with the password that you want to encrypt.
For example:
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil idfTopsPwd
Save the changes made to the propertyEncrypt.bat or propertyEncrypt.sh script.
Run the script.
The script encrypts the password that you provide and displays it in the command window.
In the beans.xml file, search for the following string:
<property name="adminUserPassword"
Replace the value of this property with the encrypted password.
For example:
<property name="adminUserPassword" value="468018DD1CDBE82E515EBF78A41C428E"/>
In the beans.xml file, specify the port used for communication between the LDAP Gateway and the mainframe logical partition (LPAR) that you use for the connector installation
As shown in the following line, the default value of the port property is 5389. You can change this default value to any port of your choice.
The port number should match the value that you specify for the idfServerPort IT resource parameter.
<property name="port" value="6389"/>
To enable logging for the LDAP Gateway:
Copy the log4j JAR file from the application server directory in which it is placed to the LDAP_INSTALL_DIR/lib directory.
Extract the log4j.properties file from the LDAP_INSTALL_DIR/dist/idfserver.jar file.
Enter a log level as the value of the log4j.rootLogger variable. For example:
log4j.rootLogger=DEBUG, A1
See Also:
Section 2.4.4, "Enabling Logging" for more informationSave and close the file.
When you use the connector, the following log file is generated in the LDAP_INSTALL_DIR/logs directory:
idfserver.log.0: This is the main LDAP Gateway operations log file.
To configure the SSL in the LDAP Gateway:
Edit the /ldapgateway/idfserver.jar beans.xml directory for the following:
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory"> <constructor-arg><value>false</value></constructor-arg> <constructor-arg><value>./conf/idf.jks</value></constructor-arg> <constructor-arg><value>abc123</value></constructor-arg> <constructor-arg><value>false</value></constructor-arg> </bean>
The first argument indicates we are not in client mode.
Note:
Do not change this argument.The second argument is the path to the keystore. Either change this path to your keystore or add your certificate to this keystore.
The third argument is the keystore password that you used to generate your keystore.
The fourth argument indicates whether the keystore password is encrypted. Use false for plain-text passwords, and true for encrypted passwords.
Edit a listener using the SSLChannelFactory for only "port", which is the only item you can change in the listener:
<bean id="sslListener" class="com.identityforge.idfserver.nio.Listener"> constructor-arg><ref bean="bus"/></constructor-arg> <constructor-arg><ref bean="sslChannelFactory"/></constructor-arg> <property name="admin"><value>false</value></property> <property name="config"><value>./conf/listener.xml</value></property> <property name="port" value="7389"/> <property name="threadName" value="SSLLDAPListener"/> </bean>
Add the listener to the server by uncommenting the following line:
<bean id="server" class="com.identityforge.idfserver.Server"> <property name="tasks"> <list> <ref bean="bus"/> <ref bean="decoder"/> <ref bean="listener"/> <!-- <ref bean="sslListener"/> ? <!- added here -> <ref bean="client"/> <ref bean="protocol"/> <ref bean="encoder"/> <ref bean="output"/> </list> </property> <property name="nexus" ref="nexus"/> <property name="logPath" value="../logs/idfserver.log"/> </bean>
Save the changes made to the beans.xml file, and then re-create the idfserver.jar file.
To configure the LDAP Gateway for the application server that Oracle Identity Manager is running on:
In a text editor, open the run script from the LDAP_INSTALL_DIR/bin directory. This run script is used to start and stop the LDAP gateway.
If using a Windows system, open the run.bat file. If using a UNIX system, open the run.sh file.
In the run script, you will need to update certain sections (see the run script comments for more details):
(i) Update the environment variables to reflect the actual location of the application server directories
rem ***************************************************** rem ******* UPDATE THE FOLLOWING CLASSPATHS ************* rem ***************************************************** set JAVA_HOME=C:\software\Java\jdk1.6.0_20 set APPSERVER_HOME=C:\jboss set OIM_HOME=C:\oracle\9.0.3\xellerate set OIM_CLIENT_HOME=C:\oracle\9.0.3\client\xlclient
(ii) Uncomment the lines related to the application server libraries that you are using.
(iii) Update the application server library classpaths to reflect the actual location of the directories on your system.
(iv) Uncomment the STARTUP command for the application server that you are using.
If you are using IBM WebSphere Application Server 6.1, then add the com.ibm.ws.wccm_6.1.0.jar file to the CLASSPATH variable in the run script as shown in the following example:
rem
rem SET WEBSPHERE APPLICATION SERVER REQUIRED LIBRARIES
rem
set CLASSPATH=%CLASSPATH%;"%APPSERVER_HOME%"\lib\com.ibm.ws.wccm_6.1.0.jar
Save and close the run script.
Starting and Stopping the LDAP Gateway on UNIX
To start the LDAP Gateway on UNIX, run the following command:
bin>./run.sh
When the LDAP Gateway has started, the LDAP Gateway VERSION_NUMBER Started message is recorded in the LDAP_INSTALL_DIR/bin/nohup.out log file. For more information on logging, see Section 2.4.4, "Enabling Logging."
To stop the LDAP Gateway on UNIX, run the following command:
bin>./stop_idf.sh
Starting and Stopping the LDAP Gateway on Microsoft Windows
To start the LDAP Gateway on Microsoft Windows, run the run.bat file.
When the LDAP Gateway has started, the LDAP Gateway VERSION_NUMBER Started message is recorded in the idfserver.log.
To stop the LDAP Gateway on Microsoft Windows, close the command window in which the gateway is running.