Deploying the connector involves the following steps:
Configuring the target system involves performing the following procedures:
Ensuring That the Parent Organization Exists in Microsoft Active Directory
Enabling or Disabling Password Policies on Microsoft Active Directory
You must ensure that the parent organization exists in the target server installation. The parent organization is specified as the value of the Root Context parameter in the IT resource definition. Refer to the "Defining IT Resources" section for more information about this parameter.
On Microsoft Active Directory, the "Passwords must meet complexity requirements" policy setting is used to enable or disable password policies. You can choose whether or not you want to use SSL to secure communication between Oracle Identity Manager and Microsoft Active Directory.
Note:
The procedure to configure SSL is discussed later in this guide.
The procedure that you must perform depends on whether or not you configure SSL and enforce password policies.
If you do not configure SSL and try to provision a Microsoft Active Directory user through Oracle Identity Manager, then the user's password cannot be updated by using Oracle Identity Manager. Therefore, if the communication is not secured by SSL, then you must disable any existing password policies in Microsoft Active Directory. This is achieved by disabling the "Passwords must meet complexity requirements" policy setting.
If you configure SSL and you want to enforce both the default Microsoft Windows password policy and a custom password policy, then you must enable the "Passwords must meet complexity requirements" policy setting.
To enable or disable the "Passwords must meet complexity requirements" policy setting:
On the Microsoft Windows computer hosting the Active Directory domain controller on which you are installing the password synchronization module, start the Domain Security Policy application.
To do this, on the Microsoft Windows computer, click the Start menu, Programs, Administrative Tools, and Domain Security Policy.
Select Security Settings, expand Account Policies, and then click Password Policy.
Double-click Passwords must meet complexity requirements.
In the Password Must Meet Complexity Requirements Properties dialog box, select Define this policy setting and then select:
Enabled, if you want to enable password policies
Disable, if you do not want to enable password policies
Click OK.
The connector files to be copied and the directories to which you must copy them are given in the following table.
See Also:
"Files and Directories on the Installation Media" for more information about these files
| File in the Installation Media Directory | Destination Directory |
|---|---|
lib/xliActiveDirectory.jar |
OIM_home/xellerate/JavaTasks
|
lib/xliADRecon.jar |
OIM_home/xellerate/ScheduleTask
|
|
Files in the |
OIM_home/xellerate/connectorResources
|
|
Files in the |
OIM_home/xellerate/scripts
After you copy the |
|
Directories and files in the |
OIM_home/xellerate/test
|
|
Files in the |
OIM_home/xellerate/XLIntegrations/ActiveDirectory/xml
|
To copy the ldapbp.jar file into the required directory:
Log on the Sun Web site at
Click the Download JNDI 1.2.1 & More button.
From the table on the page that is displayed, select and download the file containing the ldapbp.jar file.
Copy the ldapbp.jar file into the OIM_home/xellerate/ThirdParty directory on the Oracle Identity Manager server.
Note:
While installing Oracle Identity Manager in a clustered environment, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy the contents of the connectorResources directory and the JAR files to the corresponding directories on each node of the cluster.
Configuring the Oracle Identity Manager server involves performing the following procedures:
Note:
In a clustered environment, you must perform this step on each node of the cluster.
Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.
You may require the assistance of the system administrator to change to the required input locale.
While performing the instructions described in the "Copying the Connector Files and External Code Files" section, you copy files from the resources directory on the installation media into the OIM_home/xellerate/connectorResources directory. Whenever you add a new resource bundle in the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
In a command window, change to the OIM_home/xellerate/bin directory.
Note:
You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:
OIM_home/xellerate/bin/batch_file_name
Enter one of the following commands:
On Microsoft Windows:
PurgeCache.bat ConnectorResourceBundle
On UNIX:
PurgeCache.sh ConnectorResourceBundle
Note:
You can ignore the exception that is thrown when you perform Step 2.
In this command, ConnectorResourceBundle is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:
OIM_home/xellerate/config/xlConfig.xml
When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
ALL
This level enables logging for all events.
DEBUG
This level enables logging of information about fine-grained events that are useful for debugging.
INFO
This level enables logging of informational messages that highlight the progress of the application at coarse-grained level.
WARN
This level enables logging of information about potentially harmful situations.
ERROR
This level enables logging of information about error events that may still allow the application to continue running.
FATAL
This level enables logging of information about very severe error events that could cause the application to stop functioning.
OFF
This level disables logging for all events.
The file in which you set the log level and the log file path depend on the application server that you use:
Oracle WebLogic
To enable logging:
Add the following lines in the OIM_home/xellerate/config/log.properties file:
log4j.logger.XELLERATE=log_level log4j.logger.XL_INTG.ACTIVEDIRECTORY=log_level
In these lines, replace log_level with the log level that you want to set.
For example:
log4j.logger.XELLERATE=INFO log4j.logger.XL_INTG.ACTIVEDIRECTORY=INFO
After you enable logging, log information is displayed on the server console.
IBM WebSphere
To enable logging:
Add the following lines in the OIM_home/xellerate/config/log.properties file:
log4j.logger.XELLERATE=log_level log4j.logger.XL_INTG.ACTIVEDIRECTORY=log_level
In these lines, replace log_level with the log level that you want to set.
For example:
log4j.logger.XELLERATE=INFO log4j.logger.XL_INTG.ACTIVEDIRECTORY=INFO
After you enable logging, log information is written to the following file:
WEBSPHERE_HOME/AppServer/logs/SERVER_NAME/SystemOut.log
JBoss Application Server
To enable logging:
In the JBoss_home/server/default/conf/log4j.xml file, add the following lines if they are not already present in the file:
<category name="XELLERATE">
<priority value="log_level"/>
</category>
<category name="XL_INTG.ACTIVEDIRECTORY">
<priority value="log_level"/>
</category>
In the second XML code line of each set, replace log_level with the log level that you want to set. For example:
<category name="XELLERATE"> <priority value="INFO"/> </category>
<category name="XL_INTG.ACTIVEDIRECTORY"> <priority value="INFO"/> </category>
After you enable logging, the log information is written to the following file:
JBoss_home/server/default/log/server.log
OC4J
To enable logging:
Add the following lines in the OIM_home/xellerate/config/log.properties file:
log4j.logger.XELLERATE=log_level log4j.logger.XL_INTG.ACTIVEDIRECTORY=log_level
In these lines, replace log_level with the log level that you want to set.
For example:
log4j.logger.XELLERATE=INFO log4j.logger.XL_INTG.ACTIVEDIRECTORY=INFO
After you enable logging, the log information is written to the following file:
OC4J_home/opmn/logs/default_group~home~default_group~1.log
As mentioned in the "Files and Directories on the Installation Media" section, the connector XML files contains definitions of the components of the connector. By importing the connector XML files, you create these components in Oracle Identity Manager.
To import the connector XML files into Oracle Identity Manager:
Open the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management. A dialog box for opening files is displayed.
Locate and open the xliADResourceObject.xml file, which is in the OIM_home/xellerate/XLIntegrations/ActiveDirectory/xml directory. Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Next. The Provide IT Resource Instance Data page for the ADITResource IT resource is displayed.
Specify values for the parameters of the ADITResource IT resource. See the "Defining IT Resources" section for information about the values to be specified.
Click Next. The Provide IT Resource Instance Data page for a new instance of the AD Server IT resource type is displayed.
Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.
See Also:
If you want to define another IT resource, then refer to Oracle Identity Manager Tools Reference Guide for instructions.
Click View Selections.
The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. These nodes represent Oracle Identity Manager entities that are redundant. Before you import the connector XML file, you must remove these entities by right-clicking each node and then selecting Remove.
Click Import. The connector file is imported into Oracle Identity Manager.
After you import the connector XML file, proceed to the "Configuring SSL" section.
The following table provides values for the parameters of the ADITResource IT resource.
| Parameter | Description |
|---|---|
|
|
Fully qualified domain name corresponding to the administrator Format 1: Sample value 1: Format 2: Sample value 2: |
|
|
Password of the administrator account that is used to create the OU/user |
|
|
This is the fully qualified domain name of the parent or root organization. For example, the root suffix. Format: Sample value: |
|
|
Host name or IP address of the target Microsoft Windows 2003 computer on which Microsoft Active Directory is installed Sample value: |
|
|
Date and time at which the last AD User reconciliation run was completed The reconciliation engine automatically fills a value in this attribute each time it runs the AD User reconciliation. Default value: |
|
|
Date and time at which the last AD Group reconciliation run was completed The reconciliation engine automatically fills a value in this attribute each time it runs AD Group reconciliation. Default value: |
|
|
Date and time at which the last AD User trusted source reconciliation run was completed The reconciliation engine automatically fills a value in this attribute each time it runs the AD User reconciliation. Default value: |
|
|
Specifies whether or not to use SSL to secure communication between Oracle Identity Manager and Microsoft Active Directory Default value: See Also: The Known Issues list in Chapter 5 for information about a limitation arising from setting this parameter to Note: It is recommended that you enable SSL to secure communication with the target system. |
|
|
Port at which SSL is running on the Microsoft Active Directory server Default value: |
|
|
Attribute map name for the Microsoft Active Directory user Default value: |
|
|
Attribute map name for the Microsoft Active Directory group Default value: |
|
|
Country code Default value: Note: You must specify the value in uppercase. |
|
|
Language code Default value: Note: You must specify the value in lowercase. |
|
|
Specify the name of the lookup table that lists the nonmandatory user attributes defined in Microsoft Active Directory. This attribute is used in conjunction with the Note: Nonmandatory attributes of Microsoft Active Directory can accept Refer to Oracle Identity Manager Design Console Guide for information about creating the lookup definition. |
|
|
Specifies whether or not nonmandatory attributes defined in Microsoft Active Directory must be set to Note: You can use this parameter only if you specify a value for the |
|
|
If you are going to install and use the Microsoft Active Directory Password Synchronization module, then specify |
|
|
Specify the name of the user-defined field that you create in Oracle Identity Manager. You must specify a value for this parameter only if you specify Note: You must specify the column name and not the field label that you enter while adding the custom attribute in Oracle Identity Manager. For example, if you enter the label |
|
|
Specify whether you want the
|
|
|
This parameter holds the name of the lookup definition in which the names of group fields are stored during group lookup synchronization. Value: This value is the same as that of the Note: You must not change the value of this parameter. |
|
|
Specify the time zone of the target system. For example: During a provisioning operation, the connector uses this time zone information to convert date-time values entered on the process form to date-time values relative to the time zone of the target system. Default value: |
After you specify values for these IT resource parameters, proceed to Step 9 of the procedure to import connector XML files.
Note:
Although this is an optional step of the deployment procedure, it is recommended that you configure SSL communication between Microsoft Active Directory and Oracle Identity Manager.
To configure SSL connectivity between Oracle Identity Manager and the target Microsoft Active Directory server, you must perform the following tasks:
The connector requires Certificate Services to be running on the host computer. To install Certificate Services:
Insert the operating system installation media into the CD-ROM or DVD drive.
Click Start, Settings, and Control Panel.
Double-click Add/Remove Programs.
Click Add/Remove Windows Components.
Select Certificate Services.
Follow the instructions to start Certificate Services.
The target Microsoft Active Directory server must have LDAP over SSL (LDAPS) enabled. To enable LDAPS, generate a certificate as follows:
Note:
Use the Enterprise CA option when you perform the following steps.
On the Active Directory Users and Computers console, right-click the domain node, and select Properties.
Click the Group Policy tab.
Select Default Domain Policy.
Click Edit.
Click Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.
Right-click Automatic Certificate Request Settings, and then select New and Automatic Certificate Request. A wizard is started.
Use the wizard to add a policy with the Domain Controller template.
At the end of this procedure, the certificate is created and LDAP is enabled using SSL on port 636.
If the Microsoft Active Directory certificate is not issued or certified by a certification authority (CA), then set it up as a trusted certificate. To do this, you first export the certificate and then import it into the keystore of the Oracle Identity Manager server as a trusted CA certificate.
To export the Microsoft Active Directory certificate:
Click Start, Programs, Administrative Tools, and Certification Authority.
Right-click the Certification Authority that you create, and then select Properties.
On the General tab, click View Certificate.
On the Details tab, click Copy To File.
Use the wizard to create a certificate (.cer) file using base-64 encoding.
To import the Microsoft Active Directory certificate into the certificate store of the Oracle Identity Manager server:
Note:
In a clustered environment, you must perform this procedure on all the nodes of the cluster.
Copy the certificate to the Oracle Identity Manager server.
If you use IBM WebSphere, then you must also copy the following files:
For a nonclustered configuration of IBM WebSphere:
Copy the jsse.jar file into the WS_home/java/jre/lib/ext directory.
For a clustered configuration of IBM WebSphere:
Copy the jnet.jar, jsse.jar, and jcert.jar files into the WS_home/java/jre/lib/ext directory.
You can download these JAR files from the Sun Web site at
Change to the directory where you copy the certificate file, and then enter a command similar to the following:
keytool -import -alias alias -file cer_file -keystore my_cacerts -storepass password
In this command:
alias is the alias for the certificate (for example, the server name)
cer_file is the full path and name of the certificate (.cer) file
my_cacerts is the full path and name of the certificate store (the default is cacerts)
The path of the certificate store depends on the application server as shown in the following table.
| Application Server | Certificate Store Location |
|---|---|
|
JBoss Application Server |
JBoss_home/jre/lib/security/cacerts
|
|
Oracle WebLogic Server |
BEA_home/java/jre/lib/security/cacerts
|
|
IBM WebSphere |
For a nonclustered configuration of IBM WebSphere, you must import the files into the following certificate stores:
WS_home/java/jre/lib/security/cacerts
For a clustered configuration of IBM WebSphere, you must import the files into the following certificate stores on each node of the cluster: WS_home/java/jre/lib/security/cacerts WS_home/etc/DummyServerTrustFile.jks |
|
Oracle Application Server |
ORACLE_HOME/jdk/jre/lib/security/cacerts
|
password is the keystore password (the default is changeit)
For example:
keytool -import -alias thorADCert -file c:\thor\ActiveDir.cer -keystore C:\mydir\java\jre\lib\security\cacerts -storepass changeit
Note:
changeit is the default password for the cacerts file stored in the Sun JVM. This may change depending on the JVM that you are using.
In the command prompt window, when you are prompted to specify whether or not you want to trust this certificate, enter YES.
To confirm whether or not the certificate has been imported successfully, enter a command similar to the following:
keytool -list -alias alias -keystore mycacerts -storepass password
In the example given in Step 2, to confirm that the certificate has been successfully imported, use the following command and look for the certificate name, thorADCert, that you provide while importing the certificate into the keystore:
keytool -list -alias thorADCert -keystore C:\mydir\java\jre\lib\security\cacerts -storepass changeit
Perform this step only if you are registering the certificate file in a new certificate store.
Add the following line in the jre\lib\security\java.security file:
security.provider.N=com.sun.net.ssl.internal.ssl.Provider
In this line, N is any number that is not used in the file.
Restart the application server.
Note:
The user password cannot be set unless 128-bit SSL is used. In addition, the computer on which Microsoft Active Directory is installed must have Microsoft Windows 2003 running on it.