The LDAP Gateway acts as the intermediary between Oracle Identity Manager and the connector components on the mainframe. The following sections of this chapter describe the procedure to deploy some components of the connector, including the LDAP Gateway, on the Oracle Identity Manager host computer:
Note:
The procedure to deploy the mainframe components of the connector is described in the next chapter.
Section 2.1, "Files and Directories that Comprise the Connector"
Section 2.2, "Determining the Release Number of the Connector"
Section 2.8, "Configuring Oracle Identity Manager for Request-Based Provisioning"
Table 2-1 lists the contents of the connector installation media.
Table 2-1 Files and Directories That Comprise the Connector
File or Directory on the Installation Media | Description |
---|---|
configuration/AS400Adv.xml | This XML file contains configuration information that is used during connector installation. |
DataSets/ProvisionResource_OIMAS400ResourceObject.xml, DataSets/ModifyResource_OIMAS400ResourceObject.xml | These XML files specify the information to be submitted by the requester during a request-based provisioning operation. Section 2.8, "Configuring Oracle Identity Manager for Request-Based Provisioning" provides more information. |
etc/LDAP Gateway/ldapgateway.zip | This ZIP file contains the files required to deploy the LDAP Gateway. |
etc/Provisioning and Reconciliation Connector/OIMIDFEX.SAVF | This ZIP file contains the files required to deploy the Reconciliation Agent on the mainframe. Section 3.1, "Deploying the Reconciliation Agent" describes the files bundled in this ZIP file. |
lib/as400-adv-provisioning.jar (for Oracle Identity Manager release 11.1.1: lib-11G/as400-adv-provisioning.jar) | This JAR file contains the files required for reconciliation and provisioning. During connector installation, this file is copied to the following location: |
Files in the resources directory | Each of these resource bundles contains locale-specific information that is used by the connector. During connector installation, these files are copied to the following location: Note: A resource bundle is a file containing localized versions of text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages. |
For Oracle Identity Manager release 9.1.0.x: scripts/propertyEncrypt.bat and scripts/propertyEncrypt.sh; for Oracle Identity Manager release 11.1.1: scripts-11G/propertyEncrypt.bat and scripts-11G/propertyEncrypt. | You use this script to encrypt passwords that you enter in the as400Connection.properties and beans.xml files. Section 2.9, "Installing and Configuring the LDAP Gateway" provides more information. |
xml/oimAs400AdvConnector.xml | This XML file contains definitions of the connector components, such as the IT resource and resource object. These objects are created in Oracle Identity Manager when you import the XML file. Copy this XML file into the following directory: OIM_HOME/XLIntegrations/as400/xml/ |
xml/AS400TrustedXellerateUser.xml | This XML file contains definitions of the connector components that are used for trusted source reconciliation. Copy this XML file into the following directory: OIM_HOME/XLIntegrations/as400/xml/ |
Note:
If you are using Oracle Identity Manager release 9.1.0.x, then the procedure described in this section is optional.
If you are using Oracle Identity Manager release 11.1.1, then skip this section.
You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:
In a temporary directory, extract the contents of the connector JAR file that is in the OIM_HOME/xellerate/JavaTasks directory.
Open the Manifest.mf file in a text editor. The Manifest.mf file is one of the files bundled inside the connector JAR file.
In the Manifest.mf file, the release number of the connector is displayed as the value of the Version property.
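The same check done programmatically, as an added Python example that is not part of the Oracle guide: the script opens the connector JAR, reads its manifest (handling the continuation lines the JAR format allows) and returns the Version attribute. The JAR it builds for the demonstration is constructed here with a made-up version string; against a real deployment you would point it at the JAR in OIM_HOME/xellerate/JavaTasks.

```python
import os
import tempfile
import zipfile


def parse_manifest(text):
    """Parse the main section of a JAR manifest into a dict.

    A line starting with a space continues the previous attribute value and
    the first blank line ends the main section (JAR file specification).
    """
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if raw.strip() == "":
            break
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def connector_release(jar_path):
    """Return the Version attribute of the JAR's manifest, or None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        # Match the manifest name case-insensitively: the guide calls it
        # Manifest.mf, while a JAR stores it as META-INF/MANIFEST.MF.
        names = [n for n in jar.namelist() if n.lower().endswith("manifest.mf")]
        if not names:
            return None
        text = jar.read(names[0]).decode("utf-8", errors="replace")
    return parse_manifest(text).get("Version")


def build_sample_jar(jar_path, version):
    """Write a constructed JAR (not a real connector build) carrying a Version attribute."""
    manifest = ("Manifest-Version: 1.0\r\n"
                "Version: " + version + "\r\n"
                "Created-By: constructed sample\r\n"
                "\r\n")
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)


def demo_release_check():
    """Build the constructed JAR in a temporary directory and read its release back."""
    with tempfile.TemporaryDirectory() as tmp:
        jar_path = os.path.join(tmp, "as400-adv-provisioning.jar")
        build_sample_jar(jar_path, "9.9.9")  # constructed version string
        return connector_release(jar_path)


if __name__ == "__main__":
    import sys
    # Usage: python check_release.py OIM_HOME/xellerate/JavaTasks/<connector JAR>
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(connector_release(target) if target else demo_release_check())
```

Reading the manifest through the zip API avoids extracting the JAR into a temporary directory by hand, and the continuation-line handling matters because manifest writers wrap long values at 72 bytes.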
Prior to running the Connector Installer, you will need to delete the script and lib directories that do not pertain to your Oracle Identity Manager release version. If running Oracle Identity Manager release 9.1.x:
Delete the "scripts-11G" directory from the connector package.
Delete the "lib-11G" directory from the connector package.
If running Oracle Identity Manager release 11.1.1:
Delete the "scripts" directory from the connector package.
Delete the "lib" directory from the connector package.
Rename the "scripts-11G" directory to "scripts".
Rename the "lib-11G" directory to "lib".
To run the Connector Installer:
Copy the contents of the connector installation media directory into the following directory:
Note:
In an Oracle Identity Manager cluster, copy this JAR file to each node of the cluster.
For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/ConnectorDefaultDirectory
For Oracle Identity Manager release 11.1.1: OIM_HOME/server/ConnectorDefaultDirectory
If you are using Oracle Identity Manager release 9.1.0.x, then delete the files that are meant for Oracle Identity Manager release 11.1.1. Similarly, if you are using Oracle Identity Manager release 11.1.1, then delete the files that are meant for Oracle Identity Manager release 9.1.0.x. See Table 2-1 for information about files that are created for each Oracle Identity Manager release.
Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of the following guide:
For Oracle Identity Manager release 9.1.0.x:
Oracle Identity Manager Administrative and User Console Guide
For Oracle Identity Manager release 11.1.1:
Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
For Oracle Identity Manager release 9.1.0.x:
Click Deployment Management, and then click Install Connector.
For Oracle Identity Manager release 11.1.1:
On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Install Connector.
From the Connector List list, select IBM AS/400 Advanced RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copied into the default connector installation directory in Step 1.
If you have copied the installation files into a different directory, then:
In the Alternative Directory field, enter the full path and name of that directory.
To repopulate the list of connectors in the Connector List list, click Refresh.
From the Connector List list, select IBM AS/400 Advanced RELEASE_NUMBER.
Click Load.
To start the installation process, click Continue.
The following tasks are performed in sequence:
Configuration of connector libraries
Import of the connector Target Resource user configuration XML file (by using the Deployment Manager). If you want to import the target system as a trusted source for reconciliation, then see Section 2.7, "Configuring Trusted Source Reconciliation."
Compilation of adapters
On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:
Retry the installation by clicking Retry.
Cancel the installation and begin again from Step 1.
If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:
Ensuring that the prerequisites for using the connector are addressed.
Note:
At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Section 2.6.1, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for information about running the PurgeCache utility.
There are no prerequisites for some predefined connectors.
Configuring the IT resource for the connector.
Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is described later in this guide.
Configuring the scheduled task that is created when you install the connector.
Note:
In Oracle Identity Manager release 11.1.1, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1.
See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.
Record the name of the scheduled task that is displayed on this page. The procedure to configure this scheduled task is described later in this guide.
When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-1.
Installing the Connector in an Oracle Identity Manager Cluster
While installing Oracle Identity Manager in a cluster, you must copy all the JAR files and the contents of the connectorResources directory into the corresponding directories on each node of the cluster. See Section 2.1, "Files and Directories that Comprise the Connector" for information about the files that you must copy and their destination locations on the Oracle Identity Manager host computer.
You must specify values for the parameters of the As400Resource IT resource as follows:
Log in to the Administrative and User Console.
If you are using Oracle Identity Manager release 9.1.0.x, expand Resource Management, and then click Manage IT Resource.
If you are using Oracle Identity Manager release 11.1.1, then:
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter As400Resource and then click Search.
Click the edit icon for the IT resource.
From the list at the top of the page, select Details and Parameters.
Specify values for the parameters of the IT resource. Table 2-2 describes each parameter.
Table 2-2 IT Resource Parameters
Parameter | Description |
---|---|
AtMap User | This parameter holds the name of the lookup definition containing attribute mappings that are used for provisioning. Value: Note: You must not change the value of this parameter. |
idfPrincipalDn | Set a user ID for an account that the connector will use to connect to the LDAP Gateway. Format: Sample value: You also set this user ID in the beans.xml file inside the idfserver.jar file. See Step 7 in Section 2.9, "Installing and Configuring the LDAP Gateway." |
idfPrincipalPwd | Set a password for the account that the connector will use to connect to the LDAP Gateway. You also set this password in the files listed in the description of the idfPrincipalDn parameter. Note: Do not enter an encrypted value. |
idfRootContext | This parameter holds the root context for IBM AS/400. Value: Note: You must not change the value of this parameter. |
idfServerHost | This parameter holds the host name of the computer on which you install the LDAP Gateway. For this release of the connector, you install the LDAP Gateway on the Oracle Identity Manager host computer. Value: Note: You must not change the value of this parameter. |
idfServerPort | Enter the number of the port for connecting to the LDAP Gateway. Sample value: You also set this port number in the beans.xml file inside the idfserver.jar file. See Step 7 in Section 2.9, "Installing and Configuring the LDAP Gateway." |
Last Modified Time Stamp | The most recent start time of the reconciliation scheduled task is stored in this parameter. See Section 4.1, "Configuring Reconciliation" for more information about this scheduled task. The format of the value stored in this parameter is as follows: In this format: Sample value: The default value is Note: When required, you can manually enter a time-stamp value in the specified format. |
idfSSL | This parameter determines whether the LDAP Gateway will use SSL to connect to the target system. Enter true if using SSL. Otherwise, enter false. Sample value: |
idfTrustStore | This parameter holds the directory location of the trust store containing the SSL certificate. This parameter is optional, and should only be entered when using SSL authentication. Sample value: |
idfTrustStorePassword | This parameter holds the password for the SSL trust store. This parameter is optional, and should only be entered when using SSL authentication. |
idfTrustStoreType | This parameter holds the trust store type for the SSL trust store. This parameter is optional, and should only be entered when using SSL authentication. Sample value: |
To save the values, click Update.
Configuring Oracle Identity Manager involves the following procedures:
Note:
In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster.
Note:
In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster. Then, restart each node.
When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the OIM_HOME/xellerate/connectorResources directory for Oracle Identity Manager release 9.1.0.x, and into the Oracle Identity Manager database for Oracle Identity Manager release 11.1.1. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
In a command window, perform one of the following steps:
If you are using Oracle Identity Manager release 9.1.0.x, then switch to the OIM_HOME/xellerate/bin directory.
If you are using Oracle Identity Manager release 11.1.1, then switch to the OIM_HOME/server/bin directory.
Note:
You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:
For Oracle Identity Manager release 9.1.0.x:
OIM_HOME/xellerate/bin/SCRIPT_FILE_NAME
For Oracle Identity Manager release 11.1.1:
OIM_HOME/server/bin/SCRIPT_FILE_NAME
Enter one of the following commands:
Note:
You can use the PurgeCache utility to purge the cache for any content category. Run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the content category that must be purged.
For example, the following commands purge Metadata entries from the server cache:
PurgeCache.bat MetaData
PurgeCache.sh MetaData
For Oracle Identity Manager release 9.1.0.x:
On Microsoft Windows: PurgeCache.bat ConnectorResourceBundle
On UNIX: PurgeCache.sh ConnectorResourceBundle
Note:
You can ignore the exception that is thrown when you perform Step 2. This exception is different from the one mentioned in Step 1.
In this command, ConnectorResourceBundle is one of the content categories that you can delete from the server cache. See the following file for information about the other content categories:
OIM_HOME/xellerate/config/xlconfig.xml
For Oracle Identity Manager release 11.1.1:
On Microsoft Windows: PurgeCache.bat All
On UNIX: PurgeCache.sh All
When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:
t3://OIM_HOST_NAME:OIM_PORT_NUMBER
In this format:
Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.
Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.
See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.
When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
ALL
This level enables logging for all events.
DEBUG
This level enables logging of information about fine-grained events that are useful for debugging.
INFO
This level enables logging of messages that highlight the progress of the application at a coarse-grained level.
WARN
This level enables logging of information about potentially harmful situations.
ERROR
This level enables logging of information about error events that may allow the application to continue running.
FATAL
This level enables logging of information about very severe error events that could cause the application to stop functioning.
OFF
This level disables logging for all events.
The file in which you set the log level and the log file path depend on the application server that you use:
IBM WebSphere Application Server
To enable logging:
In the OIM_HOME/xellerate/config/log.properties file, add the following line:
log4j.logger.COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER=LOG_LEVEL
In this line, replace LOG_LEVEL with the log level that you want to set. For example:
log4j.logger.COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER=INFO
After you enable logging, log information is written to the following file:
WEBSPHERE_HOME/AppServer/logs/SERVER_NAME/startServer.log
JBoss Application Server
To enable logging:
In the JBOSS_HOME/server/default/conf/log4j.xml file, locate or add the following lines:
<category name="COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER">
<priority value="LOG_LEVEL"/>
</category>
In the second XML line, replace LOG_LEVEL with the log level that you want to set. For example:
<category name="COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER"> <priority value="INFO"/> </category>
After you enable logging, log information is written to the following file:
JBOSS_HOME/server/default/log/server.log
Oracle Application Server
To enable logging:
In the OIM_HOME/config/log.properties file, add the following line:
log4j.logger.COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER=LOG_LEVEL
In this line, replace LOG_LEVEL with the log level that you want to set. For example:
log4j.logger.COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER=INFO
After you enable logging, log information is written to the following file:
OAS_HOME/opmn/logs/default_group~home~default_group~1.log
Oracle WebLogic Server
To enable logging:
In the OIM_HOME/config/log.properties file, add the following line:
log4j.logger.COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER=LOG_LEVEL
In this line, replace LOG_LEVEL with the log level that you want to set. For example:
log4j.logger.COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER=INFO
After you enable logging, log information is displayed on the server console.
This connector uses the log4j JAR file that you copy into the OIM_DC_HOME/xlclient/ext directory while installing the Oracle Identity Manager Design Console. If this JAR file is not present in the OIM_DC_HOME/xlclient/ext directory, then:
Locate the log4j JAR file in the directory in which you install the application server on which Oracle Identity Manager is running.
Copy log4j JAR file into the OIM_DC_HOME/xlclient/ext directory.
Restart the application server.
Note:
This section describes an optional procedure. Perform this procedure only if you want to configure IBM AS/400 as a trusted source for identity data. By performing this procedure, you enable trusted source reconciliation for both full reconciliation runs and incremental reconciliation.
The XML file for trusted source reconciliation, AS400TrustedXellerateUser.xml, contains definitions of the connector components that are used for trusted source reconciliation. To import this XML file:
Open the Oracle Identity Manager Administrative and User Console.
If you are using Oracle Identity Manager release 9.1.0.x, then:
Click the Deployment Management link on the left navigation pane.
Click the Import link under Deployment Management. A dialog box for opening files is displayed.
If you are using Oracle Identity Manager release 11.1.1, then:
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Import Deployment Manager File. A dialog box for opening files is displayed.
Locate and open the AS400TrustedXellerateUser.xml file from the xml directory on the installation media. Details of this XML file are shown on the File Preview page.
Click Add File. The Substitutions page is displayed.
Click Next. The Confirmation page is displayed.
Click Import.
In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.
Note:
Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.1 and you want to configure request-based provisioning.
In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource can be viewed and approved by approvers designated in Oracle Identity Manager.
The following are features of request-based provisioning:
A user can be provisioned only one resource (account) on the target system.
Note:
Direct provisioning allows the provisioning of multiple target system accounts on the target system.
Direct provisioning cannot be used if you enable request-based provisioning.
To configure request-based provisioning, perform the following procedures:
A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. Predefined request datasets are shipped with this connector. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation. The following predefined request datasets are available in the DataSets directory on the installation media:
ProvisionResource_OIMAS400ResourceObject.xml
ModifyResource_OIMAS400ResourceObject.xml
Copy these files from the installation media to any directory on the Oracle Identity Manager host computer. It is recommended that you create a directory structure as follows:
/custom/connector/RESOURCE_NAME
For example:
E:\MyDatasets\custom\connector\as400Adv
Note:
Until you complete the procedure to configure request-based provisioning, ensure that there are no other files or directories inside the parent directory in which you create the directory structure. In the preceding example, ensure that there are no other files or directories inside the E:\MyDatasets directory.
The directory structure to which you copy the dataset files is the MDS location into which these files are imported after you run the Oracle Identity Manager MDS Import utility. The procedure to import dataset files is described in the next section.
Depending on your requirement, you can modify the file names of the request datasets. In addition, you can modify the information in the request datasets. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information on modifying request datasets.
All request datasets must be imported into the metadata store (MDS), which can be done by using the Oracle Identity Manager MDS Import utility.
To import a request dataset definition into the MDS:
Ensure that you have set the environment for running the MDS Import utility. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about setting up the environment for MDS utilities.
Note:
While setting up the properties in the weblogic.properties file, ensure that the value of the metadata_from_loc property is the parent directory of the /custom/connector/RESOURCE_NAME directory. For example, while performing the procedure in Section 2.8.1, "Copying Predefined Request Datasets," if you copy the files to the E:\MyDatasets\custom\connector\as400Adv directory, then set the value of the metadata_from_loc property to E:\MyDatasets.
In a command window, change to the OIM_HOME\server\bin directory.
Run one of the following commands:
On Microsoft Windows
weblogicImportMetadata.bat
On UNIX
weblogicImportMetadata.sh
When prompted, enter the following values:
Please enter your username [weblogic]
Enter the username used to log in to the WebLogic server
Sample value: WL_User
Please enter your password [weblogic]
Enter the password used to log in to the WebLogic server.
Please enter your server URL [t3://localhost:7001]
Enter the URL of the application server in the following format:
t3://HOST_NAME_IP_ADDRESS:PORT
In this format, replace:
HOST_NAME_IP_ADDRESS with the host name or IP address of the computer on which Oracle Identity Manager is installed.
PORT with the port on which Oracle Identity Manager is listening.
The request dataset is imported into MDS at the following location:
/custom/connector/RESOURCE_NAME
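Because the MDS Import utility imports everything below metadata_from_loc, the staging directory described in Section 2.8.1 and the note above must contain nothing but custom/connector/RESOURCE_NAME and the dataset files. The following added Python example (not part of the Oracle guide or the connector) checks a staging tree before you run weblogicImportMetadata: it derives the metadata_from_loc value, lists the dataset XML files it finds, and reports stray files or directories that would otherwise be imported too. The demonstration builds its own constructed trees in temporary directories; the resource name as400Adv is the one from the guide's example.

```python
import os
import tempfile

# File names of the predefined datasets listed in the guide.
PREDEFINED_DATASETS = ("ProvisionResource_OIMAS400ResourceObject.xml",
                       "ModifyResource_OIMAS400ResourceObject.xml")


def check_dataset_staging(parent_dir, resource_name):
    """Validate a dataset staging tree for the MDS Import utility.

    Returns a dict with the value to use for metadata_from_loc, the dataset
    files found under custom/connector/RESOURCE_NAME, and a list of problems:
    a missing directory, no dataset XML, or stray entries under the parent
    directory that the import would also pick up.
    """
    parent_dir = os.path.normpath(os.path.abspath(parent_dir))
    expected = os.path.join(parent_dir, "custom", "connector", resource_name)
    # The only directories that may exist under metadata_from_loc.
    allowed = {parent_dir,
               os.path.join(parent_dir, "custom"),
               os.path.join(parent_dir, "custom", "connector"),
               expected}
    result = {"metadata_from_loc": parent_dir, "dataset_files": [], "problems": []}
    if not os.path.isdir(expected):
        result["problems"].append("missing directory: " + expected)
        return result
    for root, dirs, files in os.walk(parent_dir):
        if root not in allowed:
            result["problems"].append("unexpected directory: " + root)
            dirs[:] = []  # report the stray subtree once, do not descend into it
            continue
        if root != expected:
            for name in files:
                result["problems"].append("unexpected file: " + os.path.join(root, name))
    result["dataset_files"] = sorted(
        n for n in os.listdir(expected) if n.lower().endswith(".xml"))
    if not result["dataset_files"]:
        result["problems"].append("no request dataset XML files in " + expected)
    return result


def demo_staging_checks():
    """Build a clean and a dirty staging tree (both constructed) and check each.

    Returns the two result dicts, clean first.
    """
    results = []
    for add_stray in (False, True):
        with tempfile.TemporaryDirectory() as tmp:
            target = os.path.join(tmp, "custom", "connector", "as400Adv")
            os.makedirs(target)
            for name in PREDEFINED_DATASETS:
                with open(os.path.join(target, name), "w") as fh:
                    fh.write("<request-data-set/>\n")  # placeholder content only
            if add_stray:
                with open(os.path.join(tmp, "notes.txt"), "w") as fh:
                    fh.write("stray file that must not be imported\n")
            results.append(check_dataset_staging(tmp, "as400Adv"))
    return results


if __name__ == "__main__":
    for outcome in demo_staging_checks():
        print(outcome)
```

Run it against the real parent directory (for example E:\MyDatasets) before setting metadata_from_loc; an empty problems list means the import will pick up exactly the dataset files and nothing else.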
To enable the Auto Save Form feature:
Log in to the Design Console.
Expand Process Management, and then double-click Process Definition.
Search for and open the OIMAS400AdvProvisioningProcess process definition.
Select the Auto Save Form check box.
Click the Save icon.
Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Section 2.6.1, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for instructions.
The procedure to configure request-based provisioning ends with this step.
The IT resource contains connection information for Oracle Identity Manager to connect to the LDAP Gateway. The as400.properties file is one of the components of the gateway. This file contains information used by the gateway to connect to the mainframe. Configuring the gateway involves setting values in the as400.properties file and the other files that are used by the gateway.
To install and configure the LDAP Gateway:
Extract the contents of the ldapgateway.zip file to a directory on the computer on which Oracle Identity Manager is installed. This ZIP file is in the etc/LDAP Gateway directory on the installation media.
Note:
In this document, the full path (and name) of the ldapgateway directory on the Oracle Identity Manager host computer is referred to as LDAP_INSTALL_DIR.
Download JTOpen from the IBM Web site at
Extract the contents of the jtopen_ver.zip file.
Copy the jt400.jar and uti400.jar files from the JTOPEN_INSTALL_DIR/jtopen/lib directory to the LDAP_INSTALL_DIR/lib directory.
Note:
The directory in which you install JTOpen is referred to as JTOPEN_INSTALL_DIR.
You must also configure the LDAP Gateway to use JTOpen as the message transport layer. This is covered in Section 2.9, "Installing and Configuring the LDAP Gateway."
Open the LDAP_INSTALL_DIR/conf/as400.properties file in a text editor, and specify values for the properties described in Table 2-3.
Table 2-3 LDAP Gateway Properties in the as400.properties File
Property | Description | Sample Value |
---|---|---|
_host_ | Set the host name or IP address of the IBM AS/400 host computer as the value of this property. | |
_adminId_ | User ID of a target system administrator with SystemAdministrators privileges | |
_adminPwd_ or _adminPwdEncrypt_ | Password of the target system administrator with SystemAdministrators privileges. If you do not encrypt the password, then use the _adminPwd_ property to enter the password. If you encrypt the password, then use the _adminPwdEncrypt_ property. See Step 7 of Section 2.9, "Installing and Configuring the LDAP Gateway" for information about using the propertyEncrypt script to encrypt passwords. | |
_agentHost_ | Target system IP address for the Reconciliation Agent host computer. In most cases, this is the same as the value of the _host_ property. | |
_agentAdminId_ | Target system Reconciliation Agent administrator ID. In most cases, this is the same as the value of the _adminId_ property. | |
_agentAdminPwd_ or _agentAdminPwdEncrypt_ | Target system Reconciliation Agent administrator password. If you do not encrypt the password, then use the _agentAdminPwd_ property to enter the password. If you encrypt the password, then use the _agentAdminPwdEncrypt_ property. See Step 7 of Section 2.9, "Installing and Configuring the LDAP Gateway" for information about using the propertyEncrypt script to encrypt passwords. In most cases, the password that you enter is the same as the value of the _adminPwd_ or _adminPwdEncrypt_ property. | |
_agentLib_ | Target system library in which the Reconciliation Agent files are located | |
_agentFile_ | Reconciliation Agent file on the target system | |
_agentMember_ | Reconciliation Agent user with privileges to access the file specified as the value of the _agentFile_ property | |
_agentport_ | Target system port allocated to the Reconciliation Agent | |
_ignoreUsers_ | Enter a pipe-separated list of user IDs to ignore when retrieving user profiles from the target system. | |
_ignoreGroups_ | Enter a pipe-separated list of group IDs to ignore when retrieving group profiles from the target system. | |
_isSSL_ | Enter one of the following as the value of this property: | |
defaultDelete | Enter one of the following as the value of this property: | |
_internalEnt_ | Enter one of the following as the value of this property: | |
Save and close the as400.properties file.
From the LDAP_INSTALL_DIR/dist/idfserver.jar file, extract the beans.xml file, open it in an editor, and set values for the following:
LDAP Gateway user credentials
Use the beans.xml file to store the credentials of the account used by Oracle Identity Manager to connect to the LDAP Gateway. You also enter these credentials as parameters of the IT resource. During provisioning and reconciliation, the credentials passed through the IT resource are authenticated against the credentials stored in the beans.xml file. The LDAP Gateway exchanges data with the connector only after this authentication succeeds.
You enter the credentials of the LDAP Gateway user in the following lines of the beans.xml file:
<property name="adminUserDN" value="cn=idfAs400Admin,dc=as400,dc=com"/> <property name="adminUserPassword" value="idfAs400Pwd"/>
In the first line, replace cn=idfAs400Admin,dc=as400,dc=com with the value that you enter for the idfPrincipalDn parameter of the IT resource. In the second line, replace idfAs400Pwd with the value that you enter for the idfPrincipalPwd parameter of the IT resource. Table 2-2, "IT Resource Parameters" describes both parameters. If you want to encrypt the password before you enter it in the beans.xml file, then:
Note:
It is optional to encrypt the password that you set in the beans.xml file. However, it is recommended that you encrypt the password for security reasons.
You must enter the unencrypted password as the value of the idfPrincipalPwd IT resource parameter. This is regardless of whether you enter the encrypted password in the beans.xml file.
In a text editor, copy one of the following script files from the installation media into a temporary directory and then open the script file in a text editor:
For Microsoft Windows:
/scripts/propertyEncrypt.bat
For UNIX:
/scripts/propertyEncrypt.sh
Specify values for the following properties in the file:
SET CLASSPATH=DIRECTORY_LOCATION\idfserver.jar
Replace DIRECTORY_LOCATION with the full path of the directory into which you copied the idfserver.jar file while deploying the connector.
For example:
SET CLASSPATH=C:\software\ldapgateway\dist\idfserver.jar
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil PLAINTEXT_PASSWORD
Replace PLAINTEXT_PASSWORD with the password that you want to encrypt.
For example:
%JAVACMD% %JVM_OPTS% -cp %CLASSPATH% com.identityforge.idfserver.util.AESCipherUtil idfAS400Pwd
Save the changes made to the propertyEncrypt script.
Run the script.
The script encrypts the password that you provide and displays it in the command window.
In the beans.xml file, search for the following string:
<property name="adminUserPassword"
Replace the value of this property with the encrypted password.
For example:
<property name="adminUserPassword" value="468018DD1CDBE82E515EBF78A41C428E"/>
Port used for communication between the LDAP Gateway and the mainframe LPAR on which you install the connector mainframe component
Note:
The procedure to install the mainframe component of the connector is described in the next chapter.
As shown in the following line, the default value of the port property in the beans.xml file is 5389. You can change this default value to any port of your choice.
<property name="port" value="5389"/>
Configuration for provisioning and initial reconciliation
If you want the connector to perform provisioning and initial reconciliation but not incremental (that is, real-time) reconciliation, then change the value of the following property from true to false:
<property name="agent" value="true"/>
Leave the value of the agent property as true if you want the connector to perform incremental reconciliation.
To enable logging for the LDAP Gateway:
Copy the log4j JAR file from the application server directory in which it is placed to the LDAP_INSTALL_DIR/lib directory.
Extract the log4j.properties file from the LDAP_INSTALL_DIR/dist/idfserver.jar file.
Enter a log level as the value of the log4j.rootLogger variable. For example:
log4j.rootLogger=ERROR, A1
Save and close the file.
When you use the connector, the idfserver.log.0 log file is generated in the LDAP_INSTALL_DIR/logs directory. This is the main log file.
To configure SSL in the LDAP Gateway:
In the beans.xml file inside /ldapgateway/idfserver.jar, edit the following bean definition:
<bean id="sslChannelFactory" class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
  <constructor-arg><value>false</value></constructor-arg>
  <constructor-arg><value>./conf/idf.jks</value></constructor-arg>
  <constructor-arg><value>abc123</value></constructor-arg>
  <constructor-arg><value>false</value></constructor-arg>
</bean>
The first argument indicates we are not in client mode.
Note:
Do not change this argument.
The second argument is the path to the keystore. Either change this path to your keystore or add your certificate to this keystore.
The third argument is the keystore password that you used to generate your keystore.
The fourth argument is whether the keystore password is encrypted.
Add a listener that uses the sslChannelFactory bean. The port property is the only item that you can change in this listener:
<bean id="sslListener" class="com.identityforge.idfserver.nio.Listener">
  <constructor-arg><ref bean="bus"/></constructor-arg>
  <constructor-arg><ref bean="sslChannelFactory"/></constructor-arg>
  <property name="admin"><value>false</value></property>
  <property name="config"><value>./conf/listener.xml</value></property>
  <property name="port" value="7389"/>
  <property name="threadName" value="SSLLDAPListener"/>
</bean>
Add the listener to the server by uncommenting the sslListener reference in the following bean:
<bean id="server" class="com.identityforge.idfserver.Server">
  <property name="tasks">
    <list>
      <ref bean="bus"/>
      <ref bean="decoder"/>
      <ref bean="listener"/>
      <!-- <ref bean="sslListener"/> -->
      <ref bean="client"/>
      <ref bean="protocol"/>
      <ref bean="encoder"/>
      <ref bean="output"/>
    </list>
  </property>
  <property name="nexus" ref="nexus"/>
  <property name="logPath" value="../logs/idfserver.log"/>
</bean>
Save the changes made to the beans.xml file, and then re-create the idfserver.jar file.
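The following script is an added example, not part of the connector or its documentation: it audits a beans.xml file for the settings described above (adminUserDN against the IT resource's idfPrincipalDn, an encrypted adminUserPassword, a numeric port, a valid agent flag, and the sslChannelFactory arguments). The beans.xml fragment embedded in it is constructed for illustration, and the hex-string test for an encrypted password is an assumption based on the sample output shown earlier in this section.

```python
"""Audit the LDAP Gateway beans.xml settings covered in this section."""
import re
import xml.etree.ElementTree as ET

# Constructed sample; the real file is extracted from LDAP_INSTALL_DIR/dist/idfserver.jar.
SAMPLE_BEANS_XML = """<beans>
  <bean id="gateway">
    <property name="adminUserDN" value="cn=idfAs400Admin,dc=as400,dc=com"/>
    <property name="adminUserPassword" value="idfAs400Pwd"/>
    <property name="port" value="5389"/>
    <property name="agent" value="true"/>
  </bean>
  <bean id="sslChannelFactory"
        class="com.identityforge.idfserver.nio.ssl.SSLChannelFactory">
    <constructor-arg><value>false</value></constructor-arg>
    <constructor-arg><value>./conf/idf.jks</value></constructor-arg>
    <constructor-arg><value>abc123</value></constructor-arg>
    <constructor-arg><value>false</value></constructor-arg>
  </bean>
</beans>"""

# Assumption: propertyEncrypt output is upper-case hex, as in the documented example.
ENCRYPTED_RE = re.compile(r"^[0-9A-F]{32,}$")


def audit_beans(xml_text, expected_dn):
    """Return a list of findings; an empty list means the file passes."""
    root = ET.fromstring(xml_text)
    props = {p.get("name"): p.get("value") for p in root.iter("property")}
    findings = []
    if props.get("adminUserDN") != expected_dn:
        findings.append("adminUserDN does not match the idfPrincipalDn IT resource parameter")
    if not ENCRYPTED_RE.match(props.get("adminUserPassword") or ""):
        findings.append("adminUserPassword is stored in clear text; run propertyEncrypt")
    if not (props.get("port") or "").isdigit():
        findings.append("port is not numeric")
    if props.get("agent") not in ("true", "false"):
        findings.append("agent must be true or false")
    ssl = root.find(".//bean[@id='sslChannelFactory']")
    if ssl is not None:
        args = [a.find("value").text for a in ssl.findall("constructor-arg")]
        if len(args) != 4:
            findings.append("sslChannelFactory must have exactly four constructor-arg entries")
        else:
            if args[0] != "false":
                findings.append("sslChannelFactory first argument must stay false (server mode)")
            if args[3] == "false":
                findings.append("keystore password is in clear text (fourth argument is false)")
    return findings


if __name__ == "__main__":
    for finding in audit_beans(SAMPLE_BEANS_XML, "cn=idfAs400Admin,dc=as400,dc=com"):
        print("FINDING:", finding)
```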
In a text editor, open the run script (run.sh or run.bat) from the LDAP_INSTALL_DIR/bin directory.
In the run script, uncomment the line related to the application server directory. In addition, change the path to reflect the actual location of the application server directory.
Note:
The instructions given in this step apply to Oracle Identity Manager release 9.1.0.x. For Oracle Identity Manager release 11.1.1, follow the instructions given in the run script itself.
The lines starting with a number sign (#) are comments, as shown:
##### SET JBOSS HOME ##################
#APPSERVER_HOME=/opt/ldapgateway/lib/jboss-4.0.2
To uncomment the line, remove the number sign. For example, to ensure that the connector works with JBoss Application Server, change the line to the following:
##### SET JBOSS HOME ##################
APPSERVER_HOME=/opt/ldapgateway/lib/jboss-4.0.2
In the run script:
Set the JAVA_HOME property as follows:
JAVA_HOME=DIRECTORY_LOCATION\j2sdk1.4.2_13
Replace DIRECTORY_LOCATION with the full path of the directory in which the JDK is installed.
If you plan to run multiple LDAP Gateways on a Linux or Solaris environment and there are not enough socket file descriptors to open up all the ports needed for the server, then add the following line:
-Djava.nio.channels.spi.SelectorProvider=sun.nio.ch.PollSelectorProvider
If you are using IBM WebSphere Application Server 6.1, then add the com.ibm.ws.wccm_6.1.0.jar file to the CLASSPATH variable in the run script as shown in the following example:
rem
rem SET WEBSPHERE APPLICATION SERVER REQUIRED LIBRARIES
rem
set CLASSPATH=%CLASSPATH%;"%APPSERVER_HOME%"\lib\com.ibm.ws.wccm_6.1.0.jar
Save and close the run script.
Starting and Stopping the LDAP Gateway on UNIX
To start the LDAP Gateway on UNIX, run the following command:
bin> ./run.sh
When the LDAP Gateway has started, the LDAP Gateway VERSION_NUMBER Started message is recorded in the LDAP_INSTALL_DIR/bin/nohup.out file.
To stop the LDAP Gateway on UNIX, run the following command:
bin> ./stop_idf.sh
Starting and Stopping the LDAP Gateway on Microsoft Windows
To start the LDAP Gateway on Microsoft Windows, run the run.bat file.
When the LDAP Gateway has started, the LDAP Gateway VERSION_NUMBER Started message is recorded in the service log.
To stop the LDAP Gateway on Microsoft Windows, close the command window in which the gateway is running.