2 Deploying the Connector

The following sections describe procedures involved in deploying the connector:

2.1 Installing the Connector on Oracle Identity Manager Release 9.1.0.x and Release 11.1.1

Installing the connector on Oracle Identity Manager release 9.1.0.x and release 11.1.1 involves the following procedures:

2.1.1 Running the Connector Installer

Note:

Perform the procedure described in this section only if you are installing the connector on Oracle Identity Manager release 11.1.1.

In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.

To run the Connector Installer:

  1. Copy the contents of the connector installation media into the following directory:

    Note:

    In an Oracle Identity Manager cluster, copy this JAR file to each node of the cluster.

    • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/ConnectorDefaultDirectory

    • For Oracle Identity Manager release 11.1.1: OIM_HOME/server/ConnectorDefaultDirectory

  2. Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of the following guide:

    • For Oracle Identity Manager release 9.1.0.x:

      Oracle Identity Manager Administrative and User Console Guide

    • For Oracle Identity Manager release 11.1.1:

      Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager

  3. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 9.1.0.x:

      Click Deployment Management, and then click Install Connector.

    • For Oracle Identity Manager release 11.1.1:

      On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Install Connector.

  4. From the Connector List list, select RSA Authentication Manager RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory in Step 1.

    If you have copied the installation files into a different directory, then:

    1. In the Alternative Directory field, enter the full path and name of that directory.

    2. To repopulate the list of connectors in the Connector List list, click Refresh.

    3. From the Connector List list, select RSA Authentication Manager RELEASE_NUMBER.

  5. Click Load.

  6. To start the installation process, click Continue.

    The following tasks are performed in sequence:

    1. Configuration of connector libraries.

    2. Import of the connector XML files (by using the Deployment Manager). If you want to import the target system as a trusted source for reconciliation, then see "Configuring Trusted Source Reconciliation".

    3. Compilation of adapters.

    On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:

    • Retry the installation by clicking Retry.

    • Cancel the installation and begin again from Step 1.

  7. If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:

    1. Ensuring that the prerequisites for using the connector are addressed

      Note:

      At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See "Clearing Content Related to Connector Resource Bundles from the Server Cache" for information about running the PurgeCache utility.

      There are no prerequisites for some predefined connectors.

    2. Configuring the IT resource for the connector

      Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is described later in this guide.

    3. Configuring the scheduled tasks that are created when you installed the connector

      Note:

      In Oracle Identity Manager release 11.1.1, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of earlier Oracle Identity Manager releases is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1.

      See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.

      Record the names of the scheduled tasks displayed on this page. The procedure to configure these scheduled tasks is described later in this guide.

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer.

Installing the Connector in an Oracle Identity Manager Cluster

While installing the connector in an Oracle Identity Manager cluster, you must copy all the JAR files and the contents of the connectorResources directory into the corresponding directories on each node of the cluster. See Section 2.2.1, "Copying Connector Files" for information about the files that you must copy and their destination locations on the Oracle Identity Manager server.

2.1.2 Configuring the IT Resource

To specify values for the parameters of the ACE Remote Manager and ACE Server Remote IT resources:

  1. Log in to the Administrative and User Console.

  2. If you are using Oracle Identity Manager release 9.1.0.x, expand Resource Management, and then click Manage IT Resource.

  3. If you are using Oracle Identity Manager release 11.1.1, then:

    • On the Welcome page, click Advanced in the upper-right corner of the page.

    • On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.

  4. In the IT Resource Name field on the Manage IT Resource page, enter the name of the IT resource and then click Search.

  5. Click the edit icon for the IT resource.

  6. From the list at the top of the page, select Details and Parameters.

  7. Specify values for the parameters of the IT resource. The "Configuring the IT Resource" section describes the parameters of both IT resources.

  8. To save the values, click Update.

2.2 Installing the Connector on Oracle Identity Manager Release 9.0.1 Through Release 9.0.3.2

Note:

Perform the procedure described in this section only if you are installing the connector on any Oracle Identity Manager release from 9.0.1 through 9.0.3.2.

Installing the connector on an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 involves the following procedures:

2.2.1 Copying Connector Files

The connector files to be copied and the directories to which you must copy them are given in the following table.

See Also:

"Files and Directories That Comprise the Connector" for more information about these files

File in the Installation Media Directory: Directories and files in the remotePackage directory
Destination Directory:
  • For an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 and release 9.1.0.x:

    OIM_HOME/xellerate/XLIntegrations/AuthManager/remotePackage

  • For Oracle Identity Manager release 11.1.1:

    OIM_HOME/server/XLIntegrations/AuthManager/remotePackage

Note: You do not need to copy this directory if you already performed the procedure described in the "Setting Up the Remote Manager" section.

File in the Installation Media Directory: Directories and files in the scripts directory
Destination Directory:
  • For an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 and release 9.1.0.x:

    OIM_HOME/xellerate/XLIntegrations/AuthManager/scripts

  • For Oracle Identity Manager release 11.1.1:

    OIM_HOME/server/XLIntegrations/AuthManager/scripts

File in the Installation Media Directory: Directories and files in the tests directory
Destination Directory:
  • For an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 and release 9.1.0.x:

    OIM_HOME/xellerate/XLIntegrations/AuthManager/tests

  • For Oracle Identity Manager release 11.1.1:

    OIM_HOME/server/XLIntegrations/AuthManager/tests

File in the Installation Media Directory: Files in the xml directory
Destination Directory:
  • For an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 and release 9.1.0.x:

    OIM_HOME/xellerate/XLIntegrations/AuthManager/xml

  • For Oracle Identity Manager release 11.1.1:

    OIM_HOME/server/XLIntegrations/AuthManager/xml

Note:

While installing Oracle Identity Manager in a cluster, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy the connectorResources directory and the JAR files to the corresponding directories on each node of the cluster.

2.2.2 Importing the Connector XML Files

As mentioned in the "Files and Directories That Comprise the Connector" section, the connector XML file contains definitions of the components of the connector. By importing the connector XML file, you create these components in Oracle Identity Manager.

To import the connector XML files into Oracle Identity Manager:

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for locating files is displayed.

  4. Locate and open the RSAAuthManagerResourceObject.xml file, which is in the OIM_HOME/xellerate/XLIntegrations/AuthManager/xml directory. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Next. The Provide IT Resource Instance Data page for the ACE Remote Manager IT resource is displayed.

  8. Specify values for the parameters of the ACE Remote Manager IT resource. Refer to the "Parameters of the ACE Remote Manager IT Resource" section for information about the values to be specified.

  9. Click Next. The Provide IT Resource Instance Data page for a new instance of the Remote Manager IT resource type is displayed.

  10. Click Skip to specify that you do not want to define another IT resource. The Provide IT Resource Instance Data page for the ACE Server Remote IT resource is displayed.

    See Also:

    If you want to define another IT resource, then refer to Oracle Identity Manager Administrative and User Console Guide for instructions.

  11. Specify values for the parameters of the ACE Server Remote IT resource. Refer to the "Parameters of the ACE Server Remote IT Resource" section for information about the values to be specified.

  12. Click Next. The Provide IT Resource Instance Data page for a new instance of the ACE Server IT resource type is displayed.

  13. Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.

  14. Click View Selections.

    The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. These nodes represent Oracle Identity Manager entities that are redundant. Before you import the connector XML file, you must remove these entities by right-clicking each node and then selecting Remove.

  15. Click Import. The connector XML file is imported into Oracle Identity Manager.

After you import the connector XML files, proceed to the next chapter.

2.2.3 Compiling Adapters

Adapters are used to implement provisioning functions. The following adapters are imported into Oracle Identity Manager when you import the connector XML file:

  • ACE ASSIGN TO GROUP

  • ACE DELETE USER

  • ACE CREATE USER

  • SetRSAUserAttribute

  • ACE PrePop DefLogin

  • ACE PrePop FirstName

  • ACE PrePop GrpLogin

  • ACE PrePop LastName

  • ACE ASSIGN TOKEN

  • ACE REMOVE TOKEN

  • ACE DISABLE TOKEN

  • ACE SET PIN

  • ACE SET PIN TO NTC

  • ACE TRACK LOST TOKEN

  • ACE ENABLE TOKEN

  • ACE TEST LOGIN

  • ACE ADD USER EXTENSION DATA TO USER

  • ACE UPDATE USER EXTENSION DATA FOR USER

  • ACE DEL USER EXTENSION DATA TO USER

  • Set Temporary User

You must compile these adapters before they can be used in provisioning operations.

To compile adapters by using the Adapter Manager form:

  1. Open the Adapter Manager form.

  2. To compile all the adapters that you import into the current database, select Compile All.

    To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select Compile Selected.

    Note:

    Click Compile Previously Failed to recompile only those adapters that were not compiled successfully. Such adapters do not have an OK compilation status.

  3. Click Start. Oracle Identity Manager compiles the selected adapters.

  4. In an Oracle Identity Manager cluster, copy the compiled adapters from the OIM_HOME/xellerate/Adapter directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.

If you want to compile one adapter at a time, then use the Adapter Factory form.

See Also:

Oracle Identity Manager Tools Reference Guide for information about using the Adapter Factory and Adapter Manager forms

To view detailed information about an adapter:

  1. Highlight the adapter in the Adapter Manager form.

  2. Double-click the row header of the adapter, or right-click the adapter.

  3. Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.

2.3 Defining IT Resources

The following sections provide information about the IT resource parameters:

2.3.1 Parameters of the ACE Remote Manager IT Resource

You must specify values for the ACE Remote Manager IT resource parameters listed in the following table:

Parameter: service name
Description: Remote manager service name

RManager

Parameter: url
Description: Remote manager URL

For example: rmi://10.1.1.114:12346


2.3.2 Parameters of the ACE Server Remote IT Resource

You must specify values for the ACE Server Remote IT resource parameters listed in the following table:

Parameter: ACEAdminMode
Description: Admin mode through which the connector connects to RSA Authentication Manager for provisioning and reconciliation

The value can be Host or Remote.

Note: If the value is Remote, then the Remote Manager service logs in to RSA Authentication Manager by using the ACEAdminPassCode and ACEAdminUserId user credentials.

If ACEAdminMode is Host and the Remote Manager is started as a Windows service, then that service must run under the OS user who installed RSA Authentication Manager.

If ACEAdminMode is Host, then the Remote Manager starts under the OS user who installed RSA Authentication Manager.

Parameter: ACEAdminPassCode
Description: Admin passcode, which is required only when the admin mode is Remote

The value is encrypted after the changes to the IT resource are saved.

Sample value: 123456

See the "Configuring the Connector in Remote Mode by Using a Dynamic Passcode" section for information about the values you can specify for this parameter.

Parameter: ACEAdminUserId
Description: Admin user ID, which is required when the admin mode is either Remote or Host.

Parameter: Target Locale: Country
Description: Country code

Default value: US

Note: You must specify the value in uppercase.

Parameter: Target Locale: Language
Description: Language code

You can select one of the following:

  • English: en

  • Japanese: jp

  • French: fr

Note: You must specify the value in lowercase.


2.4 Configuring the Oracle Identity Manager Server

Configuring the Oracle Identity Manager server involves performing the following procedures:

Note:

In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster.

2.4.1 Changing to the Required Input Locale

Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.

You may require the assistance of the system administrator to change to the required input locale.

2.4.2 Clearing Content Related to Connector Resource Bundles from the Server Cache

When you perform the procedure described in the "Copying Connector Files" section, the resource bundles are copied from the resources directory on the installation media into the OIM_HOME/xellerate/connectorResources directory on an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 or release 9.1.0.x, and into the Oracle Identity Manager database on Oracle Identity Manager release 11.1.1. Whenever you add a new resource bundle to the connectorResources directory or change an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

  1. In a command window, perform one of the following steps:

    • If you are using an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 or release 9.1.0.x, then switch to the OIM_HOME/xellerate/bin directory.

    • If you are using Oracle Identity Manager release 11.1.1, then switch to the OIM_HOME/server/bin directory.

    Note:

    You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:

    For an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 or release 9.1.0.x:

    OIM_HOME/xellerate/bin/SCRIPT_FILE_NAME
    

    For Oracle Identity Manager release 11.1.1:

    OIM_HOME/server/bin/SCRIPT_FILE_NAME
    
  2. Enter one of the following commands:

    Note:

    You can use the PurgeCache utility to purge the cache for any content category. Run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the content category that must be purged.

    For example, the following commands purge Metadata entries from the server cache:

    PurgeCache.bat MetaData

    PurgeCache.sh MetaData

    • For an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 or release 9.1.0.x:

      On Microsoft Windows: PurgeCache.bat ConnectorResourceBundle

      On UNIX: PurgeCache.sh ConnectorResourceBundle

      Note:

      You can ignore the exception that is thrown when you perform Step 2. This exception is different from the one mentioned in Step 1.

      In this command, ConnectorResourceBundle is one of the content categories that you can delete from the server cache. See the following file for information about the other content categories:

      OIM_HOME/xellerate/config/xlconfig.xml

    • For Oracle Identity Manager release 11.1.1:

      On Microsoft Windows: PurgeCache.bat All

      On UNIX: PurgeCache.sh All

      When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:

      t3://OIM_HOST_NAME:OIM_PORT_NUMBER
      

      In this format:

      • Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.

      • Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.

    See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.
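The two steps above as a small wrapper for UNIX hosts, added here as an example and not taken from Oracle's guide or scripts: it makes the bin directory the working directory before starting PurgeCache and picks the category for the release. The function name, the "9.x" label and the interpreter argument are assumptions of this example.

```python
import os
import subprocess

# Release family -> (bin directory under OIM_HOME, cache category), as the
# guide gives them. "9.x" stands for 9.0.1 through 9.0.3.2 and 9.1.0.x.
PURGE_SETTINGS = {
    "9.x": (os.path.join("xellerate", "bin"), "ConnectorResourceBundle"),
    "11.1.1": (os.path.join("server", "bin"), "All"),
}


def purge_connector_cache(oim_home, release, script="PurgeCache.sh",
                          interpreter="sh"):
    """Run PurgeCache from inside the bin directory; return its exit status.

    `interpreter` is an assumption of this example; adjust it to however
    the script is started on your host.
    """
    if release not in PURGE_SETTINGS:
        raise ValueError(f"unknown release family: {release!r}")
    if os.path.basename(script) != script:
        # A path here would repeat the OIM_HOME/.../bin/SCRIPT_FILE_NAME
        # invocation that the guide says throws an exception.
        raise ValueError("pass the script file name only, not a path")
    rel_bin, category = PURGE_SETTINGS[release]
    bin_dir = os.path.join(oim_home, rel_bin)
    if not os.path.isfile(os.path.join(bin_dir, script)):
        raise FileNotFoundError(f"{script} not found in {bin_dir}")
    # Step 1 is cwd=bin_dir; Step 2 is the command with its category.
    # stdin is inherited, so on release 11.1.1 the utility can prompt for
    # the user name, password and t3:// service URL; none of them is put
    # on the command line.
    completed = subprocess.run([interpreter, script, category], cwd=bin_dir)
    return completed.returncode


if __name__ == "__main__":
    import sys
    # Usage: python purge_cache.py OIM_HOME 9.x|11.1.1
    sys.exit(purge_connector_cache(sys.argv[1], sys.argv[2]))
```

In a cluster, run it on each node, as the note at the start of Section 2.4 requires.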

2.4.3 Enabling Logging

Depending on the Oracle Identity Manager release you are using, perform the procedure described in one of the following sections:

Then, perform the following procedure:

2.4.3.1 Enabling Logging on an Oracle Identity Manager Release from 9.0.1 Through 9.0.3.2 or Release 9.1.0.x

Note:

In an Oracle Identity Manager cluster, perform this procedure on each node of the cluster. Then, restart each node.

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • ALL

    This level enables logging for all events.

  • DEBUG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • INFO

    This level enables logging of messages that highlight the progress of the application at a coarse-grained level.

  • WARN

    This level enables logging of information about potentially harmful situations.

  • ERROR

    This level enables logging of information about error events that may allow the application to continue running.

  • FATAL

    This level enables logging of information about very severe error events that could cause the application to stop functioning.

  • OFF

    This level disables logging for all events.

The file in which you set the log level and the log file path depend on the application server that you use:

  • IBM WebSphere Application Server

    To enable logging:

    1. Add the following lines in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      log4j.logger.XL_INTG.RSA_ACE=log_level
      
    2. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      log4j.logger.XL_INTG.RSA_ACE=INFO
      

    After you enable logging, the log information is written to the following file:

    WebSphere_home/AppServer/logs/server_name/startServer.log
    
  • JBoss Application Server

    To enable logging:

    1. In the JBoss_home/server/default/conf/log4j.xml file, locate or add the following lines:

      <category name="XELLERATE">
         <priority value="log_level"/>
      </category>
      
      <category name="XL_INTG.RSA_ACE">
         <priority value="log_level"/>
      </category>
      
    2. In the second XML code line of each set, replace log_level with the log level that you want to set. For example:

      <category name="XELLERATE">
         <priority value="INFO"/>
      </category>
      
      <category name="XL_INTG.RSA_ACE">
         <priority value="INFO"/>
      </category>
      

    After you enable logging, the log information is written to the following file:

    JBoss_home/server/default/log/server.log
    
  • Oracle Application Server

    To enable logging:

    1. Add the following lines in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      log4j.logger.XL_INTG.RSA_ACE=log_level
      
    2. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      log4j.logger.XL_INTG.RSA_ACE=INFO
      

    After you enable logging, the log information is written to the following file:

    OC4J_home/opmn/logs/default_group~home~default_group~1.log
    
  • Oracle WebLogic Server

    To enable logging:

    1. Add the following lines in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      log4j.logger.XL_INTG.RSA_ACE=log_level
      
    2. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      log4j.logger.XL_INTG.RSA_ACE=INFO
      

    After you enable logging, the log information is written to the following file:

    WebLogic_home/user_projects/domains/domain_name/server_name/server_name.log
    

2.4.3.2 Enabling Logging on Oracle Identity Manager Release 11.1.1

Note:

In an Oracle Identity Manager cluster, perform this procedure on each node of the cluster. Then, restart each node.

Oracle Identity Manager release 11.1.1 uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.logging. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • SEVERE.intValue()+100

    This level enables logging of information about fatal errors.

  • SEVERE

    This level enables logging of information about errors that might allow Oracle Identity Manager to continue running.

  • WARNING

    This level enables logging of information about potentially harmful situations.

  • INFO

    This level enables logging of messages that highlight the progress of the application.

  • CONFIG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • FINE, FINER, FINEST

    These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These log levels are mapped to ODL message type and level combinations as shown in Table 2-1.

Table 2-1 Log Levels and ODL Message Type:Level Combinations

Log Level                 ODL Message Type:Level
SEVERE.intValue()+100     INCIDENT_ERROR:1
SEVERE                    ERROR:1
WARNING                   WARNING:1
INFO                      NOTIFICATION:1
CONFIG                    NOTIFICATION:16
FINE                      TRACE:1
FINER                     TRACE:16
FINEST                    TRACE:32


The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Manager.

To enable logging in Oracle WebLogic Server:

  1. Edit the logging.xml file as follows:

    1. Add the following blocks in the file:

      <log_handler name='rsa-ace-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
         <property name='logreader:' value='off'/>
         <property name='path' value='[FILE_NAME]'/>
         <property name='format' value='ODL-Text'/>
         <property name='useThreadName' value='true'/>
         <property name='locale' value='en'/>
         <property name='maxFileSize' value='5242880'/>
         <property name='maxLogSize' value='52428800'/>
         <property name='encoding' value='UTF-8'/>
      </log_handler>

      <logger name="XL_INTG.RSA_ACE" level="[LOG_LEVEL]" useParentHandlers="false">
         <handler name="rsa-ace-handler"/>
         <handler name="console-handler"/>
      </logger>
      
    2. Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 2-1 lists the supported message type and level combinations.

      Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.

      The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME]:

      <log_handler name='rsa-ace-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
         <property name='logreader:' value='off'/>
         <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/>
         <property name='format' value='ODL-Text'/>
         <property name='useThreadName' value='true'/>
         <property name='locale' value='en'/>
         <property name='maxFileSize' value='5242880'/>
         <property name='maxLogSize' value='52428800'/>
         <property name='encoding' value='UTF-8'/>
      </log_handler>

      <logger name="XL_INTG.RSA_ACE" level="NOTIFICATION:1" useParentHandlers="false">
         <handler name="rsa-ace-handler"/>
         <handler name="console-handler"/>
      </logger>
      

    With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.

  2. Save and close the file.

  3. Set the following environment variable to redirect the server logs to a file:

    For Microsoft Windows:

    set WLS_REDIRECT_LOG=FILENAME
    

    For UNIX:

    export WLS_REDIRECT_LOG=FILENAME
    

    Replace FILENAME with the location and name of the file to which you want to redirect the output.

  4. Restart the application server.
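A check for the edited logging.xml entries, added here as an example and not part of Oracle's guide or product code: it confirms that both [LOG_LEVEL] placeholders and [FILE_NAME] were replaced, that each level is one of the Table 2-1 combinations, and it applies the "equal to or higher than" rule stated for the sample values. The wrapper element and log path in the samples are constructed, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Table 2-1 of this guide, most severe first:
# (java.util.logging level, ODL message type:level)
TABLE_2_1 = [
    ("SEVERE.intValue()+100", "INCIDENT_ERROR:1"),
    ("SEVERE", "ERROR:1"),
    ("WARNING", "WARNING:1"),
    ("INFO", "NOTIFICATION:1"),
    ("CONFIG", "NOTIFICATION:16"),
    ("FINE", "TRACE:1"),
    ("FINER", "TRACE:16"),
    ("FINEST", "TRACE:32"),
]
ODL_RANK = {odl: rank for rank, (_, odl) in enumerate(TABLE_2_1)}

LOGGER_NAME = "XL_INTG.RSA_ACE"
HANDLER_NAME = "rsa-ace-handler"


def is_recorded(configured, message):
    """True if `message` is equal to or higher than the `configured` level."""
    return ODL_RANK[message] <= ODL_RANK[configured]


def check_connector_logging(xml_text):
    """Return a list of problems in the connector entries of logging.xml."""
    root = ET.fromstring(xml_text)
    handler = next((h for h in root.iter("log_handler")
                    if h.get("name") == HANDLER_NAME), None)
    logger = next((g for g in root.iter("logger")
                   if g.get("name") == LOGGER_NAME), None)
    problems, levels = [], {}
    for kind, elem in (("log_handler", handler), ("logger", logger)):
        if elem is None:
            problems.append(f"{kind} entry for the connector is missing")
            continue
        level = elem.get("level", "")
        if level == "[LOG_LEVEL]":
            problems.append(f"{kind}: [LOG_LEVEL] was not replaced")
        elif level not in ODL_RANK:
            problems.append(f"{kind}: level {level!r} is not in Table 2-1")
        else:
            levels[kind] = level
    if handler is not None:
        props = {p.get("name"): p.get("value", "")
                 for p in handler.findall("property")}
        if props.get("path", "") in ("", "[FILE_NAME]"):
            problems.append("log_handler: path is not set to a log file")
    if logger is not None:
        refs = [h.get("name") for h in logger.findall("handler")]
        if HANDLER_NAME not in refs:
            problems.append(f"logger does not reference {HANDLER_NAME}")
    # A message has to pass the logger level and the handler level, so a
    # mismatch silently applies the stricter of the two.
    if len(levels) == 2 and levels["log_handler"] != levels["logger"]:
        problems.append("log_handler and logger levels differ")
    return problems


# Constructed sample: the guide's two blocks with sample values. The
# <logging_configuration> wrapper and the /tmp path are assumptions made
# so that the fragment parses as one document.
GOOD = """<logging_configuration>
  <log_handler name='rsa-ace-handler' level='NOTIFICATION:1'
      class='oracle.core.ojdl.logging.ODLHandlerFactory'>
    <property name='logreader:' value='off'/>
    <property name='path' value='/tmp/oim_server1-diagnostic-1.log'/>
    <property name='format' value='ODL-Text'/>
  </log_handler>
  <logger name="XL_INTG.RSA_ACE" level="NOTIFICATION:1"
      useParentHandlers="false">
    <handler name="rsa-ace-handler"/>
    <handler name="console-handler"/>
  </logger>
</logging_configuration>"""

# Constructed sample: the template pasted in with its placeholders intact.
BAD = (GOOD.replace("NOTIFICATION:1", "[LOG_LEVEL]")
           .replace("/tmp/oim_server1-diagnostic-1.log", "[FILE_NAME]"))

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_connector_logging(text) or "ok")
    print(is_recorded("NOTIFICATION:1", "TRACE:1"))
```

Run it against the file before restarting the application server in Step 4, so that a leftover placeholder is caught before the server reads the configuration.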

2.4.3.3 Enabling Logging for the Remote Manager

To enable logging for the Remote Manager:

  1. Add the following lines in the RemoteManager_home/xlremote/config/log.properties file:

    log4j.rootLogger=WARN,stdout,logfile
    log4j.appender.logfile.File=log_file_path_and_name
    log4j.logger.XELLERATE=log_level
    log4j.logger.XL_INTG.RSA_ACE=log_level
    
  2. In these lines, replace log_file_path_and_name with the full path and name of the log file and log_level with the log level that you want to set.

    For example:

    log4j.rootLogger=WARN,stdout,logfile
    log4j.appender.logfile.File=c:/rm_rsa_ace_connector.log
    log4j.logger.XELLERATE=INFO
    log4j.logger.XL_INTG.RSA_ACE=INFO
    

After you enable logging, log information is written to the file that you specify as the value of the log4j.appender.logfile.File attribute.

2.4.4 Configuring Trusted Source Reconciliation

When you configure the connector, you can designate the target system as a trusted source or a target resource. If you designate the target system as a trusted source, then both newly created and modified user accounts are reconciled in Oracle Identity Manager. If you designate the target system as a target resource, then only modified user accounts are reconciled in Oracle Identity Manager.

Note:

You can skip this section if you do not want to designate the target system as a trusted source for reconciliation.

Configuring trusted source reconciliation involves the following steps:

  1. Import the XML file for trusted source reconciliation, RSAAuthManagerXLResourceObject.xml, by using the Deployment Manager. This section describes the procedure to import the XML file.

    Note:

    Only one target system can be designated as a trusted source. If you import the RSAAuthManagerXLResourceObject.xml file while you have another trusted source configured, then both connector reconciliations would stop working.

  2. Set the IsTrusted scheduled task attribute to True. You specify a value for this attribute while configuring the user reconciliation scheduled task, which is described later in this guide.

To import the XML file for trusted source reconciliation:

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. If you are using an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 or release 9.1.0.x, then:

    1. Click the Deployment Management link on the left navigation pane.

    2. Click the Import link under Deployment Management. A dialog box for opening files is displayed.

  3. If you are using Oracle Identity Manager release 11.1.1, then:

    1. On the Welcome page, click Advanced in the upper-right corner of the page.

    2. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Import Deployment Manager File. A dialog box for opening files is displayed.

  4. Locate and open the RSAAuthManagerXLResourceObject.xml file located in the following directory:

    • For an Oracle Identity Manager release from 9.0.1 through 9.0.3.2 or release 9.1.0.x:

      OIM_HOME/xellerate/XLIntegrations/AuthManager/xml

    • For Oracle Identity Manager release 11.1.1:

      OIM_HOME/server/XLIntegrations/AuthManager/xml

    Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Import.

  8. In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.

After you import the XML file for trusted source reconciliation, you must set the value of the IsTrusted reconciliation scheduled task attribute to True. This procedure is described in the "Configuring the Reconciliation Scheduled Tasks" section.

2.4.5 Configuring Oracle Identity Manager Release 11.1.1 for Request-Based Provisioning

Note:

Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.1 and you want to configure request-based provisioning.

In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource can be viewed and approved by approvers designated in Oracle Identity Manager.

The following are features of request-based provisioning:

  • A user can be provisioned only one resource (account) on the target system.

    Note:

    Direct provisioning allows the provisioning of multiple target system accounts on the target system.
  • Direct provisioning cannot be used if you enable request-based provisioning.

To configure request-based provisioning, perform the following procedures:

2.4.5.1 Copying Predefined Request Datasets

A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. Predefined request datasets are shipped with this connector. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation. The following are the predefined request datasets available in the DataSets directory on the installation media:

  • ModifyAuth Manager User.xml

  • ModifyAuth Manager Token.xml

  • ProvisionAuth Manager User.xml

  • ProvisionResourceAuth Manager Token.xml

Copy these files from the installation media to any directory on the Oracle Identity Manager host computer. It is recommended that you create a directory structure as follows:

/custom/connector/RESOURCE_NAME

For example:

E:\MyDatasets\custom\connector\AuthMgr

Note:

Until you complete the procedure to configure request-based provisioning, ensure that there are no other files or directories inside the parent directory in which you create the directory structure. In the preceding example, ensure that there are no other files or directories inside the E:\MyDatasets directory.

The directory structure to which you copy the dataset files is the MDS location into which these files are imported after you run the Oracle Identity Manager MDS Import utility. The procedure to import dataset files is described in the next section.

Depending on your requirement, you can modify the file names of the request datasets. In addition, you can modify the information in the request datasets. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information on modifying request datasets.

2.4.5.2 Importing Request Datasets into MDS

All request datasets must be imported into the metadata store (MDS), which can be done by using the Oracle Identity Manager MDS Import utility.

To import a request dataset definition into MDS:

  1. Ensure that you have set the environment for running the MDS Import utility. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about setting up the environment for MDS utilities.

    Note:

    While setting up the properties in the weblogic.properties file, ensure that the value of the metadata_from_loc property is the parent directory of the /custom/connector/RESOURCE_NAME directory. For example, while performing the procedure in Section 2.4.5.1, "Copying Predefined Request Datasets," if you copy the files to the E:\MyDatasets\custom\connector\AuthMgr directory, then set the value of the metadata_from_loc property to E:\MyDatasets.
  2. In a command window, change to the OIM_HOME\server\bin directory.

  3. Run one of the following commands:

    • On Microsoft Windows

      weblogicImportMetadata.bat
      
    • On UNIX

      weblogicImportMetadata.sh
      
  4. When prompted, enter the following values:

    • Please enter your username [weblogic]

      Enter the username used to log in to the WebLogic server.

      Sample value: WL_User

    • Please enter your password [weblogic]

      Enter the password used to log in to the WebLogic server.

    • Please enter your server URL [t3://localhost:7001]

      Enter the URL of the application server in the following format:

      t3://HOST_NAME_IP_ADDRESS:PORT

      In this format, replace:

      • HOST_NAME_IP_ADDRESS with the host name or IP address of the computer on which Oracle Identity Manager is installed.

      • PORT with the port on which Oracle Identity Manager is listening.

    The request dataset is imported into MDS.
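
The note in step 1 and the note in Section 2.4.5.1 can be checked before the import is run. The following pre-flight script is an added example, not part of the connector or of the MDS utilities: it reads metadata_from_loc from weblogic.properties and confirms that nothing other than custom/connector/RESOURCE_NAME and its XML files exists below that directory. The function names, the key=value reading of the properties file and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the connector or of Oracle Identity Manager.
# Pre-flight check to run before weblogicImportMetadata.sh.

# Print the value of metadata_from_loc from a weblogic.properties file.
metadata_from_loc() {
    sed -n 's/^[[:space:]]*metadata_from_loc[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_dataset_staging PARENT RESOURCE_NAME
#   0 = only custom/connector/RESOURCE_NAME/*.xml exists under PARENT
#   1 = other files or directories are present under PARENT
#   2 = the directory structure is missing or holds no dataset file
# PARENT must not contain glob characters (* ? [), because find -path
# treats its argument as a pattern.
check_dataset_staging() {
    parent=${1%/}
    leaf="$parent/custom/connector/$2"
    if [ ! -d "$leaf" ]; then
        echo "missing directory: $leaf" >&2
        return 2
    fi
    stray=$(find "$parent" ! -path "$parent" \
        ! -path "$parent/custom" \
        ! -path "$parent/custom/connector" \
        ! -path "$leaf" \
        ! \( -type f -name '*.xml' -path "$leaf/*" ! -path "$leaf/*/*" \) \
        -print)
    if [ -n "$stray" ]; then
        echo "unexpected entries under $parent:" >&2
        printf '%s\n' "$stray" >&2
        return 1
    fi
    count=$(find "$leaf" -type f -name '*.xml' | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "no dataset files in $leaf" >&2
        return 2
    fi
    echo "$count dataset file(s) staged in $leaf"
}

# check_import_config PROPERTIES_FILE RESOURCE_NAME
# Resolves metadata_from_loc and checks the layout below it.
check_import_config() {
    loc=$(metadata_from_loc "$1")
    if [ -z "$loc" ]; then
        echo "metadata_from_loc is not set in $1" >&2
        return 2
    fi
    check_dataset_staging "$loc" "$2"
}

# Build a constructed staging tree in a scratch directory and print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/MyDatasets/custom/connector/AuthMgr"
    for f in "ModifyAuth Manager User.xml" "ModifyAuth Manager Token.xml" \
             "ProvisionAuth Manager User.xml" \
             "ProvisionResourceAuth Manager Token.xml"; do
        echo "<!-- constructed placeholder -->" \
            > "$root/MyDatasets/custom/connector/AuthMgr/$f"
    done
    echo "metadata_from_loc=$root/MyDatasets" > "$root/good.properties"
    echo "metadata_from_loc=$root/MyDatasets/custom/connector/AuthMgr" \
        > "$root/leaf.properties"
    echo "$root"
}

demo_root=$(make_sample_tree)
check_import_config "$demo_root/good.properties" AuthMgr
check_import_config "$demo_root/leaf.properties" AuthMgr ||
    echo "leaf.properties points at the dataset directory, not its parent"
rm -rf "$demo_root"
```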

2.4.5.3 Enabling the Auto Save Form Feature

To enable the Auto Save Form feature:

  1. Log in to the Design Console.

  2. Expand Process Management, and then double-click Process Definition.

  3. Search for and open the Auth Manager User process definition.

  4. Select the Auto Save Form check box.

  5. Click the Save icon.

  6. Repeat this procedure for the Auth Manager Token process definition.

2.4.5.4 Running the PurgeCache Utility

Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Section 2.4.2, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for instructions.

The procedure to configure request-based provisioning ends with this step.

2.5 Configuring the Target System

Configuring the target system involves the following steps:

2.5.1 Setting Up the Remote Manager

To set up the remote manager on the RSA Authentication Manager server:

Note:

For Solaris, you must create an ACE administrator as a preinstallation requirement for RSA Authentication Manager. This administrator is the file owner of the RSA Authentication Manager installation. Use this ACE administrator account to install the remote manager.
  1. Create the AuthManager directory on the RSA Authentication Manager server.

  2. From the installation media directory, copy the remotePackage directory into the AuthManager directory.

    For Solaris

    Log in to the Solaris server by using the user credentials of the RSA Authentication Manager File Owner that was created as a preinstallation requirement for RSA Authentication Manager. Then, create the directory into which you copy the remotePackage directory.

    Note:

    If you copy files from Microsoft Windows to Solaris, all data transfer from the FTP client must be performed in binary mode. In addition, after copying files to the Solaris server, you must check the files for the ^M character pattern.

    You must also perform required operations, such as dos2unix. As described earlier, copy all the files while using the ACE administrator credentials.

  3. To update the class files, copy the authmgr_home/lib/xliACERemote.jar file from the installation media directory to the xl_remote/xlremote/JavaTasks directory.

    Note:

    From this point onward in the guide, the full path of the remotePackage directory on the RSA Authentication Manager server is referred to as authmgr_home.
  4. Update the library files as follows:

    • On Microsoft Windows:

      Use a text editor to open the following file:

      xl_remote/xlremote/remotemanager.bat
      

      In this file, depending on the version of Authentication Manager that you are using, set one of the following as the first line of the file:

      For ACE 5.2:

      set PATH=authmgr_home/lib/ACE52;%PATH%
      

      For RSA Authentication Manager 6.0:

      set PATH=authmgr_home/lib/AuthMgr60;%PATH%
      

      For RSA Authentication Manager 6.1:

      set PATH=authmgr_home/lib/AuthMgr61;%PATH%
      
    • For RSA ACE 5.2 on Solaris 8, 9, 10:

      Set the LD_LIBRARY_PATH environment variable as follows:

      LD_LIBRARY_PATH=$ACE_INSTALL/prog:$AUTHMGR_HOME/lib/ACE52Sol
      export LD_LIBRARY_PATH
      
    • For RSA ACE 6.1.2 on Solaris 9, 10:

      Set the LD_LIBRARY_PATH environment variable as follows:

      LD_LIBRARY_PATH=$ACE_INSTALL/prog:$AUTHMGR_HOME/lib/ACE612Sol
      export LD_LIBRARY_PATH
      

2.5.2 Configuring Strong Authentication Between Oracle Identity Manager and the Remote Manager

To configure strong authentication between Oracle Identity Manager and the remote manager, you must import the required certificate from the remote manager keystore to the Oracle Identity Manager server keystore as follows:

  1. From the Oracle Identity Manager server, copy the OIM_HOME/xellerate/config/xlserver.cert file to the authmgr_home/scripts/config directory on the RSA Authentication Manager server.

  2. Use a text editor to open the authmgr_home/scripts/AuthMgrImportXLCert.bat file.

    In this file, set the following parameters:

    set JAVA_HOME=jdk_home
    set XL_REMOTE=xl_remote
    

    For Solaris, set the following parameters in the authmgr_home/scripts/AuthMgrImportXLCert.sh file:

    XL_REMOTE=xl_remote
    export XL_REMOTE
    JAVA_HOME=jdk_home
    export JAVA_HOME
    
  3. Run the AuthMgrImportXLCert.bat file.

    For Solaris, run the AuthMgrImportXLCert.sh file.

2.5.3 Configuring SSL Client (Oracle Identity Manager Server) Authentication

To configure SSL client (Oracle Identity Manager server) authentication:

  1. Open the xl_remote/xlremote/config/xlconfig.xml file.

  2. In the <RMSecurity> section of this file, change the value of the <ClientAuth> element to true.

    The following is a code block from the xlconfig.xml file:

    <RMSecurity>
      <RMIOverSSL>true</RMIOverSSL>
      <SSLPort>12345</SSLPort>
      <SSLContextAlgorithm>TLS</SSLContextAlgorithm>
      <KeyManagerFactory>SunX509</KeyManagerFactory>
      <BindingPort>12346</BindingPort>
      <ServiceName>RManager</ServiceName>
      <LoggerConfigFilePath>log.conf</LoggerConfigFilePath>
      <ClientAuth>true</ClientAuth>
    </RMSecurity>
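
The setting changed in step 2 can be verified after the edit. The following check is an added example that is not shipped with the remote manager: it reads the <RMSecurity> section, ignores XML comments, and succeeds only when both <RMIOverSSL> and <ClientAuth> read true. The function names, the exact-match rule for "true" and the second sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not shipped with the remote manager.

# Print the text of element $2 found inside <RMSecurity> in file $1.
# XML comments are removed first, so a commented-out element is not counted.
# Assumes each element sits on one line, as in the block shown in the guide.
rm_security_value() {
    awk -v el="$2" '
        {
            rest = $0; text = ""
            while (rest != "") {
                if (incomment) {
                    i = index(rest, "-->")
                    if (i == 0) { rest = "" }
                    else { rest = substr(rest, i + 3); incomment = 0 }
                } else {
                    i = index(rest, "<!--")
                    if (i == 0) { text = text rest; rest = "" }
                    else {
                        text = text substr(rest, 1, i - 1)
                        rest = substr(rest, i + 4); incomment = 1
                    }
                }
            }
            if (index(text, "<RMSecurity>")) insec = 1
            if (insec) {
                otag = "<" el ">"; ctag = "</" el ">"
                s = index(text, otag); e = index(text, ctag)
                if (s > 0 && e > s) {
                    v = substr(text, s + length(otag), e - s - length(otag))
                    gsub(/^[ \t]+|[ \t]+$/, "", v)
                    print v
                    exit
                }
            }
            if (index(text, "</RMSecurity>")) insec = 0
        }
    ' "$1"
}

# Succeed only when the remote manager both listens over SSL and requires a
# client certificate. Assumption: the values must read exactly "true".
check_client_auth() {
    ssl=$(rm_security_value "$1" RMIOverSSL)
    auth=$(rm_security_value "$1" ClientAuth)
    echo "RMIOverSSL=${ssl:-unset} ClientAuth=${auth:-unset}"
    [ "$ssl" = "true" ] && [ "$auth" = "true" ]
}

# Constructed samples: the first is the block from the guide; the second keeps
# "true" only inside a comment, which a plain grep for the element would accept.
write_samples() {
    cat > "$1/enabled.xml" <<'EOF'
<RMSecurity>
  <RMIOverSSL>true</RMIOverSSL>
  <SSLPort>12345</SSLPort>
  <SSLContextAlgorithm>TLS</SSLContextAlgorithm>
  <KeyManagerFactory>SunX509</KeyManagerFactory>
  <BindingPort>12346</BindingPort>
  <ServiceName>RManager</ServiceName>
  <LoggerConfigFilePath>log.conf</LoggerConfigFilePath>
  <ClientAuth>true</ClientAuth>
</RMSecurity>
EOF
    cat > "$1/disabled.xml" <<'EOF'
<RMSecurity>
  <RMIOverSSL>true</RMIOverSSL>
  <!-- <ClientAuth>true</ClientAuth> -->
  <ClientAuth>false</ClientAuth>
</RMSecurity>
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_client_auth "$demo_dir/enabled.xml"
check_client_auth "$demo_dir/disabled.xml" || echo "client authentication is off"
rm -rf "$demo_dir"
```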
    

Multiple Oracle Identity Manager Servers Communicating with a Single Remote Manager

If a setup involves more than one Oracle Identity Manager server communicating with a single remote manager, then you must address the considerations described in this section.

The OIM_HOME/xellerate/config/xlserver.cert certificate for any Oracle Identity Manager installation would have the same dname value. If you import this certificate from one Oracle Identity Manager installation into the target system remote manager keystore, then you cannot directly use the same certificate from another installation for the same purpose and in the same manner.

Therefore, if one Oracle Identity Manager installation is already configured with a particular remote manager and the same is needed for another Oracle Identity Manager installation, then you must first create a certificate with a different DN for the second installation before you can use this new certificate with the remote manager.

Enter the following commands in the specified order.

  1. Generate a new key pair by entering the following command:

    jdk_home/jre/bin/keytool -genkey -alias xell2 -keyalg DSA -keysize 1024 -dname "CN=Customer1, OU=Customer, O=Customer, L=City, ST=NY, C=US" -validity 3650 -keypass xellerate -keystore OIM_HOME/xellerate/config/.xlkeystore -storepass xellerate -storetype jks -provider sun.security.provider.Sun
    

    When you run this command, ensure that the dname value specified in the preceding command is not the same as the default dname value of the existing certificates in the Oracle Identity Manager keystore:

    OIM_HOME/xellerate/config/.xlkeystore
    

    The default value is as follows:

    CN=Customer, OU=Customer, O=Customer, L=City, ST=NY, C=US
    
  2. Create a certificate request by entering the following command:

    jdk_home/jre/bin/keytool -certreq -alias xell2 -file OIM_HOME/xellerate/config/xell1.csr -keypass xellerate -keystore OIM_HOME/xellerate/config/.xlkeystore -storepass xellerate -storetype jks -provider sun.security.provider.Sun
    
  3. Export the certificate to a file by entering the following command:

    jdk_home/jre/bin/keytool -export -alias xell2 -file OIM_HOME/xellerate/config/xlserver1.cert -keypass xellerate -keystore OIM_HOME/xellerate/config/.xlkeystore -storepass xellerate -storetype jks -provider sun.security.provider.Sun
    

    This command creates the following security certificate:

    OIM_HOME/xellerate/config/xlserver1.cert
    

    This is the certificate that you must use for configuration purposes.

  4. Import the certificate into the remote manager keystore by entering the following command:

    jdk_home/jre/bin/keytool -import -trustcacerts -alias xel2trusted -noprompt -keystore OIM_HOME/xellerate/config/.xlkeystore -file OIM_HOME/xellerate/config/xlserver1.cert -storepass xellerate
    

For configuring strong authentication between another Oracle Identity Manager Server installation and the remote manager, use the OIM_HOME/xellerate/config/xlserver1.cert file instead of the xlserver.cert file.

2.5.4 Configuring Strong Authentication Between the Remote Manager and the Oracle Identity Manager Server

To configure Oracle Identity Manager to trust the Remote Manager:

  1. On the computer hosting Oracle Identity Manager, export the certificate by running the following command:

    keytool -export -keystore KEYSTORE_FILE -storepass KEYSTORE_PASSWORD -alias ALIAS -file CERT_FILE_NAME
    

    In this command:

    • KEYSTORE_FILE is the complete path and name of the keystore.

    • KEYSTORE_PASSWORD is the password of the keystore.

    • ALIAS is the alias of the certificate to be exported.

    • CERT_FILE_NAME is the file name containing the exported certificate.

    The following is a sample command:

    keytool -export -keystore D:\March11g\Middleware\user_projects\domains\MARCHWIN\config\fmwconfig\default-keystore.jks -storepass MyPa55word -alias xell -file oim.cer 
     
    
  2. Copy the exported certificate to any directory on the target system.

  3. To import the certificate, run the following command:

    keytool -import -keystore KEYSTORE_FILE -storepass KEYSTORE_PASSWORD -alias ALIAS -file CERT_FILE_NAME 
    

    In this command:

    • KEYSTORE_FILE is the complete path and name of the keystore.

    • KEYSTORE_PASSWORD is the password of the keystore.

    • ALIAS is the alias of the certificate to be imported.

    • CERT_FILE_NAME is the file name containing the imported certificate.

    The following is a sample command:

    keytool -import -keystore C:\Oracle\Middleware1\Oracle_IDM1\remote_manager\config\default-keystore.jks -storepass MyPa55word -alias oimserver -file C:\Oracle\Middleware1\OIMCert\oim.cer
     
    
  4. Copy the OIM_HOME\server\config\xlserver.cert file from the Remote Manager host computer to a temporary directory on the Oracle Identity Manager host computer.

  5. To import the certificate, run the following command:

    keytool -import -keystore KEYSTORE_FILE -storepass KEYSTORE_PASSWORD -alias ALIAS -file CERT_FILE_NAME
    

    In this command:

    • KEYSTORE_FILE is the complete path and name of the keystore.

    • KEYSTORE_PASSWORD is the password of the keystore.

    • ALIAS is the alias of the certificate to be imported.

    • CERT_FILE_NAME is the file name containing the imported certificate.

    The following is a sample command:

    keytool -import -keystore D:\March11g\Middleware\user_projects\domains\MARCHWIN\config\fmwconfig\default_keystore.jks -storepass Welcome1 -alias rmcert -file D:\March11g\Middleware\RMCert146\xlserver.cert
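
Two checks for the keytool steps above and for the earlier "Multiple Oracle Identity Manager Servers Communicating with a Single Remote Manager" discussion, as an added example that is not Oracle tooling: one reports aliases whose DN already equals a proposed dname, the other confirms that an alias in the destination keystore holds the same certificate as the alias that was exported. Both work on saved `keytool -list -v` output; the function names, the DN normalization rule and the sample listings (including the otheroim alias and all fingerprints) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Oracle tooling. Input is the text printed by, for example:
#   keytool -list -v -keystore KEYSTORE_FILE -storepass KEYSTORE_PASSWORD

# Reduce a listing on stdin to "alias|owner DN|SHA1 fingerprint" records,
# taking only the first certificate of each entry.
keystore_entries() {
    awk '
        function emit() { if (name != "") print name "|" owner "|" fp }
        /^Alias name: / { emit(); name = substr($0, 13); owner = ""; fp = "" }
        /^Owner: /      { if (owner == "") owner = substr($0, 8) }
        /^[ \t]*SHA1: / { if (fp == "") { sub(/^[ \t]*SHA1:[ \t]*/, ""); fp = $0 } }
        END             { emit() }
    '
}

# Assumption: DNs that differ only in letter case or in spacing around commas
# count as the same DN, so the check errs on the side of reporting.
norm_dn() {
    printf '%s\n' "$1" |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/[[:space:]]*,[[:space:]]*/,/g' |
        tr '[:upper:]' '[:lower:]'
}

# Print every alias in the listing on stdin whose owner DN equals DN $1.
dn_collisions() {
    want=$(norm_dn "$1")
    keystore_entries | while IFS='|' read -r name owner fp; do
        if [ "$(norm_dn "$owner")" = "$want" ]; then printf '%s\n' "$name"; fi
    done
}

# Print the SHA1 fingerprint of alias $1 in the listing on stdin.
fingerprint_of() {
    keystore_entries | awk -F'|' -v a="$1" '$1 == a { print $3 }'
}

# Succeed only if alias $2 in listing file $1 and alias $4 in listing file $3
# hold the same certificate (equal, non-empty fingerprints).
same_certificate() {
    src=$(fingerprint_of "$2" < "$1")
    dst=$(fingerprint_of "$4" < "$3")
    [ -n "$src" ] && [ "$src" = "$dst" ]
}

# Constructed listings; the fingerprints are made up.
sample_oim_listing() {
    cat <<'EOF'
Alias name: xell
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Customer, OU=Customer, O=Customer, L=City, ST=NY, C=US
Certificate fingerprints:
         SHA1: 3B:1F:9A:00:5C:77:E2:14:8D:60:AB:CD:01:23:45:67:89:0A:BC:DE
EOF
}

sample_rm_listing() {
    cat <<'EOF'
Alias name: oimserver
Entry type: trustedCertEntry
Owner: CN=Customer, OU=Customer, O=Customer, L=City, ST=NY, C=US
Certificate fingerprints:
         SHA1: 3B:1F:9A:00:5C:77:E2:14:8D:60:AB:CD:01:23:45:67:89:0A:BC:DE

Alias name: otheroim
Entry type: trustedCertEntry
Owner: CN=Customer, OU=Customer, O=Customer, L=City, ST=NY, C=US
Certificate fingerprints:
         SHA1: 9C:44:07:00:5C:77:E2:14:8D:60:AB:CD:01:23:45:67:89:0A:BC:DE
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    sample_oim_listing > "$tmp/oim.txt"
    sample_rm_listing > "$tmp/rm.txt"
    echo "aliases already using the default DN:"
    dn_collisions "cn=customer,ou=customer,o=customer,l=city,st=ny,c=us" < "$tmp/oim.txt"
    same_certificate "$tmp/oim.txt" xell "$tmp/rm.txt" oimserver &&
        echo "oimserver holds the certificate of xell"
    same_certificate "$tmp/oim.txt" xell "$tmp/rm.txt" otheroim ||
        echo "otheroim has the same DN but a different certificate"
    rm -rf "$tmp"
}
demo
```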
    

To set up the remote manager as a trusted source for Oracle Identity Manager:

  1. On the RSA Authentication Manager server, copy the xl_remote/xlremote/config/xlserver.cert file into the following directory:

    OIM_HOME/xellerate/XLIntegrations/AuthManager/scripts/config
    
  2. Use a text editor to open the following file:

    OIM_HOME/xellerate/XLIntegrations/AuthManager/scripts/AuthMgrImportRMCert.bat
    

    In this file, edit the following lines to specify the path to the JDK and Oracle Identity Manager installation directories:

    set JAVA_HOME=jdk_home
    set XELLERATE_HOME=OIM_HOME
    

    For Oracle Identity Manager installed on Solaris, open the following file in a text editor:

    OIM_HOME/xellerate/XLIntegrations/AuthManager/scripts/AuthMgrImportRMCert.sh
    

    In this file, edit the following lines to specify the path to the JDK and Oracle Identity Manager installation directories:

    JAVA_HOME=jdk_home
    export JAVA_HOME
    XELLERATE_HOME=OIM_HOME
    export XELLERATE_HOME
    
  3. Run the AuthMgrImportRMCert.bat file.

    For Oracle Identity Manager installed on Solaris, run the AuthMgrImportRMCert.sh file.

2.6 Configuring the Connector in Remote Mode

The RSA Authentication Manager connector can be configured in remote mode by using either a dynamic passcode or a static password. The following sections provide information about the procedure:

Note:

You specify your choice by entering a value for the ACEAdminPassCode parameter of the ACE Server Remote IT resource. The "Parameters of the ACE Server Remote IT Resource" section provides information about this IT resource.

2.6.1 Configuring the Connector in Remote Mode by Using a Dynamic Passcode

To configure the connector in remote mode by using a dynamic passcode:

  1. Create a user in the ACE server, for example, remoteAdminUser in host mode.

  2. From the User menu in RSA Authentication Manager, click Edit User and select the user created in Step 1.

  3. Click Administrative Role.

  4. In the Change Administrative Role pop-up window, select Administrator as user type and click OK.

  5. From the System menu, click Edit System Configuration, and then click Edit System Parameter.

  6. In the Administration Authentication Methods of the System Parameters window, select Secure ID Software Tokens and click OK.

  7. Assign the token to remoteAdminUser by performing the following steps:

    1. From the Token menu, select Issue Software Tokens.

    2. Select the appropriate algorithm. For example, SID SDTID Algorithm.

    3. In the Password Protect field, select Static Password and enter the password.

    4. Enter the target directory path and file name where the SDTID file is to be generated and click Next. The file name extension should be .sdtid.

    5. In the RSA SecurID Software Token Selection Users pop-up window, select the user and click Next.

    6. In the Select User window, select remoteAdminUser and click OK.

    7. In the Verify RSA SecurID Software Token Issuing List window, click Next.

    8. In the RSA SecurID Software Token window, select User authenticate with passcode and click Next.

    9. In the Continue Issuing RSA SecurID Software Tokens pop-up window, click Yes.

    10. In the Save Software Token pop-up window, click Yes and provide the path to save. If you do not want to save, click No.

  8. Launch SecurID Software Token by clicking Start, All Programs, SecurID Software Token.

  9. In SecurID Software Token, click the File menu, and then click Import Tokens.

  10. Locate the .sdtid file that you created in substep 4 of step 7.

  11. Enter the password that you provided in substep 3 of step 7 and click OK.

  12. Select the token and click Transfer Selected Tokens to Hard Drive.

  13. In the Software Token API pop-up window, click Yes.

  14. In the Token List Box of the Select Token pop-up window, select the software token of remoteAdminUser and click OK. An eight-digit token code that changes every 60 seconds is displayed in RSA SecurID.

  15. From the View menu, select Advanced View in RSA SecurID.

  16. From RSA SecurID, copy the current Tokencode.

  17. In the User menu of RSA Authentication Manager, click Edit User.

  18. Select remoteAdminUser and click OK.

  19. In the Tokens textbox, double-click on the token assigned to the user.

  20. In the Edit Token window, click Set PIN to Next Tokencode.

  21. Enter the token code that you copied in step 16 and click OK.

  22. Note the first four digits of the next token code, as this is the PIN of RSA SecurID.

  23. Enter the PIN value that you noted in RSA SecurID and click Apply Pin. SecurID Software Token starts generating the passcode values.

  24. Copy the current PASSCODE.

  25. Launch the RSA Authentication Manager in the Database Administrator Remote Mode by clicking Start, All Programs, RSA Authentication Manager.

  26. In the Select Server to Administer window, click Ok.

  27. Enter remoteAdminUser as user login ID.

  28. Enter the passcode value that you copied in step 24 and click OK. A user authentication successful message is displayed.

2.6.2 Configuring RSA Authentication Manager Connector in Remote Mode by Using a Static Password

To configure the connector in remote mode by using a static password:

  1. Create a user in the ACE server, for example, remoteAdminUser in host mode.

  2. From the User menu in RSA Authentication Manager, click Edit User and select the user created in Step 1.

  3. Click Administrative Role.

  4. In the Change Administrative Role pop-up window, select Administrator as user type and click OK.

  5. From the System menu, click Edit System Configuration, and then click Edit System Parameter.

  6. In the Administration Authentication Methods of the System Parameters window, select User Password and click OK.

  7. In the Confirmation pop-up window, click Yes.

  8. In the User menu, click Edit User and then select remoteAdminUser.

  9. In the Edit User window, click Set/Change User Password.

  10. In the Enter New User Password popup window, enter the password and click OK.

  11. In the Enter New User Password pop-up window, click Ok.

  12. In the Edit User window, click Ok.

  13. Open RSA Auth Manager in the Database Administrator Remote Mode.

  14. In the Select Server to Administer window, click OK.

  15. In the Administrator Authentication pop-up window, enter the user login and the passcode that you created in step 11 and click OK.

  16. In the Do you want the system to generate your new PIN? [y/n] dialog box, enter n and click OK.

  17. Enter a new PIN of 4 to 8 digits and click OK.

  18. In the Confirm PIN field, reenter the new PIN and click OK. A user authentication successful message is displayed.

2.7 Providing Minimum Access Rights to RSA Authentication User in Remote Mode

To provide minimum access rights to the RSA authentication user:

  1. Create a user in the ACE server, for example, remoteAdminUser in host mode.

  2. From the User menu in RSA Authentication Manager, click Edit User and select the user created in Step 1.

  3. Click Administrative Role.

  4. In the Change Administrative Role pop-up window, select Administrator as user type and click OK.

  5. Go to the Define Task List tab and click New.

  6. In the Task List field, enter the name of the task.

  7. From the Available Tasks list on the left, select the privileges that you want to assign to the user. Click the right arrow to add a task and the left arrow to remove a task.

  8. Click OK.

  9. Select the task that you have created from the list.

  10. In the Change Administrative Role window, click OK.

  11. In the Edit User window, click Set/Change User Password.

  12. In the Enter New User Password popup window, enter the password and click OK.

  13. In the Edit User window, click OK.

  14. Go to the System menu of ACE Server, select Edit System Configuration, and then select Edit System Parameter.

  15. Check the User Password under Administration Authentication Methods and click OK in the System Parameters window.

    Note:

    To enable reconciliation and provisioning, enter this static passcode as the value of the ACEAdminPassCode parameter of the ACE Server Remote IT resource.
  16. In the Confirmation popup window, click Yes.

  17. From the User menu, click Edit User, and then select remoteAdminUser.

  18. Open the RSA ACE Server in Database Administrator-Remote Mode (RSA Authentication Manager RemoteMode).

  19. In the Select Server to Administer window, click OK.

  20. In the Administrator Authentication pop-up window, enter the user login and the passcode created in Step 12 and click OK. The system prompts whether you want to generate a new PIN. Enter "n" and then click OK.

  21. Enter a new PIN of four to eight digits and click OK.

  22. Re-enter the new PIN to confirm and click OK.

  23. Enter the same PIN given in the previous step and click OK.

  24. A user authentication successful message is displayed.

2.8 Installing Software Tokens

When you use this connector to run provisioning functions that are specific to software tokens, you must provide the required input parameters, such as the Token Code.

You can determine the values of these token-specific parameters only after the RSA Software Token application is installed on the Oracle Identity Manager server or on a user computer other than the Oracle Identity Manager server.

If you are using RSA SecurID software tokens, then:

  1. Download RSA SecurID Token for Windows Desktops 3.0.5 from

    http://www.rsasecurity.com/node.asp?id=1162

  2. Install the file on the Oracle Identity Manager server.

  3. Copy the RSA SecurID software token file to an appropriate location on the Oracle Identity Manager server. The file to be copied is in the RSA Authentication Manager installation directory. The format of the directory path where you copy this file can be as follows:

    target_dir_location/Token1File/
    

    Note:

    While assigning a software token to an ACE user, you must specify the name and complete location of this file (in the db_file_location/file_name.sdtid format) in the Software Token File Name process form field.
  4. Import the .sdtid file into the RSA SecurID Token software application as follows:

    1. Click Start, and then select Programs.

    2. Click RSA SecurID Software Token, and select the subcategory RSA SecurID Software Token.

      The token screen is displayed.

    3. Click the File menu, and then select Import Tokens. In the dialog box that is displayed, select the .sdtid file mentioned in Step 3.

      For example:

      target_dir_location/Token1File/file_name.sdtid
      
    4. Select the token serial number, and click Transfer Selected Tokens to Hard Drive. The software token is imported.

    5. On the screen that is displayed, click View and then select Advanced View.

    6. On the screen that is displayed, click View and then select Token View to view the software token number.