Oracle® Identity Manager Audit Report Developer's Guide Release 9.1.0 Part Number E10365-03 |
|
|
View PDF |
You can configure Oracle Identity Manager to use one database for current transactional data and a secondary database for historical data. The secondary database eases the load on the transactional database.
You can use different data sources for the secondary database. The following sections describe how to configure Oracle Identity Manager and your application server to use a secondary data source.
This chapter discusses the following topics:
Using IBM WebSphere Application Server with a Secondary Data Source
Using Oracle Application Server with a Secondary Data Source
User profile audit data can increase in size quickly. Oracle recommends that you use a secondary database to store this information. The following system property enables reading and writing to this database directly:
XL.UserProfileAuditInSecondaryDS
.
By default, the XL.UserProfileAuditInSecondaryDS
property is set to false
. If this property is set to true
, the system reads and writes all user profile data directly to and from the secondary database.
If you configure a secondary database, all historical reports are automatically configured to run against it.
The user profile audit interacts directly with the secondary database. You must replicate other tables from the transactional database because the report needs them for access control and filtering of the report. You can disable these tables and constraints for ease of data backup, restore, or replication.
Table 6-1 lists the tables and constraints.
Table 6-1 Tables and Constraints Used in Historical Reports
Table Name | Foreign Key Constraint Name | Referenced Table Name | Referenced Column Name |
---|---|---|---|
AAD |
FK_AAD_FK_AAD_AC_ACT |
ACT |
ACT_KEY |
FK_AAD_FK_AAD_UG_UGP |
UGP |
UGP_KEY |
|
ACT |
FK_ACT_ACT |
ACT |
PARENT_KEY |
FK_ACT_SRP |
SRP |
SRP_KEY |
|
GPG |
FK_GPG_UGP |
UGP |
UGP_KEY |
FK_GPG_UGP_KEY_UGP |
UGP |
GPG_UGP_KEY |
|
OUG |
FK_OUG_OBJ |
OBJ |
OBJ_KEY |
FK_OUG_UGP |
UGP |
UGP_KEY |
|
POL |
|||
PTY |
|||
REQ |
FK_REQ_ORC |
ORC |
ORC_KEY |
FK_REQ_OST |
OST |
OST_KEY |
|
FK_REQ_USR |
USR |
USR_KEY |
|
UGP |
|||
USG |
FK_USG_RUL |
RUL |
RUL_KEY |
FK_USG_UGP |
UGP |
UGP_KEY |
|
FK_USG_USR |
USR |
USR_KEY |
|
USR |
FK_USR_ACT |
ACT |
ACT_KEY |
OSI |
FK_OSI_ACT |
ACT |
ACT_KEY |
FK_OSI_ASSIGNED_TO_USR |
USR |
USR_KEY |
|
FK_OSI_MIL |
MIL |
MIL_KEY |
|
FK_OSI_ORC |
ORC |
ORC_KEY |
|
FK_OSI_ORD |
ORD |
ORD_KEY |
|
FK_OSI_PKG |
PKG |
PKG_KEY |
|
FK_OSI_REQ |
REQ |
REQ_KEY |
|
FK_OSI_RSC |
RSC |
RSC_KEY |
|
FK_OSI_SCH |
SCH |
SCH_KEY |
|
FK_OSI_SCH_OSI_RECOVERY_FOR |
SCH |
SCH_KEY |
|
FK_OSI_SCH_OSI_RETRY_FOR |
SCH |
SCH_KEY |
|
FK_OSI_TLG |
TLG |
TLG_KEY |
|
FK_OSI_TOS |
TOS |
TOS_KEY |
|
FK_OSI_TO_UGP |
UGP |
UGP_KEY |
|
FK_OSI_TO_USR |
USR |
USR_KEY |
|
OST |
FK_OST_OBJ |
OBJ |
OBJ_KEY |
OBI |
FK_OBI_OBJ |
OBJ |
OBJ_KEY |
FK_OBI_ORC |
ORC |
ORC_KEY |
|
FK_OBI_QUE |
QUE |
QUE_KEY |
|
FK_OBI_REQ |
REQ |
REQ_KEY |
|
FK_OBI_USR |
USR |
USR_KEY |
|
OBJ |
FK_OBJ_SDK |
SDK |
SDK_KEY |
OBA |
FK_OBA_OBJ |
OBJ |
OBJ_KEY |
FK_OBA_UGP |
UGP |
UGP_KEY |
|
RCE |
FK_RCE_ACT |
ACT |
ACT_KEY |
FK_RCE_ADMIN_UGP |
UGP |
UGP_KEY |
|
FK_RCE_ADMIN_USR |
USR |
USR_KEY |
|
FK_RCE_OBJ |
OBJ |
OBJ_KEY |
|
FK_RCE_ORC |
ORC |
ORC_KEY |
|
FK_RCE_USR |
USR |
USR_KEY |
|
MIL |
FK_MIL_DEFAULT_ASSIGNEE_USR |
USR |
USR_KEY |
FK_MIL_EVT |
EVT |
EVT_KEY |
|
FK_MIL_TOS |
TOS |
TOS_KEY |
|
RCX |
|||
ORC |
FK_ORC_ACT |
ACT |
ACT_KEY |
FK_ORC_ORC_PARENT_KEY |
ORC |
ORC_KEY |
|
FK_ORC_ORD |
ORD |
ORD_KEY |
|
FK_ORC_PKG |
PKG |
PKG_KEY |
|
FK_ORC_PKH |
PKH |
PKH_KEY |
|
FK_ORC_REQ |
REQ |
REQ_KEY |
|
FK_ORC_TOS |
TOS |
TOS_KEY |
|
FK_ORC_USR |
USR |
USR_KEY |
|
OIU |
FK_OIU_LAST_ATTESTED_USR |
USR |
USR_KEY |
FK_OIU_OBI |
OBI |
OBI_KEY |
|
FK_OIU_ORC |
ORC |
ORC_KEY |
|
FK_OIU_OST |
OST |
OST_KEY |
|
FK_OIU_POL |
POL |
POL_KEY |
|
FK_OIU_REQ |
REQ |
REQ_KEY |
|
FK_OIU_USR |
USR |
USR_KEY |
|
OSH |
FK_OSH_BY_USR |
USR |
USR_KEY |
FK_OSH_SCH |
SCH |
SCH_KEY |
|
FK_OSH_STA |
STA |
STA_KEY |
|
FK_OSH_TO_UGP |
UGP |
UGP_KEY |
|
FK_OSH_TO_USR |
USR |
USR_KEY |
|
SCH |
|||
RQU |
FK_RQU_REQ |
REQ |
REQ_KEY |
FK_RQU_USR |
USR |
USR_KEY |
|
RQO |
FK_RQO_OBI |
OBI |
OBI_KEY |
FK_RQO_OBJ |
OBJ |
OBJ_KEY |
|
FK_RQO_POL |
POL |
POL_KEY |
|
FK_RQO_REQ |
REQ |
REQ_KEY |
|
STA |
To set up a secondary database:
Create the secondary database.
You can back up and restore the transactional database under a different database name, or you can replicate the transactional database.
Set up the application server to use the secondary database.
See the following sections for details.
Set the system property XL.UserProfileAuditInSecondaryDS
to True
.
This stores user profile audit data in the secondary database.
Configure daily replication of the data so that the tables in the secondary database listed in Table 6-1 are updated from the primary database. After the secondary database is functional, do not replicate the entire primary database in the secondary database or any audit data that has been stored in the secondary database will be deleted.
Or, set up either a full restore or replication.
Ensure that all stored procedures are replicated correctly in the secondary database.
Define a connection URL as follows:
For Oracle Database:
jdbc:oracle:thin:@
IP of database
:
SID
For Microsoft SQL Server:
Note:
Microsoft SQL Server is not supported in Oracle Identity Manager release 9.1.0. See ÒCertified ComponentsÓ in Oracle Identity Manager Release Notes for information about certified components.jdbc:Microsoft:sqlserver://
IP of database
:
Port
;DatabaseName=
SID
;SelectMethod=Cursor
Note:
Microsoft SQL Server is not supported in Oracle Identity Manager release 9.1.0. See ÒCertified ComponentsÓ in Oracle Identity Manager Release Notes for information about certified components.To create a new data source on JBoss Application Server, a new file called xlreportds-service.xml
is created by the setup in the deployment directory. This file creates an alias to the transactional database by using the java:jdbc/xlXAReportingDS
setting.
To point to a secondary database on JBoss Application Server:
Add the following to xell-ds.xml as a second xa-datasource
tag for the Oracle database:
<xa-datasource> <jndi-name>jdbc/xlXAReportingDS</jndi-name> <track-connection-by-tx>true</track-connection-by-tx> <isSameRM-override-value>false</isSameRM-override-value> <xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource </xa-datasource- class> <xa-datasource-property name="URL">jdbc:oracle:thin:@<IP of database system>: 1521:XELL </xa-datasource-property> <xa-datasource-property name="User">sysadm</xa-datasource-property> <xa-datasource-property name="Password">sysadm</xa-datasource-property> <exception-sorter-class-name> org.jboss.resource.adapter.jdbc.vendor. OracleExceptionSorter </exception-sorter-class-name> <no-tx-separate-pools/> <valid-connection-checker-class-name> org.jboss.resource.adapter.jdbc.vendor. OracleValidConnectionChecker </valid-connection-checker-class-name> </xa-datasource>
For Microsoft SQL Server, the secondary database tag is as follows:
<xa-datasource>
<jndi-name>jdbc/xlXADS</jndi-name>
<track-connection-by-tx>true</track-connection-by-tx>
<xa-datasource-class>
com.microsoft.jdbcx.sqlserver.SQLServerDataSource</xa-datasource-class>
<xa-datasource-property name="ServerName"><IP of database system> </xa-datasource-property>
<xa-datasource-property name="DatabaseName">XELL</xa-datasource-property>
<xa-datasource-property name="SelectMethod">cursor</xa-datasource-property>
<xa-datasource-property name="PortNumber">1433</xa-datasource-property>
<user-name>sysadm</user-name>
<password>sysadm</password>
<check-valid-connection-sql>
select 1 from USR where 1=2
</check-valid-connection-sql>
</xa-datasource>
The class names for Oracle Database and Microsoft SQL Server vary as indicated:
Oracle:
oracle.jdbc.xa.client.OracleXADataSource
Microsoft SQL Server:
com.microsoft.jdbcx.sqlserver.SQLServerDataSource
Change the database name, user name, and password to connect to the database you set up as the secondary database.
Restart the JBoss server.
Note:
Do not add thexa-datasource
block in this section or point the jdbc/xlXAReportingDS
to the transactional database because it causes errors. To point to the same transactional database, keep the xlreportds-service.xml
file as is.Note:
JBoss Application Server clustered environments are not supported in Oracle Identity Manager release 9.1.0. See ÒCertified ComponentsÓ in Oracle Identity Manager Release Notes for information about certified components.In a standalone setup, the xell-ds.xml and xlreportds-service.xml files are in the JBOSS_HOME
/server/default/deploy/
directory.
In a clustered setup, the xell-ds.xml
file is in the JBOSS_HOME
/server/all/farm/
directory, and xlreportds-service.xml
in the JBOSS_HOME
/server/all/deploy/
directory.
To configure a cluster for JBoss Application Server:
Copy the changes to the xell-ds.xml
file to all computers in the cluster.
Restart the JBoss servers on all computers in the cluster.
Before changing the data source that Oracle Identity Manager uses for reporting, create a new data source in BEA WebLogic Server. Follow the BEA WebLogic Server manuals to set up a new data source.
To configure BEA WebLogic Server with a secondary data source by using the Oracle database:
Log in to the WebLogic administrative console.
Create a secondary data source and deploy it on the server.
Navigate to JDBC Data Sources on the WebLogic administrative console and create a data source with the following credentials:
Edit the weblogic.profile
file in the OIM_HOME
/xellerate/Profiles/
directory to point to the new data source.
Add the JNDI name to weblogic.profile as follows:
Run the patch command (patch_weblogic
) for the changes to take effect.
Before changing the data source used by Oracle Identity Manager for reporting, you must create a new data source in IBM WebSphere Application Server. See the IBM WebSphere Application Server manuals for information about setting up a new data source.
To configure IBM WebSphere Application Server with a secondary data source by using the Oracle database:
Log in to the WebSphere administrator console.
Create a new data source with the following details:
Define the connection URL as follows:
jdbc:oracle:thin:@
IP_of_database
:
port_number
:
SID
For example: jdbc:oracle:thin:@192.168.161.134:1521:xeltest
Use the following J2C authentication data values:
Alias: secondary_user_alias
User: secondary_user
Password: secondary_user_password
Description: Descriptive_text_for_the_data
Select the component-managed authentication aliases for XAReportingDatasource
with the following values:
Component-managed authentication alias: J2C_Authentication_Data Entries
Container-managed authentication alias: J2C_Authentication_Data Entries
Save and synchronize changes among all nodes.
Open the websphere.profile
file, and add the JNDI information that points to the new data source in the OIM_HOME
/xellerate/Profiles/
directory.
Comment out the existing data source entry for xlXADS
and add the information for xlXAReportingDS
as follows:
# Reporting data source #datasource.report=jdbc/xlXADS datasource.report=jdbc/xlXAReportingDS
Set the following Java Client System property to true:
XL.UserProfileAuditInSecondaryDS=True
Run patch_websphere.cmd
or patch_websphere.sh
as applicable from the OIM_HOME
/xellerate/setup
directory.
Before changing the data source used by Oracle Identity Manager for reporting, you must create a new data source in Oracle Application Server.
To configure Oracle Application Server with a secondary data source by using the Oracle database:
Log in to the Oracle Enterprise Manager 10g Application Server Console for the Oracle Application Server instance.
Click the Oracle Application Server instance on which Oracle Identity Manager is deployed.
The Administration tab displays the list of administration tasks you can perform on the selected Oracle Application Server instance.
Expand the Services section of the table by either clicking the expand icon or clicking Expand All.
In the JDBC Resources row, click the task icon.
To create a connection pool, in the Connection Pools section, click Create and then select the following values for the Application and Connection Pool Type parameters:
Application: default
Connection Pool Type: New Connection Pool
Click Continue.
For the following parameters, enter (or change to) the specified values:
Name: xlXAReportingConnectionPool
Connection Factory Class: oracle.jdbc.xa.client.OracleXADataSource
JDBC URL: jdbc:oracle:thin:@IP_of_database:port_number:SID
For example: jdbc:oracle:thin:@127.0.0.1:1521:xeltest
Username: Enter the secondary database user name.
Use Cleartext Password: Enter the secondary database password.
See Also:
Oracle Application Server documentation for information about using the Indirect Password featureAlternatively, to view information about this feature, click the i icon displayed next to the Use Indirect Password field in the Credentials section of the same tab.
On the Attributes tab, enter the values specified for xlXAConnectionPool
. To view those values:
Log in to another instance of the Oracle Enterprise Manager 10g Application Server Console for the Oracle Application Server instance.
Click the Oracle Application Server instance on which Oracle Identity Manager is deployed.
On the Administration tab, expand the Services section of the table.
In the JDBC Resources row, click the task icon.
Click xlXAConnectionPool.
The values that you must copy are displayed on the Attributes tab.
Click Finish.
In the Data Sources section, click Create to create a datasource with the following parameters:
Application: default
Datasource Type: Managed Data Source
Click Continue.
For the following parameters, enter (or change to) the specified values:
Name: xlXAReportingDS
JNDI Location: jdbc/xlXAReportingDS
Transaction Level: Global & Local transaction
Connection Pool: xlXAReportingConnectionPool
Click Finish.
Open the oc4j.profile
file, and add the JNDI information that points to the new data source in the OIM_HOME
/Profiles/
directory. Comment out the existing data source entry for xlXADS
and add the information for xlXAReportingDS
as follows:
# Reporting data source #datasource.report=jdbc/xlXADS datasource.report=jdbc/xlXAReportingDS
Based on the operating system on which Oracle Identity Manager is installed, run one of the following scripts:
For UNIX:
patch_oc4j.sh
oc4j_admin_password
oim_db_user_password
For Microsoft Windows:
patch_oc4j.cmd
oc4j_admin_password
oim_db_user_password
Restart Oracle Application Server.
To configure a cluster for Oracle Application Server:
Perform steps 2 through 13 of the procedure to configure Oracle Application Server with a secondary data source in all the Oracle Application Server instances on which Oracle Identity Manager is installed.
Modify each OIM_HOME
/profiles/oc4j.profile
file on all cluster members participating in the cluster.
Based on the operating system on which Oracle Identity Manager is installed, run patch_oc4j.sh
or patch_oc4j.cmd
on all cluster members participating in the cluster.
Stop and restart all cluster members.