2 Deploying the Connector

The procedure to deploy the connector can be divided into the following stages:

2.1 Preinstallation

Preinstallation information is divided across the following sections:

2.1.1 Preinstallation on Oracle Identity Manager

This section contains the following topics:

2.1.1.1 Files and Directories on the Installation Media

Table 2-1 describes the files and directories on the installation media.

Table 2-1 Files and Directories on the Installation Media

File in the Installation Media Directory | Description

config/DBUMLookUpQuery.properties

This file contains SQL queries that are used for lookup field synchronization.

config/DBUMReconQuery.properties

This file contains SQL queries and stored procedures that are used for reconciliation.

Files in the configuration directory

DB_User-Management-DB2-CI.xml

DB_User-Management-MSSQL-CI.xml

DB_User-Management-MySQL-CI.xml

DB_User-Management-Oracle-CI.xml

DB_User-Management-Sybase-CI.xml

This directory contains the configuration files that are used by the Connector Installer during installation of the connector for a particular target system.

JavaDoc

This directory contains information about the Java APIs used by the connector.

lib/DBUM.jar

This JAR file contains the class files that are used during reconciliation and provisioning operations. During connector installation, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/JavaTasks

  • For Oracle Identity Manager release 11.1.1: Oracle Identity Manager database

lib/DBUMCommon.jar

This JAR file contains utility classes that support provisioning and reconciliation operations. During connector installation, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/JavaTasks

  • For Oracle Identity Manager release 11.1.1: Oracle Identity Manager database

lib/Common.jar

This JAR file contains classes that are used by all release 9.1.x connectors. During connector installation, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/JavaTasks

  • For Oracle Identity Manager release 11.1.1: Oracle Identity Manager database

Files in the resources directory

Each of these resource bundles contains language-specific information that is used by the connector. During connector deployment, this file is copied to the following location:

  • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/connectorResources

  • For Oracle Identity Manager release 11.1.1: Oracle Identity Manager database

Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages.

test/config/config.properties

This testing-utility file contains the attributes for Oracle Identity Manager to connect to the target system and perform provisioning operations.

test/config/log.properties

This file is used to store logging messages that are generated when you run the testing utility.

test/scripts/DBUMTestingUtility.bat

test/scripts/DBUMTestingUtility.sh

These files are used to start the testing utility.

Files in the xml directory

DBUserManagement-DB2-ConnectorConfig.xml

DBUserManagement-MSSQL-ConnectorConfig.xml

DBUserManagement-MySQL-ConnectorConfig.xml

DBUserManagement-Oracle-ConnectorConfig.xml

DBUserManagement-Sybase-ConnectorConfig.xml

This directory contains XML files specific to a target system. The XML file contains definitions for the various connector objects, such as resource objects and scheduled tasks.

  • Common IT resource type

  • Process form for each login entity

  • Process form for each user entity

  • Adapters

  • Process tasks for each login entity

  • Process tasks for each user entity

  • Resource objects for each login entity

  • Resource objects for each user entity

  • Provisioning Processes for each login entity

xml/DBUserManagementTrusted-ConnectorConfig.xml

This file contains the configuration for the OIM User. You import this file only if you plan to use the connector in trusted source reconciliation mode.


2.1.1.2 Determining the Release Number of the Connector

Note:

If you are using Oracle Identity Manager release 9.1.0.x, then the procedure described in this section is optional.

If you are using Oracle Identity Manager release 11.1.1, then skip this section.

You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:

  1. In a temporary directory, extract the contents of the connector JAR file that is in the OIM_HOME/xellerate/JavaTasks directory.

  2. Open the Manifest.mf file in a text editor. The Manifest.mf file is one of the files bundled inside the connector JAR file.

    In the Manifest.mf file, the release number of the connector is displayed as the value of the Version property.

2.1.1.3 Creating a Backup of the Existing Common.jar File

The Common.jar file is in the deployment package of each release 9.1.x connector. With each new release, code corresponding to that particular release is added to the existing code in this file. For example, the Common.jar file shipped with Connector Y on 12-July contains:

  • Code specific to Connector Y

  • Code included in the Common.jar files shipped with all other release 9.1.x connectors that were released before 12-July

If you have already installed a release 9.1.x connector that was released after the current release of the Database User Management connector, then back up the existing Common.jar file, install the Database User Management connector, and then restore the Common.jar file. The steps to perform this procedure are as follows:

Caution:

If you do not perform this procedure, then your release 9.1.x connectors might not work.

  1. Determine the release date of your existing release 9.1.x connector as follows:

    1. Extract the contents of the following file in a temporary directory:

      OIM_HOME/xellerate/JavaTasks/Common.jar

      Note:

      On Oracle Identity Manager release 11.1.1, use the Oracle Identity Manager Download JARs utility to download the Common.jar file from the database, and then extract the contents of this file into a temporary directory.

      See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager 11g Release 1 (11.1.1) for instructions about using the Download JARs utility.

    2. Open the Manifest.mf file in a text editor.

    3. Note down the Build Date and Build Version values.

  2. Determine the Build Date and Build Version values of the current release of the Database User Management connector as follows:

    1. On the installation media for the connector, extract the contents of the lib/Common.jar and then open the Manifest.mf file in a text editor.

    2. Note down the Build Date and Build Version values.

  3. If the Build Date and Build Version values for the Database User Management connector are less than the Build Date and Build Version values for the connector that is installed, then:

    • If you are using Oracle Identity Manager release 9.1.0.x, then:

      1. Copy the OIM_HOME/xellerate/JavaTasks/Common.jar to a temporary location.

      2. After you perform the procedure described in Section 2.2, "Installation" overwrite the new Common.jar file in the OIM_HOME/xellerate/JavaTasks directory with the Common.jar file that you backed up in the preceding step.

    • If you are using Oracle Identity Manager release 11.1.1, then run the Oracle Identity Manager Upload JARs utility to post the Common.jar file to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:

      Note:

      Before you run this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.

      For Microsoft Windows:

      OIM_HOME/server/bin/UploadJars.bat

      For UNIX:

      OIM_HOME/server/bin/UploadJars.sh

      When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.

      See Also:

      Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about the Upload JARs utility
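The two manual checks above (reading the Version value in Section 2.1.1.2, and comparing Build Date and Build Version in Section 2.1.1.3) can be scripted. The following is an added example, not Oracle's code: it opens a JAR, parses its manifest, and applies the "is the shipped Common.jar older than the installed one?" rule. The manifest attribute spellings, the date format, and the two sample manifests are assumptions constructed for the example.

```python
"""Inspect a connector JAR's Manifest.mf and compare Build Date / Build Version values.

Added example, not Oracle's code. Attribute names ("Version", "Build Date",
"Build Version"), the date formats and the sample manifests are assumptions.
"""
import io
import re
import zipfile
from datetime import datetime

# Constructed manifests standing in for the Common.jar already on the OIM host
# and the Common.jar on the installation media of this connector release.
INSTALLED_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Version: 9.1.1.5\r\n"
    "Build Date: 2010-03-02\r\n"
    "Build Version: 9.1.1.5.0\r\n"
)
SHIPPED_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Version: 9.1.0.1\r\n"
    "Build Date: 2009-11-20\r\n"
    "Build Version: 9.1.0.1.0\r\n"
)

DATE_FORMATS = ("%Y-%m-%d", "%d-%b-%Y", "%m/%d/%Y")  # assumed possibilities


def build_sample_jar(manifest_text: str) -> bytes:
    """Build an in-memory JAR containing only a manifest (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Parse the main section of a JAR manifest into a {name: value} dict.

    Names are lower-cased with '-' and ' ' unified, so "Build-Date" and
    "Build Date" match. A line starting with a space continues the previous value.
    """
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line; ignore it
        last = re.sub(r"[-\s]+", " ", name.strip().lower())
        attrs[last] = value.strip()
    return attrs


def read_manifest(jar_bytes: bytes) -> dict:
    """Read META-INF/MANIFEST.MF (the Manifest.mf the guide refers to) from JAR bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.upper() == "META-INF/MANIFEST.MF":
                return parse_manifest(jar.read(name).decode("utf-8", "replace"))
    raise ValueError("JAR has no manifest")


def connector_release(jar_bytes: bytes) -> str:
    """Section 2.1.1.2: the release number is the manifest's Version value."""
    return read_manifest(jar_bytes).get("version", "")


def version_tuple(version: str) -> tuple:
    """'9.1.1.5' -> (9, 1, 1, 5), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_date(value: str) -> datetime:
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised Build Date: {value!r}")


def build_info(jar_bytes: bytes) -> tuple:
    """(Build Date, Build Version) of a JAR, as comparable values."""
    attrs = read_manifest(jar_bytes)
    return parse_date(attrs["build date"]), version_tuple(attrs["build version"])


def must_restore_existing(installed_jar: bytes, shipped_jar: bytes) -> bool:
    """Section 2.1.1.3 rule: back up and later restore the installed Common.jar when
    the one shipped with this connector is older. Build Date is compared first and
    Build Version breaks ties; that ordering is an assumption of this example."""
    return build_info(shipped_jar) < build_info(installed_jar)
```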

2.1.2 Preinstallation on the Target System

Preinstallation on the target system involves performing the following procedures:

2.1.2.1 Configuring Microsoft SQL Server

If you are using Microsoft SQL Server 2000, then you must configure Microsoft SQL server by ensuring that:

  • The target database in which users are to be created exists in the target Microsoft SQL Server installation.

  • The TCP/IP port is enabled. The default port is 1433.

    To enable the TCP/IP port:

    1. Open the Microsoft SQL Server Configuration Manager.

    2. Click SQL Server Network Configuration.

    3. Click Protocols for MSSQLSERVER.

    4. In the right frame, right-click TCP/IP and then click Enable.

  • The TCP/IP port is not the only port enabled. Ports other than the TCP/IP port must also be enabled.

  • Mixed mode authentication is enabled.

  • The TCP/IP port is not blocked by a firewall.

2.1.2.2 Using External Code Files

Perform the steps given in one of the following sections to copy external code files:

Note:

While installing Oracle Identity Manager in a cluster, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy the contents of the connectorResources directory and the JAR files to the corresponding directories on each node of the cluster.

2.1.2.2.1 Copying External Code Files for IBM DB2 UDB

Copy the db2jcc.jar and db2jcc4.jar files from the DB2_HOME/IBM/SQLLIB/java directory into the following directory:

  • For Oracle Identity Manager release 9.1.0.x:

    OIM_HOME/xellerate/ThirdParty

  • For Oracle Identity Manager release 11.1.1:

    OIM_HOME/server/ThirdParty

2.1.2.2.2 Copying External Code Files for Microsoft SQL Server

Note:

If your Oracle Identity Manager installation is using a Microsoft SQL Server database, then you need not perform the instructions given in this section.

Copy the following JAR files into the OIM_HOME/xellerate/ThirdParty directory for Oracle Identity Manager release 9.1.0.x and OIM_HOME/server/ThirdParty directory for Oracle Identity Manager release 11.1.1:

  • For Microsoft SQL Server 2000

    Copy the following JDBC driver files:

    • mssqlserver.jar

    • msbase.jar

    • msutil.jar

    These files are shipped in the Microsoft SQL Server 2000 Driver for JDBC Service Pack 4, which you can download from the Microsoft Web site.

  • For Microsoft SQL Server 2005

    Copy the sqljdbc.jar JDBC driver file. This file can be downloaded from the Microsoft Web site.

  • For Microsoft SQL Server 2008

    Copy the sqljdbc4.jar file.

2.1.2.2.3 Copying External Code Files for MySQL

Download the mysql-connector-java-5.1.8-bin.jar file or the latest version of the JDBC driver from the MySQL Web site at http://dev.mysql.com/downloads/connector/j/

Then, copy the mysql-connector-java-5.1.8-bin.jar file or the latest version of the JDBC driver into the following directory:

  • For Oracle Identity Manager release 9.1.0.x:

    OIM_HOME/xellerate/ThirdParty

  • For Oracle Identity Manager release 11.1.1:

    OIM_HOME/server/ThirdParty

2.1.2.2.4 Copying External Code Files for Oracle Database

If the connector is used with Oracle9i Database or Oracle Database 10g or 11g, then the required external code file is ojdbc14.jar.

This JAR file is available in the Oracle Database installation at, for example, the following path:

ORACLE_HOME/jdbc/lib

In this directory path, ORACLE_HOME is the location where Oracle Database is installed. For example, C:\Oracle\ora92.

You must copy the ojdbc14.jar file to the following directory:

  • For Oracle Identity Manager release 9.1.0.x:

    OIM_HOME/xellerate/ThirdParty

  • For Oracle Identity Manager release 11.1.1:

    OIM_HOME/server/ThirdParty

2.1.2.2.5 Copying External Code Files for Sybase

Copy the jconn2.jar file from the SYBASE_HOME/jConnect-5_5/classes directory into the OIM_HOME/xellerate/ThirdParty directory.

If SYBASE_HOME contains the jConnect-6_0 directory, then copy the jconn3.jar file from the SYBASE_HOME/jConnect-6_0/classes directory, into the OIM_HOME/xellerate/ThirdParty directory.

2.2 Installation

Installing the connector on Oracle Identity Manager involves the following procedures:

2.2.1 Running the Connector Installer

Note:

In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.

To run the Connector Installer:

  1. Copy the contents of the connector installation media directory into the following directory:

    Note:

    In an Oracle Identity Manager cluster, perform this step on each node of the cluster.

    • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/ConnectorDefaultDirectory

    • For Oracle Identity Manager release 11.1.1: OIM_HOME/server/ConnectorDefaultDirectory

  2. Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of the following guide:

    • For Oracle Identity Manager release 9.1.0.x:

      Oracle Identity Manager Administrative and User Console Guide

    • For Oracle Identity Manager release 11.1.1:

      Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager

  3. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager 9.1.0.x:

      Click Deployment Management, and then click Install Connector.

    • For Oracle Identity Manager 11.1.1:

      On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Install Connector.

  4. The Connector List list displays the names and release numbers of connectors whose installation files you copied into the default connector installation directory in Step 1.

    You can select one of the following options:

    • For IBM DB2 UDB:

      DB2 DBUM User Management RELEASE_NUMBER

    • For Microsoft SQL Server:

      MSSQL DBUM User Management RELEASE_NUMBER

    • For MySQL:

      MySQL DBUM User Management RELEASE_NUMBER

    • For Oracle Database:

      Oracle DBUM User Management RELEASE_NUMBER

    • For Sybase:

      Sybase DBUM User Management RELEASE_NUMBER

    If you have copied the installation files into a different directory, then:

    1. In the Alternative Directory field, enter the full path and name of that directory.

    2. To repopulate the list of connectors in the Connector List list, click Refresh.

    3. From the Connector List list, select DB User Management RELEASE_NUMBER.

  5. Click Load.

  6. To start the installation process, click Continue.

    The following tasks are performed in sequence:

    1. Configuration of connector libraries

    2. Import of the connector XML file (through the Deployment Manager). If you want to import the target system as a trusted source for reconciliation, then see Section 2.3.1.1, "Configuring the Target System As a Trusted Source".

    3. Compilation of adapters

    On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:

    • Retry the installation by clicking Retry.

    • Cancel the installation and begin again from Step 1.

  7. If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:

    1. Ensuring that the prerequisites for using the connector are addressed

      Note:

      At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Section 2.3.1.4, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for information about running the PurgeCache utility.

      There are no prerequisites for some predefined connectors.

    2. Configuring an IT resource for the connector

      Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is described later in this guide.

    3. Configuring the scheduled tasks that are created when you installed the connector

      Record the names of the scheduled tasks displayed on this page. The procedure to configure these scheduled tasks is described later in this guide.

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-1.

Installing the Connector in an Oracle Identity Manager Cluster

While installing Oracle Identity Manager in a cluster, you must copy all the JAR files and the contents of the connectorResources directory into the corresponding directories on each node of the cluster. Then, restart each node. See Section 2.1.1.1, "Files and Directories on the Installation Media" for information about the files that you must copy and their destination locations on the Oracle Identity Manager server.

Restoring the Common.jar File

If required, restore the Common.jar file that you had backed up by following the procedure described in Section 2.1.1.3, "Creating a Backup of the Existing Common.jar File."

2.2.2 Copying Files to the Oracle Identity Manager Host Computer

After you run the Connector Installer, you must manually copy the files listed in Table 2-2.

Note:

If a particular destination directory does not exist on the Oracle Identity Manager host computer, then create it.

Table 2-2 Files to Be Copied to the Oracle Identity Manager Host Computer

Files on the Installation Media | Destination Directory on the Oracle Identity Manager Release 9.1.0.x Host Computer | Destination Directory on the Oracle Identity Manager Release 11.1.1 Host Computer

Files in the config directory | OIM_HOME/xellerate/XLintegrations/DBUM/config | OIM_HOME/server/XLintegrations/DBUM/config

Files in the test/config directory | OIM_HOME/xellerate/XLintegrations/DBUM/config | OIM_HOME/server/XLintegrations/DBUM/config

Files in the test/scripts directory | OIM_HOME/xellerate/XLintegrations/DBUM/scripts | OIM_HOME/server/XLintegrations/DBUM/scripts


2.3 Postinstallation

Postinstallation steps are divided across the following sections:

2.3.1 Postinstallation on Oracle Identity Manager

This section discusses the following topics:

Note:

In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster.

2.3.1.1 Configuring the Target System As a Trusted Source

The target system can be designated as a trusted source or target resource. As discussed earlier in this guide, if you designate the target system as a trusted source, then during a reconciliation run:

  • For each newly created user on the target system, an OIM User is created.

  • Updates made to each user on the target system are propagated to the corresponding OIM User.

If you designate the target system as a target resource, then during a reconciliation run:

  • For each account created on the target system, a resource is assigned to the corresponding OIM User.

  • Updates made to each account on the target system are propagated to the corresponding resource.

Note:

You can skip this section if you do not want to designate the target system as a trusted source for reconciliation.

Configuring trusted source reconciliation involves the following steps:

  1. Import the XML file for trusted source reconciliation, DBUserManagementTrusted-ConnectorConfig.xml, by using the Deployment Manager. This section describes the procedure to import the XML file.

    Note:

    Only one target system can be designated as a trusted source. If you import the DBUserManagementTrusted-ConnectorConfig.xml file while another trusted source is already configured, then reconciliation stops working for both connectors.

  2. Depending on the target system that you use, specify values for the attributes of the corresponding scheduled task for trusted source reconciliation. This procedure is described later in this guide.

To import the XML file for trusted source reconciliation:

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. If you are using Oracle Identity Manager release 9.1.0.x, then:

    1. Click the Deployment Management link on the left navigation pane.

    2. Click the Import link under Deployment Management. A dialog box for opening files is displayed.

  3. If you are using Oracle Identity Manager release 11.1.1, then:

    1. On the Welcome page, click Advanced in the upper-right corner.

    2. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Import Deployment Manager File. A dialog box for opening files is displayed.

  4. Locate and open the DBUserManagementTrusted-ConnectorConfig.xml file, which is in the following directory:

    • For Oracle Identity Manager release 9.1.0.x:

      OIM_HOME/xellerate/ConnectorDefaultDirectory/DB_User_Management_RELEASE_NUMBER/xml

    • For Oracle Identity Manager release 11.1.1:

      OIM_HOME/server/ConnectorDefaultDirectory/DB_User_Management_RELEASE_NUMBER/xml

    Details of this XML file are shown on the File Preview page.

    Note:

    If you have copied the contents of the connector installation media directory to an alternative directory, then the DBUserManagementTrusted-ConnectorConfig.xml file is located in the following directory:

    ALTERNATIVE_DIRECTORY/DB_User_Management_RELEASE_NUMBER/xml

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Import.

  8. In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.

Note:

After you import the XML file for trusted source reconciliation, you must also configure the scheduled task for trusted source reconciliation. The procedure is described in Section 3.4.5, "Reconciliation Scheduled Tasks."

2.3.1.2 Changing to the Required Input Locale

Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.

You may require the assistance of the system administrator to change to the required input locale.

2.3.1.3 Modifying the SVP Table

Change the length of the SVP_FIELD_VALUE column in the SVP table to 2000 as follows:

  1. Log in to the Oracle Identity Manager database by using the Oracle Identity Manager database user credentials.

  2. Enter the following command at the SQL prompt:

    For Oracle Database:

    ALTER TABLE SVP MODIFY SVP_FIELD_VALUE VARCHAR2(2000);
    

    For Microsoft SQL Server:

    ALTER TABLE SVP ALTER COLUMN SVP_FIELD_VALUE VARCHAR(2000);
    

2.3.1.4 Clearing Content Related to Connector Resource Bundles from the Server Cache

Note:

In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster. Then, restart each node.

When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the OIM_HOME/xellerate/connectorResources directory for Oracle Identity Manager release 9.1.0.x and Oracle Identity Manager database for Oracle Identity Manager release 11.1.1. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

  1. In a command window, perform one of the following steps:

    • If you are using Oracle Identity Manager release 9.1.0.x, then switch to the OIM_HOME/xellerate/bin directory.

    • If you are using Oracle Identity Manager release 11.1.1, then switch to the OIM_HOME/server/bin directory.

    Note:

    You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:

    For Oracle Identity Manager release 9.1.0.x:

    OIM_HOME/xellerate/bin/SCRIPT_FILE_NAME
    

    For Oracle Identity Manager release 11.1.1:

    OIM_HOME/server/bin/SCRIPT_FILE_NAME
    
  2. Enter one of the following commands:

    Note:

    You can use the PurgeCache utility to purge the cache for any content category. Run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the content category that must be purged.

    For example, the following commands purge Metadata entries from the server cache:

    PurgeCache.bat MetaData

    PurgeCache.sh MetaData

    • For Oracle Identity Manager release 9.1.0.x:

      On Microsoft Windows: PurgeCache.bat ConnectorResourceBundle

      On UNIX: PurgeCache.sh ConnectorResourceBundle

      Note:

      You can ignore the exception that is thrown when you perform Step 2. This exception is different from the one mentioned in Step 1.

      In this command, ConnectorResourceBundle is one of the content categories that you can delete from the server cache. See the following file for information about the other content categories:

      OIM_HOME/xellerate/config/xlconfig.xml

    • For Oracle Identity Manager release 11.1.1:

      On Microsoft Windows: PurgeCache.bat All

      On UNIX: PurgeCache.sh All

      When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:

      t3://OIM_HOST_NAME:OIM_PORT_NUMBER
      

      In this format:

      • Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.

      • Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.

    See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.

2.3.1.5 Enabling Logging

Depending on the Oracle Identity Manager release you are using, perform instructions in one of the following sections:

2.3.1.5.1 Enabling Logging on Oracle Identity Manager Release 9.1.0.x

Note:

In an Oracle Identity Manager cluster, perform this procedure on each node of the cluster. Then, restart each node.

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • ALL

    This level enables logging for all events.

  • DEBUG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • INFO

    This level enables logging of messages that highlight the progress of the application at a coarse-grained level.

  • WARN

    This level enables logging of information about potentially harmful situations.

  • ERROR

    This level enables logging of information about error events that might allow the application to continue running.

  • FATAL

    This level enables logging of information about very severe error events that could cause the application to stop functioning.

  • OFF

    This level disables logging for all events.

The file in which you set the log level and the log file path depend on the application server that you use:

  • IBM WebSphere Application Server

    To enable logging:

    1. Make the following changes in the OIM_HOME/xellerate/config/log.properties file:

      • Search for the following line:

        log4j.rootLogger=WARN,stdout
        

        Make this line a comment and uncomment the line preceding this line.

      • Locate and uncomment the following lines:

        #log4j.appender.logfile=org.apache.log4j.DailyRollingFileAppender
        #log4j.appender.logfile.DatePattern='.'yyyy-MM-dd
        #log4j.appender.logfile.File=DIRECTORY_PATH/xel.log
        #log4j.appender.logfile.MaxBackupIndex=20
        #log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
        #log4j.appender.logfile.layout.ConversionPattern=%p %t %c - %m%n
        
    2. Specify the name and location of the file to which the preceding logs must be written. You can do this by changing the value of the following line:

      log4j.appender.logfile.File=c:/oracle/xellerate/logs/xel.log
      

      Replace c:/oracle/xellerate/logs with a valid directory location.

    3. Add the following lines in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.OIMCP.DBUM=log_level
      log4j.logger.OIMCP.DBUMCOMMON=log_level

    4. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.OIMCP.DBUM=DEBUG
      log4j.logger.OIMCP.DBUMCOMMON=DEBUG
      

    After you enable logging, log information is written to the following file:

    DIRECTORY_PATH/xel.log

  • JBoss Application Server

    To enable logging:

    1. In the JBOSS_HOME/server/default/conf/jboss-log4j.xml file, add the following lines:

      <category name="OIMCP.DBUM">
         <priority value="log_level"/>
      </category>
      <category name="OIMCP.DBUMCOMMON">
         <priority value="log_level"/>
      </category>


      In an Oracle Identity Manager cluster, make these changes in the following file:

      JBOSS_HOME/server/all/conf/jboss-log4j.xml

    2. In these lines, replace log_level with the log level that you want to set. For example:

      <category name="OIMCP.DBUM">
         <priority value="DEBUG"/>
      </category>
      <category name="OIMCP.DBUMCOMMON">
         <priority value="DEBUG"/>
      </category>
      

    After you enable logging, log information is written to the following file:

    JBOSS_HOME/server/default/log/server.log

    In an Oracle Identity Manager cluster, log information is written to the following file:

    JBOSS_HOME/server/all/log/server.log

  • Oracle WebLogic Server

    To enable logging:

    1. Make the following changes in the OIM_HOME/xellerate/config/log.properties file:

      • Search for the following line:

        log4j.rootLogger=WARN,stdout
        

        Make this line a comment and uncomment the line preceding this line.

      • Locate and uncomment the following lines:

        #log4j.appender.logfile=org.apache.log4j.DailyRollingFileAppender
        #log4j.appender.logfile.DatePattern='.'yyyy-MM-dd
        #log4j.appender.logfile.File=DIRECTORY_PATH/xel.log
        #log4j.appender.logfile.MaxBackupIndex=20
        #log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
        #log4j.appender.logfile.layout.ConversionPattern=%p %t %c - %m%n
        
    2. Specify the name and location of the file to which the preceding logs must be written. You can do this by changing the value of the following line:

      log4j.appender.logfile.File=c:/oracle/xellerate/logs/xel.log
      

      Replace c:/oracle/xellerate/logs with a valid directory location.

    3. Add the following line in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.OIMCP.DBUM=log_level
      
    4. In this line, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.OIMCP.DBUM=DEBUG
      

    After you enable logging, log information is written to the following file:

    DIRECTORY_PATH/xel.log

2.3.1.5.2 Enabling Logging on Oracle Identity Manager Release 11.1.1

Note:

In an Oracle Identity Manager cluster, perform this procedure on each node of the cluster. Then, restart each node.

Oracle Identity Manager release 11.1.1 uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • SEVERE.intValue()+100

    This level enables logging of information about fatal errors.

  • SEVERE

    This level enables logging of information about errors that might allow Oracle Identity Manager to continue running.

  • WARNING

    This level enables logging of information about potentially harmful situations.

  • INFO

    This level enables logging of messages that highlight the progress of the application.

  • CONFIG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • FINE, FINER, FINEST

    These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These log levels are mapped to ODL message type and level combinations as shown in Table 2-3.

Table 2-3 Log Levels and ODL Message Type:Level Combinations

Log Level               ODL Message Type:Level
---------------------   ----------------------
SEVERE.intValue()+100   INCIDENT_ERROR:1
SEVERE                  ERROR:1
WARNING                 WARNING:1
INFO                    NOTIFICATION:1
CONFIG                  NOTIFICATION:16
FINE                    TRACE:1
FINER                   TRACE:16
FINEST                  TRACE:32


The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Manager.

To enable logging in Oracle WebLogic Server:

  1. Edit the logging.xml file as follows:

    1. Add the following blocks in the file:

      <log_handler name='db-um-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
        <property name='logreader:' value='off'/>
        <property name='path' value='[FILE_NAME]'/>
        <property name='format' value='ODL-Text'/>
        <property name='useThreadName' value='true'/>
        <property name='locale' value='en'/>
        <property name='maxFileSize' value='5242880'/>
        <property name='maxLogSize' value='52428800'/>
        <property name='encoding' value='UTF-8'/>
      </log_handler>

      <logger name="OIMCP.DBUM" level="[LOG_LEVEL]" useParentHandlers="false">
        <handler name="db-um-handler"/>
        <handler name="console-handler"/>
      </logger>

      <logger name="OIMCP.DBUMCOMMON" level="[LOG_LEVEL]" useParentHandlers="false">
        <handler name="db-um-handler"/>
        <handler name="console-handler"/>
      </logger>
      
    2. Replace all occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 2-3 lists the supported message type and level combinations.

      Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.

      The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME] :

      <log_handler name='db-um-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
        <property name='logreader:' value='off'/>
        <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/>
        <property name='format' value='ODL-Text'/>
        <property name='useThreadName' value='true'/>
        <property name='locale' value='en'/>
        <property name='maxFileSize' value='5242880'/>
        <property name='maxLogSize' value='52428800'/>
        <property name='encoding' value='UTF-8'/>
      </log_handler>

      <logger name="OIMCP.DBUM" level="NOTIFICATION:1" useParentHandlers="false">
        <handler name="db-um-handler"/>
        <handler name="console-handler"/>
      </logger>

      <logger name="OIMCP.DBUMCOMMON" level="NOTIFICATION:1" useParentHandlers="false">
        <handler name="db-um-handler"/>
        <handler name="console-handler"/>
      </logger>
      

    With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.

  2. Save and close the file.

  3. Set the following environment variable to redirect the server logs to a file:

    For Microsoft Windows:

    set WLS_REDIRECT_LOG=FILENAME
    

    For UNIX:

    export WLS_REDIRECT_LOG=FILENAME
    

    Replace FILENAME with the location and name of the file to which you want to redirect the output.

  4. Restart the application server.
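As an added example (not code from this guide or from Oracle), the following Python script applies the logging.xml edits of step 1 programmatically so that the same change can be repeated identically on every node of a cluster: it validates the [LOG_LEVEL] against Table 2-3, adds db-um-handler and the two connector loggers, and updates them in place if they already exist. It assumes the usual OJDL layout, a <log_handlers> and a <loggers> section directly under <logging_configuration>; the sample file and the log path are constructed.

```python
"""Add the Database User Management connector loggers to an OJDL logging.xml.

Added example for this guide, not code from the connector or from Oracle.
Assumes the usual OJDL layout: <log_handlers> and <loggers> sections directly
under <logging_configuration> (check this against your own file). In an OIM
cluster, run it on every node and then restart each node.
"""
import xml.etree.ElementTree as ET

# ODL message type:level combinations listed in Table 2-3.
ODL_LEVELS = frozenset({
    "INCIDENT_ERROR:1", "ERROR:1", "WARNING:1", "NOTIFICATION:1",
    "NOTIFICATION:16", "TRACE:1", "TRACE:16", "TRACE:32",
})
HANDLER_NAME = "db-um-handler"
HANDLER_CLASS = "oracle.core.ojdl.logging.ODLHandlerFactory"
CONNECTOR_LOGGERS = ("OIMCP.DBUM", "OIMCP.DBUMCOMMON")


def _handler_properties(log_file):
    # Same properties, in the same order, as the log_handler block in the guide.
    return (("logreader:", "off"), ("path", log_file), ("format", "ODL-Text"),
            ("useThreadName", "true"), ("locale", "en"),
            ("maxFileSize", "5242880"), ("maxLogSize", "52428800"),
            ("encoding", "UTF-8"))


def add_dbum_logging(xml_text, log_level, log_file):
    """Return logging.xml text with db-um-handler and both connector loggers.

    Idempotent: re-running on an already edited file updates the level and
    path in place instead of appending a second handler or logger.
    """
    if log_level not in ODL_LEVELS:
        raise ValueError(f"{log_level!r} is not an ODL type:level from Table 2-3")
    root = ET.fromstring(xml_text)
    handlers = root.find("log_handlers")
    loggers = root.find("loggers")
    if handlers is None or loggers is None:
        raise ValueError("expected <log_handlers> and <loggers> under the root element")

    handler = handlers.find(f"log_handler[@name='{HANDLER_NAME}']")
    if handler is None:
        handler = ET.SubElement(handlers, "log_handler",
                                {"name": HANDLER_NAME, "class": HANDLER_CLASS})
    handler.set("level", log_level)
    for prop_name, value in _handler_properties(log_file):
        prop = handler.find(f"property[@name='{prop_name}']")
        if prop is None:
            prop = ET.SubElement(handler, "property", {"name": prop_name})
        prop.set("value", value)

    for name in CONNECTOR_LOGGERS:
        logger = loggers.find(f"logger[@name='{name}']")
        if logger is None:
            logger = ET.SubElement(loggers, "logger", {"name": name})
            for h in (HANDLER_NAME, "console-handler"):   # handlers as in the guide
                ET.SubElement(logger, "handler", {"name": h})
        logger.set("level", log_level)
        # Keep connector messages out of the parent (root) handlers, as in the guide.
        logger.set("useParentHandlers", "false")
    return ET.tostring(root, encoding="unicode")


def describe(xml_text):
    """Summary for checks: {'handlers': {name: path}, 'loggers': {name: (level, [handlers])}}."""
    root = ET.fromstring(xml_text)
    handlers = {}
    for h in root.iterfind("log_handlers/log_handler"):
        path = h.find("property[@name='path']")
        handlers[h.get("name")] = None if path is None else path.get("value")
    loggers = {}
    for lg in root.iterfind("loggers/logger"):
        loggers[lg.get("name")] = (lg.get("level"),
                                   [x.get("name") for x in lg.findall("handler")])
    return {"handlers": handlers, "loggers": loggers}


def logger_count(xml_text, name):
    """Number of <logger> elements with this name (stays 1 across repeated runs)."""
    return len(ET.fromstring(xml_text).findall(f"loggers/logger[@name='{name}']"))


# Constructed skeleton of a logging.xml; a real file carries many more entries.
SAMPLE_LOGGING_XML = """<logging_configuration>
  <log_handlers>
    <log_handler name='console-handler' class='oracle.core.ojdl.logging.ConsoleHandler' level='WARNING:32'/>
  </log_handlers>
  <loggers>
    <logger name='' level='WARNING:1'>
      <handler name='console-handler'/>
    </logger>
  </loggers>
</logging_configuration>
"""

if __name__ == "__main__":
    # Placeholder path; use the full path of the log file you want on this node.
    print(add_dbum_logging(SAMPLE_LOGGING_XML, "NOTIFICATION:1", "/tmp/oim-dbum-diagnostic.log"))
```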

2.3.1.6 Modifying the Lookup.DBUM.MSSQL.TargetRecon.Role.Mapping Lookup Definition

Note:

Perform the procedure described in this section only if you are using Microsoft SQL Server 2005 as the target system.

By default, the Lookup.DBUM.MSSQL.TargetRecon.Role.Mapping lookup definition contains the following entry:

Code Key   Decode
--------   ---------------
Role       LOOKUP~RoleName


If you are using Microsoft SQL Server 2005 as the target system, then you must change the Decode value as follows:

  1. On the Design Console, expand Administration, and then double-click Lookup Definition.

  2. Search for and open the Lookup.DBUM.MSSQL.TargetRecon.Role.Mapping lookup definition that you want to modify.

  3. Change the Decode value of the Role Code Key to LOOKUP~GroupName.

  4. Click the Save icon.

2.3.1.7 Configuring the Connector for Incremental Reconciliation

Note:

Perform the procedure described in this section to configure the connector for incremental reconciliation. If you are using Oracle Database as your target system, then you need not perform the procedure described in this section.

During an incremental reconciliation run, the scheduled task fetches only target system records that are added or modified after the time stamp stored in the Last Execution Time attribute of the scheduled task. The connector requires a query that calculates this time-stamp value; the reconciliation query then uses the stored value to select only the records added or modified after it.

To configure the connector for incremental reconciliation, you must perform the following steps:

  1. In a text editor, open the reconciliation properties file.

  2. Enter a SQL query that returns in milliseconds the current date and time of the computer on which your database is running. The value returned by this query is stored as the value of the Last Execution Time attribute of the scheduled task.

    The name of this query must be specified as the value of the Recon Time Query Name attribute while performing the procedure described in Section 3.4.5, "Reconciliation Scheduled Tasks."

    For example, in Oracle Database the ORACLE_RECON_TIME query, in the properties file, is used for calculating a value for the Last Execution Time attribute:

    SELECT (SYSDATE - TO_DATE('01011970', 'DDMMYYYY')) *24*60*60*1000 as ts FROM DUAL
    

    The name of this query, ORACLE_RECON_TIME, is specified as the value of the Recon Time Query Name attribute while running the scheduled task.

  3. Modify the query that is used to perform reconciliation by including a WHERE clause. The WHERE clause must contain the condition that determines if a target system record was added or modified after the time stamp stored in the Last Execution Time scheduled task attribute.

    In the following example, the last line (the WHERE clause that compares CREATED with :lastExecutionTime) is the condition added to the ORACLE_TARGET_USER_RECON query:

    SELECT \
    USERNAME, \
    DECODE(PASSWORD, 'EXTERNAL', 'EXTERNAL', 'GLOBAL', 'GLOBAL', 'PASSWORD') PASSWORD, \
    EXTERNAL_NAME, \
    DEFAULT_TABLESPACE, \
    ACCOUNT_STATUS, \
    TEMPORARY_TABLESPACE, \
    PROFILE, \
    (SELECT BYTES FROM DBA_TS_QUOTAS WHERE dba.USERNAME = USERNAME AND \
    TABLESPACE_NAME = dba.DEFAULT_TABLESPACE) AS DEFAULT_TABLESPACE_QUOTA, \
    (SELECT BYTES FROM DBA_TS_QUOTAS WHERE dba.USERNAME = USERNAME AND \
    TABLESPACE_NAME = dba.TEMPORARY_TABLESPACE) AS TEMPORARY_TABLESPACE_QUOTA \
    FROM DBA_USERS dba \
    WHERE ((CREATED - TO_DATE('01011970','ddmmyyyy')) *24*60*60*1000) > :lastExecutionTime
    
  4. Save and close the file.
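The following Python check is added here and is not part of the connector. It reads a DBUMReconQuery.properties file the way Java does (the trailing-backslash line continuations used in the query above) and then confirms that the reconciliation query carries a WHERE clause comparing against :lastExecutionTime and that the recon time query exists. The sample file is constructed, and check_incremental_recon is a hypothetical helper, not a connector API.

```python
"""Check an incremental-reconciliation setup in DBUMReconQuery.properties.

Added example for this guide, not code from the connector. The connector's
query files are Java .properties files, so a multi-line SQL statement is
written with a trailing backslash on every continued line.
"""
import re

BIND_VAR = ":lastExecutionTime"   # bind variable the scheduled task fills in
_KEY_VALUE = re.compile(r"((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)$")


def _unescape(s):
    # Handles \\, \:, \=, \t and \n; \uXXXX escapes are not needed for SQL text.
    return re.sub(r"\\(.)", lambda m: {"t": "\t", "n": "\n"}.get(m.group(1), m.group(1)), s)


def _store(props, logical):
    m = _KEY_VALUE.match(logical)
    if m:
        props[_unescape(m.group(1))] = _unescape(m.group(2))


def parse_properties(text):
    """Minimal Java .properties reader.

    Rules applied: leading whitespace is dropped on every physical line,
    lines starting with '#' or '!' are comments, an odd number of trailing
    backslashes continues the logical line on the next physical line, and
    the key ends at the first unescaped '=', ':' or whitespace.
    """
    props = {}
    pending = None                       # logical line being assembled
    for raw in text.splitlines():
        line = raw.lstrip()
        if pending is None and (not line or line[0] in "#!"):
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:            # continuation: drop the backslash, keep reading
            pending = (pending or "") + line[:-1]
            continue
        _store(props, (pending or "") + line)
        pending = None
    if pending is not None:              # file ended inside a continuation
        _store(props, pending)
    return props


def check_incremental_recon(props, recon_query_name, recon_time_query_name):
    """Return the problems found; an empty list means the setup matches Section 2.3.1.7."""
    problems = []
    if recon_time_query_name not in props:
        problems.append(f"missing recon time query {recon_time_query_name}")
    query = props.get(recon_query_name)
    if query is None:
        problems.append(f"missing reconciliation query {recon_query_name}")
        return problems
    where = re.search(r"\bWHERE\b(.*)$", query, re.IGNORECASE)
    if where is None:
        problems.append("reconciliation query has no WHERE clause")
    elif BIND_VAR not in where.group(1):
        problems.append(f"WHERE clause does not compare against {BIND_VAR}")
    return problems


# Constructed sample; a real DBUMReconQuery.properties has many more entries.
SAMPLE_PROPERTIES = """\
# Constructed sample of the connector's reconciliation properties file.
ORACLE_RECON_TIME=SELECT (SYSDATE - TO_DATE('01011970', 'DDMMYYYY')) *24*60*60*1000 as ts FROM DUAL
ORACLE_TARGET_USER_RECON=SELECT \\
    USERNAME, \\
    ACCOUNT_STATUS, \\
    (SELECT BYTES FROM DBA_TS_QUOTAS WHERE dba.USERNAME = USERNAME AND \\
    TABLESPACE_NAME = dba.DEFAULT_TABLESPACE) AS DEFAULT_TABLESPACE_QUOTA \\
    FROM DBA_USERS dba \\
    WHERE ((CREATED - TO_DATE('01011970','ddmmyyyy')) *24*60*60*1000) > :lastExecutionTime
ORACLE_TARGET_USER_RECON_FULL=SELECT USERNAME, ACCOUNT_STATUS FROM DBA_USERS dba
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for name in ("ORACLE_TARGET_USER_RECON", "ORACLE_TARGET_USER_RECON_FULL"):
        print(name, check_incremental_recon(props, name, "ORACLE_RECON_TIME") or "ok")
```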

2.3.1.8 Configuring Oracle Identity Manager for Request-Based Provisioning

Note:

Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.1 and you want to configure request-based provisioning.

In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource can be viewed and approved by approvers designated in Oracle Identity Manager.

The following are features of request-based provisioning:

  • A user can be provisioned only one resource (account) on the target system.

    Note:

    Direct provisioning allows the provisioning of multiple database accounts on the target system.

  • Direct provisioning cannot be used if you enable request-based provisioning.

To enable request-based provisioning, perform the procedures described in the following sections:

2.3.1.8.1 Copying Predefined Request Datasets

A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. Predefined request datasets are shipped with this connector. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation.

The following is the list of predefined request datasets available in the DataSets directory on the installation media:

For IBM DB2 UDB

  • ProvisionResource_DB2 DB User.xml

  • ModifyProvisionedResource_DB2 DB User.xml

For Microsoft SQL Server

  • ProvisionResource_MSSQL DB User Login.xml

  • ProvisionResource_MSSQL DB User.xml

  • ModifyProvisionedResource_MSSQL DB User Login.xml

  • ModifyProvisionedResource_MSSQL DB User.xml

For MySQL

  • ProvisionResource_MySQL DB User.xml

  • ModifyProvisionedResource_MySQL DB User.xml

For Oracle Database

  • ProvisionResource_Oracle DB User.xml

  • ModifyProvisionedResource_Oracle DB User.xml

Copy the files from the DataSets directory on the installation media to the OIM_HOME/DataSet/file directory.

Depending on your requirement, you can modify the file names of the request datasets. In addition, you can modify the information in the request datasets. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information on modifying request datasets.

2.3.1.8.2 Importing Request Datasets into MDS

Note:

In an Oracle Identity Manager cluster, perform this procedure on any node of the cluster.

All request datasets must be imported into the metadata store (MDS), which can be done by using the Oracle Identity Manager MDS Import utility.

To import a request dataset definition into MDS:

  1. Ensure that you have set the environment for running the MDS Import utility. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about setting up the environment for MDS utilities.

  2. In a command window, change to the OIM_HOME/server/bin directory.

  3. Run one of the following commands:

    • On Microsoft Windows

      weblogicImportMetadata.bat
      
    • On UNIX

      weblogicImportMetadata.sh
      
  4. When prompted, enter values for the following:

    • Please enter your username [weblogic]

      Enter the username used to log in to the Oracle WebLogic Server

      Sample value: WL_User

    • Please enter your password [weblogic]

      Enter the password used to log in to the Oracle WebLogic Server

    • Please enter your server URL [t3://localhost:7001]

      Enter the URL of the application server in the following format:

      t3://HOST_NAME_IP_ADDRESS:PORT

      In this format, replace:

      • HOST_NAME_IP_ADDRESS with the host name or IP address of the computer on which Oracle Identity Manager is installed.

      • PORT with the port on which Oracle Identity Manager is listening.

    The request dataset is imported into MDS.

2.3.1.8.3 Enabling the Auto Save Form Feature

To enable the Auto Save Form feature:

  1. Log in to the Design Console.

  2. Expand Process Management, and then double-click Process Definition.

  3. Search for and open the process definition for the target system that you are using.

    See Section 4.5, "Configuring the Connector for Multiple Installations of the Target System" for a listing of the process definition for each target system.

  4. Select the Auto Save Form check box.

  5. Click the Save icon.

2.3.1.8.4 Running the PurgeCache Utility

Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Section 2.3.1.4, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for instructions.

The procedure to enable request-based provisioning ends with this step.

2.3.2 Creating the Administrator Account on Oracle Database Vault

Note:

Perform the procedure described in this section only if you have Oracle Database Vault installed and you want to configure the connector for provisioning and reconciling authorization to Oracle Database Vault realms.

You must create an administrator account on Oracle Database Vault. This account is used by the connector for performing reconciliation and provisioning operations on Oracle Database Vault realms.

To create the administrator account on Oracle Database Vault:

  1. Log in to Oracle Database Vault as a user with the DV_ACCTMGR privilege.

  2. Create the administrator account by running the following command:

    CREATE USER USERNAME IDENTIFIED BY PASSWORD;
    
  3. Log out and then log in as a user with the DV_OWNER privilege.

  4. Grant access to Oracle Database Vault and Data Dictionary realms by running the following commands:

    exec DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM('Database Vault Account Management','USERNAME','Enabled',1)
    exec DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM('Oracle Data Dictionary','USERNAME','Enabled',1)
    
  5. Grant the DV_ADMIN and DV_SECANALYST privileges.

  6. Log in as a user with the DV_ACCTMGR privilege.

  7. Grant the DV_SECANALYST privilege.

  8. Log in as SYS and grant the following privileges (run the command):

    -- GRANT ANY PRIVILEGE and GRANT ANY ROLE let USERNAME confer any privilege or role,
    -- so reserve this account for the connector's use.
    GRANT GRANT ANY OBJECT PRIVILEGE,
          GRANT ANY PRIVILEGE,
          GRANT ANY ROLE,
          UNLIMITED TABLESPACE
       TO USERNAME
       WITH ADMIN OPTION;
    

2.3.3 Configuring Secure Communication Between the Target System and Oracle Identity Manager

Note:

It is recommended that you perform the procedure described in this section to secure communication between the target system and Oracle Identity Manager.

The procedure to secure communication depends on the database that you are using:

2.3.3.1 Configuring Secure Communication Between IBM DB2 UDB and Oracle Identity Manager

Note:

IBM DB2 UDB version 9.1 Fix Pack 2 and later support secure communication over SSL.

To configure secure communication between IBM DB2 UDB and Oracle Identity Manager:

  1. See IBM DB2 UDB documentation for information about enabling SSL communication between IBM DB2 UDB and a client system. In this context, the client is Oracle Identity Manager.

    Export the certificate on the IBM DB2 UDB host computer, and then restart the database service.

  2. Copy the certificate to the Oracle Identity Manager host computer.

  3. Import the certificate into the JVM truststore of the application server on which Oracle Identity Manager is running.

    To import the certificate into the truststore, run the following command:

    ..\..\bin\keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
    

    In this command:

    • Replace FILE_LOCATION with the full path and name of the certificate file.

    • Replace ALIAS with an alias for the certificate.

    • Replace TRUSTSTORE_PASSWORD with a password for the truststore.

    • Replace TRUSTSTORE_LOCATION with one of the truststore paths from Table 2-4. This table shows the location of the truststore for each of the supported application servers.

    Note:

    In an Oracle Identity Manager cluster, you must import the file into the truststore on each node of the cluster.

    Table 2-4 Truststore Locations on Supported Application Servers

    Application Server | Truststore Location

    IBM WebSphere Application Server

    For any supported IBM WebSphere Application Server release, import the certificate into the following certificate store:

    WEBSPHERE_HOME/java/jre/lib/security/cacerts

    In addition to importing the certificate into the cacerts certificate store, you must import the certificate into one of the following certificate stores:

    • For IBM WebSphere Application Server 6.1.x, import the certificate into the following certificate store:

      WEBSPHERE_HOME/Web_Sphere/profiles/SERVER_NAME/config/cells/CELL_NAME/nodes/NODE_NAME/trust.p12

      For example:

      C:/Web_Sphere/profiles/AppSrv01/config/cells/tcs055071Node01Cell/nodes/tcs055071Node0/trust.p12

    • For IBM WebSphere Application Server 5.1.x, in addition to the cacerts certificate store, you must import the certificate into the following certificate store:

      WEBSPHERE_HOME/etc/KEY_STORE

      Here, KEY_STORE is the name of the keystore.

    JBoss Application Server

    JAVA_HOME/jre/lib/security/cacerts

    Oracle WebLogic Server

    • If you are using Oracle jrockit_R27.3.1-jdk, then import the certificate into the keystore in the following directory:

      JROCKIT_HOME/jre/lib/security

    • If you are using the default Oracle WebLogic Server JDK, then import the certificate into the keystore in the following directory:

      WEBLOGIC_HOME/java/jre/lib/security/cacerts

    • If you are using a JDK other than Oracle jrockit_R27.3.1-jdk or Oracle WebLogic Server JDK, then import the certificate into your keystore at the following directory:

      JAVA_HOME/jre/lib/security/cacerts


  4. To enable secure communication between IBM DB2 UDB and Oracle Identity Manager, set the value of the isSecure IT resource parameter to yes. You must provide a value for this parameter while performing the procedure described in Section 2.3.5, "Configuring the IT Resource."

2.3.3.2 Configuring Secure Communication Between Microsoft SQL Server and Oracle Identity Manager

To configure secure communication between Microsoft SQL Server and Oracle Identity Manager:

  1. See Microsoft SQL Server documentation for information about enabling SSL communication between Microsoft SQL Server and a client system. In this context, the client is Oracle Identity Manager.

    Export the certificate on the Microsoft SQL Server host computer, and then restart the database service.

  2. Copy the certificate to the Oracle Identity Manager host computer.

  3. Import the certificate into the JVM truststore of the application server on which Oracle Identity Manager is running.

    To import the certificate into the truststore, run the following command:

    ..\..\bin\keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
    

    In this command:

    • Replace FILE_LOCATION with the full path and name of the certificate file.

    • Replace ALIAS with an alias for the certificate.

    • Replace TRUSTSTORE_PASSWORD with a password for the truststore.

    • Replace TRUSTSTORE_LOCATION with one of the truststore paths from Table 2-5. This table shows the location of the truststore for each of the supported application servers.

    Note:

    In an Oracle Identity Manager cluster, import the file into the truststore on each node of the cluster.

    Table 2-5 Truststore Locations on Supported Application Servers

    Application Server | Truststore Location

    IBM WebSphere Application Server

    For any supported IBM WebSphere Application Server release, import the certificate into the following certificate store:

    WEBSPHERE_HOME/java/jre/lib/security/cacerts

    In addition to importing the certificate into the cacerts certificate store, you must import the certificate into one of the following certificate stores:

    • For IBM WebSphere Application Server 6.1.x, import the certificate into the following certificate store:

      WEBSPHERE_HOME/Web_Sphere/profiles/SERVER_NAME/config/cells/CELL_NAME/nodes/NODE_NAME/trust.p12

      For example:

      C:/Web_Sphere/profiles/AppSrv01/config/cells/tcs055071Node01Cell/nodes/tcs055071Node0/trust.p12

    • For IBM WebSphere Application Server 5.1.x, in addition to the cacerts certificate store, you must import the certificate into the following certificate store:

      WEBSPHERE_HOME/etc/KEY_STORE

      Here, KEY_STORE is the name of the keystore.

    JBoss Application Server

    JAVA_HOME/jre/lib/security/cacerts

    Oracle WebLogic Server

    • If you are using Oracle jrockit_R27.3.1-jdk, then import the certificate into the keystore in the following directory:

      JROCKIT_HOME/jre/lib/security

    • If you are using the default Oracle WebLogic Server JDK, then import the certificate into the keystore in the following directory:

      WEBLOGIC_HOME/java/jre/lib/security/cacerts

    • If you are using a JDK other than Oracle jrockit_R27.3.1-jdk or Oracle WebLogic Server JDK, then import the certificate into your keystore at the following directory:

      JAVA_HOME/jre/lib/security/cacerts


  4. To enable secure communication between Microsoft SQL Server and Oracle Identity Manager, set the value of the isSecure IT resource parameter to yes. You must provide a value for this parameter while performing the procedure described in Section 2.3.5, "Configuring the IT Resource".

2.3.3.3 Configuring Secure Communication Between MySQL and Oracle Identity Manager

To configure secure communication between MySQL and Oracle Identity Manager:

  1. See MySQL documentation for information about enabling SSL communication between MySQL and a client system. In this context, the client is Oracle Identity Manager.

  2. Export the certificate on the MySQL host computer.

  3. Restart the MySQL database service by using the certificate exported in the preceding step. See MySQL documentation for information on restarting the database service.

  4. Copy the ca-cert.pem and client-cert.pem certificates to the Oracle Identity Manager host computer.

  5. Import the certificates into the JVM truststore of the application server on which Oracle Identity Manager is running.

    To import the certificates into the truststore, run the following command for each certificate:

    keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
    

    In this command:

    • Replace FILE_LOCATION with the full path and name of the certificate file.

    • Replace ALIAS with an alias for the certificate.

    • Replace TRUSTSTORE_PASSWORD with a password for the truststore.

    • Replace TRUSTSTORE_LOCATION with one of the truststore paths from Table 2-6. This table shows the location of the truststore for each of the supported application servers.

    Note:

    In an Oracle Identity Manager cluster, import the file into the truststore on each node of the cluster.

    Table 2-6 Truststore Locations on Supported Application Servers

    Application Server | Truststore Location

    IBM WebSphere Application Server

    For any supported IBM WebSphere Application Server release, import the certificate into the following certificate store:

    WEBSPHERE_HOME/java/jre/lib/security/cacerts

    In addition to importing the certificate into the cacerts certificate store, you must import the certificate into one of the following certificate stores:

    • For IBM WebSphere Application Server 6.1.x, import the certificate into the following certificate store:

      WEBSPHERE_HOME/Web_Sphere/profiles/SERVER_NAME/config/cells/CELL_NAME/nodes/NODE_NAME/trust.p12

      For example:

      C:/Web_Sphere/profiles/AppSrv01/config/cells/tcs055071Node01Cell/nodes/tcs055071Node0/trust.p12

    • For IBM WebSphere Application Server 5.1.x, in addition to the cacerts certificate store, you must import the certificate into the following certificate store:

      WEBSPHERE_HOME/etc/KEY_STORE

      Here, KEY_STORE is the name of the keystore.

    JBoss Application Server

    JAVA_HOME/jre/lib/security/cacerts

    Oracle WebLogic Server

    • If you are using Oracle jrockit_R27.3.1-jdk, then import the certificate into the keystore in the following directory:

      JROCKIT_HOME/jre/lib/security

    • If you are using the default Oracle WebLogic Server JDK, then import the certificate into the keystore in the following directory:

      WEBLOGIC_HOME/java/jre/lib/security/cacerts

    • If you are using a JDK other than Oracle jrockit_R27.3.1-jdk or Oracle WebLogic Server JDK, then import the certificate into your keystore at the following directory:

      JAVA_HOME/jre/lib/security/cacerts


  6. To enable secure communication between MySQL and Oracle Identity Manager, set the value of the isSecure IT resource parameter to yes. You must provide a value for this parameter while performing the procedure described in Section 2.3.5, "Configuring the IT Resource."

2.3.3.4 Configuring Secure Communication Between Oracle Database and Oracle Identity Manager

To secure communication between Oracle Database and Oracle Identity Manager, you can perform either one or both of the following procedures:

2.3.3.4.1 Configuring Data Encryption and Integrity in Oracle Database

Refer to Oracle Database Advanced Security Administrator's Guide for information about configuring data encryption and integrity.

2.3.3.4.2 Configuring SSL Communication in Oracle Database

Note:

The Database User Management connector does not support SSL communication between an Oracle Database target system and Oracle Identity Manager running on IBM WebSphere Application Server or Oracle Application Server. This is also mentioned in Chapter 7, "Known Issues" (see Bug 6696248).

To enable SSL communication between Oracle Database and Oracle Identity Manager:

  1. See Oracle Database Advanced Security Administrator's Guide for information about enabling SSL communication between Oracle Database and Oracle Identity Manager.

    Export the certificate on the Oracle Database host computer.

  2. Copy the certificate to Oracle Identity Manager.

  3. Import the certificate into the JVM truststore of the application server on which Oracle Identity Manager is running.

    To import the certificate into the truststore, run the following command:

    ..\..\bin\keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
    

    In this command:

    • Replace FILE_LOCATION with the full path and name of the certificate file.

    • Replace ALIAS with an alias for the certificate.

    • Replace TRUSTSTORE_PASSWORD with a password for the truststore.

    • Replace TRUSTSTORE_LOCATION with one of the truststore paths from Table 2-7. This table shows the location of the truststore for each of the supported application servers.

    Note:

    In an Oracle Identity Manager cluster, import the file into the truststore on each node of the cluster.

    Table 2-7 Truststore Locations on Supported Application Servers

    Application Server | Truststore Location

    JBoss Application Server

    JAVA_HOME/jre/lib/security/cacerts

    Oracle WebLogic Server

    • If you are using Oracle jrockit_R27.3.1-jdk, then import the certificate into the keystore in the following directory:

      JROCKIT_HOME/jre/lib/security

    • If you are using the default Oracle WebLogic Server JDK, then import the certificate into the keystore in the following directory:

      WEBLOGIC_HOME/java/jre/lib/security/cacerts

    • If you are using a JDK other than Oracle jrockit_R27.3.1-jdk or Oracle WebLogic Server JDK, then import the certificate into your keystore at the following directory:

      JAVA_HOME/jre/lib/security/cacerts


  4. To enable secure communication between Oracle Database and Oracle Identity Manager, set the value of the isSecure IT resource parameter to yes. You must provide a value for this parameter while performing the procedure described in Section 2.3.5, "Configuring the IT Resource".

2.3.3.5 Configuring Secure Communication Between Sybase and Oracle Identity Manager

To configure secure communication between Sybase and Oracle Identity Manager:

  1. See Sybase Adaptive Server Enterprise documentation for information about enabling SSL communication between Sybase and a client system. In this context, the client is Oracle Identity Manager.

    Export the certificate on the Sybase host computer.

  2. Copy the certificate to the Oracle Identity Manager host computer.

  3. Import the certificate into the JVM truststore of the application server on which Oracle Identity Manager is running.

    To import the certificate into the truststore, run the following command:

    ..\..\bin\keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
    

    In this command:

    • Replace FILE_LOCATION with the full path and name of the certificate file.

    • Replace ALIAS with an alias for the certificate.

    • Replace TRUSTSTORE_PASSWORD with a password for the truststore.

    • Replace TRUSTSTORE_LOCATION with one of the truststore paths from Table 2-8. This table shows the location of the truststore for each of the supported application servers.

    Note:

    In an Oracle Identity Manager cluster, import the file into the truststore on each node of the cluster.

    Table 2-8 Truststore Locations on Supported Application Servers

    Application Server | Truststore Location

    IBM WebSphere Application Server

    For any supported IBM WebSphere Application Server release, import the certificate into the following certificate store:

    WEBSPHERE_HOME/java/jre/lib/security/cacerts

    In addition to importing the certificate into the cacerts certificate store, you must import the certificate into one of the following certificate stores:

    • For IBM WebSphere Application Server 6.1.x, import the certificate into the following certificate store:

      WEBSPHERE_HOME/Web_Sphere/profiles/SERVER_NAME/config/cells/CELL_NAME/nodes/NODE_NAME/trust.p12

      For example:

      C:/Web_Sphere/profiles/AppSrv01/config/cells/tcs055071Node01Cell/nodes/tcs055071Node0/trust.p12

    • For IBM WebSphere Application Server 5.1.x, in addition to the cacerts certificate store, you must import the certificate into the following certificate store:

      WEBSPHERE_HOME/etc/KEY_STORE

      Here, KEY_STORE is the name of the keystore.

    JBoss Application Server

    JAVA_HOME/jre/lib/security/cacerts

    Oracle WebLogic Server

    • If you are using Oracle jrockit_R27.3.1-jdk, then import the certificate into the keystore in the following directory:

      JROCKIT_HOME/jre/lib/security

    • If you are using the default Oracle WebLogic Server JDK, then import the certificate into the keystore in the following directory:

      WEBLOGIC_HOME/java/jre/lib/security/cacerts

    • If you are using a JDK other than Oracle jrockit_R27.3.1-jdk or Oracle WebLogic Server JDK, then import the certificate into your keystore at the following directory:

      JAVA_HOME/jre/lib/security/cacerts


  4. To enable secure communication between Sybase and Oracle Identity Manager, set the value of the isSecure IT resource parameter to yes. You must provide a value for this parameter while performing the procedure described in Section 2.3.5, "Configuring the IT Resource".

2.3.4 Determining Values for the JDBC URL and Connection Properties Parameters

This section discusses the JDBC URL and Connection Properties parameters. You apply the information in this section while performing the procedure described in Section 2.3.5, "Configuring the IT Resource".

The values that you specify for the Database URL and Connection Properties parameters depend on the target system:

2.3.4.1 JDBC URL and Connection Properties for IBM DB2 UDB

The following are guidelines on specifying the JDBC URL and Connection Properties parameters:

  • JDBC URL parameter

    Enter the following component of the connection URL as the value of the JDBC URL parameter:

    jdbc:db2://[SERVER_NAME][:PORT_NUMBER]/[DATABASE_NAME] 
    

    In this format:

    • SERVER_NAME is the IP address (not the host name) of the target system host computer.

    • PORT_NUMBER is the port at which the target system database is listening.

    • DATABASE_NAME is the name of the database to which you are connecting.

    The following is a sample value for the Database URL parameter:

    jdbc:db2://192.168.16.76:50000/DBUSER 
    
  • Connection Properties parameter

    Enter the following component of the connection URL as the value of the Connection Properties parameter:

    [,PROPERTY=VALUE[,PROPERTY=VALUE]] . . .
    

    In this format:

    • PROPERTY is the name of one or more database connection properties, such as applicationName and disableStatementPooling.

    • VALUE is the value of each database connection property whose name you specify by using the PROPERTY placeholder.

    Note:

    Semicolons must be changed to number signs (#) in the value that you specify.

    The following is a sample value for the Connection Properties parameter:

    databaseName=sales#port=50000
    

    If you enable SSL communication between IBM DB2 UDB and Oracle Identity Manager, then you must include the javax.net.ssl.trustStore, and javax.net.ssl.trustStorePassword properties in the Decode value that you specify for the SSL Keystore Properties Code Key entry in the Lookup.DBUM.DB2.Configuration lookup definition. In other words, the Decode value of the SSL Keystore Properties Code Key must be in the following format:

    javax.net.ssl.trustStore=STORE_LOCATION~javax.net.ssl.trustStorePassword=STORE_PASSWORD
    

    When you specify this value, replace STORE_LOCATION with the full path and name of the truststore, and replace STORE_PASSWORD with the password of the truststore.

    For example:

    javax.net.ssl.trustStore=C:/j2sdk1.4.2_12/jre/lib/security/cacerts~javax.net.ssl.trustStorePassword=changeit
    

2.3.4.2 JDBC URL and Connection Properties for Microsoft SQL Server

Note:

In Microsoft SQL Server documentation, the term "connection URL" is used instead of "JDBC URL."

  • JDBC URL parameter

    Enter the following component of the connection URL as the value of the JDBC URL parameter:

    jdbc:sqlserver://[SERVER_NAME][:PORT_NUMBER][;database=DATABASE_NAME] 
    

    In this format:

    • SERVER_NAME is the IP address (not the host name) of the target system host computer.

    • PORT_NUMBER is the port at which the target system database is listening.

    • DATABASE_NAME is the name of the database to which you are connecting.

    The following is a sample value for the Database URL parameter:

    jdbc:sqlserver://192.168.16.76:1433;database=model 
    
  • Connection Properties parameter

    Enter the following component of the connection URL as the value of the Connection Properties parameter:

    [;PROPERTY=VALUE[;PROPERTY=VALUE]] . . .
    

    In this format:

    • PROPERTY is the name of one or more database connection properties, such as applicationName and disableStatementPooling.

    • VALUE is the value of each database connection property whose name you specify by using the PROPERTY placeholder.

    Note:

    Semicolons must be changed to number signs (#) in the value that you specify.

    The following is a sample value for the Connection Properties parameter:

    databaseName=sales#port=1433
    

    If you enable SSL communication between Microsoft SQL Server and Oracle Identity Manager, then you must include the encrypt and hostNameInCertificate properties in the value that you specify for the Connection Properties parameter. In other words, the following must be part of the string that you enter as the value of the parameter:

    encrypt=true,hostNameInCertificate=HOST_NAME
    

    Replace HOST_NAME with the host name given in the certificate that you use.

    In addition, you must specify the location of the truststore if you import the certificate into a truststore other than the JVM truststore of Oracle Identity Manager. To specify the location of the truststore, include the following properties in the value that you specify for the Connection Properties parameter:

    encrypt=true,hostNameInCertificate=HOST_NAME,trustStore=STORE_LOCATION,trustStorePassword=STORE_PASSWORD
    

    When you specify this value, replace STORE_LOCATION with the full path and name of the truststore, and replace STORE_PASSWORD with the password of the truststore.

2.3.4.3 JDBC URL and Connection Properties for MySQL

The following are guidelines on specifying the JDBC URL and Connection Properties parameters:

  • JDBC URL parameter

    Enter the following component of the connection URL as the value of the JDBC URL parameter:

    jdbc:mysql://[SERVER_NAME][:PORT_NUMBER]/[DATABASE_NAME] 
    

    In this format:

    • SERVER_NAME is the IP address (not the host name) of the target system host computer.

    • PORT_NUMBER is the port at which the target system database is listening.

    • DATABASE_NAME is the name of the database to which you are connecting.

    The following is a sample value for the Database URL parameter:

    jdbc:mysql://192.168.16.76:50000/information_schema
    
  • Connection Properties parameter

    Enter the following component of the connection URL as the value of the Connection Properties parameter:

    [,PROPERTY=VALUE[,PROPERTY=VALUE]] . . .
    

    In this format:

    • PROPERTY is the name of one or more database connection properties, such as applicationName and disableStatementPooling.

    • VALUE is the value of each database connection property whose name you specify by using the PROPERTY placeholder.

    Note:

    Semicolons must be changed to number signs (#) in the value that you specify.

    The following is a sample value for the Connection Properties parameter:

    databaseName=information_schema#port=3306
    

    If you enable SSL communication between MySQL and Oracle Identity Manager, then:

    • Append the following value to the value in the Connection Properties parameter of the IT resource:

      useSSL=true#requireSSL=true
      

      For example, suppose the following is the existing value for the Connection Properties parameter:

      databaseName=information_schema#port=3306
      

      Now, if you enable SSL communication between MySQL and Oracle Identity Manager, then the value of the Connection Properties parameter must be as follows:

      databaseName=information_schema#port=3306, useSSL=true#requireSSL=true
      
    • Include the javax.net.ssl.trustStore, javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, and javax.net.ssl.trustStorePassword properties in the Decode value that you specify for the SSL Keystore Properties Code Key entry in the Lookup.DBUM.MySQL.Configuration lookup definition. In other words, the Decode value of the SSL Keystore Properties Code Key must be in the following format:

      javax.net.ssl.trustStore=STORE_LOCATION~javax.net.ssl.trustStorePassword=STORE_PASSWORD~javax.net.ssl.keyStorePassword=KEYSTORE_PASSWORD~javax.net.ssl.keyStore=KEYSTORE_LOCATION
      

      When you specify this value, replace:

      • STORE_LOCATION with the full path and name of the truststore.

      • STORE_PASSWORD with the password of the truststore.

      • KEYSTORE_PASSWORD with the password of the keystore.

      • KEYSTORE_LOCATION with the full path and name of the identity store.

      For example:

      javax.net.ssl.trustStore=C:/j2sdk1.4.2_12/jre/lib/security/cacerts~javax.net.ssl.trustStorePassword=changeit~javax.net.ssl.keyStore=C:/j2sdk1.4.2_12/jre/lib/security/cacerts~javax.net.ssl.keyStorePassword=changeit
      

2.3.4.4 JDBC URL and Connection Properties for Oracle Database

The values that you specify for the JDBC URL and Connection Properties parameters depend on the security measures that you have implemented:

If you are using Oracle Database with RAC implementation as the target system, then enter a value for the JDBC URL property in the format specified in the following section:

Section 2.3.4.4.4, "JDBC URL and Connection Properties for Oracle RAC"

2.3.4.4.1 Only Data Encryption and Integrity Is Configured

If you have configured only data encryption and integrity, then enter the following values:

  • JDBC URL parameter

    While configuring the IT resource, the value that you specify for the JDBC URL parameter must be in the following format:

    jdbc:oracle:thin:@TARGET_HOST_NAME_or_IP_ADDRESS:PORT_NUM:sid
    

    The following is a sample value for the JDBC URL parameter:

    jdbc:oracle:thin:@ten.mydomain.com:1521:cust_db
    
  • Connection Properties parameter

    After you configure data encryption and integrity, the connection properties are recorded in the sqlnet.ora file. The value that you must specify for the Connection Properties parameter is explained by the following sample scenario:

    See Also:

    Oracle Database Advanced Security Administrator's Guide for information about the sqlnet.ora file

    Suppose the following entries are recorded in the sqlnet.ora file:

    SQLNET.ENCRYPTION_SERVER=REQUIRED
    SQLNET.ENCRYPTION_TYPES_SERVER=(3DES168, DES40, DES, 3DES112)
    SQLNET.CRYPTO_CHECKSUM_SERVER=REQUESTED
    SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1,MD5)
    

    While configuring the IT resource, you must specify the following as the value of the Connection Properties parameter:

    Note:

    • The property-value pairs must be separated by number signs (#).

    • As shown in the following example, for the encryption_types and crypto_checksum_types properties, you can select any of the values recorded in the sqlnet.ora file.

    oracle.net.encryption_client=REQUIRED,oracle.net.encryption_types_client=(3DES168),oracle.net.crypto_checksum_client=REQUESTED,oracle.net.crypto_checksum_types_client=(MD5)
    
2.3.4.4.2 Only SSL Communication Is Configured

After you configure SSL communication, the JDBC URL is recorded in the tnsnames.ora file. See Oracle Database Net Services Reference for detailed information about the tnsnames.ora file.

The following are sample formats of the contents of the tnsnames.ora file. In these formats, DESCRIPTION contains the connection descriptor, ADDRESS contains the protocol address, and CONNECT_DATA contains the database service identification information.

Sample Format 1:

NET_SERVICE_NAME=
 (DESCRIPTION=
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (CONNECT_DATA= 
     (SERVICE_NAME=SERVICE_NAME)))

Sample Format 2:

NET_SERVICE_NAME= 
 (DESCRIPTION_LIST=
  (DESCRIPTION= 
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (CONNECT_DATA= 
     (SERVICE_NAME=SERVICE_NAME)))
  (DESCRIPTION= 
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (CONNECT_DATA= 
     (SERVICE_NAME=SERVICE_NAME))))

Sample Format 3:

NET_SERVICE_NAME= 
 (DESCRIPTION= 
  (ADDRESS_LIST= 
   (LOAD_BALANCE=on)
   (FAILOVER=off)
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)))
  (ADDRESS_LIST= 
   (LOAD_BALANCE=off)
   (FAILOVER=on)
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)))
  (CONNECT_DATA=
   (SERVICE_NAME=SERVICE_NAME)))

If you have configured only SSL communication and imported the certificate that you create on the target system host computer into the JVM truststore of Oracle Identity Manager, then enter the following values:

JDBC URL parameter

While configuring the IT resource, the value that you specify for the JDBC URL parameter must be derived from the value of NET_SERVICE_NAME in the tnsnames.ora file. For example:

Note:

As shown in this example, you must include only the (ADDRESS=(PROTOCOL=TCPS)(HOST=HOST_NAME)(PORT=2484)) element because you are configuring SSL. You need not include other (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)) elements.

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost)(PORT=2484)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=mysid)))

Connection Properties parameter

Whether you need to specify a value for the Connection Properties parameter depends on the truststore into which you import the certificate:

  • If you import the certificate into the truststore of the JVM that Oracle Identity Manager is using, then you need not specify a value for the Connection Properties parameter.

  • If you import the certificate into any other truststore, then while creating the connector, specify a value for the Connection Properties parameter in the following format:

    javax.net.ssl.trustStore=STORE_LOCATION,javax.net.ssl.trustStoreType=JKS,javax.net.ssl.trustStorePassword=STORE_PASSWORD
    

    When you specify this value, replace STORE_LOCATION with the full path and name of the truststore, and replace STORE_PASSWORD with the password of the truststore.

2.3.4.4.3 Both Data Encryption and Integrity and SSL Communication Are Configured

If both data encryption and integrity and SSL communication are configured, then:

  • JDBC URL parameter

    While configuring the IT resource, to specify a value for the JDBC URL parameter, enter a comma-separated combination of the values for the JDBC URL parameter described in Section 2.3.4.4.1, "Only Data Encryption and Integrity Is Configured" and Section 2.3.4.4.2, "Only SSL Communication Is Configured". For example:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost)(PORT=2484)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=mysid)))
    
  • Connection Properties parameter

    While configuring the IT resource, to specify a value for the Connection Properties parameter, enter a comma-separated combination of the values for the Connection Properties parameter described in Section 2.3.4.4.1, "Only Data Encryption and Integrity Is Configured" and Section 2.3.4.4.2, "Only SSL Communication Is Configured". For example:

    oracle.net.encryption_client=REQUIRED,oracle.net.encryption_types_client=(3DES168),oracle.net.crypto_checksum_client=REQUESTED,oracle.net.crypto_checksum_types_client=(MD5),javax.net.ssl.trustStore=STORE_LOCATION,javax.net.ssl.trustStoreType=JKS,javax.net.ssl.trustStorePassword=STORE_PASSWORD
    

    As shown in the preceding example, for the encryption_types and crypto_checksum_types properties, you can select any of the values recorded in the sqlnet.ora file. When you specify this value, replace STORE_LOCATION with the full path and name of the truststore, and replace STORE_PASSWORD with the password of the truststore.

2.3.4.4.4 JDBC URL and Connection Properties for Oracle RAC

The following are guidelines on specifying the JDBC URL and Connection Properties parameters:

  • JDBC URL parameter

    While configuring the IT resource, the value that you specify for the JDBC URL parameter must be in the following format:

    Note:

    The JDBC URL connection string must not exceed 200 characters.

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=HOST1_NAME.DOMAIN)(PORT=PORT1_NUMBER))(ADDRESS=(PROTOCOL=TCP)(HOST=HOST2_NAME.DOMAIN)(PORT=PORT2_NUMBER))(ADDRESS=(PROTOCOL=TCP)(HOST=HOST3_NAME.DOMAIN)(PORT=PORT3_NUMBER)) . . . (ADDRESS=(PROTOCOL=TCP)(HOST=HOSTn_NAME.DOMAIN)(PORT=PORTn_NUMBER))(CONNECT_DATA=(SERVICE_NAME=ORACLE_DATABASE_SERVICE_NAME)))

    Sample value:

    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=host1.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=host2.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=host3.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=host4.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=srvce1)))

  • Connection Properties parameter

    While configuring the IT resource, do not specify any value for the Connection Properties parameter.
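
The values described in Sections 2.3.4.4.1 through 2.3.4.4.4 can be derived from the tnsnames.ora and sqlnet.ora entries and checked before they are entered in the IT resource. The following Python script is an added example, not part of the connector or of this guide; the tnsnames.ora and sqlnet.ora entries in it are constructed, and the truststore path and password are placeholders.

```python
# Added example, not Oracle's code: derive the Oracle Database IT resource values
# of Section 2.3.4.4 from tnsnames.ora and sqlnet.ora text before entering them.
import re

# Constructed tnsnames.ora entry (Sample Format 3 style) with one TCP and one
# TCPS address; only the TCPS address belongs in the SSL JDBC URL.
SAMPLE_TNSNAMES = """
CUSTDB=
 (DESCRIPTION=
  (ADDRESS_LIST=
   (LOAD_BALANCE=on)
   (ADDRESS=(PROTOCOL=TCP)(HOST=myhost)(PORT=1521))
   (ADDRESS=(PROTOCOL=TCPS)(HOST=myhost)(PORT=2484)))
  (CONNECT_DATA=
   (SERVICE_NAME=mysid)))
"""
# Constructed sqlnet.ora entries, as in the sample scenario of Section 2.3.4.4.1.
SAMPLE_SQLNET = """
SQLNET.ENCRYPTION_SERVER=REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER=(3DES168, DES40, DES, 3DES112)
SQLNET.CRYPTO_CHECKSUM_SERVER=REQUESTED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1,MD5)
"""
MAX_URL_LEN = 200  # limit stated for the RAC JDBC URL in Section 2.3.4.4.4
_ADDRESS_RE = re.compile(r"\(ADDRESS=((?:\([A-Z_]+=[^()]*\))+)\)")
_PARAM_RE = re.compile(r"\(([A-Z_]+)=([^()]*)\)")


def parse_addresses(tns_text):
    """One dict {PROTOCOL, HOST, PORT} per ADDRESS element, in file order."""
    compact = re.sub(r"\s+", "", tns_text)
    return [dict(_PARAM_RE.findall(m.group(1))) for m in _ADDRESS_RE.finditer(compact)]


def service_name(tns_text):
    m = re.search(r"\(SERVICE_NAME=([^()]+)\)", re.sub(r"\s+", "", tns_text))
    if not m:
        raise ValueError("CONNECT_DATA has no SERVICE_NAME")
    return m.group(1)


def ssl_jdbc_url(tns_text):
    """JDBC URL of Section 2.3.4.4.2: keep only the (PROTOCOL=TCPS) address."""
    tcps = [a for a in parse_addresses(tns_text) if a.get("PROTOCOL") == "TCPS"]
    if len(tcps) != 1:
        raise ValueError("expected exactly one TCPS ADDRESS, found %d" % len(tcps))
    return ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)"
            "(HOST=%s)(PORT=%s)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=%s)))"
            % (tcps[0]["HOST"], tcps[0]["PORT"], service_name(tns_text)))


def rac_jdbc_url(hosts, port, service):
    """JDBC URL of Section 2.3.4.4.4: one TCP ADDRESS per RAC node, at most 200 chars."""
    addrs = "".join("(ADDRESS=(PROTOCOL=TCP)(HOST=%s)(PORT=%s))" % (h, port) for h in hosts)
    url = "jdbc:oracle:thin:@(DESCRIPTION=%s(CONNECT_DATA=(SERVICE_NAME=%s)))" % (addrs, service)
    if len(url) > MAX_URL_LEN:
        raise ValueError("RAC JDBC URL is %d chars, limit is %d" % (len(url), MAX_URL_LEN))
    return url


def encryption_properties(sqlnet_text, enc_type="3DES168", checksum_type="MD5"):
    """Connection Properties of Section 2.3.4.4.1: the chosen algorithms must be among
    those sqlnet.ora lists, and the client levels mirror the server's as in that sample."""
    conf = {}
    for line in sqlnet_text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()

    def offered(key):
        return [t.strip() for t in conf[key].strip("()").split(",")]
    if enc_type not in offered("SQLNET.ENCRYPTION_TYPES_SERVER"):
        raise ValueError("encryption type %s is not offered by the server" % enc_type)
    if checksum_type not in offered("SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER"):
        raise ValueError("checksum type %s is not offered by the server" % checksum_type)
    return ("oracle.net.encryption_client=%s,oracle.net.encryption_types_client=(%s),"
            "oracle.net.crypto_checksum_client=%s,oracle.net.crypto_checksum_types_client=(%s)"
            % (conf["SQLNET.ENCRYPTION_SERVER"], enc_type,
               conf["SQLNET.CRYPTO_CHECKSUM_SERVER"], checksum_type))


def connection_properties(sqlnet_text=None, truststore=None):
    """Section 2.3.4.4.3: comma-separated combination of the parts that apply.
    truststore is a (location, password) tuple, needed only when the certificate is
    not in the OIM JVM truststore (Section 2.3.4.4.2)."""
    parts = []
    if sqlnet_text is not None:
        parts.append(encryption_properties(sqlnet_text))
    if truststore is not None:
        parts.append("javax.net.ssl.trustStore=%s,javax.net.ssl.trustStoreType=JKS,"
                     "javax.net.ssl.trustStorePassword=%s" % tuple(truststore))
    return ",".join(parts)
```

Note that the four-node sample URL shown for RAC above is longer than 200 characters, so rac_jdbc_url rejects it; the check is there precisely to catch that before the value is saved.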

2.3.4.5 JDBC URL and Connection Properties for Sybase Adaptive Server Enterprise

The following are guidelines on specifying the JDBC URL and Connection Properties parameters:

  • JDBC URL parameter

    Enter the following component of the connection URL as the value of the JDBC URL parameter:

    jdbc:sybase:Tds:SERVER_NAME:PORT_NUMBER/DATABASE_NAME
    

    In this format:

    • SERVER_NAME is the IP address (not the host name) of the target system host computer.

    • PORT_NUMBER is the port at which the target system database is listening.

    • DATABASE_NAME is the name of the target system database.

    The following is a sample value for the JDBC URL parameter:

    jdbc:sybase:Tds:172.21.109.62:9050/master
    
  • Connection Properties parameter

    Enter the following component of the connection URL as the value of the Connection Properties parameter:

    [,PROPERTY=VALUE[,PROPERTY=VALUE]] . . .
    

    In this format:

    • PROPERTY is the name of one or more database connection properties, such as applicationName and disableStatementPooling.

    • VALUE is the value of each database connection property whose name you specify by using the PROPERTY placeholder.

    The following is a sample value for the Connection Properties parameter:

    databaseName=sales#port=9000
    

    If you enable SSL communication between Sybase Adaptive Server Enterprise and Oracle Identity Manager, then you must include the SYBSOCKET_FACTORY property in the value that you specify for the Connection Properties parameter. In other words, the following must be part of the string that you enter as the value of the parameter:

    SYBSOCKET_FACTORY=VALUE
    

    Replace VALUE with the name of the class that implements com.sybase.jdbcx.SybSocketFactory, or with "DEFAULT", which instantiates a new java.net.Socket().
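
Before these values go into the IT resource, the URL shape, the separator rule and the SSL properties each target needs can be checked mechanically. The following Python script is an added example, not part of the connector or of this guide; the IT resource values in it are constructed, and the rules it encodes are the ones stated in Sections 2.3.4.1, 2.3.4.2, 2.3.4.3 and 2.3.4.5 together with the isSecure parameter of Section 2.3.5.

```python
# Added example, not Oracle's code: preflight check of the JDBC URL, Connection
# Properties and isSecure values for the DB2, SQL Server, MySQL and Sybase targets
# described in Sections 2.3.4.1, 2.3.4.2, 2.3.4.3 and 2.3.4.5.
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# URL shapes from those sections. SERVER_NAME must be an IP address, not a host
# name, so each pattern admits only a dotted-quad literal.
URL_PATTERNS = {
    "db2": re.compile(r"^jdbc:db2://(%s):(\d+)/([^/;]+)$" % IPV4),
    "mssql": re.compile(r"^jdbc:sqlserver://(%s):(\d+);database=([^;]+)$" % IPV4),
    "mysql": re.compile(r"^jdbc:mysql://(%s):(\d+)/([^/;]+)$" % IPV4),
    "sybase": re.compile(r"^jdbc:sybase:Tds:(%s):(\d+)/([^/;]+)$" % IPV4),
}
# Properties that must appear in Connection Properties once isSecure is yes. DB2 has
# none here: its truststore settings go into the SSL Keystore Properties entry of
# Lookup.DBUM.DB2.Configuration instead.
SSL_REQUIRED = {
    "db2": [],
    "mssql": ["encrypt", "hostNameInCertificate"],
    "mysql": ["useSSL", "requireSSL"],
    "sybase": ["SYBSOCKET_FACTORY"],
}
SSL_EXPECTED = {"encrypt": "true", "useSSL": "true", "requireSSL": "true"}


def parse_properties(conn_props):
    """Split a Connection Properties value into a dict. Both separators shown in
    the chapter (# and ,) are accepted; the caller rejects ';' beforehand."""
    props = {}
    for pair in re.split(r"[#,]", conn_props or ""):
        pair = pair.strip()
        if not pair:
            continue
        if "=" not in pair:
            raise ValueError("malformed property %r" % pair)
        key, value = pair.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_it_resource(target, jdbc_url, conn_props, is_secure):
    """Return a list of findings; an empty list means the four values are consistent.
    is_secure is the IT resource string, 'yes' or 'no'."""
    target = target.lower()
    if target not in URL_PATTERNS:
        raise ValueError("unsupported target %r" % target)
    findings = []
    m = URL_PATTERNS[target].match(jdbc_url)
    if not m:
        findings.append("JDBC URL does not match the %s format (IP address, port, database)" % target)
    elif any(int(octet) > 255 for octet in m.group(1).split(".")):
        findings.append("SERVER_NAME %s is not a valid IPv4 address" % m.group(1))
    if ";" in (conn_props or ""):
        findings.append("Connection Properties contains ';': semicolons must be changed to '#'")
        return findings
    props = parse_properties(conn_props)
    if is_secure.lower() == "yes":
        for name in SSL_REQUIRED[target]:
            if name not in props:
                findings.append("isSecure=yes but %s is missing from Connection Properties" % name)
            elif name in SSL_EXPECTED and props[name].lower() != SSL_EXPECTED[name]:
                findings.append("%s must be %s, found %s" % (name, SSL_EXPECTED[name], props[name]))
    elif any(name in props for name in SSL_REQUIRED[target]):
        findings.append("SSL properties are present but isSecure is not yes")
    return findings


# Constructed IT resource values that exercise each check.
SAMPLES = {
    "db2_ok": ("db2", "jdbc:db2://192.168.16.76:50000/DBUSER",
               "databaseName=sales#port=50000", "no"),
    "mssql_semicolon": ("mssql", "jdbc:sqlserver://192.168.16.76:1433;database=model",
                        "databaseName=sales;port=1433", "no"),
    "mysql_missing_ssl": ("mysql", "jdbc:mysql://192.168.16.76:3306/information_schema",
                          "databaseName=information_schema#port=3306", "yes"),
    "sybase_hostname": ("sybase", "jdbc:sybase:Tds:dbhost.example.com:9050/master",
                        "databaseName=sales#port=9000#SYBSOCKET_FACTORY=DEFAULT", "yes"),
}


def run_samples():
    return dict((name, check_it_resource(*values)) for name, values in SAMPLES.items())
```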

2.3.5 Configuring the IT Resource

Note:

Perform the procedure described in this section if you are using a certified database listed in Table 1-1. For all other databases, proceed to Chapter 5, "Configuring the Connector for a JDBC-Based Database."

You must specify values for the parameters of the IT resource as follows:

  1. Log in to the Administrative and User Console.

  2. If you are using Oracle Identity Manager release 9.1.0.x, expand Resource Management, and then click Manage IT Resource.

  3. If you are using Oracle Identity Manager release 11.1.1, then:

    • On the Welcome to Oracle Identity Manager Self Service page, click Advanced.

    • On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.

  4. In the IT Resource Name field on the Manage IT Resource page, enter the name of one of the following IT resources, and then click Search:

    • For IBM DB2 UDB, enter DB2UDB.

    • For Microsoft SQL Server, enter MS SQL Server.

    • For MySQL, enter MySQL.

    • For Oracle Database, enter Oracle.

    • For Sybase, enter Sybase.

  5. Click the edit icon for the IT resource.

  6. From the list at the top of the page, select Details and Parameters.

  7. Specify values for the parameters of the IT resource. Table 2-9 describes each parameter.

    Table 2-9 IT Resource Parameters

    Parameter Description

    Admin ID

    Enter the user name of the target system account to be used for connector operations.

    Note: If you are configuring the connector for Oracle Database Vault, then you must enter the user name of the account that you had created in Section 2.3.2, "Creating the Administrator Account on Oracle Database Vault."

    Sample value: sysadm

    See the "Target system user account" row in Table 1-1 for more information.

    Admin Password

    Enter the password of the target system account specified by the Admin ID parameter.

    Note: If you are configuring the connector for Oracle Database Vault, then you must enter the password of the account that you had created in Section 2.3.2, "Creating the Administrator Account on Oracle Database Vault."

    Database Driver

    Depending on the target system that you are using, enter one of the following values as the JDBC driver class name:

    • For IBM DB2 UDB: com.ibm.db2.jcc.DB2Driver

    • For Microsoft SQL Server: com.microsoft.sqlserver.jdbc.SQLServerDriver

    • For MySQL: com.mysql.jdbc.Driver

    • For Oracle Database: oracle.jdbc.driver.OracleDriver

    • For Sybase: com.sybase.jdbc3.jdbc.SybDriver

    • For other databases, enter the corresponding JDBC driver class name.

    JDBC URL

    Specify the JDBC URL for the target system database.

    See Section 2.3.4, "Determining Values for the JDBC URL and Connection Properties Parameters" for information about the JDBC URL value that you must enter.

    Configuration Lookup

    This parameter holds the name of the lookup definition that stores configuration information for connector operations.

    If you have configured your target system as a target resource, then enter one of the following values:

    • For IBM DB2 UDB: Lookup.DBUM.DB2.Configuration

    • For Microsoft SQL Server: Lookup.DBUM.MSSQL.Configuration

    • For MySQL: Lookup.DBUM.MySQL.Configuration

    • For Oracle Database: Lookup.DBUM.Oracle.Configuration

    • For Sybase: Lookup.DBUM.Sybase.Configuration

    • For other databases, enter the corresponding Configuration lookup definition name.

    If you have configured your target system as a trusted source, then enter one of the following values:

    • For IBM DB2 UDB: Lookup.DBUM.DB2.TrustedRecon.Configuration

    • For Microsoft SQL Server: Lookup.DBUM.MSSQL.TrustedRecon.Configuration

    • For MySQL: Lookup.DBUM.MySQL.TrustedRecon.Configuration

    • For Oracle Database: Lookup.DBUM.Oracle.TrustedRecon.Configuration

    • For Sybase: Lookup.DBUM.Sybase.TrustedRecon.Configuration

    • For other databases, enter the corresponding Configuration lookup definition name.

    Database Name

    If you are using Microsoft SQL Server or Sybase as the target system for creating users, then specify a value for this parameter. Otherwise, do not enter any value.

    This parameter holds the name of the database as specified in the JDBC URL parameter.

    Sample value: master

    isSecure

    Enter yes if you plan to configure SSL to secure communication between Oracle Identity Manager and the target system. Otherwise, enter no.

    Default value: no

    Connection Properties

    Specify the connection properties for the target system database.

    See Section 2.3.4, "Determining Values for the JDBC URL and Connection Properties Parameters" for information about the connection properties value that you must enter.

    Connection Pooling Parameters


    Abandoned connection timeout

    Enter the time (in seconds) after which a connection must be automatically closed if it is not returned to the pool.

    Note: You must set this parameter to a value that is high enough to accommodate processes that take a long time to complete (for example, full reconciliation).

    Default value: 600

    Connection wait timeout

    Enter the maximum time (in seconds) for which the connector must wait for a connection to be available.

    Default value: 60

    Inactive connection timeout

    Enter the time (in seconds) of inactivity after which a connection must be dropped and replaced by a new connection in the pool.

    Default value: 600

    Initial pool size

    Enter the number of connections that must be established when the connection pool is initialized.

    The pool is initialized when it receives the first connection request from a connector.

    Default value: 1

    Max pool size

    Enter the maximum number of connections that must be established in the pool at any point of time.

    This number includes the connections that have been borrowed from the pool.

    Default value: 100

    Min pool size

    Enter the minimum number of connections that must be in the pool at any point of time.

    This number includes the connections that have been borrowed from the pool.

    Default value: 5

    Validate connection on borrow

    Enter true if you want connections to be validated before they are lent by the pool. Otherwise, enter false.

    It is recommended that you set the value to true.

    Default value: false

    Timeout check interval

    Enter the time interval (in seconds) at which the timeouts specified by the other parameters must be checked.

    Default value: 30

    Pool preference

    This parameter holds the preferred connection pooling implementation.

    Value: Default

    Note: Do not change the value of this parameter.

    Connection pooling supported

    Enter true if you want to enable connection pooling for this target system installation. Otherwise, enter false.

    Default value: false

    Target supports only one connection

    This parameter indicates whether the target system can support one or more connections at a time.

    Value: false

    Note: Do not change the value of this parameter.

    ResourceConnection class definition

    This parameter holds the implementation of the ResourceConnection class.

    Value: oracle.iam.connectors.dbum.common.db.util.DBUMResourceConnectionImpl

    Note: Do not change the value of this parameter.

    Native connection pool class definition

    This parameter holds the name of the wrapper to the native pool mechanism that implements the GenericPool class.

    Note: Do not specify a value for this parameter.

    Pool excluded fields

    This parameter holds a comma-separated list of IT resource parameters whose change must not trigger a refresh of the connector pool.

    Value: Configuration Lookup

    Note:

    Do not change the value of this parameter unless you are adding or deleting a parameter from the IT resource. You must ensure that the total length of the list does not exceed 2000 characters. If you are adding a parameter to the IT resource, then that parameter name must be added to the above list with a comma separator. If you are deleting a parameter from the IT resource, then that parameter must be removed from the list if it exists in the list.

    You must restart Oracle Identity Manager for changes that you make to this parameter to take effect.

    Connection Retries

    Enter the number of consecutive attempts to be made at establishing a connection with the target system.

    Default value: 2

    Connection wait timeout

    Enter the time in milliseconds within which the target system is expected to respond to a connection attempt.

    For a particular connection attempt, if the target system does not respond within the time interval specified by the Connection Timeout parameter, then it is assumed that the connection attempt has failed.

    Default value: 60

    Retry Interval

    Enter the interval in milliseconds between consecutive attempts at establishing a connection with the target system.

    Default value: 1000


  8. To save the values, click Update.