4 Connector Deployment on Oracle Identity Manager

You must deploy the ACF2 connector locally in Oracle Identity Manager.

The LDAP Gateway acts as the intermediary between Oracle Identity Manager and the connector components on the mainframe. The following sections of this chapter describe the procedure to deploy some components of the connector, including the LDAP Gateway, on the Oracle Identity Manager host computer:

Files and Directories in the CA_ACF2_Connector.zip

This zip file contains the connector artifacts that need to be installed in Oracle Identity Manager.

Table 4-1 Files and Directories in the CA_ACF2_Connector.zip

File in the Installation Media Directory        Description

configuration/ACF2Adv.xml

This XML file contains configuration information that is used during connector installation.

Files in the resources directory

Each of these resource bundles contains locale-specific information that is used by the connector. During connector installation, these files are copied to the Oracle Identity Manager database.

Note: A resource bundle is a file containing localized versions of text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages.

lib/acf2-provisioning-adapter.jar

This JAR file contains the code for the adapters that are used during connector operations. During connector installation, this file is copied to the Oracle Identity Manager database.

lib/acf2-scheduled-tasks.jar

This JAR file contains the code for the scheduled task that is used during full reconciliation. During connector installation, this file is copied to the Oracle Identity Manager database.

xml/oimAcf2AdvConnector.xml

This XML file contains definitions of the connector components, such as the IT resource and resource object. These objects are created in Oracle Identity Manager when you import the XML file.

Running the Connector Installer

When you run the Connector Installer, it automatically copies the connector files to directories in Oracle Identity Manager, imports connector XML files, and compiles adapters used for provisioning.

To run the Connector Installer:

  1. Copy the contents of the connector installation media directory (CA_ACF2_Connector.zip) into the following directory: OIM_HOME/server/ConnectorDefaultDirectory

    Note:

    In an Oracle Identity Manager cluster, copy the entire installation media to each node of the cluster.
  2. Log in to the Administrative and User Console by using the user account described in Creating the User Account for Installing Connectors in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
  3. On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Install Connector.
  4. From the Connector List, select CA ACF2 Adv RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copied into the default connector installation directory in Step 1.
    If you have copied the installation files into a different directory, then:
    1. In the Alternative Directory field, enter the full path and name of that directory.

    2. To repopulate the list of connectors in the Connector List list, click Refresh.

    3. From the Connector List list, select CA ACF2 Adv RELEASE_NUMBER.

  5. Click Load.
  6. To start the installation process, click Continue.
    The following tasks are performed in sequence:
    1. Configuration of connector libraries.

    2. Import of the connector Target Resource user configuration XML file (by using the Deployment Manager).

    3. Compilation of adapters.

    On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:
    • Retry the installation by clicking Retry.

    • Cancel the installation and begin again from Step 1.

  7. If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:
    1. Ensuring that the prerequisites for using the connector are addressed

      Note:

      At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites.

      There are no prerequisites for some predefined connectors.

    2. Configuring the IT resource for the connector

      Record the name of the IT resource displayed on this page. See Configuring the IT Resource.

    3. Configuring the scheduled task that is created when you install the connector
      Record the name of the scheduled task displayed on this page.

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Files and Directories in the CA_ACF2_Connector.zip.

Note:

When installing the connector in an Oracle Identity Manager cluster, you must copy all the JAR files and the contents of the resources directory into the corresponding directories on each node of the cluster. See Files and Directories in the CA_ACF2_Connector.zip for information about the files that you must copy and their destination locations on the Oracle Identity Manager server.

Configuring the IT Resource

The IT resource for the target system contains connection information about the target system. Oracle Identity Manager uses this information for reconciliation and provisioning.

You must specify values for the parameters of the Acf2Resource IT resource as follows:
  1. Log in to the Administrative and User Console.
  2. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
  3. In the IT Resource Name field on the Manage IT Resource page, enter Acf2Resource and then click Search.
  4. Click the edit icon for the IT resource.
  5. From the list at the top of the page, select Details and Parameters.
  6. Specify values for the parameters of the IT resource. Table 4-2 describes each parameter.

    Table 4-2 IT Resource Parameters

    Parameter        Description

    AtMap User

    This parameter holds the name of the lookup definition containing attribute mappings that are used for provisioning.

    Value: AtMap.ACF2

    Note: You must not change the value of this parameter.

    idfbackendContext

    Enter the root context of the LDAP Gateway backend.

    Sample value: dc=system,dc=backend

    idfBackendDn

    Enter the user ID that the connector will use to connect to the LDAP Gateway backend.

    Sample value: cn=Directory Manager,dc=system,dc=backend

    idfBackendPassword

    Enter the password of the user ID that the connector will use to connect to the LDAP Gateway backend. You also set this password in the configuration.properties file of the LDAP Gateway.

    Note: Do not enter an encrypted value.

    idfPrincipalDn

    Set a user ID for an account that the connector will use to connect to the LDAP Gateway.

    Format: cn=USER_ID,dc=acf2,dc=com

    Sample value: cn=idfAcf2Admin,dc=acf2,dc=com

    You also set this user ID in the customer-configuration.properties file in the LDAP_GATEWAY_HOME/conf directory. See Step 6 in Installing and Configuring the LDAP Gateway.

    idfPrincipalPwd

    Set a password for the account that the connector will use to connect to the LDAP Gateway. You also set this password in the file listed in the description of the idfPrincipalDn parameter.

    Note: Do not enter an encrypted value.

    idfRootContext

    This parameter holds the root context for CA ACF2.

    Value: dc=acf2,dc=com

    Note: You must not change the value of this parameter.

    idfServerHost

    This parameter holds the host name of the computer on which you install the LDAP Gateway. For this release of the connector, you install the LDAP Gateway on the Oracle Identity Manager host computer.

    Value: localhost

    Note: Do not change the value of this parameter unless you have installed the LDAP Gateway on a different machine from the Oracle Identity Manager host computer.

    idfServerPort

    Enter the number of the port for connecting to the LDAP Gateway.

    Sample value: 5389

    You also set this port number in the beans.xml inside the idfserver.jar file. See Step 6 in Installing and Configuring the LDAP Gateway.

    idfSsl

    This parameter determines whether the connector uses SSL for its connection to the LDAP Gateway. Enter true if the LDAP Gateway has been configured to accept SSL connections. Otherwise, enter false. When you enter true, you must also set the idfTrustStore, idfTrustStorePassword, and idfTrustStoreType parameters.

    Sample value: true

    idfTrustStore

    This parameter holds the path of the trust store containing the SSL certificate of the LDAP Gateway. This parameter is optional, and should only be entered when idfSsl is set to true. A relative path is resolved against the working directory of the Oracle Identity Manager server process, so an absolute path avoids ambiguity.

    Sample value: ../conf/idf.jks

    idfTrustStorePassword

    This parameter holds the password for the SSL trust store. This parameter is optional, and should only be entered when idfSsl is set to true.

    idfTrustStoreType

    This parameter holds the type of the SSL trust store. This parameter is optional, and should only be entered when idfSsl is set to true.

    Sample value: jks

    Last Modified Time Stamp

    The most recent start time of the Reconcile LDAP Users reconciliation scheduled task is stored in this parameter. See Reconciling Internal LDAP Users to Oracle Identity Manager for more information about this scheduled task.

    The format of the value stored in this parameter is as follows:

    MM/dd/yy hh:mm:ss a

    In this format:

    • MM is the month of the year.

    • dd is the day of the month.

    • yy is the year.

    • hh is the hour in am/pm (01-12).

    • mm is the minute in the hour.

    • ss is the second in the minute.

    • a is the marker for AM or PM.

    Sample value: 05/07/10 02:46:52 PM

    The default value is 0. The reconciliation task will perform full LDAP user reconciliation when the value is 0. If the value is a non-zero, standard time-stamp value in the format given above, then incremental reconciliation is performed. Only records that have been created or modified after the specified time stamp are brought to Oracle Identity Manager for reconciliation.

    Note: When required, you can manually enter a time-stamp value in the specified format.

  7. To save the values, click Update.
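The full-versus-incremental decision that the Last Modified Time Stamp parameter drives, as an added example that is not part of this documentation or of the connector's own code. It assumes that the entries returned by the LDAP Gateway carry a modifyTimestamp attribute in LDAP generalized time (UTC, for example 20100507144652Z), that the parameter value uses the Java SimpleDateFormat pattern MM/dd/yy hh:mm:ss a from Table 4-2, and that the sample entries (constructed here, not real data) stand in for what the scheduled task reads from the gateway.

```python
"""Incremental-versus-full selection driven by Last Modified Time Stamp.

Added example, not connector code. Assumptions: entries carry a
modifyTimestamp in LDAP generalized time (UTC, e.g. 20100507144652Z) and
the parameter value uses the Java pattern "MM/dd/yy hh:mm:ss a".
"""
from datetime import datetime, timezone

# strptime/strftime equivalent of the Java pattern "MM/dd/yy hh:mm:ss a":
# two-digit year, 12-hour clock, AM/PM marker.
PARAM_FORMAT = "%m/%d/%y %I:%M:%S %p"
# LDAP generalized time, as directories usually return modifyTimestamp.
LDAP_TIME_FORMAT = "%Y%m%d%H%M%SZ"
# Parameter value that forces a full reconciliation run.
FULL_RUN_MARKER = "0"

# Constructed sample entries, not real data.
SAMPLE_ENTRIES = [
    {"dn": "cn=user1,dc=acf2,dc=com", "modifyTimestamp": "20100506120000Z"},
    {"dn": "cn=user2,dc=acf2,dc=com", "modifyTimestamp": "20100507144652Z"},  # equals cutoff
    {"dn": "cn=user3,dc=acf2,dc=com", "modifyTimestamp": "20100507150000Z"},
    {"dn": "cn=user4,dc=acf2,dc=com", "modifyTimestamp": "20100601000000Z"},
]


def parse_last_modified(value):
    """Return None when a full run is required (value "0"), otherwise the
    cutoff as an aware UTC datetime.

    Any other value raises ValueError so that a mistyped parameter fails
    loudly instead of silently turning into an unintended full run or a
    run that skips records.
    """
    value = (value or "").strip()
    if value == FULL_RUN_MARKER:
        return None
    return datetime.strptime(value, PARAM_FORMAT).replace(tzinfo=timezone.utc)


def is_valid_last_modified(value):
    """True if the value is "0" or a timestamp in the parameter's format."""
    try:
        parse_last_modified(value)
        return True
    except ValueError:
        return False


def format_last_modified(dt):
    """Render a datetime in the parameter's format, for writing the start
    time of the run that just executed back into the IT resource."""
    return dt.astimezone(timezone.utc).strftime(PARAM_FORMAT)


def select_for_reconciliation(entries, last_modified):
    """Full run: every entry. Incremental run: only entries whose
    modifyTimestamp is strictly after the cutoff ("created or modified
    after the specified time stamp")."""
    cutoff = parse_last_modified(last_modified)
    if cutoff is None:
        return list(entries)
    selected = []
    for entry in entries:
        modified = datetime.strptime(entry["modifyTimestamp"], LDAP_TIME_FORMAT)
        modified = modified.replace(tzinfo=timezone.utc)
        if modified > cutoff:
            selected.append(entry)
    return selected


def run_reconciliation(entries, last_modified, run_start):
    """One scheduled-task run: pick the entries to reconcile and return the
    value to store back into Last Modified Time Stamp.

    The stored value is the start time of this run, not its end time, so a
    record modified while the run was in progress is picked up next time
    instead of being lost in the gap.
    """
    selected = select_for_reconciliation(entries, last_modified)
    return selected, format_last_modified(run_start)


if __name__ == "__main__":
    picked, next_value = run_reconciliation(
        SAMPLE_ENTRIES,
        "05/07/10 02:46:52 PM",
        datetime(2010, 5, 8, 1, 0, 0, tzinfo=timezone.utc),
    )
    print("incremental run picked:", [e["dn"] for e in picked])
    print("next Last Modified Time Stamp:", next_value)
```

Two details worth noting: the comparison is strictly greater than, so an entry whose modifyTimestamp equals the stored value (user2 above) is not re-read, and the two-digit year in the parameter format is interpreted with the usual pivot, so a value typed by hand in a four-digit or ISO form is rejected rather than guessed at.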

Configuring Oracle Identity Manager

You must create a UI form and an application instance for the resource against which you want to perform reconciliation and provisioning operations.

Creating and Activating a Sandbox

You must create and activate a sandbox to begin using the customization and form management features. You can then publish the sandbox to make the customizations available to other users.

See Managing Sandboxes in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for instructions on creating and activating a sandbox.

Creating a New UI Form

See Managing Forms in Oracle Fusion Middleware Administering Oracle Identity Manager for instructions on creating a new UI form. While creating the UI form, ensure that you select the resource object corresponding to the ACF2 connector that you want to associate the form with.

Creating an Application Instance

Create an application instance and associate it with the form created in Creating a New UI Form. For detailed instructions, see Managing Application Instances in Oracle Fusion Middleware Administering Oracle Identity Manager.

Publish the application instance to an organization to make the application instance available for requesting and subsequent provisioning to users. See Managing Organizations Associated With Application Instances in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed instructions.

Publishing a Sandbox

You must publish the sandbox that you created in Creating and Activating a Sandbox to merge the customizations it contains with the main line.

See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for instructions on publishing a sandbox.

Updating an Existing Application Instance with a New Form

For any changes you make in the Form Designer, you must create a new UI form and update the application instance to use it. To update an existing application instance with a new form:
  1. Create a sandbox and activate it as described in Creating and Activating a Sandbox.
  2. Create a new UI form for the resource as described in Creating a New UI Form.
  3. Open the existing application instance.
  4. In the Form field, select the new UI form that you created.
  5. Save the application instance.
  6. Publish the sandbox as described in Publishing a Sandbox.

Enabling Logging

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. Oracle Identity Manager uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.logging.

To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
  • ERROR:1

  • WARNING:1

  • NOTIFICATION:1

  • NOTIFICATION:16

  • TRACE:1

  • TRACE:16

  • TRACE:32

See Message Types and Levels in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about the log levels.

Oracle Identity Manager level logging operations are managed by the logging.xml file which is located in the following directory:

DOMAIN_NAME/config/fmwconfig/servers/SERVER_NAME/

Loggers are used to configure logging operations for the Oracle Identity Manager functions of the connector.

To configure loggers:

  1. In a text editor, open the DOMAIN_NAME/config/fmwconfig/servers/SERVER_NAME/logging.xml file.
  2. Locate the logger you want to configure. If you are adding a logger for the first time, you must create the logger definition. Table 4-3 lists the Oracle Identity Manager loggers for this connector.

    Table 4-3 Logger Parameters

    Logger        Description

    com.identityforge.util.acf2.LdapOperationsImpl

    Logs events related to basic LDAP functions, including connecting to and disconnecting from the LDAP Gateway.

    com.identityforge.util.acf2.tasks.DeleteReconcileOIMUsersTask

    Logs events related to the ACF2 Delete OIM Users scheduled task.

    com.identityforge.util.acf2.tasks.FindAllAccessRulesTask

    Logs events related to the ACF2 Find All Access Rules scheduled task.

    com.identityforge.util.acf2.tasks.FindAllResourcesTask

    Logs events related to the ACF2 Find All Resources scheduled task.

    com.identityforge.util.acf2.tasks.ReconcileAllLdapUsersTask

    Logs events related to the scheduled task that reconciles internal LDAP users to Oracle Identity Manager (see Reconciling Internal LDAP Users to Oracle Identity Manager).

    com.identityforge.util.acf2.tasks.ReconcileAllUsersTask

    Logs events related to the ACF2 Reconcile All Users scheduled task.
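An added example of the logging.xml entries that give the loggers in Table 4-3 their own log file. This fragment is not taken from the connector documentation; the handler name acf2-handler and the log file name are assumed, DOMAIN_NAME and SERVER_NAME are the same placeholders used in the path above, and console-handler is assumed to be the handler that the server's default logging.xml already defines.

```xml
<!-- Added example, not part of the connector documentation.
     Assumed names: acf2-handler, acf2-connector.log. DOMAIN_NAME and
     SERVER_NAME are the placeholders used for the logging.xml path. -->

<!-- 1. A file handler for the connector's messages. Put it inside the
        existing <log_handlers> element of logging.xml. -->
<log_handler name="acf2-handler" level="TRACE:32"
             class="oracle.core.ojdl.logging.ODLHandlerFactory">
  <property name="logreader:" value="off"/>
  <property name="path" value="DOMAIN_NAME/servers/SERVER_NAME/logs/acf2-connector.log"/>
  <property name="format" value="ODL-Text"/>
  <property name="useThreadName" value="true"/>
  <property name="locale" value="en"/>
  <property name="maxFileSize" value="5242880"/>
  <property name="maxLogSize" value="52428800"/>
  <property name="encoding" value="UTF-8"/>
</log_handler>

<!-- 2. One <logger> element per name from Table 4-3, inside the existing
        <loggers> element. useParentHandlers="false" keeps the connector
        output out of the parent logger's handlers. The level on the
        logger cannot be more verbose than the level on the handler, so
        keep the two consistent. -->
<logger name="com.identityforge.util.acf2.LdapOperationsImpl"
        level="TRACE:32" useParentHandlers="false">
  <handler name="acf2-handler"/>
  <handler name="console-handler"/>
</logger>

<logger name="com.identityforge.util.acf2.tasks.ReconcileAllUsersTask"
        level="NOTIFICATION:1" useParentHandlers="false">
  <handler name="acf2-handler"/>
  <handler name="console-handler"/>
</logger>
```

The file is read at server start, so restart the Oracle Identity Manager managed server after editing it, and because the path contains SERVER_NAME the change has to be repeated on every managed server in a cluster. Treat TRACE:32 on LdapOperationsImpl as a troubleshooting setting rather than a permanent one: it records every operation against the LDAP Gateway and so can include account identifiers, so restrict read access to the resulting log file and drop back to NOTIFICATION:1 or WARNING:1 once the problem is diagnosed.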