The LDAP Gateway acts as the intermediary between Oracle Identity Manager and the connector components on the mainframe. The following sections of this chapter describe the procedure to deploy some components of the connector, including the LDAP Gateway, on the Oracle Identity Manager host computer:
Note:
The procedure to deploy the mainframe components of the connector is described in the next chapter.
When you run the Connector Installer, it automatically copies the connector files to directories in Oracle Identity Manager, imports connector XML files, and compiles adapters used for provisioning.
The IT resource for the target system contains connection information about the target system. Oracle Identity Manager uses this information during provisioning and reconciliation. The IT resource for this connector is automatically created when you run the Connector Installer, and you must specify values for the parameters of the IT resource.
You must specify values for the parameters of the TopSecretResource IT resource as follows:
Log in to the Oracle Identity System Administration.
In the left pane, under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter TopSecretResource and then click Search.
Click the edit icon for the IT resource.
From the list at the top of the page, select Details and Parameters.
Specify values for the parameters of the IT resource. Table 3-1 describes each parameter.
Table 3-1 IT Resource Parameters for CA Top Secret Connector
Parameter | Description |
---|---|
AtMap User | This parameter holds the name of the lookup definition containing the attribute mappings that are used for provisioning. Value: Note: You must not change the value of this parameter. |
auditTemplate | This parameter is required for audit statements to be passed along with all TSS commands. If you do not specify a value for this parameter, then the connector does not post audit comments for any process task that is initiated from Oracle Identity Manager. Sample value: See Configuring the Connector for Audit Comments for detailed information on the value to be specified for this parameter. |
idfBackendDn | Enter the user ID that the connector will use to connect to the LDAP Gateway backend. Sample value: |
idfBackendPassword | Enter the password of the user ID that the connector will use to connect to the LDAP Gateway backend. You also set this password in the configuration.properties file of the LDAP Gateway, so restrict file-system access to that file on the gateway host. Note: Do not enter an encrypted value. |
idfbackendContext | Enter the root context for the LDAP Gateway backend. Sample value: |
idfConnectTimeoutMS | Enter an integer value that specifies the number of milliseconds after which an attempt to establish a connection between the LDAP Gateway and Oracle Identity Manager times out. If you do not enter a value for this parameter, then the connector uses a default timeout of Note: If the number of records to be retrieved is high, increase the timeout value accordingly. |
idfPrincipalDn | Set a user ID for an account that the connector will use to connect to the LDAP Gateway. Format: Sample value: |
idfPrincipalPwd | Set a password for the account that the connector will use to connect to the LDAP Gateway. You also set this password in the files listed in the description of the idfPrincipalDn parameter. Note: Do not enter an encrypted value. |
idfReadTimeoutMS | Enter an integer value that specifies the number of milliseconds after which an attempt to read data from the target system times out. If you do not enter a value for this parameter, then the connector uses a default timeout of Note: If the number of records to be retrieved is high, increase the timeout value accordingly. |
idfRootContext | This parameter holds the root context for CA Top Secret. Value: Note: You must not change the value of this parameter. |
idfServerHost | This parameter holds the host name or IP address of the computer on which you install the LDAP Gateway. For this release of the connector, you install the LDAP Gateway on the Oracle Identity Manager host computer. Default value: Note: Do not change the value of this parameter unless you have installed the LDAP Gateway on a different machine from the Oracle Identity Manager host computer. |
idfServerPort | Enter the number of the port for connecting to the LDAP Gateway. Sample value: |
idfSsl | This parameter determines whether the LDAP Gateway will use SSL to connect to the target system. Enter Sample value: |
idfTrustStore | This parameter holds the directory location of the trust store containing the SSL certificate. This parameter is optional and should be entered only when using SSL authentication. The value must be the full path to the directory location. Sample value: |
idfTrustStorePassword | This parameter holds the password for the SSL trust store. This parameter is optional and should be entered only when using SSL authentication. |
idfTrustStoreType | This parameter holds the type of the SSL trust store. This parameter is optional and should be entered only when using SSL authentication. Sample value: |
Last Modified Time Stamp | The most recent start time of the Reconcile LDAP Users reconciliation scheduled task is stored in this parameter. See Top Secret Reconcile LDAP Users to OIM for more information about this scheduled task. The format of the value stored in this parameter is MM/dd/yy hh:mm:ss a, where MM is the month of the year, dd is the day of the month, yy is the year, hh is the hour in am/pm (01-12), mm is the minute in the hour, ss is the second in the minute, and a is the marker for AM or PM. Sample value: The default value is 0. The reconciliation task performs full LDAP user reconciliation when the value is 0. If the value is a non-zero, standard time-stamp value in the format given above, then incremental reconciliation is performed: only records that have been created or modified after the specified time stamp are brought to Oracle Identity Manager for reconciliation. Note: When required, you can manually enter a time-stamp value in the specified format. |
Secondary IT resource | If you created a secondary IT resource for reconciliation or provisioning, then enter its name. |
To save the values, click Update.
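The Last Modified Time Stamp parameter in Table 3-1 decides between a full and an incremental run, and the page notes that you can enter the value by hand. The following added example (not connector or Oracle code) shows how to produce and validate a value in the MM/dd/yy hh:mm:ss a format and how that value selects records; the record list and its "modified" field are constructed for illustration, and a malformed value is rejected rather than silently treated as 0, which would trigger an unintended full reconciliation.

```python
from datetime import datetime

# Format of the Last Modified Time Stamp IT resource parameter (Table 3-1):
# MM/dd/yy hh:mm:ss a, expressed as the equivalent strptime/strftime pattern.
# Note the two-digit year: %y maps 00-68 to 2000-2068 and 69-99 to 1969-1999.
TIMESTAMP_FORMAT = "%m/%d/%y %I:%M:%S %p"
FULL_RECONCILIATION = "0"


def parse_last_modified(value):
    """Return None for a full reconciliation ("0"), otherwise the parsed datetime.

    Any other malformed value raises instead of falling back to a full run, so a
    typo in a manually entered time stamp is noticed rather than causing every
    Top Secret user to be reconciled again.
    """
    value = value.strip()
    if value == FULL_RECONCILIATION:
        return None
    try:
        return datetime.strptime(value, TIMESTAMP_FORMAT)
    except ValueError as exc:
        raise ValueError(
            f"Last Modified Time Stamp {value!r} is not in MM/dd/yy hh:mm:ss a format"
        ) from exc


def format_last_modified(moment):
    """Render a datetime in the format accepted when the parameter is entered manually."""
    return moment.strftime(TIMESTAMP_FORMAT)


def select_records(records, last_modified_value):
    """Apply the documented rule: every record when the value is 0, otherwise only
    records created or modified strictly after the stored time stamp."""
    since = parse_last_modified(last_modified_value)
    if since is None:
        return list(records)
    return [record for record in records if record["modified"] > since]


# Constructed sample records; "modified" stands in for the target-system change
# time that the scheduled task would compare against (assumed field name).
SAMPLE_RECORDS = [
    {"uid": "TSSUSR01", "modified": datetime(2024, 3, 5, 9, 0, 0)},
    {"uid": "TSSUSR02", "modified": datetime(2024, 3, 5, 14, 7, 9)},
    {"uid": "TSSUSR03", "modified": datetime(2024, 3, 6, 8, 30, 0)},
]


if __name__ == "__main__":
    stamp = format_last_modified(datetime(2024, 3, 5, 14, 7, 9))
    incremental = [r["uid"] for r in select_records(SAMPLE_RECORDS, stamp)]
    print("incremental since", stamp, "->", incremental)
    print("full ->", [r["uid"] for r in select_records(SAMPLE_RECORDS, "0")])
```

Because the comparison is strict, a record whose change time equals the stored stamp is not picked up again on the next run; keep that in mind if the target system records change times only to the second.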
You must create additional metadata such as a UI form and an application instance. In addition, you must run entitlement and catalog synchronization jobs. These procedures are described in the following sections:
Create a new UI form as follows:
Create an application instance as follows:
To harvest entitlements and sync catalog:
See Also:
Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Governance for a description of the Entitlement List and Catalog Synchronization Job scheduled jobs
For any changes you make in the Form Designer, you must create a new UI form and update the application instance with it. To update an existing application instance with a new form:
You can localize UI form field labels by using the resource bundle corresponding to the language you want to use. The resource bundles are available in the connector installation package.
Perform the following steps to localize the field labels that you add to UI forms:
Log in to Oracle Enterprise Manager.
In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
In the right pane, from the Application Deployment list, select MDS Configuration.
On the MDS Configuration page, click Export and save the archive to the local computer.
Extract the contents of the archive, and open the following file in a text editor:
SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf
Edit the BizEditorBundle.xlf file as follows:
Search for the following text:
<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
Replace with the following text:
<file source-language="en" target-language="LANG_CODE" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:
<file source-language="en" target-language="ja" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
Search for the application instance code. The original code will be in the following format:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_<Field_Name>__c_description']}">
<source><Field_Label></source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.<UI_Form_Name>.entity.<UI_Form_Name>EO.UD_<Field_Name>__c_LABEL">
<source><Field_Label></source>
<target/>
</trans-unit>
For example, the following sample code shows the two entries for the FULL NAME field on a UI form named TopSecretUserFormv1:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_IDF_TOPS_CN__c_description']}">
<source>FULL NAME</source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.TopSecretUserFormv1.entity.TopSecretUserFormv1EO.UD_IDF_TOPS_CN__c_LABEL">
<source>FULL NAME</source>
<target/>
</trans-unit>
Open the resource file from the /resources directory in the connector installation media, for example TopSecret-Adv_ja.properties, and get the value of the attribute from the file, for example global.udf.UD_IDF_TOPS_CN=\u6C0F\u540D.
Replace the original code shown in Step 6.c with the following:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_<Field_Name>__c_description']}">
<source><Field_Label></source>
<target>enter Unicode values here</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.<UI_Form_Name>.entity.<UI_Form_Name>EO.UD_<Field_Name>__c_LABEL">
<source><Field_Label></source>
<target>enter Unicode values here</target>
</trans-unit>
As an example, the code for the FULL NAME field translation would be:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_IDF_TOPS_CN__c_description']}">
<source>FULL NAME</source>
<target>\u6C0F\u540D</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.TopSecretUserFormv1.entity.TopSecretUserFormv1EO.UD_IDF_TOPS_CN__c_LABEL">
<source>FULL NAME</source>
<target>\u6C0F\u540D</target>
</trans-unit>
Repeat Steps 6.c through 6.e for all attributes of the process form.
Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing. Sample file name: BizEditorBundle_ja.xlf.
Repackage the ZIP file and import it into MDS.
Log out of and log in to Oracle Identity Manager.
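Steps 6.c through 6.e have to be repeated for every attribute of the process form, which is tedious and error-prone by hand. The following added example (not part of the connector or of Oracle's documentation) automates them: it reads the global.udf.* lines of a resource bundle such as TopSecret-Adv_ja.properties, decodes the \uXXXX escapes, sets target-language on the <file> element, and fills the <target> of every trans-unit whose id carries a UD_<Field_Name>__c suffix. The XLIFF excerpt and the properties excerpt below are constructed; the second field name UD_IDF_TOPS_UID is assumed and exists only to show that a field without a translation is left untouched.

```python
import codecs
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of an exported BizEditorBundle.xlf: the two trans-units shown
# for the FULL NAME field of TopSecretUserFormv1, plus an assumed second field
# (UD_IDF_TOPS_UID) that has no entry in the resource bundle.
SAMPLE_XLF = """<xliff version="1.1">
<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
<body>
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_IDF_TOPS_CN__c_description']}">
<source>FULL NAME</source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.TopSecretUserFormv1.entity.TopSecretUserFormv1EO.UD_IDF_TOPS_CN__c_LABEL">
<source>FULL NAME</source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.TopSecretUserFormv1.entity.TopSecretUserFormv1EO.UD_IDF_TOPS_UID__c_LABEL">
<source>USER ID</source>
<target/>
</trans-unit>
</body>
</file>
</xliff>
"""

# Constructed excerpt in the style of TopSecret-Adv_ja.properties. A raw string keeps
# the \uXXXX escapes literal, exactly as they are stored in a .properties file.
SAMPLE_PROPERTIES = r"""
# Japanese labels (constructed)
global.udf.UD_IDF_TOPS_CN=\u6C0F\u540D
"""

# Both trans-unit ids end in ...<Field_Name>__c_description or ...<Field_Name>__c_LABEL.
FIELD_ID_RE = re.compile(r"\.(UD_[A-Za-z0-9_]+?)__c_(?:description|LABEL)")


def load_udf_labels(properties_text):
    """Map a field name such as UD_IDF_TOPS_CN to its decoded label."""
    labels = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("global.udf."):
            # .properties files store non-ASCII text as \uXXXX escapes.
            labels[key[len("global.udf."):]] = codecs.decode(value.strip(), "unicode_escape")
    return labels


def _local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def localize_bundle(xlf_text, labels, lang_code):
    """Return (localized XLIFF text, number of <target> elements filled)."""
    root = ET.fromstring(xlf_text)
    for elem in root.iter():
        if _local(elem.tag) == "file":
            elem.set("target-language", lang_code)  # steps 6.a and 6.b
    units = [u for u in root.iter() if _local(u.tag) == "trans-unit"]
    filled = 0
    for unit in units:
        match = FIELD_ID_RE.search(unit.get("id", ""))
        if not match or match.group(1) not in labels:
            continue  # no translation: leave the English source in place
        target = next((c for c in unit if _local(c.tag) == "target"), None)
        if target is None:
            target = ET.SubElement(unit, "target")
        target.text = labels[match.group(1)]  # steps 6.c to 6.e
        filled += 1
    return ET.tostring(root, encoding="unicode"), filled


if __name__ == "__main__":
    text, count = localize_bundle(SAMPLE_XLF, load_udf_labels(SAMPLE_PROPERTIES), "ja")
    print(f"filled {count} targets; save the output as BizEditorBundle_ja.xlf")
    print(text)
```

Run it against the exported file and the language-specific properties file, write the result as BizEditorBundle_LANG_CODE.xlf, and continue with the repackaging step. Diff the output against the export before importing it into MDS so that only <target> elements and the target-language attribute have changed.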
When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the Oracle Identity Manager database. Whenever you add a new resource bundle to the connectorResources directory or change an existing resource bundle, you must clear the content related to connector resource bundles from the server cache.
The CA Top Secret connector supports two forms of logging, namely LDAP gateway-level logging and Oracle Identity Manager-level logging.
This section discusses the following topics:
LDAP Gateway logging operations are managed by the log4j2.properties file, which is located in the LDAP_INSTALL_DIR/conf/ directory.
In the log4j2.properties file, edit the rootLogger log level. DEBUG and ALL are troubleshooting settings that produce fine-grained output; restore INFO once you have finished and restrict access to the log directory:
rootLogger.level = INFO
The following is a list of log levels that can be used:
ALL
This level enables logging for all events.
DEBUG
This level enables logging of information about fine-grained events that are useful for debugging.
INFO
This level enables logging of messages that highlight the progress of the application at a coarse-grained level.
WARN
This level enables logging of information about potentially harmful situations.
ERROR
This level enables logging of information about error events that might allow the application to continue running.
FATAL
This level enables logging of information about very severe error events that could cause the application to stop functioning.
OFF
This level disables logging for all events.
Multiple log files are available for use with the connector. Table 3-2 lists the name, location, and contents of each LDAP gateway log file.
Table 3-2 Log Files and their Contents for CA Top Secret Connector
Log File | Description |
---|---|
nohup.out | This log file contains the console window output from the LDAP Gateway. It is used primarily in conjunction with the run.sh script (instead of the run.bat file). Location: … |
idfserver.log.0 | This log file contains provisioning and reconciliation logging messages from the LDAP Gateway and is the primary log file used by the gateway component. Location: … |
Oracle Identity Manager uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.logging.
This section contains the following topics:
To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
SEVERE.intValue()+100
This level enables logging of information about fatal errors.
SEVERE
This level enables logging of information about errors that might allow Oracle Identity Manager to continue running.
WARNING
This level enables logging of information about potentially harmful situations.
INFO
This level enables logging of messages that highlight the progress of the application.
CONFIG
This level enables logging of information about fine-grained events that are useful for debugging.
FINE, FINER, FINEST
These levels enable logging of information about fine-grained events, where FINEST logs information about all events.
Log Levels in Oracle Identity Manager
These log levels are mapped to ODL message type and level combinations as shown in Table 3-3.
Table 3-3 Log Levels and ODL Message Type:Level Combinations
Log Level | ODL Message Type:Level |
---|---|
SEVERE.intValue()+100 | INCIDENT_ERROR:1 |
SEVERE | ERROR:1 |
WARNING | WARNING:1 |
INFO | NOTIFICATION:1 |
CONFIG | NOTIFICATION:16 |
FINE | TRACE:1 |
FINER | TRACE:16 |
FINEST | TRACE:32 |
OIM level logging operations are managed by the logging.xml file, which is located in following directory:
DOMAIN_NAME/config/fmwconfig/servers/SERVER_NAME/
Loggers are used to configure logging operations for the connector's OIM functions. To configure loggers:
Log statements are written to the path that is defined in the log handler that you assigned in the logger definition. For example, in the above logger definition for the Reconcile All Users scheduled task (in step 3), the handler is odl-handler, which has the following default output file path:
${domain.home}/servers/${weblogic.Name}/logs/${weblogic.Name}-diagnostic.log
If you want to configure the connector to pass on all TSS command comments for audit purposes, then you must specify a value for the auditTemplate parameter of the IT resource. The value must be in the following format:
/*MY_AUDIT_TEXT {{auditcomment}} MY_AUDIT_TEXT*/
Sample value: /* Operation initiated by {{auditcomment}} through OIM */
The value must begin with /* and end with */. The connector replaces {{auditcomment}} with a dynamic value that is obtained from the Desc field of the auditInfo parameter that is present in the method signature of the adapter task. MY_AUDIT_TEXT can be any text of your choice for audit.
The connector already includes the auditInfo parameter for some of the commonly used provisioning adapters, such as ModifyUserAttrTops. In such a scenario, you only need to search for the adapter task corresponding to the provisioning operation for which you want the connector to pass on audit statements. Then, edit the adapter task to locate the auditInfo method parameter and update its Desc field to include the audit text that meets your requirements. This value replaces {{auditcomment}} in the audit template to build the audit comment that is passed with the TSS command.
In scenarios where the adapter task does not include the auditInfo parameter (for example, RemoveTopsUserFromSources), you need to manually create a new adapter task for audit (for example, RemoveTopsUserFromSourceWithAudit), selecting the relevant constructor and method signatures, and then adding the auditInfo method parameter.
To update the Desc field of the auditInfo parameter to include an audit message that meets your requirements:
See Also:
Using the Adapter Factory in the Oracle® Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance guide for detailed information about creating and modifying adapter tasks
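The audit comment is built by substituting the Desc text of the auditInfo parameter into a /* ... */ template, so the comment is only as safe as the text you put in that field. The following added example (not connector or Oracle code) enforces the documented shape of the auditTemplate value and, as an additional check that the page does not describe and that is assumed to be absent from the connector's own substitution, rejects Desc text that contains a comment delimiter or a line break, since either would end the comment early and leave the remainder outside it when the TSS command is assembled. The sample template is the page's own sample value; the Desc texts are constructed.

```python
PLACEHOLDER = "{{auditcomment}}"


class AuditTemplateError(ValueError):
    """Raised when the auditTemplate value or the audit text cannot be used safely."""


def validate_audit_template(template):
    """Enforce the documented shape: begins with /*, ends with */, carries the placeholder."""
    value = template.strip()
    if not (value.startswith("/*") and value.endswith("*/")):
        raise AuditTemplateError("auditTemplate must begin with /* and end with */")
    if PLACEHOLDER not in value:
        raise AuditTemplateError(f"auditTemplate must contain {PLACEHOLDER}")
    return value


def check_audit_text(audit_text):
    """Added check (assumed, not documented connector behaviour): the Desc text is
    substituted verbatim into a /* ... */ comment, so a delimiter or a line break in
    it would terminate the comment early and leave trailing text outside it."""
    if "*/" in audit_text or "/*" in audit_text:
        raise AuditTemplateError("audit text must not contain /* or */")
    if "\r" in audit_text or "\n" in audit_text:
        raise AuditTemplateError("audit text must be a single line")
    return audit_text


def render_audit_comment(template, audit_text):
    """Build the comment the connector passes along with the TSS command."""
    return validate_audit_template(template).replace(PLACEHOLDER, check_audit_text(audit_text))


if __name__ == "__main__":
    # The page's sample auditTemplate value; the Desc text is constructed.
    template = "/* Operation initiated by {{auditcomment}} through OIM */"
    print(render_audit_comment(template, "ModifyUserAttrTops for request 1001"))
    for bad in ("/* missing placeholder */", "Operation by {{auditcomment}}"):
        try:
            validate_audit_template(bad)
        except AuditTemplateError as exc:
            print("rejected:", repr(bad), "->", exc)
```

Use validate_audit_template on the value before you save the IT resource, and check_audit_text on each Desc value you enter in an adapter task; the connector itself only performs the substitution the page describes.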