Oracle® Role Manager Integration Guide
Release 10g (10.1.4)

Part Number E12030-05

4 Configuring Oracle Identity Manager

This chapter contains procedures for configuring Oracle Identity Manager (Identity Manager) in preparation for the deployment of the Oracle Role Manager (Role Manager) Integration Library.

This chapter includes the following sections:

4.1 Before You Configure

The Role Manager Integration Library is intended to be deployed on the application server on which Identity Manager is deployed.

The procedures in this chapter assume the following:

4.2 Creating the System User and User Group for Role Manager (WebLogic)

The configuration of Identity Manager running on the WebLogic application server requires specific naming for system users and groups for integrations. This procedure creates a user in Identity Manager to receive messages from Role Manager for user group additions, modifications or deletions.

If you are updating an existing installation, you can skip this procedure.

Note:

If you have a clustered server configuration, this procedure must be performed on all managed nodes.

To create and configure the Role Manager user:

  1. On the Identity Manager host, navigate to ORMINT_HOME/config.

  2. Open the IMConfig.xml file for editing.

  3. In the policies section, edit the oimORMUser policy to change ormSystem to Internal as follows:

    <policy> 
      <parameters>
        <parameter>
          <id>oimORMUser</id>
          <string>Internal</string>
        </parameter>
      </parameters>
    </policy>
    
  4. Save and close the IMConfig.xml file.

  5. Start the Identity Manager server if it is not running.

  6. Connect to the Identity Manager Administrative and User Console.

  7. If the user named Internal does not exist, create it as follows:

    1. Select Users, then select Create.

      Note:

      For Identity Manager on WebLogic, the user ID must be Internal and should not be changed.
    2. In the User ID field, enter Internal.

    3. In the Password field, enter a password for the user.

    4. In the Confirm Password field, enter the same password.

    5. In the Organization field, click the magnifying icon.

    6. In the Lookup Form window, select the organization in which you want to create the Internal user.

    7. Click Select.

    8. Click Create User.

  8. If the user group named User does not exist, create it as follows:

    1. Select Users Groups, then select Create.

    2. In the Name field, enter User.

    3. Click Create.

  9. Assign the User Groups and User Groups.User Members permissions to the User user group as follows:

    Note:

    If you have just created the user group named User, skip to step 4.

    1. Select Users Groups, then select Manage.

    2. Search for and select the User user group.

    3. Click Permissions.

    4. Click Assign.

    5. In the results table, search for the User Groups permission, then select Insert, Write Access, Delete Access and Assign for the User Groups permission.

    6. On the Confirmation page, click Confirm Assign.

    7. Click Assign.

    8. In the results table, search for the User Groups.User Members permission, then select Insert, Write Access, Delete Access and Assign for the User Groups.User Members permission.

    9. On the Confirmation page, click Confirm Assign.

4.3 Creating the System User and User Group for Role Manager (JBoss)

This procedure creates a user in Identity Manager to receive messages from Role Manager for user group additions, modifications or deletions.

If you are updating an existing installation, you can skip this procedure.

To create the Role Manager user:

  1. Start the Identity Manager server if it is not running.

  2. Connect to the Identity Manager Administrative and User Console.

  3. Create the ormSystem user as follows:

    1. Select Users, then select Create.

    2. In the User ID field, enter ormSystem.

      Note:

      For Identity Manager on JBoss, the user ID must be ormSystem and must not be changed.
    3. In the Password field, enter ormSystem.

    4. In the Confirm Password field, enter ormSystem.

    5. In the Organization field, click the magnifying icon.

    6. In the Lookup Form window, select the organization in which you want to create the ormSystem user.

    7. Click Select.

    8. Click Create User.

  4. Create the ormSystem user group as follows:

    1. Select Users Groups, then select Create.

    2. In the Name field, enter ormSystem.

    3. Click Create.

  5. Assign the User Groups and User Groups.User Members permissions to the ormSystem user group as follows:

    1. Click Permissions.

    2. Click Assign.

    3. In the results table, search for the User Groups permission, then select Insert, Write Access, Delete Access and Assign for the User Groups permission.

    4. On the Confirmation page, click Confirm Assign.

    5. Click Assign.

    6. In the results table, search for the User Groups.User Members permission, then select Insert, Write Access, Delete Access and Assign for the User Groups.User Members permission.

    7. On the Confirmation page, click Confirm Assign.

  6. Click the Save icon to save your changes.

4.4 Importing the Prepared Configuration

The Role Manager Integration Library requires significant configuration of Identity Manager. For convenience, two pre-built XML files are provided for importing the configuration data into Identity Manager: ormoimBase.xml and ormoimSample.xml.

The first file, ormoimBase.xml, contains the essential configurations for a working integration. The second file, ormoimSample.xml, contains configurations for a sample resource and approval process. This sample is helpful in understanding and demonstrating a working approval process that looks to Role Manager for approvers for a role, before creating similar resources and workflows for a production environment.

Note:

The following procedures assume that the Identity Manager administrator user ID is xelsysadm. If your installation of Identity Manager uses a different user for access, you must modify the ormoimBase.xml file and the ormoimSample.xml file to match.

This section includes the following topics:

4.4.1 Importing the Base Configuration

The base configuration provides the framework configuration for the Role Manager Integration Library and is a prerequisite to any additional configuration relating to the integration.

To import the Integration Library base configuration:

  1. Start the Identity Manager server if it is not running.

  2. Connect to the Identity Manager Administrative and User Console.

  3. Select Deployment Management, then select Import.

  4. In the Select File to Import window, browse to ORMINT_HOME/config and select ormoimBase.xml, then click Add File.

  5. On the Substitutions page, click Next to make no substitutions, then click Next again to confirm.

  6. Depending on the application server on which Identity Manager is deployed, define the parameters of the IT Resource for Role Manager as follows:

    Note:

    All values are case-sensitive and must be entered exactly as shown here.
    • For WebLogic

      Field                    Value
      ormJMSConnectionFactory  external/srqueues/orm/QueueConnectionFactory
      ormJMSQueue              orm/queue/IncomingEventQueue
      ormServerURL             t3://ORM_appserver:port
      initialContextFactory    weblogic.jndi.WLInitialContextFactory
      ormServerJNDI            ejb/orm/ServerEJB
      ormAdmin                 oimSystem
      ormPassword              Enter the password of the oimSystem system identity that was set in Section 3.2, "Creating the oimSystem System Identity."

      Note:

      In a clustered environment, ormServerURL must be populated with all the managed servers for Role Manager. For example, t3://ORM_appserver1:port1,ORM_appserver2:port2
    • For JBoss

      Field                    Value
      ormJMSQueue              external/srqueues/orm/IncomingEventQueue
      ormAdmin                 oimSystem
      ormPassword              Enter the password of the oimSystem system identity that was set in Section 3.2, "Creating the oimSystem System Identity."
      initialContextFactory    org.jnp.interfaces.NamingContextFactory
      ormServerJNDI            external/srserver/ServerEJB
      ormServerURL             Do not enter any value in this field.
      ormJMSConnectionFactory  external/srqueues/QueueConnectionFactory

  7. Click Next, then click Skip to skip the current resource instance.

  8. On the Confirmation page, ensure that the information is correct.

    To make changes, click Back.

  9. Click View Selections.

  10. Right-click ALL USERS, then select Remove.

  11. Right-click SYSTEM ADMINISTRATORS, then select Remove.

  12. Click Import.

  13. Click OK to confirm.

    You should see a confirmation message that import was successful.

4.4.2 Importing the Sample Configuration for Role Approvals

This procedure is necessary only if you want to test the Role Manager Integration Library with a sample workflow for role approvals using the configuration provided as a convenience for demonstration purposes.

To import the Integration Library sample configuration:

  1. From the Identity Manager Administrative and User Console, select Deployment Management, then select Import.

  2. Browse to the ORMINT_HOME/samples directory, select ormoimSample.xml, then click Add File.

  3. Click Next to make no substitutions, then click Next again to confirm.

    In the Summary pane, you should see that six objects are ready to be imported, including one resource, two processes, one process form, one data object definition, and one task adapter.

  4. Click Import.

  5. Click OK to confirm.

4.5 Assigning the System User to a User Group

Depending on the application server on which Identity Manager is deployed, perform one of the following two procedures.

(WebLogic) To assign the Internal system user to the User user group:

  1. From the Identity Manager Administrative and User Console, select Users, then select Manage.

  2. Search for the user named Internal (created in Section 4.2).

  3. Click Internal to view details.

  4. On the User Details page, select Group Membership from the list.

  5. On the Assign Permissions page, click Assign.

  6. Select the box next to the group named User (created in Section 4.2).

  7. Click Assign Group.

  8. Click Confirm Assign to confirm.

(JBoss) To assign the ormSystem user to the ormSystem user group:

  1. From the Identity Manager Administrative and User Console, select Users, then select Manage.

  2. Search for the user named ormSystem (created in Section 4.3).

  3. Click ormSystem to view details.

  4. On the User Details page, select Group Membership from the list.

  5. On the Assign Permissions page, click Assign.

  6. Select the box next to the group named ormSystem (created in Section 4.3).

  7. Click Assign Group.

  8. Click Confirm Assign to confirm.

4.6 Configuring the IT Resource System Property

The system property provides the name of the IT Resource in Identity Manager to access the Role Manager Integration Library software through the Role Manager IT Resource.

To configure the IT Resource system property:

  1. Log in to the Identity Manager Design Console (Identity Manager client) using the user name and password entered in the Admin User Information page when installing Identity Manager.

  2. On the left pane, expand the Administration folder.

  3. Double-click System Configuration.

  4. Choose the Server option.

  5. In the Name field, enter ORMITResourceName as the name of the system property to create.

  6. In the Keyword field, enter XL.ORMITResourceName.

  7. In the Value field, enter ORM ITResource.

    Note:

    The key should not be supplied, as it is generated automatically by the system.

  8. Click the Save icon on the toolbar.

  9. Optionally, ensure that the values for the IT resource parameters are correct:

    1. On the left pane, expand the Resource Management folder.

    2. Click Manage IT Resource.

    3. Search for and select the IT resource named ORM ITResource.

    4. On the View IT Resource Details and Parameters page, verify that the values displayed in the fields are the same as the values mentioned in step 6 of Section 4.4.1.

      If the values are different, enter the appropriate values.

  10. If Identity Manager is installed on WebLogic, assign permissions as follows:

    1. Select Resource Management, then click Manage IT Resource.

    2. Search for and select ORM ITResource.

    3. From the "You can view additional information about this IT resource" list, select Administrative Groups.

    4. Select the box next to the group named User (created in Section 4.2).

    5. Click Assign Group.

    6. Select the appropriate boxes to specify the Read and Write permissions.

    7. Click Assign.

  11. Click the Save icon on the toolbar.
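
The verification in step 9, against the case-sensitive values listed in step 6 of Section 4.4.1, can be scripted. The following Python is an added example, not part of the Oracle guide or the Integration Library: `check_it_resource`, the `params` dictionary and the sample host names are hypothetical, and it assumes the field values have been copied out of the console into a dictionary.

```python
import re

# Expected IT resource values, copied from the tables in step 6 of Section 4.4.1.
EXPECTED = {
    "weblogic": {
        "ormJMSConnectionFactory": "external/srqueues/orm/QueueConnectionFactory",
        "ormJMSQueue": "orm/queue/IncomingEventQueue",
        "initialContextFactory": "weblogic.jndi.WLInitialContextFactory",
        "ormServerJNDI": "ejb/orm/ServerEJB",
        "ormAdmin": "oimSystem",
    },
    "jboss": {
        "ormJMSConnectionFactory": "external/srqueues/QueueConnectionFactory",
        "ormJMSQueue": "external/srqueues/orm/IncomingEventQueue",
        "initialContextFactory": "org.jnp.interfaces.NamingContextFactory",
        "ormServerJNDI": "external/srserver/ServerEJB",
        "ormAdmin": "oimSystem",
    },
}
# WebLogic URL: t3://host:port, with further host:port pairs for a cluster.
T3_URL = re.compile(r"t3://[\w.-]+:\d{1,5}(,[\w.-]+:\d{1,5})*")


def check_it_resource(server, params):
    """Return a list of findings; an empty list means the values match the guide."""
    findings = []
    for field, want in EXPECTED[server].items():
        got = params.get(field, "")
        if got != want and got.lower() == want.lower():
            findings.append(f"{field}: case differs from the documented value")
        elif got != want:
            findings.append(f"{field}: expected {want!r}, found {got!r}")
    url = params.get("ormServerURL", "")
    if server == "weblogic" and not T3_URL.fullmatch(url):
        findings.append("ormServerURL: not of the form t3://host:port[,host:port...]")
    if server == "jboss" and url:
        findings.append("ormServerURL: must be left empty on JBoss")
    if not params.get("ormPassword"):
        findings.append("ormPassword: empty")  # the value itself is never reported
    return findings


# Constructed sample: WebLogic values with one field typed in the wrong case.
sample = dict(EXPECTED["weblogic"], ormJMSQueue="orm/queue/incomingeventqueue",
              ormServerURL="t3://orm1.example.test:7001,orm2.example.test:7002",
              ormPassword="constructed-placeholder")
if __name__ == "__main__":
    for line in check_it_resource("weblogic", sample) or ["all values match"]:
        print(line)
```

An empty result means the parameters match the documented table for that application server; the password is only tested for presence and is never echoed.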