Oracle® Role Manager Integration Guide
Release 10g (10.1.4)

Part Number E12030-05

3 Configuring Oracle Role Manager

This chapter describes the steps to configure Oracle Role Manager (Role Manager) for the Oracle Role Manager Integration Library (Integration Library).

Note:

This chapter assumes that an instance of Role Manager is installed with the standard model following the instructions in Oracle Role Manager Installation Guide.

This chapter includes the following sections:

• Section 3.1, "Deploying the Integration Library Configuration"

• Section 3.2, "Creating the oimSystem System Identity"

• Section 3.3, "Loading the oimSystem System Identity Relationship Data"

• Section 3.4, "Resetting the Password for the oimSystem System Identity"

• Section 3.5, "Configuring the Oracle Identity Manager Home Directory"

• Section 3.6, "Configuring Signed Messages (Encryption)"

• Section 3.7, "Modifying Component Configuration"

3.1 Deploying the Integration Library Configuration

The procedure in this section deploys the Integration Library model and configuration in the Role Manager system.

Note:

If you want to modify the standard configuration of the Integration Library components, for example, if you want to bring over additional data elements, it is recommended that you make your changes before performing the procedure in this section. For more information, see Section 3.7, "Modifying Component Configuration."

To deploy the Integration Library configuration:

  1. On the Role Manager installation host, navigate to ORM_HOME/config.

  2. Ensure that the db.properties file contains the correct information. If it does not, modify it so it contains the following two lines:

    db.driverClass=oracle.jdbc.driver.OracleDriver
    db.connection_string=jdbc:oracle:thin:@$HOST$:$PORT$:$SERVICE$
    

    where $HOST$ is the database host name, $PORT$ is the database listener port, and $SERVICE$ is the database instance on which the Role Manager users were created.

  3. Stop the Role Manager application server if it is running.

  4. In a command window, navigate to ORM_HOME/bin and run the following command:

    deploy "collection_of_cars" orm-owner ormapp-user admin-user
    

    Note:

    The collection must be enclosed within double quotation marks. Separate the entries with the path delimiter for your platform:

    • On Windows systems, a semicolon (;)

    • On UNIX-based systems, a colon (:)

    In this command:

    • collection_of_cars contains the relative paths and file names of the CAR files to deploy

    • orm-owner is the user name of the Role Manager database owner user/schema

    • ormapp-user is the user name of the Role Manager application user/schema

    • admin-user is the user name of the Role Manager system administrator

    For example, if you have no customizations, the collection of CAR files on Windows would be:

    "..\config\oim_integration.car"
    

    For example, in a customized deployment, the collection of CAR files on a UNIX-based system might be similar to:

    "../config/configurations_custom.car:../config/oim_integration_custom.car"
    

    (For information about modifying the standard configuration for components affecting the Integration Library, see Section 3.7, "Modifying Component Configuration.")

  5. At the prompts, enter the passwords of the Role Manager database owner, Role Manager application user, and Role Manager administrator.

3.2 Creating the oimSystem System Identity

The procedure in this section creates the oimSystem system identity to use for access to the Role Manager system by Identity Manager.

System identities are system user objects that are created for access to the Role Manager system. A system identity normally represents an external system, such as a user provisioning system that accesses Role Manager for role resolution in workflows or for access provisioning.

To create the oimSystem system identity:

  1. On the Integration Library installation host, copy the following files from ORMINT_HOME/config into the ORM_HOME/config directory on the Role Manager installation:

    ORMINT_HOME/config/oim_systemIdentity.car
    ORMINT_HOME/config/oim_systemIdentity.dar
    
  2. Navigate to ORM_HOME/config on the Role Manager installation host.

  3. Stop the Role Manager application server if it is running.

  4. In a command window, navigate to ORM_HOME/bin and run the following command.

    For UNIX-based systems:

    deploy "../config/oim_systemIdentity.car" orm-owner ormapp-user admin-user
    

    For Windows systems:

    deploy "..\config\oim_systemIdentity.car" orm-owner ormapp-user admin-user
    

    In this command:

    • orm-owner is the user name of the Role Manager database owner user/schema

    • ormapp-user is the user name of the Role Manager application user/schema

    • admin-user is the user name of the Role Manager system administrator

  5. At the prompts, enter the passwords of the Role Manager database owner, Role Manager application user, and Role Manager administrator.

3.3 Loading the oimSystem System Identity Relationship Data

The oimSystem system identity is not fully functional until the relationships it needs are created. Those relationships are defined in data files and loaded through the Role Manager Administrative Console.

To load the oimSystem system identity relationship data:

  1. Start the Role Manager application server.

  2. From the Role Manager installation host, using a Web browser, go to the Role Manager Administrative Console. By default:

    WebLogic:   http://host:7001/ormconsole

    JBoss:   http://host:8080/ormconsole

  3. Enter the user name and password of the Role Manager administrator, then click Log In.

  4. Click Upload.

  5. Click Browse, and navigate to select the oim_systemIdentity.dar file found in ORM_HOME/config.

  6. Click Load.

    Click Refresh to verify that all load processes have completed.

3.4 Resetting the Password for the oimSystem System Identity

It is recommended that you reset the password for the oimSystem system identity in order for the system to store an encrypted value.

To reset the oimSystem system identity password:

  1. Stop the Role Manager server.

  2. On the Role Manager installation host, navigate to ORM_HOME/config.

  3. Create a text file named oimSystemProps.txt containing the following system identity properties:

    displayName=oimSystem
    status=active
    description=The System Identity used by the Integration Library for OIM
    
  4. Navigate to ORM_HOME/bin and run the following command to update the system identity.

    For UNIX-based systems:

    systemidentity_update ormapp-user oimSystem ../config/oimSystemProps.txt
    

    For Windows systems:

    systemidentity_update ormapp-user oimSystem ..\config\oimSystemProps.txt
    

    In this command, ormapp-user is the user name of the Role Manager application database user/schema.

    Note:

    The name of the system identity must be oimSystem and must not be changed.
  5. At the prompt, enter the password of the Role Manager application user/schema.

  6. At the prompt, enter a new password for the oimSystem system identity.

3.5 Configuring the Oracle Identity Manager Home Directory

Depending on where Identity Manager is installed on the file system, you might need to reconfigure the Integration Library to point to the correct location for the home directory. This configuration allows localized values (such as active or deleted) to be interpreted properly when sent to Role Manager.

Note:

If Identity Manager is installed in C:\oim, the default value for the Integration Library configuration, you can skip this procedure.

Note:

If you have a clustered server configuration, this procedure must be performed on all managed nodes.

To configure the Identity Manager home directory:

  1. On the Identity Manager host, navigate to ORMINT_HOME/config.

  2. Open the IMConfig.xml file for editing.

  3. In the policies section, edit the oimRootdir policy to change C:\oim to the Identity Manager installation directory as follows:

    <policy> 
      <parameters>
        <parameter>
          <id>oimRootdir</id>
          <string>OIM_HOME</string>
        </parameter>
      </parameters>
    </policy>
    

    where OIM_HOME is the full path to the installation directory of Identity Manager.

  4. Save and close the IMConfig.xml file.

3.6 Configuring Signed Messages (Encryption)

It is recommended that you configure the Integration Library so that your system uses digital signatures to authenticate the oimSystem system identity when sending messages from Identity Manager to Role Manager.

The procedure in this section first creates a key store on the Identity Manager host (keystore.store), protected by a password you supply, then generates a random symmetric key and serializes it to keystore.key, and finally writes keystore.properties, which holds a single property whose value is the key store password encrypted with that symmetric key and base64-encoded. Because keystore.key and keystore.properties together are sufficient to recover the key store password, the protection of the private key rests on the file system permissions of the directory that holds these files; restrict it to the account that runs the application server.

Note:

Encryption must be enabled before you can perform this procedure. By default, encryption is enabled when the Integration Library is installed. For more information, see Section 3.6.1.

To configure encryption:

  1. On the Identity Manager host, navigate to ORMINT_HOME/bin.

  2. Run the following command to create the Identity Manager key store.

    For UNIX-based systems:

    bash create_keystore.sh 
    

    For Windows systems:

    create_keystore.bat 
    

    Note:

    If you have trouble running this command, ensure that the JAVA_HOME environment variable is set to an existing Java JRE location (version 1.4 or later).
  3. At the prompt, enter a password for the Identity Manager key store.

    You should see three new files created by this command as follows:

    • keystore.store

      This file contains the private key or the public certificate of each pair of asymmetric encryption keys for passing credentials from the integration system to Role Manager.

    • keystore.key

      This file contains the serialized form of a symmetric key that is used for encrypting the passwords necessary for key store and private key access.

    • keystore.properties

      This file contains a set of key store passwords, the values of which have been encrypted by the symmetric key in the key file and base64-encoded.

  4. In the same location, depending on your operating system, run the command to create the private key for the Integration Library alias and to generate the certificate containing the public key.

    For UNIX-based systems:

    bash create_key_pair.sh oimSystem oim_orm_cert
    

    For Windows systems:

    create_key_pair.bat oimSystem oim_orm_cert
    

    In this command, oim_orm_cert is the name to use for the certificate file.

    Note:

    The alias must be oimSystem.

    You should see the resulting certificate file named as specified with the command.

  5. Copy the new certificate file from ORMINT_HOME/bin to the Role Manager host into ORM_HOME/bin.

  6. On the Role Manager host, navigate to ORM_HOME/bin.

  7. Run the command to create the Role Manager key store.

    For UNIX-based systems:

    bash create_keystore.sh 
    

    For Windows systems:

    create_keystore.bat 
    
  8. At the prompt, enter a password for the Role Manager key store.

  9. Run the command to import the certificate that was generated earlier into the Role Manager key store.

    For UNIX-based systems:

    import_certificate.sh oimSystem oim_orm_cert 
    

    For Windows systems:

    import_certificate.bat oimSystem oim_orm_cert 
    

    In this command:

    oim_orm_cert is the certificate file named and generated in step 4.

    Note:

    The alias must be oimSystem.
  10. For WebLogic, set the system property for the Role Manager key store directory as follows:

    1. Log on to the WebLogic Server Console using a Web browser.

    2. From Environment, select Servers, then select the server on which Role Manager is deployed.

    3. On the Configuration tab, click the Server Start subtab.

    4. In the Arguments field, append the following argument to any existing arguments:

      -Doracle.iam.rm.encryption.keystore_dir=ORM_HOME/bin
      

      where ORM_HOME is the Role Manager installation directory

  11. For JBoss, set the system property for the Role Manager key store directory as follows:

    1. On the Role Manager application server host, navigate to JBOSS_HOME/bin.

    2. On Windows, open the run.bat file for editing, and set the system property as follows:

      set JAVA_OPTS=-Doracle.iam.rm.encryption.keystore_dir=ORM_HOME\bin %JAVA_OPTS%
      

      where ORM_HOME is the Role Manager installation directory.

    3. On UNIX-based systems, open the run.sh file for editing, and set the system property as follows:

      JAVA_OPTS="-Doracle.iam.rm.encryption.keystore_dir=ORM_HOME/bin $JAVA_OPTS"
      

      where ORM_HOME is the Role Manager installation directory.

    4. Save and close the file.
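The three key store files created by this procedure are protected only by the file system: keystore.key decrypts the password held in keystore.properties, which in turn opens keystore.store. The following script is an added example, not code from the Oracle Role Manager documentation or product; it checks that each file exists, is owned by the current account, and has no group or other permission bits set. The 0600 policy and the constructed sample directory are assumptions for illustration; the file names are those listed above.

```python
"""Check that the Integration Library key store files are readable only by their owner.

Added example, not part of the Oracle Role Manager documentation or product. The
three file names come from the procedure above; the permission policy (no group or
other bits, owned by the current user) is an assumption for illustration.
"""
import os
import stat
import tempfile

KEYSTORE_FILES = ("keystore.store", "keystore.key", "keystore.properties")


def check_keystore_dir(keystore_dir, expected_uid=None):
    """Return a dict of file name -> list of problems (an empty list means OK).

    A file is flagged when it is missing, when any group or other permission bit
    is set, or when it is not owned by expected_uid (defaults to the current user).
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    report = {}
    for name in KEYSTORE_FILES:
        path = os.path.join(keystore_dir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            report[name] = ["missing"]
            continue
        problems = []
        if st.st_uid != expected_uid:
            problems.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("mode %s grants group/other access" % oct(stat.S_IMODE(st.st_mode)))
        report[name] = problems
    return report


def is_locked_down(report):
    """True when no file in the report has a problem."""
    return all(not problems for problems in report.values())


def demo_report():
    """Constructed sample: two files locked down, keystore.properties left world-readable."""
    d = tempfile.mkdtemp()
    modes = {"keystore.store": 0o600, "keystore.key": 0o600, "keystore.properties": 0o644}
    for name, mode in modes.items():
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("placeholder\n")  # constructed content, not a real key store
        os.chmod(path, mode)
    return check_keystore_dir(d)


if __name__ == "__main__":
    for name, problems in demo_report().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it from ORM_HOME/bin or ORMINT_HOME/bin after step 3 and step 8 by calling check_keystore_dir(".") under the application server account; any non-empty entry in the report means the key store password is recoverable by another local user.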

3.6.1 Enabling Encryption

Encryption is enabled by default when the Integration Library is installed. Use this procedure to re-enable encryption if it was disabled previously.

Note:

If you have a clustered server configuration, this procedure must be performed on all managed nodes.

To re-enable encryption:

  1. On the Identity Manager host, navigate to ORMINT_HOME/config.

  2. Open the IMConfig.xml file for editing.

  3. In the ormEncrypt policy definition, set the value of the boolean element to true as follows:

    <policy> 
      <parameters>
        <parameter>
          <id>ormEncrypt</id>
          <boolean>true</boolean>
        </parameter>
      </parameters>
    </policy>
    
  4. Save and close the IMConfig.xml file.
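Sections 3.5 and 3.6.1 both edit IMConfig.xml by hand, and in a cluster the edit must be repeated on every managed node, so a quick audit of the two settings is worth having. The following added example (not code from the Oracle Role Manager documentation or product) reads every parameter of the policy layout shown above, reports whether ormEncrypt is true and whether oimRootdir points at an existing directory, and can rewrite either value. The <IMConfig> root and <policies> wrapper elements and the sample document are assumptions; only the <policy>/<parameters>/<parameter>/<id> layout is taken from the fragments on this page.

```python
"""Audit and fix the two IMConfig.xml settings this chapter touches: oimRootdir and ormEncrypt.

Added example, not part of the Oracle Role Manager documentation or product. The
<policy>/<parameters>/<parameter>/<id> layout is taken from the fragments shown
above; the <IMConfig> root, the <policies> wrapper and the sample document below
are assumptions made for illustration.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample with the weak settings: encryption off, default Windows path.
SAMPLE_IMCONFIG = """<IMConfig>
  <policies>
    <policy>
      <parameters>
        <parameter>
          <id>oimRootdir</id>
          <string>C:\\oim</string>
        </parameter>
      </parameters>
    </policy>
    <policy>
      <parameters>
        <parameter>
          <id>ormEncrypt</id>
          <boolean>false</boolean>
        </parameter>
      </parameters>
    </policy>
  </policies>
</IMConfig>
"""


def read_parameters(xml_text):
    """Map every <parameter> id to its typed value (<string> -> str, <boolean> -> bool)."""
    root = ET.fromstring(xml_text)
    values = {}
    for param in root.iter("parameter"):
        pid = param.findtext("id")
        if pid is None:
            continue
        if param.find("boolean") is not None:
            values[pid] = param.findtext("boolean").strip().lower() == "true"
        elif param.find("string") is not None:
            values[pid] = param.findtext("string").strip()
    return values


def audit_imconfig(xml_text, oim_home_exists=os.path.isdir):
    """Return a list of findings; an empty list means both settings are as this chapter wants."""
    values = read_parameters(xml_text)
    findings = []
    if values.get("ormEncrypt") is not True:
        findings.append("ormEncrypt is not true: messages to Role Manager will not be signed")
    root_dir = values.get("oimRootdir")
    if not root_dir:
        findings.append("oimRootdir is not set")
    elif not oim_home_exists(root_dir):
        findings.append("oimRootdir %r does not exist on this host" % root_dir)
    return findings


def set_parameter(xml_text, pid, value):
    """Return xml_text with parameter pid set to value (bool -> <boolean>, str -> <string>)."""
    root = ET.fromstring(xml_text)
    for param in root.iter("parameter"):
        if param.findtext("id") == pid:
            tag = "boolean" if isinstance(value, bool) else "string"
            node = param.find(tag)
            if node is None:
                node = ET.SubElement(param, tag)
            node.text = "true" if value is True else ("false" if value is False else value)
            return ET.tostring(root, encoding="unicode")
    raise KeyError(pid)


if __name__ == "__main__":
    print(audit_imconfig(SAMPLE_IMCONFIG))
    fixed = set_parameter(set_parameter(SAMPLE_IMCONFIG, "ormEncrypt", True), "oimRootdir", "/opt/oim")
    print(audit_imconfig(fixed, oim_home_exists=lambda p: p == "/opt/oim"))
```

Running audit_imconfig on the contents of ORMINT_HOME/config/IMConfig.xml from each managed node gives a per-node answer; ET.tostring drops the XML declaration and comments, so if you use set_parameter to rewrite the real file, review the diff before saving.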

3.7 Modifying Component Configuration

Note:

If this is the first time the Integration Library is installed, perform the procedures described in this section only to change the configuration from the default settings. Default settings are described in the subsections below for each configurable component.

The Integration Library component configuration is deployed in the same way as other Role Manager component configuration. Configuration settings are defined in XML files and packaged as a CAR (configuration archive) file that is deployed to the Role Manager system. To simplify deployment, it is recommended that you make all your changes to the XML files for every component that you want to reconfigure before packaging the CAR file.

This section includes the following topics:

3.7.1 Obtaining the Standard Configuration Files

It is recommended that you use the standard configuration files as the starting point for your configuration changes.

To view or edit these configuration XML files, you must extract them from CAR files. There are two CAR files that contain configuration that pertains to Integration Library components: configurations.car, which includes the Batch Resolution Timer configuration (described in Section 3.7.2) and the configuration files for all the configurable Role Manager server components; and oim_integration.car, which includes the configuration files described in the subsequent sections of this chapter.

To get the standard configuration files:

  1. From the Identity Manager host, copy the oim_integration.car file in the ORMINT_HOME/config directory to the ORM_HOME/config directory on the Role Manager host.

  2. Navigate to the ORM_HOME/config directory on the Role Manager host.

  3. Using a utility like WinZip or jar, extract the entire contents of oim_integration.car into a temporary location, such as ORM_HOME/config_temp/oim_integration.

    The oim_integration directory contains subdirectories for all the configurable components of the Integration Library. Once expanded, the files that contain configuration pertaining to the Integration Library can be found in the following layout:

    oim_integration/
            config/
                    oracle.iam.rm.bizlogic.def/
                            bizlogic.oim_integration.xml
                    oracle.iam.rm.event.incoming/
                            oim_integration.xml
                    oracle.iam.rm.event.outgoing/
                            oim_integration.xml
                    oracle.iam.rm.temporal/
                            oim_integration.xml
                    oracle.iam.rm.timer/
                            roleMembershipUpdateTimer.xml
    

    The settings in these files are described in Section 3.7.3 through Section 3.7.6.

  4. If not performed previously, extract the entire contents of configurations.car into the temporary location, such as ORM_HOME/config_temp/configurations.

    The configurations directory contains many subdirectories for all the configurable components of the Role Manager. The one subdirectory that pertains to the Integration Library can be found in the following layout:

    configurations/
            config/
                    oracle.iam.rm.timer/
                            batchResolutionTimer.xml
    

    For more information about the settings in this file, see Section 3.7.2. For information about the other configurable Role Manager server components, see Oracle Role Manager Administrator's Guide.

3.7.2 Modifying the Batch Resolution Timer

The batch resolution timer is included with the standard Role Manager configuration bundle and sets preferences for the batch resolution job for periodic update of user-to-role assignments calculated for complex dynamic roles (roles that have complex rules that dynamically determine membership). The batch resolution timer can have multiple jobs configured (identified by the job ID), used for integrations with external systems.

To modify the Batch Resolution Timer configuration:

  1. Navigate to ORM_HOME on the Role Manager installation host.

  2. From the temporary location where configurations.car was extracted, navigate to configurations/config/oracle.iam.rm.timer.

  3. Edit the values in the batchResolutionTimer.xml file as needed.

    For detailed information about the configuration settings, see Section 3.7.2.1.

  4. Using a utility like WinZip or jar, repackage everything in the configurations directory and create a new file appended with the .car extension, for example, configurations_custom.car.

    Ensure that the CAR file directory layout is as follows:

    configurations/
            config/
                    oracle.iam.rm.timer/
                            batchResolutionTimer.xml
    

    If it does not match this layout, fix the layout, then repackage the CAR file.

  5. Include this file in the collection of CAR files as part of the deploy command described in Section 3.1, "Deploying the Integration Library Configuration."

3.7.2.1 Batch Resolution Timer Configuration Settings

Table 3-1 shows the default configuration values for the implementing Java class and whether the timer type is simple (defining a repeat interval of n milliseconds between invocations) or a cron timer (defining a UNIX-style cron timer). The default is the simple timer type. (For more information about cron expressions, see Appendix A.)

Table 3-1 Batch Resolution Timer Configuration Values

Element                   Default Value
factory-classname         oracle.iam.rm.resolution.impl.BatchResolutionTimerFactory
job-id                    BatchResolutionJob
singleton                 true
simple repeat-interval    14400000
cron cron-expression      N/A

Note:

For repeat intervals, use 3600000 for 1 hour, 7200000 for 2 hours, 14400000 for 4 hours, 28800000 for 8 hours, 86400000 for 1 day, and so forth.

The following example shows the default configuration in XML format. If you want, you can use this as a starting place for customization.

Example 3-1 Batch Resolution Timer Default Values in XML

<?xml version="1.0" encoding="UTF-8"?>
<timer-config xmlns="http://xmlns.oracle.com/iam/rm/timer/config/1_0">
        <job-configs>
                <job-config>
                        <factory-classname>
                                oracle.iam.rm.resolution.impl.BatchResolutionTimerFactory
                        </factory-classname>
                        <job-id>BatchResolutionJob</job-id>
                        <group-id>BatchGroup</group-id>
                        <parameters/>
                        <singleton>true</singleton>
                        <simple>
                                <repeat-interval>14400000</repeat-interval>
                        </simple>
                </job-config>
        </job-configs>
</timer-config>

3.7.3 Modifying the Role Membership Update Timer

The role membership update timer controls the periodic process on Role Manager responsible for creating the messages for updates of role membership information (user-to-role assignments) from Role Manager to external systems. For example, for Identity Manager, this timer triggers the update of User Group memberships based on role memberships in Role Manager.

The role membership update timer configuration file is included with the oim_integration.car configuration bundle and sets preferences for the role membership resolution job. The role membership update timer can have multiple jobs configured (identified by the job ID), used for integrations with different external systems.

It is recommended that the timer interval for role membership update is equal to or longer than the batch resolution timer interval.

To modify the Role Membership Update Timer component:

  1. Navigate to ORM_HOME on the Role Manager installation host.

  2. From the temporary location where oim_integration.car was extracted, navigate to oim_integration/config/oracle.iam.rm.timer.

  3. Edit the values in the roleMembershipUpdateTimer.xml file as needed.

    For detailed information about the settings in this file, see Section 3.7.3.1.

  4. Package your configuration changes with any other changes as described in Section 3.7.7 for deployment.

3.7.3.1 Role Membership Update Timer Configuration Settings

Table 3-2 shows the default configuration values for the implementing Java class and whether the timer type is simple (defining a repeat interval of n milliseconds between invocations) or a cron timer (defining a UNIX-style cron timer). The default is the simple timer type. (For more information about cron expressions, see Appendix A.)

Table 3-2 Role Membership Update Timer Configuration Values

Element                   Default Value
factory-classname         oracle.iam.rm.resolution.impl.RoleMembershipUpdateTimerFactory
job-id                    RoleMembershipUpdateJob
singleton                 true
simple repeat-interval    14400000
cron cron-expression      N/A

Note:

For repeat intervals, use 3600000 for 1 hour, 7200000 for 2 hours, 14400000 for 4 hours, 28800000 for 8 hours, 86400000 for 1 day, and so forth.

The following example shows the default configuration in XML format. If you want, you can use this as a starting place for customization.

Example 3-2 Role Membership Update Default Values in XML

<?xml version="1.0" encoding="UTF-8"?>
<timer-config xmlns="http://xmlns.oracle.com/iam/rm/timer/config/1_0">
        <job-configs>
                <job-config>
                        <factory-classname>
                                oracle.iam.rm.resolution.impl.RoleMembershipUpdateTimerFactory
                        </factory-classname>
                        <job-id>RoleMembershipUpdateJob</job-id>
                        <group-id>BatchGroup</group-id>
                        <parameters>
                                        <parameter>
                                                <id>roleTypes</id>
                                                <string>businessRole,itRole</string>
                                        </parameter>
                                        <parameter>
                                                <id>userAttributes</id>
                                                <string>oimId,givenName,sn,displayName</string>
                                        </parameter>
                        </parameters>
                        <singleton>true</singleton>
                        <simple>
                                <repeat-interval>14400000</repeat-interval>
                        </simple>
                </job-config>
        </job-configs>
</timer-config>
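The two timer files share one schema, and the recommendation in Section 3.7.3 (role membership update interval equal to or longer than the batch resolution interval) is easy to break when the two files are edited separately. The following added example (not code from the Oracle Role Manager documentation or product) parses timer configurations of the shape shown in Examples 3-1 and 3-2, distinguishes simple from cron timers, converts repeat intervals to hours, and checks that recommendation. The embedded XML reproduces the default batch resolution file printed above; the role membership file is derived from it with the parameters block omitted, and nothing is read from ORM_HOME.

```python
"""Parse Role Manager timer configurations and check the interval recommendation.

Added example, not part of the Oracle Role Manager documentation or product. The
XML below is the default batchResolutionTimer.xml content from Example 3-1; the
role membership variant is derived from it (parameters omitted). The check that
the role membership update interval is at least the batch resolution interval
implements the recommendation in Section 3.7.3.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://xmlns.oracle.com/iam/rm/timer/config/1_0"}

BATCH_RESOLUTION_XML = """<timer-config xmlns="http://xmlns.oracle.com/iam/rm/timer/config/1_0">
  <job-configs>
    <job-config>
      <factory-classname>
        oracle.iam.rm.resolution.impl.BatchResolutionTimerFactory
      </factory-classname>
      <job-id>BatchResolutionJob</job-id>
      <group-id>BatchGroup</group-id>
      <parameters/>
      <singleton>true</singleton>
      <simple>
        <repeat-interval>14400000</repeat-interval>
      </simple>
    </job-config>
  </job-configs>
</timer-config>
"""

# Same layout with the factory class and job id from Example 3-2 (parameters omitted).
ROLE_MEMBERSHIP_XML = BATCH_RESOLUTION_XML.replace(
    "BatchResolutionTimerFactory", "RoleMembershipUpdateTimerFactory"
).replace("BatchResolutionJob", "RoleMembershipUpdateJob")


def parse_timer_jobs(xml_text):
    """Return {job-id: {"factory", "singleton", "type": "simple"|"cron", "value"}}."""
    root = ET.fromstring(xml_text)
    jobs = {}
    for job in root.findall("t:job-configs/t:job-config", NS):
        job_id = job.findtext("t:job-id", namespaces=NS).strip()
        entry = {
            "factory": job.findtext("t:factory-classname", namespaces=NS).strip(),
            "singleton": job.findtext("t:singleton", default="false", namespaces=NS).strip() == "true",
        }
        simple = job.find("t:simple/t:repeat-interval", NS)
        cron = job.find("t:cron/t:cron-expression", NS)
        if simple is not None:
            entry["type"], entry["value"] = "simple", int(simple.text.strip())
        elif cron is not None:
            entry["type"], entry["value"] = "cron", cron.text.strip()
        else:
            raise ValueError("job %s has neither <simple> nor <cron>" % job_id)
        jobs[job_id] = entry
    return jobs


def ms_to_hours(ms):
    """Repeat intervals are in milliseconds; 3600000 ms is one hour."""
    return ms / 3600000.0


def check_intervals(batch_xml, role_xml):
    """Return [] when the role membership interval is >= the batch resolution interval."""
    batch = parse_timer_jobs(batch_xml)["BatchResolutionJob"]
    role = parse_timer_jobs(role_xml)["RoleMembershipUpdateJob"]
    if batch["type"] != "simple" or role["type"] != "simple":
        return ["cron timer in use; compare the two schedules by hand"]
    findings = []
    if role["value"] < batch["value"]:
        findings.append(
            "role membership update runs every %.1f h, more often than batch resolution (%.1f h)"
            % (ms_to_hours(role["value"]), ms_to_hours(batch["value"]))
        )
    return findings


if __name__ == "__main__":
    print(parse_timer_jobs(BATCH_RESOLUTION_XML))
    print(check_intervals(BATCH_RESOLUTION_XML, ROLE_MEMBERSHIP_XML))
```

To check a real deployment, pass the contents of batchResolutionTimer.xml and roleMembershipUpdateTimer.xml from the extracted CAR directories to check_intervals before repackaging.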

3.7.4 Modifying the Incoming Event Manager

The Incoming Event Manager configuration maps incoming parameters from Identity Manager to arguments required by the Role Manager business logic layer.

To modify the Incoming Event Manager component:

  1. Navigate to ORM_HOME on the Role Manager installation host.

  2. From the temporary location where oim_integration.car was extracted, navigate to oim_integration/config/oracle.iam.rm.event.incoming.

  3. Edit the values in the oim_integration.xml file as needed.

    For detailed information about the settings in this file, see Section 3.7.4.1.

  4. Package your configuration changes with any other changes as described in Section 3.7.7 for deployment.

3.7.4.1 Incoming Event Manager Settings

The following example shows the default configuration for the Incoming Event Manager component of the Integration Library. You can use this XML content as a starting place for customization. Note that these mappings are simply samples for demonstration. In a production environment, these mappings most likely encompass custom data fields on Identity Manager and custom business logic on Role Manager.

Example 3-3 Incoming Event Manager Default Values in XML

<incoming-action-mapping xmlns="http://xmlns.oracle.com/iam/rm/event/incoming/1_0">
        <dependencies>
                <business-logic-dependency def-id="bizlogic.oim_integration" version="10.1.4"/>
        </dependencies>
        <actions>
                <action id="OIM_reconcile_user" definition-id="bizlogic.oim_integration" operation="reconcileUser">
                        <parameters>
                                <parameter mandatory="true">
                                        <source-name>Users.Key</source-name>
                                        <dest-name>oimId</dest-name>
                                        <dest-type>java.lang.Long</dest-type>
                                </parameter>
                                <parameter>
                                        <source-name>Users.First Name</source-name>
                                        <dest-name>givenName</dest-name>
                                        <dest-type>java.lang.String</dest-type>
                                        <default>NULL_IF_NULL</default>
                                </parameter>
                                <parameter>
                                        <source-name>Users.Last Name</source-name>
                                        <dest-name>sn</dest-name>
                                        <dest-type>java.lang.String</dest-type>
                                        <default>NULL_IF_NULL</default>
                                </parameter>
                                <parameter>
                                        <source-name>displayName</source-name>
                                        <dest-name>displayName</dest-name>
                                        <dest-type>java.lang.String</dest-type>
                                        <default>No display name provided</default>
                                </parameter>
                                <parameter>
                                        <source-name>Users.Email</source-name>
                                        <dest-name>mail</dest-name>
                                        <dest-type>java.lang.String</dest-type>
                                        <default>NULL_IF_NULL</default>
                                </parameter>
                                <parameter>
                                        <source-name>Users.Xellerate Type</source-name>
                                        <dest-name>jobTitle</dest-name>
                                        <dest-type>java.lang.String</dest-type>
                                        <default>NULL_IF_NULL</default>
                                </parameter>
                                <parameter>
                                        <source-name>Users.Status</source-name>
                                        <dest-name>status</dest-name>
                                        <dest-type>java.lang.String</dest-type>
                                        <default>active</default>
                                </parameter>
                                <parameter>
                                        <source-name>Users.Manager Key</source-name>
                                        <dest-name>oimManagerKey</dest-name>
                                        <dest-type>java.lang.Long</dest-type>
                                </parameter>
                                <parameter>
                                        <source-name>deleted</source-name>
                                        <dest-name>deleteFlag</dest-name>
                                        <dest-type>java.lang.Boolean</dest-type>
                                        <default>false</default>
                                </parameter>
                        </parameters>
                </action>
        </actions>
</incoming-action-mapping>

Note:

If an element is found with an empty value, the default value is used. Two special values of the default element select one of two treatments:

• NULL_IF_NULL: the incoming event manager passes null to the consuming function. This is also the behavior when an element is empty and no default element is given at all.

• EMPTY_STRING_IF_NULL: the incoming event manager passes an empty String.

Note:

The parameter with the source-name value of deleted is used to control the deletion of users in Role Manager during reconciliation. By default, this is set to false.
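The default-value rules above decide what the business logic receives for every field Identity Manager leaves blank, so they are worth seeing applied to a concrete event. The following added example (not code from the Oracle Role Manager documentation or product) loads a subset of the mapping in Example 3-3, with the mail default changed to EMPTY_STRING_IF_NULL so that both special values are exercised, and applies it to a constructed reconciliation event. Treating an empty mandatory parameter as an error, and the Java type to Python conversions, are assumptions made for illustration.

```python
"""Apply an Incoming Event Manager parameter mapping to a sample Identity Manager event.

Added example, not part of the Oracle Role Manager documentation or product. The
mapping XML is a subset of Example 3-3 (mail default changed to
EMPTY_STRING_IF_NULL); the default-value rules follow the note above. Rejecting
an empty mandatory value and the Java-type conversions are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {"i": "http://xmlns.oracle.com/iam/rm/event/incoming/1_0"}

MAPPING_XML = """<incoming-action-mapping xmlns="http://xmlns.oracle.com/iam/rm/event/incoming/1_0">
  <actions>
    <action id="OIM_reconcile_user" definition-id="bizlogic.oim_integration" operation="reconcileUser">
      <parameters>
        <parameter mandatory="true">
          <source-name>Users.Key</source-name>
          <dest-name>oimId</dest-name>
          <dest-type>java.lang.Long</dest-type>
        </parameter>
        <parameter>
          <source-name>Users.First Name</source-name>
          <dest-name>givenName</dest-name>
          <dest-type>java.lang.String</dest-type>
          <default>NULL_IF_NULL</default>
        </parameter>
        <parameter>
          <source-name>displayName</source-name>
          <dest-name>displayName</dest-name>
          <dest-type>java.lang.String</dest-type>
          <default>No display name provided</default>
        </parameter>
        <parameter>
          <source-name>Users.Email</source-name>
          <dest-name>mail</dest-name>
          <dest-type>java.lang.String</dest-type>
          <default>EMPTY_STRING_IF_NULL</default>
        </parameter>
        <parameter>
          <source-name>Users.Manager Key</source-name>
          <dest-name>oimManagerKey</dest-name>
          <dest-type>java.lang.Long</dest-type>
        </parameter>
        <parameter>
          <source-name>deleted</source-name>
          <dest-name>deleteFlag</dest-name>
          <dest-type>java.lang.Boolean</dest-type>
          <default>false</default>
        </parameter>
      </parameters>
    </action>
  </actions>
</incoming-action-mapping>
"""

# Assumed conversions from the declared Java dest-type to a Python value.
CONVERTERS = {
    "java.lang.Long": int,
    "java.lang.String": str,
    "java.lang.Boolean": lambda s: s.strip().lower() == "true",
}


def load_action(xml_text, action_id):
    """Return (operation, [parameter dicts]) for the named <action>."""
    root = ET.fromstring(xml_text)
    for action in root.findall("i:actions/i:action", NS):
        if action.get("id") != action_id:
            continue
        params = [{
            "source": p.findtext("i:source-name", namespaces=NS),
            "dest": p.findtext("i:dest-name", namespaces=NS),
            "type": p.findtext("i:dest-type", namespaces=NS),
            "default": p.findtext("i:default", namespaces=NS),
            "mandatory": p.get("mandatory") == "true",
        } for p in action.findall("i:parameters/i:parameter", NS)]
        return action.get("operation"), params
    raise KeyError(action_id)


def apply_mapping(params, event):
    """Map one incoming event (source-name -> string) to business-logic arguments."""
    args = {}
    for p in params:
        raw = event.get(p["source"])
        if raw is None or raw == "":
            if p["mandatory"]:
                raise ValueError("mandatory parameter %s is empty" % p["source"])
            default = p["default"]
            if default is None or default == "NULL_IF_NULL":
                args[p["dest"]] = None      # no default, or NULL_IF_NULL: pass null
                continue
            if default == "EMPTY_STRING_IF_NULL":
                args[p["dest"]] = ""        # pass an empty String
                continue
            raw = default                   # any other default is used as the value
        args[p["dest"]] = CONVERTERS[p["type"]](raw)
    return args


# Constructed sample event: only the key and manager key are populated, "deleted" is absent.
SAMPLE_EVENT = {"Users.Key": "1042", "Users.First Name": "", "displayName": "",
                "Users.Email": "", "Users.Manager Key": "7"}


def demo():
    operation, params = load_action(MAPPING_XML, "OIM_reconcile_user")
    return operation, apply_mapping(params, SAMPLE_EVENT)


if __name__ == "__main__":
    print(demo())
```

The result for the sample event is givenName null, displayName set to the literal default, mail an empty String, oimManagerKey 7 and deleteFlag false, which is what the consuming reconcileUser operation would see; an event with an empty Users.Key is rejected rather than mapped.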

3.7.5 Modifying the Outgoing Event Manager

The Outgoing Event Manager configuration defines how messages generated by Role Manager for role creation and role membership updates are sent to the appropriate integration queue.

To modify the Outgoing Event Manager component:

  1. Navigate to ORM_HOME on the Role Manager installation host.

  2. From the temporary location where oim_integration.car was extracted, navigate to oim_integration/config/oracle.iam.rm.event.outgoing.

  3. Edit the values in the oim_integration.xml file as needed.

    For detailed information about the settings in this file, see Section 3.7.5.1.

  4. Package your configuration changes with any other changes as described in Section 3.7.7 for deployment.

3.7.5.1 Outgoing Event Manager Settings

The following example shows a configuration for Role Manager's Outgoing Event Manager. The configuration shown here is the default configuration supporting the Integration Library with Identity Manager.

Note:

The two events in this configuration, role_membership and delete_object, are configured in this file to send updates to the specified JMS endpoint using the named connection factory. These named resources must correspond to JNDI names defined on the application server hosting Identity Manager.

Example 3-4 Outgoing Event Manager Configuration Default Values in XML

<event-actions-mapping xmlns="http://xmlns.oracle.com/iam/rm/event/outgoing/1_0">
        <event-actions>
                <event-action>
                        <event-type>role_membership</event-type>
                        <event-dests>
                                <event-dest>
                                        <endpoint>oim/OIMserver/RoleManagerQueue</endpoint>
                                        <connection-factory>/oim/OIMserver/QueueConnectionFactory
                                        </connection-factory>
                                        <message-version-uri>
                                                http://xmlns.oracle.com/iam/rm/schema/event/event/1_0
                                        </message-version-uri>
                                </event-dest>
                        </event-dests>
                </event-action>
                <event-action>
                        <event-type>delete_object</event-type>
                        <event-dests>
                                <event-dest>
                                        <endpoint>oim/OIMserver/RoleManagerQueue</endpoint>
                                        <connection-factory>/oim/OIMserver/QueueConnectionFactory
                                        </connection-factory>
                                        <message-version-uri>
                                                http://xmlns.oracle.com/iam/rm/schema/event/event/1_0
                                        </message-version-uri>
                                </event-dest>
                        </event-dests>
                </event-action>
        </event-actions>
</event-actions-mapping>

3.7.6 Modifying the Business Logic for User Reconciliation

The Business Logic configuration defines the reconcileUser operation by associating incoming event parameters with those required by the underlying reconcileEntity plug-in. You may want to edit this file to add new attributes to the user data to be sent to Role Manager from an external system.

To modify the Business Logic component:

  1. Navigate to ORM_HOME on the Role Manager installation host.

  2. From the temporary location where oim_integration.car was extracted, navigate to oim_integration/config/oracle.iam.rm.bizlogic.def.

  3. Edit the values in the bizlogic.oim_integration.xml file as needed.

    For detailed information about the settings in this file, see Section 3.7.6.1.

  4. Package your configuration changes with any other changes as described in Section 3.7.7 for deployment.

3.7.6.1 Business Logic Settings

The following example shows the default configuration for the Business Logic component of the Integration Library. You can use this XML content as a starting place for customization.

Example 3-5 Business Logic Configuration Default Values in XML

<config xmlns="http://xmlns.oracle.com/iam/rm/bizlogic/def/1_0"
        xmlns:i18n="http://xmlns.oracle.com/iam/rm/i18n/config/1_0"
        xmlns:t="http://xmlns.oracle.com/iam/rm/type/def/1_0"
        id="bizlogic.oim_integration" version="10.1.4">

<dependencies>
        <model-dependency id="standard_permissions" version="3.0.0"/>
</dependencies>
<operations>
        <business-transaction id="reconcileUser" related-object-type="person" permission="manage">
                <title>Reconcile User</title>
                <arguments>
                        <argument id="startTime">
                                <title>Start Date</title>
                                <t:datetime>
                                        <t:default-value>transaction</t:default-value>
                                </t:datetime>
                        </argument>
                        <argument id="deleteFlag">
                                <title>Delete Flag</title>
                                <t:boolean/>
                        </argument>
                        <argument id="oimId">
                                <title>OIM Identifier</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>oimId</related-object-attribute>
                        </argument>
                        <argument id="givenName">
                                <title>First Name</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>givenName</related-object-attribute>
                        </argument>
                        <argument id="sn">
                                <title>Last Name</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>sn</related-object-attribute>
                        </argument>
                        <argument id="displayName">
                                <title>Display Name</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>displayName</related-object-attribute>
                        </argument>
                        <argument id="jobTitle">
                                <title>Job Title</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>jobTitle</related-object-attribute>
                        </argument>
                        <argument id="status">
                                <title>Status</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>status</related-object-attribute>
                        </argument>
                        <argument id="mail">
                                <title>Email</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>mail</related-object-attribute>
                        </argument>
                        <argument id="oimManagerKey">
                                <title>OIM Manager Key</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>oimManagerKey</related-object-attribute>
                        </argument>
                </arguments>
                <snapshot-logic-definition plugin-pack-id="oracle.iam.rm.bizlogic.plugin.standard_ext" plugin-id="reconcile_entity">
                <ext config-version="1.0">
                        <config>
                        <![CDATA[
                        <reconcile-entity xmlns="http://xmlns.oracle.com/iam/rm/bizlogic/plugin/standard_ext/1_0"
                                entity-type="person"
                                identifying-attribute="oimId"
                                delete-flag-attribute="deleteFlag">
                                <attributes>
                                        <attribute attribute-id="oimId" argument-id="oimId"/>
                                        <attribute attribute-id="givenName" argument-id="givenName"/>
                                        <attribute attribute-id="sn" argument-id="sn"/>
                                        <attribute attribute-id="displayName" argument-id="displayName"/>
                                        <attribute attribute-id="jobTitle" argument-id="jobTitle"/>
                                        <attribute attribute-id="mail" argument-id="mail"/>
                                        <attribute attribute-id="oimManagerKey" argument-id="oimManagerKey"/>
                                        <attribute attribute-id="status" argument-id="status"/>
                                </attributes>
                        </reconcile-entity>
                        ]]>
                        </config>
                </ext>
                <effective-date>
                        <argument-id>startTime</argument-id>
                </effective-date>
                </snapshot-logic-definition>
        </business-transaction>
</operations>
</config>
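When you add a new user attribute to this file, the new <argument id> and the matching <attribute argument-id> inside the CDATA block must be kept in step. The following added check (not part of the Integration Library) parses a constructed, trimmed-down copy of the bizlogic file and reports mappings that point at undeclared arguments and arguments nothing consumes; it treats delete-flag-attribute as naming an argument id, as in Example 3-5.

```python
import xml.etree.ElementTree as ET

BIZ = "{http://xmlns.oracle.com/iam/rm/bizlogic/def/1_0}"
EXT = "{http://xmlns.oracle.com/iam/rm/bizlogic/plugin/standard_ext/1_0}"

# Constructed, trimmed-down bizlogic file with one deliberate defect: the
# "department" mapping has no matching <argument id="department"> declaration.
SAMPLE = """<config xmlns="http://xmlns.oracle.com/iam/rm/bizlogic/def/1_0"
        id="bizlogic.oim_integration" version="10.1.4">
<operations><business-transaction id="reconcileUser" related-object-type="person" permission="manage">
  <arguments>
    <argument id="startTime"/><argument id="deleteFlag"/><argument id="oimId"/>
    <argument id="givenName"/><argument id="mail"/>
  </arguments>
  <snapshot-logic-definition plugin-pack-id="oracle.iam.rm.bizlogic.plugin.standard_ext" plugin-id="reconcile_entity">
    <ext config-version="1.0"><config><![CDATA[
      <reconcile-entity xmlns="http://xmlns.oracle.com/iam/rm/bizlogic/plugin/standard_ext/1_0"
          entity-type="person" identifying-attribute="oimId" delete-flag-attribute="deleteFlag">
        <attributes>
          <attribute attribute-id="oimId" argument-id="oimId"/>
          <attribute attribute-id="givenName" argument-id="givenName"/>
          <attribute attribute-id="department" argument-id="department"/>
        </attributes>
      </reconcile-entity>
    ]]></config></ext>
    <effective-date><argument-id>startTime</argument-id></effective-date>
  </snapshot-logic-definition>
</business-transaction></operations>
</config>"""

def check_reconcile_mapping(xml_text):
    """Cross-check declared <argument id>s against the reconcile-entity
    plug-in mapping carried in the CDATA block of <ext><config>."""
    root = ET.fromstring(xml_text)
    declared = {a.get("id") for a in root.iter(BIZ + "argument")}

    # ElementTree hands the CDATA body back as plain text; parse it as XML.
    inner = ET.fromstring(root.find(f".//{BIZ}ext/{BIZ}config").text.strip())
    mapped_attrs = {a.get("attribute-id") for a in inner.iter(EXT + "attribute")}
    referenced = {a.get("argument-id") for a in inner.iter(EXT + "attribute")}
    referenced.add(inner.get("delete-flag-attribute"))  # names an argument id
    referenced.update(e.findtext(BIZ + "argument-id")
                      for e in root.iter(BIZ + "effective-date"))

    return {
        "undeclared": sorted(referenced - declared),  # mapping -> missing argument
        "unmapped": sorted(declared - referenced),    # argument nothing consumes
        "identifying_ok": inner.get("identifying-attribute") in mapped_attrs,
    }
```

Run it against your edited bizlogic.oim_integration.xml before repackaging; an empty "undeclared" list and identifying_ok set to True are what you want to see.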

3.7.7 Packaging Configuration Modifications

After you have made your modifications, the modified XML files must be repackaged into a new CAR (configuration archive) file before they can be deployed to the Role Manager system.

Note:

The layout of files and directories in the new CAR file must match the layout of the original CAR file before extraction.

To package the modified configuration:

  1. Navigate to the temporary location where oim_integration.car was extracted and where the XML files were modified.

  2. Using a utility such as WinZip or jar, repackage the oim_integration directory and everything in it into a new file with the .car extension, for example, oim_integration_custom.car.

    Ensure that the CAR file directory layout is as follows:

    oim_integration/
            config/
                    oracle.iam.rm.bizlogic.def/
                            bizlogic.oim_integration.xml
                    oracle.iam.rm.event.incoming/
                            oim_integration.xml
                    oracle.iam.rm.event.outgoing/
                            oim_integration.xml
                    oracle.iam.rm.temporal/
                            oim_integration.xml
                    oracle.iam.rm.timer/
                            roleMembershipUpdateTimer.xml
    

    If it does not match this layout, fix the layout and repackage the CAR file.

  3. Include this file in the collection of CAR files as part of the deploy command described in Section 3.1, "Deploying the Integration Library Configuration."
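Because a CAR is a zip archive, the layout requirement in step 2 can be verified before running deploy. The following added check (not an Oracle tool) compares the entries of a CAR against the layout listed above; the constructed archives show a correct package and the common mistake of zipping from inside the oim_integration directory.

```python
import io
import zipfile

# File layout the deploy command expects inside the CAR (Section 3.7.7).
EXPECTED_LAYOUT = {
    "oim_integration/config/oracle.iam.rm.bizlogic.def/bizlogic.oim_integration.xml",
    "oim_integration/config/oracle.iam.rm.event.incoming/oim_integration.xml",
    "oim_integration/config/oracle.iam.rm.event.outgoing/oim_integration.xml",
    "oim_integration/config/oracle.iam.rm.temporal/oim_integration.xml",
    "oim_integration/config/oracle.iam.rm.timer/roleMembershipUpdateTimer.xml",
}


def check_car_layout(car_bytes):
    """Compare the file entries of a CAR (a zip archive) with EXPECTED_LAYOUT.
    Returns (missing, unexpected); two empty lists mean the layout matches."""
    with zipfile.ZipFile(io.BytesIO(car_bytes)) as zf:
        # Directory entries are irrelevant; only file paths define the layout.
        present = {n for n in zf.namelist() if not n.endswith("/")}
    return sorted(EXPECTED_LAYOUT - present), sorted(present - EXPECTED_LAYOUT)


def build_car(entries):
    """Build an in-memory CAR from {path: content}; used for constructed input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in entries.items():
            zf.writestr(path, text)
    return buf.getvalue()


GOOD_CAR = build_car({p: "<config/>" for p in EXPECTED_LAYOUT})
# Common mistake: zipping from inside oim_integration/ drops the top-level
# directory from every entry, so the layout no longer matches the one above.
BAD_CAR = build_car({p.split("/", 1)[1]: "<config/>" for p in EXPECTED_LAYOUT})
```

To check a real file, pass the bytes of oim_integration_custom.car to check_car_layout and repackage if either list is non-empty.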