Oracle® Identity Manager Connector Guide for Database User Management
Release 9.0.4

Part Number E10425-07

3 Configuring the Connector

After you deploy the connector, you must configure it to meet your requirements. This chapter discusses the following connector configuration procedures:

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

3.1 Configuring Reconciliation

As mentioned earlier in this guide, reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. This section discusses the following topics related to configuring reconciliation:

3.1.1 Partial Reconciliation

Note:

See Bug 8274800 in the "Known Issues" chapter for information about an issue related to this feature.

By default, all target system records are fetched into Oracle Identity Manager during a reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating a filter for the reconciliation module.

Creating a filter involves specifying a value for the Login Name scheduled task attribute. This value is used in the query SELECT criteria to reconcile target system records for which the value of the Login Name field matches the value of the Login Name scheduled task attribute.

For example, if you specify jdoe as the value of the Login Name scheduled task attribute, then all new or updated target system records for which the login name is jdoe are reconciled.

While deploying the connector, follow the instructions in the "Configuring the Reconciliation Scheduled Tasks" section to specify values for the Login Name scheduled task attribute.

3.1.2 Specifying the Number of Records to Be Reconciled

Note:

See Bug 8274800 in the "Known Issues" chapter for information about an issue related to this feature.

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.

For a trial reconciliation run, you can specify the number of records to be reconciled by using the Record Size user reconciliation scheduled task attribute. The numeric value that you assign to this attribute represents the number of records that must be reconciled. The default value of the Record Size attribute is All, which signifies that all records are to be reconciled.

You can use this feature to perform a trial reconciliation run.

You specify a value for the Record Size attribute by following the instructions described in the "Configuring the Reconciliation Scheduled Tasks" section.

Note:

If you provide a value for the Login Name attribute, then the Record Size attribute is ignored.

3.1.3 Configuring the Target System As a Trusted Source

While configuring the connector, the target system can be designated as a trusted source or target resource. If you designate the target system as a trusted source, then during a reconciliation run:

  • For each newly created user on the target system, an OIM User is created.

  • Updates made to each user on the target system are propagated to the corresponding OIM User.

If you designate the target system as a target resource, then during a reconciliation run:

  • For each account created on the target system, a resource is assigned to the corresponding OIM User.

  • Updates made to each account on the target system are propagated to the corresponding resource.

Note:

You can skip this section if you do not want to designate the target system as a trusted source for reconciliation.

Configuring trusted source reconciliation involves the following steps:

  1. Import the XML file for trusted source reconciliation, xelluserDbAccess Trusted.xml, by using the Deployment Manager. This section describes the procedure to import the XML file.

    Note:

    Only one target system can be designated as a trusted source. If you import the xelluserDbAccess Trusted.xml file while you have another trusted source configured, then both connector reconciliations would stop working.

  2. Specify values for the attributes of the Database Reconciliation Task - Trusted scheduled task. This procedure is described later in this guide.

To import the XML file for trusted source reconciliation:

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for opening files is displayed.

  4. Locate and open the xelluserDbAccess Trusted.xml file, which is in the OIM_HOME/xellerate/XLIntegrations/DatabaseAccess/xml directory. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Import.

  8. In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.

Note:

After you import the XML file for trusted source reconciliation, you must configure the scheduled task for trusted source reconciliation. The procedure is described in this chapter.

3.1.4 Configuring the Reconciliation Scheduled Tasks

When you perform the procedure described in the "Importing the Connector XML Files" section, the scheduled tasks for lookup fields, trusted source user, and target resource user reconciliations are automatically created in Oracle Identity Manager. To configure the trusted source or target resource reconciliation scheduled tasks:

  1. Open the Oracle Identity Manager Design Console.

  2. Expand the Administration folder.

  3. Select Task Scheduler.

  4. Use the Find option to search for either the Database Reconciliation Task - Non Trusted or Database Reconciliation Task - Trusted scheduled task. Select the task to display its details.

  5. Enter a number in the Max Retries field. This number represents the number of times Oracle Identity Manager must attempt to complete the task before assigning the FAILED status to the task.

  6. Ensure that the Disabled and Stop Execution check boxes are not selected.

  7. In the Start region, double-click the Start Time field. From the date-time editor that is displayed, select the date and time at which you want the task to run.

  8. In the Interval region, set the following schedule parameters:

    • To set the task to run on a recurring basis, select the Daily, Weekly, Recurring Intervals, Monthly, or Yearly option.

      If you select the Recurring Intervals option, then you must also specify the time interval at which you want the task to run on a recurring basis.

    • To set the task to run only once, select the Once option.

  9. Depending on whether you want to implement trusted source or target resource reconciliation, you must specify values for the attributes of one of the following scheduled tasks:

    • Database Reconciliation Task - Trusted (Scheduled task for trusted source reconciliation)

    • Database Reconciliation Task - Non Trusted (Scheduled task for target resource reconciliation)

    The following table describes the attributes of both scheduled tasks.

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value were left empty, then reconciliation would not be performed.

    Attribute: Server
    Description: Name of the IT resource
    Sample Value: Oracle

    Attribute: isTrusted
    Description: Specifies whether or not reconciliation is to be carried out in trusted mode
    Sample Value: For trusted source reconciliation, set the value of this attribute to Yes. For target resource reconciliation, set the value of this attribute to No.

    Attribute: Target System Login Recon - Resource Object name
    Description: Name of the target system parent resource object
    Sample Value:
    • For Oracle Database: Database Access Oracle User RO
    • For IBM DB2 UDB: Database Access DB2UDB User RO
    • For Microsoft SQL Server: Database Access SQLServer Login RO
    • For Sybase: Database Access Sybase Login RO

    Attribute: Target System User Recon - Resource Object name
    Description: Name of the target system child resource object
    Sample Value:
    • For IBM DB2 UDB: nodata
    • For Microsoft SQL Server: Database Access SQLServer User RO
    • For Oracle Database: nodata
    • For Sybase: Database Access Sybase User RO

    Attribute: Trusted Source Recon - Resource Object name
    Description: Name of the trusted source resource object
    Sample Value:
    • For trusted source reconciliation: Xellerate User
    • For target resource reconciliation: False

    Attribute: DBName
    Description: For IBM DB2 UDB, Microsoft SQL Server, and Sybase, specify the name of the target database from where data is to be reconciled. For Oracle Database, specify none as the value of this attribute.
    Sample Value: TESTDB

    Attribute: Login Name
    Description: This is a filter attribute. Use this attribute to specify the login name of the user whose records you want to reconcile. If you do not want to use this filter, then specify Nodata. If you provide a value for the Login Name attribute, then the Record Size attribute is ignored.
    See Also: The "Partial Reconciliation" section
    Sample Value: Jdoe

    Attribute: Record Size
    Description: Specifies the number of records to be reconciled. The value can be any integer greater than zero.
    Note: If you provide a value for the Login Name attribute, then the Record Size attribute is ignored.
    Sample Value: The default value of this attribute is All.

    Attribute: ExcludeSystemUsers
    Description: Specifies the logins to be excluded from reconciliation. You can use this attribute to specify system logins that you do not want to reconcile into Oracle Identity Manager.
    Sample Value: A comma-separated list of logins.

    Attribute: ReconcileLockedUser
    Description: Specifies whether or not users who are in the Locked state in Oracle Database must be reconciled. Enter yes as the value of this attribute if you want users that are in the Locked state on the target system to be reconciled during a reconciliation run. Otherwise, enter no.
    Sample Value: The default value is yes.

    See Also:

    Oracle Identity Manager Design Console Guide for information about adding and removing task attributes

  10. Click Save. The scheduled task is created. The INACTIVE status is displayed in the Status field, because the task is not currently running. The task is run at the date and time that you set in Step 7.
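
The attribute rules in the table above interact: an empty value stops reconciliation, isTrusted must agree with the trusted source resource object, and a Login Name filter overrides Record Size. The following check is an added example, not part of the Oracle guide or the connector; `check_recon_task`, its dict input, the `oracle_target` flag and the case-insensitive matching of Yes/No, All, none and Nodata are assumptions, and SAMPLE is constructed from the table's sample values.

```python
# Added example (not Oracle code): pre-flight check of the attribute table.
# Assumptions: check_recon_task, dict input, case-insensitive keyword match.
TRUSTED_RO = "Trusted Source Recon - Resource Object name"
REQUIRED = [
    "Server", "isTrusted", "Target System Login Recon - Resource Object name",
    "Target System User Recon - Resource Object name", TRUSTED_RO, "DBName",
    "Login Name", "Record Size", "ExcludeSystemUsers", "ReconcileLockedUser",
]

def check_recon_task(attrs, oracle_target=True):
    """Return (errors, warnings) for one scheduled task's attribute values."""
    val = {k: str(attrs.get(k, "")).strip() for k in REQUIRED}
    low = {k: v.lower() for k, v in val.items()}
    # One empty attribute is enough for reconciliation not to be performed.
    errors = [f"{k}: no value assigned" for k in REQUIRED if not val[k]]
    warnings = []
    if low["isTrusted"] in ("yes", "no"):
        # Trusted mode and the trusted source resource object must agree.
        expected = "Xellerate User" if low["isTrusted"] == "yes" else "False"
        if val[TRUSTED_RO] and val[TRUSTED_RO] != expected:
            errors.append(f"{TRUSTED_RO}: expected {expected!r}")
    elif val["isTrusted"]:
        errors.append("isTrusted: must be Yes or No")
    if val["ReconcileLockedUser"] and low["ReconcileLockedUser"] not in ("yes", "no"):
        errors.append("ReconcileLockedUser: must be yes or no")
    size = val["Record Size"]
    if size and low["Record Size"] != "all" and not (size.isdecimal() and int(size) > 0):
        errors.append("Record Size: must be All or an integer greater than zero")
    # Oracle Database takes none; the other target systems take a database name.
    if val["DBName"] and oracle_target != (low["DBName"] == "none"):
        errors.append("DBName: use none for Oracle Database, a database name otherwise")
    logins = [u.strip() for u in val["ExcludeSystemUsers"].split(",")]
    if val["ExcludeSystemUsers"] and "" in logins:
        errors.append("ExcludeSystemUsers: empty entry in comma-separated list")
    # A Login Name filter makes the task ignore Record Size.
    if low["Login Name"] not in ("", "nodata") and low["Record Size"] not in ("", "all"):
        warnings.append("Record Size is ignored because Login Name is set")
    return errors, warnings

# Constructed sample: trusted source reconciliation against Oracle Database.
SAMPLE = {
    "Server": "Oracle", "isTrusted": "Yes", TRUSTED_RO: "Xellerate User",
    "Target System Login Recon - Resource Object name": "Database Access Oracle User RO",
    "Target System User Recon - Resource Object name": "nodata",
    "DBName": "none", "Login Name": "Nodata", "Record Size": "All",
    "ExcludeSystemUsers": "SYS,SYSTEM", "ReconcileLockedUser": "yes",
}
if __name__ == "__main__":
    print(check_recon_task(SAMPLE))
```
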

3.1.5 Configuring the Reconciliation Scheduled Tasks for Lookup Fields

To configure the lookup field reconciliation scheduled tasks:

  1. Perform Steps 1 through 8 of the procedure described in "Configuring the Reconciliation Scheduled Tasks". While performing Step 4, search for the DBAccessLookupReconTask scheduled task.

  2. While performing Step 9, use the information given in the following table:

    Attribute: Server
    Description: Name of the IT resource
    Sample Value: Oracle

    Attribute: LookupFieldName
    Description: Specifies the name of the lookup definition for which reconciliation must be performed. The list of lookup definitions for which reconciliation can be performed is given in the OIM_HOME\XLIntegrations\DatabaseAccess\config\LookUpQuery.properties file. You can specify the name of any one of the supported lookup definitions as the value of the LookupFieldName attribute.
    Sample Value: UD_Lookup.DB_ORA_Roles

    Attribute: Exclusion List
    Description: Specifies the target system attribute values that must not be reconciled into the corresponding lookup. For example, if you specify UD_Lookup.DB_ORA_Roles as the value of the LookupFieldName attribute, then you can specify DBA as the value of the Exclusion List attribute. By doing this, you ensure that the DBA role will not be stored in the UD_Lookup.DB_ORA_Roles lookup definition.
    Sample Value: Comma-separated list of target system property names

  3. Perform Step 10 of the procedure to configure the reconciliation scheduled tasks.

3.1.6 Enabling Reconciliation in Oracle Identity Manager Release 9.0.1

If you are using Oracle Identity Manager release 9.0.1, then you must perform the following procedure to enable reconciliation:

See Also:

Oracle Identity Manager Design Console Guide

  1. Open the provisioning process.

  2. Click the Reconciliation Field Mappings tab.

  3. For each field that is of the IT resource type:

    1. Double-click the field to open the Edit Reconciliation Field Mapping window for that field.

    2. Deselect Key Field for Reconciliation Matching.

3.2 Configuring Provisioning

As mentioned earlier in this guide, provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager.

Note:

You must perform the procedure described in this section if you want to use the provisioning features of Oracle Identity Manager for this target system.

You need not perform the procedure to compile adapters if you have performed the procedure described in "Installing the Connector on Oracle Identity Manager Release 9.1.0 or Later".

Adapters are used to implement provisioning functions. The following adapters are imported into Oracle Identity Manager when you import the connector XML file:

See Also:

The "Supported Functionality" section for a listing of the provisioning functions that are available with this connector

You must compile these adapters before they can be used in provisioning operations.

To compile adapters by using the Adapter Manager form:

  1. Open the Adapter Manager form.

  2. To compile all the adapters that you import into the current database, select Compile All.

    To compile multiple (but not all) adapters, select the adapters you want to compile. Then, select Compile Selected.

    Note:

    Click Compile Previously Failed to recompile only those adapters that were not compiled successfully. Such adapters do not have an OK compilation status.

  3. Click Start. Oracle Identity Manager compiles the selected adapters.

  4. If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the OIM_HOME/xellerate/Adapter directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.

If you want to compile one adapter at a time, then use the Adapter Factory form.

See Also:

Oracle Identity Manager Tools Reference Guide for information about using the Adapter Factory and Adapter Manager forms

To view detailed information about an adapter:

  1. Highlight the adapter in the Adapter Manager form.

  2. Double-click the row header of the adapter, or right-click the adapter.

  3. Select Launch Adapter from the shortcut menu that is displayed. Details of the adapter are displayed.

3.3 Configuring the Connector for Multiple Installations of the Target System

Note:

Perform this procedure only if you want to configure the connector for multiple installations of the target system.

You may want to configure the connector for multiple installations of the target system. The following example illustrates this requirement:

The Tokyo, London, and New York offices of Example Multinational Inc. have their own installations of the target system. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of the target system.

To meet the requirement posed by such a scenario, you must configure the connector for multiple installations of the target system.

To configure the connector for multiple installations of the target system:

See Also:

Oracle Identity Manager Design Console Guide for detailed instructions on performing each step of this procedure

  1. Create and configure one IT resource for each target system installation.

    The IT Resources form is in the Resource Management folder. An IT resource is created when you import the connector XML file. You can use this IT resource as the template for creating the remaining IT resources of the same IT resource type.

  2. Configure reconciliation for each target system installation. Refer to the "Configuring Reconciliation" section for instructions. Note that you only need to modify the attributes that are used to specify the IT resource and to specify whether or not the target system installation is to be set up as a trusted source.

  3. If required, modify the fields to be reconciled for the Xellerate User resource object.

When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the target system installation to which you want to provision the user.