Oracle® Identity Manager Connector Guide for Sun Java System Directory
Release 9.0.4

Part Number E10446-04

2 Deploying the Connector

Deploying the connector involves the following steps:

2.1 Verifying Deployment Requirements

The following table lists the deployment requirements for the connector.

Item: Oracle Identity Manager
  Requirement: Oracle Identity Manager release 9.0.3.2 or later

Item: Target systems
  Requirement: Sun ONE Directory Server 5.2, or Sun Java System Directory Server Enterprise Edition 6.3

Item: Target system user account
  Requirement: Sun Java System Directory user account to which the Read, Write, Add, Delete, and Search permissions have been assigned

  You provide the credentials of this user account while configuring the IT resource. The procedure is described later in the guide.

  If you try to perform an operation for which the required permission has not been assigned to the user account, then the "Insufficient Privileges" message is displayed.


2.2 Using External Code Files

Note:

While installing Oracle Identity Manager in a clustered environment, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy the contents of the connectorResources directory and the JAR files to the corresponding directories on each node of the cluster.

The ldapbp.jar file is used by the connector to enable LDAP-based search of user records on the target system. You must download this JAR file from the Sun Web site and copy it into the ThirdParty directory as follows:

  1. Log on to the Sun Web site at

    http://java.sun.com/products/jndi/downloads/index.html

  2. Click Download JNDI 1.2.1 & More.

  3. From the table on the page that is displayed, select and download the file containing the ldapbp.jar file.

  4. Copy the ldapbp.jar file into the following directories:

    OIM_HOME/xellerate/ThirdParty
    

Note:

In an Oracle Identity Manager cluster, copy this JAR file into the ThirdParty directory on each node of the cluster.

2.3 Configuring the Target System

Configuring the target system involves performing the following steps:

2.3.1 Creating a Target System User Account for Connector Operations

Oracle Identity Manager requires a target system user account to access the target system during reconciliation and provisioning operations. You provide the credentials of this user account while performing the procedure described in "Configuring the IT Resource".

To create this user account:

See Also:

Sun Java System Directory documentation for detailed information about performing this procedure
  1. Log in to the Sun One Server Console by using administrator credentials.

  2. Expand the host name folder.

  3. Expand Server Group.

  4. Select Directory Server, and then click Open on the right pane.

  5. On the Directory tab, right-click the root context. You can also select the OU under the root context in which you want to create the user.

  6. From the shortcut menu that is displayed, select New and then select User.

  7. In the Create New User dialog box, enter information about the user account and then click OK.

    The newly created user account is displayed on the right pane.

  8. To determine the entryDN value of the user account:

    1. Right-click the user account, and select Edit with Generic Editor.

    2. In the Generic Editor dialog box, copy the value that is displayed in the entrydn field. Record this value for future reference. You use the entrydn while assigning permissions to the user account. In addition, while configuring the IT resource, you specify the entrydn as the value of the AdminId IT resource parameter.

After creating the user account, you must assign the following permissions to the user account for each target system attribute that is used during reconciliation and provisioning:

  • Read: View the value of the attribute.

  • Write: Modify the value of the attribute.

  • Add: Set a value for the attribute.

  • Delete: Remove the value of the attribute.

To assign permissions to the user account:

  1. On the Sun One Server Console, expand the host name folder.

  2. Expand Server Group.

  3. Select Directory Server, and then click Open on the right pane.

  4. On the Directory tab, right-click the root context.

  5. From the shortcut menu that is displayed, select Edit with Generic Editor.

  6. Select aci.

  7. In the Edit region, click Add value.

  8. In the field that is displayed, copy the following:

    (targetattr = "physicalDeliveryOfficeName || homePhone || preferredDeliveryMethod || jpegPhoto || nsRoleDN || audio || internationaliSDNNumber || owner || postalAddress || roomNumber || givenName || carLicense || userPKCS12 || searchGuide || userPassword || teletexTerminalIdentifier || mobile || manager || entrydn || objectClass || userSMIMECertificate || displayName || destinationIndicator || telexNumber || employeeNumber || secretary || uid || userCertificate || st || sn || description || mail || labeledUri || businessCategory || homePostalAddress || x500UniqueIdentifier || modifyTimestamp || postOfficeBox || ou || nsAccountLock || seeAlso || registeredAddress || postalCode || photo || title || uniqueMember || street || pager || departmentNumber || dc || o || cn || l || initials || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || x121Address || employeeType") (version 3.0;acl "ACI_NAME";allow (read,write,delete,add)(userdn = "ldap:///ENTRYDN_VALUE");)
    
  9. In the string that you copy:

    • Replace ACI_NAME with the name that you want to assign to the ACI, for example, OIMUserACI.

    • Replace ENTRYDN_VALUE with the entrydn value that you record in Step 8.b, for example, uid=OIMUser,ou=Org1,dc=corp,dc=oracle,dc=com.

  10. Click OK.

  11. To view or modify the access permissions you have set for the user account:

    1. In the main Sun One Server Console window, right-click the root context.

    2. From the shortcut menu, click Set Access Permissions.

    3. In the Manage Access Control dialog box, select the ACI that you create for the user account and then click Edit.

      The ACI that you create for the user account is displayed.

    4. If required, make changes in the ACI and then click OK.
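As an added check (example code written for this page, not part of the connector or of Sun Java System Directory), the following Python parses an ACI of the shape shown in Step 8 and reports anything that leaves the grant broader or different from what the connector needs: placeholders that were never replaced, a userdn other than the connector account, rights beyond read, write, delete and add (the directory also accepts wider rights such as all), or a targetattr wildcard. The sample ACI uses a shortened attribute list constructed for the example; the regular expression is this example's own reading of the ACI syntax in Step 8 and does not cover every ACI form the directory supports.

```python
import re

# Constructed sample: the Step 8 ACI with the placeholders replaced by the guide's
# example values (OIMUserACI, uid=OIMUser,...) and a shortened attribute list.
SAMPLE_ACI = (
    '(targetattr = "uid || cn || sn || givenName || mail || userPassword || '
    'objectClass || entrydn || modifyTimestamp || nsAccountLock")'
    '(version 3.0;acl "OIMUserACI";allow (read,write,delete,add)'
    '(userdn = "ldap:///uid=OIMUser,ou=Org1,dc=corp,dc=oracle,dc=com");)'
)

# Constructed counter-example: placeholders left in place, every attribute, every right.
BAD_ACI = '(targetattr = "*")(version 3.0;acl "ACI_NAME";allow (all)(userdn = "ldap:///ENTRYDN_VALUE");)'

# The rights the Step 8 ACI grants.
CONNECTOR_RIGHTS = frozenset({"read", "write", "delete", "add"})

# Shape of the Step 8 ACI only (assumption of this example): one targetattr clause,
# one allow/deny rule, one userdn subject.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version\s*3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<rule>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'\(userdn\s*=\s*"ldap:///(?P<dn>[^"]*)"\s*\)\s*;\s*\)',
    re.IGNORECASE,
)


def parse_aci(aci):
    """Split an ACI string into its name, rule, attribute list, rights and subject DN."""
    match = ACI_RE.fullmatch(aci.strip())
    if not match:
        raise ValueError("ACI does not match the shape used in Step 8")
    return {
        "name": match.group("name"),
        "rule": match.group("rule").lower(),
        "attrs": [a.strip() for a in match.group("attrs").split("||")],
        "rights": {r.strip().lower() for r in match.group("rights").split(",")},
        "userdn": match.group("dn"),
    }


def normalize_dn(dn):
    """Case- and whitespace-insensitive comparison form for simple DNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_aci(aci, connector_dn, expected_rights=CONNECTOR_RIGHTS):
    """Return a list of findings; an empty list means the ACI grants exactly what was intended."""
    parsed = parse_aci(aci)
    findings = []
    if parsed["rule"] != "allow":
        findings.append("rule is '%s', expected 'allow'" % parsed["rule"])
    if parsed["name"] == "ACI_NAME":
        findings.append("ACI_NAME placeholder was not replaced")
    if parsed["userdn"] == "ENTRYDN_VALUE":
        findings.append("ENTRYDN_VALUE placeholder was not replaced")
    elif normalize_dn(parsed["userdn"]) != normalize_dn(connector_dn):
        findings.append("userdn %s is not the connector account %s" % (parsed["userdn"], connector_dn))
    extra = parsed["rights"] - set(expected_rights)
    if extra:
        findings.append("rights beyond the connector's needs: %s" % ", ".join(sorted(extra)))
    missing = set(expected_rights) - parsed["rights"]
    if missing:
        findings.append("rights the connector needs are missing: %s" % ", ".join(sorted(missing)))
    if "*" in parsed["attrs"]:
        findings.append("targetattr wildcard grants access to every attribute")
    return findings


if __name__ == "__main__":
    dn = "uid=OIMUser,ou=Org1,dc=corp,dc=oracle,dc=com"
    print("sample:", check_aci(SAMPLE_ACI, dn) or "ok")
    print("bad:   ", check_aci(BAD_ACI, dn))
```

Section 2.1 lists Search alongside Read, Write, Add and Delete; if you extend the ACI with that right, pass the extended set as expected_rights so the check does not report it as excess.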

2.3.2 Creating a VLV Index

By creating a VLV index, you can improve the performance of reconciliation runs. To create a VLV index:

  1. Log in to the Sun One Server Console by using administrator credentials.

  2. Expand the host name folder.

  3. Expand Server Group.

  4. Select Directory Server, and then click Open on the right pane.

  5. On the Directory tab, right-click the root context.

  6. From the shortcut menu that is displayed, select New and then select Other.

  7. In the New Object dialog box, select vlvindex and then click OK.

  8. In the Generic Editor dialog box, select Object class and then click Add value.

  9. In the Add Object Class dialog box, select vlvsearch and then click OK.

  10. In the Generic Editor dialog box, click Change.

  11. In the Naming Attribute column of the Change Naming Attribute dialog box, deselect the check box for the vlvsort attribute, select the check box for the cn attribute, and then click OK.

  12. Specify values for the following attributes:

    • vlvbase: Enter the tree level where you want the index to be created.

      Sample value: dc=corp,dc=example,dc=com

    • vlvfilter: Enter the search filter for the index.

      Sample value: (|(objectclass=*)(objectclass=ldapsubentry))

    • vlvscope: This attribute specifies the scope of the search. Specify one of the following values:

      • Enter 0 for a base-level search.

      • Enter 1 for a one-level search.

      • Enter 2 for a sub-tree search.

      Sample value: 1

    • vlvsort: This attribute specifies the sort order that the VLV ldapsearch command uses for the VLV index.

      Sample value: modifytimestamp

  13. Click OK.

2.4 Installing the Connector on Oracle Identity Manager Release 9.1.0 or Later

Note:

In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.

Installing the connector on Oracle Identity Manager release 9.1.0 or later involves the following procedures:

2.4.1 Running the Connector Installer

To run the Connector Installer:

  1. Copy the contents of the connector installation media into the following directory:

    OIM_HOME/xellerate/ConnectorDefaultDirectory
    
  2. Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of Oracle Identity Manager Administrative and User Console Guide.

  3. Click Deployment Management, and then click Install Connector.

  4. From the Connector List list, select Sun Java System Directory RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory:

    OIM_HOME/xellerate/ConnectorDefaultDirectory 
    

    If you have copied the installation files into a different directory, then:

    1. In the Alternative Directory field, enter the full path and name of that directory.

    2. To repopulate the list of connectors in the Connector List list, click Refresh.

    3. From the Connector List list, select Sun Java System Directory RELEASE_NUMBER.

  5. Click Load.

  6. To start the installation process, click Continue.

    The following tasks are performed in sequence:

    1. Configuration of connector libraries

    2. Import of the connector Target Resource user configuration XML file (by using the Deployment Manager). If you want to import the target system as a trusted source for reconciliation, then see "Configuring Trusted Source Reconciliation".

    3. Compilation of adapters

    On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:

    • Retry the installation by clicking Retry.

    • Cancel the installation and begin again from Step 0.

  7. If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:

    1. Ensuring that the prerequisites for using the connector are addressed

      Note:

      At this stage, run the PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. Refer to "Clearing Content Related to Connector Resource Bundles from the Server Cache" for information about running the PurgeCache utility.

      There are no prerequisites for some predefined connectors.

    2. Configuring the IT resource for the connector

      Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is described later in this guide.

    3. Configuring the scheduled tasks that are created when you installed the connector

      Record the names of the scheduled tasks displayed on this page. The procedure to configure these scheduled tasks is described later in this guide.

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 1-1.

Installing the Connector in an Oracle Identity Manager Cluster

While installing Oracle Identity Manager in a clustered environment, you must copy all the JAR files and the contents of the connectorResources directory into the corresponding directories on each node of the cluster. See "Files and Directories on the Installation Media" for information about the files that you must copy and their destination locations on the Oracle Identity Manager server.

2.4.2 Configuring the IT Resource

Note:

Perform this procedure if you are installing the connector on Oracle Identity Manager release 9.1.0 or later.

You must specify values for the parameters of the iPlanet IT Resource IT resource as follows:

  1. Log in to the Administrative and User Console.

  2. Expand Resource Management.

  3. Click Manage IT Resource.

  4. In the IT Resource Name field on the Manage IT Resource page, enter iPlanet User and then click Search.

  5. Click the edit icon for the IT resource.

  6. From the list at the top of the page, select Details and Parameters.

  7. Specify values for the parameters of the IT resource. The following table describes each parameter:

    Admin Id
      DN value of the user who has administrator rights on Sun Java System Directory.
      The default value is uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot

    Admin Password
      Password of the user who has administrator rights on Sun Java System Directory

    Server Address
      IP address of the target Sun Java System Directory server

    Port
      Port number to connect to the target Sun Java System Directory server.
      The default value is 389. This parameter is mentioned in the "Configuring SSL" section.

    Root DN
      Base DN where all the user operations are to be carried out.
      The value can be o=xyz

    SSL
      Specifies whether or not an SSL connection is used for communication between Oracle Identity Manager and the target Sun Java System Directory server.
      The value can be true or false. This parameter is mentioned in the "Configuring SSL" section.
      Note: It is recommended that you enable SSL to secure communication with the target system.

    Target Resource Reconciliation Time Stamp
      Starting with the first reconciliation run, this parameter stores the time-stamp value at which a target resource reconciliation run ends.
      Note: You must not change the default value of this parameter.

    Trusted Source Reconciliation Time Stamp
      Starting with the first reconciliation run, this parameter stores the time-stamp value at which a trusted source reconciliation run ends.
      Note: You must not change the default value of this parameter.

    Prov Attribute Lookup Code
      Name of the lookup definition that has the target attribute mappings required for provisioning of users.
      The default value of this parameter is AttrName.Prov.Map.iPlanet

    Recon Attribute Lookup Code
      Name of the lookup definition that has the target attribute mappings required for reconciliation of users.
      The default value of this parameter is AttrName.Recon.Map.iPlanet

    Use XL Org Structure
      If set to true, then the Oracle Identity Manager Organization structure is used during provisioning and reconciliation.
      If set to false, then the value of the Organization field in the process form is used for provisioning and the organization or container in Sun Java System Directory is used for reconciliation.

    Group Reconciliation Time Stamp
      Starting with the first reconciliation run, this parameter stores the time-stamp value at which a group reconciliation run ends.
      Note: You must not change the default value of this parameter.

    Role Reconciliation Time Stamp
      Starting with the first reconciliation run, this parameter stores the time-stamp value at which a role reconciliation run ends.
      Note: You must not change the default value of this parameter.

    Prov Group Attribute Lookup Code
      Name of the lookup definition that has the target attribute mappings required for provisioning of Groups.
      The default value of this parameter is AtMap.iPlanetGroup.

    Prov Role Attribute Lookup Code
      Name of the lookup definition that has the target attribute mappings required for provisioning of Roles.
      The default value of this parameter is AttrMap.iPlanetRole.


  8. To save the values, click Update.

2.5 Installing the Connector on Oracle Identity Manager Release 9.0.3.2 or Later Release in the 9.0.3.x Series

Installing the connector on Oracle Identity Manager release 9.0.3.2 or a later release in the 9.0.3.x series involves the following procedures:

2.5.1 Copying the Connector Files

The connector files to be copied and the directories to which you must copy them are given in the following table.

See Also:

"Files and Directories on the Installation Media" for more information about these files
Files in the Installation Media Directory    Destination Directory
lib/SJSDSProv.jar                            OIM_HOME/xellerate/JavaTasks
lib/SJSDSRecon.jar                           OIM_HOME/xellerate/ScheduleTasks
Files in the resources directory             OIM_HOME/xellerate/connectorResources
Files in the test directory                  OIM_HOME/xellerate/SJSDS/test/troubleshoot
Files in the xml directory                   OIM_HOME/xellerate/SJSDS/xml

Note:

In a clustered environment, copy the JAR files and the contents of the connectorResources directory to the corresponding directories on each node of the cluster.

2.5.2 Importing the Connector XML File

As mentioned in the "Files and Directories on the Installation Media" section, the connector XML file contains definitions of the components of the connector. By importing the connector XML file, you create these components in Oracle Identity Manager.

To import the connector XML files into Oracle Identity Manager:

  1. Open the Oracle Identity Manager Administrative and User Console.

  2. Click the Deployment Management link on the left navigation bar.

  3. Click the Import link under Deployment Management. A dialog box for opening files is displayed.

  4. Locate and open the iPlanetResourceObject.xml file, which is in the OIM_HOME/xellerate/iPlanet/xml directory. Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Next. The Provide IT Resource Instance Data page for the iPlanet User IT resource is displayed.

  8. Specify values for the parameters of the iPlanet User IT resource. Refer to the following table for information about the values to be specified:

    Admin Id
      DN value of the user who has administrator rights on Sun Java System Directory.
      The default value is uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot

    Admin Password
      Password of the user who has administrator rights on Sun Java System Directory

    Server Address
      IP address of the target Sun Java System Directory server

    Port
      Port number to connect to the target Sun Java System Directory server.
      The default value is 389. This parameter is mentioned in the "Configuring SSL" section.

    Root DN
      Base DN where all the user operations are to be carried out.
      The value can be o=xyz

    SSL
      Specifies whether or not an SSL connection is used for communication between Oracle Identity Manager and the target Sun Java System Directory server.
      The value can be true or false. This parameter is mentioned in the "Configuring SSL" section.
      Note: It is recommended that you enable SSL to secure communication with the target system.

    Target Resource Reconciliation Time Stamp
      Starting with the first reconciliation run, this parameter stores the time-stamp value at which a target resource reconciliation run ends.
      Note: You must not change the default value of this parameter.

    Trusted Source Reconciliation Time Stamp
      Starting with the first reconciliation run, this parameter stores the time-stamp value at which a trusted source reconciliation run ends.
      Note: You must not change the default value of this parameter.

    Prov Attribute Lookup Code
      Name of the lookup definition that has the target attribute mappings required for provisioning.
      The default value of this parameter is AttrName.Prov.Map.iPlanet

    Recon Attribute Lookup Code
      Name of the lookup definition that has the target attribute mappings required for reconciliation.
      The default value of this parameter is AttrName.Recon.Map.iPlanet

    Use XL Org Structure
      If set to true, then the Oracle Identity Manager Organization structure is used during provisioning and reconciliation.
      If set to false, then the value of the Organization field in the process form is used for provisioning and the organization or container in Sun Java System Directory is used for reconciliation.

    Group Reconciliation Time Stamp
      Starting with the first reconciliation run, this parameter stores the time-stamp value at which a group reconciliation run ends.
      Note: You must not change the default value of this parameter.

    Role Reconciliation Time Stamp
      Starting with the first reconciliation run, this parameter stores the time-stamp value at which a role reconciliation run ends.
      Note: You must not change the default value of this parameter.

    Prov Group Attribute Lookup Code
      Name of the lookup definition that has the target attribute mappings required for provisioning of Groups.
      The default value of this parameter is AtMap.iPlanetGroup.

    Prov Role Attribute Lookup Code
      Name of the lookup definition that has the target attribute mappings required for provisioning of Roles.
      The default value of this parameter is AttrMap.iPlanetRole.


  9. Click Next. The Provide IT Resource Instance Data page for a new instance of the LDAP Server IT resource type is displayed.

  10. Click Skip to specify that you do not want to define another IT resource. The Confirmation page is displayed.

    See Also:

    If you want to define another IT resource, then refer to Oracle Identity Manager Administrative and User Console Guide for instructions.
  11. Click View Selections.

    The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. These nodes represent Oracle Identity Manager entities that are redundant. Before you import the connector XML file, you must remove these entities by right-clicking each node and then selecting Remove.

  12. Click Import. The connector file is imported into Oracle Identity Manager.

2.6 Configuring the Oracle Identity Manager Server

Configuring the Oracle Identity Manager server involves the following procedures:

Note:

In a clustered environment, you must perform this step on each node of the cluster.

2.6.1 Changing to the Required Input Locale

Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.

You may require the assistance of the system administrator to change to the required input locale.

2.6.2 Clearing Content Related to Connector Resource Bundles from the Server Cache

While performing the instructions described in the "Copying the Connector Files" section, you copy files from the resources directory on the installation media into the OIM_HOME/xellerate/connectorResources directory. Whenever you add a new resource bundle in the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

  1. In a command window, change to the OIM_HOME/xellerate/bin directory.

    Note:

    You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:
    OIM_HOME/xellerate/bin/batch_file_name
    
  2. Enter one of the following commands:

    • On Microsoft Windows:

      PurgeCache.bat ConnectorResourceBundle
      
    • On UNIX:

      PurgeCache.sh ConnectorResourceBundle
      

    Note:

    You can ignore the exception that is thrown when you perform Step 2.

    In this command, ConnectorResourceBundle is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:

    OIM_HOME/xellerate/config/xlConfig.xml
    

2.6.3 Enabling Logging

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • ALL

    This level enables logging for all events.

  • DEBUG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • INFO

    This level enables logging of messages that highlight the progress of the application at a coarse-grained level.

  • WARN

    This level enables logging of information about potentially harmful situations.

  • ERROR

    This level enables logging of information about error events that may allow the application to continue running.

  • FATAL

    This level enables logging of information about very severe error events that could cause the application to stop functioning.

  • OFF

    This level disables logging for all events.

The file in which you set the log level and the log file path depend on the application server that you use:

  • BEA WebLogic Server

    To enable logging:

    1. Add the following lines in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      log4j.logger.XL_INTG.SJSDS=log_level
      
    2. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      log4j.logger.XL_INTG.SJSDS=INFO
      

    After you enable logging, log information is displayed on the server console.

  • IBM WebSphere Application Server

    To enable logging:

    1. Add the following lines in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      log4j.logger.XL_INTG.SJSDS=log_level
      
    2. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      log4j.logger.XL_INTG.SJSDS=INFO
      

    After you enable logging, log information is written to the following file:

    WEBSPHERE_HOME/AppServer/logs/SERVER_NAME/SystemOut.log
    
  • JBoss Application Server

    To enable logging:

    1. In the JBOSS_HOME/server/default/conf/log4j.xml file, add the following lines if they are not already present in the file:

      <category name="XELLERATE">
         <priority value="log_level"/>
      </category>
      
      <category name="XL_INTG.SJSDS">
         <priority value="log_level"/>
      </category>
      
    2. In the second XML code line of each set, replace log_level with the log level that you want to set. For example:

      <category name="XELLERATE">
         <priority value="INFO"/>
      </category>
      
      <category name="XL_INTG.SJSDS">
         <priority value="INFO"/>
      </category>
      

    After you enable logging, log information is written to the following file:

    JBOSS_HOME/server/default/log/server.log
    
  • Oracle Application Server

    To enable logging:

    1. Add the following lines in the OIM_HOME/xellerate/config/log.properties file:

      log4j.logger.XELLERATE=log_level
      log4j.logger.XL_INTG.SJSDS=log_level
      
    2. In these lines, replace log_level with the log level that you want to set.

      For example:

      log4j.logger.XELLERATE=INFO
      log4j.logger.XL_INTG.SJSDS=INFO
      

    After you enable logging, log information is written to the following file:

    ORACLE_HOME/opmn/logs/default_group~home~default_group~1.log
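The log.properties procedure above is the same for WebLogic, WebSphere and Oracle Application Server, and it is easy to end up with the two logger lines duplicated or set to a level log4j does not know. The following Python, an added example written for this page and not a tool shipped with Oracle Identity Manager, applies a level to both connector loggers idempotently (existing lines are rewritten in place, missing ones appended) and rejects anything outside the level list given above. The sample properties content is constructed for the example; the keys other than the two connector loggers are made up.

```python
# Log levels the guide lists, from most to least verbose.
LOG_LEVELS = ("ALL", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF")

# The two logger entries the guide adds to OIM_HOME/xellerate/config/log.properties.
CONNECTOR_LOGGERS = ("log4j.logger.XELLERATE", "log4j.logger.XL_INTG.SJSDS")

# Constructed sample of an existing log.properties: XELLERATE is already present
# at ERROR, the connector logger is missing. The other keys are invented.
SAMPLE_PROPERTIES = """# constructed sample, not a real OIM log.properties
log4j.rootLogger=WARN, stdout
log4j.logger.XELLERATE=ERROR
log4j.logger.XELLERATE.SERVER=ERROR
"""


def is_valid_level(level):
    """True when level is one of the levels the guide documents."""
    return level.upper() in LOG_LEVELS


def _property_key(line):
    """Key of a key=value line, or None for blank lines and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or "=" not in stripped:
        return None
    return stripped.split("=", 1)[0].strip()


def get_connector_log_levels(properties_text):
    """Map each connector logger that is present to its configured level."""
    levels = {}
    for line in properties_text.splitlines():
        key = _property_key(line)
        if key in CONNECTOR_LOGGERS:
            levels[key] = line.split("=", 1)[1].strip()
    return levels


def set_connector_log_level(properties_text, level):
    """Return properties_text with both connector loggers set to level.

    Lines that already configure a connector logger are rewritten where they
    are; loggers that are absent are appended. Running this twice yields the
    same text, so the two lines are never duplicated.
    """
    level = level.upper()
    if not is_valid_level(level):
        raise ValueError("unknown log level %r; expected one of %s" % (level, ", ".join(LOG_LEVELS)))
    out, seen = [], set()
    for line in properties_text.splitlines():
        key = _property_key(line)
        if key in CONNECTOR_LOGGERS:
            out.append("%s=%s" % (key, level))
            seen.add(key)
        else:
            out.append(line)
    for key in CONNECTOR_LOGGERS:
        if key not in seen:
            out.append("%s=%s" % (key, level))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # ALL and DEBUG are verbose; set them while troubleshooting and step back
    # to INFO or WARN afterwards.
    print(set_connector_log_level(SAMPLE_PROPERTIES, "INFO"))
```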
    

2.6.4 Setting Up Lookup Definitions in Oracle Identity Manager

The following lookup definitions are created in Oracle Identity Manager when you deploy the connector:

  • Lookup.IPNT.CommLang

    During a provisioning operation, you use this lookup definition to specify a communication language for the user.

  • IPNT.Parameter

    The entries in this lookup definition are used during both reconciliation and provisioning.

You must enter or modify values in these lookup definitions before they can be used for connector operations.

To enter or modify values in the lookup definitions:

  1. Log in to the Design Console.

  2. Expand Administration, and double-click Lookup Definition.

  3. Search for and open the Lookup.IPNT.CommLang lookup definition.

  4. Enter Code Key and Decode values for each communication language that can be used for provisioning operations.

    You can enter any value. However, you must enter the same value in both the Code Key and Decode column, for example, German.

  5. Click Save.

  6. Search for and open the IPNT.Parameter lookup definition.

    Enter Decode values for the following Code Key entries:

    Note:

    It is recommended that you do not change the Decode values of the remaining Code Key entries.
    • TARGET_TIMESTAMP_SEARCHFORMAT

      Use this parameter to specify the time-stamp format used by the target system to store time stamps of events related to user data changes. During reconciliation, the connector uses the time stamp value of each event to determine whether the user data change should be fetched into Oracle Identity Manager for reconciliation.

      Default value: yyyyMMddHHmmss.0'Z'

    • SPECIALCHARACTERS

      Use this parameter to specify the special characters that must not be allowed in the User ID and Common Name fields during reconciliation and provisioning operations.

      Default value: #%+,<>|/

      Note:

      Do not use a separator when you add or remove special characters from the default list of special characters.
    • TREE_DELETE_CONTROL_OID

      Use this parameter to specify the OID of the object whose deletion you want to enable for connector operations.

      Default value: 2.5.4.11 (this is the OID of organizational units)

    • LDAP_REFERRAL

      Use this parameter if there are multiple root contexts in your organization. You can specify one of the following values:

      • NONE: Specifies that the LDAP search must not use the LDAP_REFERRAL parameter.

      • follow: Specifies that the LDAP search must follow referrals automatically.

      • ignore: Specifies that the LDAP search must ignore referrals.

      • throw: Specifies that the LDAP search must throw the ReferralException exception when a referral is encountered.

      Default value: NONE
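The IPNT.Parameter entries above are easier to reason about when you see how the connector would act on them. The following Python is an added example written for this page, not code from the connector: it applies the default SPECIALCHARACTERS list to a User ID or Common Name (several of those characters are DN or filter metacharacters, which is why they are kept out of values the connector builds LDAP operations from), renders a point in time in the default TARGET_TIMESTAMP_SEARCHFORMAT, and shows the incremental reconciliation filter such a time stamp feeds into. The strftime translation of the Java pattern and the modifyTimestamp>= comparison are this example's assumptions about how the connector uses the values, and the sample last-run time is constructed.

```python
from datetime import datetime, timezone

# Default Decode value of SPECIALCHARACTERS in IPNT.Parameter (no separator between characters).
SPECIALCHARACTERS = "#%+,<>|/"

# Default Decode value of TARGET_TIMESTAMP_SEARCHFORMAT is yyyyMMddHHmmss.0'Z' in Java
# SimpleDateFormat syntax (the quoted 'Z' is a literal). This strftime pattern is the
# example's own translation of it; the ".0" and "Z" are emitted as literals.
TIMESTAMP_STRFTIME = "%Y%m%d%H%M%S.0Z"

# Values the guide allows for LDAP_REFERRAL.
LDAP_REFERRAL_VALUES = ("NONE", "follow", "ignore", "throw")


def disallowed_characters(value, specials=SPECIALCHARACTERS):
    """Characters from the special-character list that occur in value, sorted."""
    return sorted({c for c in value if c in specials})


def is_valid_identifier(value, specials=SPECIALCHARACTERS):
    """True when a User ID or Common Name contains none of the special characters."""
    return bool(value) and not disallowed_characters(value, specials)


def format_recon_timestamp(moment):
    """Render a timezone-aware datetime in the target system's time-stamp format (UTC)."""
    if moment.tzinfo is None:
        raise ValueError("use a timezone-aware datetime so the Z suffix is correct")
    return moment.astimezone(timezone.utc).strftime(TIMESTAMP_STRFTIME)


def incremental_recon_filter(last_run_end, base_filter="(objectClass=*)"):
    """LDAP filter selecting entries changed since the previous run ended.

    Assumption of this example: the connector compares modifyTimestamp against the
    stored run-end time stamp with >=.
    """
    return "(&%s(modifyTimestamp>=%s))" % (base_filter, format_recon_timestamp(last_run_end))


def validate_lookup_entries(entries):
    """Check a dict of Code Key -> Decode values before saving them in the Design Console.

    Returns a list of findings; an empty list means the entries look usable.
    """
    findings = []
    specials = entries.get("SPECIALCHARACTERS", "")
    if any(c.isspace() for c in specials):
        findings.append("SPECIALCHARACTERS contains whitespace; the list must use no separator")
    if entries.get("LDAP_REFERRAL") not in LDAP_REFERRAL_VALUES:
        findings.append("LDAP_REFERRAL must be one of %s" % ", ".join(LDAP_REFERRAL_VALUES))
    fmt = entries.get("TARGET_TIMESTAMP_SEARCHFORMAT", "")
    if "yyyy" not in fmt or "HH" not in fmt:
        findings.append("TARGET_TIMESTAMP_SEARCHFORMAT does not look like a full date-time pattern")
    return findings


def sample_last_run_end():
    """Constructed sample: a reconciliation run that ended 2009-03-31 23:59:05 UTC."""
    return datetime(2009, 3, 31, 23, 59, 5, tzinfo=timezone.utc)


if __name__ == "__main__":
    print(disallowed_characters("jdoe,ou=Org1"))      # [','] -> rejected as a User ID
    print(incremental_recon_filter(sample_last_run_end()))
```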

2.6.5 Configuring High Availability of the Target System

Suppose you have set up multiple, replicated installations of the target system for high availability. You can use the Lookup.iPlanet.BackupServers lookup definition to ensure that if the primary target system installation becomes unavailable, then Oracle Identity Manager switches to one of the secondary target system installations. The Lookup.iPlanet.BackupServers lookup definition is one of the lookup definitions created when you deploy the connector.

For a single primary installation, you can have any number of secondary installations. In addition, if you configure the connector to work with multiple primary installations, then you can specify secondary installations for each primary installation.

To use the Lookup.iPlanet.BackupServers lookup definition, open it in the Design Console and enter code key and decode values for each combination of primary and secondary target system installation.

See Also:

Oracle Identity Manager Design Console Guide for information about working with lookup definitions

Table 2-1 shows sample entries for the Lookup.iPlanet.BackupServers lookup definition.

Table 2-1 Sample Entries for the Lookup.iPlanet.BackupServers Lookup Definition

Code Key        Decode
172.20.55.64    172.20.55.65
172.20.55.64    172.20.55.66
172.20.55.97    172.20.55.98


In this table, the first two entries represent two secondary installations (172.20.55.65 and 172.20.55.66) for one primary installation (172.20.55.64). The third entry shows a one-to-one combination of primary (172.20.55.97) and secondary (172.20.55.98) installations.
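The failover behavior described above, modeled as an added Python example (this is not connector code from the guide): the Table 2-1 rows are embedded as constructed data, failover_order returns a primary followed by its secondaries in lookup order, and connect_with_failover tries each host in that order using a hypothetical caller-supplied connect function.

```python
"""Failover over Lookup.iPlanet.BackupServers entries (added example, not connector code)."""
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed copy of the Table 2-1 rows: (Code Key = primary, Decode = secondary).
# A list of pairs (not a dict) is used because a primary appears once per secondary.
BACKUP_SERVERS: List[Tuple[str, str]] = [
    ("172.20.55.64", "172.20.55.65"),
    ("172.20.55.64", "172.20.55.66"),
    ("172.20.55.97", "172.20.55.98"),
]


def failover_order(entries: Sequence[Tuple[str, str]], primary: str) -> List[str]:
    """Return the primary followed by its secondaries in lookup order, without duplicates."""
    order = [primary]
    for code_key, decode in entries:
        if code_key == primary and decode not in order:
            order.append(decode)
    return order


def connect_with_failover(entries: Sequence[Tuple[str, str]], primary: str,
                          connect: Callable[[str], object]) -> Tuple[str, object]:
    """Try each host in failover order and return (host, connection) for the first success.

    `connect` is a hypothetical caller-supplied function that opens an LDAP connection
    to a host and raises ConnectionError when that host is unreachable.
    """
    errors: Dict[str, str] = {}
    for host in failover_order(entries, primary):
        try:
            return host, connect(host)
        except ConnectionError as exc:
            errors[host] = str(exc)  # remember why this host was skipped
    raise ConnectionError(f"no reachable installation for {primary}: {errors}")


if __name__ == "__main__":
    down = {"172.20.55.64"}  # constructed: simulate the primary being unavailable

    def fake_connect(host: str) -> str:
        if host in down:
            raise ConnectionError("connection refused")
        return f"conn:{host}"

    # With the primary down, the first secondary (172.20.55.65) is used.
    print(connect_with_failover(BACKUP_SERVERS, "172.20.55.64", fake_connect))
```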

2.7 Configuring SSL

Note:

This is an optional step of the deployment procedure.

To enable SSL communication between Oracle Identity Manager and Sun Java System Directory, you must perform the following tasks:

  1. Creating the CA and SSL Certificates

  2. Importing the CA and SSL Certificates into Sun Java System Directory

  3. Importing the CA and SSL Certificates into Oracle Identity Manager

  4. Enabling SSL Communication on Sun Java System Directory

2.7.1 Creating the CA and SSL Certificates

Creating the CA and SSL certificates involves performing the following procedures:

2.7.1.1 Generating the Certificate Signing Request on Sun Java System Directory

To generate the certificate signing request:

  1. Export the certificate file on the target system as follows:

    1. Log in to the Sun One Server Console by using administrator credentials.

    2. Expand the host name folder.

    3. Expand Server Group.

    4. Select Directory Server, and then click Open on the right pane.

    5. On the Tasks tab, click Manage Certificates.

    6. When you are prompted for the Security Device password, specify the password.

      Note:

      You use this password again while importing the SSL certificate into Sun Java System Directory.

    7. On the Server Certs tab of the Manage Certificates dialog box, click Request.

    8. On the first page of the Certificate Request Wizard, ensure that Request Certificate Manually is selected and then click Next.

    9. On the Requestor Information page of the wizard, enter the required information and then click Next.

    10. On the Token Password page of the wizard, enter the security device password that you provided earlier and then click Next.

    11. On the Request Submission page of the wizard, click Save to file.

    12. In the Save dialog box, specify a location and name for the file and then click Save.

    13. On the Request Submission page of the wizard, click Done.

2.7.1.2 Using the Certificate Signing Request to Generate the CA and SSL Certificates

To generate CA and SSL certificates, follow the procedure defined by the certificate authority (CA) that you want to use. While performing that procedure, use the certificate signing request that you created earlier. Download and save the certificate (.cer) files to the Sun Java System Directory host computer.

2.7.2 Importing the CA and SSL Certificates into Sun Java System Directory

The following sections describe the procedure to import the CA and SSL certificates into Sun Java System Directory:

2.7.2.1 Importing the CA Certificate into Sun Java System Directory

To import the CA certificate to Sun Java System Directory:

  1. Log in to the Sun One Server Console by using administrator credentials.

  2. Expand the host name folder.

  3. Expand Server Group.

  4. Select Directory Server, and then click Open on the right pane.

  5. On the Tasks tab, click Manage Certificates.

  6. On the CA Certs tab of the Manage Certificates dialog box, click Install.

  7. On the Certificate Location page of the Certificate Install Wizard, use the Browse button to navigate to the CA certificate file that you saved on this computer. Then, click Next.

  8. On the Certificate Information page of the Certificate Install Wizard, click Next.

  9. On the Certificate Type page of the Certificate Install Wizard, click Next.

  10. On the Intended Purpose page of the Certificate Install Wizard, ensure that both check boxes are selected and then click Done.

2.7.2.2 Importing the SSL Certificate into Sun Java System Directory

To import the SSL certificate to Sun Java System Directory:

  1. Log in to the Sun One Server Console by using administrator credentials.

  2. Expand the host name folder.

  3. Expand Server Group.

  4. Select Directory Server, and then click Open on the right pane.

  5. On the Tasks tab, click Manage Certificates.

  6. On the Server Certs tab of the Manage Certificates dialog box, click Install.

  7. On the Certificate Location page of the Certificate Install Wizard, use the Browse button to navigate to the SSL certificate file that you saved on this computer. Then, click Next.

  8. On the Certificate Information page of the Certificate Install Wizard, click Next.

  9. On the Certificate Type page of the Certificate Install Wizard, click Next.

  10. On the Token Password page of the Certificate Install Wizard, enter the security device password and then click Done.

2.7.3 Importing the CA and SSL Certificates into Oracle Identity Manager

To import the CA and SSL certificates into the certificate store of the Oracle Identity Manager host computer:

Note:

In a clustered environment, you must perform this procedure on all the nodes of the cluster.

  1. Copy both certificate files to the Oracle Identity Manager host computer.

  2. Change to the directory into which you copied the certificate files.

  3. For each certificate, enter a command similar to the following:

    keytool -import -alias ALIAS -file CER_FILE -keystore MY_CACERTS -storepass PASSWORD

    In this command:

    • ALIAS is the alias for the certificate (for example, the server name).

    • CER_FILE is the full path and name of the certificate (.cer) file.

    • MY_CACERTS is the full path and name of the certificate store.

      Table 2-2 shows the location of the certificate store for each of the supported application servers.

      Table 2-2 Certificate Store Locations

      Application Server: BEA WebLogic Server

      Certificate Store Location:

      • If you are using BEA jrockit_R27.3.1-jdk, then copy the certificate into the following directory:

        JROCKIT_HOME/jre/lib/security

      • If you are using the default BEA WebLogic Server JDK, then copy the certificate into the following directory:

        WEBLOGIC_HOME/java/jre/lib/security/cacerts

      Application Server: IBM WebSphere Application Server

      Certificate Store Location:

      • For a nonclustered configuration of any supported IBM WebSphere Application Server release, import the certificate into the following certificate store:

        WEBSPHERE_HOME/java/jre/lib/security/cacerts

      • For IBM WebSphere Application Server 6.1.x, in addition to the cacerts certificate store, you must import the certificate into the following certificate store:

        WEBSPHERE_HOME/AppServer/profiles/SERVER_NAME/config/cells/CELL_NAME/nodes/NODE_NAME/trust.p12

        For example:

        C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv02\config\cells\wkslaurel3224Node02Cell\nodes\wkslaurel3224Node02\trust.p12

      • For IBM WebSphere Application Server 5.1.x, in addition to the cacerts certificate store, you must import the certificate into the following certificate store:

        WEBSPHERE_HOME/etc/DummyServerTrustFile.jks

      Application Server: JBoss Application Server

      Certificate Store Location:

        JAVA_HOME/jre/lib/security/cacerts

      Application Server: Oracle Application Server

      Certificate Store Location:

        ORACLE_HOME/jdk/jre/lib/security/cacerts

  4. To confirm that the certificate has been imported successfully, enter a command similar to the following:

    keytool -list -alias ALIAS -keystore MY_CACERTS -storepass PASSWORD

    For example:

    keytool -list -alias MyAlias -keystore C:\mydir\java\jre\lib\security\cacerts -storepass changeit

  5. For a nonclustered configuration of IBM WebSphere Application Server, download the jsse.jar file from the Sun Web site and copy this file into the WEBSPHERE_HOME/java/jre/lib/ext directory.

  6. For a clustered configuration of IBM WebSphere Application Server, download the jnet.jar, jsse.jar, and jcert.jar files from the Sun Web site and copy these files into the WEBSPHERE_HOME/java/jre/lib/ext directory.

2.7.4 Enabling SSL Communication on Sun Java System Directory

To enable SSL communication on Sun Java System Directory:

  1. Log in to the Sun One Server Console by using administrator credentials.

  2. Expand the host name folder.

  3. Expand Server Group.

  4. Select Directory Server, and then click Open on the right pane.

  5. On the Configuration tab, select the Encryption tab.

  6. Select Enable SSL for this server.

  7. Select Use this cipher family RSA.

  8. Select Certificate, and then click Save.

  9. Restart Sun Java System Directory.

Determining the Port Number for SSL Communication with LDAP

To determine the port number for SSL communication with LDAP, perform the following steps:

  1. Log in to Sun Java System Directory.

  2. Click the Configuration tab, and then the Network tab.

The Secure Port number that is displayed is the SSL port number.