Oracle® Identity Manager Connector Guide for IBM OS/400 Advanced
Release 9.0.4

Part Number E10452-04

2 Connector Deployment on Oracle Identity Manager

The following sections in this chapter describe the procedure to deploy the connector and the LDAP Gateway on the Oracle Identity Manager host computer:

Refer to the following section if you want to configure the connector for multiple installations of the target system:

See Also:

Chapter 3, "Connector Deployment on IBM OS/400" for the procedure to deploy the Reconciliation Agent and Provisioning Agent on the target system

2.1 Files and Directories that Comprise the Connector

Table 2-1 lists the contents of the connector installation media.

Table 2-1 Files and Directories That Comprise the Connector

File or Directory on the Installation Media Description of Files and Contents

etc/LDAP Gateway/ldapgateway.zip

Files required to deploy the LDAP Gateway

etc/Provisioning and Reconciliation Connector/OIMIDFEX.SAVF

Connector agent save file to be transferred to the IBM OS/400 (mid-range) target system; it provides the Reconciliation Agent and Provisioning Agent that you deploy there (see Chapter 3)

lib/as400-adv-agent-recon.jar

JAR file containing the files required to enable real-time reconciliation

lib/as400-adv-provisioning.jar

JAR file containing the files required to enable provisioning

lib/as400Connection.properties

Properties file that specifies the controls for the initial reconciliation run between Oracle Identity Manager and the target system

Files in the resources directory

Each of these resource bundles contains language-specific information that is used by the connector.

Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Oracle Identity Manager Administrative and User Console.

Files in the scripts directory:

  • scripts/run_initial_recon_provisioning.sh

  • scripts/run_initial_recon_provisioning.bat

  • as400-adv-initial-recon.jar

  • initialAs400Adv.properties

Files that are used to perform first-time (initial) reconciliation with Oracle Identity Manager

scripts/user.txt

Sample of the file containing user data that is used during initial reconciliation

See "Running Initial Reconciliation" for information about using this file.

xml/oimAs400AdvConnector.xml

This XML file contains definitions for the connector components related to reconciliation and provisioning. These components include:

  • Resource objects

  • IT resource types

  • Process forms

  • Process tasks and adapters

  • Provisioning process

  • Lookup definitions

  • Prepopulate rules

xml/AS400TrustedXellerateUser.xml

The XML file that contains component definitions for the connector for trusted source reconciliation


2.2 Copying the Connector Files

Copy the following connector files to the destinations on the Oracle Identity Manager host computer as indicated in Table 2-2.

Note:

See "Files and Directories that Comprise the Connector" for more information about these files. Do not copy the files that are not listed in this table. Those files are used later in the deployment procedure.

Table 2-2 Copying the Connector Files

Files: etc/LDAP Gateway/ldapgateway.zip
Destination: LDAP_INSTALL_DIR

  This is the directory on the Oracle Identity Manager host computer in which you want to install the LDAP Gateway. See "Installing and Configuring the LDAP Gateway" for information about installing the LDAP Gateway.

Files: lib/as400-adv-agent-recon.jar, lib/as400Connection.properties
Destination: LDAP_INSTALL_DIR/etc

Files: lib/as400-adv-provisioning.jar and the files in the scripts directory:

  • run_initial_recon_provisioning.sh

  • run_initial_recon_provisioning.bat

  • as400-adv-initial-recon.jar

  • user.txt

  • initialAs400Adv.properties

Destination: OIM_HOME/JavaTasks/

Files: files in the resources directory
Destination: OIM_HOME/connectorResources/

Files: xml/oimAs400AdvConnector.xml, xml/AS400TrustedXellerateUser.xml
Destination: OIM_HOME/XLIntegrations/as400/xml/


When Oracle Identity Manager is installed in a clustered environment, the contents of the installation directory are copied to each node of the cluster. Similarly, you must copy the files in the connectorResources directory and the JAR files to the corresponding directories on each node of the cluster.

2.3 Configuring Oracle Identity Manager

Configuring Oracle Identity Manager involves the following procedures:

Note:

In a clustered environment, you must perform this step on each node of the cluster.

2.3.1 Clearing Content Related to Connector Resource Bundles from the Server Cache

While you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the OIM_HOME/connectorResources directory. Whenever you add a new resource bundle in the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

  1. In a command window, go to the OIM_HOME/bin directory.

    Note:

    You must perform Step 1 before you perform Step 2. An exception is thrown if you run the Step 2 command from another directory by specifying its path, for example:
    OIM_HOME/bin/BATCH_FILE_NAME
    
  2. Enter one of the following commands:

    • On Microsoft Windows:

      PurgeCache.bat ConnectorResourceBundle
      
    • On UNIX:

      PurgeCache.sh ConnectorResourceBundle
      

    Note:

    You can ignore the exception that is thrown when you perform Step 2. This exception is different from the one mentioned in Step 1.

    In this command, ConnectorResourceBundle is one of the content categories that you can remove from the server cache. Refer to the following file for information about the other content categories:

    OIM_HOME/config/xlConfig.xml
    

2.3.2 Enabling Logging

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • ALL

    This level enables logging for all events.

  • DEBUG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • INFO

    This level enables logging of messages that highlight the progress of the application at a coarse-grained level.

  • WARN

    This level enables logging of information about potentially harmful situations.

  • ERROR

    This level enables logging of information about error events that may allow the application to continue running.

  • FATAL

    This level enables logging of information about very severe error events that could cause the application to stop functioning.

  • OFF

    This level disables logging for all events.

The file in which you set the log level and the log file path depend on the application server that you use:

  • JBoss Application Server

    To enable logging:

    1. In the JBOSS_HOME/server/default/conf/log4j.xml file, add the following lines:

      <category name="COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER">
          <priority value="LOG_LEVEL"/>
      </category>
      
    2. In the second XML line, replace LOG_LEVEL with the log level that you want to set. For example:

      <category name="COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER">
          <priority value="INFO"/>
      </category>
      

    After you enable logging, log information is written to the following file:

    JBOSS_HOME/server/default/log/server.log
    
  • IBM WebSphere Application Server:

    To enable logging:

    1. In the OIM_HOME/config/log.properties file, add the following line:

      log4j.logger.COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER=LOG_LEVEL
      
    2. In this line, replace LOG_LEVEL with the log level that you want to set. For example:

      log4j.logger.COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER=INFO
      

    After you enable logging, log information is written to the following file:

    WEBSPHERE_HOME/AppServer/logs/SERVER_NAME/startServer.log
    
  • BEA WebLogic Server

    To enable logging:

    1. In the OIM_HOME/config/log.properties file, add the following line:

      log4j.logger.COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER=LOG_LEVEL
      
    2. In this line, replace LOG_LEVEL with the log level that you want to set. For example:

      log4j.logger.COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER=INFO
      

    After you enable logging, log information is written to the following file:

    WEBLOGIC_HOME/user_projects/domains/DOMAIN_NAME/SERVER_NAME/SERVER_NAME.log
    
  • Oracle Application Server

    To enable logging:

    1. In the OIM_HOME/config/log.properties file, add the following line:

      log4j.logger.COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER=LOG_LEVEL
      
    2. In this line, replace LOG_LEVEL with the log level that you want to set. For example:

      log4j.logger.COM.THORTECH.XL.AS400.ADVANCED.UTIL.OIMLOGGER=INFO
      

    After you enable logging, log information is written to the following file:

    OAS_HOME/opmn/logs/default_group~home~default_group~1.log
    

2.4 Importing the Connector XML File

To import the connector XML file into Oracle Identity Manager:

  1. Open the Administrative and User Console.

  2. Click Deployment Management on the left navigation pane.

  3. Click the Import link under Deployment Management. A dialog box for locating files is displayed.

  4. Locate and open the oimAs400AdvConnector.xml file, which is in the OIM_HOME/XLIntegrations/as400/xml/ directory (the destination given in Table 2-2). Details of this XML file are shown on the File Preview page.

    You must import oimAs400AdvConnector.xml regardless of whether you want to implement target resource or trusted source reconciliation. If you want to implement trusted source reconciliation, then import the AS400TrustedXellerateUser.xml file after the first one is imported.

  5. Click Add File. The Substitutions page is displayed.

  6. Click Next. The Confirmation page is displayed.

  7. Click Next. The Provide IT Resource Instance Data page is displayed.

  8. Create an IT resource based on the OIMLDAPGatewayResourceType IT resource type. You must specify values for the IT resource parameters listed in Table 2-3.

    Table 2-3 Defining IT Resources

    Parameter: AtMap User
    Description: Name of the lookup definition containing attribute mappings that are used for provisioning
    Value: AtMap.AS400
    Note: You must not change the value of this parameter.

    Parameter: idfPrincipalDn
    Description: Administrator DN for connecting to the LDAP Gateway. This must be the same as the adminUserDN value in the beans.xml file of the LDAP Gateway.
    Sample value: cn=idfAs400Admin,dc=as400,dc=com

    Parameter: idfPrincipalPwd
    Description: Administrator password for connecting to the LDAP Gateway. This must be the same as the adminUserPassword value in the beans.xml file of the LDAP Gateway.

    Parameter: idfRootContext
    Description: Root context for IBM OS/400
    Value: dc=as400,dc=com
    Note: You must not change the value of this parameter.

    Parameter: idfServerHost
    Description: Host name for connecting to the LDAP Gateway
    Value: localhost
    Note: You must not change the value of this parameter if you install the LDAP Gateway on the host computer on which Oracle Identity Manager is installed. If you install the LDAP Gateway on a different computer, then specify the host name or IP address of that computer. However, it is recommended that you install the LDAP Gateway on the same computer on which you are installing Oracle Identity Manager.

    Parameter: idfServerPort
    Description: Port number for connecting to the LDAP Gateway. This must be the same as the port value of the listener bean in the beans.xml file of the LDAP Gateway.
    Sample value: 5389


  9. Click Next. The Provide IT Resource Instance Data page for a new instance of the OIMLDAPGatewayResourceType IT resource type is displayed.

  10. Click Skip to indicate that you do not want to define another IT resource. The Confirmation page is displayed.

  11. Click View Selections.

    The contents of the XML file are displayed on the Import page. You may see a cross-shaped icon along with some nodes. These nodes represent Oracle Identity Manager entities that are redundant. Before you import the connector XML file, you must remove these entities by right-clicking each node and then selecting Remove.

  12. Click Import. The connector file is imported into Oracle Identity Manager.

2.5 Compiling Adapters

Adapters are used to implement provisioning functions. The following adapters are imported into Oracle Identity Manager when you import the connector XML file:

You must compile these adapters before they can be used in provisioning operations. To compile adapters by using the Adapter Manager form:

  1. Open the Adapter Manager form.

  2. To compile all the adapters that you have imported into the current database, click Compile All.

    If you have created your own adapters or if a new adapter is shipped with a patch that you installed, then you might need to compile one adapter at a time. To compile multiple (but not all) adapters, select the adapters you want to compile. Then, click Compile Selected.

  3. Click Start. Oracle Identity Manager compiles the adapters that you specify.

  4. If Oracle Identity Manager is installed in a clustered environment, then copy the compiled adapters from the OIM_HOME/adapters/ directory to the same directory on each of the other nodes of the cluster. If required, overwrite the adapter files on the other nodes.

2.6 Configuring the Message Transport Layer

The connector uses JTOpen as the message transport layer to access OS/400 data and resources from the Oracle Identity Manager host computer. More specifically, it is used by the LDAP Gateway to communicate with the Reconciliation Agent that is installed on the IBM OS/400 system.

See Also:

"Connector Architecture" for more information about JTOpen

To configure JTOpen as the message transport layer:

  1. Download JTOpen from the IBM Web site and unzip the jtopen_ver.zip file. JTOpen is available at the following URL:

    http://www14.software.ibm.com/webapp/download/search.jsp?go=y&rs=expastbjm3

  2. Copy the jt400.jar and util400.jar files from the JTOPEN_INSTALL_DIR/jtopen/lib/ directory to the LDAP_INSTALL_DIR/lib/ directory.

    Note:

    • The directory in which you install JTOpen is referred to as JTOPEN_INSTALL_DIR.

    • You must also configure the LDAP Gateway to use JTOpen as the message transport layer. This is covered in "Installing and Configuring the LDAP Gateway".

2.7 Installing and Configuring the LDAP Gateway

To install and configure the LDAP Gateway:

  1. Extract the contents of the ldapgateway.zip file to a directory on the computer on which Oracle Identity Manager is installed.

    Note:

    In this document, the location (and name) of the ldapgateway directory is referred to as LDAP_INSTALL_DIR.
  2. Open the LDAP_INSTALL_DIR/conf/as400.properties file and specify the values for the parameters of the JTOpen message transport layer, as described in Table 2-4.

    Table 2-4 Configuring the LDAP Gateway

    Parameter: _host_
    Sample value: 127.0.0.1
    Description: Target system IP address for the Provisioning Agent host computer

    Parameter: _adminId_
    Sample value: test
    Description: Target system administrator ID

    Parameter: _adminPwd_
    Sample value: test
    Description: Target system administrator password

    Parameter: _agentHost_
    Sample value: 127.0.0.1
    Description: Target system IP address for the Reconciliation Agent host computer

    Parameter: _agentAdminId_
    Sample value: test
    Description: Target system Reconciliation Agent administrator ID

    Parameter: _agentAdminPwd_
    Sample value: test
    Description: Target system Reconciliation Agent administrator password

    Parameter: _agentLib_
    Sample value: LSVALGAARD
    Description: Target system library in which the Reconciliation Agent files are located

    Parameter: _agentFile_
    Sample value: QCSRC
    Description: Reconciliation Agent file on the target system

    Parameter: _agentMember_
    Sample value: EUSRPWD
    Description: Reconciliation Agent user with privileges to retrieve reconciliation event information

    Parameter: _agentPort_
    Sample value: 5490
    Description: Target system port allocated to the Reconciliation Agent

    Parameter: _defaultDelete_
    Sample value: delete
    Description: Whether to delete users or revoke their access rights during Delete User provisioning operations

    Set delete as the value of this property if you want the user to be deleted from the target system as the outcome of a Delete User provisioning operation.

    Set revoke as the value of this property if you want the user to be disabled on the target system as the outcome of a Delete User provisioning operation.

    Note:

    The sample values test and 127.0.0.1 are placeholders; replace them with the real target system credentials and addresses. Because this file stores the target system administrator passwords in clear text, restrict read access to it to the account under which the LDAP Gateway runs.


  3. In a text editor, open the following scripts:

    • Open the run.sh or run.bat file from the LDAP_INSTALL_DIR/bin/ directory.

    • Open the run_initial_recon_provisioning script file from the OIM_HOME/JavaTasks/ directory.

  4. In the run script:

    • Set the JAVA_HOME property to the JDK installation directory, for example:

      JAVA_HOME=DIRECTORY_LOCATION\j2sdk1.4.2_13
      

      Replace DIRECTORY_LOCATION with the full path of the directory. In run.sh, use forward slashes in the path.

    • If you plan to run multiple LDAP Gateways on a Linux or Solaris environment and there are not enough socket file descriptors to open all the ports needed for the server, then add the following JVM option to the java command line in the script:

      -Djava.nio.channels.spi.SelectorProvider=sun.nio.ch.PollSelectorProvider
      
  5. In the run and run_initial_recon_provisioning scripts, uncomment the line related to the application server directory. In addition, change the path to reflect the actual location of the application server directory.

    Note:

    The contents of the run and run_initial_recon_provisioning scripts are similar. You must make the same change in both the scripts.

    The lines starting with a number sign (#) are comments, as shown:

    ##### SET JBOSS HOME ##################
    #APPSERVER_HOME=/opt/ldapgateway/lib/jboss-4.0.2
    

    To uncomment the line, remove the number sign. For example, to ensure that the connector works with JBoss Application Server, change the line to the following:

    ##### SET JBOSS HOME ##################
    APPSERVER_HOME=/opt/ldapgateway/lib/jboss-4.0.2
    
  6. If you are using IBM WebSphere Application Server 6.1, then add the com.ibm.ws.wccm_6.1.0.jar file to the CLASSPATH variable in the run and run_initial_recon_provisioning scripts as shown in the following example:

    rem
    rem SET WEBSPHERE APPLICATION SERVER REQUIRED LIBRARIES
    rem
    set CLASSPATH=%CLASSPATH%;"%APPSERVER_HOME%"\lib\com.ibm.ws.wccm_6.1.0.jar
    
  7. Open the LDAP_INSTALL_DIR/etc/as400Connection.properties file and edit the following property:

    _itResource_=NAME_OF_THE_NEW_IT_RESOURCE
    

    Replace NAME_OF_THE_NEW_IT_RESOURCE with the name of the IT resource that you create by performing Step 8 of the procedure described in "Importing the Connector XML File".

    Note:

    You must also make this change in the initialAs400Adv.properties file, which is in the OIM_HOME/JavaTasks directory.

  8. From the LDAP_INSTALL_DIR/dist/idfserver.jar file, extract the beans.xml file, open it in an editor, and set values for the following:

    • LDAP Gateway administrator credentials

      Change the administrator credentials stored in the following lines of the beans.xml file (the value attributes are what you change):

      <property name="adminUserDN" value="cn=idfAs400Admin,dc=as400,dc=com"/>
      <property name="adminUserPassword" value="password"/>
      

      Note:

      The values that you enter in the beans.xml file must be the same as the values that you specify for the idfPrincipalDn and idfPrincipalPwd IT resource parameters and for the properties in the as400Connection.properties and initialAs400Adv.properties files. Do not leave the sample value password in place.
      
    • Port on which the LDAP Gateway listens for connections from Oracle Identity Manager

      The default value of the port property is 5389. If you want to change this value, then edit the value of the port property defined in the beans.xml file, and set the same value for the idfServerPort parameter of the IT resource:

      <property name="port" value="5389"/>
      
    • Configuration for provisioning and initial reconciliation

      If you want the connector to perform provisioning and initial reconciliation but not real-time reconciliation, then change the value from true to false in the following property:

      <property name="agent" value="true"/>
      

      Do not change the value of the agent property if you want the connector to perform real-time reconciliation.

  9. Save the changes made to the beans.xml file, and then re-create the idfserver.jar file (for example, by using the JDK jar utility to update the beans.xml entry in the existing JAR) so that the LDAP Gateway loads the edited copy.

2.8 Configuring the Connector for Multiple Installations of the Target System

You can configure the connector for multiple installations of the target system. You can also configure the connector for a scenario in which multiple logical partitions (LPARs), which are not associated with the first LPAR, are configured in the target system.

For each installation of the target system, you create an IT resource and configure an additional instance of the LDAP Gateway.

To configure the connector for the second installation of the target system:

Note:

Perform the same procedure for each additional installation of the target system.

  1. Create an IT resource based on the OIMLDAPGatewayResourceType IT resource type.

    See Also:

    • Oracle Identity Manager Design Console Guide for information about creating IT resources

    • Step 8 of "Importing the Connector XML File" for information about the parameters of the IT resource

  2. Copy the current LDAP_INSTALL_DIR directory, including all the subdirectories, to a new location.

    Note:

    In the remaining steps of this procedure, LDAP_INSTALL_DIR refers to the newly copied directory.

  3. Extract the contents of the LDAP_INSTALL_DIR/dist/idfserver.jar file.

  4. In the beans.xml file, change the value of the port in the <property name="port" value="xxxx"/> line to specify a port that is different from the port used for the first instance of the LDAP Gateway. The default port number is shown in the following example:

    <bean id="listener" class="com.identityforge.idfserver.nio.Listener">
    <constructor-arg><ref bean="bus"/></constructor-arg>
    <property name="admin"><value>false</value></property>
    <property name="config"><value>../conf/listener.xml</value></property>
    <property name="port" value="5389"/>
    </bean>
    

    If you change the port number, then you must make the same change in the value of the idfServerPort parameter of the IT resource that you create.

  5. Save and close the beans.xml file.

  6. Open the LDAP_INSTALL_DIR/conf/as400.properties file and edit the following properties:

    • _host_=IP_ADDRESS_OR_HOST_NAME_OF_THE_MAINFRAME

    • _port_=PORT_OF_THE_SECOND_INSTANCE_OF_THE_PROVISIONING_AGENT

    • _agentPort_=PORT_OF_THE_SECOND_INSTANCE_OF_THE_RECONCILIATION_AGENT

      Note:

      If the second installation is a second LPAR, which is not associated with the first LPAR, configured in the same target system, then the value of the _agentPort_ property must not be the same as that of the first instance. It can be the same as that of the first instance if you have two separate servers with IBM OS/400 running on each server.

  7. Open the LDAP_INSTALL_DIR/etc/as400Connection.properties file and edit the following property:

    _itResource_=NAME_OF_THE_NEW_IT_RESOURCE
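To catch the mismatches that the LDAP Gateway and multiple-installation procedures above warn about before you start the gateway, the following added example (not part of this guide or of the connector) reads beans.xml out of idfserver.jar, parses the two properties files and compares them with the IT resource parameters, and checks that no two gateway instances share a listener port. All inputs are constructed in memory: the IT resource names, the passwords and the bean that carries adminUserDN and adminUserPassword (bean id gatewayConfig, class PLACEHOLDER) are assumptions, since the guide shows only the listener bean in full. Against a real deployment you would read idfserver.jar, as400Connection.properties and initialAs400Adv.properties from disk instead of the sample builders.

```python
"""Consistency check for the LDAP Gateway and connector configuration.

Added example, not code from the Oracle documentation or the connector. It
encodes the "values must match" rules of the deployment steps: beans.xml port
== IT resource idfServerPort, adminUserDN/adminUserPassword == idfPrincipalDn/
idfPrincipalPwd, _itResource_ in both properties files == the IT resource name,
and one listener port per LDAP Gateway instance.
"""
import io
import zipfile
import xml.etree.ElementTree as ET


def read_beans_xml(jar_bytes: bytes) -> str:
    """A jar is a zip file, so beans.xml can be read straight out of it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return jar.read("beans.xml").decode("utf-8")


def bean_properties(beans_xml: str) -> dict:
    """Flatten every <property> to {name: value}. beans.xml uses both the
    value="..." attribute and a nested <value> element, so handle both."""
    props = {}
    for prop in ET.fromstring(beans_xml).iter("property"):
        value = prop.get("value")
        if value is None:
            child = prop.find("value")
            value = (child.text or "").strip() if child is not None else None
        props[prop.get("name")] = value
    return props


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


SAMPLE_SECRETS = {"test", "password"}  # placeholder values shown in the guide


def check_instance(it_name, it_params, jar_bytes, conn_text, initial_text):
    """Return the mismatches for one IT resource / LDAP Gateway pair ([] if clean)."""
    beans = bean_properties(read_beans_xml(jar_bytes))
    conn = parse_properties(conn_text)
    initial = parse_properties(initial_text)
    problems = []
    pairs = [("port", "idfServerPort"),
             ("adminUserDN", "idfPrincipalDn"),
             ("adminUserPassword", "idfPrincipalPwd")]
    for bean_key, it_key in pairs:
        if beans.get(bean_key) != it_params.get(it_key):
            problems.append(f"beans.xml {bean_key}={beans.get(bean_key)!r} "
                            f"but IT resource {it_key}={it_params.get(it_key)!r}")
    for fname, props in (("as400Connection.properties", conn),
                         ("initialAs400Adv.properties", initial)):
        if props.get("_itResource_") != it_name:
            problems.append(f"{fname} _itResource_={props.get('_itResource_')!r} "
                            f"but IT resource is named {it_name!r}")
    if beans.get("adminUserPassword") in SAMPLE_SECRETS:
        problems.append("beans.xml adminUserPassword still has a sample value")
    return problems


def check_distinct_ports(jars):
    """Several gateway instances on one host must not share a listener port."""
    ports = [bean_properties(read_beans_xml(j)).get("port") for j in jars]
    return [f"port {p} is used by more than one LDAP Gateway instance"
            for p in sorted({p for p in ports if ports.count(p) > 1})]


# ---- constructed sample inputs (bean id/class for the admin properties is a placeholder)
BEANS_XML = """<beans>
  <bean id="gatewayConfig" class="PLACEHOLDER">
    <property name="adminUserDN" value="{dn}"/>
    <property name="adminUserPassword" value="{pwd}"/>
    <property name="agent" value="true"/>
  </bean>
  <bean id="listener" class="com.identityforge.idfserver.nio.Listener">
    <constructor-arg><ref bean="bus"/></constructor-arg>
    <property name="admin"><value>false</value></property>
    <property name="config"><value>../conf/listener.xml</value></property>
    <property name="port" value="{port}"/>
  </bean>
</beans>
"""


def build_sample_jar(dn, pwd, port) -> bytes:
    """In-memory stand-in for LDAP_INSTALL_DIR/dist/idfserver.jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("beans.xml", BEANS_XML.format(dn=dn, pwd=pwd, port=port))
    return buf.getvalue()


def demo():
    """Gateway 1 is consistent; gateway 2 was copied but not fully edited."""
    it1 = {"idfServerPort": "5389",
           "idfPrincipalDn": "cn=idfAs400Admin,dc=as400,dc=com",
           "idfPrincipalPwd": "S3cr3t!"}
    jar1 = build_sample_jar(it1["idfPrincipalDn"], it1["idfPrincipalPwd"], "5389")
    ok = check_instance("AS400 Gateway 1", it1, jar1,
                        "_itResource_=AS400 Gateway 1\n",
                        "_itResource_=AS400 Gateway 1\n")
    it2 = dict(it1, idfServerPort="5390")
    jar2 = build_sample_jar(it1["idfPrincipalDn"], "password", "5389")  # port left at default
    bad = check_instance("AS400 Gateway 2", it2, jar2,
                         "_itResource_=AS400 Gateway 1\n",  # still names the first resource
                         "# copied, not edited\n")
    return ok, bad, check_distinct_ports([jar1, jar2])


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second instance in demo() reproduces the usual copy-and-forget mistakes: the listener port in beans.xml was not changed, so it collides with the first gateway and disagrees with the new IT resource, the sample password is still in place, and neither properties file names the new IT resource.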