| Oracle® Identity Manager Connector Guide for Database Application Tables Release 9.1.0 Part Number E11194-03 |
|
|
View PDF |
| Oracle® Identity Manager Connector Guide for Database Application Tables Release 9.1.0 Part Number E11194-03 |
|
|
View PDF |
The following sections of this chapter describe the procedures that you must perform before you create the connector:
This section describes the following procedures:
When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
ALL
This level enables logging for all events.
DEBUG
This level enables logging of information about fine-grained events that are useful for debugging.
INFO
This level enables logging of messages that highlight the progress of the application at a coarse-grained level.
WARN
This level enables logging of information about potentially harmful situations.
ERROR
This level enables logging of information about error events that may allow the application to continue running.
FATAL
This level enables logging of information about very severe error events that could cause the application to stop functioning.
OFF
This level disables logging for all events.
The file in which you set the log level and the log file path depend on the application server that you use:
BEA WebLogic Server
To enable logging:
Add the following line in the OIM_HOME/xellerate/config/log.properties file:
log4j.logger.OIMCP.DATC=LOG_LEVEL
In this line, replace LOG_LEVEL with the log level that you want to set.
For example:
log4j.logger.OIMCP.DATC=INFO
After you enable logging, log information is written to the following file:
WEBLOGIC_HOME/user_projects/domains/DOMAIN_NAME/SERVER_NAME/SERVER_NAME.log
IBM WebSphere Application Server
To enable logging:
Add the following line in the OIM_HOME/xellerate/config/log.properties file:
log4j.logger.OIMCP.DATC=LOG_LEVEL
In this line, replace LOG_LEVEL with the log level that you want to set.
For example:
log4j.logger.OIMCP.DATC=INFO
After you enable logging, log information is written to the following file:
WEBSPHERE_HOME/AppServer/logs/SERVER_NAME/startServer.log
JBoss Application Server
To enable logging:
In the JBOSS_HOME/server/default/conf/log4j.xml file, locate or add the following lines:
<category name="OIMCP.DATC">
<priority value="LOG_LEVEL"/>
</category>
In the second XML line, replace LOG_LEVEL with the log level that you want to set. For example:
<category name="OIMCP.DATC"> <priority value="INFO"/> </category>
After you enable logging, log information is written to the following file:
JBOSS_HOME/server/default/log/server.log
Oracle Application Server
To enable logging:
Add the following line in the OIM_HOME/xellerate/config/log.properties file:
log4j.logger.OIMCP.DATC=LOG_LEVEL
In this line, replace LOG_LEVEL with the log level that you want to set.
For example:
log4j.logger.OIMCP.DATC=INFO
After you enable logging, log information is written to the following file:
ORACLE_HOME/opmn/logs/default_group~home~default_group~1.log
Note:
This is an optional procedure. Perform this procedure only if you want to add fields to the standard set of OIM User fields.While creating the connector, when you perform the procedure described in "Step 3: Modify Connector Configuration Page", you create mappings between the OIM User fields and the corresponding target system fields (columns). If there are additional target system fields that you want to use during reconciliation or provisioning, then you can extend the set of OIM User fields by creating user-defined fields (UDFs). See Oracle Identity Manager Design Console Guide for information about creating UDFs.
The following are the standard OIM User fields:
User ID
First Name
Last Name
Organization Name
Employee Type
Role
Password
Middle Name
Status
Provisioned Date
Creation Date
Manager ID
End Date
Start Date
Note:
This is an optional procedure. Perform this procedure only if you want to use lookup definitions as the input source for some of the fields on the process form during provisioning operations.If you are configuring the connector for provisioning, then you may want to create lookup fields on the process form. For example, during provisioning operations, you may want to select the Country Code value from a lookup field. While creating the connector, you can set up this field as a lookup field by specifying an input source (other than the target system) for the field.
You can use a lookup definition as the input source. For example, you can create a lookup definition containing country codes and then set up the lookup definition as the input source for the Country field. If you want to use a lookup definition as the input source, then you must first create it.
See Also:
The "Lookup Definition Form" section in Oracle Identity Manager Design Console Guide for information about creating lookup definitionsAlternatively, you can create a lookup field that uses columns from Oracle Identity Manager database tables as its input source. For example, if country code values are stored in any Oracle Identity Manager database table, then you can use the columns of that table as the input source for the Country Code lookup field.
While performing the procedure described in "Step 3: Modify Connector Configuration Page", you specify the custom lookup definition as the input source.
Note:
If the target system version is the same as the version of the database that Oracle Identity Manager is using, then you need not perform the procedure described in this section. This is because the JDBC drivers have already been copied into the specified application server directories on Oracle Identity Manager.Depending on the target system that you use, download one of the following sets of JDBC drivers from the vendor's Web site:
For all platforms: db2jcc.jar
For Microsoft Windows and UNIX platforms: db2jcc_license_cu.jar
For IBM z/OS platforms: db2jcc_license_cisuz.jar
sqljdbc.jar version 1.2
Oracle Database 10g release 2 (10.2.0.1), (10.2.0.2), or (10.2.0.3) drivers
Oracle Database 11g release 1 (11.1.0.6) drivers
Depending on the application server that you use, copy the JDBC drivers into one of the following directories:
Note:
In a clustered environment, copy the JDBC drivers into this directory on each node of the cluster.For BEA WebLogic Server:
WEBLOGIC_HOME/java/jre/lib/ext
For JBoss Application Server:
JAVA_HOME/jre/lib/ext
For IBM WebSphere Application Server:
WEBSPHERE_HOME/java/jre/lib/ext
For Oracle Application Server:
ORACLE_HOME/jdk/jre/lib/ext
This section discusses the following topics:
For a target system that you configure as a target resource, Oracle Identity Manager expects the following account status values during reconciliation:
Enabled
Disabled
If you are configuring the target system as a target resource and if the target system uses the same status values, then you need not perform the procedure to configure account status reconciliation.
Similarly, for a target system that you configure as a trusted source, Oracle Identity Manager expects the following account status values during reconciliation:
Active
Disabled
If you are configuring the target system as a trusted source and if the target system uses the same status values, then you need not perform the procedure to configure account status reconciliation.
However, if the target system does not use status values that are compatible with Oracle Identity Manager, then you must configure account status reconciliation as follows:
Note:
For detailed instructions to perform these steps, see "Configuring Account Status Reconciliation" in the "Predefined Generic Technology Connector Providers Shipped with Oracle Identity Manager" chapter of Oracle Identity Manager Administrative and User Console Guide. The latest version of this guide is available on Oracle Technology Network.Create a lookup definition that maps the status values used in the target system with the status values used in Oracle Identity Manager.
While creating the connector, use the Translation Transformation Provider to create a transformation mapping between the fields that hold account status values in the Source and Reconciliation Staging data sets. The Translation Transformation Provider converts the target system status values into values that are compatible with Oracle Identity Manager.
Create a mapping between the field that holds account status values in the Reconciliation Staging data set and one of the following fields:
For a target system that you configure as a target resource, Oracle Identity Manager sends the following account status values during provisioning:
enable
disable
If the target system does not use the same values, then you must perform the following steps:
Create a lookup definition that maps the status values used in Oracle Identity Manager with the status values used in the target system.
See Also:
Oracle Identity Manager Design Console Guide for information about creating lookup definitionsThe following table shows the Code Key and Decode values for the lookup definition that you must create:
| Code Key | Decode |
|---|---|
| enable | Status value used in the target system for an account that is in the Enabled state |
| disable | Status value used in the target system for an account that is in the Disabled state |
While performing the procedure described in "Step 2: Specify Parameter Values Page":
While performing the procedure described in "Step 3: Modify Connector Configuration Page", remove the status field from the Provisioning Staging data sets and from the OIM - Account data set.
Note:
In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.The files that contain the definitions of the predefined providers are placed in the Database Application Tables directory on the installation media. You must run the Connector Installer to copy these files to specified directories on the Oracle Identity Manager computer.
To copy the provider files to Oracle Identity Manager:
Copy the Database Application Tables directory from the installation media into the following directory:
OIM_HOME/xellerate/ConnectorDefaultDirectory
Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of Oracle Identity Manager Administrative and User Console Guide. The latest version of this guide is available on Oracle Technology Network.
Click Deployment Management, and then click Install Connector.
From the Connector List list, select the connector that you want to install. This list displays the names and release numbers of connectors whose installation files you copy into the ConnectorDefaultDirectory directory.
If you have copied the Database Application Tables directory into a different directory, then:
In the Alternative Directory field, enter the full path and name of that directory.
To repopulate the list of connectors in the Connector List list, click Refresh.
From the Connector List list, select the connector that you want to install.
Click Load.
To start the installation process, click Continue.
You can ignore the messages that are displayed after the process is completed.
Click Finish.
Restart Oracle Identity Manager.
Table 2-1 lists the provider files and their destination directories on Oracle Identity Manager.
Table 2-1 Provider Files for the Connector
| File in the Installation Media Directory | Description | Destination Directory |
|---|---|---|
|
lib/DatabaseApplicationTables.jar |
This file contains the code implementation of all the providers. |
OIM_HOME/xellerate/JavaTasks |
|
Files in the ProviderDefinitions directory
|
Each XML file in this directory contains the definition of one of the predefined providers. |
OIM_HOME/xellerate/GTC/ProviderDefinitions |
|
Files in the resources directory |
Each of these resource bundles contains language-specific information that is used by the connector. Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console. |
OIM_HOME/xellerate/connectorResources |
Configuring the target system involves performing the following optional procedures:
Note:
This is an optional procedure. Perform this procedure only if the target system is composed of read-only views.Provisioning involves updating data stored in the target system. If the target system is composed of read-only views, then you must create INSTEAD OF triggers to enable modification of the read-only views during provisioning operations. For information about creating INSTEAD OF triggers, refer to the documentation for the target system database.
Note:
This is an optional procedure. Perform this procedure only if you are creating a connector for target resource reconciliation.When you start creating the connector by using the Administrative and User Console, the ID field is added by default to the OIM - Account data set. Database Application Tables connectors do not need to use this field. If the target system were to contain a column named ID, then that column would overwrite the default ID field and the connector would not be created correctly. As a workaround, you can create a view based on the table and provide a different name for the column named ID.
During a provisioning operation, the connector runs Java stored procedures to perform the required action on the target system. If your IBM DB2/UDB installation is running on IBM z/OS, then you must configure the WLM to enable the running of these stored procedures. See IBM z/OS documentation for detailed information about configuring the WLM.
Note:
It is recommended that you perform the procedure described in this section to secure communication between the target system and Oracle Identity Manager.The procedure to secure communication depends on the database that you are using:
Configuring Secure Communication Between IBM DB2/UDB and Oracle Identity Manager
Configuring Secure Communication Between Microsoft SQL Server and Oracle Identity Manager
Configuring Secure Communication Between Oracle Database and Oracle Identity Manager
Note:
IBM DB2/UDB version 9.1 Fix Pack 2 and later support secure communication over SSL.SSL communication is not supported if IBM DB2/UDB is running on IBM z/OS. This has been mentioned in the "Known Issues" chapter.
To configure secure communication between IBM DB2/UDB and Oracle Identity Manager:
Refer to IBM DB2/UDB documentation for information about enabling SSL communication between IBM DB2/UDB and a client system. In this context, the client is Oracle Identity Manager.
Export the certificate on the IBM DB2/UDB host computer.
Copy the certificate to the Oracle Identity Manager host computer.
Import the certificate into the JVM truststore of the application server on which Oracle Identity Manager is running.
To import the certificate into the truststore, run the following command:
..\..\bin\keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
In this command:
Replace FILE_LOCATION with the full path and name of the certificate file.
Replace ALIAS with an alias for the certificate.
Replace TRUSTSTORE_PASSWORD with a password for the truststore.
Replace TRUSTSTORE_LOCATION with one of the truststore paths from Table 2-3. This table shows the location of the truststore for each of the supported application servers.
Note:
For a clustered configuration, you must import the file into the truststore on each node of the cluster.Table 2-2 Truststore Locations on Supported Application Servers
| Application Server | Truststore Location |
|---|---|
|
BEA WebLogic Server |
BEA_HOME/java/jre/lib/security/cacerts |
|
IBM WebSphere Application Server |
WEBSPHERE_HOME/java/jre/lib/security/cacerts |
|
JBoss Application Server |
JAVA_HOME/jre/lib/security/cacerts |
|
Oracle Application Server |
ORACLE_HOME/jdk/jre/lib/security/cacerts |
To configure secure communication between Microsoft SQL Server and Oracle Identity Manager:
Refer to Microsoft SQL Server documentation for information about enabling SSL communication between Microsoft SQL Server and a client system. In this context, the client is Oracle Identity Manager.
Export the certificate on the Microsoft SQL Server host computer.
Copy the certificate to the Oracle Identity Manager host computer.
Import the certificate into the JVM truststore of the application server on which Oracle Identity Manager is running.
To import the certificate into the truststore, run the following command:
..\..\bin\keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
In this command:
Replace FILE_LOCATION with the full path and name of the certificate file.
Replace ALIAS with an alias for the certificate.
Replace TRUSTSTORE_PASSWORD with a password for the truststore.
Replace TRUSTSTORE_LOCATION with one of the truststore paths from Table 2-3. This table shows the location of the truststore for each of the supported application servers.
Note:
For a clustered configuration, you must import the file into the truststore on each node of the cluster.Table 2-3 Truststore Locations on Supported Application Servers
| Application Server | Truststore Location |
|---|---|
|
BEA WebLogic Server |
BEA_HOME/java/jre/lib/security/cacerts |
|
IBM WebSphere Application Server |
WEBSPHERE_HOME/java/jre/lib/security/cacerts |
|
JBoss Application Server |
JAVA_HOME/jre/lib/security/cacerts |
|
Oracle Application Server |
ORACLE_HOME/jdk/jre/lib/security/cacerts |
To secure communication between Oracle Database and Oracle Identity Manager, you can perform either one or both of the following procedures:
Refer to Oracle Database Advanced Security Administrator's Guide for information about configuring data encryption and integrity.
Note:
Database Application Tables connectors do not support SSL communication between an Oracle Database target system and Oracle Identity Manager running on IBM WebSphere Application Server or Oracle Application Server. This is also mentioned in the "Known Issues" chapter (see Bug 6696248).To enable SSL communication between Oracle Database and Oracle Identity Manager:
Refer to Oracle Database Advanced Security Administrator's Guide for information about enabling SSL communication between Oracle Database and Oracle Identity Manager.
Export the certificate on the Oracle Database host computer.
Copy the certificate to Oracle Identity Manager.
Import the certificate into the JVM truststore of the application server on which Oracle Identity Manager is running.
To import the certificate into the truststore, run the following command:
..\..\bin\keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
In this command:
Replace FILE_LOCATION with the full path and name of the certificate file.
Replace ALIAS with an alias for the certificate.
Replace TRUSTSTORE_PASSWORD with a password for the truststore.
Replace TRUSTSTORE_LOCATION with one of the truststore paths from Table 2-4. This table shows the location of the truststore for each of the supported application servers.
Note:
For a clustered configuration, you must import the file into the truststore on each node of the cluster.
|
 Copyright © 2009, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|