Oracle® Identity Manager Connector Guide for Microsoft Exchange Release 9.1.1 Part Number E11198-06 |
|
|
View PDF |
The procedure to deploy the connector can be divided into the following stages:
Note:
Some of the procedures described in this chapter are meant to be performed on the target system. The minimum permissions required to perform the target system procedure are those assigned to members of the Domain Admins group. To perform the target system-specific procedures, you can use the same user account that you create for deploying the Microsoft Active Directory User Management connector.See the "Deploying the Connector" chapter of Oracle Identity Manager Connector Guide for Microsoft Active Directory User Management for information about creating that user account.
Preinstallation information is divided across the following sections:
This section contains the following topics:
The contents of the connector installation media directory are described in Table 2-1.
Table 2-1 Files and Directories On the Connector Installation Media
You might have a deployment of an earlier release of the connector. While deploying the current release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:
In a temporary directory, extract the contents of the following JAR file:
OIM_HOME/xellerate/JavaTasks/xliExchange.jar
Open the Manifest.mf file in a text editor. The Manifest.mf file is one of the files bundled inside the xliExchange.jar file and the xliExchangeRecon.jar file.
In the Manifest.mf file, the release number of the connector is displayed as the value of the Version property.
Preinstallation on the target system involves creating a target system user account with appropriate permissions for connector operations. Oracle Identity Manager requires this account to connect to the target system during reconciliation and provisioning operations.
You can use a Microsoft Windows 2003 Server (Domain Controller) administrator account as a target system user account. Alternatively, you can create a user account and assign the minimum required rights to that user account, if Microsoft Active Directory and Microsoft Exchange are not installed on the same system.
The procedure to create a target system user account is provided in the following section.
To create the Microsoft Exchange user account for connector operations:
Note:
You need not perform this procedure if Microsoft Active Directory and Microsoft Exchange are installed on the same system.Create a group, for example OIMEXCConGroup, on Microsoft Active Directory.
Make this group a member of the Account Operators group.
Assign all read permissions for the OIMEXCConGroup group.
Note:
You assign read permissions on the Security tab of the dialog box for creating the user account. This tab is displayed only in Advanced Features view. To switch to this view, select Advanced Features from the View menu in the Microsoft Active Directory console.Assign the OIMEXCConGroup group to be a member of the Exchange View-Only Administrators group. Users in this group have permission to read all Exchange configuration.
Create a user, for example OIMEXCConUser on the target system.
Assign this user to the OIMEXCConGroup group. Using OIMEXCConUser, you can perform provisioning and reconciliation. You can also enable, disable, and delete a mailbox on Microsoft Exchange.
Installation information is divided across the following sections:
Installation on Oracle Identity Manager involves the following procedures:
Note:
In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.Ensure that the Microsoft Active Directory User Management connector is installed before you proceed to install the connector.
To run the Connector Installer:
Copy the contents of the connector installation media directory into the following directory:
OIM_HOME/xellerate/ConnectorDefaultDirectory
Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of Oracle Identity Manager Administrative and User Console Guide.
Click Deployment Management, and then click Install Connector.
From the Connector List list, select Exchange 9.1.1. This list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory:
OIM_HOME/xellerate/ConnectorDefaultDirectory
If you have copied the installation files into a different directory, then:
In the Alternative Directory field, enter the full path and name of that directory.
To repopulate the list of connectors in the Connector List list, click Refresh.
From the Connector List list, select Exchange 9.1.1.
Click Load.
To start the installation process, click Continue.
The following tasks are performed, in sequence:
Configuration of connector libraries
Import of the connector XML files (by using the Deployment Manager)
Compilation of adapters
On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:
Retry the installation by clicking Retry.
Cancel the installation and begin again from Step 0.
If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:
Ensuring that the prerequisites for using the connector are addressed
Note:
At this stage, run the PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See "Clearing Content Related to Connector Resource Bundles from the Server Cache" for information about running the PurgeCache utility.There are no prerequisites for some predefined connectors.
Configuring the IT resource for the connector
Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is described later in this guide.
Configuring the scheduled tasks
Record the names of the scheduled tasks displayed on this page. The procedure to configure these scheduled tasks is described later in this guide.
When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-2.
Table 2-2 Files Copied During Connector Installation
File in the Installation Media Directory | Destination Directory |
---|---|
lib/xliExchange.jar |
OIM_HOME/xellerate/JavaTasks |
lib/xliExchangeRecon.jar |
OIM_HOME/xellerate/ScheduleTask |
Files in the resources directory |
OIM_HOME/xellerate/connectorResources |
Note:
For a clustered environment, copy the files listed in Table 2-2 into their respective destination directories on each node of the cluster.The ldapbp.jar file is used by the connector to enable LDAP-based search of user records on the target system. During the installation of the Microsoft Active Directory User Management connector, this file is copied into the ThirdParty directory of Oracle Identity Manager.
See the "Running the Connector Installer" section of Oracle Identity Manager Connector Guide for Microsoft Active Directory User Management for details.
Note:
for a clustered environment, this JAR file must be copied into the ThirdParty directory on each node of the cluster.While installing the connector in a clustered environment, you must copy all the JAR files and the contents of the resources directory into their destination directories on each node of the cluster. See Table 2-2, "Files Copied During Connector Installation" for information about the files that you must copy and their destination locations on the Oracle Identity Manager host computer.
The IT resource for the target system contains connection information about the target system. Oracle Identity Manager uses this information for reconciliation and provisioning.
For reconciliation and provisioning in Microsoft Exchange 2000 and Microsoft Exchange 2003, Oracle Identity Manager uses the Microsoft Active Directory IT resource. See Oracle Identity Manager Connector Guide for Microsoft Active Directory User Management for instructions to create Microsoft Active Directory IT resources.
For reconciliation in Microsoft Exchange 2007, Oracle Identity Manager uses the Microsoft Active Directory IT resource. For provisioning in Microsoft Exchange 2007, Oracle Identity Manager uses the Microsoft Active Directory IT resource and Microsoft Exchange Server IT resource values.
To create the Microsoft Exchange Server IT resource:
Log in to the Administrative and User Console.
Expand Resource Management.
Click Create IT Resource.
On the Step 1: Provide IT Resource Information section, perform the following steps:
IT Resource Name: Enter Exchange Server IT Resource
.
IT Resource Type: Select Exchange Server from the IT Resource Type list.
Remote Manager: At this point, do not enter a value in this field.
Note:
After you install a Remote Manager for the target system, specify the name of the IT resource for the Remote Manager as the value of the Remote Manager parameter. See "Installing the Remote Manager" for information about whether or not you need to install a Remote Manager.Click Continue. Figure 2-1 shows IT resource values added in the Create IT Resource page.
Figure 2-1 Step 1: Provide IT Resource Information
On the Step 2: Specify IT Resource Parameter Values section, specify values for the parameters of the IT resource and click Continue. Figure 2-2 shows IT resource parameter values added in the Create IT Resource page.
Figure 2-2 Step 2: Specify IT Resource Parameter Values
Table 2-3 describes the parameters for this IT resource.
Table 2-3 Parameters of the IT Resource
The Step 3: Set Access Permission to IT Resource page is displayed. On this page, the SYSTEM ADMINISTRATORS group is displayed by default in the list of groups that have Read, Write, and Delete permissions on the IT resource that you are creating.
Note:
This step is optional.If you want to assign groups to the IT resource and set access permissions for the groups, then:
a. Click Assign Group.
b. For the groups that you want to assign to the IT resource, select Assign and the access permissions that you want to set. For example, if you want to assign the ALL USERS
group and set the Read and Write permissions to this group, then you must select the respective check boxes in the row, as well as the Assign check box, for this group.
c. Click Assign.
On the Step 3: Set Access Permission to IT Resource page, if you want to modify the access permissions of groups assigned to the IT resource, then:
Note:
- This step is optional.
- You cannot modify the access permissions of the SYSTEM ADMINISTRATORS
group. You can modify the access permissions of only other groups that you assign to the IT resource.
a. Click Update Permissions.
b. Depending on whether you want to set or remove specific access permissions for groups displayed on this page, select or deselect the corresponding check boxes.
c. Click Update.
On the Step 3: Set Access Permission to IT Resource page, if you want to unassign a group from the IT resource, then:
Note:
- This step is optional.
- You cannot unassign the SYSTEM ADMINISTRATORS
group. You can unassign only other groups that you assign to the IT resource.
a. Select the Unassign check box for the group that you want to unassign.
b. Click Unassign.
Click Continue.
On the Step 4: Verify IT Resource Details page, review the information that you provided on the first, second, and third pages. If you want to make changes in the data entered on any page, click Back to revisit the page and then make the required changes.
To proceed with the creation of the IT resource, click Continue. Figure 2-3 shows the IT resource details that you created in the Create IT Resource page.
Figure 2-3 Step 4: Verify IT Resource Details
The Step 5: IT Resource Connection Result page displays the results of a connectivity test that is run using the IT resource information. If the test is successful, then click Create. If the test fails, then you can perform one of the following steps:
Click Back to revisit the previous pages and then make corrections in the IT resource creation information.
Click Cancel to stop the procedure, and then begin from the first step onward.
Proceed with the creation process by clicking Continue. You can fix the problem later, and then rerun the connectivity test by using the Diagnostic Dashboard. Figure 2-4 shows the IT resource connection result in the Create IT Resource page.
Figure 2-4 Step 5: IT Resource Connection Result Page
The Step 6: IT Resource Created page displays the details of the IT resource that you created. Click Finish. Figure 2-5 shows the IT resource created in the Create IT Resource page.
Figure 2-5 IT Resource Created Page of Oracle Identity Manager
This section discusses the following topics:
Note:
The procedure to configure the Remote Manager is described in "Configuring the Remote Manager".The Remote Manager enables mailbox provisioning operations on Microsoft Exchange 2007.
Note:
If Microsoft Exchange 2007 is running on 64-bit Microsoft Windows Server, then you must install the 64-bit version of JDK 1.4.2_15 or JDK 1.5 before you install the Remote Manager.You must install the Remote Manager for Microsoft Exchange 2007 if you have not installed the Remote Manager for Microsoft Active Directory. See Oracle Identity Manager Connector Guide for Microsoft Active Directory User Management for information about this Remote Manager.
A single Remote Manager can be used with multiple Microsoft Exchange installations (on multiple host computers) that are configured for a single Microsoft Active Directory installation. The Remote Manager can be installed on any Microsoft Exchange host on which Exchange Management tools are installed.
Note:
See the "Deploying the Connector" chapter of Oracle Identity Manager Connector Guide for Microsoft Active Directory User Management for information about installing and configuring the Remote Manager for Microsoft Active Directory.
In this guide, the directory in which you install the Remote Manager is referred to as RM_HOME.
To deploy the Remote Manager:
The Remote Manager installation files are shipped along with the Oracle Identity Manager installation files. Depending on the application server that you use, perform the procedure to install the Remote Manager on the target system computer by following the instructions given in one of the following guides:
Oracle Identity Manager Installation and Configuration Guide for Oracle WebLogic Server
Oracle Identity Manager Installation and Configuration Guide for IBM WebSphere Application Server
Oracle Identity Manager Installation and Configuration Guide for JBoss Application Server
Oracle Identity Manager Installation and Configuration Guide for Oracle Application Server
Copy the following JAR files into the RM_HOME/xlremote/JavaTasks directory:
OIM_HOME/xellerate/lib/xlVO.jar
OIM_HOME/xellerate/lib/xlScheduler.jar
OIM_HOME/xellerate/lib/xlAPI.jar
OIM_HOME/xellerate/JavaTasks/xliActiveDirectory.jar
OIM_HOME/xellerate/ScheduleTask/xliADRecon.jar
OIM_HOME/xellerate/JavaTasks/xliExchange.jar
OIM_HOME/xellerate/ScheduleTask/xliExchangeRecon.jar
Copy the CreateMailboxExchange2007.vbs file from the following directory on the installation media to the RM_HOME/scripts directory:
scripts/CreateMailboxExchange2007.vbs
Note:
Ensure that the RM_HOME directory is secured using Microsoft Windows best practices. Only the target system user account for Oracle Identity Manager must have permissions to access the RM_HOME directory.To enable logging in the Remote Manager, create a log directory and file inside the RM_HOME directory. For example:
RM_HOME/Log/Report.log
Specify the name of the Remote Manager as the value of the Remote Manager IT resource parameter. This parameter is described in "Creating the IT Resource".
See Oracle Identity Manager Administrative and User Console Guide for information about modifying the value of an IT resource parameter.
To enable client-side authentication for the Remote Manager:
Note:
If you have already enabled client-side authentication for the Remote Manager in Microsoft Active Directory, then you need not perform the procedure described in this section.Open the RM_HOME/xlremote/config/xlconfig.xml file in a text editor.
Set the ClientAuth property to true
as follows:
<ClientAuth>true</ClientAuth>
Ensure that the RMIOverSSL property is set to true as follows:
<RMIOverSSL>true</RMIOverSSL>
Perform Steps 2 through 3 in the OIM_HOME/config/xlconfig.xml file.
Postinstallation information is divided across the following sections:
Postinstallation on Oracle Identity Manager consists of the following procedures:
Note:
In a clustered environment, you must perform these procedures on each node of the cluster.While you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the OIM_HOME
/xellerate/connectorResources directory. Whenever you add a new resource bundle in the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
In a command window, go to the OIM_HOME/xellerate/bin directory.
Note:
You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:OIM_HOME/xellerate/bin/BATCH_FILE_NAME
Enter one of the following commands:
On Microsoft Windows:
PurgeCache.bat ConnectorResourceBundle
On UNIX:
PurgeCache.sh ConnectorResourceBundle
Note:
You can ignore the exception that is thrown when you perform Step 2.In this command, ConnectorResourceBundle
is the content category that you must delete from the server cache.
See Also:
The following file for information about content categories:OIM_HOME/config/xlconfig.xml
When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
ALL
This level enables logging for all events.
DEBUG
This level enables logging of information about fine-grained events that are useful for debugging.
INFO
This level enables logging of messages that highlight the progress of the application at a coarse-grained level.
WARN
This level enables logging of information about potentially harmful situations.
ERROR
This level enables logging of information about error events that may allow the application to continue running.
FATAL
This level enables logging of information about very severe error events that could cause the application to stop functioning.
OFF
This level disables logging for all events.
The file in which you set the log level and the log file path depend on the application server that you use:
Oracle WebLogic Server
To enable logging:
Add the following lines in the OIM_HOME/xellerate/config/log.properties file:
log4j.logger.XELLERATE=LOG_LEVEL log4j.logger.OIMCP.MEXC=LOG_LEVEL
In these lines, replace LOG_LEVEL
with the log level that you want to set.
For example:
log4j.logger.XELLERATE=INFO log4j.logger.OIMCP.MEXC=INFO
After you enable logging, log information is displayed on the server console.
IBM WebSphere Application Server
To enable logging:
Add the following lines in the OIM_HOME/xellerate/config/log.properties file:
log4j.logger.XELLERATE=LOG_LEVEL log4j.logger.OIMCP.MEXC=LOG_LEVEL
In these lines, replace LOG_LEVEL
with the log level that you want to set.
For example:
log4j.logger.XELLERATE=INFO log4j.logger.OIMCP.MEXC=INFO
After you enable logging, log information is written to the following file:
WEBSHERE_HOME/AppServer/logs/SERVER_NAME/SystemOut.log
JBoss Application Server
To enable logging:
In the JBOSS_HOME/server/default/conf/log4j.xml file, locate or add the following lines:
<category name="XELLERATE">
<priority value="LOG_LEVEL"/>
</category>
<category name="OIMCP.MEXC">
<priority value="LOG_LEVEL"/>
</category>
In the second XML code line of each set, replace LOG_LEVEL
with the log level that you want to set. For example:
<category name="XELLERATE"> <priority value="INFO"/> </category>
<category name="OIMCP.MEXC"> <priority value="INFO"/> </category>
After you enable logging, log information is written to the following file:
JBOSS_HOME/server/default/log/server.log
Oracle Application Server
To enable logging:
Add the following lines in the OIM_HOME/xellerate/config/log.properties file:
log4j.logger.XELLERATE=LOG_LEVEL log4j.logger.OIMCP.MEXC=LOG_LEVEL
In these lines, replace LOG_LEVEL
with the log level that you want to set.
For example:
log4j.logger.XELLERATE=INFO log4j.logger.OIMCP.MEXC=INFO
After you enable logging, log information is written to the following file:
ORACLE_HOME/opmn/logs/default_group~home~default_group~1.log
Postinstallation on the target system involves the following procedure:
Note:
Perform this procedure only if you have installed the Remote Manager for Microsoft Exchange 2007. The procedure to install the Remote Manager is described in "Installing the Remote Manager".If you have installed multiple Microsoft Exchange 2007 Remote Managers, then you must perform this procedure for each Remote Manager.
The IT resource for the Remote Manager contains connection information about the Remote Manager. The Remote Manager is used by Oracle Identity Manager to invoke the Exchange Management Shell script to create mailboxes in Microsoft Exchange 2007. When you run the Connector Installer, the IT resource for the Remote Manager is created in Oracle Identity Manager for Microsoft Exchange 2007.
For reconciliation in Microsoft Exchange 2007, Oracle Identity Manager uses the Microsoft Active Directory IT resource. For provisioning in Microsoft Exchange 2007, Oracle Identity Manager uses the Microsoft Active Directory IT resource, Exchange IT resource, and the Remote Manager IT resource values. For information about the Exchange IT resource parameters, see "Creating the IT Resource".
This section discusses the following topics:
To create the IT resource for the Remote Manager:
Log in to the Administrative and User Console.
Expand Resource Management.
Click Create IT Resource.
On the Step 1: Provide IT Resource Information page, enter the following information:
IT Resource Name: Enter Exchange Remote Manager IT Resource
.
IT Resource Type: Select Remote Manager from the IT Resource Type list.
Remote Manager: Do not enter a value in this field.
Click Continue.
On the Step 2: Specify IT Resource Parameter Values page, specify values for the parameters of the IT resource and then click Continue. Table 2-4 describes the parameters for this IT resource.
Table 2-4 Parameters of the IT Resource for the Remote Manager
Parameter | Description |
---|---|
service name |
Enter a name for the remote manager. Sample value: |
url |
Enter the IP address of the target system host computer and the port number at which the Remote Manager is listening. Sample value: |
Click Continue.
On the Step 4: Verify IT Resource Details page, review the information that you provided on the first, second, and third pages. If you want to make changes in the data entered on any page, click Back to revisit the page and then make the required changes.
To proceed with the creation of the IT resource, click Continue.
The Step 5: IT Resource Connection Result page displays the results of a connectivity test that is run using the IT resource information. If the test is successful, then click Create. If the test fails, then you can perform one of the following steps:
Click Back to revisit the previous pages and then make corrections in the IT resource creation information.
Click Cancel to stop the procedure, and then begin from the first step onward.
Proceed with the creation process by clicking Continue. You can fix the problem later, and then rerun the connectivity test by using the Diagnostic Dashboard.
The Step 6: IT Resource Created page displays the details of the IT resource that you created. Click Finish.
To configure Oracle Identity Manager to trust the Remote Manager you have installed:
From the computer hosting the Remote Manager, copy the RM_HOME/xlremote/config/xlserver.cert file to a temporary directory on the Oracle Identity Manager host computer.
Note:
The server certificate in the OIM_HOME directory is also named xlserver.cert. Ensure that you do not overwrite that certificate.To import the certificate by using the keytool utility, run the following command:
JAVA_HOME/jre/bin/keytool -import -alias ALIAS -file RM_CERT_LOCATION/xlserver.cert -keystore OIM_HOME/xellerate/config/.xlkeystore -storepass PASSWORD
In the preceding command, replace:
JAVA_HOME
with the location of the Java directory for your application server.
ALIAS
with an alias for the certificate in the store.
RM_CERT_LOCATION
with the full path of the temporary directory where you copied the certificate.
PASSWORD
with the password of the keystore.
Copy the OIM_HOME/xellerate/config/xlserver.cert file to a temporary directory on the Remote Manager host computer.
To import the certificate by using the keytool utility on the Remote Manager host computer, run the following command:
JAVA_HOME/jre/bin/keytool -import -alias ALIAS -file OIM_CERT_LOCATION/xlserver.cert -keystore RM_HOME/xlremote/config/.xlkeystore -storepass PASSWORD
In the preceding command, replace:
JAVA_HOME
with the location of the Java directory for your application server.
ALIAS
with an alias for the certificate in the store.
OIM_CERT_LOCATION
with the full path of the temporary directory where you copied the certificate.
PASSWORD
with the password of the keystore.
Note:
It is recommended that you follow security best practices and change the default passwords used for the Remote Manager keystore. To change the Remote Manager keystore password, follow the instructions given in Oracle Identity Manager Installation and Configuration Guide for your application server.To ensure that the Remote Manager is running:
Use the following script to start the Remote Manager:
RM_HOME/xlremote/remotemanager.bat
Log in to the Design Console.
Expand Administration, and double-click Remote Manager.
Search for and open the Remote Manager that you have created.
Click the Refresh icon. The screen displays details of the Remote Manager that you have configured. The running check box should be selected for the Remote Manager. This implies that the status of the Remote Manager is active.