2 Deploying the Connector

The procedure to deploy the connector can be divided into the following stages:

• Preinstallation

• Installation

• Postinstallation

This chapter provides information about each stage of connector deployment.

2.1 Preinstallation

Preinstallation information is divided across the following sections:

• Preinstallation on Oracle Identity Manager

• Preinstallation on the Target System

2.1.1 Preinstallation on Oracle Identity Manager

This section contains the following topics:

• Files and Directories That Comprise the Connector

• Determining the Release Number of the Connector

2.1.1.1 Files and Directories That Comprise the Connector

The contents of the connector installation media are described in Table 2-1.

Table 2-1 Files and Directories That Comprise the Connector

File in the Installation Media Directory	Description
configuration/PeopleSoft User Management-CI.xml For the connector with the Remote Manager: configuration/PeopleSoft User ManagementRM-CI.xml	This is the connector installer content file.
ext/csv.jar	This JAR file is a library that is used to parse and read the flat file used for full reconciliation.
lib/PSFTUMReconciliation.jar	This JAR file contains the class files that are used to implement full reconciliation.
lib/PSFTUMProvisioning.jar For the connector with the Remote Manager: lib/PSFTUM_RMProvisioning.jar	This JAR file contains the class files that are required for provisioning.
lib/PSFTUM_RMProvisioning.ear	This EAR file is used for running the testing utility for provisioning on IBM WebSphere Application Server.
lib/peopleSoftUMApp.war	This Web Archive (WAR) file contains the classes and configuration files required to implement incremental reconciliation.
The following files in the peoplecode directory: CurrencyCode.txt EmailType.txt LanguageCode.txt PermissionList.txt UserRoles.txt	These files contain the PeopleCode for the steps that you define for the Application Engine program. This is explained in "Creating the Application Engine Program".
peoplecode/UserMgmtCBRecon_8.49.txt peoplecode/UserMgmtBulkRecon_8.49.txt peoplecode/DeleteUsrProfileCBRecon_8.49.txt	These files contain the code that you must add to the PeopleCode for the SavePostChange event while performing the procedure described in "Publishing the Messages".
test/cbrecon/psft-xel-test.vbs	You can use this VBScript file to test the incremental reconciliation functionality of the connector. This file creates a dummy XML message similar to the ones created by PeopleSoft Enterprise Applications when a user account is created or modified in the target system. For information about testing incremental reconciliation, see "Testing Incremental Reconciliation".
test/cbrecon/psft-del-xel-test.vbs	You can use this VBScript file to test the delete reconciliation functionality during incremental reconciliation. This file creates a dummy XML message similar to the ones created by PeopleSoft Enterprise Applications when a user is deleted from the target system. For information about testing incremental reconciliation, see "Testing Incremental Reconciliation".
The following files in the test/cbrecon directory: pingRequest.xml pingResponse.xml publishRequest.xml publishResponse.xml	These XML files are used by the psft-xel-test.vbs file to communicate with the connector by using XML over HTTP.
test/cbrecon/USR_MGMT_MSG.xml	This XML file is used by the psft-xel-test.vbs file to define the template of the XML message that is received from the target system when a user is created or modified on the target system.
test/cbrecon/USR_DEL_MSG.xml	This XML file is used by the psft-del_xel-test.vbs file to define the template of the XML message that is received from the target system when a user is deleted from the target system.
test/config/config.properties	This file is used to specify the parameters and settings required to connect, create, update, and delete users in the target system by using the testing utility for provisioning.
test/config/config_Recon.properties	This file is used to specify the parameters required to perform a reconciliation run. This file stores the scheduled task attributes and the IT resource parameters.
test/config/attribute_prov.properties Note: This file is used only for the connector without the Remote Manager.	This file stores the attribute mappings used during provisioning. This file is used by the testing utility.
test/config/attributeMap_Recon.properties	This file stores the attribute mappings used during reconciliation. This file is used by the testing utility.
test/config/attributeChildMap_Recon.properties	This file stores the attribute mappings used during reconciliation for child tables. This file is used by the testing utility.
test/config/log.properties	This file is used to specify the log level and the directory in which the log file is to be created when you run the testing utility.
test/scripts/psftUM.bat test/scripts/psftUM.sh For the connector with the Remote Manager: test/scripts/psftUM_RM.bat test/scripts/psftUM_RM.sh	The BAT file or UNIX shell script calls the testing utility for provisioning.
For the connector with the Remote Manager: test/scripts/was_psftUM_RM.bat test/scripts/was_psftUM_RM.sh	This batch file or shell script is used to run the testing utility for provisioning running on IBM WebSphere Application Server.
For the connector with the Remote Manager: test/scripts/wasBasecp.bat test/scripts/wasBasecp.sh	This batch file or shell script is used by was_psftUM_RM.bat or was_psftUM_RM.sh for setting the classpath.
test/scripts/psftUM_Recon.bat test/scripts/psftUM_Recon.sh	The BAT file or UNIX shell script calls the testing utility for reconciliation.
The files in the resources directory	Each of these resource bundles contains language-specific information that is used by the connector. During connector deployment, these resource bundles are copied into the following directory: OIM_HOME/connectorResources Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the user interface of Oracle Identity Manager. These text strings include GUI element labels and messages displayed on the Administrative and User Console.
xml/PSFTUM-ConnectorConfig.xml For the connector with the Remote Manager: xml/PSFTUM_RM-ConnectorConfig.xml	This XML file contains definitions for the following components of the connector: IT resource type Scheduled tasks IT resource Resource objects (this file contains the configurations of the resource objects for the target resource) Process definition Process tasks Adapters Process form
For the connector with the Remote Manager: config/attribute_RMprov.properties	This properties file contains the attribute mappings used during provisioning if you are using the connector with the Remote Manager.

2.1.1.2 Determining the Release Number of the Connector

You might have a deployment of an earlier release of the connector. While deploying the current release, you might want to know the release number of the earlier release. To determine the release number of a connector that has already been deployed:

1. In a temporary directory, extract the contents of the following JAR file:

   OIM_HOME/ScheduleTask/PSFTUMReconciliation.jar

2. Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the PSFTUMReconciliation.jar file.

   In the Manifest.mf file, the release number of the connector is displayed as the value of the Version property.

2.1.2 Preinstallation on the Target System

Preinstallation on the target system consists of creating a target system account with appropriate privileges for connector operations. This special account created on the target system will be able to perform all the configurations required for connector operations. This includes configuring the PeopleSoft Integration Broker for incremental reconciliation, and configuring and running the Application Engine for the flat file generation. This account will not have access to any other pages or components that are not required by the connector. For creating this account, you must log in to PeopleSoft Internet Architecture with administrator credentials. The procedure to create a target system account is provided in the following section:

2.1.2.1 Creating a Target System Account for Connector Operations

Note:

If a target system account with the required privileges exists, then you can skip this section.

Creating a target system account for connector operations involves the procedures described in the following sections:

• Creating a Permission List

• Creating Definition Security for a Group

• Creating a Role for a Limited Rights User

• Assigning Limited Rights to a User

2.1.2.1.1 Creating a Permission List

To create a permission list:

1. Open a Web browser and enter the URL for PeopleSoft Internet Architecture. The URL is in the following format:

   http://SERVER_NAME/psp/ps/DATABASE_NAME/?cmd=login
   

   For example:

   http://psftserver.example.com/psp/ps/TestDB/?cmd=login
   

2. In the PeopleSoft Internet Architecture window, click PeopleTools, Security, Permissions & Roles, and then click Permission Lists.

3. Click Add a new Value. On the Add a New Value tab, enter the permission list name, for example, OIMUM, and then click Add.

4. On the General tab, enter a description for the permission list in the Description field.

5. On the Component Interfaces tab, click the search icon for the Name field and perform the following:

   1. In the Name lookup, enter USER_PROFILE and then click Lookup. From the list, select USER_PROFILE. The application returns to the Component Interfaces tab. Click the Edit link.

   2. On the Component Interface Permissions page, click Full Access(All).

   3. Click OK and then click Save.

   4. Click on the plus sign (+) to add a row for the Name field and repeat Steps a through c for the DELETE_USER_PROFILE component interface.

6. On the Pages tab, click the search icon for Menu Name and perform the following:

   1. In the Menu Name lookup, enter APPLICATION_ENGINE and then click Lookup. From the list, select APPLICATION_ENGINE. The application returns to the Pages tab. Click the Edit Components link.

   2. On the Component Permissions page, click Edit Pages for the AE_REQUEST component name.

   3. Click Select All, and then click OK. Click OK on the Components Permissions page. The application returns to the Pages tab.

   4. Click on the plus sign (+) to add a row for Menu Name. Click the search icon for Menu Name. In the Menu Name lookup, enter IB_PROFILE and then click Lookup. From the list, select IB_PROFILE. The application returns to the Pages tab. Click the Edit Components link.

   5. On the Component Permissions page, click Edit Pages for each of the following component names:

      IB_GATEWAY

      IB_MESSAGE_BUILDER

      IB_MONITOR_QUEUES

      IB_NODE

      IB_OPERATION

      IB_QUEUEDEFN

      IB_ROUTINGDEFN

      IB_SERVICE

      IB_SERVICEDEFN

   6. Click Select All, and then click OK for each of the components. Click OK on the Components Permissions page. The application returns to the Pages tab.

   7. Click on the plus sign (+) to add another row for Menu Name.

   8. In the Menu Name lookup, enter PROCESSMONITOR and then click Lookup. From the list, select PROCESSMONITOR. The application returns to the Pages tab. Click the Edit Components link.

   9. On the Component Permissions page, click Edit Pages for the PROCESSMONITOR component name.

   10. Click Select All, and then click OK. Click OK on the Components Permissions page. The application returns to the Pages tab.

   11. Click on the plus sign (+) to add another row for Menu Name.

   12. In the Menu Name lookup, enter PROCESS_SCHEDULER and then click Lookup. From the list, select PROCESS_SCHEDULER. The application returns to the Pages tab. Click the Edit Components link.

   13. On the Component Permissions page, click Edit Pages for the PRCSDEFN component name.

   14. Click Select All, and then click OK. Click OK on the Components Permissions page. The application returns to the Pages tab.

7. On the People Tools tab, select the Application Designer Access check box and click the Definition Permissions link. The Definition Permissions page is displayed.

8. On this page, grant full access to the following object types by selecting Full Access from the Access list:

   • App Engine Program

   • Message

   • Component

   • Project

9. Click OK.

10. Click the Tools Permissions link. The Tools Permissions page is displayed. On this page, grant full access to the SQL Editor tool by selecting Full Access from the Access list.

11. Click OK. The application returns to the People Tools tab.

12. On the Process tab, click the Process Group Permissions link. The Process Group Permission page is displayed.

13. In the Process Group lookup, click the search icon. From the list, select TLSALL. The application will return to the Process Group Permission page.

14. Click on the plus sign (+) to add another row for Process Group.

15. In the Process Group lookup, click the search icon. From the list, select STALL. The application will return to the Process Group Permission page.

16. Click OK.

17. On the Web Libraries tab, click the search icon for the Web Library Name field and perform the following:

    1. In the Web Library Name lookup, enter WEBLIB_PORTAL and then click Lookup. From the list, select WEBLIB_PORTAL. The application returns to the Web Libraries tab. Click the Edit link.

    2. On the WebLib Permissions page, click Full Access(All).

    3. Click OK and then click Save.

    4. Click on the plus sign (+) to add a row for the Web Library Name field and repeat Steps a through c for the WEBLIB_PT_NAV library.

    5. Click Save to save all the settings specified for the permission list.

2.1.2.1.2 Creating Definition Security for a Group

For the USERMAINT and PURGE_USR_PROFILE components, you must create a definition security for a group. To do so:

1. Log in to the Application Designer in 2 tier mode with administrator credentials.

2. On the Go tab, select Definition Security.

3. On the PS Definition Security page, click File and then click New Group.

4. On the window that is displayed, select Components from the list.

5. From the Excluded Components list on the right side, select USERMAINT and PURGE_USR_PROFILE, and then click the left arrow button. This will add these components for your group.

6. From the File menu, click Save As and save this group as OIMUM.

7. From the File menu, click Open and then click Permission List. All the existing permission lists are displayed.

8. Select OIMUM as the permission list and click OK. Details of the permission list along with the groups are displayed on the right side in the Excluded Group ID list.

9. From the list, select the group that you created in Step 6. Click the left arrow to include this group in your permission list.

10. From the File menu, click Save.

2.1.2.1.3 Creating a Role for a Limited Rights User

To create a role for a limited rights user:

1. Open a Web browser and enter the URL for PeopleSoft Internet Architecture. The URL is in the following format:

   http://SERVER_NAME/psp/ps/DATABASE_NAME/?cmd=login
   

   For example:

   http://psftserver.example.com/psp/ps/TestDB/?cmd=login
   

2. In the PeopleSoft Internet Architecture window, click PeopleTools, Security, Permissions & Roles, and then click Roles.

3. Click Add a new Value. On the Add a New Value tab, enter the role name, for example, OIMUM, and then click Add.

4. On the General tab, enter a description for the role in the Description field.

5. On the Permission Lists tab, click the search icon and perform the following:

   1. In the Permission Lists lookup, enter OIMUM and then click Lookup. From the list, select OIMUM.

   2. Click Save.

2.1.2.1.4 Assigning Limited Rights to a User

To assign limited rights to a user:

1. Open a Web browser and enter the URL for PeopleSoft Internet Architecture. The URL is in the following format:

   http://SERVER_NAME/psp/ps/DATABASE_NAME/?cmd=login
   

   For example:

   http://psftserver.example.com/psp/ps/TestDB/?cmd=login
   

2. In the PeopleSoft Internet Architecture window, click PeopleTools, Security, User Profiles, and then click User Profiles.

3. Click Add a new Value. On the Add a New Value tab, enter the user profile name, for example, OIMUM, and then click Add.

4. On the General tab, perform the following:

   1. From the Symbolic ID list, select the value that is displayed, for example, SYSADM1.

   2. Enter valid values for the Password and Confirm Password fields.

   3. Click the search icon for the Process Profile permission list.

   4. In the Process Profile lookup, enter OIMUM and then click Lookup. From the list, select OIMUM. The application returns to the General tab.

5. On the ID tab, select none as the value of the ID type.

6. On the Roles tab, click the search icon and perform the following:

   1. In the Roles lookup, enter OIMUM and then click Lookup. From the list, select OIMUM.

   2. Click on the plus sign (+) to add another row.

   3. In the Roles lookup, enter ProcessSchedulerAdmin and then click Lookup. From the list, select ProcessSchedulerAdmin.

   4. Click Save to save this user profile. This user profile is used by Oracle Identity Manager as an admin user in the IT resource to enable the connector to perform provisioning operations. This user profile is also used as a limited rights user at the target system for performing all reconciliation-related configurations.

2.2 Installation

Installation information is divided across the following sections:

• Installation on Oracle Identity Manager

• Installation on the Target System

2.2.1 Installation on Oracle Identity Manager

Installation on Oracle Identity Manager consists of the following procedures:

• Running the Connector Installer

• Copying the Connector Files and External Code Files

• Configuring the IT Resource

• Deploying the PeopleSoft Listener

2.2.1.1 Running the Connector Installer

Note:

In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.

To run the Connector Installer, refer to the instructions given in the "Installing Predefined Connectors" chapter of Oracle Identity Manager Administrative and User Console Guide. The following instructions are specific to individual steps of the procedure described in the "Installing a Predefined Connector" section of that chapter:

• When you reach Step 3 of that procedure, apply the following instructions:

  The following is the default connector installation directory:

  OIM_HOME/ConnectorDefaultDirectory

  If you have copied the installation files into this directory, then select PeopleSoft User Management 9.1.0 from the Connector List list.

  For the connector with the Remote Manager, select PeopleSoft User Management RM 9.1.0 from the list.

  Note:

  The connector with the Remote Manager and the connector without the Remote Manager can exist together in a single deployment environment. If you want to support multiple versions of the target system, then you can deploy the connector with the Remote Manager along with the connector without the Remote Manager.

  If you have copied the installation files into a different directory, then:

  1. In the Alternative Directory field, enter the full path and name of that directory.

  2. To repopulate the list of connectors in the Connector List list, click Refresh.

  3. From the Connector List list, select the connector that you want to install.

• Perform Steps 1 through 5 of that procedure. When you reach Step 6 of that procedure, see "Configuring the IT Resource" in this guide. Instructions to Step 6 of that procedure are described in detail in this section.

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-2.

Table 2-2 Files Copied to Oracle Identity Manager

File in the Installation Media Directory	Destination Directory
ext/csv.jar	OIM_HOME/ThirdParty
lib/PSFTUMProvisioning.jar	OIM_HOME/JavaTasks
For the connector with the Remote Manager: lib/PSFTUM_RMProvisioning.jar	OIM_HOME/JavaTasks
lib/PSFTUMReconciliation.jar	OIM_HOME/ScheduleTask
Files in the resources directory	OIM_HOME/connectorResources

Note:

For a clustered environment, copy the files listed in Table 2-2 into their respective destination directories on each node of the cluster.

2.2.1.2 Copying the Connector Files and External Code Files

Table 2-3 lists all the files that you must copy manually, and the directories on the Oracle Identity Manager host computer to which you must copy them.

Note:

- The directory paths given in the first column of this table correspond to the location of the connector files on the installation media. See "Files and Directories That Comprise the Connector" for more information about these files.

- If a particular destination directory does not already exist on the Oracle Identity Manager host computer, then create it.

Table 2-3 Files to be Copied to the Oracle Identity Manager Host Computer

File in the Installation Media Directory	Destination Directory
lib/peopleSoftUMApp.war	OIM_HOME/cbrecon_webapp/lib
For the connector with the Remote Manager: lib/PSFTUM_RMProvisioning.jar	RM_HOME/JavaTasks
Files in the peoplecode directory	OIM_HOME/XLIntegrations/PSFTUM/peoplecode
Files in the test/cbrecon directory	OIM_HOME/XLIntegrations/PSFTUM/cbrecon
Files in the test/scripts directory	OIM_HOME/XLIntegrations/PSFTUM/scripts
Files in the test/config directory	OIM_HOME/XLIntegrations/PSFTUM/config
For the connector with the Remote Manager: Files in the config directory	RM_HOME/XLIntegrations/PSFTUM/config
For the connector with the Remote Manager and if your Oracle Identity Manager installation is running on IBM WebSphere Application Server: lib/PSFTUM_RMProvisioning.ear	OIM_HOME/JavaTasks

After you copy the connector files, copy the following files from the PEOPLESOFT_HOME/web/psjoa directory on the target system computer into the OIM_HOME/ThirdParty directory and into the RM_HOME/JavaTasks directory for the connector with the Remote Manager.

• psjoa.jar

  This is the PeopleSoft Java object adapter file containing the compiled Java classes required by Oracle Identity Manager to remotely connect to the target system.

• peoplesoft.jar

  This JAR file contains APIs for the USER_PROFILE and DELETE_USER_PROFILE component interfaces.

  The "Configuring the Target System for Provisioning" section provides information about the procedure to generate this file for the specific release of PeopleTools (8.49) that you are using.

  Note:

  The supported JDK and JRE versions are linked to the PeopleTools version you are using. For PeopleTools 8.49, the supported JDK version is 1.5.0.

While installing Oracle Identity Manager in a clustered environment, you copy the contents of the installation directory to each node of the cluster. Similarly, after you install the connector, you must copy all the JAR files and the contents of the connectorResources directory into the corresponding directories on each node of the cluster.

2.2.1.3 Configuring the IT Resource

The IT resource for the target system contains connection information about the target system. Oracle Identity Manager uses this information during provisioning and reconciliation.

When you run the Connector Installer, the PSFT UM Server IT resource is automatically created in Oracle Identity Manager. You must specify values for the parameters of this IT resource as follows:

1. Log in to the Administrative and User Console.

2. Expand Resource Management.

3. Click Manage IT Resource.

4. In the IT Resource Name field on the Manage IT Resource page, enter PSFT UM Server and then click Search.

5. Click the edit icon for the IT resource.

6. From the list at the top of the page, select Details and Parameters.

7. Specify values for the parameters of the IT resource. Table 2-4 describes each parameter:

   Table 2-4 Parameters of the IT Resource for the Target System

   Parameter	Description
   Admin	User ID of the PeopleSoft Enterprise Applications limited rights user profile. Oracle Identity Manager uses this target system account to connect to and exchange data with the target system. Sample value: OIMUM
   AdminCredentials	Enter the password of the PeopleSoft Enterprise Applications administrator.
   AttributeMapLookUpForProv Note: This parameter is used only in the connector without the Remote Manager.	This parameter holds the name of the lookup definition containing attribute field mappings between Oracle Identity Manager and the target system. This mapping information is used during provisioning. Default value: Lookup.PSFTUM.Attr.Map.Prov Note: You must not change the value of this parameter.
   ComponentInterfaceName	Component interface used to load user data in PeopleSoft Enterprise Applications Default value: USER_PROFILE
   ServerName	Enter the IP address or host name of the computer hosting the PeopleSoft application server. Sample value: ServerName = 172.21.109.48
   ServerPort	JOLT Listener port: BEA JOLT acts as the communication layer between the Web server and the application server installed on the target system. Default value: 9000 Note: The JOLT Port can be determined by either using the PSADMIN utility or by locating the Port parameter in the JOLT Listener section in the psappsrv.cfg file. Figure 2-1 shows the psappsrv.cfg file.
   IsSecure	This parameter is deprecated in the current release. Modifying the values for this parameter will not affect the functionality of the connector.
   SymbolicId	Enter the AccessId associated with the PeopleSoft Enterprise Applications limited rights user profile. The AccessId specifies whether or not the user has sufficient privileges on the PeopleSoft Enterprise Applications database. Sample value: SYSADM1
   NumberOfRetries	Enter the number of times Oracle Identity Manager must try connecting to the target system before the InvocationTargetException error is thrown. Default value: 2 Note: The timeout feature is enabled only for full reconciliation and provisioning. It is not applied during incremental reconciliation.
   DelayBetweenRetries	Use this parameter to specify the time difference (in milliseconds) between consecutive retries. Default value: 20000
   RecordName	Use this parameter to add the Employee ID for a new user profile or update the Employee ID for an existing a user profile. Default value: PERSONAL_DATA
   UnsupportedCharacters	List of characters or strings that are not supported by PeopleSoft in the value specified for any user profile field Default value: ,##;## ##:##&##(##)##\##[##]##/##<##>##PPLSOFT These characters are separated by ## (two number sign characters).
   PIAServerName	Enter the IP address or host name of the computer hosting the PeopleSoft Internet Architecture. Note: The IP address or the host name must be followed by the port number on which PeopleSoft Internet Architecture is running. Sample value: 172.21.109.48:90

   
   

   Figure 2-1 PSAPPSRV.CFG File

   
   Description of "Figure 2-1 PSAPPSRV.CFG File"
   
   

8. To save the values, click Update.

Note:

The procedure to configure the IT resource for the connector with the Remote Manager is described later in this chapter.

2.2.1.4 Deploying the PeopleSoft Listener

To deploy the PeopleSoft Listener:

1. Copy the OIM_HOME/cbrecon_webapp/lib/peopleSoftUMApp.war file into a temporary directory. Enter the following command to extract the contents of the peopleSoftUMApp.war file.

   jar –xvf peopleSoftUMApp.war
   

   Note:

   All the files mentioned in the remaining steps of this procedure are extracted from the peopleSoftUMApp.war file.

2. Edit the deployment.properties file. This file contains the message property that corresponds to the name of the XML message sent by the target system. The default value of this property is USR_MGMT_MSG.

3. Edit the xlsession.properties file. This file contains the UserName Oracle Identity Manager connection parameter. The value that you specify for this parameter is the user name for logging in to Oracle Identity Manager. The default value is xelsysadm.

4. Edit the xlConnection.properties file. This file contains the following system properties that enable an API client to communicate with Oracle Identity Manager:

   • XL.HomeDir: Use this property to specify the full path and name of the OIM_HOME directory. Specify the following value for this parameter:

     -DXL.HomeDir=OIM_HOME
     

   • java.security.policy: Use this property to specify the fully qualified file name of the security policy file. Typically, this file is located in the OIM_HOME/config directory.

   • java.security.auth.login.config: Use this property to specify the fully qualified file name of the authentication configuration file. Typically, this file is located in the OIM_HOME/config directory.

     Each application server uses a different authentication configuration file:

     IBM WebSphere Application Server: authws.conf

     Oracle WebLogic Server: authwl.conf

     JBoss Application Server: auth.conf

     Oracle Application Server: auth.conf

   • java.naming.provider.url: Use this property to specify the JNP URL of the application server. This URL is located in the <Discovery><CoreServer><java.naming.provider.url> tag of the OIM_HOME/config/xlconfig.xml file. Each application server uses a different JNP URL:

     • Oracle WebLogic Server: t3://localhost:7001

     • IBM WebSphere Application Server: corbaloc:iiop:host:2809

     • JBoss Application Server: jnp://localhost:1099

     • Oracle Application Server: ormi://localhost:12401/Xellerate

5. Edit the following properties in the configureReconciliation.properties file:

   • reconciliationMode: Use this property to specify the mode of reconciliation that you want to use. Set value of this property to target.

   • ITResourceType: Use this property to fetch IT Resource instances. The default value is PSFT UM. For the connector with the Remote Manager, this value is PSFTUM_RM. The XML message generated by PeopleSoft contains the IP and the PORT of the computer on which the message is generated.

     Note:

     This information is compared against all the IT resources that match the value you provide for this property. The PIAServerName attribute is compared with the PeopleSoft IP. The value of the PIAServerName attribute must be in the following format:

     PIA_SRVR_IP_ADDRESS:PIA_PORT

     For example, 172.21.109.62:90

   • ReconcilingRO: Use this property to specify the name of the resource object used for reconciliation:

     ReconcilingRO=PSFT_UM_RO (by default)

     For the connector with the Remote Manager:

     ReconcilingRO=PSFTUM_RM

   • PIA_IP: Use this property to specify the Xpath to fetch the IP address of the target system, which generates the XML message. The default value is //Transaction/PSOPRDEFN/PIA_IP.

     Note:

     XPath describes how to locate specific elements in a document. It allows you to locate specific content within an XML document. XPATH treats an XML document as a logical ordered tree.

   • PIA_PORT: Use this property to specify the Xpath to fetch the port on which PeopleSoft Internet Architecture is running. The default value is //Transaction/PSOPRDEFN/PIA_PORT.

   • DEL_USER_OPRID: Use this property to specify the Xpath to fetch the deleted User ID. The default value is //Transaction/PRG_USR_PROFILE/OPERID.

   • FiltersToBeApplied: Use this property to specify the comma-separated list of filters that are applied on the target system field names during reconciliation.

   • FiltersValues: Use this property to specify the comma-separated list of values for the filters that you specify as the values of the FiltersToBeApplied property.

     Note:

     In the FiltersValues property, data is separated by a comma. However, if a comma is part of the values specified, then it will be treated as a different value. Consider the following example:

     IsFilterApplied = yes, FiltersToBeApplied = Users.OPRID,Users.DESCRIPTION, and FiltersValues = SFCA001, This is a, test

     In this scenario, you have entered the value of Users.DESCRIPTION as "This is a, test". The reconciliation engine will consider it as two different values, "This is a", and "test". The FiltersToBeApplied property contains two filters while the FiltersValues property contains three. As a result of this inconsistency, the "Filters are not synchronized" error message will be displayed.

     For information about how these filters are applied during reconciliation, see Chapter 4, "Using the Connector".

   • IsFilterApplied: Use this property to specify whether or not filters must be applied during reconciliation. Valid values are yes and no. If invalid values are provided, then the default value no is used.

   • SearchCriteria: Use this property to specify the search algorithm to be applied on the filters that you enter. Valid values are INDEX_OF, EXACT_MATCH. Consider the following example.

     You specify a filter in which the value of Users.OPRID must contain JO and you also set a value for the SearchCriteria property. If you specify INDEX_OF, then all records containing "JO" will be reconciled. If you specify EXACT_MATCH, then only those records in which the value of Users.OPRID is "JO" will be reconciled.

     If invalid values are provided, then by default the value of this property is considered as INDEX_OF.

   • CaseSensitive: Use this property to specify if the filters that search the records are case sensitive or not. Consider the following example:

     You specify the value of this property as yes. In this case, if the filter specifies that Users.Name=JOHN, then only JOHN will match. The values John or john will be ignored. If you specify the value as no, then the value will be accepted regardless of the case in which it is specified.

     If invalid values are provided, then the default value no is used.

   • Operator: Use this property to specify the operator that you want to apply to the filters. Valid values are AND or OR. Depending on the value specified, data is joined accordingly for any combination of the target system fields specified in the FiltersToBeApplied property. However, if invalid values are provided, then the "Invalid Operators" error message is displayed and no records are reconciled.

6. Copy the following files from the OIM_HOME/lib directory to the WEB-INF/lib directory:

   Note:

   Before you copy these files from the OIM_HOME/lib directory, check if these files exist in the WEB-INF/lib directory. If these files exist, then first delete them from the WEB-INF/lib directory.

   • xlAPI.jar

   • xlAuthentication.jar

   • xlBackOfficeBeans.jar

   • xlBackofficeClient.jar

   • xlCache.jar

   • xlCrypto.jar

   • xlDataObjectBeans.jar (for IBM WebSphere Application Server, copy this file from the OIM_CLIENT/xlclient/lib directory)

   • xlDataObjects.jar

   • xlLogger.jar

   • xlUtils.jar

   • xlVO.jar

   • xlAdapterUtilities.jar

   • xlRemoteManager.jar

   • xlScheduler.jar

   Copy the following files from the OIM_HOME/ext directory to the WEB-INF/lib directory:

   • oscache.jar

   • javagroups-all.jar

   • commons-collections.jar

   • commons-digester.jar

   • commons-logging.jar

   • commons-validator.jar

   • commons-beanutils.jar

   • jdbcpool-0.99.jar

   • log4j-1.2.8.jar

   • struts.jar

   • xerces.jar

   • xercesImpl.jar

   • velocity-dep.jar (only for UNIX)

   Copy the following files from the OIM_HOME/ThirdParty directory to the WEB-INF/lib directory:

   • peoplesoft.jar

   • psjoa.jar

7. Delete the peopleSoftUMApp.war file from the temporary directory into which you extract it, and then use the following command to re-create the file:

   jar –cvf  peopleSoftUMApp.war .
   

8. Ensure that the old version of the peopleSoftUMApp.war file is deleted from the application server deployment directory.

9. Deploy the newly created peopleSoftUMApp.war file in the deployment directory of the application server as follows:

   For Oracle WebLogic Server:

   1. Log in to the Oracle WebLogic admin console.

   2. From the Domain Structure list, select OIM_DOMAIN.

      Where OIM_DOMAIN is the domain on which Oracle Identity Manager is installed

   3. Click the Deployments tab

   4. On Microsoft Windows, in the Change Centre window, click Lock & Edit. This enables the Install button of the Monitoring tab in the Summary Of Deployments section.

   5. Click Install.

   6. In the Install Application Assistant, enter the full path of the directory in which the WAR file is placed. Then, click Next.

   7. Select the WAR file that you want to install.

   8. Click Next.

   9. Select the Install this deployment as an application option, and then click Next.

   10. In the Name of deployment field, enter peopleSoftUMApp.

   11. In the Security section, select the DD Only: Use only roles and policies that are defined in the deployment descriptors option.

   12. In the Source accessibility window, select the Use the defaults defined by the deployments targets option.

   13. Click Finish.

       On Microsoft Windows, the "The deployment has been successfully installed" message is displayed.

   14. On UNIX platforms, click Save. The following messages are displayed:

       Success All changes have been activated. No restarts are necessary.

       Success Settings updated successfully.

   15. On Microsoft Windows, to activate the changes that you have made up to this point:

       i. Select the check box corresponding to the newly installed application.

       ii. In the Change centre window, click Activate Changes.

   16. On Microsoft Windows, select the check box for the newly installed application, select the Servicing all requests option from the Start list, and then click Yes.

   For IBM WebSphere Application Server:

   1. Log in to the WebSphere Admin console.

   2. Expand Applications.

   3. Click Install New Application.

   4. Locate the WAR file by using the Browse button.

   5. In the Context root field, enter peopleSoftUMApp.

   6. Click Next.

   7. In the Select installation options field, enter peopleSoftUMApp as the application name and click Next.

   8. On the Map modules to servers page, select peopleSoftUMApp.war and click Next.

   9. On the Map virtual hosts page, select peopleSoftUMApp.war and click Next.

   10. Click Finish.

   11. Click Save to save all the configurations to the master configuration in IBM Websphere Application Server.

   12. Click Enterprise Applications.

   13. On the Enterprise Applications page, select peopleSoftUMApp and then click Start to restart the application.

   For JBoss Application Server:

   1. Copy the modified WAR file to the JBOSS_HOME/server/default/deploy directory

   2. Restart JBoss Application Server.

   For Oracle Application Server:

   1. Log in to the Oracle Application Server Administrative Console.

   2. Select the name of the instance on which the Oracle Identity Manager server is running.

   3. Select the Applications tab.

   4. Click Deploy.

   5. Locate the WAR file by using the Browse button.

   6. Click Next.

   7. Specify the application name as peopleSoftUMApp.

   8. Click Next.

   9. To accept the default deployment settings, click Deploy.

   10. When the WAR file is successfully deployed, restart Oracle Application Server.

10. Restart Oracle Identity Manager and the Design Console.

Note:

You can add new fields to be reconciled during incremental reconciliation. However, you must complete the deployment procedure before you can add new fields.

See "Adding New Fields for Incremental Reconciliation" for information about the procedure to add new fields for incremental reconciliation.

2.2.2 Installation on the Target System

During this stage, you configure the target system to enable it for reconciliation and provisioning operations. This information is provided in the following sections:

• Configuring the Target System for Full Reconciliation

• Configuring the Target System for Incremental Reconciliation

• Configuring the Target System for Provisioning

• Installing the Remote Manager

• Enabling Logging in the Remote Manager

• Enabling Client-Side Authentication for the Remote Manager

2.2.2.1 Configuring the Target System for Full Reconciliation

As described in Chapter 1, "About the Connector", full reconciliation is used to reconcile all data that are added, modified, or deleted in the target system into Oracle Identity Manager. The PeopleCode that is activated extracts the required user data through the USERMAINT and PURGE_USR_PROFILE components.

Configuring the target system for full reconciliation involves preparing the flat file for full reconciliation by performing the following procedures:

• Creating the Application Engine Program

  This is a one-time procedure.

• Configuring the Record Delimiter

  Depending on your requirements, you may configure the record delimiter once, or each time you want to perform full reconciliation.

2.2.2.1.1 Creating the Application Engine Program

The Application Engine program populates a flat file with user data that requires reconciliation. To create the Application Engine program:

1. To open Application Designer in 2-tier mode, click Start, Programs, Peoplesoft8.x, and then Application Designer.

   Note:

   To open Application Designer in 2-tier mode, the database client (client of the database that PeopleSoft is using) must be installed on the server. In addition, you must select the appropriate database type from the Connection Type field (for example, Oracle Database) while providing sign-on information in the PeopleSoft Application Designer Signon window.

2. From the File menu, click New.

3. In the New Definition dialog box, select App Engine Program from the Definition list.

4. On the App Engine Program page, a plus sign (+) is displayed besides the MAIN section. The MAIN section may contain multiple steps. Expand MAIN. A step named Step01 is added to MAIN.

5. Rename Step01 to BLKRecon.

6. Click Action in the Insert menu. An action is added to the BLKRecon step.

7. Select PeopleCode from the list for the new action.

8. Click Save in the File menu, and save the Application Engine program as BLKPRCS_USER.

9. Double-click the PeopleCode action. A new PeopleCode window is displayed.

10. Copy the code from the OIM_HOME/XLIntegrations/PSFTUM/peoplecode/UserMgmtBulkRecon_8.49.txt file into the PeopleCode window.

    Note:

    You must create the BLKRecon step before creating the other steps. This will help you set the delimiter value only once in the code. Otherwise, the delimiter value will be set to "*"(asterisk) by default.

11. Change the path to a directory location on the PeopleSoft server as follows:

    &DataFile = GetFile("path where you want to generate the comma-separated flat file\BulkRecon.txt", "w", %FilePath_Absolute);
    &LOGFile = GetFile("path where you want to generate the comma-separated flat file\BulkRecon.log", "w", "a", %FilePath_Absolute);
    

    For example:

    &DataFile = GetFile("C:\PSFT_849_LOOKUPS\BulkRecon.txt", "w", %FilePath_Absolute);
    &LOGFile = GetFile("C:\PSFT_849_LOOKUPS\BulkRecon.log", "w", "a", %FilePath_Absolute);
    

12. Save the PeopleCode action, and close the window.

13. On the App Engine Program page, select the BLKRecon step and then select Step/Action from the Insert menu.

14. Repeat Steps 5 through 12 to create the remaining steps, which are listed in the following table:

    Step Name	File Containing the Required PeopleCode
    language	LanguageCode.txt
    Currency	CurrencyCode.txt
    userrole	UserRoles.txt
    permiss	PermissionList.txt
    EmailType	EmailType.txt
    BLKRecon (already created in Step 5.)	UserMgmtBulkRecon_8.49.txt

    
    

15. Save the Application Engine program.

2.2.2.1.2 Configuring the Record Delimiter

If the record delimiter is part of any data that is reconciled, then you must configure the record delimiter to specify an appropriate value:

1. To open Application Designer in 2-tier mode, click Start, Programs, Peoplesoft8.x, and then Application Designer.

   Note:

   To open Application Designer in 2-tier mode, the database client (client of the database that PeopleSoft is using) must be installed on the server. In addition, you must select the appropriate database type from the Connection Type field (for example, Oracle Database) while providing sign-on information in the PeopleSoft Application Designer Signon window.

2. From the File menu, click Open.

3. In the Open Definition dialog box, select App Engine Program from the Definition list, and enter BLKPRCS_USER as the name of the Application Engine program.

   See Also:

   "Configuring the Target System for Full Reconciliation" for the procedure to create and run an Application Engine program

4. On the App Engine Program page, a plus sign (+) is displayed besides the MAIN section. The MAIN section may contain multiple steps. Expand MAIN. A step named Step01 is added to MAIN.

5. Double-click the PeopleCode action. A new PeopleCode window is displayed.

6. In the PeopleCode window, search for the following string:

   &Sepratr = Left("*",1);

   In this string, the asterisk character (*) represents the source string and 1 represents the numerical character.

7. In the Left (source_str, num_chars) function, change the first parameter to a new delimiter value. For example, if you want to change the delimiter value from the asterisk character (*), to the ampersand (&), then change the line to the following:

   &Sepratr = Left("&",1);

8. Click Save.

2.2.2.2 Configuring the Target System for Incremental Reconciliation

Configuring the target system for incremental reconciliation involves creating messages and queues, publishing messages by writing PeopleCode that is used to populate and send messages from PeopleSoft Integration Broker to other systems, and configuring PeopleSoft Integration Broker.

A message is the physical container for the XML data that is sent from the target system. Message definitions provide the physical description of data that is sent from the target system. This data includes fields, field types, and field lengths. A queue is used to carry messages. It is a mechanism for structuring data into logical groups. A message can belong to only one queue.

Note:

For this connector, two messages must be created, USR_MGMT_MSG, and OIM_DEL_MESSAGE. USR_MGMT_MSG contains information of user accounts that are created or modified. OIM_DEL_MESSAGE contains information of user accounts that are deleted.

The two separate messages are created because USR_MGMT_MSG contains all information about a user account. However, when a user account is deleted, only OPRID of the user is required to be sent to Oracle Identity Manager.

After messages are created and associated with their respective queues, they must be published. Publishing a message involves adding the required PeopleCode in Application Designer. This is because PeopleSoft Integration Broker and Oracle Identity Manager communicate through the exchange of XML messages and a message can only be generated by using specific instructions in the PeopleCode.

Setting the PeopleSoft Integration Broker gateway is mandatory when you configure PeopleSoft Integration Broker. To subscribe to XML data, Oracle Identity Manager can accept and process XML messages posted by PeopleSoft by using PeopleSoft connectors located in the PeopleSoft Integration Broker gateway. These connectors are Java programs that are controlled by the Integration Broker gateway.

This gateway is a program that runs on the PeopleSoft Web server. It acts as a physical hub between PeopleSoft and PeopleSoft applications (or third-party systems, such as Oracle Identity Manager). The gateway manages the receipt and delivery of messages passed among systems through PeopleSoft Integration Broker.

To configure the target system for incremental reconciliation, perform the following procedures:

Note:

You must use an administrator account to perform the following procedures.

1. Creating the Queues

2. Creating the Messages

3. Publishing the Messages

4. Configuring PeopleSoft Integration Broker

2.2.2.2.1 Creating the Queues

To create queues:

1. Open a Web browser and enter the URL for PeopleSoft Internet Architecture. The URL is in the following format:

   http://SERVER_NAME/psp/ps/DATABASE_NAME/?cmd=login
   

   For example:

   http://psftserver.example.com/psp/ps/TestDB/?cmd=login
   

2. In the PeopleSoft Internet Architecture window, expand People Tools, Integration Broker, and Integration Setup, and then click Queues.

3. On the Add a New Value tab, enter the queue name, for example, OIM_UM_QUEUE, and then click Add.

4. On the Queue Definitions tab, select archive.

5. Select Run from the Queue Status list.

6. Click Save to save the changes.

2.2.2.2.2 Creating the Messages

To create messages:

1. Open a Web browser and enter the URL for PeopleSoft Internet Architecture. The URL is in the following format:

   http://SERVER_NAME/psp/ps/DATABASE_NAME/?cmd=login
   

   For example:

   http://psftserver.example.com/psp/ps/TestDB/?cmd=login
   

2. In the PeopleSoft Internet Architecture window, expand People Tools, Integration Broker, and Integration Setup, and then click Messages.

3. On the Add a New Value tab, enter USR_MGMT_MSG as the message name VERSION_1 or v1 as the version.

4. Click Add.

5. On the Message Definition tab, select Nonrowset-based as the message type.

6. Click Save to save the changes.

7. Repeat Steps 1 through 5 to create the OIM_DEL_MESSAGE message.

2.2.2.2.3 Publishing the Messages

To publish messages:

1. Click Start, Programs, Peoplesoft8.x, and then Application Designer. The Application Designer window is displayed in 2-tier mode.

   Note:

   To open Application Designer in 2-tier mode, the database client (client of the database that PeopleSoft is using) must be installed on the server. In addition, you must select the appropriate database type from the Connection Type field (for example, Oracle Database) while providing sign-on information in the PeopleSoft Application Designer Signon window.

2. From the File menu, click Open. The Open Definition dialog box is displayed.

3. Select Component from the Definition list, enter USERMAINT in the Name Selection Criteria field, and then click Enter. All component names starting with the text USERMAINT are displayed.

4. Select USERMAINT from the list, and then click Open. The details of the USERMAINT component are displayed.

5. Click the Structure tab, right-click USERMAINT, and then select View PeopleCode. The PeopleCode for the USERMAINT component is displayed.

6. Select the SavePostChange event from the list in the upper-right corner of the window. The PeopleCode for this event is displayed.

7. Copy the code given in the following file and paste it after the import definitions in the PeopleCode for the SavePostChange event:

   OIM_HOME/XLIntegrations/PSFTUM/peopleCode/UserMgmtCBRecon_8.49.txt

   Note:

   While creating the message by following the procedures described in the "Creating the Messages" section, if you change the name of the message to something other than USR_MGMT_MSG, then you must use the same name in the code that you copy.

8. Add the following function call at the end of the PeopleCode for the SavePostChange event:

   Note:

   Perform this step only after you copy the code from the text file.

   /**********************************************************************/
   /* Calling the GENERATEUSER function to generate the 
   USR_MGMT_MSG message*/
   /**********************************************************************/
   If Len(%CompIntfcName) = 0 Then 
   Local string &OPID;
   &OPID = PSOPRDEFN.OPRID;
   &s_ipadd = %Request.ServerName;
   &n_port = %Request.ServerPort;
   GENERATEUSR(&OPID);
   End-If;
   

9. From the File menu, click Save to save the changes to the USERMAINT component.

10. Repeat Steps 1 through 6 for the PURGE_USR_PROFILE component, and then perform the following:

    1. Copy the code given in the following file and paste it in the PeopleCode for the SavePostChange event:

       OIM_HOME/XLIntegrations/PSFTUM/peopleCode/DeleteUsrProfileCBRecon_8.49.txt

       Note:

       While creating the message by following the procedures described in the "Creating the Messages" section, if you change the name of the message to something other than OIM_DEL_MESSAGE, then you must use the same name in the code that you copy.

    2. Add the following function call at the end of the PeopleCode for the SavePostChange event:

       Note:

       Perform this step only after you copy the code from the text file.

       /**********************************************************************/
       /* Calling the DELETEUSR function to generate the 
       OIM_DEL_MESSAGE message*/
       /**********************************************************************/
       If Len(%CompIntfcName) = 0 Then 
       Local string &OPID;
       &OPID = PSOPRDEFN.OPRID;
       &s_ipadd = %Request.ServerName;
       &n_port = %Request.ServerPort;
       DELETEUSR(&OPID);
       End-If;
       

    3. From the File menu, click Save to save the changes to the PURGE_USR_PROFILE component.

2.2.2.2.4 Configuring PeopleSoft Integration Broker

The following sections explain the procedures to configure PeopleSoft Integration Broker:

• Configuring PeopleSoft Integration Broker Gateway

• Configuring PeopleSoft Integration Broker

Configuring PeopleSoft Integration Broker Gateway

To configure the PeopleSoft Integration Broker gateway:

1. Open a Web browser and enter the URL for PeopleSoft Internet Architecture.

   The URL for PeopleSoft Internet Architecture is in the following format:

   http://servername/psp/ps/Databasename/?cmd=login
   

   For example:

   http://psftserver.example.com/psp//ps/TestDB/?cmd=login
   

2. To display the Gateway component details, expand PeopleTools, Integration Broker, Configuration, and then Gateways. The Gateway component details are displayed.

3. Enter LOCAL in the Integration Gateway ID field, and then click Search. The LOCAL gateway is a default gateway that is created when you install PeopleSoft Internet Architecture.

4. Ensure that the IP address and host name specified in the URL of the PeopleSoft listener are that of the computer on which the target system is installed. The URL of the PeopleSoft listener is in the following format:

   http://computer_name_of_the_PeopleSoft_Web_server or IP_address:port/PSIGW/PeopleSoftListeningConnector
   

   For example:

   http://10.121.16.42:80/PSIGW/PeopleSoftListeningConnector
   

5. To load all target connectors that are registered with the LOCAL gateway, click Load Gateway Connectors. A window is displayed mentioning that the loading process is successful. Click OK.

6. Click Save.

7. Click Ping Gateway to check if the gateway component is active. The PeopleTools version and the status of the PeopleSoft listener are displayed. The status should be ACTIVE.

Configuring PeopleSoft Integration Broker

To configure PeopleSoft Integration Broker:

1. Create a remote node by performing the following steps:

   1. In PeopleSoft Internet Architecture, expand PeopleTools, Integration Broker, Integration Setup, and then click Nodes.

   2. On the Add a New Value tab, enter the node name, for example, OIM_UM_NODE, and then click Add.

   3. On the Node Definition tab, enter a description for the node in the Description field. In addition, enter PS in the Default User ID field.

   4. Make this node a remote node by deselecting the Local Node check box and selecting the Active Node check box.

   5. On the Connectors tab, search for the following information by clicking on the Lookup icon:

      Gateway ID: LOCAL

      Connector ID: HTTPTARGET

   6. On the Properties subpage in the Connectors tab, enter the following information:

      Property ID: PRIMARYURL

      Property Name: URL

      Required value: Enter the URL of the PeopleSoft listener that is supposed to receive the XML message. This URL must be in the following format:

      http://computer_name_of_OIM_SERVER or IP address:port/peopleSoftUMApp/do/peopleSoftUM
      

      The URL depends on the application server that you are using. For an environment on which SSL is not enabled, the URL must be in the following format:

      For Oracle WebLogic Server:

      http://10.121.16.42:7001/peopleSoftUMApp/do/peopleSoftUM
      

      For IBM WebSphere Application Server:

      http://10.121.16.42:9080/peopleSoftUMApp/do/peopleSoftUM
      

      For JBoss Application Server:

      http://10.121.16.42:8080/peopleSoftUMApp/do/peopleSoftUM
      

      For Oracle Application Server:

      http://10.121.16.42/peopleSoftUMApp/do/peopleSoftUM
      

      For an environment on which SSL is enabled, the URL must be in the following format:

      https://COMMON_NAME:PORT/peopleSoftUMApp/do/peopleSoftUM
      

      For Oracle WebLogic Server:

      https://example088196:7002/peopleSoftUMApp/do/peopleSoftUM
      

      For IBM WebSphere Application Server:

      https://example088196:9443/peopleSoftUMApp/do/peopleSoftUM
      

      For JBoss Application Server:

      https://example088196:8443/peopleSoftUMApp/do/peopleSoftUM
      

   7. Click Save to save the changes.

   8. Click Ping Node to check if a connection is established with the specified IP address.

2. Create a service by performing the following steps:

   1. In PeopleSoft Internet Architecture, expand PeopleTools, Integration Broker, Integration Setup, and then click Services.

   2. On the Add a New Value tab, enter the service name, for example, OIM_UM_SERVICE, and then click Add.

   3. On the Service Definition tab, enter a description for the service in the Description field.

   4. Click Save to save the changes.

3. Create a service operation by performing the following steps:

   1. In PeopleSoft Internet Architecture, expand PeopleTools, Integration Broker, Integration Setup, and then click Service Operations.

   2. On the Add Service Operation tab, enter the service name for which you are creating the service operation. In addition, enter the service operation name. The name of the service operation must be the same as that of the messages you created in Step 2 of the "Creating the Messages" section, for example, USR_MGMT_MSG and OIM_DEL_MESSAGE.

   3. From the Operation type list, select Asynchronous-Oneway, and then click Add.

   4. On the General tab of the Service Operation Definition page, enter a description for the Operation type in the Operation Description field. In addition, enter USR_MGMT_MSG.VERSION_1 in the Message.Version field and OIM_UM_QUEUE in the Queue Name field.

   5. Click Save to save the changes.

   6. On the Routing tab, enter OIM_UM_ROUTING as the routing name and then click Add.

   7. On the Routing Definition tab, enter the following:

      Sender Node: PSFT_HR

      Receiver Node: OIM_UM_NODE

      Service Operation: USR_MGMT_MSG

   8. Add another routing definition for OIM_DEL_MESSAGE and enter the following:

      Sender Node: PSFT_HR

      Receiver Node: OIM_UM_NODE

      Service Operation: OIM_DEL_MESSAGE

      Note:

      PSFT_HR is the default local node for PeopleSoft HCM applications. If you are using other PeopleSoft applications, verify the default local node by using the procedure described in Step 1a. For example, if you are using PeopleSoft CRM applications, then the default local node is PSFT_CR.

   9. Click Save to save the changes.

   Before the XML messages are sent from the target system to Oracle Identity Manager, you must verify if the PeopleSoft node is running. You can do so by clicking the Ping Node button in the Connectors tab. To access the Connectors tab, click PeopleTools, Integration Broker, Integration Setup, and then Nodes.

   If Oracle Identity Manager is not running when a message is published, then the message is added to a queue. You can check the status of the message in the queue in the Message Instance tab. This tab lists all the published messages in queue. When you check the details of the particular message, you will find the status listed as Timeout or Error.

   To publish a message in the queue to Oracle Identity Manager, resubmit the message when Oracle Identity Manager is running. See "Publishing the Messages" for more information.

   If the status of the message is New or Started and it does not change to Timeout or Done, then you must restart the PeopleSoft application server after you restart the Oracle Identity Manager server.

2.2.2.3 Configuring the Target System for Provisioning

To configure the target system for provisioning, create the APIs for the component interface as follows:

1. To open the Application Designer, click Start and then select Programs, Peoplesoft8.x, and Application Designer.

2. On the Application Designer page, click Open from the File menu.

3. In the Open Definition dialog box, select Component Interface from the Definition list.

4. Enter USER_PROFILE in the Name field, and then press Enter.

   All the component interfaces with names that start with USER_PROFILE are displayed in the Open Definition dialog box.

5. Select the USER_PROFILE entry, and then click Open.

6. Click Yes in the message that is displayed. The properties of the USER_PROFILE component interface are displayed.

7. In the window for the USER_PROFILE component interface, select PeopleSoft APIs from the Build menu. The Build PeopleSoft API Bindings dialog box is displayed.

8. In the Java Classes region, select Build.

9. From the Select APIs to Build list, select CompIntfc.CompIntfcPropertyInfo, CompIntfc.CompIntfcPropertyInfoCollection, CompIntfc.DELETE_USER_PROFILE, CompIntfc.DELETE_USER_PROFILECollection, and the APIs with names that start with CompIntfc.USER_PROFILE.

10. In the Target Directory field, specify the path of the directory in which you want the Java API classes to be created, and then click OK.

11. Ensure that the psjoa.jar file is included in the CLASSPATH environment variable. This file is located in the PEOPLESOFT_HOME/web/psjoa directory.

12. Compile the APIs from the target directory specified in the preceding step. To do so:

    1. Specify the JAVA_HOME environment variable.

    2. In the command prompt, run the following command in the directory that you specified in Step 10 of this procedure:

       %JAVA_HOME%\bin\javac PeopleSoft\Generated\CompIntfc\*.java
       

13. Bundle the compiled class files in a JAR named peoplesoft.jar as follows:

    jar -cvf peoplesoft.jar PeopleSoft/Generated/CompIntfc/*.class

2.2.2.4 Installing the Remote Manager

Note:

Ensure that the Remote Manager is installed on JRE version 1.5.x. By default, the Remote Manager uses bundled JRE version 1.4.2_11.

In this guide, the directory in which you install the Remote Manager is referred to as RM_HOME.

The procedures to configure the Remote Manager are described in "Configuring the Remote Manager".

To install the Remote Manager:

1. The Remote Manager installation files are shipped along with the Oracle Identity Manager installation files. Depending on the application server that you use, perform the procedure to install the Remote Manager on the target system computer by following the instructions given in one of the following guides:

   • Oracle Identity Manager Installation and Configuration Guide for Oracle WebLogic Server

   • Oracle Identity Manager Installation and Configuration Guide for IBM WebSphere Application Server

   • Oracle Identity Manager Installation and Configuration Guide for JBoss Application Server

   • Oracle Identity Manager Installation and Configuration Guide for Oracle Application Server

2. Copy the following JAR files into the RM_HOME/JavaTasks directory:

   • OIM_HOME/lib/xlVO.jar

   • OIM_HOME/lib/xlAPI.jar

2.2.2.5 Enabling Logging in the Remote Manager

To enable logging in the Remote Manager:

1. Add the following lines in the RM_HOME/config/log.properties file:

   log4j.logger.OIMCP.PSFTUM=LOG_LEVEL
   

2. In these lines, replace LOG_LEVEL with the log level that you want to set.

   For example:

   log4j.logger.OIMCP.PSFTUM=DEBUG
   

After you enable logging, when you start using the connector, the log information is written to the file whose name and location you specify in the log.properties file.

2.2.2.6 Enabling Client-Side Authentication for the Remote Manager

To enable client-side authentication for the Remote Manager:

1. Open the RM_HOME/xlremote/config/xlconfig.xml file in a text editor.

2. Set the ClientAuth property to true as follows:

   <ClientAuth>true</ClientAuth>
   

3. Ensure that the RMIOverSSL property is set to true as follows:

   <RMIOverSSL>true</RMIOverSSL>
   

4. Perform Steps 2 through 3 in the OIM_HOME/config/xlconfig.xml file.

2.3 Postinstallation

Postinstallation information is divided across the following sections:

• Postinstallation on Oracle Identity Manager

• Postinstallation on the Target System

• Configuring the Remote Manager

2.3.1 Postinstallation on Oracle Identity Manager

Postinstallation on Oracle Identity Manager consists of the following procedures:

Note:

In a clustered environment, you must perform these procedures on each node of the cluster.

• Clearing Content Related to Connector Resource Bundles from the Server Cache

• Enabling Logging

• Configuring SSL

2.3.1.1 Clearing Content Related to Connector Resource Bundles from the Server Cache

While you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the OIM_HOME/connectorResources directory. Whenever you add a new resource bundle in the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

1. In a command window, change to the OIM_HOME/bin directory.

   Note:

   You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:

   OIM_HOME/bin/script_file_name
   

2. Enter one of the following commands:

   • On Microsoft Windows:

     PurgeCache.bat ConnectorResourceBundle
     

   • On UNIX:

     PurgeCache.sh ConnectorResourceBundle
     

   Note:

   You can ignore the exception that is thrown when you perform Step 2. This exception is different from the one mentioned in Step 1.

   In this command, ConnectorResourceBundle is one of the content categories that you can delete from the server cache. Refer to the following file for information about the other content categories:

   OIM_HOME/config/xlconfig.xml

2.3.1.2 Enabling Logging

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

• ALL

  This level enables logging for all events.

• DEBUG

  This level enables logging of information about fine-grained events that are useful for debugging.

• INFO

  This level enables logging of messages that highlight the progress of the application at a coarse-grained level.

• WARN

  This level enables logging of information about potentially harmful situations.

• ERROR

  This level enables logging of information about error events that may allow the application to continue running.

• FATAL

  This level enables logging of information about very severe error events that could cause the application to stop functioning.

• OFF

  This level disables logging for all events.

The file in which you set the log level depends on the application server that you use:

• Oracle WebLogic Server

  To enable logging:

  1. Make the following changes in the OIM_HOME/config/log.properties:

     • Search for the following line:

       log4j.rootLogger=WARN,stdout
       

       Make this line a comment and uncomment the line preceding this line.

     • Locate and uncomment the following lines:

       #log4j.appender.logfile=org.apache.log4j.DailyRollingFileAppender
       #log4j.appender.logfile.DatePattern='.'yyyy-MM-dd
       #log4j.appender.logfile.File=DIRECTORY_PATH/xel.log
       #log4j.appender.logfile.MaxBackupIndex=20
       #log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
       #log4j.appender.logfile.layout.ConversionPattern=%p %t %c - %m%n
       

  2. Specify the name and the location of the file to which the preceding logs will be written. You can do this by changing the value of the following line:

     log4j.appender.logfile.File=DIRECTORY_PATH/xel.log
     

  3. Add the following line in the OIM_HOME/config/log.properties file:

     log4j.logger.OIMCP.PSFTUM=log_level
     

  4. In this line, replace log_level with the log level that you want to set.

     For example:

     log4j.logger.OIMCP.PSFTUM=DEBUG
     

  After you enable logging, the log information is written to the following file:

  DIRECTORY_PATH/xel.log
  

• IBM WebSphere Application Server

  To enable logging:

  1. Make the following changes in the OIM_HOME/config/log.properties:

     • Search for the following line:

       log4j.rootLogger=WARN,stdout
       

       Make this line a comment and uncomment the line preceding this line.

     • Locate and uncomment the following lines:

       #log4j.appender.logfile=org.apache.log4j.DailyRollingFileAppender
       #log4j.appender.logfile.DatePattern='.'yyyy-MM-dd
       #log4j.appender.logfile.File=DIRECTORY_PATH/xel.log
       #log4j.appender.logfile.MaxBackupIndex=20
       #log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
       #log4j.appender.logfile.layout.ConversionPattern=%p %t %c - %m%n
       

  2. Specify the name and the location of the file to which the preceding logs will be written. You can do this by changing the value of the following line:

     log4j.appender.logfile.File=DIRECTORY_PATH/xel.log
     

  3. Add the following line in the OIM_HOME/config/log.properties file:

     log4j.logger.OIMCP.PSFTUM=log_level
     

  4. In this line, replace log_level with the log level that you want to set.

     For example:

     log4j.logger.OIMCP.PSFTUM=DEBUG
     

  After you enable logging, the log information is written to the following file:

  DIRECTORY_PATH/xel.log
  

• JBoss Application Server

  To enable logging:

  1. In the OIM_HOME/config/log.properties file, add the following lines:

     <category name="OIMCP.PSFTUM">
        <priority value="log_level"/>
     </category>
     

  2. In these lines, replace log_level with the log level that you want to set. For example:

     <category name="OIMCP.PSFTUM">
        <priority value="DEBUG"/>
     </category>
     

  After you enable logging, the log information is written to the following file:

  JBOSS_HOME/server/default/log/server.log
  

• Oracle Application Server

  To enable logging:

  1. Add the following line in the OIM_HOME/config/log.properties file:

     log4j.logger.OIMCP.PSFTUM=log_level
     

  2. In this line, replace log_level with the log level that you want to set.

     For example:

     log4j.logger.OIMCP.PSFTUM=DEBUG
     

  After you enable logging, the log information is written to the following file:

  ORACLE_HOME/opmn/logs/default_group~home~default_group~1.log
  

2.3.1.3 Configuring SSL

The following sections describe the procedure to configure SSL connectivity between Oracle Identity Manager and the target system:

• Configuring SSL on Oracle WebLogic Server

• Configuring SSL on IBM WebSphere Application Server

• Configuring SSL on JBoss Application Server

2.3.1.3.1 Configuring SSL on Oracle WebLogic Server

You can configure SSL connectivity on Oracle WebLogic Server with either a self-signed certificate or a CA certificate. The following sections describe the procedures:

• Configuring SSL on Oracle WebLogic Server with a Self-Signed Certificate

• Configuring SSL on Oracle WebLogic Server with a CA Certificate

Configuring SSL on Oracle WebLogic Server with a Self-Signed Certificate

To configure SSL connectivity between Oracle Identity Manager on Oracle WebLogic Server and the target system with a self-signed certificate, you must perform the following tasks:

• Generating Keystore

• Configuring Oracle WebLogic Server

Generating Keystore

To generate the keystore:

1. Run the following command:

   keytool -genkey -keystore ABSOLUTE_KEYSTORE_PATH -alias ALIAS_NAME -keyalg KEY_ALGORITHM -storepass KEYSTORE_PASSWORD -keypass PRIVATE_KEY_PASSWORD
   

   For example:

   keytool -genkey -keystore c:\temp\keys\keystore.jks -alias example088196 -keyalg RSA -storepass example1234 -keypass example1234
   

   Note:

   - The keystore password and the private key password must be the same.

   - Typically, the alias is the name or IP address of the computer on which you are configuring SSL.

   - The alias used in the various command of this procedure must be the same.

2. When prompted, enter information about the certificate. This information is displayed to users attempting to access a secure page in the application. This is illustrated in the following example:

   keytool -genkey -keystore c:\temp\keys\keystore.jks -alias example088196    -keyalg RSA -storepass example1234 -keypass example1234
   What is your first and last name?
     [Unknown]: Must be the name or IP address of the computer
   What is the name of your organizational unit?
     [Unknown]:  example
   What is the name of your organization?
     [Unknown]:  example
   What is the name of your City or Locality?
     [Unknown]:  New York
   What is the name of your State or Province?
     [Unknown]:  New York
   What is the two-letter country code for this unit?
     [Unknown]:  US
   Is <CN=Name or IP address of the computer, OU=example, O=example, L=New York, ST=New York, C=US> correct?
     [no]:  yes
   

   When you enter yes in the last line of the preceding example, the keystore.jks file is created in the c:\temp\keys\ directory.

3. Export the keystore to a certificate file by running the following command:

   keytool -export -alias ALIAS_NAME -keystore ABSOLUTE_KEYSTORE_PATH -file CERTIFICATE_FILE_ABSOLUTE_PATH
   

   For example:

   keytool -export -alias example088196 -keystore c:\temp\keys\keystore.jks -file c:\temp\keys\keystore.cert
   

4. When prompted for the private key password, enter the same password used for the keystore, for example, example1234.

5. Import the keystore by running the following command:

   keytool -import -alias ALIAS_NAME -keystore NEW_KEYSTORE_ABSOLUTE_PATH -file CERTIFICATE_FILE_ABSOLUTE_PATH
   

   For example:

   keytool -import -alias example088196 -keystore c:\temp\keys\new.jks -file c:\temp\keys\keystore.cert
   

   When you run this command, it will prompt for the keystore password, as shown in the following example:

   Enter keystore password:  example1234 [Enter]
   Trust this certificate? [no]:  yes [Enter]
   Certificate was added to keystore
   

   In this example, the instances when you may press Enter are shown in bold.

Configuring Oracle WebLogic Server

After generating and importing the keystore, start Oracle WebLogic Server. To configure Oracle WebLogic Server:

1. Log in to the Oracle WebLogic Server console at http://localhost:7001/console and perform the following:

   1. Expand the servers node and select the server instance.

   2. Select the General tab.

   3. Select the SSL Listen Port Enabled option.

   4. Ensure that a valid port is specified in the SSL Listen Port field. The default port is 7002.

   5. Click Apply to save your changes.

2. Click the Keystore & SSL tab, and then click Change.

3. From the Keystores list, select Custom identity And Java Standard Trust, and then click Continue.

4. Configure the keystore properties. To do so:

   1. In the Custom Identity Key Store File Name column, specify the full path of the keystore generated in Step 1 of "Generating Keystore", for example, c:\temp\keys\keystore.jks. In the Custom Identity Key Store Type column, specify the type of keystore, for example, JKS. In the Custom Identity Key Store Pass Phrase and Confirm Custom Identity Key Store Pass Phrase columns, specify the keystore password.

   2. Provide the Java standard trust keystore pass phrase and Confirm Java standard trust keystore pass phrase. The default password is changeit, unless you change the password.

   3. Click Continue.

5. Specify the private key alias, pass phrase and the confirm pass phrase as the keystore password. Click Continue.

6. Click Finish.

7. Restart Oracle WebLogic Server. If the server starts successfully with the SSL configuration, then lines similar to the following are recorded in the startup log:

   <Apr 21, 2008 2:35:43 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "ListenThread.Default" listening on port 7001, ip address *.*> 
   <Apr 21, 2008 2:35:43 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "SSLListenThread.Default" listening on port 7002, ip address *.*>
   

   Note:

   7002 is the default SSL port for Oracle WebLogic Server.

Configuring SSL on Oracle WebLogic Server with a CA Certificate

To configure SSL connectivity between Oracle Identity Manager on Oracle WebLogic Server and the target system with a CA certificate, you must perform the following tasks:

Note:

Although this is an optional step of the deployment procedure, Oracle strongly recommends that you configure SSL communication between the target system and Oracle Identity Manager.

• Generating Keystore

• Configuring Oracle WebLogic Server

Generating Keystore

The connector requires Certificate Services to be running on the host computer. To generate the keystore:

1. Run the following command:

   keytool -genkey -keystore ABSOLUTE_KEYSTORE_PATH -alias ALIAS_NAME -keyalg KEY_ALGORITHM -storepass KEYSTORE_PASSWORD -keypass PRIVATE_KEY_PASSWORD
   

   For example:

   keytool -genkey -keystore c:\temp\keys\keystore.jks -alias example088196 -keyalg RSA -storepass example1234 -keypass example1234
   

   Note:

   The keystore password and the private key password must be the same.

   Typically, the alias name is the name or the IP address of the computer on which you are configuring SSL.

2. When prompted, enter the information about the certificate. This information is displayed to users attempting to access a secure page in the application. This is illustrated in the following example:

   keytool -genkey -keystore c:\temp\keys\keystore.jks -alias example088196    -keyalg RSA -storepass example1234 -keypass example1234
   What is your first and last name?
     [Unknown]:  Must be the name or IP address of the computer
   What is the name of your organizational unit?
     [Unknown]:  example
   What is the name of your organization?
     [Unknown]:  example
   What is the name of your City or Locality?
     [Unknown]:  New York
   What is the name of your State or Province?
     [Unknown]:  New York
   What is the two-letter country code for this unit?
     [Unknown]:  US
   Is <CN=Name or IP address of the computer, OU=example, O=example, L=New York, ST=New York, C=US> correct?
     [no]:  yes
   

   When you enter yes in the last line of the preceding example, the keystore.jks file is created in the c:\temp\keys\ directory.

3. Generate the certificate signing request by running the following command:

   keytool -certreq -keystore ABSOLUTE_KEYSTORE_PATH -alias ALIAS_NAME -keyalg KEY_ALGORITHM -file CERTIFICATE_FILE_ABSOLUTE_PATH
   

   For example:

   keytool -certreq -keystore c:\temp\keys\keystore.jks -alias example088196 -keyalg RSA -file c:\temp\keys\keystore.cert
   

   When prompted for the keystore password, enter the same password used for the keystore in Step 1, for example example1234. This will store a certificate request in the file that you specified in the preceding command.

4. Get the certificate from a CA by using the certificate request generated in the previous step and store the certificate in a file.

5. Export the keystore generated in Step 1 to a new certificate file, for example, myCert.cer, by running the following command:

   keytool –export –keystore ABSOLUTE_KEYSTORE_PATH -alias alias-name specified in step 1 -file CERTIFICATE_FILE_ABSOLUTE_PATH
   

   For example:

   keytool –export –keystore c:\temp\keys\keystore.jks -alias example088196 -file c:\temp\keys\myCert.cer
   

6. Import the CA certificate to a new keystore by running the following command:

   keytool -import -alias ALIAS_NAME -file CERTIFICATE_FILE_ABSOLUTE_PATH -keystore NEW_KEYSTORE_ABSOLUTE_PATH -storepass KEYSTORE_PASSWORD generated in Step 1
   

   For example:

   keytool -import -alias example088196 -file c:\temp\keys\rootCert.cert -keystore c:\temp\keys\rootkeystore.jks 
   

   When you run this command, it will prompt for the keystore password, as shown:

   Enter keystore password:  example1234 [Enter]
   Trust this certificate? [no]:  yes [Enter]
   Certificate was added to keystore
   

   In this example, the instances when you can press Enter are shown in bold.

Configuring Oracle WebLogic Server

After creating and importing the keystore to the system, start Oracle WebLogic Server. To configure Oracle WebLogic Server:

1. Log in to the Oracle WebLogic Server console ((http://localhost:7001/console) and perform the following:

   1. Expand the server node and select the server instance.

   2. Select the General tab.

   3. Select the SSL Port Enabled option.

   4. Ensure that a valid port is specified in the SSL Listen Port field. The default port is 7002.

   5. Click Apply to save your changes.

2. Click the Keystore & SSL tab, and click the Change link.

3. From the Keystores list, select Custom Identity And Custom Trust, and then click Continue.

4. Configure the keystore properties. To do so:

   1. In the Custom Identity Key Store File Name column, specify the full path of the keystore generated in Step 1 of "Generating Keystore", for example, c:\temp\keys\keystore.jks. In the Custom Identity Key Store Type column, specify the type of keystore, for example, JKS. In the Custom Identity Key Store Pass Phrase and Confirm Custom Identity Key Store Pass Phrase columns, specify the keystore password.

   2. In the Custom Trust and Custom Trust Key Store File Name column, specify the full path of the keystore generated in Step 1 of "Generating Keystore", for example, c:\temp\keys\rootkeystore.jks. In the Custom Trust Key Store Type column, specify the type of keystore, for example, JKS. In the Custom Trust Key Store Pass Phrase and Confirm Custom Trust Key Store Pass Phrase columns, specify the keystore password.

   3. Provide the Java standard trust keystore password. The default password is changeit, unless you change the password.

   4. Click Continue.

5. Specify the alias name and private key password. Click Continue.

6. Click Finish.

7. Restart Oracle WebLogic Server. If the server starts successfully with the SSL configuration, then lines similar to the following are recorded in the startup log:

   <Apr 21, 2008 2:35:43 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "ListenThread.Default" listening on port 7001, ip address *.*> 
   <Apr 21, 2008 2:35:43 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "SSLListenThread.Default" listening on port 7002, ip address *.*>
   

   Note:

   7002 is the default SSL port for Oracle WebLogic Server.

2.3.1.3.2 Configuring SSL on IBM WebSphere Application Server

You can configure SSL connectivity on IBM WebSphere Application Server with either a self-signed certificate or a CA certificate. The following sections describe this:

• Configuring SSL on IBM WebSphere Application Server with a Self-Signed Certificate

• Configuring SSL on IBM WebSphere Application Server with a CA Certificate

Configuring SSL on IBM WebSphere Application Server with a Self-Signed Certificate

To configure SSL connectivity between Oracle Identity Manager on IBM WebSphere Application Server and the target system with a self-signed certificate, you must perform the following tasks:

1. Log in to the WebSphere Integrated Solutions Console. The URL may be similar to the following:

   https://localhost:9043/ibm/console/logon.jsp
   

2. Click Security, SSL certificate and key management, Related items, Key stores and certificates, NodeDefaultKeyStore, and then click Personal certificates.

3. Click Create a self-signed certificate.

4. In the Alias field, enter an alias name. You specify the alias name to identify the certificate request in the keystore.

5. In the CN field, enter a value for common name. The common name must be the fully-qualified DNS host name or the name of the computer. The CN of the certificate must match the domain name or the name of the computer. For example, if the name of your domain is us.example.com, then the CN of the SSL certificate that you create for your domain must also be us.example.com.

6. In the Organization field, enter an organization name.

7. In the Organization unit field, specify the organization unit.

8. In the Locality field, enter the locality.

9. In the State or Province field, enter the state.

10. In the Zip Code field, enter the zip code.

11. From the Country or region list, select the country code.

12. Click Apply and then Save.

13. Click Security, SSL certificate and key management, Related items, Key stores and certificates, NodeDefaultKeyStore, and then click Personal certificates.

14. Select the check box for the new alias name.

15. Click Extract.

16. Specify the absolute file path where you want to extract the certificate under the certificate file name. For example, C:\SSLCerts\sslcert.cer.

17. Click Apply and then click OK.

Configuring SSL on IBM WebSphere Application Server with a CA Certificate

To configure SSL connectivity between Oracle Identity Manager on IBM WebSphere Application Server and the target system with a CA certificate, you must perform the following tasks:

1. Log in to the WebSphere Integrated Solutions Console. The URL may be similar to the following:

   https://localhost:9043/ibm/console/logon.jsp
   

2. Click Security, SSL certificate and key management, Related items, Key stores and certificates, NodeDefaultKeyStore.

3. On the Additional Properties tab, click Personal certificate requests.

4. Click New.

5. In the File for certificate request field, enter the full path where the certificate request is to be stored, and a file name. For example: c:\servercertreq.arm (for a computer running on Microsoft Windows).

6. In the Key label field, enter an alias name. You specify the alias name to identify the certificate request in the keystore.

7. In the CN field, enter a value for common name. The common name must be the fully-qualified DNS host name or the name of the computer. The CN of the certificate must match the domain name of your community. For example, if the name of your domain is us.example.com, then the CN of the SSL certificate that you create for your community must also be us.example.com.

8. In the Organization field, enter an organization name.

9. In the Organization unit field, specify the organization unit.

10. In the Locality field, enter the locality.

11. In the State or Province field, enter the state.

12. In the Zip Code field, enter the zip code.

13. From the Country or region list, select the country code.

14. Click Apply and then Save. The certificate request is created in the specified file location in the keystore. This request functions as a temporary placeholder for the signed certificate until you manually receive the certificate in the keystore.

    Note:

    Keystore tools such as iKeyman and keyTool cannot receive signed certificates that are generated by certificate requests from IBM WebSphere Application Server. Similarly, IBM WebSphere Application Server cannot accept certificates that are generated by certificate requests from other keystore utilities.

15. Send the certification request arm file to a CA for signing.

16. Create a backup of your keystore file. You must create this backup before receiving the CA-signed certificate into the keystore. The default password for the keystore is WebAS. The Integrated Solutions Console contains the path information for the keystore's location. The path to the NodeDefaultKeyStore is listed in the Integrated Solutions Console as:

    was_profile_root\config\cells\cell_name\nodes\node_name\key.p12
    

    Now you can receive the CA-signed certificate into the keystore to complete the process of generating a signed certificate for IBM WebSphere Application Server.

To receive a signed certificate issued by a CA, perform the following tasks:

1. In the WebSphere Integrated Solutions Console, click Security, SSL certificate and key management, Related items, Key stores and certificates, NodeDefaultKeyStore, and then click Personal Certificates.

2. Click Receive a certificate from a certificate authority.

3. Enter the full path and name of the certificate file.

4. Select the default data type from the list.

5. Click Apply and then Save.

The keystore contains a new personal certificate that is issued by a CA. The SSL configuration is ready to use the new CA-signed personal certificate.

2.3.1.3.3 Configuring SSL on JBoss Application Server

Before configuring SSL on JBoss Application Server, ensure the following:

• JBoss Application Server is installed on the Oracle Identity Manager host computer

• Java Runtime Environment is installed on the JBoss Application Server host

You can configure SSL connectivity on JBoss Application Server with either a self-signed certificate or a CA certificate. The following sections describe this. If you are configuring SSL on JBoss Application Server with a self-signed certificate, then perform the following tasks:

• Creating the Self-Signed Certificate

• Moving the Keystore

• Updating the Configuration File

If you are configuring SSL on JBoss Application Server with a CA certificate, then perform the following tasks:

• Importing a CA Certificate

• Moving the Keystore

• Updating the Configuration File

Creating the Self-Signed Certificate

To create the self-signed certificate, see "Generating Keystore".

Importing a CA Certificate

To import a CA certificate, perform the following tasks:

1. Run the following command:

   keytool -genkey -alias ALIAS_NAME -keystore ABSOLUTE_KEYSTORE_PATH -keyalg KEY_ALGORITHM -storepass KEYSTORE_PASSWORD -keypass PRIVATE_KEY_PASS
   

   For example:

   keytool -genkey -alias example088196 -keystore c:\temp\keys\custom.keystore -keyalg RSA -storepass example1234 -keypass example1234
   

   Note:

   - The keystore password and the private key password must be the same.

   - Typically, the alias is the name or IP address of the computer on which you are configuring SSL.

   - The alias used in the various command of this procedure must be the same.

2. When prompted, enter the information about the certificate, such as company and contact name. This information is displayed to employees attempting to access a secure page in the application. This is illustrated in the following example:

   What is your first and last name?
     [Unknown]:  Must be the name or IP address of the computer
   What is the name of your organizational unit?
     [Unknown]:  example
   What is the name of your organization?
     [Unknown]:  example
   What is the name of your City or Locality?
     [Unknown]:  New York
   What is the name of your State or Province?
     [Unknown]:  New York
   What is the two-letter country code for this unit?
     [Unknown]:  US
   Is <CN=Name or IP address of the computer, OU=example, O=example, L=New York, ST=New York, C=US> correct?
     [no]:  yes
   

   When you enter yes in the last line of the preceding example, the custom keystore file is created in the c:\temp\keys\ directory.

3. Generate the certificate signing request by running the following command:

   keytool -certreq -alias ALIAS_NAME -file ABSOLUTE_CSR_PATH  -keystore  ABSOLUTE_KEYSTORE_PATH
   

   For example:

   keytool -certreq -alias example088196 -file c:\temp\keys\certReq.csr -keystore c:\temp\keys\custom.keystore
   

4. Submit the certReq.csr file on a CA Web site for downloading the CA certificate.

   Ensure that your %JAVA_HOME%\jre\lib\security\cacerts has the root certificate of the CA that has generated the CA certificate.

   To check all the root certificates that %JAVA_HOME%\jre\lib\security\cacerts contains, run the following command:

   keytool -list -keystore %JAVA_HOME%\jre\lib\security\cacerts -storepass cacerts_store_password
   

   For example:

   %JAVA_HOME%\jre\bin\keytool -list -keystore %JAVA_HOME%\jre\lib\security\cacerts -storepass changeit
   

   If the %JAVA_HOME%\jre\lib\security\cacerts keystore does not contain the root certificate of CA that has generated the CA certificate, then you must import the root certificate of CA into %JAVA_HOME%\jre\lib\security\cacerts.

   Run the following command to import the root certificate of CA:

   keytool -import  -alias <cacerts_key_entry_alias> -file <CARootCertificate.cer> -keystore %JAVA_HOME%\jre\lib\security\cacerts  -storepass cacerts_store_password
   

   For example:

   keytool -import -alias cakey -file "C:\temp\Thawte Test Root.cer" -keystore %JAVA_HOME%\jre\lib\security\cacerts -storepass changeit
   

   You will see that the certificate has been added to the keystore.

5. Import the CA certificate by running the following command:

   keytool -import -alias ALIAS_NAME -keystore ABSOLUTE_KEYSTORE_PATH -trustcacerts -file ABSOLUTE_CACERT_PATH
   

   ABSOLUTE_CACERT_PATH represents the path in which you have stored the certificate downloaded from CA.

   For example:

   keytool -import -alias example088196 -keystore c:\temp\keys\custom.keystore -trustcacerts -file c:\temp\keys\CACert.cer
   

   When you run this command, it will prompt for the keystore password, as shown:

   Enter keystore password:  example1234 [Enter]
   Owner: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
   Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
   Serial number: 0
   Valid from: Thu Aug 01 05:30:00 GMT+05:30 1996 until: Fri Jan 01 03:29:59 GMT+05:30 2021
   Certificate fingerprints:
            MD5:  5E:E0:0E:1D:17:B7:CA:A5:7D:36:D6:02:DF:4D:26:A4
            SHA1: 39:C6:9D:27:AF:DC:EB:47:D6:33:36:6A:B2:05:F1:47:A9:B4:DA:EA
   Trust this certificate? [no]:  yes [Enter]
   

   In this example, the instances when you can press Enter are shown in bold.

Moving the Keystore

To move the certificate to a JBoss Application Server directory, copy the generated keystore to the conf directory of your JBoss installation. For example, the directory can be C:\Program Files\jboss-4.0.3\server\default\conf\.

Updating the Configuration File

Before updating the configuration file, shut down JBoss Application Server. The JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/server.xml file contains information about what web features to turn on when the server starts up. Inside this file, there is a part that looks similar to the following:

<!-- SSL/TLS Connector configuration using the admin devl guide keystore
<Connector port="8443" address="${jboss.bind.address}"
  maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
  emptySessionPath="true" 
  scheme="https" secure="true" clientAuth="false" 
  keystoreFile="${jboss.server.home.dir}/conf/chap08.keystore"
  keystorePass="rmi+ssl" sslProtocol = "TLS" />
-->

In the code, make the following changes:

• Uncomment the block of code.

• Change the value of Connector port to 443 (default SSL port).

• Change the value of keystoreFile to the absolute path of the keystore generated in "Generating Keystore".

• Change the value of keystorePass to the password of the keystore.

After making the changes, the code block will look similar to the following:

<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="443" address="${jboss.bind.address}"
maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/ custom.keystore"
keystorePass=" example1234 " sslProtocol = "TLS" />
<!-- -->

SSL is now enabled. You can restart JBoss Application Server and browse to the following URL to verify if SSL is enabled:

https://localhost:443

2.3.2 Postinstallation on the Target System

Postinstallation on the target system consists of the following procedures:

• Configuring SSL

• Installing the Remote Manager

2.3.2.1 Configuring SSL

To configure SSL on the target system:

1. Copy the certificate to the computer on which PeopleSoft Enterprise Applications is installed.

   Note:

   If you are using IBM WebSphere Application Server, then you must download the root certificate from a CA.

2. Run the following command:

   PEOPLESOFT_HOME/webserv/peoplesoft/bin/pskeymanager.cmd -import
   

3. When prompted, enter the current keystore password.

4. When prompted, enter the alias of the certificate that you imported while performing the application server specific procedures listed in "Configuring SSL".

   Note:

   The alias must be the same as the one created when the keystore was generated.

   If you are using IBM WebSphere Application Server, then enter root as the alias.

5. When prompted, enter the full path and name of the certificate and press Enter.

   Note:

   If you are using IBM WebSphere Application Server, then enter the path of the root certificate.

6. When prompted for the following:

   Trust this certificate? [no]: yes 
   

   Select yes and press Enter.

7. Restart the Web server of the target system.

2.3.3 Configuring the Remote Manager

This section discusses the following topics:

• Configuring the IT Resource for the Connector with the Remote Manager

• Configuring Oracle Identity Manager to Trust the Remote Manager

• Verifying That the Remote Manager Is Running

2.3.3.1 Configuring the IT Resource for the Connector with the Remote Manager

The IT resource for the connector with the Remote Manager contains connection information about the Remote Manager. Oracle Identity Manager uses this information during provisioning.

When you deploy the connector with the Remote Manager, two IT resource instances, PSFTUM_849_RM and PSFT_RM_849, are automatically created in Oracle Identity Manager.

The PSFTUM_849_RM IT resource instance contains the following fields:

• service name

  Sample value: ServiceName= RManager

• url

  The syntax of the url is: rmi://REMOTE_MANGER_HOST:BINDING_PORT

  Sample value: url = rmi://172.21.109.95:12346

  The service name and the binding port of the url are available in the RM_HOME/config/xlconfig.xml file.

You must specify values for the parameters of the PSFT_RM_849 IT resource as follows:

1. Log in to the Administrative and User Console.

2. Expand Resource Management.

3. Click Manage IT Resource.

4. In the IT Resource Name field on the Manage IT Resource page, enter PSFTUM_RM_849 and then click Search.

5. Click the edit icon for the IT resource.

6. From the list at the top of the page, select Details and Parameters.

7. Specify values for the parameters of the IT resource. Table 2-5 describes each parameter:

   Table 2-5 Parameters of the IT Resource for the Connector with the Remote Manager

   Parameter	Description
   Admin	User ID of the PeopleSoft Enterprise Applications limited rights user profile. Oracle Identity Manager uses this target system account to connect to and exchange data with the target system. Sample value: OIMUM
   AdminCredentials	Enter the password of the PeopleSoft Enterprise Applications administrator.
   ComponentInterfaceName	Component interface used to load user data in PeopleSoft Enterprise Applications Default value: USER_PROFILE
   ServerName	Enter the IP address or host name of the computer hosting the PeopleSoft application server. Note: The IP address or the host name must be followed by the port number on which PeopleSoft Internet Architecture is running. Sample value: ServerName = 172.21.109.48:90
   ServerPort	JOLT Listener port: BEA JOLT acts as the communication layer between the Web server and the application server installed on the target system. Default value: 9000
   IsSecure	This parameter is deprecated in the current release. Modifying the values for this parameter will not affect the functionality of the connector.
   SymbolicId	Enter the AccessId associated with the PeopleSoft Enterprise Applications limited rights user profile. The AccessId specifies whether or not the limited rights user has sufficient privileges on the PeopleSoft Enterprise Applications database. Sample value: SYSADM1
   NumberOfRetries	Enter the number of times Oracle Identity Manager must try connecting to the target system before the InvocationTargetException error is thrown. Default value: 2 Note: The timeout feature is enabled only for full reconciliation and provisioning. It is not applied during incremental reconciliation.
   DelayBetweenRetries	Use this parameter to specify the time difference (in milliseconds) between consecutive retries. Default value: 20000
   RecordName	Use this parameter to add the Employee ID for a new user profile or update the Employee ID for an existing user profile. Default value: PERSONAL_DATA
   UnsupportedCharacters	List of characters or strings that are not supported by PeopleSoft in the value specified for any user profile field Default value: ,##;## ##:##&##(##)##\##[##]##/##<##>##PPLSOFT These characters are separated by ## (two number sign characters).
   PIAServerName	Enter the IP address or host name of the computer hosting PeopleSoft Internet Architecture. Note: The IP address or the host name must be followed by the port number on which PeopleSoft Internet Architecture is running. Sample value: 172.21.109.48:90

   
   

8. To save the values, click Update.

2.3.3.2 Configuring Oracle Identity Manager to Trust the Remote Manager

To configure Oracle Identity Manager to trust the Remote Manager you have installed:

1. From the computer hosting the Remote Manager, copy the RM_HOME/xlremote/config/xlserver.cert file to a temporary directory on the Oracle Identity Manager host computer.

   Note:

   The server certificate in the OIM_HOME directory is also named xlserver.cert. Ensure that you do not overwrite that certificate.

2. To import the certificate by using the keytool utility, run the following command:

   JAVA_HOME/jre/bin/keytool -import -alias ALIAS -file RM_CERT_LOCATION/xlserver.cert -keystore OIM_HOME/xellerate/config/.xlkeystore -storepass PASSWORD
   

   In the preceding command, replace:

   • JAVA_HOME with the location of the Java directory for your application server.

   • ALIAS with an alias for the certificate in the store.

   • RM_CERT_LOCATION with the full path of the temporary directory where you copied the certificate.

   • PASSWORD with the password of the keystore.

3. Copy the OIM_HOME/xellerate/config/xlserver.cert file to a temporary directory on the Remote Manager host computer.

4. To import the certificate by using the keytool utility on the Remote Manager host computer, run the following command:

   JAVA_HOME/jre/bin/keytool -import -alias ALIAS -file OIM_CERT_LOCATION/xlserver.cert -keystore RM_HOME/xlremote/config/.xlkeystore -storepass PASSWORD
   

   In the preceding command, replace:

   • JAVA_HOME with the location of the Java directory for your application server.

   • ALIAS with an alias for the certificate in the store.

   • OIM_CERT_LOCATION with the full path of the temporary directory where you copied the certificate.

   • PASSWORD with the password of the keystore.

     Note:

     It is recommended that you follow security best practices and change the default passwords used for the Remote Manager keystore. To change the Remote Manager keystore password, follow the instructions given in Oracle Identity Manager Installation and Configuration Guide for your application server.

2.3.3.3 Verifying That the Remote Manager Is Running

To ensure that the Remote Manager is running:

1. Use the following script to start the Remote Manager:

   RM_HOME/xlremote/remotemanager.bat

2. Log in to the Design Console.

3. Expand Administration, and double-click Remote Manager.

4. Search for and open the Remote Manager that you have created.

5. Click the Refresh icon. The screen displays details of the Remote Manager that you have configured. The running check box should be selected for the Remote Manager. This implies that the status of the Remote Manager is active.