Oracle® Identity Manager Audit Report Developer's Guide Release 9.1.0.1 Part Number E14045-03 |
|
|
View PDF |
You can configure Oracle Identity Manager to use one database for current transactional data and a secondary database for historical data. The secondary database eases the load on the transactional database.
You can use different data sources for the secondary database. The following sections describe how to configure Oracle Identity Manager and your application server to use a secondary data source.
This chapter discusses the following topics:
Using IBM WebSphere Application Server with a Secondary Data Source
Using Oracle Application Server with a Secondary Data Source
User profile audit data can increase in size quickly. Oracle recommends that you use a secondary database to store this information. The following system property enables reading and writing to this database directly:
XL.UserProfileAuditInSecondaryDS
.
By default, the XL.UserProfileAuditInSecondaryDS
property is set to false
. If this property is set to true
, the system reads and writes all user profile data directly to and from the secondary database.
If you configure a secondary database, all historical reports are automatically configured to run against it.
The user profile audit interacts directly with the secondary database. You must replicate other tables from the transactional database because the report needs them for access control and filtering of the report. You can disable these tables and constraints for ease of data backup, restore, or replication.
Table 6-1 lists the tables and constraints.
Table 6-1 Tables and Constraints Used in Historical Reports
Table Name | Foreign Key Constraint Name | Referenced Table Name | Referenced Column Name |
---|---|---|---|
AAD |
FK_AAD_FK_AAD_AC_ACT |
ACT |
ACT_KEY |
FK_AAD_FK_AAD_UG_UGP |
UGP |
UGP_KEY |
|
ACT |
FK_ACT_ACT |
ACT |
PARENT_KEY |
FK_ACT_SRP |
SRP |
SRP_KEY |
|
GPG |
FK_GPG_UGP |
UGP |
UGP_KEY |
FK_GPG_UGP_KEY_UGP |
UGP |
GPG_UGP_KEY |
|
OUG |
FK_OUG_OBJ |
OBJ |
OBJ_KEY |
FK_OUG_UGP |
UGP |
UGP_KEY |
|
POL |
|||
PTY |
|||
REQ |
FK_REQ_ORC |
ORC |
ORC_KEY |
FK_REQ_OST |
OST |
OST_KEY |
|
FK_REQ_USR |
USR |
USR_KEY |
|
UGP |
|||
USG |
FK_USG_RUL |
RUL |
RUL_KEY |
FK_USG_UGP |
UGP |
UGP_KEY |
|
FK_USG_USR |
USR |
USR_KEY |
|
USR |
FK_USR_ACT |
ACT |
ACT_KEY |
OSI |
FK_OSI_ACT |
ACT |
ACT_KEY |
FK_OSI_ASSIGNED_TO_USR |
USR |
USR_KEY |
|
FK_OSI_MIL |
MIL |
MIL_KEY |
|
FK_OSI_ORC |
ORC |
ORC_KEY |
|
FK_OSI_ORD |
ORD |
ORD_KEY |
|
FK_OSI_PKG |
PKG |
PKG_KEY |
|
FK_OSI_REQ |
REQ |
REQ_KEY |
|
FK_OSI_RSC |
RSC |
RSC_KEY |
|
FK_OSI_SCH |
SCH |
SCH_KEY |
|
FK_OSI_SCH_OSI_RECOVERY_FOR |
SCH |
SCH_KEY |
|
FK_OSI_SCH_OSI_RETRY_FOR |
SCH |
SCH_KEY |
|
FK_OSI_TLG |
TLG |
TLG_KEY |
|
FK_OSI_TOS |
TOS |
TOS_KEY |
|
FK_OSI_TO_UGP |
UGP |
UGP_KEY |
|
FK_OSI_TO_USR |
USR |
USR_KEY |
|
OST |
FK_OST_OBJ |
OBJ |
OBJ_KEY |
OBI |
FK_OBI_OBJ |
OBJ |
OBJ_KEY |
FK_OBI_ORC |
ORC |
ORC_KEY |
|
FK_OBI_QUE |
QUE |
QUE_KEY |
|
FK_OBI_REQ |
REQ |
REQ_KEY |
|
FK_OBI_USR |
USR |
USR_KEY |
|
OBJ |
FK_OBJ_SDK |
SDK |
SDK_KEY |
OBA |
FK_OBA_OBJ |
OBJ |
OBJ_KEY |
FK_OBA_UGP |
UGP |
UGP_KEY |
|
RCE |
FK_RCE_ACT |
ACT |
ACT_KEY |
FK_RCE_ADMIN_UGP |
UGP |
UGP_KEY |
|
FK_RCE_ADMIN_USR |
USR |
USR_KEY |
|
FK_RCE_OBJ |
OBJ |
OBJ_KEY |
|
FK_RCE_ORC |
ORC |
ORC_KEY |
|
FK_RCE_USR |
USR |
USR_KEY |
|
MIL |
FK_MIL_DEFAULT_ASSIGNEE_USR |
USR |
USR_KEY |
FK_MIL_EVT |
EVT |
EVT_KEY |
|
FK_MIL_TOS |
TOS |
TOS_KEY |
|
RCX |
|||
ORC |
FK_ORC_ACT |
ACT |
ACT_KEY |
FK_ORC_ORC_PARENT_KEY |
ORC |
ORC_KEY |
|
FK_ORC_ORD |
ORD |
ORD_KEY |
|
FK_ORC_PKG |
PKG |
PKG_KEY |
|
FK_ORC_PKH |
PKH |
PKH_KEY |
|
FK_ORC_REQ |
REQ |
REQ_KEY |
|
FK_ORC_TOS |
TOS |
TOS_KEY |
|
FK_ORC_USR |
USR |
USR_KEY |
|
OIU |
FK_OIU_LAST_ATTESTED_USR |
USR |
USR_KEY |
FK_OIU_OBI |
OBI |
OBI_KEY |
|
FK_OIU_ORC |
ORC |
ORC_KEY |
|
FK_OIU_OST |
OST |
OST_KEY |
|
FK_OIU_POL |
POL |
POL_KEY |
|
FK_OIU_REQ |
REQ |
REQ_KEY |
|
FK_OIU_USR |
USR |
USR_KEY |
|
OSH |
FK_OSH_BY_USR |
USR |
USR_KEY |
FK_OSH_SCH |
SCH |
SCH_KEY |
|
FK_OSH_STA |
STA |
STA_KEY |
|
FK_OSH_TO_UGP |
UGP |
UGP_KEY |
|
FK_OSH_TO_USR |
USR |
USR_KEY |
|
SCH |
|||
RQU |
FK_RQU_REQ |
REQ |
REQ_KEY |
FK_RQU_USR |
USR |
USR_KEY |
|
RQO |
FK_RQO_OBI |
OBI |
OBI_KEY |
FK_RQO_OBJ |
OBJ |
OBJ_KEY |
|
FK_RQO_POL |
POL |
POL_KEY |
|
FK_RQO_REQ |
REQ |
REQ_KEY |
|
STA |
To set up a secondary database:
Create the secondary database.
You can back up and restore the transactional database under a different database name, or you can replicate the transactional database.
Set up the application server to use the secondary database.
See the following sections for details.
Set the system property XL.UserProfileAuditInSecondaryDS
to True
.
This stores user profile audit data in the secondary database.
Configure daily replication of the data so that the tables in the secondary database listed in Table 6-1 are updated from the primary database. After the secondary database is functional, do not replicate the entire primary database in the secondary database or any audit data that has been stored in the secondary database will be deleted.
Or, set up either a full restore or replication.
Ensure that all stored procedures are replicated correctly in the secondary database.
Define a connection URL as follows:
For Oracle Database:
jdbc:oracle:thin:@
IP of database
:
SID
For Microsoft SQL Server:
jdbc:sqlserver://
IP_Address_of_Database_Computer
:
Port_No
;DatabaseName=
SID
To create a new data source on JBoss Application Server, a new file called xlreportds-service.xml
is created by the setup in the deployment directory. This file creates an alias to the transactional database by using the java:jdbc/xlXAReportingDS
setting.
To point to a secondary database on JBoss Application Server:
Add the following to xell-ds.xml as a second xa-datasource
tag for the Oracle database:
<xa-datasource> <jndi-name>jdbc/xlXAReportingDS</jndi-name> <track-connection-by-tx>true</track-connection-by-tx> <isSameRM-override-value>false</isSameRM-override-value> <xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource </xa-datasource- class> <xa-datasource-property name="URL">jdbc:oracle:thin:@<IP of database system>: 1521:XELL </xa-datasource-property> <xa-datasource-property name="User">sysadm</xa-datasource-property> <xa-datasource-property name="Password">sysadm</xa-datasource-property> <exception-sorter-class-name> org.jboss.resource.adapter.jdbc.vendor. OracleExceptionSorter </exception-sorter-class-name> <no-tx-separate-pools/> <valid-connection-checker-class-name> org.jboss.resource.adapter.jdbc.vendor. OracleValidConnectionChecker </valid-connection-checker-class-name> </xa-datasource>
For Microsoft SQL Server, the secondary database tag is as follows:
<xa-datasource> <jndi-name>jdbc/xlXAReportingDS</jndi-name> <track-connection-by-tx>true</track-connection-by-tx> <xa-datasource-class>com.microsoft.sqlserver.jdbc.SQLServerXADataSource</xa-datasource-class> <xa-datasource-property name="ServerName"><IP of database system></xa-datasource-property> <xa-datasource-property name="DatabaseName">secondary_database_name</xa-datasource-property> <xa-datasource-property name="PortNumber">1433</xa-datasource-property> <user-name>secondary_database_user_name</user-name> <password>secondary_database_password</password> <check-valid-connection-sql>select 1 from USR where 1=2</check-valid-connection-sql> </xa-datasource>
The class names for Oracle Database and Microsoft SQL Server are as follows:
Oracle:
oracle.jdbc.xa.client.OracleXADataSource
Microsoft SQL Server:
com.microsoft.sqlserver.jdbc.SQLServerXADataSource
Change the database name, user name, and password to connect to the database you set up as the secondary database.
Restart the JBoss server.
Note:
Do not add thexa-datasource
block in this section or point the jdbc/xlXAReportingDS
to the transactional database because it causes errors. To point to the same transactional database, keep the xlreportds-service.xml
file as is.In a standalone setup, the xell-ds.xml and xlreportds-service.xml files are in the JBOSS_HOME
/server/default/deploy/
directory.
In a clustered setup, the xell-ds.xml
file is in the JBOSS_HOME
/server/all/farm/
directory, and xlreportds-service.xml
in the JBOSS_HOME
/server/all/deploy/
directory.
To configure a cluster for JBoss Application Server:
Copy the changes to the xell-ds.xml
file to all computers in the cluster.
Restart the JBoss servers on all computers in the cluster.
Before changing the data source that Oracle Identity Manager uses for reporting, create a new data source in Oracle WebLogic Server. Perform the procedure given in Oracle WebLogic Server documentation to set up a new data source.
To configure Oracle WebLogic Server with a secondary data source by using the Oracle and Microsoft SQL Server databases:
Log in to the administrative console of the application server.
In the Change Center region, click Lock & Edit.
In the Domain Structure region, navigate to Services, JDBC, and Data Sources.
In the Data Sources region on the right pane, click New.
Set the following properties under Create a New JDBC Data Source:
For Oracle:
Name: xlXAReportingDS
JNDI name: jdbc/xlXAReportingDS
Database type: Oracle
Database Driver: *Oracle's Driver(Thin XA)Versions:9.0.1,9.2,10,11
For Microsoft SQL Server:
Name: xlXAReportingDS
JNDI name: jdbc/xlXAReportingDS
Database type: MicroSoft SQL Server
Database Driver: Microsoft SQL Server Driver (Type 4 XA) Version:2005
Click Next.
On the Transaction Options page, click Next.
Set the following properties under the Connection Pool tab:
Database Name: SID
Host Name: @
Database_IP_Address
Port: @
port_no
Database User Name: secondary_database_user_name
Password: secondary_database_password
Confirm Password: secondary_database_password
Click Next.
Ensure that the Test Database Connection page shows the following properties:
For Oracle:
Driver Class Name: oracle.jdbc.xa.client.OracleXADataSource
URL: jdbc:oracle:thin:@
Database_IP_Address
:port_no
:SID
Database User Name: secondary_database_user_name
Password: secondary_database_password
Confirm Password: secondary_database_password
Properties: User=
secondary_database_user_name
For Microsoft SQL Server:
Driver Class Name: com.microsoft.sqlserver.jdbc.SQLServerXADataSource
URL: jdbc:sqlserver:@
Database_IP_Address
:
port_no
:SID
Database User Name: secondary_database_user_name
Password: secondary_database_password
Confirm Password: secondary_database_password
Properties: User=
secondary_database_user_name
Click Test Configuration.
The "Connection test succeeded" message is displayed.
Click Next.
On the Select Targets page, select Admin Server and then click Finish.
In the Change Center region, click Active Changes.
Edit the weblogic.profile
file, and add the JNDI information that points to the new data source in the OIM_HOME/xellerate/Profiles
directory.
Comment out the existing data source entry for xlXADS
and add the information for xlXAReportingDS
as follows:
# Reporting data source
# datasource.report=jdbc/xlXADS
datasource.report=jdbc/xlXAReportingDS
Ensure that the Design Console System property is set to True
as follows:
XL.UserProfileAuditInSecondaryDS=True
Restart the server. For information about restarting the server, see Oracle Identity Manager Installation and Configuration Guide for BEA WebLogic Server for release 9.1.0.1.
Run the following command for the changes to take effect:
OIM_HOME
/xellerate/setup/patch_weblogic.cmd/sh WEBLOGIC_ADMIN_PASSWORD
OIM_DATASOURCE_PASSWORD
Note:
If the patch application process fails, then Oracle Weblogic might have some files locked. Perform the following steps to redeploy Oracle Identity Manager:Create a backup of the applications before deleting.
Delete the WLXellerateFull.ear and WLNexaweb.ear files from the OIM_HOME
/xellerate/OIMApplications
directory.
Run the patch_Weblogic.cmd/sh
script.
Restart the server.
Before changing the data source used by Oracle Identity Manager for reporting, you must create a new data source in IBM WebSphere Application Server. See the IBM WebSphere Application Server manuals for information about setting up a new data source.
To configure IBM WebSphere Application Server with a secondary data source by using the Oracle database:
Log in to the WebSphere administrator console.
Create a new data source with the following details:
Define the connection URL as follows:
jdbc:oracle:thin:@
IP_of_database
:
port_number
:
SID
For example: jdbc:oracle:thin:@192.168.161.134:1521:xeltest
Use the following J2C authentication data values:
Alias: secondary_user_alias
User: secondary_user
Password: secondary_user_password
Description: Descriptive_text_for_the_data
Select the component-managed authentication aliases for XAReportingDatasource
with the following values:
Component-managed authentication alias: J2C_Authentication_Data Entries
Container-managed authentication alias: J2C_Authentication_Data Entries
Save and synchronize changes among all nodes.
Open the websphere.profile
file, and add the JNDI information that points to the new data source in the OIM_HOME
/xellerate/Profiles/
directory.
Comment out the existing data source entry for xlXADS
and add the information for xlXAReportingDS
as follows:
# Reporting data source #datasource.report=jdbc/xlXADS datasource.report=jdbc/xlXAReportingDS
Set the following Java Client System property to true:
XL.UserProfileAuditInSecondaryDS=True
Run patch_websphere.cmd
or patch_websphere.sh
as applicable from the OIM_HOME
/xellerate/setup
directory.
To configure IBM WebSphere Application Server with a secondary data source by using the Microsoft SQL Server database:
Login to the WebSphere administrator console as the administrator.
Create a new JDBC provider with scope as cell:
DataBase Type: SQL Server
Provider Type: DataDirect ConnectJDBC type 4 driver for MS SQL Server
Implementation Type: XA Data Source
Name: <XL XA Reporting Provider>
Description: <XL XA Reporting Provider>
Click Next.
Specify the path for the sqljdbc.jar file and click Next.
Click Finish.
Save all the changes.
Click the JDBC provider created in step 2.
Change the classpath to the path of the sqljdbc.jar file.
Change the Implement Class Name to the JDBC Driver.
Create a new data source with the following details:
Name: <XAReprtingDataSource>
JNDI name: jdbc/xlXAReportingDS
Component-managed authentication alias: <J2C Authentication Data Entries>
Container-managed authentication alias: <J2C Authentication Data Entries>
Use the following J2C authentication data values to authenticate the database credentials:
Alias: <secondary user alias>
User: <secondary user>
Password: <secondary user password>
Description: <Descriptive text for the data>
Select the JDBC Provider created above and click Next.
Enter the following database credentials:
Database Name: <Secondary_DataBase_Name>
Server Name: <Host_Name>
Click Next.
Modify the WebSphere.profile to add the JNDI information that points to the new data source in the /Xellerate/profile
directory, as shown:
datasource.report=jdbc/xlXAReportingDS
Set the following Java Client System property to true:
XL.UserProfileAuditInSecondaryDS=True
After modifying the profile, run the patch command (patch_websphere) for the changes to take effect.
Before changing the data source used by Oracle Identity Manager for reporting, you must create a new data source in Oracle Application Server.
To configure Oracle Application Server with a secondary data source by using the Oracle database:
Log in to the Oracle Enterprise Manager 10g Application Server Console for the Oracle Application Server instance.
Click the Oracle Application Server instance on which Oracle Identity Manager is deployed.
The Administration tab displays the list of administration tasks you can perform on the selected Oracle Application Server instance.
Expand the Services section of the table by either clicking the expand icon or clicking Expand All.
In the JDBC Resources row, click the task icon.
To create a connection pool, in the Connection Pools section, click Create and then select the following values for the Application and Connection Pool Type parameters:
Application: default
Connection Pool Type: New Connection Pool
Click Continue.
For the following parameters, enter (or change to) the specified values:
Name: xlXAReportingConnectionPool
Connection Factory Class: oracle.jdbc.xa.client.OracleXADataSource
JDBC URL: jdbc:oracle:thin:@IP_of_database:port_number:SID
For example: jdbc:oracle:thin:@127.0.0.1:1521:xeltest
Username: Enter the secondary database user name.
Use Cleartext Password: Enter the secondary database password.
See Also:
Oracle Application Server documentation for information about using the Indirect Password featureAlternatively, to view information about this feature, click the i icon displayed next to the Use Indirect Password field in the Credentials section of the same tab.
On the Attributes tab, enter the values specified for xlXAConnectionPool
. To view those values:
Log in to another instance of the Oracle Enterprise Manager 10g Application Server Console for the Oracle Application Server instance.
Click the Oracle Application Server instance on which Oracle Identity Manager is deployed.
On the Administration tab, expand the Services section of the table.
In the JDBC Resources row, click the task icon.
Click xlXAConnectionPool.
The values that you must copy are displayed on the Attributes tab.
Click Finish.
In the Data Sources section, click Create to create a datasource with the following parameters:
Application: default
Datasource Type: Managed Data Source
Click Continue.
For the following parameters, enter (or change to) the specified values:
Name: xlXAReportingDS
JNDI Location: jdbc/xlXAReportingDS
Transaction Level: Global & Local transaction
Connection Pool: xlXAReportingConnectionPool
Click Finish.
Open the oc4j.profile
file, and add the JNDI information that points to the new data source in the OIM_HOME
/Profiles/
directory. Comment out the existing data source entry for xlXADS
and add the information for xlXAReportingDS
as follows:
# Reporting data source #datasource.report=jdbc/xlXADS datasource.report=jdbc/xlXAReportingDS
Based on the operating system on which Oracle Identity Manager is installed, run one of the following scripts:
For UNIX:
patch_oc4j.sh
oc4j_admin_password
oim_db_user_password
For Microsoft Windows:
patch_oc4j.cmd
oc4j_admin_password
oim_db_user_password
Restart Oracle Application Server.
To configure a cluster for Oracle Application Server:
Perform steps 2 through 13 of the procedure to configure Oracle Application Server with a secondary data source in all the Oracle Application Server instances on which Oracle Identity Manager is installed.
Modify each OIM_HOME
/profiles/oc4j.profile
file on all cluster members participating in the cluster.
Based on the operating system on which Oracle Identity Manager is installed, run patch_oc4j.sh
or patch_oc4j.cmd
on all cluster members participating in the cluster.
Stop and restart all cluster members.