Oracle® Role Manager Integration Guide
Release 10g (10.1.4.2)

Part Number E14611-07

6 Configuring Oracle Identity Manager

This chapter contains the manual procedures for configuring Oracle Identity Manager in preparation for the deployment of the Oracle Role Manager Integration Library. The procedures in this chapter are expected to be performed in the sequence they are presented.

Note:

If you are configuring on WebLogic and have run the automated configuration scripts as described in Chapter 4, you do not need to perform the manual steps in this chapter.

This chapter includes the following sections:

  • Section 6.1, "Before You Configure"
  • Section 6.2, "Configuring the Oracle Identity Manager Home Directory"
  • Section 6.3, "Creating the System User and User Group for Oracle Role Manager (WebLogic)"
  • Section 6.4, "Creating the System User and User Group for Oracle Role Manager (WebSphere and JBoss)"
  • Section 6.5, "Creating the Proxy User for Role Grant Approval Workflow"
  • Section 6.6, "Importing the Prepared Configuration"
  • Section 6.7, "Assigning the System User to the User Group"
  • Section 6.8, "Assigning the Proxy User to the System Group"
  • Section 6.9, "Configuring the IT Resource"
  • Section 6.10, "Configuring Role Grant Approval Workflow"

6.1 Before You Configure

The Oracle Role Manager Integration Library is intended to be deployed on the application server on which Oracle Identity Manager is deployed.

The procedures in this chapter assume the following:

6.2 Configuring the Oracle Identity Manager Home Directory

The home directory for Oracle Identity Manager is the directory that contains the xellerate directory. Depending on where Oracle Identity Manager is installed on the file system, you might need to reconfigure the Integration Library to point to the correct location for the home directory. This configuration allows localized values (such as active or deleted) to be interpreted properly when sent to Oracle Role Manager.

Note:

If Oracle Identity Manager is installed in C:\oim, the default value for the Integration Library configuration, you can skip this procedure.

Note:

If you have a clustered server configuration, this procedure must be performed on all managed nodes.

To configure the Oracle Identity Manager home directory:

  1. On the Oracle Identity Manager host, navigate to ORMINT_HOME/config.

  2. Open the IMConfig.xml file for editing.

  3. In the policies section, edit the oimRootdir policy to change C:\oim to the Oracle Identity Manager installation directory as follows:

    <policy> 
      <parameters>
        <parameter>
          <id>oimRootdir</id>
          <string>OIM_HOME</string>
        </parameter>
      </parameters>
    </policy>
    

    where OIM_HOME is the full path to the installation directory of Oracle Identity Manager.

  4. Save and close the IMConfig.xml file.

6.3 Creating the System User and User Group for Oracle Role Manager (WebLogic)

The configuration of Oracle Identity Manager running on the WebLogic application server requires specific naming for system users and groups for integrations. This procedure creates a user in Oracle Identity Manager to receive messages from Oracle Role Manager for user group additions, modifications or deletions.

Note:

If you have a clustered server configuration, this procedure must be performed on all managed nodes.

To create and configure the Oracle Role Manager user:

  1. On the Oracle Identity Manager host, navigate to ORMINT_HOME/config.

  2. Open the IMConfig.xml file for editing.

  3. In the policies section, edit the oimORMUser policy to change ormSystem to Internal as follows:

    <policy> 
      <parameters>
        <parameter>
          <id>oimORMUser</id>
          <string>Internal</string>
        </parameter>
      </parameters>
    </policy>
    
  4. Save and close the IMConfig.xml file.

  5. Start the Oracle Identity Manager server if it is not running.

  6. Connect to the Oracle Identity Manager Administrative and User Console. By default:

    http://host:port/xlWebApp

  7. If the user named Internal does not exist, create it as follows:

    1. Select Users, then select Create.

      Note:

      For Oracle Identity Manager on WebLogic, the user ID must be Internal and should not be changed.
    2. In the User ID field, enter Internal.

    3. In the Password field, enter a password for the user.

    4. In the Confirm Password field, enter the same password.

    5. In the First Name field, enter a value.

    6. In the Last Name field, enter a value.

    7. In the Organization field, click the Lookup icon.

    8. Select the organization in which you want to create the Internal user, for example, Xellerate Users.

    9. Click Select, then click Create User.
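Sections 6.2 and 6.3 both edit the same IMConfig.xml policies by hand, on every managed node in a cluster. The following Python script is an added example, not part of the Oracle documentation or of the Integration Library: it sets oimRootdir and oimORMUser in one pass and reads them back so the edit can be verified. The enclosing IMConfig and policies elements and the sample file contents are assumptions; the page quotes only the individual policy elements, so check the element names against your own IMConfig.xml before running it against a real file.

```python
"""Set the Integration Library policies in IMConfig.xml for one node (added example)."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample that mirrors the <policy>/<parameters>/<parameter> layout
# quoted in Sections 6.2 and 6.3. The <IMConfig> and <policies> wrappers are an
# assumption; the page shows only the <policy> elements themselves.
SAMPLE_IMCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<IMConfig>
  <policies>
    <policy>
      <parameters>
        <parameter>
          <id>oimRootdir</id>
          <string>C:\\oim</string>
        </parameter>
      </parameters>
    </policy>
    <policy>
      <parameters>
        <parameter>
          <id>oimORMUser</id>
          <string>ormSystem</string>
        </parameter>
      </parameters>
    </policy>
  </policies>
</IMConfig>
"""

# User ID that receives Oracle Role Manager messages, per application server:
# Internal on WebLogic (Section 6.3), ormSystem on WebSphere and JBoss (Section 6.4).
ORM_USER_BY_APPSERVER = {"weblogic": "Internal", "websphere": "ormSystem", "jboss": "ormSystem"}


def read_policy(xml_text, policy_id):
    """Return the <string> value of the parameter whose <id> is policy_id, or None."""
    for param in ET.fromstring(xml_text).iter("parameter"):
        if param.findtext("id") == policy_id:
            return param.findtext("string")
    return None


def _set_policy(root, policy_id, value):
    """Overwrite the <string> of the matching parameter; fail loudly if it is missing."""
    for param in root.iter("parameter"):
        if param.findtext("id") == policy_id:
            param.find("string").text = value
            return
    raise KeyError(f"no parameter with id {policy_id!r} in IMConfig.xml")


def oim_home_has_xellerate(oim_home):
    """True when oim_home is the OIM home as Section 6.2 defines it: it contains xellerate."""
    return Path(oim_home, "xellerate").is_dir()


def configure(xml_text, oim_home, appserver):
    """Return IMConfig.xml text with oimRootdir and oimORMUser set for this node."""
    if appserver not in ORM_USER_BY_APPSERVER:
        raise ValueError(f"unknown application server {appserver!r}")
    root = ET.fromstring(xml_text)
    _set_policy(root, "oimRootdir", oim_home)
    _set_policy(root, "oimORMUser", ORM_USER_BY_APPSERVER[appserver])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Placeholder path; run once per managed node and write the result back to
    # ORMINT_HOME/config/IMConfig.xml.
    updated = configure(SAMPLE_IMCONFIG, r"D:\oracle\oim", "weblogic")
    print(read_policy(updated, "oimRootdir"), read_policy(updated, "oimORMUser"))
```

Call oim_home_has_xellerate() on the path before writing the file: the value of oimRootdir must be the directory that contains xellerate, not xellerate itself, and a wrong path is only noticed later when localized values such as active or deleted stop being interpreted correctly.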

6.4 Creating the System User and User Group for Oracle Role Manager (WebSphere and JBoss)

This procedure creates a user in Oracle Identity Manager to receive messages from Oracle Role Manager for user group additions, modifications or deletions.

To create the Oracle Role Manager user:

  1. Start the Oracle Identity Manager server if it is not running.

  2. Connect to the Oracle Identity Manager Administrative and User Console. By default:

    http://host:port/xlWebApp

  3. Create the ormSystem user as follows:

    1. Select Users, then select Create.

    2. In the User ID field, enter ormSystem.

      Note:

      For Oracle Identity Manager on JBoss and WebSphere application servers, the user ID must be ormSystem and must not be changed.
    3. In the Password field, enter ormSystem.

    4. In the Confirm Password field, enter ormSystem.

    5. In the First Name field, enter a first name for the user, such as orm.

    6. In the Last Name field, enter a last name for the user, such as System.

    7. In the Organization field, click the magnifying icon.

    8. In the Lookup Form window, select the organization in which you want to create the ormSystem user.

    9. Click Select.

    10. Click Create User.

6.5 Creating the Proxy User for Role Grant Approval Workflow

Note:

If you have a clustered server configuration, this procedure must be performed on all managed nodes.

To create and configure the Oracle Role Manager proxy user:

  1. Start the Oracle Identity Manager server if it is not running.

  2. Connect to the Oracle Identity Manager Administrative and User Console.

  3. Select Users, then click Create.

  4. In the User ID field, enter ormProxyUser.

    Note:

    The user ID must be ormProxyUser and should not be changed.
  5. In the Password field, enter a password for the user.

  6. In the Confirm Password field, enter the same password.

  7. In the First Name field, enter a value.

  8. In the Last Name field, enter a value.

  9. In the Organization field, click the Lookup icon, then select the organization in which you want to create the user, for example, Xellerate Users.

  10. Click Select, then click Create User.

6.6 Importing the Prepared Configuration

The Oracle Role Manager Integration Library requires significant configuration of Oracle Identity Manager. For convenience, there are two pre-built XML files to use to easily import configuration data into Oracle Identity Manager. These two files are ormoimBase.xml and ormoimSample.xml.

The first file, ormoimBase.xml, contains the essential configurations for a working integration and includes the configurations for role grant approvals. The second file, ormoimSample.xml, contains configurations for a sample resource and approval process. This sample is helpful in understanding and demonstrating a working approval process that looks to Oracle Role Manager for approvers for a role, before creating similar resources and workflows for a production environment.

Note:

The following procedures assume that the Oracle Identity Manager administrator user ID is xelsysadm. If your installation of Oracle Identity Manager uses a different user for access, you must modify the ormoimBase.xml file and the ormoimSample.xml file to match.

This section includes the following topics:

  • Section 6.6.1, "Importing the Base Configuration"
  • Section 6.6.2, "Importing the Sample Configuration for Approver Role Resolution"

6.6.1 Importing the Base Configuration

The base configuration provides the framework configuration for the Oracle Role Manager Integration Library and is a prerequisite to any additional configuration relating to the integration.

To import the Integration Library base configuration:

  1. Start the Oracle Identity Manager server if it is not running.

  2. Connect to the Oracle Identity Manager Administrative and User Console.

  3. Select Deployment Management, then select Import.

  4. In the Select File for Import window, browse to ORMINT_HOME/config and select ormoimBase.xml, then click Add File.

  5. On the Substitutions page, click Next to make no substitutions, then click Next again to confirm.

  6. Depending on the application server on which Oracle Identity Manager is deployed, define the parameters of the IT Resource for Oracle Role Manager as follows:

    Note:

    All values are case-sensitive and must be entered exactly as shown here.
    • For WebLogic

      Field                    Value
      ormJMSConnectionFactory  external/srqueues/orm/QueueConnectionFactory
      ormJMSQueue              orm/queue/IncomingEventQueue
      ormServerURL             t3://ORM_appserver:port
      initialContextFactory    weblogic.jndi.WLInitialContextFactory
      ormServerJNDI            ejb/orm/ServerEJB
      ormAdmin                 oimSystem
      ormPassword              The password of the oimSystem system identity that was set in Section 5.2, "Creating the oimSystem System Identity."

      Note:

      The ormServerURL port value must be the port for access to the Oracle Role Manager Web UI and administrative console.

      Note:

      In a clustered environment, ormServerURL must list all the managed servers for Oracle Role Manager, separated by commas. For example, t3://ORM_appserver1:port1,ORM_appserver2:port2

    • For WebSphere

      Field                    Value
      ormJMSConnectionFactory  orm/jms/QueueConFac
      ormJMSQueue              orm/jms/IncomingEventQueue
      ormServerURL             corbaloc:iiop:orm_appserver:bootstrap_address
      initialContextFactory    com.ibm.websphere.naming.WsnInitialContextFactory
      ormServerJNDI            orm/ejb/ServerEJB
      ormAdmin                 oimSystem
      ormPassword              The password of the oimSystem system identity that was set in Section 5.2, "Creating the oimSystem System Identity."

      Note:

      In a clustered environment, ormServerURL must include each managed server for Oracle Role Manager, separated by a comma. For example, corbaloc:iiop:orm_appserver1:bootstrap_address1,:orm_appserver2:bootstrap_address2

    • For JBoss

      Field                    Value
      ormJMSConnectionFactory  queue/QueueConnectionFactory
      ormJMSQueue              queue/orm/IncomingEventQueue
      ormServerURL             jnp://orm_appserver:jndi_port
      initialContextFactory    org.jnp.interfaces.NamingContextFactory
      ormServerJNDI            ejb/orm/ServerEJB
      ormAdmin                 oimSystem
      ormPassword              The password of the oimSystem system identity that was set in Section 5.2, "Creating the oimSystem System Identity."

      where orm_appserver is the IP address or host name of the Oracle Role Manager host, and jndi_port is the JNDI port of that host. The default JNDI port in JBoss is 1100.

      Note:

      In a clustered environment, ormServerURL must include each managed server for Oracle Role Manager, separated by a comma. For example, jnp://orm_appserver1:jndi_port1,orm_appserver2:jndi_port2

  7. Click Next, then click Skip to skip the current resource instance.

  8. On the Confirmation page, ensure that the information is correct.

    To make changes, click Back.

  9. Click View Selections.

  10. Click Import, then click Import to confirm.

    You should see a confirmation message that import was successful.

  11. Click OK, then close the Import window.
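The note in step 6 says every value is case-sensitive and must be entered exactly, and a typo in a clustered ormServerURL is easy to miss in the import wizard. The following Python script is an added example, not Oracle's code and not part of the Integration Library: it checks a set of IT Resource parameters against the three tables above before you type them in (or afterwards, against what step 11 of Section 6.9 displays), and parses single and clustered ormServerURL values for each application server. The host names, ports and password in the usage are constructed placeholders.

```python
"""Check Oracle Role Manager IT Resource parameters against Section 6.6.1 (added example)."""
import re

# Fixed values from the page's tables, per application server. ormServerURL is
# deployment-specific, so only its scheme is pinned here.
EXPECTED = {
    "weblogic": {
        "scheme": "t3://",
        "initialContextFactory": "weblogic.jndi.WLInitialContextFactory",
        "ormServerJNDI": "ejb/orm/ServerEJB",
        "ormJMSQueue": "orm/queue/IncomingEventQueue",
        "ormJMSConnectionFactory": "external/srqueues/orm/QueueConnectionFactory",
    },
    "websphere": {
        "scheme": "corbaloc:iiop:",
        "initialContextFactory": "com.ibm.websphere.naming.WsnInitialContextFactory",
        "ormServerJNDI": "orm/ejb/ServerEJB",
        "ormJMSQueue": "orm/jms/IncomingEventQueue",
        "ormJMSConnectionFactory": "orm/jms/QueueConFac",
    },
    "jboss": {
        "scheme": "jnp://",
        "initialContextFactory": "org.jnp.interfaces.NamingContextFactory",
        "ormServerJNDI": "ejb/orm/ServerEJB",
        "ormJMSQueue": "queue/orm/IncomingEventQueue",
        "ormJMSConnectionFactory": "queue/QueueConnectionFactory",
    },
}
ORM_ADMIN = "oimSystem"  # the system identity created in Section 5.2
HOST_PORT = re.compile(r"^([A-Za-z0-9][A-Za-z0-9.\-]*):(\d{1,5})$")


def parse_server_url(appserver, url):
    """Split a single or clustered ormServerURL into (host, port) tuples.

    Raises ValueError on a wrong scheme or a malformed entry. For corbaloc,
    entries after the first may begin with ':' (the page's clustered example).
    """
    scheme = EXPECTED[appserver]["scheme"]
    if not url.startswith(scheme):
        raise ValueError(f"must start with {scheme!r}: {url!r}")
    servers = []
    for entry in url[len(scheme):].split(","):
        if appserver == "websphere" and entry.startswith(":"):
            entry = entry[1:]
        m = HOST_PORT.match(entry)
        if not m or not 1 <= int(m.group(2)) <= 65535:
            raise ValueError(f"malformed host:port entry {entry!r} in {url!r}")
        servers.append((m.group(1), int(m.group(2))))
    return servers


def validate_it_resource(appserver, params):
    """Return a list of problems; an empty list means the values match the page."""
    expected = EXPECTED[appserver]
    problems = []
    for field, value in expected.items():
        if field == "scheme":
            continue
        if params.get(field) != value:  # exact, case-sensitive comparison
            problems.append(f"{field}: expected {value!r}, got {params.get(field)!r}")
    if params.get("ormAdmin") != ORM_ADMIN:
        problems.append(f"ormAdmin: expected {ORM_ADMIN!r}, got {params.get('ormAdmin')!r}")
    if not params.get("ormPassword"):
        problems.append("ormPassword: must be the password of the oimSystem system identity")
    try:
        parse_server_url(appserver, params.get("ormServerURL", ""))
    except ValueError as exc:
        problems.append(f"ormServerURL: {exc}")
    return problems


if __name__ == "__main__":
    # Constructed placeholders for a two-node WebLogic cluster.
    sample = {
        "ormJMSConnectionFactory": "external/srqueues/orm/QueueConnectionFactory",
        "ormJMSQueue": "orm/queue/IncomingEventQueue",
        "ormServerURL": "t3://orm1.example.com:8080,orm2.example.com:8080",
        "initialContextFactory": "weblogic.jndi.WLInitialContextFactory",
        "ormServerJNDI": "ejb/orm/ServerEJB",
        "ormAdmin": "oimSystem",
        "ormPassword": "placeholder-password",
    }
    for line in validate_it_resource("weblogic", sample) or ["OK"]:
        print(line)
```

The check deliberately compares strings exactly rather than case-insensitively: the wizard accepts any text, and a wrongly cased JNDI name only fails later as a lookup error in the Integration Library.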

6.6.2 Importing the Sample Configuration for Approver Role Resolution

This procedure is necessary only if you want to test the Oracle Role Manager Integration Library with a sample workflow for role approvals using the configuration provided as a convenience for demonstration purposes.

To import the Integration Library sample configuration:

  1. From the Oracle Identity Manager Administration and User Console, select Deployment Management, then select Import.

  2. Browse to the ORMINT_HOME/samples directory, select ormoimSample.xml, then click Add File.

  3. Click Next to make no substitutions, then click Next again to confirm.

    In the Summary pane, you should see that six objects are ready to be imported, including one resource, one data object definition, one process form, one task adapter, and two processes.

  4. Click Import, then click Import to confirm.

  5. Click OK, then close the Import window.

6.7 Assigning the System User to the User Group

Depending on the application server on which Oracle Identity Manager is deployed, perform whichever of the following two procedures applies.

(WebLogic) To assign the Internal system user to the User user group:

  1. From the Oracle Identity Manager Administration and User Console, select Users, then select Manage.

  2. Search for the user named Internal.

  3. Click INTERNAL to view details.

  4. On the User Details page, select Group Membership from the list.

  5. Click Assign.

  6. Select the box in the row for the group named User.

  7. Click Assign Group.

  8. Click Confirm Assign to confirm.

(WebSphere and JBoss) To assign the ormSystem user to the ormSystem user group:

  1. From the Oracle Identity Manager Administration and User Console, select Users, then select Manage.

  2. Search for the user named ormSystem (created in Section 6.4).

  3. Click ormSystem to view details.

  4. On the User Details page, select Group Membership from the list.

  5. Click Assign.

  6. Select the box in the row for the group named ormSystem.

  7. Click Assign Group.

  8. Click Confirm Assign to confirm.

6.8 Assigning the Proxy User to the System Group

Depending on the application server on which Oracle Identity Manager is deployed, perform whichever of the following two procedures applies.

(WebLogic) To assign the proxy user to the User user group:

  1. From the Oracle Identity Manager Administration and User Console, select Users, then select Manage.

  2. Search for the user named ormProxyUser (created in Section 6.5).

  3. Click ORMPROXYUSER to view details.

  4. On the User Details page, select Group Membership from the list.

  5. Click Assign.

  6. Select the box in the row for the group named User.

  7. Click Assign Group.

  8. Click Confirm Assign to confirm.

(WebSphere and JBoss) To assign the proxy user to the ormSystem user group:

  1. From the Oracle Identity Manager Administration and User Console, select Users, then select Manage.

  2. Search for the user named ormProxyUser (created in Section 6.5).

  3. Click ORMPROXYUSER to view details.

  4. On the User Details page, select Group Membership from the list.

  5. Click Assign.

  6. Select the box in the row for the group named ormSystem.

  7. Click Assign Group.

  8. Click Confirm Assign to confirm.

6.9 Configuring the IT Resource

The ORMITResourceName system property holds the name of the IT Resource in Oracle Identity Manager (ORM ITResource, whose parameters were defined during the base import in Section 6.6.1) through which the Oracle Role Manager Integration Library connects to Oracle Role Manager.

Note:

The Oracle Identity Manager Design Console is not available on UNIX-based systems. To perform this procedure, use an installation on a Windows host.

To configure the IT Resource

  1. Start the Oracle Identity Manager server if it is not already running.

  2. Start the Oracle Identity Manager Design Console, either from the Windows Start menu or with the xlclient.cmd command.

  3. Log in as the Oracle Identity Manager Administrator.

  4. On the left pane, expand the Administration folder.

  5. Double-click System Configuration.

  6. Choose the Server option.

  7. In the Name field, enter ORMITResourceName as the name of the system property to create.

  8. In the Keyword field, enter XL.ORMITResourceName.

  9. In the Value field, enter ORM ITResource.

    Note:

    The key should not be supplied, as it is generated automatically by the system.
  10. Click the Save icon on the toolbar.

  11. Ensure that the values for the IT resource parameters are correct:

    1. Connect to the Oracle Identity Manager Administrative and User Console. By default:

      http://host:port/xlWebApp

    2. Select Resource Management, then click Manage IT Resource.

    3. Search for and select the IT resource named ORM ITResource.

    4. On the View IT Resource Details and Parameters page, verify that the values displayed in the fields are the same as the values mentioned in step 6 of Section 6.6.1.

      If the values are different, Click Edit to modify the values, as appropriate, then click Update.

    5. For WebLogic, if you have used the automated configuration, click Edit to enter a new password in the ormPassword field for the oimSystem system identity, then click Update.

  12. If Oracle Identity Manager is installed on WebLogic, assign permissions as follows:

    1. From the list labeled You can view additional information about this IT resource, select Administrative Groups.

    2. Click Assign Group.

    3. For the User user group, select Write Access, Delete Access, and Assign.

    4. Click the Assign button.

6.10 Configuring Role Grant Approval Workflow

Note:

The Oracle Identity Manager Design Console is not available on UNIX-based systems. To perform this procedure, use an installation on a Windows host. Refer to Oracle Identity Manager Installation Guide for more information.

To configure the role grant approval workflow:

  1. Start the Oracle Identity Manager server if it is not already running.

  2. Connect to the Oracle Identity Manager Administrative and User Console. By default:

    http://host:port/xlWebApp

  3. Assign the User and ormSystem user groups as administrative groups as follows:

    1. Select User Groups, then select Manage.

    2. Search for and select System Administrators.

    3. Select Members and Sub-Groups from the list.

    4. Click Assign Subgroups.

    5. If your deployment is on WebLogic, for the User user group, select Assign.

    6. If your deployment is on WebSphere or JBoss, for the ormSystem user group, select Assign.

    7. Click the Assign button, then click Confirm Assign.

  4. Start the Oracle Identity Manager Design Console, either from the Windows Start menu or with the xlclient.cmd command, then log in as the Oracle Identity Manager Administrator.

  5. Suppress the standard approval as follows:

    1. On the left pane, expand the Process Management folder.

    2. Double-click Process Definition.

    3. Click the Lookup icon, then click the right arrow to navigate to the Standard Approval process definition.

    4. On the Tasks tab, double-click the row number to the left of the Approve task.

    5. On the Integration tab, click Add.

    6. Choose the System option, select tcCompleteTask, then click the Save icon.

    7. Click OK, then close the window.

      You should see the tcCompleteTask event handler listed for the Approve task in the process definition.

  6. Assign the proxy user as the default assignee for the Role Grant Approval task as follows:

    1. Click the right arrow and navigate to the RoleGrantApprovalApProcDef process definition.

    2. On the Tasks tab, double-click the row number to the left of the Approval Task task.

    3. On the Assignment tab, double-click the User field that contains XELSYSADM.

    4. Select ORMPROXYUSER, then click OK.

    5. Click the Save icon, click OK, then close the window.

    6. Click the Save icon on the toolbar.

  7. Optionally, change the assignee for Second Approval as follows:

    1. In the same process definition, on the Tasks tab, double-click the row number to the left of the Second Approval task.

    2. On the Assignment tab, double-click the User field that contains XELSYSADM.

    3. Select the user that would be the second approval, then click OK.

    4. Click the Save icon, click OK, then close the window.

    5. Click the Save icon on the toolbar.

  8. Optionally, change the assignee for Third Approval as follows:

    1. In the same process definition, on the Tasks tab, double-click the row number to the left of the Third Approval task.

    2. On the Assignment tab, double-click the User field that contains XELSYSADM.

    3. Select the user that would be the third approval, then click OK.

    4. Click the Save icon, click OK, then close the window.

    5. Click the Save icon on the toolbar.

  9. Configure the OfflineRequestSubmission system property as follows:

    1. In the left pane, expand Administration.

    2. Double-click System Configuration.

    3. Choose the Server option.

    4. In the Name field, enter OfflineRequestSubmission.

    5. In the Keyword field, enter XL.OfflineRequestSubmission.

    6. In the Value field, enter off.

    7. Click the Save icon on the toolbar.

      You should see that the key value has been generated automatically.