Oracle® Role Manager Integration Guide
Release 10g (10.1.4.2)

Part Number E14611-07

5 Configuring Oracle Role Manager

This chapter describes the manual steps to configure Oracle Role Manager for the Oracle Role Manager Integration Library (Integration Library). The procedures in this chapter are expected to be performed in the sequence they are presented.

Note:

This chapter assumes that an instance of Oracle Role Manager is installed with the standard model following the instructions in Oracle Role Manager Installation Guide.

Note:

If you are configuring on WebLogic and have run the automated configuration scripts as described in Chapter 4, you do not need to perform the manual steps in this chapter.

This chapter includes the following sections:

5.1 Deploying the Integration Library Configuration

The procedure in this section deploys the Integration Library model and configuration in the Oracle Role Manager system.

Note:

If you want to modify the standard configuration of the Integration Library components, for example, to bring over additional data elements, it is recommended that you make your changes before performing the procedure in this section. For more information, see Section 5.6, "Modifying Component Configuration."

To deploy the Integration Library configuration:

  1. On the Oracle Role Manager installation host, copy the oim_integration.car file from ORM_HOME/Integration_Library/config to ORM_HOME/config.

  2. On the Oracle Role Manager installation host, ensure that the db.properties file in ORM_HOME/config contains the correct information. If it does not, modify it so it contains the following two lines:

    db.driverClass=oracle.jdbc.driver.OracleDriver
    db.connection_string=jdbc:oracle:thin:@$HOST$:$PORT$:$SERVICE$
    

    where $HOST$ is the database host name, $PORT$ is the database listener port, and $SERVICE$ is the database instance on which the Oracle Role Manager users were created.

  3. Stop the Oracle Role Manager application server if it is running.

  4. In a command window, navigate to ORM_HOME/bin.

  5. Run the deploy command to load configuration data to the Oracle Role Manager database.

    If you have no Integration Library customizations:

    deploy.bat "../config/oim_integration.car" orm-owner ormapp-user admin-user
    

    In this command:

    • orm-owner is the user name of the Oracle Role Manager database owner user/schema

    • ormapp-user is the user name of the Oracle Role Manager application user/schema

    • admin-user is the user name of the Oracle Role Manager system administrator

    If you have Integration Library customizations:

    deploy.bat "collection_of_cars" orm-owner ormapp-user admin-user
    

    In this command:

    • collection_of_cars contains the relative paths and file names of the CAR files to deploy, separated by semicolon (for Windows) or colon (UNIX-based systems).

      For example, in a customized deployment, the collection of CAR files on a UNIX-based system might be similar to:

      "../config/configurations_custom.car:../config/oim_integration_custom.car"
      
    • orm-owner is the user name of the Oracle Role Manager database owner user/schema

    • ormapp-user is the user name of the Oracle Role Manager application user/schema

    • admin-user is the user name of the Oracle Role Manager system administrator

    Note:

    The collection must be enclosed within double quotation marks. The delimiters to be used are:

    • For Windows systems, use a semicolon (;)

    • For UNIX-based systems, use a colon (:)

    (For information about modifying the standard configuration for components affecting the Integration Library, see Section 5.6, "Modifying Component Configuration.")

  6. At the prompts, enter the passwords of the Oracle Role Manager database owner, Oracle Role Manager application user, and Oracle Role Manager administrator.

    You should see the message "Deployment successfully completed" in the command window.

5.2 Creating the oimSystem System Identity

The procedure in this section creates the oimSystem system identity to use for access to the Oracle Role Manager system by Oracle Identity Manager.

System identities are system user objects that are created for access to the Oracle Role Manager system. They normally represent external systems, such as a user provisioning system that accesses Oracle Role Manager for role resolution in workflows or access provisioning.

To create the oimSystem system identity:

  1. On the Oracle Role Manager installation host, copy the following files from ORM_HOME/Integration_Library/config to ORM_HOME/config:

    oim_systemIdentity.car
    oim_systemIdentity.dar
    
  2. Stop the Oracle Role Manager application server if it is running.

  3. In a command window, navigate to ORM_HOME/bin on the Oracle Role Manager host.

  4. Run the deploy command to load the system identity data and relationships to the Oracle Role Manager database.

    For UNIX-based systems:

    sh deploy.sh "../config/oim_systemIdentity.car" orm-owner ormapp-user admin-user
    

    For Windows systems:

    deploy.bat "..\config\oim_systemIdentity.car" orm-owner ormapp-user admin-user
    

    In this command:

    • orm-owner is the user name of the Oracle Role Manager database owner user/schema

    • ormapp-user is the user name of the Oracle Role Manager application user/schema

    • admin-user is the user name of the Oracle Role Manager system administrator

  5. At the prompts, enter the passwords of the Oracle Role Manager database owner, Oracle Role Manager application user, and Oracle Role Manager administrator.

    You should see the message "Deployment successfully completed" in the command window.

5.3 Loading the oimSystem System Identity Relationship Data

The oimSystem system identity is not fully functional until the relationships it needs are created. Those relationships are defined in data files and loaded through the Oracle Role Manager Administrative Console.

To load the oimSystem system identity relationship data:

  1. Start the Oracle Role Manager application server.

  2. From the Oracle Role Manager installation host, using a Web browser, go to the Oracle Role Manager Administrative Console. By default:

    WebLogic:   http://host:7001/ormconsole

    WebSphere:  http://host:9080/ormconsole

    JBoss:   http://host:8080/ormconsole

  3. Enter the user name and password of the Oracle Role Manager administrator, then click Log In.

  4. Click Upload.

  5. Click Browse, and navigate to select the oim_systemIdentity.dar file found in ORM_HOME/config.

  6. Click Load.

    You can click refresh to verify that all processes are finalized.

5.4 Resetting the Password for the oimSystem System Identity

It is recommended that you reset the password for the oimSystem system identity in order for the system to store an encrypted value.

To reset the oimSystem system identity password:

  1. Stop the Oracle Role Manager server.

  2. On the Oracle Role Manager installation host, navigate to ORM_HOME/config.

  3. Create a text file named oimSystemProps.txt containing the following system identity properties:

    displayName = oimSystem
    status = active
    description = The System Identity used by the Integration Library for OIM
    
  4. Navigate to ORM_HOME/bin and run the following command to update the system identity.

    For UNIX-based systems:

    sh systemidentity_update.sh ormapp-user oimSystem ../config/oimSystemProps.txt
    

    For Windows systems:

    systemidentity_update.bat ormapp-user oimSystem ..\config\oimSystemProps.txt
    

    In this command, ormapp-user is the user name of the Oracle Role Manager application user/schema in the database.

    Note:

    The name of the system identity must be oimSystem and must not be changed.

  5. At the prompt, enter the password of the Oracle Role Manager application user/schema.

  6. At the prompt, enter a new password for the oimSystem system identity.

5.5 Configuring Signed Messages (Encryption)

It is recommended that you configure the Integration Library so that your system uses digital signatures to authenticate the oimSystem system identity when sending messages from Oracle Identity Manager to Oracle Role Manager.

The procedure in this section first creates a password-protected key store on the Oracle Identity Manager host in a file named keystore.store. It then creates a random symmetric key for that password and serializes it to a file named keystore.key. Finally, it creates a property file named keystore.properties containing a single property whose value is the key store password, encrypted with the symmetric key and base64-encoded.

Note:

Encryption must be enabled before you can perform this procedure. By default, encryption is enabled when the Integration Library is installed. For more information, see Section 5.5.1.

To configure encryption:

  1. On the Oracle Identity Manager host, navigate to ORMINT_HOME/bin.

  2. Run the following command to create the Oracle Identity Manager key store.

    For UNIX-based systems:

    sh create_keystore.sh 
    

    For Windows systems:

    create_keystore.bat 
    

    Note:

    If you have trouble running this command, ensure that the JAVA_HOME environment variable is set to an existing Java JRE location (version 1.4 or later). For WebSphere, ensure that it is set to the IBM WebSphere JDK.

    The JDK used to create the signature must be the same JDK the application server runs on. For example, WebSphere runs on the IBM JDK by default, so when you configure the Integration Library with Oracle Identity Manager on WebSphere, the signatures must also be created with the IBM JDK.

  3. At the prompt, enter a password for the Oracle Identity Manager key store.

    You should see three files created by this command as follows:

    • keystore.store

      This file contains the private key or the public certificate of each pair of asymmetric encryption keys for passing credentials from the integration system to Oracle Role Manager.

    • keystore.key

      This file contains the serialized form of a symmetric key that is used for encrypting the passwords necessary for key store and private key access.

    • keystore.properties

      This file contains a set of key store passwords, the values of which have been encrypted by the symmetric key in the key file and base64-encoded.

  4. In the same location, run the command to create the private key for the Integration Library alias and to generate the certificate containing the public key.

    For UNIX-based systems:

    sh create_key_pair.sh oimSystem oim_orm_cert
    

    For Windows systems:

    create_key_pair.bat oimSystem oim_orm_cert
    

    In this command, oim_orm_cert is the name to use for the certificate file.

    Note:

    The alias must be oimSystem.

    You should see the resulting certificate file named as specified with the command.

  5. At the prompt, enter the key store password set in step 3.

  6. At the prompt, enter a new password for the private key pair, then re-enter to confirm.

  7. On the Oracle Identity Manager host, copy the new certificate file from ORMINT_HOME/bin to ORM_HOME/bin on the Oracle Role Manager host.

  8. On the Oracle Role Manager host, navigate to ORM_HOME/bin.

  9. Modify the create_keystore.sh and import_certificate.sh files so that they use the Java installation of the Oracle Role Manager server.

    For UNIX-based systems:

    1. Open create_keystore.sh using the vi editor.

    2. Search for "../jdk/bin/java" and replace it with "$JAVA_HOME/bin/java".

    3. Save and close the file.

    4. Repeat steps 1 through 3 for import_certificate.sh.

    5. Set the JAVA_HOME variable to the Java installation used by the Oracle Role Manager server (ORMServer).

  10. Run the command to create the Oracle Role Manager key store.

    For UNIX-based systems:

    sh create_keystore.sh 
    

    For Windows systems:

    create_keystore.bat 
    

  11. At the prompt, enter a password for the Oracle Role Manager key store.

  12. For automated WebLogic configuration, you can stop here. The automated configuration scripts will complete the necessary configuration.

    To continue with automated configuration, return to Section 4.3, "Running the Configuration Script for Oracle Identity Manager."

  13. Run the command to import the certificate that was generated earlier into the Oracle Role Manager key store.

    For UNIX-based systems:

    sh import_certificate.sh oimSystem oim_orm_cert 
    

    For Windows systems:

    import_certificate.bat oimSystem oim_orm_cert 
    

    In this command:

    oim_orm_cert is the certificate file named and generated in step 4.

    Note:

    The alias must be oimSystem.

  14. At the prompt, enter the key store password set in step 11.

  15. For WebLogic manual configuration, set the system property for the Oracle Role Manager key store directory as follows:

    1. Log on to the WebLogic Server Console using a Web browser.

    2. From Environment, select Servers, then select the server on which Oracle Role Manager is deployed.

    3. On the Configuration tab, click the Server Start subtab.

    4. In the Arguments field, append the following argument to any existing arguments:

      -Doracle.iam.rm.encryption.keystore_dir=ORM_HOME/bin
      

      where ORM_HOME is the Oracle Role Manager installation directory

    5. Apply and save your changes.

    6. If you are configuring a clustered server environment, repeat these steps for each server on which Oracle Role Manager is deployed.

  16. For WebSphere, set the system property for the Oracle Role Manager key store directory as follows:

    1. Log on to the WebSphere Administrative Console using a Web browser.

    2. From Servers, select Application Servers, then select the server on which Role Manager is deployed.

    3. Under Server Infrastructure, expand Java and Process Management, then click Process Definition.

    4. Under Additional Properties, click Java Virtual Machine.

    5. Under Additional Properties, click Custom Properties.

    6. Click New.

    7. In the Name field, enter oracle.iam.rm.encryption.keystore_dir.

    8. In the Value field, enter ORM_HOME/bin where ORM_HOME is the Role Manager installation directory.

    9. In the Description field, enter Location of the Oracle Role Manager encryption directory.

    10. Click Apply, then save your changes.

    11. If you are configuring a clustered server environment, repeat these steps for each server on which Oracle Role Manager is deployed.

  17. For JBoss, set the system property for the Oracle Role Manager key store directory as follows:

    1. On the Oracle Role Manager application server host, navigate to JBOSS_HOME/bin.

    2. On Windows, open the run.bat file for editing, and set the system property as follows:

      set JAVA_OPTS=-Doracle.iam.rm.encryption.keystore_dir=ORM_HOME/bin %JAVA_OPTS%
      

      where ORM_HOME is the Oracle Role Manager installation directory.

    3. On UNIX-based systems, open the run.sh file for editing, and set the system property as follows:

      JAVA_OPTS="-Doracle.iam.rm.encryption.keystore_dir=ORM_HOME/bin $JAVA_OPTS"
      

      where ORM_HOME is the Oracle Role Manager installation directory.

    4. Save and close the file.

    5. If you are configuring a clustered server environment, repeat these steps for each server on which Oracle Role Manager is deployed.

5.5.1 Enabling Encryption

Encryption is enabled by default when the Integration Library is installed. Use this procedure to re-enable encryption if it was disabled previously.

Note:

If you have a clustered server configuration, this procedure must be performed on all managed nodes.

To re-enable encryption:

  1. On the Oracle Identity Manager host, navigate to ORMINT_HOME/config.

  2. Open the IMConfig.xml file for editing.

  3. In the ormEncrypt policy definition, set the value of the boolean element to true as follows:

    <policy> 
      <parameters>
        <parameter>
          <id>ormEncrypt</id>
          <boolean>true</boolean>
        </parameter>
      </parameters>
    </policy>
    
  4. Save and close the IMConfig.xml file.

5.6 Modifying Component Configuration

Note:

If this is the first time the Integration Library is installed, perform the procedures described in this section only to change the configuration from the default settings. Default settings are described in the subsections below for each configurable component.

The Integration Library component configuration is deployed in the same way as other Oracle Role Manager component configuration. Configuration settings are defined in XML files and packaged as a CAR (configuration archive) file that is deployed to Oracle Role Manager system. To simplify the deployment process, it is recommended that you make all your changes to the XML files for all components that you want to reconfigure before packaging the CAR file.

This section includes the following topics:

5.6.1 Obtaining the Standard Configuration Files

As a convenience, it is recommended that you use the standard configuration files as a starting point for your configuration changes.

To view or edit these configuration XML files, you must extract them from CAR files. There are two CAR files that contain configuration that pertains to Integration Library components: configurations.car, which includes the Batch Resolution Timer configuration (described in Section 5.6.2) and the configuration files for all the configurable Oracle Role Manager server components; and oim_integration.car, which includes the configuration files described in the subsequent sections of this chapter.

To get the standard configuration files:

  1. On the Oracle Role Manager host, copy the oim_integration.car file in ORM_HOME/Integration_Library/config directory to ORM_HOME/config.

  2. Navigate to the ORM_HOME/config directory.

  3. Using a utility like WinZip or jar, extract the entire contents of oim_integration.car into a temporary location, such as ORM_HOME/config/oim_integration_custom.

    The oim_integration_custom directory contains subdirectories for all the configurable components of the Integration Library. Once expanded, the files that contain configuration pertaining to the Integration Library can be found in the following layout:

    oim_integration_custom/
            config/
                    oracle.iam.rm.approval.def/
                            approval.oim_integration.xml
                    oracle.iam.rm.bizlogic.def/
                            bizlogic.oim_integration.xml
                    oracle.iam.rm.event.incoming/
                            oim_integration.xml
                    oracle.iam.rm.event.outgoing/
                            oim_integration.xml
                    oracle.iam.rm.temporal/
                            oim_integration.xml
                    oracle.iam.rm.timer/
                            approverRolePublishingTimer.xml
                            businessRolePublishingTimer.xml
                            itRolePublishingTimer.xml
    

    The settings in these files are described in Section 5.6.3 through Section 5.6.6.

  4. If not performed previously, extract the entire contents of configurations.car into the temporary location, such as ORM_HOME/config/configurations_custom.

    The configurations_custom directory contains many subdirectories for all the configurable components of the Oracle Role Manager. The one subdirectory that pertains to the Integration Library can be found in the following layout:

    configurations_custom/
            config/
                    oracle.iam.rm.timer/
                            batchResolutionTimer.xml
    

    For more information about the settings in this file, see Section 5.6.2. For information about the other configurable Oracle Role Manager server components, see Oracle Role Manager Administrator's Guide.

5.6.2 Modifying the Batch Resolution Timer

The batch resolution timer is included with the standard Oracle Role Manager configuration bundle and sets preferences for the batch resolution job for periodic update of user-to-role assignments calculated for complex dynamic roles (roles that have complex rules that dynamically determine membership). The batch resolution timer can have multiple jobs configured (identified by the job ID), used for integrations with external systems.

To modify the Batch Resolution Timer configuration:

  1. Navigate to ORM_HOME on the Oracle Role Manager installation host.

  2. From the temporary location where configurations.car was extracted, navigate to configurations/config/oracle.iam.rm.timer.

  3. Edit the values in the batchResolutionTimer.xml file as needed.

    For detailed information about the configuration settings, see Section 5.6.2.1.

  4. Using a utility like WinZip or jar, repackage everything in the configurations directory and create a file appended with the .car extension, for example, configurations_custom.car.

    Ensure that the CAR file directory layout is as follows:

    configurations/
            config/
                    oracle.iam.rm.timer/
                            batchResolutionTimer.xml
    

    If it does not match this layout, fix the layout, then repackage the CAR file.

  5. Include this file in the collection of CAR files as part of the deploy command described in Section 5.1, "Deploying the Integration Library Configuration."

5.6.2.1 Batch Resolution Timer Configuration Settings

Table 5-1 shows the default configuration values for the implementing Java class and whether the timer type is simple (defining a repeat interval of n milliseconds between invocations) or a cron timer (defining a UNIX-style cron timer). The default is the simple timer type. (For more information about cron expressions, see Appendix A.)

Table 5-1 Batch Resolution Timer Configuration Values

  Element                   Default Value
  factory-classname         oracle.iam.rm.resolution.impl.BatchResolutionTimerFactory
  job-id                    BatchResolutionJob
  singleton                 true
  simple repeat-interval    14400000
  cron cron-expression      N/A


Note:

For repeat intervals, use 3600000 for 1 hour, 7200000 for 2 hours, 14400000 for 4 hours, 28800000 for 8 hours, 86400000 for 1 day, and so forth.

The following example shows the default configuration in XML format. If you want, you can use this as a starting place for customization.

Example 5-1 Batch Resolution Timer Default Values in XML

<?xml version="1.0" encoding="UTF-8"?>
<timer-config xmlns="http://xmlns.oracle.com/iam/rm/timer/config/1_0">
        <job-configs>
                <job-config>
                        <factory-classname>
                                oracle.iam.rm.resolution.impl.BatchResolutionTimerFactory
                        </factory-classname>
                        <job-id>BatchResolutionJob</job-id>
                        <group-id>BatchGroup</group-id>
                        <parameters/>
                        <singleton>true</singleton>
                        <simple>
                                <repeat-interval>14400000</repeat-interval>
                        </simple>
                </job-config>
        </job-configs>
</timer-config>

5.6.3 Modifying the Role Membership Update Timers

The role membership update timers control the periodic process on Oracle Role Manager responsible for creating the messages for updates of role membership information (user-to-role assignments) from Oracle Role Manager to external systems. For example, for Oracle Identity Manager, this timer triggers the update of User Group memberships based on role memberships in Oracle Role Manager.

There are three separately configurable timers for role membership updates of the following roles in Oracle Role Manager:

  • Approval Roles

  • Business Roles

  • IT Roles

The three role membership update timer configuration files are included with the oim_integration.car configuration bundle and set preferences for the role membership resolution jobs. Each role membership update timer can have multiple jobs configured (identified by the job ID), used for integrations with different external systems.

It is recommended that the timer interval for each of the role membership updates be equal to or longer than the batch resolution timer interval.

To modify the Role Membership Update Timers:

  1. Navigate to ORM_HOME on the Oracle Role Manager installation host.

  2. From the temporary location where oim_integration.car was extracted, navigate to oim_integration/config/oracle.iam.rm.timer.

  3. Edit the values in any of the three timer configuration files as needed:

    • approverRolePublishingTimer.xml

    • businessRolePublishingTimer.xml

    • itRolePublishingTimer.xml

    For detailed information about the settings in these files, see Section 5.6.3.1.

  4. Package your configuration changes with any other changes as described in Section 5.6.7 for deployment.

5.6.3.1 Role Membership Update Timers Configuration Settings

The three configuration files for role membership update share the same default configuration. Table 5-2 shows the default configuration values for the implementing Java class and whether the timer type is simple (defining a repeat interval of n milliseconds between invocations) or a cron timer (defining a UNIX-style cron timer). The default is the simple timer type. (For more information about cron expressions, see Appendix A.)

Table 5-2 Role Membership Update Timers Configuration Values

  Element                   Default Value
  factory-classname         Approver Roles:  oracle.iam.rm.resolution.impl.ApproverRolePublishingTimerFactory
                            Business Roles:  oracle.iam.rm.resolution.impl.BusinessRolePublishingTimerFactory
                            IT Roles:        oracle.iam.rm.resolution.impl.ITRolePublishingTimerFactory
  job-id                    Approver Roles:  ApproverRolePublishingJob
                            Business Roles:  BusinessRolePublishingJob
                            IT Roles:        ITRolePublishingJob
  singleton                 true
  simple repeat-interval    14400000
  cron cron-expression      N/A


Note:

For repeat intervals, use 3600000 for 1 hour, 7200000 for 2 hours, 14400000 for 4 hours, 28800000 for 8 hours, 86400000 for 1 day, and so forth.

The following example shows the default configuration in XML format. If you want, you can use this as a starting place for customization.

Example 5-2 Example of Role Membership Update Default Values in XML

<?xml version="1.0" encoding="UTF-8"?>
<timer-config xmlns="http://xmlns.oracle.com/iam/rm/timer/config/1_0">
        <job-configs>
                <job-config>
                        <factory-classname>
                                oracle.iam.rm.resolution.impl.ApproverRolePublishingTimerFactory
                        </factory-classname>
                        <job-id>ApproverRolePublishingJob</job-id>
                        <group-id>BatchGroup</group-id>
                        <parameters>
                                <parameter>
                                        <id>roleTypes</id>
                                        <string>approverRole</string>
                                </parameter>
                                <parameter>
                                        <id>userAttributes</id>
                                        <string>oimId,givenName,sn,displayName</string>
                                </parameter>
                        </parameters>
                        <singleton>true</singleton>
                        <simple>
                                <repeat-interval>14400000</repeat-interval>
                        </simple>
                </job-config>
        </job-configs>
</timer-config>
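As an added check that is not part of the Oracle documentation or the Integration Library, the following Python script parses timer-config documents in the format of Example 5-1 and Example 5-2 and verifies the recommendation in Section 5.6.3 that every role membership update timer interval is equal to or longer than the batch resolution timer interval. The XML documents embedded in it are constructed samples, one deliberately set too short and one using a cron timer whose expression is only a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://xmlns.oracle.com/iam/rm/timer/config/1_0"}
HOUR_MS = 3600000  # 1 hour in milliseconds, the unit used by repeat-interval

# Constructed sample: the default batch resolution timer (4 hours).
BATCH_XML = """<?xml version="1.0" encoding="UTF-8"?>
<timer-config xmlns="http://xmlns.oracle.com/iam/rm/timer/config/1_0">
  <job-configs>
    <job-config>
      <factory-classname>oracle.iam.rm.resolution.impl.BatchResolutionTimerFactory</factory-classname>
      <job-id>BatchResolutionJob</job-id>
      <group-id>BatchGroup</group-id>
      <parameters/>
      <singleton>true</singleton>
      <simple><repeat-interval>14400000</repeat-interval></simple>
    </job-config>
  </job-configs>
</timer-config>"""


def publishing_xml(factory, job_id, schedule):
    """Build a constructed role membership update timer document; schedule is the whole <simple> or <cron> element."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<timer-config xmlns="http://xmlns.oracle.com/iam/rm/timer/config/1_0">
  <job-configs>
    <job-config>
      <factory-classname>{factory}</factory-classname>
      <job-id>{job_id}</job-id>
      <group-id>BatchGroup</group-id>
      <parameters/>
      <singleton>true</singleton>
      {schedule}
    </job-config>
  </job-configs>
</timer-config>"""


# Constructed sample set: the approver timer keeps the 4-hour default, the
# business timer is deliberately misconfigured to 1 hour, and the IT timer
# uses a placeholder cron expression that cannot be compared numerically.
PUBLISHING_XMLS = {
    "approverRolePublishingTimer.xml": publishing_xml(
        "oracle.iam.rm.resolution.impl.ApproverRolePublishingTimerFactory",
        "ApproverRolePublishingJob",
        "<simple><repeat-interval>14400000</repeat-interval></simple>"),
    "businessRolePublishingTimer.xml": publishing_xml(
        "oracle.iam.rm.resolution.impl.BusinessRolePublishingTimerFactory",
        "BusinessRolePublishingJob",
        "<simple><repeat-interval>3600000</repeat-interval></simple>"),
    "itRolePublishingTimer.xml": publishing_xml(
        "oracle.iam.rm.resolution.impl.ITRolePublishingTimerFactory",
        "ITRolePublishingJob",
        "<cron><cron-expression>PLACEHOLDER_CRON</cron-expression></cron>"),
}


def parse_jobs(xml_text):
    """Return one dict per <job-config>: job id, factory class and schedule."""
    root = ET.fromstring(xml_text)
    jobs = []
    for job in root.findall("t:job-configs/t:job-config", NS):
        entry = {
            "job_id": job.findtext("t:job-id", default="", namespaces=NS).strip(),
            "factory": job.findtext("t:factory-classname", default="", namespaces=NS).strip(),
        }
        interval = job.findtext("t:simple/t:repeat-interval", namespaces=NS)
        cron = job.findtext("t:cron/t:cron-expression", namespaces=NS)
        if interval is not None:
            entry["type"], entry["interval_ms"] = "simple", int(interval.strip())
        elif cron is not None:
            entry["type"], entry["cron"] = "cron", cron.strip()
        else:
            raise ValueError(f"job {entry['job_id']!r} has neither <simple> nor <cron>")
        jobs.append(entry)
    return jobs


def check_intervals(batch_xml, publishing_xmls):
    """Return findings for publishing jobs that run more often than the batch resolution job (empty list = consistent)."""
    batch = [j for j in parse_jobs(batch_xml) if j["type"] == "simple"]
    if not batch:
        return ["batch resolution timer is not a simple timer; compare manually"]
    batch_ms = min(j["interval_ms"] for j in batch)
    findings = []
    for name, text in publishing_xmls.items():
        for job in parse_jobs(text):
            if job["type"] == "cron":
                findings.append(f"{name}: {job['job_id']} uses cron {job['cron']!r}; "
                                f"confirm it fires no more often than every {batch_ms / HOUR_MS:g} h")
            elif job["interval_ms"] < batch_ms:
                findings.append(f"{name}: {job['job_id']} repeats every {job['interval_ms'] / HOUR_MS:g} h, "
                                f"shorter than the batch resolution interval of {batch_ms / HOUR_MS:g} h")
    return findings
```

Run check_intervals against the real batchResolutionTimer.xml and the three publishing timer files extracted in Section 5.6.1 before repackaging the CAR files.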

5.6.4 Modifying the Incoming Event Manager

The Incoming Event Manager configuration maps incoming parameters from Oracle Identity Manager to arguments required by the Oracle Role Manager business logic layer.

To modify the Incoming Event Manager component:

  1. Navigate to ORM_HOME on the Oracle Role Manager installation host.

  2. From the temporary location where oim_integration.car was extracted, navigate to oim_integration/config/oracle.iam.rm.event.incoming.

  3. Edit the values in the oim_integration.xml file as needed.

    For detailed information about the settings in this file, see Section 5.6.4.1.

  4. Package your configuration changes with any other changes as described in Section 5.6.7 for deployment.

5.6.4.1 Incoming Event Manager Settings

The following example shows the default configuration for the Incoming Event Manager component of the Integration Library. You can use this XML content as a starting place for customization. Note that these mappings are simply samples for demonstration. In a production environment, these mappings most likely encompass custom data fields on Oracle Identity Manager and custom business logic on Oracle Role Manager.

Example 5-3 Incoming Event Manager Default Values in XML

<incoming-action-mapping xmlns="http://xmlns.oracle.com/iam/rm/event/incoming/1_0">
        <dependencies>
                <business-logic-dependency def-id="bizlogic.oim_integration" version="10.1.4"/>
        </dependencies>
        <actions>
                <action id="OIM_reconcile_user" definition-id="bizlogic.oim_integration" operation="reconcileUser">
                        <parameters>
                                <parameter mandatory="true">
                                        <source-name>Users.Key</source-name>
                                        <dest-name>oimId</dest-name>
                                        <dest-type>java.lang.Long</dest-type>
                                </parameter>
                                <parameter>
                                        <source-name>Users.First Name</source-name>
                                        <dest-name>givenName</dest-name>
                                        <dest-type>java.lang.String</dest-type>
                                        <default>NULL_IF_NULL</default>
                                </parameter>
                                <parameter>
                                        <source-name>Users.Last Name</source-name>
                                        <dest-name>sn</dest-name>
                                        <dest-type>java.lang.String</dest-type>
                                        <default>NULL_IF_NULL</default>
                                </parameter>
                                <parameter>
                                        <source-name>displayName</source-name>
                                        <dest-name>displayName</dest-name>
                                        <dest-type>java.lang.String</dest-type>
                                        <default>No display name provided</default>
                                </parameter>
                                <parameter>
                                        <source-name>Users.Email</source-name>
                                        <dest-name>mail</dest-name>
                                        <dest-type>java.lang.String</dest-type>
                                        <default>NULL_IF_NULL</default>
                                </parameter>
                                <parameter>
                                        <source-name>Users.Xellerate Type</source-name>
                                        <dest-name>jobTitle</dest-name>
                                        <dest-type>java.lang.String</dest-type>
                                        <default>NULL_IF_NULL</default>
                                </parameter>
                                <parameter>
                                        <source-name>Users.Status</source-name>
                                        <dest-name>status</dest-name>
                                        <dest-type>java.lang.String</dest-type>
                                        <default>active</default>
                                </parameter>
                                <parameter>
                                        <source-name>Users.Manager Key</source-name>
                                        <dest-name>oimManagerKey</dest-name>
                                        <dest-type>java.lang.Long</dest-type>
                                </parameter>
                                <parameter>
                                        <source-name>deleted</source-name>
                                        <dest-name>deleteFlag</dest-name>
                                        <dest-type>java.lang.Boolean</dest-type>
                                        <default>false</default>
                                </parameter>
                        </parameters>
                </action>
        </actions>
</incoming-action-mapping>

Note:

If an element is found with an empty value, the default value is used. Two special values of the default element select one of two treatments: a default of NULL_IF_NULL causes the incoming event manager to pass null to the consuming function (this is also the behavior when an element is empty and no default is specified at all); a default of EMPTY_STRING_IF_NULL causes an empty String to be passed.

Note:

The parameter with the source-name value of deleted is used to control the deletion of users in Oracle Role Manager during reconciliation. By default, this is set to false.
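
The two special default values and the no-default case described in the note above, as an added example that is not part of the Integration Library: a small Python routine applies a constructed parameter mapping (modelled on the fragment above but without the file's namespace, and with defaults changed so every rule is exercised) to one incoming event.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the <parameters> block above. The real file
# carries an xmlns, omitted here so plain tag names can be used; the defaults
# differ from the page's on purpose so each rule below is exercised.
MAPPING_XML = """<parameters>
  <parameter><source-name>Users.First Name</source-name><dest-name>givenName</dest-name>
             <dest-type>java.lang.String</dest-type><default>NULL_IF_NULL</default></parameter>
  <parameter><source-name>Users.Email</source-name><dest-name>mail</dest-name>
             <dest-type>java.lang.String</dest-type><default>EMPTY_STRING_IF_NULL</default></parameter>
  <parameter><source-name>displayName</source-name><dest-name>displayName</dest-name>
             <dest-type>java.lang.String</dest-type><default>No display name provided</default></parameter>
  <parameter><source-name>Users.Manager Key</source-name><dest-name>oimManagerKey</dest-name>
             <dest-type>java.lang.Long</dest-type></parameter>
  <parameter><source-name>deleted</source-name><dest-name>deleteFlag</dest-name>
             <dest-type>java.lang.Boolean</dest-type><default>false</default></parameter>
</parameters>"""

# Conversions for the dest-type values that appear in the mapping.
CASTS = {
    "java.lang.String": str,
    "java.lang.Long": int,
    "java.lang.Boolean": lambda v: v.strip().lower() == "true",
}

def map_event(mapping_xml, event):
    """Apply the mapping to one incoming event.

    event maps source-name -> raw string; a missing key or "" stands for an
    empty element. Returns {dest-name: typed value}, with None standing for null.
    """
    result = {}
    for param in ET.fromstring(mapping_xml).iter("parameter"):
        cast = CASTS[param.findtext("dest-type")]
        raw = event.get(param.findtext("source-name"), "")
        if raw != "":
            result[param.findtext("dest-name")] = cast(raw)
            continue
        # Empty element: consult <default>. A parameter with no <default> at
        # all is treated exactly like NULL_IF_NULL.
        default = param.findtext("default", "NULL_IF_NULL")
        if default == "NULL_IF_NULL":
            value = None
        elif default == "EMPTY_STRING_IF_NULL":
            value = ""
        else:
            value = cast(default)  # literal default, e.g. "false" -> False
        result[param.findtext("dest-name")] = value
    return result
```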

5.6.5 Modifying the Outgoing Event Manager

The Outgoing Event Manager configuration defines how messages generated by Oracle Role Manager for role creation and role membership updates are sent to the appropriate integration queue.

To modify the Outgoing Event Manager component:

  1. Navigate to ORM_HOME on the Oracle Role Manager installation host.

  2. From the temporary location where oim_integration.car was extracted, navigate to oim_integration/config/oracle.iam.rm.event.outgoing.

  3. Edit the values in the oim_integration.xml file as needed.

    For detailed information about the settings in this file, see Section 5.6.5.1.

  4. Package your configuration changes with any other changes as described in Section 5.6.7 for deployment.

5.6.5.1 Outgoing Event Manager Settings

The following example shows a configuration for Oracle Role Manager's Outgoing Event Manager. The configuration shown here is the default configuration supporting the Integration Library with Oracle Identity Manager.

Note:

The two events in this configuration, role_membership and delete_object, are configured in this file to send updates to the specified JMS endpoint using the named connection factory. These named resources must correspond to JNDI names defined on the application server hosting Oracle Identity Manager.

Example 5-4 Outgoing Event Manager Configuration Default Values in XML

<event-actions-mapping xmlns="http://xmlns.oracle.com/iam/rm/event/outgoing/1_0">
        <event-actions>
                <event-action>
                        <event-type>role_membership</event-type>
                        <event-dests>
                                <event-dest>
                                        <endpoint>oim/OIMserver/RoleManagerQueue</endpoint>
                                        <connection-factory>/oim/OIMserver/QueueConnectionFactory
                                        </connection-factory>
                                        <message-version-uri>
                                                http://xmlns.oracle.com/iam/rm/schema/event/event/1_0
                                        </message-version-uri>
                                </event-dest>
                        </event-dests>
                </event-action>
                <event-action>
                        <event-type>delete_object</event-type>
                        <event-dests>
                                <event-dest>
                                        <endpoint>oim/OIMserver/RoleManagerQueue</endpoint>
                                        <connection-factory>/oim/OIMserver/QueueConnectionFactory
                                        </connection-factory>
                                        <message-version-uri>
                                                http://xmlns.oracle.com/iam/rm/schema/event/event/1_0
                                        </message-version-uri>
                                </event-dest>
                        </event-dests>
                </event-action>
        </event-actions>
</event-actions-mapping>

Note:

If Oracle Role Manager is deployed on IBM WebSphere Application Server, the default value of both connection-factory elements is orm/jms/QueueConFac.

5.6.6 Modifying the Business Logic for User Reconciliation

The Business Logic configuration defines the reconcileUser operation by associating incoming event parameters with those required by the underlying reconcileEntity plug-in. You may want to edit this file to add attributes to the user data to be sent to Oracle Role Manager from an external system.

To modify the Business Logic component:

  1. Navigate to ORM_HOME on the Oracle Role Manager installation host.

  2. From the temporary location where oim_integration.car was extracted, navigate to oim_integration/config/oracle.iam.rm.bizlogic.def.

  3. Edit the values in the bizlogic.oim_integration.xml file as needed.

    For detailed information about the settings in this file, see Section 5.6.6.1.

  4. Package your configuration changes with any other changes as described in Section 5.6.7 for deployment.

5.6.6.1 Business Logic Settings

The following example shows the default configuration for the Business Logic component of the Integration Library. You can use this XML content as a starting place for customization.

Example 5-5 Business Logic Configuration Default Values in XML

<config xmlns="http://xmlns.oracle.com/iam/rm/bizlogic/def/1_0"
        xmlns:i18n="http://xmlns.oracle.com/iam/rm/i18n/config/1_0"
        xmlns:t="http://xmlns.oracle.com/iam/rm/type/def/1_0"
        id="bizlogic.oim_integration" version="10.1.4">

<dependencies>
        <model-dependency id="standard_permissions" version="3.0.0"/>
</dependencies>
<operations>
        <business-transaction id="reconcileUser" related-object-type="person" permission="manage">
                <title>Reconcile User</title>
                <arguments>
                        <argument id="startTime">
                                <title>Start Date</title>
                                <t:datetime>
                                        <t:default-value>transaction</t:default-value>
                                </t:datetime>
                        </argument>
                        <argument id="deleteFlag">
                                <title>Delete Flag</title>
                                <t:boolean/>
                        </argument>
                        <argument id="oimId">
                                <title>OIM Identifier</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>oimId</related-object-attribute>
                        </argument>
                        <argument id="givenName">
                                <title>First Name</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>givenName</related-object-attribute>
                        </argument>
                        <argument id="sn">
                                <title>Last Name</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>sn</related-object-attribute>
                        </argument>
                        <argument id="displayName">
                                <title>Display Name</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>displayName</related-object-attribute>
                        </argument>
                        <argument id="jobTitle">
                                <title>Job Title</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>jobTitle</related-object-attribute>
                        </argument>
                        <argument id="status">
                                <title>Status</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>status</related-object-attribute>
                        </argument>
                        <argument id="mail">
                                <title>Email</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>mail</related-object-attribute>
                        </argument>
                        <argument id="oimManagerKey">
                                <title>OIM Manager Key</title>
                                <related-object-type>person</related-object-type>
                                <related-object-attribute>oimManagerKey</related-object-attribute>
                        </argument>
                </arguments>
                <snapshot-logic-definition plugin-pack-id="oracle.iam.rm.bizlogic.plugin.standard_ext" plugin-id="reconcile_entity">
                        <ext config-version="1.0">
                                <config>
                                <![CDATA[
                                <reconcile-entity xmlns="http://xmlns.oracle.com/iam/rm/bizlogic/plugin/standard_ext/1_0"
                                        entity-type="person"
                                        identifying-attribute="oimId"
                                        delete-flag-attribute="deleteFlag">
                                        <attributes>
                                                <attribute attribute-id="oimId" argument-id="oimId"/>
                                                <attribute attribute-id="givenName" argument-id="givenName"/>
                                                <attribute attribute-id="sn" argument-id="sn"/>
                                                <attribute attribute-id="displayName" argument-id="displayName"/>
                                                <attribute attribute-id="jobTitle" argument-id="jobTitle"/>
                                                <attribute attribute-id="mail" argument-id="mail"/>
                                                <attribute attribute-id="oimManagerKey" argument-id="oimManagerKey"/>
                                                <attribute attribute-id="status" argument-id="status"/>
                                        </attributes>
                                </reconcile-entity>
                                ]]>
                                </config>
                        </ext>
                        <effective-date>
                                <argument-id>startTime</argument-id>
                        </effective-date>
                </snapshot-logic-definition>
        </business-transaction>
</operations>
</config>
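
A consistency check for the kind of customization Section 5.6.6 describes, as an added example that is not part of the Integration Library: it reads a cut-down, constructed copy of Example 5-5 and reports arguments, plug-in attributes and incoming dest-names that do not line up. The incoming dest-name list is a constructed stand-in for the values delivered by the incoming action mapping shown earlier.

```python
import xml.etree.ElementTree as ET

BIZ_NS = {"b": "http://xmlns.oracle.com/iam/rm/bizlogic/def/1_0"}
PLUGIN_NS = {"p": "http://xmlns.oracle.com/iam/rm/bizlogic/plugin/standard_ext/1_0"}
# Constructed, cut-down copy of Example 5-5 with three deliberate mistakes: an <attribute>
# for "mail" without an argument, an argument "sn" no <attribute> uses, and no "jobTitle".
BIZLOGIC_XML = """<config xmlns="http://xmlns.oracle.com/iam/rm/bizlogic/def/1_0"
        xmlns:t="http://xmlns.oracle.com/iam/rm/type/def/1_0" id="bizlogic.oim_integration">
 <operations><business-transaction id="reconcileUser" related-object-type="person">
  <arguments>
   <argument id="startTime"><t:datetime/></argument>
   <argument id="deleteFlag"><t:boolean/></argument>
   <argument id="oimId"><related-object-attribute>oimId</related-object-attribute></argument>
   <argument id="givenName"><related-object-attribute>givenName</related-object-attribute></argument>
   <argument id="sn"><related-object-attribute>sn</related-object-attribute></argument>
  </arguments>
  <snapshot-logic-definition plugin-id="reconcile_entity"><ext config-version="1.0"><config><![CDATA[
   <reconcile-entity xmlns="http://xmlns.oracle.com/iam/rm/bizlogic/plugin/standard_ext/1_0"
       entity-type="person" identifying-attribute="oimId" delete-flag-attribute="deleteFlag">
    <attributes>
     <attribute attribute-id="oimId" argument-id="oimId"/>
     <attribute attribute-id="givenName" argument-id="givenName"/>
     <attribute attribute-id="mail" argument-id="mail"/>
    </attributes>
   </reconcile-entity>
  ]]></config></ext>
  <effective-date><argument-id>startTime</argument-id></effective-date>
  </snapshot-logic-definition>
 </business-transaction></operations>
</config>"""

# dest-name values an incoming action mapping would deliver (constructed list).
INCOMING_DESTS = ["oimId", "givenName", "mail", "jobTitle", "deleteFlag"]

def check_reconcile_config(bizlogic_xml, incoming_dests):
    """Cross-check declared arguments, plug-in attributes and incoming dest-names."""
    root = ET.fromstring(bizlogic_xml)
    args = {a.get("id") for a in root.iterfind(".//b:argument", BIZ_NS)}
    # The plug-in configuration is CDATA text: parse it as a document of its own.
    plugin = ET.fromstring(root.find(".//b:ext/b:config", BIZ_NS).text.strip())
    referenced = {a.get("argument-id") for a in plugin.iterfind(".//p:attribute", PLUGIN_NS)}
    # startTime is consumed by <effective-date>, deleteFlag by delete-flag-attribute.
    consumed = referenced | {root.findtext(".//b:effective-date/b:argument-id", namespaces=BIZ_NS),
                            plugin.get("delete-flag-attribute")}
    return {
        "dangling_attribute_args": sorted(referenced - args),   # attribute -> missing argument
        "unmapped_incoming": sorted(set(incoming_dests) - args),  # dest-name -> no argument
        "unused_arguments": sorted(args - consumed),              # argument nothing picks up
    }
```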

5.6.7 Packaging Configuration Modifications

After you have made your modifications, the modified XML files must be repackaged into a new CAR (configuration archive) file before they can be deployed to the Oracle Role Manager system.

Note:

The layout of files and directories in the new CAR file must match the layout of the original CAR file before extraction.

To package the modified configuration:

  1. Navigate to the temporary location where oim_integration.car was extracted and where the XML files were modified.

  2. Using a utility such as WinZip or jar, repackage the entire oim_integration directory into a file with the .car extension, for example, oim_integration_custom.car.

    Ensure that the CAR file directory layout is as follows:

    oim_integration/
            config/
                    oracle.iam.rm.approval.def/
                            approval.oim_integration.xml
                    oracle.iam.rm.bizlogic.def/
                            bizlogic.oim_integration.xml
                    oracle.iam.rm.event.incoming/
                            oim_integration.xml
                    oracle.iam.rm.event.outgoing/
                            oim_integration.xml
                    oracle.iam.rm.temporal/
                            oim_integration.xml
                    oracle.iam.rm.timer/
                            approverRolePublishingTimer.xml
                            businessRolePublishingTimer.xml
                            itRolePublishingTimer.xml
    

    If it does not match this layout, fix the layout and repackage the CAR file.

  3. Include this file in the collection of CAR files as part of the deploy command described in Section 5.1, "Deploying the Integration Library Configuration."
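
The layout check called for in step 2, as an added example that is not part of the Integration Library: a CAR is a zip archive, so the required entry paths can be compared with what the repackaged file actually contains. The archives built here are constructed in memory with placeholder XML content.

```python
import io
import zipfile

# Entry layout required by Section 5.6.7 (paths inside the CAR, relative to its root).
EXPECTED_ENTRIES = {
    "oim_integration/config/oracle.iam.rm.approval.def/approval.oim_integration.xml",
    "oim_integration/config/oracle.iam.rm.bizlogic.def/bizlogic.oim_integration.xml",
    "oim_integration/config/oracle.iam.rm.event.incoming/oim_integration.xml",
    "oim_integration/config/oracle.iam.rm.event.outgoing/oim_integration.xml",
    "oim_integration/config/oracle.iam.rm.temporal/oim_integration.xml",
    "oim_integration/config/oracle.iam.rm.timer/approverRolePublishingTimer.xml",
    "oim_integration/config/oracle.iam.rm.timer/businessRolePublishingTimer.xml",
    "oim_integration/config/oracle.iam.rm.timer/itRolePublishingTimer.xml",
}

def build_car(files):
    """Package {entry path: xml text} into an in-memory CAR (a plain zip, as
    WinZip or jar would produce) and return the archive bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in sorted(files.items()):
            zf.writestr(name, text)
    return buf.getvalue()

def car_layout_problems(car_bytes):
    """Compare the archive's file entries with the required layout.
    Returns (missing, unexpected); both empty means the layout matches."""
    with zipfile.ZipFile(io.BytesIO(car_bytes)) as zf:
        entries = {i.filename for i in zf.infolist() if not i.is_dir()}
    return sorted(EXPECTED_ENTRIES - entries), sorted(entries - EXPECTED_ENTRIES)

# Constructed archives: a correct one, one zipped from inside the oim_integration
# directory (so the top-level directory is lost), and one missing a timer file.
CORRECT = build_car({p: "<x/>" for p in EXPECTED_ENTRIES})
WRONG_ROOT = build_car({p[len("oim_integration/"):]: "<x/>" for p in EXPECTED_ENTRIES})
MISSING_TIMER = build_car({p: "<x/>" for p in EXPECTED_ENTRIES
                           if not p.endswith("itRolePublishingTimer.xml")})
```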