2 Deploying the Connector

Deploying the connector involves the following steps:

• Section 2.1, "Preinstallation"

• Section 2.2, "Installation"

• Section 2.3, "Postinstallation"

2.1 Preinstallation

Preinstallation information is divided across the following sections:

• Section 2.1.1, "Preinstallation on Oracle Identity Manager"

• Section 2.1.2, "Preinstallation on the Target System"

2.1.1 Preinstallation on Oracle Identity Manager

This section contains the following topics:

• Section 2.1.1.1, "Files and Directories on the Installation Media"

• Section 2.1.1.2, "Determining the Release Number of the Connector"

• Section 2.1.1.3, "Creating a Backup of the Existing Common.jar File"

2.1.1.1 Files and Directories on the Installation Media

Table 2-1 lists the files and directories on the installation media.

Table 2-1 Files and Directories on the Installation Media

File in the Installation Media Directory	Description
configuration/Peoplesoft_User-Management-CI.xml	This XML file contains configuration information that is used during connector installation.
lib/PSFTUM.jar	This JAR file contains the class files that are specific to PeopleSoft reconciliation and provisioning. During connector deployment, this file is copied to the following location: For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/JavaTasks For Oracle Identity Manager release 11.1.1: Oracle Identity Manager database
lib/Common.jar	This JAR file contains the class files that are common to all connectors. During connector deployment, this file is copied to the following location: For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/JavaTasks For Oracle Identity Manager release 11.1.1: Oracle Identity Manager database
lib/PSFTCommon.jar	This JAR file contains PeopleSoft-specific files common to both Employee Reconciliation and User Management versions of the connector. During connector deployment, this file is copied to the following location: For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/JavaTasks For Oracle Identity Manager release 11.1.1: Oracle Identity Manager database
lib/CustomClassLoader.jar	This JAR file contains the class files that are needed to load the target system-specific JAR files at run time, for example psjoa.jar.
lib/PeopleSoftOIMListener.war lib/PeopleSoftOIMListener.ear	This Web Archive (WAR) file contains the classes and configuration files required to implement incremental reconciliation. This Enterprise Archive (EAR) file contains one or more entries representing the modules of the Web application to be deployed onto an application server. During connector deployment: On Oracle Identity Manager release 9.1.0.x, the PeopleSoft listener is deployed as a WAR file. On Oracle Identity Manager release 11.1.1, the PeopleSoft listener is deployed as an EAR file.
The following files in the peoplecode directory: CurrencyCode.txt EmailType.txt LanguageCode.txt PermissionList.txt UserRoles.txt The following project files in the peoplecode directory: OIM_UM OIM_UM_DELETE	These files contain the PeopleCode for the steps that you define for the Application Engine program. This is explained in "Creating the Application Engine Program". The project files contain the PeopleCode for the steps that you define for importing a Project from Application Designer. This is explained in Section 2.1.2.1, "Importing a Project from Application Designer." Each project file contains two files with .ini and .xml extension that has the same name as the project. They are listed as follows: OIM_UM.ini OIM_UM.xml OIM_UM_DELETE.ini OIM_UM_DELETE.xml
test/scripts/InvokeListener.bat test/scripts/InvokeListener.sh	This BAT file and the UNIX shell script call the testing utility for reconciliation.
test/scripts/PeoplesoftTestingUtility.bat test/scripts/PeoplesoftTestingUtility.sh	This BAT file and the UNIX shell script call the testing utility for provisioning.
test/config/reconConfig.properties test/config/log.properties	These files are used by theInvokeListener.bat file. The reconConfig.properties file contains configuration information for running the InvokeListener.bat file. The log.properties file contains logger information.
test/config/config.properties	This file is used to specify the parameters and settings required to connect, create, update, and delete users in the target system by using the testing utility for provisioning.
Files in the resources directory	Each of these resource bundles contains language-specific information that is used by the connector. During connector deployment, this file is copied to the following location: For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/ConnectorResources For Oracle Identity Manager release 11.1.1: Oracle Identity Manager database Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages.
xml/PeoplesoftUserManagement-ConnectorConfig.xml	This XML file contains definitions for the connector components: IT resource type Scheduled tasks IT resource Resource objects (This file contains the configurations of the resource objects for the target resource.) Process definition Process tasks Adapters Process form
JavaDoc	This directory contains information about the Java APIs used by the connector.

2.1.1.2 Determining the Release Number of the Connector

Note: If you are using Oracle Identity Manager release 9.1.0.x, then the procedure described in this section is optional. If you are using Oracle Identity Manager release 11.1.1, then skip this section.

You might have a deployment of an earlier release of the connector. While deploying the current release, you might want to know the release number of the earlier release. To determine the release number of a connector that has been deployed:

1. In a temporary directory, extract the contents of the following JAR file:

   OIM_HOME/xellerate/JavaTasks/PSFTUM.jar

2. Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the PSFTUM.jar file.

   In the Manifest.mf file, the release number of the connector is displayed as the value of the Version property.

2.1.1.3 Creating a Backup of the Existing Common.jar File

The Common.jar file is in the deployment package of each 9.1.x release of the connector. With each new release, code corresponding to that particular release is added to the existing code in this file. For example, the Common.jar file shipped with Connector Y on 12-July contains:

• Code specific to Connector Y

• Code included in the Common.jar files shipped with all other 9.1.x release of the connectors that were released before 12-July

If you have installed a release 9.1.x connector that was released after the current release of the PeopleSoft User Management connector, back up the existing Common.jar file, install the PeopleSoft User Management connector, and then restore the Common.jar file. The steps to perform this procedure are as follows:

Caution: If you do not perform this procedure, then your release 9.1.x connectors might not work.

1. Determine the release date of your existing release 9.1.x connector as follows:

   1. Extract the contents of the following file in a temporary directory:

      OIM_HOME/xellerate/JavaTasks/Common.jar

      
      

      Note: On Oracle Identity Manager release 11.1.1, use either DownloadJars.sh or DownloadJars.bat to download the common.jar file from the database, and then extract the contents of this file into a temporary directory. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for instructions about using the Download JARs utility.

      
      

   2. Open the Manifest.mf file in a text editor.

   3. Note down the Build Date and Build Version values.

2. Determine the Build Date and Build Version values of the current release of the PeopleSoft User Management connector as follows:

   1. On the installation media for the connector, extract the contents of the lib/Common.jar and then open the Manifest.mf file in a text editor.

   2. Note down the Build Date and Build Version values.

3. If the Build Date and Build Version values for the PeopleSoft User Management connector are less than the Build Date and Build Version values for the connector that is installed, then:

   • If you are using Oracle Identity Manager release 9.1.0.x, then:

     1. Copy the OIM_HOME/xellerate/JavaTasks/Common.jar to a temporary location.

     2. After you perform the procedure described in Section 2.2, "Installation" overwrite the new Common.jar file in the OIM_HOME/xellerate/JavaTasks directory with the Common.jar file that you backed up in the preceding step.

   • If you are using Oracle Identity Manager release 11.1.1, then run the Oracle Identity Manager Upload JARs utility to post the Common.jar file to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:

     
     

     Note: Before you use the utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.

     
     

     For Microsoft Windows:

     OIM_HOME/server/bin/UploadJars.bat
     

     For UNIX:

     OIM_HOME/server/bin/UploadJars.sh
     

     When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.

     
     

     See Also: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about the Upload JARs utility

     
     

2.1.2 Preinstallation on the Target System

Permission lists, roles, and user profiles are building blocks of PeopleSoft security. Each user of the system has an individual user profile, which in turn is linked to one or more roles. To each role, you can add one or more permission lists, which defines what a user can access. So, a user inherits permissions through the role that is attached to a user profile.

You must create limited rights users who have restricted rights to access resources in the production environment to perform PeopleSoft-specific installation or maintenance operations. A limited rights user has the privilege to invoke PeopleSoft User Profile Component Interface Java APIs for provisioning.

The preinstallation steps consist of creating a user account with limited rights. Permission lists may contain any number of accesses, such as the Web libraries permission, Web services permissions, page permissions, and so on. You attach this permission list to a role, which in turn is linked to a user profile.

This section describes the following procedures, which have to be performed on the target system to create a user account with limited rights:

• Section 2.1.2.1, "Importing a Project from Application Designer"

• Section 2.1.2.2, "Creating a Target System User Account for Connector Operations"

2.1.2.1 Importing a Project from Application Designer

A PeopleSoft Application Designer project is an efficient way to configure your application.

You can import the OIM_UM project created in Application Designer to automate the steps for creating a permission list. You can also create a permission list by manually performing the steps described in Section 2.1.2.2.1, "Creating a Permission List." If you import the OIM_UM project, then you need not perform the steps mentioned in this section. You must perform a separate set of instructions for creating an Application Engine program if you have imported the project. See "Creating the Application Engine Program" for details.

Note: If you install, uninstall, or upgrade the same project repeatedly, the earlier project definition will be overwritten in the database.

To import a project from Application Designer:

Note: You can access the project files from the following directory: For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/XLIntegrations/PSFTUM/peoplecode/OIM_UM OIM_HOME/xellerate/XLIntegrations/PSFTUM/peoplecode/OIM_UM_DELETE For Oracle Identity Manager release 11.1.1: OIM_HOME/server/XLIntegrations/PSFTUM/peoplecode/OIM_UM OIM_HOME/server/XLIntegrations/PSFTUM/peoplecode/OIM_UM_DELETE Copy these files to a directory on your computer from where you can access Application Designer.

1. To open Application Designer in 2-tier mode, click Start, Programs, Peoplesoft8.x, and then Application Designer.

2. From the Tools menu, click Copy Project and then From File.

   
   

   The Copy From File : Select Project dialog box appears.

3. Navigate to the directory in which the PeopleSoft project file is placed.

   The project files are present in the /peoplecode directory of the installation media. Place these files in a new folder so that is accessible by the Application Designer program. Ensure that the folder name is the same as that of the project you are importing.

   For example, place the OIM_UM.ini and OIM_UM.xml in OIM_UM folder.

4. Select the project from the Select Project from the List Below region. The name of the project file is OIM_UM.

   
   

5. Click Select.

6. Click Copy.

Note: You can remove the PeopleSoft project file and all its objects from the target system if needed. To do so, repeat the steps described in the preceding procedure. When you reach Step 4, select OIM_UM_DELETE from the Select Project from the List Below region.

2.1.2.2 Creating a Target System User Account for Connector Operations

You must create a target system account with privileges required for connector operations. The user account created on the target system has the permission to perform all the configurations required for connector operations. This includes configuring the PeopleSoft Integration Broker for full reconciliation and incremental reconciliation. This account does not have access to pages or components that are not required by the connector.

The following section describes the procedures to create a target system account:

Note: For creating the target system account, you must log in to PeopleSoft Internet Architecture with administrator credentials.

• Section 2.1.2.2.1, "Creating a Permission List"

• Section 2.1.2.2.2, "Creating a Role for a Limited Rights User"

• Section 2.1.2.2.3, "Assigning the Required Privileges to the Target System Account"

2.1.2.2.1 Creating a Permission List

To create a permission list:

Note: You can skip this section if you have imported a project from Application Designer. See Section 2.1.2.1, "Importing a Project from Application Designer" for more information.

1. Open a Web browser and enter the URL for PeopleSoft Internet Architecture. The URL is in the following format:

   http://IPADDRESS:PORT/psp/ps/?cmd=login
   

   For example:

   http://172.21.109.69:9080/psp/ps/?cmd=login
   

2. In the PeopleSoft Internet Architecture window, click PeopleTools, Security, Permissions & Roles, and then click Permission Lists.

3. Click Add a new Value. On the Add a New Value tab, enter the permission list name, for example, OIMUM and then click Add.

4. On the General tab, enter a description for the permission list in the Description field.

5. On the Component Interfaces tab, click the search icon for the Name field and perform the following:

   1. In the Name lookup, enter USER_PROFILE and then click Lookup. From the list, select USER_PROFILE. The application returns to the Component Interfaces tab. Click Edit.

   2. On the Component Interface Permissions page, click Full Access(All).

   3. Click OK and then click Save.

   4. Click the plus sign (+) to add a row for the Name field and repeat Steps a through c for the DELETE_USER_PROFILE component interface.

6. On the Pages tab, click the search icon for Menu Name and perform the following:

   1. In the Menu Name lookup, enter APPLICATION_ENGINE and then click Lookup. From the list, select APPLICATION_ENGINE. The application returns to the Pages tab. Click Edit Components.

   2. On the Component Permissions page, click Edit Pages for the AE_REQUEST component name.

   3. Click Select All, and then click OK. Click OK on the Components Permissions page.

   4. On the Pages tab, click the plus sign (+) to add a row for Menu Name. Click the search icon for Menu Name. In the Menu Name lookup, enter IB_PROFILE and then click Lookup. From the list, select IB_PROFILE. The application returns to the Pages tab. Click Edit Components.

   5. On the Component Permissions page, click Edit Pages for each of the following component names:

      IB_GATEWAY

      IB_MESSAGE_BUILDER

      IB_MONITOR_QUEUES

      IB_NODE

      IB_OPERATION

      IB_QUEUEDEFN

      IB_ROUTINGDEFN

      IB_SERVICE

      IB_SERVICEDEFN

      IB_MONITOR

   6. Click Select All, and then click OK for each of the components. Click OK on the Components Permissions page.

   7. On the Pages tab, click the plus sign (+) to add another row for Menu Name.

   8. In the Menu Name lookup, enter PROCESSMONITOR and then click Lookup. From the list, select PROCESSMONITOR. The application returns to the Pages tab. Click Edit Components.

   9. On the Component Permissions page, click Edit Pages for the PROCESSMONITOR component name.

   10. Click Select All, and then click OK. Click OK on the Components Permissions page.

   11. On the Pages tab, click the plus sign (+) to add another row for Menu Name.

   12. In the Menu Name lookup, enter PROCESS_SCHEDULER and then click Lookup. From the list, select PROCESS_SCHEDULER. The application returns to the Pages tab. Click Edit Components.

   13. On the Component Permissions page, click Edit Pages for the PRCSDEFN component name.

   14. Click Select All, and then click OK. Click OK on the Components Permissions page.

7. On the People Tools tab, select the Application Designer Access check box and click the Definition Permissions link. The Definition Permissions page is displayed.

8. On this page, grant full access to the following object types by selecting Full Access from the Access list:

   • App Engine Program

   • Message

   • Component Interface

   • Project

   • Application Package

9. Click OK.

10. Click the Tools Permissions link. The Tools Permissions page is displayed. On this page, grant full access to the SQL Editor tool by selecting Full Access from the Access list.

11. Click OK. The application returns to the People Tools tab.

12. On the Web Libraries tab, click the search icon for the Web Library Name field and perform the following:

    1. In the Web Library Name lookup, enter WEBLIB_PORTAL and then click Lookup. From the list, select WEBLIB_PORTAL. The application returns to the Web Libraries tab. Click the Edit link.

    2. On the WebLib Permissions page, click Full Access(All).

    3. Click OK and then click Save.

    4. Click the plus sign (+) to add a row for the Web Library Name field and repeat Steps a through c for the WEBLIB_PT_NAV library.

    5. Click Save to save all the settings specified for the permission list.

13. On the Process tab, click the Process Group Permissions link. The Process Group Permission page is displayed.

14. In the Process Group lookup, click the search icon. From the list, select TLSALL. The application returns to the Process Group Permission page.

15. Click the plus sign (+) to add another row for Process Group.

16. In the Process Group lookup, click the search icon. From the list, select STALL. The application returns to the Process Group Permission page.

17. Click OK.

18. Click Save.

2.1.2.2.2 Creating a Role for a Limited Rights User

To create a role for a limited rights user:

1. Open a Web browser and enter the URL for PeopleSoft Internet Architecture. The URL is in the following format:

   http://IPADDRESS:PORT/psp/ps/?cmd=login
   

   For example:

   http://172.21.109.69:9080/psp/ps/?cmd=login
   

2. In the PeopleSoft Internet Architecture window, click PeopleTools, Security, Permissions & Roles, and then click Roles.

3. Click Add a new Value. On the Add a New Value tab, enter the role name, for example, OIMUM, and then click Add.

4. On the General tab, enter a description for the role in the Description field.

5. On the Permission Lists tab, click the search icon and perform the following:

   1. In the Permission Lists lookup, enter OIMUM and then click Lookup. From the list, select OIMUM.

   2. Click the plus sign (+) to add another row.

   3. In the Permission Lists lookup, enter EOEI9000 and then click Lookup. From the list, select EOEI9000.

   4. Click the plus sign (+) to add another row.

   5. In the Permission Lists lookup, enter EOCO9000 and then click Lookup. From the list, select EOCO9000.

   6. Click Save.

2.1.2.2.3 Assigning the Required Privileges to the Target System Account

To assign the required privileges to a user:

1. Open a Web browser and enter the URL for PeopleSoft Internet Architecture. The URL is in the following format:

   http://IPADDRESS:PORT/psp/ps/?cmd=login
   

   For example:

   http://172.21.109.69:9080/psp/ps/?cmd=login
   

2. In the PeopleSoft Internet Architecture window, click PeopleTools, Security, User Profiles, and then click User Profiles.

3. Click Add a new Value. On the Add a New Value tab, enter the user profile name, for example, OIMUM, and then click Add.

4. On the General tab, perform the following:

   1. From the Symbolic ID list, select the value that is displayed, for example, SYSADM1.

   2. Enter valid values for the Password and Confirm Password fields.

   3. Click the search icon for the Process Profile permission list.

   4. In the Process Profile lookup, enter OIMUM and then click Lookup. From the list, select OIMUM. The application returns to the General tab.

5. On the ID tab, select none as the value of the ID type.

6. On the Roles tab, click the search icon and perform the following:

   1. In the Roles lookup, enter OIMUM and then click Lookup. From the list, select OIMUM.

   2. Click the plus sign (+) to add another row.

   3. In the Roles lookup, enter ProcessSchedulerAdmin and then click Lookup. From the list, select ProcessSchedulerAdmin.

   4. Click the plus sign (+) to add another row.

   5. In the Roles lookup, enter EIR Administrator and then click Lookup. From the list, select EIR Administrator.

   6. Click Save to save this user profile.

      Oracle Identity Manager uses this profile for the Admin user parameter in IT resource to enable the connector to perform provisioning operations. This profile is also used for a user with limited rights in PeopleSoft for performing all reconciliation-related configurations.

2.2 Installation

Installation information is divided across the following sections:

• Section 2.2.1, "Installation on Oracle Identity Manager"

• Section 2.2.2, "Installation on the Target System"

2.2.1 Installation on Oracle Identity Manager

Installation on Oracle Identity Manager consists of the following procedures:

• Section 2.2.1.1, "Running the Connector Installer"

• Section 2.2.1.2, "Copying the Connector Files and External Code Files"

• Section 2.2.1.3, "Configuring the IT Resource"

• Section 2.2.1.4, "Configuring the Connector to Support Multiple Versions of the Target System"

• Section 2.2.1.5, "Deploying the PeopleSoft Listener"

• Section 2.2.1.6, "Removing the PeopleSoft Listener"

2.2.1.1 Running the Connector Installer

Note: In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Administrative and User Console. Direct provisioning is automatically enabled after you run the Connector Installer. If required, you can enable request-based provisioning in the connector. Direct provisioning is automatically disabled when you enable request-based provisioning. See Section 2.3.1.8, "Enabling Request-Based Provisioning" if you want to use the request-based provisioning feature for this target system.

To run the Connector Installer:

1. Copy the contents of the connector installation media directory into the following directory:

   
   

   Note: In an Oracle Identity Manager cluster, perform this step on each node of the cluster.

   
   

   • For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/ConnectorDefaultDirectory

   • For Oracle Identity Manager release 11.1.1: OIM_HOME/server/ConnectorDefaultDirectory

2. Log in to the Administrative and User Console by using the user account described in the "Creating the User Account for Installing Connectors" section of Oracle Identity Manager Administrative and User Console Guide.

3. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

   • For Oracle Identity Manager release 9.1.0.x:

     Click Deployment Management, and then click Install Connector.

   • For Oracle Identity Manager release 11.1.1:

     On the Welcome to Identity Manager Advanced Administration page, under the System Management section, click Install Connector.

4. From the Connector List list, select PeopleSoft User Management 9.1.1. This list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory in Step 1.

   If you have copied the installation files into a different directory, then:

   1. In the Alternative Directory field, enter the full path and name of that directory.

   2. To repopulate the list of connectors in the Connector List list, click Refresh.

   3. From the Connector List list, select PeopleSoft User Management 9.1.1.

5. Click Load.

6. To start the installation process, click Continue.

   The following tasks are performed, in sequence:

   1. Configuration of connector libraries

   2. Import of the connector XML files (by using the Deployment Manager)

   3. Compilation of adapters

   On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure is displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:

   • Retry the installation by clicking Retry.

   • Cancel the installation and begin again from Step 1.

7. If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of steps that you must perform after the installation is displayed. These steps are as follows:

   
   

   Note: At this stage, run the PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Section 2.3.1.1, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for information about running the PurgeCache utility. There are no prerequisites for some predefined connectors.

   
   

   1. Ensuring that the prerequisites for using the connector are addressed

   2. Configuring the IT resource for the connector

      Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is described later in this guide.

   3. Configuring the scheduled tasks

      Record the names of the scheduled tasks displayed on this page. The procedure to configure these scheduled tasks is described later in this guide.

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-2.

Table 2-2 Files Copied to Oracle Identity Manager

File in the Installation Media Directory	Destination for Oracle Identity Manager Release 9.1.0.x	Destination for Oracle Identity Manager Release 11.1.1
lib/Common.jar	OIM_HOME/xellerate/JavaTasks	Oracle Identity Manager database
lib/PSFTCommon.jar	OIM_HOME/xellerate/JavaTasks	Oracle Identity Manager database
lib/PSFTUM.jar	OIM_HOME/xellerate/JavaTasks	Oracle Identity Manager database
lib/CustomClassLoader.jar	OIM_HOME/xellerate/JavaTasks	Oracle Identity Manager database
lib/PesopleSoftOIMListener.war lib/PesopleSoftOIMListener.ear	To be deployed on the application server To deploy the application on Oracle Identity Manager release 9.1.0.x, see Section 2.2.1.5.1, "Deploying the PeopleSoft Listener on Oracle Identity Manager Release 9.1.0.x."	To be deployed on the application server To deploy the application on Oracle Identity Manager release 11.1.1, see Section 2.2.1.5.2, "Deploying the PeopleSoft Listener on Oracle Identity Manager Release 11.1.1."

Installing the Connector in an Oracle Identity Manager Cluster

While installing the connector in a cluster, you must copy all the JAR files and the contents of the resources directory into the destination directories on each node of the cluster. Then, restart each node. See Section 2.1.1.2, "Determining the Release Number of the Connector" for information about the files that you must copy and their destination locations on the Oracle Identity Manager host computer.

Restoring the Common.jar File

If required, restore the Common.jar file that you had backed up by following the procedure described in Section 2.1.1.3, "Creating a Backup of the Existing Common.jar File."

2.2.1.2 Copying the Connector Files and External Code Files

Table 2-3 lists all the files that you must copy manually and the directories on the Oracle Identity Manager host computer to which you must copy them.

Note: While installing Oracle Identity Manager in a cluster, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy the contents of the connectorResources directory and the JAR files to the corresponding directories on each node of the cluster. The directory paths given in the first column of this table correspond to the location of the connector files on the installation media. See Section 2.1.1.1, "Files and Directories on the Installation Media" for more information about these files. If a particular destination directory does not exist on the Oracle Identity Manager host computer, then create it.

Table 2-3 Files to Be Copied to the Oracle Identity Manager Host Computer

File in the Installation Media Directory	Destination for Oracle Identity Manager Release 9.1.0.x	Destination for Oracle Identity Manager Release 11.1.1
lib/PeopleSoftOIMListener.war lib/PeopleSoftOIMListener.ear	OIM_HOME/xellerate/XLIntegrations/PSFTUM/WAR	OIM_HOME/server/XLIntegrations/PSFTUM/EAR
Files in the peoplecode directory	OIM_HOME/xellerate/XLIntegrations/PSFTUM/peoplecode	OIM_HOME/server/XLIntegrations/PSFTUM/peoplecode
Files in the test/scripts directory	OIM_HOME/xellerate/XLIntegrations/PSFTUM/scripts	OIM_HOME/server/XLIntegrations/PSFTUM/scripts
Files in the test/config directory	OIM_HOME/xellerate/XLIntegrations/PSFTUM/config	OIM_HOME/server/XLIntegrations/PSFTUM/config

After you copy the connector files, copy the following files from the PEOPLESOFT_HOME/web/psjoa directory on the target system computer into the OIM_HOME/xellerate/ThirdParty directory.

Note: These files should be copied only if one version of the target system is supported, and the Multiple Version Support parameter in Lookup.PSFT.Configuration is set to No.

• psjoa.jar

  This JAR file contains the compiled Java classes required by Oracle Identity Manager to remotely connect to the target system.

• peoplesoft.jar

  This JAR file contains APIs for the USER_PROFILE and DELETE_USER_PROFILE component interfaces.

  The Section 2.2.2.4, "Configuring the Target System for Provisioning" provides information about the procedure to generate this file for the specific release of PeopleTools (8.49) that you are using.

  
  

  Note: The supported JDK and JRE versions are linked to the PeopleTools version you are using. For PeopleTools 8.49, the supported JDK version is 1.5.0.

  
  

2.2.1.3 Configuring the IT Resource

The IT resource for the target system contains connection information about the target system. Oracle Identity Manager uses this information during provisioning and reconciliation.

When you run the Connector Installer, the PSFT Server IT resource is automatically created in Oracle Identity Manager. You must specify values for the parameters of this IT resource as follows:

1. Log in to the Administrative and User Console.

2. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

   • If you are using Oracle Identity Manager release 9.1.0.x, expand Resource Management, and then click Manage IT Resource.

   • If you are using Oracle Identity Manager release 11.1.1, then:

     1. On the Welcome to Oracle Identity Manager Self Service page, click Advanced.

     2. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.

3. In the IT Resource Name field on the Manage IT Resource page, enter PSFT UM Server and then click Search.

4. Click the edit icon for the IT resource.

5. From the list at the top of the page, select Details and Parameters.

6. Specify values for the parameters of the IT resource. Table 2-4 describes each parameter.

   Table 2-4 IT Resource Parameters

   Parameter	Description
   Admin	Enter the user name of the target system account to be used for connector operations. You create this account by performing the procedure described in the Section 2.1.2.2, "Creating a Target System User Account for Connector Operations" section. Sample value: PS
   AdminCredentials	Enter the password of the target system account specified by the Admin ID parameter.
   Configuration Lookup	This parameter holds the name of the lookup definition that contains configuration information. Default value: Lookup.PSFT.Configuration Note: You must not change the value of this parameter. However, if you create a copy of all the connector objects, then you can specify the unique name of the copy of this lookup definition as the value of the Configuration Lookup Name parameter in the copy of the IT resource.
   IsActive	This parameter is used to specify whether the specified IT Resource is in use or not. When Yes, the message from PeopleSoft is validated against this parameter apart from the IT Resource name. If it is No, then the message from the PeopleSoft target is rejected and is not parsed. Default value: Yes
   JAR File Location	Location of JAR files to support multiple PeopleSoft versions. Sample value: C:\psft849Jars Note: The connector reads the value of this attribute when the Multiple Version Support parameter in the Lookup.PSFT.Configuration lookup definition is set to Yes. See Section 2.2.1.4, "Configuring the Connector to Support Multiple Versions of the Target System" for more information.
   Jolt URL	URL of the computer hosting the PeopleSoft application server. Format: TARGET COMPUTER IPADDRESS or HOSTNAME:PORT Sample value: 172.21.109.65:9070 See "Determining the Jolt Listener Port" for instructions to locate the Jolt Listener port. Note: If you have implemented high availability for PeopleSoft Application Servers, then you need not perform any additional step on Oracle Identity Manager for provisioning to work. You have to provide the correct Jolt URL according to your high availability set up for PeopleSoft Application Servers. For more information about high availability, see Red Paper on Clustering and High Availability for Enterprise Tools 8.4x on Oracle Support and Working with Jolt Configuration Options in the PeopleBook Enterprise PeopleTools 8.49 PeopleBook: System and Server Administration.
   TopologyName	If you have installed the OAACG SIL provider, then enter oaacgpsft. Default value: None See Section 2.3.1.7.2, "Specifying a Value for the TopologyName IT Resource Parameter" for more information.
   Connection Pooling Parameters
   Abandoned connection timeout	Time (in seconds) after which a connection must be automatically closed if it is not returned to the pool Note: You must set this parameter to a value that is high enough to accommodate processes that take a long time to complete (for example, full reconciliation). Default value: 600
   Connection wait timeout	Maximum time (in seconds) for which the connector must wait for a connection to be available Default value: 60
   DelayBetweenRetries	Use this parameter to specify the time difference between consecutive retries (in milliseconds). Default value: 20000
   Inactive connection timeout	Time (in seconds) of inactivity after which a connection must be dropped and replaced by a new connection in the pool Default value: 600
   Initial pool size	Number of connections that must be established when the connection pool is initialized The pool is initialized when it receives the first connection request from a connector. Default value: 1 Sample value: 3
   Max pool size	Maximum number of connections that must be established in the pool at any point of time This number includes the connections that have been borrowed from the pool. Default value: 100 Sample value: 30
   Min pool size	Minimum number of connections that must be in the pool at any point of time This number includes the connections that have been borrowed from the pool. Default value: 5
   Validate connection on borrow	Specifies whether a connection must be validated before it is lent by the pool The value can be true or false. It is recommended that you set the value to true. Default value: true
   Timeout check interval	Time interval (in seconds) at which the timeouts specified by the other parameters must be checked Default value: 30
   Pool preference	Preferred connection pooling implementation Value: Default Note: Do not change the value of this parameter.
   Connection pooling supported	Enter true to enable connection pooling for this target system installation. Otherwise, enter False. Default value: False
   Target supports only one connection	Indicates whether the target system can support one or more connections at a time Value: false Note: Do not change the value of this parameter.
   ResourceConnection class definition	Implementation of the ResourceConnection class Default value: oracle.iam.connectors.psft.usermgmt.integration.PSFTResourceConnectionImpl Note: Do not change the value of this parameter.
   Native connection pool class definition	Wrapper to the native pool mechanism that implements the GenericPool Note: Do not specify a value for this parameter.
   NumberOfRetries	Use this parameter to specify the number of times Oracle Identity Manager must try connecting to the target system. Default value: 2 Note: The timeout feature is enabled only for full reconciliation.
   Pool excluded fields	Comma-separated list of IT parameters whose change should not trigger a refresh of the connector pool Default value: Is Active,Configuration Lookup Note: You must not change the value of this parameter.

   
   

7. To save the values, click Update.

Determining the Jolt Listener Port

You can obtain the Jolt Listener port number from the PeopleSoft Application Server configuration file, psappsrv.cfg.

To locate the Jolt Listener Port:

1. Log in to the computer where you have deployed the Application Server.

2. Navigate to the folder where you have deployed PeopleTools, for example, the PT8.49 folder for PeopleTools 8.49.

3. Navigate to the appserv folder.

4. Navigate to the folder that corresponds to the name of your application server.

5. Open the psappsrv.cfg file using WordPad.

   The following is an example location for the file:

   C:\PT8.49\appserv\HR8DMO\psappsrv.cfg
   

   
   

   Note: You must not modify the contents of the file.

   
   

6. Search for the following text in the file:

   [JOLT Listener]
   ;=========================================================================
   ; Settings for JOLT Listener
   ;=========================================================================
   

   Search for the string Port. This provides you the value for the Jolt Listener port.

2.2.1.4 Configuring the Connector to Support Multiple Versions of the Target System

You might want to configure the connector for different versions of the target system simultaneously. For example, you can use the connector to perform provisioning operations on both PeopleTools 8.48 and PeopleTools 8.49 simultaneously. The following example illustrates this requirement:

To meet the requirement posed by such a scenario:

The London and New York offices of Example Multinational Inc. have their own installations of the target system. The London office has PeopleTools 8.48 installation, while the New York office has PeopleTools 8.49 installation. You have to provision resources on both installations of PeopleTools simultaneously.

Now, with this release, you can configure a single version of the connector to simultaneously provision the resources on both the versions of the target system. The connector uses a class loading mechanism, which toggles between the different versions of the installation. You only need to place the target system-specific JAR files on the computer that hosts Oracle Identity Manager.

To configure the connector to support multiple versions of the target system:

1. Copy lib/PSFTUM.jar in a temporary directory, and extract the following class from the JAR file:

   PSFTUMUserProxyProvisonManager.class

   Sample temporary directory: c:\temp

2. Run the following command to extract the class file from the JAR file:

   jar -xvf PSFTUM.jar
   

   
   

   Note: You can also run the WinZip or WinRAR utility to extract the contents from the JAR file.

   
   

3. Copy PSFTUMUserProxyProvisonManager.class to another location.

   For example:

   c:\temp1\oracle\iam\connectors\psft\usermgmt\integration

4. Create a new JAR file, PeopleSoftProxy.jar that contains the extracted PSFTUMUserProxyProvisonManager.class file present in the directory defined in Step 3 as follows:

   1. Open the command prompt and navigate to the following directory:

      c:\temp1

   2. Run the following command:

      Jar -cvf PeopleSoftProxy.jar oracle .
      

5. Create a new JAR file, PSFTUM.jar, which contains the manifest file as follows:

   1. Open the command prompt and navigate to the following directory:

      c:\temp

   2. Run the following command:

      jar -cMvf PSFTUM.jar manifest-inclusion-file ./META-INF/MANIFEST.MF ./oracle
      

      
      

      Note: You must ensure that the PSFTUM.jar file does not contain the PSFTUMUserProxyProvisonManager.class file.

      
      

6. Depending on the Oracle Identity Manager release that you are using, perform one of the following steps:

   • If you are using Oracle Identity Manager release 9.1.0.x, then copy the PSFTUM.jar file to OIM_HOME/xellerate/JavaTasks.

   • If you are using Oracle Identity Manager release 11.1.1, then run the Upload JARs utility to post the Common.jar file to the Oracle Identity Manager database. This utility is copied to the following location when you install Oracle Identity Manager:

     
     

     Note: Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.

     
     

     For Microsoft Windows:

     OIM_HOME/server/bin/UploadJars.bat
     

     For UNIX:

     OIM_HOME/server/bin/UploadJars.sh
     

     When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.

     
     

     See Also: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about the Upload JARs utility

     
     

7. Create a directory, for example PSFT849, which is accessible from Oracle Identity Manager.

   
   

   Note: Ensure that the directory resides outside the Oracle Identity Manager classpath. In other words, the directory should be created outside the Oracle Identity Manager installation directory.

   
   

8. Copy the following JAR files in the directory created in Step 5:

   • PeopleSoftProxy.jar

   • lib/common.jar

   • lib/PSFTCommon.jar

   • psjoa.jar (target specific)

   • peoplesoft.jar (target specific)

9. Provide the full path of the directory created in Step 5 in the IT resource attribute, Jar File Location, of the ITResource instance for PeopleSoft 8.49.

   Repeat the preceding procedure for the other version of the target system, PeopleSoft 8.48 with the following information:

   • When you reach Step 5, create a directory with the following name: PSFT848.

   • You can reuse the PeopleSoftProxy.jar, lib/common.jar, and lib/PSFTCommon.jar files. In addition, copy the target-specific psjoa.jar and peoplesoft.jar files in the directory created in Step 5.

   
   

   Note: Each target system directory should contain the same version of the following JAR files: PeopleSoftProxy.jar common.jar PSFTCommon.jar For validation and transformation in case of multiple versions of the target system, you must not put these jar files in the java task, but you must place them in the jar location provided in IT resource.

   
   

10. Set the Multiple Version Support parameter in the Lookup.PSFT.Configuration lookup definition to Yes.

    
    

    Note: Ensure that the following JAR files are not present in OIM_HOME/xellerate/ThirdParty for Oracle Identity Manager release 9.1.0.x and OIM_HOME/server/ThirdParty for Oracle Identity Manager release 11.1.1 or in any other directory inside the Oracle Identity Manager installation directory: psjoa.jar peoplesoft.jar

    
    

2.2.1.5 Deploying the PeopleSoft Listener

The PeopleSoft listener is a Web application that is deployed on an Oracle Identity Manager host computer. The PeopleSoft listener parses the XML message and creates a reconciliation event in Oracle Identity Manager.

This section is classified based on the Oracle Identity Manager releases. Perform the procedure described in one of the following sections:

• Section 2.2.1.5.1, "Deploying the PeopleSoft Listener on Oracle Identity Manager Release 9.1.0.x"

• Section 2.2.1.5.2, "Deploying the PeopleSoft Listener on Oracle Identity Manager Release 11.1.1"

2.2.1.5.1 Deploying the PeopleSoft Listener on Oracle Identity Manager Release 9.1.0.x

To deploy the PeopleSoft listener on Oracle Identity Manager release 9.1.0.x:

1. Copy the OIM_HOME/xellerate/XLIntegrations/PSFTUM/WAR/PeopleSoftOIMListener.war file into a temporary folder. Enter the following command to extract the contents of the PeopleSoftOIMListener.war file.

   jar -xvf PeopleSoftOIMListener.war
   

   
   

   Note: All the files mentioned in the remaining steps of this procedure are extracted from the PeopleSoftOIMListener.war file.

   
   

2. Copy the following files from the OIM_HOME/xellerate/lib directory to the WEB-INF/lib directory in the temporary folder:

   
   

   Note: Before you copy these files from the OIM_HOME/xellerate/lib directory, check whether these files exist in the WEB-INF/lib directory of the temporary folder. If these files exist, then first delete them from the WEB-INF/lib directory. If the lib folder does not exist in WEB-INF directory, then you must create it.

   
   

   • xlAPI.jar

   • xlAuthentication.jar

   • xlCache.jar

   • xlCrypto.jar

   • xlLogger.jar

   • xlVO.jar

   • xlDataObjectBeans.jar (For IBM WebSphere Application Server, copy this file from the OIM_CLIENT/xlclient/lib directory.)

   • xlUtils.jar (For Oracle Application Server)

3. Copy Common.jar from the /lib directory on the installation media to the WEB-INF/lib directory in the temporary folder.

4. Edit the web.xml file as follows:

   1. Locate the Login Name of the OIM Admin User details.

      <param-value>OIM_ADMIN_USER</param-value>
      

      Replace OIM_ADMIN_USER with the Oracle Identity Manager administrator credentials.

      For example, if the administrative account on Oracle Identity Manager is xelsysadm, then update the line as follows:

      <param-value>xelsysadm</param-value>
      

   2. Locate the XL Home Dir details, and replace OIM_HOME with the Oracle Identity Manager Home location.

   3. Locate the java security policy details.

      <param-name>java.security.policy</param-name>
      <param-value>OIM_HOME/config/xl.policy</param-value>
      

      Here, java.security.policy property is used to specify the fully qualified file name of the policy file. Typically, this file is located in the OIM_HOME/designconsole/config directory.

      Replace OIM_HOME with the path to the design console directory as specified in Step 4 b.

      <param-value>E:/OIM11g_Installations/MAY1202010/Middleware/OIM_HOME/designconsole/config/xl.policy</param-value>
      

   4. Locate the java security login config details.

      <param-name>java.security.auth.login.config</param-name>
      <param-value>OIM_HOME/xellerate/config/auth(ws/wl/oc4j).conf</param-value>
      

      Here, the java.security.auth.login.config property is used to specify the fully qualified file name of the authentication configuration file. Typically, this file is located in the OIM_HOME/xellerate/config directory.

      Each application server uses a different authentication configuration file:

      IBM WebSphere Application Server: authws.conf

      JBoss Application Server: auth.conf

      Oracle WebLogic Server: authwl.conf

      Oracle Application Server: authoc4j.conf

      You must edit the auth(ws/wl/oc4j).conf value in the preceding line to the application server-specific configuration file.

   5. Locate the Message Handler Impl classes details.

      <param-name>IT_RESOURCE_NAME</param-name>
      

      Replace IT_RESOURCE_NAME with the name of the IT resource.

      For example, if the name of the IT resource is PSFT Server, then update the line as follows:

      <param-name>PSFT Server</param-name>
      

   6. Locate the following line:

      <param-value>MESSAGE~IMPLEMENTATION_CLASS;MESSAGE~IMPLEMENTATION_CLASS;MESSAGE~IMPLEMENTATION_CLASS</param-value>
      

      In this format, the message name and its implementation class must be separated by a tilde (~). For multiple messages, each pair must be separated by a semicolon (;). For default implementation, you must modify the line as follows:

      <param-value>PERSON_BASIC_SYNC~oracle.iam.connectors.psft.common.handler.impl.PSFTPersonSyncReconMessageHandlerImpl;USER_PROFILE~oracle.iam.connectors.psft.common.handler.impl.PSFTUserProfileReconMessageHandlerImpl;WORKFORCE_SYNC~oracle.iam.connectors.psft.common.handler.impl.PSFTWorkForceSyncReconMessageHandlerImpl;DELETE_USER_PROFILE~oracle.iam.connectors.psft.common.handler.impl.PSFTDeleteUserReconMessageHandlerImpl</param-value>
      

      If PeopleSoft is sending the USER_PROFILE.VERSION_84 message instead of USER_PROFILE, then modify the line as follows:

      <param-value>PERSON_BASIC_SYNC~oracle.iam.connectors.psft.common.handler.impl.PSFTPersonSyncReconMessageHandlerImpl;USER_PROFILE.VERSION_84~oracle.iam.connectors.psft.common.handler.impl.PSFTUserProfileReconMessageHandlerImpl;WORKFORCE_SYNC~oracle.iam.connectors.psft.common.handler.impl.PSFTWorkForceSyncReconMessageHandlerImpl;DELETE_USER_PROFILE~oracle.iam.connectors.psft.common.handler.impl.PSFTDeleteUserReconMessageHandlerImpl</param-value>
      

   7. Locate the java provider details.

      <param-name>java.naming.provider.url</param-name>
      <param-value>For valid value Check xlConfig.xml</param-value>
      

      Typically, the xlConfig.xml file is located in the OIM_HOME/designconsole/config directory.

      Replace For valid value Check xlConfig.xml with the value obtained from the XML file.

      For example, is the value for Java provider in the XML file is t3://172.21.109.102:8003/oim, then update the line as follows:

      <param-value>t3://172.21.109.102:8003/oim</param-value>
      

5. Delete the PeopleSoftOIMListener.war file from the temporary directory into which you extracted it, and then use the following command to re-create the file:

   jar –cvf PeopleSoftOIMListener.war .
   

6. Ensure that the old version of the PeopleSoftOIMListener.war file is deleted from the application server deployment directory.

7. Deploy the newly created PeopleSoftOIMListener.war file in the deployment directory of the application server as follows:

   For IBM WebSphere Application Server:

   1. Log in to the WebSphere Admin console.

   2. Expand Applications.

   3. Click Install New Application.

   4. Click the Browse button to locate the WAR file.

   5. In the Context root field, enter PeopleSoftOIMListener.

   6. Click Next.

   7. In the Select installation options field, enter PeopleSoftOIMListener as the application name and click Next.

   8. On the Map modules to servers page, select PeopleSoftOIMListener.war and click Next.

   9. On the Map virtual hosts page, select PeopleSoftOIMListener.war and click Next.

   10. Click Finish.

   11. Click Save to save all the configurations to the master configuration in IBM WebSphere Application Server.

   12. Click Enterprise Applications.

   13. On the Enterprise Applications page, select PeopleSoftOIMListener and then click Start to restart the application.

   For JBoss Application Server:

   1. Copy the modified WAR file to the JBOSS_HOME/server/default/deploy directory.

      In a JBoss cluster, copy the modified WAR file to the JBOSS_HOME/server/all/deploy directory.

   2. Restart JBoss Application Server.

   For Oracle WebLogic Server:

   1. Log in to the Oracle WebLogic admin console.

   2. From the Domain Structure list, select OIM_DOMAIN.

      Where OIM_DOMAIN is the domain on which Oracle Identity Manager is installed.

   3. Click the Deployments tab.

   4. On Microsoft Windows, in the Change Centre window, click Lock & Edit. This enables the Install button of the Monitoring tab in the Summary Of Deployments section.

   5. Click Install.

   6. In the Install Application Assistant, enter the full path of the directory in which the WAR file is placed. Then, click Next.

   7. Select the WAR file to install.

   8. Click Next.

   9. Select the Install this deployment as an application option, and then click Next.

   10. In the Name of deployment field, enter PeopleSoftOIMListener.

   11. In the Security section, select the DD Only: Use only roles and policies that are defined in the deployment descriptors option.

   12. In the Source accessibility window, select the Use the defaults defined by the deployments targets option.

   13. Click Finish.

       On Microsoft Windows, the "The deployment has been successfully installed" message is displayed.

   14. On UNIX platforms, click Save. The following messages are displayed:

       Success All changes have been activated. No restarts are necessary.

       Success Settings updated successfully.

   15. On Microsoft Windows, to activate the changes that you have made up to this point:

       i. Select the check box corresponding to the newly installed application.

       ii. In the Change centre window, click Activate Changes.

   16. On Microsoft Windows, select the check box for the newly installed application, select the Servicing all requests option from the Start list, and then click Yes.

   For Oracle Application Server

   1. Log in to the Oracle Application Server Control.

   2. Click on OC4J instance where Oracle Identity Manager is deployed and running.

   3. Click Applications, Deploy. The Select Archive step is displayed.

   4. Enter PeopleSoftOIMListener.war file location and click Next.

   5. In the Application Name field, enter PeopleSoftOIMListener and click Next.Click Deploy.

   6. Click Return when the application "PeopleSoftOIMListener" has been successfully deployed.

8. Restart Oracle Identity Manager and the Design Console.

2.2.1.5.2 Deploying the PeopleSoft Listener on Oracle Identity Manager Release 11.1.1

To deploy the PeopleSoft listener on Oracle Identity Manager release 11.1.1:

1. Copy the OIM_HOME/server/XLIntegrations/PSFTER/EAR/PeopleSoftOIMListener.ear folder into a temporary folder, for example temp.

2. Copy the Common.jar file from the /lib directory on the installation media to the temp/PeopleSoftOIMListener.ear/PeopleSoftOIMListener.war/WEB-INF/lib folder.

3. Copy the following files from the OIM_HOME/server/client to the WEB-INF/lib folder in the temporary folder:

   • oimclient.jar

4. Copy the following files from the OIM_HOME/server/platform folders to the WEB-INF/lib folder in the temporary folder:

   • iam-platform-auth-client.jar

   • iam-platform-utils.jar

5. Edit the web.xml file present in temp/PeopleSoftOIMListener.ear/PeopleSoftOIMListener.war/WEB-INF folder as follows:

   1. Locate the Login Name of the OIM Admin User details.

      <param-name>oimLoginUserName</param-name>
      <param-value>OIM_ADMIN_USER</param-value>
      

      Replace OIM_ADMIN_USER with Oracle Identity Manager administrator credentials.

      For example, if the administrative account on Oracle Identity Manager is xelsysadm, then update the line as follows:

      <param-value>xelsysadm</param-value>
      

   2. Locate the Message Handler Impl classes details.

      <param-name>IT_RESOURCE_NAME</param-name>
      

      Replace IT_RESOURCE_NAME with the name of the IT resource.

      For example, if the name of IT resource is PSFT Server, then update the line as follows:

      <param-name>PSFT Server</param-name>
      

   3. Locate the following line:

      <param-value>MESSAGE~IMPLEMENTATION_CLASS;MESSAGE~IMPLEMENTATION_CLASS;MESSAGE~IMPLEMENTATION_CLASS</param-value>
      

      In this format, the message name and its implementation class must be separated by a tilde (~). For multiple messages, each pair must be separated by a semicolon (;). For default implementation, you must modify the line as follows:

      <param-value>PERSON_BASIC_SYNC~oracle.iam.connectors.psft.common.handler.impl.PSFTPersonSyncReconMessageHandlerImpl;USER_PROFILE~oracle.iam.connectors.psft.common.handler.impl.PSFTUserProfileReconMessageHandlerImpl;WORKFORCE_SYNC~oracle.iam.connectors.psft.common.handler.impl.PSFTWorkForceSyncReconMessageHandlerImpl;DELETE_USER_PROFILE~oracle.iam.connectors.psft.common.handler.impl.PSFTDeleteUserReconMessageHandlerImpl</param-value>
      

      If PeopleSoft is sending the USER_PROFILE.VERSION_84 message for USER_PROFILE, then modify the line as follows:

      <param-value>PERSON_BASIC_SYNC~oracle.iam.connectors.psft.common.handler.impl.PSFTPersonSyncReconMessageHandlerImpl;USER_PROFILE.VERSION_84~oracle.iam.connectors.psft.common.handler.impl.PSFTUserProfileReconMessageHandlerImpl;WORKFORCE_SYNC~oracle.iam.connectors.psft.common.handler.impl.PSFTWorkForceSyncReconMessageHandlerImpl;DELETE_USER_PROFILE~oracle.iam.connectors.psft.common.handler.impl.PSFTDeleteUserReconMessageHandlerImpl</param-value>
      

6. Ensure that the old version of the PeopleSoftOIMListener.ear file is deleted from the application server deployment directory.

7. Deploy the newly created PeopleSoftOIMListener.ear file in the deployment directory of the application server as follows:

   1. Log in to the Oracle WebLogic admin console.

   2. On the left navigation pane, expand Domain Structure, and then click Deployments.

   3. Click Lock & Edit. It enables the Install button of the Monitoring tab in the Summary Of Deployments section.

   4. Click Install.

   5. On the Install Application Assistant page, in the Path field, enter the full path of the directory in which the EAR file is placed. Then, click Next.

   6. Select the Install this deployment as an application option, and then click Next.

   7. From the Servers list, select the server on which Oracle Identity Manager is deployed, for example oim_server1 and then click Next.

   8. On the Optional Settings page, select I will make the deployment accessible from the following location, and then click Next.

   9. Review your choices, and then click Finish.

   10. Click Activate Changes.

       On Microsoft Windows, a message that reads "All changes have been activated. No restarts are necessary" is displayed.

8. Edit the $DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml file as follows:

   1. Add the following block in the file:

            <grant>
                  <grantee>
                      <codesource>
                          <url>file:{samplelocation}/PeopleSoftOIMListener.ear/PeopleSoftOIMListener.war/WEB-INF/lib/-</url>
                      </codesource>
                  </grantee>
                        <permissions>
                      <permission>
                          <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
                          <name>context=SYSTEM,mapName=oim,keyName=*</name>
                          <actions>read,write,delete</actions>
                      </permission>
              </permissions>
                  <permission-set-refs>
                  </permission-set-refs>
              </grant> 
      

   2. Locate the sample location details, and replace it with the path of the PeopleSoftOIMListener.ear file location.

      For example, if the EAR file is placed in the /temp folder, then replace {samplelocation} in the preceding block as follows:

      <url>file:/temp/PeopleSoftOIMListener.ear/PeopleSoftOIMListener.war/WEB-INF/lib/-</url>
      

9. Restart Oracle Identity Manager and the Admin Server.

2.2.1.6 Removing the PeopleSoft Listener

Note: This section is not a part of installation on Oracle Identity Manager. You might need this procedure to extend the connector.

To remove the PeopleSoft listener:

For IBM WebSphere Application Server:

1. Log in to the WebSphere Admin console.

2. Expand Applications.

3. Select Enterprise Applications from the list.

   A list of deployed applications is shown on the right pane.

4. Select the PeopleSoftOIMListener.war check box.

5. Specify the Context root as PeopleSoftOIMListener.

6. Click Uninstall.

   An Uninstall Application confirmation screen appears with the name of the application to be uninstalled. In this scenario, the application would be PeopleSoftOIMListener.

7. Click OK.

For JBoss Application Server:

1. Delete the WAR file from the JBOSS_HOME/server/default/deploy directory.

   In a JBoss cluster, delete the WAR file from the JBOSS_HOME/server/all/deploy directory.

2. Restart JBoss Application Server.

For Oracle WebLogic Server:

1. Log in to the Oracle WebLogic admin console.

2. From the Domain Structure list, select OIM_DOMAIN.

   Where OIM_DOMAIN is the domain on which Oracle Identity Manager is installed.

3. Click the Deployments tab.

4. On Microsoft Windows, in the Change Centre window, click Lock & Edit.

5. Select PeopleSoftOIMListener.war or PeopleSoftOIMListener.ear depending on Oracle Identity Manager release. This enables the Delete button of the Control tab in the Summary Of Deployments region.

6. Click Stop. A list appears.

7. Select Force Stop Now.

   The Force Stop Application confirmation screen appears.

8. Click Yes.

9. On the Control tab in the Summary Of Deployments region, select PeopleSoftOIMListener.war or PeopleSoftOIMListener.ear depending on Oracle Identity Manager release.

10. Click Delete.

    A confirmation message appears on successful deletion of the WAR file.

11. On the left pane, click the Active Changes button.

For Oracle Application Server

1. Log in to the Oracle Application Server Control.

2. Click on OC4J instance where Oracle Identity Manager is deployed and running.

3. Click Applications.

4. Select the PeopleSoftOIMListener application and click Undeploy. You will be prompted to confirm the removal of PeopleSoftOIMListener application.

5. Click Yes. A message confirming the removal of PeopleSoftOIMListener application will be displayed.

6. Click Return.

2.2.2 Installation on the Target System

During this stage, you configure the target system to enable it for reconciliation and provisioning operations. This information is provided in the following sections:

• Section 2.2.2.1, "Configuring the Target System for Lookup Reconciliation"

• Section 2.2.2.2, "Configuring the Target System for Full Reconciliation"

• Section 2.2.2.3, "Configuring the Target System for Incremental Reconciliation"

• Section 2.2.2.4, "Configuring the Target System for Provisioning"

• Section 2.2.2.5, "Configuring Oracle Identity Manager Server as a Non-Proxy Host on PeopleSoft Server"

2.2.2.1 Configuring the Target System for Lookup Reconciliation

Lookup reconciliation is used to reconcile lookup definitions for currency codes, languages, roles, permissions, and e-mail types corresponding to the lookup fields on the target system created into Oracle Identity Manager.

Configuring the target system for lookup reconciliation involves creating the properties file by performing the procedure described in the following section:

Creating the Application Engine Program

The Application Engine program populates the .properties file with lookup data that is required for look up reconciliation. This is a one-time procedure.

You can create the Application Engine program based on whether you have imported the PeopleSoft Application Designer project. Perform the procedure described in one of the following sections:

• Creating the Application Engine Program If PeopleSoft Application Designer Project Is Not Imported

• Creating the Application Engine Program If PeopleSoft Application Designer Project Is Imported

Creating the Application Engine Program If PeopleSoft Application Designer Project Is Not Imported

To create the Application Engine program if you have not imported the PeopleSoft Application Designer Project as described in Section 2.1.2.1, "Importing a Project from Application Designer," you must perform the following tasks:

1. To open Application Designer in 2-tier mode, click Start, Programs, Peoplesoft8.x, and then Application Designer.

   
   

   Note: To open Application Designer in 2-tier mode, the database client (client of the database that PeopleSoft is using) must be installed on the server. In addition, you must select the appropriate database type from the Connection Type field (for example, Oracle Database) while providing sign-on information in the PeopleSoft Application Designer Signon window.

   
   

2. From the File menu, click New.

3. In the New Definition dialog box, select App Engine Program from the Definition list.

4. On the App Engine Program page, a plus sign (+) is displayed besides the MAIN section. The MAIN section may contain multiple steps. Expand MAIN. A step named Step01 is added to MAIN.

5. Rename Step01 to Language.

6. Click Action in the Insert menu. An action is added to the Language step.

7. Select PeopleCode from the list for the new action.

8. Click Save in the File menu, and save the Application Engine program as LOOKUP_RECON.

9. Double-click the PeopleCode action. A new PeopleCode window is displayed.

10. Copy the code from the OIM_HOME/xellerate/XLIntegrations/PSFTUM/peoplecode/languageCode.txt file into the PeopleCode window.

11. Change the path to a directory location on the PeopleSoft server as follows:

    &DataFile = GetFile("absolute path where you want to generate the DataFile", "w", %FilePath_Absolute);
    &LOGFile = GetFile("absolute path where you want to generate the LogFile", "w", "a", %FilePath_Absolute);
    

    For example:

    &DataFile = GetFile("C:\PSFT_849_LOOKUPS\language.properties", "w", %FilePath_Absolute);
    &LOGFile = GetFile("C:\PSFT_849_LOOKUPS\language.log", "w", "a", %FilePath_Absolute);
    

    
    

    Note: Ensure that the name of the file ends in .properties, for example, language.properties.

    
    

12. Save the PeopleCode action, and close the window.

13. On the App Engine Program page, select the language step and then select Step/Action from the Insert menu.

14. Repeat Steps 5 through 12 to create the remaining steps, which are listed in the following table:

    Step Name	File Containing the Required PeopleCode
    Currency	CurrencyCode.txt
    userrole	UserRoles.txt
    permiss	PermissionList.txt
    EmailType	EmailType.txt

    
    

15. Save the Application Engine program.

Creating the Application Engine Program If PeopleSoft Application Designer Project Is Imported

To create the Application Engine program if you have imported the PeopleSoft Application Designer Project as described in Section 2.1.2.1, "Importing a Project from Application Designer," you must perform the following tasks:

1. To open Application Designer in 2-tier mode, click Start, Programs, Peoplesoft8.x, and then Application Designer.

2. From the File menu, select Open and then select Project. Search for and open the project OIM_UM.

   The Open Definition dialog box appears.

3. In the Name field, enter OIM_UM as the project name and then click Open.

   The project appears on the left pane.

4. Click the plus sign (+) below Application Engine Programs.

5. Double-click LOOKUP_RECON on the left pane.

   The LOOKUP_RECON (App Engine Program) window appears on the right pane.

6. Double-click the PeopleCode action associated with Step01 - "Currency Code". A new PeopleCode window is displayed.

7. Change the path to a directory location on the PeopleSoft server as follows:

   &DataFile = GetFile("absolute path where you want to generate the DataFile", "w", %FilePath_Absolute);
   &LOGFile = GetFile("absolute path where you want to generate the LogFile", "w", "a", %FilePath_Absolute);
   

   For example:

   &DataFile = GetFile("C:\PSFT_849_LOOKUPS\currencycodes.properties", "w", %FilePath_Absolute);
   &LOGFile = GetFile("C:\PSFT_849_LOOKUPS\lcurrencycodes.log", "w", "a", %FilePath_Absolute);
   

   
   

   Note: Ensure that the name of the file ends in .properties, for example, language.properties.

   
   

8. Save the PeopleCode action, and close the window.

9. Repeat Steps 6 through 8 for the remaining steps, such as Email Types, Language Codes, Permission Lists, and Roles.

10. Save the Application Engine program.

2.2.2.2 Configuring the Target System for Full Reconciliation

Configuring the target system for full reconciliation involves configuring the USER_PROFILE message by performing the following procedures:

Note: The procedure remains the same for PeopleTools 8.49 and for PeopleTools 8.50. The screenshots are taken on PeopleTools 8.49 version.

• Section 2.2.2.2.1, "Displaying the EI Repository Folder"

• Section 2.2.2.2.2, "Activating the USER_PROFILE Messages"

• Section 2.2.2.2.3, "Activating the Full Data Publish Rule"

• Section 2.2.2.2.4, "Configuring the PeopleSoft Integration Broker"

• Section 2.2.2.2.5, "Configuring the USER_PROFILE Service Operation"

2.2.2.2.1 Displaying the EI Repository Folder

EI Repository is a hidden folder in PeopleSoft. Therefore, you must display this folder.

To display the EI Repository folder:

Note: Perform this procedure using the PeopleSoft administrator credentials.

1. In the PeopleSoft Internet Architecture, expand People Tools, Portal, and then Structure and Content.

2. Click the Enterprise Components link.

3. Click the Edit link for EI Repository, and then uncheck Hide from portal navigation.

   The Hide from portal navigation check box is shown in the following screenshot:

   
   

4. Click Save.

5. Log out, and then log in.

2.2.2.2.2 Activating the USER_PROFILE Messages

You must activate the USER_PROFILE message so that it can be processed.

To activate the USER_PROFILE messages:

1. In the PeopleSoft Internet Architecture, expand Enterprise Components, EI Repository, and then click Message Properties.

2. Search for and open the USER_PROFILE message.

3. Click Activate All.

   The message to be activated is shown in the following screenshot:

   
   

4. Click the Subscription tab, and activate the Subscription PeopleCode if it exists.

   
   

   Note: To perform this step, your user profile must have the EIR Administrator role consisting of EOEI9000 and EOCO9000 permission lists.

   
   

2.2.2.2.3 Activating the Full Data Publish Rule

You must define and activate this rule, because it acts as a catalyst for the Full Reconciliation process. This rule provides the Full Reconciliation process the desired information to initiate reconciliation.

To activate the full data publish rule:

1. In the PeopleSoft Internet Architecture, expand Enterprise Components, Integration Definitions, and then click Full Data Publish Rules.

2. Search for and open the USER_PROFILE message.

3. In the Publish Rule Definition region:

   1. In the Publish Rule ID field, enter OIM_USER_PROFILE.

   2. In the Description field, enter OIM_USER_PROFILE.

   3. From the Status list, select Active.

   The following screenshot displays the preceding steps:

   
   

4. Click Save.

2.2.2.2.4 Configuring the PeopleSoft Integration Broker

The following sections explain the procedures to configure the PeopleSoft Integration Broker:

Configuring the PeopleSoft Integration Broker Gateway

PeopleSoft Integration Broker is installed as part of the PeopleTools installation process. The Integration Broker Gateway is a component of PeopleSoft Integration Broker, which runs on the PeopleSoft Web Server. It is the physical hub between PeopleSoft and the third-party system. The integration gateway manages the receipt and delivery of messages passed among systems through PeopleSoft Integration Broker.

To configure the PeopleSoft Integration Broker gateway:

1. Open a Web browser and enter the URL for PeopleSoft Internet Architecture.

   The URL for PeopleSoft Internet Architecture is in the following format:

   http://IPADDRESS:PORT/psp/ps/?cmd=login
   

   For example:

   http://172.21.109.69:9080/psp/ps/?cmd=login
   

2. To display the Gateway component details, expand PeopleTools, Integration Broker, Configuration, and then Gateways. The Gateway component details are displayed.

3. In the Integration Gateway ID field, enter LOCAL and then click Search. The LOCAL gateway is a default gateway that is created when you install PeopleSoft Internet Architecture.

4. Ensure that the IP address and host name specified in the URL of the PeopleSoft listener are those on which the target system is installed. The URL of the PeopleSoft listener is in one of the following formats:

   http://HOSTNAME_of_the_PeopleSoft_Web_Server or
   IP_address:port/PSIGW/PeopleSoftListeningConnector
   

   For example:

   http://10.121.16.42:80/PSIGW/PeopleSoftListeningConnector
   

5. To load all target connectors that are registered with the LOCAL gateway, click Load Gateway Connectors. A window is displayed mentioning that the loading process is successful. Click OK.

6. Click Save.

7. Click Ping Gateway to check whether the gateway component is active. The PeopleTools version and the status of the PeopleSoft listener are displayed. The status should be ACTIVE.

Configuring PeopleSoft Integration Broker

PeopleSoft Integration Broker provides a mechanism for communicating with the outside world using XML files. Communication can take place between different PeopleSoft applications or between PeopleSoft and third-party systems. To subscribe to data, third-party applications can accept and process XML messages posted by PeopleSoft by using the available PeopleSoft connectors. The Integration Broker routes messages to and from PeopleSoft.

A remote node that you create within the Integration Broker acts as the receiver for XML messages from PeopleSoft. This remote node accepts XML messages and posts them as XML files to a folder that you specify. During a reconciliation run, a scheduled task running on Oracle Identity Manager uses the data in these XML files to Oracle Identity Manager.

To create the remote node:

1. While creating the remote node, you use the value of the ig.fileconnector.password property in the integrationGateway.properties file. Determine the value of this property as follows:

   1. In PeopleSoft Internet Architecture, expand PeopleTools, Integration Broker, Configuration, and then click Gateways.

   2. In the Integration Gateway ID field, enter LOCAL and then click Search.

   3. Click the Gateway Setup Properties link.

   4. Enter the user ID and password for accessing the integrationGateway.properties file, and then click OK.

   5. On the PeopleSoft Node Configuration page, click Advanced Properties Page.

      The contents of the integrationGateway.properties file are displayed.

   6. Search for ig.fileconnector.properties in the file contents. The line displayed in the file may be similar to the following sample line:

      ig.fileconnector.password={V1.1}%5GhbfJ89bvNT1HzF98==
      

   7. Copy the text after (that is, to the right of) the equal sign of the property. For example, copy {V1.1}%5GhbfJ89bvNT1HzF98== from the line given in the preceding sample.

      This is the password that you specify while creating the remote node. The sample password given here is encrypted. If the password displayed on your PeopleSoft installation is not encrypted, then you can encrypt it by following the steps given later in this section.

2. In PeopleSoft Internet Architecture, expand PeopleTools, Integration Broker, Integration Setup, and then click Nodes.

3. On the Add a New Value tab, enter the node name, for example, OIM_FILE_NODE, and then click Add.

4. On the Node Definition tab, provide the following values:

   In the Description field, enter a description for the node.

   In the Default User ID field, enter PS.

5. Make this node a remote node by deselecting the Local Node check box and selecting the Active Node check box.

6. Make the Node Type as PIA.

7. On the Connectors tab, search for the following information by clicking the Lookup icon:

   Gateway ID: LOCAL

   Connector ID: FILEOUTPUT

8. On the Properties page in the Connectors tab, enter the following information:

   Property ID: HEADER

   Property Name: sendUncompressed

   Required value: Y

   Property ID: PROPERTY

   Property Name: Method

   Required value: PUT

   Property ID: PROPERTY

   Property Name: FilePath

   Required value: Enter the full path of any folder on which the Integration Broker has Write permissions. The remote node will post XML files to this folder.

   Property ID: PROPERTY

   Property Name: Password

   Required value: Enter the value of the ig.fileconnector.password property in the integrationGateway.properties file. This is the password that you determine by performing Step 1. If the password is not already encrypted, that you can encrypt it as follows:

   1. In the Password Encrypting Utility region, enter the value of the ig.fileconnector.password property in the Password and Confirm Password fields.

   2. Click Encrypt.

   3. From the Encrypted Password field, copy the encrypted password to the Value field for the Password property.

9. Click Save.

10. Click Ping Node to check whether a connection is established with the specified IP address.

2.2.2.2.5 Configuring the USER_PROFILE Service Operation

To configure the USER_PROFILE service operation perform the following procedures:

Note: The procedure remains the same for PeopleTools 8.49 and for PeopleTools 8.50. The screenshots are taken on PeopleTools 8.49 version.

• Activating the USER_PROFILE Service Operation

• Verifying the Queue Status for the USER_PROFILE Service Operation

• Setting Up the Security for the USER_PROFILE Service Operation

• Defining the Routing for the USER_PROFILE Service Operation

Activating the USER_PROFILE Service Operation

The service operation is a mechanism to trigger, receive, transform, and route messages that provide information about updates in the PeopleSoft or an external application. You must activate the service operation for successful transmission and receipt of messages.

To activate the USER_PROFILE service operation:

1. In PeopleSoft Internet Architecture, expand PeopleTools, Integration Broker, Integration Setup, and then click Service Operations.

2. On the Find Service Operation tab, enter USER_PROFILE in the Service field, and then click Search.

3. Click the USER_PROFILE link.

   
   

   Note: In PeopleSoft HRMS, there are two versions of the message associated with this service operation. But, when you integrate PeopleSoft HRMS 9.0 and Oracle Identity Manager, you must send version_84. So, you must use the default version, VERSION_84, for HRMS 9.0.

   
   

4. In the Default Service Operation Version region, click Active. The following screenshot displays the default version of the USER_PROFILE service operation:

   
   

5. Click Save.

Verifying the Queue Status for the USER_PROFILE Service Operation

All messages in PeopleSoft are sent through a queue. This is done to ensure that the messages are delivered in the correct sequence. Therefore, you must ensure that the queue is in the Run status.

To ensure that the status of the queue for the USER_PROFILE service operation is Run:

1. In PeopleSoft Internet Architecture, expand PeopleTools, Integration Broker, Integration Setup, and then click Queues.

2. Search for the USER_PROFILE queue.

3. In the Queue Status list, ensure that Run is selected.

   
   

   Note: If the queue status is not Run: From the Queue Status list, select Run. Click Save.

   
   

   The queue status is shown in the following screenshot:

   
   

4. Click Return to Search.

Setting Up the Security for the USER_PROFILE Service Operation

The target system user who has the permission to modify, add, or delete personal or job information of an employee might not have access to send messages regarding these updates. Therefore, it is imperative to explicitly grant security to enable operations.

To set up the security for the USER_PROFILE service operation:

1. In PeopleSoft Internet Architecture, expand PeopleTools, Integration Broker, Integration Setup, and then click Service Operations.

2. Search for and open the USER_PROFILE service operation.

3. On the General tab, click the Service Operation Security link. The link is shown in the following screenshot:

   
   

4. Attach the permission list OIMUM to the USER_PROFILE service operation. This list is created in Step 3 of the preinstallation procedure discussed in Section 2.1.2.2.1, "Creating a Permission List."

   To attach the permission list:

   
   

   Note: This procedure describes how to grant access to the OIMUM permission list. The OIMUM permission list is used as an example. However, to implement this procedure you must use the permission list (attached through a role) to the user profile of the actual user who maintains the user profile information or the user who performs full reconciliation.

   
   

   1. Click the plus sign (+) to add a row to the Permission List field.

   2. In the Permission List field, enter OIM and then click the Look up Permission List icon.

      The OIMUM permission list appears.

   3. From the Access list, select Full Access.

      The following screenshot displays the Access list with Full Access:

      
      

   4. Click Save.

   5. Click Return to Search.

Defining the Routing for the USER_PROFILE Service Operation

Routing is defined to inform PeopleSoft about the origin and the intended recipient of the message. You might have to transform the message being sent or received according to the business rules.

To define the routing for the USER_PROFILE service operation:

1. On the Routing tab, enter USER_PROFILE_HR_TO_UMFILE as the routing name and then click Add.

   The following screenshot displays the Routing Name field:

   
   

2. On the Routing Definition tab, enter the following:

   Sender Node: PSFT_HR

   
   

   Note: The Sender Node is the default active local node. To locate the sender node: Click the Lookup icon. Click Default to sort the results in descending order. The default active local node should meet the following criteria: Local Node: 1 Default Local Node: Y Node Type: PIA Only one node can meet all the above conditions at a time. Select the node. Click Save.

   
   

   Receiver Node: OIM_FILE_NODE

   The following screenshot displays the Sender and Receiver nodes:

   
   

3. Click Save.

4. Click Return to go back to the Routings tab of the Service Operation, and verify whether your routing is active.

2.2.2.3 Configuring the Target System for Incremental Reconciliation

Configuring the target system for incremental reconciliation involves configuration of USER_PROFILE and DELETE_USER_PROFILE service operations, nodes, and routing to send messages from PeopleSoft Integration Broker to other systems, and configuring PeopleSoft Integration Broker.

The USER_PROFILE message contains information about user accounts that are created or modified. The DELETE_USER_PROFILE message contains information about user accounts that have been deleted.

A message is the physical container for the XML data that is sent from the target system. Message definitions provide the physical description of data that is sent from the target system. This data includes fields, field types, and field lengths. A queue is used to carry messages. It is a mechanism for structuring data into logical groups. A message can belong to only one queue.

Setting the PeopleSoft Integration Broker gateway is mandatory when you configure PeopleSoft Integration Broker. To subscribe to XML data, Oracle Identity Manager can accept and process XML messages posted by PeopleSoft by using PeopleSoft connectors located in the PeopleSoft Integration Broker gateway. These connectors are Java programs that are controlled by the Integration Broker gateway.

This gateway is a program that runs on the PeopleSoft Web server. It acts as a physical hub between PeopleSoft and PeopleSoft applications (or third-party systems, such as Oracle Identity Manager). The gateway manages the receipt and delivery of messages passed among systems through PeopleSoft Integration Broker.

To configure the target system for incremental reconciliation, perform the following procedures:

Note: You must use an administrator account to perform the following procedures.

• Section 2.2.2.3.1, "Configuring PeopleSoft Integration Broker"

• Section 2.2.2.3.2, "Configuring the Service Operations"

• Section 2.2.2.3.3, "Preventing Transmission of Unwanted Fields During Incremental Reconciliation"

2.2.2.3.1 Configuring PeopleSoft Integration Broker

The following sections explain the procedures to configure PeopleSoft Integration Broker:

Configuring the PeopleSoft Integration Broker Gateway

The Integration Broker Gateway is a component of PeopleSoft Integration Broker (a messaging system), which is deployed at the PeopleSoft Web server. The Integration Broker Gateway is used for sending messages from PeopleSoft and for receiving messages for PeopleSoft. The "Configuring the PeopleSoft Integration Broker Gateway" describes the procedure to configure the PeopleSoft Integration Broker gateway.

Configuring PeopleSoft Integration Broker

Integration Broker is the inherent messaging system of PeopleSoft. You must configure Integration Broker to send and receive messages from and to PeopleSoft.

To configure PeopleSoft Integration Broker:

1. Create a remote node by performing the following steps:

   1. In PeopleSoft Internet Architecture, expand PeopleTools, Integration Broker, Integration Setup, and then click Nodes.

   2. On the Add a New Value tab, enter the node name, for example, OIM_NODE, and then click Add.

   3. On the Node Definition tab, enter a description for the node in the Description field. In addition, enter PS in the Default User ID field.

   4. Make this node a remote node by deselecting the Local Node check box and selecting the Active Node check box.

   5. Make the Node Type as PIA.

   6. On the Connectors tab, search for the following information by clicking the Lookup icon:

      Gateway ID: LOCAL

      Connector ID: HTTPTARGET

   7. On the Properties page in the Connectors tab, enter the following information:

      Property ID: HEADER

      Property Name: sendUncompressed

      Required value: Y

      Property ID: HTTP PROPERTY

      Property Name: Method

      Required value: POST

      Property ID: HEADER

      Property Name: Host

      Required value: Enter the value of the IT resource name as configured for the target system.

      Sample value: PSFT Server

      Property ID: PRIMARYURL

      Property Name: URL

      Required value: Enter the URL of the PeopleSoft listener that is configured to receive XML messages. This URL must be in the following format:

      http://HOSTNAME_of_OIM_SERVER or IPADDRESS:PORT/
      PeopleSoftOIMListener
      

      The URL depends on the application server that you are using. For an environment on which SSL is not enabled, the URL must be in the following format:

      For IBM WebSphere Application Server:

      http://10.121.16.42:9080/PeopleSoftOIMListener
      

      For JBoss Application Server:

      http://10.121.16.42:8080/PeopleSoftOIMListener
      

      For Oracle WebLogic Server:

      http://10.121.16.42:7001/PeopleSoftOIMListener
      

      For Oracle Application Server:

      http://10.121.16.42:7200/PeopleSoftOIMListener/
      

      For an environment on which SSL is enabled, the URL must be in the following format:

      https://COMMON_NAME:PORT/PeopleSoftOIMListener
      

      For IBM WebSphere Application Server:

      https://example088196:9443/PeopleSoftOIMListener
      

      For JBoss Application Server:

      https://example088196:8443/PeopleSoftOIMListener
      

      For Oracle WebLogic Server:

      https://example088196:7002/PeopleSoftOIMListener
      

      For Oracle Application Server

      https://example088916:7200/PeopleSoftOIMListener/
      

   8. Click Save to save the changes.

   9. Click Ping Node to check whether a connection is established with the specified IP address.

   
   

   Note: You might encounter the following error when you send a message from PeopleSoft Integration Broker over HTTP PeopleTools 8.50 target system: HttpTargetConnector:PSHttpFactory init or setCertificate failed This happens because the Integration Broker Gateway Web server tries to access the keystore even if SSL is not enabled using the parameters defined in the integrationgateway.properties file as follows: secureFileKeystorePath=<path to pskey> secureFileKeystorePasswd=password If either the <path to pskey> or the password (unencrypted) is incorrect, you will receive the preceding error message. Perform the following steps to resolve the error: Verify if secureFileKeystorePath in the integrationgateway.properties file is correct. Verify if secureFileKeystorePasswd in the integrationgateway.properties file is correct. Access the pskeymanager to check the accuracy of the path and the password. You can access pskeymanager from the following location: <PIA_HOME>\webserv\peoplesoft\bin Usually, a new PeopleTools 8.50 instance throws the preceding error when you message over the HTTP target connector. The reason is that the default password is not in the encrypted format in the integrationgateway.properties file.

   
   

2.2.2.3.2 Configuring the Service Operations

Perform the following procedures to configure the service operations:

• Configuring the USER_PROFILE Service Operation

• Configuring the DELETE_USER_PROFILE Service Operation

Before configuring the service operations for PeopleTools 8.50, ensure that the following setting is enabled:

1. In PeopleSoft Internet Architecture, expand PeopleTools, Security, Security Objects, and then click Security PeopleCode Options.

2. Select CopyRowsetDelta check box.

   
   

Configuring the USER_PROFILE Service Operation

Note: The procedure remains the same for PeopleTools 8.49 and for PeopleTools 8.50. The screenshots are taken on PeopleTools 8.49 version.

The USER_PROFILE message contains information about user accounts that are created or modified.

To configure the USER_PROFILE service operation:

Note: See Section 2.2.2.2.5, "Configuring the USER_PROFILE Service Operation" for performing the initial configuration steps. This section describes the additional steps required for configuration.

1. In PeopleSoft Internet Architecture, expand PeopleTools, Integration Broker, Integration Setup, and then click Service Operations.

2. Search for and open the USER_PROFILE service operation.

3. On the Routing tab, enter USER_PROFILE_HR_TO_OIM as the routing name and then click Add.

   The following screenshot displays the Routing Name field:

   
   

4. On the Routing Definition tab, enter the following:

   Sender Node: PSFT_HR

   
   

   Note: The sender node is the default active local node. To locate the sender node: Click the Look up icon. Click Default to sort the results in descending order. The default active local node should meet the following criteria: Local Node: 1 Default Local Node: Y Node Type: PIA Only one node can meet all the above conditions at a time. Select the node. Click Save.

   
   

   Receiver Node: OIM_NODE

   The following screenshot displays the Sender and Receiver nodes:

   
   

5. Click Save.

6. Click Return to go back to the Routings tab of the Service Operation and verify whether your routing is active.

Configuring the DELETE_USER_PROFILE Service Operation

The DELETE_USER_PROFILE message contains information about user accounts that have been deleted. To configure the DELETE_USER_PROFILE service operation perform the following procedures:

Note: The procedure remains the same for PeopleTools 8.49 and for PeopleTools 8.50. The screenshots are taken on PeopleTools 8.49 version.

• Activating the DELETE_USER_PROFILE Service Operation

• Verifying the Queue Status for the DELETE_USER_PROFILE Service Operation

• Setting Up the Security for the DELETE_USER_PROFILE Service Operation

• Defining the Routing for the DELETE_USER_PROFILE Service Operation

Activating the DELETE_USER_PROFILE Service Operation

To activate the DELETE_USER_PROFILE service operation:

1. In PeopleSoft Internet Architecture, expand PeopleTools, Integration Broker, Integration Setup, and then click Service Operations.

2. On the Find Service Operation tab, enter DELETE_USER_PROFILE in the Service field, and then click Search.

3. Click the DELETE_USER_PROFILE link.

4. In the Default Service Operation Version region, click Active.

   The following screenshot displays the Active check box:

   
   

5. Click Save.

Verifying the Queue Status for the DELETE_USER_PROFILE Service Operation

To ensure that the status of the queue for the DELETE_USER_PROFILE service operation is Run:

1. In PeopleSoft Internet Architecture, expand PeopleTools, Integration Broker, Integration Setup, and then click Queues.

2. Search for the DELETE_USER_PROFILE queue.

3. In the Queue Status List, ensure that Run is selected.

   
   

   Note: If the queue status is not Run: From the Queue Status list, select Run. Click Save.

   
   

   The following screenshot displays the queue status:

   
   

4. Click Return to Search.

Setting Up the Security for the DELETE_USER_PROFILE Service Operation

To set up the security for the DELETE_USER_PROFILE service operation:

1. In PeopleSoft Internet Architecture, expand PeopleTools, Integration Broker, Integration Setup, and then click Service Operations.

2. Search for and open the DELETE_USER_PROFILE service operation.

3. On the General tab, click the Service Operation Security link.

   The link is shown in the following screenshot:

   
   

4. Attach the permission list OIMUM, created as a part of the preinstalltion, in Step 3, (See Section 2.1.2.2.1, "Creating a Permission List") to the USER_PROFILE service operation.

   To attach the permission list:

   
   

   Note: This procedure describes how to grant access to the OIMUM permission list. The OIMUM permission list is used as an example. However, to implement this procedure, you must use the permission list (attached through a role) to the user profile of the actual user who maintains the user profile information.

   
   

   1. Click the plus sign (+) to add a row for the Permission List field.

   2. In the Permission List field, enter OIM and then click the Look up Permission List icon.

      The OIMUM permission list appears.

   3. From the Access list, select Full Access.

      The following screenshot displays the Access list:

      
      

   4. Click Save.

   5. Click Return to Search.

Defining the Routing for the DELETE_USER_PROFILE Service Operation

To define the routing for the DELETE_USER_PROFILE service operation:

1. On the Routing tab, enter DELETE_USER_PROFILE_HR_TO_OIM as the routing name and then click Add. The following screenshot displays the routing information:

   
   

2. On the Routing Definition tab, enter the following:

   Sender Node: PSFT_HR

   
   

   Note: The sender node is the default active local node. To locate the sender node: Click the Look up icon. Click Default to sort the results in descending order. The default active local node should meet the following criteria: Local Node: 1 Default Local Node: Y Node Type: PIA Only one node can meet all the above conditions at a time. Select the node. Click Save.

   
   

   Receiver Node: OIM_NODE

   The following screenshot displays the Sender and Receiver nodes:

   
   

3. Click Save.

4. Click Return to go back to the Routings tab of the Service Operation, and verify whether your routing is active.

2.2.2.3.3 Preventing Transmission of Unwanted Fields During Incremental Reconciliation

By default, Peoplesoft messages contain fields that are not needed in Oracle Identity Manager. If there is a strong use case that these fields should not be published to Oracle Identity Manager, then do the following:

Locate if there are any local-to-local or local-to-third party PeopleSoft active routings for the service operations using the message under study.

• If none, then you can safely remove the unwanted fields at message level. See "Removing Unwanted Fields at Message Level" section for more information.

• If active routings exist, analyze the subscription or handler code of the routing to determine the fields they are utilizing and the ones not needed in Oracle Identity Manager. If so, remove the unwanted fields at message level. See "Removing Unwanted Fields at Message Level" section for more information.

• Lastly, if there are active routings that use these sensitive fields that you do not want to transmit to Oracle Identity Manager, then you need to write a transformation.

  For more information about implementing transformation, refer to Chapter 21 of Integration Broker PeopleBook on Oracle Technology Network at the following location

  http://download.oracle.com/docs/cd/E13292_01/pt849pbr0/eng/psbooks/tibr/book.htm

  In addition, refer to Chapter 43 of PeopleCode API Reference PeopleBook on Oracle Technology Network at the following location

  http://download.oracle.com/docs/cd/E13292_01/pt849pbr0/eng/psbooks/tpcr/book.htm

Removing Unwanted Fields at Message Level

1. Expand PeopleTools, Integration Broker, Integration Setup, and then click Messages.

2. Search for and open the desired message, for example, DELETE_USER_PROFILE.VERSION_1 used for incremental reconciliation.

3. Expand the message.

   
   

4. Navigate to the field that you do not want to transmit to Oracle Identity Manager, for example, USRPROF_PRG_STAT.

   
   

5. Click the field and clear the Include check box.

   
   

6. Click OK, return and save the message.

2.2.2.4 Configuring the Target System for Provisioning

To configure the target system for provisioning, create the APIs for the component interface as follows:

1. To open the Application Designer, click Start and then select Programs, Peoplesoft8.x, and Application Designer.

2. On the Application Designer page, click Open from the File menu.

3. In the Open Definition dialog box, select Component Interface from the Definition list.

4. Enter USER_PROFILE in the Name field, and then press Enter.

   All the component interfaces with names that start with USER_PROFILE are displayed in the Open Definition dialog box.

5. Double-click the USER_PROFILE entry.

   If you are not authorized to perform any action on the USER_PROFILE component interface:

   1. Log in to Application Designer with administrator credentials.

   2. From the Go menu, select Definition Security.

      A new console, PS Definition Security appears.

   3. From the File menu, select Open, and then select Group.

      The Definition Security Open dialog box appears.

   4. From the Group ID list, select PEOPLETOOLS, and then click OK.

      The PS Definition Security - Group ID : PEOPLETOOLS window appears.

   5. From the list, select Component Interfaces.

   6. From the Component Interfaces list, select USER_PROFILE and DELETE_USER_PROFILE. Click the right arrow to move these to the Excluded Component Interfaces: list.

   7. From the File menu, select Save.

6. From the File menu, select Open.

   The Open Definition window appears.

7. In the Name field, enter USER_PROFILE, and then click Open.

   The properties of the USER_PROFILE component interface are displayed in the Definition matching selection criteria: region.

8. Double-click the USER_PROFILE entry.

9. From the Build menu, select PeopleSoft APIs. The Build PeopleSoft API Bindings dialog box is displayed.

10. In the Java Classes region of the Build PeopleSoft API Bindings dialog box, select the Build check box.

    
    

    Note: Ensure that the other check boxes are unchecked.

    
    

11. From the Select APIs to Build list, select the following APIs:

    • CompIntfc.CompIntfcPropertyInfo

    • CompIntfc.CompIntfcPropertyInfoCollection

    • PeopleSoft.CompintfcCollection

    • PeopleSoft.Property

    • PeopleSoft.PropertyList

    • PeopleSoft.PSMessage

    • PeopleSoft.PSMessageCollection

    • PeopleSoft.RegionalSettings

    • PeopleSoft.Session

    • PeopleSoft.TraceSettings

    • CompIntfc.DELETE_USER_PROFILE

    • CompIntfc.DELETE_USER_PROFILECollection

    • APIs with names that start with CompIntfc.USER_PROFILE

12. In the Target Directory field, enter the path for the directory where you want to create the Java API classes, and then click OK.

13. Ensure that the psjoa.jar file is included in the CLASSPATH environment variable. This file is located in the PEOPLESOFT_HOME/web/psjoa directory.

14. Compile the APIs from the target directory specified in Step 11. To do so:

    1. Specify the JAVA_HOME environment variable.

    2. In the command prompt, run the following command in the directory that you specified in Step 10 of this procedure:

       %JAVA_HOME%\bin\javac PeopleSoft\Generated\CompIntfc\*.java
       

       
       

       Note: You must ensure that the OC4J JDK version and Oracle Identity Manager JDK version are same, for example, create a peoplesoft.jar with JAVA_HOME set to JDK 1.5 as used in OC4J.

       
       

15. Bundle the compiled class files into a JAR file named peoplesoft.jar, as follows:

    1. Copy all the .class files into the following directory:

       temp\PeopleSoft\Generated\CompIntfc

       
       

       Note: This directory should contain only .class files.

       
       

    2. Run the following command from the temp directory:

       jar -cvf peoplesoft.jar *.*
       

2.2.2.5 Configuring Oracle Identity Manager Server as a Non-Proxy Host on PeopleSoft Server

To configure Oracle Identity Manager server as a non-proxy host on PeopleSoft server:

1. Update PT_HOME/webserv/INSTANCE_NAME/bin/setEnv.sh file with OIM server value for the following parameter:

   HTTP_PROXY_NONPROXY_HOSTS=OIM_SERVER_HOST_NAME
   

2. Update integrationGateway.properties, for example, /slot/ems1725/appmgr/pt850/webserv/h91c306/applications/peoplesoft/PSIGW.war/WEB-INF file with the following parameter:

   ig.nonProxyHosts=OIM_SERVER_HOST_NAME
   

2.3 Postinstallation

Postinstallation information is divided across the following sections:

• Section 2.3.1, "Postinstallation on Oracle Identity Manager"

• Section 2.3.2, "Postinstallation on the Target System"

2.3.1 Postinstallation on Oracle Identity Manager

Postinstallation on Oracle Identity Manager consists of the following procedures:

Note: In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster.

• Section 2.3.1.1, "Clearing Content Related to Connector Resource Bundles from the Server Cache"

• Section 2.3.1.2, "Enabling Logging"

• Section 2.3.1.3, "Setting Up the Lookup.PSFT.UM.ExclusionList Lookup Definition"

• Section 2.3.1.4, "Setting Up the Lookup.PSFT.UM.UserProfile.UserStatus Lookup Definition"

• Section 2.3.1.5, "Setting Up the Lookup.PSFT.Configuration Lookup Definition"

• Section 2.3.1.6, "Configuring SSL"

• Section 2.3.1.8, "Enabling Request-Based Provisioning"

2.3.1.1 Clearing Content Related to Connector Resource Bundles from the Server Cache

Note: In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster. Then, restart each node.

When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the OIM_HOME/xellerate/connectorResources directory for Oracle Identity Manager release 9.1.0.x and Oracle Identity Manager database for Oracle Identity Manager release 11.1.1. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

1. In a command window, perform one of the following steps:

   • If you are using Oracle Identity Manager release 9.1.0.x, then switch to the OIM_HOME/xellerate/bin directory.

   • If you are using Oracle Identity Manager release 11.1.1, then switch to the OIM_HOME/server/bin directory.

   
   

   Note: You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows: For Oracle Identity Manager release 9.1.0.x: OIM_HOME/xellerate/bin/SCRIPT_FILE_NAME For Oracle Identity Manager release 11.1.1: OIM_HOME/server/bin/SCRIPT_FILE_NAME

   
   

2. Enter one of the following commands:

   
   

   Note: You can use the PurgeCache utility to purge the cache for any content category. Run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the content category that must be purged. For example, the following commands purge Metadata entries from the server cache: PurgeCache.bat MetaData PurgeCache.sh MetaData

   
   

   • For Oracle Identity Manager release 9.1.0.x:

     On Microsoft Windows: PurgeCache.bat ConnectorResourceBundle

     On UNIX: PurgeCache.sh ConnectorResourceBundle

     
     

     Note: You can ignore the exception that is thrown when you perform Step 2. This exception is different from the one mentioned in Step 1.

     
     

     In this command, ConnectorResourceBundle is one of the content categories that you can delete from the server cache. See the following file for information about the other content categories:

     OIM_HOME/xellerate/config/xlconfig.xml

   • For Oracle Identity Manager release 11.1.1:

     On Microsoft Windows: PurgeCache.bat All

     On UNIX: PurgeCache.sh All

     When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:

     t3://OIM_HOST_NAME:OIM_PORT_NUMBER
     

     In this format:

     • Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.

     • Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.

       Sample value: t3://localhost:8003

   See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.

2.3.1.2 Enabling Logging

Depending on the Oracle Identity Manager release you are using, perform instructions in one of the following sections:

• Section 2.3.1.2.1, "Enabling Logging on Oracle Identity Manager Release 9.1.0.x"

• Section 2.3.1.2.2, "Enabling Logging on Oracle Identity Manager Release 11.1.1"

2.3.1.2.1 Enabling Logging on Oracle Identity Manager Release 9.1.0.x

Note: In an Oracle Identity Manager cluster, perform this procedure on each node of the cluster. Then, restart each node.

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during provisioning and reconciliation operations. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

• ALL

  This level enables logging for all events.

• DEBUG

  This level enables logging of information about fine-grained events that are useful for debugging.

• INFO

  This level enables logging of messages that highlight the progress of the application at a coarse-grained level.

• WARN

  This level enables logging of information about potentially harmful situations.

• ERROR

  This level enables logging of information about error events that might allow the application to continue running.

• FATAL

  This level enables logging of information about very severe error events that could cause the application to stop functioning.

• OFF

  This level disables logging for all events.

The file in which you set the log level depends on the application server that you use:

• IBM WebSphere Application Server

  To enable logging:

  1. Make the following changes in the OIM_HOME/xellerate/config/log.properties:

     • Search for the following line:

       log4j.rootLogger=WARN,stdout
       

       Make this line a comment and remove the comment from the line preceding this line.

     • Locate and remove the comment from following lines:

       #log4j.appender.logfile=org.apache.log4j.DailyRollingFileAppender
       #log4j.appender.logfile.DatePattern='.'yyyy-MM-dd
       #log4j.appender.logfile.File=DIRECTORY_PATH/xel.log
       #log4j.appender.logfile.MaxBackupIndex=20
       #log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
       #log4j.appender.logfile.layout.ConversionPattern=%p %t %c - %m%n
       

  2. Specify the name and the location of the file to which the preceding logs have to be written. You can do this by changing the value of the following line:

     log4j.appender.logfile.File=c:/oracle/xellerate/logs/xel.log
     

     Replace c:/oracle/xellerate/logs with a valid directory location.

  3. Add the following line in the OIM_HOME/xellerate/config/log.properties file:

     log4j.logger.OIMCP.PSFTUM=log_level
     log4j.logger.OIMCP.PSFTCOMMON=LOG_LEVEL
     

  4. In this line, replace log_level with the log level to set.

     For example:

     log4j.logger.OIMCP.PSFTUM=DEBUG
     log4j.logger.OIMCP.PSFTCOMMON=DEBUG
     

  After you enable logging, the log information is written to the following file:

  DIRECTORY_PATH/xel.log
  

• JBoss Application Server

  To enable logging:

  1. In the JBOSS_HOME/server/default/conf/jboss-log4j.xml file, add the following lines:

     <category name="OIMCP.PSFTUM">
        <priority value="log_level"/>
     </category>
     <category name="OIMCP.PSFTCOMMON">
        <priority value="LOG_LEVEL"/>
     </category>
     

     In an Oracle Identity Manager cluster, make the changes in the following file:

     JBOSS_HOME/server/all/conf/jboss-log4j.xml
     

  2. In these lines, replace log_level with the log level that you want to set. For example:

     <category name="OIMCP.PSFTUM">
        <priority value="DEBUG"/>
     </category>
     <category name="OIMCP.PSFTCOMMON">
        <priority value="DEBUG"/>
     </category>
     

  After you enable logging, the log information is written to the following file:

  JBOSS_HOME\server\default\log\server.log
  

  In an Oracle Identity Manager cluster, the log information is written to the following file:

  JBOSS_HOME\server\all\log\server.log
  

• Oracle WebLogic Server

  To enable logging:

  1. Make the following changes in the OIM_HOME/xellerate/config/log.properties:

     • Search for the following line:

       log4j.rootLogger=WARN,stdout
       

       Make this line a comment and remove the comment from the line preceding this line.

     • Locate and remove the comment from the following lines:

       #log4j.appender.logfile=org.apache.log4j.DailyRollingFileAppender
       #log4j.appender.logfile.DatePattern='.'yyyy-MM-dd
       #log4j.appender.logfile.File=DIRECTORY_PATH/xel.log
       #log4j.appender.logfile.MaxBackupIndex=20
       #log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
       #log4j.appender.logfile.layout.ConversionPattern=%p %t %c - %m%n
       

  2. Specify the name and the location of the file to which the preceding logs have to be written. You can do this by changing the value of the following line:

     log4j.appender.logfile.File=c:/oracle/xellerate/logs/xel.log
     

     Replace c:/oracle/xellerate/logs with a valid directory location.

  3. Add the following line in the OIM_HOME/xellerate/config/log.properties file:

     log4j.logger.OIMCP.PSFTUM=log_level
     

  4. In this line, replace log_level with the log level that you want to set.

     For example:

     log4j.logger.OIMCP.PSFTUM=DEBUG
     

  After you enable logging, the log information is written to the following file:

  DIRECTORY_PATH/xel.log
  

• Oracle Application Server

  To enable logging:

  1. Make the following changes in the OIM_HOME/xellerate/config/log.properties:

     • Search for the following line:

       log4j.rootLogger=WARN,stdout
       

       Make this line a comment and remove the comment from the line preceding this line.

     • Locate and remove the comment from following lines:

       #log4j.appender.logfile=org.apache.log4j.DailyRollingFileAppender
       #log4j.appender.logfile.DatePattern='.'yyyy-MM-dd
       #log4j.appender.logfile.File=DIRECTORY_PATH/xel.log
       #log4j.appender.logfile.MaxBackupIndex=20
       #log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
       #log4j.appender.logfile.layout.ConversionPattern=%p %t %c - %m%n
       

  2. Specify the name and the location of the file to which the preceding logs have to be written. You can do this by changing the value of the following line:

     log4j.appender.logfile.File=c:/oracle/xellerate/logs/xel.log
     

     Replace c:/oracle/xellerate/logs with a valid directory location.

  3. Add the following line in the OIM_HOME/xellerate/config/log.properties file:

     log4j.logger.OIMCP.PSFTUM=log_level
     log4j.logger.OIMCP.PSFTCOMMON=LOG_LEVEL
     

  4. In this line, replace log_level with the log level to set.

     For example:

     log4j.logger.OIMCP.PSFTUM=DEBUG
     log4j.logger.OIMCP.PSFTCOMMON=DEBUG
     

  After you enable logging, the log information is written to the following file:

  DIRECTORY_PATH/xel.log
  

2.3.1.2.2 Enabling Logging on Oracle Identity Manager Release 11.1.1

Note: In an Oracle Identity Manager cluster, perform this procedure on each node of the cluster. Then, restart each node.

Oracle Identity Manager release 11.1.1 uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

• SEVERE.intValue()+100

  This level enables logging of information about fatal errors.

• SEVERE

  This level enables logging of information about errors that may allow Oracle Identity Manager to continue running.

• WARNING

  This level enables logging of information about potentially harmful situations.

• INFO

  This level enables logging of messages that highlight the progress of the application.

• CONFIG

  This level enables logging of information about fine-grained events that are useful for debugging.

• FINE, FINER, FINEST

  These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These message types are mapped to ODL message type and level combinations as shown in Table 2-5.

Table 2-5 Log Levels and ODL Message Type:Level Combinations

Java Level	ODL Message Type:Level
SEVERE.intValue()+100	INCIDENT_ERROR:1
SEVERE	ERROR:1
WARNING	WARNING:1
INFO	NOTIFICATION:1
CONFIG	NOTIFICATION:16
FINE	TRACE:1
FINER	TRACE:16
FINEST	TRACE:32

The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SEVER are the domain name and server name specified during the installation of Oracle Identity Manager.

To enable logging in Oracle WebLogic Server:

1. Edit the logging.xml file as follows:

   1. Add the following blocks in the file:

      <log_handler name='psft-um-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
      <property name='logreader:' value='off'/>
           <property name='path' value='[FILE_NAME]'/>
           <property name='format' value='ODL-Text'/>
           <property name='useThreadName' value='true'/>
           <property name='locale' value='en'/>
           <property name='maxFileSize' value='5242880'/>
           <property name='maxLogSize' value='52428800'/>
           <property name='encoding' value='UTF-8'/>
         </log_handler>
      

      <logger name="OIMCP.PSFTCOMMON" level="[LOG_LEVEL]" useParentHandlers="false">
           <handler name="psft-um-handler"/>
           <handler name="console-handler"/>
         </logger>
      

      <logger name="OIMCP.PSFTUM" level="[LOG_LEVEL]" useParentHandlers="false">
      <handler name="psft-um-handler"/>
      <handler name="console-handler"/>
      </logger>
      

   2. Replace all occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 2-5 lists the supported message type and level combinations.

      Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.

      The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME]:

      <log_handler name='psft-um-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
      <property name='logreader:' value='off'/>
           <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/>
           <property name='format' value='ODL-Text'/>
           <property name='useThreadName' value='true'/>
           <property name='locale' value='en'/>
           <property name='maxFileSize' value='5242880'/>
           <property name='maxLogSize' value='52428800'/>
           <property name='encoding' value='UTF-8'/>
         </log_handler>
      

      <logger name="OIMCP.PSFTCOMMON" level="NOTIFICATION:1" useParentHandlers="false">
           <handler name="psft-um-handler"/>
           <handler name="console-handler"/>
         </logger>
      

      <logger name="OIMCP.PSFTUM" level="NOTIFICATION:1" useParentHandlers="false">
      <handler name="psft-um-handler"/>
      <handler name="console-handler"/>
      </logger>
      

      With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.

2. Save and close the file.

3. Set the following environment variable to redirect the server logs to a file:

   For Microsoft Windows:

   set WLS_REDIRECT_LOG=FILENAME
   

   For UNIX:

   export WLS_REDIRECT_LOG=FILENAME
   

   Replace FILENAME with the location and name of the file to which you want to redirect the output.

4. Restart the application server.

2.3.1.3 Setting Up the Lookup.PSFT.UM.ExclusionList Lookup Definition

In the Lookup.PSFT.UM.ExclusionList lookup definition, enter the user IDs of target system accounts for which you do not want to perform reconciliation and provisioning. See Section 1.5.2.3.4, "Lookup.PSFT.UM.ExclusionList" for more information about this lookup definition.

1. On the Design Console, expand Administration and then double-click Lookup Definition.

2. Search for and open the Lookup.PSFT.UM.ExclusionList lookup definition.

3. Click Add.

   
   

   Note: The Code Key represents the resource object field name on which the exclusion list is applied during reconciliation. In provisioning, the exclusion list is applied to User Id (OPRID), by default.

   
   

4. In the Code Key and Decode columns, enter the first user ID to exclude.

5. Repeat Steps 3 and 4 for all the user IDs to exclude.

   For example, if you do not want to provision users with user ID 's User001, User002, and User088 then you must populate the lookup definition with the following values:

   Code Key	Decode
   User ID	User001~User002~User088

   
   

6. Click the Save icon.

2.3.1.4 Setting Up the Lookup.PSFT.UM.UserProfile.UserStatus Lookup Definition

The lookup provides the mapping between the ACCTLOCK node in the USER_PROFILE message XML and the status to be shown on Oracle Identity Manager for the employee. See Section 1.5.2.1.4, "Lookup.PSFT.UM.UserProfile.UserStatus" for more information about this lookup definition.

You can change the Decode value in this lookup definition for the Code Key value to modify the status of the provisioned resource. For example, you can change the Decode value from Enabled to Provisioned for the Code Key value, 0 defined in this lookup definition. This enables you to modify the status of the provisioned resource from enabled to provisioned.

To modify or set the Decode value in this lookup definition:

1. On the Design Console, expand Administration and then double-click Lookup Definition.

2. Search for and open the Lookup.PSFT.UM.UserProfile.UserStatus lookup definition.

3. Click Add.

4. In the Decode column for the Code Key, enter the following value.

   Code Key: 0

   Decode: Provisioned

5. Click the Save icon.

2.3.1.5 Setting Up the Lookup.PSFT.Configuration Lookup Definition

Every standard PeopleSoft message has a message-specific configuration defined in the Lookup.PSFT.Configuration lookup definition. See Section 1.5.2.3.1, "Lookup.PSFT.Configuration" for more information about this lookup definition.

For example, the mapping for the USER_PROFILE message in this lookup definition is defined as follows:

Code Key: USER_PROFILE

Decode: Lookup.PSFT.Message.UserProfile.Configuration

You can configure the message names, such as USER_PROFILE and DELETE_USER_PROFILE, defined in this lookup definition.

Consider a scenario in which the target system sends the USER_PROFILE.VERSION_3 message. You must change the Code Key value in this lookup definition to implement the message sent by the target system.

To modify or set the Code Key value:

1. On the Design Console, expand Administration and then double-click Lookup Definition.

2. Search for and open the Lookup.PSFT.Configuration lookup definition.

3. Click Add.

4. In the Code Key column, enter the name of the message you want to modify. In this scenario, define the mapping as follows:

   Code Key: USER_PROFILE.VERSION_3

   Decode: Lookup.PSFT.Message.UserProfile.Configuration

5. Repeat Steps 3 and 4 to rename the DELETE_USER_PROFILE message name.

6. Click the Save icon.

2.3.1.6 Configuring SSL

The following sections describe the procedure to configure SSL connectivity between Oracle Identity Manager and the target system:

• Section 2.3.1.6.1, "Configuring SSL on IBM WebSphere Application Server"

• Section 2.3.1.6.2, "Configuring SSL on JBoss Application Server"

• Section 2.3.1.6.3, "Configuring SSL on Oracle WebLogic Server"

• Section 2.3.1.6.4, "Configuring SSL on Oracle Application Server"

2.3.1.6.1 Configuring SSL on IBM WebSphere Application Server

You can configure SSL connectivity on IBM WebSphere Application Server with either a self-signed certificate or a CA certificate. The following sections describe this:

• Configuring SSL on IBM WebSphere Application Server with a Self-Signed Certificate

• Configuring SSL on IBM WebSphere Application Server with a CA Certificate

Configuring SSL on IBM WebSphere Application Server with a Self-Signed Certificate

To configure SSL connectivity between Oracle Identity Manager on IBM WebSphere Application Server and the target system with a self-signed certificate, you must perform the following tasks:

1. Log in to the WebSphere Integrated Solutions Console. The URL may be similar to the following:

   https://localhost:9043/ibm/console/logon.jsp
   

2. Click Security, SSL certificate and key management, Related items, Key stores and certificates, NodeDefaultKeyStore, and then click Personal certificates.

3. Click Create a self-signed certificate.

4. In the Alias field, enter an alias name. You specify the alias name to identify the certificate request in the keystore.

5. In the CN field, enter a value for common name. The common name must be the fully-qualified DNS host name or the name of the computer. The CN of the certificate must match the domain name or the name of the computer. For example, if the name of your domain is us.example.com, then the CN of the SSL certificate that you create for your domain must also be us.example.com.

6. In the Organization field, enter an organization name.

7. In the Organization unit field, specify the organization unit.

8. In the Locality field, enter the locality.

9. In the State or Province field, enter the state.

10. In the Zip Code field, enter the zip code.

11. From the Country or region list, select the country code.

12. Click Apply and then Save.

13. Click Security, SSL certificate and key management, Related items, Key stores and certificates, NodeDefaultKeyStore, and then click Personal certificates.

14. Select the check box for the new alias name.

15. Click Extract.

16. Specify the absolute file path where you want to extract the certificate under the certificate file name, for example, C:\SSLCerts\sslcert.cer.

17. Click Apply and then click OK.

Configuring SSL on IBM WebSphere Application Server with a CA Certificate

To configure SSL connectivity between Oracle Identity Manager on IBM WebSphere Application Server and the target system with a CA certificate, you must perform the following tasks:

1. Log in to the WebSphere Integrated Solutions Console. The URL may be similar to the following:

   https://localhost:9043/ibm/console/logon.jsp
   

2. Click Security, SSL certificate and key management, Related items, Key stores and certificates, NodeDefaultKeyStore.

3. On the Additional Properties tab, click Personal certificate requests.

4. Click New.

5. In the File for certificate request field, enter the full path where the certificate request is to be stored, and a file name, for example, c:\servercertreq.arm (for a computer running on Microsoft Windows).

6. In the Key label field, enter an alias name. You specify the alias name to identify the certificate request in the keystore.

7. In the CN field, enter a value for common name. The common name must be the fully-qualified DNS host name or the name of the computer. The CN of the certificate must match the domain name of your community. For example, if the name of your domain is us.example.com, then the CN of the SSL certificate that you create for your community must also be us.example.com.

8. In the Organization field, enter an organization name.

9. In the Organization unit field, specify the organization unit.

10. In the Locality field, enter the locality.

11. In the State or Province field, enter the state.

12. In the Zip Code field, enter the zip code.

13. From the Country or region list, select the country code.

14. Click Apply and then Save. The certificate request is created in the specified file location in the keystore. This request functions as a temporary placeholder for the signed certificate until you manually receive the certificate in the keystore.

    
    

    Note: Keystore tools such as iKeyman and keyTool cannot receive signed certificates that are generated by certificate requests from IBM WebSphere Application Server. Similarly, IBM WebSphere Application Server cannot accept certificates that are generated by certificate requests from other keystore utilities.

    
    

15. Send the certification request arm file to a CA for signing.

16. Create a backup of your keystore file. You must create this backup before receiving the CA-signed certificate into the keystore. The default password for the keystore is WebAS. The Integrated Solutions Console contains the path information for the location of the keystore. The path to the NodeDefaultKeyStore is listed in the Integrated Solutions Console as:

    was_profile_root\config\cells\cell_name\nodes\node_name\key.p12
    

    Now, you can receive the CA-signed certificate into the keystore to complete the process of generating a signed certificate for IBM WebSphere Application Server.

To receive a signed certificate issued by a CA, perform the following tasks:

1. In the WebSphere Integrated Solutions Console, click Security, SSL certificate and key management, Related items, Key stores and certificates, NodeDefaultKeyStore, and then click Personal Certificates.

2. Click Receive a certificate from a certificate authority.

3. Enter the full path and name of the certificate file.

4. Select the default data type from the list.

5. Click Apply and then Save.

The keystore contains a new personal certificate that is issued by a CA. The SSL configuration is ready to use the new CA-signed personal certificate.

2.3.1.6.2 Configuring SSL on JBoss Application Server

Before configuring SSL on JBoss Application Server, ensure the following:

• JBoss Application Server is installed on the Oracle Identity Manager host computer

• Java Runtime Environment is installed on the JBoss Application Server host

You can configure SSL connectivity on JBoss Application Server with either a self-signed certificate or a CA certificate. The following sections describe this. If you are configuring SSL on JBoss Application Server with a self-signed certificate, then perform the following tasks:

• Creating a Self-Signed Certificate

• Moving the Keystore

• Updating the Configuration File

If you are configuring SSL on JBoss Application Server with a CA certificate, then perform the following tasks:

• Importing a CA Certificate

• Moving the Keystore

• Updating the Configuration File

Creating a Self-Signed Certificate

To create a self-signed certificate, see "Generating Keystore".

Importing a CA Certificate

To import a CA certificate, perform the following tasks:

1. Run the following command:

   keytool -genkey -alias ALIAS_NAME -keystore ABSOLUTE_KEYSTORE_PATH -keyalg KEY_ALGORITHM -storepass KEYSTORE_PASSWORD -keypass PRIVATE_KEY_PASS
   

   For example:

   keytool -genkey -alias example088196 -keystore c:\temp\keys\custom.keystore -keyalg RSA -storepass example1234 -keypass example1234
   

   
   

   Note: The keystore password and the private key password must be the same. Typically, the alias is the name or the IP address of the computer on which you are configuring SSL. The alias used in the various commands of this procedure must be the same.

   
   

2. When prompted, enter information about the certificate, such as company and contact name. This information is displayed to employees attempting to access a secure page in the application. This is illustrated in the following example:

   What is your first and last name?
     [Unknown]:  Must be the name or IP address of the computer
   What is the name of your organizational unit?
     [Unknown]:  example
   What is the name of your organization?
     [Unknown]:  example
   What is the name of your City or Locality?
     [Unknown]:  New York
   What is the name of your State or Province?
     [Unknown]:  New York
   What is the two-letter country code for this unit?
     [Unknown]:  US
   Is <CN=Name or IP address of the computer, OU=example, O=example, L=New York, ST=New York, C=US> correct?
     [no]:  yes
   

   When you enter yes in the last line of the preceding example, the custom keystore file is created in the c:\temp\keys\ directory.

3. Generate the certificate signing request by running the following command:

   keytool -certreq -alias ALIAS_NAME -file ABSOLUTE_CSR_PATH  -keystore  ABSOLUTE_KEYSTORE_PATH
   

   For example:

   keytool -certreq -alias example088196 -file c:\temp\keys\certReq.csr -keystore c:\temp\keys\custom.keystore
   

4. Submit the certReq.csr file on a CA Web site for downloading the CA certificate.

   Ensure that your %JAVA_HOME%\jre\lib\security\cacerts has the root certificate of the CA that has generated the CA certificate.

   To check all the root certificates that %JAVA_HOME%\jre\lib\security\cacerts contains, run the following command:

   keytool -list -keystore %JAVA_HOME%\jre\lib\security\cacerts -storepass cacerts_store_password
   

   For example:

   %JAVA_HOME%\jre\bin\keytool -list -keystore %JAVA_HOME%\jre\lib\security\cacerts -storepass changeit
   

   If the %JAVA_HOME%\jre\lib\security\cacerts keystore does not contain the root certificate of CA that has generated the CA certificate, then you must import the root certificate of CA into %JAVA_HOME%\jre\lib\security\cacerts.

   Run the following command to import the root certificate of CA:

   keytool -import  -alias <cacerts_key_entry_alias> -file <CARootCertificate.cer> -keystore %JAVA_HOME%\jre\lib\security\cacerts  -storepass cacerts_store_password
   

   For example:

   keytool -import -alias cakey -file "C:\temp\Thawte Test Root.cer" -keystore %JAVA_HOME%\jre\lib\security\cacerts -storepass changeit
   

   The certificate is added to the keystore.

5. Import the CA certificate by running the following command:

   keytool -import -alias ALIAS_NAME -keystore ABSOLUTE_KEYSTORE_PATH -trustcacerts -file ABSOLUTE_CACERT_PATH
   

   ABSOLUTE_CACERT_PATH represents the path in which you have stored the certificate downloaded from CA.

   For example:

   keytool -import -alias example088196 -keystore c:\temp\keys\custom.keystore -trustcacerts -file c:\temp\keys\CACert.cer
   

   When you run this command, you are prompted for the keystore password, as shown:

   Enter keystore password:  example1234 [Enter]
   Owner: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
   Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
   Serial number: 0
   Valid from: Thu Aug 01 05:30:00 GMT+05:30 1996 until: Fri Jan 01 03:29:59 GMT+05:30 2021
   Certificate fingerprints:
            MD5:  5E:E0:0E:1D:17:B7:CA:A5:7D:36:D6:02:DF:4D:26:A4
            SHA1: 39:C6:9D:27:AF:DC:EB:47:D6:33:36:6A:B2:05:F1:47:A9:B4:DA:EA
   Trust this certificate? [no]:  yes [Enter]
   

   In this example, the instances when you can press Enter are shown in bold.

Moving the Keystore

To move the certificate to a JBoss Application Server directory, copy the generated keystore to the conf directory of your JBoss installation. For example, the directory can be C:\Program Files\jboss-4.0.3\server\default\conf\.

Updating the Configuration File

Before updating the configuration file, shut down JBoss Application Server. The JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/server.xml file contains information about what Web features to enable when the server starts. Inside this file, there is a part that looks similar to the following:

<!-- SSL/TLS Connector configuration using the admin devl guide keystore
<Connector port="8443" address="${jboss.bind.address}"
  maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
  emptySessionPath="true" 
  scheme="https" secure="true" clientAuth="false" 
  keystoreFile="${jboss.server.home.dir}/conf/chap08.keystore"
  keystorePass="rmi+ssl" sslProtocol = "TLS" />
-->

In the code, make the following changes:

• Remove the comment from the block of code.

• Change the value of Connector port to 443 (default SSL port).

• Change the value of keystoreFile to the absolute path of the keystore generated in "Generating Keystore".

• Change the value of keystorePass to the password of the keystore.

After the changes are made, the code block looks similar to the following:

<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="443" address="${jboss.bind.address}"
maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/ custom.keystore"
keystorePass=" example1234 " sslProtocol = "TLS" />
<!-- -->

SSL is now enabled. You can restart JBoss Application Server and browse to the following URL to verify whether SSL is enabled:

https://localhost:443

2.3.1.6.3 Configuring SSL on Oracle WebLogic Server

You can configure SSL connectivity on Oracle WebLogic Server with either a self-signed certificate or a CA certificate. The following sections describe the procedures:

See Also: Appendix B, "Setting Up SSL on Oracle WebLogic Server"

• Configuring SSL on Oracle WebLogic Server with a Self-Signed Certificate

• Configuring SSL on Oracle WebLogic Server with a CA Certificate

Configuring SSL on Oracle WebLogic Server with a Self-Signed Certificate

To configure SSL connectivity between Oracle Identity Manager on Oracle WebLogic Server and the target system with a self-signed certificate, you must perform the following tasks:

• Generating Keystore

• Configuring Oracle WebLogic Server

Generating Keystore

To generate the keystore:

1. Run the following command:

   keytool -genkey -keystore ABSOLUTE_KEYSTORE_PATH -alias ALIAS_NAME -keyalg KEY_ALGORITHM -storepass KEYSTORE_PASSWORD -keypass PRIVATE_KEY_PASSWORD
   

   For example:

   keytool -genkey -keystore c:\temp\keys\keystore.jks -alias example088196 -keyalg RSA -storepass example1234 -keypass example1234
   

   
   

   Note: The keystore password and the private key password must be the same. Typically, the alias is the name or the IP address of the computer on which you are configuring SSL. The alias used in the various commands of this procedure must be the same.

   
   

2. When prompted, enter information about the certificate. This information is displayed to users attempting to access a secure page in the application. This is illustrated in the following example:

   keytool -genkey -keystore c:\temp\keys\keystore.jks -alias example088196    -keyalg RSA -storepass example1234 -keypass example1234
   What is your first and last name?
     [Unknown]: Must be the name or IP address of the computer
   What is the name of your organizational unit?
     [Unknown]:  example
   What is the name of your organization?
     [Unknown]:  example
   What is the name of your City or Locality?
     [Unknown]:  New York
   What is the name of your State or Province?
     [Unknown]:  New York
   What is the two-letter country code for this unit?
     [Unknown]:  US
   Is <CN=Name or IP address of the computer, OU=example, O=example, L=New York, ST=New York, C=US> correct?
     [no]:  yes
   

   When you enter yes in the last line of the preceding example, the keystore.jks file is created in the c:\temp\keys\directory.

3. Export the keystore to a certificate file by running the following command:

   keytool -export -alias ALIAS_NAME -keystore ABSOLUTE_KEYSTORE_PATH -file CERTIFICATE_FILE_ABSOLUTE_PATH
   

   For example:

   keytool -export -alias example088196 -keystore c:\temp\keys\keystore.jks -file c:\temp\keys\keystore.cert
   

4. When prompted for the private key password, enter the same password used for the keystore, for example, example1234.

5. Import the keystore by running the following command:

   keytool -import -alias ALIAS_NAME -keystore NEW_KEYSTORE_ABSOLUTE_PATH -file CERTIFICATE_FILE_ABSOLUTE_PATH
   

   For example:

   keytool -import -alias example088196 -keystore c:\temp\keys\new.jks -file c:\temp\keys\keystore.cert
   

   When you run this command, it prompts for the keystore password, as shown in the following example:

   Enter keystore password:  example1234 [Enter]
   Trust this certificate? [no]:  yes [Enter]
   Certificate was added to keystore
   

   In this example, the instances when you can press Enter are shown in bold.

Configuring Oracle WebLogic Server

After generating and importing the keystore, start Oracle WebLogic Server. To configure Oracle WebLogic Server:

1. Log in to the Oracle WebLogic Server console at http://localhost:7001/console and perform the following:

   1. Expand the servers node and select the oim server instance.

   2. Select the General tab.

   3. Select the SSL Listen Port Enabled option.

   4. Ensure that a valid port is specified in the SSL Listen Port field. The default port is 7002.

   5. Click Apply to save your changes.

2. Click the Keystore & SSL tab, and then click Change.

3. From the Keystores list, select Custom identity And Java Standard Trust, and then click Continue.

4. Configure the keystore properties. To do so:

   1. In the Custom Identity Key Store File Name column, specify the full path of the keystore generated in Step 1 of "Generating Keystore", for example, c:\temp\keys\keystore.jks. In the Custom Identity Key Store Type column, specify the type of keystore, for example, JKS. In the Custom Identity Key Store Pass Phrase and Confirm Custom Identity Key Store Pass Phrase columns, specify the keystore password.

   2. Provide the Java standard trust keystore pass phrase and the Confirm Java standard trust keystore pass phrase. The default password is changeit.

   3. Click Continue.

5. Specify the private key alias, pass phrase and the confirm pass phrase as the keystore password. Click Continue.

6. Click Finish.

7. Restart Oracle WebLogic Server. If the server starts successfully with the SSL configuration, then lines similar to the following are recorded in the startup log:

   <Apr 21, 2008 2:35:43 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "ListenThread.Default" listening on port 7001, ip address *.*> 
   <Apr 21, 2008 2:35:43 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "SSLListenThread.Default" listening on port 7002, ip address *.*>
   

   
   

   Note: The default SSL port for Oracle WebLogic Server is 7002.

   
   

Configuring SSL on Oracle WebLogic Server with a CA Certificate

To configure SSL connectivity between Oracle Identity Manager on Oracle WebLogic Server and the target system with a CA certificate, you must perform the following tasks:

Note: Although this is an optional step in the deployment procedure, Oracle strongly recommends that you configure SSL communication between the target system and Oracle Identity Manager.

• Generating Keystore

• Configuring Oracle WebLogic Server

Generating Keystore

The connector requires Certificate Services to be running on the host computer. To generate the keystore:

1. Run the following command:

   keytool -genkey -keystore ABSOLUTE_KEYSTORE_PATH -alias ALIAS_NAME -keyalg KEY_ALGORITHM -storepass KEYSTORE_PASSWORD -keypass PRIVATE_KEY_PASSWORD
   

   For example:

   keytool -genkey -keystore c:\temp\keys\keystore.jks -alias example088196 -keyalg RSA -storepass example1234 -keypass example1234
   

   
   

   Note: The keystore password and the private key password must be the same. Typically, the alias name is the name or the IP address of the computer on which you are configuring SSL.

   
   

2. When prompted, enter information about the certificate. This information is displayed to users attempting to access a secure page in the application. This is illustrated in the following example:

   keytool -genkey -keystore c:\temp\keys\keystore.jks -alias example088196    -keyalg RSA -storepass example1234 -keypass example1234
   What is your first and last name?
     [Unknown]:  Must be the name or IP address of the computer
   What is the name of your organizational unit?
     [Unknown]:  example
   What is the name of your organization?
     [Unknown]:  example
   What is the name of your City or Locality?
     [Unknown]:  New York
   What is the name of your State or Province?
     [Unknown]:  New York
   What is the two-letter country code for this unit?
     [Unknown]:  US
   Is <CN=Name or IP address of the computer, OU=example, O=example, L=New York, ST=New York, C=US> correct?
     [no]:  yes
   

   When you enter yes in the last line of the preceding example, the keystore.jks file is created in the c:\temp\keys\directory.

3. Generate the certificate signing request by running the following command:

   keytool -certreq -keystore ABSOLUTE_KEYSTORE_PATH -alias ALIAS_NAME -keyalg KEY_ALGORITHM -file CERTIFICATE_FILE_ABSOLUTE_PATH
   

   For example:

   keytool -certreq -keystore c:\temp\keys\keystore.jks -alias example088196 -keyalg RSA -file c:\temp\keys\keystore.cert
   

   When prompted for the keystore password, enter the same password used for the keystore in Step 1, for example, example1234. This stores a certificate request in the file that you specified in the preceding command.

4. Get the certificate from a CA by using the certificate request generated in the previous step, and store the certificate in a file.

5. Export the keystore generated in Step 1 to a new certificate file, for example, myCert.cer, by running the following command:

   keytool –export –keystore ABSOLUTE_KEYSTORE_PATH -alias alias-name specified in step 1 -file CERTIFICATE_FILE_ABSOLUTE_PATH
   

   For example:

   keytool –export –keystore c:\temp\keys\keystore.jks -alias example088196 -file c:\temp\keys\myCert.cer
   

6. Import the CA certificate to a new keystore by running the following command:

   keytool -import -alias ALIAS_NAME -file CERTIFICATE_FILE_ABSOLUTE_PATH -keystore NEW_KEYSTORE_ABSOLUTE_PATH -storepass KEYSTORE_PASSWORD generated in Step 1
   

   For example:

   keytool -import -alias example088196 -file c:\temp\keys\rootCert.cert -keystore c:\temp\keys\rootkeystore.jks 
   

   When you run this command, it prompts for the keystore password, as shown:

   Enter keystore password:  example1234 [Enter]
   Trust this certificate? [no]:  yes [Enter]
   Certificate was added to keystore
   

   In this example, the instances when you can press Enter are shown in bold.

Configuring Oracle WebLogic Server

After creating and importing the keystore to the system, start Oracle WebLogic Server. To configure Oracle WebLogic Server:

1. Log in to the Oracle WebLogic Server console (http://localhost:7001/console) and perform the following:

   1. Expand the server node and select the server instance.

   2. Select the General tab.

   3. Select the SSL Port Enabled option.

   4. Ensure that a valid port is specified in the SSL Listen Port field. The default port is 7002.

   5. Click Apply to save your changes.

2. Click the Keystore & SSL tab, and click the Change link.

3. From the Keystores list, select Custom Identity And Custom Trust, and then click Continue.

4. Configure the keystore properties. To do so:

   1. In the Custom Identity Key Store File Name column, specify the full path of the keystore generated in Step 1 of "Generating Keystore", for example, c:\temp\keys\keystore.jks. In the Custom Identity Key Store Type column, specify the type of keystore, for example, JKS. In the Custom Identity Key Store Pass Phrase and Confirm Custom Identity Key Store Pass Phrase columns, specify the keystore password.

   2. In the Custom Trust and Custom Trust Key Store File Name column, specify the full path of the keystore generated in Step 1 of "Generating Keystore", for example, c:\temp\keys\rootkeystore.jks. In the Custom Trust Key Store Type column, specify the type of keystore, for example, JKS. In the Custom Trust Key Store Pass Phrase and Confirm Custom Trust Key Store Pass Phrase columns, specify the keystore password.

   3. Provide the Java standard trust keystore password. The default password is changeit.

   4. Click Continue.

5. Specify the alias name and private key password. Click Continue.

6. Click Finish.

7. Restart Oracle WebLogic Server. If the server starts successfully with the SSL configuration, then lines similar to the following are recorded in the startup log:

   <Apr 21, 2008 2:35:43 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "ListenThread.Default" listening on port 7001, ip address *.*> 
   <Apr 21, 2008 2:35:43 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "SSLListenThread.Default" listening on port 7002, ip address *.*>
   

   
   

   Note: The default SSL port for Oracle WebLogic Server is 7002.

   
   

2.3.1.6.4 Configuring SSL on Oracle Application Server

See "Oracle Application Server Administrator's Guide" for information about Configuring SSL on Oracle Application server.

2.3.1.7 Configuring SoD

This section discusses the following procedures for configuring SoD on Oracle Identity Manager release 11.1.1.3 BP02:

• Section 2.3.1.7.1, "Configuring the Oracle Applications Access Controls Governor to Act As the SoD Engine"

• Section 2.3.1.7.2, "Specifying a Value for the TopologyName IT Resource Parameter"

• Section 2.3.1.7.3, "Registering PeopleSoft and Oracle Application Access Controls Governor Instance in Oracle Identity Manager"

• Section 2.3.1.7.4, "Updating OAACG IT Resource Instance"

• Section 2.3.1.7.5, "Disabling and Enabling SoD"

2.3.1.7.1 Configuring the Oracle Applications Access Controls Governor to Act As the SoD Engine

See the "Configuring Oracle Application Access Controls Governor" section of the "Configuring SoD Validation" chapter in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about this procedure.

2.3.1.7.2 Specifying a Value for the TopologyName IT Resource Parameter

The TopologyName IT resource parameter holds the name of the combination of the following elements that you want to use for SoD validation of entitlement provisioning operations:

• Oracle Identity Manager installation

• Oracle Applications Access Controls Governor installation

• PeopleSoft installation

The value that you specify for the TopologyName parameter must be the same as the value of the topologyName element in the SILConfig.xml file. For Oracle Identity Manager release 11.1.1, if you are using default SIL registration, then specify oaacgpsft as the value of the topologyName parameter.

For more information about this element, see the "Configuring SoD Validation" chapter in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

See Section 2.2.1.3, "Configuring the IT Resource" section for information about specifying values for parameters of the IT resource.

To specify a value for TopologyName in the IT resource:

1. Log in to the Administrative and User Console.

2. On the Welcome page, click Advanced in the upper-right corner of the page.

3. Click Configuration, Manage IT Resource. The Manage IT Resource page is displayed.

4. Search for and edit "PSFT Server" IT resource or open any IT resource, which you have configured for PeopSoft User Management Connector.

5. In the Topology Name attribute, enter oaacgpsft.

6. Click Save.

2.3.1.7.3 Registering PeopleSoft and Oracle Application Access Controls Governor Instance in Oracle Identity Manager

To register PeopleSoft and Oracle Application Access Controls Governor (OAACG) instance in Oracle Identity Manager:

1. Register a new PeopleSoft and OAACG instance using the command:

   $OIM_HOME/server/bin/registration.sh

   The following snippet shows the example commands for registration:

   
   

2. Print the registration IDs of the registered instances using the command:

   $OIM_HOME/server/bin/registration.sh

   The following snippet shows the example commands for printing registration IDs:

   
   

3. Update SILConfig.xml with registration IDs:

   1. Export the SILConfig.xml using the command: $OIM_HOME/server/bin/weblogicExportMetadata.sh

      File Name: metadata/iam-features-sil/db/SILConfig.xml

   2. Update the OAACGPSFT topology with PeopleSoft and OAACG details using the command:

      <Topology>
      <name> oaacgpsft</name>
      <IdmId>1</IdmId>
      <SodId>7</SodId>
      <SDSId>6</SDSId>
      </Topology>
      

   3. Import the file back using weblogicImportMetadata.sh.

   4. Purge the cache using the command "PurgeCache.sh All" in the same directory.

2.3.1.7.4 Updating OAACG IT Resource Instance

To update OAACG IT Resource Instance:

1. Log in to the Administrative and User Console.

2. On the Welcome page, click Advanced in the upper-right corner of the page.

3. Click Configuration, Manage IT Resource. The Manage IT Resource page is displayed.

4. Search for and open OAACG as the resource type. Select PSFT-OAACG-ITRes and edit this IT resource.

5. Provide the OAACG environment details that is configured for PeopleSoft. Table Table 2-6 shows the sample values.

   Table 2-6 OAACG Environment Values

   Field Name	Sample Value	Description
   Source Datastore Name	PSFT 80	Name of the data source that you had specified during PeopleSoft ETL on OAACG server.
   Port	8080	Port of the OAACG server.
   dbuser	oaacg_850	Database user used to configure OAACG.
   dbpassword	ooacg_850	Database user password used to configure OAACG
   username	Admin	Username to log in to OAACG.
   password	Password	Password to log in to OAACG.
   server	10.1.6.82	Host machine where OAACG is running.
   sodServerUrl	http://10.1.6.82/grcc/services/GrccService	SOD Server URL
   sslEnable	False	True or false
   jdbcURL	jdbc:oracle:thin:@172.21.104.74:1521:orcl	Jdbc url to connect to OAACG database.

   
   

6. Click Save.

2.3.1.7.5 Disabling and Enabling SoD

This section describes the procedures to disable and enable SoD.

To disable SoD:

Note: The SoD feature is disabled by default. Perform the following procedure only if the SoD feature is currently enabled and you want to disable it.

1. Log in to the Administrative and User Console.

2. Set the XL.SoDCheckRequired system property to FALSE as follows:

   1. On the Welcome page, click Advanced in the upper-right corner of the page.

   2. On the Welcome to Identity Manager Advanced Administration page, in the System Management section, click Search System Properties.

   3. On the left pane, in the Search System Configuration field, enter XL.SoDCheckRequired, which is the name of the system property as the search criterion.

   4. In the search results table on the left pane, click the XL.SoDCheckRequired system property in the Property Name column.

   5. On the System Property Detail page, in the Value field, enter FALSE.

   6. Click Save to save the changes made.

      A message confirming that the system property has been modified is displayed.

3. Restart Oracle Identity Manager. Figure Figure 2-1 shows the details of disabling SoD.

Figure 2-1 Disable SoD

To enable SoD:

Note: If you are enabling SoD for the first time, then see Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information.

1. Log in to the Administrative and User Console.

2. Set the XL.SoDCheckRequired system property to TRUE as follows:

   1. On the Welcome page, click Advanced in the upper-right corner of the page.

   2. On the Welcome to Identity Manager Advanced Administration page, in the System Management section, click Search System Properties.

   3. On the left pane, in the Search System Configuration field, enter XL.SoDCheckRequired, which is the name of the system property as the search criterion.

   4. In the search results table on the left pane, click the XL.SoDCheckRequired system property in the Property Name column.

   5. On the System Property Detail page, in the Value field, enter TRUE.

   6. Click Save to save the changes made.

      A message confirming that the system property has been modified is displayed.

3. Restart Oracle Identity Manager. Figure Figure 2-2 shows the details of enabling SoD.

Figure 2-2 Enable SoD

2.3.1.8 Enabling Request-Based Provisioning

Note: Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.1 and you want to configure request-based provisioning.

In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource on the resource can be viewed and approved by approver's designated in Oracle Identity Manager.

Note: Do not enable request-based provisioning if you want to use the direct provisioning feature of the connector. See Oracle Identity Manager Connector Concepts for information about direct provisioning.

The following are features of request-based provisioning:

• A user can be provisioned only one resource (account) on the target system.

• Direct provisioning cannot be used if you enable request-based provisioning.

To enable request-based provisioning, perform the following procedures:

• Section 2.3.1.8.1, "Copying Predefined Request Datasets"

• Section 2.3.1.8.2, "Importing Request Datasets into MDS"

• Section 2.3.1.8.3, "Enabling the Auto Save Form Feature"

• Section 2.3.1.8.4, "Running the PurgeCache Utility"

2.3.1.8.1 Copying Predefined Request Datasets

A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. Predefined request datasets are shipped with this connector. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation.

The following is the list of predefined request datasets available in the DataSets directory on the installation media:

• ProvisionResource_PeoplesoftUser.xml

• ModifyProvisionedResource_PeoplesoftUser.xml

Copy the files from the DataSets directory on the installation media to the OIM_HOME/DataSet/file directory.

Depending on your requirement, you can modify the file names of the request datasets. In addition, you can modify the information in the request datasets. See the "Configuring Requests" chapter of Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about modifying request datasets.

2.3.1.8.2 Importing Request Datasets into MDS

Note: In an Oracle Identity Manager cluster, perform this procedure on any node of the cluster.

All request datasets (predefined or generated) must be imported into the metadata store (MDS), which can be done by using the Oracle Identity Manager MDS Import utility.

To import a request dataset definition into the MDS:

1. Ensure that you have set the environment variables for running the MDS Import utility. In the weblogic.properties file, set values for the wls_servername, application_name, and metadata_from_loc properties. See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about setting up the environment for MDS utilities.

2. In a command window, change to the OIM_HOME/server/bin directory.

3. Run one of the following commands:

   • On Microsoft Windows:

     weblogicImportMetadata.bat
     

   • On UNIX:

     weblogicImportMetadata.sh
     

4. When prompted, enter values for the following:

   • Please enter your username [weblogic]

     Enter the username used to log in to the Oracle WebLogic Server

     Sample value: WL_User

   • Please enter your password [weblogic]

     Enter the password used to log in to the WebLogic server

   • Please enter your server URL [t3://localhost:7001]

     Enter the URL of the application server in the following format:

     t3://HOST_NAME_IP_ADDRESS:PORT

     In this format, replace:

     • HOST_NAME_IP_ADDRESS with the host name or IP address of the computer on which Oracle Identity Manager is installed.

     • PORT with the port on which Oracle Identity Manager is listening.

   The request dataset is imported into MDS.

2.3.1.8.3 Enabling the Auto Save Form Feature

To enable the Auto Save Form feature:

1. Log in to the Design Console.

2. Expand Process Management, and then double-click Process Definition.

3. Search for and open the Peoplesoft User Management process definition.

4. Select the Auto Save Form check box.

5. Click the Save icon.

2.3.1.8.4 Running the PurgeCache Utility

Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Section 2.3.1.1, "Clearing Content Related to Connector Resource Bundles from the Server Cache" for instructions.

The procedure to enable enabling request-based provisioning ends with this step.

2.3.2 Postinstallation on the Target System

Postinstallation on the target system consists of the following procedure:

Configuring SSL

To configure SSL on the target system:

1. Copy the certificate to the computer on which PeopleSoft Enterprise Applications is installed.

   
   

   Note: If you are using IBM WebSphere Application Server, then you must download the root certificate from a CA.

   
   

2. Run the following command:

   PEOPLESOFT_HOME/webserv/peoplesoft/bin/pskeymanager.cmd -import
   

3. When prompted, enter the current keystore password.

4. When prompted, enter the alias of the certificate that you imported while performing the application server specific procedures listed in Section 2.3.1.6, "Configuring SSL."

   
   

   Note: The alias must be the same as the one created when the keystore was generated. If you are using IBM WebSphere Application Server, then enter root as the alias.

   
   

5. When prompted, enter the full path and name of the certificate and press Enter.

   
   

   Note: If you are using IBM WebSphere Application Server, then enter the path of the root certificate.

   
   

6. When prompted for the following:

   Trust this certificate? [no]: yes 
   

   Select yes and press Enter.

7. Restart the Web server of the target system.