Sun Java System Identity Installation Pack 2005Q4M3 SP2 Release Notes |
Documentation Additions and Corrections
About the Identity System Software GuidesIdentity system software documentation is arranged in multiple guides, which are provided in Acrobat (.pdf) format on the Identity Install Pack CD. The release includes the following guides.
Identity System Software
Install Pack Installation (Identity_Install_Pack_Installation_2005Q4M3.pdf) — Describes how to install and update Identity system software.
Identity Manager
- Identity Manager Administration (IDM_Administration_2005Q4M3.pdf) — Provides an introduction to the Identity Manager Administrator and User interfaces.
- Identity Manager Upgrade (IDM_Upgrade_2005Q4M3.pdf) — Provides information to assist in planning for and executing upgrades.
Note For this release, Identity Manager Technical Deployment and Identity Manager Technical Reference were reorganized into the following publications:
- Identity Manager Technical Deployment Overview (IDM_Deployment_Overview_2005Q4M3.pdf) — Conceptual overview of the Identity Manager product (including object architectures) with an introduction to basic product components.
- Identity Manager Workflows, Forms, and Views (IDM_Workflows_Forms_Views_2005Q4M3.pdf) — Reference and procedural information that describe how to use the Identity Manager workflows, forms, and views — including information about the tools you need to customize these objects.
- Identity Manager Deployment Tools (IDM_Deployment_Tools_2005Q4M3.pdf) — Reference and procedural information that describe how to use different Identity Manager deployment tools; including rules and rules libraries, common tasks and processes, dictionary support, and the SOAP-based Web service interface provided by the Identity Manager server.
- Identity Manager Resources Reference (IDM_Resources_Reference_2005Q4M3.pdf) — Reference and procedural information that describe how to load and synchronize account information from a resource into Sun Java System Identity Manager. Additional adapters are documented in ResourcesRef_Addendum_2005Q4M3SP1.pdf
- Identity Manager Audit Logging (IDM_Audit_Logging_2005Q4M3.pdf) — Reference and procedural information that describe how to load and synchronize account information from a resource into Sun Java System Identity Manager.
- Identity Manager Tuning, Troubleshooting, and Error Messages (IDM_Troubleshooting_2005Q4M3.pdf) — Reference and procedural information that describe Identity Manager error messages and exceptions, and provide instructions for tracing and troubleshooting problems you might encounter as you work.
Identity Auditor
Identity Auditor Administration (IDA_Administration_2005Q4M3.pdf) - Provides an introduction to the Identity Auditor Administrator interface.
Identity Manager Service Provider Edition
Navigating the Online GuidesUse the Acrobat Bookmarks feature to navigate the guides. Click a section name in the bookmark panel to jump to that section location in the document.
The Identity Manager documentation set can be seen from any Identity Manager installation by navigating to idm/doc in your web browser.
Install Pack InstallationCorrections
Preface
Removed the erroneous cross reference to Appendix H from How to Find Information in this Guide. (ID-12369)
Chapter 1: Before You Install
- Removed Microsoft Exchange 5.5 as a Supported Resource from the Supported Resources table. It has been deprecated. (ID-12682)
- Added Lotus Notes® 6.5.4 (Domino) as a Supported Resource to the Supported Resources table. (ID-12226)
- Added JDK 1.5 as a supported Java version in multiple instances. (ID-12984)
- Modified the ERP Systems SAP information in the Supported Resources table to: (ID-12635)
- Modified the Red Hat information in the Supported Resources table to:
- Added the section Repository Database Servers and the following information under Supported Software and Environments: (ID-12425)
Chapter 2: Installing Identity Install Pack for Tomcat
The chapter now supports Apache Tomcat application server, Versions 4.1.x or 5.0.x.
Chapter 4: Installing Identity Install Pack for WebSphere
- The chapter now deals with installing Websphere 5.1 express and 6.0. (ID-12655, 12656) The following notes and information have been added at the points indicated:
Note The following step is not necessary when installing Identity Install Pack 6.0 or later.
4. Change to the staging directory, and delete the following files, if they exist:
WEB-INF\lib\cryptix-jce-provider.jar
WEB-INF\lib\cryptix-jce-api.jar
25. Download the latest jlog package from WebSphere at:
http://www.alphaworks.ibm.com/tech/loggingtoolkit4j
Note The jlog package is now incorporated in WebSphere’6.0. Download this only for earlier versions.
- Because you must install JDK 1.4.2 for this release, the section For JDK 1.3.x: is no longer applicable. In the same chapter, the section For JDK 1.4 should be changed to For JDK 1.4.2.
Chapters 7/8: Installing Identity Install Pack for Sun ONE/Sun Java System Application Server 7/8
- Added the following corrected information under Installation Steps > Step 5: Edit the server.policy File > example permissions: (ID-12292)
permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/ idm/config/trace1.log", "read,write,delete";
permission java.io.FilePermission "$(java.io.tmpdir)$(/)*", "read,write,delete";
- Added the following information under Installation Steps > Step 5: Edit the server.policy File > example permissions:
If you want to run with Identity Manager Service Provider Edition, add the following permission to the above server.policy file entries.
permission java.lang.RuntimePermission "shutdownHooks";
Chapter 14: UnInstalling Applications
Removed _Version_ from the syntax example under Remove the Software > On UNIX > Step 3. (ID-7762)
Chapter 15: Installing The Applications (Manual Installation)
Corrected syntax example under Installation Steps > Step 3: Configure the Identity Install Pack Index Database Connection > Non-Xwindows Environments > Step 3 to: (ID-5821)
3. Set your license key with the following commands:
cd idm/bin
./lh license set -f LicenseKeyFileAppendix A: Index Database Reference
Changed syntax example under table entry SQL Server to: (ID-12784)
URL:
“sqlserver://host.your.com:1433; DatabaseName=dbname;SelectMethod=Cursor”Appendix C: Configuring Data Sources for Identity Manager
- Multiple IIOP URLs are not supported. (ID-12499) Removed the following incorrect information under Configuring a WebSphere Data Source for Identity Manager > Configuring a Websphere 5 Data Source > Configure the DataSource in a Websphere Cluster:
If the application servers do not have the same port specified in the BOOTSTRAP_ADDRESS property, the java.naming.provider.url can specify multiple URLs, for example:
iiop://localhost:9812,iiop://localhost:9813.
- All j2c.properties which were used in WebSphere version 5 are now part of the resources.xml file in WebSphere version 6. Added information about Configuring a Websphere 5.1/6.x Data Source and Configuring the 6.x Authentication Data. Removed Configuring a Websphere 4.x Data Source information. (ID-12767) Changes involved the following sections:
Configuring a JDBC Provider
Use WebSphere's administration console to configure a new JDBC Provider.
- Click the Resources tab in the left pane to display a list of resource types.
- Click JDBC Providers to display a table of configured JDBC providers.
- Click the New button above the table of configured JDBC providers.
- Select from the list of JDBC database types, jdbc type and implementation type. Click Next.
Oracle, Oracle JDBC Drive, and Connection pool Data Source will be used for this example.
- Continue configuring general properties.
- Specify the name.
- Specify the path to the JAR that contains the JDBC driver in the Classpath field. For example, to specify the Oracle thin driver, specify a path similar to the following:
/usr/WebSphere/AppServer/installedApps/idm/idm.ear/idm.war/WEB- INF/lib/oraclejdbc.jar
Note You can use the administration console to specify the path to the JAR that contains the JDBC Driver. From the menu labeled Environment, select the WebSphere Variable menu item. On that pane, first choose the cell, node, and server for which to define this environment variable. Then specify the path to the JAR as the value of this variable.
- Specify the fully qualified name of the JDBC Driver class in the Implementation ClassName field.
- You may also change the name or description of the provider to anything you choose.
When you are finished, click the OK button at the bottom of the table. The right pane should display the provider you added.
To configure a data source that uses this JDBC provider, see “Point the Identity Manager Repository to the Data Source.”
Configuring a Websphere JDBC Data Source
Before you can finish configuring the data source, you must configure authentication data. These aliases contain credentials that are used to connect to the DBMS.
Configure the 5.1 Authentication Data
- Click on the Security tab in the left pane to display a list of security configuration types.
- Click on the JAAS Configuration tab in the left pane to display a list of JAAS configuration types.
- Click on the J2C Authentication Data tab in the left pane. The right pane displays a table of authentication data entries.
- Click the New button above the table of authentication data entries. The right pane displays a table of general properties that can be configured.
- Configure the general properties for the new authentication data entry. Note the following:
Next, configure the data source.
Configure the 6.x Authentication Data
- Click Security > Global security.
- Under Authentication, click JAAS configuration > J2C authentication data. The J2C Authentication Data Entries panel is displayed.
- Click New.
- Enter a unique alias, a valid user ID, a valid password, and a short description (optional).
- Click OK or Apply. No validation for the user ID and password is required.
- Click Save.
Note The newly created entry is visible without restarting the application server process to use in the data source definition. But the entry is only in effect after the server is restarted.
Configure the Data Source
Note If configuring a data source in a Websphere 5.x cluster, see “Configure the DataSource in a Websphere Cluster” for more information.
- Click the Resources tab in the left pane to display a list of resource types.
- Click JDBC Providers to display a table of configured JDBC providers.
- Click on the name of a JDBC provider in the table. The right pane displays a table of general properties configured for the selected JDBC provider.
- Scroll down to a table of additional properties. Click on Data Sources. The right pane displays a table of data sources configured for use with this JDBC provider.
Note Be aware of the Scope field at the top of the frame in the WebSphere administration console. Ensure that Node and Server are blank so that the cell information is presented for configuration underneath the New and Delete buttons.
- Click the New button above the table of data sources. The right pane displays a table of general properties to configure.
- Configure the general properties for the new data source. Note the following:
- The JNDI Name is the path to the DataSource object in the directory service.
You must specify this same value as the -f argument in
setRepo -tdbms -iinitCtxFac -ffilepath.- Container-managed persistence should be left unchecked. Identity Install Pack does not use Enterprise Java Beans (EJBs).
- Component-managed Authentication Alias points to the credentials that will be used to access the DBMS (to which this DataSource points).
- Select from the drop-down list the alias that contains the appropriate set of DBMS credentials. See Configure the 5.1 Authentication Data for more information.
- Container-managed Authentication Alias is not used. Set this value to (none). Identity Install Pack makes its own connection to the DBMS (to which this DataSource points).
- Click OK when you have configured this panel. The Data Sources page is displayed.
- Click the DataSource you created. Then scroll down to the table of Additional Properties near the bottom. Click the Custom Properties link.
The right pane displays a table of DBMS-specific properties.
- Configure the custom properties for this DataSource. Click on the link for each property to set its value. Note the following:
- URL is the only required property. This database URL identifies the database instance and contains driverType, serverName, portNumber and databaseName.You may also specify some of these as individual properties.
- driverType in this example is thin.
- serverName is a host name (or an IP address).
- databaseName is usually a short database name.
- portNumber is 1521 by default for Oracle.
- preTestSQLString may be worth configuring to a value such as SELECT 1 FROM USEROBJ. This SQL query confirms that the USERJOB table exists and is accessible.
- From the table of Additional Properties, you may also click the Connection Pool link if you wish to configure these properties for performance tuning.
Appendix E: Configuring JCE
A note should appear as follows:
Note Because you must install JDK 1.4.2 for this release, all supported environments should now have a JCE 1.2 included and information in this appendix is no longer applicable.
Additions
Chapter 1: Before You Install
- Added the following note under Setup Task Flow > Bullet Install and configure the Identity Install Pack software: (ID-8431)
Note On Unix or Linux systems:
- Added the following note to Prerequisite Tasks > Set Up an Index Database > Setting Up SQL Server > step 3b: (ID-11835)
Note The following files that need to be in the $WSHOME/WEB-INF/lib directory:
db2jcc
db2jcc_license_cisuz.jar or db2jcc_license_cu.jar- Added the following note under Supported Software and Environments > Application Servers: (ID-12385)
Note Your current application server container must support UTF-8.
Chapter 2: Installing Identity Install Pack for Tomcat
- Added the following step to Installation Steps > Step 1: Install the Tomcat Software > Installing on UNIX: (ID-12487)
2. Add the Java mail.jar and activation.jar files to the ./tomcat/common/lib directory. The mail and activation jar files can be found at:
http://java.sun.com/products/javamail
http://java.sun.com/products/beans/glasgow/jaf.html- Added the following steps to Installation Steps > Step 1: Install the Tomcat Software > Installing on UNIX: (ID-12462)
3. When configuring Tomcat to support UTF-8, add the URIEncoding="UTF-8" attribute to the connector element in the TOMCAT DIRconf/server.xml file, for example:
<!-- Define a non-SSL Coyote HTTP/1.1 Connector on the port specified during installation -->
<Connector port="8080"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false" redirectPort="8443"
acceptCount="100" debug="0" connectionTimeout="20000"
disableUploadTimeout="true"
URIEncoding="UTF-8" />
4. When configuring Tomcat to support UTF-8, also add -Dfile.encoding=UTF-8 in your java vm options.
Chapter 13: Updating Identity Manager
Added a cross reference to Identity Manager Upgrade to assist users in finding complete upgrade information. (ID-12366)
Chapter 15: Installing The Applications (Manual Installation)
Added the following note under Installation Steps > Step 2: Install the Application Software: (ID-8344)
Note As of the 5.0 SP3 release the adapter classes are now contained in the idmadapter.jar file. If you have a custom adapter, you might need to update your class path.
Appendix B: Configuring MySQL
Added the following information under Configuring MySQL > step 3 Start the MySql process: (ID-12461)
If this process has not been started, then use the following steps to register and start MySQL.
On Windows, if you are installing in a directory other than c:\mysql then create a file called c:\my.cnf with the following content:[mysqld]
basedir=d:/mysql/
default-character-set=utf8
default-collation=utf8_binOn Windows, install and start the service:
cd <MySQL_Install_Dir>/bin
mysqld-nt --install
net start mysqlAppendix C: Configuring Data Sources for Identity Manager
Added the following information under Configuring a WebSphere Data Source for Identity Manager > Point the Identity Manager Repository to the Data Source: (ID-12071)
8. Point the repository to the new location. For example:
lh -Djava.ext.dirs=$JAVA_HOME/jre/lib/ext:$WAS_HOME/lib setRepo
-tdbms -iinitCtxFac
-ffilepath -uiiop://localhost:bootstrap_port
-Uusername
-Ppassword
-toracle icom.ibm.websphere.naming.WsnInitialContextFactory - fDataSourcePathIn the above example the DataSourcePath might be jdbc/jndiname. The bootstrap_port is the WebSphere server bootstrap address port.
The -Djava.ext.dirs option adds all of the JAR files all of the JAR files in WebSphere's lib/ and java/jre/lib/ext/ directories to the CLASSPATH. This is necessary in order for the setrepo command to run normally.
Change the -f option to match the value you specified for the JNDI Name field when configuring the data source. See setrepo Reference for more information about this command.
Identity Manager UpgradeAdditions
Chapter 1: Upgrade Overview
Added the following item to the section Example Upgrade: (ID-12467)
Use care when editing the super role field in the Role Form. The super role itself may be a nested role. The super and sub roles fields indicate a nesting of roles and their associated resources or resource groups. When applied to a user, the super role includes the resources associated with any designated sub role. The super role field is displayed to indicate the roles that include the displayed role.
Chapter 3: Develop the Upgrade Plan
Added the following to the section Upgrade the Environment Upgrade From Identity Manager 5.x to 6.x. (ID-12361)
Step 2: Update the Repository Database Schema
Identity Manager 6.0 involves a schema change that introduces new tables for tasks, groups, organizations, and the syslog table. You must create these new table structure and move your existing data.
Note Before updating the repository schema, make a full backup of your Repository tables.
- Identity Manager uses two tables to store user objects. Sample scripts (in the sample directory) can be used to make schema changes.
Refer to the sample/upgradeto2005Q4M3.DatabaseName script to update your repository tables.
Note The update of MySQL databases is highly involved. Refer to sample/upgradeto2005Q4M3.mysql for further details.
Identity Manager Administration GuideAdditions
- If sunrise is configured, creating a user creates a work item that can be viewed from the Approvals tab. Approving this item overrides the sunrise date and creates the account; rejecting the item cancels account creation.
- When scheduling reconciliation, you can now provide the name of a Rule to be used to customize the schedule. For example, the Rule can push Reconciliations scheduled for a Saturday to the following Monday. (ID-11391)
Chapter 4: Administration
Delegating Approvals
If you have approver capabilities, then you can delegate your future approval requests to one or more users (delegates) for a specified period of time. Users do not need approver capabilities to be delegates.
The delegation feature applies only to future approval requests. Existing requests (those listed under the Awaiting Approval tab) are forwarded through the forwarding feature.
To set up delegation, select the Delegate My Approvals tab in the Approvals area.
Notes
- Access to the delegation feature is available if you are assigned any capability that grants you the Delegate right to either WorkItem or any authType extension of WorkItem, including Approval, OrganizationApproval, ResourceApproval, and RoleApproval; or any custom subtype that extends WorkItem or one of its authTypes.
- You also can delegate approvals from the Security form tab of the Create/Edit/View User pages, and from the User Interface main menu.
Delegates can approve any requests during the effective delegation period on your behalf. Delegated approval requests include the name of the delegate.
Audit Log Entries for Requests
Audit log entries for approved and rejected approval requests include your (the delegator’s) name if the request was delegated. Changes to a user's delegate approver information will be logged in the detailed changes section of the audit log entry when a user is created or modified.
Chapter 5: Configuration
Configuring Identity Attributes from Resource Changes
Identity Attributes define how attributes on resources relate to each other. When you create or modify a resource, it can affect these attribute relationships.
When you save a resource, Identity Manager displays the Configure Identity Attributes? page. From here, you can choose to:
- Continue to the Configure Identity Attributes from Resource Changes page and configure attributes. Click Yes to continue.
- Return to the resource list. Click No to return.
- Disable this page for future resource updates. Click Do not ask me again to disable the page.
Note Do not ask me again button is visible only to users with capabilities to modify the MetaView.
Re-enabling the Configure Identity Attributes? Page
If this page is disabled, then use one of these methods to re-enable it:
- Use the Identity Manager debug facility to edit the logged-in user's WSUser object. Change the value of the idm_showMetaViewFromResourceChangesPage property to a value of true.
- Add a field similar to the following sample to the user form (for example, the Tabbed User Form), and then use the Edit User page to change the value of this setting:
<Field name='accounts[Lighthouse].properties.displayMetaViewPage'>
<Display class='Checkbox'>
<Property name='label' value='Display Meta View?'/>
</Display>
</Field>Configuring Attributes
Use the Configure Identity Attributes from Resource Changes page to select attributes from the schema maps of modified resources to be used as sources and targets for the Identity Attributes. In some cases, you cannot select attributes in the Source and Target columns. You cannot select an attribute as a source if:
You cannot select an attribute as a target if:
- There is an Identity Attribute stored globally with the same name. For example, if there is a global Identity Attribute named "firstname", then the firstname target option is selected and cannot be de-selected.
- The attribute is marked as read-only in the schema map.
- The resource's create and update account features are disabled or not supported by the resource.
Chapter 7: Security
Limiting Concurrent Login Sessions
By default, an Identity Manager user can have concurrent login sessions. However, you can limit concurrent sessions to one per login application by changing the value of the security.authn.singleLoginSessionPerApp configuration attribute in the system configuration object. This attribute is an object that contains one attribute for each login application name (for example, the Administrator Interface, User Interface, or BPE). Changing the value of this attribute to true enforces a single login session for each user.
If enforced, then a user can log in to more than one session; however, only the last logged-in session remains active and valid. If the user performs an action on an invalid session, then he is automatically forced off the session and the session terminates.
Chapter 8: Reporting
In the section titled Summary Reports, the description of user report now includes ability to search for users by manager: (ID-12690)
Chapter 10: PasswordSync
- Added instructions for configuring Windows PasswordSync with a Sun JMS server. See the Configuring PasswordSync with a Sun JMS Server document that accompanies these release notes. (ID-11788)
- Added the following new section to describe High Availability architecture with failover for PasswordSync. (ID-12634)
- Added a section that describes how to implement PasswordSync without using a Java Messaging Server. (ID-14974)
Failover Deployment for Windows PasswordSync
PasswordSync’s architecture provides for the elimination of any single point of failure in the Windows password synchronization deployment for Identity Manager.
If you configure each Active Directory Domain Controller (ADC) to connect to one in a series of JMS clients through a Load Balancer (see the following figure), the JMS clients can send messages to a Message Queue Broker cluster, which ensures that no messages will be lost if any Message Queue fails.
Note Your Message Queue cluster will probably require a database for persistence of messages. (Instructions for configuring a Message Queue broker cluster should be provided in your vendor’s product documentation.)
The Identity Manager server that is running the JMS Listener adapter configured for automatic failover will contact the Message Queue broker cluster. Although the adapter executes on only one Identity Manager at a time, if the primary ActiveSync server fails, the adapter will begin polling for password-related messages on a secondary Identity Manager server and propagating password changes out to downstream resources.
Implementing PasswordSync without a Java Messaging Service
To implement PasswordSync without a JMS, launch the configuration application with the following flag:
Configure.exe -direct
When the -direct flag is specified, the configuration application displays the User tab. Configure PasswordSync using the procedures described in “Configuring PasswordSync”, with the following exceptions:
If you implement PasswordSync without a JMS, you do not need to create a JMS Listener adapter. Therefore, you should omit the procedures listed in “Deploying PasswordSync”. If you want to set up notifications, you may need to alter the Change User Password workflow.
Note If you subsequently run the configuration application without specifying the
-direct flag, PasswordSync will require a JMS to be configured. Relaunch the application with the -direct flag to bypass the JMS again.
Corrections
Chapter 5: Resources
In the custom resource class table, the custom resource class for the ClearTrust resource adapter is corrected as follows: (ID-12681)
com.waveset.adapter.ClearTrustResourceAdapter
Chapter 10: PasswordSync
In the section titled Configuring PasswordSync, under JMS Settings Dialog, the following description of Queue Name is corrected as follows:
lh Reference
Command syntax has been updated to correctly indicate a space after specified options. (ID-12798)
When using the -p option, for security reasons, Password should be specified as a path to a text file containing a password, rather than specified directly at the command line.
Examples
license command
Usage
license [options] { status | set {parameters} }
Options
Parameters for the set option must be in the form -f File.
Identity Manager Workflows, Forms, and ViewsChapter 1: Workflows
The discussion of manual actions in this chapter should contain the following information:
If a work item's itemType is set to wizard, the work item will, by default, bypass getting forwarding approvers when checking out the WorkItem view. If the itemType is anything other than wizard, then Identity Manager still fetches the forwarding approvers unless CustomUserList is set to true as a property of the form that is being used with the manual action. (ID-10777)
To do this, include the following code in the form:
<Form>
<Properties>
Property name='CustomUserLists' value='true'/>
</Properties>
Chapter 2: Workflow Services
Identity Manager provides the checkStringQualityPolicy Workflow Service method, which checks the value of a designated string against string policy. (ID-12428, 12440)
The method returns a checkPolicyResult object. A value of true indicates that the string passes the policy test. If the string does not pass the policy test, the method returns an error message. If you have set the returnNull option to true on the map parameter, the method returns a null object upon success.
Chapter 3: Forms
Identity Manager can identify in the display whether an attribute in a resource's schema map is required. Edit User form identifies these attributes by a * (asterisk). By default, Identity Manager displays this asterisk after the text field that follows the attribute name. (ID-10662)
To customize the placement of the asterisk, follow these steps:
- Using the Identity Manager BPE or your XML editor of choice, open the Component Properties configuration object.
- Add EditForm.defaultRequiredAnnotationLocation=left to the <SimpleProperties> tag.
Valid values for defaultRequiredAnnotationLocation include left, right, and none.
- Save your changes, and restart your application server.
Chapter 4: FormUtil Methods
This method returns a value of true indicates that the string passes the policy test. If the string does not pass the policy test, the method returns an error message. If you have set the returnNull option to true on the map parameter, the method returns a null object upon success.
- Identity Manager now provides the controlsAtLeastOneOrganization FormUtil method. (ID-9260)
controlsAtLeastOneOrganization(LighthouseContext s, List organizations)
throws WavesetException {
Determines whether a currently authenticated user controls any of the organizations specified on a list of one or more organization (ObjectGroup) names. The supported list of organizations include those returned by listing all objects of type ObjectGroup.
This method returns:
true – Indicates that the current authenticated Identity Manager user controls any one of the organizations in the list.
false – Indicates that the current authenticated Identity Manager user does not control any organizations in the list.
Chapter 5: Views
Account Types
This release of Identity Manager provides support for assigning users multiple accounts on a resource with account types. (ID-12697) You can now optionally assign an account type on a resource when assigning resources to a user, with the following limitations:
An administrator must first define an account type on a resource before you can associate it with a resource. An IdentityRule must also be defined. (See samples/identityRules.xml for examples of Identity rules.)
Identity Manager uses the IdentityRule subtype to associate a rule with an account type. This rule generates accountIds as needed. (These rules function similarly to the Identity Template, but are implemented in XPRESS and have access to the LighthouseContext API).
Consult Identity Manager Administration for a discussion on how to use the Identity Manager Administrator Interface to assign account types to resources.
Omitting the Account Type
If you omit an account type on a resource, Identity Manager assigns the default account type, which provides backwards compatibility. However, if no resource has an account type defined, this function is disabled.
The default account type uses the Identity Template. However, you can also specify that the default type use a specified rule instead of the Identity Template.
The default account type is unique in that a user can assign multiple accounts of that type. However, best practice suggests not assigning multiple accounts of the same type.
View-Related Changes
The following changes to Identity Manager views support account types.
- The Resource view now has an accountType attribute (List). Each
entry is an object with an identityRule attribute, which names the
rule used to generate accountIds for this type.- The resources attribute of both the Role and Application views now allow the use of qualified resource assignments. The syntax for these qualified assignments is <resource name>|<account type>.
- The User view now contains the waveset.resourceAssignments attribute, which takes qualified resource assignments. (waveset.resources contains only unqualified references.) You can change either attribute, but best practice suggests using only waveset.resourceAssignment for updates and waveset.resources for read-only purposes.)
How you access the objects in the User view accounts attribute has not changed with the addition of this new feature. Use qualified resource names to index the accounts list (for example, accounts[resource|type] selects the resource account for that resource and type combination. If you are not specifying a type, you can still access these objects through accounts[resource].)
- Related views, including Deprovision and Change Password, also use this type of addressing. The objects in this list also now have a new attribute accountType, which specifies the account type of the resource account.
Delegate Approvers View
Use this view to assign one or more Identity Manager users as delegate approvers to an existing approver. This enables an approver to delegate his approval capabilities for a specified period of time to users who may not be approvers themselves.High-level attributes include: (ID-12754)
Note The User view contains these same attributes, (with the exception of the name attribute). These new attributes are contained within the accounts[Lighthouse]. namespace.
name
Identifies the user who is delegating approvals.
delegateApproversTo
Specifies to whom the user is delegating approvals where valid values include manager, selectedUsers, or delegateApproversRule.
delegateApproversSelected
delegateApproversStartDate
Specifies the date on which to start approval delegation. By default, the selected start date’s hours and minutes are 12:01 am of that day.
delegateApproversEndDate
Specifies the date to end approval delegation. By default, the selected end date’s hours and minutes are 11:59 pm of that day
The Role view documentation has been updated as follows. (ID-12390)
Role View
Used to define Identity Manager role objects.
When checked in, this view launches the Manage Role workflow. By default, this workflow simply commits the view changes to the repository, but it also provides hooks for approvals and other customizations.
The following table lists the high-level attributes of this view.
Table 1. Role View Attributes
name
Identifies the name of the role. This corresponds to the name of a Role object in the Identity Manager repository.
resources
Specifies the names of locally assigned resources.
applications
Specifies the names of locally assigned applications (Resource Groups).
roles
Specifies the names of locally assigned roles.
assignedResources
Flattened list of all assigned resources via resources, applications, and roles.
resourceNameIdentifies the name of the assigned resource.
nameIdentifies the resource name or ID (preferably ID).
attributesIdentifies the characteristics of the resource. All subattributes are strings and are editable.
Table 2. attribute Options (Role View)
- notifications -- Lists the names of administrators that must approve the assignment of this role to a user.
- approvers -- Specifies the names of the approvers that must approve the assignment of this role to a user.
- properties -- Identifies the user-defined properties that are stored on this role.
- organizations -- Lists organizations of which this role is a member.
- The Resource Account views (Deprovision view, Disable view, Enable view, Password view, Rename User view, Reprovision view, and Unlock view) now support two new view options that you can use to fetch resource account attributes for the user. (ID-12482)
- fetchAccounts – (Boolean) Causes the view to include account attributes for the resources assigned to the user
- fetchAccountResources – Lists resource names to fetch from. If unspecified, all assigned resources will be used.
You can most easily set these options as form properties. (For more information, see the discussion of the WorkItem List view in the Views chapter of this guide).
Chapter 6: XPRESS Language
- The instanceOf function is not currently documented in the XPRESS language chapter. This function identifies whether an object is an instance of the type specified in the name parameter. (ID-12700)
name – identifies the object type you are checking against.
This function returns 1 or 0 (true or false) depending on whether the sub expression object is an instance of the type specified in the name parameter.
The following expression returns 1 because ArrayList is a List
<instanceof name='List'>
<new class='java.util.ArrayList'/>
</instanceof>
Chapter 8: HTML Display Components
- The description of the SortingTable component has been revised as follows:
Use to create a table whose contents can be sorted by column header. Child components determine the content of this table. Create one child component per column (defined by the columns property). Columns are typically contained within a FieldLoop.
This component respects the align, valign, and width properties of the children components when rendering the table cells. (ID-12606)
- Identity Manager now provides the InlineAlert display component. (ID-12606)
Displays an error, warning, success, or informative alert box. This component is typically located at the top of a page. You can display multiple alerts in a single alert box by defining child components of type InlineAlert$AlertItem.
Properties for this display component include:
- alertType – Specifies the type of alert to display. This property determines the styles and images to use. Valid values are error, warning, success, and info. The value of this property defaults to info. This property is valid only for InlineAlert.
- header – Specifies the title to display for the alert box. This can be either a string or a message object. This property is valid for InlineAlert or InlineAlert$AlertItem.
- value – Specifies the alert message to display. This value can either be a string or a message object. This property is valid for InlineAlert or InlineAlert$AlertItem.
- linkURL – Specifies an optional URL to display at the bottom of the alert. This property is valid for InlineAlert or InlineAlert$AlertItem.
- linkText – Specifies the text for the linkURL. This can be either a string or a message object. This property is valid for InlineAlert or InlineAlert$AlertItem.
- linkTitle – Specifies the title for the linkURL. This can be either a string or a message object. This property is valid for InlineAlert or InlineAlert$AlertItem.
Examples
Single alert message<Field>
<Display class='InlineAlert'>
<Property name='alertType' value='warning'/><Property name='header' value='Data not Saved'/>
<Property name='value' value='The data entered is not yet saved.
Please click Save to save the information.'/></Display>
</Field>
Multiple alert messagesDefine alertType only within the InlineAlert property. You can define other properties in the InlineAlert$AlertItems.
<Field>
<Display class='InlineAlert'>
<Property name='alertType' value='error'/>
</Display>
<Field>
<Display class='InlineAlert$AlertItem'>
<Property name='header' value='Server Unreachable'/>
<Property name='value' value='The specified server could not
be contacted. Please view the logs for more information.'/>
<Property name='linkURL' value='viewLogs.jsp'/>
<Property name='linkText' value='View logs'/>
<Property name='linkTitle' value='Open a new window with
the server logs'/>
</Display>
</Field>
<Field>
<Display class='InlineAlert$AlertItem'>
<Property name='header' value='Invalid IP Address'/>
<Property name='value' value='The IP address entered is
in an invalid subnet. Please use the 192.168.0.x subnet.'/> </Display>
</Field>
</Field>
- Identity Manager now provides the Selector display component. (ID-12729)
Provides a single- or multi- valued field (similar to Text or ListEditor components, respectively) with search fields below. After a search is executed, Identity Manager displays results beneath the search fields and populates the results into the value field.
Unlike other container components, Selector has a value (the field we are populating with search results). The contained fields are typically search criteria fields. Selector implements a property to display the contents of the search results.
Properties include:
- fixedWidth – Specifies whether the component should have a fixed width (same behavior as Multiselect). (Boolean)
- multivalued – Indicates whether the value is a List or a String. (The value of this property determines whether a ListEditor or Text field is rendered for the value). (Boolean)
- allowTextEntry – Indicates whether values must be selected from the supplied list or can be entered manually. (Boolean)
- valueTitle – Specifies the label to use on the value component. (String)
- pickListTitle – Specifies the label to use on the picklist component. (String)
- pickValues – the available values in the picklist component (if null, the picklist is not shown). (List)
- pickValueMap – a map of display labels for the values in the picklist. (Map or List)
- sorted – Indicates that the values should be sorted in the picklist (if multivalued and not ordered, the value list will also be sorted). (Boolean)
- clearFields – Lists the fields that should be reset when the Clear button is selected. (List)
The following properties are valid only in a multi-valued component:
- ordered – Indicates that the order of values is important. (Boolean)
- allowDuplicates – Indicates whether the value list can contain duplicates. (Boolean)
- valueMap– Provides a map of display labels for the values in the list. (Map)
These properties are valid only in a single-valued component:
- nullLabel – Specifies a label to use to indicate a value of null. (String)
- The descriptions of the Select and MultiSelect components have been revised as follows to include discussion of the caseInsensitive property. (ID-13364)
MultiSelect Component
Displays a multi-selection object, which Identity Manager displays as two side-by-side text selection keys in which a defined set of values in one box can be moved to another box. Values in the left box are defined by the allowedValues property, values are often obtained dynamically by calling a Java method such as FormUtil.getResources. The values displayed in the right multi-selection box are populated from the current value of the associated view attribute, which is identified through the field name.
You can set the form titles for each box in this multi-selection object through the availabletitle and selectedtitle properties.
If you want a MultiSelect component that does not use an applet, set the noApplet property to true.
Note If you are running Identity Manager on a system running the Safari browser, you must customize all forms containing MultiSelect components to set the noApplet option. Set this option as follows:
<Display class='MultiSelect'>
<Property name='noApplet' value='true'/>
...
Properties for this display component include:
- availableTitle – Specifies the title of the available box.
- selectedTitle – Specifies the title of the selected box.
- ordered – Defines whether selected items can be moved up or down within the list of items in the text box. A true value indicates that additional buttons will be rendered to permit selected items to be moved up or down.
- allowedValues – Specifies the values associated with the left box of the multi-selection object. This value must be a list of strings. Note: The <Constraints> element can be used to populate this box, but its use is deprecated.
- sorted – Specifies that the values in both boxes will be sorted alphabetically.
- noApplet – Specifies whether the MultiSelect component will be implemented with an applet or with a pair of standard HTML select boxes. The default is to use an applet, which is better able to handle long lists of values. See preceding note for information on using this option on systems running the Safari browser.
- typeSelectThreshold – (Available only when the noApplet property is set to true.) Controls whether a type-ahead select box appears under
the allowedValue list. When the number of entries in the left select
box reaches the threshold defined by this property, an additional text entry field appears under the select box. As you type characters into this text field, the select box will scroll to display the matching entry if one exists. For example, if you enter w, the select box scrolls to the first entry that begins with w.- width – Specifies the width of the selected box in pixels. The default value is 150.
- height – Specifies the width of the selected box in pixels. The default value is 400.
- caseInsensitive -- Use to perform case-insensitive comparisons.
Select Component
Displays a single-selection object. Values for the list box must be supplied by the allowedValues property.
Properties for this display component are:
- allowedValues – Specifies the list of selectable values for display in the list box.
- allowedOthers – When set, specifies that initial values that were not on the allowedValues list should be tolerated and silently added to the list.
- autoSelect – When set to true, this property causes the first value in the allowedValues list to be automatically selected if the initial value for the field is null.
- caseInsensitive -- Use to perform case-insensitive comparisons.
- multiple – When set to true, allows more than one value to be selected.
- nullLabel – Specifies the text that displays at the top of the list box when no value is selected.
- optionGroupMap – Allows the selector to render options in groups using the <optgroup> tag. Format the map such that the keys of the maps are the group labels, and the elements are lists of items to be selectable. (Values must be members of allowedValues in order to render.)
- size – (Optional) Specifies the maximum number of rows to display. If the number of rows exceeds this size, a scroll bar is added.
- sorted – When set to true, causes the values in the list to be sorted.
- valueMap – Maps raw values to displayed values.
The component supports the command and onChange properties.
- The discussion of the DatePicker component should describe the following new properties. (ID-14802)
The DatePicker HTML component now permits you to select discrete dates. You can specify a date range set that allows for particular dates to be picked from the calendar.
DatePicker implements the following two new properties:
SelectAfter -- Limits the selectable dates that are displayed in the calendar to dates on or after the entered date. This property value can be a date string or a Java Date object.
<Property name='SelectAfter' value='**/**/****'/>
SelectBefore -- Limits the selectable dates displayed in the calendar to dates on or before the entered date. This property value can be a date string or a Java Date object.
<Property name='SelectBefore' value='**/**/****'/>
Wherever you use a form that implements the <Display class='DatePicker'> tag, add these variables to the form to set up the date range. If you do not set these properties, the calendar will not be limited in the dates that can be selected.
Identity Manager Technical Deployment OverviewThe following discussion of associated workflows, forms, and JSPs belongs to the architectural overview of the Identity Manager Technical Deployment Overview (ID-7332).
Process Execution
When a user enters data into a field on a page and clicks Save, view, workflow and form components work together to execute the processes necessary to process the data.
Each page in Identity Manager has a view, workflow and form associated with it that performs the necessary data processing. These workflow, view, and form associations are listed in the following two tables.
Identity Manager User Interface Processes
The following tables indicate the forms, views and workflows that are involved in processes initiated from the following Identity Manager User Interface pages:
Administrator Interface Processes
The following tables identify the forms, views, workflows, and JSPs that are involved in processes initiated from these Identity Manager Administrator Interface pages:
Java Server Pages (JSPs) and Their Role in Identity Manager
The following tables describe the JSPs that are shipped with the system as well as their Administrator and User Interface pages.
JSPs for Identity Manager User Interface
JSPs for Admin Interface
Identity Manager 6.0 Resources Reference
- The list of Supported Account Attributes under Resources Reference > Active Directory > Account Attributes > Account Attribute Support is more current in the PDF version of the document than the HTML version. Please refer to the PDF version. (ID-12630)
- The Identity Manager 6.0 Resources Reference 2005Q4M3 top level node at the following URL does not contain a link to the section titled Domino: (ID-12636)
http://docs.sun.com/app/docs/doc/819-4520
Please find the Domino section by opening Contents at this node or at the following URL:
http://docs.sun.com/source/819-4520/Domino_Exchange.html#wp999317
Access Manager Adapter
Step 5 in the procedure “General Configuration” should state the following:
5. Add the following lines to the java.security file, if they do not already exist:
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.net.ssl.internal.ssl.ProviderThe number that follows security.provider in each line specifies the order in which Java consults security provider classes and should be unique. The sequence numbers may vary in your environment. If you already have multiple security providers in the java.security file, insert the new security providers in the order given above and renumber any existing security providers. Do not remove the existing security providers and do not duplicate any providers. (ID-12044)
Active Directory Adapter
Active Directory now supports the thumbnailPhoto (Windows 2000 Server and greater) and jpegPhoto (Windows 2003) binary attributes.
BridgeStream SmartRoles Adapter
Identity Manager now provides a BridgeStream SmartRoles resource adapter that provisions users in SmartRoles. This adapter places users in the appropriate organizations within SmartRoles so that SmartRoles can determine which business roles those users should have.
When retrieving a user from SmartRoles, the adapter retrieves the user's business roles. These business roles can be used within Identity Manager to determine the Identity Manager roles, resources, attributes, and access that user should be assigned.
Additionally, SmartRoles can be a source of user changes using Active Sync. You can load SmartRoles users into Identity Manager and reconcile them.
For detailed information about this adapter, see the Sun Java System Identity Manager Resources Reference Addendum. (ID-12714)
ClearTrust Adapter
Database Table Adapter
This adapter supports binary data types, including BLOBs, in Oracle. The corresponding attributes must be marked as binary on the schema map. Sample binary attributes include graphics files, audio files, and certificates.
Flat File Active Sync Adapter
- The administrative user must have read and write access to the directory that contains the flat file. This user must also have delete access if the Process Differences Only Active Sync parameter is enabled.
In addition, the administrator account must have read, write, and delete permissions on the directory specified in the Active Sync Log File Path field. (ID-12477)
- If the flat file format is LDIF, then binary attributes, such as graphics files, audio files, and certificates may be specified. Binary attributes are not supported for CSV and pipe-delimited files.
HP OpenVMS Adapter
Identity Manager now provides an HP OpenVMS resource adapter that supports VMS version 7.0 and later. For detailed information about this adapter, see the Sun Java System Identity Manager Resources Reference Addendum. (ID-8556)
JMS Listener Adapter
The JMS Listener adapter now supports synchronous message processing instead of asynchronous processing. As a result, the second paragraph in the Connections section of the Usage Notes should read as follows:
The JMS Listener adapter operates in synchronous mode. It establishes a synchronous message consumer on the queue or topic destination specified by the JNDI name of Destination field. During each poll interval, the adapter will receive and process all available messages. Messages can be (optionally) additionally qualified by defining a valid JMS message selector string for the Message Selector field.
The Message Mapping section should contain the following:
When the adapter processes a qualified message, the received JMS message is first converted to a map of named values using the mechanism specified by the Message Mapping field. Refer to this resulting map as the message value map.
The message value map is then translated to the Active Sync map using the account attributes schema map. If the adapter has account attributes specified, the adapter searches the message value map for key names that also appear as a resource user attribute in the schema map. If present, the value is copied to the Active Sync map, but the entry name in the Active Sync map is translated to the name specified in the Identity system user attribute column in the schema map.
If the message value map has an entry that cannot be translated using the account attributes schema map, then the entry from the message value map is copied unaltered to the Active Sync map.
LDAP Adapter
Binary Account Attribute Support
The following binary account attributes from the inetOrgPerson object class are now supported:
Resource User Attribute
LDAP Syntax
Description
audio
Audio
An audio file.
jpegPhoto
JPEG
An image in JPEG format.
userCertificate
certificate
A certificate, in binary format.
Other binary accounts might be supported, but they have not been tested.
Disabling and Enabling Accounts
The LDAP adapter provides several ways to disable accounts on an LDAP resource. Use one of the following techniques to disable accounts.
Change the password to an unknown valueTo disable accounts by changing the password to an unknown value accounts, leave the Activation Method and Activation Parameter fields blank. This is the default method for disabling accounts. The account can be re-enabled by assigning a new password.
Assign the nsmanageddisabledrole roleTo use the nsmanageddisabledrole LDAP role to disable and enable accounts, configure the LDAP resource as follows:
- On the Resource Parameters page, set the Activation Method field to nsmanageddisabledrole.
- Set the Activation Parameter field to IDMAttribute=CN=nsmanageddisabledrole,baseContext. (IDMAttribute will be specified on the schema in the next step.)
- On the Account Attributes page, add IDMAttribute as an Identity System User attribute. Set the Resource User attribute to nsroledn. The attribute must be of type string.
- Create a group named nsAccountInactivationTmp on the LDAP resource and assign CN=nsdisabledrole,baseContext as a member.
LDAP accounts can now be disabled. To verify using the LDAP console, check the value of the nsaccountlock attribute. A value of true indicates the account is locked.
If the account is later re-enabled, the account is removed from the role.
Set the nsAccountLock attributeTo use the nsAccountLock attribute to disable and enable accounts, configure the LDAP resource as follows:
- On the Resource Parameters page, set the Activation Method field to nsaccountlock.
- Set the Activation Parameter field to the name of the attribute that you will define in the next step. Also assign a value to test for. For example, accountLockAttr=true.
- On the Account Attributes page, add the value specified in the Activation Parameter field as an Identity System User attribute. Set the Resource User attribute to nsaccountlock. The attribute must be of type string.
LDAP accounts can now be disabled. To verify using the LDAP console, check the value of the nsaccountlock attribute. A value of true indicates the account is locked.
If the account is later re-enabled, the attribute is removed.
Disable accounts without the nsmanageddisabledrole and nsAccountLock attributesIf the nsmanageddisabledrole and nsAccountLock attributes are not available on your directory server, but the directory server has a similar method of disabling accounts, enter one of the following class names into the Activation Method field. The value to enter in the Activation Parameter field varies, depending on the class.
Oracle/Oracle ERP Adapters
The Oracle/Oracle ERP chapter in the Identity Manager Resources Reference was divided into two separate chapters for this release. See the Sun Java System Identity Manager Resources Reference Addendum to view these two new chapters.
(ID-12758)Oracle Adapter
- Support for Oracle 8i was erroneously removed from the adapters table and from the Oracle adapter section in Chapter 1 of the Identity Manager Resources Reference. Identity Manager still supports Oracle 8i as a resource. (ID-13078)
- The updateableAttributes section name was corrected to updatableAttributes in step one of the Cascade Deletes section of this chapter, as follows (ID-13075):
The noCascade account attribute indicates whether to perform cascade drops when deleting users. By default, cascade drops are performed. To disable cascade drops:
Oracle ERP Adapter
The Oracle ERP adapter now provides an employee_number account attribute that represents an employee_number from the per_people_f table (ID-12796):
- When you enter a value on create, the adapter tries to lookup a user record in the per_people_f table, retrieve the person_id into the create API, and insert the person_id into the fnd_user table's employee_id column.
- If no employee_number is entered on create, no linking is attempted.
- If you enter and employee_number on create and that number is not found, then the adapter throws an exception.
- The adapter will try to return the employee_number on a getUser, if employee_number is in the adapter schema.
Auditing Responsibilities
Added multiple attributes to the Oracle ERP adapter to support auditing features. (ID-11725)
To audit the sub-items (such as forms and functions) of responsibilities assigned to users, add the auditorObject to the schema map. auditorObject is a complex attribute that contains a set of responsibility objects. The following attributes are always returned in a responsibility object:
- responsibility
- userMenuNames
- menuIds
- userFunctionNames
- functionIds
- formIds
- formNames
- userFormNames
- readOnlyFormIds
- readWriteOnlyFormIds
- readOnlyFormNames
- readOnlyUserFormNames
- readWriteOnlyFormNames
- readWriteOnlyUserFormNames
- functionNames
- readOnlyFunctionNames
- readWriteOnlyFunctionNames
Note readOnly and ReadWrite attributes are identified by querying the PARAMETERS column in the fnd_form_functions table for one of the following:
If the Return Set of Books and/or Organization resource parameter is set to TRUE, the following attributes are also returned:
With the exception of the responsibility, setOfBooksName, setOfBooksId, organizationalUnitId, and organizationalUnitName attributes, the attribute names match account attribute names that may be added to the schema map.The account attributes contain an aggregate set of values that are assigned to the user. The attributes that are contained in the responsibility objects are specific to the responsibility.
The auditorResps[] view provides access to the responsibility attributes. The following form snippet returns all the active responsibilities (and their attributes) assigned to a user .
<defvar name='audObj'>
<invoke name='get'>
<ref>accounts[Oracle ERP 11i VIS].auditorObject</ref>
</invoke>
</defvar>
<!-- this returns list of responsibility objects -->
<defvar name='respList'>
<invoke name='get'>
<ref>audObj</ref>
<s>auditorResps[*]</s>
</invoke>
</defvar>
For example:
SAP Adapter
- In the Account Attributes section, the table describing the default iDoc infotypes supported by the SAP HR Active Sync adapter was corrected. The supported subtype listed for the 0105 Communication infotype was changed from EMAIL to MAIL as follows (ID-12880):
By default, the following infotypes are supported:
The SAPHRActiveSyncAdapter now supports mySAP ERP ECC 5.0 (SAP 5.0).
As a result, the following changes were made to Resource Configuration Notes
(ID-12769):SAP Resource Adapter
The following resource configuration notes are applicable to the SAP resource adapter only.
To enable the ability for a user to change his or her own SAP password, perform the following steps:
SAP HR Active Sync Adapter
The following resource configuration notes are applicable to the SAP HR Active Sync adapter only.
The SAP Application Link Enabling (ALE) technology enables communication between SAP and external systems, such as Identity Manager. The SAP HR Active Sync adapter uses an outbound ALE interface. In an outbound ALE interface, the base logical system becomes the sender for outbound messages and the receiver of inbound messages. A SAP user will likely be logged into the base logical system/client when making changes to the database (for example, hiring an employee, updating position data, terminating an employee, etc.) A logical system/client must also be defined for the receiving client. This logical system will act as the receiver of outbound messages. As for the message type between the two systems, the Active Sync adapter uses a HRMD_A message type. A message type characterizes data being sent across the systems and relates to the structure of the data, also known as an IDoc type (for example, HRMD_A05).
The following steps provide the configurations required on SAP for the Active Sync adapter to receive authoritative feeds from SAP HR:
Note You must configure the SAP system parameters to enable Application Link Enabling (ALE) processing of HRMD_A IDocs. This allows for data distribution between two application systems, also referred to as messaging.
Creating a Logical System
Depending on your current SAP environment, you might not need to create a logical system. You might only need to modify an existing Distribution Model by adding the HRMD_A message type to a previously configured Model View. It is important, however, that you follow SAP's recommendations for logical systems and configuring your ALE network. The following instructions assume that you are creating new logical systems and a new model view.
- Enter transaction code SPRO, then display the SAP Reference IMGproject (or the project applicable to your organization).
- Based on the SAP version you are using, perform one of the following:
- For SAP 4.6, click Basis Components > Application Link Enabling (ALE) > Sending and Receiving Systems > Logical Systems > Define Logical System.
- For SAP 4.7, click SAP Web Application Server > Application Link Enabling (ALE) > Sending and Receiving Systems > Logical Systems > Define Logical System.
- For SAP 5.0, click SAP Netweaver > SAP Web Application Server > IDOC Interface/Application Link Enabling (ALE) > Basic Settings > Logical Systems > Define Logical System.
- Click Edit > New Entries.
- Enter a name and a description for the logical system you want to create (IDMGR).
- Save your entry.
Assigning a Client to the Logical System
- Enter transaction code SPRO, then display the SAP Reference IMGproject (or the project applicable to your organization).
- Based on the SAP version you are using, perform one of the following:
- For SAP 4.6, click Basis Components > Application Link Enabling (ALE) > Sending and Receiving Systems > Logical Systems > Assign Client to Logical System.
- For SAP 4.7, click SAP Web Application Server > Application Link Enabling (ALE) > Sending and Receiving Systems > Logical Systems > Assign Client to Logical System.
- For SAP 5.0, click SAP Netweaver > SAP Web Application Server > IDOC Interface/Application Link Enabling (ALE) > Basic Settings > Logical Systems > Assign Client to Logical System.
- Select the client.
- Click GOTO > Details to display the Client Details dialog box.
- In the Logical System field, enter the logical system you want to assign to this client.
- In the Changes and Transports for Clients section, click Automatic Recording of Changes.
- Save your entry.
Creating a Distribution Model
To create a distribution model:
- Verify that you are logged on to the sending system/client.
- Enter transaction code BD64. Ensure that you are in Change mode.
- Click Edit > Model View > Create.
- Enter the short and technical names for your view, as well as the start and end date, then click Continue.
- Select the view you created, then click Add Message Type.
- Define the sender/logical system name.
- Define the receiver/server name.
- In the Protection Client Copier and Comparison Tool section, click Protection Level: No Restriction.
- Define the Message Type you want to use (HRMD_A), then click Continue.
- Click Save.
Registering the RFC Server Module with the SAP Gateway
During initialization, the Active Sync adapter registers with the SAP Gateway. It uses “IDMRFC” for its ID. This value must match the value set in the SAP application. You must configure the SAP application so that the RFC Server Module can create a handle to it. To register the RFC Server Module as an RFC destination:
- In the SAP application, go to transaction SM59.
- Expand the TCP/IP connections directory.
- Click Create (F8).
- In the RFC destination field, enter the name of the RFC destination system. (IDMRFC).
- Set the connection type to T (Start an external program via TCP/IP).
- Enter a description for the new RFC destination, and then click Save.
- Click the Registration button for the Activation Type.
- Set the Program ID. We recommend that you use the same value as the RFC destination (IDMRFC), and then click Enter.
- If the SAP system is a Unicode system, the port must be configured for Unicode. Click the Special Options tab, and look for the Character Width In Target System section. There is a setting for unicode and non-unicode.
- Using the buttons at the top - Test Connection and Unicode Test - test the connection to the Identity Manager resource. You must have the adapter started for the test to pass.
Creating a Port Definition
The port is the communication channel to which IDocs are sent. The port describes the technical link between the sending and receiving systems. You should configure an RFC port for this solution. To create a port definition:
Modifying the Port Definition
When you generated a partner profile, the port definition might have been entered incorrectly. For your system to work properly, you need to modify the port definition.
- Enter transaction code WE20.
- Select Partner Type LS.
- Select your receiving partner profile.
- Select Outbound Parameters, then click Display.
- Select message type HRMD_A.
- Click Outbound Options, then modify the receiver port so it is the RFC port name you created (IDMGR).
- From the Output Mode, select Transfer IDoc Immediately to send IDocs immediately after they are created.
- From the IDoc Type section, select a basictype:
- Click Continue/Save.
Scripted JDBC Adapter
Identity Manager now provides a Scripted JDBC resource adapter to support management of user accounts in any database schema and in any JDBC-accessible database. This adapter also supports Active Sync to poll for account changes in the database. For detailed information about this adapter, see the Sun Java System Identity Manager Resources Reference Addendum. (ID-12506)
Shell Script Adapter
Identity Manager now provides a Shell Script resource adapter to support management of resources controlled by shell scripts that are running on the system hosting the resource. This adapter is a general purpose adapter, and is therefore highly configurable.
Siebel CRM Adapter
Siebel objects that require parent/child business component navigation can now be created and updated. This is an advanced feature that is not typically implemented in Identity Manager.
The advanced navigation feature allows you to optionally specify the following information needed to create and update child business components:
An advanced navigation rule can be used during create and update actions. It cannot be used for other types of actions.
To implement the advanced navigation feature of the Siebel CRM adapter, you must perform the following tasks:
- Add an attribute to the schema map in which the Resource User Attribute (right hand side) is named PARENT_COMP_ID.
- Use the debug page to manually add the following ResourceAttribute to your resource's XML
<ResourceAttribute name='AdvancedNavRule'
displayName='Advanced Nav Rule'
value='MY_SIEBEL_NAV_RULE'></ResourceAttribute>
Replace MY_SIEBEL_NAV_RULE with a valid rule name.
- Write the advanced navigation rule. The rule should expect two variables to be present:
resource.action — The value must be either create or update.
resource.objectType — For normal account maintenance, this value will be account.
The rule must return a map with one or more of the following name/value pairs:
An example navigation rule is provided in $WSHOME/sample/rules/SiebelNavigationRule.xml.
Sun Java System Access Manager Adapter
Installing and Configuring Sun Java System Access Manager (Versions Prior to Access Manager 7.0)
Steps 4 and 8 in the “Installing and Configuring Sun Java System Access Manager” procedure should read as follows (ID-13087):
- Create a directory to place files that will be copied from the Sun Java System Access Manager server. This directory will be called CfgDir in this procedure. The location of the Sun Java System Access Manager will be called AccessMgrHome.
- Copy the following files from AccessMgrHome to CfgDir. Do not copy the directory structure.
- On UNIX, it may be necessary to change the permissions of the jar files in the CfgDir to allow universal read access. Run the following command to change permissions:
chmod a+r CfgDir/*.jar
- Prepend the JAVA classpath with the following:
- If you are using version 6.0, set the Java system property to point to your CfgDir. Use a command similar to the following:
java -Dcom.iplanet.coreservices.configpath=CfgDir
- If you are using version 6.1 or later, add or edit the following lines in the CfgDir/AMConfig.properties file:
com.iplanet.services.configpath=CfgDircom.iplanet.security.
SecureRandomFactoryImpl=com.iplanet.am.util.SecureRandomFactoryImplcom.iplanet.security.SSLSocketFactoryImpl=netscape.ldap.
factory.JSSESocketFactorycom.iplanet.security.encryptor=com.iplanet.services.util.
JCEEncryptionThe first line sets the configpath. The last three lines change security settings.
- Copy the CfgDir/am_*.jar files to $WSHOME/WEB-INF/lib. If you are using version 6.0, also copy the jss311.jar file to the $WSHOME/WEB-INF/lib directory.
- If Identity Manager is running on Windows and you are using Identity Server 6.0, copy IdServer\lib\jss\*.dll to CfgDir and add CfgDir to your system path.
Note In an environment where Identity Manager is installed on a different system from Sun Java System Access Manager check the following error conditions. If an error java.lang.ExceptionInInitializerError, followed by java.lang.NoClassDefFoundError, on subsequent attempts, is returned when attempting to connect to the Sun Java System Access Manager resource, then check for incorrect or missing configuration data.
Also, check the jar file for the class indicated by the java.lang.NoClassDefFoundError. Prepend the classpath of the jar file containing the class to the JAVA classpath on the application server.
Installing and Configuring Sun Java System Access Manager (Versions 7.0 and Later in Legacy Mode)
Use the following steps io install and configure the resource adapter for legacy mode.
- Follow the instructions provided in the Sun Java System Access Manager 7 2005Q4 Developer's Guide to build the client SDK from the Sun Access Manager installation.
- Extract the AMConfig.properties and amclientsdk.jar files from the war file that is produced.
- Put a copy of the AMConfig.properties in the following directory:
InstallDir/WEB-INF/classes
- Place a copy of amclientsdk.jar in the following directory:
InstallDir/WEB-INF/lib
Sun Java System Communications Services Adapter
- The sample script that could be run on the proxy resource after creating a user is listed incorrectly. The following script should be used instead: (ID-12536)
SET PATH=c:\Sun\Server-Root\lib
SET SYSTEMROOT=c:\winnt
SET CONFIGROOT=C:/Sun/Server-Root/Config
mboxutil -c -P user/%WSUSER_accountId%.*
- The following binary account attributes from the inetOrgPerson object class are now supported:
Other binary accounts might be supported, but they have not been tested.
Top Secret Adapter
The Identity Manager Resources Reference incorrectly states that the Top Secret adapter supports renaming accounts. The adapter does not support renaming Top Secret accounts.
Identity Manager Tuning, Troubleshooting, and Error MessagesAdditions
- You can now use the standard tracing facility on com.waveset.task.Scheduler to trace the task scheduler if a task is having problems.
See Tracing the Identity Manager Server in Sun Java System Identity Manager Tuning, Troubleshooting, and Error Messages for more information.
- To debug a problem that is occuring at a level below a specific entry method, consider tracing at the method level. Identity Manager now provides the ability to trace only a method and its direct and indirect subcalls. (ID-14967)
To enable this feature, set the trace level for a scope with the subcalls modifier, as shown below:
trace 4,subcalls=2 com.waveset.recon.ReconTask$WorkerThread#reconcileAccount
This will trace the reconcileAccount() method at level 4 and all subcalls at level 2.
See Defining a Trace Configuration in Sun Java System Identity Manager Tuning, Troubleshooting, and Error Messages for more information.
Corrections
Because you must install JDK 1.4.2 for this release, the instruction to remove the Cryptix jars (cryptix-jceapi.jar and cryptix-jce-provider.jar) from the idm\WEB-INF\lib directory in Chapter 1: Performance Tuning, Optimizing the J2EE Environment, no longer applies (unless you are upgrading from a previous version of Identity Manager).
Identity Manager Deployment ToolsCorrections
Chapter 7: Using Identity Manager Web Services
The launchProcess example provided in the ExtendedRequest Examples section was corrected as follows (ID-13044):
launchProcess
The following example, shows a typical format for launchProcess request.
(View — Process view).ExtendedRequest req = new ExtendedRequest();
req.setOperationIdentifier("launchProcess");
req.setAsynchronous(false);
req.setAttribute("process", "Custom Process Name");
req.setAttribute("taskName", "Custom Process Display Name");
SpmlResponse res = client.request(req);
Using helpToolWith the Identity Manager 6.0 release, a new feature has been added that allows you to search the online help and documentation files, which are in HTML format. The search engine is based on the SunLabs “Nova” search engine technology.
There are two stages to using the Nova engine: indexing and retrieval. During the indexing stage, the input documents are analyzed and an index is created which is used during the retrieval stage. During retrieval, it is possible to pull “passages” that consist of the context in which the query terms were found. The passage retrieval process requires the original HTML files to be present, so these files must exist in a location in the file system accessible by the search engine.
helpTool is a Java program that performs two basic functions:
You execute helpTool from the command line, as follows:
$ java -jar helpTool.jar
usage: HelpTool
-d Destination directory
-h This help information
-i Directory or JAR containing input files, no wildcards
-n Directory for Nova index
-o Output file name
-p Indexing properties file
Rebuilding/Re-creating the Online Help Index
The HTML files for online help are packaged in a JAR file. You must extract these files to a directory for the search engine. Use the following procedure:
- Unpack the helpTool distribution to a temporary directory. (Details TBD)
In this example, we will extract the files to /tmp/helpTool.
- In a UNIX shell or Windows command window, change directory to the location where the Identity Manager application was deployed to your web container.
For example, a directory for Sun Java System Application Server might look like the following:
/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/idm
- Change your current working directory to the help/ directory.
Note It is important to run helpTool from this directory or the index will not build correctly. In addition, you should remove the old index files by deleting the contents of the index/help/ subdirectory.
- Gather the following information for your command line arguments:
- Run the following command:
$ java -jar /tmp/helpTool/helpTool.jar -d html/help/en_US -i ../
WEB-INF/lib/idm.jar -n index/help -o help_files_help.txt -p index/index.propertiesExtracted 475 files.
[15/Dec/2005:13:11:38] PM Init index/help AWord 1085803878
[15/Dec/2005:13:11:38] PM Making meta file: index/help/MF: 0
[15/Dec/2005:13:11:38] PM Created active file: index/help/AL
[15/Dec/2005:13:11:40] MP Partition: 1, 475 documents, 5496 terms.
[15/Dec/2005:13:11:40] MP Finished dumping: 1 index/help 0.266
[15/Dec/2005:13:11:40] IS 475 documents, 6.56 MB, 2.11 s, 11166.66 MB/h
[15/Dec/2005:13:11:40] PM Waiting for housekeeper to finish
[15/Dec/2005:13:11:41] PM Shutdown index/help AWord 1085803878
Rebuilding/Re-creating the Documentation Index
Use the following procedure to rebuild or re-create the documentation index:
- Unpack the helpTool distribution to a temporary directory. (Details TBD)
In this example, we will extract the files to /tmp/helpTool.
- In a UNIX shell or Windows command window, change directory to the location where the Identity Manager application was deployed to your web container.
For example, a directory for Sun Java System Application Server might look like:
/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/idm
- Change your current working directory to the help/ directory.
Note You must run helpTool from this directory or the index will not build correctly. In addition you should remove the old index files by deleting the contents of the index/docs/ subdirectory.
- Gather the following information for your command line arguments:
- Run the following command:
$ java -jar /tmp/helpTool/helpTool.jar -d html/docs -i ../doc/HTML/en_US -n index/docs -o help_files_docs.txt -p index/index.properties
Copied 84 files.
Copied 105 files.
Copied 1 files.
Copied 15 files.
Copied 1 files.
Copied 58 files.
Copied 134 files.
Copied 156 files.
Copied 116 files.
Copied 136 files.
Copied 21 files.
Copied 37 files.
Copied 1 files.
Copied 13 files.
Copied 2 files.
Copied 19 files.
Copied 20 files.
Copied 52 files.
Copied 3 files.
Copied 14 files.
Copied 3 files.
Copied 3 files.
Copied 608 files.
[15/Dec/2005:13:24:25] PM Init index/docs AWord 1252155067
[15/Dec/2005:13:24:25] PM Making meta file: index/docs/MF: 0
[15/Dec/2005:13:24:25] PM Created active file: index/docs/AL
[15/Dec/2005:13:24:28] MP Partition: 1, 192 documents, 38488 terms.
[15/Dec/2005:13:24:29] MP Finished dumping: 1 index/docs 0.617
[15/Dec/2005:13:24:29] IS 192 documents, 14.70 MB, 3.81 s, 13900.78 MB/h
[15/Dec/2005:13:24:29] PM Waiting for housekeeper to finish
[15/Dec/2005:13:24:30] PM Shutdown index/docs AWord 1252155067