The procedure to deploy the DBAT connector is divided into three stages, namely preinstallation, installation, and postinstallation.
The procedure to install and configure the connector can be divided into the following stages:
Prerequisite for the DBAT connector involves creating a target system user account and configuring the database.
Perform the following preinstallation procedures on your target system:
Oracle Identity Manager uses a target system user account to provision to and reconcile data from the target system. For all target systems certified for this connector, the following are the minimum rights to be assigned to the target system user account:
For reconciliation: The user account must have permissions to run Select statements on the tables that must be managed by this connector.
For provisioning: The user account must have permissions to perform select, insert, update, and delete operations on the tables to be managed by this connector.
If you are configuring the connector to use custom stored procedures to perform connector operations, then the user account must have execute permissions on the relevant stored procedures.
See the target system documentation for the procedure to create a target system user account with the preceding permissions required for performing connector operations.
During a provisioning operation, the connector runs Java stored procedures to perform the required action on the target system. If your IBM DB2 installation is running on IBM z/OS, then you must configure the WLM to enable the running of these stored procedures. See IBM z/OS documentation for detailed information about configuring the WLM.
Note:
This is an optional procedure. Perform this procedure on an Oracle database table only if you want an autoincrementing primary key.
At any time after creating the Oracle database table, you can set up an autoincrementing primary key column for that database table. To set the autoincrementing primary key, create a sequence, and then create a trigger that inserts a unique autogenerated number in the primary key field while inserting a new record into the parent table. The following is a trigger that you can use:
CREATE OR REPLACE TRIGGER trigger_name
BEFORE INSERT ON table_name
FOR EACH ROW
BEGIN
  -- Fill the primary key column from the sequence before the row is inserted
  SELECT sequence_name.nextval INTO :new.primary_key_column_name FROM DUAL;
END;
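The two-step setup described above (sequence first, then trigger) carried through on a complete Oracle table, as an added example that is not part of the connector guide. The table, column, sequence and trigger names (APP_USERS, USER_ID, APP_USERS_SEQ, APP_USERS_PK_TRG) are assumed for illustration; the WHEN clause is an addition to the guide's trigger so that explicitly supplied key values are left untouched.

```sql
-- Added example, not from the connector guide. Names are assumed.
-- Parent table whose key must be generated by the database rather than
-- supplied by the connector during provisioning.
CREATE TABLE APP_USERS (
    USER_ID    NUMBER(10)    NOT NULL,
    USER_LOGIN VARCHAR2(64)  NOT NULL,
    FIRST_NAME VARCHAR2(64),
    LAST_NAME  VARCHAR2(64),
    CONSTRAINT PK_APP_USERS PRIMARY KEY (USER_ID),
    CONSTRAINT UQ_APP_USERS_LOGIN UNIQUE (USER_LOGIN)
);

-- Step 1: the sequence that supplies the key values.
CREATE SEQUENCE APP_USERS_SEQ
    START WITH 1
    INCREMENT BY 1
    NOCACHE
    NOCYCLE;

-- Step 2: the BEFORE INSERT trigger that fills the key for each new row.
-- The WHEN clause (an addition to the guide's trigger) only fires the body
-- when no key was supplied, so bulk loads that set USER_ID themselves
-- are not overwritten.
CREATE OR REPLACE TRIGGER APP_USERS_PK_TRG
BEFORE INSERT ON APP_USERS
FOR EACH ROW
WHEN (NEW.USER_ID IS NULL)
BEGIN
    SELECT APP_USERS_SEQ.NEXTVAL INTO :NEW.USER_ID FROM DUAL;
END;
/

-- Verification: the insert omits USER_ID and the trigger assigns it,
-- which is exactly what a connector create operation will do once the
-- key field is no longer marked required on the process form.
INSERT INTO APP_USERS (USER_LOGIN, FIRST_NAME, LAST_NAME)
VALUES ('jdoe', 'John', 'Doe');

SELECT USER_ID, USER_LOGIN
  FROM APP_USERS
 WHERE USER_LOGIN = 'jdoe';
```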
You can run the connector code locally in Oracle Identity Manager or remotely in a Connector Server.
Depending on where you want to run the generated connector, the connector provides the following installation options:
To run the connector code locally in Oracle Identity Manager, perform the procedure described in Installing the Connector in Oracle Identity Manager.
To run the connector code remotely in a Connector Server, perform the procedures described in Installing the Connector in Oracle Identity Manager and About Deploying the Connector Bundle in a Connector Server.
In this scenario, you install the connector in Oracle Identity Manager using the Connector Installer.
Note:
In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.
If this version of the connector has been installed earlier and you want to install it for another target system whose libraries need to be added, then:
Download the connector bundle JAR file from the Oracle Identity Manager database by using the Download JARs utility.
Extract the contents of the JAR file and copy the JDBC drivers for your target system to the lib directory. See the "JDBC drivers" row of Table 1-1 to determine the JDBC drivers for your target system.
Run the Upload JARs utility to upload the JAR file to the Oracle Identity Manager database.
Run the PurgeCache utility to clear content related to connector bundle JARs from the server cache. See Clearing Content Related to Connector Resource Bundles from the Server Cache for information about running the PurgeCache utility.
You must install the connector package (generated after running the DBAT Generator) by running the connector installer. To do so:
Copy the unzipped connector package (generated in Discover the Schema and Generate the Connector) to the following directory:
OIM_HOME/server/ConnectorDefaultDirectory
Create a directory in OIM_HOME/ConnectorDefaultDirectory/targetsystems-lib with the same name as the installer package. For example:
OIM_HOME/server/ConnectorDefaultDirectory/targetsystems-lib/dbat-11.1.1.6.0
Copy the JDBC driver to this directory. See Table 1-1 to know the JDBC driver corresponding to your target system.
Note:
If you are using Oracle Database or Oracle RAC as the target system, then no JDBC driver is needed. You can skip this step and proceed to the next.
During connector installation, all JDBC drivers located in the OIM_HOME/server/ConnectorDefaultDirectory/targetsystems-lib/dbat-11.1.1.6.0 directory are loaded into the Oracle Identity Manager database and then registered with the Database Application Tables connector.
If this step is skipped for any reason, then you must manually copy the JDBC drivers into the lib directory of the connector JAR file, and then run the Oracle Identity Manager Upload JARs utility to post the connector JAR file to the Oracle Identity Manager database. See Migrating JARs and Resource Bundle in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about running the Upload JARs utility.
Log in to Oracle Identity System Administration.
In the Manage Connector page, click Install.
From the Connector List, select the name of the connector package (generated by running the DBAT Generator). This list displays the names and release numbers of connectors whose installation files you copied into the default connector installation directory in Step 1.
If you have copied the installation files into a different directory, then:
In the Alternative Directory field, enter the full path and name of that directory.
To repopulate the list of connectors in the Connector List list, click Refresh.
From the Connector List list, select the name of the connector package.
Click Load.
To start the installation process, click Continue.
The following tasks are performed in sequence:
Configuration of connector libraries
Import of the connector XML files (Using Deployment Manager).
Compilation of Adapter Definitions
On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:
Retry the installation by clicking Retry.
Cancel the installation and begin again from Step 1.
If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed.
When you run the Connector Installer, it processes the script in the DBAT-CI.xml file located in the configuration directory. This file is listed in Table C-1.
You can deploy the Database Application Tables connector either locally in Oracle Identity Manager or remotely in the Connector Server. A connector server is a separate Oracle application that enables remote execution of an Identity Connector, such as the Database Application Tables connector. Running a connector on the connector server allows you to pass provisioning and reconciliation requests through the firewalls in a manner defined by the connector server.
The procedure to deploy the connector bundle in a connector server is divided into the following stages:
Connector servers are available in two implementations:
As a .Net implementation that is used by Identity Connectors implemented in .Net framework
As a Java Connector Server implementation that is used by Java-based Identity Connectors
The Database Application Tables connector is implemented in Java, so you can deploy this connector to a Java Connector Server.
Use the following steps to install and configure the Java Connector Server:
Note:
Before you deploy the Java Connector Server, ensure that you install the JDK or JRE on the same computer where you are installing the Java Connector Server and that your JAVA_HOME or JRE_HOME environment variable points to this installation.
To run the Java Connector Server on Microsoft Windows, Solaris, Linux, see Using the Java Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
To install the connector into the Java connector server, see Installing the Connector in the Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
These are the tasks that you must perform after installing the DBAT connector.
This section discusses the following postinstallation procedures:
Configuring the Connector for a Target System with an Autoincrement Primary Key
Clearing Content Related to Connector Resource Bundles from the Server Cache
About Configuring Secure Communication Between the Target System and Oracle Identity Manager
Configuring Secure Communication Between the Connector Server and Oracle Identity Manager
Configuring the Connector for Stored Procedures and Groovy Scripts
The IT resource for the target system contains connection information about the target system. Oracle Identity Manager uses this information during provisioning and reconciliation.
When you run the DBAT Generator, the IT resource corresponding to this connector is automatically created in Oracle Identity Manager. You must specify values for the parameters of this IT resource as follows:
The connector enables you to configure the manner in which date data must be handled. You can handle date data either as a date editor or text.
To handle date data as a date editor:
Ensure that no value is entered for the dateFormat parameter of the IT resource.
Log in to the Design Console.
In the process form, change all date parameters to denote date editor.
Change the process form field data type from string to date.
In the Lookup.RESOURCE.UM.ProvAttrMap and Lookup.RESOURCE.UM.ReconAttrMap lookup definitions, add the [DATE] tag for all lookup entries corresponding to date fields.
In the resource object, update the date fields by setting the reconciliation data field type to Date.
On the Reconciliation Field Mappings tab of the process definition, add field mappings for date fields.
On the Object Reconciliation tab of the resource object, click Create Reconciliation Profile to copy changes made to the resource object into the MDS.
To handle date data as text:
[DATE] tag for lookup entries corresponding to date fields.
Note:
Perform the procedure described in this section only if both the conditions are true:
You have configured your target system as a target resource.
The key column of the target system is configured with an autoincrement option.
Perform the following steps to configure the connector for a target system with an autoincrement primary key:
By default, the key column of the target system is mapped to the OIM User Login field in the reconciliation rule. Before you perform any connector operation, you can modify the reconciliation rule to map the OIM User Login field to a different target system column.
If the key column of the child table has been configured with the autoincrement option, then modify the child form by removing the 'required=true' property for the key field of the child table by using the Design Console.
If the prepopulate adapter contains a mapping for the key column, then either disable the prepopulate adapter or modify it to remove the connector key column by using the Design Console.
Note:
Perform the procedures described in this section only if you are using the connector in the target resource configuration mode.
You must create a UI form and an application instance for the resource against which you want to perform reconciliation and provisioning operations. In addition, you must run entitlement and catalog synchronization jobs. These procedures are described in the following sections:
See Managing Sandboxes in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for instructions on creating and activating a sandbox.
See Managing Forms in Oracle Fusion Middleware Administering Oracle Identity Manager for instructions on creating a new UI form. While creating the UI form, ensure that you select the resource object corresponding to the DBAT connector that you want to associate the form with. In addition, select the Generate Entitlement Forms check box.
See Managing Application Instances in Oracle Fusion Middleware Administering Oracle Identity Manager for instructions on creating an application instance. While creating the application instance, ensure that you select the form created in Creating a New UI Form.
After creating the application instance, you must publish it to an organization to make the application instance available for requesting and subsequent provisioning to users. However, as a best practice, perform the following procedure before publishing the application instance:
See Managing Organizations Associated With Application Instances in Oracle Fusion Middleware Administering Oracle Identity Manager for instructions on publishing an application instance to an organization.
Before you publish a sandbox, perform the following procedure as a best practice to validate all sandbox changes made up to this stage, because it is hard to revert changes once a sandbox is published:
To harvest entitlements and sync catalog:
To localize a field label that is added to the UI forms:
Create a properties file (for example, DBAT_ja.properties) containing localized versions for the column names in your target system (to be displayed as text strings for GUI elements and messages in the Administrative and User Console).
Log in to Oracle Enterprise Manager.
In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
In the right pane, from the Application Deployment list, select MDS Configuration.
On the MDS Configuration page, click Export and save the archive to the local computer.
Extract the contents of the archive, and open one of the following files in a text editor:
For Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) or later releases:
SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_en.xlf
For releases prior to Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0):
SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf
Edit the BizEditorBundle.xlf file in the following manner:
Search for the following text:
<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
Replace with the following text:
<file source-language="en" target-language="LANG_CODE"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">
In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:
<file source-language="en" target-language="ja" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
Search for the application instance code. This procedure shows a sample edit for Database Application Tables application instance. The original code is:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ACMEDBAP_APP_DFLT_HOME__c_description']}">
  <source>APP_DFLT_HOME</source>
  <target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ACMEFORM.entity.ACMEFORMEO.UD_ACMEDBAP_APP_DFLT_HOME__c_LABEL">
  <source>APP_DFLT_HOME</source>
  <target/>
</trans-unit>
Open the properties file created in Step 1 and get the value of the attribute, for example, global.udf.D_ACMEDBAP_APP_DFLT_HOME=\u4567d.
Replace the original code shown in Step 7.7.c with the following:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ACMEDBAP_APP_DFLT_HOME__c_description']}">
  <source>APP_DFLT_HOME</source>
  <target>\u4567d</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ACMEFORM.entity.ACMEFORMEO.UD_ACMEDBAP_APP_DFLT_HOME__c_LABEL">
  <source>APP_DFLT_HOME</source>
  <target>\u4567d</target>
</trans-unit>
Repeat Steps 7.7.a through 7.7.d for all attributes of the process form.
Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.
Sample file name: BizEditorBundle_ja.xlf.
Repackage the ZIP file and import it into MDS.
See Also:
Deploying and Undeploying Customizations in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for more information about exporting and importing metadata files
Log out of and log in to Oracle Identity Manager.
When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the Oracle Identity Manager database. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache you can either restart Oracle Identity Manager or run the PurgeCache utility. The following is the procedure to clear the server cache by running the PurgeCache utility:
Managing logging is discussed in the following sections:
Oracle Identity Manager uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.Logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
SEVERE.intValue()+100
This level enables logging of information about fatal errors.
SEVERE
This level enables logging of information about errors that might allow Oracle Identity Manager to continue running.
WARNING
This level enables logging of information about potentially harmful situations.
INFO
This level enables logging of messages that highlight the progress of the application.
CONFIG
This level enables logging of information about fine-grained events that are useful for debugging.
FINE, FINER, FINEST
These levels enable logging of information about fine-grained events, where FINEST logs information about all events.
These log levels are mapped to ODL message type and level combinations as shown in Table 3-2.
Table 3-2 Log Levels and ODL Message Type:Level Combinations

Log Level | ODL Message Type:Level
---|---
SEVERE.intValue()+100 | INCIDENT_ERROR:1
SEVERE | ERROR:1
WARNING | WARNING:1
INFO | NOTIFICATION:1
CONFIG | NOTIFICATION:16
FINE | TRACE:1
FINER | TRACE:16
FINEST | TRACE:32
The configuration file for OJDL is logging.xml, which is located at the following path:
DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml
Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Manager.
To enable logging in Oracle WebLogic Server:
Edit the logging.xml file as follows:
Add the following blocks in the file:
<log_handler name='dbat-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
  <property name='logreader:' value='off'/>
  <property name='path' value='[FILE_NAME]'/>
  <property name='format' value='ODL-Text'/>
  <property name='useThreadName' value='true'/>
  <property name='locale' value='en'/>
  <property name='maxFileSize' value='5242880'/>
  <property name='maxLogSize' value='52428800'/>
  <property name='encoding' value='UTF-8'/>
</log_handler>
<logger name="ORG.IDENTITYCONNECTORS.DATABASETABLE" level="[LOG_LEVEL]" useParentHandlers="false">
<handler name="dbat-handler"/>
<handler name="console-handler"/>
</logger>
Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 3-2 lists the supported message type and level combinations.
Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.
The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME]:
<log_handler name='dbat-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
  <property name='logreader:' value='off'/>
  <property name='path' value='/<%OIM_DOMAIN%>/servers/oim_server1/logs/DBATlogs.log'/>
  <property name='format' value='ODL-Text'/>
  <property name='useThreadName' value='true'/>
  <property name='locale' value='en'/>
  <property name='maxFileSize' value='5242880'/>
  <property name='maxLogSize' value='52428800'/>
  <property name='encoding' value='UTF-8'/>
</log_handler>
<logger name="ORG.IDENTITYCONNECTORS.DATABASETABLE" level="NOTIFICATION:1" useParentHandlers="false">
  <handler name="dbat-handler"/>
  <handler name="console-handler"/>
</logger>
With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.
Save and close the file.
Set the following environment variable to redirect the server logs to a file:
For Microsoft Windows:
set WLS_REDIRECT_LOG=FILENAME
For UNIX:
export WLS_REDIRECT_LOG=FILENAME
Replace FILENAME with the location and name of the file to which you want to redirect the output.
Restart the application server.
Note:
This is an optional procedure. Perform this procedure only if you want to use lookup definitions as the input source for some of the fields on the process form during provisioning operations.
If you are configuring the connector for provisioning, then you may want to create lookup fields on the process form. For example, during provisioning operations, you may want to select the Country Code value from a lookup field. After deploying the connector, you can set up this field as a lookup field by specifying an input source for the field.
You can use a lookup definition as the input source. For example, you can create a lookup definition containing country codes and then set up the lookup definition as the input source for the Country field. If you want to use a lookup definition as the input source, then perform the following steps:
See Also:
Adding or Editing Fields in Data Sets in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about each of the following steps
Log in to the Design Console.
Create an empty lookup definition that must be used as an input source. Skip this step if you want to use the Lookup.DBAT.Example lookup definition, which is created after you install the connector.
Update the process form to change the data field from text to lookup field. To do so:
Expand Development Tools and double-click Form Designer.
Search for and open the process form that contains the required information to provision resources to a target system user account. The name of the process form is in the following format:
UD_[RESOURCE]_[TABLE_ALIAS]
Click Create New Version.
A new version of the form is created for editing.
On the Additional Columns tab, in the row for the data field that you want to set up as a lookup field, change the value of the Field Type column from TextField to LookupField.
On the Properties tab, select the data field (whose Field Type was changed from TextField to Lookup Field in the preceding step), and then click Add Property.
In the Add Property dialog box:
From the Property Name list, select Lookup Code.
In the Property Value field, enter the name of the lookup definition to be used as the input source (the one used in Step 2).
Note:
If you want to set up the lookup field for entitlement, then from the Property Name list, select Entitlement and set its property value to true.
Click the Save icon and then close the dialog box.
Click the Save icon on the process form.
Click Make Version Active.
You must create and activate a new version of the parent form as well to include the latest version of the child form.
Update the lookup entry to include information that specifies the field is a lookup field. To do so:
Expand Administration and double-click Lookup Definition.
Search for and open the Lookup.RESOURCE.UM.ProvAttrMap lookup definition.
In the lookup entries, search for the field name in the Code Key column that has been changed to a lookup field, and then suffix the field name with [LOOKUP].
This denotes that the process form field is a lookup field.
Click the Save icon.
Repeat Steps 4.4.b through 4.4.d to suffix the corresponding Code Key entry with [LOOKUP] in the lookup definition that holds reconciliation attribute mappings:
While performing Step 4.4.c, search for and open the Lookup.RESOURCE.UM.ReconAttrMap lookup definition.
This completes the procedure for setting up a lookup definition as an input source.
If a child process form field has to be configured as an entitlement, then you must associate it with the corresponding lookup definition, and set the entitlement property to true. If the corresponding lookup definition does not exist, then you must create it manually. See Marking Entitlement Attributes on Child Process Forms in Oracle Fusion Middleware Administering Oracle Identity Manager for more information.
By default, after metadata generation, all date fields are displayed as text fields on the process form. If you want to display these fields as a Date picker, then you must perform the following steps:
Note:
See Step 3: Modify Connector Configuration Page in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information on performing each of the steps discussed in this procedure.
Note:
It is recommended that you perform the procedure described in this section to secure communication between the target system and Oracle Identity Manager.
The procedure to secure communication depends on the database that you are using:
Configuring Secure Communication Between IBM DB2 and Oracle Identity Manager
Configuring Secure Communication Between Microsoft SQL Server and Oracle Identity Manager
Configuring Secure Communication Between MySQL and Oracle Identity Manager
Configuring Secure Communication Between Oracle Database and Oracle Identity Manager
Note:
IBM DB2 version 9.1 Fix Pack 2 and later support secure communication over SSL.
Before configuring secure communication between IBM DB2 and Oracle Identity Manager, you must install the IBM Global Security Kit (GSKit).
See the IBM DB2 documentation for more information about enabling SSL communication between IBM DB2 and a client system. In this context, the client is Oracle Identity Manager.
To configure secure communication between IBM DB2 and Oracle Identity Manager:
To configure secure communication between Microsoft SQL Server and Oracle Identity Manager:
To configure secure communication between MySQL and Oracle Identity Manager:
To secure communication between Oracle Database and Oracle Identity Manager, you can perform either one or both of the following procedures:
See Configuring Network Data Encryption and Integrity in Oracle Database Security Guide for information about configuring data encryption and integrity.
To enable SSL communication between Oracle Database and Oracle Identity Manager:
Note:
See Enabling Secure Sockets Layer in Oracle Database Security Guide for detailed information about enabling SSL communication between Oracle Database and Oracle Identity Manager.
If you have deployed this connector on a Connector Server, then it is recommended that you secure communication between the Connector Server and Oracle Identity Manager. The procedure to configure secure communication is the same as the procedure described in section About Configuring Secure Communication Between the Target System and Oracle Identity Manager. While performing the procedure described in that section, consider the Connector Server as a separate system, similar to the target system.
Before you configure secure communication:
Ensure that the Connector Server is running under a user that has the appropriate rights to access the keystore.
Ensure that the keystore on the Connector Server is present and accessible.
Ensure that the keystore on the Connector Server contains the expected certificates.
If you are not using the default Java keystore on the Connector Server, then modify the keystore paths and password in the IT resource URL or the jndiProperties property (of the DBATConfiguration.groovy file) to match the location on the Connector Server.
The connector runs default SQL queries and SQL statements when you use it to perform reconciliation and provisioning operations, respectively. Instead of default SQL statements and queries, if you want the connector to use custom stored procedures for performing reconciliation or provisioning operations, then you must perform the procedure described in this section.
See Also:
Sample Stored Procedures and Groovy Scripts for sample stored procedures and Groovy scripts
To configure the connector for custom stored procedures:
On the target system, create the stored procedures that must be used for performing provisioning operations. The following are sample stored procedures (created on Oracle Database) that run the DELETE SQL statement for deleting the groups and roles child data. For target systems other than Oracle Database, the syntax of this sample procedure may vary.
The stored procedure for DELETE_USERGROUP is as follows:
create or replace PROCEDURE DELETE_USERGROUP (
  userin IN VARCHAR2,
  gId    IN VARCHAR2
) AS
BEGIN
  -- Remove one group membership row for the given user
  DELETE from USER_GROUP where USERID = userin and GROUPID = gId;
END DELETE_USERGROUP;
The stored procedure for DELETE_USERROLE is as follows:
create or replace PROCEDURE DELETE_USERROLE (
  userin IN VARCHAR2,
  rId    IN VARCHAR2
) AS
BEGIN
  -- Remove one role assignment row for the given user
  DELETE from USER_ROLE where USERID = userin and ROLEID = rId;
END DELETE_USERROLE;
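The minimum-rights requirements for the target system user account listed under preinstallation (SELECT for reconciliation; SELECT, INSERT, UPDATE and DELETE for provisioning; EXECUTE on custom stored procedures), worked through as a dedicated least-privilege account that can run the two sample procedures above. This is an added example on Oracle Database, not part of the connector guide; the account name OIM_DBAT, the owning schema APPSCHEMA and the parent table APP_USERS are assumed, while USER_GROUP, USER_ROLE, DELETE_USERGROUP and DELETE_USERROLE are the names used in this chapter.

```sql
-- Added example, not from the connector guide. Run as a DBA.
-- Assumptions: the connector manages APPSCHEMA.APP_USERS (parent) and
-- APPSCHEMA.USER_GROUP / APPSCHEMA.USER_ROLE (child tables), and the sample
-- procedures DELETE_USERGROUP / DELETE_USERROLE were created in APPSCHEMA.

-- A dedicated account for the connector: nothing else shares its grants,
-- so its activity in the database audit trail is attributable to OIM.
CREATE USER OIM_DBAT IDENTIFIED BY "<STRONG_PASSWORD_PLACEHOLDER>"
    ACCOUNT UNLOCK;

-- Log in only. No CONNECT/RESOURCE roles and no "ANY" system privileges.
GRANT CREATE SESSION TO OIM_DBAT;

-- Reconciliation: read access to every table the connector manages.
GRANT SELECT ON APPSCHEMA.APP_USERS  TO OIM_DBAT;
GRANT SELECT ON APPSCHEMA.USER_GROUP TO OIM_DBAT;
GRANT SELECT ON APPSCHEMA.USER_ROLE  TO OIM_DBAT;

-- Provisioning: row-level write access on the same tables, and only these.
GRANT INSERT, UPDATE, DELETE ON APPSCHEMA.APP_USERS  TO OIM_DBAT;
GRANT INSERT, UPDATE, DELETE ON APPSCHEMA.USER_GROUP TO OIM_DBAT;
GRANT INSERT, UPDATE, DELETE ON APPSCHEMA.USER_ROLE  TO OIM_DBAT;

-- Custom stored procedures: EXECUTE only. Oracle PL/SQL procedures run with
-- the definer's rights by default (AUTHID DEFINER), so the procedure body's
-- DELETE on USER_GROUP / USER_ROLE executes as APPSCHEMA. If every child-data
-- removal goes through these procedures, the direct DELETE grants on the two
-- child tables above can be revoked.
GRANT EXECUTE ON APPSCHEMA.DELETE_USERGROUP TO OIM_DBAT;
GRANT EXECUTE ON APPSCHEMA.DELETE_USERROLE  TO OIM_DBAT;

-- Verification, run as the DBA: the object privileges should be exactly the
-- list above and the only system privilege should be CREATE SESSION.
SELECT OWNER, TABLE_NAME, PRIVILEGE
  FROM DBA_TAB_PRIVS
 WHERE GRANTEE = 'OIM_DBAT'
 ORDER BY OWNER, TABLE_NAME, PRIVILEGE;

SELECT PRIVILEGE
  FROM DBA_SYS_PRIVS
 WHERE GRANTEE = 'OIM_DBAT';

SELECT GRANTED_ROLE
  FROM DBA_ROLE_PRIVS
 WHERE GRANTEE = 'OIM_DBAT';
```

Re-run the three verification queries whenever the connector's managed tables or stored procedures change, since a grant added "temporarily" for troubleshooting is the usual way this account drifts away from the minimum set.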
On the Oracle Identity Manager host computer, create Groovy scripts that call the relevant stored procedures on the target system to perform provisioning operations. The following arguments can be directly used in the Groovy script:
connector - The Database Application Tables connector object.
conn - JDBC connection.
timing - When the Groovy script is called. In addition, the timing attribute also identifies the type of operation being performed. For example, if it is a search operation, then the object class being searched is also returned.
The following is the format of the timing argument for lookup field synchronization:
executeQuery:OBJECT_CLASS
In this format, OBJECT_CLASS is replaced with the type of object being reconciled.
For example, for a lookup field synchronization scheduled job that contains the object type "Role", the value of the timing argument will be as follows:
executeQuery:Role
attributes - All attributes.
trace - Logger as a script trace bridge to the application.
where - String where condition for execute query, or null.
handler - The resultSetHandler or SyncResultsHandler that receives the connector objects produced by the execute query or sync operation, or null.
quoting - The type of table name quoting to be used in SQL. The default value is an empty string. The value of this argument is obtained from the IT resource.
nativeTimestamps - Specifies whether the script retrieves the timestamp data of the columns as java.sql.Timestamp type from the database table. This information is obtained from the IT resource.
allNative - Specifies whether the script must retrieve the data type of the columns in a native format from the database table. The value of this argument is obtained from the IT resource.
rethrowAllSQLExceptions - The value of this argument is also obtained from the IT resource. It specifies whether the script must rethrow SQL exceptions that carry a zero (0x00) error code instead of ignoring them.
enableEmptyString - Specifies whether support for writing an empty string instead of a NULL value must be enabled. The value of this argument is obtained from the IT resource.
filterString - String filter condition for execute query, or null.
filterParams - List of filter parameters. Each parameter is present in the COLUMN_NAME:VALUE format. For example, FIRSTNAME:test.
syncattribute - Name of the database column configured for incremental reconciliation. This argument is available in the sync script, which is called during an incremental reconciliation run.
synctoken - Value of the sync attribute. This argument is available in the sync script.
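The following is an added example of an executeQueryScript that uses several of the arguments listed above; it is not part of the original page or of the connector's own code. It assumes a USERINFO table with USERID, FIRSTNAME and LASTNAME columns, that filterParams entries arrive in the COLUMN_NAME:VALUE form described above, that quoting takes one of the values none, double, back or brackets, and that handler is the ICF ResultsHandler whose handle() method returns false when no more objects are wanted. The column-name half of a filter parameter ends up in the SQL text, so it is checked against an allowlist; the value half is always bound as a statement parameter.

```groovy
// Added example: executeQueryScript for full or filtered reconciliation
// (not from the original page). See the lead-in for the assumed table,
// filterParams format and quoting values.
import org.identityconnectors.framework.common.objects.AttributeBuilder
import org.identityconnectors.framework.common.objects.ConnectorObjectBuilder
import org.identityconnectors.framework.common.objects.ObjectClass
import java.sql.PreparedStatement
import java.sql.ResultSet

// Only these columns may appear in a filter. The column name becomes part of
// the SQL text, so it is validated here rather than trusted from filterParams.
final Set<String> ALLOWED = ['USERID', 'FIRSTNAME', 'LASTNAME'] as Set

// Wrap an identifier in the quoting style configured on the IT resource
// (assumed value set: '', none, double, back, brackets).
String quoteIdent(String ident, String style) {
    switch ((style ?: '').toLowerCase()) {
        case 'double':   return '"' + ident + '"'
        case 'back':     return '`' + ident + '`'
        case 'brackets': return '[' + ident + ']'
        default:         return ident
    }
}

List<String> clauses = []
List<String> binds = []
(filterParams ?: []).each { Object p ->
    String param = p.toString()
    int sep = param.indexOf(':')
    if (sep < 1) {
        throw new IllegalArgumentException('filter parameter is not COLUMN_NAME:VALUE: ' + param)
    }
    String column = param.substring(0, sep).toUpperCase()
    if (!ALLOWED.contains(column)) {
        throw new IllegalArgumentException('filter on unexpected column rejected: ' + column)
    }
    clauses << (quoteIdent(column, quoting) + ' = ?')
    binds << param.substring(sep + 1)      // the value is bound, never concatenated
}

String sql = 'SELECT USERID, FIRSTNAME, LASTNAME FROM ' + quoteIdent('USERINFO', quoting)
if (clauses) {
    sql += ' WHERE ' + clauses.join(' AND ')
}
System.out.println('[executeQueryScript] ' + timing + ' running: ' + sql)

PreparedStatement stmt = null
ResultSet rs = null
try {
    stmt = conn.prepareStatement(sql)
    binds.eachWithIndex { String value, int i -> stmt.setString(i + 1, value) }
    rs = stmt.executeQuery()
    while (rs.next()) {
        ConnectorObjectBuilder cob = new ConnectorObjectBuilder()
        cob.setObjectClass(ObjectClass.ACCOUNT)
        cob.setUid(rs.getString('USERID'))
        cob.setName(rs.getString('USERID'))
        // NULL columns are omitted rather than reported as an empty value
        ['FIRSTNAME', 'LASTNAME'].each { String col ->
            String v = rs.getString(col)
            if (v != null) {
                cob.addAttribute(AttributeBuilder.build(col, v))
            }
        }
        // handle() returns false when the framework wants no more objects
        if (!handler.handle(cob.build())) {
            break
        }
    }
} finally {
    if (rs != null) rs.close()
    if (stmt != null) stmt.close()
}
```

Because the script runs with the target system user account's database privileges, any column name or value that reaches the SQL text without a check is a path to running statements the connector was never meant to run; binding values and allowlisting identifiers is what keeps the filter from becoming an injection point.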
The following is a sample Groovy script that calls the DELETE_USERGROUP and DELETE_USERROLE stored procedures created in Step 1:

```groovy
import org.identityconnectors.framework.common.objects.*;

System.out.println("[removeMultiValuedAttributeScript] Removing Child data::" + attributes);

// Remove group memberships through the DELETE_USERGROUP stored procedure
try {
    childDataEOSet = null;
    delSt = null;
    // Get the UID of the account whose child data is being removed
    String id = attributes.get("__UID__").getValue().get(0);
    if (attributes.get("USER_GROUP") != null) {
        childDataEOSet = attributes.get("USER_GROUP").getValue();
        // Delete child data using the stored procedure; values are bound, not concatenated
        delSt = conn.prepareCall("{call DELETE_USERGROUP(?,?)}");
        if (childDataEOSet != null) {
            System.out.println("[removeMultiValuedAttributeScript] Removing Group data.");
            // Iterate through the child data (embedded objects) and delete each membership
            for (iterator = childDataEOSet.iterator(); iterator.hasNext();) {
                eo = iterator.next();
                attrsSet = eo.getAttributes();
                grpattr = AttributeUtil.find("GROUPID", attrsSet);
                if (grpattr != null) {
                    groupid = grpattr.getValue().get(0);
                    delSt.setString(1, id);
                    delSt.setString(2, groupid);
                    delSt.executeUpdate();
                    System.out.println("[removeMultiValuedAttributeScript] Deleted Group::" + grpattr);
                }
            }
        }
    }
} finally {
    if (delSt != null) delSt.close();
}

// Remove role assignments through the DELETE_USERROLE stored procedure
try {
    childDataEOSet = null;
    delSt = null;
    String id = attributes.get("__UID__").getValue().get(0);
    if (attributes.get("USER_ROLE") != null) {
        childDataEOSet = attributes.get("USER_ROLE").getValue();
        delSt = conn.prepareCall("{call DELETE_USERROLE(?,?)}");
        if (childDataEOSet != null) {
            System.out.println("[removeMultiValuedAttributeScript] Removing Role data.");
            for (iterator = childDataEOSet.iterator(); iterator.hasNext();) {
                eo = iterator.next();
                attrsSet = eo.getAttributes();
                roleattr = AttributeUtil.find("ROLEID", attrsSet);
                if (roleattr != null) {
                    rolename = roleattr.getValue().get(0);
                    delSt.setString(1, id);
                    delSt.setString(2, rolename);
                    delSt.executeUpdate();
                    System.out.println("[removeMultiValuedAttributeScript] Deleted Role::" + rolename);
                }
            }
        }
    }
} finally {
    if (delSt != null) delSt.close();
}
```
Update the configuration lookup definition to include information about the Groovy scripts as follows:
Note:
Perform the procedure described in this step only if you want to configure the connector for stored procedures and you have not entered values for script-related properties such as createScript, executeQueryScript, lookupScript, and so on in the DBATConfiguration.groovy file.
In the Design Console, expand Administration, and double-click Lookup Definition.
Search for and open the Lookup.Configuration.RESOURCE lookup definition.
Click Add.
In the newly added row, depending on the reconciliation or provisioning operations you want to perform, add one or more of the following lookup entries:

Table 3-3 Entries Specific to Groovy Script Configuration

Code Key | Decode |
---|---|
createScript[LOADFROMURL] | Enter the file URL of the Groovy script created for the create user account provisioning operation. |
updateScript[LOADFROMURL] | Enter the file URL of the Groovy script created for the update user account provisioning operation. |
deleteScript[LOADFROMURL] | Enter the file URL of the Groovy script created for the delete user account provisioning operation. |
executeQueryScript[LOADFROMURL] | Enter the file URL of the Groovy script created for full and filtered reconciliation. |
lookupScript[LOADFROMURL] | Enter the file URL of the Groovy script created for lookup field synchronization. |
syncScript[LOADFROMURL] | Enter the file URL of the Groovy script created for incremental reconciliation. |
addMultiValuedAttributeScript[LOADFROMURL] | Enter the file URL of the Groovy script created for the add multivalued attributes provisioning operation. |
removeMultiValuedAttributeScript[LOADFROMURL] | Enter the file URL of the Groovy script created for the remove multivalued attributes provisioning operation. |
Note:
Instead of the file URL of the Groovy script, you can directly enter the Groovy script in the Decode column. In such a case, ensure that the corresponding Code Key value does not contain [LOADFROMURL]. For example, if you directly enter the Groovy script for the create user account provisioning operation, then the corresponding code key entry must be createScript, instead of createScript[LOADFROMURL].
The following is a sample value for the removeMultiValuedAttributeScript[LOADFROMURL] entry:

file:///home/myname/dbat/scripts/removechilddata.groovy

Oracle Identity Manager runs whatever this file contains against the target system with the connector's database credentials, so restrict write access to the script files to the account that runs Oracle Identity Manager.
Click the Save icon.
To reset the password during the update operation, do the following:

Check whether the script argument attributes contains the password (__PASSWORD__) attribute:

```groovy
import org.identityconnectors.common.security.GuardedString;

GuardedString pass = attributes.get("__PASSWORD__") != null ? attributes.get("__PASSWORD__").getValue().get(0) : null;
```

If attributes contains the __PASSWORD__ attribute (not null), call the target stored procedure or SQL query to reset the password. GuardedString does not expose the clear text directly; read it inside an Accessor and bind it to the statement:

```groovy
upstmt = conn.prepareStatement("UPDATE PASSWORD....");
if (pass != null) {
    pass.access(new GuardedString.Accessor() {
        public void access(char[] clearChars) {
            upstmt.setString(1, new String(clearChars));
        }
    });
} else {
    // Update other attributes
}
upstmt.executeUpdate();
```
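The following is an added example of a complete updateScript built around the password check above; it is not part of the original page or of the connector's own code. It assumes a USERINFO table whose USERID column holds the __UID__ value, a PASSWORD column whose hashing is done on the target side (by a trigger or a stored procedure the UPDATE goes through), an allowlist of updatable columns FIRSTNAME, LASTNAME and EMAIL, and that attributes is a map keyed by attribute name as in the page's own scripts. The point it shows beyond the fragment above is how to keep the clear-text password confined to the Accessor callback and how to update the remaining attributes without letting an attribute name alter the SQL text.

```groovy
// Added example: updateScript with a password branch (not from the original
// page). See the lead-in for the assumed table, columns and hashing.
import org.identityconnectors.common.security.GuardedString
import org.identityconnectors.framework.common.objects.Attribute
import java.sql.PreparedStatement

String id = attributes.get('__UID__').getValue().get(0)

// Take the GuardedString only when the update actually carries a password.
Attribute passAttr = attributes.get('__PASSWORD__')
GuardedString pass = null
if (passAttr != null && passAttr.getValue() != null && !passAttr.getValue().isEmpty()) {
    pass = (GuardedString) passAttr.getValue().get(0)
}

if (pass != null) {
    PreparedStatement upstmt = null
    try {
        upstmt = conn.prepareStatement('UPDATE USERINFO SET PASSWORD = ? WHERE USERID = ?')
        // The clear text exists only inside the Accessor callback; the framework
        // zeroes clearChars when access() returns. new String() makes a copy the
        // JVM cannot wipe, so it is handed straight to the driver and never kept
        // in a script variable or written to the trace output.
        pass.access({ char[] clearChars ->
            upstmt.setString(1, new String(clearChars))
        } as GuardedString.Accessor)
        upstmt.setString(2, id)
        int rows = upstmt.executeUpdate()
        if (rows != 1) {
            throw new IllegalStateException('password update touched ' + rows + ' rows for ' + id)
        }
        System.out.println('[updateScript] Password reset for ' + id)
    } finally {
        if (upstmt != null) upstmt.close()
    }
}

// Remaining attributes go through their own bound UPDATE. Only allowlisted
// column names are accepted, so an attribute name cannot change the SQL text;
// __UID__, __NAME__ and __PASSWORD__ never match the allowlist.
final Set<String> UPDATABLE = ['FIRSTNAME', 'LASTNAME', 'EMAIL'] as Set
List<String> sets = []
List<String> binds = []
attributes.each { String name, Attribute a ->
    if (UPDATABLE.contains(name)) {
        sets << (name + ' = ?')
        List<Object> vals = a.getValue()
        binds << ((vals != null && !vals.isEmpty() && vals.get(0) != null) ? vals.get(0).toString() : null)
    }
}
if (sets) {
    PreparedStatement st = null
    try {
        st = conn.prepareStatement('UPDATE USERINFO SET ' + sets.join(', ') + ' WHERE USERID = ?')
        binds.eachWithIndex { String v, int i -> st.setString(i + 1, v) }
        st.setString(binds.size() + 1, id)
        st.executeUpdate()
    } finally {
        if (st != null) st.close()
    }
}
```

The row-count check matters in practice: an UPDATE whose WHERE clause matches nothing returns without error, and a silently skipped password reset leaves the old credential valid while Oracle Identity Manager records the operation as successful.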
This completes the procedure for configuring your connector to use stored procedures for provisioning operations.
You can upgrade the connector from release 11.1.1.5.0 to the current release.
If you want to upgrade the connector from release 11.1.1.5.0 to this release of the connector, then you must update the connector bundle JAR file. No other configuration procedure is required.
Already installed connectors need not be upgraded, because the connector artifacts are generated dynamically from the schema. However, if you want the latest functionality provided by the connector, then you must update the JAR file.
Note:
Before you perform the upgrade procedure:
It is strongly recommended that you create a backup of the Oracle Identity Manager database. Refer to the database documentation for information about creating a backup.
As a best practice, perform the upgrade procedure in a test environment initially.
To update the connector bundle JAR: