Deploying the connector involves the following steps:
Preinstallation information is divided across the following sections:
This section contains the following topics:
Table 2-1 lists the files and directories on the installation media.
Table 2-1 Files and Directories on the Installation Media

| File in the Installation Media Directory | Description |
|---|---|
| Files in the bundle directory | These JAR files contain bundles for the connector. |
| configuration/Peoplesoft_User-Management-CI.xml | This XML file contains configuration information that is used during connector installation. |
| Files in the dataset directory: ModifyProvisionedResource_PeoplesoftUser.xml, ProvisionResource_PeoplesoftUser.xml | These XML files contain preconfigured datasets that can be used to configure the provisioning operations. Note: These files are specific to Oracle Identity Manager releases prior to 11.1.2. |
| JavaDoc | This directory contains information about the Java APIs used by the connector. |
| lib/PSFT_UM-oim-integration.jar | This JAR file contains the class files that are specific to the integration of the connector with PeopleSoft target systems. During connector deployment, this file is copied to the Oracle Identity Manager database. |
| lib/PSFTCommon.jar | This JAR file contains PeopleSoft-specific files common to both the Employee Reconciliation and User Management versions of the connector. During connector deployment, this file is copied to the Oracle Identity Manager database. |
| The following files and directories in the listener directory: base directory, lib/deploytool.jar, build.xml, deploy.properties | The base directory contains the class files for the PeopleSoftOIMListener.ear file. This Enterprise Archive (EAR) file contains one or more entries representing the modules of the Web application to be deployed onto an application server. During connector deployment, the PeopleSoft listener is deployed as an EAR file. The deploytool.jar file contains the class files required for deploying the listeners. The build.xml file contains the configuration used to build the listener EAR file. The deploy.properties file contains the Oracle Identity Manager connection details. |
| The following files in the peoplecode directory: CurrencyCode.txt, EmailType.txt, LanguageCode.txt, PermissionList.txt, UserRoles.txt. The following project files in the peoplecode directory: OIM_UM, OIM_UM_DELETE | These files contain the PeopleCode for the steps that you define for the Application Engine program. This is explained in Creating the Application Engine Program If PeopleSoft Application Designer Project Is Not Imported and Creating the Application Engine Program If PeopleSoft Application Designer Project Is Imported. The project files contain the PeopleCode for the steps that you define for importing a project from Application Designer. This is explained in Importing a Project from Application Designer. Each project consists of two files, with .ini and .xml extensions, that have the same name as the project. |
| Files in the resources directory | Each of these resource bundles contains language-specific information that is used by the connector. During connector deployment, these files are copied to the Oracle Identity Manager database. Note: A resource bundle is a file containing localized versions of the text strings that include GUI element labels and messages. |
| test/config/reconConfig.properties, test/config/log.properties | These files are used by the InvokeListener.bat file. The reconConfig.properties file contains configuration information for running the InvokeListener.bat file. The log.properties file contains logger information. |
| test/config/config.properties | This file is used to specify the parameters and settings required to connect, create, update, and delete users in the target system by using the testing utility for provisioning operations. |
| test/lib/PSFTTest.jar | This JAR file is used by the testing utility for provisioning operations. |
| test/scripts/InvokeListener.bat, test/scripts/InvokeListener.sh | This BAT file and the UNIX shell script call the testing utility for reconciliation. |
| test/scripts/PeoplesoftProvisioningTester.bat, test/scripts/PeoplesoftProvisioningTester.sh | This BAT file and the UNIX shell script call the testing utility for provisioning. |
| xml/PeopleSoftComponentInterfaces.xml | This XML file contains PeopleSoft Component Interface map definitions for the connector components. |
| xml/PeoplesoftUserManagement-ConnectorConfig.xml | This XML file contains definitions for the connector components. |
| xml/PeoplesoftUserManagementRequestDatasets.xml | This XML file contains a preconfigured request dataset for the PeopleSoft User Management connector that can be imported into the metadata store (MDS). Note: This dataset should not be imported if you are using Oracle Identity Manager release 11.1.2.x or later. |
If you are using PeopleTools 8.53, PeopleTools 8.54, or PeopleTools 8.55, the JDK requirement is as follows:
- If you are already using a Connector Server, then it is mandatory to use JDK 1.7.0_02 as the minimum version in the Connector Server.
- If you are not using a Connector Server and Oracle Identity Manager is not using JDK 1.7.0_02, then perform one of the following steps:
   - Refer to the Oracle Identity Manager certification matrix and upgrade the JDK version used by Oracle Identity Manager to JDK 1.7.0_02 if it is supported.
   - If JDK 1.7.0_02 is not supported for Oracle Identity Manager, then it is mandatory to use a Connector Server with JDK 1.7.0_02 as the minimum version. In addition, enter the name of this Connector Server as the value of the Connector Server name parameter of the IT resource.
If you are using PeopleTools 8.56 or 8.57, the JDK requirement is as follows:
- If you are already using a Connector Server, then it is mandatory to use JDK 1.8.0_40 as the minimum version in the Connector Server.
- If you are not using a Connector Server and Oracle Identity Manager is not using JDK 1.8.0_40, then perform one of the following steps:
   - Refer to the Oracle Identity Manager certification matrix and upgrade the JDK version used by Oracle Identity Manager to JDK 1.8.0_40 if it is supported.
   - If JDK 1.8.0_40 is not supported for Oracle Identity Manager, then it is mandatory to use a Connector Server with JDK 1.8.0_40 as the minimum version. In addition, enter the name of this Connector Server as the value of the Connector Server name parameter of the IT resource.
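As an added example (not part of the Oracle guide), the following Python turns the JDK rule above into a check a deployer can run against the version strings reported by `java -version` on the Oracle Identity Manager host or on the Connector Server. The minimum versions are the ones the guide states; all function and constant names are this example's own.

```python
"""Added example (not from the Oracle connector guide): apply the guide's JDK rule
for the PeopleSoft User Management connector. Function and constant names are this
example's own; the minimum JDK versions are the ones the guide states."""
import re

# Minimum JDK per PeopleTools release, as stated in the guide.
MIN_JDK_BY_PEOPLETOOLS = {
    "8.53": "1.7.0_02",
    "8.54": "1.7.0_02",
    "8.55": "1.7.0_02",
    "8.56": "1.8.0_40",
    "8.57": "1.8.0_40",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_jdk_version(text):
    """Turn '1.7.0_02', '1.8.0_40' or the first line of `java -version` output
    (for example 'java version "1.8.0_202"') into a tuple that compares
    numerically, so that 1.7.0_80 correctly sorts above 1.7.0_02."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"unrecognised JDK version: {text!r}")
    major, minor, patch, update = match.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def required_jdk(peopletools_release):
    """Minimum JDK the guide requires for a PeopleTools release (8.53 to 8.57)."""
    try:
        return MIN_JDK_BY_PEOPLETOOLS[peopletools_release]
    except KeyError:
        raise ValueError(
            f"PeopleTools {peopletools_release} is not covered by this guide") from None


def jdk_plan(peopletools_release, oim_jdk, connector_server_jdk=None,
             oim_upgrade_supported=False):
    """Return (compliant, action) for a deployment.

    connector_server_jdk: JDK of an existing Connector Server, or None when the
        bundle is to run inside Oracle Identity Manager (OIM).
    oim_upgrade_supported: whether the OIM certification matrix allows OIM
        itself to move to the required JDK.
    """
    minimum = required_jdk(peopletools_release)
    need = parse_jdk_version(minimum)
    if connector_server_jdk is not None:
        # A Connector Server is in use: the rule applies to its JDK.
        if parse_jdk_version(connector_server_jdk) >= need:
            return True, f"Connector Server JDK {connector_server_jdk} meets the minimum {minimum}"
        return False, f"upgrade the Connector Server JDK to at least {minimum}"
    if parse_jdk_version(oim_jdk) >= need:
        return True, f"OIM JDK {oim_jdk} meets the minimum {minimum}; the bundle can run in OIM"
    if oim_upgrade_supported:
        return False, f"upgrade the OIM JDK to at least {minimum} as per the certification matrix"
    return False, (f"JDK {minimum} is not certified for OIM: deploy a Connector Server on JDK "
                   f">= {minimum} and set its name in the Connector Server name IT resource parameter")


if __name__ == "__main__":
    print(jdk_plan("8.56", 'java version "1.7.0_80"'))
```

The tuple comparison is the part worth keeping: a plain string comparison would rank `1.7.0_80` below `1.7.0_02` and flag a compliant host as non-compliant.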
Permission lists, roles, and user profiles are the building blocks of PeopleSoft security. Each user of the system has an individual user profile, which in turn is linked to one or more roles. To each role, you can add one or more permission lists, which define what a user can access. A user therefore inherits permissions through the roles that are attached to the user profile.
You must create limited rights users who have restricted rights to access resources in the production environment to perform PeopleSoft-specific installation or maintenance operations. A limited rights user has the privilege to invoke PeopleSoft User Profile Component Interface Java APIs for provisioning.
The preinstallation steps consist of creating a user account with limited rights. Permission lists may contain any number of accesses, such as the Web libraries permission, Web services permissions, page permissions, and so on. You attach this permission list to a role, which in turn is linked to a user profile.
This section describes the following procedures, which have to be performed on the target system to create a user account with limited rights:
A PeopleSoft Application Designer project is an efficient way to configure your application.
You can import the OIM_UM project created in Application Designer to automate the steps for creating a permission list. You can also create a permission list by manually performing the steps described in Creating a Permission List. If you import the OIM_UM project, then you need not perform the steps mentioned in this section. You must perform a separate set of instructions for creating an Application Engine program if you have imported the project. See Creating the Application Engine Program If PeopleSoft Application Designer Project Is Not Imported and Creating the Application Engine Program If PeopleSoft Application Designer Project Is Imported for details.
Note:
If you install, uninstall, or upgrade the same project repeatedly, the earlier project definition will be overwritten in the database.
To import a project from Application Designer:
Note:
You can access the project files from the following directories:
OIM_HOME/server/XLIntegrations/PSFTUM/peoplecode/OIM_UM
OIM_HOME/server/XLIntegrations/PSFTUM/peoplecode/OIM_UM_DELETE
Copy these files to a directory on your computer from where you can access Application Designer.
Note:
You can remove the PeopleSoft project file and all its objects from the target system if needed. To do so, repeat the steps described in the preceding procedure. When you reach Step 4, select OIM_UM_DELETE from the Select Project from the List Below region.
You must create a target system account with privileges required for connector operations. The user account created on the target system has the permission to perform all the configurations required for connector operations. This includes configuring the PeopleSoft Integration Broker for full reconciliation and incremental reconciliation. This account does not have access to pages or components that are not required by the connector.
The following section describes the procedures to create a target system account:
Note:
For creating the target system account, you must log in to PeopleSoft Internet Architecture with administrator credentials.
To create a permission list:
Note:
You can skip this section if you have imported a project from Application Designer. See Importing a Project from Application Designer for more information.
1. Open a Web browser and enter the URL for PeopleSoft Internet Architecture. The URL is in the following format:
   http://IPADDRESS:PORT/psp/ps/?cmd=login
   For example:
   http://172.21.109.69:9080/psp/ps/?cmd=login
2. In the PeopleSoft Internet Architecture window:
   - For PeopleTools 8.54 and earlier releases, click PeopleTools, Security, Permissions & Roles, and then click Permission Lists.
   - For PeopleTools 8.55, 8.56, and 8.57, click NavBar, Navigator, PeopleTools, Security, Permissions & Roles, and then click Permission Lists.
3. Click Add a new Value. On the Add a New Value tab, enter the permission list name, for example, OIMUM, and then click Add.
4. On the General tab, enter a description for the permission list in the Description field.
5. On the Component Interfaces tab, click the search icon for the Name field and perform the following:
   a. In the Name lookup, enter USER_PROFILE and then click Lookup. From the list, select USER_PROFILE. The application returns to the Component Interfaces tab. Click Edit.
   b. On the Component Interface Permissions page, click Full Access(All).
   c. Click OK and then click Save.
   d. Click the plus sign (+) to add a row for the Name field and repeat Steps a through c for the DELETE_USER_PROFILE component interface.
6. On the Pages tab, click the search icon for Menu Name and perform the following:
   a. In the Menu Name lookup, enter APPLICATION_ENGINE and then click Lookup. From the list, select APPLICATION_ENGINE. The application returns to the Pages tab. Click Edit Components.
   b. On the Component Permissions page, click Edit Pages for the AE_REQUEST component name.
   c. Click Select All, and then click OK. Click OK on the Component Permissions page.
   d. On the Pages tab, click the plus sign (+) to add a row for Menu Name. Click the search icon for Menu Name. In the Menu Name lookup, enter IB_PROFILE and then click Lookup. From the list, select IB_PROFILE. The application returns to the Pages tab. Click Edit Components.
   e. On the Component Permissions page, click Edit Pages for each of the following component names:
      - IB_GATEWAY
      - IB_MESSAGE_BUILDER
      - IB_MONITOR_QUEUES
      - IB_NODE
      - IB_OPERATION
      - IB_QUEUEDEFN
      - IB_ROUTINGDEFN
      - IB_SERVICE
      - IB_SERVICEDEFN
      - IB_MONITOR
   f. Click Select All, and then click OK for each of the components. Click OK on the Component Permissions page.
   g. On the Pages tab, click the plus sign (+) to add another row for Menu Name.
   h. In the Menu Name lookup, enter PROCESSMONITOR and then click Lookup. From the list, select PROCESSMONITOR. The application returns to the Pages tab. Click Edit Components.
   i. On the Component Permissions page, click Edit Pages for the PROCESSMONITOR component name.
   j. Click Select All, and then click OK. Click OK on the Component Permissions page.
   k. On the Pages tab, click the plus sign (+) to add another row for Menu Name.
   l. In the Menu Name lookup, enter PROCESS_SCHEDULER and then click Lookup. From the list, select PROCESS_SCHEDULER. The application returns to the Pages tab. Click Edit Components.
   m. On the Component Permissions page, click Edit Pages for the PRCSDEFN component name.
   n. Click Select All, and then click OK. Click OK on the Component Permissions page.
7. On the People Tools tab, select the Application Designer Access check box and click the Definition Permissions link. The Definition Permissions page is displayed.
   a. On this page, grant full access to the following object types by selecting Full Access from the Access list:
      - App Engine Program
      - Message
      - Component Interface
      - Project
      - Application Package
   b. Click OK.
   c. Click the Tools Permissions link. The Tools Permissions page is displayed. On this page, grant full access to the SQL Editor tool by selecting Full Access from the Access list.
   d. Click OK. The application returns to the People Tools tab.
8. On the Web Libraries tab, click the search icon for the Web Library Name field and perform the following:
   a. In the Web Library Name lookup, enter WEBLIB_PORTAL and then click Lookup. From the list, select WEBLIB_PORTAL. The application returns to the Web Libraries tab. Click the Edit link.
   b. On the WebLib Permissions page, click Full Access(All).
   c. Click OK and then click Save.
   d. Click the plus sign (+) to add a row for the Web Library Name field and repeat Steps a through c for the WEBLIB_PT_NAV library.
   e. Click Save to save all the settings specified for the permission list.
9. On the Process tab, click the Process Group Permissions link. The Process Group Permission page is displayed.
   a. In the Process Group lookup, click the search icon. From the list, select TLSALL. The application returns to the Process Group Permission page.
   b. Click the plus sign (+) to add another row for Process Group.
   c. In the Process Group lookup, click the search icon. From the list, select STALL. The application returns to the Process Group Permission page.
   d. Click OK.
   e. Click Save.
To create a role for a limited rights user:
1. Open a Web browser and enter the URL for PeopleSoft Internet Architecture. The URL is in the following format:
   http://IPADDRESS:PORT/psp/ps/?cmd=login
   For example:
   http://172.21.109.69:9080/psp/ps/?cmd=login
2. In the PeopleSoft Internet Architecture window:
   - For PeopleTools 8.54 and earlier releases, click PeopleTools, Security, Permissions & Roles, and then click Roles.
   - For PeopleTools 8.55, 8.56, and 8.57, click NavBar, Navigator, PeopleTools, Security, Permissions & Roles, and then click Roles.
3. Click Add a new Value. On the Add a New Value tab, enter the role name, for example, OIMUM, and then click Add.
4. On the General tab, enter a description for the role in the Description field.
5. On the Permission Lists tab, click the search icon and perform the following:
   a. In the Permission Lists lookup, enter OIMUM and then click Lookup. From the list, select OIMUM.
   b. Click the plus sign (+) to add another row.
   c. In the Permission Lists lookup, enter EOEI9000 and then click Lookup. From the list, select EOEI9000.
      Note: Permission list EOEI9000 is not available in PeopleTools 8.53, 8.54, 8.55, 8.56, or 8.57, and is hence not applicable to those releases.
   d. Click the plus sign (+) to add another row.
   e. In the Permission Lists lookup, enter EOCO9000 and then click Lookup. From the list, select EOCO9000.
6. Click Save.
To assign the required privileges to a user:
1. Open a Web browser and enter the URL for PeopleSoft Internet Architecture. The URL is in the following format:
   http://IPADDRESS:PORT/psp/ps/?cmd=login
   For example:
   http://172.21.109.69:9080/psp/ps/?cmd=login
2. In the PeopleSoft Internet Architecture window:
   - For PeopleTools 8.54 and earlier releases, click PeopleTools, Security, User Profiles, and then click User Profiles.
   - For PeopleTools 8.55, 8.56, and 8.57, click NavBar, Navigator, PeopleTools, Security, User Profiles, and then click User Profiles.
3. Click Add a new Value. On the Add a New Value tab, enter the user profile name, for example, OIMUM, and then click Add.
4. On the General tab, perform the following:
   a. From the Symbolic ID list, select the value that is displayed, for example, SYSADM1.
   b. Enter valid values for the Password and Confirm Password fields.
   c. Click the search icon for the Process Profile permission list.
   d. In the Process Profile lookup, enter OIMUM and then click Lookup. From the list, select OIMUM. The application returns to the General tab.
5. On the ID tab, select none as the value of the ID type.
6. On the Roles tab, click the search icon and perform the following:
   a. In the Roles lookup, enter OIMUM and then click Lookup. From the list, select OIMUM.
   b. Click the plus sign (+) to add another row.
   c. In the Roles lookup, enter ProcessSchedulerAdmin and then click Lookup. From the list, select ProcessSchedulerAdmin.
   d. Click the plus sign (+) to add another row.
   e. In the Roles lookup, enter EIR Administrator and then click Lookup. From the list, select EIR Administrator.
      Note: Role EIR Administrator is not available in PeopleTools 8.53, 8.54, 8.55, 8.56, or 8.57, and is hence not applicable to those releases.
7. Click Save to save this user profile.
Oracle Identity Manager uses this profile for the Admin user parameter in IT resource to enable the connector to perform provisioning operations. This profile is also used for a user with limited rights in PeopleSoft for performing all reconciliation-related configurations.
This procedure is optional. If you want to run the connector code (bundle) remotely in a Connector Server, then install and configure the Connector Server as follows:
Note:
For related information, see Running the Connector Server and Creating the IT Resource for the Connector Server.
To configure the Connector Server to support multiple versions of the connector:
The connector bundle JAR files copied to the CONNECTOR_SERVER_HOME/bundle directory must contain a target system-specific copy of the psjoa.jar file. For PeopleTools 8.54, PeopleTools 8.55, PeopleTools 8.56, and PeopleTools 8.57, the bundle must also contain a target system-specific copy of the psmanagement.jar file.
Ensure that there are no JAR files in the CONNECTOR_SERVER_HOME/lib directory.
This procedure is optional. If you want to run the connector code (bundle) remotely in a Connector Server, then install and configure the Connector Server as described in Installing and Configuring the Connector Server. See Creating the IT Resource for the Connector Server for related information.
After installing and configuring the Connector Server, perform one of the following procedures to run the Connector Server depending on your platform:
To run the Connector Server on UNIX and Linux systems, use the connectorserver.sh script, as follows:
You can run the connector code locally in Oracle Identity Manager or remotely in a Connector Server.
This section contains the following topics:
Depending on where you want to run the connector code (bundle), the connector provides the following installation options:
Run the connector code locally in Oracle Identity Manager.
In this scenario, you deploy the connector in Oracle Identity Manager.
Run the connector code remotely in a Connector Server.
In this scenario, you deploy the connector in Oracle Identity Manager, and then, deploy the connector bundle in a Connector Server. See Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about installing, configuring, and running the Connector Server.
Installation on Oracle Identity Manager consists of the following procedures:
Note:
Direct provisioning is automatically enabled after you run the Connector Installer. If required, you can enable request-based provisioning in the connector. Direct provisioning is automatically disabled when you enable request-based provisioning. See Enabling Request-Based Provisioning if you want to use the request-based provisioning feature for this target system.
To run the Connector Installer:
Create a directory for the connector, for example, PSFT_UM-11.1.1.6.0, in the OIM_HOME/server/ConnectorDefaultDirectory/targetsystems-lib directory. This directory contains connector-specific files.
Copy the psjoa.jar file from the PEOPLESOFT_HOME/web/psjoa directory to the directory created in Step 1.
Note:
If you are using PeopleTools 8.54, PeopleTools 8.55, PeopleTools 8.56, or PeopleTools 8.57, you must also copy the psmanagement.jar file from PEOPLESOFT_HOME/client-tools/class to the directory created in Step 1 of this procedure.
Copy the contents of the connector installation media directory into another directory to hold the installation files.
For example: OIM_HOME/server/ConnectorDefaultDirectory/PSFT_UM-11.1.1.6.0
Note:
In an Oracle Identity Manager cluster, perform this step on each node of the cluster.
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
For Oracle Identity Manager release 11.1.1.x:
Log in to Oracle Identity Manager Administration and User Console by using the user account described in Creating the User Account for Installing Connectors of Oracle Fusion Middleware Administering Oracle Identity Manager.
On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Manage Connector.
For Oracle Identity Manager release 11.1.2.x:
Log in to Oracle Identity System Administration.
In the left pane, under System Management, click Manage Connector.
In the Manage Connector page, click Install.
From the Connector List, select PeopleSoft User Management 11.1.1.6.0. This list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory in Step 1.
If you have copied the installation files into a different directory, then:
In the Alternative Directory field, enter the full path and name of that directory.
To repopulate the list of connectors in the Connector List, click Refresh.
From the Connector List, select PeopleSoft User Management 11.1.1.6.0.
Click Load.
To start the installation process, click Continue.
The following tasks are performed, in sequence:
Configuration of connector libraries
Import of the connector XML files (by using the Deployment Manager)
Compilation of adapters
On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:
Retry the installation by clicking Retry.
Cancel the installation and begin again from Step 1.
If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of steps that you must perform after the installation is displayed. These steps are as follows:
Note:
At this stage, run the PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Clearing Content Related to Connector Resource Bundles from the Server Cache for information about running the PurgeCache utility.
There are no prerequisites for some predefined connectors.
Configuring the IT resource for the connector.
See Configuring the IT Resource for more information.
Configuring the scheduled tasks.
See Configuring the Scheduled Jobs for Lookup Field Synchronization for more information.
Configuring the xmlMapping lookup in the configuration lookup definition.
See Setting Up the Lookup.PSFT.Configuration Lookup Definition for more information.
When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-1.
Table 2-2 lists all the files that you must copy manually and the directories on the Oracle Identity Manager host computer to which you must copy them.
Note:
While installing Oracle Identity Manager in a cluster, you copy the contents of the installation directory to each node of the cluster. Similarly, you must copy the contents of the connectorResources directory and the JAR files to the corresponding directories on each node of the cluster.
The directory paths given in the first column of this table correspond to the location of the connector files on the installation media. See Files and Directories on the Installation Media for more information about these files.
If a particular destination directory does not exist on the Oracle Identity Manager host computer, then create it.
Table 2-2 Files to Be Copied to the Oracle Identity Manager Host Computer

| File in the Installation Media Directory | Destination for Oracle Identity Manager |
|---|---|
| xml/PeoplesoftComponentInterfaces.xml | Copy to a path applicable to each node of the target system. Map the path to the xmlMapping lookup in the configuration lookup. |
| lib/PeopleSoftOIMListener.ear | OIM_HOME/server/ConnectorDefaultDirectory/PSFT_UM-11.1.1.6.0/listener/ |
| Files in the peoplecode directory | OIM_HOME/server/ConnectorDefaultDirectory/PSFT_UM-11.1.1.6.0/peoplecode |
| Files in the test/scripts directory | OIM_HOME/server/ConnectorDefaultDirectory/PSFT_UM-11.1.1.6.0/scripts |
| Files in the test/config directory | OIM_HOME/server/ConnectorDefaultDirectory/PSFT_UM-11.1.1.6.0/config |
Note:
You might want to configure the connector for different versions of the target system simultaneously. See Configuring the Connector to Support Multiple Versions of the Target System for more information about creating and placing the target system-specific JAR files.
The IT resource for the target system contains connection information about the target system. Oracle Identity Manager uses this information during provisioning and reconciliation.
When you run the Connector Installer, the PSFT User IT resource is automatically created in Oracle Identity Manager. You must specify values for the parameters of this IT resource as follows:
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
For Oracle Identity Manager release 11.1.1.x:
Log in to the Administrative and User Console.
For Oracle Identity Manager release 11.1.2.x:
Log in to Oracle Identity System Administration.
If you are using Oracle Identity Manager release 11.1.1.x, then:
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
If you are using Oracle Identity Manager release 11.1.2.x, in the left pane, under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter PSFT User and then click Search.
Click the edit icon for the IT resource.
From the list at the top of the page, select Details and Parameters.
Click Edit and specify values for the parameters of the IT resource. Table 2-3 describes each parameter.
Click Update to save the values.
Table 2-3 describes the IT resource parameters.
Table 2-3 IT Resource Parameters

| Parameter | Description |
|---|---|
| Configuration Lookup | Name of the lookup definition that contains configuration information. Default value: Note: You must not change the value of this parameter. However, if you create a copy of all the connector objects, then you can specify the unique name of the copy of this lookup definition as the value of the Configuration Lookup Name parameter in the copy of the IT resource. |
| Connector Server Name | Name of the remote Connector Server IT resource, if any. See Creating the IT Resource for the Connector Server for related information. |
| IsActive | Specifies whether the specified IT resource is in use or not. Default value: |
| TopologyName | Name of the Segregation of Duties (SoD) topology, if any SoD integration exists. See Specifying a Value for the TopologyName IT Resource Parameter for more information. |
| URL | JOLT URL of the computer hosting the PeopleSoft application server. Format: Sample value: See Determining the JOLT Listener Port for instructions on locating the Jolt Listener port. Note: If you have implemented high availability for PeopleSoft Application Servers, then you need not perform any additional step on Oracle Identity Manager for provisioning to work. You have to provide the correct Jolt URL according to your high availability setup for PeopleSoft Application Servers. For more information about high availability, see Red Paper on Clustering and High Availability for Enterprise Tools 8.4x on Oracle Support and Working with Jolt Configuration Options in the PeopleBook Enterprise PeopleTools 8.49 PeopleBook: System and Server Administration. |
| User | User name of the target system account to be used for connector operations. You create this account by performing the procedure described in the Creating a Target System User Account for Connector Operations section. Sample value: |
| Password | Password of the target system account specified by the User parameter. |
You can obtain the Jolt Listener port number from the PeopleSoft Application Server configuration file, psappsrv.cfg.
To locate the Jolt Listener Port:
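The steps of that procedure are not reproduced on this page. As an added example (not from the Oracle guide), the following Python reads the Jolt listener address and port from a psappsrv.cfg file so the value can be entered into the URL parameter of the IT resource. The `[JOLT Listener]` section name and its `Address` and `Port` keys are assumed from the usual layout of that file, the sample file content is constructed for the example, and all function names are this example's own.

```python
"""Added example (not from the Oracle guide): read the Jolt listener address and
port from a PeopleSoft application server configuration file (psappsrv.cfg).
The [JOLT Listener] section and the Address/Port keys are assumed from the usual
layout of that file; the sample text below is constructed, not a real file."""
import re

# Constructed excerpt in the style of psappsrv.cfg. Note the second Port under
# [Workstation Listener]: that is the Tuxedo workstation port, not the Jolt port.
SAMPLE_PSAPPSRV_CFG = """\
[Domain Settings]
Domain ID=PSDMO

[JOLT Listener]
;=========================================================================
; Settings for JOLT Listener
;=========================================================================
Address=%PS_MACH%
Port=9000
Encryption=0

[Workstation Listener]
Port=7000
"""


def parse_cfg(text):
    """Minimal INI-style parser: [section] headers, key=value lines, ';' or '#'
    comments. Keys may contain spaces (e.g. 'Domain ID'), so split on the
    first '=' only, and keep key case as written."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def jolt_listener(text, host_vars=None):
    """Return (address, port) for the Jolt listener. %VAR% placeholders such as
    %PS_MACH% are resolved from host_vars (the application server host name);
    unresolved placeholders are left as-is so the caller can notice them."""
    section = parse_cfg(text).get("JOLT Listener")
    if section is None:
        raise ValueError("no [JOLT Listener] section in psappsrv.cfg")
    port = int(section["Port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"Jolt port out of range: {port}")
    variables = host_vars or {}
    address = re.sub(r"%(\w+)%",
                     lambda m: variables.get(m.group(1), m.group(0)),
                     section.get("Address", ""))
    return address, port


if __name__ == "__main__":
    print(jolt_listener(SAMPLE_PSAPPSRV_CFG, {"PS_MACH": "psapp01.example.com"}))
```

A hand-written parser is used instead of Python's configparser because psappsrv.cfg values such as `%PS_MACH%` would trip configparser's `%` interpolation and its key lower-casing changes the names. The point of the example is that the file carries several `Port` lines; only the one under `[JOLT Listener]` is the value the IT resource needs.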
You can configure the connector for multiple versions of the target system simultaneously.
This section contains the following topics:
You might want to configure the connector for different versions of the target system simultaneously. For example, you can use the connector to perform provisioning operations on both PeopleTools 8.48 and PeopleTools 8.49 simultaneously. The following example illustrates this requirement:
The London and New York offices of Example Multinational Inc. have their own installations of the target system. The London office has a PeopleTools 8.48 installation, while the New York office has a PeopleTools 8.49 installation. You have to provision resources on both installations of PeopleTools simultaneously.
To meet the requirement posed by such a scenario:
You can configure a single version of the connector to simultaneously provision the resources on both versions of the target system. The connector uses a class loading mechanism that toggles between the different versions of the installation. You only need to place the target system-specific JAR files on the computer that hosts Oracle Identity Manager.
To configure the connector to support multiple versions of the target system:
From the connector package, copy the bundle JAR file in a temporary directory.
Sample JAR file: bundle/org.identityconnectors.peoplesoftintfc-1.0.5963.jar
Sample temporary directory: c:\temp
Run the following command to extract the manifest file, META-INF/MANIFEST.MF, from the JAR file:
jar -xvf org.identityconnectors.peoplesoftintfc-1.0.5963.jar
Note:
You can also run the WinZip or WinRAR utility to extract the contents from the JAR file.
Delete the bundle JAR file in the temporary directory.
Update the value of ConnectorBundle-Version in the manifest file to a new value.
For example:
ConnectorBundle-Version: 1.0.5964
Copy the psjoa.jar file (target specific) from the PEOPLESOFT_HOME/web/psjoa directory to the lib folder of the extracted bundle jar.
Note:
If you are using PeopleTools 8.54, PeopleTools 8.55, PeopleTools 8.56, or PeopleTools 8.57, you must also copy the psmanagement.jar file (target specific) from the PEOPLESOFT_HOME/client-tools/class directory to the lib folder of the extracted bundle jar.
Create a new bundle JAR file that contains the updated manifest file as follows:
Open the command prompt and navigate to the temporary directory:
c:\temp
Run the following command:
jar -cvfm org.identityconnectors.peoplesoftintfc-1.0.5964.jar META-INF/MANIFEST.MF *
The new connector bundle JAR name contains the new bundle version.
In the case of a remote connector server, copy the new bundle JAR file into the bundles directory of the remote connector server instead of posting the JAR file to the Oracle Identity Manager database. Skip to Step 8.
Run the Oracle Identity Manager Upload JARs utility to post the JAR file created in Step 6 to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:
Note:
Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.
For Microsoft Windows:
OIM_HOME/server/bin/UploadJars.bat
For UNIX:
OIM_HOME/server/bin/UploadJars.sh
When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Select ICFBundle as the JAR type.
See Also:
Upload JARs Utility in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for detailed information about the Upload JARs utility
Create a copy of the configuration lookup, for example, Lookup.PSFTV2.Configuration.
Ensure you update the new lookup with the bundle version.
Create a new PeopleSoft UM IT resource definition for the new bundle. Map the Configuration Lookup parameter of the new IT resource to Lookup.PSFTV2.Configuration.
The new IT resource will use the new bundle and the corresponding third-party libraries without affecting the previous installations.
Repeat the preceding procedure for the other version of the target system, PeopleSoft 8.48.
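The repackaging steps above can be scripted. The following Python example is added here and is not part of the connector or Oracle's documentation: it rewrites ConnectorBundle-Version in META-INF/MANIFEST.MF, adds the target-specific JARs under lib/, and names the new file after the new version. It assumes the version attribute sits on a single manifest line and that the bundle file name carries the version, as bundle/org.identityconnectors.peoplesoftintfc-1.0.5963.jar does; the input JARs it builds for the demo are constructed stand-ins, not the real bundle or psjoa.jar.

```python
"""Rebundle an ICF connector JAR under a new ConnectorBundle-Version.

Added example, not the connector's or Oracle's tooling: automates the
manual jar -xvf / edit MANIFEST.MF / jar -cvfm steps and adds the
target-specific JARs (psjoa.jar, plus psmanagement.jar for 8.54+) under
lib/, so the new bundle can sit beside the old one.
"""
import os
import re
import tempfile
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
# Assumes the attribute sits on one manifest line (no 72-byte continuation).
VERSION_RE = re.compile(r"^(ConnectorBundle-Version:[ \t]*)(\S+)", re.MULTILINE)


def read_bundle_version(manifest_text):
    """Return the ConnectorBundle-Version value, or None if the key is absent."""
    m = VERSION_RE.search(manifest_text)
    return m.group(2) if m else None


def set_bundle_version(manifest_text, new_version):
    """Rewrite only the ConnectorBundle-Version line; every other line is kept."""
    if read_bundle_version(manifest_text) is None:
        raise ValueError("ConnectorBundle-Version not found in manifest")
    return VERSION_RE.sub(lambda m: m.group(1) + new_version, manifest_text, count=1)


def rebundle(src_jar, new_version, extra_lib_jars, out_dir=None):
    """Write <bundle-name>-<new_version>.jar next to src_jar (or in out_dir).

    The new JAR holds every entry of src_jar with the manifest version
    replaced, plus each path in extra_lib_jars stored as lib/<basename>.
    Returns the path of the new bundle JAR.
    """
    out_dir = out_dir or os.path.dirname(os.path.abspath(src_jar))
    base = os.path.basename(src_jar)
    with zipfile.ZipFile(src_jar) as zin:
        manifest = zin.read(MANIFEST).decode("utf-8")
        old_version = read_bundle_version(manifest)
        if old_version is None:
            raise ValueError(f"{base}: no ConnectorBundle-Version in manifest")
        if new_version == old_version:
            raise ValueError("the new version must differ from the current one")
        # Bundle files are named <symbolic-name>-<version>.jar, as on the page.
        if f"-{old_version}.jar" not in base:
            raise ValueError(f"{base}: file name does not carry version {old_version}")
        dst = os.path.join(out_dir, base.replace(f"-{old_version}.jar", f"-{new_version}.jar"))
        lib_entries = {p: "lib/" + os.path.basename(p) for p in extra_lib_jars}
        clash = [e for e in lib_entries.values() if e in zin.namelist()]
        if clash:
            raise ValueError(f"already present in the bundle: {clash}")
        with zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
            # Manifest first, as jar(1) writes it, so JAR readers find it early.
            zout.writestr(MANIFEST, set_bundle_version(manifest, new_version))
            for info in zin.infolist():
                if info.filename != MANIFEST and not info.is_dir():
                    zout.writestr(info.filename, zin.read(info.filename))
            for path, entry in lib_entries.items():
                zout.write(path, entry)
    return dst


def make_sample_bundle(directory, version="1.0.5963"):
    """Constructed stand-in for bundle/org.identityconnectors.peoplesoftintfc-<version>.jar."""
    path = os.path.join(directory, f"org.identityconnectors.peoplesoftintfc-{version}.jar")
    manifest = ("Manifest-Version: 1.0\r\n"
                "ConnectorBundle-Name: org.identityconnectors.peoplesoftintfc\r\n"
                f"ConnectorBundle-Version: {version}\r\n\r\n")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(MANIFEST, manifest)
        z.writestr("org/identityconnectors/peoplesoftintfc/Placeholder.class", b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Rebundle the constructed sample as 1.0.5964 with a stand-in psjoa.jar and
    return the new JAR's name, manifest version and entry list for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        src = make_sample_bundle(tmp)
        psjoa = os.path.join(tmp, "psjoa.jar")  # stands in for PEOPLESOFT_HOME/web/psjoa/psjoa.jar
        with zipfile.ZipFile(psjoa, "w") as z:
            z.writestr("placeholder.txt", b"constructed stand-in, not the real psjoa.jar")
        new = rebundle(src, "1.0.5964", [psjoa])
        with zipfile.ZipFile(new) as z:
            entries = z.namelist()
            version = read_bundle_version(z.read(MANIFEST).decode("utf-8"))
    return {"jar": os.path.basename(new), "version": version, "entries": entries}


if __name__ == "__main__":
    print(demo())
```

Point rebundle() at the real bundle and at PEOPLESOFT_HOME/web/psjoa/psjoa.jar (and psmanagement.jar where the page requires it), then upload the resulting file with the Upload JARs utility as ICFBundle exactly as in Step 7.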
The PeopleSoft listener is a Web application that is deployed on an Oracle Identity Manager host computer. The PeopleSoft listener parses the XML message and creates a reconciliation event in Oracle Identity Manager.
Note:
The PeopleSoft Employee Reconciliation and PeopleSoft User Management connectors have different IT resources. Therefore, you must configure separate HTTP nodes for messages of the Employee Reconciliation and User Management connectors.
Even if an existing node is configured to the PeopleSoft listener on Oracle Identity Manager, a separate node is required for messages of the PeopleSoft Employee Reconciliation connector.
A single listener is sufficient for both the connectors. You can configure the nodes to point to the same listener with different IT resource names.
If you are using IBM WebSphere Application Server, perform the procedure described in Deploying the PeopleSoft Listener on WebSphere Application Server.
See Also:
Upgrading the PeopleSoft Listener for information about upgrading the listener
This section contains the following topics:
Deploying the PeopleSoft Listener on Oracle Identity Manager
Prerequisites for Deploying the PeopleSoft Listener on WebSphere Application Server
Deploying the PeopleSoft Listener on WebSphere Application Server
Importing Oracle Identity Manager CA Root Certificate for WebLogic Server
Importing Oracle Identity Manager CA Root Certificate for WebSphere Application Server
Before deploying the PeopleSoft listener, perform the following steps:
Ensure Apache Ant 1.7 or later and JDK 1.6 or later are installed.
Set the following environment values in ant.properties:
ORACLE_HOME maps to the Oracle Identity Manager installation directory. For example, /ps1/beahome/Oracle_IDM1
ORACLE_COMMON maps to the oracle_common directory in MW_HOME, where MW_HOME is the directory in which Oracle Identity Management Suite is installed. For example, /ps1/beahome/oracle_common
WLS_HOME maps to the WebLogic Server directory. For example, /middleware/wlserver_10.3
JAVA_HOME maps to your JDK environment. For example, C:\Program Files\Java\jdk1.6.0_24
PATH must include the JAVA_HOME/bin directory. You can set the PATH variable using the SET PATH=$JAVA_HOME/bin:$PATH command.
Build the wlfullclient.jar file in Oracle WebLogic server, for example, in the WLS_HOME/server/lib directory:
Change directories to WLS_HOME/server/lib.
Run the following command:
java -jar ../../../modules/com.bea.core.jarbuilder_1.3.0.0.jar
Note:
The exact jar file version can differ depending on the WebLogic Server version. Use the corresponding file whose name begins with com.bea.core.jarbuilder in the WLS_HOME/../modules/ directory.
Start Oracle Identity Manager and the Admin Server.
To deploy the PeopleSoft listener on Oracle Identity Manager:
Note:
If you need to deploy the listener in an Oracle Identity Manager cluster, then:
Specify the name of the cluster for the oim.server.name property in the listener/deploy.properties file.
Update the following configurations appropriately with the URL of the listener, /PeopleSoftOIMListener:
Front-end web server
Load balancer
PeopleSoft nodes
Copy the connector package into the OIM_HOME/server/ConnectorDefaultDirectory directory of every node.
Before deploying the PeopleSoft listener, ensure Apache Ant 1.7 or later and JDK 1.6 or later are installed. Then, set the following environment values in the ant.properties file:
OIM_ORACLE_HOME maps to the Oracle Identity Manager installation directory. For example, /ps1/was/Oracle_IDM1. You can set this variable using the setenv OIM_ORACLE_HOME <value> command.
JAVA_HOME maps to your JDK environment. For example, /usr/local/packages/jdk16/. You can set this variable using the setenv JAVA_HOME <value> command.
PATH must include the JAVA_HOME/bin directory. You can set this variable using the setenv PATH $JAVA_HOME/bin:$PATH command.
Create the listener EAR file in the listener directory. To do so:
Change directories to $OIM_ORACLE_HOME/server/ConnectorDefaultDirectory/PSFT_UM-11.1.1.6.0/listener.
Run the following commands:
rm -rf deployear
mkdir deployear
cp -rf base/PeopleSoftOIMListener.ear/META-INF deployear
cp -rf base/PeopleSoftOIMListener.ear/PeopleSoftOIMListener.war/WEB-INF deployear
cp -rf $OIM_ORACLE_HOME/server/client/oimclient.jar deployear/WEB-INF/lib
cp -rf $OIM_ORACLE_HOME/server/platform/iam-platform-utils.jar deployear/WEB-INF/lib
cp -rf $OIM_ORACLE_HOME/server/platform/iam-platform-auth-client.jar deployear/WEB-INF/lib
cd deployear
sed -i 's/OIM_ADMIN_USER/xelsysadm/g' WEB-INF/web.xml
jar -cvf PeopleSoftOIMListener.war WEB-INF
rm -rf WEB-INF/
jar -cvf PeopleSoftOIMListener.ear META-INF PeopleSoftOIMListener.war
rm -rf META-INF
rm -rf PeopleSoftOIMListener.war
To deploy the PeopleSoft listener on IBM WebSphere Application Server:
If you have configured SSL in Oracle Identity Manager, then for the PeopleSoft listener to work over SSL you must import the Oracle Identity Manager CA root certificate into the PeopleSoft Web server.
To import the CA root certificate into the PeopleSoft Web server for WebLogic Server:
If you have configured SSL in Oracle Identity Manager, then for the PeopleSoft listener to work over SSL you must import the Oracle Identity Manager CA root certificate into the PeopleSoft Web server.
To import the CA root certificate into the PeopleSoft Web server for WebSphere Application Server:
If you uninstall the connector, you must also remove the listener. Installing a new connector over a previously deployed listener creates discrepancies.
Note:
This section is not a part of installation on Oracle Identity Manager. You might need this procedure to extend the connector.
See Upgrading the PeopleSoft Listener for more information about upgrading the listener.
This section contains the following topics:
To remove the PeopleSoft listener on WebSphere Application Server:
During this stage, you configure the target system to enable it for reconciliation and provisioning operations.
Note:
If the target system is PeopleSoft 9.1 with PeopleTools 8.51, the target system must be patched with the PeopleSoft USER_PROFILE project.
This information is provided in the following sections:
Lookup reconciliation reconciles the lookup definitions in Oracle Identity Manager for currency codes, languages, roles, permissions, and e-mail types with the corresponding lookup fields on the target system.
Configuring the target system for lookup reconciliation involves creating the properties file by performing the procedure described in the following section:
The Application Engine program populates the .properties file with the lookup data that is required for lookup reconciliation. This is a one-time procedure.
You can create the Application Engine program based on whether you have imported the PeopleSoft Application Designer project. Perform the procedure described in one of the following sections:
To create the Application Engine program if you have not imported the PeopleSoft Application Designer Project as described in Importing a Project from Application Designer, you must perform the following tasks:
To create the Application Engine program if you have imported the PeopleSoft Application Designer Project as described in Importing a Project from Application Designer, you must perform the following tasks:
Configuring the target system for full reconciliation involves configuring the USER_PROFILE message.
This section contains the following topics:
Note:
The screenshots are taken on PeopleTools 8.49 version. They may vary for other versions of PeopleTools.
EI Repository is a hidden folder in PeopleSoft. Therefore, you must display this folder.
Note:
If you are using PeopleTools 8.53 or later as the target system, do not perform the procedure described in this section.
Perform this procedure using the PeopleSoft administrator credentials.
To display the EI Repository folder:
Note:
If you are using PeopleTools 8.53 or later as the target system, do not perform the procedure described in this section.
You must activate the USER_PROFILE message so that it can be processed.
To activate the USER_PROFILE messages:
You must define and activate this rule, because it acts as a catalyst for the Full Reconciliation process. This rule provides the Full Reconciliation process the desired information to initiate reconciliation.
To activate the full data publish rule:
In the PeopleSoft Internet Architecture window:
For PeopleTools 8.54 and earlier releases, expand Enterprise Components, Integration Definitions, and then click Full Data Publish Rules.
For PeopleTools 8.55, 8.56, and 8.57, click NavBar, Navigator, Enterprise Components, Integration Definitions, and then click Full Data Publish Rules.
Search for and open the USER_PROFILE message.
In the Publish Rule Definition region:
In the Publish Rule ID field, enter OIM_USER_PROFILE.
In the Description field, enter OIM_USER_PROFILE.
From the Status list, select Active.
Click Save.
PeopleSoft Integration Broker is installed as part of the PeopleTools installation process. The Integration Broker Gateway is a component of PeopleSoft Integration Broker, which runs on the PeopleSoft Web Server. It is the physical hub between PeopleSoft and the third-party system. The integration gateway manages the receipt and delivery of messages passed among systems through PeopleSoft Integration Broker.
PeopleSoft Integration Broker provides a mechanism for communicating with the outside world using XML files. Communication can take place between different PeopleSoft applications or between PeopleSoft and third-party systems. To subscribe to data, third-party applications can accept and process XML messages posted by PeopleSoft by using the available PeopleSoft connectors. The Integration Broker routes messages to and from PeopleSoft.
A remote node that you create within the Integration Broker acts as the receiver for XML messages from PeopleSoft. This remote node accepts XML messages and posts them as XML files to a folder that you specify. During a reconciliation run, a scheduled task running on Oracle Identity Manager reconciles the data in these XML files into Oracle Identity Manager.
To configure the PeopleSoft Integration Broker gateway:
To create the remote node:
While creating the remote node, you use the value of the ig.fileconnector.password property in the integrationGateway.properties file. Determine the value of this property as follows:
In the PeopleSoft Internet Architecture window:
For PeopleTools 8.54 and earlier releases, expand PeopleTools, Integration Broker, Configuration, and then click Gateways.
For PeopleTools 8.55 and 8.56, click NavBar, Navigator, PeopleTools, Integration Broker, Configuration, and then click Gateways.
In the Integration Gateway ID field, enter LOCAL and then click Search.
Click the Gateway Setup Properties link.
Enter the user ID and password for accessing the integrationGateway.properties file, and then click OK.
On the PeopleSoft Node Configuration page, click Advanced Properties Page.
The contents of the integrationGateway.properties file are displayed.
Search for ig.fileconnector.password in the file contents. The line displayed in the file may be similar to the following sample line:
ig.fileconnector.password={V1.1}%5GhbfJ89bvNT1HzF98==
Copy the text after (that is, to the right of) the first equal sign of the property. For example, copy {V1.1}%5GhbfJ89bvNT1HzF98== from the preceding sample line.
This is the password that you specify while creating the remote node. The sample password given here is encrypted. If the password displayed on your PeopleSoft installation is not encrypted, then you can encrypt it by following the steps given later in this section.
In the PeopleSoft Internet Architecture window:
For PeopleTools 8.54 and earlier releases, expand PeopleTools, Integration Broker, Integration Setup, and then click Nodes.
For PeopleTools 8.55 and 8.56, click NavBar, Navigator, PeopleTools, Integration Broker, Integration Setup, and then click Nodes.
On the Add a New Value tab, enter the node name, for example, OIM_FILE_NODE, and then click Add.
On the Node Definition tab, provide the following values:
In the Description field, enter a description for the node.
In the Default User ID field, enter PS.
Make this node a remote node by deselecting the Local Node check box and selecting the Active Node check box.
Make the Node Type as PIA.
On the Connectors tab, search for the following information by clicking the Lookup icon:
Gateway ID: LOCAL
Connector ID: FILEOUTPUT
On the Properties page in the Connectors tab, enter the following information:
Property ID: HEADER
Property Name: sendUncompressed
Required value: Y
Property ID: PROPERTY
Property Name: Method
Required value: PUT
Property ID: PROPERTY
Property Name: FilePath
Required value: Enter the full path of any folder on which the Integration Broker has Write permissions. The remote node will post XML files to this folder.
Property ID: PROPERTY
Property Name: Password
Required value: Enter the value of the ig.fileconnector.password property in the integrationGateway.properties file. This is the password that you determined in Step 1. If the password is not already encrypted, then you can encrypt it as follows:
In the Password Encrypting Utility region, enter the value of the ig.fileconnector.password property in the Password and Confirm Password fields.
Click Encrypt.
From the Encrypted Password field, copy the encrypted password to the Value field for the Password property.
Click Save.
Click Ping Node to check whether a connection is established with the specified IP address.
The service operation is a mechanism to trigger, receive, transform, and route messages that provide information about updates in the PeopleSoft or an external application. You must activate the service operation for successful transmission and receipt of messages.
To activate the USER_PROFILE service operation:
Note:
If the message version is not the same as specified, then you can change the message version as described in Changing Default Message Versions.
All messages in PeopleSoft are sent through a queue. This is done to ensure that the messages are delivered in the correct sequence. Therefore, you must ensure that the queue is in the Run status.
To ensure that the status of the queue for the USER_PROFILE service operation is Run:
In the PeopleSoft Internet Architecture window:
For PeopleTools 8.54 and earlier releases, expand PeopleTools, Integration Broker, Integration Setup, and then click Queues.
For PeopleTools 8.55, 8.56, and 8.57, click NavBar, Navigator, PeopleTools, Integration Broker, Integration Setup, and then click Queues.
Search for the USER_PROFILE queue.
In the Queue Status list, ensure that Run is selected.
Note:
If the queue status is not Run:
From the Queue Status list, select Run.
Click Save.
Click Return to Search.
The target system user who has the permission to modify, add, or delete personal or job information of an employee might not have access to send messages about these updates. Therefore, you must explicitly grant the required security to enable these operations.
To set up the security for the USER_PROFILE service operation:
In the PeopleSoft Internet Architecture window:
For PeopleTools 8.54 and earlier releases, expand PeopleTools, Integration Broker, Integration Setup, and then click Service Operations.
For PeopleTools 8.55, 8.56 and 8.57, click NavBar, Navigator, PeopleTools, Integration Broker, Integration Setup, and then click Service Operations.
Search for and open the USER_PROFILE service operation.
On the General tab, click the Service Operation Security link.
Attach the permission list OIMUM to the USER_PROFILE service operation. This list is created in Step 3 of the preinstallation procedure discussed in Creating a Permission List.
To attach the permission list:
Note:
This procedure describes how to grant access to the OIMUM permission list. The OIMUM permission list is used as an example. However, to implement this procedure you must use the permission list (attached through a role) to the user profile of the actual user who maintains the user profile information or the user who performs full reconciliation.
Click the plus sign (+) to add a row to the Permission List field.
In the Permission List field, enter OIM and then click the Look up Permission List icon.
The OIMUM permission list appears.
From the Access list, select Full Access.
Click Save.
Click Return to Search.
Configuring the target system for incremental reconciliation involves configuration of USER_PROFILE and DELETE_USER_PROFILE service operations, nodes, and routing to send messages from PeopleSoft Integration Broker to other systems, and configuring PeopleSoft Integration Broker.
Note:
The PeopleSoft Employee Reconciliation and PeopleSoft User Management connectors have different IT resources. Therefore, you must configure separate HTTP nodes for messages of the Employee Reconciliation and User Management connectors.
Even if an existing node is configured to the PeopleSoft listener on Oracle Identity Manager, a separate node is required for messages of the PeopleSoft Employee Reconciliation connector.
A single listener is sufficient for both the connectors. You can configure the nodes to point to the same listener with different IT resource names.
This section contains the following topics:
About Configuring the Target System for Incremental Reconciliation
Verifying the Queue Status for the DELETE_USER_PROFILE Service Operation
Setting Up the Security for the DELETE_USER_PROFILE Service Operation
Defining the Routing for the DELETE_USER_PROFILE Service Operation
Preventing Transmission of Unwanted Fields During Incremental Reconciliation
Configuring the target system for incremental reconciliation involves configuration of USER_PROFILE and DELETE_USER_PROFILE service operations, nodes, and routing to send messages from PeopleSoft Integration Broker to other systems, and configuring PeopleSoft Integration Broker.
The USER_PROFILE message contains information about user accounts that are created or modified. The DELETE_USER_PROFILE message contains information about user accounts that have been deleted.
A message is the physical container for the XML data that is sent from the target system. Message definitions provide the physical description of data that is sent from the target system. This data includes fields, field types, and field lengths. A queue is used to carry messages. It is a mechanism for structuring data into logical groups. A message can belong to only one queue.
Setting the PeopleSoft Integration Broker gateway is mandatory when you configure PeopleSoft Integration Broker. To subscribe to XML data, Oracle Identity Manager can accept and process XML messages posted by PeopleSoft by using PeopleSoft connectors located in the PeopleSoft Integration Broker gateway. These connectors are Java programs that are controlled by the Integration Broker gateway.
This gateway is a program that runs on the PeopleSoft Web server. It acts as a physical hub between PeopleSoft and PeopleSoft applications (or third-party systems, such as Oracle Identity Manager). The gateway manages the receipt and delivery of messages passed among systems through PeopleSoft Integration Broker.
To configure the target system for incremental reconciliation, perform the following procedures:
Note:
You must use an administrator account to perform the following procedures.
The Integration Broker Gateway is a component of PeopleSoft Integration Broker (a messaging system), which is deployed at the PeopleSoft Web server. The Integration Broker Gateway is used for sending messages from PeopleSoft and for receiving messages for PeopleSoft.
Integration Broker is the inherent messaging system of PeopleSoft. You must configure Integration Broker to send and receive messages from and to PeopleSoft.
To configure PeopleSoft Integration Broker:
Create a remote node by performing the following steps:
In the PeopleSoft Internet Architecture window:
For PeopleTools 8.54 and earlier releases, expand PeopleTools, Integration Broker, Integration Setup, and then click Nodes.
For PeopleTools 8.55 and 8.56, click NavBar, Navigator, PeopleTools, Integration Broker, Integration Setup, and then click Nodes.
On the Add a New Value tab, enter the node name, for example, OIM_NODE, and then click Add.
On the Node Definition tab, enter a description for the node in the Description field. In addition, enter PS in the Default User ID field.
Make this node a remote node by deselecting the Local Node check box and selecting the Active Node check box.
Make the Node Type as PIA.
On the Connectors tab, search for the following information by clicking the Lookup icon:
Gateway ID: LOCAL
Connector ID: HTTPTARGET
On the Properties page in the Connectors tab, enter the following information:
Property ID: HEADER
Property Name: sendUncompressed
Required value: Y
Property ID: HTTP PROPERTY
Property Name: Method
Required value: POST
Property ID: HEADER
Property Name: Location
Required value: Enter the value of the IT resource name as configured for the target system.
Sample value: PSFT User
Property ID: PRIMARYURL
Property Name: URL
Required value: Enter the URL of the PeopleSoft listener that is configured to receive XML messages. This URL must be in the following format:
http://HOSTNAME_of_OIM_SERVER or IPADDRESS:PORT/PeopleSoftOIMListener
The URL depends on the application server that you are using. For an environment on which SSL is not enabled, the URL must be in the following format:
For IBM WebSphere Application Server:
http://10.121.16.42:9080/PeopleSoftOIMListener
For JBoss Application Server:
http://10.121.16.42:8080/PeopleSoftOIMListener
For Oracle WebLogic Server:
http://10.121.16.42:7001/PeopleSoftOIMListener
For Oracle Application Server:
http://10.121.16.42:7200/PeopleSoftOIMListener/
For an environment on which SSL is enabled, the URL must be in the following format:
https://COMMON_NAME:PORT/PeopleSoftOIMListener
For IBM WebSphere Application Server:
https://example088196:9443/PeopleSoftOIMListener
For JBoss Application Server:
https://example088196:8443/PeopleSoftOIMListener
For Oracle WebLogic Server:
https://example088196:7002/PeopleSoftOIMListener
For Oracle Application Server
https://example088916:7200/PeopleSoftOIMListener/
Click Save to save the changes.
Click Ping Node to check whether a connection is established with the specified IP address. Ping Node will fail if the IT resource is not specified correctly.
Note:
You might encounter the following error when you send a message from PeopleSoft Integration Broker over HTTP on a PeopleTools 8.50 target system:
HttpTargetConnector:PSHttpFactory init or setCertificate failed
This happens because the Integration Broker Gateway Web server tries to access the keystore even if SSL is not enabled using the parameters defined in the integrationgateway.properties file as follows:
secureFileKeystorePath=<path to pskey>
secureFileKeystorePasswd=password
If either the <path to pskey> or the password (unencrypted) is incorrect, you will receive the preceding error message. Perform the following steps to resolve the error:
Verify that secureFileKeystorePath in the integrationgateway.properties file is correct.
Verify that secureFileKeystorePasswd in the integrationgateway.properties file is correct.
Access the pskeymanager to check the accuracy of the path and the password. You can access pskeymanager from the following location:
<PIA_HOME>\webserv\peoplesoft\bin
Usually, a new PeopleTools 8.50 instance throws the preceding error when you message over the HTTP target connector. The reason is that the default password is not in the encrypted format in the integrationgateway.properties file.
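A small audit of integrationGateway.properties, added here as an example (not PeopleSoft or connector code): it extracts the text to the right of the first equal sign for ig.fileconnector.password (the base64 padding in the page's sample value means splitting on the last equal sign would truncate it) and reports whether each password-type property is stored in encrypted form, which also catches the unencrypted secureFileKeystorePasswd behind the PSHttpFactory error described above. It assumes an encrypted value carries the {V1.1} prefix seen in the page's sample, and the properties text it parses is constructed.

```python
"""Audit integrationGateway.properties for unencrypted password values.

Added example, not PeopleSoft's or the connector's code.  Reads the
properties the page tells you to inspect (ig.fileconnector.password,
secureFileKeystorePasswd) and flags password-type values that are not in
PeopleSoft's encrypted form.  Assumption: an encrypted value starts with
the {V1.1} prefix shown in the page's sample; anything else is plaintext.
"""
import re

ENCRYPTED_PREFIX = "{V1.1}"
PASSWORD_KEY_RE = re.compile(r"(password|passwd)$", re.IGNORECASE)


def parse_properties(text):
    """Minimal Java .properties parser.

    Handles '#'/'!' comment lines, key=value or key:value pairs and
    trailing-backslash continuation lines.  The value is everything to the
    right of the FIRST separator, so a base64 value ending in '==' survives.
    """
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # continued on the next line
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def is_encrypted(value):
    """True when the value carries the PeopleSoft encrypted-password prefix."""
    return value.startswith(ENCRYPTED_PREFIX)


def audit_passwords(props):
    """Return {key: 'encrypted' | 'plaintext' | 'empty'} for password-type keys."""
    report = {}
    for key, value in props.items():
        if PASSWORD_KEY_RE.search(key):
            if not value:
                report[key] = "empty"
            elif is_encrypted(value):
                report[key] = "encrypted"
            else:
                report[key] = "plaintext"
    return report


def file_connector_password(props):
    """The value to paste into the remote node's Password property (page step 1)."""
    return props.get("ig.fileconnector.password")


# Constructed sample modelled on the lines the page quotes; values are not real.
SAMPLE_PROPERTIES = """\
# integrationGateway.properties (constructed sample)
ig.isc.serverURL=//psft-app.example.com:9000
ig.fileconnector.password={V1.1}%5GhbfJ89bvNT1HzF98==
secureFileKeystorePath=/opt/pia/webserv/peoplesoft/piaconfig/keystore/pskey
secureFileKeystorePasswd=password
"""


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("remote node Password value:", file_connector_password(props))
    for key, state in audit_passwords(props).items():
        print(f"{key}: {state}")
```

Any key reported as plaintext is a candidate for the Password Encrypting Utility described in the remote-node procedure, or for pskeymanager in the case of secureFileKeystorePasswd.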
Before configuring the service operations for PeopleTools 8.50, ensure that the following setting is enabled:
The USER_PROFILE message contains information about user accounts that are created or modified.
Note:
The screenshots are taken on PeopleTools 8.49 version. They may vary for other versions of PeopleTools.
To configure the USER_PROFILE service operation:
In the PeopleSoft Internet Architecture window:
For PeopleTools 8.54 and earlier releases, expand PeopleTools, Integration Broker, Integration Setup, and then click Service Operations.
For PeopleTools 8.55 and 8.56, click NavBar, Navigator, PeopleTools, Integration Broker, Integration Setup, and then click Service Operations.
Search for and open the USER_PROFILE service operation.
On the Routing tab, enter USER_PROFILE_HR_TO_OIM as the routing name and then click Add.
On the Routing Definition tab, enter the following:
Sender Node: PSFT_HR
Note:
The sender node is the default active local node. To locate the sender node:
Click the Look up icon.
Click Default to sort the results in descending order.
The default active local node should meet the following criteria:
Local Node: 1
Default Local Node: Y
Node Type: PIA
Only one node can meet all the above conditions at a time.
Select the node.
Click Save.
Receiver Node: OIM_NODE
Click Save.
Click Return to go back to the Routings tab of the Service Operation and verify whether your routing is active.
To activate the DELETE_USER_PROFILE service operation:
Note:
If the message version is not the same as specified, then you can change the message version as described in Changing Default Message Versions.
The screenshots are taken on PeopleTools 8.49 version. They may vary for other versions of PeopleTools.
Enter DELETE_USER_PROFILE in the Service field, and then click Search.
To ensure that the status of the queue for the DELETE_USER_PROFILE service operation is Run:
In the PeopleSoft Internet Architecture window:
For PeopleTools 8.54 and earlier releases, expand PeopleTools, Integration Broker, Integration Setup, and then click Queues.
For PeopleTools 8.55 and 8.56, click NavBar, Navigator, PeopleTools, Integration Broker, Integration Setup, and then click Queues.
Search for the DELETE_USER_PROFILE queue.
In the Queue Status List, ensure that Run is selected.
Note:
If the queue status is not Run:
From the Queue Status list, select Run.
Click Save.
Click Return to Search.
To set up the security for the DELETE_USER_PROFILE service operation:
In the PeopleSoft Internet Architecture window:
For PeopleTools 8.54 and earlier releases, expand PeopleTools, Integration Broker, Integration Setup, and then click Service Operations.
For PeopleTools 8.55 and 8.56, click NavBar, Navigator, PeopleTools, Integration Broker, Integration Setup, and then click Service Operations.
Search for and open the DELETE_USER_PROFILE service operation.
On the General tab, click the Service Operation Security link.
Attach the permission list OIMUM, created in Step 3 of the preinstallation procedure (see Creating a Permission List), to the DELETE_USER_PROFILE service operation.
To attach the permission list:
Note:
This procedure describes how to grant access to the OIMUM permission list. The OIMUM permission list is used as an example. However, to implement this procedure, you must use the permission list (attached through a role) to the user profile of the actual user who maintains the user profile information.
Click the plus sign (+) to add a row for the Permission List field.
In the Permission List field, enter OIM and then click the Look up Permission List icon.
The OIMUM permission list appears.
From the Access list, select Full Access.
Click Save.
Click Return to Search.
To define the routing for the DELETE_USER_PROFILE service operation:
On the Routing tab, enter DELETE_USER_PROFILE_HR_TO_OIM as the routing name and then click Add. The following screenshot displays the routing information:
On the Routing Definition tab, enter the following:
Sender Node: PSFT_HR
Note:
The sender node is the default active local node. To locate the sender node:
Click the Look up icon.
Click Default to sort the results in descending order.
The default active local node should meet the following criteria:
Local Node: 1
Default Local Node: Y
Node Type: PIA
Only one node can meet all the above conditions at a time.
Select the node.
Click Save.
Receiver Node: OIM_NODE
The following screenshot displays the Sender and Receiver nodes:
Click Save.
Click Return to go back to the Routings tab of the Service Operation, and verify whether your routing is active.
By default, PeopleSoft messages contain fields that are not needed in Oracle Identity Manager. If there is a strong use case that these fields should not be published to Oracle Identity Manager, then do the following:
Determine whether there are any active local-to-local or local-to-third-party PeopleSoft routings for the service operations that use the message under study.
If none, then you can safely remove the unwanted fields at message level. See Removing Unwanted Fields at Message Level for more information.
If active routings exist, analyze the subscription or handler code of the routing to determine the fields they are utilizing and the ones not needed in Oracle Identity Manager. If so, remove the unwanted fields at message level. See Removing Unwanted Fields at Message Level for more information.
Lastly, if there are active routings that use these sensitive fields that you do not want to transmit to Oracle Identity Manager, then you need to write a transformation.
For more information about implementing a transformation, refer to Chapter 21 of the Integration Broker PeopleBook on Oracle Technology Network at the following location:
http://download.oracle.com/docs/cd/E13292_01/pt849pbr0/eng/psbooks/tibr/book.htm
In addition, refer to Chapter 43 of the PeopleCode API Reference PeopleBook on Oracle Technology Network at the following location:
http://download.oracle.com/docs/cd/E13292_01/pt849pbr0/eng/psbooks/tpcr/book.htm
To configure the target system for provisioning, you are required to perform the following procedure for adding FIND Method Support to the USER_PROFILE Component Interface:
The default USER_PROFILE component interface does not support the FIND method. However, the PeopleSoft User Management connector requires the FIND method in order to support account iteration and list.
To add FIND method support to an existing USER_PROFILE component interface, follow these steps:
The Find method is now visible under the METHODS field for the component interface. To verify the functionality of the new FIND method, right-click on the component interface and select Test Component Interface.
Note:
A PeopleSoft administrator should grant Full Access to the FIND method for the component interface (in addition to the Create, Get, Save, and SetPassword methods).
See Connector Component Interfaces for the PeopleSoft User Management for information about component interface map definitions.
Postinstallation information is divided across the following sections:
Postinstallation on Oracle Identity Manager consists of the following procedures:
Note:
In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster.
Enabling the Reset Password Option in Oracle Identity Manager 11.1.2.1.0 or Later
Clearing Content Related to Connector Resource Bundles from the Server Cache
Setting Up the Lookup.PSFT.UM.UserProfile.UserStatus Lookup Definition
Setting up the Lookup.PSFT.Configuration Lookup Definition for Connection Pooling
If you are using Oracle Identity Manager release 11.1.2 or later, you must create additional metadata such as a UI form and an application instance. In addition, you must run entitlement and catalog synchronization jobs. These procedures are described in the following sections:
Create and activate a sandbox as follows. For detailed instructions, see Managing Sandboxes in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
Create a new UI form as follows. For detailed instructions, see Managing Forms in Oracle Fusion Middleware Administering Oracle Identity Manager.
Peoplesoft User.
Create an application instance as follows. For detailed instructions, see Managing Application Instances in Oracle Fusion Middleware Administering Oracle Identity Manager.
To publish the sandbox that you created in Creating and Activating a Sandbox:
To harvest entitlements and sync catalog:
For any changes you do in the Form Designer, you must create a new UI form and update the changes in an application instance. To update an existing application instance with a new form:
In Oracle Identity Manager release 11.1.2.1.0 or later, you can reset password for an account after logging in as the user by navigating to My Access, Accounts tab.
The Reset Password option is enabled for only those accounts that follow the UD_FORMNAME_PASSWORD naming convention for the password field. Otherwise, this option would be disabled as shown in the following sample screenshot:
Note:
In Oracle Identity Manager 11.1.2 prior to release 11.1.2.1.0, if you want to change the password of a PeopleSoft User Management account under My Information, the account is not available for selection in the drop-down list of accounts. See bug 14697905 in Known Issues and Workarounds for more information about this known issue.
To enable the Reset Password option in Oracle Identity Manager release 11.1.2.1.0 or later:
Note:
In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster. Then, restart each node.
When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the Oracle Identity Manager database. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
Oracle Identity Manager uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.logging.
This section contains the following topics:
To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
Note:
In an Oracle Identity Manager cluster, perform this procedure on each node of the cluster. Then, restart each node.
SEVERE.intValue()+100
This level enables logging of information about fatal errors.
SEVERE
This level enables logging of information about errors that may allow Oracle Identity Manager to continue running.
WARNING
This level enables logging of information about potentially harmful situations.
INFO
This level enables logging of messages that highlight the progress of the application.
CONFIG
This level enables logging of information about fine-grained events that are useful for debugging.
FINE, FINER, FINEST
These levels enable logging of information about fine-grained events, where FINEST logs information about all events.
These message types are mapped to ODL message type and level combinations as shown in Table 2-4.
Table 2-4 Log Levels and ODL Message Type:Level Combinations
Java Level | ODL Message Type:Level |
---|---|
SEVERE.intValue()+100 | INCIDENT_ERROR:1 |
SEVERE | ERROR:1 |
WARNING | WARNING:1 |
INFO | NOTIFICATION:1 |
CONFIG | NOTIFICATION:16 |
FINE | TRACE:1 |
FINER | TRACE:16 |
FINEST | TRACE:32 |
The configuration file for OJDL is logging.xml, which is located at the following path:
DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml
Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Manager.
You can specify the following logger names for logging of information:
Logger name for Identity Connector Framework (ICF) integration: ORACLE.IAM.CONNECTORS.ICFCOMMON
Logger name for ICF connectors: ORG.IDENTITYCONNECTORS
Logger name for PeopleSoft operations: ORACLE.IAM.CONNECTORS.PSFT
There are separate loggers for the PeopleSoft operations and the connector operations. The logger for the PeopleSoft operations uses Java-based logging and the logger name is ORACLE.IAM.CONNECTORS.PSFT.
The logger for the connector operations uses org.identityconnectors.common.logging.Log and the logger name is ORG.IDENTITYCONNECTORS.PEOPLESOFT.
The logger name for the connector operations must include the package name of the connector for which you want to enable logging. For example, ORG.IDENTITYCONNECTORS, ORG.IDENTITYCONNECTORS.PEOPLESOFT, and ORG.IDENTITYCONNECTORS.PEOPLESOFT.COMPINTFC are valid logger names.
To enable logging in Oracle WebLogic Server:
Edit the logging.xml file as follows:
Add the following blocks in the file:
<log_handler name='psft-um-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
  <property name='logreader:' value='off'/>
  <property name='path' value='[FILE_NAME]'/>
  <property name='format' value='ODL-Text'/>
  <property name='useThreadName' value='true'/>
  <property name='locale' value='en'/>
  <property name='maxFileSize' value='5242880'/>
  <property name='maxLogSize' value='52428800'/>
  <property name='encoding' value='UTF-8'/>
</log_handler>
<logger name="ORG.IDENTITYCONNECTORS.PEOPLESOFT.COMPINTFC" level="[LOG_LEVEL]" useParentHandlers="false">
<handler name="psft-um-handler"/>
<handler name="console-handler"/>
</logger>
<logger name="ORACLE.IAM.CONNECTORS.PSFT" level="[LOG_LEVEL]" useParentHandlers="false">
<handler name="psft-um-handler"/>
<handler name="console-handler"/>
</logger>
Replace all occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 2-4 lists the supported message type and level combinations.
Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.
The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME]:
<log_handler name='psft-um-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
  <property name='logreader:' value='off'/>
  <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/>
  <property name='format' value='ODL-Text'/>
  <property name='useThreadName' value='true'/>
  <property name='locale' value='en'/>
  <property name='maxFileSize' value='5242880'/>
  <property name='maxLogSize' value='52428800'/>
  <property name='encoding' value='UTF-8'/>
</log_handler>
<logger name="ORG.IDENTITYCONNECTORS.PEOPLESOFT.COMPINTFC" level="NOTIFICATION:1" useParentHandlers="false">
<handler name="psft-um-handler"/>
<handler name="console-handler"/>
</logger>
<logger name="ORACLE.IAM.CONNECTORS.PSFT" level="NOTIFICATION:1" useParentHandlers="false">
<handler name="psft-um-handler"/>
<handler name="console-handler"/>
</logger>
With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.
Note:
The logging level for console-handler must be as fine as the level set in the loggers. For example, if the NOTIFICATION:1 level is specified in the ORACLE.IAM.CONNECTORS.PSFT logger, and the console-handler has ERROR:1 level, then only logs at ERROR:1 or coarser levels would be available.
Save and close the file.
Set the following environment variable to redirect the server logs to a file:
For Microsoft Windows:
set WLS_REDIRECT_LOG=FILENAME
For UNIX:
export WLS_REDIRECT_LOG=FILENAME
Replace FILENAME with the location and name of the file to which you want to redirect the output.
Restart the application server.
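The note above about console-handler levels is easy to get wrong by hand. The following script, added here as an example and not part of the connector or Oracle Identity Manager, parses a logging.xml fragment and reports every handler that is coarser than a logger referencing it, using the ODL level ordering from Table 2-4. The sample fragment and the function names are constructed for this example.

```python
"""Check a logging.xml fragment for handlers coarser than their loggers.

Added example, not part of the connector or Oracle Identity Manager. It
applies the rule from the note above (a handler must be at least as fine as
the loggers that reference it) using the ODL message type:level combinations
from Table 2-4. The sample fragment below is constructed; element and
attribute names follow the logging.xml blocks shown in this section.
"""
import xml.etree.ElementTree as ET

# Table 2-4, coarsest first. A higher index means a finer (more verbose) level.
ODL_LEVELS = [
    "INCIDENT_ERROR:1", "ERROR:1", "WARNING:1", "NOTIFICATION:1",
    "NOTIFICATION:16", "TRACE:1", "TRACE:16", "TRACE:32",
]
# Java level names from the same table, in case a logger still uses them.
JAVA_TO_ODL = {
    "SEVERE": "ERROR:1", "WARNING": "WARNING:1", "INFO": "NOTIFICATION:1",
    "CONFIG": "NOTIFICATION:16", "FINE": "TRACE:1", "FINER": "TRACE:16",
    "FINEST": "TRACE:32",
}


def level_rank(level):
    """Index of a level in ODL_LEVELS; raises ValueError for unknown levels."""
    odl = JAVA_TO_ODL.get(level, level)
    if odl not in ODL_LEVELS:
        raise ValueError("unsupported log level: %r" % level)
    return ODL_LEVELS.index(odl)


def find_coarse_handlers(logging_xml):
    """Return (logger, handler, logger level, handler level) tuples for every
    handler that would drop messages the logger is configured to emit."""
    root = ET.fromstring(logging_xml)
    handler_levels = {h.get("name"): h.get("level") for h in root.iter("log_handler")}
    problems = []
    for logger in root.iter("logger"):
        lname, llevel = logger.get("name"), logger.get("level")
        if llevel is None:
            continue  # inherits its level; nothing to compare against
        for ref in logger.iter("handler"):
            hname = ref.get("name")
            hlevel = handler_levels.get(hname)
            if hlevel is None:
                continue  # handler defined elsewhere in the file, or without a level
            if level_rank(hlevel) < level_rank(llevel):
                problems.append((lname, hname, llevel, hlevel))
    return problems


# Constructed sample: the console-handler is coarser than the PSFT logger, and
# the file handler is coarser than the COMPINTFC logger. Paths are placeholders.
SAMPLE_LOGGING_XML = """<logging_configuration>
 <log_handlers>
  <log_handler name='console-handler' level='ERROR:1' class='oracle.core.ojdl.logging.ConsoleHandler'/>
  <log_handler name='psft-um-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
   <property name='path' value='/PLACEHOLDER_LOG_DIR/oim_server1-diagnostic-1.log'/>
   <property name='format' value='ODL-Text'/>
  </log_handler>
 </log_handlers>
 <loggers>
  <logger name='ORACLE.IAM.CONNECTORS.PSFT' level='NOTIFICATION:1' useParentHandlers='false'>
   <handler name='psft-um-handler'/>
   <handler name='console-handler'/>
  </logger>
  <logger name='ORG.IDENTITYCONNECTORS.PEOPLESOFT.COMPINTFC' level='TRACE:1' useParentHandlers='false'>
   <handler name='psft-um-handler'/>
  </logger>
 </loggers>
</logging_configuration>"""


if __name__ == "__main__":
    for lname, hname, llevel, hlevel in find_coarse_handlers(SAMPLE_LOGGING_XML):
        print("logger %s is at %s but handler %s is at %s: messages below %s are lost"
              % (lname, llevel, hname, hlevel, hlevel))
```

Run it against DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml before restarting the server; an empty result means every referenced handler will record what its loggers emit.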
In the Lookup.PSFT.UM.Prov.ExclusionList and Lookup.PSFT.UM.Recon.ExclusionList lookup definitions, enter the user IDs of target system accounts for which you do not want to perform provisioning and reconciliation operations, respectively. See Lookup Definitions for Exclusion Lists for information about the format of the entries in these lookups.
To add entries in the lookup for exclusions during provisioning operations:
Note:
To specify user IDs to be excluded during reconciliation operations, add entries in the Lookup.PSFT.UM.Recon.ExclusionList lookup.
The lookup provides the mapping between the ACCTLOCK node in the USER_PROFILE message XML and the status to be shown on Oracle Identity Manager for the employee. See Lookup.PSFT.UM.UserProfile.UserStatus for more information about this lookup definition.
You can change the Decode value in this lookup definition for the Code Key value to modify the status of the provisioned resource. For example, you can change the Decode value from Enabled to Provisioned for the Code Key value 0 defined in this lookup definition. This enables you to modify the status of the provisioned resource from enabled to provisioned.
To modify or set the Decode value in this lookup definition:
The Lookup.PSFT.UM.DeleteUserProfile.AttributeMapping lookup definition maps OIM User attributes with the attributes defined in the DELETE_PROFILE message XML. See Lookup.PSFT.UM.DeleteUserProfile.AttributeMapping for more information about this lookup definition.
By default, this lookup definition has the following entries:
Code Key | Decode |
---|---|
User ID | |
If you are using PeopleTools 8.52, modify the Decode value in this lookup definition as follows:
You can configure the message names, such as USER_PROFILE and DELETE_USER_PROFILE, defined in the Lookup.PSFT.Configuration lookup definition.
This section contains the following topics:
Every standard PeopleSoft message has a message-specific configuration defined in the Lookup.PSFT.Configuration lookup definition. See Lookup.PSFT.Configuration for more information about this lookup definition.
For example, the mapping for the USER_PROFILE message in this lookup definition is defined as follows:
Code Key: USER_PROFILE.VERSION_84
Decode: Lookup.PSFT.Message.UserProfile.Configuration
You can configure the message names, such as USER_PROFILE and DELETE_USER_PROFILE, defined in this lookup definition.
You must map the xmlMapping lookup with the path to the PeopleSoft Component Interface map definition file, PeopleSoftComponentInterfaces.xml. By default, the PeopleSoftComponentInterfaces.xml file is located in the xml directory of the connector package.
Consider a scenario in which the target system sends the USER_PROFILE.VERSION_3 message. You must change the Code Key value in this lookup definition to implement the message sent by the target system.
By default, this connector uses the Identity Connector Framework (ICF) connection pooling.
This section contains the following topics:
Table 2-5 lists the connection pooling properties, their description, and the default values set in ICF.
Table 2-5 Connection Pooling Properties
Property | Description |
---|---|
Pool Max Idle | Maximum number of idle objects in a pool. Default value: |
Pool Max Size | Maximum number of connections that the pool can create. Default value: |
Pool Max Wait | Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation. Default value: |
Pool Min Evict Idle Time | Minimum time, in milliseconds, the connector must wait before evicting an idle object. Default value: |
Pool Min Idle | Minimum number of idle objects in a pool. Default value: |
Note:
This procedure is only applicable to Oracle Identity Manager releases prior to release 11.1.2. Do not enable request-based provisioning if you want to use the direct provisioning feature of the connector.
In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource can be viewed and approved by approvers designated in Oracle Identity Manager.
The following are features of request-based provisioning:
A user can be provisioned only one resource (account) on the target system.
Direct provisioning cannot be used if you enable request-based provisioning.
To enable request-based provisioning, perform the following procedures:
A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. Predefined request datasets are shipped with this connector. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation.
The following is the list of predefined request datasets available in the dataset directory on the installation media:
ModifyProvisionedResource_PeoplesoftUser.xml
ProvisionResource_PeoplesoftUser.xml
Copy the files from the dataset directory on the installation media to the OIM_HOME/DataSet/file directory.
Depending on your requirement, you can modify the file names of the request datasets. In addition, you can modify the information in the request datasets. See Validating Request Data in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about modifying request datasets.
Note:
In an Oracle Identity Manager cluster, perform this procedure on any node of the cluster.
All request datasets (predefined or generated) must be imported into the metadata store (MDS), which can be done by using the Oracle Identity Manager MDS Import utility.
To import a request dataset definition into the MDS:
To enable the Auto Save Form feature:
Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Clearing Content Related to Connector Resource Bundles from the Server Cache for instructions.
The procedure to enable request-based provisioning ends with this step.
Note:
Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.2.x or later and you want to localize UI form field labels.
To localize field labels that are added to the UI forms:
Log in to Oracle Enterprise Manager.
In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
In the right pane, from the Application Deployment list, select MDS Configuration.
On the MDS Configuration page, click Export and save the archive to the local computer.
Extract the contents of the archive, and open one of the following files in a text editor:
For Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) and later:
SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_en.xlf
For releases prior to Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0):
SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf
Edit the BizEditorBundle.xlf file in the following manner:
Search for the following text:
<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
Replace with the following text:
<file source-language="en" target-language="LANG_CODE"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">
In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in French:
<file source-language="en" target-language="fr" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
Search for the application instance code. This procedure shows a sample edit for PSFTUM application instance. The original code is:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_PSFT_BAS_LANGUAGE_CD__c_description']}">
  <source>Language Code</source>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.PSFTUM.entity.PSFTUMEO.UD_PSFT_BAS_LANGUAGE_CD__c_LABEL">
  <source>Language Code</source>
</trans-unit>
Open the resource file from the connector package, for example PSFT-UM_fr.properties, and get the value of the attribute from the file, for example, global.udf.UD_PSFT_BAS_LANGUAGE_CD= Code de langue.
Replace the original code shown in Step 6.c with the following:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_PSFT_BAS_LANGUAGE_CD__c_description']}">
  <source>Language Code</source>
  <target>Code de langue</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.PSFTUM.entity.PSFTUMEO.UD_PSFT_BAS_LANGUAGE_CD__c_LABEL">
  <source>Language Code</source>
  <target>Code de langue</target>
</trans-unit>
Repeat Steps 6.a through 6.d for all attributes of the process form.
Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.
Sample file name: BizEditorBundle_fr.xlf.
Repackage the ZIP file and import it into MDS.
See Also:
Deploying and Undeploying Customizations in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager, for more information about exporting and importing metadata files
Log out of and log in to Oracle Identity Manager.
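Steps 6.a through 6.d are repeated for every process-form attribute, which is tedious and error-prone by hand. The script below, added here as an example and not part of the connector package, performs the same edit over a whole exported BizEditorBundle.xlf: it sets target-language on the file element and fills a target element for every trans-unit whose id carries a UD_ form attribute that has a global.udf entry in the connector's PSFT-UM_LANG_CODE.properties file. The sample XLIFF and properties excerpts are constructed; the UD_PSFT_BAS_CURRENCY_CD attribute is included only to show how an attribute without a translation is reported.

```python
"""Localize an exported BizEditorBundle.xlf from a connector properties file.

Added example, not part of the connector package. It automates the manual
edit in this section: set target-language on <file>, then add a <target> to
each trans-unit whose id contains a UD_ form attribute, using the label from
global.udf.<attribute>= lines of PSFT-UM_<lang>.properties. Function names
and the sample data are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Form-attribute name embedded in trans-unit ids, e.g. UD_PSFT_BAS_LANGUAGE_CD
ATTR_RE = re.compile(r"(UD_[A-Z0-9_]+?)__c_")


def parse_properties(text):
    """Return {attribute: label} from global.udf.<attribute>=<label> lines.

    Assumes a plain-text properties file; \\uXXXX escapes are not decoded here.
    """
    labels = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key.startswith("global.udf."):
            labels[key[len("global.udf."):]] = value.strip()
    return labels


def localize_bundle(xlf_text, labels, lang_code):
    """Return (localized XLIFF text, attributes that had no label).

    Works whether or not the export declares the XLIFF namespace.
    """
    root = ET.fromstring(xlf_text)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)  # keep the default namespace on output
    q = (lambda t: "{%s}%s" % (ns, t)) if ns else (lambda t: t)

    for f in root.iter(q("file")):
        f.set("target-language", lang_code)

    missing = []
    for unit in root.iter(q("trans-unit")):
        m = ATTR_RE.search(unit.get("id", ""))
        if not m:
            continue  # not a process-form attribute label
        label = labels.get(m.group(1))
        if label is None:
            missing.append(m.group(1))
            continue
        target = unit.find(q("target"))
        if target is None:
            target = ET.SubElement(unit, q("target"))  # appended after <source>
        target.text = label
    return ET.tostring(root, encoding="unicode"), sorted(set(missing))


# Constructed excerpt in the shape of the exported bundle shown in Step 6.c.
SAMPLE_XLF = """<xliff version="1.1">
<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
<body>
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_PSFT_BAS_LANGUAGE_CD__c_description']}">
<source>Language Code</source>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.PSFTUM.entity.PSFTUMEO.UD_PSFT_BAS_LANGUAGE_CD__c_LABEL">
<source>Language Code</source>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.PSFTUM.entity.PSFTUMEO.UD_PSFT_BAS_CURRENCY_CD__c_LABEL">
<source>Currency Code</source>
</trans-unit>
</body>
</file>
</xliff>"""

# Constructed excerpt in the style of PSFT-UM_fr.properties (one entry only).
SAMPLE_PROPERTIES = """# constructed sample
global.udf.UD_PSFT_BAS_LANGUAGE_CD= Code de langue
"""


if __name__ == "__main__":
    xlf, missing = localize_bundle(SAMPLE_XLF, parse_properties(SAMPLE_PROPERTIES), "fr")
    print(xlf)  # save this as BizEditorBundle_fr.xlf before repackaging the ZIP
    if missing:
        print("no translation found, finish by hand:", ", ".join(missing))
```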
The following sections describe the procedure to configure SSL connectivity between Oracle Identity Manager and the target system:
You can configure SSL connectivity on IBM WebSphere Application Server with either a self-signed certificate or a CA certificate. The following sections describe this:
To configure SSL connectivity between Oracle Identity Manager on IBM WebSphere Application Server and the target system with a self-signed certificate, you must perform the following tasks:
To configure SSL connectivity between Oracle Identity Manager on IBM WebSphere Application Server and the target system with a CA certificate, you must perform the following tasks:
To receive a signed certificate issued by a CA, perform the following tasks:
The keystore contains a new personal certificate that is issued by a CA. The SSL configuration is ready to use the new CA-signed personal certificate.
You can configure SSL connectivity on Oracle WebLogic Server with either a self-signed certificate or a CA certificate. The following sections describe the procedures:
See Also:
To configure SSL connectivity between Oracle Identity Manager on Oracle WebLogic Server and the target system with a self-signed certificate:
To generate the keystore:
Generate the keystore. To do so:
Run the following command:
keytool -genkey -keystore ABSOLUTE_KEYSTORE_PATH -alias ALIAS_NAME -keyalg KEY_ALGORITHM -storepass KEYSTORE_PASSWORD -keypass PRIVATE_KEY_PASSWORD
For example:
keytool -genkey -keystore c:\temp\keys\keystore.jks -alias example088196 -keyalg RSA -storepass example1234 -keypass example1234
Note:
The keystore password and the private key password must be the same.
Typically, the alias is the name or the IP address of the computer on which you are configuring SSL.
The alias used in the various commands of this procedure must be the same.
When prompted, enter information about the certificate. This information is displayed to users attempting to access a secure page in the application. This is illustrated in the following example:
keytool -genkey -keystore c:\temp\keys\keystore.jks -alias example088196 -keyalg RSA -storepass example1234 -keypass example1234
What is your first and last name?
  [Unknown]: Must be the name or IP address of the computer
What is the name of your organizational unit?
  [Unknown]: example
What is the name of your organization?
  [Unknown]: example
What is the name of your City or Locality?
  [Unknown]: New York
What is the name of your State or Province?
  [Unknown]: New York
What is the two-letter country code for this unit?
  [Unknown]: US
Is <CN=Name or IP address of the computer, OU=example, O=example, L=New York, ST=New York, C=US> correct?
  [no]: yes
When you enter yes in the last line of the preceding example, the keystore.jks file is created in the c:\temp\keys\ directory.
Export the keystore to a certificate file by running the following command:
keytool -export -alias ALIAS_NAME -keystore ABSOLUTE_KEYSTORE_PATH -file CERTIFICATE_FILE_ABSOLUTE_PATH
For example:
keytool -export -alias example088196 -keystore c:\temp\keys\keystore.jks -file c:\temp\keys\keystore.cert
When prompted for the private key password, enter the same password used for the keystore, for example, example1234.
Import the keystore by running the following command:
keytool -import -alias ALIAS_NAME -keystore NEW_KEYSTORE_ABSOLUTE_PATH -file CERTIFICATE_FILE_ABSOLUTE_PATH
For example:
keytool -import -alias example088196 -keystore c:\temp\keys\new.jks -file c:\temp\keys\keystore.cert
When you run this command, it prompts for the keystore password, as shown in the following example:
Enter keystore password: example1234 [Enter]
Trust this certificate? [no]: yes [Enter]
Certificate was added to keystore
In this example, [Enter] marks the points at which you press Enter.
After generating and importing the keystore, start Oracle WebLogic Server. To configure Oracle WebLogic Server, log in to the Oracle WebLogic Server console at http://localhost:7001/console and perform the following:
Expand the servers node and select the oim server instance.
Select the General tab.
Select the SSL Listen Port Enabled option.
Ensure that a valid port is specified in the SSL Listen Port field. The default port is 7002.
Click Apply to save your changes.
Click the Keystore & SSL tab, and then click Change.
From the Keystores list, select Custom identity And Java Standard Trust, and then click Continue.
Configure the keystore properties. To do so:
In the Custom Identity Key Store File Name column, specify the full path of the keystore generated in Step 1 of this procedure, for example, c:\temp\keys\keystore.jks.
In the Custom Identity Key Store Type column, specify the type of keystore, for example, JKS.
In the Custom Identity Key Store Pass Phrase and Confirm Custom Identity Key Store Pass Phrase columns, specify the keystore password.
Provide the Java standard trust keystore pass phrase and the Confirm Java standard trust keystore pass phrase. The default password is changeit.
Click Continue.
Specify the private key alias, pass phrase and the confirm pass phrase as the keystore password. Click Continue.
Click Finish.
Restart Oracle WebLogic Server. If the server starts successfully with the SSL configuration, then lines similar to the following are recorded in the startup log:
<Apr 21, 2008 2:35:43 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "ListenThread.Default" listening on port 7001, ip address *.*>
<Apr 21, 2008 2:35:43 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "SSLListenThread.Default" listening on port 7002, ip address *.*>
Note:
The default SSL port for Oracle WebLogic Server is 7002.
To configure SSL connectivity between Oracle Identity Manager on Oracle WebLogic Server and the target system with a CA certificate:
Note:
Although this is an optional step in the deployment procedure, Oracle strongly recommends that you configure SSL communication between the target system and Oracle Identity Manager.
The connector requires Certificate Services to be running on the host computer. To generate the keystore:
Run the following command:
keytool -genkey -keystore ABSOLUTE_KEYSTORE_PATH -alias ALIAS_NAME -keyalg KEY_ALGORITHM -storepass KEYSTORE_PASSWORD -keypass PRIVATE_KEY_PASSWORD
For example:
keytool -genkey -keystore c:\temp\keys\keystore.jks -alias example088196 -keyalg RSA -storepass example1234 -keypass example1234
Note:
The keystore password and the private key password must be the same.
Typically, the alias name is the name or the IP address of the computer on which you are configuring SSL.
When prompted, enter information about the certificate. This information is displayed to users attempting to access a secure page in the application. This is illustrated in the following example:
keytool -genkey -keystore c:\temp\keys\keystore.jks -alias example088196 -keyalg RSA -storepass example1234 -keypass example1234
What is your first and last name?
  [Unknown]: Must be the name or IP address of the computer
What is the name of your organizational unit?
  [Unknown]: example
What is the name of your organization?
  [Unknown]: example
What is the name of your City or Locality?
  [Unknown]: New York
What is the name of your State or Province?
  [Unknown]: New York
What is the two-letter country code for this unit?
  [Unknown]: US
Is <CN=Name or IP address of the computer, OU=example, O=example, L=New York, ST=New York, C=US> correct?
  [no]: yes
When you enter yes in the last line of the preceding example, the keystore.jks file is created in the c:\temp\keys\ directory.
Generate the certificate signing request by running the following command:
keytool -certreq -keystore ABSOLUTE_KEYSTORE_PATH -alias ALIAS_NAME -keyalg KEY_ALGORITHM -file CERTIFICATE_FILE_ABSOLUTE_PATH
For example:
keytool -certreq -keystore c:\temp\keys\keystore.jks -alias example088196 -keyalg RSA -file c:\temp\keys\keystore.cert
When prompted for the keystore password, enter the same password used for the keystore in Step 1, for example, example1234.
This stores a certificate request in the file that you specified in the preceding command.
Get the certificate from a CA by using the certificate request generated in the previous step, and store the certificate in a file.
Export the keystore generated in Step 1 to a new certificate file, for example, myCert.cer, by running the following command:
keytool -export -keystore ABSOLUTE_KEYSTORE_PATH -alias ALIAS_NAME -file CERTIFICATE_FILE_ABSOLUTE_PATH
Here, ALIAS_NAME is the alias that you specified in Step 1.
For example:
keytool –export –keystore c:\temp\keys\keystore.jks -alias example088196 -file c:\temp\keys\myCert.cer
Import the CA certificate to a new keystore by running the following command:
keytool -import -alias ALIAS_NAME -file CERTIFICATE_FILE_ABSOLUTE_PATH -keystore NEW_KEYSTORE_ABSOLUTE_PATH -storepass KEYSTORE_PASSWORD
Here, KEYSTORE_PASSWORD is the keystore password that you specified in Step 1.
For example:
keytool -import -alias example088196 -file c:\temp\keys\rootCert.cert -keystore c:\temp\keys\rootkeystore.jks
When you run this command, it prompts for the keystore password, as shown:
Enter keystore password: example1234 [Enter]
Trust this certificate? [no]: yes [Enter]
Certificate was added to keystore
In this example, [Enter] marks the points at which you press Enter.
After creating and importing the keystore to the system, start Oracle WebLogic Server. To configure Oracle WebLogic Server, log in to the Oracle WebLogic Server console (http://localhost:7001/console) and perform the following:
Expand the server node and select the server instance.
Select the General tab.
Select the SSL Port Enabled option.
Ensure that a valid port is specified in the SSL Listen Port field. The default port is 7002.
Click Apply to save your changes.
Click the Keystore & SSL tab, and click the Change link.
From the Keystores list, select Custom Identity And Custom Trust, and then click Continue.
Configure the keystore properties. To do so:
In the Custom Identity Key Store File Name column, specify the full path of the keystore generated in Step 1 of this procedure, for example, c:\temp\keys\keystore.jks.
In the Custom Identity Key Store Type column, specify the type of keystore, for example, JKS.
In the Custom Identity Key Store Pass Phrase and Confirm Custom Identity Key Store Pass Phrase columns, specify the keystore password.
In the Custom Trust Key Store File Name column, specify the full path of the trust keystore created in Step 5 of this procedure, for example, c:\temp\keys\rootkeystore.jks.
In the Custom Trust Key Store Type column, specify the type of keystore, for example, JKS.
In the Custom Trust Key Store Pass Phrase and Confirm Custom Trust Key Store Pass Phrase columns, specify the keystore password.
Provide the Java standard trust keystore password. The default password is changeit.
Click Continue.
Specify the alias name and private key password. Click Continue.
Click Finish.
Restart Oracle WebLogic Server. If the server starts successfully with the SSL configuration, then lines similar to the following are recorded in the startup log:
<Apr 21, 2008 2:35:43 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "ListenThread.Default" listening on port 7001, ip address *.*>
<Apr 21, 2008 2:35:43 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "SSLListenThread.Default" listening on port 7002, ip address *.*>
Note:
The default SSL port for Oracle WebLogic Server is 7002.
This section discusses the following procedures for configuring SoD on Oracle Identity Manager release 11.1.1.3 BP02:
The TopologyName IT resource parameter holds the name of the combination of the following elements that you want to use for SoD validation of entitlement provisioning operations:
Oracle Identity Manager installation
Oracle Applications Access Controls Governor installation
PeopleSoft installation
The value that you specify for the TopologyName parameter must be the same as the value of the topologyName element in the SILConfig.xml file. If you are using default SIL registration, then specify oaacgpsft as the value of the topologyName parameter.
See Configuring the IT Resource section for information about specifying values for parameters of the IT resource.
To specify a value for TopologyName in the IT resource:
To disable SoD:
Note:
The SoD feature is disabled by default. Perform the following procedure only if the SoD feature is currently enabled and you want to disable it.
Log in to the Administrative and User Console.
Set the XL.SoDCheckRequired system property to FALSE as follows:
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Identity Manager Advanced Administration page, in the System Management section, click Search System Properties.
On the left pane, in the Search System Configuration field, enter XL.SoDCheckRequired, which is the name of the system property, as the search criterion.
In the search results table on the left pane, click the XL.SoDCheckRequired system property in the Property Name column.
On the System Property Detail page, in the Value field, enter FALSE.
Click Save to save the changes made.
A message confirming that the system property has been modified is displayed.
Restart Oracle Identity Manager. deploying-connector.htm#GUID-65CDE115-19A2-4D0B-A88C-B45ACAA7D888__CHDGHIGG shows the details of disabling SoD.
To enable SoD:
Note:
If you are enabling SoD for the first time, then see Enabling and Disabling SoD in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information.
Log in to the Administrative and User Console.
Set the XL.SoDCheckRequired system property to TRUE as follows:
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Identity Manager Advanced Administration page, in the System Management section, click Search System Properties.
On the left pane, in the Search System Configuration field, enter XL.SoDCheckRequired, which is the name of the system property, as the search criterion.
In the search results table on the left pane, click the XL.SoDCheckRequired system property in the Property Name column.
On the System Property Detail page, in the Value field, enter TRUE.
Click Save to save the changes made.
A message confirming that the system property has been modified is displayed.
Restart Oracle Identity Manager. deploying-connector.htm#GUID-32A9DBE8-D119-43FF-89C5-7083FC977593__CHDBECIF shows the details of enabling SoD.
Postinstallation on the target system involves configuring SSL.
To configure SSL on the target system:
Perform the procedure described in this section only if you have deployed the connector bundle remotely in a Connector Server.
This section contains the following topics:
Note:
Before you deploy the connector bundle remotely in a Connector Server, you must deploy the connector in Oracle Identity Manager by performing the procedures described in Installation.
To create the IT resource for the Connector Server:
Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
For Oracle Identity Manager release 11.1.1.x:
Log in to the Administrative and User Console.
For Oracle Identity Manager release 11.1.2.x:
Log in to Identity System Administration.
If you are using Oracle Identity Manager release 11.1.1.x, then:
On the Welcome page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Create IT Resource.
If you are using Oracle Identity Manager release 11.1.2.x, then:
In the left pane under Configuration, click IT Resource.
In the Manage IT Resource page, click Create IT Resource.
On the Step 1: Provide IT Resource Information page, perform the following steps:
IT Resource Name: Enter a name for the IT resource.
IT Resource Type: Select Connector Server from the IT Resource Type list.
Remote Manager: Do not enter a value in this field.
Click Continue. Figure 2-3 shows the IT resource values added on the Create IT Resource page.
Figure 2-3 Step 1: Provide IT Resource Information
On the Step 2: Specify IT Resource Parameter Values page, specify values for the parameters of the IT resource and then click Continue. Figure 2-4 shows the Step 2: Specify IT Resource Parameter Values page.
Figure 2-4 Step 2: Specify IT Resource Parameter Values
Table 2-7 provides information about the parameters of the IT resource.
On the Step 3: Set Access Permission to IT Resource page, the SYSTEM ADMINISTRATORS group is displayed by default in the list of groups that have Read, Write, and Delete permissions on the IT resource that you are creating.
Note:
This step is optional.
If you want to assign groups to the IT resource and set access permissions for the groups, then:
Click Assign Group.
For the groups that you want to assign to the IT resource, select Assign and the access permissions that you want to set. For example, if you want to assign the ALL USERS group and set the Read and Write permissions for this group, then you must select the respective check boxes in the row, as well as the Assign check box, for this group.
Click Assign.
On the Step 3: Set Access Permission to IT Resource page, if you want to modify the access permissions of groups assigned to the IT resource, then:
Note:
This step is optional.
You cannot modify the access permissions of the SYSTEM ADMINISTRATORS group. You can modify the access permissions of only the other groups that you assign to the IT resource.
Click Update Permissions.
Depending on whether you want to set or remove specific access permissions for groups displayed on this page, select or deselect the corresponding check boxes.
Click Update.
On the Step 3: Set Access Permission to IT Resource page, if you want to unassign a group from the IT resource, then:
Note:
This step is optional.
You cannot unassign the SYSTEM ADMINISTRATORS group. You can unassign only the other groups that you assign to the IT resource.
Select the Unassign check box for the group that you want to unassign.
Click Unassign.
Click Continue. Figure 2-5 shows the Step 3: Set Access Permission to IT Resource page.
Figure 2-5 Step 3: Set Access Permission to IT Resource
On the Step 4: Verify IT Resource Details page, review the information that you provided on the first, second, and third pages. If you want to make changes in the data entered on any page, click Back to revisit the page and then make the required changes.
To proceed with the creation of the IT resource, click Continue. Figure 2-6 shows the Step 4: Verify IT Resource Details page.
Figure 2-6 Step 4: Verify IT Resource Details
The Step 5: IT Resource Connection Result page displays the results of a connectivity test that is run using the IT resource information. If the test is successful, then click Continue. If the test fails, then you can perform one of the following steps:
Click Back to revisit the previous pages and then make corrections in the IT resource creation information.
Click Cancel to stop the procedure, and then begin from the first step onward.
Figure 2-7 shows the Step 5: IT Resource Connection Result page.
Figure 2-7 Step 5: IT Resource Connection Result
Click Finish. deploying-connector.htm#GUID-291FDFF2-853A-493C-8F80-14994B023DDF__BABFDDDB shows the IT Resource Created Page.
Table 2-7 provides information about the parameters of the IT resource.
Table 2-7 Parameters of the IT Resource for the Connector Server
Parameter | Description |
---|---|
Host | Enter the host name or IP address of the computer hosting the connector server. Sample value: |
Key | Enter the key for the Java connector server. |
Port | Enter the number of the port at which the connector server is listening. Default value: |
Timeout | Enter an integer value that specifies the number of milliseconds after which the connection between the connector server and Oracle Identity Manager times out. Sample value: Note: A value of 0 (zero) indicates unlimited timeout. |
UseSSL | Enter Default value: Note: It is recommended that you configure SSL to secure communication with the connector server. To configure SSL, run the connector server by using the /setKey [ |
You can upgrade the PeopleSoft User Management connector while in production, and with no downtime. Your customizations will remain intact and the upgrade should be transparent to your users. Form field names are preserved from the legacy connector.
To upgrade the PeopleSoft User Management connector, perform the steps listed in Prerequisites for Upgrading the Connector.
Then, perform one of the following procedures depending on the version of the existing connector:
See Also:
Upgrading Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about these steps
Before you perform the upgrade procedures:
It is strongly recommended that you create a backup of the Oracle Identity Manager database. Refer to the database documentation for information about creating a backup.
As a best practice, first perform the upgrade procedure in a test environment.
You might encounter the following issue during or after performing the upgrade procedures:
After the upgrade process, an additional IT resource is created with the name PSFT User, in addition to converting existing IT resources. The additional IT resource is created because the default IT resource name has been changed.
As a workaround, if the additional IT resource is unused, you can delete it.
To upgrade the PeopleSoft User Management connector from release 11.1.1.5.0 to this release of the connector, perform the following steps:
Set entitlement tagging for PeopleSoft child form (UD_PSROLES) as follows:
Log in to the Oracle Identity Manager Design Console.
Expand Development Tools and then double-click Form Designer.
Enter the name of the PeopleSoft Roles child form, UD_PSROLES, in the Table Name field and click the Query for records button.
Click Create New Version.
In the Create a New Version dialog box, specify the version name in the Label field, save the changes, and then close the dialog box.
From the Current Version list, select the newly created version.
Click the Properties tab.
Select the Role Name field, and click Add Property.
From the Property Name list, select Entitlement.
In the Property Value field, enter true.
Click Make Version Active.
Set IT resource, Account ID, and Account Name tagging in the process form (UD_PSFT_BAS) as follows:
In the Oracle Identity Manager Design Console, expand Development Tools and then double-click Form Designer.
Enter the name of the PeopleSoft parent form, UD_PSFT_BAS, in the Table Name field and click the Query for records button.
Click Create New Version.
In the Create a New Version dialog box, specify the version name in the Label field, save the changes, and then close the dialog box.
From the Current Version list, select the newly created version.
Click the Properties tab.
Select the Server (IT resource) field, and click Add Property.
From the Property Name list, select ITResource.
In the Property Value field, enter true.
Select the User Id field, and click Add Property.
From the Property Name list, select AccountName.
In the Property Value field, enter true.
Select the User Id field, and click Add Property.
From the Property Name list, select AccountID.
In the Property Value field, enter true.
Update the parent form to add the child form created in Step 1.
Click Make Version Active.
Recreate the form in the user interface (UI) and update the application instance with the new form as described in Updating an Existing Application Instance with a New Form.
Set the status of Task to Object Status Mapping of the Role Updated process task to None as follows:
In the Oracle Identity Manager Design Console, expand Process Management and then double-click Process Definition.
In the Name field, enter Peoplesoft User Management and then click the Query for records button.
Under Tasks, open the Role Updated task.
In the Task to Object Status Mapping tab, change the object status of status C from Provisioned to None.
Repeat Steps 3.c and 3.d for the Email Updated task.
Update the bundle in the Oracle Identity Manager database with the latest bundle JAR from this release as described in Upgrading the Connector Files and External Code Files.
To upgrade the PeopleSoft User Management connector from release 9.1.1.6 to this release of the connector, perform the following procedures:
To upgrade the connector files and external code files:
Run the Oracle Identity Manager Delete JARs utility to delete the JAR files from the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:
Note:
Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.
For Microsoft Windows:
OIM_HOME/server/bin/DeleteJars.bat
For UNIX:
OIM_HOME/server/bin/DeleteJars.sh
When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR files being deleted, and the location from which the JAR files are to be deleted.
Select the JAR files and indicate the JAR types as specified in the following table:
JAR File Name | JAR Type |
---|---|
PSFTUM.jar | 1 - JavaTasks |
PSFTCommon.jar | 1 - JavaTasks |
CustomClassLoader.jar | 1 - JavaTasks |
Common.jar (select this JAR file only if no other connector is using it) | 1 - JavaTasks |
psjoa.jar | 3 - ThirdParty |
peoplesoft.jar | 3 - ThirdParty |
See Also:
Delete JAR Utility in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for detailed information about the Delete JARs utility
Patch the psjoa.jar file in the connector bundle as follows:
Open the command prompt and navigate to the bundle JAR file.
For example:
cd PSFT_UM-11.1.1.6.0/bundle
The bundle JAR file in this directory is org.identityconnectors.peoplesoftintfc-1.0.5963.jar.
Run the following command to create a lib directory.
mkdir lib
Copy the psjoa.jar file (target specific) from the PEOPLESOFT_HOME/web/psjoa directory to the new lib directory.
For example:
cp psjoa/psjoa.jar lib
Run the following command:
jar -uvf org.identityconnectors.peoplesoftintfc-1.0.5963.jar lib/psjoa.jar
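The same patching step carried out with Python's standard library, as an added example that is not part of Oracle's connector tooling: a JAR is a ZIP archive, so adding lib/psjoa.jar is a ZIP update, which is what jar -uvf does. The example builds constructed stand-ins for the bundle and for psjoa.jar in a temporary directory, patches the bundle, verifies that exactly one lib/psjoa.jar entry with the expected digest is present, and refuses to add a second copy if run again.

```python
"""Add the target-specific psjoa.jar to the ICF bundle JAR and verify the result.

Added example, not Oracle's code. Equivalent to the page's mkdir/cp/jar -uvf
steps; the bundle and psjoa.jar created in demo() are constructed stand-ins.
"""
import hashlib
import os
import tempfile
import zipfile

PSJOA_ENTRY = "lib/psjoa.jar"


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def patch_bundle_with_psjoa(bundle_jar, psjoa_jar):
    """Append psjoa_jar to bundle_jar as lib/psjoa.jar; return the SHA-256 of what was added.

    Refuses to run if the entry already exists: ZIP append mode would add a second
    lib/psjoa.jar entry instead of replacing the first, leaving two copies of the
    PeopleSoft client library in the bundle.
    """
    with zipfile.ZipFile(bundle_jar) as zf:
        if PSJOA_ENTRY in zf.namelist():
            raise FileExistsError(f"{bundle_jar} already contains {PSJOA_ENTRY}")
    with zipfile.ZipFile(bundle_jar, "a", zipfile.ZIP_DEFLATED) as zf:
        zf.write(psjoa_jar, PSJOA_ENTRY)
    return sha256_file(psjoa_jar)


def verify_bundle(bundle_jar, expected_psjoa_sha256):
    """True if the archive is intact and holds exactly one lib/psjoa.jar with the expected digest."""
    with zipfile.ZipFile(bundle_jar) as zf:
        if zf.testzip() is not None or zf.namelist().count(PSJOA_ENTRY) != 1:
            return False
        return hashlib.sha256(zf.read(PSJOA_ENTRY)).hexdigest() == expected_psjoa_sha256


def demo():
    """Patch constructed stand-ins and return (verified, second_patch_refused)."""
    work = tempfile.mkdtemp()
    bundle = os.path.join(work, "org.identityconnectors.peoplesoftintfc-1.0.5963.jar")
    psjoa = os.path.join(work, "psjoa.jar")
    with zipfile.ZipFile(bundle, "w") as zf:  # constructed minimal bundle
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/identityconnectors/peoplesoft/Placeholder.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(psjoa, "w") as zf:  # constructed stand-in for PEOPLESOFT_HOME/web/psjoa/psjoa.jar
        zf.writestr("psft/Placeholder.class", b"\xca\xfe\xba\xbe")
    digest = patch_bundle_with_psjoa(bundle, psjoa)
    verified = verify_bundle(bundle, digest)
    try:
        patch_bundle_with_psjoa(bundle, psjoa)
        refused = False
    except FileExistsError:
        refused = True
    return verified, refused


if __name__ == "__main__":
    print(demo())
```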
Run the Oracle Identity Manager Upload JARs utility to post the new bundle JAR file created in Step 2 and other JAR files to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:
For Microsoft Windows:
OIM_HOME/server/bin/UploadJars.bat
For UNIX:
OIM_HOME/server/bin/UploadJars.sh
When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR files being uploaded, and the location from which the JAR files are to be uploaded.
Select the JAR files and indicate the JAR types as specified in the following table:
JAR File Name | JAR Type |
---|---|
bundle/org.identityconnectors.peoplesoftintfc-1.0.5963.jar | 4 - ICFBundle |
lib/PSFTCommon.jar | 1 - JavaTasks |
lib/PSFT_UM-oim-integration.jar | 1 - JavaTasks |
See Also:
Upload JAR Utility in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for detailed information about the Upload JARs utility
Note:
If you upgrade the connector, you must also upgrade the listener. Installing a new connector over a previously deployed listener creates discrepancies.
To upgrade the PeopleSoft listener:
If there are any validation or transformation JARs, you must add the JARs to the deployable connector bundle JAR and re-deploy the listener. See Configuring Validation of Data During Reconciliation, Configuring Transformation of Data During Reconciliation, and Configuring Validation of Data During Provisioning for more information.
The Form Version Control (FVC) utility is used to migrate data changes on a form after an upgrade operation.
Note:
After performing this procedure, you cannot revert the data changes.
To run the FVC utility:
To update the PeopleSoft target system for the upgrade process:
Enable the Find and Get methods on the USER_PROFILE component interface. To do so:
To open the PeopleSoft Application Designer, click Start and then select Programs, Peoplesoft8.x, and Application Designer.
On the Application Designer page, click Open from the File menu.
In the Open Definition dialog box, select Component Interface from the Definition list.
Enter USER_PROFILE in the Name field, and then click Open.
All the component interfaces with names that start with USER_PROFILE are displayed in the Open Definition dialog box.
Double-click the USER_PROFILE entry.
Drag the User ID field from the USERMAINT definition and drop to the component interface definition on the right hand side, as shown in the following screenshot. This will set the Find and Get keys.
Right-click on the USER_PROFILE component interface and click Component Interface Properties.
In the Properties dialog box, click the Standard Methods tab, and then select the Get check box.
Click OK and save the component interface.
Update the OIM_NODE node based on HTTP Connector. To do so:
Open the OIM_NODE node that is configured for the PeopleSoft listener.
Update the IT resource header type from Host to Location.