2 Deploying the Connector

The procedure to deploy the connector is divided across three stages namely preinstallation, installation, and postinstallation.

Note:

Some of the procedures described in this chapter are meant to be performed on the target system. The minimum permissions required to perform the target system procedure are those assigned to members of the Domain Admins group. To perform the target system-specific procedures, you can use the same user account that you create for deploying the Microsoft Active Directory User Management connector.

See Creating a Target System User Account for Connector Operations of Oracle Identity Manager Connector Guide for Microsoft Active Directory User Management for information about creating that user account.

2.1 Preinstallation

Preinstallation involves installing, configuring, and running the connector server, enabling logging and so on.

2.1.1 Preinstallation on the Target System

Preinstallation on the target system involves creating a target system user account with appropriate permissions for connector operations. Oracle Identity Manager requires this account to connect to the target system during reconciliation and provisioning operations.

Depending on the Exchange Server version you are using, ensure the account meets the following requirements:

2.1.1.1 Privileges for Exchange 2007 Service Account

The following are the minimum privileges required for an Exchange 2007 service account to manage recipients (UserMailbox and MailUser):

The service account must be a member of Exchange Recipient Administrators group.

For more information, see http://technet.microsoft.com/en-us/library/aa996881%28v=exchg.80%29.aspx.
If you want to add a recipient to a distribution group or remove a recipient from a distribution group, then the service account must also be a member of Account Operators group in the domain where the distribution group exists.

For more information, see http://technet.microsoft.com/en-us/library/bb124340%28v=exchg.80%29.aspx and http://technet.microsoft.com/en-us/library/aa997627%28v=exchg.80%29.aspx.

2.1.1.2 Privileges for Exchange 2010 Service Account

This following is the minimum privilege required for an Exchange 2010 service account to manage recipients (UserMailbox and MailUser):

The service account must be a member of Recipient Management group.

For more information, see http://technet.microsoft.com/en-us/library/dd298028%28v=exchg.141%29.aspx.

2.1.1.3 Privileges for Exchange 2013 Service Account

This following is the minimum privilege required for an Exchange 2013 service account to manage recipients (UserMailbox and MailUser):

The service account must be a member of Recipient Management group.

For more information, see https://technet.microsoft.com/en-us/library/dd298028%28v=exchg.150%29.aspx.

2.1.1.4 Privileges for Exchange 2016 Service Account

The following is the minimum privilege required for an Exchange 2016 service account to manage recipients (UserMailbox and MailUser):

The service account must be a member of Recipient Management group.

For more information, see https://docs.microsoft.com/en-us/Exchange/permissions/permissions?view=exchserver-2016.

2.1.2 Installing, Configuring, and Running the Connector Server

The connector server is an application that enables remote execution of the Exchange connector. As the Exchange connector is implemented in .NET, it requires a .NET connector server. The connector server can either be installed on the same computer as that of the Exchange Server or on a different computer in the same domain as that of the Exchange Server.

For more information, see Connector Architecture.

This section contains the following topics:

2.1.2.1 Prerequisites for the Connector Server

The following prerequisites and requirements must be met for the connector server:

The computer hosting the connector server must have Intel Dual-Core Processor, 2 GHz with 4 GB RAM or a computer with similar configuration.

If you have a computer dedicated to the connector server, then 2 GB RAM is sufficient.
Before you install the connector server, ensure that you have installed .NET Framework 3.5 SP1 on the same computer where you are installing the connector server.

In addition, you must install the following patch:

http://support.microsoft.com/kb/981575

The .NET connector server need not be installed on the Exchange server target system. It can be installed either on the Exchange server or on a system that belongs to the same domain as that of the Exchange server.
If you are using Exchange Server 2007, then you must install Exchange Management Tools on the computer hosting the connector server. This is a mandatory requirement.
If you are using Exchange Server 2010, then TCP port 80 must be open between the computer hosting the connector server and the remote Exchange 2010 server, and the port must be allowed through Windows Firewall on the Exchange 2010 server. In addition, ensure other prerequisites are met for remote Shell as mentioned in the Remote Exchange Management page at:

http://technet.microsoft.com/en-in/library/dd297932%28v=exchg.141%29.aspx

2.1.2.2 Installing the Connector Server

To install the connector server:

Note:

If you have already installed Connector Server 11.1.1.5.0, then you can skip this procedure.

Download the connector server package (a zip file such as Connector_Server_111200.zip) from the Oracle Identity Manager Connector Downloads page at:

http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html
Extract the contents of the connector server package and locate the ServiceInstall-version.msi file, such as ServiceInstall-1.4.0.0.msi.
Install the connector server by running the ServiceInstall-1.4.0.0.msi file.

If the Setup Type - Typical option is used during the installation, then the connector server will be installed at the C:\Program Files\Identity Connector\Connector Server directory.

Note:

In this guide, CONNECTOR_SERVER_HOME represents the C:\Program Files\Identity Connector\Connector Server directory or the directory where the connector server was installed.
Upon successful installation, the connector server is registered as a Windows service and will be started automatically.
Stop the connector server Windows service.

2.1.2.3 Configuring the Connector Server

To configure the connector server:

Open the connectorserver.exe.config file located in the CONNECTOR_SERVER_HOME directory. In the connectorserver.exe.config file, set the following properties, as required by your deployment.

Property	Description
connectorserver.port	Port on which the connector server listens for requests. Default value: `8759`
connectorserver.usessl	If set to `true`, the connector server uses SSL for secure communication with Oracle Identity Manager. If this property is set to true, then you must set the corresponding property in Exchange connector server IT resource to `true.` To setup SSL between OIM and connector server, see Configuring SSL Between Oracle Identity Manager and Connector Server. Default value: `false`.
Certificatestorename	If the connectorserver.usessl property is set to true, then this property should point to your certificate store name.
connectorserver.key	Connector server key. See Step 2 for information about setting this value.

Set The connector server key in the connectorserver.exe.config file, as follows:

Note:

This key value must be mentioned in the Exchange connector server IT resource property.
1. Open a command prompt and navigate to CONNECTOR_SERVER_HOME directory.
2. Run the ConnectorServer.exe /setKey command.
  
  This displays the prompt Enter Key:
3. Enter an appropriate key and press Enter.
  
  This displays the prompt Confirm Key:
4. Enter the same key to confirm and press Enter.
  
  This displays the message Key Updated.

2.1.2.4 Enabling Logging

The Exchange connector uses the built-in logging mechanism of the .NET framework. Logging for the Exchange connector is not integrated with Oracle Identity Manager. The log level is set in the .NET connector server configuration file (ConnectorServer.exe.config).

By default, logging is not enabled for the connector. To enable logging:

Navigate to CONNECTOR_SERVER_HOME directory. The default directory is C:\Program Files\Identity Connectors\Connector Server.

The ConnectorServer.exe.config file must be present in this directory.
Search and locate the tag <add name="myListener" under the <listeners> tag.
The connector logs all information in the file indicated by the initializeData parameter. The default value is c:\connectorserver.log.

Edit this value as per your deployment needs. As the connector server runs using the service account, ensure the service account has write permissions on the log location and on the log file. Otherwise, there would be no logs generated even if you enable logging.

In the ConnectorServer.exe.config file, add the lines shown in bold text:

<system.diagnostics>
  <trace autoflush="true" indentsize="4">
    <listeners>
      <remove name="Default" />
      <add name="myListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="c:\connectorserver.log" traceOutputOptions="DateTime">
        <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information" />
      </add>
    </listeners>
  </trace>
  <switches>
    <add name="ExchangeSwitch" value="4" />
  </switches>
</system.diagnostics>

The value="4" sets the log level to Verbose. This value can be set as follows:

Table 2-1 Log Levels

Value	Log Level
value="4" or value="Verbose"	Verbose level. Most granular.
value="3" or value="Information"	Information level.
value="2" or value="Warning"	Warning level.
value="1" or value="Error"	Error level.
value="0"	No logging.

2.1.2.5 Configuring Log File Rotation

Information about events that occur during the course of reconciliation and provisioning operations are stored in a log file. As you use the connector over a period time, the amount of information written to a log file increases. If no rotation is performed, then log files become huge.

To avoid such a scenario, perform the procedure described in this section to configure rotation of the log file.

To configure rotation of a log file on a daily basis:

Log in to the computer that is hosting the connector server.
Stop the connector server.
Back up the ConnectorServer.exe.config file. The default location of this file is C:\Program Files\Identity Connectors\Connector Server.
In a text editor, open the ConnectorServer.exe.config file for editing.

Search for the <listeners> and </listeners> elements and replace the text between these elements with the following:

<remove name="Default" />
<add name="FileLog" type="Microsoft.VisualBasic.Logging.FileLogTraceListener,Microsoft.VisualBasic,Version=8.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
initializeData="FileLogWriter"
traceOutputOptions="DateTime"
BaseFileName="ConnectorServerDaily"
Location="Custom"
CustomLocation="C:\ConnectorServerLog\"
LogFileCreationSchedule="Daily">
<filter type="System.Diagnostics.EventTypeFilter" initializeData="Information"/>
</add>

Save the file and close it.
Start the connector server.

2.1.2.6 Running the Connector Server

To run the connector server, perform one of the following steps depending on the Exchange Server version:

If you are using Exchange Server 2007:
1. Login to computer hosting the connector server.
  
  The login user must have permissions to perform the following steps.
2. Open Windows services explorer. To do so:
  
  Click the Start button, then click to Run... Enter Services.msc and click OK.
3. Locate the Connector Server service.
4. Right-click on the service and click Properties.
5. Click the Log On tab and select This Account.
6. Click Browse to choose the service account having minimum privileges as described in Privileges for Exchange 2007 Service Account. Then, enter password for this service account.
7. Click OK.
8. With this service selected, click Run.
After the above steps are completed successfully, the connector server runs with the service account that has the minimum privileges to perform recipient management tasks on Exchange Server 2007.

Note:

The above steps are mandatory and must be completed successfully. This is because the Exchange connector uses the credentials of the user who starts the connector server to communicate with Exchange Server 2007. The user name and password information provided in the IT resource is not used.
If you are using Exchange Server 2010:
1. Login to computer hosting the connector server.
  
  The login user must have permissions to perform the following steps.
2. Open Windows services explorer. To do so:
  
  Click the Start button, then click to Run... Then, enter Services.msc and click OK.
3. Locate the Connector Server service and click Run.
Note:

The Exchange connector uses the user credentials provided in the Exchange IT Resource. For more information, see Configuring the IT Resource for the Target System. As the connector uses credentials provided in the IT resource to communicate with Exchange Server, any user can start the connector server.

Alternatively, the connector server can be started by the service account having minimum privileges as described in Privileges for Exchange 2010 Service Account.

2.2 Installation

You must install the connector in Oracle Identity Manager and in the connector server.

The following sections provide information about installation:

2.2.1 Installing the Connector in Oracle Identity Manager

Installation on Oracle Identity Manager involves running the connector installer and configuring the IT resource.

2.2.1.1 Running the Connector Installer

Note:

In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.

Ensure that the Microsoft Active Directory User Management connector is installed before you proceed to install the connector.

To run the Connector Installer:

Copy the contents of the connector installation media directory into the following directory:

OIM_HOME/server/ConnectorDefaultDirectory

Note:

In an Oracle Identity Manager cluster, perform this step on each node of the cluster.
If you are using Oracle Identity Manager release 11.1.1., then:
1. Log in to the Administrative and User Console.
2. On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Manage Connector.
If you are using Oracle Identity Manager release 11.1.2.x, then:
1. Log in to Oracle Identity System Administration.
2. In the left pane, under System Management, click Manage Connector.
In the Manage Connector page, click Install.
From the Connector List list, select Exchange Connector 11.1.1.6.0. This list displays the names and release numbers of connectors whose installation files you copy into the default connector installation in Step 1.

If you have copied the installation files into a different directory, then:
1. In the Alternative Directory field, enter the full path and name of that directory.
2. To repopulate the list of connectors in the Connector List list, click Refresh.
3. From the Connector List list, select Exchange Connector 11.1.1.6.0.
Click Load.
To start the installation process, click Continue.

The following tasks are performed, in sequence:
1. Configuration of connector libraries
2. Import of the connector XML files (by using the Deployment Manager)
3. Compilation of adapters
On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:
- Retry the installation by clicking Retry.
- Cancel the installation and begin again from Step 1.
If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:
1. Ensuring that the prerequisites for using the connector are addressed
  
  Note:
  
  At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Clearing Content Related to Connector Resource Bundles from the Server Cache for information about running the PurgeCache utility.
  
  There are no prerequisites for some predefined connectors.
2. Configuring the IT resource for the connector
  
  Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is described later in this guide.
3. Configuring the scheduled tasks
  
  Record the names of the scheduled tasks displayed on this page. The procedure to configure these scheduled tasks is described later in this guide.

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table A-1.

2.2.1.2 Configuring the IT Resource for the Target System

The IT resource for the target system contains connection information about the target system. Oracle Identity Manager uses this information for reconciliation and provisioning.

For both provisioning and reconciliation, the Microsoft Exchange connector uses Exchange IT Resource. This IT resource is created with default parameter values as part of the connector installation. You must update the IT resource parameters with information about the target system.

To configure the Microsoft Exchange Server IT resource:

Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
- For Oracle Identity Manager release 11.1.1:
  
  Log in to the Administrative and User Console.
- For Oracle Identity Manager release 11.1.2.x:
  
  Log in to Oracle Identity System Administration.
If you are using Oracle Identity Manager release 11.1.1, then:
1. On the Welcome page, click Advanced in the upper-right corner of the page.
2. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
If you are using Oracle Identity Manager release 11.1.2.x, then in the left pane under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter Exchange IT Resource and then click Search.
Click the edit icon corresponding to the Exchange IT resource.
From the list at the top of the page, select Details and Parameters.

Specify values for the parameters of the Exchange IT resource.

The following screenshot shows the Edit IT Resource Details and Parameters page for Exchange 2007:

Note:

The ExchangeUser, ExchangeServerHost, and ExchangeUserPassword properties are not required if Exchange Server version is 2007. The connector uses the credentials of the user who started the connector server to connect to Exchange Server. This user is the service account having minimum privileges described in Privileges for Exchange 2007 Service Account.

As the Exchange Management Tools are installed on connector server host computer, the connector knows to which Exchange Server it should connect to.

The following screenshot shows the Edit IT Resource Details and Parameters page for Exchange 2010:

Note:

The ExchangeUser, ExchangeServerHost, and ExchangeUserPassword properties are required. The connector uses these properties to connect remotely to Exchange Server.

The ExchangeUser specified is the service account having minimum privileges described in Privileges for Exchange 2010 Service Account.

Table 2-2 describes each parameter of the Exchange IT resource.

Table 2-2 Parameters of the Exchange IT Resource for the Target System

Parameter	Description
Configuration Lookup	This parameter holds the name of the lookup definition that stores configuration information used during reconciliation and provisioning. Default value: `Lookup.Exchange.Configuration`
Connector Server Name	Name of the IT resource of the type "Connector Server." A default IT resource for the connector server is created during the connector installation. See Configuring the IT Resource for the Connector Server for information about modifying the default IT resource. Default value: `Exchange Connector Server`
ExchangeServerType	Enter the type of Microsoft Exchange Server. For Exchange 2007, set the value to `OnPremise2007`. For Exchange 2010, set the value to `OnPremise2010`. For Exchange 2013, set the value to `OnPremise2013`. For Exchange 2016, set the value to `OnPremise2016`. Default value: `OnPremise2007`
ExchangeServerHost	Hostname of the computer hosting Exchange Server 2010, 2013, or 2016. This is required only if ExchangeServerType is set to `OnPremise2010`, `OnPremise2013`, or `OnPremise2016.`
ExchangeUser	User name of the service account having minimum privileges described in Privileges for Exchange 2010 Service Account. Format: DomainName\UserName This is required only if ExchangeServerType is set to `OnPremise2010`, `OnPremise2013`, or `OnPremise2016.`
ExchangeUserPassword	Valid password for user specified for the ExchangeUser parameter. This is required only if ExchangeServerType is set to `OnPremise2010`, `OnPremise2013`, or `OnPremise2016.`

To save the values, click Update.

2.2.2 Deploying the Connector Bundle on the Connector Server

To deploy the connector bundle on the connector server, you must copy and extract the connector bundle to the connector server and then configure the IT resource for the connector server.

2.2.2.1 Copying and Extracting the Connector Bundle to the Connector Server

To copy and extract the connector bundle to the connector server:

Note:

If a single connector server is used for both Active Directory and Exchange connectors, and if the connector server already has the Active Directory connector DLL, do not update connector server with Active Directory connector DLL provided as part of the Exchange connector bundle ZIP file.

Stop the connector server.
From the installation media, copy and extract contents of the bundle/Exchange.Connector-2.0.0.1.zip file to the CONNECTOR_SERVER_HOME directory.
Start the connector server. See Running the Connector Server for information about starting the connector server.

2.2.2.2 Configuring the IT Resource for the Connector Server

During the installation of the connector, a default IT resource for the connector server for Microsoft Exchange is created with the name, Exchange connector server.

To configure or modify the IT resource for the connector server:

Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
- For Oracle Identity Manager release 11.1.1:
  
  Log in to the Administrative and User Console.
- For Oracle Identity Manager release 11.1.2.x:
  
  Log in to Oracle Identity System Administration.
If you are using Oracle Identity Manager release 11.1.1, then:
1. On the Welcome page, click Advanced in the upper-right corner of the page.
2. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
If you are using Oracle Identity Manager release 11.1.2.x, then in the left pane under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter Exchange Connector Server and then click Search.
Click the edit icon corresponding to the Exchange connector server IT resource.
From the list at the top of the page, select Details and Parameters.

Specify values for the parameters of the Exchange connector server IT resource. Figure 2-1 shows the Edit IT Resource Details and Parameters page.

Figure 2-1 Edit IT Resource Details and Parameters Page for the Exchange Connector Server IT Resource

Description of "Figure 2-1 Edit IT Resource Details and Parameters Page for the Exchange Connector Server IT Resource"

Table 2-3 provides information about the parameters of the Exchange connector server IT resource.

Table 2-3 Parameters of the Exchange Connector Server IT Resource

Parameter	Description
Host	Enter the host name or IP address of the computer hosting the connector server. Sample value: `HostName`
Key	Enter the key for the connector server.
Port	Enter the number of the port at which the connector server is listening. Default value: `8759`
Timeout	Enter an integer value which specifies the number of milliseconds after which the connection between the connector server and Oracle Identity Manager times out. If the value is zero or if no value is specified, the timeout is unlimited. Sample value: `300`
UseSSL	Enter `true` to specify that you will configure SSL between Oracle Identity Manager and the connector server. Otherwise, enter `false.` Default value: `false` See Also: Configuring SSL Between Oracle Identity Manager and Connector Server for information about enabling SSL

To save the values, click Update.

2.3 Postinstallation

Postinstallation involves configuring Oracle Identity Manager, localizing field labels, clearing server cache, configuring SSL, and so on.

2.3.1 Configuring Oracle Identity Manager 11.1.2 or Later

If you are using Oracle Identity Manager release 11.1.2 or later, you must create additional metadata such as a UI form and an application instance. In addition, you must run entitlement and catalog synchronization jobs.

These procedures are described in the following sections:

2.3.1.1 Creating and Activating a Sandbox

Create and activate a sandbox as follows. For detailed instructions, see Managing Sandboxes in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

On the upper navigation bar, click Sandboxes. The Manage Sandboxes page is displayed.
On the toolbar, click Create Sandbox. The Create Sandbox dialog box is displayed.
In the Sandbox Name field, enter a name for the sandbox. This is a mandatory field.
In the Sandbox Description field, enter a description of the sandbox. This is an optional field.
Click Save and Close. A message is displayed with the sandbox name and creation label.
Click OK. The sandbox is displayed in the Available Sandboxes section of the Manage Sandboxes page.
Select the sandbox that you created.
From the table showing the available sandboxes in the Manage Sandboxes page, select the newly created sandbox that you want to activate.
On the toolbar, click Activate Sandbox.

The sandbox is activated.

2.3.1.2 Creating a New UI Form

Create a new UI form as follows. For detailed instructions, see Managing Forms in Oracle Fusion Middleware Administering Oracle Identity Manager.

In the left pane, under Configuration, click Form Designer.
Under Search Results, click Create.
Select the resource type for which you want to create the form.
Enter a form name and click Create.

2.3.1.3 Creating an Application Instance

Create an application instance as follows. For detailed instructions, see Managing Application Instances in Oracle Fusion Middleware Administering Oracle Identity Manager.

In the System Administration page, under Configuration in the left pane, click Application Instances.
Under Search Results, click Create.
Enter appropriate values for the fields displayed on the Attributes form and click Save.
In the Form drop-down list, select the newly created form and click Apply.
Publish the application instance for a particular organization.

Note:

If you are using access policy-based provisioning, then specify the Active Directory connector application instance as the value for the Parent AppInstance attribute.

2.3.1.4 Publishing a Sandbox

To publish the sandbox that you created in Creating and Activating a Sandbox:

Close all the open tabs and pages.
From the table showing the available sandboxes in the Manage Sandboxes page, select the sandbox that you created in Creating and Activating a Sandbox.
On the toolbar, click Publish Sandbox. A message is displayed asking for confirmation.
Click Yes to confirm. The sandbox is published and the customizations it contained are merged with the main line.

2.3.1.5 Harvesting Entitlements and Sync Catalog

To harvest entitlements and sync catalog:

Run the scheduled jobs for lookup field synchronization listed in Scheduled Tasks for Lookup Field Synchronization.
Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table. See Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about this scheduled job.
Run the Catalog Synchronization Job scheduled job. See Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about this scheduled job.

2.3.1.6 Updating an Existing Application Instance with a New Form

For any changes you do in the Form Designer, you must create a new UI form and update the changes in an application instance. To update an existing application instance with a new form:

Create a sandbox and activate it as described in Creating and Activating a Sandbox.
Create a new UI form for the resource as described in Creating a New UI Form.
Open the existing application instance.
In the Form field, select the new UI form that you created.
Save the application instance.
Publish the sandbox as described in Publishing a Sandbox.

2.3.2 Localizing Field Labels in UI Forms

You can localize UI form field labels by using the resource bundle corresponding to the language you want to use. Resource bundles are available in the connector installation media.

Note:

Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.2.x or later and you want to localize UI form field labels.

To localize field label that you add to in UI forms:

Log in to Oracle Enterprise Manager.
In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
In the right pane, from the Application Deployment list, select MDS Configuration.
On the MDS Configuration page, click Export and save the archive to the local computer.
Extract the contents of the archive, and open the following file in a text editor:
- For Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) or later:
  
  SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_en.xlf
- For releases prior to Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0):
  
  SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf

Edit the BizEditorBundle.xlf file in the following manner:

Search for the following text:

<file source-language="en"  
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

Replace with the following text:

<file source-language="en" target-language="LANG_CODE"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in French:

<file source-language="en" target-language="fr"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

Search for the application instance code. This procedure shows a sample edit for Exchange application instance. The original code is:

<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_EXCHANGE_DISPLAYNAME__c_description']}">
<source>Display Name</source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ExchUserForm.entity.ExchUserFormEO.UD_EXCHANGE_DISPLAYNAME__c_LABEL">
<source>Display Name</source>
<target/>
</trans-unit>

Open the resource file from the connector package, for example Exchange_fr.properties, and get the value of the attribute from the file, for example, global.udf.UD_EXCHANGE_DISPLAYNAME=Nom d'affichage.

Replace the original code shown in Step 6.c with the following:

<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_EXCHANGE_DISPLAYNAME__c_description']}">
<source>Display Name</source>
<target>Nom d'affichage</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ExchUserForm.entity.ExchUserFormEO.UD_EXCHANGE_DISPLAYNAME__c_LABEL">
<source>Display Name</source>
<target>Nom d'affichage</target>
</trans-unit>

Repeat Steps 6.a through 6.d for all attributes of the process form.
Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.

Sample file name: BizEditorBundle_fr.xlf.

Repackage the ZIP file and import it into MDS.

See Also:

Deploying and Undeploying Customizations in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager, for more information about exporting and importing metadata files
Log out of and log in to Oracle Identity Manager.

2.3.3 Clearing Content Related to Connector Resource Bundles from the Server Cache

When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the Oracle Identity Manager database. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

Note:

In an Oracle Identity Manager cluster, you must perform this step on each node of the cluster. Then, restart each node.

To clear content related to connector resource bundles from the server cache:

In a command window, switch to the OIM_HOME/server/bin directory.
Enter one of the following commands:
Note:

You can use the PurgeCache utility to purge the cache for any content category. Run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the content category that must be purged.

For example, the following commands purge Metadata entries from the server cache:

PurgeCache.bat MetaData

PurgeCache.sh MetaData

On Microsoft Windows: PurgeCache.bat All

On UNIX: PurgeCache.sh All

When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:
```
t3://OIM_HOST_NAME:OIM_PORT_NUMBER
```
In this format:
- Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.
- Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.

2.3.4 Linking the Exchange Resource Object with the AD User Resource Object

To link the Exchange resource object with the AD User resource object:

On the Design Console, expand Resource Management and then double-click Resource Objects.
Search for and open the AD User resource object.
On the Status Definition sub tab of the Resource Object tab, ensure that the Disabled and Revoked check boxes are selected.
To save the changes to the AD User resource object, click the Save icon.
Search for and open the Exchange resource object.
On the Depends On sub tab of the Resource Object tab, click Assign.
In the Assigned Objects Dialog box, move the AD User resource object from Unassigned Objects to Assigned Objects.
Click OK.
To save the changes to the Exchange resource object, click the Save icon.

2.3.5 Configuring Oracle Identity Manager for Request-Based Provisioning

In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource on the resource can be viewed and approved by approvers designated in Oracle Identity Manager.

Note:

Perform the procedure described in this section only if both the conditions are true:

You are using Oracle Identity Manager release 11.1.1.
You want to perform request-based provisioning operations.

The following are features of request-based provisioning:

A user can be provisioned only one resource (account) on the target system.

Note:

Direct provisioning allows the provisioning of multiple Microsoft Exchange accounts on the target system.
Direct provisioning cannot be used if you enable request-based provisioning.

To configure request-based provisioning, perform the following procedures:

2.3.5.1 Importing Request Datasets Using Deployment Manager

Note:

You can perform this procedure instead of the procedures described in Copying Predefined Request Datasets and Importing Request Datasets into MDS.

A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation.

To import a request dataset XML file by using the Deployment Manager:

Log in to the Oracle Identity Manager Administrative and User Console.
Click the Deployment Management link on the left navigation bar.
Click the Import link under Deployment Management.

A dialog box for opening files is displayed.
Locate and open the request dataset XML file, Exchange-Datasets.xml, which is in the xml directory of the installation media.

Details of this XML file are shown on the File Preview page.
Click Add File.

The Substitutions page is displayed.
Click Next.

The Confirmation page is displayed.
Click Import.
Close the Deployment Manager dialog box.

The request dataset is imported into Oracle Identity Manager.

2.3.5.2 Copying Predefined Request Datasets

Predefined request datasets are shipped with this connector. The following is list of predefined request datasets available in the DataSet directory on the installation media:

ModifyResourceExchange.xml

ProvisionResourceExchange.xml

Copy these files from the installation media to any directory on the Oracle Identity Manager host computer. It is recommended that you create a directory structure as follows:

/custom/connector/RESOURCE_NAME

For example:

E:\MyDatasets\custom\connector\Exchng

Note:

Until you complete the procedure to configure request-based provisioning, ensure that there are no other files or directories inside the parent directory in which you create the directory structure. In the preceding example, ensure that there are no other files or directories inside the E:\MyDatasets directory.

The directory structure to which you copy the dataset files is the MDS location into which these files are imported after you run the Oracle Identity Manager MDS Import utility. The procedure to import dataset files is described in the next section.

Depending on your requirement, you can modify the file names of the request datasets. In addition, you can modify the information in the request datasets.

2.3.5.3 Importing Request Datasets into MDS

All request datasets must be imported into the metadata store (MDS), which can be done by using the Oracle Identity Manager MDS Import utility.

To import a request dataset definition into MDS:

Set up the environment for running the MDS Import utility as follows:

Set Environment Variable: Set the OIM_ORACLE_HOME environment variable to the Oracle Identity Management Oracle home directory inside the Middleware home directory. For example, for Microsoft Windows, set the OIM_ORACLE_HOME environment variable to C:\Oracle\Middleware\Oracle_IDM1\ directory.

Set Up the Properties File: Set the necessary properties in the weblogic.properties file, which is located in the same folder as the utilities.

Note:

While setting up the properties in the weblogic.properties file, ensure that the value of the metadata_from_loc property is the parent directory of the /custom/connector/RESOURCE_NAME directory. For example, while performing the procedure in Copying Predefined Request Datasets, if you copy the files to the E:\MyDatasets\custom\connector\Exchng directory, then set the value of the metada_from_loc property to E:\MyDatasets.

Table 2-4 Parameters in the Properties File

Property Name	Description	Notes
wls_servername	Name of the Oracle WebLogic Server on which Oracle Identity Manager is deployed
application_name	The application name	Value is: `oim` if importing/exporting an out-of-the-box event handler. `OIMMetadata` for customizable metadata. If importing or exporting custom data, set application_name to OIMMetadata.
metadata_from_loc	Directory location from which an XML file should be imported. This property is used by weblogicImportMetadata.sh script.	Microsoft Windows paths include // as file or directory separator.
metadata_to_loc	Directory location from which an XML file should be imported. This property is used by weblogicExportMetadata.sh script.	Microsoft Windows paths include // as file or directory separator.
metadata_files	Full path and name of an XML file. This property is used by weblogicExportMetadata.sh and weblogicDeleteMetadata.sh scripts.	For example, you may specify /file/User.xml to export a user entity definition. You can indicate multiple xml files as comma-separated values.

In a command window, change to the OIM_HOME\server\bin directory.
Run one of the following commands:
- On Microsoft Windows
```
weblogicImportMetadata.bat
```
- On UNIX
```
weblogicImportMetadata.sh
```
When prompted, enter the following values:
- Please enter your username [weblogic]
  
  Enter the username used to log in to WebLogic server
  
  Sample value: WL_User
- Please enter your password [weblogic]
  
  Enter the password used to log in to WebLogic server
- Please enter your server URL [t3://localhost:7001]
  
  Enter the URL of the application server in the following format:
  
  t3://HOST_NAME_IP_ADDRESS:PORT
  
  In this format, replace:
  
  HOST_NAME_IP_ADDRESS with the host name or IP address of the computer on which Oracle Identity Manager is installed.
  
  PORT with the port on which Oracle Identity Manager is listening.
The request dataset is imported into MDS at the following location:

/custom/connector/RESOURCE_NAME

2.3.5.4 Enabling the Auto Save Form Feature

To enable the Auto Save Form feature:

Log in to the Design Console.
Expand Process Management, and then double-click Process Definition.
Search for and open the Exchange process definition.
Select the Auto Save Form check box.
Click the Save icon.

2.3.5.5 Running the PurgeCache Utility

Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Clearing Content Related to Connector Resource Bundles from the Server Cache for instructions.

The procedure to configure request-based provisioning ends with this step.

2.3.6 Configuring SSL Between Oracle Identity Manager and Connector Server

You must configure SSL to secure communication between Oracle Identity Manager and Connector Server.

This procedure is mandatory if the connector server and the Exchange bundle are installed on the target system.

The following sections provide information about configuring SSL between Oracle Identity manager and connector server:

2.3.6.1 Installing Certificate Services on Windows Server 2003

Before you configure SSL, you must install Certificate Services on the target system host computer:

To install Certificate Services on the target system host computer:

Note:

Before you begin installing Certificate Services, you must ensure that Internet Information Services (IIS) is installed on the target system host computer.

Insert the operating system installation media into the CD-ROM or DVD drive.
Click Start, Settings, and Control Panel.
Double-click Add/Remove Programs.
Click Add/Remove Windows Components.
Select Certificate Services.
In the Windows Components Wizard, follow the instructions to start Certificate Services.

Note:

While providing input to the wizard, select Enterprise root CA as the CA type. This is required for adding a policy with the Domain Controller template, which is a step that you perform in the next procedure.

2.3.6.2 Installing Certificate Services for Windows Server 2008

To install Certificate Services on the target system host computer:

Select Administrative Tools from the Control Panel to open the Server Manager Window.

Note:

Ensure that the Web Server IIS role has been added from the Server Manager.
In the Select Server Roles window of the installation wizard, select Active Directory Certificate Services and click Next. The Introduction to Active Directory Certificate Services window appears.
In the Introduction to Active Directory Certificate Services window, click Next. The Role Services window appears.
In the Role Services window, select the Certification Authority and Certification Authority Web Enrollment options and click Next. The Specify Setup Type window appears.
In the Specify Setup Type window, select Enterprise and click Next. The Specify CA Type window appears.
In the Specify CA Type window, select Root CA and click Next. The Set Up Private Key window appears.
In the Set Up Private Key window, select Create a new private key and click Next. The Configure Cryptography for CA window appears.
In the Configure Cryptography for CA page, select a value for the Key character length field from the drop-down list and click Next. The Configure CA Name window appears.
In the Configure CA Name window, specify values for the available fields and click Next. The Set Validity Period window appears.
In the Set Validity Period window, specify values for the available fields and click Next. The Configure Certificate Database window appears.
In the Configure Certificate Database window, specify values for the available fields and click Next. The Confirm Installation Selections window appears.
In the Confirm Installation Selections window, review the presented information, click Install, then click Close.

2.3.6.3 Exporting the Certificate

To export the certificate generated by CA:

Click Start and then Run.
Enter the following command, and then click OK:

mmc

The Microsoft Management Console is displayed.
In the Console Root window, on the left pane, expand Certificates - Local Computer), Personal, and then Certificates.
Right-click Certificates, select All Tasks, and then click Export.
In the wizard that is displayed, select all default values to create a certificate file (.cer). Ensure to specify a file name (for example, C:\ExchangeSSLCer.cer) in the wizard, and then click Finish.

2.3.6.4 Configuring the Connector Server for SSL

To configure the connector server for SSL:

Create a certificate store and add the certificate created in Exporting the Certificate to the store. To do so:
In a command window, enter the following:

C:\>certutil -f -addstore sslstore C:\ExchangeSSLCer.cer

This command creates a new certificate store with the name 'sslstore' and adds the certificate ExchangeSSLCer to this store.
Navigate to the location where connector server is installed and locate the Connector Server\ConnectorServer.exe.Config file.
In a text editor, open the ConnectorServer.exe.Config file for editing:
Change the values of the following lines:

From:

<add key="connectorserver.usessl" value="false" />

<add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate" />

To:

<add key="connectorserver.usessl" value="true" />

<add key="connectorserver.certificatestorename" value="sslstore" />
Restart the connector server.

2.3.6.5 Configuring Oracle Identity Manager for SSL

The following is the procedure to configure Oracle Identity Manager for SSL:

Copy the certificate generated in Step 1 of Configuring the Connector Server for SSL to the computer on which Oracle Identity Manager is running.
Import the target system certificate into the JDK used by Oracle Identity Manager by running the following command:
- For Oracle Identity Manager running on Oracle WebLogic Application Server:
  
  keytool -import -keystore MY_CACERTS -file CERT_FILE_NAME -storepass PASSWORD
  
  In this command:
  
  - MY_CACERTS is the full path and name of the certificate store (the default is cacerts).
  
  - CERT_FILE_NAME is the full path and name of the certificate file.
  
  - PASSWORD is the password of the keystore.
  
  The following is a sample command:
  
  keytool -import -keystore /home/testoc4j/OIM/jrockit_160_14_R27.6.5-32/jre/lib/security/cacerts -file /home/ExchangeSSLCer.cer -storepass changeit
- For Oracle Identity Manager running on IBM WebSphere Application Server:
  
  In a terminal window, change to the WEBSPHERE_HOME\AppServer\java\jre\bin directory and run the following command:
  
  keytool -import -alias ALIAS_NAME -keystore MY_CACERTS -file CERT_FILE_NAME -storepass PASSWORD
  
  In this command:
  
  - ALIAS_NAME is the alias for the certificate store.
  
  - MY_CACERTS is the full path and name of the certificate store (the default is cacerts).
  
  - CERT_FILE_NAME is the full path and name of the certificate file.
  
  - PASSWORD is the password of the keystore.
  
  The following is a sample command:
  
  keytool -import -alias exchange_cert -keystore /scratch/jdoe/r2was/was9461/java/jre/lib/security/cacerts -file /scratch/jdoe/first/CS.cer -storepass changeit
Import the target system certificate into the keystore of the application server by running the following command:
- For Oracle Identity Manager running on Oracle WebLogic Application Server:
  
  keytool -import -keystore WEBLOGIC_HOME/server/lib/DemoTrust.jks -file CERT_FILE_NAME -storepass PASSWORD
  
  In this command:
  
  - CERT_FILE_NAME is the full path and name of the certificate file.
  
  - PASSWORD is the password of the keystore.
  
  The following is a sample command:
  
  keytool -import -keystore WEBLOGIC_HOME/server/lib/DemoTrust.jks -file /home/ExchangeSSLCer.cer -storepass DemoTrustKeyStorePassPhrase
- For Oracle Identity Manager running on IBM WebSphere Application Server:
  
  In a terminal window, change to the WEBSPHERE_HOME\AppServer\java\jre\bin directory and run the following command:
  
  keytool -import -alias ALIAS_NAME -keystore $WAS_PROFILE_HOME/config/cells/DefaultCell01/trust.p12 -storetype PKCS12 -file CERT_FILE_NAME -storepass PASSWORD
  
  In this command:
  
  - ALIAS_NAME is the alias for the certificate store.
  
  - MY_CACERTS is the full path and name of the certificate store (the default is cacerts).
  
  - CERT_FILE_NAME is the full path and name of the certificate file.
  
  - PASSWORD is the password of the keystore.
  
  The following is a sample command:
  
  keytool -import -alias exchange_cert -keystore /scratch/jdoe/r2was/was9461/java/jre/lib/security/cacerts -file /scratch/jdoe/first/CS.cer -storepass changeit
  
  keytool -import -alias exchange_cert -keystore /scratch/jdoe/r2was/was9461/profiles/Custom01/config/cells/DefaultCell01/trust.p12 -storetype PKCS12 -file /scratch/jdoe/first/CS.cer -storepass WebAS
Set the value of the UseSSL parameter of the connector server IT resource to true.

2.3.7 Setting up the Lookup Definition for Connection Pooling

By default, this connector uses the ICF connection pooling. Learn about the connection pooling properties for this connector, their description, and default values set in ICF:

Table 2-5 Connection Pooling Properties

Property	Description
Pool Max Idle	Maximum number of idle objects in a pool. Default value: `10`
Pool Max Size	Maximum number of connections that the pool can create. Default value: `10`
Pool Max Wait	Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation. Default value: `150000`
Pool Min Evict Idle Time	Minimum time, in milliseconds, the connector must wait before evicting an idle object. Default value: `120000`
Pool Min Idle	Minimum number of idle objects in a pool. Default value: `1`

If you want to modify the connection pooling properties to use values that suit requirements in your environment, then:

Log in to the Design Console.
Expand Administration, and then double-click Lookup Definition.
Search for and open the Lookup.Exchange.Configuration lookup definition.

See Lookup.Exchange.Configuration for more information about this lookup.
On the Lookup Code Information tab, click Add.

A new row is added.
In the Code Key column of the new row, enter Pool Max Idle.
In the Decode column of the new row, enter a value corresponding to the Pool Max Idle property.
Repeat Steps 4 through 6 for adding each of the connection pooling properties listed in Table 2-5.
Click the save icon.

2.4 Upgrading the Connector

If you have already deployed an earlier release of this connector, then upgrade the connector to the current release.

The following sections discuss the procedure to upgrade the connector:

Note:

Before you perform the upgrade procedure:

It is strongly recommended that you create a backup of the Oracle Identity Manager database. Refer to the database documentation for information about creating a backup.
Upgrade the Microsoft Active Directory connector.
As a best practice, first perform the upgrade procedure in a test environment.

2.4.1 Preupgrade Steps

Preupgrade involves performing certain procedures such as performing a reconciliation run to fetch all the latest updates to Oracle Identity Manager and then disabling the scheduled tasks, defining the source connector and so on.

Perform the following preupgrade steps:

Perform a reconciliation run to fetch all latest updates to Oracle Identity Manager.
Perform the preupgrade procedure documented in Managing Connector Lifecycle of Oracle Fusion Middleware Administering Oracle Identity Manager.
Define the source connector (an earlier release of the connector that must be upgraded) in Oracle Identity Manager. You define the source connector to update the Deployment Manager XML file with all customization changes made to the connector. See Managing Connector Lifecycle in Oracle Fusion Middleware Administering Oracle Identity Manager for more information.

2.4.2 Upgrade Steps

This is a summary of the procedure to upgrade the connector for both staging and production environments.

Depending on the environment in which you are upgrading the connector, perform one of the following steps:

Staging Environment

Perform the upgrade procedure by using the wizard mode.
Production Environment

Perform the upgrade procedure by using the silent mode.

See Managing Connector Lifecycle in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about the wizard and silent modes.

2.4.3 Postupgrade Steps

Postupgrade involves copying connector code files, configuring the IT resource and scheduled tasks, running the FVC utility and so on.

Perform the following procedure:

Perform the postupgrade procedure documented in Managing Connector Lifecycle of Oracle Fusion Middleware Administering Oracle Identity Manager.
If you are using Oracle Identity Manager release 11.1.2.x or later, then all changes made to the Form Designer of the Design Console must be done in a new UI form as follows:
1. Log in to Oracle Identity System Administration.
2. Create and activate a sandbox. See Creating and Activating a Sandbox for more information.
3. Create a new UI form to view the upgraded fields. See Creating a New UI Form for more information about creating a UI form.
4. Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in Step 2.c), and then save the application instance.
5. Publish the sandbox. See Publishing a Sandbox for more information.
Run the Form Version Control (FVC) utility to manage data changes on a form after an upgrade operation. To do so:
1. In a text editor, open the fvc.properties file located in the OIM_DC_HOME directory and include the following entries:
```
ResourceObject;Exchange User
FormName;UD_MSEXCHG
FromVersion;v1
ToVersion;v_11.1.1.6.0
Parent;UD_MSEXCHG_RECIPIENTTYPE;UserMailbox
ParentParent;UD_MSEXCHG_EXCHANGEITRESOURCE;UD_MSEXCHG_SERVER
```
2. Run the FVC utility. This utility is copied into the following directory when you install the design console:
  
  For Microsoft Windows:
  
  OIM_DC_HOME/fvcutil.bat
  
  For UNIX:
  
  OIM_DC_HOME/fvcutil.sh
  
  When you run this utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, and the logger level and log file location.
If you are upgrading the connector from release 9.x to 11.x, then run the PostUpgradeScript.sql script as follows:

Note:

Skip performing this step if you are upgrading the connector from release 11.1.1.5.0 to 11.1.1.6.0.
1. Connect to the Oracle Identity Manager database by using the OIM User credentials.
2. Run the PostUpgradeScript.sql located in the OIM_HOME/server/ConnectorDefaultDirectory/EXCHANGE_PACKAGE/upgrade directory.
Deploy the connector server. See Installing, Configuring, and Running the Connector Server for more information.
Re-configure the IT resource of the source connector (an earlier release of the connector that must be upgraded). See Configuring the IT Resource for the Target System for information about configuring the IT resource.

2.5 About Cloning the Connector

You can clone the Exchange connector by setting new names for some of the objects that comprise the connector.

The outcome of the process is a new connector XML file. Most of the connector objects, such as Resource Object, Process Definition, Process Form, IT Resource Type Definition, IT Resource Instances, Lookup Definitions, Adapters, Reconciliation Rules and so on in the new connector XML file have new names.