2 Deploying the Connector

Preinstallation information is divided across the following sections:

2.1 Preinstallation

Preinstallation information is divided across the following sections:

2.1.1 Files and Directories on the Installation Media

Table 2-1 describes the files and directories on the installation media.

Table 2-1 Files and Directories on the Installation Media

File in the Installation Media Directory Description

File in the bundle directory:

org.identityconnectors.dbum-1.0.1116.jar

This file contains connector code, SQL queries, and stored procedures that are used for provisioning and reconciliation.

Files in the configuration directory:

DBUM-Oracle-CI.xml

DBUM-MSSQL-CI.xml

DBUM-MySQL-CI.xml

DBUM-DB2-CI.xml

DBUM-Sybase-CI.xml

This directory contains the configuration files that are used by the Connector Installer during installation of the connector for a particular target system.

Files in the javadoc directory

This directory contains information about the Java APIs used by the connector.

File in the lib directory:

DBUM-oim-integration.jar

This JAR file contains the class files that are used during reconciliation and provisioning operations. During connector installation, this file is copied to the Oracle Identity Manager database.

Files in the resources directory

Each of these resource bundles contains language-specific information that is used by the connector. During connector deployment, these files are copied to the Oracle Identity Manager database location.

Note: A resource bundle is a file containing localized versions of the text strings that include GUI element labels and messages.

Files in the test directory:

config\oracleconfig.properties

config\mssqlconfig.properties

config\mysqlconfig.properties

config\db2config.properties

config\sybaseconfig.properties

lib\DBUMTest.jar

scripts\DBUMProvisioningTester.bat

scripts\DBUMProvisioningTester.sh

thirdparty (folder)

This directory contains the files for testing the connector.

Files in the upgrade directory:

PostUpgradeScriptOracleDBUM.sql

PostUpgradeScriptMSSQLDBUM.sql

PostUpgradeScriptMySQLDBUM.sql

PostUpgradeScriptDB2DBUM.sql

PostUpgradeScriptSybaseDBUM.sql

This directory contains the scripts for performing the post-upgrade operations.

Files in the xml directory:

DBUserManagement-Oracle-ConnectorConfig.xml

DBUserManagement-Oracle-Datasets.xml

DBUserManagement-MSSQL-ConnectorConfig.xml

DBUserManagement-MSSQL-Datasets.xml

DBUserManagement-MySQL-ConnectorConfig.xml

DBUserManagement-MySQL-Datasets.xml

DBUserManagement-DB2-ConnectorConfig.xml

DBUserManagement-DB2-Datasets.xml

DBUserManagement-Sybase-ConnectorConfig.xml

DBUserManagement-Sybase-Datasets.xml

Note: The dataset XML files are applicable only if you are using Oracle Identity Manager release 11.1.1.x.

This directory contains configuration (target and trusted) XML files and dataset XML files specific to the target system. The configuration XML files contain definitions for the various connector objects, such as resource objects and scheduled jobs, whereas the dataset XML files contain datasets for the request-based operations.

  • IT resource type

  • Process form for each login entity

  • Process form for each user entity

  • Process tasks for each login entity

  • Process tasks for each user entity

  • Resource objects for each login entity

  • Resource objects for each user entity

  • Provisioning Processes for each login entity

2.1.2 Preinstallation on Microsoft SQL Server

If you are using Microsoft SQL Server, then verify that the following preinstallation requirements are met before deploying the connector:

  • The target database in which users are to be created exists in the target Microsoft SQL Server installation.

  • The TCP/IP port is enabled. The default port is 1433.

    To enable the TCP/IP port:

    1. Open the Microsoft SQL Server Configuration Manager.

    2. Click SQL Server Network Configuration.

    3. Click Protocols for MSSQLSERVER.

    4. In the right frame, right-click TCP/IP and then click Enable.

  • The TCP/IP port is not the only port enabled. Ports other than the TCP/IP port must also be enabled.

  • Mixed mode authentication is enabled.

  • The TCP/IP port is not blocked by a firewall.

2.1.3 Creating a Target System User Account for Connector Operations

Oracle Identity Manager requires a target system user account to access the target system during reconciliation and provisioning operations. You provide the credentials of this user account while performing the procedure described in Configuring the IT Resource for the Target System.

To create a target system user account for connector operations, depending on the target system you are using, create a user in your target system and assign the mentioned permissions and roles to the user.

See Also:

Target system documentation for detailed information about creating the user

  • For MSSQL:

    1. Create Login using the following query:

      CREATE LOGIN serviceuser WITH PASSWORD = 'password',
      DEFAULT_DATABASE = DBname;
      GO
      
    2. Create a user using the following query:

      USE DBname;
      CREATE USER serviceuser FOR LOGIN serviceuser;
      GO
      
    3. Assign the following permissions and roles to the created user:

      • ALTER ROLE db_datawriter ADD MEMBER serviceuser;

      • ALTER ROLE db_datareader ADD MEMBER serviceuser;

      • ALTER ROLE db_accessadmin ADD MEMBER serviceuser;

      • ALTER ROLE db_owner ADD MEMBER serviceuser;

      • exec sp_addsrvrolemember 'serviceuser', 'securityadmin';

  • For Oracle Database:

    1. Create Login using the following query:

      CREATE USER serviceuser IDENTIFIED BY password 
      DEFAULT TABLESPACE users
      TEMPORARY TABLESPACE temp QUOTA UNLIMITED ON users;
      
    2. Assign the following permissions and roles to the created user:

      • GRANT CONNECT TO serviceuser;

      • GRANT SELECT on dba_role_privs TO serviceuser;

      • GRANT SELECT on dba_sys_privs TO serviceuser;

      • GRANT SELECT on dba_ts_quotas TO serviceuser;

      • GRANT SELECT on dba_tablespaces TO serviceuser;

      • GRANT SELECT on dba_users TO serviceuser;

      • GRANT CREATE USER TO serviceuser;

      • GRANT ALTER ANY TABLE TO serviceuser;

      • GRANT GRANT ANY PRIVILEGE TO serviceuser;

      • GRANT GRANT ANY ROLE TO serviceuser;

      • GRANT DROP USER TO serviceuser;

      • GRANT SELECT on dba_roles TO serviceuser;

      • GRANT SELECT ON dba_profiles TO serviceuser;

      • GRANT ALTER USER TO serviceuser;

      • GRANT CREATE ANY TABLE TO serviceuser;

      • GRANT DROP ANY TABLE TO serviceuser;

      • GRANT CREATE ANY PROCEDURE TO serviceuser;

      • REVOKE DROP ANY PROCEDURE FROM serviceuser;

  • For MySQL:

    1. Create a user using the following query:

      CREATE USER serviceuser IDENTIFIED BY 'password';

    2. Assign the following permissions and roles to the created user using the following query:

      GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER ON *.* TO 'serviceuser';

  • For DB2:

    1. Create a User 'serviceuser' at the OS level.

    2. Assign the following permissions and roles to the created user:

      • GRANT SELECT on TABLE syscat.schemata TO serviceuser

      • GRANT SELECT on TABLE syscat.tablespaces TO serviceuser

      • GRANT CREATEIN,DROPIN,ALTERIN ON SCHEMA 'SCHEMA_NAME' TO serviceuser

      • GRANT CONNECT,BINDADD,DBADM,CREATETAB,CREATE_NOT_FENCED_ROUTINE,IMPLICIT_SCHEMA,LOAD,CREATE_EXTERNAL_ROUTINE,QUIESCE_CONNECT ON DATABASE TO serviceuser

  • For Sybase:

    1. Create login using the following query:

      sp_addlogin serviceuser, password

    2. Create a user using the following query:

      sp_adduser serviceuser

    3. Assign the following permissions and roles to the created user using the following queries:

      • GRANT ROLE sso_role TO serviceuser

      • GRANT ROLE oper_role TO serviceuser

2.2 Installation

The following topics provide details on installing the Database User Management Connector:

2.2.1 Understanding the Installation of the Connector

You can run the connector code either locally in Oracle Identity Manager or remotely in a Connector Server.

Depending on where you want to run the connector code (bundle), the connector provides the following installation options:

Note:

  • In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.

  • If you are performing the installation for the second time, then the connector bundle has to be downloaded and the new thirdparty has to be added.

  • For Oracle Identity Manager hosted on a Microsoft Windows computer, if you have a previously installed connector, then you must extract the connector bundle again before installing a new connector.

  • Database drivers are not needed as they are already loaded for Oracle Identity Manager operations. However, if you want to use the connector with previous versions of database (such as Oracle 9i), then you must use a remote connector server.

2.2.2 Installing the Connector in Oracle Identity Manager

In this scenario, you install the connector in Oracle Identity Manager using the Connector Installer.

Note:

In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.

To run the Connector Installer:

  1. Copy the contents of the connector installation media directory into the following directory:

    OIM_HOME/server/ConnectorDefaultDirectory

  2. Copy the third-party JAR files for the target systems into the ConnectorDefaultDirectory/targetsystems-lib/DBUM-11.1.1.6.0 directory.

    Note:

    If the target is Oracle database, then no driver jar is needed. For other target systems, the following third party jar has to be copied:

    • For MSSQL, copy sqljdbc4.jar.

    • For MySQL, copy mysql-connector-java-5.1.20-bin.jar.

    • For DB2, copy db2jcc.jar.

    • For Sybase, copy jconn4.jar.

  3. If you are using Oracle Identity Manager release 11.1.1.x:

    1. Log in to the Administrative and User Console.

    2. On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Manage Connector.

  4. If you are using Oracle Identity Manager release 11.1.2.x or later:

    1. Log in to Oracle Identity System Administration.

    2. In the left pane, under System Management, click Manage Connector.

  5. In the Manage Connector page, click Install.

  6. The Connector List displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory in Step 1.

    You can select one of the following options:

    • For Oracle: Oracle DB User Management 11.1.1.8.0

    • For MSSQL: MSSQL DB User Management 11.1.1.8.0

    • For MySQL: MySQL DB User Management 11.1.1.8.0

    • For DB2: DB2 DB User Management 11.1.1.8.0

    • For Sybase: Sybase DB User Management 11.1.1.8.0

    If you have copied the installation files into a different directory, then:

    1. In the Alternative Directory field, enter the full path and name of that directory.

    2. To repopulate the list of connectors in the Connector List options, click Refresh.

    3. From the Connector List options, select:

    • For Oracle: Oracle DB User Management 11.1.1.8.0

    • For MSSQL: MSSQL DB User Management 11.1.1.8.0

    • For MySQL: MySQL DB User Management 11.1.1.8.0

    • For DB2: DB2 DB User Management 11.1.1.8.0

    • For Sybase: Sybase DB User Management 11.1.1.8.0

  7. Click Load.

  8. To start the installation process, click Continue.

    The following tasks are performed in sequence:

    1. Configuration of connector libraries

    2. Import of the connector XML files (by using the Deployment Manager)

    3. Compilation of tasks

    On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:

    • Retry the installation by clicking Retry.

    • Cancel the installation and begin again from Step 1.

  9. If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:

    1. Ensuring that the prerequisites for using the connector are addressed

      Note:

      At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Clearing Content Related to the Connector Resource Bundles from the Server Cache for information about running the PurgeCache utility.

      There are no prerequisites for some predefined connectors.

    2. Configuring an IT resource for the connector

      Record the name of the IT resource displayed on this page. See Configuring the IT Resource for the Target System for the IT Resource details.

    3. Configuring the scheduled jobs that are created when you installed the connector

      Record the names of the scheduled jobs displayed on this page. See Configuring Scheduled Jobs for Oracle Database for a sample procedure to configure these scheduled jobs. There are similar sections for other databases in this guide.

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-1.

2.2.3 Deploying the Connector Bundle in a Connector Server

You can deploy the Database User Management connector either locally in Oracle Identity Manager or remotely in the Connector Server. A connector server is an application that enables remote execution of an Identity Connector, such as the DBUM connector.

Note:

This procedure can be divided into the following stages:

2.2.3.1 Installing and Configuring the Connector Server

Connector servers are available in two implementations:

  • As a .Net implementation that is used by Identity Connectors implemented in .Net

  • As a Java Connector Server implementation that is used by Java-based Identity Connectors

The DBUM connector is implemented in Java, so you can deploy this connector to a Java Connector Server.

Use the following steps to install and configure the Java Connector Server:

Note:

Before you deploy the Java Connector Server, ensure that you install the JDK or JRE on the same computer where you are installing the Java Connector Server and that your JAVA_HOME or JRE_HOME environment variable points to this installation.

  1. Create a new directory on the computer where you want to install the Java Connector Server.

    Note:

    In this guide, CONNECTOR_SERVER_HOME represents this directory.

  2. Unzip the Java Connector Server package in the new directory created in Step 1. You can download the Java Connector Server package from the Oracle Technology Network.
  3. Open the ConnectorServer.properties file located in the conf directory. In the ConnectorServer.properties file, set the following properties, as required by your deployment.
    Property Description

    connectorserver.port

    Port on which the Java Connector Server listens for requests. Default is 8763.

    connectorserver.bundleDir

    Directory where the connector bundles are deployed. Default is bundles.

    connectorserver.libDir

    Directory in which to place dependent libraries. Default is lib.

    connectorserver.usessl

    If set to true, the Java Connector Server uses SSL for secure communication. Default is false.

    If you specify true, use the following options on the command line when you start the Java Connector Server:

    • -Djavax.net.ssl.keyStore

    • -Djavax.net.ssl.keyStoreType (optional)

    • -Djavax.net.ssl.keyStorePassword

    connectorserver.ifaddress

    Bind address. To set this property, uncomment it in the file (if necessary). The bind address can be useful if there are more NICs installed on the computer.

    connectorserver.key

    Java Connector Server key.

  4. Set the properties in the ConnectorServer.properties file, as follows:
    • To set the connectorserver.key, run the Java Connector Server with the /setKey option.

      Note:

      For more information, see Running the Connector Server.

    • For all other properties, edit the ConnectorServer.properties file manually.

  5. The conf directory also contains the logging.properties file, which you can edit if required by your deployment.

Note:

Oracle Identity Manager has no built-in support for connector servers, so you cannot test your configuration.
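
A check for the ConnectorServer.properties settings described above, as an added example that is not part of the Oracle guide or the connector server distribution. Property names and defaults are the ones in the table above; the severity labels, function names and sample file contents are constructed for illustration.

```python
"""Audit a Java Connector Server ConnectorServer.properties file (added example)."""

# Defaults as stated in the property table of this guide.
DEFAULTS = {
    "connectorserver.port": "8763",
    "connectorserver.bundleDir": "bundles",
    "connectorserver.libDir": "lib",
    "connectorserver.usessl": "false",
}
# JVM options the guide requires on the command line when usessl=true.
REQUIRED_SSL_OPTIONS = ("javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword")


def parse_properties(text):
    """Parse key=value / key:value lines, '#' and '!' comments and
    backslash line continuations. Unicode escapes are left undecoded."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:  # sentinel flushes a trailing continuation
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        sep = next((i for i, ch in enumerate(line) if ch in "=:"), len(line))
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def audit(props, java_options=()):
    """Return (severity, setting, message) findings for parsed properties.

    java_options is the list of options used to start the server, for example
    ['-J-Djavax.net.ssl.keyStore=mykeystore.jks', ...]. Severity labels are
    this example's own (assumption), not Oracle's.
    """
    eff = {**DEFAULTS, **props}
    findings = []
    if eff["connectorserver.usessl"].lower() != "true":
        findings.append(("HIGH", "connectorserver.usessl",
                         "SSL is off, which is the default; set it to true"))
    else:
        for opt in REQUIRED_SSL_OPTIONS:
            if not any(f"-D{opt}=" in arg for arg in java_options):
                findings.append(("HIGH", opt,
                                 "usessl=true but this option is not on the command line"))
    if not props.get("connectorserver.key"):
        findings.append(("HIGH", "connectorserver.key",
                         "no key stored; run the server with the /setKey option"))
    if not props.get("connectorserver.ifaddress"):
        findings.append(("MEDIUM", "connectorserver.ifaddress",
                         "bind address not set; on a multi-NIC host pin the listener to one interface"))
    port = eff["connectorserver.port"]
    if not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(("HIGH", "connectorserver.port", f"invalid port {port!r}"))
    return findings


# Constructed sample: a file left at the defaults listed in the table.
SAMPLE_DEFAULT = """\
# constructed sample, not taken from a real deployment
connectorserver.port=8763
connectorserver.bundleDir=bundles
connectorserver.libDir=lib
connectorserver.usessl=false
#connectorserver.ifaddress=localhost
connectorserver.key=<hashed-key-placeholder>
"""

# Constructed sample: SSL on and the listener bound to one address.
SAMPLE_HARDENED = """\
connectorserver.port=8763
connectorserver.usessl=true
connectorserver.ifaddress=192.0.2.10
connectorserver.key=<hashed-key-placeholder>
"""

# Start-up options in the form shown in the guide's /run example.
SAMPLE_JAVA_OPTIONS = [
    "-J-Djavax.net.ssl.keyStore=mykeystore.jks",
    "-J-Djavax.net.ssl.keyStorePassword=password",
]

if __name__ == "__main__":
    for label, text, opts in (("default", SAMPLE_DEFAULT, []),
                              ("hardened", SAMPLE_HARDENED, SAMPLE_JAVA_OPTIONS)):
        print(label)
        for severity, setting, message in audit(parse_properties(text), opts):
            print(f"  [{severity}] {setting}: {message}")
```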

2.2.3.2 Running the Connector Server

To run the Java Connector Server, use the ConnectorServer.bat script for Windows and use the ConnectorServer.sh script for UNIX as follows:

  1. Make sure that you have set the properties required by your deployment in the ConnectorServer.properties file, as described in Installing and Configuring the Connector Server.
  2. Change to the CONNECTOR_SERVER_HOME\bin directory and find the ConnectorServer.bat script.

    The ConnectorServer.bat supports the following options:

    Option Description

    /install [serviceName] ["-J java-option"]

    Installs the Java Connector Server as a Windows service.

    Optionally, you can specify a service name and Java options. If you do not specify a service name, the default name is ConnectorServerJava.

    /run ["-J java-option"]

    Runs the Java Connector Server from the console.

    Optionally, you can specify Java options. For example, to run the Java Connector Server with SSL:

    ConnectorServer.bat /run "-J-Djavax.net.ssl.keyStore=mykeystore.jks" "-J-Djavax.net.ssl.keyStorePassword=password"

    /setKey [key]

    Sets the Java Connector Server key. The ConnectorServer.bat script stores the hashed value of the key in the connectorserver.key property in the ConnectorServer.properties file.

    /uninstall [serviceName]

    Uninstalls the Java Connector Server. If you do not specify a service name, the script uninstalls the ConnectorServerJava service.

  3. If you need to stop the Java Connector Server, stop the respective Windows service.

2.2.3.3 Installing the Connector on the Connector Server

See Also:

Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about installing and configuring connector server and running the connector server

If you need to deploy the DBUM into the Java Connector Server, then follow these steps:

  1. Stop the Java Connector Server.

    Note:

    You can download the necessary Java Connector Server from the Oracle Technology Network web page.

  2. Copy the DBUM connector bundle into the Java Connector Server CONNECTOR_SERVER_HOME\bundles directory.

  3. Copy the DBUM third party libraries to the CONNECTOR_SERVER_HOME\lib directory.

    If multiple versions of the same connector are present, then third party has to be bundled within the connector bundle jar. To do so:

    1. Create temporary/lib folder and drop third party jars in it.

    2. Update the bundle with the third party jar:

      jar -uvf org.identityconnectors.dbum-1.0.1116.jar lib/JAR_NAME

    3. Remove temporary/lib folder.

    4. Start the Connector Server.

    Note:

    If there are multiple versions of the same connector bundle, then the third-party JAR should go into the bundle instead of the CONNECTOR_SERVER_HOME/lib directory.

  4. Start the Java Connector Server.

2.3 Postinstallation

Postinstallation steps are divided across the following sections:

2.3.1 Postinstallation on Oracle Identity Manager

This section discusses the following topics:

2.3.1.1 Configuring the Target System As a Trusted Source

Note:

You can skip this section if you do not want to designate the target system as a trusted source for reconciliation.

You can designate the target system as a trusted source or target resource. If you designate the target system as a trusted source, then during a reconciliation run:

  • For each newly created user on the target system, an OIM User is created.

  • Updates made to each user on the target system are propagated to the corresponding OIM User.

To configure trusted source reconciliation, create and configure a new IT resource.

See Also:

Configuring the IT Resource for the Target System for more information about configuring the IT resource for the target system

  1. Create a new IT resource:
    • For Oracle: Oracle DB Trusted of type Oracle DBUM

    • For MSSQL: MSSQL DB Trusted of type MSSQL DBUM

    • For MySQL: MSSQL DB Trusted of type MSSQL DBUM

    • For DB2: DB2 DB Trusted of type DB2 DBUM

    • For Sybase: Sybase DB Trusted of type Sybase DBUM

  2. In the Configuration Lookup, update the trusted configuration lookup name to:
    • For Oracle: Lookup.DBUM.Oracle.Configuration.Trusted

    • For MSSQL: Lookup.DBUM.MSSQL.Configuration.Trusted

    • For MySQL: Lookup.DBUM.MySQL.Configuration.Trusted

    • For DB2: Lookup.DBUM.DB2.Configuration.Trusted

    • For Sybase: Lookup.DBUM.Sybase.Configuration.Trusted

2.3.1.2 Changing to the Required Input Locale

Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.

You may require the assistance of the system administrator to change to the required input locale.

2.3.1.3 Clearing Content Related to the Connector Resource Bundles from the Server Cache

Note:

In an Oracle Identity Manager cluster, you must perform these steps on each node of the cluster. Then, restart each node.

When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the Oracle Identity Manager database. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

  1. In a command window, switch to the OIM_HOME/server/bin directory.

    Note:

    You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:

    OIM_HOME/server/bin/SCRIPT_FILE_NAME
    
  2. Enter one of the following commands:

    Note:

    You can use the PurgeCache utility to purge the cache for any content category. Run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the content category that must be purged.

    For example, the following commands purge Metadata entries from the server cache:

    PurgeCache.bat MetaData

    PurgeCache.sh MetaData

    On Microsoft Windows: PurgeCache.bat All

    On UNIX: PurgeCache.sh All

    When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:

    t3://OIM_HOST_NAME:OIM_PORT_NUMBER
    

    In this format:

    • Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.

    • Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.

2.3.1.4 Creating the Administrator Account on Oracle Database Vault

Note:

Perform the procedure described in this section only if you have Oracle Database Vault installed and you want to configure the connector for provisioning and reconciling authorization to Oracle Database Vault realms.

You must create an administrator account on Oracle Database Vault. This account is used by the connector for performing reconciliation and provisioning operations on Oracle Database Vault realms.

To create the administrator account on Oracle Database Vault:

  1. Log in to Oracle Database Vault as a user with the DV_ACCTMGR privilege.
  2. Create the administrator account by running the following command:
    CREATE USER USERNAME IDENTIFIED BY PASSWORD;
    
  3. Log out and then log in as a user with the DV_OWNER privilege.
  4. Grant access to Oracle Database Vault and Data Dictionary realms by running the following commands:
    exec DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM('Database Vault Account Management','USERNAME','Enabled',1)
    exec DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM('Oracle Data Dictionary','USERNAME','Enabled',1)
    
  5. Grant the DV_ADMIN and DV_SECANALYST privileges.
  6. Log in as a user with the DV_ACCTMGR privilege.
  7. Grant the DV_SECANALYST privilege.
  8. Log in as SYS and grant the following privileges (run the command):
    GRANT GRANT ANY OBJECT PRIVILEGE,
          GRANT ANY PRIVILEGE,
          GRANT ANY ROLE,
          UNLIMITED TABLESPACE
    TO USERNAME WITH ADMIN OPTION;
    

2.3.1.5 Setting up the Lookup Definition for Connection Pooling

By default, this connector uses the ICF connection pooling. Table 2-2 lists the connection pooling properties, their description, and default values set in ICF:

Table 2-2 Connection Pooling Properties

Property Description

Pool Max Idle

Maximum number of idle objects in a pool.

Default value: 10

Pool Max Size

Maximum number of connections that the pool can create.

Default value: 10

Pool Max Wait

Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation.

Default value: 150000

Pool Min Evict Idle Time

Minimum time, in milliseconds, the connector must wait before evicting an idle object.

Default value: 120000

Pool Min Idle

Minimum number of idle objects in a pool.

Default value: 1

If you want to modify the connection pooling properties to use values that suit requirements in your environment, then:

  1. Log in to the Design Console.
  2. Expand Administration, and then double-click Lookup Definition.
  3. Search for and open the configuration lookup definition for the target system you are using.

    For example, open Lookup.DBUM.Oracle.Configuration for Oracle Database.

  4. On the Lookup Code Information tab, click Add.

    A new row is added.

  5. In the Code Key column of the new row, enter Pool Max Idle.
  6. In the Decode column of the new row, enter a value corresponding to the Pool Max Idle property.
  7. Repeat Steps 4 through 6 for adding each of the connection pooling properties listed in Table 2-2.
  8. Click the save icon.

2.3.1.6 Managing Logging for Oracle Identity Manager

Oracle Identity Manager uses the Oracle Diagnostic Logging (ODL) logging service for recording all types of events pertaining to the connector.

The following topics provide detailed information about logging:

2.3.1.6.1 Understanding Log Levels

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations.

ODL is the principal logging service used by Oracle Identity Manager and is based on java.util.logging. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

  • SEVERE.intValue()+100

    This level enables logging of information about fatal errors.

  • SEVERE

    This level enables logging of information about errors that might allow Oracle Identity Manager to continue running.

  • WARNING

    This level enables logging of information about potentially harmful situations.

  • INFO

    This level enables logging of messages that highlight the progress of the application.

  • CONFIG

    This level enables logging of information about fine-grained events that are useful for debugging.

  • FINE, FINER, FINEST

    These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These message types are mapped to ODL message type and level combinations as shown in Table 2-3.

Table 2-3 Log Levels and ODL Message Type:Level Combinations

Java Level | ODL Message Type:Level

SEVERE.intValue()+100 | INCIDENT_ERROR:1

SEVERE | ERROR:1

WARNING | WARNING:1

INFO | NOTIFICATION:1

CONFIG | NOTIFICATION:16

FINE | TRACE:1

FINER | TRACE:16

FINEST | TRACE:32

The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Manager.

2.3.1.6.2 Enabling Logging

To enable logging in Oracle WebLogic Server:

  1. Edit the logging.xml file as follows:

    1. Add the following blocks in the file:

      <log_handler name='db-um-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
        <property name='logreader:' value='off'/>
        <property name='path' value='[FILE_NAME]'/>
        <property name='format' value='ODL-Text'/>
        <property name='useThreadName' value='true'/>
        <property name='locale' value='en'/>
        <property name='maxFileSize' value='5242880'/>
        <property name='maxLogSize' value='52428800'/>
        <property name='encoding' value='UTF-8'/>
      </log_handler>

      <logger name="ORG.IDENTITYCONNECTORS.DBUM" level="[LOG_LEVEL]" useParentHandlers="false">
        <handler name="db-um-handler"/>
        <handler name="console-handler"/>
      </logger>
      
    2. Replace all occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 2-3 lists the supported message type and level combinations.

      Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.

      The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME] :

      <log_handler name='db-um-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
        <property name='logreader:' value='off'/>
        <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/>
        <property name='format' value='ODL-Text'/>
        <property name='useThreadName' value='true'/>
        <property name='locale' value='en'/>
        <property name='maxFileSize' value='5242880'/>
        <property name='maxLogSize' value='52428800'/>
        <property name='encoding' value='UTF-8'/>
      </log_handler>

      <logger name="oracle.iam.connectors.icfcommon" level="NOTIFICATION:1" useParentHandlers="false">
        <handler name="db-um-handler"/>
      </logger>
      <logger name="ORG.IDENTITYCONNECTORS.DBUM" level="NOTIFICATION:1" useParentHandlers="false">
        <handler name="db-um-handler"/>
      </logger>
      

    With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.

  2. Save and close the file.

  3. Restart the application server.
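
A consistency check to run over the edited logging.xml before restarting, as an added example that is not part of the Oracle guide. It assumes a handler discards messages more verbose than its own level (as in java.util.logging); the sample documents, their root element and the log path are constructed, and the function and problem-code names are hypothetical.

```python
"""Check the DBUM logger and handler entries in logging.xml (added example)."""
import xml.etree.ElementTree as ET

# Table 2-3 of this guide, ordered from least to most verbose.
ODL_LEVELS = [
    ("SEVERE.intValue()+100", "INCIDENT_ERROR:1"),
    ("SEVERE", "ERROR:1"),
    ("WARNING", "WARNING:1"),
    ("INFO", "NOTIFICATION:1"),
    ("CONFIG", "NOTIFICATION:16"),
    ("FINE", "TRACE:1"),
    ("FINER", "TRACE:16"),
    ("FINEST", "TRACE:32"),
]
RANK = {odl: i for i, (_, odl) in enumerate(ODL_LEVELS)}


def _check_handler(name, handler, logger_level):
    """Problems with one <log_handler> as seen from a logger at logger_level."""
    problems = []
    hlevel = handler.get("level")
    if hlevel not in RANK:
        # Also catches a [LOG_LEVEL] placeholder that was never replaced.
        problems.append(("bad-level", f"handler {name} level {hlevel!r}"))
    elif logger_level in RANK and RANK[hlevel] < RANK[logger_level]:
        # Assumption: the handler drops anything more verbose than its level.
        problems.append(("handler-filters",
                         f"handler {name} at {hlevel} hides {logger_level} messages"))
    props = {p.get("name"): p.get("value") for p in handler.findall("property")}
    path = props.get("path")
    if not path:
        problems.append(("no-path", name))
    elif "[FILE_NAME]" in path:
        problems.append(("placeholder-path", path))
    return problems


def check_logging_xml(xml_text, logger_name="ORG.IDENTITYCONNECTORS.DBUM"):
    """Return a list of (code, detail) problems for the named logger."""
    root = ET.fromstring(xml_text)
    handlers = {h.get("name"): h for h in root.iter("log_handler")}
    loggers = [lg for lg in root.iter("logger") if lg.get("name") == logger_name]
    problems = []
    if not loggers:
        problems.append(("no-logger", logger_name))
    for lg in loggers:
        level = lg.get("level")
        if level not in RANK:
            problems.append(("bad-level", f"logger level {level!r}"))
        refs = [h.get("name") for h in lg.findall("handler")]
        if not refs:
            problems.append(("no-handler", logger_name))
        for ref in refs:
            handler = handlers.get(ref)
            if handler is None:
                problems.append(("undefined-handler", ref))
            else:
                problems.extend(_check_handler(ref, handler, level))
    return problems


# Constructed sample: placeholder path left in, handler less verbose than the
# logger, and a handler reference that this document does not define.
SAMPLE_BROKEN = """\
<logging_configuration>
  <log_handler name='db-um-handler' level='WARNING:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
    <property name='path' value='[FILE_NAME]'/>
    <property name='format' value='ODL-Text'/>
  </log_handler>
  <logger name="ORG.IDENTITYCONNECTORS.DBUM" level="TRACE:32" useParentHandlers="false">
    <handler name="db-um-handler"/>
    <handler name="console-handler"/>
  </logger>
</logging_configuration>
"""

# Constructed sample with the three problems corrected.
SAMPLE_FIXED = """\
<logging_configuration>
  <log_handler name='db-um-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
    <property name='path' value='/u01/logs/dbum-connector.log'/>
    <property name='format' value='ODL-Text'/>
  </log_handler>
  <logger name="ORG.IDENTITYCONNECTORS.DBUM" level="NOTIFICATION:1" useParentHandlers="false">
    <handler name="db-um-handler"/>
  </logger>
</logging_configuration>
"""

if __name__ == "__main__":
    for label, doc in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, check_logging_xml(doc))
```

Run it against the complete logging.xml rather than only the added blocks, so that handlers defined elsewhere in the file, such as console-handler, are resolved.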

2.3.1.7 Configuring Oracle Identity Manager Release 11.1.2 or Later

You must create a UI form and an application instance for the resource against which you want to perform reconciliation and provisioning operations. In addition, you must run the entitlement and catalog synchronization jobs.

The following topics describe the procedures to configure Oracle Identity Manager:

2.3.1.7.1 Creating and Activating a Sandbox

You must create and activate a sandbox to begin using the customization and form management features. You can then publish the sandbox to make the customizations available to other users.

See Creating a Sandbox and Activating and Deactivating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

2.3.1.7.2 Creating a New UI Form

You can use Form Designer in Oracle Identity System Administration to create and manage application instance forms. See Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Manager.

While creating the UI form, ensure that you select the resource object corresponding to the Concur connector that you want to associate the form with. In addition, select the Generate Entitlement Forms check box.

2.3.1.7.3 Creating an Application Instance

Create an application instance as follows:

  1. In the left pane, under Configuration, click Application Instances. The Application Instances page is displayed.
  2. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Application Instance page is displayed.
  3. Specify values for the following fields:
    • Name: The name of the application instance.

    • Display Name: The display name of the application instance.

    • Description: A description of the application instance.

    • Resource Object: The resource object name. Depending on the target system that you are using, click the search icon next to this Resource Object field to search for and select one of the following:

      For Oracle Database: Oracle DB User

      For MSSQL: MSSQL DB User Login or MSSQL DB User

      For MySQL: MySQL DB User

      For DB2: DB2 DB User

      For Sybase: Sybase DB User

    • IT Resource Instance: The IT resource instance name. Depending on the target system that you are using, click the search icon next to this IT Resource Instance field to search for and select one of the following:

      For Oracle Database: Oracle DB

      For MSSQL: MSSQL DB

      For MySQL: MySQL DB

      For DB2: DB2

      For Sybase: Sybase DB

    • Form: Select the form name (created in Step 3).

  4. Click Save. The application instance is created.
  5. Publish the application instance to an organization to make the application instance available for requesting and subsequent provisioning to users. See Managing Organizations Associated With Application Instances in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed instructions.

Note:

See Creating Application Instances in Oracle Fusion Middleware Administering Oracle Identity Manager.

2.3.1.7.4 Publishing a Sandbox

Before publishing a sandbox, perform the following procedure as a best practice to validate all sandbox changes made up to this stage, because it is difficult to revert the changes after a sandbox is published:

  1. In Identity System Administration, deactivate the sandbox.
  2. Log out of Identity System Administration.
  3. Log in to Identity Self Service using the xelsysadm user credentials and then activate the sandbox that you deactivated in Step 1.
  4. In the Catalog, ensure that the application instance form for your resource appears with correct fields.
  5. Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

2.3.1.7.5 Harvesting Entitlements and Sync Catalog

You can populate the Entitlement schema from the child process form table, and harvest roles, application instances, and entitlements into the catalog. You can also load catalog metadata.

To harvest entitlements and sync catalog:

  1. Depending on the target system that you are using, run the scheduled jobs for lookup field synchronization as follows:

    For Oracle Database: Run the scheduled jobs listed in Scheduled Jobs for Lookup Field Synchronization for Oracle Database.

    For MSSQL: Run the scheduled jobs listed in Scheduled Jobs for Lookup Field Synchronization for MSSQL.

    For MySQL: Run the scheduled jobs listed in Scheduled Job for Lookup Field Synchronization for MySQL.

    For DB2: Run the scheduled jobs listed in Scheduled Jobs for Lookup Field Synchronization for DB2.

    For Sybase: Run the scheduled jobs listed in Scheduled Jobs for Lookup Field Synchronization for Sybase.

    For a JDBC-Based Database: Run the scheduled jobs listed in Configuring Scheduled Jobs for Lookup Field Synchronization.

  2. Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table. See Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about this scheduled job.
  3. Run the Catalog Synchronization Job scheduled job. See Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about this scheduled job.

2.3.1.7.6 Updating an Existing Application Instance with a New Form

For any changes that you make in the Form Designer, you must create a new UI form and update the application instance with those changes.

To update an existing application instance with a new form:

  1. Create and activate a sandbox. See Creating a Sandbox and Activating and Deactivating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
  2. Create a new UI form for the resource. See Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Manager.
  3. Open the existing application instance.
  4. In the Form field, select the new UI form that you created.
  5. Save the application instance.
  6. Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

2.3.1.8 Localizing Field Labels in UI Forms for the Connector

Note:

Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.2.x or later and you want to localize UI form field labels.

To localize a field label that you add to UI forms:

  1. Log in to Oracle Enterprise Manager.

  2. In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.

  3. In the right pane, from the Application Deployment list, select MDS Configuration.

  4. On the MDS Configuration page, click Export and save the archive to the local computer.

  5. Extract the contents of the archive, and open the following file in a text editor:

    SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf

  6. Edit the BizEditorBundle.xlf file in the following manner:

    1. Search for the following text:

      <file source-language="en"  
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      
    2. Replace with the following text:

      <file source-language="en" target-language="LANG_CODE"
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      

      In this text, replace LANG_CODE with the code of the language to which you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:

      <file source-language="en" target-language="ja"
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">
      
    3. Search for the application instance code. This procedure shows a sample edit for Oracle Database application instance. The original code is:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_DB_ORA_U_USERNAME__c_description']}">
      <source>Username</source>
      <target/>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.OracleDBForm.entity.OracleDBForm.UD_DB_ORA_U_USERNAME__c_LABEL">
      <source>Username</source>
      <target/>
      </trans-unit>
      
    4. Open the resource file from the connector package, for example DB-UM_ja.properties, and get the value of the attribute from the file, for example, global.udf.UD_DB_ORA_U_USERNAME=\u30E6\u30FC\u30B6\u30FC\u540D.

    5. Replace the original code shown in Step 6.b with the following:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_DB_ORA_U_USERNAME__c_description']}">
      <source>Username</source>
      <target>\u30E6\u30FC\u30B6\u30FC\u540D</target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.OracleDBForm.entity.OracleDBForm.UD_DB_ORA_U_USERNAME__c_LABEL">
      <source>Username</source>
      <target>\u30E6\u30FC\u30B6\u30FC\u540D</target>
      </trans-unit>
      
    6. Repeat Steps 6.a through 6.d for all attributes of the process form.

    7. Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.

      Sample file name: BizEditorBundle_ja.xlf.

  7. Repackage the ZIP file and import it into MDS.

    See Also:

    Deploying and Undeploying Customizations in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for more information about exporting and importing metadata files

  8. Log out of and log in to Oracle Identity Manager.
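The edits in Step 6 are mechanical and have to be repeated for every process form attribute, so they are a natural candidate for scripting. The following is an added example, not part of Oracle's documentation or tooling: it sets target-language, copies each global.udf value from the resource bundle into the matching trans-unit targets exactly as written (escape sequences included, as in the sample above), and reports units that have no translation. The xliff and body wrapper elements, the UD_DB_ORA_U_EXAMPLE unit, and all function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

UDF_KEY = re.compile(r"^global\.udf\.(UD_[A-Z0-9_]+)$")
UNIT_COLUMN = re.compile(r"\.(UD_[A-Z0-9_]+?)__c_(?:description|LABEL)")
LANG_CODE = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]+)*")

# Constructed sample: the two trans-units from Step 6 plus one hypothetical
# unit (UD_DB_ORA_U_EXAMPLE) that has no entry in the resource bundle.
SAMPLE_XLF = """<xliff version="1.1">
<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
<body>
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_DB_ORA_U_USERNAME__c_description']}">
<source>Username</source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.OracleDBForm.entity.OracleDBForm.UD_DB_ORA_U_USERNAME__c_LABEL">
<source>Username</source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.OracleDBForm.entity.OracleDBForm.UD_DB_ORA_U_EXAMPLE__c_LABEL">
<source>Example</source>
<target/>
</trans-unit>
</body>
</file>
</xliff>"""

# Constructed excerpt of DB-UM_ja.properties, using the value quoted in Step 6.
SAMPLE_PROPERTIES = r"""# constructed excerpt
global.udf.UD_DB_ORA_U_USERNAME=\u30E6\u30FC\u30B6\u30FC\u540D
"""


def load_udf_labels(properties_text):
    """Map process form column name -> label text, kept verbatim."""
    labels = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        match = UDF_KEY.match(key.strip())
        if sep and match:
            labels[match.group(1)] = value.strip()
    return labels


def _local(tag):
    """Strip an XML namespace prefix of the form {uri} from a tag name."""
    return tag.rsplit("}", 1)[-1]


def localize_bundle(xlf_text, properties_text, lang_code):
    """Return (output file name, localized XLIFF text, filled ids, missing ids)."""
    if not LANG_CODE.fullmatch(lang_code):
        raise ValueError("unexpected language code: %r" % lang_code)
    labels = load_udf_labels(properties_text)
    root = ET.fromstring(xlf_text)
    if root.tag.startswith("{"):  # keep a default namespace unprefixed on output
        ET.register_namespace("", root.tag[1:].split("}")[0])
    filled, missing = [], []
    for elem in list(root.iter()):
        name = _local(elem.tag)
        if name == "file":
            elem.set("target-language", lang_code)
        elif name == "trans-unit":
            unit_id = elem.get("id", "")
            match = UNIT_COLUMN.search(unit_id)
            if match is None:
                continue  # not a process form attribute
            if match.group(1) not in labels:
                missing.append(unit_id)
                continue
            target = next((c for c in elem if _local(c.tag) == "target"), None)
            if target is None:
                prefix = elem.tag[: len(elem.tag) - len("trans-unit")]
                target = ET.SubElement(elem, prefix + "target")
            target.text = labels[match.group(1)]
            filled.append(unit_id)
    return ("BizEditorBundle_%s.xlf" % lang_code,
            ET.tostring(root, encoding="unicode"), filled, missing)


if __name__ == "__main__":
    name, text, filled, missing = localize_bundle(SAMPLE_XLF, SAMPLE_PROPERTIES, "ja")
    print(name, "filled:", len(filled), "missing:", missing)
```

Review the reported missing ids before importing the archive into MDS; each one is a label that stays untranslated.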

2.3.2 Configuring the IT Resource for the Target System

Note:

You must specify values for the parameters of the IT resource as follows:

  1. If you are using Oracle Identity Manager release 11.1.1.x:

    1. Log in to the Administrative and User Console.

    2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

    3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.

  2. If you are using Oracle Identity Manager release 11.1.2.x or later:

    1. Log in to Oracle Identity System Administration.

    2. Create and activate a sandbox. For detailed instructions on creating and activating a sandbox, see Managing Sandboxes in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

    3. In the left pane, under Configuration, click IT Resource.

  3. In the IT Resource Name field on the Manage IT Resource page, enter the name of one of the following IT resources, and then click Search. For example:

    • For Oracle: Oracle DB

    • For MSSQL: MSSQL DB

    • For MySQL: MySQL DB

    • For DB2: DB2

    • For Sybase: Sybase DB

  4. Click the edit icon for the IT resource.

  5. From the list at the top of the page, select Details and Parameters.

  6. Specify values for the parameters of the IT resource. Table 2-4 describes each parameter.

    Table 2-4 IT Resource Parameters

    Parameter Description

    Configuration Lookup

    This parameter holds the name of the lookup definition that stores configuration information for connector operations.

    If you have configured your target system as a target resource, then enter one of the following values:

    • For Oracle: Lookup.DBUM.Oracle.Configuration

    • For MSSQL: Lookup.DBUM.MSSQL.Configuration

    • For MySQL: Lookup.DBUM.MySQL.Configuration

    • For DB2: Lookup.DBUM.DB2.Configuration

    • For Sybase: Lookup.DBUM.Sybase.Configuration

    If you have configured your target system as a trusted source, then enter one of the following values:

    • For Oracle: Lookup.DBUM.Oracle.Configuration.Trusted

    • For MSSQL: Lookup.DBUM.MSSQL.Configuration.Trusted

    • For MySQL: Lookup.DBUM.MySQL.Configuration.Trusted

    • For DB2: Lookup.DBUM.DB2.Configuration.Trusted

    • For Sybase, create a new IT resource such as Lookup.DBUM.Sybase.Configuration.Trusted

    Connector Server Name

    Specify the name of the connector server IT resource.

    Sample value: DBUM Connector Server

    Connection Properties

    Specify the connection properties for the target system database.

    Database Name

    This parameter specifies the database name for the SQL server.

    Sample value: Master

    DB Type

    This field identifies the database type (such as Oracle and MSSQL) and is used for loading the respective scripts.

    Sample value: Oracle

    JDBC Driver

    Depending on the target system that you are using, enter one of the following values as the JDBC driver class name:

    • For Oracle: oracle.jdbc.driver.OracleDriver

    • For MSSQL: microsoft.sqlserver.jdbc.SQLServerDriver

    • For MySQL: com.mysql.jdbc.Driver

    • For DB2: com.ibm.db2.jcc.DB2Driver

    • For Sybase: com.sybase.jdbc4.jdbc.SybDriver

    JDBC URL

    Specify the JDBC URL for the target system database.

    Sample Value:

    • For Oracle: jdbc:oracle:thin:@host:port:sid

      If you are using Oracle 12c PDB Mode, specify jdbc:oracle:thin:@//host:port/servicename as the JDBC URL.

    • For MSSQL: jdbc:sqlserver://host:port

    • For MySQL: jdbc:mysql://host:port/database

    • For DB2: jdbc:db2://server:port/databaseName

    • For Sybase: jdbc:sybase:Tds:host:port/database

    Login Password

    Enter the password for the user name of the target system account to be used for connector operations.

    Note: If you are configuring the connector for Oracle Database Vault, then you must enter the password and the user name of the account that you had created in Creating the Administrator Account on Oracle Database Vault.

    Login User

    Enter the user name of the target system account to be used for connector operations.

    For Oracle: sys as sysdba

    For MSSQL: sa

    For MySQL: root

    For DB2: db2admin

    For Sybase: sa

    Note:

    • If you are configuring the connector for Oracle Database Vault, then you must enter the user name of the account that you had created in Creating the Administrator Account on Oracle Database Vault.

    • The MySQL user must have all the privileges on all the schemas.

      To grant these privileges, open the MySQL workbench, click Administration and Users and Privileges. Then, click Schema Privileges, enter * (the star wild card), and select all the privileges. Save the updates.

  7. To save the values, click Update.

2.3.3 Configuring the Connector to Support Multiple Versions of the Target System

You might want to configure the connector for different versions of the target system simultaneously. For example, you can use the connector to perform provisioning operations on SQL Server 2005, SQL Server 2008, and SQL Server 2012 simultaneously. The following example illustrates this requirement:

The London, New York, and Toronto offices of Example Multinational Inc. have their own installations of the target system. The London office has a SQL Server 2005 installation, the New York office has a SQL Server 2008 installation, and the Toronto office has a SQL Server 2012 installation. You have to provision resources on all the installations of DBUM simultaneously.

To meet the requirement posed by such a scenario:

You can configure different versions of the connector bundle to simultaneously provision resources on the different versions of the target system. The connector uses a class loading mechanism, which toggles between the different versions of the installation. You only need to place the target system-specific JAR files on the computer that hosts Oracle Identity Manager. SQL Server 2005 and 2012 need sqljdbc.jar, and SQL Server 2008 needs sqljdbc4.jar. Because these are different versions of the third-party libraries, you need to create a separate version of the connector bundle for each.

To configure the connector to support multiple versions of the target system:

  1. From the connector package, copy the bundle JAR file to a temporary directory.

    Sample JAR file: bundle/org.identityconnectors.dbum-1.0.1116.jar

    Sample temporary directory: c:\temp

  2. Run the following command to extract the manifest file, META-INF/MANIFEST.MF, from the JAR file:

    jar -xvf org.identityconnectors.dbum-1.0.1116.jar
    

    Note:

    You can also run the WinZip or WinRAR utility to extract the contents from the JAR file.

  3. Delete the bundle JAR file in the temporary directory.

  4. Update the value of ConnectorBundle-Version in the manifest file to a new value.

    For example:

    ConnectorBundle-Version: 1.1.1118

  5. Copy the target-specific driver JAR, sqljdbc4.jar or ojdbc6.jar, from the DBUM_HOME/web/sqljdbc4.jar directory or from the DBUM_HOME/web/ojdbc6.jar directory to the lib folder of the extracted bundle JAR.

  6. Create a new bundle JAR file that contains the updated manifest file as follows:

    1. Open the command prompt and navigate to the temporary directory:

      c:\temp

    2. Run the following command:

      jar -cvfm org.identityconnectors.dbumintfc-1.0.1118.jar META-INF/MANIFEST.MF *
      

    The new connector bundle JAR name contains the new bundle version.

  7. In the case of a remote connector server, copy the new bundle JAR file to the bundles directory of the remote connector server instead of posting the JAR file to the Oracle Identity Manager database. Therefore, skip Step 8.

  8. Run the Oracle Identity Manager Upload JARs utility to post the JAR file created in Step 5 to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:

    Note:

    Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.

    For Microsoft Windows:

    OIM_HOME/server/bin/UploadJars.bat

    For UNIX:

    OIM_HOME/server/bin/UploadJars.sh

    When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Select ICFBundle as the JAR type.

    See Also:

    Migrating JARs and Resource Bundle in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for detailed information about the Upload JARs utility

  9. Create a copy of the configuration lookup, for example, Lookup.DBUM.Oracle.UM.Configuration or Lookup.DBUM.MSSQL.UM.Configuration.

    Ensure you update the new lookup with the bundle version.

  10. Create a new DBUM IT resource definition for the new bundle. Map the Configuration Lookup parameter of the new IT resource to the user configuration lookup, such as Lookup.DBUM.Oracle.UM.Configuration and Lookup.DBUM.MSSQL.UM.Configuration.

    The new IT resource will use the new bundle and the corresponding third-party libraries without affecting the previous installations.

  11. Repeat the preceding procedure for the other versions of the target system, SQL Server 2008 and SQL Server 2012.
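The repackaging steps above (extract, change ConnectorBundle-Version, add the driver to lib, rebuild) put a third-party JAR inside a bundle that Oracle Identity Manager will load, so it is worth checking the driver before it goes in. The following is an added example, not Oracle's tooling: it performs those steps with Python's zipfile module in place of the jar commands, and refuses to bundle a driver whose SHA-256 does not match a digest you supply. The pinned-digest check, the function names, and the constructed sample bundle are assumptions; the versions and file names are the samples from this section.

```python
import hashlib
import io
import re
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
VERSION_LINE = re.compile(r"^(ConnectorBundle-Version:[ \t]*)(\S+)", re.MULTILINE)


def bundle_version(jar_bytes):
    """Return the ConnectorBundle-Version stored in a bundle JAR's manifest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read(MANIFEST).decode("utf-8")
    match = VERSION_LINE.search(manifest)
    if match is None:
        raise ValueError("manifest has no ConnectorBundle-Version attribute")
    return match.group(2)


def repackage_bundle(jar_bytes, new_version, driver_name, driver_bytes, expected_sha256):
    """Rebuild the bundle with a new version and lib/<driver_name>.

    The driver is added only if its SHA-256 equals expected_sha256, a digest
    obtained out of band for the vendor's JAR. Returns the new JAR as bytes.
    """
    if not re.fullmatch(r"[A-Za-z0-9._-]+\.jar", driver_name):
        raise ValueError("driver_name must be a bare .jar file name")
    if not re.fullmatch(r"\d+(\.\d+)*", new_version):
        raise ValueError("version must be dot-separated numbers")
    if new_version == bundle_version(jar_bytes):
        raise ValueError("new version must differ from the current bundle version")
    actual = hashlib.sha256(driver_bytes).hexdigest()
    if actual != expected_sha256.lower():
        raise ValueError("driver digest mismatch: " + actual)

    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        manifest = src.read(MANIFEST).decode("utf-8")
        manifest = VERSION_LINE.sub(lambda m: m.group(1) + new_version, manifest, count=1)
        dst.writestr(MANIFEST, manifest)  # manifest goes first in the archive
        replaced = {MANIFEST, "lib/" + driver_name}
        for info in src.infolist():
            if info.filename not in replaced:  # copy everything else unchanged
                dst.writestr(info, src.read(info.filename))
        dst.writestr("lib/" + driver_name, driver_bytes)
    return out.getvalue()


def build_sample_bundle():
    """Constructed stand-in for bundle/org.identityconnectors.dbum-1.0.1116.jar."""
    manifest = ("Manifest-Version: 1.0\r\n"
                "ConnectorBundle-Name: org.identityconnectors.dbum\r\n"
                "ConnectorBundle-Version: 1.0.1116\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, manifest)
        jar.writestr("org/identityconnectors/dbum/Placeholder.class", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    driver = b"constructed bytes standing in for sqljdbc4.jar"
    pinned = hashlib.sha256(driver).hexdigest()  # in practice: the digest you trust
    new_jar = repackage_bundle(build_sample_bundle(), "1.1.1118",
                               "sqljdbc4.jar", driver, pinned)
    with zipfile.ZipFile(io.BytesIO(new_jar)) as jar:
        print(bundle_version(new_jar), jar.namelist())
```

Keeping the digest of each bundled driver alongside the bundle version makes it possible to tell later which driver build a given IT resource is actually loading.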

2.3.4 Configuring the IT Resource for the Connector Server

Note:

This procedure is optional and is required only when the Connector Server is being used.

To configure or modify the IT resource for the Connector Server:

  1. If you are using Oracle Identity Manager release 11.1.1.x:

    1. Log in to the Oracle Identity Manager Administrative and User Console.

    2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.

    3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.

  2. If you are using Oracle Identity Manager release 11.1.2.x or later:

    1. Log in to Oracle Identity System Administration.

    2. Create and activate a sandbox. For detailed instructions on creating and activating a sandbox, see Managing Sandboxes in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

    3. In the left pane, under Configuration, click IT Resource.

  3. In the IT Resource Name field on the Manage IT Resource page, enter DBUM Connector Server and then click Search. Figure 2-1 shows the Manage IT Resource page.

    Figure 2-1 Manage IT Resource Page for Connector Server IT Resource

  4. Click the edit icon corresponding to the Connector Server IT resource.

  5. From the list at the top of the page, select Details and Parameters.

  6. Specify values for the parameters of the Connector Server IT resource. Figure 2-2 shows the Edit IT Resource Details and Parameters page.

    Figure 2-2 Edit IT Resource Details and Parameters Page for the Connector Server IT Resource


    Table 2-5 provides information about the parameters of the IT resource.

    Table 2-5 Parameters of the IT Resource for the DBUM Connector Server

    Parameter Description

    Host

    Enter the host name or IP address of the computer hosting the Connector Server.

    Sample value: HostName

    Key

    Enter the key for the Connector Server.

    Port

    Enter the number of the port at which the Connector Server is listening.

    Default value: 8763

    Timeout

    Enter an integer value which specifies the number of milliseconds after which the connection between the Connector Server and Oracle Identity Manager times out.

    If the value is zero or if no value is specified, the timeout is unlimited.

    Sample value: 0 (recommended value)

    UseSSL

    Enter true to specify that you will configure SSL between Oracle Identity Manager and the Connector Server. Otherwise, enter false.

    Default value: false

    See Also: Configuring Secure Communication Between Oracle Database and Oracle Identity Manager and Configuring Secure Communication Between MSSQL and Oracle Identity Manager for information about enabling SSL.

  7. To save the values, click Update.

2.3.5 Enabling Logging for Connector Server

When you enable logging, the connector server stores in a log file information about events that occur during the course of provisioning and reconciliation operations for different statuses. By default, the connector server logs are set at the INFO level, and you can change this level to one of the following:

  • Error

    This level enables logging of information about errors that might allow connector server to continue running.

  • WARNING

    This level enables logging of information about potentially harmful situations.

  • INFO

    This level enables logging of messages that highlight the progress of the operation.

  • FINE, FINER, FINEST

    These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

To enable the logging information for the connector server:

  1. Go to CONNECTOR_SERVER_HOME/Conf.
  2. Open the logging.properties file.
  3. Edit the following entry:

    .level=INFO

  4. Save and close the file.
  5. Restart the connector server.

2.4 Upgrading the Connector

If you have already deployed an earlier release of this connector, then upgrade the connector to the current release 11.1.1.6.0.

Note:

Before you perform the upgrade procedure:

  • It is strongly recommended that you create a backup of the Oracle Identity Manager database. Refer to the database documentation for information about creating a backup.

  • As a best practice, perform the upgrade procedure in a test environment initially.

See Also:

Upgrading Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information on these steps

The following sections discuss the procedure to upgrade the connector:

2.4.1 Preupgrade Steps

Perform the following preupgrade steps:

  1. Perform a reconciliation run to fetch all latest updates to Oracle Identity Manager.
  2. Define the source connector (an earlier release of the connector that must be upgraded) in Oracle Identity Manager. You define the source connector to update the Deployment Manager XML file with all customization changes made to the connector.
  3. If required, create the connector XML file for a clone of the source connector.
  4. Disable all the scheduled jobs.

2.4.2 Upgrade Steps

The following is the summary of the procedure to upgrade the connector:

  1. Depending on the environment in which you are upgrading the connector, perform one of the following steps:
    • Staging Environment

      Perform the upgrade procedure by using the wizard mode.

      Note:

      Do not upgrade the IT resource type definition. In order to retain the default setting, you must map the IT resource definition to "None".

    • Production Environment

      Perform the upgrade procedure by using the silent mode.

2.4.3 Postupgrade Steps

Perform the following procedure:

  1. Upload the new connector JARs as follows:

    1. Use $ORACLE_HOME/bin/UploadJars.sh utility for uploading connector jars.

    2. Upload bundle/org.identityconnectors.dbum-1.0.1116.jar as ICFBundle.

      Note:

      If you have to add a third-party JAR:

      • Navigate to the bundle directory.

      • Create a /lib folder and place the third-party JAR in that folder.

      • Update the bundle with the library by running "jar uvf org.identityconnectors.dbum-1.0.1116.jar lib/FILE_NAME".

    3. Upload lib/DBUM-oim-integration.jar as JavaTask.

  2. Run the Form Version Control (FVC) utility to manage data changes on a form after an upgrade operation. To do so:

    1. In a text editor, open the fvc.properties file located in the OIM_DC_HOME directory and include the following entries:

      For Oracle User:

      ResourceObject;Oracle DB User
      FormName;UD_DB_ORA_U
      FromVersion;Version 0
      ToVersion;v_22
      ParentParent;UD_DB_ORA_U_USERNAME;UD_DB_ORA_U_RET_ID
      

      For MSSQL UserLogin:

      ResourceObject;MSSQL DB User Login
      FormName;UD_DB_SQL_L
      FromVersion;Version 0
      ToVersion;v_11.1.1.1.8.0
      ParentParent;UD_DB_SQL_L_LOGIN;UD_DB_SQL_L_REFID
      

      For MSSQL User:

      ResourceObject;MSSQL DB User
      FormName;UD_DB_SQL_U
      FromVersion;Version 7
      ToVersion;v_11.1.1.1.8.0
      ParentParent;UD_DB_SQL_U_USERNAME;UD_DB_SQL_U_REFID
      

      For MySQL User:

      ResourceObject;MySQL DB User
      FormName;UD_DB_MYS_U
      FromVersion;6
      ToVersion;1
      ParentParent;UD_DB_MYS_U_USER_NAME;UD_DB_MYS_U_RET_ID
      

      For DB2 User:

      ResourceObject;DB2 DB User
      FormName;UD_DB_DB2_U
      FromVersion;8
      ToVersion;10
      ParentParent;UD_DB_DB2_U_USERNAME;UD_DB_DB2_U_RET_ID
      

      For Sybase User:

      ResourceObject;Sybase DB User
      FormName;UD_DB_SYB_U
      FromVersion;8
      ToVersion;10
      ParentParent;UD_DB_SYB_U_USERNAME;UD_DB_SYB_U_RETURN_ID
      

      For Sybase UserLogin:

      ResourceObject;Sybase DB User Login
      FormName;UD_DB_SYB_L
      FromVersion;5
      ToVersion;10
      ParentParent;UD_DB_SYB_L_LOGIN;UD_DB_SYB_L_RET_ID
      
    2. Run the FVC utility. This utility is copied into the following directory when you install the design console:

      For Microsoft Windows:

      OIM_DC_HOME/fvcutil.bat

      For UNIX:

      OIM_DC_HOME/fvcutil.sh

      When you run this utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, and the logger level and log file location.

  3. Run the PostUpgradeScript.sql script as follows:

    1. Connect to the Oracle Identity Manager database by using the OIM User credentials.

    2. Run the PostUpgradeScript:

      For Oracle: PostUpgradeScriptOracleDBUM.sql

      For MSSQL: PostUpgradeScriptMSSQLDBUM.sql

      For MySQL: PostUpgradeScriptMySQLDBUM.sql

      For DB2: PostUpgradeScriptDB2DBUM.sql

      For Sybase: PostUpgradeScriptSybaseDBUM.sql

    This script will upgrade the IT resource only for the required database. For example, after upgrading the connector, you can upgrade the IT resource only for the MSSQL database by running PostUpgradeScriptMSSQLDBUM.sql. The script will not upgrade the IT resource for the Oracle database.

  4. If you are using Oracle Identity Manager release 11.1.2.x or later, then all changes made to the Form Designer of the Design Console must be done in a new UI form as follows:

    1. Log in to Oracle Identity System Administration.

    2. Create and activate a sandbox. For more information, see step 2 of Configuring Oracle Identity Manager Release 11.1.2 or Later.

    3. Create a new UI form to view the upgraded fields. See step 3 of Configuring Oracle Identity Manager Release 11.1.2 or Later for more information about creating a UI form.

    4. Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in step 2.c) and then save the application instance.

    5. Publish the sandbox. See step 5 of Configuring Oracle Identity Manager Release 11.1.2 or Later for more information.

  5. Configure the upgraded IT resource of the source connector. See Configuring the IT Resource for the Target System for information about configuring the IT resource.

  6. Deploy the Connector Server. See Installing and Configuring the Connector Server and Installing the Connector on the Connector Server for more information.

  7. Configure the latest token value of the scheduled job as follows:

    The following scheduled jobs contain the Latest Token attribute:

    For Oracle:

    • DBUM Oracle User Target Reconciliation

    • DBUM Oracle User Trusted Reconciliation

    For MSSQL:

    • DBUM MSSQL Trusted Reconciliation

    • DBUM MSSQL User Login Target Reconciliation

    • DBUM MSSQL User Target Reconciliation

    After upgrading the connector, you can perform either full reconciliation or incremental reconciliation. This ensures that records created or modified since the last reconciliation run (the one that you performed in Preupgrade Steps) are fetched into Oracle Identity Manager. From the next reconciliation run onward, the reconciliation engine automatically enters a value for the Latest Token attribute.

    See Reconciliation from Oracle Database and Reconciliation from MSSQL for more information about performing full or incremental reconciliation for Oracle and MSSQL databases respectively.

    Note:

    If the query files contain customizations, for example to include custom parameters or to transform or validate data during reconciliation or provisioning, then you must apply the same customizations to the respective query files after upgrading the connector.

2.5 Postcloning Steps

You can clone the connector by setting new names for some of the objects that comprise the connector. The outcome of the process is a new connector XML file. Most of the connector objects, such as Resource Object, Process Definition, Process Form, IT Resource Type Definition, IT Resource Instances, Lookup Definitions, Adapters, Reconciliation Rules and so on in the new connector XML file have new names.

See Also:

Cloning Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about cloning connectors and the steps mentioned in this section

This section contains the following topics:

2.5.1 Connector Objects

After a copy of the connector is created by setting new names for connector objects, some objects might contain the details of the old connector objects. Therefore, you must modify the following Oracle Identity Manager objects to replace the base connector artifacts or attribute references with the corresponding cloned artifacts or attributes:

  • IT Resource

    The cloned connector has its own set of IT resources. You must configure both the cloned connector IT resources and Connector Server IT resources, and provide the reference of the cloned Connector Server IT Resource in the cloned connector IT resource. Ensure you use the configuration lookup definition of the cloned connector.

  • Scheduled Job

    The values of the Resource Object Name and IT Resource scheduled job attributes in the cloned connector refer to the values of the base connector. Therefore, you must replace these values with the corresponding cloned connector artifacts.

  • Lookup Definition

    No change is required to be made in any of the cloned lookup definitions. All cloned lookup definitions contain proper lookup entries.

  • Process Tasks

    After cloning, all event handlers attached to the process tasks are the cloned ones. Therefore, no changes are required for process tasks in parent forms. This is because the adapter mappings for all process tasks related to parent forms are updated with cloned artifacts.

  • Localization Properties

    You must update the resource bundle of a user locale with new names of the process form attributes for proper translations after cloning the connector. You can modify the properties file of your locale in the resources directory of the connector bundle.

    For example, the process form (UD_DB_SQL_U) attributes are referenced in the Japanese properties file, DB-UM_ja.properties, as global.udf.UD_DB_SQL_U_USERNAME. During cloning, if you change the process form name from UD_DB_SQLCLONED_U to global.udf.UD_DB_SQLCLONED_U_USERNAME, then you must add the process form attributes to global.udf.UD_DB_SQL_U_USERNAME.
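The following sketch is an added illustration, not Oracle's code or part of the connector. It copies every global.udf.<base form>_* entry in a locale bundle to the cloned process form name and skips keys that already exist. The function name and the sample bundle contents (including the label values) are constructed; the form names are the ones used in the example above.

```python
import re

# Constructed excerpt of a locale bundle; label values are made up.
SAMPLE = """\
# DB-UM_ja.properties (constructed excerpt)
global.udf.UD_DB_SQL_U_USERNAME=\\u30E6\\u30FC\\u30B6\\u30FC\\u540D
global.udf.UD_DB_SQL_U_PASSWORD = \\u30D1\\u30B9\\u30EF\\u30FC\\u30C9
global.udf.UD_DB_SQL_R_ROLE=\\u30ED\\u30FC\\u30EB
global.udf.UD_DB_SQLCLONED_U_PASSWORD=already-present
"""

# key, separator (= or :), value. Lines starting with # or ! are comments.
# Multi-line values (trailing backslash) are not handled in this sketch.
ENTRY = re.compile(r"^\s*([^\s#!=:][^\s=:]*)\s*[=:]\s*(.*)$")


def clone_form_labels(text, base_form, cloned_form):
    """Return (new_text, added_lines) with base-form labels copied to the clone."""
    base_prefix = f"global.udf.{base_form}_"
    cloned_prefix = f"global.udf.{cloned_form}_"

    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))

    existing = {key for key, _ in entries}
    added = []
    for key, value in entries:
        # The trailing underscore in the prefix keeps child forms such as
        # UD_DB_SQL_R and unrelated forms out of the copy.
        if not key.startswith(base_prefix):
            continue
        new_key = cloned_prefix + key[len(base_prefix):]
        if new_key not in existing:  # never overwrite a label already set
            added.append(f"{new_key}={value}")
            existing.add(new_key)

    if text and not text.endswith("\n"):
        text += "\n"
    return text + "".join(line + "\n" for line in added), added


if __name__ == "__main__":
    _, new_lines = clone_form_labels(SAMPLE, "UD_DB_SQL_U", "UD_DB_SQLCLONED_U")
    print("\n".join(new_lines))
```

The \uXXXX escapes are copied as text, so the bundle's encoding is left unchanged.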

2.5.2 Postcloning Configuration for User Accounts

You must perform the postcloning steps to change the literal values.

This configuration change is related to a child form. When you add a role, privilege, tablespace or schema to an account, perform the following steps:

  1. Log in to the Oracle Identity Manager Design Console.
  2. Expand Process Management, and then double-click Process Definition.
  3. Depending on the target system being used, search for and open one of the following cloned process definitions:
    • For Oracle: Oracle DB User

    • For MSSQL: MSSQL DB User

    • For MySQL: My SQL DB User

    • For DB2: DB2 DB User

    • For Sybase: Sybase DB User Login

  4. If you are using Oracle Database as the target system, then double-click the Add Role or Grant Process task.

    The Editing Task: Add Role or Grant Process dialog box is displayed.

  5. On the Integration tab, in the table in the Adapter Variables region, click the processInstanceKey variable, and then click Map.
  6. In the Edit Data Mapping For Variable dialog box, create the following mapping:

    - Variable Name: processInstanceKey

    - Data Type: Long

    - Map To: Response Code

    - Qualifier: Process Instance

  7. Click the Save icon and close the dialog box.
  8. Perform Steps 5 through 7 for the remaining variables listed in the Adapter Variables region. Table 2-6 lists values that you must select from the Data Type, Map To, Qualifier, and Literal Value lists for each variable.

    Table 2-6 Mappings for DBUM Oracle Event Handler/Adapter

    | Variable Name | Data Type | Map To | Qualifier | Literal Value |
    |---|---|---|---|---|
    | Adapter return value | Object | Response Code | NA | NA |
    | objectType | String | Literal | String | User |
    | itResourceName [Cloned IT Resource Name] | String | Literal | String | UD_DB_ORA_U_ITRES1 |
    | childTableName [Cloned Child Form] | String | Literal | String | UD_DB_ORA_R1 |

    Note:

    Open the childTableName mapping and change the Literal value to the new value (the cloned value).

  9. Click the Save icon on the Process Definition form.
  10. Repeat Steps 4 through 9 to update Revoke Role and Role Updated process tasks.
  11. If you are using Oracle Database or My SQL as the target system, repeat Steps 4 through 9 for the Add Privilege or Grant, Update Privilege, and Revoke Privilege process tasks.
  12. If you are using Sybase or MSSQL as the target system, repeat Steps 4 through 9 for the Add Role, Role Updated, and Revoke Role process tasks (these target systems support only roles).
  13. If you are using DB2 as the target system, repeat Steps 4 through 9 for the Add Tablespace, Tablespace Updated, Delete Tablespace, Add Schema, Schema Updated, and Delete Schema process tasks (this target system supports tablespaces and schemas).

    Note:

    After completing the postcloning steps, you must create a new application instance and UI form for the cloned DBUM connector, as you would for any DBUM connector setup.