Preinstallation information is divided across the following sections:
Table 2-1 describes the files and directories on the installation media.
Table 2-1 Files and Directories on the Installation Media
File in the Installation Media Directory | Description |
---|---|
File in the bundle directory: org.identityconnectors.dbum-1.0.1116.jar | This file contains connector code, SQL queries, and stored procedures that are used for provisioning and reconciliation. |
Files in the configuration directory: DBUM-Oracle-CI.xml, DBUM-MSSQL-CI.xml, DBUM-MySQL-CI.xml, DBUM-DB2-CI.xml, DBUM-Sybase-CI.xml | This directory contains the configuration files that are used by the Connector Installer during installation of the connector for a particular target system. |
Files in the javadoc directory | This directory contains information about the Java APIs used by the connector. |
File in the lib directory: DBUM-oim-integration.jar | This JAR file contains the class files that are used during reconciliation and provisioning operations. During connector installation, this file is copied to the Oracle Identity Manager database. |
Files in the resources directory | Each of these resource bundles contains language-specific information that is used by the connector. During connector deployment, this file is copied to the Oracle Identity Manager database location. Note: A resource bundle is a file containing localized versions of the text strings that include GUI element labels and messages. |
Files in the test directory: config\oracleconfig.properties, config\mssqlconfig.properties, config\mysqlconfig.properties, config\db2config.properties, config\sybaseconfig.properties, lib\DBUMTest.jar, scripts\DBUMProvisioningTester.bat, scripts\DBUMProvisioningTester.sh, thirdparty (folder) | This directory contains the files for testing the connector. |
Files in the upgrade directory: PostUpgradeScriptOracleDBUM.sql, PostUpgradeScriptMSSQLDBUM.sql, PostUpgradeScriptMySQLDBUM.sql, PostUpgradeScriptDB2DBUM.sql, PostUpgradeScriptSybaseDBUM.sql | This directory contains the scripts for performing the post-upgrade operations. |
Files in the xml directory: DBUserManagement-Oracle-ConnectorConfig.xml, DBUserManagement-Oracle-Datasets.xml, DBUserManagement-MSSQL-ConnectorConfig.xml, DBUserManagement-MSSQL-Datasets.xml, DBUserManagement-MySQL-ConnectorConfig.xml, DBUserManagement-MySQL-Datasets.xml, DBUserManagement-DB2-ConnectorConfig.xml, DBUserManagement-DB2-Datasets.xml, DBUserManagement-Sybase-ConnectorConfig.xml, DBUserManagement-Sybase-Datasets.xml. Note: The dataset XML files are applicable only if you are using Oracle Identity Manager release 11.1.1.x. | This directory contains configuration (target and trusted) XML files and dataset XML files specific to the target system. The configuration XML files contain definitions for the various connector objects, such as resource objects and scheduled jobs, whereas the dataset XML files contain datasets for the request-based operations. |
If you are using Microsoft SQL Server, then verify the preinstallation requirements by performing the following steps before deploying the connector:
The target database in which users are to be created exists in the target Microsoft SQL Server installation.
The TCP/IP port is enabled. The default port is 1433.
To enable the TCP/IP port:
Open the Microsoft SQL Server Configuration Manager.
Click SQL Server Network Configuration.
Click Protocols for MSSQLSERVER.
In the right frame, right-click TCP/IP and then click Enable.
The TCP/IP port is not the only port enabled. Ports other than the TCP/IP port must also be enabled.
Mixed mode authentication is enabled.
The TCP/IP port is not blocked by a firewall.
Oracle Identity Manager requires a target system user account to access the target system during reconciliation and provisioning operations. You provide the credentials of this user account while performing the procedure described in Configuring the IT Resource for the Target System.
To create a target system user account for connector operations, depending on the target system you are using, create a user in your target system and assign the mentioned permissions and roles to the user.
See Also:
Target system documentation for detailed information about creating the user
For MSSQL:
Create Login using the following query:
CREATE LOGIN serviceuser WITH PASSWORD='password', DEFAULT_DATABASE=DBname;
GO
Create a user using the following query:
USE DBname;
CREATE USER serviceuser FOR LOGIN serviceuser;
GO
Assign the following permissions and roles to the created user:
ALTER ROLE db_datawriter ADD MEMBER serviceuser;
ALTER ROLE db_datareader ADD MEMBER serviceuser;
ALTER ROLE db_accessadmin ADD MEMBER serviceuser;
ALTER ROLE db_owner ADD MEMBER serviceuser;
exec sp_addsrvrolemember 'serviceuser', 'securityadmin';
For Oracle Database:
Create Login using the following query:
CREATE USER serviceuser IDENTIFIED BY password DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp QUOTA UNLIMITED ON users;
Assign the following permissions and roles to the created user:
GRANT CONNECT TO serviceuser;
GRANT SELECT on dba_role_privs TO serviceuser;
GRANT SELECT on dba_sys_privs TO serviceuser;
GRANT SELECT on dba_ts_quotas TO serviceuser;
GRANT SELECT on dba_tablespaces TO serviceuser;
GRANT SELECT on dba_users TO serviceuser;
GRANT CREATE USER TO serviceuser;
GRANT ALTER ANY TABLE TO serviceuser;
GRANT GRANT ANY PRIVILEGE TO serviceuser;
GRANT GRANT ANY ROLE TO serviceuser;
GRANT DROP USER TO serviceuser;
GRANT SELECT on dba_roles TO serviceuser;
GRANT SELECT ON dba_profiles TO serviceuser;
GRANT ALTER USER TO serviceuser;
GRANT CREATE ANY TABLE TO serviceuser;
GRANT DROP ANY TABLE TO serviceuser;
GRANT CREATE ANY PROCEDURE TO serviceuser;
REVOKE DROP ANY PROCEDURE FROM serviceuser;
For MySQL:
Create a user using the following query:
CREATE USER serviceuser IDENTIFIED BY 'password';
Assign the following permissions and roles to the created user using the following query:
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER ON *.* TO 'serviceuser';
For DB2:
Create a User 'serviceuser' at the OS level.
Assign the following permissions and roles to the created user:
GRANT SELECT on TABLE syscat.schemata TO serviceuser
GRANT SELECT on TABLE syscat.tablespaces TO serviceuser
GRANT CREATEIN,DROPIN,ALTERIN ON SCHEMA 'SCHEMA_NAME' TO serviceuser
GRANT CONNECT,BINDADD,DBADM,CREATETAB,CREATE_NOT_FENCED_ROUTINE,IMPLICIT_SCHEMA,LOAD,CREATE_EXTERNAL_ROUTINE,QUIESCE_CONNECT ON DATABASE TO serviceuser
For Sybase:
Create login using the following query:
sp_addlogin serviceuser, password
Create a user using the following query:
sp_adduser serviceuser
Assign the following permissions and roles to the created user using the following queries:
GRANT ROLE sso_role TO serviceuser
GRANT ROLE oper_role TO serviceuser
The following topics provide details on installing the Database User Management Connector:
You can run the connector code either locally in Oracle Identity Manager or remotely in a Connector Server.
Depending on where you want to run the connector code (bundle), the connector provides the following installation options:
To run the connector code locally in Oracle Identity Manager, perform the procedure described in Installing the Connector in Oracle Identity Manager.
To run the connector code remotely in a Connector Server, perform the procedures described in Installing the Connector in Oracle Identity Manager and Deploying the Connector Bundle in a Connector Server.
Note:
In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.
If you are performing the installation for the second time, then the connector bundle has to be downloaded and the new third-party JAR files have to be added.
For Oracle Identity Manager hosted on a Microsoft Windows computer, if you have a previously installed connector, then you must extract the connector bundle again before installing a new connector.
Database drivers are not needed as they are already loaded for Oracle Identity Manager operations. However, if you want to use the connector with earlier versions of the database (such as Oracle 9i), then you must use a remote connector server.
In this scenario, you install the connector in Oracle Identity Manager using the Connector Installer.
Note:
In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Oracle Identity Manager Administrative and User Console.
To run the Connector Installer:
Copy the contents of the connector installation media directory into the following directory:
OIM_HOME/server/ConnectorDefaultDirectory
Copy the third-party JARs for the target systems to the ConnectorDefaultDirectory/targetsystems-lib/DBUM-11.1.1.6.0 directory.
Note:
If the target is Oracle Database, then no driver JAR is needed. For other target systems, the following third-party JAR has to be copied:
For MSSQL, copy sqljdbc4.jar.
For MySQL, copy mysql-connector-java-5.1.20-bin.jar.
For DB2, copy db2jcc.jar.
For Sybase, copy jconn4.jar.
If you are using Oracle Identity Manager release 11.1.1.x:
Log in to the Administrative and User Console.
On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Manage Connector.
If you are using Oracle Identity Manager release 11.1.2.x or later:
Log in to Oracle Identity System Administration.
In the left pane, under System Management, click Manage Connector.
In the Manage Connector page, click Install.
The Connector List displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory in Step 1.
You can select one of the following options:
For Oracle: Oracle DB User Management 11.1.1.8.0
For MSSQL: MSSQL DB User Management 11.1.1.8.0
For MySQL: MySQL DB User Management 11.1.1.8.0
For DB2: DB2 DB User Management 11.1.1.8.0
For Sybase: Sybase DB User Management 11.1.1.8.0
If you have copied the installation files into a different directory, then:
In the Alternative Directory field, enter the full path and name of that directory.
To repopulate the list of connectors in the Connector List options, click Refresh.
From the Connector List options, select:
For Oracle: Oracle DB User Management 11.1.1.8.0
For MSSQL: MSSQL DB User Management 11.1.1.8.0
For MySQL: MySQL DB User Management 11.1.1.8.0
For DB2: DB2 DB User Management 11.1.1.8.0
For Sybase: Sybase DB User Management 11.1.1.8.0
Click Load.
To start the installation process, click Continue.
The following tasks are performed in sequence:
Configuration of connector libraries
Import of the connector XML files (by using the Deployment Manager)
Compilation of tasks
On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:
Retry the installation by clicking Retry.
Cancel the installation and begin again from Step 1.
If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of the steps that you must perform after the installation is displayed. These steps are as follows:
Ensuring that the prerequisites for using the connector are addressed
Note:
At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Clearing Content Related to the Connector Resource Bundles from the Server Cache for information about running the PurgeCache utility.
There are no prerequisites for some predefined connectors.
Configuring an IT resource for the connector
Record the name of the IT resource displayed on this page. See Configuring the IT Resource for the Target System for the IT Resource details.
Configuring the scheduled jobs that are created when you installed the connector
Record the names of the scheduled jobs displayed on this page. See Configuring Scheduled Jobs for Oracle Database for a sample procedure to configure these scheduled jobs. There are similar sections for other databases in this guide.
When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2-1.
You can deploy the Database User Management connector either locally in Oracle Identity Manager or remotely in the Connector Server. A connector server is an application that enables remote execution of an Identity Connector, such as the DBUM connector.
Note:
To deploy the connector bundle remotely in a Connector Server, you must first deploy the connector in Oracle Identity Manager, as described in Installing the Connector in Oracle Identity Manager.
See Configuring the IT Resource for the Connector Server for related information.
This procedure can be divided into the following stages:
Connector servers are available in two implementations:
As a .Net implementation that is used by Identity Connectors implemented in .Net
As a Java Connector Server implementation that is used by Java-based Identity Connectors
The DBUM connector is implemented in Java, so you can deploy this connector to a Java Connector Server.
Use the following steps to install and configure the Java Connector Server:
Note:
Before you deploy the Java Connector Server, ensure that you install the JDK or JRE on the same computer where you are installing the Java Connector Server and that your JAVA_HOME or JRE_HOME environment variable points to this installation.
Note:
Oracle Identity Manager has no built-in support for connector servers, so you cannot test your configuration.
To run the Java Connector Server, use the ConnectorServer.bat script for Windows and use the ConnectorServer.sh script for UNIX as follows:
See Also:
Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about installing and configuring connector server and running the connector server
If you need to deploy the DBUM into the Java Connector Server, then follow these steps:
Stop the Java Connector Server.
Note:
You can download the necessary Java Connector Server from the Oracle Technology Network web page.
Copy the DBUM connector bundle into the Java Connector Server CONNECTOR_SERVER_HOME\bundles directory.
Copy the DBUM third party libraries to the CONNECTOR_SERVER_HOME\lib directory.
If multiple versions of the same connector are present, then the third-party JARs have to be bundled within the connector bundle JAR. To do so:
Create a temporary/lib folder and place the third-party JARs in it.
Update the bundle with the third party jar:
jar -uvf org.identityconnectors.dbum-1.0.1116.jar lib/JAR_NAME
Remove temporary/lib folder.
Start the Connector Server.
Note:
If there are multiple versions of the same connector bundle, then the third-party JAR should go into the bundle instead of the CONNECTOR_SERVER_HOME/lib directory.
Start the Java Connector Server.
Postinstallation steps are divided across the following sections:
This section discusses the following topics:
Note:
You can skip this section if you do not want to designate the target system as a trusted source for reconciliation.
You can designate the target system as a trusted source or target resource. If you designate the target system as a trusted source, then during a reconciliation run:
For each newly created user on the target system, an OIM User is created.
Updates made to each user on the target system are propagated to the corresponding OIM User.
To configure trusted source reconciliation, create and configure a new IT resource.
See Also:
Configuring the IT Resource for the Target System for more information about configuring the IT resource for the target system
Changing to the required input locale (language and country setting) involves installing the required fonts and setting the required input locale.
You may require the assistance of the system administrator to change to the required input locale.
Note:
In an Oracle Identity Manager cluster, you must perform these steps on each node of the cluster. Then, restart each node.
When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the Oracle Identity Manager database. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
Note:
Perform the procedure described in this section only if you have Oracle Database Vault installed and you want to configure the connector for provisioning and reconciling authorization to Oracle Database Vault realms.
You must create an administrator account on Oracle Database Vault. This account is used by the connector for performing reconciliation and provisioning operations on Oracle Database Vault realms.
To create the administrator account on Oracle Database Vault:
By default, this connector uses the ICF connection pooling. Table 2-2 lists the connection pooling properties, their description, and default values set in ICF:
Table 2-2 Connection Pooling Properties
Property | Description |
---|---|
Pool Max Idle | Maximum number of idle objects in a pool. Default value: |
Pool Max Size | Maximum number of connections that the pool can create. Default value: |
Pool Max Wait | Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation. Default value: |
Pool Min Evict Idle Time | Minimum time, in milliseconds, the connector must wait before evicting an idle object. Default value: |
Pool Min Idle | Minimum number of idle objects in a pool. Default value: |
If you want to modify the connection pooling properties to use values that suit requirements in your environment, then:
Oracle Identity Manager uses the Oracle Diagnostic Logging (ODL) logging service for recording all types of events pertaining to the connector.
The following topics provide detailed information about logging:
When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations.
ODL is the principal logging service used by Oracle Identity Manager and is based on java.util.logging. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
SEVERE.intValue()+100
This level enables logging of information about fatal errors.
SEVERE
This level enables logging of information about errors that might allow Oracle Identity Manager to continue running.
WARNING
This level enables logging of information about potentially harmful situations.
INFO
This level enables logging of messages that highlight the progress of the application.
CONFIG
This level enables logging of information about fine-grained events that are useful for debugging.
FINE, FINER, FINEST
These levels enable logging of information about fine-grained events, where FINEST logs information about all events.
These message types are mapped to ODL message type and level combinations as shown in Table 2-3.
Table 2-3 Log Levels and ODL Message Type:Level Combinations
Java Level | ODL Message Type:Level |
---|---|
SEVERE.intValue()+100 | INCIDENT_ERROR:1 |
SEVERE | ERROR:1 |
WARNING | WARNING:1 |
INFO | NOTIFICATION:1 |
CONFIG | NOTIFICATION:16 |
FINE | TRACE:1 |
FINER | TRACE:16 |
FINEST | TRACE:32 |
The configuration file for OJDL is logging.xml, which is located at the following path:
DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml
Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Manager.
To enable logging in Oracle WebLogic Server:
Edit the logging.xml file as follows:
Add the following blocks in the file:
<log_handler name='db-um-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
  <property name='logreader:' value='off'/>
  <property name='path' value='[FILE_NAME]'/>
  <property name='format' value='ODL-Text'/>
  <property name='useThreadName' value='true'/>
  <property name='locale' value='en'/>
  <property name='maxFileSize' value='5242880'/>
  <property name='maxLogSize' value='52428800'/>
  <property name='encoding' value='UTF-8'/>
</log_handler>
<logger name="ORG.IDENTITYCONNECTORS.DBUM" level="[LOG_LEVEL]" useParentHandlers="false">
  <handler name="db-um-handler"/>
  <handler name="console-handler"/>
</logger>
Replace all occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 2-3 lists the supported message type and level combinations.
Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.
The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME]:
<log_handler name='db-um-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
  <property name='logreader:' value='off'/>
  <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/>
  <property name='format' value='ODL-Text'/>
  <property name='useThreadName' value='true'/>
  <property name='locale' value='en'/>
  <property name='maxFileSize' value='5242880'/>
  <property name='maxLogSize' value='52428800'/>
  <property name='encoding' value='UTF-8'/>
</log_handler>
<logger name="oracle.iam.connectors.icfcommon" level="NOTIFICATION:1" useParentHandlers="false">
  <handler name="db-um-handler"/>
</logger>
<logger name="ORG.IDENTITYCONNECTORS.DBUM" level="NOTIFICATION:1" useParentHandlers="false">
  <handler name="db-um-handler"/>
</logger>
With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.
Save and close the file.
Restart the application server.
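A check to run on the edited logging.xml before the restart, as an added example (not Oracle's code): it confirms that the connector's handler and logger carry a level from Table 2-3, that the [FILE_NAME] placeholder is gone, and that every handler the logger references is defined. The function name, the wrapper elements in the sample, and the sample path are assumptions; both samples are constructed.

```python
import xml.etree.ElementTree as ET

# ODL message type:level combinations listed in Table 2-3.
VALID_LEVELS = {
    "INCIDENT_ERROR:1", "ERROR:1", "WARNING:1", "NOTIFICATION:1",
    "NOTIFICATION:16", "TRACE:1", "TRACE:16", "TRACE:32",
}


def check_dbum_logging(xml_text, handler_name="db-um-handler",
                       logger_name="ORG.IDENTITYCONNECTORS.DBUM"):
    """Return a list of problems with the connector's log handler and logger."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"logging.xml is not well-formed: {exc}"]

    problems = []

    def check_level(kind, name, level):
        # A leftover [LOG_LEVEL] placeholder fails this test as well.
        if level not in VALID_LEVELS:
            problems.append(f"{kind} {name}: level {level!r} is not in Table 2-3")

    defined = {h.get("name"): h for h in root.iter("log_handler")}
    handler = defined.get(handler_name)
    if handler is None:
        problems.append(f"log_handler {handler_name} is not defined")
    else:
        check_level("log_handler", handler_name, handler.get("level"))
        props = {p.get("name"): p.get("value", "") for p in handler.iter("property")}
        if props.get("path", "") in ("", "[FILE_NAME]"):
            problems.append(f"log_handler {handler_name}: path is not set")

    loggers = {lg.get("name"): lg for lg in root.iter("logger")}
    logger = loggers.get(logger_name)
    if logger is None:
        problems.append(f"logger {logger_name} is not defined")
    else:
        check_level("logger", logger_name, logger.get("level"))
        refs = [h.get("name") for h in logger.iter("handler")]
        if handler_name not in refs:
            problems.append(f"logger {logger_name} does not use {handler_name}")
        for ref in refs:
            if ref not in defined:
                problems.append(f"logger {logger_name}: handler {ref} is not defined")
    return problems


# Constructed sample: the blocks from this section with the placeholders left in.
TEMPLATE = r"""<logging_configuration>
 <log_handlers>
  <log_handler name='console-handler'/>
  <log_handler name='db-um-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
   <property name='path' value='[FILE_NAME]'/>
   <property name='format' value='ODL-Text'/>
  </log_handler>
 </log_handlers>
 <loggers>
  <logger name="ORG.IDENTITYCONNECTORS.DBUM" level="[LOG_LEVEL]" useParentHandlers="false">
   <handler name="db-um-handler"/>
   <handler name="console-handler"/>
  </logger>
 </loggers>
</logging_configuration>"""

# Constructed sample: the same blocks with the page's sample level and a made-up path.
EDITED = (TEMPLATE.replace("[LOG_LEVEL]", "NOTIFICATION:1")
          .replace("[FILE_NAME]", "/tmp/dbum-diagnostic.log"))

if __name__ == "__main__":
    for label, text in (("template", TEMPLATE), ("edited", EDITED)):
        print(label, check_dbum_logging(text) or "OK")
```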
You must create a UI form and an application instance for the resource against which you want to perform reconciliation and provisioning operations. In addition, you must run the entitlement and catalog synchronization jobs.
The following topics describe the procedures to configure Oracle Identity Manager:
You must create and activate a sandbox to begin using the customization and form management features. You can then publish the sandbox to make the customizations available to other users.
See Creating a Sandbox and Activating and Deactivating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
You can use Form Designer in Oracle Identity System Administration to create and manage application instance forms. See Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Manager.
While creating the UI form, ensure that you select the resource object corresponding to the Concur connector that you want to associate the form with. In addition, select the Generate Entitlement Forms check box.
Create an application instance as follows:
Note:
Creating Application Instances of Oracle Fusion Middleware Administering Oracle Identity Manager.
Before publishing a sandbox, perform the following procedure as a best practice to validate all sandbox changes made till this stage as it is difficult to revert the changes after a sandbox is published:
You can populate Entitlement schema from child process form table, and harvest roles, application instances, and entitlements into catalog. You can also load catalog metadata.
To harvest entitlements and sync catalog:
For any changes you do in the Form Designer, you must create a new UI form and update the changes in an application instance.
To update an existing application instance with a new form:
Note:
Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.2.x or later and you want to localize UI form field labels.
To localize a field label that you add in UI forms:
Log in to Oracle Enterprise Manager.
In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
In the right pane, from the Application Deployment list, select MDS Configuration.
On the MDS Configuration page, click Export and save the archive to the local computer.
Extract the contents of the archive, and open the following file in a text editor:
SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf
Edit the BizEditorBundle.xlf file in the following manner:
Search for the following text:
<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
Replace with the following text:
<file source-language="en" target-language="LANG_CODE"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">
In this text, replace LANG_CODE with the code of the language to which you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:
<file source-language="en" target-language="ja" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
Search for the application instance code. This procedure shows a sample edit for Oracle Database application instance. The original code is:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_DB_ORA_U_USERNAME__c_description']}">
<source>Username</source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.OracleDBForm.entity.OracleDBForm.UD_DB_ORA_U_USERNAME__c_LABEL">
<source>Username</source>
<target/>
</trans-unit>
Open the resource file from the connector package, for example DB-UM_ja.properties, and get the value of the attribute from the file, for example, global.udf.UD_DB_ORA_U_USERNAME=\u30E6\u30FC\u30B6\u30FC\u540D.
Replace the original code shown in Step 6.b with the following:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_DB_ORA_U_USERNAME__c_description']}">
<source>Username</source>
<target>\u30E6\u30FC\u30B6\u30FC\u540D</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.OracleDBForm.entity.OracleDBForm.UD_DB_ORA_U_USERNAME__c_LABEL">
<source>Username</source>
<target>\u30E6\u30FC\u30B6\u30FC\u540D</target>
</trans-unit>
Repeat Steps 6.a through 6.d for all attributes of the process form.
Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.
Sample file name: BizEditorBundle_ja.xlf.
Repackage the ZIP file and import it into MDS.
See Also:
Deploying and Undeploying Customizations in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for more information about exporting and importing metadata files
Log out of and log in to Oracle Identity Manager.
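The edit to BizEditorBundle.xlf described above, applied to every attribute in one pass, as an added example (not Oracle's tooling): it sets target-language on the file element and fills the target of each trans-unit whose id names a field that has a global.udf. entry in the resource file. The function names, the XLIFF namespace in the sample, and the third trans-unit are assumptions; both inputs are constructed from the fragments shown in this section.

```python
import xml.etree.ElementTree as ET


def load_labels(properties_text, prefix="global.udf."):
    """Map field name -> label from a resource file such as DB-UM_ja.properties."""
    labels = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().startswith(prefix):
            labels[key.strip()[len(prefix):]] = value.strip()
    return labels


def localize_bundle(xlf_text, properties_text, lang_code):
    """Return (file name, XLIFF text, number of trans-units given a target)."""
    labels = load_labels(properties_text)
    root = ET.fromstring(xlf_text)
    # Keep the document's default namespace, if it has one, when serializing.
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns[1:-1])

    updated = 0
    for el in list(root.iter()):
        if el.tag == ns + "file":
            el.set("target-language", lang_code)
        elif el.tag == ns + "trans-unit":
            unit_id = el.get("id", "")
            # The field name appears in the id followed by "__c"
            # (both the description unit and the LABEL unit).
            label = next((v for f, v in labels.items() if f + "__c" in unit_id), None)
            if label is None:
                continue
            target = el.find(ns + "target")
            if target is None:
                target = ET.SubElement(el, ns + "target")
            # The escaped value is copied as is, the way the sample above shows it.
            target.text = label
            updated += 1
    return f"BizEditorBundle_{lang_code}.xlf", ET.tostring(root, encoding="unicode"), updated


# Constructed excerpt of DB-UM_ja.properties (value taken from this section).
SAMPLE_PROPERTIES = r"""# constructed sample
global.udf.UD_DB_ORA_U_USERNAME=\u30E6\u30FC\u30B6\u30FC\u540D
"""

# Constructed excerpt of BizEditorBundle.xlf; the last trans-unit is made up.
SAMPLE_XLF = r"""<xliff version="1.1" xmlns="urn:oasis:names:tc:xliff:document:1.1">
 <file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
  <body>
   <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_DB_ORA_U_USERNAME__c_description']}">
    <source>Username</source><target/>
   </trans-unit>
   <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.OracleDBForm.entity.OracleDBForm.UD_DB_ORA_U_USERNAME__c_LABEL">
    <source>Username</source><target/>
   </trans-unit>
   <trans-unit id="constructed.unrelated.FIELD__c_LABEL">
    <source>Other</source><target/>
   </trans-unit>
  </body>
 </file>
</xliff>"""

if __name__ == "__main__":
    name, text, count = localize_bundle(SAMPLE_XLF, SAMPLE_PROPERTIES, "ja")
    print(name, count)
    print(text)
```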
Note:
Perform the procedure described in this section if you are using a certified database listed in deploying-connector.htm#GUID-1ABFAF93-C729-4768-BC5F-0001938E98D8__BGBDBABG.
For configuring IT resource for trusted source, you must create a new IT resource of the same type definition (such as OracleDBUM and MSSQLDBUM). However, the lookup configuration for trusted source is different. See the following sections for details:
The rest of the procedure is same as described in this section.
You must specify values for the parameters of the IT resource as follows:
If you are using Oracle Identity Manager release 11.1.1.x:
Log in to the Administrative and User Console.
On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
If you are using Oracle Identity Manager release 11.1.2.x or later:
Log in to Oracle Identity System Administration.
Create and activate a sandbox. For detailed instructions on creating and activating a sandbox, see Managing Sandboxes in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
In the left pane, under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter the name of one of the following IT resources, and then click Search. For example:
For Oracle: Oracle DB
For MSSQL: MSSQL DB
For MySQL: MySQL DB
For DB2: DB2
For Sybase: Sybase DB
Click the edit icon for the IT resource.
From the list at the top of the page, select Details and Parameters.
Specify values for the parameters of the IT resource. Table 2-4 describes each parameter.
Table 2-4 IT Resource Parameters
Parameter | Description |
---|---|
Configuration Lookup | This parameter holds the name of the lookup definition that stores configuration information for connector operations. If you have configured your target system as a target resource, then enter one of the following values: If you have configured your target system as a trusted source, then enter one of the following values: |
Connector Server Name | Specify the name of the connector server IT resource. Sample value: |
Connection Properties | Specify the connection properties for the target system database. |
Database Name | This parameter specifies the database name for the SQL server. Sample value: |
DB Type | This field identifies the database type (such as Oracle and MSSQL) and is used for loading the respective scripts. Sample value: |
JDBC Driver | Depending on the target system that you are using, enter one of the following values as the JDBC driver class name: |
JDBC URL | Specify the JDBC URL for the target system database. Sample Value: |
Login Password | Enter the password for the user name of the target system account to be used for connector operations. Note: If you are configuring the connector for Oracle Database Vault, then you must enter the password and the user name of the account that you had created in Creating the Administrator Account on Oracle Database Vault. |
Login User | Enter the user name of the target system account to be used for connector operations. For Oracle: For MSSQL: For MySQL: For DB2: For Sybase: Note: |
To save the values, click Update.
You might want to configure the connector for different versions of the target system simultaneously. For example, you can use the connector to perform provisioning operations on SQL Server 2005, SQL Server 2008, and SQL Server 2012 simultaneously. The following example illustrates this requirement:
The London, New York, and Toronto offices of Example Multinational Inc. have their own installations of the target system. The London office has SQL Server 2005 installation, while the New York office has SQL Server 2008 installation, and the Toronto office has SQL Server 2012 installation. You have to provision resources on all the installations of DBUM simultaneously.
To meet the requirement posed by such a scenario:
You can configure different versions of the connector bundle to simultaneously provision the resources on both the versions of the target system. The connector uses a class loading mechanism, which toggles between the different versions of the installation. You only need to place the target system-specific JAR files on the computer that hosts Oracle Identity Manager. SQL Server 2005 and 2012 need sqljdbc.jar, and SQL Server 2008 needs sqljdbc4.jar. Because these are different versions of the third-party libraries, you need to create a separate version of the connector bundle for each of them.
To configure the connector to support multiple versions of the target system:
From the connector package, copy the bundle JAR file to a temporary directory.
Sample JAR file: bundle/org.identityconnectors.dbum-1.0.1116.jar
Sample temporary directory: c:\temp
Run the following command to extract the manifest file, META-INF/MANIFEST.MF, from the JAR file:
jar -xvf org.identityconnectors.dbum-1.0.1116.jar
Note:
You can also run the WinZip or WinRAR utility to extract the contents from the JAR file.
Delete the bundle JAR file in the temporary directory.
Update the value of ConnectorBundle-Version in the manifest file to a new value.
For example:
ConnectorBundle-Version: 1.1.1118
Copy the target-specific driver, sqljdbc4.jar or ojdbc6.jar, from the DBUM_HOME/web/sqljdbc4.jar directory or from the DBUM_HOME/web/ojdbc6.jar directory to the lib folder of the extracted bundle JAR.
Create a new bundle JAR file that contains the updated manifest file as follows:
Open the command prompt and navigate to the temporary directory:
c:\temp
Run the following command:
jar -cvfm org.identityconnectors.dbumintfc-1.0.1118.jar META-INF/MANIFEST.MF *
The new connector bundle JAR name contains the new bundle version.
In the case of a remote connector server, copy the new bundle JAR file to the bundles directory of the remote connector server instead of posting the JAR file to the Oracle Identity Manager database. Therefore, skip Step 8.
Run the Oracle Identity Manager Upload JARs utility to post the JAR file created in Step 5 to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:
Note:
Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.
For Microsoft Windows:
OIM_HOME/server/bin/UploadJars.bat
For UNIX:
OIM_HOME/server/bin/UploadJars.sh
When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Select ICFBundle as the JAR type.
See Also:
Migrating JARs and Resource Bundle in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for detailed information about the Upload JARs utility
Create a copy of the configuration lookup, for example, Lookup.DBUM.Oracle.UM.Configuration or Lookup.DBUM.MSSQL.UM.Configuration.
Ensure you update the new lookup with the bundle version.
Create a new DBUM IT resource definition for the new bundle. Map the Configuration Lookup parameter of the new IT resource to the user configuration lookup, such as Lookup.DBUM.Oracle.UM.Configuration and Lookup.DBUM.MSSQL.UM.Configuration.
The new IT resource will use the new bundle and the corresponding third-party libraries without affecting the previous installations.
Repeat the preceding procedure for the other versions of the target system, SQL Server 2008 and SQL Server 2012.
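The following Python example is added here and is not part of the connector package or of the procedure above. It compares the original bundle JAR with the rebuilt one before the rebuilt JAR is uploaded, and reports anything that differs other than ConnectorBundle-Version and added lib/*.jar files. The function names and the sample JAR contents are assumptions made for illustration.

```python
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
VERSION_KEY = "ConnectorBundle-Version"

def manifest_attrs(data):
    """Parse the main manifest section, joining continuation lines."""
    main = data.decode("utf-8").replace("\r\n", "\n").split("\n\n")[0]
    pairs = main.replace("\n ", "").splitlines()
    return {k: v for k, _, v in (p.partition(": ") for p in pairs if p)}

def read_bundle(src):
    """Return (file entry names in order, {name: sha256}, manifest attributes)."""
    with zipfile.ZipFile(src) as jar:
        names = [i.filename for i in jar.infolist() if not i.is_dir()]
        hashes = {n: hashlib.sha256(jar.read(n)).hexdigest() for n in names}
        return names, hashes, manifest_attrs(jar.read(MANIFEST))

def review_rebuilt_bundle(original, rebuilt):
    """List every difference beyond the version bump and added lib/*.jar files."""
    _, old, old_attrs = read_bundle(original)
    names, new, new_attrs = read_bundle(rebuilt)
    findings = []
    if names[0] != MANIFEST:  # the jar tool writes the manifest first
        findings.append("manifest is not the first file entry")
    if len(names) != len(set(names)):  # a shadowed entry would escape the hash check
        findings.append("duplicate entry names")
    if new_attrs.get(VERSION_KEY) == old_attrs.get(VERSION_KEY):
        findings.append(VERSION_KEY + " was not changed")
    for key in sorted(set(old_attrs) | set(new_attrs)):
        if key != VERSION_KEY and old_attrs.get(key) != new_attrs.get(key):
            findings.append("manifest attribute changed: " + key)
    for name in sorted((set(old) | set(new)) - {MANIFEST}):
        if name not in new:
            findings.append("entry removed: " + name)
        elif name not in old:
            if not (name.startswith("lib/") and name.endswith(".jar")):
                findings.append("unexpected new entry: " + name)
        elif old[name] != new[name]:
            findings.append("entry content changed: " + name)
    return findings

def build_jar(entries):
    """Constructed sample input: an in-memory JAR from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries:
            jar.writestr(name, data)
    return buf
```

Both arguments of review_rebuilt_bundle can be file paths or open file objects. An empty list means the rebuilt bundle carries the same code as the original.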
Note:
This procedure is optional and is required only when the Connector Server is being used.
To configure or modify the IT resource for the Connector Server:
If you are using Oracle Identity Manager release 11.1.1.x:
Log in to the Oracle Identity Manager Administrative and User Console.
On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
If you are using Oracle Identity Manager release 11.1.2.x or later:
Log in to Oracle Identity System Administration.
Create and activate a sandbox. For detailed instructions on creating and activating a sandbox, see Managing Sandboxes in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
In the left pane, under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter DBUM Connector Server and then click Search. Figure 2-1 shows the Manage IT Resource page.
Figure 2-1 Manage IT Resource Page for Connector Server IT Resource
Click the edit icon corresponding to the Connector Server IT resource.
From the list at the top of the page, select Details and Parameters.
Specify values for the parameters of the Connector Server IT resource. Figure 2-2 shows the Edit IT Resource Details and Parameters page.
Figure 2-2 Edit IT Resource Details and Parameters Page for the Connector Server IT Resource
Table 2-5 provides information about the parameters of the IT resource.
Table 2-5 Parameters of the IT Resource for the DBUM Connector Server
Parameter | Description |
---|---|
Host | Enter the host name or IP address of the computer hosting the Connector Server. Sample value: |
Key | Enter the key for the Connector Server. |
Port | Enter the number of the port at which the Connector Server is listening. Default value: |
Timeout | Enter an integer value which specifies the number of milliseconds after which the connection between the Connector Server and Oracle Identity Manager times out. If the value is zero or if no value is specified, the timeout is unlimited. Sample value: |
UseSSL | Enter Default value: See Also: Configuring Secure Communication Between Oracle Database and Oracle Identity Manager and Configuring Secure Communication Between MSSQL and Oracle Identity Manager for information about enabling SSL. |
To save the values, click Update.
When you enable logging, the connector server stores in a log file information about events that occur during the course of provisioning and reconciliation operations for different statuses. By default, the connector server logs are set at INFO level and you can change this level to the following:
Error
This level enables logging of information about errors that might allow the connector server to continue running.
WARNING
This level enables logging of information about potentially harmful situations.
INFO
This level enables logging of messages that highlight the progress of the operation.
FINE, FINER, FINEST
These levels enable logging of information about fine-grained events, where FINEST logs information about all events.
To enable the logging information for the connector server:
If you have already deployed an earlier release of this connector, then upgrade the connector to the current release 11.1.1.6.0.
Note:
Before you perform the upgrade procedure:
It is strongly recommended that you create a backup of the Oracle Identity Manager database. Refer to the database documentation for information about creating a backup.
As a best practice, perform the upgrade procedure in a test environment initially.
See Also:
Upgrading Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information on these steps
The following sections discuss the procedure to upgrade the connector:
Perform the following preupgrade steps:
Perform the following procedure:
Upload the new connector JARs as follows:
Use $ORACLE_HOME/bin/UploadJars.sh utility for uploading connector jars.
Upload bundle/org.identityconnectors.dbum-1.0.1116.jar as ICFBundle.
Note:
If you have to add a third-party JAR:
Navigate to the bundle directory.
Create a /lib folder and place the third-party JAR in that folder.
Update the bundle with the library by running "jar uvf org.identityconnectors.dbum-1.0.1116.jar lib/FILE_NAME".
Upload lib/DBUM-oim-integration.jar as JavaTask.
Run the Form Version Control (FVC) utility to manage data changes on a form after an upgrade operation. To do so:
In a text editor, open the fvc.properties file located in the OIM_DC_HOME directory and include the following entries:
For Oracle User:
ResourceObject;Oracle DB User
FormName;UD_DB_ORA_U
FromVersion;Version 0
ToVersion;v_22
ParentParent;UD_DB_ORA_U_USERNAME;UD_DB_ORA_U_RET_ID
For MSSQL UserLogin:
ResourceObject;MSSQL DB User Login
FormName;UD_DB_SQL_L
FromVersion;Version 0
ToVersion;v_11.1.1.1.8.0
ParentParent;UD_DB_SQL_L_LOGIN;UD_DB_SQL_L_REFID
For MSSQL User:
ResourceObject;MSSQL DB User
FormName;UD_DB_SQL_U
FromVersion;Version 7
ToVersion;v_11.1.1.1.8.0
ParentParent;UD_DB_SQL_U_USERNAME;UD_DB_SQL_U_REFID
For MySQL User:
ResourceObject;MySQL DB User
FormName;UD_DB_MYS_U
FromVersion;6
ToVersion;1
ParentParent;UD_DB_MYS_U_USER_NAME;UD_DB_MYS_U_RET_ID
For DB2 User:
ResourceObject;DB2 DB User
FormName;UD_DB_DB2_U
FromVersion;8
ToVersion;10
ParentParent;UD_DB_DB2_U_USERNAME;UD_DB_DB2_U_RET_ID
For Sybase User:
ResourceObject;Sybase DB User
FormName;UD_DB_SYB_U
FromVersion;8
ToVersion;10
ParentParent;UD_DB_SYB_U_USERNAME;UD_DB_SYB_U_RETURN_ID
For Sybase UserLogin:
ResourceObject;Sybase DB User Login
FormName;UD_DB_SYB_L
FromVersion;5
ToVersion;10
ParentParent;UD_DB_SYB_L_LOGIN;UD_DB_SYB_L_RET_ID
Run the FVC utility. This utility is copied into the following directory when you install the design console:
For Microsoft Windows:
OIM_DC_HOME/fvcutil.bat
For UNIX:
OIM_DC_HOME/fvcutil.sh
When you run this utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, and the logger level and log file location.
Run the PostUpgradeScript.sql script as follows:
Connect to the Oracle Identity Manager database by using the OIM User credentials.
Run the PostUpgradeScript:
For Oracle: PostUpgradeScriptOracleDBUM.sql
For MSSQL: PostUpgradeScriptMSSQLDBUM.sql
For MySQL: PostUpgradeScriptMySQLDBUM.sql
For DB2: PostUpgradeScriptDB2DBUM.sql
For Sybase: PostUpgradeScriptSybaseDBUM.sql
This script will upgrade the IT resource only for the required database. For example, after upgrading the connector, you can upgrade the IT resource only for the MSSQL database by running PostUpgradeScriptMSSQLDBUM.sql. The script will not upgrade the IT resource for the Oracle database.
If you are using Oracle Identity Manager release 11.1.2.x or later, then all changes made to the Form Designer of the Design Console must be done in a new UI form as follows:
Log in to Oracle Identity System Administration.
Create and activate a sandbox. For more information, see step 2 of Configuring Oracle Identity Manager Release 11.1.2 or Later.
Create a new UI form to view the upgraded fields. See step 3 of Configuring Oracle Identity Manager Release 11.1.2 or Later for more information about creating a UI form.
Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in step 2.c) and then save the application instance.
Publish the sandbox. See step 5 of Configuring Oracle Identity Manager Release 11.1.2 or Later for more information.
Configure the upgraded IT resource of the source connector. See Configuring the IT Resource for the Target System for information about configuring the IT resource.
Deploy the Connector Server. See Installing and Configuring the Connector Server and Installing the Connector on the Connector Server for more information.
Configure the latest token value of the scheduled job as follows:
The following scheduled jobs contain the Latest Token attribute:
For Oracle:
DBUM Oracle User Target Reconciliation
DBUM Oracle User Trusted Reconciliation
For MSSQL:
DBUM MSSQL Trusted Reconciliation
DBUM MSSQL User Login Target Reconciliation
DBUM MSSQL User Target Reconciliation
After upgrading the connector, you can perform either full reconciliation or incremental reconciliation. This ensures that records created or modified since the last reconciliation run (the one that you performed in Preupgrade Steps) are fetched into Oracle Identity Manager. From the next reconciliation run onward, the reconciliation engine automatically enters a value for the Latest Token attribute.
See Reconciliation from Oracle Database and Reconciliation from MSSQL for more information about performing full or incremental reconciliation for Oracle and MSSQL databases respectively.
Note:
If the query files have been customized (to include custom parameters, or for transformation or validation of data during reconciliation or provisioning), then the same customizations must be made again in the respective query files after upgrading the connector.
You can clone the connector by setting new names for some of the objects that comprise the connector. The outcome of the process is a new connector XML file. Most of the connector objects, such as Resource Object, Process Definition, Process Form, IT Resource Type Definition, IT Resource Instances, Lookup Definitions, Adapters, Reconciliation Rules and so on in the new connector XML file have new names.
See Also:
Cloning Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about cloning connectors and the steps mentioned in this section
This section contains the following topics:
After a copy of the connector is created by setting new names for connector objects, some objects might contain the details of the old connector objects. Therefore, you must modify the following Oracle Identity Manager objects to replace the base connector artifacts or attribute references with the corresponding cloned artifacts or attributes:
IT Resource
The cloned connector has its own set of IT resources. You must configure both the cloned connector IT resources and Connector Server IT resources, and provide the reference of the cloned Connector Server IT Resource in the cloned connector IT resource. Ensure you use the configuration lookup definition of the cloned connector.
Scheduled Job
The values of the Resource Object Name and IT Resource scheduled job attributes in the cloned connector refer to the values of the base connector. Therefore, these values (values of the Resource Object Name and IT resource scheduled job attributes that refer to the base connector) must be replaced with the new cloned connector artifacts.
Lookup Definition
No change is required to be made in any of the cloned lookup definitions. All cloned lookup definitions contain proper lookup entries.
Process Tasks
After cloning, you notice that all event handlers attached to the process tasks are the cloned ones. Therefore, no changes are required for process tasks in parent forms. This is because the adapter mappings for all process tasks related to parent forms are updated with cloned artifacts.
Localization Properties
You must update the resource bundle of a user locale with new names of the process form attributes for proper translations after cloning the connector. You can modify the properties file of your locale in the resources directory of the connector bundle.
For example, the process form (UD_DB_SQL_U) attributes are referenced in the Japanese properties file, DB-UM_ja.properties, as global.udf.UD_DB_SQL_U_USERNAME.
During cloning, if you change the process form name from UD_DB_SQLCLONED_U to global.udf.UD_DB_SQLCLONED_U_USERNAME, then you must add the process form attributes to global.udf.UD_DB_SQL_U_USERNAME.