2 Prerequisites for Installing the Generic REST Connector

Learn about the tasks that you must complete before you install the Generic REST connector.

Topics

2.1 Downloading the Connector Installation Package

You can obtain the installation package for the Generic REST connector on the Oracle Technology Network (OTN) website.

To download the connector installation package:
  1. Navigate to the OTN website at http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html.
  2. Click OTN License Agreement and read the license agreement.
  3. Select the Accept License Agreement option.
    You must accept the license agreement before you can download the installation package.
  4. Download and save the installation package to any directory on the computer hosting Oracle Identity Manager.

2.2 Creating a Schema File

Create a schema file to help the connector understand the underlying structure of your target system.

The schema file contains entries that you add to it by using Account qualifiers and Field qualifiers. Account qualifiers help you list certain fields of an account in your target system that the connector uses for performing reconciliation and provisioning operations. You can use Field qualifiers to further describe the fields listed using account qualifiers. For example, using field qualifiers, you can specify whether a given field is mandatory or a multivalued field. You can also specify the datatype of the field.
You must specify field qualifiers in one of the following formats:

  • The following is the format for describing parent form fields:

    <FIELDNAME>.<FIELDQUALIFIER>=<VALUE>

    Example: UserId.Required=true

  • The following is the format for describing complex child form fields:

    <FIELDNAME>.<SUBFIELDNAME>.<FIELDQUALIFIER>=<VALUE>.

    Example: Roles.fromdate.DataType=Long

The schema file that you create must adhere to the following guidelines that are recognized by the metadata generator:

  • Each entry must be in a single line in the following format:

    PropertyName=PropertyValue

  • Any space characters that appear between the property name and property value is ignored. For example, the following three entries are all the same:

    • StatusAttribute=AccountStatus

    • StatusAttribute = AccountStatus

    • StatusAttribute= AccountStatus

  • Comments help you and others referring the schema understand its entries better. Any entry or line that begins with the number sign (#) is ignored by the metadata generator.

  • Unless specified, the default data type for all fields is String.

Note:

You must create the schema.properties file on the computer on which you intend to run the metadata generation utility.
To create the schema file:
  1. Create a .properties file.
  2. Add entries to the file by using the account qualifiers listed in the following table to define the schema of your target system.

    Table 2-1 Account Qualifiers

    Account Qualifier Mandatory? Description

    FieldNames

    Yes

    Enter a comma-separated list of attributes that the connector must fetch from the target system. You must specify all single-valued and multivalued attributes, including the attribute used for performing incremental reconciliation here. You must also specify any child form names here. However, do not enter child form field names here as you specify them by using the Subfields qualifier which is discussed later in this guide.

    Note: For target system attributes that have corresponding attributes predefined in ICF, Oracle recommends to use the predefined ICF attribute naming convention in the FieldNames qualifier. Suppose you want the connector to fetch groups from the target system, then you must include the group attribute in the FieldNames qualifier. ICF has a corresponding predefined attribute for groups named __GROUP__ . Therefore, we recommend that you specify __GROUP__ instead of Groups. For a complete list of predefined ICF attributes, see Oracle Fusion Middleware Java API Reference for Identity Connector Framework.

    Sample entry: FieldNames=id,primaryEmail,password,name.familyName,name.givenName,alias,phones,__GROUP__,isAdmin,changePasswordAtNextLogin,orgUnitPath,suspended

    UidAttribute

    Yes

    Enter the name of the attribute that corresponds to the unique ID of the account. The connector uses this value to uniquely identify target system user accounts that it needs to fetch during reconciliation. The connector also uses this value to uniquely identify target system user accounts during update and delete provisioning operations.

    The value of this qualifier corresponds to the __UID__ attribute of the connector.

    Sample entry: UidAttribute=id

    NameAttribute

    Yes

    Name of the attribute that corresponds to a descriptive name of the account in the target system that the connector uses for performing reconciliation and update provisioning operations.

    This value corresponds to the __NAME__ attribute of the connector and is used to generate the reconciliation rule.

    Sample entry: NameAttribute=UserName

    PasswordAttribute

    Yes, if your target system supports password management of user accounts

    Name of the password attribute of the account that the connector uses during Change Password provisioning operations.

    The value of this qualifier corresponds to the __PASSWORD__ attribute of the connector.

    Sample value: PasswordAttribute=accountPwd

    StatusAttribute

    Yes, if your target system supports management of user account statuses

    This qualifier refers to the attribute which denotes the status of the account. The connector uses this attribute during provisioning operations to enable or disable user accounts. In addition, the connector uses this attribute to fetch the status of an account during Status reconciliation.

    The value of this qualifier corresponds to the __ENABLE__ attribute of the connector.

    Sample value: StatusAttribute=status
  3. If required, using the field qualifiers, add entries to the file to include details about fields added in Step 2.

    Note:

    All the field qualifiers are optional.

    Table 2-2 Field Qualifiers

    Field Qualifier Description

    Required

    This field qualifier specifies if the mentioned attribute is mandatory. If the value of this qualifier is set to true, the parser will skip processing the records that do not contain this field name.

    For example: UserId.Required=true

    Multivalued

    This field qualifier specifies if the mentioned attribute is a multivalued field.

    For example: Roles.Multivalued=true

    DataType

    This field qualifier is used to specify the datatype of the field name. If you do not specify the data type for any field, then it is considered as a String data type by default.

    The following are the possible values for this qualifier:

    • String

    • Long

    • Character

    • Double

    • Float

    • Integer

    • Boolean

    • Byte

    • BigDecimal

    • BigInteger

    • Date

    For example: startDate.DataType=Date

    EmbeddedObjectClass

    This field qualifier specifies the object class name of child forms that have more than one subfield. The value of this qualifier is used internally by ICF and is mandatory for all complex child forms.

    For example: Roles.EmbeddedObjectClass=Roles
  4. Save the created .properties file.

See Also:

Sample Schema Filefor a sample ACME schema file

2.3 Updating the Groovy File

Update the Groovy file by specifying values for properties that store information about your target system schema and the mode in which you want to configure the connector.

To update the GenericRestConfiguration.groovy file:
  1. Extract the contents of the connector installation package to any directory on the computer hosting OIM. This creates a directory named GenericREST-RELEASE_NUMBER. See Files and Directories of the Generic REST Connector for information about all the files and directories in the connector installation package.
  2. In a text editor, open the GenericRestConfiguration.groovy file located in the GenericREST-RELEASE_NUMBER/metadata-generator/resources directory.
  3. Depending on whether you want to run the connector in the trusted source mode or target resource mode, enter values for the entries in the configuration section. You can use the existing sample configuration or create your own section.

    Note:

    • The presence of the trusted=true entry in a configuration section indicates that the section is for configuring the connector to run in the trusted source mode. If trusted=true does not exist or trusted=false, then the configuration section is for running the connector in the target resource mode.

    • If you do not want to specify a value for any of the optional entries or attributes in the GenericRestConfiguration.groovy file, then comment out that entry or attribute by prefixing it with the double-slash symbol (//).

    Table 2-3 Entries in the GenericRestConfiguration.groovy File

    Entry Applicable to trusted, target, or both? Mandatory? Description

    trusted

    Trusted source

    Yes

    This entry indicates whether the configuration section is for trusted source mode or target resource mode.

    Set the value of this entry to true, if you are configuring the connector to run in the trusted source mode.

    itResourceDefName

    Both

    Yes

    Enter the name of the IT resource type for the target system. Note that the value that you specify for this entry determines the name of the connector package, connector configuration file, and connector installer file. For example, if you specify GenRestTrusted as the value of this entry, then the name of the connector package directory is GenRestTrusted.zip. See Understanding the Generator Connector Package for the directory structure of the connector package.

    itResourceName

    Both

    No

    Enter the name of the IT resource for the target system. If this entry is commented, then the IT resource name will be the same as the value of the ITResourceDefName entry.

    Default value: "$itResourceDefName"

    Note: The value of this entry must be unique for each connector that you create for your target system, if you plan to install or use two or more Generic REST connectors in the same OIM environment. In addition, this value will be a part of the names for all connector components (defined in the connector configuration XML file, which is created after you run the metadata generator) such as lookup definitions, resource objects, process forms, and scheduled tasks.

    For example, if you specify GenRestTrusted as the value of itResourceName entry, then after you deploy the connector, the configuration lookup definition is created and its name will be Lookup.GenRestTrusted.Configuration.

    connectorDir

    Both

    No

    This entry is the complete path to the directory that must contain the connector package that is generated when you run the metadata generator. By default, the name of the directory containing the generated connector package is the same as the value of the itResourceDefName entry.

    Sample value: "/scratch/jdoe/OIMPS3/mw4318/idm7854/server/ConnectorDefaultDirectory/GenRestTrusted"

    xmlFile

    Both

    No

    Enter the name and relative path of the XML file that must contain definitions of the connector objects. If you do not specify a value for this entry, then the file name is generated in the following format:

    IT_RES_DEF_NAME-ConnectorConfig.xml

    In this format, IT_RES_DEF_NAME is the value of the itResourceDefName entry.

    For example, if you have not specified a value for this entry and GenRestTrusted is the value of the itResourceDefName entry, then the name of the XML file that is generated is GenRestTrusted-ConnectorConfig.xml.

    Tip: To easily identify files of a specific target system installation, prefix the names of this generated XML file with the name of the IT resource for the target system.

    Sample value: GenRestTrusted-ConnectorConfig.xml

    configFileName

    Both

    No

    Enter the name and relative path of the XML file that contains the configuration information of the connector objects. If you do not specify a value for this entry, then the file name is generated in the following format:

    IT_RES_DEF_NAME-CI.xml

    In this format, IT_RES_DEF_NAME is the value of the itResourceDefName entry.

    For example, if you have not specified a value for this entry and GenRestTrusted is the value of the itResourceDefName entry, then the name of the XML file that is generated is GenRestTrusted-CI.xml.

    propertiesFile

    Both

    No

    Enter the name and relative path of the .properties file which contains the resource bundle translations. If you do not specify a value for this entry, then the file name is generated in the following format:

    IT_RES_DEF_NAME-generator.properties

    In this format, IT_RES_DEF_NAME is the value of the itResourceDefName entry.

    For example, if you have not specified a value for this entry and GenRestTrusted is the value of the itResourceDefName entry, then the name of the properties file that is generated is GenRestTrusted-generator.properties.

    version

    Both

    No

    Enter the release number of the connector.

    Sample value: 11.1.1.5.0

    bundleJar

    Both

    Yes

    The value of this entry indicates the name and relative path of the JAR file containing the ICF bundle that the metadata generator will use.

    Default value: ../lib/org.identityconnectors.genericrest-1.0.11150.jar

    Do not change the value of this entry.

    config

    Both

    Yes

    Specify the manner in which the connector must behave and connect to the target system.

    By default, the config entry contains only the schemaFile property. The schemaFile property is a mandatory property. Enter the name and relative path of the schema file that you want to use.

    dateAttributeList

    Both

    No

    Enter the list of attributes that must be handled as date on the process form. Ensure that the data type of the attributes listed here is set to Long in the schema file.

    For more information about the format in which you must enter values for this entry, see About the dateAttributeList, entitlementAttributeList, lookupAttributeList, and alias Entries of the Groovy File.

    alias

    Both

    Yes

    Depending on whether you are configuring the Groovy file for the target resource mode or trusted source mode, you must specify a value for this entry.

    The metadata generator uses aliases to create relationships between the attributes in the target system and resource object field names in Oracle Identity Manager. In addition, the metadata generator uses aliases to shorten long database names to meet the character-length restrictions on form names and form field names in Oracle Identity Manager.

    For detailed information about this entry and the values that you can enter, see About the dateAttributeList, entitlementAttributeList, lookupAttributeList, and alias Entries of the Groovy File.

    applicationInstanceName

    Target resource

    No

    Enter the name of the application instance for your target system that the connector must generate. If this entry is commented, then the application instance name will be the same as the value of the ITResourceDefName entry.

    Default value: "$itResourceDefName"

    entitlementAttributeList

    Target resource

    No

    Enter the list of attributes in the target system that must be tagged as entitlements.

    For more information about the format in which you must enter values for this entry, see About the dateAttributeList, entitlementAttributeList, lookupAttributeList, and alias Entries of the Groovy File.

    lookupAttributeList

    Target resource

    No

    Enter the list of attributes in your target system that must be handled as lookup fields.

    For more information about the format in which you must enter values for this entry, see About the dateAttributeList, entitlementAttributeList, lookupAttributeList, and alias Entries of the Groovy File.

    prepopulate

    Target resource

    No

    Specify a value for this entry if you want Oracle Identity Manager to prepopulate connector's process form fields from OIM User fields while provisioning an enterprise target system resource.

    The default value of this entry is as follows:

    ['__NAME__':'User Login', 'FIRST_NAME':'First Name', 'LAST_NAME':'Last Name', '__PASSWORD__':'Password']

    This means that the groovy file is configured to prepopulate the following fields by default:

    • User Login

    • First Name

    • Last Name

    • Password

    You can add fields to or remove fields from the preceding list. The following is the format in which you must specify values for the prepopulate entry:

    ['ATTR1': 'OIM_FIELD1', 'ATTR2': 'OIM_FIELD2', . . . 'ATTRn': 'OIM_FIELDn']

    In this format:

    • ATTR can be either the connector attribute name or the target system attribute name.

    • OIM_FIELD is the name of the field on the OIM User form.

    See Working with Prepopulate Adapters in Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for more information about attaching and removing prepopulate adapters.
  4. Save and close the GenericRestConfiguration.groovy file.

2.3.1 About the dateAttributeList, entitlementAttributeList, lookupAttributeList, and alias Entries of the Groovy File

Learn about the dateAttributeList, entitlementAttributeList, lookupAttributeList, and alias entries of the Groovy file. You use the information provided here while updating the Groovy file.

dateAttributeList

This entry holds the list of attributes that the connector must handle as date on the process form. Ensure that the data type of the attributes listed here is set to Long in the schema file.

The connector creates a date editor for each of the attributes specified in this entry.

If you want to the connector to handle single-valued or multivalued fields as date, then enter the value for this entry in the following format:

["FIELD_NAME"]

In this format, replace FIELD_NAME with the name of the single or multivalued field.

If you want to handle an embedded multivalued field as date, then enter the value in the following format:

["OBJ_CLASS.SUB_FIELD_NAME"]

In this format, replace:

  • OBJ_CLASS with the EmbeddedObjectClass name for the child form as specified in the schema file.

  • SUB_FIELD_NAME with the subfield name for the child form as specified in the schema file.

Default value: ["JoiningDate"]

You can modify the default value to meet the requirements in your environment.

The following is a sample value for handling embedded multivalued fields as date:

["MyRole.StartDate", "MyRole.EndDate"]

entitlementAttributeList

This entry must include the list attributes in the target system that must be tagged as entitlements.

The connector creates a lookup field for each of the attributes specified in this entry, assigns the lookup fields to a process form, and adds all the required properties of entitlements.

If you want to tag entitlements for multivalued fields, then enter the value in the following format:

["MULTIVALUED_FIELD_NAME"]

If you want to tag entitlements for a multivalued field that is embedded, then enter the value in the following format:

["OBJ_CLASS.SUB_FIELD_NAME"]

In this format, replace:

  • OBJ_CLASS with the EmbeddedObjectClass name for the child form as specified in the schema file.

  • SUB_FIELD_NAME with the subfield name for the child form as specified in the schema file.

Default value: [‘Roles.RoleName’]

In this value, Roles.RoleName is a multivalued field that is embedded. In other words, Roles is the EmbeddedObjectClass name for roles child form as specified in the schema file (that is, roles.EmbeddedObjectClass=Roles) and RoleName is one of the subfields for the roles child form as specified in the schema file (that is roles.Subfileds=ROLENAME).

You can modify the default value to meet the requirements in your environment.

lookupAttributeList

This entry holds the list of attributes in your target system that the connector must be handle as lookup fields.

The connector creates a lookup field for each of the attributes specified in this entry and associates it with the corresponding lookup fields on the OIM User process form.

If you want to create a lookup field for a single-valued or multivalued field, then enter the value in the following format:

['FIELD_NAME']

In this format, replace FIELD_NAME with the name of the single or multivalued field.

If you want create a lookup field for a multivalued field that is embedded then, enter the value in the following format:

['OBJ_CLASS.SUB_FIELD_NAME']

In this format, replace:

  • OBJ_CLASS with the EmbeddedObjectClass name for the child form as specified in the schema file.

  • SUB_FIELD_NAME with the subfield name for the child form as specified in the schema file.

The default value of this entry is:

['Currency']

In this value, Currency is a multivalued field.

You can modify the default value to meet the requirements in your environment.

For each attribute listed in the lookupAttributeList entry, the connector creates a lookup definition and scheduled job in the following format:

  • Lookup definition format:

    Lookup.${IT_RES_NAME}.${FIELD_NAME}

    This lookup definition holds the lookup values reconciled from the target system.

  • Scheduled job format:

    IT_RES_NAME Target FIELD_NAME Lookup Reconciliation

    This scheduled job is used to load or reconcile lookup values from your target system. See Scheduled Job for Lookup Field Synchronization for more information about the attributes of the scheduled job for lookup reconciliation.

In both the formats, the connector replaces:

  • IT_RES_NAME with the value of the itResourceDefName entry.

  • FIELD_NAME with the name of the field for which the lookup field is created.

alias

The metadata generator uses aliases to create relationships between the attributes in the target system and resource object field names in Oracle Identity Manager. In addition, the metadata generator uses aliases to shorten long database names to meet the character-length restrictions on form names and form field names in Oracle Identity Manager. Aliasing can be used on column name, form name, and form field name levels. Note that the target system attributes are represented as connector attributes.

Depending on the type of configuration, specify values for one of the following sections:

  • For trusted source configuration

    In the trusted source configuration section, you use the alias entry to map connector attributes or target system attributes to the OIM User form field names. The mappings that you specify here are used to populate entries in the Recon Attribute map lookup definition for trusted source reconciliation.

    Note that some of the OIM User form field names do not have the same display name internally. For such fields, you must ensure that you map the connector attribute or target system attribute to the internal name rather than the display name. The following table lists the names of the OIM User form display names and their corresponding internal names:

    Display Name Internal Name

    Organization

    Organization Name

    Manager

    Manager Login

    E-mail

    Email

    The following is the default value of the alias entry:

    ['__NAME__':'User Login', 'LastName':'Last Name','Organization':'Organization Name', 'Employee Type':'Xellerate Type', 'Role':'Role']

    In the default value, note that the "Organization" connector attribute has been mapped to "Organization Name", which is the internal name.

    You cannot delete existing mappings in the default value. However, you can modify these mappings.

    If you want to add mappings for fields other than the ones already present in the alias entry, then you can add them either to the existing values in the alias entry, or add them to the alias + entry.

    The following is the default value of the alias + entry:

    ['__ENABLE__':'Status', 'FirstName':'First Name', 'email':'Email', 'JoiningDate':'Start Date']

    The following is the format in which you must specify values for the alias and alias + entry:

    ['CONN_ATTR1': 'OIM_FIELD1', 'CONN_ATTR2': 'OIM_FIELD2', . . . 'CONN_ATTRn': 'OIM_FIELDn']

    In this format:

    • CONN_ATTR is the connector attribute name.

    • OIM_FIELD is the name of the field on the OIM User form.

  • For target resource configuration

    In the target resource configuration section, you use the alias entry for one or all of the following purposes:

    • To map connector attributes or target system attributes to fields of the process form. The mappings that you specify here are used to populate entries in the Recon Attribute map and Prov Attribute map lookup definitions that are used during target resource reconciliation.

    • To set an alias (a unique and shortened name) for the IT resource name specified in the itResourceName entry.

    • To specify a short name for a lengthy process form field name.

      When the number of characters in a process form is more than 11, the metadata generator automatically truncates the process form name to 10 characters and then suffixes it with the digit 0. Subsequently, for every process form that results in the same name after truncating, the suffix is incremented by 1. The metadata generator prevents any two process forms from having the same name by using autonumbering. To gain control over the autogenerated form name and to have meaningful form names, you can use an alias to specify a shortened process form name.

      This is illustrated by the following example:

      Assume that the resource name is GENDB and contains child data that is represented as USER_ROLES in the schema.

      When you run the metadata generator, the process form is created and the form name is UD_GENDB_USER_ROLES. As the number of characters in this process form name is more than 11, the metadata generator automatically truncates it to UD_GENDB_U0. The truncated form name, UD_GENDB_U0, is not meaningful.

      To avoid encountering such issues or forms with autogenerated names, you can use the alias entry to specify short and meaningful process form names.

      The following is the default value of the alias entry in the target resource configuration section:

      ['__UID__':'id', '__NAME__':'primaryEmail']

      You cannot delete existing mappings in the default value as they are mandatory. However, you must modify the default value to match the values of the UidAttribute and NameAttribute qualifiers in the schema file. For example, in the schema file, if you have set the values of the UidAttribute and NameAttribute qualifiers to EmpId and UserName respectively, then you must set the value of the alias entry to the following:

      ['__UID__':'EmpId', '__NAME__':'UserName']

      If you want to add mappings for fields other than the ones already present in the alias entry (in other words, optional aliases), then you can add them either to the existing values in the alias entry, or add them to the alias + entry.

      The following is the default value of the alias + entry in the target resource section:

      ['USERROLERELATIONSHIP':'USRROL', 'comments':'Description', 'Family Name':'Last Name', 'Visibility':'Status']

      The following is the format in which you must specify values for the alias and alias + entries:

      ['CONN_ATTR1': 'ALIAS_FIELD1', 'CONN_ATTR2': 'ALIAS_FIELD2', . . . 'CONN_ATTRn': 'ALIAS_FIELDn']

      In this format:

      • CONN_ATTR is the connector attribute name.

      • ALIAS_FIELD is the alias corresponding to the connector attribute or target system attribute.