Oracle Identity Analytics System Integrator's Guide 11g Release 1

To Configure Oracle Identity Analytics and Oracle Identity Manager to Work Together (Preferred Integration Method)

Before You Begin -

  1. Copy the required Oracle Identity Manager API JAR files to Oracle Identity Analytics.

    See Step 1: Copy the Required Files From the OIM Server

  2. In Oracle Identity Analytics, edit the required and optional configuration files.

    See Step 2: Edit the Oracle Identity Analytics Configuration Files

  3. In Oracle Identity Manager, log on to the Design Console and edit the required forms.

    See Step 3: Modify the Oracle Identity Manager Forms Using the Form Designer

  4. In Oracle Identity Manager, configure the data collection scheduler.

    See Step 4: Configure the Oracle Identity Manager Data Collection Scheduler

  5. In Oracle Identity Analytics, create a connection to Oracle Identity Manager. Establish a connection by entering authentication details.

    See Step 5: Configure Oracle Identity Analytics to Connect to Oracle Identity Manager

  6. In Oracle Identity Analytics, import data from Oracle Identity Manager.

    See Step 6: Import the Oracle Identity Manager (OIM) Data Into Oracle Identity Analytics (OIA)

  7. To send real time changes from Oracle Identity Analytics to Oracle Identity Manager, change the Oracle Identity Analytics configuration files related to workflows.

    See Step 7: Configure the Oracle Identity Analytics (OIA) Workflows to Export Data to Oracle Identity Manager (OIM)

  8. In Oracle Identity Manager, review automatic role assignment and role management.

    See Step 8: Review Oracle Identity Manager Automatic Role Assignment and Role Management Settings

Step 1: Copy the Required Files From the OIM Server

Step 2: Edit the Oracle Identity Analytics Configuration Files

  1. Enable Oracle Identity Manager as a supported provisioning server by editing iam-context.xml in the RBACX_Home/WEB-INF folder as follows:

    1. Uncomment the following lines at the start of iam-context.xml:

      <import resource="oim-commons-context.xml"/>
      <import resource="oim-11g-context.xml"/>  <!-- This also works with at least Oracle Identity Manager 9.1.0.2 BP14a -->
    2. Enable the following:

       <entry key="oracle">
         <ref bean="oimSolution"/>
       </entry>
  2. (Optional) To map Oracle Identity Manager extended attributes to Oracle Identity Analytics custom properties, add the following mappings to oim-commons-context.xml as appropriate:

    • For Users, complete the mapping by updating the value attribute with the Oracle Identity Manager extended attribute name, as follows:

      <util:map id="iamUserToUserCustomProperties">
              <!--entry key="customProperty1" value="usr_udf_cust1"/>
              <entry key="customProperty2" value="usr_udf_cust2"/>
              <entry key="customProperty19" value="usr_udf_cust19"/-->
      </util:map>
    • For Roles, complete the mapping by updating the value attribute with the Oracle Identity Manager extended attribute name, as follows:

      <util:map id="iamRoleCustProperties">
              <!--entry key="customProperty1" value="Groups.Group Name"/-->
      </util:map>
  3. (Optional) If enabling closed-loop remediation, edit oim-11g-context.xml and add the appropriate mappings as follows:

    <property name="accountIdentifierMap">
                <map>
                    <entry key="AD User" value="UD_ADUSER_UID"/>
                </map>
    </property>
  4. Edit $RBACX_HOME/conf/oimjdbc.properties. This should contain the Oracle Identity Manager database information.

    1. Run the encryptPassword tool in the samples folder to encrypt the database password located in the oimjdbc.properties file.

    2. Open the oim-11g-context.xml file for editing and search for the word password.

    3. Update the XML so that the tags look like the following sample:

          <prop key="user">${oim.jdbc.username}</prop>
          <!--prop key="password">${oim.jdbc.password}</prop-->
          <prop key="password">${oim.jdbc.password.encrypted}</prop>
          <prop key="SetBigStringTryClob">true</prop>
        </props>
    4. Save your changes.
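The edits above are easy to get half-right (an import left commented out, or the plaintext password prop left active next to the encrypted one). As an added example that is not part of this guide or of Oracle's code, the following Python script checks the Step 2 result before the OIA server is restarted: it parses the context files so that commented-out lines do not count, and it flags any remaining plaintext OIM database password. It assumes Spring-style XML for the context files; the file contents are constructed samples, and the PLACEHOLDER_* identifiers stand in for map, bean and property names the guide does not show.

```python
"""Added example, not Oracle's code: static checks for the Step 2 edits. It
confirms that OIM is an active provisioning server in iam-context.xml and that
the OIM database password is referenced only through the encrypted placeholder
written by the encryptPassword tool. Samples are constructed; PLACEHOLDER_* names
stand in for identifiers the guide does not show."""
import re
import xml.etree.ElementTree as ET

REQUIRED_IMPORTS = {"oim-commons-context.xml", "oim-11g-context.xml"}
ENCRYPTED_REF = "${oim.jdbc.password.encrypted}"

def check_iam_context(xml_text):
    """Both OIM imports and entry key="oracle" -> oimSolution must be live;
    the parser drops <!-- --> comments, so commented-out lines never count."""
    root = ET.fromstring(xml_text)
    active = {el.get("resource") for el in root.iterfind(".//{*}import")}
    findings = ["iam-context.xml: import of %s is not active" % name
                for name in sorted(REQUIRED_IMPORTS - active)]
    refs = [ref.get("bean") for entry in root.iterfind(".//{*}entry")
            if entry.get("key") == "oracle" for ref in entry.iterfind("{*}ref")]
    if "oimSolution" not in refs:
        findings.append('iam-context.xml: entry key="oracle" -> oimSolution not active')
    return findings

def check_oim_11g_context(xml_text):
    """Every live <prop key="password"> must resolve the encrypted placeholder."""
    root = ET.fromstring(xml_text)
    values = [p.text.strip() for p in root.iterfind(".//{*}prop")
              if p.get("key") == "password" and p.text]
    if not values:
        return ['oim-11g-context.xml: no active <prop key="password">']
    return ["oim-11g-context.xml: password prop resolves %s" % v
            for v in values if v != ENCRYPTED_REF]

def check_jdbc_properties(props_text):
    """oimjdbc.properties must hold the encrypted value and no plaintext key."""
    keys = dict(re.findall(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$",
                           props_text, re.MULTILINE))
    findings = []
    if "oim.jdbc.password" in keys:
        findings.append("oimjdbc.properties: plaintext oim.jdbc.password still set")
    if not keys.get("oim.jdbc.password.encrypted"):
        findings.append("oimjdbc.properties: oim.jdbc.password.encrypted missing")
    return findings

def check_step2(iam_context, oim_11g_context, jdbc_props):
    return (check_iam_context(iam_context) + check_oim_11g_context(oim_11g_context)
            + check_jdbc_properties(jdbc_props))

def commented(element):
    """Wrap a one-line XML element in the <!--elem/--> form the guide uses."""
    return "<!--" + element[1:-1] + "-->"

# Constructed samples: SHIPPED_* is the state Step 2 tells you to change, FIXED_* the result.
NS = ('xmlns="http://www.springframework.org/schema/beans" '
      'xmlns:util="http://www.springframework.org/schema/util"')
IMPORTS = ('<import resource="oim-commons-context.xml"/>'
           '<import resource="oim-11g-context.xml"/>')
ENTRY = '<entry key="oracle"><ref bean="oimSolution"/></entry>'
IAM_TEMPLATE = f'<beans {NS}>@IMPORTS@<util:map id="PLACEHOLDER_MAP">@ENTRY@</util:map></beans>'
SHIPPED_IAM = IAM_TEMPLATE.replace("@IMPORTS@", commented(IMPORTS)).replace("@ENTRY@", commented(ENTRY))
FIXED_IAM = IAM_TEMPLATE.replace("@IMPORTS@", IMPORTS).replace("@ENTRY@", ENTRY)
PLAIN_PW = '<prop key="password">${oim.jdbc.password}</prop>'
OIM_11G_TEMPLATE = (f'<beans {NS}><bean id="PLACEHOLDER_BEAN" class="PLACEHOLDER">'
                    '<property name="PLACEHOLDER"><props>'
                    '<prop key="user">${oim.jdbc.username}</prop>@PASSWORD@'
                    '<prop key="SetBigStringTryClob">true</prop></props></property></bean></beans>')
SHIPPED_OIM_11G = OIM_11G_TEMPLATE.replace("@PASSWORD@", PLAIN_PW)
FIXED_OIM_11G = OIM_11G_TEMPLATE.replace(
    "@PASSWORD@", commented(PLAIN_PW) + '<prop key="password">%s</prop>' % ENCRYPTED_REF)
SHIPPED_PROPS = "oim.jdbc.username=OIM_USER\noim.jdbc.password=ChangeMe123\n"
FIXED_PROPS = "oim.jdbc.username=OIM_USER\noim.jdbc.password.encrypted=OUTPUT_OF_encryptPassword\n"
if __name__ == "__main__":
    print("shipped:", check_step2(SHIPPED_IAM, SHIPPED_OIM_11G, SHIPPED_PROPS))
    print("fixed:", check_step2(FIXED_IAM, FIXED_OIM_11G, FIXED_PROPS) or "no findings")
```

Point the three check functions at the real files under RBACX_Home/WEB-INF and $RBACX_HOME/conf and an empty result means the edits are complete.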

Step 3: Modify the Oracle Identity Manager Forms Using the Form Designer

In this step you will open Form Designer and, for each OIM resource, add the three properties that OIA needs to exchange data with OIM.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Open the Form Designer.

  3. For each Resource, add the following properties to the form fields that serve as the identified feed for the accounts, policies, and entitlements imports:

    • AccountName - Identifies the unique account in the target system

    • ITResource - Identifies the unique IT Resource field for the target system

    • Entitlement - Identifies the account attribute designated for privileges

    • OIAParentAttribute - Add this property only if you have installed at least OIM 9.1.0.2 BP14a. This property identifies the parent or mandatory entitlement attributes.

      Complete this step as follows:

    1. Locate the Process Form for the given resource.

      Note - The AccountName and ITResource properties are on the parent form, and the Entitlement and OIAParentAttribute properties are on the child form.

    2. Open the child Process Form and create a new version.

    3. Click the Properties tab.

    4. Locate ONLY ONE entitlement field per form, click Add Property, and add the Entitlement = true property setting.

      If there are multiple Entitlement child forms, add one Entitlement = true property setting per Entitlement form.

    5. If you have installed at least OIM 9.1.0.2 BP14a (but not including OIM 11gR1 and higher), do the following: Locate ONLY ONE entitlement field per form, click Add Property, and add the OIAParentAttribute = true property setting.

      If there are multiple Entitlement child forms, add one OIAParentAttribute = true property setting per Entitlement form.

    6. Save the child form and make it active.

    7. Locate the parent process form and create a new version.

    8. Click the Properties tab.

    9. Locate the field that uniquely identifies the account in the target system, click Add Property, and add the AccountName = true property setting.

      See the following screen capture for an example.

    10. Locate the ITResource field for the target system, click Add Property, and add the ITResource = true property setting.

    11. Save the parent form and make it active.

  4. Repeat for each Resource.

  5. Restart the Oracle Identity Analytics server.

Step 4: Configure the Oracle Identity Manager Data Collection Scheduler

Use the following steps to register the Oracle Identity Manager scheduled task that is required to support the OIA-OIM integration.

Before You Begin - Verify that the OIM installation/upgrade script created the DataCollection Schedule Job in OIM and that the job is enabled but not scheduled for execution. Your integration will not work without this important job.

Follow these steps to register the task with OIM:

  1. Export the task.xml file from the MDS.

    The MDS path for task.xml is /db/task.xml.

  2. Open the task.xml file for editing.

  3. Add the following scheduled task to the task.xml file and save the file.

        <task>
            <name>DataCollection Schedule Task</name>
            <class>com.thortech.xl.schedule.tasks.DataCollectionTask</class>
            <description>DataCollection Schedule Tasks</description>
            <retry>5</retry>
        </task>

  4. Reimport task.xml into the MDS so that the scheduled task is available for creating the data collection scheduled job.

  5. Enable the DataCollection Schedule Task if you are using Oracle Identity Manager 9.1.0.2.

    If you are using at least Oracle Identity Manager 11gR1, the DataCollection Schedule Task is already enabled so you should skip this step.

Step 5: Configure Oracle Identity Analytics to Connect to Oracle Identity Manager

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Provisioning Servers.

  4. Click New Provisioning Server Connection.

    The New Provisioning Server Connection wizard asks you to choose the type of provisioning server connection that you want to create.

  5. From the Type of Provisioning Server Connection drop-down menu, select Oracle and click Next.

  6. Complete the form:

    • Server Name - Type the Oracle Identity Manager server name.

    • Xellerate Home - Type the path to the xellerate folder in OIM. (Example: C:\oracle\xellerate)

      If Oracle Identity Manager is on a separate machine, create a local xellerate folder and copy the config folder from <OIMDesignConsole> into that local xellerate folder.

    • Login Config - Type the path to the authentication configuration ( auth.config ) file. (Example: C:\oracle\xellerate\config\authwl.conf)

    • Provider URL - Type the provider URL. The format for this field is as follows:

      • WebLogic -

        t3://host:7001

      • JBoss -

        jnp://host:1099 (The default port number in a clustered environment is 1100.)

      • WebSphere -

        corbaloc:iiop:host:2809

    • Initial Context Factory - Enter the name of the environment property for specifying the initial context factory. The default values are as follows:

      • WebLogic -

        weblogic.jndi.WLInitialContextFactory

      • JBoss -

        org.jnp.interfaces.NamingContextFactory

      • WebSphere -

        com.ibm.websphere.naming.WsnInitialContextFactory

    • User Name - Enter the OIM user name. (example: xelsysadm) The specified OIM user needs to have system administrator privileges.

    • Password - Enter the OIM password.

  7. Click Save.

Step 6: Import the Oracle Identity Manager (OIM) Data Into Oracle Identity Analytics (OIA)

Complete this step if you have data in Oracle Identity Manager that you want to use to populate the Oracle Identity Analytics Identity Warehouse. Importing data about Users, Resources, Entitlements, and so on, eliminates the need to manually create this information in Oracle Identity Analytics.

Note - Importing data from Oracle Identity Manager into Oracle Identity Analytics using this procedure should be a one-time event that takes place when first configuring the systems.

Schedule or run the import jobs in the following order:

  1. Import Resource Metadata. See To Import Resource Metadata for details.

  2. Import Resources. See To Import Resources for details.

  3. Import the Glossary Data. See To Import Glossary Data for details.

  4. Import Entitlements, Users, and Accounts. See To Import Entitlements, Users, and Accounts for details.

  5. Import Policies. See To Import Policies for details.

  6. Import Roles. See To Import Roles for details.

To Import Resource Metadata
  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Import/Export.

  4. To start a new import job, choose Schedule Job > Import > Import Resource Metadata.

    The next page prompts you to choose, from the list of available resources, the resource whose attribute metadata you want to import.

  5. Select the specific resource type.

  6. Under Data Selection Source, select the appropriate Connection Name and click Next.

  7. Complete the form by entering the Name and Description of the Job.

  8. Choose one of the following:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  9. Click Finish to generate the Import Job.

    The import resource metadata job runs on the scheduled date and time.

  10. Set (or validate) the parent attribute for each attribute category by following the steps in the To Validate That the Parent Attribute for Each Attribute Category is Set topic.

    If you are running OIA BP3 and OIM 9.1.0.2 BP14a, or if you are running OIA BP4 and at least OIM 11gR1 BP3, you need to complete this step to set the parent attribute for each attribute category.

    Otherwise, complete this step as a validation step to verify that the parent attribute for each attribute category has been set appropriately.

  11. Verify that the resource metadata was properly imported into Oracle Identity Analytics either by accessing the Oracle Identity Analytics Resources Types tab (choose Configuration > Resources Types), or by following the steps in the To Verify That Each Import Job Completed Successfully topic.

To Import Resources

Note - An ITResource in OIM corresponds to a Resource in Oracle Identity Analytics.

  1. If necessary, log in to Oracle Identity Analytics, choose Administration > Configuration, and click Import/Export.

  2. To start the import resources job, choose Schedule Job > Import > Import Resources.

  3. Under Data Selection Source, select the appropriate Connection Name and click Next.

  4. Complete the form by typing a name and description for the job.

  5. Choose one of the following tasks:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  6. Click Finish to generate the import job.

    The import resources job runs on the scheduled date and time.

  7. Verify that the resources are imported into Oracle Identity Analytics from Identity Manager either by accessing the Oracle Identity Analytics Resources tab (choose Identity Warehouse > Resources), or by following the steps in the To Verify That Each Import Job Completed Successfully topic.

To Import Glossary Data
  1. If necessary, log in to Oracle Identity Analytics, choose Administration > Configuration, and click Import/Export.

  2. To start the import glossary job, choose Schedule Job > Import > Import Glossary.

  3. Under Data Selection Source, select the appropriate Connection Name and click Next.

  4. Complete the form by typing a name and description for the job.

  5. Choose one of the following tasks:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  6. Click Finish to generate the import job.

    The import glossary job runs on the scheduled date and time.

  7. Verify that the glossary data was imported into Oracle Identity Analytics from Identity Manager by following the steps in the To Verify That Each Import Job Completed Successfully topic.

To Import Entitlements, Users, and Accounts
  1. If necessary, log in to Oracle Identity Analytics, choose Administration > Configuration, and click Import/Export.

  2. To start a new import job, choose Schedule Job > Import > Import Entitlements, Users, and Accounts.

  3. Under Data Selection Source, select the appropriate Connection Name and click Next.

  4. Choose one of the following:

    • Load all resources defined in the system at the time the job is run - Choose this option to import data from all resources.

    • Load only those resources selected in the table - Choose this option to import data only from select resources. If you choose this option, select one or more resources in the table.

  5. Complete the form as follows:

    1. Type a name and description for the job.

    2. In the Data to Load section, select the Entitlements option if, in addition to accounts and users, you also want to import the users' entitlements data. Otherwise, clear the Entitlements option box and only the accounts and users data will be imported.

    3. In the Import Type section, choose one of the following:

      • Complete - All entities found on the OIM server will be imported.

      • Incremental - All OIM entities updated since the last successful import will be imported.

    4. Choose one of the following:

      • To run the job immediately, select the Run the Job Now option.

      • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  6. Click Finish to generate the import job.

    The import job runs on the scheduled date and time.

  7. Verify that the entitlements, users, and accounts are imported into Oracle Identity Analytics from Identity Manager either by accessing the Users View in Oracle Identity Analytics (choose Identity Warehouse > User), or by following the steps in the To Verify That Each Import Job Completed Successfully topic.

To Import Policies

Note - In OIA, a policy represents a specific privilege on a specific resource, whereas in OIM, a single access policy can represent multiple resources. Consequently, when importing an OIM policy that represents multiple resource types, OIA will create multiple policy instances (one policy instance per resource) and save the policy with the resource name appended to the policy name. Going forward, Oracle recommends that you not assign more than one resource to a policy in OIM.

  1. If necessary, log in to Oracle Identity Analytics, choose Administration > Configuration, and click Import/Export.

  2. To start the import policies job, choose Schedule Job > Import > Import Policies.

  3. Under Data Selection Source, select the appropriate Connection Name and click Next.

  4. Complete the form by typing a name and description for the job.

  5. Choose one of the following tasks:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  6. Click Finish to generate the import job.

    The import policies job runs on the scheduled date and time.

  7. Verify that the policies are imported into Oracle Identity Analytics from Identity Manager either by accessing the Oracle Identity Analytics Policies tab (choose Identity Warehouse > Policies), or by following the steps in the To Verify That Each Import Job Completed Successfully topic.

To Import Roles

Note - Groups defined in OIM are imported as Roles within Oracle Identity Analytics. In addition, the OIM Group-to-Access-Policy relationship is imported as a Roles-Policy relationship in Oracle Identity Analytics. For the import to work, you should have already successfully completed a Policy import.

In addition, the OIM Group-User relationship is imported and recreated as a Role-User relationship in Oracle Identity Analytics. To establish the Role-User relationship, verify that you have already imported Users.

  1. If necessary, log in to Oracle Identity Analytics, choose Administration > Configuration, and click Import/Export.

  2. To start the import roles job, choose Schedule Job > Import > Import Roles.

  3. Under Data Selection Source, select the appropriate Connection Name and click Next.

  4. Complete the form by typing a name and description for the job.

  5. Choose one of the following tasks:

    • To run the job immediately, select the Run the Job Now option.

    • To schedule the job for later, clear the Run the Job Now option and enter the details of the scheduled job.

  6. Click Finish to generate the import job.

    The import roles job runs on the scheduled date and time.

  7. Verify that the roles are imported into Oracle Identity Analytics from Identity Manager either by accessing the Oracle Identity Analytics Roles tab (choose Identity Warehouse > Resources), or by following the steps in the To Verify That Each Import Job Completed Successfully topic.

To Verify That Each Import Job Completed Successfully
  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Auditing & Events.

  3. Click Import/Export Logs.

  4. In the table, find the entries for your import jobs.

  5. Click the entry in the Description column to view the Import Log Details page.

  6. Verify that the number of Oracle Identity Manager export records (Number of Output Records) and the number of Oracle Identity Analytics import records (Number of Input Records) are the same.

To Validate That the Parent Attribute for Each Attribute Category is Set

After Importing Resource Metadata, complete this step as a validation step to verify that the parent attribute for each attribute category has been set appropriately.

Note - This procedure is required if you are running OIA BP3 and OIM 9.1.0.2 BP14a, or if you are running OIA BP4 and at least OIM 11gR1 BP3. Follow these steps to manually assign the parent attribute for each attribute category.

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Resource Type.

  4. Click the + for each namespace to see the attribute categories for the selected Resource Type.

  5. Click an attribute category. Attribute categories correspond to the child forms in OIM.

    In this example, the
  6. Click Properties in the menu.

    The Attribute Category Properties dialog box opens.

  7. Do the following:

    • Verify that the Link Attributes option is selected and that the Parent list is set to the field that was marked as the OIAParentAttribute in OIM.

    • If the correct field is not selected, choose the correct parent attribute from the Parent list and click Save.

Step 7: Configure the Oracle Identity Analytics (OIA) Workflows to Export Data to Oracle Identity Manager (OIM)

This section describes how to configure workflows to export data in near real-time from Oracle Identity Analytics (OIA) to Oracle Identity Manager (OIM). As noted earlier, all roles are defined and created in Oracle Identity Analytics. Hence, Oracle Identity Analytics is the authoritative source for role management, role membership, and policy entitlement definitions.

For information about closed loop compliance, see the Oracle Identity Analytics Web Services section.

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Workflows.

    A list of workflows displays.

  4. The following three configuration files need to be modified:

    • Role-creation

    • Role-modification

    • Role-membership

      Modify each configuration file as follows:

  5. Click the workflow name.

    1. In the Steps table, scroll down and click the Finish step.

      The Edit Workflow Step page opens.

    2. Click Add Pre-Functions.

      The Pre-Functions pop-up opens.

    3. In the pop-up, select "Export IAM Role Function."

    4. Choose the Oracle Identity Manager connection name that you created previously.

    5. Click Save.

      Repeat these steps until the Role-creation, Role-modification, and Role-membership workflows have been modified.

Step 8: Review Oracle Identity Manager Automatic Role Assignment and Role Management Settings

When integrating with Oracle Identity Analytics, Oracle recommends that you no longer use OIM Automatic Role Assignment and Role Management.