Oracle Identity Analytics System Integrator's Guide 11g Release 1 |
1. Integrating With Oracle Identity Manager, Preferred Method
2. Integrating With Oracle Identity Manager, Deprecated Method
Understanding Terminology in Oracle Identity Analytics and Oracle Identity Manager
Step 1: Enable Oracle Identity Manager as a Provisioning Server Option
Step 2: Copy the Required .jar Files
Step 3: Designate Oracle Identity Manager as the Provisioning Server
Step 4: Enable Real-Time Updates from Oracle Identity Analytics to Oracle Identity Manager
Populating Oracle Identity Analytics With User Information From Oracle Identity Manager
Use Case 1: Importing Global Users From Oracle Identity Manager Into Oracle Identity Analytics
To Import Users From Oracle Identity Manager Into Oracle Identity Analytics
Use Case 2: Importing Resource Metadata From Oracle Identity Manager Into Oracle Identity Analytics
To Import Resource Metadata From Identity Manager Into Oracle Identity Analytics
Use Case 3: Importing Resources From Identity Manager Into Oracle Identity Analytics
To Import Resources From Identity Manager Into Oracle Identity Analytics
Use Case 4: Importing Roles From Identity Manager Into Oracle Identity Analytics
To Import Role From Identity Manager Into Oracle Identity Analytics
Populating Oracle Identity Manager With Roles Information From Oracle Identity Analytics
Use Case 1: Exporting Roles From Oracle Identity Analytics to Identity Manager
To Export Roles to Identity Manager
Understanding Closed Loop Compliance
To Configure Resources in Oracle Identity Analytics for Remediation
To Configure Certifications in Oracle Identity Analytics for Remediation
3. Integrating With Oracle Waveset (Sun Identity Manager)
4. Integrating With Other Provisioning Servers
6. Integrating With Intellitactics Security Manager
7. Configuring Oracle Identity Analytics For Web Access Control
Before You Begin -
At least version 9.1.0.2 BP5 of Oracle Identity Manager and at least version 11gR1 of Oracle Identity Analytics are required.
Oracle Identity Manager should be installed and configured.
In Oracle Identity Analytics add Oracle Identity Manager as a provisioning server option. ("Sun Identity Manager" and "File" are the default options.)
See Step 1: Enable Oracle Identity Manager as a Provisioning Server Option
Copy the required Oracle Identity Manager API JAR files to Oracle Identity Analytics.
In Oracle Identity Analytics, designate Oracle Identity Manager as the provisioning server. Establish a connection by entering authentication details.
See Step 3: Designate Oracle Identity Manager as the Provisioning Server
To send real time changes from Oracle Identity Analytics to Oracle Identity Manager, change the Oracle Identity Analytics configuration files related to workflows.
Step 1: Enable Oracle Identity Manager as a Provisioning Server Option
In the Oracle Identity Analytics user interface, the Administration > Configuration > Provisioning Servers tab displays "file" and "sun" as the available options. To display Oracle Identity Manager as a supported provisioning server, edit iam-context.xml in the RBACX_Home/WEB-INF folder as follows.
First, uncomment the "oracle" key entry in the iamSolutions property map in iam-context.xml:
<bean id="rbacxIAMService" parent="baseTransactionProxy">
  <property name="target">
    <bean class="com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl" parent="baseServiceSupport">
      <property name="iamSolutions">
        <map>
          <entry key="sun">
            <ref local="waveset"/>
          </entry>
          <!--entry key="ca">
            <ref local="eTrust"/>
          </entry-->
          <!--entry key="ibm">
            <ref local="tim"/>
          </entry-->
          <entry key="oracle">
            <ref local="oim"/>
          </entry>
          <entry key="file">
            <ref local="file"/>
          </entry>
        </map>
      </property>
The second change to this file is to uncomment the "oim" bean definition:
<bean id="oim" class="com.vaau.rbacx.iam.oracle.OIMIAMSolution" parent="abstractIAMSolution">
  <property name="metadataManager" ref="metadataManager"/>
  <property name="namespaceMap">
    <map>
      <!-- This mapping fetches the attributes from the appropriate object form (AD User).
           It states that, for the "AD Server" resource type, attributes are imported
           from the "AD User" object form in OIM. -->
      <entry key="AD Server">
        <value>AD User</value>
      </entry>
    </map>
  </property>
  <property name="resourceFieldMap">
    <map>
      <!-- This mapping identifies the field that is the ITResourceLookupField for each
           resource type. (Oracle Identity Manager "IT resources" map to resources in
           Oracle Identity Analytics.) For the "AD Server" resource type, the mapping
           defines that the "UD_ADUSER_AD" column field corresponds to the ITResource entry. -->
      <entry key="AD Server">
        <value>UD_ADUSER_AD</value>
      </entry>
    </map>
  </property>
  <property name="accountIdentifierMap">
    <map>
      <entry key="AD Server">
        <value>UD_ADUSER_UID</value>
      </entry>
    </map>
  </property>
  <property name="secPolicyMap">
    <map>
      <entry key="RACF Account">
        <value>Server,Group</value>
      </entry>
    </map>
  </property>
  <property name="maxStaleDays">
    <value>${com.vaau.rbacx.iam.oracle.maxStaleDays}</value>
  </property>
  <property name="excludeFlag">
    <value>${com.vaau.rbacx.iam.oracle.excludeFlag}</value>
  </property>
  <property name="roleDao">
    <ref bean="roleDao"/>
  </property>
  <property name="policyManager">
    <ref bean="policyManager"/>
  </property>
  <property name="userProperties">
    <map>
      <entry key="userName">
        <value>Users.User ID</value>
      </entry>
      <entry key="firstName">
        <value>Users.First Name</value>
      </entry>
      <entry key="lastName">
        <value>Users.Last Name</value>
      </entry>
      <entry key="middleName">
        <value>Users.Middle Name</value>
      </entry>
      <entry key="manager">
        <value>Users.Manager Login</value>
      </entry>
      <entry key="primaryEmail">
        <value>Users.Email</value>
      </entry>
      <entry key="employeeType">
        <value>Users.Role</value>
      </entry>
      <entry key="startDate">
        <value>Users.Start Date</value>
      </entry>
      <entry key="endDate">
        <value>Users.End Date</value>
      </entry>
      <entry key="createDate">
        <value>Users.Provisioned Date</value>
      </entry>
    </map>
  </property>
  <property name="customProperties">
    <list>
      <value>Users.Email</value>
      <value>Organizations.Organization Name</value>
      <value>USR_UDF_LOCATION</value>
      <value>Users.Deprovisioning Date</value>
      <value>Users.Xellerate Type</value>
      <value>Users.Identity</value>
      <value>Users.Lock User</value>
      <value>Users.Disable User</value>
      <value>Users.Role</value>
    </list>
  </property>
</bean>
Step 2: Copy the Required .jar Files
Copy the following Oracle Identity Manager Java API JAR files (located in $OIM_HOME/xellerate/lib/) to the Oracle Identity Analytics $RBACX_HOME/WEB-INF/lib folder:
wlXLSecurityProviders.jar
xlAPI.jar
xlAuthentication.jar
xlCache.jar
xlCrypto.jar
xlDataObjectBeans.jar
xlDataObjects.jar
xlLogger.jar
xlScheduler.jar
xlUtils.jar
xlVO.jar
Copy the following Oracle Identity Manager Java API JAR file (located in the client/ext folder) to the Oracle Identity Analytics $RBACX_HOME/WEB-INF/lib folder:
iam-platform-utils.jar
If you are deploying to a JBoss or WebLogic application server, also copy the matching client JAR file:
If deploying to a JBoss application server, copy jbossall-client.jar.
If deploying to a WebLogic application server, copy oim_design_console\xlclient\ext\wlfullclient.jar.
Note - The wlfullclient.jar is required only if Oracle Identity Analytics and Oracle Identity Manager are in different WebLogic domains. This JAR file allows client applications, such as Oracle Identity Analytics, to communicate with the WebLogic Server over the T3 protocol. If you deploy OIA and OIM to the same WebLogic domain, skip this step; otherwise you may receive an error similar to the following:
Caused By: java.lang.LinkageError: loader constraint violation: loader (instance of weblogic/utils/classloaders/ChangeAwareClassLoader) previously initiated loading for a different type with name "javax/xml/namespace/QName"
If wlfullclient.jar is not present in Oracle Identity Manager, follow these steps to generate it:
Type cd <WLS-HOME>/server/lib, where <WLS-HOME> is the base WebLogic installation directory.
Type java -jar wljarbuilder.jar
Copy the generated wlfullclient.jar file to the $RBACX_HOME/WEB-INF/lib folder.
Copy the following 11g Oracle Identity Manager Java API JAR files to Oracle Identity Analytics:
Copy $OIM_HOME/server/client/oimclient.jar to $OIA-HOME/WEB-INF/lib
Note - If this JAR file is not present, you will receive the following exception during integrated operations:
java.lang.NoClassDefFoundError: oracle/iam/platform/OIMClient
at Thor.API.tcUtilityFactory.<init>(tcUtilityFactory.java:154)
at com.vaau.rbacx.iam.oracle.OIMIAMSolution.getUtilityFactory(OIMIAMSolution.java:2595)
at com.vaau.rbacx.iam.oracle.OIMIAMSolution.readUsers(OIMIAMSolution.java)
Copy the OIM 11g logger JAR file, xlLogger10g.jar, to $OIA-HOME/WEB-INF/lib
Note - If this JAR file is not present, you will receive the following error during integrated operations:
Caused by: java.lang.NoClassDefFoundError: com/thortech/util/logging/Logger
at Thor.API.tcUtilityFactory.<clinit>(tcUtilityFactory.java:80)
at com.vaau.rbacx.iam.oracle.OIMIAMSolution.getUtilityFactory(OIMIAMSolution.java:2595)
at com.vaau.rbacx.iam.oracle.OIMIAMSolution.readUsers(OIMIAMSolution.java:770)
at com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl.importUsers(RbacxIAMServiceImpl.java:119)
Step 3: Designate Oracle Identity Manager as the Provisioning Server
Log in to Oracle Identity Analytics.
Choose Administration > Configuration.
Click Provisioning Servers.
Click New Provisioning Server Connection.
The New Provisioning Server Connection wizard asks you to choose the type of provisioning server connection that you want to create.
From the Type of Provisioning Server Connection drop-down menu, select Oracle and click Next.
Complete the form:
Server Name - Type the connection object name.
Xellerate Home - Type the path to the Xellerate home directory in OIM, the directory that holds its config folder. (example: C:\oracle\xellerate)
Login Config - Type the path to the authentication configuration file (auth.conf). (example: C:\oracle\xellerate\config\auth.conf)
Provider URL - Type the provider URL. The format for this field depends on the application server:
WebLogic - t3://host:7001
JBoss - jnp://host:1099 (The default port number in a clustered environment is 1100.)
WebSphere - corbaloc:iiop:host:2809
Initial Context Factory - Enter the name of the environment property for specifying the initial context factory. The default values are as follows:
WebLogic - weblogic.jndi.WLInitialContextFactory
JBoss - org.jnp.interfaces.NamingContextFactory
WebSphere - com.ibm.websphere.naming.WsnInitialContextFactory
User Name - Enter the OIM user name. (example: xelsysadm)
Password - Enter the OIM password.
Step 4: Enable Real-Time Updates from Oracle Identity Analytics to Oracle Identity Manager
To send real-time changes from Oracle Identity Analytics to Oracle Identity Manager, change the configuration files related to workflows.
For example, the following code snippet has to be enabled in the "Finish" step (step 6) of role-creation-workflow.xml:
<!--<function name="exportIAMRoleFunction" type="spring">
  <arg name="bean.name">exportIAMRoleFunction</arg>
  <arg name="iamConnectionName"/>
</function>-->
This becomes the following:
<function name="exportIAMRoleFunction" type="spring">
  <arg name="bean.name">exportIAMRoleFunction</arg>
  <arg name="iamConnectionName">OIMConnectionObjectName</arg>
</function>
Note — OIMConnectionObjectName is the name of the connection object you define in Step 2. Similar changes have to be made for all role-related workflows: role-modification-workflow.xml, role-user-membership-workflow.xml, role-user-membership-activation-workflow.xml.
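The two XML edits above (the iam-context.xml changes in Step 1 and the workflow changes in Step 4) are easy to leave half done, for example with the entry still inside a comment or the iamConnectionName argument still empty. The following pre-flight check is an added example written for this page, not code from Oracle or from the OIA product; the sample XML documents it parses are constructed and deliberately reduced to the elements the check looks at, and the connection name "MyOIM" is assumed.

```python
# Added pre-flight check (not part of the Oracle guide): parses iam-context.xml
# and a role workflow file and reports whether the "oracle" provisioning-server
# entry, the "oim" bean and the exportIAMRoleFunction step are really enabled.
# ElementTree drops XML comments, so an entry that is still commented out is
# simply absent from the tree, which is exactly the misconfiguration to catch.
import xml.etree.ElementTree as ET

OIM_CLASS = "com.vaau.rbacx.iam.oracle.OIMIAMSolution"

def iam_context_problems(xml_text):
    """Return a list of problems found in an iam-context.xml document."""
    root = ET.fromstring(xml_text)
    problems = []
    # 1. The iamSolutions map needs an active <entry key="oracle"> -> <ref local="oim"/>.
    entries = root.findall(".//property[@name='iamSolutions']/map/entry[@key='oracle']")
    refs = [r.get("local") for e in entries for r in e.findall("ref")]
    if "oim" not in refs:
        problems.append('iamSolutions map has no active entry key="oracle" -> ref local="oim"')
    # 2. The oim bean itself must be uncommented and point at the OIM solution class.
    oim = root.find(".//bean[@id='oim']")
    if oim is None:
        problems.append('bean id="oim" is missing (still commented out?)')
    elif oim.get("class") != OIM_CLASS:
        problems.append('bean id="oim" has unexpected class %s' % oim.get("class"))
    return problems

def workflow_problems(xml_text, connection_name):
    """Return problems with the exportIAMRoleFunction step of a role workflow file."""
    fn = ET.fromstring(xml_text).find(".//function[@name='exportIAMRoleFunction']")
    if fn is None:
        return ["exportIAMRoleFunction is not enabled (still commented out?)"]
    arg = fn.find("arg[@name='iamConnectionName']")
    value = (arg.text or "").strip() if arg is not None else ""  # <arg .../> gives ""
    if value != connection_name:
        return ["iamConnectionName is %r, expected provisioning server %r" % (value, connection_name)]
    return []

# Constructed samples (not from a real installation): a correct configuration
# and the same file with the relevant element still commented out.
GOOD_CONTEXT = """<beans><bean id="rbacxIAMService"><property name="target"><bean>
<property name="iamSolutions"><map><entry key="sun"><ref local="waveset"/></entry>
<entry key="oracle"><ref local="oim"/></entry></map></property></bean></property></bean>
<bean id="oim" class="com.vaau.rbacx.iam.oracle.OIMIAMSolution"/></beans>"""
BAD_CONTEXT = GOOD_CONTEXT.replace('<entry key="oracle">', '<!--entry key="oracle">').replace(
    '<ref local="oim"/></entry>', '<ref local="oim"/></entry-->')
GOOD_WORKFLOW = """<workflow><step id="6"><function name="exportIAMRoleFunction" type="spring">
<arg name="bean.name">exportIAMRoleFunction</arg><arg name="iamConnectionName">MyOIM</arg>
</function></step></workflow>"""
BAD_WORKFLOW = GOOD_WORKFLOW.replace("<function", "<!--<function").replace("</function>", "</function>-->")
```

Run it against the real RBACX_Home/WEB-INF/iam-context.xml and each role workflow file before restarting OIA; an empty list from both functions means the edits took effect.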