Oracle® Fusion Middleware Release Notes for Identity Synchronization for Windows 6.0 Service Pack 1 11g Release 1 (11.1.1.7.0) Part Number E28964-01
This chapter provides important information about software related to Identity Synchronization for Windows 6.0 Service Pack 1. In some cases you may have to resolve related software issues before you can run the Identity Synchronization for Windows 6.0 Service Pack 1 installer. This chapter contains the following sections:
Included with the Identity Synchronization for Windows bundle is the critical ISW 6.0SP1 CUMIL5 patch set. This patch set should be installed after ISW core installation, but before the Java console is used to create a configuration for ISW.
See the README file contained in the HotFix-6.0SP1_COMBO_5_20110722 bundle. Instructions for installing the ISW 6.0SP1 CUMIL5 patch set are contained in the installation and migration overview sections for each platform. The patch set is Java-based, and it works similarly on all supported platforms.
Identity Synchronization for Windows 6.0 Service Pack 1 requires the installation and configuration of Message Queue software. This guide provides instructions for installing or upgrading Message Queue to the 4.3 release.
If you are installing a new instance of Identity Synchronization for Windows, you must first complete the steps for installing NSS and NSPR components, the included JDK, and Message Queue.
If you are migrating from version 6.0 or from an earlier 6.0 Service Pack 1 installation of Identity Synchronization for Windows, you must complete the steps for cleaning up and exporting the configuration before upgrading your Message Queue installation.
For detailed instructions, see the "Preparing for Migration" section of one of the following platform-based chapters:
Chapter 4, "Migrating from Identity Synchronization for Windows 6.0 on Windows"
Chapter 6, "Migrating from Identity Synchronization for Windows 6.0 on Solaris"
Chapter 8, "Migrating from Identity Synchronization for Windows 6.0 on Linux"
Identity Synchronization for Windows 6.0 Service Pack 1 also supports Message Queue 3.7 Update 1 (the version that is provided with Java Enterprise System 5 update 1).
To determine which Message Queue version you are running, run the imqbrokerd command with the -version option.
# /usr/bin/imqbrokerd -version
# /opt/sun/mq/bin/imqbrokerd -version
C:\Program Files\Sun\MessageQueue\mq\bin\imqbrokerd -version
See the Sun Java System Message Queue 4.3 Installation Guide. The complete Message Queue 4.3 documentation is available at http://download.oracle.com/docs/cd/E19340-01/index.html
Note:
The graphic installer must not be run on a sub-display other than 0. If the Message Queue installer fails to start, then make sure that your DISPLAY environment variable is set to host:display.0.
If you are running a pre-3.6 version of Message Queue, then use the following steps to upgrade your installation.
Run the installer:
# cd ODSEE_Identity_Synchronization_for_Windows/mq4_3-installer/
# ./installer
C:\install\odsee-11.1.1.5.0\ODSEE_Identity_Synchronization_for_Windows\mq4_3-installer C:\run installer.vbs
where C:\install\odsee-11.1.1.5.0\ is the directory where the download zip was unpacked.
The Installer's Welcome screen is displayed. Click Next.
Read and accept the product license agreement.
Make sure the radio button labeled "I accept the terms in the license agreement" is selected, then click Next.
In the JDK Selection screen, specify the version 1.5.0_29 JDK installed for Identity Synchronization for Windows, then click Next.
In the Multilingual Packages screen, specify whether to install multilingual packages, then click Next.
By default, Message Queue is installed to operate in the English language only. The Multilingual Packages screen allows you to install it for use in another language.
In the Upgrade screen, make sure the radio button labeled "Upgrade" is selected, then click Next.
If an earlier version of Message Queue exists on your system, or if any of the shared components on which Message Queue depends need to be upgraded from earlier versions, the Upgrade screen displays them in a scrollable list along with their current and required versions. If no upgrades are needed, the existing components are simply listed with their version numbers and a notation that they will remain at their current versions. In this case, the "Upgrade" and "Do not upgrade" radio buttons do not appear; just click Next to proceed to the next step.
Caution:
It is possible that upgrading Message Queue's shared components may break other software components on your system that depend on the earlier versions previously installed. Be sure there are no such dependencies before proceeding with the upgrade.
In the Ready to Install screen, click Install.
In the Register window, provide the required information and then click Next.
In the Create an Account screen, provide the required information, and then click Next.
In the Installer Summary screen, you can review the installation status and then click Exit.
You can now install Identity Synchronization for Windows.
Identity Synchronization for Windows can be configured to work with "Domain Global Security" as well as "Domain Global Distribution" groups on Active Directory. If you use Identity Synchronization for Windows 6.0 Service Pack 1 to synchronize groups, you must use the following configuration:
Map the following Directory Server (DS) attributes to Active Directory (AD):
DS uid to AD samaccountname
DS cn to AD cn
Define the creation expression.
For Directory Server, the default is uid=%uid%,sync_base.
For Active Directory, the default is cn=%cn%,sync_base.
In Directory Server, specify the uid attribute as the RDN for synchronized groups.
In spite of this configuration, group synchronization still has the following limitations:
Concurrent modifications of a specific attribute are not supported with synchronized groups.
Synchronization of nested groups fails.
If you create new users in Directory Server, and add those users to an existing group, the users must also be created in the corresponding connector before the synchronization of that group between Directory Server and Active Directory will work.
Synchronization between Identity Synchronization for Windows 6.0 Service Pack 1 and Active Directory 2008 (including R2 and R2+) is supported, with the following restrictions:
Fine-grained password policies.
These are supported, as long as the service complies with the configuration described here.
Active Directory, up to and including version 2003, uses Group Policy (GPO) that is global and domain-wide. The password policy and account lockout settings are therefore global in nature. In Active Directory 2008, domain level, fine-grained PSOs (password setting objects) can be configured for individual users or groups. Identity Synchronization for Windows 6.0 Service Pack 1 requires the password policy and account lockout settings to be uniform between Active Directory and Directory Server. This uniformity must include the PSOs, to avoid unpredictable behavior. Specifically, the following PSO attributes must have the same values in Active Directory and Directory Server:
msDS-LockoutThreshold
Determines how many failed password attempts are allowed before locking out a user account.
msDS-LockoutObservationWindow
Determines the time after which a bad password counter is reset.
msDS-LockoutDuration
Determines how long an account is locked out after too many failed password attempts.
Read-only domain controllers.
These are not supported. Identity Synchronization for Windows 6.0 Service Pack 1 uses failover servers for all operations. Unlike Directory Server read-only replicas, a read-only domain controller cannot be part of the Active Directory failover setup.
A Directory Server replica uses a password plug-in that redirects all writable requests to the masters. This functionality cannot be provided in Active Directory, as there is no such plug-in.
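As an added illustration, not taken from the release notes or the product, the following Python compares the three PSO attributes listed above with the lockout settings of a Directory Server password policy, converting Active Directory's negative 100-nanosecond intervals to seconds so the two sides can be checked for the uniformity the notes require. The Directory Server attribute names, the PSO DN and the sample values are assumptions constructed for the example.

```python
# Compare Active Directory PSO lockout settings with a Directory Server password
# policy, which the release notes require to be uniform between the two.
# AD stores the observation window and lockout duration as negative counts of
# 100-nanosecond intervals; Directory Server keeps the equivalents in seconds.
HUNDRED_NS_PER_SECOND = 10_000_000

def ad_interval_to_seconds(value):
    """Convert an AD negative 100-ns interval (as a string) to whole seconds."""
    return -int(value) // HUNDRED_NS_PER_SECOND

# PSO attribute -> (Directory Server attribute, converter). The DS attribute
# names are an assumption about the DS password policy entry, not from the page.
PSO_TO_DS = {
    "msDS-LockoutThreshold": ("passwordMaxFailure", int),
    "msDS-LockoutObservationWindow": ("passwordResetFailureCount", ad_interval_to_seconds),
    "msDS-LockoutDuration": ("passwordLockoutDuration", ad_interval_to_seconds),
}

def parse_ldif(text):
    """Parse one LDIF entry as printed by ldapsearch into an attribute -> value dict."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            attr, value = line.split(":", 1)
            entry[attr.strip()] = value.strip()
    return entry

def compare_lockout_policy(pso_ldif, ds_ldif):
    """Return (pso_attr, ad_value, ds_value) for each setting that differs;
    an attribute missing on either side is reported as None."""
    pso, ds = parse_ldif(pso_ldif), parse_ldif(ds_ldif)
    mismatches = []
    for pso_attr, (ds_attr, convert) in PSO_TO_DS.items():
        ad_value = convert(pso[pso_attr]) if pso_attr in pso else None
        ds_value = int(ds[ds_attr]) if ds_attr in ds else None
        if ad_value != ds_value:
            mismatches.append((pso_attr, ad_value, ds_value))
    return mismatches

# Constructed sample ldapsearch output: 5 attempts, 30-minute window and lockout.
SAMPLE_PSO = """dn: CN=ISWPolicy,CN=Password Settings Container,CN=System,DC=example,DC=com
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: -18000000000
msDS-LockoutDuration: -18000000000
"""
# Constructed DS policy whose lockout duration was left at one hour (3600 s).
SAMPLE_DS = """dn: cn=Password Policy,cn=config
passwordMaxFailure: 5
passwordResetFailureCount: 1800
passwordLockoutDuration: 3600
"""
```

Feed it the output of an ldapsearch against the PSO and against the Directory Server policy entry; an empty result means the three settings agree.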
Note:
Windows Server 2008 is not a supported installation platform for Identity Synchronization for Windows. So, although you can synchronize with Active Directory 2008 data, installing Identity Synchronization for Windows 6.0 Service Pack 1 on Windows Server 2008 is not supported. For more information, see Chapter 1, "Software Requirements".
Windows 2008 does not alleviate the current group synchronization restrictions that are described in Configuring Group Synchronization.
Verify any LDAP filters you plan on using within the SUL configuration by testing them with the ldapsearch command provided with Directory Server Enterprise Edition. Verify your configured search base as well as filters for both the Active Directory and Directory Server Enterprise Edition LDAP servers with which you will be synchronizing.
Also, a group and its members should be defined in the same SUL. Members of a group are not synchronized if they are defined in a different SUL than their group.
By default, Identity Synchronization for Windows 6.0 Service Pack 1 is configured with a client time-out period of two minutes. If your Active Directory server is under a heavy load, this setting can be too short and cause failures between the two servers. In this case, increase the client timeout setting. Complete the following steps.
Stop Identity Synchronization for Windows.
Make a backup of the WatchList.properties file.
By default, this file is located here:
/var/opt/SUNWisw/resources/WatchList.properties
/var/opt/sun/isw/resources/WatchList.properties
C:\Program Files\Sun\MPS\isw-win2k3-isw\resources\WatchList.properties
In WatchList.properties, change the value of the following setting.
-Dcom.sun.directory.wps.CLIENT_TIME_LIMIT=value
where value is the maximum number of milliseconds to wait for an operation to complete. The value must be from 0 through 600000. A value of 0 specifies that the client waits for the server to complete the operation. The default value is the recommended minimum of 120000 milliseconds.
The following example sets CLIENT_TIME_LIMIT to 300,000 milliseconds, or 5 minutes.
-Dcom.sun.directory.wps.CLIENT_TIME_LIMIT=300000
Save and close the WatchList.properties file.
Restart Identity Synchronization for Windows.
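The steps above, as an added example rather than the product's own tooling: a Python helper that backs up WatchList.properties and rewrites the CLIENT_TIME_LIMIT option after checking the 0 through 600000 range and flagging values below the recommended minimum. The sample file content and its key name are constructed assumptions; only the -D option itself comes from the release notes.

```python
# Set -Dcom.sun.directory.wps.CLIENT_TIME_LIMIT in WatchList.properties after
# validating the value, and keep a backup as the procedure above requires.
import re
import shutil
import warnings
from pathlib import Path

OPTION = "-Dcom.sun.directory.wps.CLIENT_TIME_LIMIT="
MIN_MS, MAX_MS = 0, 600000       # allowed range from the release notes
RECOMMENDED_MIN_MS = 120000      # the documented default and recommended minimum
_OPTION_RE = re.compile(re.escape(OPTION) + r"\d+")

def set_client_time_limit(text, value_ms):
    """Return the properties text with CLIENT_TIME_LIMIT set to value_ms.
    Raises ValueError if the value is out of range or the option is absent."""
    if not MIN_MS <= value_ms <= MAX_MS:
        raise ValueError(f"CLIENT_TIME_LIMIT must be {MIN_MS}..{MAX_MS} ms, got {value_ms}")
    if 0 < value_ms < RECOMMENDED_MIN_MS:
        warnings.warn(f"{value_ms} ms is below the recommended minimum of {RECOMMENDED_MIN_MS} ms")
    new_text, count = _OPTION_RE.subn(OPTION + str(value_ms), text)
    if count == 0:
        raise ValueError("CLIENT_TIME_LIMIT option not found in WatchList.properties")
    return new_text

def update_watchlist(path, value_ms):
    """Back up the file to <name>.bak, then rewrite it with the new time limit.
    Run this only while Identity Synchronization for Windows is stopped."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(set_client_time_limit(path.read_text(), value_ms))

# Constructed fragment standing in for WatchList.properties; the key name is
# hypothetical, only the -D option itself comes from the release notes.
SAMPLE = (
    "# constructed sample, not a real WatchList.properties\n"
    "process.java.args=-Dcom.sun.directory.wps.CLIENT_TIME_LIMIT=120000 -Xmx256m\n"
)
```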
When Identity Synchronization for Windows 6.0 Service Pack 1 is uninstalled, the productregistry file may not be updated.
After uninstalling Identity Synchronization for Windows, use a text editor to edit one of the following files, depending on your installation.
/var/sadm/install/productregistry
/var/opt/sun/install/productregistry
C:\WINDOWS\SysWOW64\productregistry
You can also use Windows Explorer to search for productregistry under your C:\WINDOWS path.
If the file still contains any entries for isw, delete them.