2 Provisioning Gateway Settings

This chapter provides information about using the settings that configure Provisioning Gateway.

2.1 Web Service Account Settings

Use the Web Service Account page to set or change the Anonymous Logon for IIS Web Services. The Provisioning Gateway Web service runs as this domain account. The Web Service Account dialog displays the current Anonymous Logon account and provides a logon form for changing this account.

Note:

You must be authenticated to the Provisioning Gateway Console as a member of the administrator group of the Provisioning Gateway Web server to change the account.

The Web service account requires the following privileges:

  • Read and write access to the Registry path HKLM\Software\Passlogix.

  • Connect, read, and write access to the storage, if the storage is Active Directory or AD LDS (ADAM).

To change the Web service account, type in the account User Name (in the format Domain\Username) and Password, confirm the password, and click Save.

2.2 Storage Settings

Use the Storage page to view or change connection settings for the directory service (Oracle Internet Directory, Microsoft Active Directory, Microsoft AD LDS (ADAM), IBM LDAP Directory, or Sun Directory Server) being used as the repository for Provisioning Gateway data.

When you have completed your changes, click Save Changes to apply the new settings to Provisioning Gateway. After the storage settings are saved, you will be prompted to re-authenticate to Provisioning Gateway.

The information on this page is encrypted and saved to the registry under HKLM\Software\Passlogix\PM\Server\Storage.

Setting Value
*Storage Type
    Choose one of the following storage locations:
      • Oracle Internet Directory
      • Oracle Directory Server Enterprise Edition
      • Oracle Virtual Directory
      • Sun Directory Server
      • Microsoft Active Directory
      • Microsoft AD LDS (ADAM)
      • IBM LDAP Directory
      • Novell eDirectory

*Server
    Enter either the name or the IP address of the server, followed by the configured port number; for instance, example.oracle.com:389 (if not using SSL) or example.oracle.com:636 (if using a secured connection with SSL).

*Root DN
    The root directory. For example, DC=mydir,DC=com.

Provide this setting for Oracle Directories, Active Directory, IBM LDAP Directory, Novell eDirectory, and Sun Directory Server storage only:

*User Path(s)
    The fully qualified path indicating the location of user accounts. There is no limit on the number of paths to search. The paths are searched in the order they are entered and are separated by a semicolon (;). For example, CN=users,DC=mydir,DC=com

Provide these settings for Active Directory and/or AD LDS (ADAM) storage only:

Prepend Domain
    Select this option to add the user's domain to the username when naming the user's container. For example, for the domain oracle and user jamesk, the container is named jamesk with this option disabled and oracle.jamesk with it enabled.

Provide this setting for Active Directory storage only:

Locate in User
    Select to enable searching for Provisioning Gateway user data under the Active Directory user objects.

Provide this setting for Sun LDAP storage only:

User Prepend
    Specifies the user naming attribute for user objects in the directory. This setting is used to form the relative distinguished name (RDN) of a user object. Typical values are CN or UID.

Provide these settings for Oracle Directories, IBM LDAP Directory, Novell eDirectory, or Sun Directory Server storage only:

*Connect as User
    The user name of the directory administrator.

*Password
    The password of the directory administrator.

Provide this setting for Oracle Directories, Active Directory, IBM LDAP Directory, Novell eDirectory, or Sun Directory Server storage only:

Use secure connection (SSL)
    Select to connect to the directory over SSL.

If using Configuration Objects or Role/Group support, provide these settings for all directory storage types:

Use configuration objects instead of application list
    Select to enable the use of configuration objects (COs) instead of application configuration lists, also known as entlists.

    The Provisioning Gateway Server obtains the access control rights of its provisioning clients by searching the directory for provisioning objects. It finds only the objects to which it has access.

Role/Group support
    Select to enable Role/Group-based access control of administrative users. Enabling Role/Group support also activates configuration object support.

    If Role/Group support is enabled, permissions should be specified. If no permissions are specified, all users and groups are denied access for all actions by default.

    See Chapter 4, "Setting Up Role or Group Support" for information on setting up permissions.

Configuration and role/group objects root DN
    Specifies where to begin the search for configuration and provisioning objects. The search moves from the specified location downward. For example, ou=vgoconfig,dc=test2003,dc=com or dc=passlogix,dc=com.

    The path to this container must exist and contain at least one template before these storage settings are entered. The template can be in a sub-container rather than in the path itself. If this container does not exist, you will get an error message.


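As an added example (not part of this guide or of the product), a small Python helper that checks Storage page values the way an administrator would before clicking Save Changes: it splits Server into host and port, splits User Path(s) in search order, derives the user container name with and without Prepend Domain and the user RDN from User Prepend, and flags an SSL setting that does not match the port. The sample values, the check that each user path lies under the Root DN, and all function names are assumptions.

```python
# Constructed sample of the Storage page settings (hypothetical values).
SAMPLE_STORAGE = {
    "Storage Type": "Microsoft Active Directory",
    "Server": "dc01.example.test:389",
    "Root DN": "DC=example,DC=test",
    "User Path(s)": "CN=Users,DC=example,DC=test; OU=Staff,DC=example,DC=test",
    "Prepend Domain": True,
    "Use secure connection (SSL)": True,
}

def parse_server(server: str) -> tuple[str, int]:
    """Split the Server setting (host:port) into its host and numeric port."""
    host, sep, port = server.strip().rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"Server must be 'host:port', got {server!r}")
    return host, int(port)

def parse_user_paths(user_paths: str) -> list[str]:
    """Split the semicolon-separated User Path(s) setting; list order is the search order."""
    return [p.strip() for p in user_paths.split(";") if p.strip()]

def user_container_name(username: str, domain: str, prepend_domain: bool) -> str:
    """Name of the user's container with or without the Prepend Domain option."""
    return f"{domain}.{username}" if prepend_domain else username

def user_rdn(username: str, user_prepend: str = "CN") -> str:
    """RDN of a user object formed from the User Prepend naming attribute (Sun LDAP)."""
    return f"{user_prepend}={username}"

def check_storage_settings(settings: dict) -> list[str]:
    """Consistency findings an administrator would want before saving (assumed checks)."""
    findings = []
    _, port = parse_server(settings["Server"])
    ssl = bool(settings.get("Use secure connection (SSL)", False))
    if ssl and port == 389:
        findings.append("SSL is enabled but port 389 is the plaintext LDAP port; use 636")
    if not ssl:
        findings.append("SSL is disabled: directory traffic, including credentials, is unencrypted")
    paths = parse_user_paths(settings.get("User Path(s)", ""))
    if not paths:
        findings.append("No User Path(s) configured; no user accounts can be located")
    root = settings.get("Root DN", "").replace(" ", "").lower()
    for p in paths:  # assumed check: every user path should sit under the Root DN
        if root and not p.replace(" ", "").lower().endswith(root):
            findings.append(f"User path {p!r} is not under Root DN {settings['Root DN']!r}")
    return findings
```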
2.3 Event Log Settings

Use the Event Log page to configure the server where events will be logged. When you have completed your changes, click Save Changes to apply the new settings to Provisioning Gateway.

Setting Description
Database Type
    Select the database you are using:
      • Oracle database
      • Microsoft SQL Server
      • Syslog Daemon

    The Syslog Daemon is not a database; however, you select it from the Database Type drop-down list on the Event Log Settings page in order to send events to the daemon.

    There are no parameters to set for the Syslog daemon. Configuration is done manually following installation. See Installing Oracle Enterprise Single Sign-On Suite for more information.

Provide the following setting for Oracle Database only:

Connection string
    Enter the database connection string. For example, when using an Oracle database with external authentication, the string has the following form:

        Provider=[OLE DB Provider] ;Data Source=[SID]; User Id=/;

    With Microsoft's OLE DB Provider for Oracle:

        Provider=MSDAORA ;Data Source=ORCL; User Id=/;

Provide the following setting for Microsoft SQL Server database only:

Server
    Enter the name of the server where events will be logged. SQL Server must be running on this machine, although the Provisioning Gateway database does not have to exist. If this is the first time this server is used by Provisioning Gateway, the Initialize Event Log box must also be checked to create the Provisioning Gateway database.

    You cannot use the IP address of the server to specify the current machine. You must use the actual machine name (for example, pdevrx2).

    You cannot use the name localhost to refer to the local machine. You must use the name of the machine.

Provide the following setting for the Oracle and SQL Server databases:

Initialize Event Log
    When enabled, this setting creates the Provisioning Gateway database on the specified server. If the database already exists, all existing data in the database is erased. Typically, this setting is used for initial installation and when you want to clear the log entries in the database. This setting is not saved.
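As an added example (not part of this guide or of the product), a Python helper that parses an OLE DB style connection string of the form shown above and checks the two Event Log values an administrator can get wrong: the Oracle string must use external authentication (User Id=/), and the SQL Server name must be a machine name rather than localhost or an IP address. The sample strings, the check that no password is embedded, and all function names are assumptions.

```python
import ipaddress

# Constructed sample values matching the forms shown on this page.
SAMPLE_ORACLE_CONN = "Provider=MSDAORA ;Data Source=ORCL; User Id=/;"
SAMPLE_SQL_SERVER = "pdevrx2"   # the page's own example machine name

def parse_connection_string(conn: str) -> dict[str, str]:
    """Parse 'Key=Value;Key=Value;' into a dict; keys lower-cased, whitespace trimmed."""
    pairs = {}
    for segment in conn.split(";"):
        if not segment.strip():
            continue                      # tolerate the trailing ';'
        key, sep, value = segment.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed segment {segment!r}")
        pairs[key.strip().lower()] = value.strip()
    return pairs

def check_oracle_connection_string(conn: str) -> list[str]:
    """Problems with an Oracle event-log connection string meant to use external authentication."""
    kv = parse_connection_string(conn)
    problems = []
    for required in ("provider", "data source"):
        if not kv.get(required):
            problems.append(f"missing {required}")
    if kv.get("user id") != "/":
        problems.append("User Id must be '/' for external authentication")
    if "password" in kv:   # assumed check: external authentication should carry no password
        problems.append("a password is embedded in the connection string")
    return problems

def check_sql_server_name(server: str) -> list[str]:
    """Reject the server names the page says cannot be used for the local machine."""
    problems = []
    name = server.strip()
    if name.lower() == "localhost":
        problems.append("'localhost' is not accepted; use the machine name")
    try:
        ipaddress.ip_address(name)        # succeeds only for an IP literal
        problems.append("an IP address is not accepted; use the machine name")
    except ValueError:
        pass
    return problems
```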

2.4 Template Mapping Settings

Use this page to map Logon Manager templates to Oracle Privileged Accounts Manager (OPAM) targets.

Note:

To perform any of the following functions, the user must be granted "Map Template" permissions in the Oracle Enterprise Single Sign-On Administrative Console.

  1. In the Targets window, you will see the names of all available OPAM targets, followed by the name of the template mapped to it (in parentheses), if any.

  2. Select a target and click the Edit button to edit the target's mapping properties.

  3. In the template mapping Edit dialog, select a template to map to the OPAM target. If a template is already mapped to the target, it is selected when this dialog launches.

For more information about setting up template mapping and assigning permissions, see Administering Oracle Enterprise Single Sign-On Suite.

Note:

If Logon Manager is synchronizing to an Active Directory repository and is using the "local computer credentials" option, you must enable sharing credentials from the authenticator to the Active Directory synchronization extension ("ShareCredsToSyncs") in the Global Agent Settings.