Configuring the Connector

This section describes how to configure the OFSAA Connector with OIM, which enables the mapping of policies from OFSAA and the configuration of users.
The following steps describe the procedure to configure the OFSAA OIM Connector:
  1. Login to the OFSAA host with your OFSAA user credentials.
    1. Navigate to $FIC_HOME/utility folder.
    2. Copy the OFSConnector directory to your local system.
  2. Login to the OIM host with OIM user credentials.
  3. Copy the OFSConnector directory from your local system to $OIM_ORACLE_HOME/connectors.
  4. Check and ensure that the following environment variables are set in the OIM host:
    JAVA_HOME=<Path to Java Dir>
    For example, /u01/java/jdk1.7.0_91
    MW_HOME=<Middleware Home Path>
    For example, /u01/oracle/products/fmw/10.3.6
    WL_HOME=<Weblogic Home Dir>
    For example, $MW_HOME/wlserver_10.3
    LD_LIBRARY_PATH=<Webtier lib path>
    For example, /u01/oracle/products/fmw/Oracle_WT1/lib
    APP_SERVER=<App server>
    For example, weblogic/websphere
    OIM_ORACLE_HOME=<OIM install dir>
    For example, /u01/oracle/products/fmw/10.3.6/Oracle_IDM
    DOMAIN_HOME=<OIM Domain path>
    For example, /u01/oracle/domains/idm_domain
    ANT_HOME=<Ant Home>
    For example, $MW_HOME/modules/org.apache.ant_1.7.1
    PATH=$JAVA_HOME/bin:$ANT_HOME/bin:$PATH:$OIM_ORACLE_HOME/OPatch
  5. Generate wlfullclient.jar by using the following procedure:
    1. Navigate to the $DOMAIN_HOME/bin directory and run the following command: ./setDomainEnv.sh
    2. Navigate to the $WL_HOME/server/lib directory and run the following command: java -jar wljarbuilder.jar
    3. Copy the newly created wlfullclient.jar from $WL_HOME/server/lib to the path $OIM_ORACLE_HOME/designconsole/ext.
  6. Execute the following command from the $OIM_ORACLE_HOME/server/bin directory to upload the OFSAA connector to OIM:
    sh UploadJars.sh -username << Xellerate admin username>> -password << admin password>> -serverURL << serverURL>> -ctxFactory << context>> -ICFBundle <<Full path of OFS connector>>
    For example:
    sh UploadJars.sh -username xelsysadm -password Welcome1 -serverURL t3://whf00aum:14000 -ctxFactory weblogic.jndi.WLInitialContextFactory -ICFBundle /scratch/software/weblogic10.3.6/iam/connectors/OFSConnector/org.identityconnectors.ofs-1.0.0.jar

    Note:

    ctxFactory value is weblogic.jndi.WLInitialContextFactory for WebLogic and com.ibm.websphere.naming.WsnInitialContextFactory for WebSphere.
  7. Navigate to the $OIM_ORACLE_HOME/server/plugin_utility directory and set the following values in the ant.properties file:
    wls.home=<Path to WebLogic Server Dir>
    For example, /u01/oracle/products/fmw/10.3.6/wlserver_10.3
    oim.home=<OIM Home Path>
    For example, /u01/oracle/products/fmw/10.3.6/Oracle_IDM/server
    login.config=<Login Configuration File Home Path>
    For example, ${oim.home}/config/authwl.conf
    mw.home=<Middleware Home Path>
    For example, /u01/oracle/products/fmw/10.3.6
  8. Execute the following command from the $OIM_ORACLE_HOME/connectors/OFSConnector/ directory and upload the schedule task in OIM: sh deploySchTask.sh -username << Xellerate admin username>> -password << admin password>> -serverURL <<oim_server_url>> -id <<OFSAA_ID>>
  9. Upload the OFSAA Connector metadata to OIM by executing the following command from the $OIM_ORACLE_HOME/connectors/OFSConnector directory:
    sh ImportMetadata.sh <xellerate admin username> <admin password> <oim_server_url> OFS-ConnectorConfig_<OIM_VERSION>.xml <OFSAA_ID> <OFS_USER> <OFS_PASSWD> <OFS_URL>

    Note:

    For SSO, <OFS_USER> is a valid OIM user. If the setup is non-SSO, then <OFS_USER> is SYSADMN. Based on the OIM version (11.1.2.2 or 11.1.2.3), select the appropriate version of the files to upload.
    If the file upload from the shell script is successful, the following message is printed: File imported successfully: OFS-ConnectorConfig_11.1.2.2.xml
  10. For other OFSAA environments such as DEV, UAT and PROD, use the following command to create IT Resource and Access Policy:
    sh ImportMetadata.sh <xellerate admin username> <admin password> <oim_server_url> OFS-ITResource_<OIM_VERSION>.xml <OFSAA_ID> <OFS_USER> <OFS_PASSWD> <OFS_URL>

    Note:

    • For SSO, <OFS_USER> is a valid OIM user. If the setup is non-SSO, then <OFS_USER> is SYSADMN.
    • <OFSAA_ID> should always be unique for each environment. For example, UAT01.
    • Based on the OIM version 11.1.2.2 or 11.1.2.3, select the appropriate version of the files to upload.
  11. Set the System Property XL.AllowAPHarvesting to TRUE. See the following steps for the procedure to set the property:
    1. Login to the SYSADMIN console.
    2. Click System Configuration to view System Properties.
    3. Enter XL.AllowAPHarvesting in Search System Properties and run the search to display the property in the search results pane.
    4. Click Allows access policy based provisioning of multiple instances of a resource in the results pane to open the System Property Detail: Allows access policy based provisioning of multiple instances of a resource window.
    5. Enter TRUE in the Value field.
    6. Click Save.
    7. Restart the OIM Server.

    Figure 12-17 System Management window

    Note:

    The remaining steps apply only if SSO is configured in OFSAA. If you use Native Authentication, skip these steps and proceed to Configuring Entitlements.
  12. Upload the OAM Policy file to set the authentication for REST APIs, which the OFSAA Connector uses. The following is the procedure to upload:
    1. Edit the oam-policies.xml file in a text editor. Replace the placeholders ${OHS_PORT}, ${OHS_HOST}, and ${IDM_HOST} with the OHS port, OHS host name, and IDM host name of the server where IDM is hosted and Oracle HTTP Server (OHS) is configured.
    2. Execute the command wlst.

      For example, $OIM_ORACLE_HOME/common/bin/wlst.sh

    3. Connect to the OAM Admin server using the following:

      wls:/offline> connect('<user_id>','<password>','t3://<IDM_HOST>:<ADMIN_PORT>')

    4. Import the OAM Policies using the following:

      wls:/idm_domain/serverConfig> importPolicy(pathTempOAMPolicyFile="/<path>/oam-policies.xml")

  13. Perform the OFSAA User Provisioning Configuration by applying Pre-authentication Advanced Rules to the basic Authorization Policy for users in the system. This is done from the OAM console after IDM Provisioning, so that OAM switches to a form-based authentication scheme when the authorization header does not use the Basic scheme. Update the pre-authentication advanced rules to a form-based authentication scheme using the following steps:
    1. Login to the OAM Administrator Console.
    2. From the Launch Pad, click Application Domains from the Access Manager widget. The Application Domain window is displayed.

      Figure 12-18 Access Management Launch Pad

    3. Search for the required application domain for which you want to switch the authentication scheme and click Name from the search results to display the details for the application domain.

      Figure 12-19 Application Domain tab

    4. Click the Authentication Policies tab to view the existing policies in the system.

      Figure 12-20 Authentication Policies tab

    5. Click Basic Authentication Policy from the list to view the details for the policy.

      Figure 12-21 Authentication Policies tab

    6. Click the Advanced Rules tab to view the details for Pre-Authentication.

      Figure 12-22 Authentication Policies - Advanced Rules tab

    7. Click the Add button and create a rule with the following information:

      Figure 12-23 Authentication Policies - Advanced Rules tab

    8. Click Apply to save.
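The following preflight script is an added example for steps 4 through 6 above; it is not part of the OFSAA connector package or Oracle's documentation. It assumes only the environment variable names from step 4 and the ctxFactory values from the step 6 note, and checks them on the OIM host before UploadJars.sh is run.

```shell
#!/bin/sh
# Added preflight helper for steps 4 to 6 (not part of the OFSAA connector package).
# It reads only the environment variables named in step 4.

# Map the APP_SERVER value to the -ctxFactory value given in the step 6 note.
ofs_ctx_factory() {
    case "$1" in
        weblogic)  echo "weblogic.jndi.WLInitialContextFactory" ;;
        websphere) echo "com.ibm.websphere.naming.WsnInitialContextFactory" ;;
        *)         echo "unsupported APP_SERVER value: '$1'" >&2; return 1 ;;
    esac
}

# Check the step 4 variables: each home variable must be set and be an existing
# directory, LD_LIBRARY_PATH must be set, and APP_SERVER must be weblogic or
# websphere. Every problem is reported on stderr; the return value is the number
# of problems found (0 means the host is ready).
ofs_check_env() {
    problems=0
    for v in JAVA_HOME MW_HOME WL_HOME OIM_ORACLE_HOME DOMAIN_HOME ANT_HOME; do
        eval "val=\$$v"
        if [ -z "$val" ]; then
            echo "$v is not set" >&2
            problems=$((problems + 1))
        elif [ ! -d "$val" ]; then
            echo "$v=$val is not a directory" >&2
            problems=$((problems + 1))
        fi
    done
    if [ -z "$LD_LIBRARY_PATH" ]; then
        echo "LD_LIBRARY_PATH is not set" >&2
        problems=$((problems + 1))
    fi
    ofs_ctx_factory "${APP_SERVER:-}" >/dev/null || problems=$((problems + 1))
    return "$problems"
}

# Confirm the wlfullclient.jar built in step 5 was copied to the location step 6 needs.
ofs_check_wlfullclient() {
    [ -f "$OIM_ORACLE_HOME/designconsole/ext/wlfullclient.jar" ]
}

# Usage on the OIM host, before running UploadJars.sh from $OIM_ORACLE_HOME/server/bin:
#   ofs_check_env && ofs_check_wlfullclient && \
#       sh UploadJars.sh ... -ctxFactory "$(ofs_ctx_factory "$APP_SERVER")" ...
```

Because UploadJars.sh, deploySchTask.sh and ImportMetadata.sh take the admin password as a command-line argument, it is visible in the process list and shell history while they run, so run them from a controlled session and clear the history afterwards.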