Performing the Postconfiguration Tasks

4 Performing the Postconfiguration Tasks

These are the tasks that you can perform after creating an application in Oracle Identity Governance.

4.1 Configuring the Connector for a Target System with an Autoincrement Primary Key

Note:

Perform the procedure described in this section only if both the conditions are true:

You have configured your target system as a target resource.
The key column of the target system is configured with an autoincrement option.

Perform the following steps to configure the connector for a target system with an autoincrement primary key:

By default, the key column of the target system is mapped to the OIM User Login field in the reconciliation rule. Before you perform any connector operation, you can modify the reconciliation rule to map the OIM User Login field to a different target system column.
If the key column of the child table has been configured with the autoincrement option, then modify the child form by removing the 'required=true' property for the key field of the child table by using the Design Console.
If the prepopulate adapter contains a mapping for the key column, then either disable the prepopulate adapter or modify it to remove the connector key column by using the Design Console.

4.2 Configuring Oracle Identity Governance

During application creation, if you did not choose to create a default form, then you must create a UI form for the application that you created by using the connector.

Note:

Perform the procedures described in this section only if you did not choose to create the default form during creating the application.

The following topics describe the procedures to configure Oracle Identity Governance:

4.2.1 Creating and Activating a Sandbox

You must create and activate a sandbox to begin using the customization and form management features. You can then publish the sandbox to make the customizations available to other users.

See Creating a Sandbox and Activating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

4.2.2 Creating a New UI Form

You can use Form Designer in Oracle Identity System Administration to create and manage application instance forms.

See Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Governance.

While creating the UI form, ensure that you select the resource object corresponding to the newly created application that you want to associate the form with. In addition, select the Generate Entitlement Forms check box.

4.2.3 Publishing a Sandbox

Before publishing a sandbox, perform this procedure as a best practice to validate all sandbox changes made till this stage as it is difficult to revert the changes after a sandbox is published.

In Identity System Administration, deactivate the sandbox.
Log out of Identity System Administration.
Log in to Identity Self Service using the xelsysadm user credentials and then activate the sandbox that you deactivated in Step 1.
In the Catalog, ensure that the application instance form for your resource appears with correct fields.
Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

4.2.4 Updating an Existing Application Instance with a New Form

For any changes that you do in the schema of your application in Identity Self Service, you must create a new UI form and update the changes in an application instance.

To update an existing application instance with a new form:

Create and activate a sandbox.
Create a new UI form for the resource.
Open the existing application instance.
In the Form field, select the new UI form that you created.
Save the application instance.
Publish the sandbox.

4.3 Harvesting Entitlements and Sync Catalog

To harvest entitlements and sync catalog:

Run the scheduled jobs for lookup field synchronization listed in Scheduled Job for Lookup Field Synchronization.
Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table. See Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Governance for more information about this scheduled job.
Run the Catalog Synchronization Job scheduled job. See Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Governance for more information about this scheduled job.

4.4 Managing Logging for Oracle Identity Governance

Oracle Identity Governance uses the Oracle Diagnostic Logging (ODL) logging service for recording all types of events pertaining to the connector.

The following topics provide detailed information about logging:

4.4.1 Understanding Log Levels

When you enable logging, Oracle Identity Governance automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations.

ODL is the principle logging service used by Oracle Identity Governance and is based on java.util.logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

SEVERE.intValue()+100

This level enables logging of information about fatal errors.
SEVERE

This level enables logging of information about errors that might allow Oracle Identity Governance to continue running.
WARNING

This level enables logging of information about potentially harmful situations.
INFO

This level enables logging of messages that highlight the progress of the application.
CONFIG

This level enables logging of information about fine-grained events that are useful for debugging.
FINE, FINER, FINEST

These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These message types are mapped to ODL message type and level combinations as shown in Table 4-1.

Table 4-1 Log Levels and ODL Message Type:Level Combinations

Java Level	ODL Message Type:Level
SEVERE.intValue()+100	INCIDENT_ERROR:1
SEVERE	ERROR:1
WARNING	WARNING:1
INFO	NOTIFICATION:1
CONFIG	NOTIFICATION:16
FINE	TRACE:1
FINER	TRACE:16
FINEST	TRACE:32

The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Governance.

4.4.2 Enabling Logging

To enable logging in Oracle WebLogic Server:

Edit the logging.xml file as follows:

Add the following blocks in the file:

<log_handler name='dbat-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
<property name='logreader:' value='off'/>
     <property name='path' value='[FILE_NAME]'/>
     <property name='format' value='ODL-Text'/>
     <property name='useThreadName' value='true'/>
     <property name='locale' value='en'/>
     <property name='maxFileSize' value='5242880'/>
     <property name='maxLogSize' value='52428800'/>
     <property name='encoding' value='UTF-8'/>
   </log_handler>

<logger name="ORG.IDENTITYCONNECTORS.DATABASETABLE" level="[LOG_LEVEL]" useParentHandlers="false">
     <handler name="dbat-handler"/>
     <handler name="console-handler"/>
   </logger>

Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 4-1 lists the supported message type and level combinations.

Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.

The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME]:

<log_handler name='dbat-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
<property name='logreader:' value='off'/>
     <property name='path' value='/<%OIM_DOMAIN%>/servers/oim_server1/logs/DBATlogs.log'/>
     <property name='format' value='ODL-Text'/>
     <property name='useThreadName' value='true'/>
     <property name='locale' value='en'/>
     <property name='maxFileSize' value='5242880'/>
     <property name='maxLogSize' value='52428800'/>
     <property name='encoding' value='UTF-8'/>
   </log_handler>
 
<logger name="ORG.IDENTITYCONNECTORS.DATABASETABLE" level="NOTIFICATION:1" useParentHandlers="false">
     <handler name="dbat-handler"/>
     <handler name="console-handler"/>
   </logger>

With these sample values, when you use Oracle Identity Governance, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.

Save and close the file.
Set the following environment variable to redirect the server logs to a file:

For Microsoft Windows:
```
set WLS_REDIRECT_LOG=FILENAME
 
```
For UNIX:
```
export WLS_REDIRECT_LOG=FILENAME
 
```
Replace FILENAME with the location and name of the file to which you want to redirect the output.
Restart the application server.

4.5 Configuring the IT Resource for the Connector Server

If you have used the Connector Server, then you must configure values for the parameters of the Connector Server IT resource.

After you create the application for your target system, you must create an IT resource for the Connector Server as described in Creating IT Resource of Oracle Fusion Middleware Administering Oracle Identity Governance. While creating the IT resource, ensure to use to select Connector Server from the IT Resource Type list.

In addition, specify values for the parameters of the IT resource for the Connector Server listed in Table 4-2.

Table 4-2 Parameters of the IT Resource for the Connector Server

Parameter	Description
Host	Enter the host name or IP address of the computer hosting the Connector Server. Sample value: `myhost.com`
Key	Enter the key for the Connector Server.
Port	Enter the number of the port at which the Connector Server is listening. By default, this value is blank. You must enter the port number that is displayed on the terminal when you start the Connector Server. Sample value: `8759`
Timeout	Enter an integer value which specifies the number of milliseconds after which the connection between the Connector Server and Oracle Identity Governance times out. Recommended value: `0` A value of 0 means that the connection never times out.
UseSSL	Enter `true` to specify that you will configure SSL between Oracle Identity Governance and the Connector Server. Otherwise, enter `false.` Default value: `false` Note: It is recommended that you configure SSL to secure communication with the connector server. To configure SSL, see Configuring the Java Connector Server with SSL in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

4.6 Localizing Field Labels in UI Forms

To localize a field label that is added to the UI forms:

Create a properties file (for example, DBAT_ja.properties) containing localized versions for the column names in your target system (to be displayed as text strings for GUI elements and messages in the Administrative and User Console).
Log in to Oracle Enterprise Manager.
In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
In the right pane, from the Application Deployment list, select MDS Configuration.
On the MDS Configuration page, click Export and save the archive to the local computer.
Extract the contents of the archive, and open the following file in a text editor:

SAVED_LOCATION/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle_en.xlf

Edit the BizEditorBundle.xlf file in the following manner:

Search for the following text:

<file source-language="en"  
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

Replace with the following text:

<file source-language="en" target-language="LANG_CODE"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:

<file source-language="en" target-language="ja"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

Search for the application instance code. This procedure shows a sample edit for Database Application Tables application instance. The original code is:

<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ACMEDBAP_APP_DFLT_HOME__c_description']}">
<source>APP_DFLT_HOME</source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ACMEFORM.entity.ACMEFORMEO.UD_ACMEDBAP_APP_DFLT_HOME__c_LABEL">
<source>APP_DFLT_HOME</source>
<target/>
</trans-unit>

Open the properties file created in Step 1 and get the value of the attribute, for example, global.udf.D_ACMEDBAP_APP_DFLT_HOME=\u4567d.

Replace the original code shown in Step 7.c with the following:

<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ACMEDBAP_APP_DFLT_HOME__c_description']}">
<source>APP_DFLT_HOME</source>
<target>\u4567d</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ACMEFORM.entity.ACMEFORMEO.UD_ACMEDBAP_APP_DFLT_HOME__c_LABEL">
<source>APP_DFLT_HOME</source>
<target>\u4567d</target>
</trans-unit>

Repeat Steps 7.a through 7.d for all attributes of the process form.
Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.

Sample file name: BizEditorBundle_ja.xlf.

Repackage the ZIP file and import it into MDS.

See Also:

Deploying and Undeploying Customizations in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for more information about exporting and importing metadata files
Log out of and log in to Oracle Identity Governance.

4.7 Configuring Secure Communication Between the Target System and Oracle Identity Governance

Note:

It is recommended that you perform the procedure described in this section to secure communication between the target system and Oracle Identity Governance.

The procedure to secure communication depends on the database that you are using:

4.7.1 Configuring Secure Communication Between IBM DB2 and Oracle Identity Governance

Note:

IBM DB2 version 11.x and later support secure communication over SSL.
Before configuring secure communication between IBM DB2 and Oracle Identity Governance, you must install the IBM Global Security Kit (GSKit).

See the IBM DB2 documentation for more information about enabling SSL communication between IBM DB2 and a client system. In this context, the client is Oracle Identity Governance.

To configure secure communication between IBM DB2 and Oracle Identity Governance:

Generate the certificate store by running the GSKit tool. To do so, run the following command:
```
GSKCAPICMD -keydb -create -db "KEY_DATABASE_LOCATION" -pw KEY_DATABASE_PASSWORD -stash
```
In the command, replace:
- GSKCAPICMD with the full path and name of the GSKit tool. For example, for the target system running on a 64-bit Microsoft Windows platform, replace GSKCAPICMD with C:\Program Files (x86)\IBM\GSK8\bin\gsk8capicmd_64.exe.
- KEY_DATABASE_LOCATION with the full path and name of the key database to be created.
- KEY_DATABASE_PASSWORD with the password for the key database.
The following is a sample command that generates a certificate store (db2oim.kdb):

C:\DB2>"\Program Files\IBM\gsk8\bin\gsk8capicmd_64.exe" -keydb -create -db "c:\db2\db2oim.kdb" -pw PASSWORD -stash
Generate the self-signed certificate by running the following command:
```
GSKCAPICMD -cert -create -db  "KEY_DATABASE_LOCATION" -pw KEY_DATABASE_PASSWORD -label "CERT_LABEL" -dn "DISTINCT_NAME"
```
In the command, replace:
- GSKCAPICMD with the full path and name of the GSKit tool. For example, for the target system running on a 64-bit Microsoft Windows platform, replace GSKCAPICMD with C:\Program Files (x86)\IBM\GSK8\bin\gsk8capicmd_64.exe.
- KEY_DATABASE_LOCATION with the full path and name of the key database to store the certificate.
- KEY_DATABASE_PASSWORD with the password for the key database.
- CERT_LABEL with a label that is used to uniquely identify the certificate.
- DISTINCT_NAME with the distinguished name that uniquely identifies the certificate.
The following is a sample command that generates a self-signed certificate:

C:\DB2>"\Program Files\IBM\gsk8\bin\gsk8capicmd_64.exe" -cert -create -db "c:\db2\db2oim.kdb" -pw PASSWORD -label "db2oim" -dn "CN=example.com,O=org,OU=myorg,L=myLocation,ST=CA,C=USA"
Export the server certificate by running the following command:
```
GSKCAPICMD -cert -extract -db "KEY_DATABASE_LOCATION" -pw KEY_DATABASE_PASSWORD -label "CERT_LABEL" -target "LOCATION" -format FORMAT -fips
```
In the command, replace:
- GSKCAPICMD with the full path and name of the GSKit tool. For example, for the target system running on a 64-bit Microsoft Windows platform, replace GSKCAPICMD with C:\Program Files (x86)\IBM\GSK8\bin\gsk8capicmd_64.exe.
- KEY_DATABASE_LOCATION with the full path and name of the key database.
- KEY_DATABASE_PASSWORD with the password for the key database.
- CERT_LABEL with the label that is used to uniquely identify the certificate to be extracted.
- LOCATION with the full path and name of the file to which the certificate is to be extracted.
- FORMAT with the certificate format, which can be either ascii or binary.
The following is a sample command that exports the server certificate to db2oim.arm:

C:\DB2>"\Program Files\IBM\gsk8\bin\gsk8capicmd_64.exe" -cert -extract -db "c:\db2\db2oim.kdb" -pw PASSWORD -label "db2oim" -target "c:\db2\db2oim.arm" -format ascii -fips
Configure the database to enable both SSL and TCP/IP communication protocols by running the following command:
```
db2set.exe DB2COMM=SSL,TCPIP 
```
Check protocols by using db2set.exe to validate that the SSL and TCP/IP protocols are enabled in DB2COMM.

DB2PROCESSORS=0,1

DB2INSTPROF=C:\ProgramData\IBM\DB2\DB2COPY1

DB2COMM=SSL,TCPIP
Verify your SSL settings by running the db2 GET DATABASE MANAGER CONFIGURATION command.
Import the certificate into the Java keystore of the application server on which Oracle Identity Governance is running.
To import the certificate into the Java keystore, run the following command:
```
keytool -importcert -file FILE_LOCATION -alias ALIAS -storepass STORE_PASSWORD -keystore STORE_LOCATION
```
In this command, replace:
- FILE_LOCATION with the full path and name of the certificate file.
- ALIAS with an alias for the certificate.
- STORE_PASSWORD with a password for the truststore.
- STORE_LOCATION with one of the truststore paths from
The following is a sample command that imports the certificate into the Java keystore:
```
C:\DB2>keytool -importcert -file db2oim.arm -alias db2oim -storepass PASSWORD -keystore C:\Users\example_user\.keystore
```
The certificate is imported into the keystore.

4.7.2 Configuring Secure Communication Between Microsoft SQL Server and Oracle Identity Governance

To configure secure communication between Microsoft SQL Server and Oracle Identity Governance:

Refer to Microsoft SQL Server documentation for information about enabling SSL communication between Microsoft SQL Server and a client system. In this context, the client is Oracle Identity Governance.

Export the certificate on the Microsoft SQL Server host computer.
Copy the certificate to the Oracle Identity Governance host computer.
Import the certificate into the JVM truststore of the application server on which Oracle Identity Governance is running.
To import the certificate into the truststore, run the following command:
```
..\..\bin\keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS 
```
In this command:
- Replace FILE_LOCATION with the full path and name of the certificate file.
- Replace ALIAS with an alias for the certificate.
- Replace TRUSTSTORE_PASSWORD with a password for the truststore.
- Replace TRUSTSTORE_LOCATION with the following truststore path:
  
  JAVA_HOME/jre/lib/security/cacerts

4.7.3 Configuring Secure Communication Between MySQL and Oracle Identity Governance

To configure secure communication between MySQL and Oracle Identity Governance:

See MySQL documentation for information about enabling SSL communication between MySQL and a client system. In this context, the client is Oracle Identity Governance.
Export the certificate on the MySQL host computer.
Restart the MySQL database service by using the certificate exported in the preceding step. See MySQL documentation for information on restarting the database service.
Copy the ca-cert.pem and client-cert.pem certificates to the Oracle Identity Governance host computer.
Import the certificates into the JVM truststore of the application server on which Oracle Identity Governance is running.
To import the certificates into the truststore, run the following command for each certificate:
```
keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS 
```
In this command:
- Replace FILE_LOCATION with the full path and name of the certificate file.
- Replace ALIAS with an alias for the certificate.
- Replace TRUSTSTORE_PASSWORD with a password for the truststore.
- Replace TRUSTSTORE_LOCATION with the following truststore path:
  
  JAVA_HOME/jre/lib/security/cacerts
Note:

In an Oracle Identity Governance cluster, you must import the file into the truststore on each node of the cluster.

4.7.4 Configuring Secure Communication Between Oracle Database and Oracle Identity Governance

To secure communication between Oracle Database and Oracle Identity Governance, you can perform either one or both of the following procedures:

4.7.4.1 Configuring Data Encryption and Integrity in Oracle Database

See Configuring Network Data Encryption and Integrity in Oracle Database Security Guide for information about configuring data encryption and integrity.

4.7.4.2 Configuring SSL Communication in Oracle Database

To enable SSL communication between Oracle Database and Oracle Identity Governance:

Note:

See Enabling Secure Sockets Layer in Oracle Database Security Guide for detailed information about enabling SSL communication between Oracle Database and Oracle Identity Governance.

Export the certificate on the Oracle Database host computer.
Copy the certificate to Oracle Identity Governance.
Import the certificate into the JVM truststore of the application server on which Oracle Identity Governance is running.
To import the certificate into the truststore, run the following command:
```
keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS 
```
In this command:
- Replace FILE_LOCATION with the full path and name of the certificate file.
- Replace ALIAS with an alias for the certificate.
- Replace TRUSTSTORE_PASSWORD with a password for the truststore.
- Replace TRUSTSTORE_LOCATION with the following truststore path:
  
  JAVA_HOME/jre/lib/security/cacerts
Note:

In an Oracle Identity Governance cluster, you must import the file into the truststore on each node of the cluster.

4.8 Configuring Secure Communication Between the Connector Server and Oracle Identity Governance

If you have deployed this connector on a Connector Server, then it is recommended that you secure communication between the Connector Server and Oracle Identity Governance. The procedure to configure secure communication is the same as the procedure described in section Configuring Secure Communication Between the Target System and Oracle Identity Governance. While performing the procedure described in that section, consider the Connector Server as a separate system, similar to the target system.

Before you configure secure communication:

Ensure that the Connector Server is running under a user that has the appropriate rights to access the keystore.
Ensure that the keystore on the Connector Server is present and accessible.
Ensure that the keystore on the Connector Server contains the expected certificates.
If you are not using the default Java keystore on the Connector Server, then modify the keystore paths and password in the IT resource URL or the jndiProperties property (of the DBATConfiguration.groovy file) to match the location on the Connector Server.

4.9 Configuring the Connector for Stored Procedures and Groovy Scripts

The connector runs default SQL queries and SQL statements when you use it to perform reconciliation and provisioning operations, respectively. Instead of default SQL statements and queries, if you want the connector to use custom stored procedures for performing reconciliation or provisioning operations, then you must perform the procedure described in this section.

4.9.1 Configuring the Connector for Custom Stored Procedures

To configure the connector for custom stored procedures:

On the target system, create the stored procedures that must be used for performing provisioning operations. The following are sample stored procedures (created on Oracle Database) that run the DELETE SQL statement for deleting the groups and roles child data. For target systems other than Oracle Database, the syntax of this sample procedure may vary.

The stored procedure for DELETE_USERGROUP is as follows:
```
create or replace PROCEDURE DELETE_USERGROUP
(  userin IN VARCHAR2, gId IN VARCHAR2
) AS
BEGIN
DELETE from USER_GROUP where USERID=userin and GROUPID=gId;
END DELETE_USERGROUP;
```
The stored procedure for DELETE_USERROLE is as follows:
```
create or replace PROCEDURE DELETE_USERROLE
(  userin IN VARCHAR2, rId IN VARCHAR2
) AS
BEGIN
DELETE  from USER_ROLE where USERID=userin and ROLEID=rId;
END DELETE_USERROLE;
```
On the Oracle Identity Governance host computer, create Groovy scripts that call the relevant stored procedures on the target system to perform provisioning operations. See Groovy Script Arguments for information about the arguments that can be directly used in the groovy script.

Note:

See Sample Groovy Script for a sample Groovy script that calls the DELETE_USERGROUP and DELETE_USERROLE stored procedure.
Update the Advanced configuration details definition to include information about the Groovy scripts as listed in Table 4-3.

Note:

Instead of the file URL of the Groovy script, you can directly enter the Groovy script. In such a case, ensure that the corresponding attribute does not contain [LOADFROMURL]. For example, if you directly enter the Groovy script for the create user account provisioning operation, then the corresponding attribute name must be createScript, instead of createScript[LOADFROMURL].

The following is a sample value for the removeMultiValuedAttributeScript[LOADFROMURL] entry:
```
file:///home/myname/dbat/scripts/removechilddata.groovy
```

To reset the password during the update procedure, do the following:

Check whether script argument "attributes" contains password (__PASSWORD__) attribute.

import org.identityconnectors.common.security.GuardedString;
GuardedString pass = attributes.get("__PASSWORD__")!=null?attributes.get"__PASSWORD__").getValue().get(0):null;

If "attributes" contains __PASSWORD__ attribute (not null), call targetstore procedure/sql query to reset password.

upstmt = conn.prepareStatement("UPDATE PASSWORD....
if(pass!=null){
       pass.access(new GuardedString.Accessor(){
           public void access(char[] clearChars){
               upstmt.setString(1, new String(clearChars));
           }
       });
} else {
          //Update other attributes 
}
     upstmt.executeUpdate();

4.9.2 Groovy Script Arguments

The following arguments can be directly used in the Groovy script:

connector - The Database Application Tables connector object.
conn - JDBC connection.
timing - When the Groovy script is called. In addition, the timing attribute also explains the type of operation being performed. For example, if it is search operation, then the object class being search is also returned.

The following is the format of the timing argument for lookup field synchronization:

executeQuery:OBJECT_CLASS

In this format, OBJECT_CLASS is replaced with the type of object being reconciled.

For example, for a lookup field synchronization scheduled job that contains the object type "Role", the value of the timing argument will be as follows:

executeQuery:Role
attributes - All attributes.
trace - Logger as a script trace bridge to the application.
where - String where condition for execute query, or null.
handler - resultSetHandler or SyncResultsHandler for the connector objects produced by the execute query, sync operation or null return.
quoting - The type of table name quoting to be used in SQL. The default value is an empty string. The value of this argument is obtained from the IT resource.
nativeTimestamps - Specifies whether the script retrieves the timestamp data of the columns as java.sql.Timestamp type from the database table. This information is obtained from the IT resource.
allNative - Specifies whether the script must retrieve the data type of the columns in a native format from the database table. The value of this argument is obtained from the IT resource.
rethrowAllSQLExceptions - The value of this argument is also obtained from the IT resource. The value of this argument specifies whether the script must throw exceptions when a zero (0x00) error code is encountered.
enableEmptyString - Specifies whether support for writing an empty string instead of a NULL value must be enabled. The value of this argument is obtained from the IT resource.
filterString - String filter condition for execute query, or null.
filterParams - List of filter parameters. Each parameter is present in the COLUMN_NAME:VALUE format. For example, FIRSTNAME:test.
syncattribute - Name of the database column configured for incremental reconciliation. This argument is available in the sync script, which is called during an incremental reconciliation run.
synctoken - Value of the sync attribute. This argument is available in the sync script.

4.9.3 Sample Groovy Script

The following is a sample Groovy script that calls the DELETE_USERGROUP and DELETE_USERROLE stored procedure created in step 1 of Configuring the Connector for Custom Stored Procedures.

import org.identityconnectors.framework.common.objects.*;
System.out.println("[removeMultiValuedAttributeScript] Removing Child data::"+ attributes);

try {
childDataEOSet = null;
delSt = null;
//Get UID 
String id = attributes.get("__UID__").getValue().get(0);
if(attributes.get("USER_GROUP")!=null)
{
childDataEOSet=attributes.get("USER_GROUP").getValue();
//Delete child data using stored procedure
delSt= conn.prepareCall("{call DELETE_USERGROUP(?,?)}");
    if(childDataEOSet !=null){
System.out.println("[removeMultiValuedAttributeScript] Removing Group data.");
//Iterate through child data and delete
for( iterator = childDataEOSet.iterator(); iterator.hasNext(); )
{
eo = iterator.next();
attrsSet = eo.getAttributes();
grpattr=AttributeUtil.find("GROUPID",attrsSet);
if(grpattr!=null){
groupid=grpattr.getValue().get(0);
delSt.setString(1, id);
delSt.setString(2, groupid);
delSt.executeUpdate();
System.out.println("[removeMultiValuedAttributeScript] Deleted Group::"+ grpattr);
} }; } }
} finally {
if (delSt != null)
delSt.close();
};
try {
childDataEOSet = null;
delSt = null;
String id      = attributes.get("__UID__").getValue().get(0);
if(attributes.get("USER_ROLE")!=null)
{
childDataEOSet=attributes.get("USER_ROLE").getValue();
delSt= conn.prepareCall("{call DELETE_USERROLE(?,?)}");
    if(childDataEOSet !=null){
System.out.println("[removeMultiValuedAttributeScript] Removing Role data.");
for( iterator = childDataEOSet.iterator(); iterator.hasNext(); )
{
eo = iterator.next();
attrsSet = eo.getAttributes();
roleattr=AttributeUtil.find("ROLEID",attrsSet);
if(roleattr!=null){
rolename=roleattr.getValue().get(0);
delSt.setString(1, id);
delSt.setString(2, rolename);
delSt.executeUpdate();
System.out.println("[removeMultiValuedAttributeScript] Deleted Role::"+ rolename);
} }; } }
} finally {
if (delSt != null)
delSt.close();
};

4.9.4 Entries Specific to Groovy Script Configuration

Table 4-3 describes the lookup entries specific to groovy script configuration.

Table 4-3 Entries Specific to Groovy Script Configuration

Code Key	Decode
createScript[LOADFROMURL]	Enter the file URL of the Groovy script created for the create user account provisioning operation.
updateScript[LOADFROMURL]	Enter the file URL of the Groovy script created for the update user account provisioning operation.
deleteScript[LOADFROMURL]	Enter the file URL of the Groovy script created for the delete user account provisioning operation.
executeQueryScript[LOADFROMURL]	Enter the file URL of the Groovy script created for full and filtered reconciliation.
lookupScript[LOADFROMURL]	Enter the file URL of the Groovy script created for lookup field synchronization.
syncScript[LOADFROMURL]	Enter the file URL of the Groovy script created for incremental reconciliation.
addMultiValuedAttributeScript[LOADFROMURL]	Enter the file URL of the Groovy script created for the add multivalued attributes provisioning operation.
removeMultiValuedAttributeScript[LOADFROMURL]	Enter the file URL of the Groovy script created for the remove multivalued attributes provisioning operation.

4.10 Configuring the Datasource and JNDI Properties

Perform the procedure described in this topic if the connector uses datasource configuration to connect to your target system.

To configure the datasource and JNDI properties

Login to Oracle WebLogic Server Administration Console.
On the Domain Structure left navigation pane, expand Services, and click Data Sources.
Click Lock & Edit.
In the Configuration tab, below Data Source, click the New menu, and select Generic Data Source.
In the Create a New JDBC Data Source page, provide the following values, and then click Next.
- Name: Enter the datasource name.
- JNDI Name: Enter the JNDI name in the format jdbc/DATASOURCE_NAME.
- Database Type: Select a database type. For example, if you are using an Oracle database, then select Oracle.
From the JDBC Driver list, select *Oracle's Driver (Thin) for Service connections; Versions:Any, and then click Next.
Deselect the Supports Global Transactions option, and then click Next.
In the Connection Properties page, provide the following values, and then click Next.
- Database Name: Enter the name of the database that you want to connect to.
- Host Name: Enter the name or IP address of the database server.
- Port: Enter the port number of the database server.
- Database User Name: Enter the user name for connecting to the database.
- Password: Enter the password for connecting to the database.
- Confirm Password: Re-enter the password.
Click Test Configuration.
A message states that the connection test is successful.
Click Next.
Under Servers, select AdminServer.
Select all OIM servers listed or select the OIM cluster and then click Finish.
Click Activate Changes to activate the datasource creation.

Note:
Add the Java property -Dweblogic.jdbc.remoteEnabled=true in Weblogic OIM Domain Environment script, and restart the WebLogic server.

4.11 Configuring the Datasource and JNDI Properties for SAP HANA DB

Perform the procedure described in this topic to configure the datasource and JNDI properties for SAP HANA DB:

Login to Oracle WebLogic Server Administration Console.
On the Domain Structure left navigation pane, expand Services, and click DataSources.
Click Lock & Edit.
In the Configuration tab, below Data Source, click the New menu, and select Generic Data Source.
In the Create a New JDBC Data Source page, provide the following values, and then click Next.
- Name: Enter the datasource name.
- JNDI Name: Enter the JNDI name in the format jdbc/DATASOURCE_NAME.
- Database Type: Select a database type. For example, if you are using an SAP Hana database, then select Other and then click Next.
From the JDBC Driver list, select Other for Service connections and then click Next.
Deselect the Supports Global Transactions option, and then click Next.
In the Connection Properties page, provide the following values, and then click Next.
- Database Name: Enter the name of the database that you want to connect to.
- Password: Enter the password for connecting to the database, and then click Next.
Test Database Connection:
- Driver Class Name: Enter the name or IP address of the database server.
- url: Enter the port number of the database server.
- Database User Name: Enter the user name for connecting to the database.
- Password: Enter the password for connecting to the database.
- Confirm Password: Re-enter the password.
Click Test Configuration. A message states that the connection test is successful.
Click Next.
Under Servers, select AdminServer.
Select all OIM servers listed or select the OIM cluster and then click Finish.
Click Activate Changes to activate the Data Source creation.