Performing the Postconfiguration Tasks for the Oracle E-Business Suite HRMS Connectors

5.1 Configuring Oracle Identity Governance

During application creation, if you did not choose to create a default form, then you must create a UI form for the application that you created by using the connector.

Note:

Perform the procedures described in this section only if you did not choose to create the default form during creating the application.

The following topics describe the procedures to configure Oracle Identity Governance:

5.1.1 Creating and Activating a Sandbox

You must create and activate a sandbox to begin using the customization and form management features. You can then publish the sandbox to make the customizations available to other users.

See Creating a Sandbox and Activating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

5.1.2 Creating a New UI Form

You can use Form Designer in Oracle Identity System Administration to create and manage application instance forms.

See Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Governance.

While creating the UI form, ensure that you select the resource object corresponding to the newly created application that you want to associate the form with. In addition, select the Generate Entitlement Forms check box.

5.1.3 Publishing a Sandbox

Before publishing a sandbox, perform this procedure as a best practice to validate all sandbox changes made till this stage as it is difficult to revert the changes after a sandbox is published.

In Identity System Administration, deactivate the sandbox.
Log out of Identity System Administration.
Log in to Identity Self Service using the xelsysadm user credentials and then activate the sandbox that you deactivated in Step 1.
In the Catalog, ensure that the application instance form for your resource appears with correct fields.
Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

5.1.4 Updating an Existing Application Instance with a New Form

For any changes that you do in the schema of your application in Identity Self Service, you must create a new UI form and update the changes in an application instance.

To update an existing application instance with a new form:

Create and activate a sandbox.
Create a new UI form for the resource.
Open the existing application instance.
In the Form field, select the new UI form that you created.
Save the application instance.
Publish the sandbox.

5.2 Harvesting Entitlements and Syncing the Catalog

You can populate Entitlement schema from child process form table, and harvest addresses, assignments, application instances, and entitlements into catalog. You can also load catalog metadata.

To harvest entitlements and sync catalog:

If you are using the Oracle EBS HRMS connector, then run the reconciliation jobs for entitlements.
Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table.
Run the Catalog Synchronization Job scheduled job. See Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Governance for more information about this scheduled job.

5.3 Configuring Secure Communication Between the Target System and Oracle Identity Governance

It is recommended that you configure SSL to secure the communication between your target system and Oracle Identity Governance.

Note:

To perform the procedures described in this section, you must have the permissions required to modify the TNS listener configuration file.

5.3.1 Configuring Data Encryption and Integrity

You can protect data against active attacks and ensure data privacy by configuring native Oracle Net Services data encryption and integrity for Oracle Advanced Security.

To configure data encryption and integrity, see Data Encryption in Oracle Database Advanced Security Administrator's Guide .

5.3.2 Configuring SSL Communication

You configure SSL to secure data communication between Oracle Identity Governance and the target system.

To enable SSL communication between Oracle Database and Oracle Identity Governance:

See Secure Socket Layer in Oracle Database Advanced Security Administrator's Guide for information about enabling SSL communication between Oracle Database and Oracle Identity Governance.
Export the certificate on the Oracle Database host computer.
Copy the certificate to Oracle Identity Governance.

Import the certificate into the JVM certificate store of the application server on which Oracle Identity Governance is running.

To import the certificate into the certificate store, run the following command:

keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS

In this command:

Replace FILE_LOCATION with the full path and name of the certificate file.
Replace ALIAS with an alias for the certificate.
Replace TRUSTSTORE_PASSWORD with a password for the certificate store.
Replace TRUSTSTORE_LOCATION with one of the certificate store paths given in Table 5-1. This table shows the location of the certificate store for each of the supported application servers.

Note:

In an Oracle Identity Governance cluster, you must import the file into the certificate store on each node of the cluster.

Table 5-1 Certificate Store Locations

Application Server	Certificate Store Location
Oracle WebLogic Server	If you are using Oracle jrockit_R27.3.1-jdk, then copy the certificate into the following directory: JROCKIT_HOME/jre/lib/security If you are using the default Oracle WebLogic Server JDK, then copy the certificate into the following directory: WEBLOGIC_HOME/java/jre/lib/security/cacerts
IBM WebSphere Application Server	For a nonclustered configuration of any supported IBM WebSphere Application Server release, import the certificate into the following certificate store: WEBSPHERE_HOME/java/jre/lib/security/cacerts For IBM WebSphere Application Server 6.1.x, in addition to the `cacerts` certificate store, you must import the certificate into the following certificate store: WEBSPHERE_HOME/Web_Sphere/profiles/SERVER_NAME/config/cells/CELL_NAME/nodes/NODE_NAME/trust.p12 For example: C:/Web_Sphere/profiles/AppSrv01/config/cells/tcs055071Node01Cell/nodes/tcs055071Node0/trust.p12 For IBM WebSphere Application Server 5.1.x, in addition to the `cacerts` certificate store, you must import the certificate into the following certificate store: WEBSPHERE_HOME/etc/DummyServerTrustFile.jks
JBoss Application Server	JAVA_HOME/jre/lib/security/cacerts
Oracle Application Server	ORACLE_HOME/jdk/jre/lib/security/cacerts

5.4 Determining Values for the JDBC URL and Connection Properties Parameters

This section discusses the JDBC URL and Connection Properties parameters.

The values that you specify for the JDBC URL and Connection Properties parameters depend on the security measures that you have implemented:

5.4.1 Supported JDBC URL Formats

The following are the supported JDBC URL formats:

Multiple database instances support one service (Oracle RAC)

JDBC URL format:

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=HOST1_NAME.DOMAIN)(PORT=PORT1_NUMBER))(ADDRESS=(PROTOCOL=TCP)(HOST=HOST2_NAME.DOMAIN)(PORT=PORT2_NUMBER))(ADDRESS=(PROTOCOL=TCP)(HOST=HOST3_NAME.DOMAIN)(PORT=PORT3_NUMBER)) . . . (ADDRESS=(PROTOCOL=TCP)(HOST=HOSTn_NAME.DOMAIN)(PORT=PORTn_NUMBER))(CONNECT_DATA=(SERVICE_NAME=ORACLE_DATABASE_SERVICE_NAME)))

Sample value:

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST= host1.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST= host2.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST= host3.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST= host4.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME= srvce1)))
One database instance supports one service

JDBC URL format:

jdbc:oracle:thin:@HOST_NAME.DOMAIN:PORT_NUMBER:ORACLE_DATABASE_SERVICE_NAME

Sample value:

jdbc:oracle:thin:@host1.example:1521:srvce1
One database instance supports multiple services (for Oracle Database 10g and later)

JDBC URL format:

jdbc:oracle:thin:@//HOST_NAME.DOMAIN:PORT_NUMBER/ORACLE_DATABASE_SERVICE_NAME

Sample value:

jdbc:oracle:thin:@host1.example.com:1521/srvce1

5.4.2 Only SSL Communication Is Configured

After you configure SSL communication between Oracle Identity Governance and your target system, the database URL is recorded in the tnsnames.ora file.

See Local Naming Parameters in the tnsnames.ora File in Oracle Database Net Services Reference for detailed information about the tnsnames.ora file.

The following are sample formats of the contents of the tnsnames.ora file. In these formats, DESCRIPTION contains the connection descriptor, ADDRESS contains the protocol address, and CONNECT_DATA contains the database service identification information.

Sample Format 1:

NET_SERVICE_NAME=
 (DESCRIPTION=
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (CONNECT_DATA= 
     (SERVICE_NAME=SERVICE_NAME)))

Sample Format 2:

NET_SERVICE_NAME= 
 (DESCRIPTION_LIST=
  (DESCRIPTION= 
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (CONNECT_DATA= 
     (SERVICE_NAME=SERVICE_NAME)))
  (DESCRIPTION= 
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (CONNECT_DATA= 
     (SERVICE_NAME=SERVICE_NAME))))

Sample Format 3:

NET_SERVICE_NAME= 
 (DESCRIPTION= 
  (ADDRESS_LIST= 
   (LOAD_BALANCE=on)
   (FAILOVER=off)
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)))
  (ADDRESS_LIST= 
   (LOAD_BALANCE=off)
   (FAILOVER=on)
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION))
   (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)))
  (CONNECT_DATA=
   (SERVICE_NAME=SERVICE_NAME)))

If you have configured only SSL communication and imported the certificate that you create on the target system host computer into the JVM certificate store of Oracle Identity Governance, then you must derive the value for the Connection URL parameter from the value of NET_SERVICE_NAME in the tnsnames.ora file. For example:

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost)(PORT=2484)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=mysid)))

Note:

As shown in this example, you must include only the (ADDRESS=(PROTOCOL=TCPS)(HOST=HOST_NAME)(PORT=2484)) element because you are configuring SSL. You need not include other (ADDRESS=(PROTOCOL_ADDRESS_INFORMATION)) elements.

5.4.3 Both Data Encryption and Integrity and SSL Communication Are Configured

If both data encryption and integrity and SSL communication are configured, then specify a value for the JDBC URL parameter in the following manner:

Enter a comma-separated combination of the values for the JDBC URL parameter described in Only SSL Communication Is Configured. For example:

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost)(PORT=2484)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=mysid)))

5.5 Managing Logging

Oracle Identity Governance uses the Oracle Diagnostic Logging (ODL) logging service for recording all types of events pertaining to the connector.

The following topics provide detailed information about logging:

5.5.1 Understanding Log Levels

When you enable logging, Oracle Identity Governance automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations.

ODL is the principle logging service used by Oracle Identity Governance and is based on java.util.logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

SEVERE.intValue()+100

This level enables logging of information about fatal errors.
SEVERE

This level enables logging of information about errors that might allow Oracle Identity Governance to continue running.
WARNING

This level enables logging of information about potentially harmful situations.
INFO

This level enables logging of messages that highlight the progress of the application.
CONFIG

This level enables logging of information about fine-grained events that are useful for debugging.
FINE, FINER, FINEST

These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These message types are mapped to ODL message type and level combinations as shown in Table 5-2.

Table 5-2 Log Levels and ODL Message Type:Level Combinations

Java Level	ODL Message Type:Level
SEVERE.intValue()+100	INCIDENT_ERROR:1
SEVERE	ERROR:1
WARNING	WARNING:1
INFO	NOTIFICATION:1
CONFIG	NOTIFICATION:16
FINE	TRACE:1
FINER	TRACE:16
FINEST	TRACE:32

The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Governance.

5.5.2 Enabling logging

Perform these steps to enable logging in Oracle WebLogic Server.

Edit the logging.xml file as follows:

Add the following blocks in the file:

<log_handler name='ebs-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
<property name='logreader:' value='off'/>
     <property name='path' value='[FILE_NAME]'/>
     <property name='format' value='ODL-Text'/>
     <property name='useThreadName' value='true'/>
     <property name='locale' value='en'/>
     <property name='maxFileSize' value='5242880'/>
     <property name='maxLogSize' value='52428800'/>
     <property name='encoding' value='UTF-8'/>
   </log_handler>
</log_handlers>

<logger name='ORG.IDENTITYCONNECTORS.EBS' level='[LOG_LEVEL]' useParentHandlers='false'>
     <handler name='ebs-handler'/>
     <handler name='console-handler'/>
   </logger>

Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 5-2 lists the supported message type and level combinations.

Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.

The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME] :

<log_handler name='ebs-handler' level='TRACE:32' class='oracle.core.ojdl.logging.ODLHandlerFactory'>    
     <property name='logreader:' value='off'/>
     <property name='path' value='/scratch/acme1/user1/oim_Jun25.log'/>
     <property name='format' value='ODL-Text'/>
     <property name='useThreadName' value='true'/>
     <property name='locale' value='en'/>
     <property name='maxFileSize' value='5242880'/>
     <property name='maxLogSize' value='52428800'/>
     <property name='encoding' value='UTF-8'/>
   </log_handler>
</log_handlers>

<loggers>
   <logger name='ORG.IDENTITYCONNECTORS.EBS' level='TRACE:32' useParentHandlers='false'>
     <handler name='ebs-handler'/>
     <handler name='console-handler'/>
   </logger>

With these sample values, when you use Oracle Identity Governance, all messages generated for this connector that are of a log level equal to or higher than the TRACE:32 level are recorded in the specified file.

Save and close the file.
Set the following environment variable to redirect the server logs to a file:

For Microsoft Windows:
```
set WLS_REDIRECT_LOG=FILENAME
```
For UNIX:
```
export WLS_REDIRECT_LOG=FILENAME
```
Replace FILENAME with the location and name of the file to which you want to redirect the output.
Restart the application server.

5.6 Localizing Field Labels in UI Forms

You can localize UI form field labels by using the resource bundle corresponding to the language you want to use. The resource bundles are available in the connector installation media.

To localize field label that you add in UI forms:

Log in to Oracle Enterprise Manager.
In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
In the right pane, from the Application Deployment list, select MDS Configuration.
On the MDS Configuration page, click Export and save the archive (oracle.iam.console.identity.sysadmin.ear_V2.0_metadata.zip) to the local computer.
Extract the contents of the archive, and open the following file in a text editor:

SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf

Note:
You will not be able to view the BizEditorBundle.xlf unless you complete creating the application for your target system or perform any customization such as creating a UDF.

Edit the BizEditorBundle.xlf file in the following manner:

Search for the following text:

<file source-language="en"  
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

Replace with the following text:

<file source-language="en" target-language="LANG_CODE"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:

<file source-language="en" target-language="ja"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

Search for the application instance code. This procedure shows a sample edit for Oracle E-Business Suite application instance. The original code is:

<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_EBS_HRMS_EMPNO__c_description']}">
<source>Employee Number</source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.EBSHRMSForm1.entity.EBSHRMSForm1EO.UD_EBS_HRMS_EMPNO__c_LABEL">
<source>Employee Number</source>
<target/>

Open the resource file (for example, EBS-HRMS.properties) from the connector package, and get the value of the attribute from the file, for example, global.udf.UD_EBS_HRMS_EMPNO=\u4567d.

Replace the original code shown in Step 6.c with the following:

<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_EBS_HRMS_EMPNO__c_description']}">
<source>Employee Number</source>
<target>\u5F93\u696D\u54E1\u756A\u53F7</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.EBSHRMSForm1.entity.EBSHRMSForm1EO.UD_EBS_HRMS_EMPNO__c_LABEL">
<source>Employee Number</source>
<target>\u5F93\u696D\u54E1\u756A\u53F7</target>
</trans-unit>

Repeat Steps 6.a through 6.d for all attributes of the process form.
Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.

Sample file name: BizEditorBundle_ja.xlf.

Repackage the ZIP file and import it into MDS.

See Also:

Deploying and Undeploying Customizations in Developing and Customizing Applications for Oracle Identity Governance, for more information about exporting and importing metadata files
Log out of and log in to Oracle Enterprise Manager.

5.7 Removing the Default Validation Check for Provisioning Operations

During a provisioning operation for child data, the connector API validates data against a combination of the Grade Id, Department Id, and Organization Id fields. If this valid combination is not found, an error is encountered and the provisioning operation fails.

If you do not want to use this strict validation, then you must remove the default validation check to perform the provisioning operation successfully. To do so:

Open any SQL client. For example, SQL Developer.
Open the body of the OIM_EMPLOYEE_WRAPPER.pck wrapper package.

Comment out the following lines of code by prefixing them with a double hyphen (--):

       IF create_person_assignment_api.grade_id IS NOT NULL THEN
          select count(*) into validcount from PER_VALID_GRADES where business_group_id =create_person_assignment_api.organization_id 
          and job_id=create_person_assignment_api.job_id and grade_id=create_person_assignment_api.grade_id;
          if validcount = 0 then
            raise_application_error (-20001, 'Invalid combination of organization, job and grade');
          end if;
      ELSE
          select count(*) into valid_job_count from PER_JOBS where job_id = create_person_assignment_api.job_id;
          if valid_job_count = 0 then
             raise_application_error (-20001, 'Invalid combination of organization, job and grade');
            end if;
      END IF;

Re-compile the wrapper package.

As an alternative to this procedure, you can edit the scripts\OIM_EMPLOYEE_WRAPPER.pck file by commenting out the lines of code and then running either the Run_HRMS_DBScripts.sh or Run_HRMS_DBScripts.bat file.