4 Performing the Postconfiguration Tasks for the Identity Cloud Service Connector

These are the tasks that you must perform after creating an application in Oracle Identity Governance.

• Configuring Oracle Identity Governance

• Harvesting Entitlements and Sync Catalog

• Managing Logging for the Connector Server

• Configuring the IT Resource for the Connector Server

• Localizing Field Labels in UI Forms

• Configuring SSL for the Connector

4.1 Configuring Oracle Identity Governance

During application creation, if you did not choose to create a default form, then you must create a UI form for the application that you created by using the connector.

Note:

Perform the procedures described in this section only if you did not choose to create the default form during creating the application.

The following topics describe the procedures to configure Oracle Identity Governance:

• Creating and Activating a Sandbox

• Creating a New UI Form

• Publishing a Sandbox

• Updating an Existing Application Instance with a New Form

4.1.1 Creating and Activating a Sandbox

You must create and activate a sandbox to begin using the customization and form management features. You can then publish the sandbox to make the customizations available to other users.

See Creating a Sandbox and Activating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

4.1.2 Creating a New UI Form

You can use Form Designer in Oracle Identity System Administration to create and manage application instance forms.

See Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Governance.

While creating the UI form, ensure that you select the resource object corresponding to the newly created application that you want to associate the form with. In addition, select the Generate Entitlement Forms check box.

4.1.3 Publishing a Sandbox

Before publishing a sandbox, perform this procedure as a best practice to validate all sandbox changes made till this stage as it is difficult to revert the changes after a sandbox is published.

1. In Identity System Administration, deactivate the sandbox.

2. Log out of Identity System Administration.

3. Log in to Identity Self Service using the xelsysadm user credentials and then activate the sandbox that you deactivated in Step 1.

4. In the Catalog, ensure that the application instance form for your resource appears with correct fields.

5. Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

4.1.4 Updating an Existing Application Instance with a New Form

For any changes that you do in the schema of your application in Identity Self Service, you must create a new UI form and update the changes in an application instance.

To update an existing application instance with a new form:

1. Create and activate a sandbox.

2. Create a new UI form for the resource.

3. Open the existing application instance.

4. In the Form field, select the new UI form that you created.

5. Save the application instance.

6. Publish the sandbox.

See Also:

• Creating a Sandbox and Activating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance

• Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Governance

• Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance

4.2 Harvesting Entitlements and Sync Catalog

You can populate Entitlement schema from child process form table, and harvest roles, application instances, and entitlements into catalog. You can also load catalog metadata.

To harvest entitlements and sync the catalog:

1. Run the scheduled jobs for lookup field synchronization listed in Reconciliation Jobs for Entitlements.
2. Run the Entitlement List scheduled job to populate Entitlement Assignment schema from the child process form table.
3. Run the Catalog Synchronization Job scheduled job.

See Also:

Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Governance for a description of the Entitlement List and Catalog Synchronization Job scheduled jobs

4.3 Managing Logging for the Connector Server

Oracle Identity Governance uses the Oracle Diagnostic Logging (ODL) logging service for recording all types of events pertaining to the connector.

The following topics provide detailed information about logging:

• Understanding Log Levels

• Enabling Logging

4.3.1 Understanding Log Levels

When you enable logging, Oracle Identity Governance automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations.

ODL is the principle logging service used by Oracle Identity Governance and is based on java.util.logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

• SEVERE.intValue()+100

  This level enables logging of information about fatal errors.

• SEVERE

  This level enables logging of information about errors that might allow Oracle Identity Governance to continue running.

• WARNING

  This level enables logging of information about potentially harmful situations.

• INFO

  This level enables logging of messages that highlight the progress of the application.

• CONFIG

  This level enables logging of information about fine-grained events that are useful for debugging.

• FINE, FINER, FINEST

  These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These message types are mapped to ODL message type and level combinations as shown in Table 4-1.

Table 4-1 Log Levels and ODL Message Type:Level Combinations

Java Level	ODL Message Type:Level
SEVERE.intValue()+100	INCIDENT_ERROR:1
SEVERE	ERROR:1
WARNING	WARNING:1
INFO	NOTIFICATION:1
CONFIG	NOTIFICATION:16
FINE	TRACE:1
FINER	TRACE:16
FINEST	TRACE:32

The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Governance.

4.3.2 Enabling Logging

Perform this procedure to enable logging in Oracle WebLogic Server.

To enable logging:

1. Edit the logging.xml file as follows:

   1. Add the following blocks in the file:

      <log_handler name='idcs-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
      <property name='logreader:' value='off'/>
           <property name='path' value='/scratch/IDCS/Logs/IDCS.log'/>     
      		 <property name='format' value='ODL-Text'/>
           <property name='useThreadName' value='true'/>
           <property name='locale' value='en'/>
           <property name='maxFileSize' value='5242880'/>
           <property name='maxLogSize' value='52428800'/>
           <property name='encoding' value='UTF-8'/>
         </log_handler>
      

       <logger name='ORG.IDENTITYCONNECTORS.GENERICSCIM' level='TRACE:32'  
      useParentHandlers='false'>
           <handler name='idcs-handler'/>
           <handler name='console-handler'/>
         </logger>
      

   2. Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Understanding Log Levels lists the supported message type and level combinations.

      Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages specific to connector operations to be recorded.

      The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME] :

      <log_handler name='idcs-handler' level='TRACE:32' 
      class='oracle.core.ojdl.logging.ODLHandlerFactory'> 
      <property name='logreader:' value='off'/>
           <property name='path' 
        value='/scratch/IDCS/Logs/IDCS.log'/> 
           <property name='format' value='ODL-Text'/>
           <property name='useThreadName' value='true'/>
           <property name='locale' value='en'/>
           <property name='maxFileSize' value='5242880'/>
           <property name='maxLogSize' value='52428800'/>
           <property name='encoding' value='UTF-8'/>
         </log_handler>
      </log_handlers>  
      
       <logger name='ORG.IDENTITYCONNECTORS.GENERICSCIM' level='TRACE:32'  
      useParentHandlers='false'>
           <handler name='idcs-handler'/>
           <handler name='console-handler'/>
         </logger>
      

   With these sample values, when you use Oracle Identity Governance, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.

2. Save and close the file.

3. Set the following environment variable to redirect the server logs to a file:

   • For Microsoft Windows:

     set WLS_REDIRECT_LOG=FILENAME

   • For UNIX:

     export WLS_REDIRECT_LOG=FILENAME

   Replace FILENAME with the location and name of the file to which you want to redirect the output.

4. Restart the application server.

4.4 Configuring the IT Resource for the Connector Server

If you have used the Connector Server, then you must configure values for the parameters of the Connector Server IT resource.

After you create the application for your target system, you must create an IT resource for the Connector Server as described in Creating IT Resource of Oracle Fusion Middleware Administering Oracle Identity Governance. While creating the IT resource, ensure to use to select Connector Server from the IT Resource Type list.

In addition, specify values for the parameters of the IT resource for the Connector Server listed in Table 4-2.

Table 4-2 Parameters of the IT Resource for the Connector Server

Parameter	Description
Host	Enter the host name or IP address of the computer hosting the Connector Server. Sample value: myhost.com
Key	Enter the key for the Connector Server.
Port	Enter the number of the port at which the Connector Server is listening. By default, this value is blank. You must enter the port number that is displayed on the terminal when you start the Connector Server. Sample value: 8759
Timeout	Enter an integer value which specifies the number of milliseconds after which the connection between the Connector Server and Oracle Identity Governance times out. Recommended value: 0 A value of 0 means that the connection never times out.
UseSSL	Enter true to specify that you will configure SSL between Oracle Identity Governance and the Connector Server. Otherwise, enter false. Default value: false Note: It is recommended that you configure SSL to secure communication with the connector server. To configure SSL, see Configuring SSL for Java Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

4.5 Localizing Field Labels in UI Forms

You can localize UI form field labels by using the resource bundle corresponding to the language you want to use. The resource bundles are available in the connector installation package.

To localize field label that is added to the UI forms:

1. Log in to Oracle Enterprise Manager.
2. In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
3. In the right pane, from the Application Deployment list, select MDS Configuration.
4. On the MDS Configuration page, click Export and save the archive to the local computer.
5. Extract the contents of the archive, and open one of the following files in a text editor:
   SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_ en.xlf

   Note:

   You will not be able to view the BizEditorBundle.xlf unless you complete creating the application for your target system or perform any customization such as creating a UDF.
6. Edit the BizEditorBundle.xlf file in the following manner:

   1. Search for the following text:

      <file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">

   2. Replace with the following text:

      <file source-language="en" target-language="LANG_CODE" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">

      In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:

      <file source-language="en" target-language="ja"
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">

   3. Search for the application instance code. This procedure shows a sample edit for the Identity Cloud Service application instance. The original code is:

      <trans-unit
      id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ACMEGSAP_APP_DFLT_HOME__c_description']}">
      <source>APP_DFLT_HOME</source>
      <target/>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ACMEFORM.entity.ACMEFORMEO.UD_ACMEGSAP_APP_DFLT_HOME__c_LABEL">
      <source>APP_DFLT_HOME</source>
      <target/>
      </trans-unit>

   4. Open the properties file created in Step 1 and get the value of the attribute, for example, global.udf.D_ACMEGSAP_APP_DFLT_HOME=\u4567d.

   5. Replace the original code shown in Step c with the following:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ACMEGSAP_APP_DFLT_HOME__c_description']}">
      <source>APP_DFLT_HOME</source>
      <target>\u4567d</target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ACMEFORM.entity.ACMEFORMEO.UD_ACMEGSAP_APP_DFLT_HOME__c_LABEL">
      <source>APP_DFLT_HOME</source>
      <target>\u4567d</target>
      </trans-unit>

   6. Repeat Steps 6.a through 6.d for all attributes of the process form.

   7. Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.

      Sample file name: BizEditorBundle_ja.xlf.

7. Repackage the ZIP file and import it into MDS.

   See Also:

   Deploying and Undeploying Customizations in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for more information about exporting and importing metadata files

8. Log out of and log in to Oracle Identity Governance.

4.6 Configuring SSL for the Connector

You must configure SSL to secure communication between Oracle Identity Governance and your target system. Configuring SSL involves obtaining an SSL certificate from the target system and importing it into the identity keystore of Oracle Identity Governance.

Identity Cloud Service validates the client system dates to be in sync with the SSL certificate (the certificate issued by the Identity Cloud Service application) date. If there is any deviation, then the target system might throw an error. The client machine date must be in sync with the certificate timestamp range.

To configure SSL:

1. Obtain an SSL certificate from the target system:
   1. Open a web browser and enter the target system URL.
      The target system loads the SSL certificate in your browser.
   2. View and download the certificate.
2. Use the keytool command to import the downloaded certificate into the identity keystore in Oracle Identity Governance.

   keytool -import -alias alias -trustcacerts -file file-to-import -keystore keystore-name -storepass keystore-password

   In this example, the certificate file supportcert.pem is imported to the identity keystore client_store.jks with password weblogic1:

   keytool -import -alias serverwl -trustcacerts -file supportcert.pem -keystore client_store.jks -storepass weblogic1

   Note:

   Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool arguments.