Performing the Postconfiguration Tasks for the Microsoft Exchange Connector

4 Performing the Postconfiguration Tasks for the Microsoft Exchange Connector

These are the tasks that you can perform after creating the application in Oracle Identity Governance.

4.1 Configuring Oracle Identity Governance

During application creation, if you did not choose to create a default form, then you must create a UI form for the application that you created by using the connector.

Note:

Perform the procedures described in this section only if you did not choose to create the default form during creating the application.

The following topics describe the procedures to configure Oracle Identity Governance:

4.1.1 Creating and Activating a Sandbox

You must create and activate a sandbox to begin using the customization and form management features. You can then publish the sandbox to make the customizations available to other users.

See Creating a Sandbox and Activating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

4.1.2 Creating a New UI Form

You can use Form Designer in Oracle Identity System Administration to create and manage application instance forms.

See Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Governance.

While creating the UI form, ensure that you select the resource object corresponding to the newly created application that you want to associate the form with. In addition, select the Generate Entitlement Forms check box.

4.1.3 Publishing a Sandbox

Before publishing a sandbox, perform this procedure as a best practice to validate all sandbox changes made till this stage as it is difficult to revert the changes after a sandbox is published.

In Identity System Administration, deactivate the sandbox.
Log out of Identity System Administration.
Log in to Identity Self Service using the xelsysadm user credentials and then activate the sandbox that you deactivated in Step 1.
In the Catalog, ensure that the application instance form for your resource appears with correct fields.
Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

4.1.4 Updating an Existing Application Instance with a New Form

For any changes that you do in the schema of your application in Identity Self Service, you must create a new UI form and update the changes in an application instance.

To update an existing application instance with a new form:

Create and activate a sandbox.
Create a new UI form for the resource.
Open the existing application instance.
In the Form field, select the new UI form that you created.
Save the application instance.
Publish the sandbox.

4.2 Harvesting Entitlements and Sync Catalog

You can populate Entitlement schema from child process form table, and harvest roles, application instances, and entitlements into catalog. You can also load catalog metadata.

To harvest entitlements and sync catalog:

Run the reconciliation jobs for lookup field synchronization.
Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table.
Run the Catalog Synchronization Job scheduled job.

4.3 Setting Up Remote Mailbox Provisioning

You can configure your Exchange application or resource to support Remote Mailbox provisioning operations.

4.3.1 Setting Up Remote Mailbox Provisioning for an AOB Application

You can configure your Exchange application to support Remote Mailbox provisioning operation.

You can set up Remote Mailbox provisioning either during or after the creation of your Exchange application.

Log in to Identity Self Service.
Depending on whether you are setting up Remote Mailbox provisioning during or after the creation of your Exchange application, perform one of the following steps:
- For setting up Remote mailbox provisioning during Exchange application creation, fill in all the necessary details on the Basic Information page and then navigate to the Schema page.
- For setting up Remote mailbox provisioning after creating the Exchange application, search for and open the application you created for editing.
On the Schema page, add two new attributes as follows:
1. Click Add Attribute.
2. In the newly added row, enter values for the following fields:
  
  - Display Name: Remote Routing Address
  
  - Target Attribute: RemoteRoutingAddress
  
  - Select the Provision Field and Recon Field check boxes.
  
  - Click Advanced Settings denoted by three horizontal lines at the end of the row, select the Provide old value on update checkbox, and then click OK.
3. If you want to reconcile Remote Mailbox Type, then click Add Attribute to add a new attribute named Recipient Type Details.
4. In the newly added row, enter values for the following fields:
  
  - Display Name: Recipient Type Details
  
  - Target Attribute: RecipientTypeDetails
  
  - Deselect the Provision Field checkbox and select the Recon Field check box.
If you are in the process of creating the Exchange application, then continue with the rest of the process for creating it.
If you added the attributes for Remote Mailbox provisioning to an existing application, then apply your changes. Then, log in to Identity System Administration, create a new form and associate it with your updated Exchange application.
Log in to Identity System Administration.
Search for and open the Lookup.Exchange.RecipientType.Options lookup.
Add a new entry to the lookup with both the code and decode values as RemoteUserMailbox and save your changes.
Verify that the lookup Lookup.Exchange.RecipientType.Options contains the newly added entry.

4.3.2 Setting Up Remote Mailbox Provisioning for a CI-Based Resource

You can configure your Exchange resource to support Remote Mailbox provisioning operations after you deploy the connector.

Log in to Oracle Identity Manager Design Console.
Update the Lookup.Exchange.RecipientType.Options lookup definition to include an entry for Remote User Mailbox as follows:
1. Expand Administration, and then double-click Lookup Definition.
2. Search for and open the Lookup.Exchange.RecipientType.Options lookup definition.
3. Add a new entry to the lookup definition with the Code Key and Decode values as RemoteUserMailbox and Remote User Mailbox, respectively.
4. Verify that the Lookup.Exchange.RecipientType.Options lookup definition contains the newly added entry.
Update the UD_Exchange process form by adding a new field for Remote Routing Address as follows:
1. Expand Development Tools, and then double-click Form Designer.
2. Search for and open the UD_Exchange process form.
3. Click Create a New Version.
4. Click Add to add the new field and enter all the required details. Ensure that you enter the form field name as Remote Routing Address. Enter values for form field label, length, and other properties as per your requirement.
5. Click Make Version Active to activate the new version of the process form.
Update the Lookup.Exchange.UM.ProvAttrMap lookup definition for provisioning by adding a new entry with the Code Key and Decode values as Remote Routing Address and RemoteRoutingAddress, respectively.
Add the new field to the list of reconciliation fields in the resource object as follows:
1. Expand Resource Management and then double-click Resource Objects.
2. Search for and open the Exchange User resource object.
3. On the Object Reconciliation tab, click Add Field. Then, in the Add Reconciliation Field dialog box, enter the details for the RemoteRoutingAddress field.
4. Click Create Reconciliation Profile to copy changes made to the resource object into the MDS.
Create a reconciliation field mapping for the new field on the process form as follows:
1. Expand Process Management and then double-click Process Definition.
2. From the Process Definition table, select and open the Exchange User resource object.
3. Click Reconciliation Field Mappings and then click Add Field Map.
4. Enter all the details for the RemoteRoutingAddress field and then save your changes.
Create an entry for the field in the lookup definition for reconciliation as follows:
1. Expand Administration, and then double-click Lookup Definition.
2. Search for and open the Lookup.Exchange.UM.ReconAttrMap lookup definition.
3. Add a new entry to the lookup definition with the Code Key and Decode values as RemoteRoutingAddress and Remote Routing Address, respectively and the save your changes.
On the Resource Objects form, click Create Reconciliation Profile to copy changes made to the resource object into the MDS.
If you want to reconcile Remote Mailbox Type, then you must add a new entry named "Recipient Type Details" for reconciliation as follows:

Perform Steps 5 through 8 to add the Recipient Type Details field for reconciliation. While performing these steps ensure to replace RemoteRoutingAddress with RecipientTypeDetails.
Restart Oracle Identity Manager.

4.4 Localizing Field Labels in UI Forms

You can localize UI form field labels by using the resource bundle corresponding to the language you want to use. The resource bundles are available in the connector installation media.

To localize field label that you add to in UI forms:

Log in to Oracle Enterprise Manager.
In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
In the right pane, from the Application Deployment list, select MDS Configuration.
On the MDS Configuration page, click Export and save the archive (oracle.iam.console.identity.sysadmin.ear_V2.0_metadata.zip) to the local computer.
Extract the contents of the archive, and open the following file in a text editor if you are using Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) or later:

SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_en.xlf

Edit the BizEditorBundle.xlf file in the following manner:

Search for the following text:

<file source-language="en"  
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

Replace with the following text:

<file source-language="en" target-language="LANG_CODE"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in French:

<file source-language="en" target-language="fr"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

Search for the application instance code. This procedure shows a sample edit for Exchange application instance. The original code is:

<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_EXCHANGE_DISPLAYNAME__c_description']}">
<source>Display Name</source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ExchUserForm.entity.ExchUserFormEO.UD_EXCHANGE_DISPLAYNAME__c_LABEL">
<source>Display Name</source>
<target/>
</trans-unit>

Open the resource file from the connector package, for example Exchange_fr.properties, and get the value of the attribute from the file, for example, global.udf.UD_EXCHANGE_DISPLAYNAME=Nom d'affichage.

Replace the original code shown in Step 6.c with the following:

<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_EXCHANGE_DISPLAYNAME__c_description']}">
<source>Display Name</source>
<target>Nom d'affichage</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ExchUserForm.entity.ExchUserFormEO.UD_EXCHANGE_DISPLAYNAME__c_LABEL">
<source>Display Name</source>
<target>Nom d'affichage</target>
</trans-unit>

Repeat Steps 6.a through 6.d for all attributes of the process form.
Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.

Sample file name: BizEditorBundle_fr.xlf.

Repackage the ZIP file and import it into MDS.

See Also:

Deploying and Undeploying Customizations in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager, for more information about exporting and importing metadata files
Log out of and log in to Oracle Identity Manager.

4.5 Configuring SSL Between Oracle Identity Governance and Connector Server

You must configure SSL to secure communication between Oracle Identity Governance and Connector Server.

This procedure is mandatory if the connector server and the Exchange bundle are installed on the target system.

The following sections provide information about configuring SSL between Oracle Identity Governance and connector server:

4.5.1 Exporting the Certificate

You can export the certificate generated by CA by using the Microsoft Management Console. Ensure to export the certificate by creating a certificate file (.cer). For detailed instruction on exporting the certificate, refer to the target system documentation.

4.5.2 Configuring the Connector Server for SSL

To configure the connector server for SSL:

Create a certificate store and add the certificate created in Exporting the Certificate to the store. To do so:
In a command window, enter the following:

C:\>certutil -f -addstore sslstore C:\ExchangeSSLCer.cer

This command creates a new certificate store with the name 'sslstore' and adds the certificate ExchangeSSLCer to this store.
Navigate to the location where connector server is installed and locate the Connector Server\ConnectorServer.exe.Config file.
In a text editor, open the ConnectorServer.exe.Config file for editing:
Change the values of the following lines:

From:

<add key="connectorserver.usessl" value="false" />

<add key="connectorserver.certificatestorename" value="ConnectorServerSSLCertificate" />

To:

<add key="connectorserver.usessl" value="true" />

<add key="connectorserver.certificatestorename" value="sslstore" />
Restart the connector server.

4.5.3 Configuring Oracle Identity Governance for SSL

The following is the procedure to configure Oracle Identity Governance for SSL:

Copy the certificate generated in Step 1 of Configuring the Connector Server for SSL to the computer on which Oracle Identity Governance is running.
Import the target system certificate into the JDK used by Oracle Identity Governance by running the following command:
- For Oracle Identity Governance running on Oracle WebLogic Application Server:
  
  keytool -import -keystore MY_CACERTS -file CERT_FILE_NAME -storepass PASSWORD
  
  In this command:
  
  - MY_CACERTS is the full path and name of the certificate store (the default is cacerts).
  
  - CERT_FILE_NAME is the full path and name of the certificate file.
  
  - PASSWORD is the password of the keystore.
  
  The following is a sample command:
  
  keytool -import -keystore /home/testoc4j/OIM/jrockit_160_14_R27.6.5-32/jre/lib/security/cacerts -file /home/ExchangeSSLCer.cer -storepass sample_password
- For Oracle Identity Governance running on IBM WebSphere Application Server:
  
  In a terminal window, change to the WEBSPHERE_HOME\AppServer\java\jre\bin directory and run the following command:
  
  keytool -import -alias ALIAS_NAME -keystore MY_CACERTS -file CERT_FILE_NAME -storepass PASSWORD
  
  In this command:
  
  - ALIAS_NAME is the alias for the certificate store.
  
  - MY_CACERTS is the full path and name of the certificate store (the default is cacerts).
  
  - CERT_FILE_NAME is the full path and name of the certificate file.
  
  - PASSWORD is the password of the keystore.
  
  The following is a sample command:
  
  keytool -import -alias exchange_cert -keystore /scratch/jdoe/r2was/was9461/java/jre/lib/security/cacerts -file /scratch/jdoe/first/CS.cer -storepass sample_password
Import the target system certificate into the keystore of the application server by running the following command:
- For Oracle Identity Governance running on Oracle WebLogic Application Server:
  
  keytool -import -keystore WEBLOGIC_HOME/server/lib/DemoTrust.jks -file CERT_FILE_NAME -storepass PASSWORD
  
  In this command:
  
  - CERT_FILE_NAME is the full path and name of the certificate file.
  
  - PASSWORD is the password of the keystore.
  
  The following is a sample command:
  
  keytool -import -keystore WEBLOGIC_HOME/server/lib/DemoTrust.jks -file /home/ExchangeSSLCer.cer -storepass DemoTrustKeyStorePassPhrase
- For Oracle Identity Governance running on IBM WebSphere Application Server:
  
  In a terminal window, change to the WEBSPHERE_HOME\AppServer\java\jre\bin directory and run the following command:
  
  keytool -import -alias ALIAS_NAME -keystore $WAS_PROFILE_HOME/config/cells/DefaultCell01/trust.p12 -storetype PKCS12 -file CERT_FILE_NAME -storepass PASSWORD
  
  In this command:
  
  - ALIAS_NAME is the alias for the certificate store.
  
  - MY_CACERTS is the full path and name of the certificate store (the default is cacerts).
  
  - CERT_FILE_NAME is the full path and name of the certificate file.
  
  - PASSWORD is the password of the keystore.
  
  The following is a sample command:
  
  keytool -import -alias exchange_cert -keystore /scratch/jdoe/r2was/was9461/java/jre/lib/security/cacerts -file /scratch/jdoe/first/CS.cer -storepass sample_password
  
  keytool -import -alias exchange_cert -keystore /scratch/jdoe/r2was/was9461/profiles/Custom01/config/cells/DefaultCell01/trust.p12 -storetype PKCS12 -file /scratch/jdoe/first/CS.cer -storepass WebAS
Set the value of the UseSSL parameter of the connector server IT resource to true.