4 Performing Postconfiguration Tasks for the SAP User Management Engine Connector
These are the tasks that you can perform after creating an application in Oracle Identity Governance.
4.1 Configuring Oracle Identity Governance
During application creation, if you did not choose to create a default form, then you must create a UI form for the application that you created by using the connector.
Note:
Perform the procedures described in this section only if you did not choose to create the default form during creating the application.4.1.1 Creating and Activating a Sandbox
You must create and activate a sandbox to begin using the customization and form management features. You can then publish the sandbox to make the customizations available to other users.
See Creating a Sandbox and Activating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
4.1.2 Creating a New UI Form
You can use Form Designer in Oracle Identity System Administration to create and manage application instance forms.
See Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Governance.
While creating the UI form, ensure that you select the resource object corresponding to the newly created application that you want to associate the form with. In addition, select the Generate Entitlement Forms check box.
4.1.3 Publishing a Sandbox
Before publishing a sandbox, perform this procedure as a best practice to validate all sandbox changes made till this stage as it is difficult to revert the changes after a sandbox is published.
-
In Identity System Administration, deactivate the sandbox.
-
Log out of Identity System Administration.
-
Log in to Identity Self Service using the xelsysadm user credentials and then activate the sandbox that you deactivated in Step 1.
-
In the Catalog, ensure that the application instance form for your resource appears with correct fields.
-
Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
4.1.5 Updating an Existing Application Instance with a New Form
For any changes that you do in the schema of your application in Identity Self Service, you must create a new UI form and update the changes in an application instance.
To update an existing application instance with a new form:
-
Create and activate a sandbox.
-
Create a new UI form for the resource.
-
Open the existing application instance.
-
In the Form field, select the new UI form that you created.
-
Save the application instance.
-
Publish the sandbox.
See Also:
-
Creating a Sandbox and Activating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance
-
Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Governance
-
Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance
4.2 Harvesting Entitlements and Sync Catalog
To harvest entitlements and sync catalog:
- Run the scheduled jobs for lookup field synchronization.
- Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table.
- Run the Catalog Synchronization Job scheduled job.
See Also:
-
Reconciliation Jobs for a list of jobs for entitlements (lookup field synchronization)
-
Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Governance for information about the Entitlement List and Catalog Synchronization Job scheduled jobs
4.3 Configuring Password Changes for Newly Created Accounts
When you log in to SAP by using a newly created account, you are prompted to change your password at first logon. For accounts created through Oracle Identity Governance, password management can be configured by using the changePwdFlag and dummyPassword parameters of the Advanced Settings section.
You can apply one of the following approaches:
-
Configure the connector so that users with newly created accounts are prompted to change their passwords at first logon.
To achieve this, set the changePwdFlag parameter of Basic Configuration section to
no
. With this setting, the password entered on the process form for a new user account is used to set the password for the new account on the target system. When the user logs in to the target system, the user is prompted to change the password. -
Configure the connector so that the password set while creating the account on Oracle Identity Governance is set as the new password on the target system. The user is not prompted to change the password at first logon.
To achieve this, set the changePwdFlag parameter to
yes
and enter a string in the dummyPassword parameter of the Basic Configuration section. With these settings, when you create a user account through Oracle Identity Governance, the user is first created with the dummy password. Immediately after that, the connector changes the password of the user to the one entered on the process form. When the user logs in to the target system, the user is not prompted to change the password.Note:
Security policies of a few target systems allow a user to change the password only once per day. In such a scenario, the target system allows the user to only reset the password and not to change it. The password update task throws an error message, such as
Could not update user NEW_PASSWORD_INVALID.
If the password feature is disabled for users on the target system, then set the changePwdFlag parameter to
no
.
4.4 Managing Logging
Oracle Identity Governance uses the Oracle Diagnostic Logging (ODL) logging service for recording all types of events pertaining to the connector.
The following topics provide detailed information about logging:
4.4.1 Understanding Log Levels
When you enable logging, Oracle Identity Governance automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations.
ODL is the principle logging service used by Oracle Identity Governance and is based on java.util.logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
-
SEVERE.intValue()+100
This level enables logging of information about fatal errors.
-
SEVERE
This level enables logging of information about errors that might allow Oracle Identity Governance to continue running.
-
WARNING
This level enables logging of information about potentially harmful situations.
-
INFO
This level enables logging of messages that highlight the progress of the application.
-
CONFIG
This level enables logging of information about fine-grained events that are useful for debugging.
-
FINE, FINER, FINEST
These levels enable logging of information about fine-grained events, where FINEST logs information about all events.
These message types are mapped to ODL message type and level combinations as shown in Table 4-1.
Table 4-1 Log Levels and ODL Message Type:Level Combinations
Java Level | ODL Message Type:Level |
---|---|
SEVERE.intValue()+100 |
INCIDENT_ERROR:1 |
SEVERE |
ERROR:1 |
WARNING |
WARNING:1 |
INFO |
NOTIFICATION:1 |
CONFIG |
NOTIFICATION:16 |
FINE |
TRACE:1 |
FINER |
TRACE:16 |
FINEST |
TRACE:32 |
The configuration file for OJDL is logging.xml, which is located at the following path:
DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml
Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Governance.
4.4.2 Enabling Logging
To enable logging in Oracle WebLogic Server:
-
Edit the logging.xml file as follows:
-
Add the following blocks in the file:
<log_handler name='sap-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'> <property name='logreader:' value='off'/> <property name='path' value='[FILE_NAME]'/> <property name='format' value='ODL-Text'/> <property name='useThreadName' value='true'/> <property name='locale' value='en'/> <property name='maxFileSize' value='5242880'/> <property name='maxLogSize' value='52428800'/> <property name='encoding' value='UTF-8'/> </log_handler>
<logger name="ORG.IDENTITYCONNECTORS.SAPUME" level="[LOG_LEVEL]" useParentHandlers="false"> <handler name="sap-handler"/> <handler name="console-handler"/> </logger>
If you are using SAP GRC, then add the following block:
<logger name="ORG.IDENTITYCONNECTORS.SAPAC" level="[Log_LEVEL]" useParentHandlers="false"> <handler name="sap-handler"/> <handler name="console-handler"/> </logger>
If you are using Application Onboarding, then add the following block:
<logger name='oracle.iam.application' level="[Log_LEVEL]" useParentHandlers='false'> <handler name='sap-handler'/> <handler name='console-handler'/> </logger>
-
Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Understanding Log Levels lists the supported message type and level combinations.
Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.
The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME]:
<log_handler name='sap-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'> <property name='logreader:' value='off'/> <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\oim_server1-diagnostic-1.log'/> <property name='format' value='ODL-Text'/> <property name='useThreadName' value='true'/> <property name='locale' value='en'/> <property name='maxFileSize' value='5242880'/> <property name='maxLogSize' value='52428800'/> <property name='encoding' value='UTF-8'/> </log_handler>
<logger name="ORG.IDENTITYCONNECTORS.SAPUME" level="NOTIFICATION:1" useParentHandlers="false"> <handler name="sap-handler"/> <handler name="console-handler"/> </logger>
If you are using SAP GRC, then add the following block:
<logger name="ORG.IDENTITYCONNECTORS.SAPAC" level="NOTIFICATION:1" useParentHandlers="false"> <handler name="sap-handler"/> <handler name="console-handler"/> </logger>
If you are using Application Onboarding, then add the following block:
<logger name='oracle.iam.application' level="NOTIFICATION:1" useParentHandlers='false'> <handler name='sap-handler'/> <handler name='console-handler'/> </logger> </logger>
With these sample values, when you use Oracle Identity Governance, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.
-
-
Save and close the file.
-
Set the following environment variable to redirect the server logs to a file:
For Microsoft Windows:
set WLS_REDIRECT_LOG=FILENAME
For UNIX:
export WLS_REDIRECT_LOG=FILENAME
Replace FILENAME with the location and name of the file to which you want to redirect the output.
-
Restart the application server.
4.5 Configuring SSL to Secure Communication Between the Target System and Oracle Identity Governance
You configure SSL to secure data communication between Oracle Identity Governance and the target system.
To configure SSL between the target system and Oracle Identity Governance:
-
Generate the certificate on the target system.
See the target system documentation for detailed instructions.
-
To import the certificate on Oracle Identity Governance:
-
Copy the target system certificate to the Oracle Identity Governance host computer.
-
In a command window, change to the directory where you copy the certificate file and then enter a command similar to the following:
keytool -import -alias ALIAS -file CER_FILE -keystore MY_CACERTS -storepass PASSWORD
In this command:
ALIAS is the alias for the certificate (for example, the server name).
CER_FILE is the full path and name of the certificate (.cer) file.
Table 4-2 shows the location of the certificate store of the supported application server.
The following is a sample command:
keytool -import -alias ibm1-cert140 -file C:\syaug24\Middleware\ibm1-cert.cer -keystore C:\syaug24\Middleware\jrockit_160_24_D1.1.2-4\jre\lib\security\cacerts -storepass changeit
Table 4-2 Certificate Store Locations
Application Server Certificate Store Location Oracle WebLogic Server
-
If you are using Oracle jrockit_R27.3.1-jdk, then copy the certificate into the following directory:
JROCKIT_HOME/jre/lib/security/cacerts
-
If you are using the default Oracle WebLogic Server JDK, then copy the certificate into the following directory:
WEBLOGIC_HOME/java/jre/lib/security/cacerts
-
-
To confirm whether or not the certificate has been imported successfully, enter a command similar to the following:
keytool -list -alias ALIAS -keystore MY_CACERTS -storepass PASSWORD
For example:
keytool -list -alias MyAlias -keystore C:\mydir\java\jre\lib\security\cacerts -storepass changeit
-
4.6 Configuring the IT Resource for the Connector Server
If you have used the Connector Server, then you must configure values for the parameters of the Connector Server IT resource.
After you create the application for your target system, you must create an IT resource for the Connector Server as described in Creating IT Resources of Oracle Fusion Middleware Administering Oracle Identity Governance. While creating the IT resource, ensure to select Connector Server from the IT Resource Type list. In addition, specify values for the parameters of IT resource for the Connector Server listed in Table 4-3. For more information about searching for IT resources and updating its parameters, see Managing IT Resources in Oracle Fusion Middleware Administering Oracle Identity Governance.
Table 4-3 Parameters of the IT Resource for the Connector Server
Parameter | Description |
---|---|
Host |
Enter the host name or IP address of the computer hosting the connector server. Sample value: |
Key |
Enter the key for the Java connector server. |
Port |
Enter the number of the port at which the connector server is listening. Default value: |
Timeout |
Enter an integer value which specifies the number of milliseconds after which the connection between the connector server and Oracle Identity Governance times out. Sample value: |
UseSSL |
Enter Default value: Note: If you configure the connector to communicate with the Connector Server using SSL, including setting the connectorserver.usessl property to true and importing the target system certificate into the Connector Server JDK keystore, an attempt to access the target system or run the Connector Server returns an error. |
4.7 Configuring the Access Request Management Feature of the Connector
You can configure Oracle Identity Governance as the medium for sending provisioning requests to SAP GRC Access Request Management. A request from Oracle Identity Governance is sent to Access Request Management, which forwards the provisioning data contained within the request to the target system (SAP NetWeaver Java Application Server). The outcome is the creation of or modification to the user's account on the target system.
Note:
Before you configure the Access Request Management feature, it is recommended that you read the guidelines described in Guidelines on Using an Application Configuration.
You must create and configure request types and workflows on SAP GRC Access Request Management for provisioning operations.
-
Create a request type in SAP GRC Access Request Management.
A request type In SAP GRC Access Request Management defines the action that is performed when a request is processed. Oracle Identity Governance is a requester. It works with request types defined in SAP GRC Access Request Management. The application advanced configuration maps request types to provisioning operations submitted through Oracle Identity Governance.
-
Create an access request workflow using the MSMP (Multi Step Multi process) Workflow engine.
4.8 Configuring SoD (Segregation of Duties)
SoD is a process that ensures that an individual is given access to only one module of a business process and will not be able to access other modules to reduce risk of fraud and error.
This section discusses the following procedures:
Note:
The ALL USERS group has INSERT, UPDATE, and DELETE permissions on the UD_SAPUME and UD_UME_ROLE process forms. During SoD validation of an entitlement request, data first moves from a dummy object form to a dummy process form. From there, data is sent to the SoD engine for validation. If the request clears the SoD validation, then data is moved from the dummy process form to the actual process form. Because the data is moved to the actual process forms through APIs, the ALL USERS group must have INSERT, UPDATE, and DELETE permissions on the three process forms.
4.8.1 Specifying Values for the GRC UME-ITRes IT Resource
The GRC UME-ITRes IT resource holds information that is used during communication with SAP GRC Access Request Management. To set values for the parameters of this IT resource:
-
For Oracle Identity Governance 12.2.1.3.0, log in to Oracle Identity System Administration.
-
In the left pane under Configuration, click IT Resource.
-
In the IT Resource Name field on the Manage IT Resource page, enter
GRC UME-ITRes
and then click Search. -
Click the edit icon for the IT resource.
-
From the list at the top of the page, select Details and Parameters.
-
Specify values for the parameters of the IT resource.
Table 4-4 lists the parameters of the GRC UME-ITRes IT resource.
Table 4-4 Parameters of the GRC UME-ITRes IT Resource
Parameter Description Configuration Lookup
Enter the name of the configuration lookup definition.
Value for Lookup
Lookup.SAPUME.Configuration
Connector Server Name
Name of the IT resource of the type "Connector Server."
language
Enter the two-letter code for the language set on the target system.
Sample value:
EN
password
Enter the password of the account created on Access Request Management system.
port
Enter the number of the port at which Access Request Management system is listening.
Sample value:
8090
server
Enter the IP address of the host computer on which Access Request Management system is listening.
Sample value:
10.231.231.231
username
Enter the user name of an account created on Access Request Management system. This account is used to call Access Request Management system APIs that are used during request validation.
Sample value:
jdoe
-
To save the values, click Update.
4.8.2 Configuring SAP GRC to Act As the SoD Engine
To configure the SAP GRC to act as the SoD engine, see Using Segregation of Duties (SoD) in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for 11g Release 1 (11.1.2).
4.8.3 Specifying a Value for the TopologyName Basic Configuration Parameter
The TopologyName IT resource parameter holds the name of the combination of the following elements that you want to use for SoD validation:
-
Oracle Identity Governance installation
-
SAP GRC installation
-
SAP ERP installation
By default, the GRC-ITRes IT resource is registered. However, you must manually register the GRC UME-ITRes IT resource and enter the new topology name as the value of the TopologyName IT resource parameter.
To register the GRC UME-ITRes IT resource:
See Basic Configuration Parameters for information about specifying values for Basic Configuration Parameters.
4.8.4 Disabling and Enabling SoD
This section describes the procedure to disable and enable SoD on Oracle Identity Governance.
4.8.4.1 Disabling SoD on Oracle Identity Governance
To disable SoD:
-
For Oracle Identity Governance release 12.2.1.3.0, log in to Oracle Identity System Administration.
-
In the left pane, under System Management, click System Configuration.
-
In the Search System Configuration box, enter
XL.SoDCheckRequired
and then click Search.A list that matches your search criteria is displayed in the search results table.
-
Click the XL.SoDCheckRequired property name.
System properties for SoD are displayed on the right pane.
-
In the Value box, enter
FALSE
to disable SoD. -
Click Save.
-
Restart Oracle Identity Governance.
4.8.4.2 Enabling SoD on Oracle Identity Governance
To enable SoD:
-
For Oracle Identity Governance release 12.2.1.3.0, log in to Oracle Identity System Administration.
-
In the left pane, under System Management, click System Configuration.
-
In the Search System Configuration box, enter
XL.SoDCheckRequired
and then click Search.A list that matches your search criteria is displayed in the search results table.
-
Click the XL.SoDCheckRequired property name.
System properties for SoD are displayed on the right pane.
-
In the Value box, enter
TRUE
to enable SoD. -
Click Save.
-
Restart Oracle Identity Governance.
4.9 Downloading WSDL files from SAP GRC
You need to download the WSDL files from SAP GRC before configuring the web services in SAP GRC. WSDL is required for connector to connect SAP web services.
Since the connector supports only basic authentication, select the User ID/Password check box for the following web services supported from OIG:
WSDL | Description |
---|---|
GRAC_AUDIT_LOGS_WS |
Audit log web service |
GRAC_LOOKUP_WS |
Look Up Service |
GRAC_REQUEST_STATUS_WS |
Request status web service |
GRAC_SELECT_APPL_WS |
Select Application web service |
GRAC_USER_ACCESS_WS |
User Access Request Service |
GRAC_SEARCH_ROLES_WS |
Search role web service |
When you download the WSDL file, ensure to save it with the same name as mentioned in the SOA Management page. In addition, ensure that the folder containing WSDL files have read permission.
4.10 Localizing Field Labels in UI Forms
You can localize UI form field labels by using the resource bundle corresponding to the language you want to use. The resource bundles are available in the connector installation media.
Note:
Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.2.x or later and you want to localize UI form field labels.
To localize field label that you add to in UI forms:
-
Log in to Oracle Enterprise Manager.
-
In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
-
In the right pane, from the Application Deployment list, select MDS Configuration.
-
On the MDS Configuration page, click Export and save the archive (oracle.iam.console.identity.sysadmin.ear_V2.0_metadata.zip) to the local computer.
-
Extract the contents of the archive, and open the SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_en.xlf file in a text editor:
Note:
You will not be able to view the BizEditorBundle.xlf unless you complete creating the application for your target system or perform any customization such as creating a UDF. -
Edit the BizEditorBundle.xlf file in the following manner:
-
Search for the following text:
<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
-
Replace with the following text:
<file source-language="en" target-language="LANG_CODE" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:
<file source-language="en" target-language="ja" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
-
Search for the application instance code. This procedure shows a sample edit for SAP User Management Engine application instance. The original code is:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_SAPUME_DEPARTMENT__c_description']}"> <source>Department</source> </target> </trans-unit> <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.SAPUMEFORM.entity.SAPUMEFORMEO.UD_SAPUME_DEPARTMENT__c_LABEL"> <source>Department</source> </target> </trans-unit>
-
Open the resource file from the connector package, for example SAPUME_ja.properties, and get the value of the attribute from the file, for example, global.udf.UD_SAPUME_DEPARTMENT=\u90E8\u9580.
-
Replace the original code shown in Step 6.b with the following:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_SAPUME_DEPARTMENT__c_description']}"> <source>Department</source> <target>\u90E8\u9580</target> </trans-unit> <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.SAPUMEFORM.entity.SAPUMEFORMEO.UD_SAPUME_DEPARTMENT__c_LABEL"> <source>Department</source> <target>\u90E8\u9580</target> </trans-unit>
-
Repeat Steps 6.a through 6.d for all attributes of the process form.
-
Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.
Sample file name: BizEditorBundle_ja.xlf.
-
-
Repackage the ZIP file and import it into MDS.
See Also:
Deploying and Undeploying Customizations in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for more information about exporting and importing metadata files
-
Log out of and log in to Oracle Identity Governance.