Deploying the RSA Authentication Manager Connector

2 Deploying the RSA Authentication Manager Connector

The procedure to deploy the connector can be divided into the following stages:

2.1 Preinstallation

Before installing the connector, you must copy the external code files and create a target system account to perform all reconciliation and provisioning operations. This information is divided across the following sections:

2.1.1 Copying the External Code Files

You must perform the following procedure to copy the external code files:

Create a directory named RSAAM-RELEASE_NUMBER under the following directory:

OIM_HOME/server/ConnectorDefaultDirectory/targetsystems-lib/

For example, if you are using release 11.1.1.5.0 of this connector, then create a directory named RSAAM-11.1.1.5.0 in the OIM_HOME/server/ConnectorDefaultDirectory/targetsystems-lib/ directory.
Copy the third party libraries mentioned in the "Java API Library JAR Files" section of the RSA Authentication Manager Developer's Guide to the OIM_HOME/server/ConnectorDefaultDirectory/targetsystems-lib/RSAAM-RELEASE_NUMBER directory.

2.1.2 Creating a Target System Account for Connector Operations

As a part of preinstallation, the connector uses a target system account to perform reconciliation and provisioning operations on the target system. To create this account, you must perform the following procedure:

Log in to the RSA Security Console.
If you want to assign administrative roles to end-users, then use the SuperAdminRole which is present by default in the target system, since only SuperAdminRole (and no custom role) can have permissions over all the administrative roles. If not, to create a role having the minimum permissions required for connector operations, perform the following procedure:
1. Expand the Administration list, select Administrative Roles, and then select Add New.
  
  The following screenshot shows this page:
  
  Description of the illustration first_page.gif
2. In the Administrative Role Name field, enter a name for the role.
3. Select the Permission Delegation check box.
4. In the Notes field, enter a description for the role.
5. In the Administrative Scope region:
  
  - Select the security domains that you want to include in the scope for connector operations.
  
  - Select the identity source that you want to include in the scope for connector operations.
  
  Description of the illustration createts_1.gif
6. Click Next.
7. In the Manager Policies region of the General Permissions page, select the View check box for the following permissions:
  
  - Password Policies
  
  - Lockout Policies
  
  - Self-Service Troubleshooting Policies
  
  - SecurID Token Policies
  
  - Offline Authentication Policies
8. In the Manage Security Domains region, select the View check box.
  
  Description of the illustration createts_2.gif
9. In the Manage Delegated Administration region, select the following permissions:
  
  - View check box for Administrative Roles
  
  - Assign Administrative Roles check box
10. In the Manage Users region, select the following permissions:
  
  - All, Delete, Add, Edit, and View check boxes for Users
  
  - Console Display check box
11. In the Manage User Groups region, select the View and Assign User Group Membership check boxes.
12. In the Manage Reports region, select the View check box for the Reports permission.
  
  Description of the illustration createts_3.gif
13. Click Next.
14. In the Manage RSA SecurID Tokens region of the Authentication Permissions page, select the following permissions:
  
  - Edit and View check boxes for SecurID Tokens
  
  - Assign Tokens
  
  - Distribute Software Tokens
  
  - View check box for Token Attribute Definitions
  
  - SecurID 800 Smart Card Details
15. In the Manage User Groups region, select the View check box for the User Group Restricted Access permission.
16. In the Manage User Authentication Attributes region, select the following permissions:
  
  - Edit and View check boxes for the Fixed Passcode
  
  - Manage Windows Password Integration
  
  - Manage Incorrect Password Count
  
  - Edit and View check boxes for the Default Shell permission
  
  Description of the illustration createts_4.gif
17. In the Manage Authentication Agents region, select the View check box for the Authentication Agent permission.
18. In the Trusted Realm Management region, select the following check boxes
  
  - View check box for the Trusted Users permission
  
  - View check box for the Trusted User Groups permission
  
  - View check box for the Trusted User Group Restricted Access permission
19. In the Manage RADIUS region, select following permissions:
  
  - View check box for RADIUS Profiles
  
  - Assign User RADIUS Profile check box
20. In the Manage On-Demand Authentication region, select the Manage On-Demand Authentication permission
21. Click Next.
  
  Description of the illustration createts_5.gif
22. On the Self-Service Permissions page, in the Provisioning Requests region, click Next.
  
  Description of the illustration createts_6.gif
23. On the Control/Summary page, review the summary of permissions and then click Save And Finish.
  
  Description of the illustration save_finish.gif
Create a user and assign the role to the user as follows:
1. Expand the Identity list, select Users, and then select Add New.
  
  The following screenshot shows this page:
  
  Description of the illustration step3_1.gif
2. On the Add New User page, enter the required values and then click Save.
  
  Note:
  
  The user ID and password that you enter on this page must be provided as the values of the Admin UserID and Admin Password IT resource parameters.
  
  In the Account Information region, select the No expiration date check box.
  
  The following screenshot shows this page:
  
  Description of the illustration step3_2.gif
3. Use the Search feature to open the details of the newly created user.
  
  The following screenshot shows this page:
  
  Description of the illustration step3_3.gif
4. Click the arrow displayed next to the user name and then select Assign More.
  
  The following screenshot shows this page:
  
  Description of the illustration step3_4.gif
5. From the list of administrative roles, select the role that you create in Step 2 and then click Assign Role.
  
  The following screenshot shows this page:
  
  Description of the illustration step3_5.gif

2.2 Installation

You must install the RSA Authentication Manager connector in Oracle Identity Manager and in the Connector Server, as described in the following sections:

2.2.1 Understanding Installation

Depending on where you want to run the generated connector, the connector provides the following installation options:

If you are using Oracle Identity Manager 11g Release 2 (11.1.2.0.0) and any later BP in this release track, then you must run the connector code remotely in a Connector Server. To do so, perform the procedures described in Installing the Connector in Oracle Identity Manager and Deploying the Connector in a Connector Server.
If you are using Oracle Identity Manager 11g Release 2 PS1 (11.1.2.1.0) and any later BP in this release track, Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) and any later BP in this release track, or Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0), depending on where you want to run the connector code (bundle), the connector provides the following installation options:
- To run the connector code locally in Oracle Identity Manager, perform the procedure described in Installing the Connector in Oracle Identity Manager.
- To run the connector code remotely in a Connector Server, perform the procedures described in Installing the Connector in Oracle Identity Manager and Deploying the Connector in a Connector Server.

2.2.2 Installing the Connector in Oracle Identity Manager

To install the connector on Oracle Identity Manager, you must run the installer and configure the IT Resource parameters as described in the following sections:

2.2.2.1 Running the Connector Installer

Note:

In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Administrative and User Console.

To run the Connector Installer:

Copy the contents of the connector installation media directory into the following directory:

OIM_HOME/server/ConnectorDefaultDirectory
Log in to Oracle Identity System Administration.
In the left pane, under System Management, click Manage Connector.
In the Manage Connector page, click Install.
From the Connector List list, select RSAAM Connector RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory in Step 1.

If you have copied the installation files into a different directory, then:
1. In the Alternative Directory field, enter the full path and name of that directory.
2. To repopulate the list of connectors in the Connector List list, click Refresh.
3. From the Connector List list, select RSAAM Connector RELEASE_NUMBER.
Click Load.
To start the installation process, click Continue.

The following tasks are performed, in sequence:
1. Configuration of connector libraries
2. Import of the connector XML files (by using the Deployment Manager)
3. Compilation of adapters
On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for failure is displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:
- Retry the installation by clicking Retry.
- Cancel the installation and begin again from Step 1.
If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of steps that you must perform after the installation is displayed. These steps are as follows:
1. Ensuring that the prerequisites for using the connector are addressed
  
  Note:
  
  At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. SeeClearing Content Related to Connector Resource Bundles from the Server Cache for information about running the PurgeCache utility.
  
  There are no prerequisites for some predefined connectors.
2. Configuring the IT resource for the connector
  
  The procedure to configure the IT resource is described later in this guide.
3. Configuring the scheduled jobs
  
  The procedure to configure these scheduled jobs is described later in this guide.

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Configuring the IT Resource for the Target System.

2.2.2.2 Configuring the IT Resource for the Target System

The IT resource for the target system is created during connector installation. This IT resource contains connection information about the target system. Oracle Identity Manager uses this information during reconciliation and provisioning.

You must specify values for the parameters of the RSA Server Instance IT resource as follows:

Log in to Oracle Identity System Administration.
In the left pane, under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter RSA Server Instance and then click Search. Figure 2-1 shows the Manage IT Resource page.

Figure 2-1 Manage IT Resource Page

Description of "Figure 2-1 Manage IT Resource Page"
Click the edit icon corresponding to the RSA Server Instance IT resource.
From the list at the top of the page, select Details and Parameters.
Specify values for the parameters of the RSA Server Instance IT resource. Figure 2-2 shows the Edit IT Resource Details and Parameters page.
Figure 2-2 Edit IT Resource Details and Parameters Page for the RSA Server Instance IT Resource

Description of "Figure 2-2 Edit IT Resource Details and Parameters Page for the RSA Server Instance IT Resource"

The following list describes each parameter of the RSA Authentication Manager IT resource:
- adminPassword
  
  Enter the password of the target system user account that you create for connector operations.
- adminUserID
  
  Enter the user ID of the target system user account that you create for connector operations.
  
  See Creating a Target System Account for Connector Operations.
  
  commandClient Password
  
  Enter the command client password.
  
  Setting the command client user name and password is one of the tasks in the procedure mentioned in Addressing the Prerequisites for Using the Java API of RSA Authentication Manager.
- commandClient UserID
  
  Enter the command client user name.
  
  Setting the command client user name and password is one of the tasks in the procedure mentioned in Addressing the Prerequisites for Using the Java API of RSA Authentication Manager.
- Configuration Lookup
  
  This parameter holds the name of the configuration lookup definition.
  
  Default value: Lookup.RSAAM.Configuration
- Connector Server Name
  
  This parameter holds the hostname of the machine where the connector server resides.
- host
  
  This parameter holds the hostname of the RSA target.
- port
  
  This parameter holds the port of the RSA target.
  
  Default value: 7002
- connectionType
  
  This parameter specifies the type of connection to be used to connect to the target system.
  
  Default value: EJB
  
  Do not change this value.
To save the values, click Update.

2.2.3 Deploying the Connector in a Connector Server

You can deploy the RSA Authentication Manager connector either locally in Oracle Identity Manager or remotely in the Connector Server. A connector server is an application that enables remote execution of an Identity Connector, such as the RSA Authentication Manager connector.

This section discusses the following topics:

2.2.3.1 About the Connector Server

Note:

To deploy the connector bundle remotely in a Connector Server, you must first deploy the connector in Oracle Identity Manager, as described in Installing the Connector in Oracle Identity Manager.

You can deploy the RSA Authentication Manager connector remotely in the Connector Server. A connector server is a Microsoft Windows application that enables remote execution of an Identity Connector. Connector servers are available in the following two implementations:

As a .Net implementation that is used by Identity Connectors implemented in .Net
As a Java Connector Server implementation that is used by Java-based Identity Connectors

The RSA Authentication Manager connector is implemented in Java, so you can deploy this connector to a Java Connector Server.

2.2.3.2 Installing and Configuring the Connector Server

Use the following steps to install and configure the Java Connector Server:

Note:

Before you deploy the Java Connector Server, ensure that you install the JDK or JRE on the same computer where you are installing the Java Connector Server and that your JAVA_HOME or JRE_HOME environment variable points to this installation.

Create a new directory on the computer where you want to install the Java Connector Server.

Note:

In this guide, CONNECTOR_SERVER_HOME represents this directory.
Unzip the Java Connector Server package in the new directory created in Step 1. You can download the Java Connector Server package from the Oracle Technology Network.

Open the ConnectorServer.properties file located in the conf directory. In the ConnectorServer.properties file, set the following properties, as required by your deployment.

Property	Description
connectorserver.port	Port on which the Java Connector Server listens for requests. Default is `8763.`
connectorserver.bundleDir	Directory where the connector bundles are deployed. Default is `bundles.`
connectorserver.libDir	Directory in which to place dependent libraries. Default is `lib.`
connectorserver.usessl	If set to `true`, the Java Connector Server uses SSL for secure communication. Default is `false.` If you specify `true`, use the following options on the command line when you start the Java Connector Server: `-Djavax.net.ssl.keyStore` `-Djavax.net.ssl.keyStoreType` (optional) `-Djavax.net.ssl.keyStorePassword`
connectorserver.ifaddress	Bind address. To set this property, uncomment it in the file (if necessary). The bind address can be useful if there are more NICs installed on the computer.
connectorserver.key	Java Connector Server key.

Set the properties in the ConnectorServer.properties file, as follows:
- To set the connectorserver.key, run the Java Connector Server with the /setKey option.
  
  Note:
  See Running the Connector Server.
- For all other properties, edit the ConnectorServer.properties file manually.
The conf directory also contains the logging.properties file, which you can edit if required by your deployment.

Note:

Oracle Identity Manager has no built-in support for connector servers, so you cannot test your configuration.

2.2.3.3 Running the Connector Server

To run the Java Connector Server, use the ConnectorServer.bat script for Windows and use the ConnectorServer.sh script for UNIX as follows:

Make sure that you have set the properties required by your deployment in the ConnectorServer.properties file, as described in Running the Connector Server.
Make sure that you have set the JAVA_HOME and the PATH to the java used by Oracle Identity Manager.

Change to the CONNECTOR_SERVER_HOME\bin directory and find the ConnectorServer.bat script.

The ConnectorServer.bat supports the following options:

Option	Description
`/install` [`serviceName`] `["-J` `java-option"]`	Installs the Java Connector Server as a Windows service. Optionally, you can specify a service name and Java options. If you do not specify a service name, the default name is `ConnectorServerJava.`
`/run ["-J` `java-option"]`	Runs the Java Connector Server from the console. Optionally, you can specify Java options. For example, to run the Java Connector Server with SSL: ConnectorServer.bat /run "-J-Djavax.net.ssl.keyStore=mykeystore.jks" "-J-Djavax.net.ssl.keyStorePassword=`password`"
`/setKey [key]`	Sets the Java Connector Server key. The `ConnectorServer.bat` script stores the hashed value of the key in the `connectorserver.key` property in the `ConnectorServer.properties` file.
`/uninstall [serviceName]`	Uninstalls the Java Connector Server. If you do not specify a service name, the script uninstalls the `ConnectorServerJava` service.

If you need to stop the Java Connector Server, stop the respective Windows service.

2.2.3.4 Installing the Connector on the Connector Server

2.3 Postinstallation

After successfully installing the connector, you must configure Oracle Identity Manager and create an IT Resource for the connector server. The following sections contain detailed information:

2.3.1 Postinstallation on Oracle Identity Manager

Configuring the Oracle Identity Manager involves performing multiple operations. These operations are discussed in detail in the following procedures:

2.3.1.1 Configuring Self-Request Provisioning

To configure self-request provisioning, perform the following procedure:

Log in to the Design Console.
Expand Process Management, and then double-click Process Definition.
Search for and open the RSA Auth Manager User process form.
Double-click the Create User process task.
Open the Responses tab and select SUCCESS.

The Copy the UID task is displayed at the bottom of the same page.
Delete the Copy the UID task under the Task To Generate entry by selecting the delete option.
Click Save.

2.3.1.2 Configuring Oracle Identity Manager

You must create additional metadata such as a UI form and an application instance, and must run entitlement and catalog synchronization jobs. In addition, you must tag some of the fields in the OIM User process form. These procedures are described in the following sections:

Note:

The procedure mentioned in the following sections have to performed for RSA Auth Manager User resource object and RSA Auth Manager Token resource object.

2.3.1.2.1 Creating and Activating a Sandbox

You must create and activate a sandbox to begin using the customization and form management features. You can then publish the sandbox to make the customizations available to other users.

See Creating a Sandbox and Activating and Deactivating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

2.3.1.2.2 Creating a New UI Form

Create a new UI form as follows:

In the left pane, under Configuration, click Form Designer.
Under Search Results, click Create.
Select the resource type for which you want to create the form, for example, RSA Auth Manager User or RSA Auth Manager Token.
Enter a form name and click Create.

2.3.1.2.3 Creating an Application Instance

Create an application instance as follows:

In the System Administration page, under Configuration in the left pane, click Application Instances.
Under Search Results, click Create.
Enter appropriate values for the fields displayed on the Attributes form and click Save.
In the Form drop-down list, select the newly created form and click Apply.
Publish the application instance to an organization to make the application instance available for requesting and subsequent provisioning to users. See Publishing an Application Instance to Organizations in Oracle Fusion Middleware Administering Oracle Identity Manager.

2.3.1.2.4 Upgrading User Form in Oracle Identity Manager

This connector creates a new OIM user attribute (UDF) RSAAM User GUID. Although this user attribute (UDF) is added to a new User Form version, the User Form from the old version is only used for all operations. To use the latest form version which contains the GUID field, you must customize the associated pages on the interface to upgrade to the latest User Form and add the custom form fields. To do so, perform the following procedure:

Log in to Oracle Identity System Administration.
From the Upgrade region, click Upgrade User Form. The RSAAM User GUID UDF is listed.
Click Upgrade.

See Also:
Configuring Custom Attributes in Oracle Fusion Middleware Administering Oracle Identity Manager

2.3.1.2.5 Publishing a Sandbox

To publish the sandbox that you created in Creating and Activating a Sandbox:

Close all the open tabs and pages.
From the table showing the available sandboxes in the Manage Sandboxes page, select the sandbox that you created in Creating and Activating a Sandbox.
On the toolbar, click Publish Sandbox. A message is displayed asking for confirmation.
Click Yes to confirm. The sandbox is published and the customizations it contained are merged with the main line.

2.3.1.2.6 Harvesting Entitlements and Sync Catalog

To harvest entitlements and sync catalog:

Run the scheduled jobs for lookup field synchronization listed in Scheduled Job for Lookup Field Synchronization.
Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table.
Run the Catalog Synchronization Job scheduled job.

See Also:
Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Manager

2.3.1.2.7 Updating an Existing Application Instance with a New Form

For any changes you do in the Form Designer, you must create a new UI form and update the changes in an application instance. To update an existing application instance with a new form:

Create a sandbox and activate it. See Creating a Sandbox and Activating and Deactivating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
Create a new UI form for the resource. See Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Manager.
Open the existing application instance.
In the Form field, select the new UI form that you created.
Save the application instance.
Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

2.3.1.3 Clearing Content Related to Connector Resource Bundles from the Server Cache

When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the Oracle Identity Manager database. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

In a command window, switch to the OIM_HOME/server/bin directory.
Note:

You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:
```
OIM_HOME/server/bin/SCRIPT_FILE_NAME
```
Enter one of the following commands:
Note:

You can use the PurgeCache utility to purge the cache for any content category. Run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the content category that must be purged.

For example, the following commands purge Metadata entries from the server cache:

PurgeCache.bat MetaData

PurgeCache.sh MetaData

On Microsoft Windows: PurgeCache.bat All

On UNIX: PurgeCache.sh All

When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:
```
t3://OIM_HOST_NAME:OIM_PORT_NUMBER
```
In this format:
- Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.
- Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.

2.3.1.4 Managing Logging for RSA Authentication Manager Connector

You can set a log level based on Oracle Java Diagnostic Logging and enable logging in the Oracle WebLogic Server. The following sections contain detailed information:

2.3.1.4.1 Understanding Log Levels

Oracle Identity Manager uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.logger. To specify the type of event for which you want logging to take place, you can set the logs to one of the following available levels:

SEVERE.intValue()+100

This level enables logging of information about fatal errors.
SEVERE

This level enables logging of information about errors that might allow Oracle Identity Manager to continue running.
WARNING

This level enables logging of information about potentially harmful situations.
INFO

This level enables logging of messages that highlight the progress of the application.
CONFIG

This level enables logging of information about fine-grained events that are useful for debugging.
FINE, FINER, FINEST

These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These log levels are mapped to ODL message type and level combinations as shown in Table 2-1.

Table 2-1 Log Levels and ODL Message Type:Level Combinations

Log Level	ODL Message Type:Level
SEVERE.intValue()+100	INCIDENT_ERROR:1
SEVERE	ERROR:1
WARNING	WARNING:1
INFO	NOTIFICATION:1
CONFIG	NOTIFICATION:16
FINE	TRACE:1
FINER	TRACE:16
FINEST	TRACE:32

The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Manager.

2.3.1.4.2 Enabling Logging

To enable logging in Oracle WebLogic Server:

Edit the logging.xml file as follows:

Add the following blocks in the file:

<log_handler name='rsaam-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
<property name='logreader:' value='off'/>
     <property name='path' value='[FILE_NAME]'/>
     <property name='format' value='ODL-Text'/>
     <property name='useThreadName' value='true'/>
     <property name='locale' value='en'/>
     <property name='maxFileSize' value='5242880'/>
     <property name='maxLogSize' value='52428800'/>
     <property name='encoding' value='UTF-8'/>
   </log_handler>

<logger name="ORG.IDENTITYCONNECTORS.RSAAM" level="[LOG_LEVEL]" useParentHandlers="false">
     <handler name="rsaam-handler"/>
     <handler name="console-handler"/>
   </logger>

Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 2-1 lists the supported message type and level combinations.

Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages specific to connector operations to be recorded.

The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME] :

<log_handler name='rsaam-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
<property name='logreader:' value='off'/>
     <property name='path' value=/scratch/RSA/Logs/RSA.log>
     <property name='format' value='ODL-Text'/>
     <property name='useThreadName' value='true'/>
     <property name='locale' value='en'/>
     <property name='maxFileSize' value='5242880'/>
     <property name='maxLogSize' value='52428800'/>
     <property name='encoding' value='UTF-8'/>
   </log_handler>
 
<logger name="ORG.IDENTITYCONNECTORS.RSAAM" level="NOTIFICATION:1" useParentHandlers="false">
     <handler name="rsaam-handler"/>
     <handler name="console-handler"/>
   </logger>

With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.

Save and close the file.
Set the following environment variable to redirect the server logs to a file:

For Microsoft Windows:
```
set WLS_REDIRECT_LOG=FILENAME
```
For UNIX:
```
export WLS_REDIRECT_LOG=FILENAME
```
Replace FILENAME with the location and name of the file to which you want to redirect the output.
Restart the application server.

2.3.1.5 Setting up the Lookup Definition for Connection Pooling

Connection pooling allows reuse of physical connections and reduced overhead for your application. This procedure of setting up the lookup definition for connector pooling can be divided into the following sections:

2.3.1.5.1 Understanding Connection Pooling Properties

By default, this connector uses the ICF connection pooling. Connection Pooling Properties lists the connection pooling properties, their description, and default values set in ICF:

Table 2-2 Connection Pooling Properties

Property	Description
Pool Max Idle	Maximum number of idle objects in a pool. Default value: `10`
Pool Max Size	Maximum number of connections that the pool can create. Default value: `10`
Pool Max Wait	Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation. Default value: `150000`
Pool Min Evict Idle Time	Minimum time, in milliseconds, the connector must wait before evicting an idle object. Default value: `120000`
Pool Min Idle	Minimum number of idle objects in a pool. Default value: `1`

2.3.1.5.2 Adding Connection Pooling Properties

If you want to add the connection pooling properties to use values that suit requirements in your environment, then:

Log in to the Design Console.
Expand Administration, and then double-click Lookup Definition.
Search for and open the Lookup.RSAAM.Configuration lookup definition.
On the Lookup Code Information tab, click Add.

A new row is added.
In the Code Key column of the new row, enter Pool Max Idle.
In the Decode column of the new row, enter a value corresponding to the Pool Max Idle property.
Repeat Steps 4 through 6 for adding each of the connection pooling properties listed in Table 2-2.
Click the Save icon.

2.3.1.6 Setting up the Lookup Definition for Different Time Zones

Based on your requirement, the time zone property can be configured to define the time zone in which connector operations are performed. This information can be divided into the following sections:

Note:

Perform the following procedure only if Oracle Identity Manager and RSA Authentication Manger are in different time zones.

2.3.1.6.1 Time Zone Properties

Table 2-3 lists the time zone properties, their code and decode values along with respective descriptions:

Table 2-3 Time Zone Properties

Code Key Decode Description

Code Key	Decode	Description
sourceTimeZone	For the decode value, refer the format of the timeZone present in the following URL: `http://docs.oracle.com/javase/1.5.0/docs/api/java/util/TimeZone.html`	This entry is not present by default, and has to be added only if Oracle Identity Manager and RSA Authentication Manger are in different time zones. If this entry is not defined, then the connector retrieves the default time zone from the location where the connector is running (can be either from the Oracle Identity Manager server or the connector server).
targetTimeZone	For the decode value, refer the format of the timeZone present in the following URL: `http://docs.oracle.com/javase/1.5.0/docs/api/java/util/TimeZone.html`	This entry is not present by default, and has to be added only if Oracle Identity Manager and RSA Authentication Manger are in different time zones. If this entry is not defined, then the connector retrieves the default time zone from the location where the connector is running (can be either from the Oracle Identity Manager server or the connector server).

sourceTimeZone

For the decode value, refer the format of the timeZone present in the following URL:

http://docs.oracle.com/javase/1.5.0/docs/api/java/util/TimeZone.html

This entry is not present by default, and has to be added only if Oracle Identity Manager and RSA Authentication Manger are in different time zones. If this entry is not defined, then the connector retrieves the default time zone from the location where the connector is running (can be either from the Oracle Identity Manager server or the connector server).

targetTimeZone

For the decode value, refer the format of the timeZone present in the following URL:

http://docs.oracle.com/javase/1.5.0/docs/api/java/util/TimeZone.html

2.3.1.6.2 Setting up the Time Zone Properties

Perform the following procedure only if Oracle Identity Manager and RSA Authentication Manger are in different time zones. To specify the time zone properties:

Log in to the Design Console.
Expand Administration, and then double-click Lookup Definition.
Search for and open the Lookup.RSAAM.Configuration lookup definition.
On the Lookup Code Information tab, click Add.

A new row is added.
In the Code Key column of the new row, enter sourceTimeZone.
In the Decode column of the new row, enter the value from the URL mentioned in Table 2-3.
Repeat Steps 4 through 6 for adding the targetTimeZone property.
Click the Save icon.

2.3.1.7 Localizing Field Labels in UI Forms

To localize field label that you add to in UI forms:

Log in to Oracle Enterprise Manager.
In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
In the right pane, from the Application Deployment list, select MDS Configuration.
On the MDS Configuration page, click Export and save the archive to the local computer.
Extract the contents of the archive, and open one of the following files in a text editor:
- For Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) and later:
  
  SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_en.xlf
- For releases prior to Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0):
  
  SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf

Edit the BizEditorBundle.xlf file in the following manner:

Search for the following text:

<file source-language="en"  
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

Replace with the following text:

<file source-language="en" target-language="LANG_CODE"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:

<file source-language="en" target-language="ja"
original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
datatype="x-oracle-adf">

Search for the application instance code. This procedure shows a sample edit for RSA application instance. The original code is:

<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_AMUSER_FIRST_NAME__c_description']}">
<source>First Name</source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.RSAForm.entity.RSAFormEO.UD_AMUSER_FIRST_NAME__c_LABEL">
<source>First Name</source>
<target/>
</trans-unit>

Open the resource file from the connector package, for example RSA-AuthManager_ja.properties, and get the value of the attribute from the file, for example, global.udf.UD_AMUSER_FIRST_NAME=\u540D.

Replace the original code shown in Step 6.c with the following:

<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_AMUSER_FIRST_NAME__c_description']}">
<source>First Name</source>
<target>\u540D</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.RSAForm.entity.RSAFormEO.UD_AMUSER_FIRST_NAME__c_LABEL">
<source>First Name</source>
<target>\u540D</target>
</trans-unit>

Repeat Steps 6.a through 6.d for all attributes of the process form.
Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.

Sample file name: BizEditorBundle_ja.xlf.

Repackage the ZIP file and import it into MDS.

See Also:

Deploying and Undeploying Customizations in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for more information about exporting and importing metadata files
Log out of and log in to Oracle Identity Manager.

2.3.1.8 Addressing Prerequisites for Using the Java API of RSA Authentication Manager

To enable the connector to work with the Java API of the target system, perform the following procedures:

2.3.1.8.1 Required Java System Properties

Perform the procedure described in the "Required Java System Properties" section of the RSA Authentication Manager Developer's Guide.

2.3.1.8.2 Exporting and Importing the Server Root Certificate

To export and then import the server root certificate:

To export the certificate from RSA Authentication Manager, perform the procedure described in the "Making the RSA Root Certificate Available for API Clients (Java)" section of the RSA Authentication Manager Developer's Guide.
To import the certificate exported in Step 1 into your Application Server (IBM Websphere, JBoss or Oracle Weblogic), follow the procedure described in the "Import the Server Root Certificate" section of the RSA Authentication Manager Developer's Guide. Import the certificate into the same keystore defined by the Java property in the previous section depending upon the type of connection with the target system.

2.3.1.8.3 Setting the Command Client User Name and Password

Perform the procedure described in the "Setting the Command Client User Name and Password" section of the RSA Authentication Manager Developer's Guide.

2.3.2 Creating the IT Resource for the Connector Server

Note:

Perform the procedure described in this section only if you have deployed the connector bundle remotely in a Connector Server.

To create the IT resource for the Connector Server:

Log in to Oracle Identity System Administration.
In the left pane, under Configuration, click IT Resource.
In the Manage IT Resource page, click Create IT Resource.
On the Step 1: Provide IT Resource Information page, perform the following steps:
- IT Resource Name: Enter a name for the IT resource.
- IT Resource Type: Select Connector Server from the IT Resource Type list.
- Remote Manager: Do not enter a value in this field.
Click Continue. Figure 2-3 shows the IT resource values added on the Create IT Resource page.

Figure 2-3 Step 1: Provide IT Resource Information

Description of "Figure 2-3 Step 1: Provide IT Resource Information"

On the Step 2: Specify IT Resource Parameter Values page, specify values for the parameters of the IT resource and then click Continue. Figure 2-4 shows the Step 2: Specify IT Resource Parameter Values page.

Figure 2-4 Step 2: Specify IT Resource Parameter Values

Description of "Figure 2-4 Step 2: Specify IT Resource Parameter Values"

Table 2-4 provides information about the parameters of the IT resource.

Table 2-4 Parameters of the IT Resource for the Connector Server

Parameter	Description
Host	Enter the host name or IP address of the computer hosting the connector server. Sample value: `RManager`
Key	Enter the key for the Java connector server.
Port	Enter the number of the port at which the connector server is listening. Default value: `8759`
Timeout	Enter an integer value which specifies the number of milliseconds after which the connection between the connector server and Oracle Identity Manager times out. Sample value: `300`
UseSSL	Enter `true` to specify that you will configure SSL between Oracle Identity Manager and the Connector Server. Otherwise, enter `false.` Default value: `false` Note: It is recommended that you configure SSL to secure communication with the connector server. To configure SSL, run the connector server by using the /setKey [`key`] option. The value of this key must be specified as the value of the Key IT resource parameter of the connector server. To use SSL, you must set the value of connectorserver.usessl property to `true,` and then set the value of connectorserver.certifacatestorename to the certificate store name.

On the Step 3: Set Access Permission to IT Resource page, the SYSTEM ADMINISTRATORS group is displayed by default in the list of groups that have Read, Write, and Delete permissions on the IT resource that you are creating.

Note:

This step is optional.

If you want to assign groups to the IT resource and set access permissions for the groups, then:
1. Click Assign Group.
2. For the groups that you want to assign to the IT resource, select Assign and the access permissions that you want to set. For example, if you want to assign the ALL USERS group and set the Read and Write permissions to this group, then you must select the respective check boxes in the row, as well as the Assign check box, for this group.
3. Click Assign.
On the Step 3: Set Access Permission to IT Resource page, if you want to modify the access permissions of groups assigned to the IT resource, then:
Note:
- This step is optional.
- You cannot modify the access permissions of the SYSTEM ADMINISTRATORS group. You can modify the access permissions of only other groups that you assign to the IT resource.
1. Click Update Permissions.
2. Depending on whether you want to set or remove specific access permissions for groups displayed on this page, select or deselect the corresponding check boxes.
3. Click Update.
On the Step 3: Set Access Permission to IT Resource page, if you want to unassign a group from the IT resource, then:
Note:
- This step is optional.
- You cannot unassign the SYSTEM ADMINISTRATORS group. You can unassign only other groups that you assign to the IT resource.
1. Select the Unassign check box for the group that you want to unassign.
2. Click Unassign.
Click Continue. Figure 2-5 shows the Step 3: Set Access Permission to IT Resource page.

Figure 2-5 Step 3: Set Access Permission to IT Resource

Description of "Figure 2-5 Step 3: Set Access Permission to IT Resource"
On the Step 4: Verify IT Resource Details page, review the information that you provided on the first, second, and third pages. If you want to make changes in the data entered on any page, click Back to revisit the page and then make the required changes.
To proceed with the creation of the IT resource, click Continue. Figure 2-6 shows Step 4: Verify IT Resource Details page.

Figure 2-6 Step 4: Verify IT Resource Details

Description of "Figure 2-6 Step 4: Verify IT Resource Details"
The Step 5: IT Resource Connection Result page displays the results of a connectivity test that is run using the IT resource information. If the test is successful, then click Continue. If the test fails, then you can perform one of the following steps:
- Click Back to revisit the previous pages and then make corrections in the IT resource creation information.
- Click Cancel to stop the procedure, and then begin from the first step onward.
  
  Figure 2-7 shows the Step 5: IT Resource Connection Result page.
  
  Figure 2-7 Step 5: IT Resource Connection Result
  
  Description of "Figure 2-7 Step 5: IT Resource Connection Result"
Click Finish. Figure 2-8 shows the IT Resource Created page.

Figure 2-8 Step 6: IT Resource Created

Description of "Figure 2-8 Step 6: IT Resource Created"

2.4 About Upgrading the RSA Authentication Manager Connector

Upgrading to this release of the connector from earlier releases is not supported.

2.5 Postcloning the RSA Authentication Manager

If you clone the connector, a copy of the connector is created. Once this is completed, some of the connector objects that might contain the details of the old connector must be modified as a part of postcloning. The following sections contain detailed information:

2.5.1 About Postcloning

You can clone the RSA Authentication Manager connector by setting new names for some of the objects that comprise the connector. The outcome of the process is a new connector XML file. Most of the connector objects, such as Resource Object, Process Definition, Process Form, IT Resource Type Definition, IT Resource Instances, Lookup Definitions, Adapters, Reconciliation Rules and so on in the new connector XML file have new names.

After a copy of the connector is created by setting new names for connector objects, some objects might contain the details of the old connector objects. Therefore, you must modify the following Oracle Identity Manager objects to replace the base connector artifacts or attribute references with the corresponding cloned artifacts or attributes:

Localization Properties

You must update the resource bundle of a user locale with new names of the process form attributes for proper translations after cloning the connector. You can modify the properties file of your locale in the resources directory of the connector bundle.
Lookup Definition

In the cloned lookup definition for provisioning attribute map, if the code key entries specific to groups and roles contain the old process form details, then you must modify them to reflect the cloned form name.

For example, consider Lookup.RSAAM.UM.ProvAttr1 and UD_AMROLE1 to be the cloned versions of the Lookup.RSAAM.UM.ProvAttrMap lookup definition and UD_AMROLE child form, respectively.

After cloning, the Lookup.RSAAM.UM.ProvAttrMap1 lookup definition contains Code Key entries that correspond to the fields of the old child form UD_AMROLE. To ensure that the Code Key entries point to the fields of the cloned child form (UD_AMROLE1), specify UD_AMROLE1~Role Name[LOOKUP] in the corresponding Code Key column. Similarly, you can specify UD_AMGROUP1~Group Name[LOOKUP] in the Code Key column for groups.
Child Table

As a result of a change in the name of the child table, you must modify the corresponding mappings for the child table operations to work successfully.

See Updating Child Table Mappings.

2.5.2 Updating Child Table Mappings

To update the corresponding mappings, perform the following procedure:

Log in to the Design Console.
Expand Process Management, and then double-click Process Definition.
Search for and open the RSA Auth Manager User1 process form.
Double-click the Add User to Group process task.

The Editing Task window is displayed.
On the Integration tab, select the row corresponding to the name of the child table, and then click Map.
The Data Mapping for Variable window is displayed.
Change the value in the Literal Value field to the cloned table name. For example, UD_AMGROUP1.
Click Save and close the window.
To change the mappings for the Remove User from Group task, perform Steps 1 through 8 of this procedure with the following difference:

While performing Step 4 of this procedure, instead of double-clicking the Add User to Group task, double-click the Remove User from Group task.
To change the mappings for the Update User for Group task, perform Steps 1 through 8 with the following difference:

While performing Step 4 of this procedure, instead of double-clicking the Add User to Group task, double-click the Update User for Group task.
To change the mappings for the Add User to Role task, perform Steps 1 through 8 with the following difference:

While performing Step 4 of this procedure, instead of double-clicking the Add User to Group task, double-click the Add User to Role task.
To change the mappings for the Remove User from Role task, perform Steps 1 through 8 with the following difference:

While performing Step 4 of this procedure, instead of double-clicking the Add User to Group task, double-click the Remove User from Role task.
To change the mappings for the Update User for Role task, perform Steps 1 through 8 with the following difference:

While performing Step 4 of this procedure, instead of double-clicking the Add User to Group task, double-click the Update User for Role task.