3 IBM RACF Connector Deployment on Oracle Identity Manager
The LDAP Gateway acts as the intermediary between Oracle Identity Manager and the connector components on the mainframe. The following sections of this chapter describe the procedure to deploy some components of the connector, including the LDAP Gateway, on the Oracle Identity Manager host computer:
Note:
The procedure to deploy the mainframe components of the connector is described in the next chapter.
3.1 Running the Connector Installer
Perform the following steps to run the Connector Installer:
1. Ensure you have downloaded the connector installation package from the OTN website at http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html and extracted its contents.
2. Copy the contents of the connector installation package into the following directory:
   OIM_HOME/server/ConnectorDefaultDirectory
3. Log in to Oracle Identity System Administration.
4. In the left pane, under Provisioning Configuration, click Manage Connector.
5. In the Manage Connector page, click Install.
6. From the Connector list, select IBM RACF Advanced RELEASE_NUMBER. This list displays the names and release numbers of the connectors whose installation files you copied into the default connector installation directory in Step 2.
   If you have copied the installation files into a different directory, then:
   a. In the Alternative Directory field, enter the full path and name of that directory.
   b. To repopulate the list of connectors in the Connector list, click Refresh.
   c. From the Connector list, select IBM RACF Advanced RELEASE_NUMBER.
7. Click Load.
8. To start the installation process, click Continue. The following tasks are performed automatically, in sequence:
   a. Configuration of connector libraries.
   b. Import of the connector Target Resource user configuration XML file (by using the Deployment Manager).
   c. Compilation of adapters.
   On successful completion of a task, a check mark is displayed for the task. If a task fails, an X mark and a message stating the reason for the failure are displayed. In that case, make the required correction and then perform one of the following steps:
   - Retry the installation by clicking Retry.
   - Cancel the installation and begin again from Step 2.
9. If all three tasks of the connector installation process are successful, a message indicating successful installation is displayed.
10. Click Exit to close the installation page.
When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Files and Directories in the IBM RACF Advanced Connector Package.
3.2 Configuring the IT Resource
You must specify values for the parameters of the RacfResource IT resource as follows:
1. Log in to Oracle Identity System Administration.
2. In the left pane, under Configuration, click IT Resource.
3. In the IT Resource Name field on the Manage IT Resource page, enter RacfResource and then click Search.
4. Click the edit icon for the IT resource.
5. From the list at the top of the page, select Details and Parameters.
6. Specify values for the parameters of the IT resource as described in the following table:

Table 3-1 IT Resource Parameters for IBM RACF Advanced Connector

Parameter | Description |
---|---|
AtMap User | This parameter holds the name of the lookup definition containing the attribute mappings that are used for provisioning. Value: AtMap.RACF. Note: You must not change the value of this parameter. |
idfBackendDn | Enter the user ID that the connector will use to connect to the LDAP Gateway backend. Sample value: cn=Directory Manager,dc=system,dc=backend |
idfBackendPassword | Enter the password of the user ID that the connector will use to connect to the LDAP Gateway backend. You also set this password in the configuration.properties file of the LDAP Gateway. Note: Do not enter an encrypted value. |
idfbackendContext | Enter the root context for the LDAP Gateway backend. Sample value: dc=system,dc=backend |
idfConnectTimeoutMS | Enter an integer value that specifies the number of milliseconds after which an attempt to establish a connection between the LDAP Gateway and Oracle Identity Manager times out. If you do not enter a value for this parameter, the connector uses a default timeout of 300000 ms (that is, 5 minutes). |
idfPrincipalDn | Set a user ID for an account that the connector will use to connect to the LDAP Gateway. Format: cn=USER_ID,dc=racf,dc=com. Sample value: cn=idfRacfAdmin,dc=racf,dc=com |
idfPrincipalPwd | Set a password for the account that the connector will use to connect to the LDAP Gateway. You also set this password in the files listed in the description of the idfPrincipalDn parameter. Note: Do not enter an encrypted value. |
idfReadTimeoutMS | Enter an integer value that specifies the number of milliseconds after which an attempt to read data from the target system times out. If you do not enter a value for this parameter, the connector uses a default timeout of 1800000 ms (that is, 30 minutes). |
idfRootContext | This parameter holds the root context for IBM RACF. Value: dc=racf,dc=com. Note: You must not change the value of this parameter. |
idfServerHost | This parameter holds the host name or IP address of the computer on which you install the LDAP Gateway. For this release of the connector, you install the LDAP Gateway on the Oracle Identity Manager host computer. Default value: localhost. Note: Do not change the value of this parameter unless you have installed the LDAP Gateway on a different machine from the Oracle Identity Manager host computer. |
idfServerPort | Enter the number of the port for connecting to the LDAP Gateway. Sample value: 5389 |
idfSsl | This parameter determines whether the LDAP Gateway will use SSL to connect to the target system. Enter true if using SSL; otherwise, enter false. Sample value: true |
idfTrustStore | This parameter holds the directory location of the trust store containing the SSL certificate. This parameter is optional and should be entered only when using SSL authentication. The value must be the full path. Sample value: /app/home/ldapgateway/conf/idf.jks |
idfTrustStorePassword | This parameter holds the password for the SSL trust store. This parameter is optional and should be entered only when using SSL authentication. |
idfTrustStoreType | This parameter holds the trust store type for the SSL trust store. This parameter is optional and should be entered only when using SSL authentication. Sample value: jks |
Last Modified Time Stamp | The most recent start time of the RACF Reconcile All LDAP Users reconciliation scheduled task is stored in this parameter. See RACF Reconcile All LDAP Users for more information about this scheduled task. The value is stored in the format MM/dd/yy hh:mm:ss a, where MM is the month of the year, dd is the day of the month, yy is the year, hh is the hour in am/pm (01-12), mm is the minute in the hour, ss is the second in the minute, and a is the marker for AM or PM. Sample value: 05/07/10 02:46:52 PM. Default value: 0. When the value is 0, the reconciliation task performs full LDAP user reconciliation. If the value is a non-zero time stamp in the format given above, incremental reconciliation is performed: only records that have been created or modified after the specified time stamp are brought to Oracle Identity Manager for reconciliation. Note: When required, you can manually enter a time-stamp value in the specified format. |

7. To save the values, click Update.
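The rules in Table 3-1 can be checked before the values are typed into the Manage IT Resource page. The following Python script is an added example and is not code from the Oracle documentation or the connector: it encodes the table's constraints (values that must not change, the idfPrincipalDn format, positive timeouts with the stated defaults, trust store parameters only when idfSsl is true, and the Last Modified Time Stamp format) and reports whether a given time stamp value selects full or incremental reconciliation. The SAMPLE_PARAMS dictionary, the password strings and the function names are constructed for illustration.

```python
"""Pre-flight check of RacfResource IT resource parameter values.

Added example; not code from the Oracle documentation or the connector.
It encodes the rules Table 3-1 states so the values can be checked
before they are entered on the Manage IT Resource page. SAMPLE_PARAMS
and the password strings are constructed.
"""
import re
from datetime import datetime

# Values the table says must not be changed.
FIXED = {"AtMap User": "AtMap.RACF", "idfRootContext": "dc=racf,dc=com"}
# Defaults the connector uses when a timeout is left blank (from the table).
DEFAULT_TIMEOUT_MS = {"idfConnectTimeoutMS": 300000, "idfReadTimeoutMS": 1800000}
# Parameters the table says to enter only when using SSL authentication.
TRUST_STORE_PARAMS = ("idfTrustStore", "idfTrustStorePassword", "idfTrustStoreType")
PRINCIPAL_DN = re.compile(r"^cn=[^,=]+,dc=racf,dc=com$")
FULL_PATH = re.compile(r"^(/|[A-Za-z]:[\\/])")
# Java pattern "MM/dd/yy hh:mm:ss a" written as a strptime format.
TIMESTAMP_FMT = "%m/%d/%y %I:%M:%S %p"

# Constructed values following the table's sample values.
SAMPLE_PARAMS = {
    "AtMap User": "AtMap.RACF",
    "idfBackendDn": "cn=Directory Manager,dc=system,dc=backend",
    "idfBackendPassword": "example-backend-password",
    "idfbackendContext": "dc=system,dc=backend",
    "idfConnectTimeoutMS": "",  # blank: default of 300000 ms applies
    "idfPrincipalDn": "cn=idfRacfAdmin,dc=racf,dc=com",
    "idfPrincipalPwd": "example-principal-password",
    "idfReadTimeoutMS": "1800000",
    "idfRootContext": "dc=racf,dc=com",
    "idfServerHost": "localhost",
    "idfServerPort": "5389",
    "idfSsl": "true",
    "idfTrustStore": "/app/home/ldapgateway/conf/idf.jks",
    "idfTrustStorePassword": "example-truststore-password",
    "idfTrustStoreType": "jks",
    "Last Modified Time Stamp": "05/07/10 02:46:52 PM",
}


def parse_timestamp(value):
    """Return None for "0" (full reconciliation) or a datetime for a valid
    time stamp; raise ValueError for anything else."""
    value = value.strip()
    if value == "0":
        return None
    return datetime.strptime(value, TIMESTAMP_FMT)


def reconciliation_mode(value):
    """Mode the RACF Reconcile All LDAP Users task will run in."""
    return "full" if parse_timestamp(value) is None else "incremental"


def validate(params):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for name, expected in FIXED.items():
        if params.get(name) != expected:
            problems.append(f"{name} must be {expected}")
    for name, default in DEFAULT_TIMEOUT_MS.items():
        raw = params.get(name, "").strip()
        if raw == "":
            continue  # blank: the connector falls back to the default
        if not raw.isdigit() or int(raw) <= 0:
            problems.append(f"{name} must be a positive integer (blank means {default} ms)")
    if not PRINCIPAL_DN.match(params.get("idfPrincipalDn", "")):
        problems.append("idfPrincipalDn must have the form cn=USER_ID,dc=racf,dc=com")
    for name in ("idfPrincipalPwd", "idfBackendPassword"):
        if params.get(name, "") == "":
            problems.append(f"{name} must be set (clear text, not an encrypted value)")
    port = params.get("idfServerPort", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("idfServerPort must be a TCP port number")
    ssl = params.get("idfSsl", "")
    if ssl not in ("true", "false"):
        problems.append("idfSsl must be true or false")
    elif ssl == "false":
        for name in TRUST_STORE_PARAMS:
            if params.get(name, "") != "":
                problems.append(f"{name} should be entered only when idfSsl is true")
    elif params.get("idfTrustStore", "") and not FULL_PATH.match(params["idfTrustStore"]):
        problems.append("idfTrustStore must be a full path")
    try:
        parse_timestamp(params.get("Last Modified Time Stamp", "0"))
    except ValueError:
        problems.append("Last Modified Time Stamp must be 0 or match MM/dd/yy hh:mm:ss a")
    return problems


if __name__ == "__main__":
    for problem in validate(SAMPLE_PARAMS) or ["no problems found"]:
        print(problem)
    print("reconciliation mode:", reconciliation_mode(SAMPLE_PARAMS["Last Modified Time Stamp"]))
```

Run it against the values you intend to enter; an empty problem list means the values are mutually consistent with the table, and the reconciliation mode tells you whether the next run of the scheduled task will be full or incremental.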
3.3 Configuring Oracle Identity Manager
Configuring Oracle Identity Manager involves the following procedures:
Note:
In an Oracle Identity Manager cluster, you must perform these steps on each node of the cluster.
3.3.1 Creating Additional Metadata, Running Entitlement, and Catalog Synchronization Jobs
You must create additional metadata, such as a UI form and an application instance. In addition, you must run entitlement and catalog synchronization jobs. These procedures are described in the following sections:
3.3.1.2 Creating a New UI Form
Create a new UI form as follows:
- In the left pane, under Configuration, click Form Designer.
- Under Search Results, click Create.
- Select the resource type for which you want to create the form, for example, OIMRacfResourceObject.
- Enter a form name and click Create.
3.3.1.3 Creating an Application Instance
Create an application instance as follows:
- In the System Administration page, under Configuration in the left pane, click Application Instances.
- Under Search Results, click Create.
- Enter appropriate values for the fields displayed on the Attributes form and click Save.
- In the Form drop-down list, select the newly created form and click Apply.
- Publish the application instance to an organization to make the application instance available for requesting and subsequent provisioning to users.
3.3.1.4 Publishing a Sandbox
- In Identity System Administration, deactivate the sandbox.
- Log out of Identity System Administration.
- Log in to Identity Self Service using the xelsysadm user credentials and then activate the sandbox that you deactivated in Step 1.
- In the Catalog, ensure that the Concur application instance form appears with correct fields.
- Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
3.3.1.5 Harvesting Entitlements and Sync Catalog
To harvest entitlements and sync catalog:
- Run the scheduled jobs for lookup field synchronization. See Scheduled Tasks for Lookup Field Synchronization for more information about these scheduled jobs.
- Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table.
- Run the Catalog Synchronization Job scheduled job.
See Also:
Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Governance for a description of the Entitlement List and Catalog Synchronization Job scheduled jobs.
3.3.1.6 Updating an Existing Application Instance with a New Form
For any changes you make in the Form Designer, you must create a new UI form and update the changes in an application instance. To update an existing application instance with a new form:
- Create a sandbox and activate it as described in Creating and Activating a Sandbox.
- Create a new UI form for the resource as described in Creating a New UI Form.
- Open the existing application instance.
- In the Form field, select the new UI form that you created.
- Save the application instance.
- Publish the sandbox as described in Publishing a Sandbox.
3.3.2 Localizing Field Labels in UI Forms
Perform the following steps to localize field labels that you add to UI forms:
1. Log in to Oracle Enterprise Manager.
2. In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
3. In the right pane, from the Application Deployment list, select MDS Configuration.
4. On the MDS Configuration page, click Export and save the archive to the local computer.
5. Extract the contents of the archive, and open the following file in a text editor:
   SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf
6. Edit the BizEditorBundle.xlf file as follows:
   a. Search for the following text:
      <file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
   b. Replace it with the following text:
      <file source-language="en" target-language="LANG_CODE" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
      In this text, replace LANG_CODE with the code of the language to which you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:
      <file source-language="en" target-language="ja" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
   c. Search for the application instance code. The original code will be in the following format:
      ```xml
      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_<Field_Name>__c_description']}">
        <source><Field_Label></source>
        <target/>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.<UI_Form_Name>.entity.<UI_Form_Name>EO.UD_<Field_Name>__c_LABEL">
        <source><Field_Label></source>
        <target/>
      </trans-unit>
      ```
      For example, the following sample code shows the update that should be made for the FULL NAME field on a UI form named RacfUserFormv1:
      ```xml
      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_IDF_RACF_ADV_CN__c_description']}">
        <source>FULL NAME</source>
        <target/>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.RacfUserFormv1.entity.RacfUserFormv1EO.UD_IDF_RACF_ADV_CN__c_LABEL">
        <source>FULL NAME</source>
        <target/>
      </trans-unit>
      ```
   d. Open the resource file from the /resources directory in the connector installation media, for example Racf-Adv_ja.properties, and get the value of the attribute from the file, for example global.udf.UD_IDF_RACF_ADV_CN=\u6C0F\u540D.
   e. Replace the original code shown in Step 6.c with the following:
      ```xml
      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_<Field_Name>__c_description']}">
        <source>< global.udf.UD_Field_Name></source>
        <target>enter Unicode values here</target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.<UI_Form_Name>.entity.<UI_Form_Name>EO.UD_<Field_Name>__c_LABEL">
        <source><Field_Label></source>
        <target>enter Unicode values here</target>
      </trans-unit>
      ```
      As an example, the code for the FULL_NAME field translation would be:
      ```xml
      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_IDF_RACF_ADV_CN__c_description']}">
        <source>FULL_NAME</source>
        <target>\u6C0F\u540D</target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.RacfUserFormv1.entity.RacfUserFormv1EO.UD_IDF_RACF_ADV_CN__c_LABEL">
        <source>FULL_NAME</source>
        <target>\u6C0F\u540D</target>
      </trans-unit>
      ```
   f. Repeat Steps 6.c through 6.e for all attributes of the process form.
   g. Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing. Sample file name: BizEditorBundle_ja.xlf.
7. Repackage the ZIP file and import it into MDS.
8. Log out of and log in to Oracle Identity Manager.
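Steps 6.a through 6.g are repetitive when a form has many attributes and are easy to get wrong by hand (a self-closed `<target/>` left in place, an attribute missed). The following Python script is an added example, not part of the Oracle documentation or the connector: it reads the resource bundle in the Racf-Adv_LANG_CODE.properties key style, decodes the \uXXXX escapes, sets target-language on the `<file>` element, and fills the `<target>` of every trans-unit whose id carries a UD_<Field_Name>__c_ marker. The XLIFF fragment and the properties text embedded below are constructed samples (the CN value is the one quoted in Step 6.d; the UID key is invented for illustration), and the function names are assumptions.

```python
"""Fill <target> elements of BizEditorBundle.xlf from a connector resource bundle.

Added example; not code from the Oracle documentation or the connector.
It automates steps 6.a-6.g of the localization procedure. SAMPLE_XLF and
SAMPLE_PROPERTIES are constructed inputs.
"""
import re
import xml.etree.ElementTree as ET

# Matches UD_<Field_Name>__c_ inside a trans-unit id and captures UD_<Field_Name>.
FIELD_RE = re.compile(r"(UD_[A-Za-z0-9_]+?)__c_")

# Constructed XLIFF fragment in the format shown in Step 6.c, plus one
# unrelated trans-unit that the script must leave alone.
SAMPLE_XLF = """<xliff version="1.1">
<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
<body>
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_IDF_RACF_ADV_CN__c_description']}">
<source>FULL NAME</source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.RacfUserFormv1.entity.RacfUserFormv1EO.UD_IDF_RACF_ADV_CN__c_LABEL">
<source>FULL NAME</source>
<target/>
</trans-unit>
<trans-unit id="some.other.bundle.key">
<source>Unrelated</source>
<target/>
</trans-unit>
</body>
</file>
</xliff>
"""

# Constructed resource bundle text in the Racf-Adv_ja.properties key style.
# The CN value is the one quoted in Step 6.d; the UID key is invented.
SAMPLE_PROPERTIES = """# constructed sample bundle
global.udf.UD_IDF_RACF_ADV_CN=\\u6C0F\\u540D
global.udf.UD_IDF_RACF_ADV_UID=\\u30E6\\u30FC\\u30B6\\u30FCID
"""


def load_properties(text):
    """Parse key=value lines and decode Java \\uXXXX escapes in the values."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().encode("latin-1").decode("unicode_escape")
    return props


def localize(xlf_text, props, lang_code):
    """Return (localized XLIFF text, fields filled, fields with no bundle value)."""
    root = ET.fromstring(xlf_text)
    for file_el in root.iter("file"):
        file_el.set("target-language", lang_code)  # step 6.b
    filled, missing = [], []
    for tu in root.iter("trans-unit"):
        match = FIELD_RE.search(tu.get("id", ""))
        if not match:
            continue  # not a UD_ form field; leave untouched
        field = match.group(1)
        target = tu.find("target")
        if target is None:
            target = ET.SubElement(tu, "target")
        value = props.get("global.udf." + field)
        if value is None:
            missing.append(field)
            continue
        target.text = value  # step 6.e: <target>translated label</target>
        filled.append(field)
    return ET.tostring(root, encoding="unicode"), filled, missing


if __name__ == "__main__":
    out, filled, missing = localize(SAMPLE_XLF, load_properties(SAMPLE_PROPERTIES), "ja")
    print(out)
    print("filled:", filled, "missing:", missing)
```

To use it on a real export, read the extracted BizEditorBundle.xlf and the connector's Racf-Adv_LANG_CODE.properties into `xlf_text` and `props`, write the returned text as BizEditorBundle_LANG_CODE.xlf, and treat a non-empty `missing` list as attributes that still need a translation before the archive is repackaged and imported into MDS.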
3.3.3 Clearing Content Related to Connector Resource Bundles from the Server Cache for Oracle Identity Manager Connector
When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the Oracle Identity Manager database. Whenever you add a new resource bundle to the connectorResources directory or change an existing resource bundle, you must clear the content related to connector resource bundles from the server cache.
To clear content related to connector resource bundles from the server cache:
3.3.4 Enabling Logging for IBM RACF Advanced Connector
The IBM RACF Advanced connector supports two forms of logging, namely LDAP gateway-level logging and Oracle Identity Manager-level logging. This section discusses the following topics:
3.3.4.1 Enabling Logging for the LDAP Gateway
LDAP Gateway logging operations are managed by the log4j2.properties file, which is located in the LDAP_INSTALL_DIR/conf/ directory. In the log4j2.properties file, edit the rootLogger log level:
rootLogger.level = INFO
The following is a list of log levels that can be used:
- ALL: This level enables logging for all events.
- DEBUG: This level enables logging of information about fine-grained events that are useful for debugging.
- INFO: This level enables logging of messages that highlight the progress of the application at a coarse-grained level.
- WARN: This level enables logging of information about potentially harmful situations.
- ERROR: This level enables logging of information about error events that might allow the application to continue running.
- FATAL: This level enables logging of information about very severe error events that could cause the application to stop functioning.
- OFF: This level disables logging for all events.
Multiple log files are available for use with the connector. Table 3-2 lists the name, location, and contents of each LDAP gateway log file.
Table 3-2 Log Files and their Contents
Log File | Description |
---|---|
nohup.out | This log file contains the console window output from the LDAP Gateway. This file is primarily used in conjunction with the run.sh script (instead of the run.bat file). Location: … |
idfserver.log.0 | This log file contains provisioning and reconciliation logging messages from the LDAP Gateway and is the primary log file used by the gateway component. Location: … |
3.3.4.2 Event Logging in Oracle Identity Manager
Oracle Identity Manager uses Oracle Java Diagnostic Logging (OJDL) for logging. OJDL is based on java.util.logger. This section contains the following topics:
3.3.4.2.1 Understanding the Log Levels
To specify the type of event for which you want logging to take place, you can set the log level to one of the following:
- ERROR:1
- WARNING:1
- NOTIFICATION:1
- TRACE:1
- TRACE:16
- TRACE:32
Oracle Identity Manager level logging operations are managed by the logging.xml file which is located in the following directory:
DOMAIN_NAME/config/fmwconfig/servers/SERVER_NAME/
Loggers are used to configure logging operations for the Oracle Identity Manager functions of the connector.
3.3.4.2.2 Configuring Logging in Oracle Identity Manager
OIM level logging operations are managed by the logging.xml file, which is located in the following directory:
DOMAIN_NAME/config/fmwconfig/servers/SERVER_NAME/
Loggers are used to configure logging operations for the connector's OIM functions. To configure loggers:
Log statements will be written to the path that is defined in the log handler that you assigned in the logger definition. For example, in the above logger definition for the Reconcile All Users scheduled task (in step 3), the handler is odl-handler, which has the following default output file path:
${domain.home}/servers/${weblogic.Name}/logs/${weblogic.Name}-diagnostic.log