Deploying the Connector

2 Deploying the Connector

The procedure to deploy the connector can be divided into the following stages:

2.1 Preinstallation

Preinstallation for the connector involves performing the procedures described in the following sections:

2.1.1 Deploying the SPML-DSML Service

Note:

Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.1, 11.1.2.x, or 12c.

If you are using Oracle Identity Governance 12c, perform the steps in Setting up the SPML-DSML.ear for Password Synchronization after deploying the SPML-DSML.ear.

If you are using Oracle Identity Manager release 9.1.0.x, then skip this section and deploy the SPML Web Service. See Oracle Identity Manager Tools Reference for detailed information.

Before you deploy the connector, deploy the SPML-DSML Service on the Oracle WebLogic Application Server on which Oracle Identity Manager is running:

Log in to the Oracle WebLogic Server Administration Console.
In the Change Center region, click Lock & Edit to enable modification to the settings on the page.
In the Domain Structure region, click Deployments.
On the right pane, click Install.
On the Locate deployment to install and prepare for deployment page, in the Path field, enter OIM_HOME\server\apps. For example, D:\my_install\middleware\Oracle_IDM1\server\apps.
In the region following the Current Location field, select spml-dsml.ear and then click Next.
On the Choose targeting style page, click Next to accept the default selection and proceed with installation.
On the Select deployment targets page, in the Available targets for spml-dsml region, select oim_server1 if Oracle Identity Manager is installed in a nonclustered environment. Otherwise, select oim_cluster.
Click Next.
On the Optional Settings page, in the Source accessibility region, select I will make the deployment accessible from the following location, and then click Next.
On the Review your choices and click Finish page, verify the data that you have provided, and then click Finish.
On the Settings for spml-dsml page, review the configuration information of the deployed SPML-DSML Service, and then click Save.
In the Change Center region, click Activate Changes for the changes to take effect.
On the left pane, in the Domain Structure region, click Deployments.
On the right pane, in the Deployments table, select spml-dsml, and then from the Start list, select Servicing all requests.

The SPML-DSML Service is started.

2.1.2 Setting up the SPML-DSML.ear for Password Synchronization

Note:

This procedure is applicable only for Oracle Identity Governance 12c.

After deploying SPML-DSML ear, perform the following steps in the WebLogis Server (WLS) console to enable the Web Service test tool which is disabled by default:

In the WLS console, click the domain name you want to modify.
On the General tab, open the Advanced section and select Enable Web Service Test Page.
Click Save.
Restart all the servers.

2.1.3 Testing the SPML Web Service and SPML-DSML Service

Note:

You can use the information in this section to test the SPML Web Service on Oracle Identity Manager release 9.1.0.x, or the SPML-DSML Service on Oracle Identity Manager release 11.1.1 or 11.1.2.x.

To test whether the SPML Web service is deployed successfully on Oracle Identity Manager, navigate to the following URL:

For IBM WebSphere Application Server:

http://IP ADDRESS:PORT NUMBER/spmlws/HttpSoap11

https://IP ADDRESS:SSL PORT NUMBER/spmlws/HttpSoap11
For JBoss Application Server:

http://IP ADDRESS:PORT NUMBER/spmlws/services/HttpSoap11

https://IP ADDRESS:SSL PORT NUMBER/spmlws/services/HttpSoap11
For Oracle Application Server:

http://IP ADDRESS:PORT NUMBER/spmlws/HttpSoap11

https://IP ADDRESS:SSL PORT NUMBER/spmlws/HttpSoap11
For Oracle WebLogic Server:

http://IP ADDRESS:NON-SSL PORT NUMBER/spmlws/OIMProvisioning

https://IP ADDRESS:SSL PORT NUMBER/spmlws/OIMProvisioning

2.1.4 Determining the Release Number of the Connector

Note:

Perform the procedure described in this section only if you are using Oracle Identity Manager Microsoft Active Directory Password Synchronization Connector release 9.1.1.5.13 (patch 21492223 ) or later. The following procedure is not applicable to prior releases of the connector.

You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed, perform the following procedure:

Open the Windows System Registry (regedit.exe).
Navigate to the registry key at the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\Install
In the registry key, the release number of the connector is displayed in the string data as the value of the InstallID property.

Sample value: 9.1.1.5.13

2.1.5 Configuring the Connector for Oracle Identity Governance 12c (12.2.1.4.0)

Note:

Perform the procedure described in this section only if you are using Oracle Identity Governance 12c (12.2.1.4.0).

To configure the connector:

Configure a new administrative user in the connector. For example, admin1.
Note:
- Be sure not to create XELSYSADM as the new user.
- Ensure that the new user exists in Oracle Identity Governance with appropriate permissions, including Admin Role.
Log in to the Design Console and perform the following steps:
1. Search for and open the Lookup.AD.Users lookup definition.
2. Add the following new values:
  
  For Code Key, enter the value of the new administrative user configured in connector.
  
  For Decode, enter the application instance name for Active Directory.
Save the lookup definition.

2.2 Installation

Note:

Skip the procedures described in this section and install the connector manually if any of the following conditions are true:

You are unable to install or reconfigure release 9.1.1.5.0 of the connector using GUI-based installation or reconfiguration.
You are using Microsoft Active Directory 2019 or 2022 as your target system.

To install the latest version of the connector manually, you must first install the 9.1.1.5.16 version of the connector by applying patch 28353217. This patch includes a README.text file with instructions for manual installation, manual reconfiguration, and manual uninstallation of the connector. Then, apply patch 30856343 for the 9.1.1.5.17 version of the connector. You can download patches 28353217 and 30856343 from My Oracle Support.

This section discusses the following topics:

2.2.1 Installing the Connector

Installing the connector is described in the following topics:

2.2.1.1 Installation Procedure

To install the connector:

On the Microsoft Active Directory host computer, run the installer as follows:
1. Copy the contents of the installation media to a temporary directory.
2. In the temporary directory, run the setup.exe file to start the installer.
On the Welcome page, click Next.
On the next page, click Next.
On the Installation Directory page, you can either accept the default installation directory or use the Browse button to specify the directory in which you to want install the connector.

Figure 2-1 shows the Installation Directory page.

Figure 2-1 Installation Directory Page (Installation)

Description of "Figure 2-1 Installation Directory Page (Installation)"
Click Next.

If the installation directory that you specify (in the preceding step) exists, then the installer confirms if you want to overwrite the directory. Otherwise, the installer creates the installation directory.
On the Active Directory Configuration Parameters page, which displays the configuration parameters for Microsoft Active Directory, verify the values displayed in all fields.

If the values displayed on this page do not match the values for your current installation of Microsoft Active Directory, then change these values accordingly. Otherwise, you can proceed to the next step.

Figure 2-2 shows the Active Directory Configuration Parameters page on which sample values have been specified.

Figure 2-2 Active Directory Configuration Parameters Page (Installation)

Description of "Figure 2-2 Active Directory Configuration Parameters Page (Installation)"

See Microsoft Active Directory Configuration Parameters for information about the Active Directory configuration parameters.
Click Next.
On the second Active Directory Configuration Parameters page, enter values for the following fields:
- User: Enter the user name of an account that belongs to the Administrators group.
  
  You can use any one of the following formats to enter the user name:
  - USER_LOGIN@DOMAIN.COM
  - cn=USER_LOGIN,cn=USERS,dc=DOMAIN,dc=com
  Sample values:
  
  john_doe@example.com
  
  cn=admin,cn=Users,dc=example,dc=com
- User Password: Enter the password of the account that you entered in the User field.
- Log File Path: Enter the path to the directory where the log files must be generated.
  
  Default value: INSTALLATION_DIRECTORY\Logs
  
  INSTALLATION_DIRECTORY is the directory that you specify in Step 4.
  
  See "Enabling and Disabling Logging" for information about logging.
Figure 2-3 shows the Microsoft Active Directory Information page on which sample values have been specified.

Figure 2-3 Second Active Directory Configuration Parameters Page (Installation)

Description of "Figure 2-3 Second Active Directory Configuration Parameters Page (Installation)"
Click Next to proceed with installation.
On the Oracle Identity Manager Configuration Parameters page, specify values for the configuration parameters of Oracle Identity Manager.

Figure 2-4 displays the Oracle Identity Manager Configuration Parameters page on which sample values have been specified.

Figure 2-4 Oracle Identity Manager Configuration Parameters Page (Installation)

Description of "Figure 2-4 Oracle Identity Manager Configuration Parameters Page (Installation)"

See Oracle Identity Manager Configuration Parameters for information about the Oracle Identity manager configuration parameters.
Click Next.
On the Configuration Parameter Information page, enter values for the following fields:
- Time interval after which password synchronization happens with OIM (in Seconds): Enter an integer value in this field. This value represents the number of seconds the connector sleeps between processing password change events. The connector goes into the sleep mode after processing all the change events from the in-memory and persistent queues.
  
  Default value: 1
- No. of maximum retries to synchronize passwords from AD to OIM: Enter an integer value. This value represents the number of times the connector tries to propagate the password before removing the password change record from the persistent queue.
  
  Default value: 5
Figure 2-5 is a screenshot of the Connector Configuration Parameters page on which sample values have been specified.

Figure 2-5 Configuration Parameters Page (Installation)

Description of "Figure 2-5 Configuration Parameters Page (Installation)"
Click Next.
On the Summary Page, verify that the installation directory for the connector is displayed correctly and then click Next to install the connector.
Note:
- If you are installing the connector on a 64-bit Microsoft Windows operating system, then before you proceed to the next step, copy the oimadpwdsync10.dll and orclmessages.dll files from the Windows\SysWOW64 directory to the WINDOWS\system32 directory.
- If you want to change the installation directory, then click Back until you reach the Installation Directory page, make the required changes, and then proceed through the installation sequence again.
Figure 2-6 shows the Summary page.

Figure 2-6 Summary Page (Installation)

Description of "Figure 2-6 Summary Page (Installation)"

Note:

A dummy Active Directory user named oidtmpuser gets created and deleted immediately in the Active Directory server during installation to verify if the actual Active Directory Password Synchronization administrative user has required administration privileges or not.
On the next page, click Next to restart your computer.

Figure 2-7 Restart Page (Installation)

Description of "Figure 2-7 Restart Page (Installation)"

Clicking Next will force a restart. The restart is required to initialize the oimadpwdsync10.dll file. If the oimadpwdsync10.dll file is not initialized, then the connector is not ready for propagating passwords changes from target system to Oracle Identity Manager.

2.2.1.2 Microsoft Active Directory Configuration Parameters

Table 2-1 describes each configuration parameter of Microsoft Active Directory.

Table 2-1 Microsoft Active Directory Configuration Parameters

Parameter	Description
Domain	Enter the domain name for the Microsoft Active Directory domain controller on which the connector is being installed. This value is typically the DNS domain name. Sample value: `example.com`
BaseDN	Enter the base DN of Microsoft Active Directory. This is the container where the connector searches for entries with changed passwords. The persistent queue, which is an organizationUnit, will be created within this container. Therefore, the base DN that you specify must be capable of holding `organizationalUnit` objects. Sample value: `DC=example,DC=com`
Port	Enter the port number at which LDAP for Microsoft Active Directory host computer is enabled. Default value: `389`
Host	Enter the IP address or the host name of the Microsoft Active Directory host computer. Sample value: `172.20.55.120`
Persistent Store	Enter the Distinguished Name of the Organizational Unit where the Persistent Store Container has to be created. Sample value: `ou=Org`

2.2.1.3 Oracle Identity Manager Configuration Parameters

Table 2-2 describes each configuration parameter of Oracle Identity Manager.

Table 2-2 Oracle Identity Manager Configuration Parameters

Parameter	Description
Host	Enter the IP address (not the host name) of the Microsoft Active Directory host computer. Note: The host name must be accessible from the Microsoft Active Directory host computer. Sample value: `oimhost`
Port	Enter the number of the port at which the Oracle Identity Manager SPML Web service is listening. Sample value: `8080`
Administrator Login	Enter the user name of the account that will be used by the connector to login to Oracle Identity Manager during a password synchronization operation. This account must have the permissions required to change the password of OIM Users.
Administrator Password	Enter the password of the account that will be used by the connector to login to Oracle Identity Manager during a password synchronization operation.
OIM User Attribute	Enter the Metadata Column Code of the column in the USR table that you want to use to match OIM Users with users in the target system. Note that the corresponding column in the USR table on the Oracle Identity Manager Database must be unique. During password synchronization, the sAMAccountName value of the user whose password is changed is compared against values in this column. Sample value (for predefined OIMUser fields): `Users.User ID` For user-defined OIMUser fields, you can use the USR_UDF_FIELD_NAME format. Sample Value: `USR_UDF_USERNAME` See the "Metadata Column Codes" appendix in Oracle Identity Manager API Usage Guide for information about the mapping between the physical column names and metadata column codes.
OIM Application Server Type	Select the name of the application server that hosts Oracle Identity Manager. Sample value: `JBoss`
Use SSL	Select Yes, if you are going to configure SSL communication between Microsoft Active Directory and Oracle Identity Manager. Otherwise, select `No.` Default value: `Yes` Note: It is recommended that you configure SSL to secure the transfer of SOAP messages from the target system to Oracle Identity Manager. See "Configuring SSL" for information about enabling SSL.
Client Certificate Subject Name	Enter a value for this parameter only if `Use SSL` parameter has been set to `Yes` and client authentication is required by the application server. Enter a string that identifies the client certificate that must be used for SSL. Sample value: `TQL17` Here, TQL17 is the Issued To value in the certificate.

2.2.1.4 Ensuring that the Connector is Ready for Propagating Passwords

In order to ensure that the connector is ready for propagating password changes from target system to Oracle Identity Manager, you must check if the oimadpwdsync10.dll file has been initialized.

To verify whether the oimadpwdsync10.dll file is initialized:

Enable logging for the TIME_STAMPOIMMain.log file by performing the procedure described in "Enabling and Disabling Logging".
Check if the TIME_STAMPOIMMain.log file is generated in the path specified in the Log File Path field while performing Step 8 of "Installing the Connector".

If the TIME_STAMPOIMMain.log file is generated, then the oimadpwdsync10.dll file is initialized. Otherwise, you must reinstall the connector.

2.2.2 Reconfiguring the Connector

During connector installation, you specify a set of values for the configuration parameters of Microsoft Active Directory, Oracle Identity Manager, and the connector. After connector installation, if you want to change the values for any of the configuration parameters, then you must perform the procedure described in this section.

To reconfigure the connector:

On the Microsoft Active Directory host computer, run the setup.exe file located in the temp directory.
On the Welcome page, click Next.
On the Active Directory Configuration Parameters page, if required, modify values for any or all of the following parameters:
- Domain
- BaseDN
- Port
- Host
Figure 2-8 shows the Active Directory Configuration Parameters page on which sample values have been specified.

Figure 2-8 Active Directory Configuration Parameters (Reconfiguration)

Description of "Figure 2-8 Active Directory Configuration Parameters (Reconfiguration)"
Click Next.
On the Oracle Identity Manager Configuration Parameters page, if required, modify values for any or all of the following parameters:
- Host
- Port
- OIM User Attribute
- OIM Application Server Type
- Use SSL
- Client Configuration Subject Name
Figure 2-9 displays the Oracle Identity Manager Configuration Parameters page on which sample values have been specified.

Figure 2-9 Oracle Identity Manager Configuration Parameters Page (Reconfiguration)

Description of "Figure 2-9 Oracle Identity Manager Configuration Parameters Page (Reconfiguration)"
Click Next.
On the Configuration Parameter Information page, if required, modify values for any or all of the following fields:
- Time interval after which password synchronization happens with OIM (in minutes)*
- No. of Maximum retries to synchronize Passwords from AD to OIM*
Figure 2-10 is a screenshot of the Configuration Parameters page on which sample values have been specified.

Figure 2-10 Configuration Parameters Page (Reconfiguration)

Description of "Figure 2-10 Configuration Parameters Page (Reconfiguration)"
Click Next to continue with reconfiguring the connector.
On the second Active Directory Configuration Parameters page, if you want to modify the value of any field, then you must enter values for all fields displayed on that page. Otherwise, leave all the fields blank and proceed to the next step.
The following fields are displayed on the Second Active Directory Configuration Parameters page:
- Active Directory User
- Active Directory User Password
- Oracle Identity Manager User
- Oracle Identity Manager User Password
Figure 2-11 is a screenshot of the second Active Directory Configuration Parameters page on which sample values have been specified.

Figure 2-11 Second Active Directory Configuration Parameters Page (Reconfiguration)

Description of "Figure 2-11 Second Active Directory Configuration Parameters Page (Reconfiguration)"
On the Second Active Directory Configuration Parameters page, click Next.
On the next page, click Finish to complete the procedure for reconfiguring the connector.

2.3 Postinstallation

You must perform the following steps after you install the connector:

2.3.1 Enabling and Disabling Logging

Log files contain information about events that occur during password synchronization. You can use the log files to determine the cause of any errors that may occur during password synchronization events.

This section contains the following topics:

2.3.1.1 Log Files

This connector provides three log files. Each log file name is prefixed with TIME_STAMP, which represents the time at which the log file was created.

The following is the list of log files for this connector and their description:

Note:

You cannot rename the log files. In addition, you cannot specify or change the log level for log files. The default log level is DEBUG.

TIME_STAMP_PasswordChange.log

This file stores information about whether the connector is enabled. In the TIME_STAMP_PasswordChange.log file name, TIME_STAMP represents the time at which the log file was created in the YearMonthDayHourMinuteSecondMillisecond format.

Sample value: 200931801311828_PasswordChange.log

The TIME_STAMP_PasswordChange.log file is generated every time the oimadpwdsync10.dll file is initialized. The oimadpwdsync10.dll file is initialized when you restart the computer hosting the connector.
TIME_STAMPOIMMain.log

This file stores information about events that occur while the password change records stored in the in-memory queue and persistent queue are being processed. In the TIME_STAMPOIMMain.log file name, TIME_STAMP represents the time at which the log file was created in the YearMonthDay format.

Sample value: 2009318OIMMain.log

The TIME_STAMPOIMMain.log file is generated every time the password update thread is created.
TIME_STAMP_adsi_debug.log

This file stores information about the events that occur from the time the password is changed in Microsoft Active Directory till the time the password change is saved to the in-memory queue. In the TIME_STAMP_adsi_debug.log file name, TIME_STAMP represents the time at which the log file was created in the YearMonthDayHourMinuteSecondMillisecond format.

Sample value: 2009318212319187_adsi_debug.log

The TIME_STAMP_adsi_debug.log file is generated every time a password change event occurs.

2.3.1.2 Enabling or Disabling Logging

By default, logging is disabled for the password synchronization connector. After connector installation, if you want to enable logging, or disable logging after it has been enabled, then perform the procedure described in this section.

To enable or disable logging:

Note:

The procedure described in this section must be performed on the target system host computer.

From the Start menu, click Run.
In the Run dialog box, type regedit.
In the Registry Editor window, on the left navigation pane:
- If you want to enable or disable logging of events to the TIME_STAMP_PasswordChange.log file, then:
  1. Navigate to the following key:
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\ADConfig
  2. On the right pane, double-click the Log value.
- If you want to enable or disable logging of events to the TIME_STAMPOIMMain.log file, then:
  1. Navigate to the following key:
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\OIMConfig
  2. On the right pane, double-click the OIMLog value.
- If you want to enable or disable logging of events to the TIME_STAMP_adsi_debug.log file, then:
  1. Navigate to the following key:
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\ADConfig
  2. On the right pane, double-click the Log value.
In the Edit String dialog box:
- If you want to disable logging, then in the Value data field, enter N.
- If you want to enable logging, then in the Value data field, enter Y.
Click OK.
If you have enabled or disabled logging of events to the TIME_STAMP_PasswordChange.log file, then restart the computer for the changes to take effect.

2.3.2 Configuring the IT Resource for the Target System

Note:

If you have installed a user management connector release that is earlier than release 9.1.1 (for example, release 9.1.0), then you must set the value of the AD Sync installed parameter to no.

The ADITResource IT resource is created in Oracle Identity Manager when you install the user management connector. The Allow Password Provisioning parameter is a parameter of the user management connector.

Note:

This procedure is not applicable if you are using release 11.1.1.x or 12.2.1.3.x of the Microsoft Active Directory User Management connector.

If you want to use the target system as the trusted source for passwords, then set the Allow Password Provisioning parameter to no. When you set the value of this parameter to no, the user management connector does not propagate password changes from Oracle Identity Manager to the target system.

If you set the Allow Password Provisioning parameter to yes, then:

When a Microsoft Active Directory resource is provisioned to an OIM User:
1. An account is created on Microsoft Active Directory.
2. The password of the account is detected by the connector and sent to Oracle Identity Manager.
3. On Oracle Identity Manager, the password is compared with the current password of the Active Directory resource. Because both passwords are the same, no further action is taken.
4. If password history policy is set, then an exception for the SPML request (sent by the password synchronization connector) is encountered. You can ignore this exception.
When the password of the Microsoft Active Directory resource is changed on Oracle Identity Manager:
1. The password is sent to Microsoft Active Directory by the user management connector.
2. The updated password is detected by the connector and sent to Oracle Identity Manager.
3. On Oracle Identity Manager, the password is compared with the current password of the Active Directory resource. Because both passwords are the same, no further action is taken.
4. If password history policy is set, then an exception for the SPML request (sent by the password synchronization connector) is encountered. You can ignore this exception.
When the password is changed on Microsoft Active Directory:
1. The updated password is detected by the connector and sent to Oracle Identity Manager.
2. On Oracle Identity Manager, the password is compared with the current password of the Active Directory resource. Because both passwords are different, the password of the Microsoft Active resource on Oracle Identity Manager is updated.
3. The updated password is detected by the user management connector and sent to Microsoft Active Directory.
4. The password of the Microsoft Active Directory is modified, even though this is the same password that was set by the user.
5. The password of the account is detected by the password synchronization connector and sent to Oracle Identity Manager.
6. On Oracle Identity Manager, the password is compared with the current password of the Active Directory resource. Because both passwords are the same, no further action is taken.
7. If password history policy is set on Oracle Identity Manager, then an exception for the SPML request (sent by the password synchronization connector) is encountered. You can ignore this exception.

2.3.3 Specifying a Value for the Allow Password Provisioning Parameter

Note:

Perform the procedure described in this section only if the user management connector is installed.
This procedure is not applicable if you are using release 11.1.1.x or 12.2.1.3.x of the Microsoft Active Directory User Management connector.

You can specify a value for the Allow Password Provisioning parameter as follows:

Depending on the Oracle Identity Manager release you are using, perform one of the following steps:
- For Oracle Identity Manager release 9.1.0.x:
  1. Log in to the Oracle Identity System Administration.
  2. Expand Resource Management, and then click Manage IT Resource.
- For Oracle Identity Manager release 11.1.1:
  1. Log in to the Oracle Identity System Administration.
  2. On the Welcome to Oracle Identity Manager Self Service page, click Advanced in the upper-right corner of the page.
  3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.
- For Oracle Identity Manager release 11.1.2.x:
  1. Log in to Oracle Identity System Administration.
  2. In the left pane, under Configuration, click IT Resource.
In the IT Resource Name field on the Manage IT Resource page, enter ADITResource and then click Search.
Click the edit icon for the IT resource.
From the list at the top of the page, select Details and Parameters.
Depending on how you want the user management connector and password synchronization connector to function, enter a value of either yes, or no for the Allow Password Provisioning parameter.
If you have installed a user management connector release that is earlier than release 9.1.1, then you must set the value of the AD Sync installed parameter to no.

2.3.4 Enabling the Strong Password Authentication (Password Complexity) Feature of Microsoft Active Directory

Note:

You must use an administrator account to perform the procedures described in this section.

Microsoft Active Directory provides the Strong Password Authentication feature through the implementation of a password filter. To use this password filter along with the connector, follow the instructions for enabling the "Passwords must meet complexity requirements" policy setting by visiting the Microsoft Web site at

http://www.microsoft.com/technet/

After you enable this policy setting, password changes in Microsoft Active Directory are checked against the Strong Password Authentication requirements before they are passed on to the connector.

2.3.5 Configuring SSL

Note:

It is strongly recommended that you configure SSL communication between the connector and Oracle Identity Manager in your production environment.

However, the configuration of secure client operation (using SSL at the server) affects all clients. This means that if you use SSL to secure Oracle Identity Manager communication with the connector, then the Oracle Identity Manager Design Console and any other custom clients must also communicate with Oracle Identity Manager using SSL.
If Microsoft Active Directory is running on Windows Server 2008 R2, then you must install all available Windows updates and apply the Easy fix provided on the Microsoft Support page for enabling TLS 1.2 at https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in.

If you do not do so, then Transport Layer Security (TLS) 1.2 connection is not enabled for SSL with Oracle Identity Governance 12c (12.2.1.3.0) Server and password sync fails due to SSL handshake issues.

To secure the propagation of passwords from Microsoft Active Directory to Oracle Identity Manager, you must configure SSL. The procedure that you must follow depends on the application server on which Oracle Identity Manager is running:

2.3.5.1 Configuring SSL on IBM WebSphere Application Server

The following sections provide information about enabling SSL communication when Oracle Identity Manager is running on IBM WebSphere Application Server:

2.3.5.1.1 Exporting the Certificate

Note:

The procedure described in this section must be performed on the IBM WebSphere Application Server host computer.

To export the IBM WebSphere Application Server certificate:

In a terminal window, change to the WEBSPHERE_HOME\AppServer\java\jre\bin directory.
Run the following command:
```
keytool -export -alias default -file CERT_FILE_NAME -keypass DEFAULT_TRUST_STORE_PASSWORD -keystore DEFAULT_IDENTITY_STORE -storepass DEFAULT_IDENTITY_STORE_PASSWORD -storetype pkcs12 -provider com.ibm.crypto.provider.IBMJCE
```
In this command:
- CERT_FILE_NAME is the complete path and name of the certificate file.
- DEFAULT_TRUST_STORE_PASSWORD is the password of the default trust store trust.p12.
- DEFAULT_IDENTITY_STORE is the complete path and name of the default identity store key.p12.
- DEFAULT_IDENTITY_STORE_PASSWORD is the password of the default identity store key.p12.
The following is a sample command:
```
keytool -export -alias default -file C:\mycertificates\websp.cer -keypass WebAS -keystore C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv06\etc\key.p12 -storepass WebAS -storetype pkcs12 -provider com.ibm.crypto.provider.IBMJCE
```
When you run the command, the application server certificate is generated in the WEBSPHERE_HOME\AppServer\java\jre\bin directory.

2.3.5.1.2 Importing the Certificate

Note:

The procedure described in this section must be performed on the Microsoft Active Directory host computer.

To import the application server certificate:

Copy the certificate (exported in "Exporting the Certificate") to any directory on the Microsoft Active Directory host computer.
Click Start and then click Run.
Enter the following command, and then click OK:

mmc

The Microsoft Management Console is displayed.
From the File menu, select Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.
In the certificates snap-in dialog box, select Computer account, and then click Next.
In the Select Computer dialog box, accept the defaults, and then click Finish.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
In the Console Root window, on the left pane, expand Certificates (Local Computer) under the Console Root folder.
Expand Trusted Root Certification Authorities, right-click Certificates, select All Tasks, and then click Import.

The Certificate Import Wizard is displayed.
On the Welcome to the Certificate Import Wizard page, click Next.
On the File to Import page, you can either specify the path to the directory in which you copied the exported certificate, or use the Browse button to specify the directory in which you copied the exported certificate.
Click Next.
On the Certificate Store page, select Place all certificates in the following store, and click Next.
On the Completing the Certificate Import Wizard, click Finish.

A message indicating that the import was successful is displayed.
Click OK to close the Certificate Import Wizard dialog box.

2.3.5.1.3 Additional Configuration Steps

Note:

The procedure described in this section must be performed on the IBM WebSphere Client host computer.

You must extract and copy the xlDataObjectBeans.jar file located in the OIM_DC_HOME\xlclient\ext directory to the WEBSPHERE_HOME\profiles\PROFILE_NAME\installedApps\NODE_NAME\OIM-xell-WS.ear\spmlws.war\WEB-INF\lib directory.

Here:

OIM_DC_HOME is the directory in which you install the Oracle Identity Manager Design Console
WEBSPHERE_HOME is the home directory of WebSphere
PROFILE_NAME is the name of the application server profile being used
NODE_NAME is the name of the node which the application server profile uses

2.3.5.2 Configuring SSL on JBoss Application Server

The following sections provide information about enabling SSL communication when Oracle Identity Manager is running on JBoss application server:

Generating Keys
Signing the Certificate
Exporting the Certificate

Note:

The procedure described in the preceding sections must be performed on the JBoss Application Server host computer.
Importing the Certificate

Note:

The procedure described in the preceding section must be performed on the Microsoft Active Directory host computer.
Configuring the server.xml File

Note:

The procedure described in the preceding sections must be performed on the JBoss Application Server host computer.

2.3.5.2.1 Generating Keys

Generate keys by using the keytool command. The following keytool command generates an identity keystore. jbossserver.jks:

keytool -genkey -alias PRIVATE_KEY_ALIAS -keyalg RSA -keysize 1024 -dname DN_VALUE -keypass PRIVATE_KEY_PASSWORD -keystore IDENTITY_STORE_FILE -storepass IDENTITY_STORE_FILE_PASSWORD -storetype jks

In this command:

PRIVATE_KEY_ALIAS is the alias that you want to use for the private key.
PRIVATE_KEY_PASSWORD is the password that you want to use for the private key.
DN_VALUE is the distinguished name (DN) for your organization.

The common name (CN) value in the DN must be the host name of the Oracle Identity Manager server.
IDENTITY_STORE_FILE is the identity store that you want to use.
IDENTITY_STORE_FILE_PASSWORD is the password of the identity store that you want to use.

The following is a sample command:

keytool -genkey -alias serverjboss -keyalg RSA -keysize 1024 -dname "CN=myhost" -keypass welcome -keystore E:\jboss-4.0.3SP1\server\jbossserver.jks -storepass welcome -storetype jks

2.3.5.2.2 Signing the Certificate

Use the following keytool command to sign the certificate that you created:

keytool -selfcert -alias PRIVATE_KEY_ALIAS -sigalg MD5withRSA -validity 2000 -keypass PRIVATE_KEY_PASSWORD -keystore IDENTITY_STORE_FILE -storepass IDENITTY_STORE_FILE_PASSWORD

Note:

It is recommended that you use trusted certificate authorities, for example, VeriSign or Thawte, for signing certificates.

The following is a sample command:

keytool -selfcert -alias serverjboss -sigalg MD5withRSA -validity 2000 -keypass welcome -keystore  E:\jboss-4.0.3SP1\server\jbossserver.jks -storepass welcome

2.3.5.2.3 Exporting the Certificate

Use the following keytool command to export the certificate from the identity keystore to a file:

keytool -export -alias PRIVATE_KEY_ALIAS -file CERT_FILE_NAME -keypass PRIVATE_KEY_PASSWORD -keystore IDENITTY_STORE_FILE -storepass IDENTITY_STORE_FILE_PASSWORD -storetype jks -provider sun.security.provider.Sun

In this command, replace CERT_FILE_NAME with the name that you want to use for the certificate file.

The following is a sample command:

keytool -export -alias serverjboss -file E:\jboss-4.0.3SP1\server\jbossserver.cert -keypass welcome -keystore E:\jboss-4.0.3SP1\server\jbossserver.jks -storepass welcome -storetype jks -provider sun.security.provider.Sun

2.3.5.2.4 Importing the Certificate

To import the application server certificate:

Copy the certificate (exported in "Exporting the Certificate") to any directory on the Microsoft Active Directory host computer.
Click Start and then click Run.
Enter the following command, and then click OK:

mmc

The Microsoft Management Console is displayed.
From the File menu, select Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.
In the certificates snap-in dialog box, select Computer account, and then click Next.
In the Select Computer dialog box, accept the defaults, and then click Finish.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
In the Console Root window, on the left pane, expand Certificates (Local Computer) under the Console Root folder.
Expand Trusted Root Certification Authorities, right-click Certificates, select All Tasks, and then click Import.

The Certificate Import Wizard is displayed.
On the Welcome to the Certificate Import Wizard page, click Next.
On the File to Import page, you can either specify the path to the directory in which you copied the exported certificate, or use the Browse button to specify the directory in which you copied the exported certificate.
Click Next.
On the Certificate Store page, select Place all certificates in the following store, and click Next.
On the Completing the Certificate Import Wizard, click Finish.

A message indicating that the import was successful is displayed.
Click OK to close the Certificate Import Wizard dialog box.

2.3.5.2.5 Configuring the server.xml File

Copy the following entry to the server.xml file located in the OIM_HOME\jboss-4.0.3SP1\server\default\deploy\jbossweb-tomcat55.sar directory:

<Connector port="8443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="false"
              sslProtocol="TLS" 
           keystoreFile="E:\jboss-4.0.3SP1\server\jbossserver.jks"
           keystorePass="welcome"
           truststoreFile="E:\jboss-4.0.3SP1\server\jbossserver.jks"
           truststorePass="welcome"/>

After you have performed the preceding steps, restart the server for the changes to take effect.

2.3.5.3 Configuring SSL on Oracle Application Server

The following sections provide information about enabling SSL communication when Oracle Identity Manager is running on Oracle Application Server.

2.3.5.3.1 Enabling SSL for HTTP Communication to Oracle HTTP Server

By default, the Oracle HTTP Server is configured with SSL and the SSL certificate store is located at ORACLE_HOME\Apache\Apache\conf\ssl.wlt\default\. The listen parameter in the ORACLE_HOME\Apache\Apache\conf\ssl.conf file points to the SSL port being used by the Oracle HTTP Server.

A custom wallet and certificate should be created for the Oracle HTTP Server.

Perform the following steps to create a custom wallet and certificate for Oracle HTTP Server:

To create a custom wallet, run the following command:
```
orapki wallet create -wallet WALLET_LOCATION -auto_login
```
In this command, WALLET_LOCATION is the path to the directory where the wallet is created.
To add a self-signed certificate to the wallet, run the following command:
```
orapki wallet add -wallet WALLET_LOCATION -dn CN=HOSt_NAME -keysize 2048 -self_signed -validity 3650
```
When prompted, enter the Wallet password.

This creates a self-signed certificate with a validity of 3650 days. The distinguished name of the subject is CN=HOST_NAME. Here HOST_NAME is the host name of the machine. The key size for the certificate is 2048 bits.

Note:

Ensure that you obtain the certificate from an appropriate Certificate Authority.
To export the self-signed certificate, run the following command:
```
orapki wallet export -wallet WALLET_LOCATION -dn 'CN=HOST_NAME' -cert WALLET_LOCATION/b64certificate.txt
```
In this command, the value of HOST_NAME must be same as the value of HOST_NAME specified in Step 2.
Edit the ssl.conf file located in the ORACLE_HOME/Apache/Apache/conf/ as follows:
1. In a text editor, open the ssl.conf file and find the following entry:
```
SSLWallet file:
```
2. Enter WALLET_LOCATION (specified in Step 1) as the value of the SSLWallet file: entry.
  
  The following is a sample value of the SSLWallet file: entry:
```
SSLWallet file:/home/testoc4j/OIM9102/product/10.1.3.1/OracleAS_1/Apache/Apache/conf/ssl.wlt/default
```
3. Save and close the updated ssl.conf file.
Restart Oracle Application Server.

2.3.5.3.2 Exporting the Certificate

To export the application server certificate from the WALLET_LOCATION directory that you specified in Step 1 of Enabling SSL for HTTP Communication to Oracle HTTP Server, perform the following steps after you have started Oracle Wallet Manager:

Note:

The default Oracle wallet directory is ORACLE_HOME\Apache\Apache\conf\ssl.wlt\default\ewallet.p12

Depending on the operating system used, perform one of the following steps to start Oracle Wallet Manager:
- For Microsoft Windows, click Start, Programs, ORACLE-HOME_NAME, Integrated Management Tools, and Wallet Manager.
- For UNIX, in a terminal window, change to the ORACLE_HOME/bin directory and then enter the owm command.
Open the WALLET_LOCATION directory by using Oracle Wallet Manager.
Enter the wallet password (that you specified in Step 2 of Enabling SSL for HTTP Communication to Oracle HTTP Server) as the store password when prompted.
Right-click Certificate (Ready) and click Export User Certificate.
Enter server.cert as the file name and save the file.

The connector uses this certificate to trust Oracle Application Server.

See Also:

The "Secure Sockets Layer" section in Oracle Application Server Administrator's Guide for more information about Oracle Wallet Manager

2.3.5.3.3 Importing the Certificate

To import the application server certificate:

Copy the certificate (exported in Step 3 of Enabling SSL for HTTP Communication to Oracle HTTP Server) to any directory on the Microsoft Active Directory host computer.
Click Start and then click Run.
Enter the following command, and then click OK:

mmc

The Microsoft Management Console is displayed.
From the File menu, select Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.
In the certificates snap-in dialog box, select Computer account, and then click Next.
In the Select Computer dialog box, accept the defaults, and then click Finish.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
In the Console Root window, on the left pane, expand Certificates (Local Computer) under the Console Root folder.
Expand Trusted Root Certification Authorities, right-click Certificates, select All Tasks, and then click Import.

The Certificate Import Wizard is displayed.
On the Welcome to the Certificate Import Wizard page, click Next.
On the File to Import page, you can either specify the path to the directory in which you copied the exported certificate, or use the Browse button to specify the directory in which you copied the exported certificate.
Click Next.
On the Certificate Store page, select Place all certificates in the following store, and click Next.
On the Completing the Certificate Import Wizard, click Finish.

A message indicating that the import was successful is displayed.
Click OK to close the Certificate Import Wizard dialog box.

2.3.5.4 Configuring SSL on Oracle WebLogic Server

The following sections provide information about enabling SSL communication when Oracle Identity Manager is running on Oracle WebLogic Server:

Generating Keys
Signing the Certificate
Exporting the Certificate
Configuring Custom Identity Keystore in Oracle WebLogic Server

Note:

The procedure described in the preceding sections must be performed on the Oracle WebLogic Server host computer.
Importing the Certificate

Note:

The procedure described in the preceding section must be performed on the Microsoft Active Directory host computer.

2.3.5.4.1 Generating Keys

Generate private/public certificate pairs by using the keytool command provided. The following command creates an identity keystore:

keytool –genkey -alias PRIVATE_KEY_ALIAS -keyalg RSA -keysize 1024 -dname DN_VALUE -keypass PRIVATE_KEY_PASSWORD -keystore IDENTITY_STORE_FILE -storepass IDENTITY_STORE_FILE_PASSWORD -storetype jks

In this command:

PRIVATE_KEY_ALIAS is the alias that you want to use for the private key.
PRIVATE_KEY_PASSWORD is the password that you want to use for the private key.
DN_VALUE is the distinguished name (DN) for your organization.

The common name (CN) value in the DN must be the host name of the Oracle Identity Manager server.
IDENTITY_STORE_FILE is the identity store that you want to use.
IDENTITY_STORE_FILE_PASSWORD is the password of the identity store that you want to use.

The following is a sample command that creates an identity key store (support.jks):

keytool –genkey -alias support -keyalg RSA -keysize 1024 -dname "CN=oimserver" -keypass weblogic -keystore C:\bea\user_projects\domains\oim\support.jks -storepass support -storetype jks

2.3.5.4.2 Signing the Certificate

The procedure to sign a certificate and import the self-signed certificate as a trusted entry in the Java standard store is as follows:

Use the following command to sign a certificate:

keytool -selfcert -alias PRIVATE_KEY_ALIAS -sigalg MD5withRSA -validity2000 -keypass PRIVATE_KEY_PASSWORD -keystore IDENTITY_STORE_FILE -storepass IDENITTY_STORE_FILE_PASSWORD -storetype jks

Note:

It is recommended that you use trusted certificate authorities, for example, VeriSign or Thawte, for signing certificates.

The following is a sample command:

keytool -selfcert -alias support -sigalg MD5withRSA -validity 2000 -keypass weblogic -keystore C:\bea\user_projects\domains\oim\support.jks -storepass support -storetype jks

Use the following command to import the certificate (signed in Step 1) as trusted entry in the Java standard store:

keytool -importcert -trustcacerts -alias PRIVATE_KEY_ALIAS -file CERT_FILE_NAME  -keystore JAVA_STANDARD_TRUST -storepass JAVA_STANDARD_STORE_FILE_PASSWORD

The following is a sample command:

keytool -importcert -trustcacerts -alias support -file C:\bea\user_projects\domains\oim\supportcert.pem -keystore c:\jdk-6u25\jre\lib\security\cacerts -storepass changeit

2.3.5.4.3 Exporting the Certificate

Use the following command to export the certificate from the identity keystore to a file:

keytool -export -alias PRIVATE_KEY_ALIAS -file CERT_FILE_NAME -keypass PRIVATE_KEY_PASSWORD -keystore IDENITTY_STORE_FILE -storepass IDENTITY_STORE_FILE_PASSWORD -storetype jks -provider sun.security.provider.Sun

In this command, replace CERT_FILE_NAME with the complete path and name of the certificate file.

The following is a sample command:

keytool -export -alias support -file C:\bea\user_projects\domains\oim\supportcert.pem -keypass weblogic -keystore C:\bea\user_projects\domains\oim\support.jks -storepass support -storetype jks -provider sun.security.provider.Sun

2.3.5.4.4 Configuring Custom Identity Keystore in Oracle WebLogic Server

To configure the custom identity keystore:

In the WebLogic Server Administration Console, click Servers, Configuration, and then click General.
Select SSL listen port enabled. The default port is 7002.

Note:

If Oracle WebLogic Server is deployed on Oracle Identity Manager release 11.1.1 or 11.1.2.x, then the default port is 14001.
In the Administrative Console, click Servers.
On the Configuration tab, click the server name in the Name column of the table.
On the Keystores tab:
1. In the Change Center region, click Lock & Edit to enable modification to the settings on the page.
2. From the Keystores box, perform one of the following steps:
  - If Oracle WebLogic Server is deployed on Oracle Identity Manager release 9.1.0.x, then select Custom Identity and Custom Trust, and then click Continue.
  - If Oracle WebLogic Server is deployed on Oracle Identity Manager release 11.1.1 or 11.1.2.x, then select Custom Identity and Custom Trust or Custom Identity and Java Standard Trust, and then click Continue.
3. In the Custom Identity Keystore and Custom Trust Keystore fields, enter C:\bea\user_projects\domains\oim\support.jks as the custom identity keystore file name.
4. In the Custom Identity Keystore Type field, enter JKS.
5. In the Custom Identity Keystore Passphrase and Confirm Custom Identity Keystore Passphrase fields, enter the password of the custom identity keystore.
On the SSL tab:
1. In the Change Center region, click Lock & Edit to enable modification to the settings on the page.
2. From the Identity and Trust Location box, select Keystores.
3. In the Private Key Alias field, enter support as the private key alias.
4. In the Private Key Passphrase and Confirm Private Key Passphrase fields, enter the password, for example, support.
Click the Advanced Properties tab, and select Client Certs not Requested from the dropdown list, and save the changes.
Restart the server for the changes to take effect.

Note:

For a clustered installation, repeat all the steps on each node of the cluster. Then, restart each node.

2.3.5.4.5 Importing the Certificate

To import the application server certificate:

Copy the certificate (exported in "Exporting the Certificate") to any directory on the Microsoft Active Directory host computer.
Click Start and then click Run.
Enter the following command, and then click OK:

mmc

The Microsoft Management Console is displayed.
From the File menu, select Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.
In the certificates snap-in dialog box, select Computer account, and then click Next.
In the Select Computer dialog box, accept the defaults, and then click Finish.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
In the Console Root window, on the left pane, expand Certificates (Local Computer) under the Console Root folder.
Expand Trusted Root Certification Authorities, right-click Certificates, select All Tasks, and then click Import.

The Certificate Import Wizard is displayed.
On the Welcome to the Certificate Import Wizard page, click Next.
On the File to Import page, you can either specify the path to the directory in which you copied the exported certificate, or use the Browse button to specify the directory in which you copied the exported certificate.
Click Next.
On the Certificate Store page, select Place all certificates in the following store, and click Next.
On the Completing the Certificate Import Wizard, click Finish.

A message indicating that the import was successful is displayed.
Click OK to close the Certificate Import Wizard dialog box.

2.3.6 Excluding Users for Password Synchronization

Note:

You can perform this procedure only if you are using the latest 9.1.1.5.x patch for the connector.

By default, the connector captures all passwords changed on the target system and propagates them to Oracle Identity Manager. If you do not want the connector to propagate the password changes to Oracle Identity Manager for certain users, then you must configure the connector to use the ADUsrExclusionFilter config parameter. In other words, by using the AD UsrExclusionFilter config parameter, you can configure the connector to filter AD users whose password changes must not be propagated to Oracle Identity Manager.

To configure the ADUsrExclusionFilter config parameter to exclude AD Users for password synchronization with Oracle Identity Manager:

Open the system registry by running the regedit.exe command.
Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\OIMConfig
In the right pane, double-click the ADUsrExclusionFilter value.
In the Value data field of the Edit String dialog box, enter a filter string value for all AD users that the connector must exclude for password synchronization.
Consider the following examples:
- If you want to exclude all AD users whose account name contains "xyz", then enter (samAccountName=*xyz*).
- If you want to exclude a specific user whose account name is johndoe, then enter (samAccountName=johndoe).
- If you want to exclude more than one user, then enter (|(samAccountName=johndoe)(samAccountName=richardroe)(samAccountName=janedoe)).
If the Value data field is empty, then the exclusion filter is disabled.

Note:

You can apply filters only for User objects. Filtering records for password synchronization based on attributes of other objects such as Groups, Organizational Units, and so on is not supported.