4 Performing the Postconfiguration Tasks for the Microsoft Active Directory User Management Connector
These are the tasks that you must perform after creating an application in Oracle Identity Governance.
4.1 Configuring Oracle Identity Governance
During application creation, if you did not choose to create a default form, then you must create a UI form for the application that you created by using the connector.
Note:
Perform the procedures described in this section only if you did not choose to create the default form while creating the application.
The following topics describe the procedures to configure Oracle Identity Governance:
4.1.1 Creating and Activating a Sandbox
You must create and activate a sandbox to begin using the customization and form management features. You can then publish the sandbox to make the customizations available to other users.
See Creating a Sandbox and Activating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
4.1.2 Creating a New UI Form
You can use Form Designer in Oracle Identity System Administration to create and manage application instance forms.
See Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Governance.
While creating the UI form, ensure that you select the resource object corresponding to the newly created application that you want to associate the form with. In addition, select the Generate Entitlement Forms check box.
4.1.3 Publishing a Sandbox
Before publishing a sandbox, perform this procedure as a best practice to validate all sandbox changes made up to this stage, because changes are difficult to revert after a sandbox is published.
1. In Identity System Administration, deactivate the sandbox.
2. Log out of Identity System Administration.
3. Log in to Identity Self Service using the xelsysadm user credentials and then activate the sandbox that you deactivated in Step 1.
4. In the Catalog, ensure that the application instance form for your resource appears with the correct fields.
5. Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
4.1.4 Updating an Existing Application Instance with a New Form
For any change that you make to the schema of your application in Identity Self Service, you must create a new UI form and attach it to the application instance.
To update an existing application instance with a new form:
1. Create and activate a sandbox.
2. Create a new UI form for the resource.
3. Open the existing application instance.
4. In the Form field, select the new UI form that you created.
5. Save the application instance.
6. Publish the sandbox.
See Also:
- Creating a Sandbox and Activating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance
- Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Governance
- Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance
4.2 Configuring the IT Resource for the Target System
Whether you use the connector for user management, group management, or organizational unit management, you must configure values for the parameters of the Active Directory IT resource.
After you create the application for your target system, the connector creates a default IT resource for the target system. The name of this default IT resource is Active Directory.
In Oracle Identity System Administration, search for and edit the Active Directory IT resource to specify values for the parameters listed in Table 4-1. For more information about searching for IT resources and updating their parameters, see Managing IT Resources in Oracle Fusion Middleware Administering Oracle Identity Governance.
Table 4-1 Parameters of the Active Directory IT Resource for the Target System

| Parameter | Description |
|---|---|
| ADLDSPort | Enter the number of the port on which Microsoft AD LDS is listening. Note: Do not enter a value for this parameter if you are using Microsoft Active Directory as the target system. |
| BDCHostNames | Enter the host names of the backup domain controllers to which Oracle Identity Governance must switch if the primary domain controller becomes unavailable. Note: Separate multiple backup domain controllers with a semicolon (;). |
| Configuration Lookup | Name of the lookup definition that stores configuration information used during reconciliation and provisioning. If you have configured your target system as a target resource, enter Lookup.Configuration.ActiveDirectory. If you have configured it as a trusted source, enter Lookup.Configuration.ActiveDirectory.Trusted. |
| Connector Server Name | Name of the IT resource of type "Connector Server". Note: Enter a value for this parameter only if you have deployed the Active Directory User Management connector in the Connector Server. The Connector Server IT resource created with the application is named Active Directory Connector Server (see Section 4.3). |
| Container | Enter the distinguished name (DN) of the user container into which users are provisioned and from which they are reconciled into Oracle Identity Governance. |
| DirectoryAdminName | Enter the user name of the account that you created by performing the procedure described in Creating a Target System User Account for Connector Operations, in the format required for the target system. Note: If you are using AD LDS as the target system and the AD LDS host belongs to a workgroup, the user name format differs from the one used for a domain account; enter the user name of the account created in that procedure accordingly. |
| DirectoryAdminPassword | Enter the password of the user account that you created by performing the procedure described in Creating a Target System User Account for Connector Operations. |
| DomainName | Enter the DNS name of the Microsoft Active Directory domain that the connector manages. Note: This parameter is mandatory if you are using Microsoft Active Directory as the target system. |
| isADLDS | Enter true if the target system is Microsoft AD LDS; enter false if it is Microsoft Active Directory. |
| LDAPHostName | Enter the host name, IP address, or fully qualified domain name of the Windows computer on which Microsoft Active Directory is installed (the target system host computer). Note: If you specify neither this parameter nor BDCHostNames, a serverless bind is used: the connector lets ADSI locate a domain controller in the domain and then creates the directory entry, so interactions with the target system are not tied to a particular domain controller. To determine the host name, on the computer hosting the target system, right-click My Computer, select Properties, and read the Full computer name field on the Computer Name tab of the System Properties dialog box. |
| SyncDomainController | Enter the name of the domain controller from which user accounts must be reconciled. Note: This value is used only when the SearchChildDomains entry in the Configuration lookup is set to no. |
| SyncGlobalCatalogServer | Enter the host on which the global catalog server is located. Note: This value is used only when the SearchChildDomains lookup entry is set to yes; in that case it is strongly recommended that you provide a value for this parameter. |
| UseSSL | Enter true to connect to the target system over SSL (LDAPS); enter false to use an unencrypted LDAP connection. Note: If you are using Microsoft AD LDS, SSL is required for all connector operations to work as expected (see Section 4.9). |
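The rules in Table 4-1 interact (AD LDS needs a port and SSL, a plain AD target needs DomainName and no ADLDSPort, child-domain searches need a global catalog), and a wrong combination is usually found only when the first provisioning task fails. The following PowerShell is an added example, not part of the Oracle connector documentation: it checks a parameter set against those rules before you save it in Identity System Administration, and optionally confirms that every named host answers on the port the connector will use. Parameter names are those of Table 4-1; the host names, DN and lookup value in the usage block are constructed samples.

```powershell
# Added example (not Oracle's code): pre-flight check of Active Directory IT resource parameters.
function Test-LdapPort {
    # TCP-level reachability check with a timeout; no LDAP bind is attempted.
    param([string] $HostName, [int] $Port, [int] $TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-ADITResourceParameters {
    param(
        [Parameter(Mandatory)] [hashtable] $Params,
        # Value of the SearchChildDomains entry in the Configuration lookup
        [ValidateSet('yes', 'no')] [string] $SearchChildDomains = 'no',
        [switch] $CheckConnectivity
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $isAdLds = ($Params['isADLDS'] -eq 'true')
    $useSsl  = ($Params['UseSSL'] -eq 'true')

    if ($isAdLds) {
        if (-not $Params['ADLDSPort']) { $findings.Add('ADLDSPort is required when isADLDS is true.') }
        if (-not $useSsl) { $findings.Add('AD LDS requires UseSSL=true for all connector operations (Section 4.9).') }
    } else {
        if ($Params['ADLDSPort']) { $findings.Add('ADLDSPort must be empty when the target is Microsoft Active Directory.') }
        if (-not $Params['DomainName']) { $findings.Add('DomainName is mandatory for Microsoft Active Directory.') }
    }
    if (-not $Params['LDAPHostName'] -and -not $Params['BDCHostNames']) {
        $findings.Add('LDAPHostName and BDCHostNames are both empty: a serverless bind will let ADSI pick any DC.')
    }
    if ($SearchChildDomains -eq 'yes' -and -not $Params['SyncGlobalCatalogServer']) {
        $findings.Add('SearchChildDomains=yes but SyncGlobalCatalogServer is empty (strongly recommended).')
    }
    if ($SearchChildDomains -eq 'no' -and -not $Params['SyncDomainController']) {
        $findings.Add('SearchChildDomains=no: set SyncDomainController to the DC to reconcile from.')
    }
    if (-not $useSsl) {
        $findings.Add('UseSSL=false: the DirectoryAdminName bind and all attribute data travel in clear text.')
    }

    if ($CheckConnectivity) {
        # Port the connector will use: ADLDSPort for AD LDS, 389/636 for Active Directory.
        $port = if ($useSsl) { 636 } else { 389 }
        if ($isAdLds) { $port = 0; [void] [int]::TryParse([string] $Params['ADLDSPort'], [ref] $port) }
        $hosts = @([string] $Params['LDAPHostName']) + @([string] $Params['BDCHostNames'] -split ';')
        foreach ($h in ($hosts | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            if ($port -gt 0 -and -not (Test-LdapPort -HostName $h -Port $port)) {
                $findings.Add("Host $h does not answer on TCP port $port.")
            }
        }
        if ($Params['SyncGlobalCatalogServer']) {
            # The global catalog listens on 3268 (LDAP) / 3269 (LDAPS), not on 389/636.
            $gcPort = if ($useSsl) { 3269 } else { 3268 }
            if (-not (Test-LdapPort -HostName $Params['SyncGlobalCatalogServer'] -Port $gcPort)) {
                $findings.Add("Global catalog $($Params['SyncGlobalCatalogServer']) does not answer on TCP port $gcPort.")
            }
        }
    }
    return $findings
}

# Constructed sample: a Microsoft Active Directory target with two backup DCs and no global catalog.
$itResource = @{
    isADLDS                 = 'false'
    ADLDSPort               = ''
    LDAPHostName            = 'dc01.example.com'
    BDCHostNames            = 'dc02.example.com;dc03.example.com'
    DomainName              = 'example.com'
    SyncDomainController    = 'dc01.example.com'
    SyncGlobalCatalogServer = ''
    UseSSL                  = 'false'
    Container               = 'ou=Users,dc=example,dc=com'
}
Test-ADITResourceParameters -Params $itResource -SearchChildDomains 'yes' -CheckConnectivity |
    ForEach-Object { Write-Warning $_ }
```

With the sample values the check warns about the missing global catalog (because SearchChildDomains is yes) and about the clear-text connection; run it from the host where the Connector Server runs, since that is the host whose name resolution and firewall path matter.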
4.3 Configuring the IT Resource for the Connector Server
If you have deployed the connector in the Connector Server, then you must configure values for the parameters of the Connector Server IT resource.
After you create the application for your target system, the connector creates a default IT resource for the Connector Server. The name of this default IT resource is Active Directory Connector Server.
In Oracle Identity System Administration, search for and edit the Active Directory Connector Server IT resource to specify values for the parameters listed in Table 4-2. For more information about searching for IT resources and updating their parameters, see Managing IT Resources in Oracle Fusion Middleware Administering Oracle Identity Governance.
Table 4-2 Parameters of the Active Directory Connector Server IT Resource

| Parameter | Description |
|---|---|
| Host | Enter the host name or IP address of the computer hosting the Connector Server. |
| Key | Enter the key for the Connector Server. This is the shared secret that was set on the Connector Server host with the ConnectorServer.exe /setKey command; Oracle Identity Governance must present the same value to connect. |
| Port | Enter the number of the port on which the Connector Server is listening. |
| Timeout | Enter an integer value that specifies the number of milliseconds after which the connection between the Connector Server and Oracle Identity Governance times out. A value of 0 means that the connection never times out. |
| UseSSL | Enter true to use SSL for communication with the Connector Server; otherwise enter false. Note: It is recommended that you configure SSL to secure communication with the Connector Server, because the key and all provisioning data (including passwords) otherwise cross the network in clear text. To configure SSL between Oracle Identity Governance and the Connector Server, see Configuring SSL Between Oracle Identity Governance and Connector Server. |
4.4 Harvesting Entitlements and Sync Catalog
You can populate the Entitlement schema from the child process form table, and harvest roles, application instances, and entitlements into the catalog. You can also load catalog metadata.
To harvest entitlements and sync the catalog:
- Run the scheduled jobs for lookup field synchronization listed in Scheduled Jobs for Lookup Field Synchronization.
- Run the Entitlement List scheduled job to populate the Entitlement Assignment schema from the child process form table.
- Run the Catalog Synchronization Job scheduled job.
See Also:
Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Governance for a description of the Entitlement List and Catalog Synchronization Job scheduled jobs
4.5 Enabling Logging for Microsoft Active Directory User Management Connector
The Active Directory User Management connector uses the built-in logging mechanism of the .NET framework. Logging for the Active Directory User Management connector is not integrated with Oracle Identity Governance. The log level is set in the .NET Connector Server configuration file (ConnectorServer.exe.config).
To enable logging for the Active Directory User Management connector, perform the following procedure:
4.5.1 Configuring Log File Rotation
Information about events that occur during reconciliation and provisioning operations is written to a log file. As you use the connector over time, the amount of information written to the log file grows, and without rotation the file becomes very large.
To avoid this, perform the procedure described in this section to configure rotation of the log file.
To configure rotation of a log file on a daily basis:
See Also:
The following URL for more information about configuring log file rotation:
http://msdn.microsoft.com/en-us/library/microsoft.visualbasic.logging.filelogtracelistener.aspx
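The rotation procedure is driven entirely by the listener configuration in ConnectorServer.exe.config. The following PowerShell is an added example, not part of the Oracle connector documentation: it adds a FileLogTraceListener with a daily creation schedule and a size cap, and sets the trace level, in an idempotent way. Two things are assumptions to verify against your installation: that the trace switch the .NET Connector Server reads is named ConnectorServer, and that the Microsoft.VisualBasic assembly on the host is version 8.0.0.0 (check the `type` attribute against the assembly in the GAC). The paths in the usage line are constructed.

```powershell
# Added example (not Oracle's code): configure daily log rotation for the .NET Connector Server.
function Set-ConnectorServerFileLogging {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,    # path to ConnectorServer.exe.config
        [Parameter(Mandatory)] [string] $LogDirectory,
        [ValidateSet('Off', 'Error', 'Warning', 'Info', 'Verbose')] [string] $Level = 'Info'
    )
    # TraceSwitch levels: 0=Off 1=Error 2=Warning 3=Info 4=Verbose
    $levelValue = @{ Off = 0; Error = 1; Warning = 2; Info = 3; Verbose = 4 }[$Level]

    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force   # keep a rollback copy
    [xml] $cfg = Get-Content -Path $ConfigPath -Raw

    $diag = $cfg.configuration.SelectSingleNode('system.diagnostics')
    if (-not $diag) { $diag = $cfg.configuration.AppendChild($cfg.CreateElement('system.diagnostics')) }

    # Log level via a trace switch. ASSUMPTION: the Connector Server reads a switch named "ConnectorServer".
    $switches = $diag.SelectSingleNode('switches')
    if (-not $switches) { $switches = $diag.AppendChild($cfg.CreateElement('switches')) }
    $sw = $switches.SelectSingleNode("add[@name='ConnectorServer']")
    if (-not $sw) { $sw = $switches.AppendChild($cfg.CreateElement('add')); $sw.SetAttribute('name', 'ConnectorServer') }
    $sw.SetAttribute('value', [string] $levelValue)

    $trace = $diag.SelectSingleNode('trace')
    if (-not $trace) { $trace = $diag.AppendChild($cfg.CreateElement('trace')) }
    $trace.SetAttribute('autoflush', 'true')
    $listeners = $trace.SelectSingleNode('listeners')
    if (-not $listeners) { $listeners = $trace.AppendChild($cfg.CreateElement('listeners')) }

    # Remove a previous listener of the same name so re-running the script does not duplicate it.
    $old = $listeners.SelectSingleNode("add[@name='DailyFileLog']")
    if ($old) { [void] $listeners.RemoveChild($old) }

    $add = $listeners.AppendChild($cfg.CreateElement('add'))
    $add.SetAttribute('name', 'DailyFileLog')
    # ASSUMPTION: Microsoft.VisualBasic 8.0.0.0 is the version installed on the host.
    $add.SetAttribute('type', 'Microsoft.VisualBasic.Logging.FileLogTraceListener, Microsoft.VisualBasic, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a')
    $add.SetAttribute('initializeData', 'DailyFileLog')
    $add.SetAttribute('traceOutputOptions', 'DateTime')
    # FileLogTraceListener properties, settable as attributes (see the MSDN page referenced above)
    $add.SetAttribute('BaseFileName', 'ConnectorServer')
    $add.SetAttribute('Location', 'Custom')
    $add.SetAttribute('CustomLocation', $LogDirectory)
    $add.SetAttribute('LogFileCreationSchedule', 'Daily')        # a new file each day
    $add.SetAttribute('MaxFileSize', '52428800')                 # and at most 50 MB per file
    $add.SetAttribute('DiskSpaceExhaustedBehavior', 'DiscardMessages')

    # The directory must exist. Restrict it to administrators and the Connector Server service
    # account: at Verbose level the log carries attribute values from provisioning requests.
    if (-not (Test-Path -Path $LogDirectory)) { [void] (New-Item -ItemType Directory -Path $LogDirectory) }
    $cfg.Save($ConfigPath)
}

Set-ConnectorServerFileLogging -ConfigPath 'C:\ConnectorServer\ConnectorServer.exe.config' `
                               -LogDirectory 'C:\ConnectorServer\logs' -Level 'Info'
# Restart the Connector Server Windows service afterwards so that it rereads the configuration.
```

Keep the level at Info in production and raise it to Verbose only while diagnosing a problem: the verbose trace of a provisioning operation includes the attribute payload, and the rotated files persist on disk until you delete them.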
4.6 Localizing Field Labels in UI Forms
You can localize UI form field labels by using the resource bundle for the language you want to use. The resource bundles are available in the connector installation package.
To localize field labels that you add to UI forms:
1. Log in to Oracle Enterprise Manager.
2. In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
3. In the right pane, from the Application Deployment list, select MDS Configuration.
4. On the MDS Configuration page, click Export and save the archive (oracle.iam.console.identity.sysadmin.ear_V2.0_metadata.zip) to the local computer.
5. Extract the contents of the archive, and open the following file in a text editor:
SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf
Note:
The BizEditorBundle.xlf file is present only after you have created the application for your target system or performed a customization such as creating a UDF.
6. Edit the BizEditorBundle.xlf file as follows:
a. Search for the following text:
<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
b. Replace it with the following text:
<file source-language="en" target-language="LANG_CODE" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
In this text, replace LANG_CODE with the code of the language to which you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:
<file source-language="en" target-language="ja" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
c. Search for the application instance code. This procedure shows a sample edit for the Microsoft Active Directory application instance. The original code is:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.<Field_Name>__c_description']}">
  <source><Field_Label></source>
  <target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.<UI_Form_Name>EO.<Field_Name>__c_LABEL">
  <source><Field_Label></source>
  <target/>
</trans-unit>
The sample edit of the code is as follows:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ADUSER_FULLNAME__c_description']}">
  <source>Full Name</source>
  <target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_FULLNAME__c_LABEL">
  <source>Full Name</source>
  <target/>
</trans-unit>
d. Open the resource file from the connector package, for example ActiveDirectoryIdC_ja.properties, and copy the value of the attribute from the file, for example global.udf.UD_ADUSER_FULLNAME=\u6C0F\u540D.
e. Replace the original code shown in Step 6.c with the following, where <Localized_Label> is the value of global.udf.UD_<Field_Name> that you copied in Step 6.d:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_<Field_Name>__c_description']}">
  <source><Field_Label></source>
  <target><Localized_Label></target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.<UI_Form_Name>.entity.<UI_Form_Name>EO.UD_<Field_Name>__c_LABEL">
  <source><Field_Label></source>
  <target><Localized_Label></target>
</trans-unit>
As an example, the code for Full Name is as follows:
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ADUSER_FULLNAME__c_description']}">
  <source>Full Name</source>
  <target>\u6C0F\u540D</target>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_FULLNAME__c_LABEL">
  <source>Full Name</source>
  <target>\u6C0F\u540D</target>
</trans-unit>
f. Repeat Steps 6.c through 6.e for all attributes of the process form. (Steps 6.a and 6.b apply to the file header and are performed once.)
7. Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.
Sample file name: BizEditorBundle_ja.xlf.
8. Repackage the ZIP file and import it into MDS.
See Also:
Deploying and Undeploying Customizations in Developing and Customizing Applications for Oracle Identity Governance, for more information about exporting and importing metadata files
9. Log out of and log in to Oracle Identity Governance.
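Step 6 is repeated once per process form attribute, and a hand edit of a large bundle is where labels get attached to the wrong trans-unit. The following PowerShell is an added example, not part of the Oracle connector documentation: it performs Steps 6.a through 6.f mechanically, using the trans-unit id pattern and the global.udf.UD_<Field_Name> property naming shown above, and reports which attributes had no entry in the resource bundle. The file paths and language code in the usage line are constructed samples.

```powershell
# Added example (not Oracle's code): fill BizEditorBundle.xlf targets from a connector resource bundle.
function Read-JavaProperties {
    # Minimal .properties reader: key=value lines, '#' or '!' comments; \uXXXX escapes are kept as written.
    param([string] $Path)
    $map = @{}
    foreach ($line in Get-Content -Path $Path -Encoding UTF8) {
        $t = $line.Trim()
        if (-not $t -or $t.StartsWith('#') -or $t.StartsWith('!')) { continue }
        $i = $t.IndexOf('=')
        if ($i -lt 1) { continue }
        $map[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim()
    }
    return $map
}

function Update-BizEditorBundle {
    param(
        [Parameter(Mandatory)] [string] $XlfPath,         # extracted BizEditorBundle.xlf
        [Parameter(Mandatory)] [string] $PropertiesPath,  # e.g. ActiveDirectoryIdC_ja.properties
        [Parameter(Mandatory)] [string] $LangCode,        # e.g. ja
        [Parameter(Mandatory)] [string] $OutputPath       # BizEditorBundle_<LangCode>.xlf
    )
    $labels = Read-JavaProperties -Path $PropertiesPath
    [xml] $xlf = Get-Content -Path $XlfPath -Raw -Encoding UTF8

    # Steps 6.a/6.b: declare the target language on the <file> element.
    foreach ($f in $xlf.GetElementsByTagName('file')) { $f.SetAttribute('target-language', $LangCode) }

    # Steps 6.c to 6.f: for every form-attribute trans-unit (…UD_<Field>__c_description / …__c_LABEL),
    # copy the bundle value of global.udf.UD_<Field> into <target>.
    $idPattern = '(?<field>UD_[A-Z0-9_]+)__c_(description|LABEL)'
    $filled = 0
    $missing = @()
    foreach ($tu in $xlf.GetElementsByTagName('trans-unit')) {
        $m = [regex]::Match($tu.GetAttribute('id'), $idPattern)
        if (-not $m.Success) { continue }
        $key = 'global.udf.' + $m.Groups['field'].Value
        if (-not $labels.ContainsKey($key)) { $missing += $key; continue }
        $target = $tu.ChildNodes | Where-Object { $_.LocalName -eq 'target' } | Select-Object -First 1
        if (-not $target) { $target = $tu.AppendChild($xlf.CreateElement('target', $tu.NamespaceURI)) }
        $target.InnerText = $labels[$key]    # copied as written in the bundle, e.g. \u6C0F\u540D
        $filled++
    }
    $xlf.Save($OutputPath)
    [pscustomobject] @{ Filled = $filled; MissingKeys = ($missing | Sort-Object -Unique) }
}

Update-BizEditorBundle -XlfPath 'C:\mds\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf' `
    -PropertiesPath 'C:\connector\resources\ActiveDirectoryIdC_ja.properties' -LangCode 'ja' `
    -OutputPath 'C:\mds\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_ja.xlf'
```

The script copies the bundle values verbatim, as the procedure above does. If the labels then render in the UI as literal \uXXXX sequences, decode them before writing by replacing `$labels[$key]` with `[regex]::Unescape($labels[$key])`. Review the MissingKeys list before Step 8: each entry is an attribute that would otherwise appear untranslated.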
4.7 Configuring the Connector for Provisioning Organizations
Perform the procedure described in this section if you intend to provision organizations to a root DN.
Before you provision organizations to a root DN, you must add the DN to the Lookup.ActiveDirectory.OrganizationalUnits lookup definition as follows:
4.8 Enabling and Disabling the Passwords Must Meet Complexity Requirements Policy setting
In Microsoft Active Directory, the "Passwords must meet complexity requirements" policy setting controls whether password policies are enforced: when it is enabled, every password set in the domain, including passwords that the connector provisions, must satisfy the Windows complexity rules.
The procedure that you must perform depends on whether you want to achieve either or both of the following objectives:
- Enable password policies
- Configure SSL between Oracle Identity Governance and the target system
Note:
The procedure to configure SSL is discussed later in this guide. If you configure SSL and you want to enable both the default Microsoft Windows password policy and a custom password policy, then you must enable the "Passwords must meet complexity requirements" policy setting.
Note:
If you install Microsoft ADAM on a domain controller, it acquires all the policies of the Microsoft Active Directory installed on that domain controller. If you install Microsoft ADAM in a workgroup, the local system policies apply.
To enable or disable the "Passwords must meet complexity requirements" policy setting, open the password policy (for a domain, in the Default Domain Policy under Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy), and select Enabled to enforce password complexity or Disabled if you do not want to enforce it.
For detailed information on enabling and disabling the "Passwords must meet complexity requirements" policy, see the Microsoft documentation for Active Directory.
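When the setting is enabled, a provisioning task fails at the domain controller if the password Oracle Identity Governance generates does not satisfy the rule, and the failure is reported back only as a generic constraint violation. The following PowerShell is an added example, not part of the Oracle connector documentation: it reports whether complexity is enforced by the default domain policy and by any fine-grained policy, and pre-checks a candidate password against the documented Windows complexity rule (at least six characters, characters from at least three of the five categories, and no occurrence of the sAMAccountName or of any display-name token longer than two characters). The first function needs the ActiveDirectory module from RSAT; the user data in the usage lines is constructed.

```powershell
# Added example (not Oracle's code): report complexity enforcement and pre-validate a password.
function Get-ComplexityPolicyReport {
    Import-Module ActiveDirectory -ErrorAction Stop
    $default = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject] @{ Scope = 'Default Domain Policy'
                        ComplexityEnabled = $default.ComplexityEnabled
                        MinPasswordLength = $default.MinPasswordLength }
    # Fine-grained password policies (PSOs) override the default for the users and groups they apply to.
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        [pscustomobject] @{ Scope = "PSO $($pso.Name) (precedence $($pso.Precedence))"
                            ComplexityEnabled = $pso.ComplexityEnabled
                            MinPasswordLength = $pso.MinPasswordLength }
    }
}

function Test-WindowsPasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $SamAccountName = '',
        [string] $DisplayName = ''
    )
    $reasons = New-Object System.Collections.Generic.List[string]
    if ($Password.Length -lt 6) { $reasons.Add('shorter than 6 characters') }

    if ($SamAccountName -and $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons.Add('contains the sAMAccountName')
    }
    # Windows splits the display name on commas, periods, dashes, underscores, spaces, '#' and tabs,
    # and rejects tokens longer than two characters that appear in the password (case-insensitively).
    foreach ($tok in ($DisplayName -split '[,.\-_ #\t]+')) {
        if ($tok.Length -gt 2 -and $Password.IndexOf($tok, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons.Add("contains display-name token '$tok'")
        }
    }

    # Five categories: uppercase, lowercase, decimal digit, non-alphanumeric, other Unicode letter.
    $categories = 0
    if ($Password -cmatch '[A-Z]') { $categories++ }
    if ($Password -cmatch '[a-z]') { $categories++ }
    if ($Password -match '[0-9]') { $categories++ }
    if ($Password -match '[^\p{L}\p{Nd}]') { $categories++ }
    if ($Password -match '[\p{L}-[A-Za-z]]') { $categories++ }
    if ($categories -lt 3) { $reasons.Add("only $categories of the 5 character categories present") }

    [pscustomobject] @{ Compliant = ($reasons.Count -eq 0); Reasons = $reasons.ToArray() }
}

# Constructed samples: a generated password that embeds the user's surname, and one that does not.
Test-WindowsPasswordComplexity -Password 'Tanaka2024!' -SamAccountName 'htanaka' -DisplayName 'Hiroshi Tanaka'
Test-WindowsPasswordComplexity -Password 'Xk7#pQ2vLm9z' -SamAccountName 'htanaka' -DisplayName 'Hiroshi Tanaka'
```

The first sample is rejected because "Tanaka" is a display-name token, even though it mixes three character categories; that is the case a length-and-categories-only generator misses. A PSO with ComplexityEnabled true still applies when the default domain policy has it disabled, so check both scopes for the container the connector provisions into.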
4.9 Configuring SSL for Microsoft Active Directory and Microsoft AD LDS
This section discusses the following topics to configure SSL communication between Oracle Identity Governance and the target system:
Note:
- In this section, Microsoft ADAM and Microsoft AD LDS are both referred to as Microsoft AD LDS.
- If you are using Microsoft AD LDS, then you must configure SSL for all connector operations to work as expected.
- For detailed instructions for the procedures, see the Microsoft documentation for Active Directory and AD LDS.
4.9.1 Prerequisites
Public key certificates establish the identity of the parties to an SSL/TLS connection. For LDAPS, the domain controller or AD LDS instance presents a server certificate that the Connector Server validates before it sends the DirectoryAdminName credentials. Active Directory Certificate Services (AD CS) creates and manages such certificates, giving an organization a reliable and secure way to issue, manage, and distribute them.
Note:
- Before you install Active Directory Certificate Services (AD CS), ensure that Internet Information Services (IIS) is installed on the computer hosting the target system.
- For detailed steps to install Certificate Services on the corresponding Windows Server version, refer to the Microsoft documentation.
The following Windows Server features (as listed in Server Manager) are also required:
- Remote Server Administration Tools
  - Role Administration Tools
    - Active Directory Certificate Services Tools
    - AD DS and AD LDS Tools
4.9.2 Configuring SSL Between Connector Server and Microsoft Active Directory
You can configure SSL between the Connector Server and Microsoft Active Directory by ensuring that the computer hosting Microsoft Active Directory has LDAP over SSL (LDAPS) enabled.
Note:
To configure SSL, the computer hosting the target system and the computer on which the Connector Server is running must be in the same domain.
To enable LDAPS, request a new certificate by using the Automatic Certificate Request Setup Wizard. For the domain controller to offer LDAPS, the certificate it obtains must carry the Server Authentication enhanced key usage and a subject or subject alternative name that matches the fully qualified name you enter in LDAPHostName (and BDCHostNames); a name mismatch, or an issuing CA that the Connector Server host does not trust, causes the SSL bind to fail.
4.9.3 Configuring SSL Between Connector Server and Microsoft AD LDS
To configure SSL between the Connector Server and Microsoft AD LDS, ensure that the AD LDS instance is SSL-enabled:
1. Request a certificate, whether Microsoft AD LDS is deployed within the connector domain or used as a standalone deployment.
Note:
- This procedure can be performed either on the computer on which the Connector Server is running or on the computer hosting the target system.
- Before you generate the certificate, ensure that Internet Information Services (IIS) is installed on the target system host computer.
2. If Microsoft AD LDS is deployed within the connector domain, issue the certificate that you requested in Step 1 from the Microsoft Active Directory Certificate Services window.
3. In the Microsoft Management Console, add the certificate to the personal store of the Microsoft AD LDS service.
4. Assign permissions on the MachineKeys folder that contains the certificate's private key. Add the following groups and users and grant them Full Control:
- Administrators
- Everyone
- NETWORK SERVICE
- The account that was used to install Microsoft ADAM
- SYSTEM
The folder is:
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
(On Windows Vista, Windows Server 2008, and later, the same folder is C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.) Assign the same groups and users to the certificate.
Granting Everyone Full Control on MachineKeys is broader than the AD LDS instance needs: it only has to read its own key file. Where your security policy allows, grant read access on that key file to the AD LDS service account (NETWORK SERVICE by default) rather than Full Control for Everyone on the whole folder.
5. Restart the Microsoft AD LDS instance for the changes to take effect.
6. Test the certificate from the AD LDS Tools Command Prompt window, for example by connecting with ldp.exe to the instance's SSL port with the SSL option selected. If SSL is configured correctly, status messages about the connection are displayed in the ldp window.
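The manual ldp.exe test in the last step tells you that a connection opened; it does not tell you why the Connector Server might still refuse the certificate. The following PowerShell is an added example, not part of the Oracle connector documentation, and serves both this procedure and the domain controller case in Section 4.9.2: it completes an SSL handshake with the LDAPS port, records the chain and name validation result instead of aborting on it, and reports the certificate properties that matter for the bind (subject and subject alternative names, expiry, Server Authentication EKU, negotiated protocol). Run it on the Connector Server host, because that host's trust store is the one that counts. The host name and port in the usage line are constructed samples.

```powershell
# Added example (not Oracle's code): LDAPS handshake and certificate report, run from the Connector Server host.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # must match the name used in LDAPHostName / BDCHostNames
        [int] $Port = 636,                           # 636 for a DC; the AD LDS SSL port for AD LDS
        [int] $TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $state  = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    $ssl    = $null
    try {
        $handle = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect to ${HostName}:$Port timed out" }
        $client.EndConnect($handle)

        # Accept the certificate for this diagnostic run but remember the validation result,
        # so the report can say why a real client (the Connector Server) would reject it.
        $validator = {
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $state.Errors = $sslPolicyErrors
            return $true
        }.GetNewClosure()
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] $validator
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
        $serverAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }

        [pscustomobject] @{
            Endpoint          = "${HostName}:$Port"
            Protocol          = $ssl.SslProtocol
            Subject           = $cert.Subject
            Issuer            = $cert.Issuer
            SubjectAltName    = $san
            NotAfter          = $cert.NotAfter
            Expired           = ($cert.NotAfter -lt (Get-Date))
            ServerAuthEKU     = [bool] $serverAuth
            ChainAndNameValid = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
            PolicyErrors      = $state.Errors
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

Test-LdapsEndpoint -HostName 'dc01.example.com' -Port 636 | Format-List
```

A PolicyErrors value of RemoteCertificateNameMismatch means the name you use in the IT resource is not in the certificate's subject or SAN; RemoteCertificateChainErrors means the issuing CA is not trusted on this host, which is what importing the exported .CER in Section 4.9.4 fixes. Repeat the check for each host in BDCHostNames, since a failover to a backup DC with a bad certificate fails only at the moment you need it.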
4.9.4 Configuring SSL Between Oracle Identity Governance and Connector Server
The following sections provide information about configuring SSL between Oracle Identity Governance and Connector Server:
4.9.4.1 Exporting the Certificate
Note:
Perform this procedure on the computer hosting the connector server.
To export the certificate that was requested and issued, open the Certificates snap-in in the Microsoft Management Console, navigate to the certificate, and start the Certificate Export Wizard. Export the certificate in the Base-64 encoded X.509 (.CER) file format, and do not export the private key: Oracle Identity Governance needs only the public certificate to trust the Connector Server.
4.9.4.2 Configuring the Connector Server for SSL
Note:
- Perform this procedure on the computer hosting the connector server.
- Connector Server 12c (12.2.1.3.0) can be used with older versions of connectors.
See Configuring the .NET Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for detailed instructions to configure the Connector Server for SSL.
4.10 Setting Up the Lookup Definition for the Ignore Event API
This section discusses the following topics:
4.10.1 Understanding the Ignore Event Disabled Entry
You can add the 'Ignore Event Disabled' entry to the Configuration lookup definition (Lookup.Configuration.ActiveDirectory.Trusted and Lookup.Configuration.ActiveDirectory for trusted source and target resource modes, respectively) to specify whether reconciliation events must be created for target system records that already exist in Oracle Identity Manager.
If you set the value of the Ignore Event Disabled entry to true, then reconciliation events are created for all records fetched from the target system, whether or not they already exist in Oracle Identity Manager. If you set the value of this entry to false, then no reconciliation events are created for target system records that are already present in Oracle Identity Manager.
4.10.2 Adding the Ignore Event Disabled Entry
You add the 'Ignore Event Disabled' entry to specify whether reconciliation events must be created for target system records that already exist in Oracle Identity Manager. To do so:
Note:
If you are adding the Ignore Event Disabled entry in the AOB installation setup, then open the Advanced Settings section and perform Step 4 onwards only.