Deploying the Microsoft Active Directory User Management Connector

The procedure to deploy the connector is divided across three stages, namely preinstallation, installation, and postinstallation. This chapter also covers upgrading the Microsoft Active Directory User Management Connector and cloning the Microsoft Active Directory User Management Connector.

The following topics discuss these stages:

Note:

Some of the procedures described in this chapter are meant to be performed on the target system. The minimum permissions required to perform these procedures depend on the target system that you are using:

  • If the target system is Microsoft Active Directory, then the permissions required are those assigned to members of the Domain Admins group.

  • If the target system is Microsoft AD LDS, then the permissions required are those assigned to members of the Administrators group.

Preinstallation

Preinstallation for the Microsoft Active Directory User Management connector involves registering a client application for the connector with the target system. It also involves generating the Client ID and Client Secret values for authenticating to the target system and setting the permissions for the client application.

The preinstallation stage for deploying the AD User Management connector involves performing the following procedures:

Creating a Target System User Account for Connector Operations

Oracle Identity Manager requires a target system user account to access the target system during reconciliation and provisioning operations. You provide the credentials of this user account while performing the procedure described in Configuring the IT Resource for Microsoft AD and AD LDS.

Depending on the target system that you are using, perform the procedure described in one of the following sections:

Creating a User Account for Connector Operations in Microsoft Active Directory

You can use a Microsoft Windows 2008 Server (Domain Controller) administrator account for connector operations. Alternatively, you can create a user account and assign the minimum required rights to the user account.

To create the Microsoft Active Directory user account for connector operations:

See Also:

Microsoft Active Directory documentation for detailed information about performing this procedure

  1. Create a group (for example, OIMGroup) on the target system. While creating the group, select Security Group as the group type and Global or Universal as the group scope.

    Note:

    In a parent-child domain setup, create the group in the parent domain.

  2. Make this group a member of the Account Operators group.
  3. Assign all read permissions to this group. If there are multiple child domains in the forest, then log in to each child domain and add this group to the Account Operators group of each child domain.

    Note:

    You assign read permissions on the Security tab of the Properties dialog box for the user account. This tab is displayed only in Advanced Features view. To switch to this view, select Advanced Features from the View menu on the Microsoft Active Directory console.

  4. Create a user (for example, OIMUser) on the target system. In a parent-child domain setup, create the user in the parent domain.
  5. Make the user a member of the group (for example, OIMGroup) created in Step 1.

Creating a User Account for Connector Operations in Microsoft AD LDS

You must create and use a user account that belongs to the Administrators group for performing connector operations.

To create the Microsoft AD LDS user account for connector operations:

See Also:

Microsoft AD LDS documentation for detailed information about these steps

  1. Create a user account in Microsoft AD LDS.
  2. Set a password for the user account.
  3. Enable the user account by setting the msDS-UserAccountDisabled field to false.
  4. Enter a value in the userPrincipalName field.
    The value that you provide must be in the user_name@domain_name format, for example, OIMuser@mydomain.com.
  5. Add the distinguished name of the user to the Administrators group.

    Note:

    To create the user account for connector operations in a standalone Microsoft AD LDS instance:

    1. Create a user account on the standalone computer.

    2. Add the newly created user to the AD LDS Administrators group (CN=Administrators,CN=Roles,DC=X).

Assigning Permissions to Perform Delete User Reconciliation Runs

In order to enable the user account that you created for performing connector operations to retrieve information about deleted user accounts during delete reconciliation runs, you must assign permissions to the deleted objects container (CN=DeletedObjects) in the target system.

Note:

In a forest environment, if you are performing reconciliation by using the Global Catalog Server, then perform the procedure described in this section on all child domains.

To do so:
  1. Log in to the target system as an administrator.
  2. In a terminal window, run the following command:
    dsacls DELETED_OBJ_DN /takeownership
    

    In this command, replace DELETED_OBJ_DN with the distinguished name of the deleted directory object.

    Sample value:

    dsacls "CN=Deleted Objects,DC=mydomain,dc=com" /takeownership
    
  3. In a terminal window, run the following command to grant a user or group permissions to perform successful runs of the delete user reconciliation scheduled job:
    dsacls DELETED_OBJ_DN /G USER_OR_GROUP:PERMISSION
    

    In this command, replace:

    • DELETED_OBJ_DN with the distinguished name of the deleted directory object.

    • USER_OR_GROUP with the name of the user or group to which you want to assign permissions.

    • PERMISSION with the permissions to grant.

    Sample value:

    dsacls "CN=Deleted Objects,DC=mydomain,dc=com" /G ROOT3\OIMUser:LCRP
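
The following script is an added example and is not part of the Oracle guide or the connector: it runs the two dsacls commands above against the Deleted Objects container of the current domain and then reads the ACL back so that the grant can be checked. It assumes an elevated PowerShell session on a domain controller under a Domain Admin account (the permissions named at the start of this chapter), that the account name MYDOMAIN\OIMUser is a placeholder to replace, and that dsacls lists the trustee by name in its ACL output.

```powershell
# Added example, not from the Oracle guide. Assumptions: elevated session on a
# domain controller as a Domain Admin; $Account is a placeholder; dsacls prints
# the trustee name in each ACL entry it lists.
param(
    # Placeholder for the account created for connector operations.
    [string]$Account = 'MYDOMAIN\OIMUser'
)

# Build the Deleted Objects DN from the domain's default naming context instead
# of hard-coding it (the guide's sample uses DC=mydomain,dc=com).
$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDn  = [string]$rootDse.defaultNamingContext
$deletedDn = "CN=Deleted Objects,$domainDn"

function Invoke-Dsacls {
    # Runs dsacls.exe with the given arguments and fails loudly on a non-zero exit code.
    param([string[]]$Arguments)
    $output = & dsacls.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls $($Arguments -join ' ') failed with exit code ${LASTEXITCODE}:`n$($output -join "`n")"
    }
    return $output
}

# Step 2 of the procedure: take ownership of the container.
Invoke-Dsacls -Arguments @($deletedDn, '/takeownership') | Out-Null

# Step 3 of the procedure: grant LC (List Contents) and RP (Read Property) only.
# That is what the delete reconciliation job needs; no write or delete right is given.
Invoke-Dsacls -Arguments @($deletedDn, '/G', "${Account}:LCRP") | Out-Null

# Verification: dsacls with only the DN prints the current ACL. Look for the account.
$acl     = Invoke-Dsacls -Arguments @($deletedDn)
$entries = $acl | Select-String -SimpleMatch $Account
if ($entries) {
    "OK: $Account is present in the ACL of $deletedDn"
    $entries | ForEach-Object { "  $($_.Line.Trim())" }
} else {
    Write-Warning "$Account was not found in the ACL of $deletedDn; re-check the grant"
}
```

In a forest where reconciliation uses the Global Catalog Server, run the script once per child domain, as the note above requires; the DN is derived from whichever domain the session is logged in to.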
    

Delegating Control for Organizational Units and Custom Object Classes

By default, user accounts that belong to the Account Operators group can manage only user and group objects. To manage organizational units or custom object classes, you must assign the necessary permissions to a user account. In other words, you must delegate complete control for an organizational unit or custom object class to a user or group object. In addition, you need these permissions to successfully perform provisioning of custom object classes.

You do this by using the Delegation of Control Wizard. Creating organizational units is one example of managing them.

See the Microsoft documentation for detailed instructions to delegate control for an organizational unit or custom object class to a user account.

About the Connector Server

Connector Server is one of the features provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.

You deploy the Active Directory User Management connector remotely in the connector server. A connector server is a Microsoft Windows application that enables remote execution of an Identity Connector.

Connector servers are available in two implementations:

  • As a .Net implementation that is used by Identity Connectors implemented in .Net

  • As a Java Connector Server implementation that is used by Java-based Identity Connectors

The Active Directory User Management connector is implemented in .Net, so you must deploy this connector to a .Net framework-based connector server.

For detailed instructions about installing, configuring, and upgrading the Microsoft .NET Connector Server, see Using the Microsoft .NET Framework Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

Managing Logging for Microsoft Active Directory User Management Connector

Logging for the Active Directory User Management connector is enabled and managed on the computer hosting the Connector Server. The following sections contain detailed information:

Enabling Logging for Microsoft Active Directory User Management Connector

The Active Directory User Management connector uses the built-in logging mechanism of the .NET framework. Logging for the Active Directory User Management connector is not integrated with Oracle Identity Manager. The log level is set in the .NET Connector Server configuration file (ConnectorServer.exe.config).

To enable logging for the Active Directory User Management connector, perform the following procedure:

  1. Go to the directory where the ConnectorServer.exe.config file is installed. The default directory is C:\Program Files\Identity Connectors\Connector Server.

    The ConnectorServer.exe.config file must be present in this directory.

  2. In the ConnectorServer.exe.config file, add the following lines to the system.diagnostics section (create the section if it does not exist):
    <system.diagnostics>
      <trace autoflush="true" indentsize="4">
        <listeners>
          <remove name="Default" />
          <add name="myListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="c:\connectorserver2.log" traceOutputOptions="DateTime">
            <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information" />
          </add>
        </listeners>
      </trace>
      <switches>
        <add name="ActiveDirectorySwitch" value="4" />
      </switches>
    </system.diagnostics>
    

    The value="4" sets the log level to Verbose. This value can be set as any one of the following log levels:

    • value="4" or value="Verbose"

      This value sets the log level to the "Verbose" level. It is the most granular level.

    • value="3" or value="Information"

      This value sets the log level to the "Information" level.

    • value="2" or value="Warning"

      This value sets the log level to the "Warning" level.

    • value="1" or value="Error"

      This value sets the log level to the "Error" level.

    • value="0"

      Logging is not configured when the value is set to "0".

    However, remember that the logging level has a direct effect on the performance of the .NET Connector Server.

  3. After you make the configuration change, stop and then restart the .NET Connector Server service. Alternatively, restart the .NET Connector Server by using the following command:
    ConnectorServer.exe /run

Configuring Log File Rotation

Information about events that occur during reconciliation and provisioning operations is stored in a log file. As you use the connector over a period of time, the amount of information written to the log file increases. If no rotation is performed, then the log file grows very large.

To avoid such a scenario, perform the procedure described in this section to configure rotation of the log file.

To configure rotation of a log file on a daily basis:

  1. Log in to the computer that is hosting the Connector Server.
  2. Stop the Connector Server.
  3. Back up the ConnectorServer.exe.config file. The default location of this file is C:\Program Files\Identity Connectors\Connector Server.
  4. In a text editor, open the ConnectorServer.exe.config file for editing.
  5. Search for the <listeners> and </listeners> elements and replace the text between these elements with the following:
    <remove name="Default" />
    <add name="FileLog" type="Microsoft.VisualBasic.Logging.FileLogTraceListener,Microsoft.VisualBasic,Version=8.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
    initializeData="FileLogWriter"
    traceOutputOptions="DateTime"
    BaseFileName="ConnectorServerDaily"
    Location="Custom"
    CustomLocation="C:\ConnectorServerLog\"
    LogFileCreationSchedule="Daily">
    <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information"/>
    </add>
    
  6. Save the file and close it.
  7. Start the Connector Server.
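
The following PowerShell script is an added example and is not part of the Oracle guide or the Connector Server: it applies both of the procedures above (the ActiveDirectorySwitch log level from Enabling Logging, and the daily-rotating FileLogTraceListener from this section) to ConnectorServer.exe.config through an XML parser rather than by hand editing, after backing the file up. It assumes the default installation directory, that the Connector Server runs as a Windows service whose name is passed in the ServiceName parameter (ConnectorServerService is an assumption; confirm it with Get-Service), and an elevated session.

```powershell
# Added example, not from the Oracle guide. Assumptions: default install path;
# the service name is an assumption (check Get-Service); elevated session.
param(
    # Accepts the numeric or named levels the guide lists for ActiveDirectorySwitch.
    [ValidateSet('0', '1', '2', '3', '4', 'Error', 'Warning', 'Information', 'Verbose')]
    [string]$Level = 'Information',
    [string]$ConfigPath = 'C:\Program Files\Identity Connectors\Connector Server\ConnectorServer.exe.config',
    [string]$LogDir = 'C:\ConnectorServerLog\',
    [string]$ServiceName = 'ConnectorServerService'   # assumption, verify with Get-Service
)

function Get-OrAddElement([System.Xml.XmlNode]$Parent, [string]$Name) {
    # Returns the child element $Name of $Parent, creating it when absent.
    $node = $Parent.SelectSingleNode($Name)
    if ($null -eq $node) {
        $node = $Parent.AppendChild($Parent.OwnerDocument.CreateElement($Name))
    }
    return $node
}

function Set-ConnectorServerLogging([string]$Path, [string]$Level, [string]$LogDir) {
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($Path)

    $diag  = Get-OrAddElement $doc.DocumentElement 'system.diagnostics'
    $trace = Get-OrAddElement $diag 'trace'
    $trace.SetAttribute('autoflush', 'true')
    $trace.SetAttribute('indentsize', '4')

    # Replace everything between <listeners> and </listeners>, as the rotation procedure says.
    $listeners = Get-OrAddElement $trace 'listeners'
    $listeners.RemoveAll()
    $remove = $listeners.AppendChild($doc.CreateElement('remove'))
    $remove.SetAttribute('name', 'Default')
    $add = $listeners.AppendChild($doc.CreateElement('add'))
    $add.SetAttribute('name', 'FileLog')
    $add.SetAttribute('type', 'Microsoft.VisualBasic.Logging.FileLogTraceListener,Microsoft.VisualBasic,Version=8.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a')
    $add.SetAttribute('initializeData', 'FileLogWriter')
    $add.SetAttribute('traceOutputOptions', 'DateTime')
    $add.SetAttribute('BaseFileName', 'ConnectorServerDaily')
    $add.SetAttribute('Location', 'Custom')
    $add.SetAttribute('CustomLocation', $LogDir)
    $add.SetAttribute('LogFileCreationSchedule', 'Daily')
    $filter = $add.AppendChild($doc.CreateElement('filter'))
    $filter.SetAttribute('type', 'System.Diagnostics.EventTypeFilter')
    $filter.SetAttribute('initializeData', 'Information')

    # Set (or create) the ActiveDirectorySwitch entry that controls the log level.
    $switches = Get-OrAddElement $diag 'switches'
    $sw = $switches.SelectSingleNode("add[@name='ActiveDirectorySwitch']")
    if ($null -eq $sw) {
        $sw = $switches.AppendChild($doc.CreateElement('add'))
        $sw.SetAttribute('name', 'ActiveDirectorySwitch')
    }
    $sw.SetAttribute('value', $Level)

    $doc.Save($Path)
}

# Follow the guide's order: stop, back up, edit, start.
Stop-Service -Name $ServiceName -ErrorAction Stop
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $ConfigPath -Destination $backup
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Set-ConnectorServerLogging -Path $ConfigPath -Level $Level -LogDir $LogDir
Start-Service -Name $ServiceName -ErrorAction Stop
"Log level set to $Level, daily rotation into $LogDir, backup saved as $backup"
```

The Verbose level records the most detail, so keep the directory named in CustomLocation readable only by administrators and the service account, and lower the level again once troubleshooting is finished; as the guide notes, the level also has a direct effect on Connector Server performance.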

See Also:

The following URL for more information about configuring log file rotation:

http://msdn.microsoft.com/en-us/library/microsoft.visualbasic.logging.filelogtracelistener.aspx

Installation

You must install the Active Directory User Management connector in Oracle Identity Manager and if required, place the connector code bundle in the Connector Server.

The following topics discuss installing the Active Directory User Management connector:

Installing Microsoft Active Directory User Management Connector in Oracle Identity Manager

Installation on Oracle Identity Manager consists of the following procedures:

Note:

For information about configuring the .NET Connector Server, see Configuring the .NET Connector Server.

Running the Connector Installer

Note:

In this guide, the term Connector Installer has been used to refer to the Connector Installer feature of the Administrative and User Console.

To run the Connector Installer:

  1. Copy the contents of the connector installation media directory into the following directory:

    OIM_HOME/server/ConnectorDefaultDirectory

  2. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 11.1.1.x:

      1. Log in to the Administrative and User Console.

      2. On the Welcome to Identity Manager Advanced Administration page, in the System Management region, click Manage Connector.

    • For Oracle Identity Manager release 11.1.2.x or later:

      1. Log in to Oracle Identity System Administration.

      2. In the left pane, under System Management, click Manage Connector.

  3. In the Manage Connector page, click Install.

  4. From the Connector List list, select ActiveDirectory RELEASE_NUMBER. This list displays the names and release numbers of connectors whose installation files you copied into the default connector installation directory in Step 1.

    If you have copied the installation files into a different directory, then:

    1. In the Alternative Directory field, enter the full path and name of that directory.

    2. To repopulate the list of connectors in the Connector List list, click Refresh.

    3. From the Connector List list, select ActiveDirectory RELEASE_NUMBER.

  5. Click Load.

  6. To start the installation process, click Continue.

    The following tasks are performed, in sequence:

    1. Configuration of connector libraries

    2. Import of the connector XML files (by using the Deployment Manager)

    3. Compilation of adapters

    On successful completion of a task, a check mark is displayed for the task. If a task fails, then an X mark and a message stating the reason for the failure are displayed. Depending on the reason for the failure, make the required correction and then perform one of the following steps:

    • Retry the installation by clicking Retry.

    • Cancel the installation and begin again from Step 1.

  7. If all three tasks of the connector installation process are successful, then a message indicating successful installation is displayed. In addition, a list of steps that you must perform after the installation is displayed. These steps are as follows:

    1. Ensuring that the prerequisites for using the connector are addressed

      Note:

      At this stage, run the Oracle Identity Manager PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. See Clearing Content Related to Connector Resource Bundles from the Server Cache for information about running the PurgeCache utility.

      There are no prerequisites for some predefined connectors.

    2. Configuring the IT resource for the connector

      The procedure to configure the IT resource is described later in this guide.

    3. Configuring the scheduled jobs

      The procedure to configure these scheduled jobs is described later in this guide.

When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Table 2–1.

Configuring the IT Resource for Microsoft AD and AD LDS

Note:

If you have configured your target system as a trusted source, then create an IT resource of type Active Directory, for example, Active Directory Trusted. The parameters of this IT resource are the same as those of the Active Directory IT resource described in this section. See Creating IT Resources in Administering Oracle Identity Manager for more information about creating an IT resource.

The IT resource for the target system is created during connector installation. This IT resource contains connection information about the target system. Oracle Identity Manager uses this information during reconciliation and provisioning.

You must specify values for the parameters of the Active Directory IT resource as follows:

  1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 11.1.1.x:

      Log in to the Administrative and User Console

    • For Oracle Identity Manager release 11.1.2.x or later:

      Log in to Oracle Identity System Administration

  2. If you are using Oracle Identity Manager release 11.1.1.x, then:

    1. On the Welcome page, click Advanced in the upper-right corner of the page.

    2. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.

  3. If you are using Oracle Identity Manager release 11.1.2.x or later, then in the left pane, under Configuration, click IT Resource.

  4. In the IT Resource Name field on the Manage IT Resource page, enter Active Directory and then click Search. Figure 2-1 shows the Manage IT Resource page.

    Figure 2-1 Manage IT Resource Page

  5. Click the edit icon corresponding to the Active Directory IT resource.

  6. From the list at the top of the page, select Details and Parameters.

  7. Specify values for the parameters of the Active Directory IT resource. Figure 2-2 shows the Edit IT Resource Details and Parameters page.

    Figure 2-2 Edit IT Resource Details and Parameters Page for the Active Directory IT Resource

    The following list describes each parameter of the Active Directory IT resource:

    • ADLDSPort

      Enter the number of the port at which Microsoft AD LDS is listening.

      Sample value: 50001

      Note:

      Do not enter a value for this parameter if you are using Microsoft Active Directory as the target system.
    • BDCHostNames

      Enter the host name of the backup domain controller to which Oracle Identity Manager must switch if the primary domain controller becomes unavailable.

      Sample value: mydc1;mydc2;mydc3

      Note:

      Multiple backup domain controllers must be separated by semicolon (;).
    • Configuration Lookup

      This parameter holds the name of the lookup definition that stores configuration information used during reconciliation and provisioning.

      If you have configured your target system as a target resource, then enter Lookup.Configuration.ActiveDirectory.

      If you have configured your target system as a trusted source, then enter Lookup.Configuration.ActiveDirectory.Trusted.

      Default value: Lookup.Configuration.ActiveDirectory

    • Connector Server Name

      Name of the IT resource of the type "Connector Server." You create an IT resource for the Connector Server in Configuring the IT Resource for the Connector Server.

      Note:

      Enter a value for this parameter only if you have deployed the Active Directory User Management connector in the Connector Server.

      Default value: Active Directory Connector Server

    • Container

      Enter the fully qualified domain name of the user container into or from which users must be provisioned or reconciled into Oracle Identity Manager, respectively.

      Sample value: DC=example,DC=com

    • DirectoryAdminName

      Enter the user name of the account that you created by performing the procedure described in Creating a Target System User Account for Connector Operations.

      Enter the value for this parameter in the following format:

      DOMAIN_NAME\USER_NAME

      Sample value: mydomain\admin

      Note:

      If you are using AD LDS as the target system and this machine belongs to a workgroup, enter the username of the account created in Creating a Target System User Account for Connector Operations.

      Enter a value for this parameter in the following format:

      USER_NAME

      Sample value: admin

    • DirectoryAdminPassword

      Enter the password of the user account that you created by performing the procedure described in Creating a Target System User Account for Connector Operations.

    • DomainName

      Enter the domain name for the Microsoft Active Directory domain controller on which the connector is being installed.

      Sample value: example.com

      Note:

      This is a mandatory parameter if you are using Microsoft Active Directory as the target system.
    • isADLDS

      Enter yes to specify that the target system is Microsoft AD LDS.

      Enter no to specify that the target system is Microsoft Active Directory.

    • LDAPHostName

      Enter the host name, IP address, or domain name of the Microsoft Windows computer (target system host computer) on which Microsoft Active Directory is installed.

      Note:

      If you specify a value for neither this parameter nor the BDCHostNames parameter (discussed earlier in this list), then a serverless bind is used. The connector uses ADSI to locate a domain controller in the domain and then creates the directory entry. Therefore, interactions with the target system are not tied to a specific domain controller.

      To determine the host name, on the computer hosting the target system, right-click My Computer and select Properties. On the Computer Name tab of the System Properties dialog box, the host name is specified as the value of the Full computer name field.

      Sample values:

      w2khost

      172.20.55.120

      example.com

    • SyncDomainController

      Enter the name of the domain controller from which user accounts must be reconciled.

      Note:

      The value specified in this parameter is used if the value of the SearchChildDomains lookup entry is set to no. If no value is specified for the SyncDomainController parameter and the SearchChildDomains lookup entry is set to no, then the connector automatically finds a domain controller for the target system and reconciles users from it.

      Sample value: mynewdc

    • SyncGlobalCatalogServer

      Enter the host on which the global catalog server is located.

      Note:

      The value specified in this parameter is used if the value of the SearchChildDomains lookup entry is set to yes. If no value is specified for the SyncGlobalCatalogServer parameter and the SearchChildDomains lookup entry is set to yes, then the connector automatically finds a global catalog server for the target system, and then reconciles user accounts from the domain controller on which the global catalog server is running.

      It is strongly recommended to provide a value for this parameter if you have set the SearchChildDomains lookup entry to yes.

      Sample value: myglobalcatalogdc

    • UseSSL

      Enter yes if the target system has been configured for SSL. This enables secure communication between the Connector Server and target system. Otherwise, enter no.

      Default value: no

      Note:

      • For resetting user password during provisioning operations, the communication with the target system must be secure. The default communication between the .NET Connector Server and Microsoft Active Directory is secure. Therefore, even if you set the value of this parameter to no, it is possible to reset user passwords during provisioning operations because the default communication is secure. See Configuring SSL for Microsoft Active Directory and Microsoft AD LDS for information about configuring SSL.

      • The default communication between the .NET Connector Server and Microsoft AD LDS is not secure. Therefore, for enabling password reset provisioning operations, you must set the value of this parameter to yes to secure communication with Microsoft AD LDS. See Configuring SSL Between Connector Server and Microsoft AD LDS for more information about configuring SSL.

  8. To save the values, click Update.
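
The following script is an added example and is not from the Oracle guide: it checks a set of Active Directory IT resource values against the rules in the list above (ADLDSPort only for AD LDS, DomainName mandatory for Active Directory, the DOMAIN_NAME\USER_NAME format, semicolon-separated BDCHostNames, UseSSL for AD LDS password reset), and then binds as the connector account and reads the Container entry. The sample values are constructed from the guide's sample values; the use of System.DirectoryServices.Protocols, Negotiate authentication, and ports 389 and 636 are assumptions, because the guide does not describe how the connector itself binds.

```powershell
# Added example, not from the Oracle guide. Values below are constructed from the
# guide's sample values; the bind method and ports are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$itResource = @{
    ADLDSPort              = ''                          # empty: the target is Active Directory
    BDCHostNames           = 'mydc1;mydc2;mydc3'
    'Configuration Lookup' = 'Lookup.Configuration.ActiveDirectory'
    Container              = 'DC=example,DC=com'
    DirectoryAdminName     = 'mydomain\admin'
    DomainName             = 'example.com'
    isADLDS                = 'no'
    LDAPHostName           = 'w2khost'
    UseSSL                 = 'no'
}

function Test-AdItResourceValues([hashtable]$P) {
    # Returns a list of problems; no output means the values are consistent with the guide.
    $problems = @()
    if ($P.isADLDS -eq 'yes') {
        if (-not $P.ADLDSPort) { $problems += 'isADLDS is yes but ADLDSPort is empty' }
        if ($P.UseSSL -ne 'yes') { $problems += 'AD LDS: set UseSSL to yes, otherwise password reset during provisioning is not possible' }
    } else {
        if ($P.ADLDSPort) { $problems += 'ADLDSPort must be empty when the target is Active Directory' }
        if (-not $P.DomainName) { $problems += 'DomainName is mandatory for Active Directory' }
        if ($P.DirectoryAdminName -notmatch '^[^\\]+\\[^\\]+$') { $problems += 'DirectoryAdminName must use the DOMAIN_NAME\USER_NAME format' }
    }
    if ($P.BDCHostNames -match ',') { $problems += 'Separate multiple BDCHostNames with semicolons, not commas' }
    if ($P['Configuration Lookup'] -notin @('Lookup.Configuration.ActiveDirectory', 'Lookup.Configuration.ActiveDirectory.Trusted')) {
        $problems += 'Configuration Lookup must name the target resource or trusted source lookup definition'
    }
    if (-not $P.LDAPHostName -and -not $P.BDCHostNames) {
        Write-Warning 'Neither LDAPHostName nor BDCHostNames is set: the connector will use a serverless bind'
    }
    return $problems
}

function Test-ConnectorBind([hashtable]$P, [System.Management.Automation.PSCredential]$Cred) {
    # Binds as the connector account and reads the Container entry with a base-scope search.
    $useSsl = $P.UseSSL -eq 'yes'
    $port   = if ($P.isADLDS -eq 'yes') { [int]$P.ADLDSPort } elseif ($useSsl) { 636 } else { 389 }
    # Negotiate is an assumption; a workgroup AD LDS account may need AuthType Basic over SSL.
    $auth  = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
    $id    = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($P.LDAPHostName, $port)
    $conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Cred.GetNetworkCredential(), $auth)
    $conn.SessionOptions.SecureSocketLayer = $useSsl
    try {
        $conn.Bind()
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest($P.Container, '(objectClass=*)', $scope, $null)
        $res = $conn.SendRequest($req)
        return "OK: bound to $($P.LDAPHostName):$port as $($Cred.UserName); Container $($res.Entries[0].DistinguishedName) is readable"
    } catch {
        return "FAIL: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

$problems = Test-AdItResourceValues $itResource
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    $cred = Get-Credential -UserName $itResource.DirectoryAdminName -Message 'DirectoryAdminPassword'
    Test-ConnectorBind $itResource $cred
}
```

Run it on the Connector Server host, since that is where the connector binds from; a bind that succeeds from an administrator's workstation but fails from the Connector Server points at name resolution, firewall, or certificate trust on that host rather than at the IT resource values.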

Installing the Microsoft Active Directory User Management Connector in the Connector Server

Installation in the Connector Server consists of the following procedures:

Copying and Extracting the Connector Bundle to the Connector Server

To copy and extract the connector bundle to the Connector Server:

  1. Stop the Connector Server.

    Note:

    You can download the necessary Connector Server from the Oracle Technology Network web page.

  2. From the installation media, copy and extract contents of the bundle/ActiveDirectory.Connector-1.1.0.6380.zip file to the CONNECTOR_SERVER_HOME directory.
  3. Start the Connector Server for the connector bundle to be picked up by the Connector Server.

Configuring the IT Resource for the Connector Server

Note:

A predefined IT resource for the Connector Server, named Active Directory Connector Server, is available after connector installation. The parameters of the predefined IT resource are the same as the parameters described in Table 2-1.

In addition to configuring the Active Directory IT resource, you must configure the IT resource for the Connector Server as follows:

  1. Depending on the Oracle Identity Manager release you are using, perform one of the following steps:

    • For Oracle Identity Manager release 11.1.1.x:

      Log in to the Administrative and User Console

    • For Oracle Identity Manager release 11.1.2.x or later:

      Log in to Oracle Identity System Administration

  2. If you are using Oracle Identity Manager release 11.1.1.x, then:

    1. On the Welcome page, click Advanced in the upper-right corner of the page.

    2. On the Welcome to Oracle Identity Manager Advanced Administration page, in the Configuration region, click Manage IT Resource.

  3. If you are using Oracle Identity Manager release 11.1.2.x or later, then in the left pane, under Configuration, click IT Resource.

  4. In the IT Resource Name field on the Manage IT Resource page, enter Active Directory Connector Server and then click Search.

  5. Click the edit icon corresponding to the Active Directory Connector Server IT resource.

  6. From the list at the top of the page, select Details and Parameters.

  7. Specify values for the parameters of the Active Directory Connector Server IT resource, as described in Table 2-1.

    Table 2-1 Parameters of the Active Directory Connector Server IT Resource

    • Host

      Enter the host name or IP address of the computer hosting the connector server.

      Sample value: myhost.com

    • Key

      Enter the key for the connector server.

    • Port

      Enter the number of the port at which the connector server is listening.

      Default value: 8759

    • Timeout

      Enter an integer value that specifies the number of milliseconds after which the connection between the connector server and Oracle Identity Manager times out.

      Sample value: 0

      A value of 0 means that the connection never times out.

    • UseSSL

      Enter true to specify that you will configure SSL between Oracle Identity Manager and the Connector Server. Otherwise, enter false.

      Default value: false

      Note:

      It is recommended that you configure SSL to secure communication with the connector server. To configure SSL between Oracle Identity Manager and Connector Server, see Configuring SSL Between Oracle Identity Manager and Connector Server.

  8. Click Update to save the values.
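
The following script is an added example and is not from the Oracle guide: it confirms that the Host and Port values entered in Table 2-1 reach a listening Connector Server and, when UseSSL is true, that the endpoint completes a TLS handshake with a certificate that validates for that host name. myhost.com is a constructed placeholder and 8759 is the guide's default port; that the Connector Server's SSL listener speaks standard TLS (so that SslStream can negotiate with it) is an assumption.

```powershell
# Added example, not from the Oracle guide. The host is a constructed placeholder;
# 8759 is the default port from Table 2-1; standard TLS on that port is assumed.
param(
    [string]$ConnectorHost = 'myhost.com',   # constructed placeholder
    [int]$Port = 8759,
    [bool]$UseSSL = $true
)

function Test-ConnectorServerEndpoint([string]$ConnectorHost, [int]$Port, [bool]$UseSSL) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ConnectorHost, $Port)
    } catch {
        return "FAIL: ${ConnectorHost}:$Port is not reachable ($($_.Exception.Message))"
    }
    if (-not $UseSSL) {
        $client.Close()
        return "WARN: ${ConnectorHost}:$Port accepts connections, but with UseSSL=false the traffic between Oracle Identity Manager and the Connector Server is not encrypted"
    }
    # SslStream with the default validation callback: an untrusted chain or a host
    # name mismatch throws here, which is better than finding out at the first
    # reconciliation run.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($ConnectorHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return "OK: $($ssl.SslProtocol) handshake with ${ConnectorHost}:$Port; certificate '$($cert.Subject)' expires $($cert.NotAfter.ToString('u'))"
    } catch {
        return "FAIL: TLS handshake with ${ConnectorHost}:$Port failed ($($_.Exception.Message))"
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

Test-ConnectorServerEndpoint -ConnectorHost $ConnectorHost -Port $Port -UseSSL $UseSSL
```

Run it from the Oracle Identity Manager host, because that is the client side of this connection: the certificate must chain to a root that host trusts, and the Host value must match the certificate's subject or subject alternative name, or the handshake fails exactly as it would for Oracle Identity Manager.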

Postinstallation

Postinstallation steps are detailed across the following sections:

Configuring Oracle Identity Manager 11.1.2 or Later

If you are using Oracle Identity Manager release 11.1.2 or later, you must create additional metadata such as a UI form and an application instance. In addition, you must run entitlement and catalog synchronization jobs. These procedures are described in the following sections:

Creating and Activating a Sandbox

Create and activate a sandbox as follows. For detailed instructions, see Managing Sandboxes in Administering Oracle Identity Manager.

  1. Log in to Oracle Identity System Administration.
  2. In the upper right corner of the page, click the Sandboxes link.

    The Manage Sandboxes page is displayed.

  3. On the toolbar, click Create Sandbox.
  4. In the Create Sandbox dialog box, enter values for the following fields:
    • Sandbox Name: Enter a name for the sandbox.

    • Sandbox Description: Enter a description of the sandbox.

  5. Click Save and Close.
  6. Click OK on the confirmation message that is displayed.

    The sandbox is created and displayed in the Available Sandboxes section of the Manage Sandboxes page.

  7. From the table showing the available sandboxes in the Manage Sandboxes page, select the newly created sandbox that you want to activate.
  8. On the toolbar, click Activate Sandbox.

    The sandbox is activated.

Creating a New UI Form

Create a new UI form as follows. For detailed instructions, see Managing Forms in Administering Oracle Identity Manager.

  1. In the left pane, under Configuration, click Form Designer. The Form Designer page is displayed.
  2. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Form page is displayed.
  3. On the Create Form page, enter values for the following UI fields:
    • Resource Type: Select the resource object that you want to associate the form with. For example, AD User.

    • Form Name: Enter a name for the form.

  4. Click Create.

    A message is displayed stating that the form is created.

Creating an Application Instance

Create an application instance as follows. For detailed instructions, see Managing Application Instances in Administering Oracle Identity Manager.

  1. In the left pane of the System Administration console, under Configuration, click Application Instances. The Application Instances page is displayed.
  2. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Application Instance page is displayed.
  3. Specify values for the following fields:
    • Name: The name of the application instance.

    • Display Name: The display name of the application instance.

    • Description: A description of the application instance.

    • Resource Object: The resource object name. Click the search icon next to this field to search for and select AD User.

    • IT Resource Instance: The IT resource instance name. Click the search icon next to this field to search for and select Active Directory.

    • Form: Select the form name (created in Creating a New UI Form).

  4. Click Save. The application instance is created.
  5. Publish the application instance to an organization to make the application instance available for requesting and subsequent provisioning to users. See Managing Organizations Associated With Application Instances in Administering Oracle Identity Manager for detailed instructions.

Publishing a Sandbox

To publish the sandbox that you created in Creating and Activating a Sandbox:

  1. Close all the open tabs and pages.
  2. In the upper right corner of the page, click the Sandboxes link.

    The Manage Sandboxes page is displayed.

  3. From the table showing the available sandboxes in the Manage Sandboxes page, select the sandbox that you created in Creating and Activating a Sandbox.
  4. On the toolbar, click Publish Sandbox. A message is displayed asking for confirmation.
  5. Click Yes to confirm. The sandbox is published and the customizations it contained are merged with the main line.

Harvesting Entitlements and Sync Catalog

To harvest entitlements and sync catalog:

  1. Run the scheduled jobs for lookup field synchronization listed in Scheduled Jobs for Lookup Field Synchronization.
  2. Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table. See Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about this scheduled job.
  3. Run the Catalog Synchronization Job scheduled job. See Predefined Scheduled Tasks in the Oracle Fusion Middleware Administering Oracle Identity Manager for more information about this scheduled job.

Localizing Field Labels in UI Forms

Note:

Perform the procedure described in this section only if you are using Oracle Identity Manager release 11.1.2.x or later and you want to localize UI form field labels.

To localize the field labels that you add to UI forms:

  1. Log in to Oracle Enterprise Manager.

  2. In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.

  3. In the right pane, from the Application Deployment list, select MDS Configuration.

  4. On the MDS Configuration page, click Export and save the archive to the local computer.

  5. Extract the contents of the archive, and open one of the following files in a text editor:

    • For Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0):

      SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_en.xlf

    • For releases prior to Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0):

      SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf

  6. Edit the BizEditorBundle.xlf file in the following manner:

    a. Search for the following text:

      <file source-language="en"
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">

    b. Replace with the following text:

      <file source-language="en" target-language="LANG_CODE"
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">

      In this text, replace LANG_CODE with the code of the language to which you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:

      <file source-language="en" target-language="ja"
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf"
      datatype="x-oracle-adf">

    c. Search for the application instance code. This procedure shows a sample edit for the Microsoft Active Directory application instance. The original code is:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.<Field_Name>__c_description']}">
      <source><Field_Label></source>
      <target/>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.<UI_Form_Name>EO.<Field_Name>__c_LABEL">
      <source><Field_Label></source>
      <target/>
      </trans-unit>

      The sample edit of the code is as follows:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ADUSER_FULLNAME__c_description']}">
      <source>Full Name</source>
      <target/>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_FULLNAME__c_LABEL">
      <source>Full Name</source>
      <target/>
      </trans-unit>

    d. Open the resource file from the connector package, for example ActiveDirectoryIdC_ja.properties, and get the value of the attribute from the file, for example, global.udf.UD_ADUSER_FULLNAME=\u6C0F\u540D.

    e. Replace the original code shown in Step 6.c with the following:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_<Field_Name>__c_description']}">
      <source><Field_Label></source>
      <target><Value of global.udf.UD_<Field_Name>></target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.<UI_Form_Name>.entity.<UI_Form_Name>EO.UD_<Field_Name>__c_LABEL">
      <source><Field_Label></source>
      <target><Value of global.udf.UD_<Field_Name>></target>
      </trans-unit>

      In this code, <Value of global.udf.UD_<Field_Name>> is the value that you obtained from the resource file in Step 6.d. As an example, the code for Full Name is as follows:

      <trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ADUSER_FULLNAME__c_description']}">
      <source>Full Name</source>
      <target>\u6C0F\u540D</target>
      </trans-unit>
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_FULLNAME__c_LABEL">
      <source>Full Name</source>
      <target>\u6C0F\u540D</target>
      </trans-unit>

    f. Repeat Steps 6.a through 6.d for all attributes of the process form.

    g. Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing.

      Sample file name: BizEditorBundle_ja.xlf.

  7. Repackage the ZIP file and import it into MDS.

    See Also:

    Deploying and Undeploying Customizations in Developing and Customizing Applications for Oracle Identity Manager for more information about exporting and importing metadata files.

  8. Log out of and log in to Oracle Identity Manager.
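
The per-field editing in Step 6 is mechanical, so it is a natural candidate for scripting. The following Python script is an added example and is not part of Oracle's documentation or the connector package: it reads an exported BizEditorBundle.xlf, sets target-language on the <file> element (Step 6.b), looks up global.udf.UD_<Field_Name> for every trans-unit in the connector resource bundle (Step 6.d), writes the decoded value into <target> (Step 6.e), and saves BizEditorBundle_<LANG_CODE>.xlf (Step 6.g). The XLIFF fragment and the .properties excerpt embedded below are constructed sample data, and the UD_ADUSER_DEPT field is invented to show how a field with no bundle entry is reported.

```python
import os
import re
import xml.etree.ElementTree as ET

XLIFF_NS = "urn:oasis:names:tc:xliff:document:1.1"
ET.register_namespace("", XLIFF_NS)   # keeps a namespaced export free of ns0: prefixes

# Constructed sample of an exported BizEditorBundle.xlf (namespace omitted to keep it
# short): the two trans-units for UD_ADUSER_FULLNAME shown in the procedure, plus an
# invented UD_ADUSER_DEPT field that has no entry in the resource bundle.
SAMPLE_XLF = """<xliff version="1.1">
<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">
<body>
<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_ADUSER_FULLNAME__c_description']}">
<source>Full Name</source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_FULLNAME__c_LABEL">
<source>Full Name</source>
<target/>
</trans-unit>
<trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.ad11.entity.ad11EO.UD_ADUSER_DEPT__c_LABEL">
<source>Department</source>
<target/>
</trans-unit>
</body>
</file>
</xliff>
"""

# Constructed excerpt of a connector bundle such as ActiveDirectoryIdC_ja.properties.
SAMPLE_PROPERTIES = r"""# Japanese labels (Java .properties: ISO-8859-1 text plus \uXXXX escapes)
global.udf.UD_ADUSER_FULLNAME=\u6C0F\u540D
"""

# Extracts the UD_<Field_Name> part of a trans-unit id (both the _description and
# the _LABEL variants shown in the procedure).
FIELD_RE = re.compile(r"\.(UD_[A-Z0-9_]+)__c_(?:description|LABEL)")


def _local(tag):
    """Strip a {namespace} prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def load_properties(text):
    """Parse key=value lines of a Java .properties file, decoding \\uXXXX escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        props[key.strip()] = raw.strip().encode("latin-1").decode("unicode_escape")
    return props


def localize(xlf_text, props, lang_code):
    """Set target-language on <file>, then fill <target> of every form-field
    trans-unit from global.udf.<field>. Returns (localized XLIFF text, sorted
    list of field names that had no bundle entry and were left untranslated)."""
    root = ET.fromstring(xlf_text.encode("utf-8"))
    missing = set()
    for el in root.iter():
        name = _local(el.tag)
        if name == "file":
            el.set("target-language", lang_code)
        elif name == "trans-unit":
            match = FIELD_RE.search(el.get("id", ""))
            target = next((c for c in el if _local(c.tag) == "target"), None)
            if match is None or target is None:
                continue
            label = props.get("global.udf." + match.group(1))
            if label is None:
                missing.add(match.group(1))      # left empty for manual translation
            else:
                target.text = label
    return ET.tostring(root, encoding="unicode"), sorted(missing)


def localize_file(xlf_path, properties_path, lang_code):
    """Write BizEditorBundle_<lang_code>.xlf next to the exported file."""
    with open(properties_path, encoding="latin-1") as f:
        props = load_properties(f.read())
    with open(xlf_path, encoding="utf-8") as f:
        text, missing = localize(f.read(), props, lang_code)
    out_path = os.path.join(os.path.dirname(xlf_path), "BizEditorBundle_%s.xlf" % lang_code)
    with open(out_path, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="UTF-8"?>\n' + text)
    return out_path, missing


if __name__ == "__main__":
    text, missing = localize(SAMPLE_XLF, load_properties(SAMPLE_PROPERTIES), "ja")
    print(text)
    print("fields without a bundle entry:", missing)
```

Run localize_file() against the extracted archive from Step 5 and the connector's properties file for the target language; review the list of fields it reports as missing before repackaging the ZIP file in Step 7, because those <target> elements remain empty.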

Clearing Content Related to Connector Resource Bundles from the Server Cache

When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the Oracle Identity Manager database. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

  1. In a command window, switch to the OIM_HOME/server/bin directory.

    Note:

    You must perform Step 1 before you perform Step 2. An exception is thrown if you run the command described in Step 2 as follows:

    OIM_HOME/server/bin/SCRIPT_FILE_NAME
    
  2. Enter one of the following commands:

    On Microsoft Windows: PurgeCache.bat All

    On UNIX: PurgeCache.sh All

    Note:

    You can use the PurgeCache utility to purge the cache for any content category. Run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the content category that must be purged.

    For example, the following commands purge Metadata entries from the server cache:

    PurgeCache.bat MetaData

    PurgeCache.sh MetaData

    When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:

    t3://OIM_HOST_NAME:OIM_PORT_NUMBER
    

    In this format:

    • Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.

    • Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.

Setting Up the Lookup Definition for Connection Pooling

Connection pooling allows physical connections to be reused, which reduces overhead for your application. Setting up the lookup definition for connection pooling is described in the following sections:

Connection Pooling Properties

By default, this connector uses the ICF connection pooling. Table 2-2 lists the connection pooling properties, their description, and default values set in ICF:

Table 2-2 Connection Pooling Properties

Property                  Description                                                             Default Value
Pool Max Idle             Maximum number of idle objects in a pool.                               10
Pool Max Size             Maximum number of connections that the pool can create.                 10
Pool Max Wait             Maximum time, in milliseconds, the pool must wait for a free object to  150000
                          make itself available to be consumed for an operation.
Pool Min Evict Idle Time  Minimum time, in milliseconds, the connector must wait before evicting  120000
                          an idle object.
Pool Min Idle             Minimum number of idle objects in a pool.                               1

Adding Connection Pooling Properties

If you want to add the connection pooling properties so that they use values that suit the requirements of your environment, then perform the following procedure:

  1. Log in to the Design Console.
  2. Expand Administration, and then double-click Lookup Definition.
  3. Search for and open one of the following lookup definitions:

    For the trusted source mode: Lookup.Configuration.ActiveDirectory.Trusted

    For target resource mode: Lookup.Configuration.ActiveDirectory

  4. On the Lookup Code Information tab, click Add.

    A new row is added.

  5. In the Code Key column of the new row, enter Pool Max Idle.
  6. In the Decode column of the new row, enter a value corresponding to the Pool Max Idle property.
  7. Repeat Steps 4 through 6 for adding each of the connection pooling properties listed in Table 2-2.
  8. Click the Save icon.
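
To make the effect of the five properties in Table 2-2 concrete, the following Python model is an added example; it is not the ICF pool implementation and the connection objects are constructed stand-ins. pool_from_lookup() takes the Code Key/Decode pairs exactly as they are entered in the lookup definition above, and demo() runs the pool with small values so that each property's behaviour can be observed: Pool Max Size caps the number of connections, Pool Max Wait bounds how long a caller waits for a free one, Pool Max Idle decides whether a returned connection is kept or closed, and the evictor honours Pool Min Evict Idle Time while keeping Pool Min Idle connections open. The clock is injected so the demo never really sleeps.

```python
import time

# Code Keys from Table 2-2 mapped to the pool's constructor arguments.
LOOKUP_KEYS = {"Pool Max Idle": "max_idle", "Pool Max Size": "max_size",
               "Pool Max Wait": "max_wait_ms",
               "Pool Min Evict Idle Time": "min_evict_idle_ms",
               "Pool Min Idle": "min_idle"}


class PoolExhausted(Exception):
    """No connection became free within Pool Max Wait."""


class FakeConnection:
    """Stand-in for a target system connection (constructed for the demo)."""
    closed = False

    def close(self):
        self.closed = True


class ConnectionPool:
    def __init__(self, max_idle=10, max_size=10, max_wait_ms=150000,
                 min_evict_idle_ms=120000, min_idle=1,
                 clock=time.monotonic, sleep=time.sleep):
        self.max_idle, self.max_size, self.min_idle = max_idle, max_size, min_idle
        self.max_wait = max_wait_ms / 1000.0             # ICF values are milliseconds
        self.min_evict_idle = min_evict_idle_ms / 1000.0
        self.clock, self.sleep = clock, sleep            # injectable for a deterministic demo
        self.idle = []                                   # (connection, idle since), oldest first
        self.active = set()
        self.created = 0

    def borrow(self):
        """Reuse an idle connection, create one below Pool Max Size, or wait up to
        Pool Max Wait for a release before failing."""
        deadline = self.clock() + self.max_wait
        while True:
            if self.idle:
                conn, _ = self.idle.pop()
            elif len(self.idle) + len(self.active) < self.max_size:
                conn = FakeConnection()
                self.created += 1
            elif self.clock() >= deadline:
                raise PoolExhausted("pool at Pool Max Size for %.2fs" % self.max_wait)
            else:
                self.sleep(0.05)                         # poll until something is released
                continue
            self.active.add(conn)
            return conn

    def release(self, conn):
        """Return a connection; beyond Pool Max Idle it is closed instead of kept."""
        self.active.discard(conn)
        if len(self.idle) >= self.max_idle:
            conn.close()
        else:
            self.idle.append((conn, self.clock()))

    def evict(self):
        """Close connections idle for at least Pool Min Evict Idle Time while
        keeping Pool Min Idle of them. Returns the number closed."""
        now, kept, evicted = self.clock(), [], 0
        for conn, since in self.idle:
            if len(self.idle) - evicted > self.min_idle and now - since >= self.min_evict_idle:
                conn.close()
                evicted += 1
            else:
                kept.append((conn, since))
        self.idle = kept
        return evicted


def pool_from_lookup(entries, **kwargs):
    """Build a pool from the Code Key/Decode pairs entered in the lookup definition."""
    args = {LOOKUP_KEYS[k]: int(v) for k, v in entries.items() if k in LOOKUP_KEYS}
    return ConnectionPool(**args, **kwargs)


class FakeClock:
    """Simulated clock so the demo never really sleeps."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def demo():
    """Exercise every property with small values and return what was observed."""
    clock = FakeClock()
    pool = pool_from_lookup({"Pool Max Idle": "2", "Pool Max Size": "3", "Pool Max Wait": "500",
                             "Pool Min Evict Idle Time": "1000", "Pool Min Idle": "1"},
                            clock=clock, sleep=clock.sleep)
    conns = [pool.borrow() for _ in range(3)]            # pool is now at Pool Max Size
    try:
        pool.borrow()
        exhausted = False
    except PoolExhausted:
        exhausted = True                                 # raised once Pool Max Wait elapsed
    waited = clock.now
    for c in conns:
        pool.release(c)
    closed_on_release = sum(c.closed for c in conns)     # third return exceeds Pool Max Idle
    clock.sleep(2.0)                                     # idle longer than Pool Min Evict Idle Time
    evicted = pool.evict()                               # Pool Min Idle keeps one connection open
    return {"created": pool.created, "exhausted": exhausted, "waited_s": waited,
            "closed_on_release": closed_on_release, "evicted": evicted,
            "idle_after_evict": len(pool.idle)}
```

The practical lesson for sizing is visible in demo(): with Pool Max Size reached, a reconciliation or provisioning operation blocks for the whole Pool Max Wait (150 seconds by default) before failing, so a pool that is too small for the number of concurrent scheduled jobs shows up as slow or timed-out operations rather than as an immediate error.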

Setting Up the Lookup Definition for the Ignore Event API

This section discusses the following topics:

Understanding the Ignore Event Disabled Entry

You can add the 'Ignore Event Disabled' entry to the Configuration lookup definition (Lookup.Configuration.ActiveDirectory.Trusted and Lookup.Configuration.ActiveDirectory for trusted source and target resource modes, respectively) to specify whether reconciliation events must be created for target system records that already exist in Oracle Identity Manager.

If you set the value of the Ignore Event Disabled entry to true, then reconciliation events are created for all records being fetched from the target system, irrespective of their presence in Oracle Identity Manager. If you set the value of this entry to false, then reconciliation events for target system records that are already present in Oracle Identity Manager are not created.

Adding the Ignore Event Disabled Entry

You add the 'Ignore Event Disabled' entry to specify whether reconciliation events must be created for target system records that already exist in Oracle Identity Manager. To do so:

  1. Log in to the Design Console.
  2. Expand Administration, and then double-click Lookup Definition.
  3. Search for and open one of the following lookup definitions:

    For the trusted source mode: Lookup.Configuration.ActiveDirectory.Trusted

    For target resource mode: Lookup.Configuration.ActiveDirectory

  4. On the Lookup Code Information tab, click Add.

    A new row is added.

  5. In the Code Key column of the new row, enter Ignore Event Disabled.
  6. In the Decode column of the new row, depending on your requirement, enter true or false.
  7. Click the Save icon.

Configuring the Connector for the Microsoft AD LDS Target System

Note:

Perform the procedure described in this section only if you are using AD LDS as the target system.

Before you start using the connector with the AD LDS target system, you must perform the following procedure:

  1. Log in to the Design Console.

  2. Expand Administration, and then double-click Lookup Definition.

  3. Modify the Lookup.ActiveDirectory.UM.Configuration lookup definition as follows:

    1. Search for and open the Lookup.ActiveDirectory.UM.Configuration lookup definition.

    2. Change the Lookup.ActiveDirectory.UM.ProvAttrMap Decode value to Lookup.ActiveDirectoryLDS.UM.ProvAttrMap.

    3. Change the Lookup.ActiveDirectory.UM.ReconAttrMap Decode value to Lookup.ActiveDirectoryLDS.UM.ReconAttrMap.

  4. Modify the Lookup.ActiveDirectory.GM.Configuration lookup definition as follows:

    1. Search for and open the Lookup.ActiveDirectory.GM.Configuration lookup definition.

    2. Change the Lookup.ActiveDirectory.GM.ProvAttrMap Decode value to Lookup.ActiveDirectoryLDS.GM.ProvAttrMap.

    3. Change the Lookup.ActiveDirectory.GM.ReconAttrMap Decode value to Lookup.ActiveDirectoryLDS.GM.ReconAttrMap.

  5. Modify the Lookup.ActiveDirectory.UM.Configuration.Trusted lookup definition as follows:

    1. Search for and open the Lookup.ActiveDirectory.UM.Configuration.Trusted lookup definition.

    2. Change the Lookup.ActiveDirectory.UM.Configuration.Trusted Decode value to Lookup.ActiveDirectoryLDS.UM.Configuration.Trusted.

  6. If you have configured the target system as a target resource, then from the Lookup.ActiveDirectory.UM.ProvAttrMap and Lookup.ActiveDirectory.UM.ReconAttrMap lookup definitions, remove entries specific to terminal services fields. For example, the Terminal Home Directory and Terminal Profile Path entries.

  7. Click the Save icon.

  8. Remove the process form fields and process tasks that are specific to terminal services fields.

Configuring Oracle Identity Manager for Request-Based Provisioning

Note:

Perform the procedures described in this section only if you are using Oracle Identity Manager release 11.1.1.x.

In request-based provisioning, an end user creates a request for a resource by using the Administrative and User Console. Administrators or other users can also create requests for a particular user. Requests for a particular resource can be viewed and approved by approvers designated in Oracle Identity Manager.

The following sections provide more information about configuring request-based provisioning:

Features of Request-Based Provisioning

The following are features of request-based provisioning:

  • A user can be provisioned only one resource (account) on the target system.

    Note:

    Direct provisioning allows the provisioning of multiple Microsoft Active Directory accounts on the target system.

  • Direct provisioning cannot be used if you enable request-based provisioning.

About Request Datasets

Request-based provisioning is performed by using a request dataset. A request dataset is an XML file that specifies the information to be submitted by the requester during a provisioning operation. Predefined request datasets are shipped with this connector. These request datasets specify information about the default set of attributes for which the requester must submit information during a request-based provisioning operation. The following is the list of predefined request datasets available in the dataset directory on the installation media:

For Microsoft Active Directory:

  • ProvisionResourceADUser.xml

  • ModifyResourceADUser.xml

For Microsoft AD LDS:

  • ProvisionResourceADLDSUser.xml

  • ModifyResourceADLDSUser.xml

Copying Predefined Request Datasets

Copy the predefined request dataset files from the installation media to any directory on the Oracle Identity Manager host computer. It is recommended that you create a directory structure as follows:

/custom/connector/RESOURCE_NAME

For example:

E:\MyDatasets\custom\connector\AD

Note:

Until you complete the procedure to configure request-based provisioning, ensure that there are no other files or directories inside the parent directory in which you create the directory structure. In the preceding example, ensure that there are no other files or directories inside the E:\MyDatasets directory.

The directory structure to which you copy the dataset files is the MDS location into which these files are imported after you run the Oracle Identity Manager MDS Import utility. The procedure to import dataset files is described in the next section.

Depending on your requirement, you can modify the file names of the request datasets. In addition, you can modify the information in the request datasets.

Importing Request Datasets

There are two ways of importing request datasets:

Note:

Request datasets imported by using the MDS Import utility and request datasets imported by using the Deployment Manager are the same.

Importing Request Datasets Using MDS Import Utility

All request datasets must be imported into the metadata store (MDS), which can be done by using the Oracle Identity Manager MDS Import utility.

To import a request dataset definition into MDS:

  1. Ensure that you have set the environment for running the MDS Import utility as follows:
    1. Set Environment Variable: Set the OIM_ORACLE_HOME environment variable to the Oracle Identity Management Oracle home directory inside the Middleware home directory. For example, for Microsoft Windows, set the OIM_ORACLE_HOME environment variable to C:\Oracle\Middleware\Oracle_IDM1\ directory.

    2. Set Up the Properties File: Set the necessary properties in the weblogic.properties file, which is located in the same folder as the utilities. The properties are described after the following note.

      Note:

      While setting up the properties in the weblogic.properties file, ensure that the value of the metadata_from_loc property is the parent directory of the /custom/connector/RESOURCE_NAME directory. For example, while performing the procedure in Copying Predefined Request Datasets, if you copy the files to the E:\MyDatasets\custom\connector\Exchng directory, then set the value of the metadata_from_loc property to E:\MyDatasets.

      wls_servername

      Name of the Oracle WebLogic Server on which Oracle Identity Manager is deployed.

      application_name

      The application name. The value is oim if you are importing or exporting an out-of-the-box event handler, and OIMMetadata for customizable metadata. If you are importing or exporting custom data, set application_name to OIMMetadata.

      metadata_from_loc

      Directory location from which an XML file should be imported. This property is used by the weblogicImportMetadata.sh script. Microsoft Windows paths include // as the file or directory separator.

      metadata_to_loc

      Directory location to which an XML file should be exported. This property is used by the weblogicExportMetadata.sh script. Microsoft Windows paths include // as the file or directory separator.

      metadata_files

      Full path and name of an XML file. This property is used by the weblogicExportMetadata.sh and weblogicDeleteMetadata.sh scripts. For example, you may specify /file/User.xml to export a user entity definition. You can indicate multiple XML files as comma-separated values.
  2. In a command window, change to the OIM_HOME\server\bin directory.
  3. Run one of the following commands:
    • On Microsoft Windows

      weblogicImportMetadata.bat
      
    • On UNIX

      weblogicImportMetadata.sh
      
  4. When prompted, enter the following values:
    • Please enter your username [weblogic]

      Enter the username used to log in to WebLogic server

      Sample value: WL_User

    • Please enter your password [weblogic]

      Enter the password used to log in to WebLogic server

    • Please enter your server URL [t3://localhost:7001]

      Enter the URL of the application server in the following format:

      t3://HOST_NAME_IP_ADDRESS:PORT

      In this format, replace HOST_NAME_IP_ADDRESS with the host name or IP address of the computer on which Oracle Identity Manager is installed, and PORT with the port on which Oracle Identity Manager is listening.

    The request dataset is imported into MDS.
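
Because everything under metadata_from_loc is imported into MDS, the two mistakes that most often spoil this step are a stray file in the parent directory (the note in Copying Predefined Request Datasets) and a metadata_from_loc that points at the dataset directory instead of its parent. The following Python preflight check is an added example, not an Oracle utility: check_dataset_layout() verifies the /custom/connector/RESOURCE_NAME tree and that nothing else lives beside it, and check_properties() validates the metadata_from_loc and application_name settings. demo() builds a constructed directory tree in a temporary location and feeds it constructed property values (the wls_servername value oim_server1 and the file contents are made up) so the check runs offline.

```python
import os
import tempfile


def check_dataset_layout(parent, resource_name, expected_files):
    """Return a list of problems with the /custom/connector/RESOURCE_NAME tree
    under parent; an empty list means it is ready for weblogicImportMetadata."""
    problems = []
    dataset_dir = os.path.join(parent, "custom", "connector", resource_name)
    if not os.path.isdir(dataset_dir):
        return ["missing directory " + dataset_dir]
    present = set(os.listdir(dataset_dir))
    problems += ["dataset %s not found in %s" % (f, dataset_dir)
                 for f in expected_files if f not in present]
    # Only the custom/connector/RESOURCE_NAME chain may exist under parent, because
    # the import utility picks up everything below metadata_from_loc.
    allowed = {".": "custom", "custom": "connector",
               os.path.join("custom", "connector"): resource_name}
    for root, dirs, files in os.walk(parent):
        rel = os.path.relpath(root, parent)
        if rel not in allowed:
            continue                      # inside the dataset directory itself
        extra = [d for d in dirs if d != allowed[rel]] + files
        problems += ["unexpected entry " + os.path.join(root, e) for e in extra]
    return problems


def check_properties(props, parent):
    """Validate the weblogic.properties settings that the dataset import relies on."""
    problems = []
    loc = props.get("metadata_from_loc")
    if loc is None:
        problems.append("metadata_from_loc is not set")
    elif os.path.normcase(os.path.abspath(loc)) != os.path.normcase(os.path.abspath(parent)):
        problems.append("metadata_from_loc is %r; it must be the parent directory %r"
                        % (loc, parent))
    if props.get("application_name") != "OIMMetadata":
        problems.append("application_name must be OIMMetadata when importing custom metadata")
    return problems


def demo():
    """Build a constructed dataset tree in a temp directory and run both checks.
    Returns (problems for a clean tree, problems after adding a stray file,
    problems for a wrong weblogic.properties)."""
    parent = tempfile.mkdtemp(prefix="MyDatasets")
    dataset_dir = os.path.join(parent, "custom", "connector", "AD")
    os.makedirs(dataset_dir)
    ad_files = ("ProvisionResourceADUser.xml", "ModifyResourceADUser.xml")
    for name in ad_files:
        with open(os.path.join(dataset_dir, name), "w") as f:
            f.write("<!-- constructed placeholder, not a real dataset -->")
    clean = check_dataset_layout(parent, "AD", ad_files)
    # Reproduce the mistake the note warns about: a file beside custom/.
    with open(os.path.join(parent, "notes.txt"), "w") as f:
        f.write("scratch")
    stray = check_dataset_layout(parent, "AD", ad_files)
    # metadata_from_loc pointing at the dataset directory instead of its parent,
    # and application_name left at the event-handler value (constructed values).
    wrong_props = {"wls_servername": "oim_server1", "application_name": "oim",
                   "metadata_from_loc": dataset_dir}
    return clean, stray, check_properties(wrong_props, parent)


if __name__ == "__main__":
    for label, result in zip(("clean tree", "stray file", "wrong properties"), demo()):
        print(label + ":", result or "ok")
```

To use it on a real host, call check_dataset_layout() with the directory you copied the datasets to (E:\MyDatasets in the example above) and check_properties() with the key/value pairs from your weblogic.properties; fix every reported problem before running weblogicImportMetadata.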

Importing Request Datasets Using Deployment Manager

The request datasets (predefined or generated) can also be imported by using the Deployment Manager (DM). The predefined request datasets are stored in the xml directory on the installation media.

To import a request dataset definition by using the Deployment Manager:

  1. Log in to the Oracle Identity Manager Administrative and User Console.
  2. On the Welcome page, click Advanced in the upper-right corner of the page.
  3. On the Welcome to Oracle Identity Manager Advanced Administration page, in the System Management region, click Import Deployment Manager File. A dialog box for opening files is displayed.
  4. Depending on the target system that you are using, locate and open one of the following files, which is located in the xml directory of the installation media:

    For AD: ActiveDirectory-Datasets.xml

    For AD LDS: ActiveDirectoryLDS-Datasets.xml

    Details of this XML file are shown on the File Preview page.

  5. Click Add File. The Substitutions page is displayed.
  6. Click Next. The Confirmation page is displayed.
  7. Click Import.
  8. In the message that is displayed, click Import to confirm that you want to import the XML file and then click OK.

    The request datasets are imported into MDS.

Enabling the Auto Save Form Feature

To enable the Auto Save Form feature:

  1. Log in to the Design Console.
  2. Expand Process Management and then double-click Process Definition.
  3. Search for and open the AD User process definition.
  4. Select the Auto Save Form check box.
  5. Click the Save icon.

Running the PurgeCache Utility

Run the PurgeCache utility to clear content belonging to the Metadata category from the server cache. See Clearing Content Related to Connector Resource Bundles from the Server Cache for instructions.

The procedure to configure request-based provisioning ends with this step.

Configuring the Connector for Provisioning Organizations

Perform the procedure described in this section if you intend to provision organizations to a root DN.

Before you provision organizations to a root DN, you must add the DN to the Lookup.ActiveDirectory.OrganizationalUnits lookup definition as follows:

  1. Log in to the Design Console.
  2. Expand Administration and then double-click Lookup Definition.
  3. Search for and open the Lookup.ActiveDirectory.OrganizationalUnits lookup definition.
  4. Add an entry for the root DN. The following is a sample value for the Code Key and Decode values:

    Code Key: 150~DC=childtest,DC=test,DC=idm,DC=central,DC=example,DC=com

    Decode: SamAD~DC=childtest,DC=test,DC=idm,DC=central,DC=example,DC=com

  5. Click Save.

Enabling or Disabling Password Policies in Microsoft Active Directory

In Microsoft Active Directory, the "Passwords must meet complexity requirements" policy setting is used to enable or disable password policies.

The procedure that you must perform depends on whether or not you want to achieve either or both of the following objectives:

  • Enable password policies

  • Configure SSL between Oracle Identity Manager and the target system

    Note:

    The procedure to configure SSL is discussed later in this guide.

If you configure SSL and you want to enable both the default Microsoft Windows password policy and a custom password policy, then you must enable the "Passwords must meet complexity requirements" policy setting.

See the Microsoft documentation for detailed instructions to enable or disable the "Passwords must meet complexity requirements" policy setting.

Note:

If you install Microsoft ADAM in a domain controller then it acquires all the policies of Microsoft Active Directory installed in the same domain controller. If you install Microsoft ADAM in a workgroup, then the local system policies are applied.

Configuring SSL for Microsoft Active Directory and Microsoft AD LDS

This section discusses the following topics to configure SSL communication between Oracle Identity Manager and the target system:

Note:

  • In this section, Microsoft ADAM and Microsoft AD LDS are both referred to as Microsoft AD LDS. Therefore, if you are using Microsoft Windows Server 2003 as the target system, then read the term Microsoft AD LDS as Microsoft ADAM while performing the instructions described in this section. Wherever needed, instructions specific to Microsoft ADAM and to Microsoft AD LDS are called out separately.

  • If you are using Microsoft AD LDS, then you must configure SSL for all connector operations to work as expected.

  • For detailed instructions of the procedures, see the Microsoft documentation.

Prerequisites

Public key certificates are used for determining the identity and authenticity of clients in software security systems. Certificate Services create and manage public key certificates. This ensures that organizations have a reliable and secure way to create, manage, and distribute these certificates.

Note:

  • Before you begin installing Active Directory Certificate Services (AD CS), you must ensure that Internet Information Services (IIS) is installed on the computer hosting the target system.

  • For detailed steps to install Certificate Services on the corresponding Windows Server, refer to the Microsoft documentation.

Before you configure SSL, depending on the target system that you are using, you must install Certificate Services on a Windows Server (2003, 2008, or 2012), and then ensure the following:
  • If you are installing Certificate Services on Windows Server 2003, ensure that Active Directory or ADAM is installed on the host computer.

  • If you are installing Certificate Services on Windows Server 2008, add the following features by using the Server Manager console on the computer that is running the Connector Server:

    • Remote Server Administration Tools

    • Role Administration Tools

    • Active Directory Certificate Services Tools

    • AD DS and AD LDS Tools

Configuring SSL Between Connector Server and Microsoft Active Directory

You can configure SSL between Connector Server and Microsoft Active Directory by ensuring that the computer hosting Microsoft Active Directory has LDAP enabled over SSL (LDAPS).

Note:

To configure SSL, the computer hosting the target system and the computer on which the Connector Server is running must be in the same domain.

To enable LDAPS, request a new certificate using the Automatic Certificate Request Setup Wizard.

Configuring SSL Between Connector Server and Microsoft AD LDS

To configure SSL between Connector Server and Microsoft AD LDS, ensure that ADAM is SSL-enabled.

To configure SSL between Connector Server and Microsoft AD LDS, perform the following procedures:
  1. Request a certificate when Microsoft AD LDS is deployed within the connector domain or used as a standalone deployment.

    Note:

    • This procedure can be performed either on the computer on which the Connector Server is running or on the computer hosting the target system.

    • Before you begin generating the certificate, you must ensure that Internet Information Services (IIS) is installed on the target system host computer.

  2. Issue the certificate that you requested earlier when Microsoft AD LDS was deployed within the connector domain in the Microsoft Active Directory Certificate Services window.

  3. In the Microsoft Management Console, add the certificate to the personal store of the Microsoft AD LDS service.

  4. Assign permissions to the MachineKeys folder that contains the certificate key. To do so, add the following groups and users and then grant them the Full Control permission:
    • Administrators

    • Everyone

    • NETWORK SERVICE

    • The user name of the account used to install Microsoft ADAM

    • SYSTEM

    Note that the path to the MachineKeys folder is similar to the following:

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

    Assign the same groups and users to the certificate.

  5. Restart the Microsoft AD LDS instance for the changes to take effect.

  6. Test the certificate from the AD LDS Tools Command Prompt window. If SSL is successfully configured, then status messages about the connection are displayed on the LDAPS window.

Configuring SSL Between Oracle Identity Manager and Connector Server

The following sections provide information about configuring SSL between Oracle Identity Manager and Connector Server:

Exporting the Certificate

Note:

Perform this procedure on the computer hosting the connector server.

To export the certificate that you requested and issued, open the Certificate Export Wizard from the Microsoft Management Console. Export the certificate in the Base-64 encoded X.509 (.CER) file format.

Configuring the Connector Server for SSL

Note:

  • Perform this procedure on the computer hosting the connector server.

  • Connector Server 12c (12.2.1.3.0) can be used with older versions of connectors.

See Configuring the .NET Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for detailed instructions to configure the Connector Server for SSL.

Configuring Oracle Identity Manager for SSL

The following is the procedure to configure Oracle Identity Manager for SSL:

  1. Copy the certificate generated in Exporting the Certificate to the computer on which Oracle Identity Manager is running.
  2. Import the target system certificate into the JDK used by Oracle Identity Manager (running on Oracle WebLogic Application Server) by running the following command:

    keytool -import -keystore MY_CACERTS -file CERT_FILE_NAME -storepass PASSWORD

    In this command:

    • MY_CACERTS is the full path and name of the certificate store (the default is cacerts).

    • CERT_FILE_NAME is the full path and name of the certificate file.

    • PASSWORD is the password of the keystore.

    The following is a sample command:

    keytool -import -keystore /home/testoc4j/OIM/jrockit_160_14_R27.6.5-32/jre/lib/security/cacerts -file /home/ADSSLCer.cer -storepass changeit

  3. Import the target system certificate into the keystore of the application server by running the following command:

    keytool -import -keystore MY_CACERTS -file CERT_FILE_NAME -storepass PASSWORD

    In this command:

    • MY_CACERTS is the full path and name of the certificate store (the default is WEBLOGIC_HOME/server/lib/DemoTrust.jks)

    • CERT_FILE_NAME is the full path and name of the certificate file.

    • PASSWORD is the password of the keystore.

    The following is a sample command:

    keytool -import -keystore WEBLOGIC_HOME/server/lib/DemoTrust.jks -file /home/ADSSLCer.cer -storepass DemoTrustKeyStorePassPhrase

  4. Set the value of the UseSSL parameter of the Connector Server IT resource to true.

Upgrading the Microsoft Active Directory User Management Connector

If you have already deployed an earlier release of this connector, then upgrade the connector to the current release.

The following sections discuss the procedure to upgrade the connector:

Note:

  • Upgrade of the connector from release 9.1.x to 11.1.1.x is supported.

  • Before you perform the upgrade procedure, it is strongly recommended that you create a backup of the Oracle Identity Manager database. Refer to the database documentation for information about creating a backup.

  • As a best practice, first perform the upgrade procedure in a test environment.

Preupgrade Steps

You must perform the following preupgrade steps to prepare your environment for upgrading the connector:

  1. Perform a reconciliation run to fetch all the latest updates into Oracle Identity Manager.

  2. Perform the preupgrade procedure documented in Managing Connector Lifecycle of Administering Oracle Identity Manager.

  3. On the target system, obtain the maximum value of the uSNChanged attribute as follows:

    1. If you are using the connector across multiple domains, then on the domain controller on which the Global Catalog Server is running, navigate to RootDSE, and then look for the RootDSE properties.

    2. If you are using the connector in a single domain, then on the domain controller used for reconciliation, navigate to RootDSE, and then look for the RootDSE properties.

    3. In the RootDSE properties dialog box, search for the highestCommittedUSN attribute, and note down its value together with the name of the domain controller from which you read it. Each domain controller maintains its own USN sequence and USNs are not replicated, so this value is meaningful only for that domain controller. The use of this value is described later in this chapter. Figure 2-3 shows the RootDSE properties dialog box in which the highestCommittedUSN attribute is displayed.

      Figure 2-3 RootDSE Properties Dialog Box

  4. Define the source connector (an earlier release of the connector that must be upgraded) in Oracle Identity Manager. You define the source connector to update the Deployment Manager XML file with all customization changes made to the connector. See Managing Connector Lifecycle of Administering Oracle Identity Manager for more information.

Upgrade Steps

Depending on the environment in which you are upgrading the connector, perform one of the following steps:

  • Development Environment

    Perform the upgrade procedure by using the wizard mode.

  • Staging or Production Environment

    Perform the upgrade procedure by using the silent mode. In the silent mode, use the silent.xml file that is exported from the development environment.

See Managing Connector Lifecycle of Administering Oracle Identity Manager for detailed information about the wizard and silent modes.

Postupgrade Steps

Postupgrade steps involve uploading new connector jars, configuring the upgraded IT resource of the source connector, deploying the Connector Server, and configuring the latest token value of the scheduled job.

The following sections describe the procedures that you must perform after the upgrade operation:

Performing Postupgrade Steps

Postupgrade steps involve performing the following procedure to conclude the upgrade operation:

  1. Perform the postupgrade procedure documented in Managing Connector Lifecycle of Oracle Fusion Middleware Administering Oracle Identity Manager.

  2. If you are using Oracle Identity Manager release 11.1.2.x or later, then all changes made to the Form Designer of the Design Console must be done in a new UI form as follows:

    1. Log in to Oracle Identity System Administration.

    2. Create and activate a sandbox. See Creating and Activating a Sandbox for more information.

    3. Create a new UI form to view the upgraded fields. See Creating a New UI Form for more information about creating a UI form.

    4. Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in Step 2.c), and then save the application instance.

    5. Publish the sandbox. See Publishing a Sandbox for more information.

  3. If you are using Oracle Identity Manager release 11.1.2.x or later and you are upgrading from release 11.1.1.5.0 to 11.1.1.6.0, then perform the following procedure to remove the auxiliary class child form (from the AD User form) that is retained after upgrade:

    1. Create a new version of the upgraded AD User form.

    2. Delete the UD_ADUSRCLS child form, and make the version active.

    3. Run the FVC utility using this newly created form. See Step 4 for detailed information on running the FVC utility.

  4. Run the Form Version Control (FVC) utility to manage user data changes on a form after an upgrade operation. To do so:

    1. In a text editor, open the fvc.properties file located in the OIM_DC_HOME directory and include the following entries:

      ResourceObject;AD User
      FormName;UD_ADUSER
      FromVersion;SPECIFY_THE_VERSION_OF_THE_FORM_USED_BY_USER_ACCOUNTS_CREATED_BY_USING_THE_SOURCE_CONNECTOR
      ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE
      ParentParent;UD_ADUSER_AD;UD_ADUSER_SERVER
      

      Note:

      To determine values for the FromVersion and ToVersion attributes, see Determining Values For the FromVersion and ToVersion Attributes.

      To verify whether you are specifying the correct process form associated with the resource object, perform the procedure described in Verifying If the Correct Process Form is Associated With the Resource Object.

    2. Run the FVC utility. This utility is copied into the following directory when you install the Design Console:

      For Microsoft Windows:

      OIM_DC_HOME/fvcutil.bat

      For UNIX:

      OIM_DC_HOME/fvcutil.sh

      When you run this utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, and the logger level and log file location.

      See Also:

      Using the Form Version Control Utility of Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about the FVC utility

  5. To manage AD Group form changes after an upgrade operation, run the FVC utility by performing the instructions in Steps 4.a and 4.b with the following difference:

    While performing Step 4.a, replace the entries added in Step 4.a with the following:

    ResourceObject;AD Group
    FormName;UD_ADGRP
    FromVersion;SPECIFY_THE_VERSION_OF_THE_FORM_USED_BY_GROUP_RECORDS_CREATED_BY_USING_THE_SOURCE_CONNECTOR
    ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE
    ParentParent;UD_ADGRP_ADSERVER;UD_ADGRP_SERVER
    
  6. To manage AD Organizational Unit form changes after an upgrade operation, run the FVC utility by performing the instructions in Steps 4.a and 4.b with the following difference:

    While performing Step 4.a, replace the entries added in Step 4.a with the following:

    ResourceObject;AD Organizational Unit
    FormName;UD_OU
    FromVersion;SPECIFY_THE_VERSION_OF_THE_FORM_USED_BY_ORGANIZATIONAL_UNIT_RECORDS_CREATED_BY_USING_THE_SOURCE_CONNECTOR
    ToVersion;SPECIFY_THE_VERSION_OF_FORM_THAT_IS_IN_THE_ACTIVE_STATUS_AFTER_THE_UPGRADE
    ParentParent;UD_OU_AD;UD_OU_SERVER
    
  7. If you are upgrading the connector from release 11.1.1.5.0 to 11.1.1.6.0, then run the PostUpgradeScript.sql script as follows:

    Note:

    • Skip this step if you are upgrading the connector directly from release 9.1.x to 11.1.1.6.0.

    • If you first performed an upgrade from release 9.1.x to 11.1.1.5.0, and then are upgrading from release 11.1.1.5.0 to 11.1.1.6.0, then in the PostUpgradeScript.sql file, replace "ADOU" with "OU", and then run the script.

    1. Connect to the Oracle Identity Manager database by using the OIM User credentials.

    2. Run the PostUpgradeScript.sql located in the ConnectorDefaultDir/AD_PACKAGE/upgrade directory.

  8. Deploy the Connector Server.

  9. Re-configure the IT resource of the source connector (an earlier release of the connector that must be upgraded).

  10. Configure the latest token value of the scheduled job as follows:

    The following scheduled jobs contain the Latest Token attribute:

    Active Directory User Target Recon

    Active Directory User Trusted Recon

    Active Directory Group Recon

    Active Directory Organization Recon

    After upgrading the connector, you can perform either full reconciliation or incremental reconciliation. To perform incremental reconciliation, specify the value of the highestCommittedUSN attribute (noted in Preupgrade Steps) as the value of the Latest Token attribute. This ensures that records created or modified since the last reconciliation run (the one that you performed in Preupgrade Steps) are fetched into Oracle Identity Manager. Because USNs are specific to the domain controller they were read from, the scheduled job must reconcile against the same domain controller on which you noted the value; otherwise changes are skipped or processed again. From the next reconciliation run onward, the reconciliation engine automatically enters a value for the Latest Token attribute.

    See Full Reconciliation and Incremental Reconciliation for more information about performing full or incremental reconciliation.

  11. Configure the sync token value of the scheduled job as follows:

    The following scheduled jobs contain the Sync Token attribute:

    Active Directory User Target Delete Recon

    Active Directory User Trusted Delete Recon

    Active Directory Group Delete Recon

    After upgrading the connector, you can perform either full delete reconciliation or incremental delete reconciliation. To perform full delete reconciliation, you must not specify any value for the Sync Token attribute of the scheduled job. To perform incremental delete reconciliation, you must specify the value of the Sync Token attribute in the following format:

    <String>0|{uSNChanged}|{True/False}|{DOMAIN_CONTROLLER}</String>

    In this format, replace:

    • {uSNChanged} with the value of the highestCommittedUSN attribute noted in Preupgrade Steps.

    • {True/False} with one of the following values:

      • True if the Global Catalog Server is used during delete reconciliation runs

      • False if the Global Catalog Server is not used during delete reconciliation runs

    • {DOMAIN_CONTROLLER} with the name of the domain controller on which you located RootDSE while performing the procedure described in Preupgrade Steps.
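    The highestCommittedUSN value and the two token values above lend themselves to scripting. The following PowerShell function is an added example and is not part of the connector documentation or of the connector itself: it reads highestCommittedUSN from the domain controller that reconciliation actually uses (a Global Catalog server in the multi-domain case, or the domain controller configured for reconciliation otherwise) and returns both the Latest Token value for the reconciliation jobs and the Sync Token string for the delete reconciliation jobs, in the format documented above. The function and parameter names are assumptions; it requires the RSAT ActiveDirectory module and read access to RootDSE on the chosen domain controller.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the connector documentation. Function and parameter
# names are assumptions. Reads RootDSE on the DC used for reconciliation and
# derives the Latest Token and Sync Token values for the upgraded scheduled jobs.

function Get-ReconTokenValues {
    [CmdletBinding()]
    param(
        # Multi-domain deployments: reconciliation reads the Global Catalog, so the
        # USN must be taken from a Global Catalog server.
        [switch]$UseGlobalCatalog,

        # Single-domain deployments: the domain controller configured in the
        # Active Directory IT resource for reconciliation (FQDN).
        [string]$DomainController
    )

    if ($UseGlobalCatalog) {
        # Locate a DC that hosts the Global Catalog. With -Discover, HostName can be
        # a collection, so expand it and take the first entry.
        $DomainController = Get-ADDomainController -Discover -Service GlobalCatalog |
            Select-Object -ExpandProperty HostName | Select-Object -First 1
    }
    if (-not $DomainController) {
        throw 'Specify -UseGlobalCatalog or -DomainController <fqdn>.'
    }

    # RootDSE is server specific: highestCommittedUSN is not replicated, so the
    # value is only meaningful together with the DC it was read from. That is why
    # the Sync Token format carries the domain controller name.
    $rootDse = Get-ADRootDSE -Server $DomainController
    $usn     = [int64]"$($rootDse.highestCommittedUSN)"
    $gcFlag  = if ($UseGlobalCatalog) { 'True' } else { 'False' }

    [pscustomobject]@{
        DomainController = $DomainController
        # Value for the Latest Token attribute of the Target/Trusted/Group/Organization Recon jobs
        LatestToken      = $usn
        # Value for the Sync Token attribute of the Delete Recon jobs
        SyncToken        = '<String>0|{0}|{1}|{2}</String>' -f $usn, $gcFlag, $DomainController
    }
}

# Usage (multi-domain):  Get-ReconTokenValues -UseGlobalCatalog
# Usage (single domain): Get-ReconTokenValues -DomainController dc01.corp.example.com
```

    Run the function against the same domain controller that the pre-upgrade reconciliation run used and that the post-upgrade scheduled jobs will use. A token taken from a different domain controller is not comparable, because each domain controller keeps its own USN sequence, and would cause changes to be skipped or replayed.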

Determining Values For the FromVersion and ToVersion Attributes

To determine values for the FromVersion and ToVersion attributes:

  1. Log in to the Design Console.
  2. Expand Development Tools and then double-click Form Designer.
  3. Search for and open the form whose version you are trying to determine. For example, UD_ADUSER.
  4. In the Version Information region, search for and note down the value of the Active Version field, for example, initial version. This is the value of the ToVersion attribute.
  5. In the Operations region, click the Current Version list, and note down the second highest value in the list, for example Immediate Version. This is the value of the FromVersion attribute.

Verifying If the Correct Process Form is Associated With the Resource Object

In the fvc.properties file, you might want to specify the process form name too. To verify whether you are specifying the correct process form associated with the resource object:

  1. Log in to the Design Console.
  2. Expand Process Management and then double-click Process Definition.
  3. Search for and open the process form associated with the resource object.
  4. In the Form Assignment region, note down the value of the Table Name field. This value is the name of the process form that is linked to the process definition and resource object.

About Cloning the Microsoft Active Directory User Management Connector

You can clone the Microsoft Active Directory User Management connector by setting new names for some of the objects that comprise the connector.

The outcome of the process is a new connector XML file. Most of the connector objects, such as Resource Object, Process Definition, Process Form, IT Resource Type Definition, IT Resource Instances, Lookup Definitions, Adapters, Reconciliation Rules and so on in the new connector XML file have new names.

See Also:

Managing Connector Lifecycle of Administering Oracle Identity Manager for detailed information about cloning connectors and the steps mentioned in this section

After a copy of the connector is created by setting new names for connector objects, some objects might contain the details of the old connector objects. Therefore, you must modify the following Oracle Identity Manager objects to replace the base connector artifacts or attribute references with the corresponding cloned artifacts or attributes:

  • IT Resource

    The cloned connector has its own set of IT resources. You must configure both the cloned IT resources, Active Directory and Connector Server, and provide the reference of the cloned Connector Server IT Resource in the cloned Active Directory IT resource. Ensure you use the configuration lookup definition of the cloned connector.

  • Scheduled Task

    The values of the Resource Object Name and IT Resource scheduled task attributes in the cloned connector still refer to the base connector. Replace these values with the names of the corresponding cloned connector artifacts.

  • Lookup Definition

    Verify the lookup entries in all lookup definitions to ensure that there are no references to the old process forms. If there are any, change them to the corresponding new forms.

    For example, after cloning, the Lookup.ActiveDirectory.UM.ProvAttrMap lookup definition contains a reference to a child table such as UD_ADUSRC~Group Name[LOOKUP]. You must change this to include the new value, for example, UD_ADUSRC2~Group Name[LOOKUP].

  • Process Tasks

    After cloning, all event handlers attached to the process tasks are the cloned ones, and the adapter mappings for all process tasks related to parent forms are updated with the cloned artifacts. Therefore, no changes are required for process tasks of parent forms.

    However, the mapping of the childTableName adapter variable must be updated for all process tasks that are associated with the cloned AD IDC Child Table Update adapter. The following predefined process tasks are associated with the AD IDC Child Table Update adapter:

    • Group membership delete

    • Group membership Insert

    • Group membership update

    • Object classes delete

    • Object classes Insert

    • Object classes update

  • Localization Properties

    You must update the resource bundle for each user locale with the new names of the process form attributes so that translations continue to resolve after cloning the connector. You can modify the properties file of your locale in the resources directory of the connector bundle.

    For example, the process form attributes are referenced in the Japanese properties file, ActiveDirectoryIdC_ja.properties, as global.udf.UD_ADUSER_FULLNAME. During cloning, if you change the process form name from UD_ADUSER to UD_ADUSER1, then you must update the process form attributes to global.udf.UD_ADUSER1_FULLNAME.
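    Renaming the form prefix by hand in every locale's properties file is error prone. The following PowerShell function is an added example and is not part of the connector or its documentation: it rewrites the form prefix of all global.udf.* keys in the resource bundles under a given directory, matching only whole form names so that child forms (for example UD_ADUSRC) and keys that already carry the new name are left untouched, and it supports -WhatIf for a dry run. The function name, parameter names and the file filter are assumptions.

```powershell
# Added example, not part of the connector documentation. Parameter names and the
# file filter are assumptions. Renames the process-form prefix of localization
# keys after cloning, e.g.
#   global.udf.UD_ADUSER_FULLNAME  ->  global.udf.UD_ADUSER1_FULLNAME
# Java .properties files are ISO-8859-1, so they are read and written as such.

function Rename-FormKeyPrefix {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$ResourcesDir,  # resources directory of the connector bundle
        [Parameter(Mandatory)] [string]$OldForm,       # e.g. UD_ADUSER
        [Parameter(Mandatory)] [string]$NewForm        # e.g. UD_ADUSER1
    )

    $latin1 = [System.Text.Encoding]::GetEncoding('ISO-8859-1')

    # Anchor on the key prefix and require the field separator after the form
    # name: UD_ADUSER_ matches, but UD_ADUSRC_ or an already renamed UD_ADUSER1_
    # does not, so the function is safe to re-run. Child forms are renamed by a
    # separate call with their own old/new names.
    $pattern     = '(?m)^(global\.udf\.)' + [regex]::Escape($OldForm) + '_'
    $replacement = '${1}' + $NewForm + '_'

    Get-ChildItem -LiteralPath $ResourcesDir -Filter 'ActiveDirectoryIdC*.properties' | ForEach-Object {
        $text  = [System.IO.File]::ReadAllText($_.FullName, $latin1)
        $count = [regex]::Matches($text, $pattern).Count
        if ($count -eq 0) { return }

        if ($PSCmdlet.ShouldProcess($_.Name, "rename $count key(s) $OldForm -> $NewForm")) {
            $updated = [regex]::Replace($text, $pattern, $replacement)
            [System.IO.File]::WriteAllText($_.FullName, $updated, $latin1)
        }
        [pscustomobject]@{ File = $_.Name; KeysRenamed = $count }
    }
}

# Preview first, then apply:
#   Rename-FormKeyPrefix -ResourcesDir .\resources -OldForm UD_ADUSER -NewForm UD_ADUSER1 -WhatIf
#   Rename-FormKeyPrefix -ResourcesDir .\resources -OldForm UD_ADUSER -NewForm UD_ADUSER1
```

    Run the function once per renamed form (parent and child forms separately) and check the KeysRenamed counts against the number of attributes on the form before repackaging the connector bundle.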