Integrating Oracle Identity Manager with Sun Java System Directory Server: Performing User Management and Provisioning
Purpose
This OBE tutorial describes and shows you how to use Oracle Identity Manager to provision a user with a resource. For this tutorial, Robert La Vallie is the user and Sun Java System Directory Server is the resource.
Overview
Oracle Identity Manager is a component of the suite of Oracle Identity and Access Management products. It administers and selectively automates tasks to manage user access privileges across a company’s resources throughout the identity management life cycle. Specifically, Oracle Identity Manager handles tasks for creating user access privileges, modifying these privileges dynamically (based on changes to user and business requirements), and removing user access privileges. As a result, Oracle Identity Manager handles user identity information across multiple identity data stores to maintain data accuracy.
Features and benefits of Oracle Identity Manager include identity and role administration (user and group management, self-service functionalities for users, and delegated administration), provisioning (approval and request management, and configurable workflow models), policy-based entitlements, reconciliation, and attestation support (for audit, regulatory, and compliance purposes).
Linda works as a network administrator for Mydo Main Corporation. In Mydo Main, she performs identity and access management tasks on users within the company. To perform these tasks, she uses Oracle Identity Manager to assign connectors to them. These connectors represent resources to be provisioned to them.
Robert works for Mydo Main Corporation. Because all company employees have access rights to Sun Java System Directory Server, Linda must assign the connector, which represents this resource, to Robert. When this occurs, Linda fills out the electronic form associated with the connector. After she populates the fields of this form, Oracle Identity Manager saves the corresponding values to its database, and uses these values to provision Robert with the resource (that is, Sun Java System Directory Server).
Linda is ready to transfer Oracle Identity Manager connector files and external code files for Sun Java System Directory Server to folders on Oracle Identity Manager Server. By doing so, the associated connector can function with Oracle Identity Manager, and Linda can use it to provision Robert with the corresponding resource (that is, Sun Java System Directory Server).
To copy connector and external code files, perform the following steps:
1.
Shut down Oracle Identity Manager Server, the Administrative and User Console, and the Design Console.
Copy the SJSDSProv.jar file, located in the C:\stage\Oracle Identity Manager Connector Pack 9.1.0\Directory Servers\Sun Java System Directory Server\lib directory.
Note: C:\stage\Oracle Identity Manager Connector Pack 9.1.0 is the base directory for all Oracle Identity Manager connector files.
6.
Paste this file into the C:\OIM91_server\xellerate\JavaTasks directory.
7.
Copy the xlScheduler.jar file, located in the temporary directory Linda created in step 2 of this procedure.
8.
Paste this file into the C:\OIM91_server\xellerate\ScheduleTask directory.
9.
Copy the SJSDSRecon.jar file, located in the C:\stage\Oracle Identity Manager Connector Pack 9.1.0\Directory Servers\Sun Java System Directory Server\lib directory.
10.
Paste this file into the C:\OIM91_server\xellerate\ScheduleTask directory.
11.
Copy all files in the C:\stage\Oracle Identity Manager Connector Pack 9.1.0\Directory Servers\Sun Java System Directory Server\resources directory.
12.
Paste these files into the C:\OIM91_server\xellerate\connectorResources directory.
13.
Create the SJSDS subdirectory within the C:\OIM91_server\xellerate directory.
14.
Copy the C:\stage\Oracle Identity Manager Connector Pack 9.1.0\Directory Servers\Sun Java System Directory Server\test directory.
15.
Paste this directory into the C:\OIM91_server\xellerate\SJSDS directory.
As a result, the test directory and all of its files and subdirectories are nested in the C:\OIM91_server\xellerate\SJSDS directory.
16.
Copy the C:\stage\Oracle Identity Manager Connector Pack 9.1.0\Directory Servers\Sun Java System Directory Server\xml directory.
17.
Paste this directory into the C:\OIM91_server\xellerate\SJSDS directory.
As a result, the xml directory and all of its files are nested in the C:\OIM91_server\xellerate\SJSDS directory.
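The copy steps above can be scripted and then checked, rather than done file by file in Windows Explorer. The following Python script is an added example; it is not part of this OBE or of the connector pack. It encodes the source-to-destination mapping of the procedure (xlScheduler.jar is passed in separately, because the OBE takes it from a temporary directory), performs the copies, and then lists any expected destination that is still missing. The connector pack base directory, the xellerate directory and the scheduler JAR path are parameters; run_demo builds a constructed stand-in for the connector pack (placeholder files, not the real JARs) in a temporary directory so the script can be exercised without the real files.

```python
import shutil
import tempfile
from pathlib import Path

# Location of the Sun Java System Directory Server connector inside the connector pack
# (relative to its base directory, C:\stage\Oracle Identity Manager Connector Pack 9.1.0).
CONNECTOR_SUBDIR = Path("Directory Servers") / "Sun Java System Directory Server"

# Single files: (source relative to the connector pack base, destination relative to xellerate)
FILE_COPIES = [
    (CONNECTOR_SUBDIR / "lib" / "SJSDSProv.jar", Path("JavaTasks") / "SJSDSProv.jar"),
    (CONNECTOR_SUBDIR / "lib" / "SJSDSRecon.jar", Path("ScheduleTask") / "SJSDSRecon.jar"),
]
# Whole directories nested under the SJSDS subdirectory
DIR_COPIES = [
    (CONNECTOR_SUBDIR / "test", Path("SJSDS") / "test"),
    (CONNECTOR_SUBDIR / "xml", Path("SJSDS") / "xml"),
]
RESOURCES_DIR = CONNECTOR_SUBDIR / "resources"  # every file here goes to connectorResources

# Everything that must exist under xellerate once the procedure is complete
EXPECTED = [
    Path("JavaTasks") / "SJSDSProv.jar",
    Path("ScheduleTask") / "xlScheduler.jar",
    Path("ScheduleTask") / "SJSDSRecon.jar",
    Path("connectorResources"),
    Path("SJSDS") / "test",
    Path("SJSDS") / "xml",
]


def stage_connector(pack_base, xellerate, scheduler_jar):
    """Copy the connector and external code files into the OIM server tree.

    pack_base     - connector pack base directory
    xellerate     - the OIM server's xellerate directory (C:\\OIM91_server\\xellerate)
    scheduler_jar - path of xlScheduler.jar in the temporary directory the OBE refers to
    Returns the list of destination paths written.
    """
    pack_base, xellerate, scheduler_jar = Path(pack_base), Path(xellerate), Path(scheduler_jar)
    written = []
    for src_rel, dst_rel in FILE_COPIES:
        dst = xellerate / dst_rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        written.append(Path(shutil.copy2(pack_base / src_rel, dst)))
    dst = xellerate / "ScheduleTask" / "xlScheduler.jar"
    dst.parent.mkdir(parents=True, exist_ok=True)
    written.append(Path(shutil.copy2(scheduler_jar, dst)))
    res_dst = xellerate / "connectorResources"
    res_dst.mkdir(parents=True, exist_ok=True)
    for f in sorted((pack_base / RESOURCES_DIR).iterdir()):
        if f.is_file():  # only the files in resources/, as the procedure says
            written.append(Path(shutil.copy2(f, res_dst / f.name)))
    for src_rel, dst_rel in DIR_COPIES:
        dst = xellerate / dst_rel
        shutil.copytree(pack_base / src_rel, dst, dirs_exist_ok=True)
        written.append(dst)
    return written


def missing_after_staging(xellerate):
    """Return the expected destinations that do not exist (empty list means complete)."""
    xellerate = Path(xellerate)
    return [str(rel) for rel in EXPECTED if not (xellerate / rel).exists()]


def run_demo():
    """Build a constructed stand-in for the connector pack (placeholder JARs and
    resource files, not the real ones) and stage it into a throw-away xellerate tree.
    Returns (missing before staging, missing after staging, number of paths written)."""
    with tempfile.TemporaryDirectory() as tmp:
        pack = Path(tmp) / "pack"
        conn = pack / CONNECTOR_SUBDIR
        for sub in ("lib", "resources", "test", "xml"):
            (conn / sub).mkdir(parents=True)
        (conn / "lib" / "SJSDSProv.jar").write_bytes(b"placeholder")
        (conn / "lib" / "SJSDSRecon.jar").write_bytes(b"placeholder")
        (conn / "resources" / "iPlanet.properties").write_text("# constructed\n")
        (conn / "test" / "config.properties").write_text("# constructed\n")
        (conn / "xml" / "iPlanetResourceObject.xml").write_text("<!-- constructed placeholder -->\n")
        scheduler = Path(tmp) / "temp" / "xlScheduler.jar"  # stands in for the temporary directory
        scheduler.parent.mkdir()
        scheduler.write_bytes(b"placeholder")
        xellerate = Path(tmp) / "OIM91_server" / "xellerate"
        before = missing_after_staging(xellerate)
        written = stage_connector(pack, xellerate, scheduler)
        after = missing_after_staging(xellerate)
        return before, after, len(written)


if __name__ == "__main__":
    print(run_demo())
```

Run missing_after_staging against the real xellerate directory after the copies to confirm nothing was skipped; every entry it prints corresponds to one step of the procedure above.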
Linda copied Oracle Identity Manager connector files and external code files for Sun Java System Directory Server to folders on Oracle Identity Manager Server. She is ready to configure Oracle Identity Manager Server so that the associated connector can function with Oracle Identity Manager, and Linda can use it to provision Robert with the corresponding resource (that is, Sun Java System Directory Server).
In the previous section of this OBE, Linda transferred Oracle Identity Manager connector files and external code files for Sun Java System Directory Server to folders on Oracle Identity Manager Server. She is ready to configure Oracle Identity Manager Server so that the associated connector can function with Oracle Identity Manager, and Linda can use it to provision Robert with the corresponding resource (that is, Sun Java System Directory Server).
Linda must perform the following actions to configure Oracle Identity Manager Server:
Clear content related to connector files from the Server cache. In the previous section of this OBE, Linda copied connector and external code files to folders on Oracle Identity Manager Server. She copied some files to the C:\OIM91_server\xellerate\connectorResources folder. Whenever a file is added or modified in this folder, content related to connector files must be cleared from the Server cache.
Enable logging. By enabling logging, Oracle Identity Manager stores information in a log file about events that occur during provisioning and reconciliation operations. In addition, by customizing the log level, Linda can specify the type of event for which she wants logging to take place.
To configure Oracle Identity Manager Server, perform the following steps:
1.
Open a DOS window. To do so, from the Windows Start Menu, select Run.
2.
On the Run window, enter cmd in the Open field and click OK.
3.
On the DOS window, navigate to the C:\OIM91_server\xellerate\bin directory.
4.
Enter PurgeCache.bat ConnectorResourceBundle at the DOS prompt.
5.
Press Enter. Oracle Identity Manager empties the content from its Server cache. After the cache is cleared, a DOS prompt appears.
Note: The java.lang.NullPointerException message appears because the cache is being purged, along with the cache’s reference point.
Linda cleared content related to connector files from the Server cache. She is ready to enable logging for Oracle Identity Manager Server.
6.
In Windows Explorer, navigate to the C:\OIM91_server\xellerate\config directory.
7.
Using Microsoft Notepad, open the log.properties file.
8.
Locate the log4j.logger.XELLERATE=WARN line of code.
9.
Add the following line of code to this file:
log4j.logger.XL_INTG.SJSDS=WARN
Note: By setting the log level for Sun Java System Directory Server (SJSDS), Oracle Identity Manager logs information about events with that level that occur during provisioning and reconciliation with this resource.
10.
Save and close the log.properties file.
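Steps 6 to 10 are a one-line edit, but hand edits of log.properties tend to end up duplicated or placed inconsistently when repeated on several servers. The following Python helper is an added example, not part of this OBE or of Oracle Identity Manager: it inserts log4j.logger.XL_INTG.SJSDS=WARN directly after the log4j.logger.XELLERATE line, leaves the file unchanged when the line is already there, and collapses duplicates. SAMPLE_LOG_PROPERTIES is a constructed excerpt; only the XELLERATE line in it is taken from the tutorial.

```python
from pathlib import Path

# Constructed excerpt of a log.properties file; only the XELLERATE line comes from the OBE.
SAMPLE_LOG_PROPERTIES = (
    "log4j.rootLogger=WARN,stdout\n"
    "log4j.logger.XELLERATE=WARN\n"
    "log4j.logger.XELLERATE.DDM=DEBUG\n"
)


def ensure_logger_level(contents, logger="XL_INTG.SJSDS", level="WARN",
                        anchor="log4j.logger.XELLERATE"):
    """Return contents with exactly one 'log4j.logger.<logger>=<level>' line.

    If the logger already has a line, its level is set to `level` and any duplicate
    lines are dropped. Otherwise the line is inserted directly after the anchor line
    (the log4j.logger.XELLERATE line from step 8), or appended if the anchor is absent.
    Lines are matched on their exact 'key=' prefix, so XELLERATE.DDM is not mistaken
    for the XELLERATE anchor.
    """
    key = f"log4j.logger.{logger}"
    wanted = f"{key}={level}"
    out, done, insert_at = [], False, None
    for line in contents.splitlines():
        stripped = line.strip()
        if stripped.startswith(key + "="):
            if not done:
                out.append(wanted)
                done = True
            continue  # drop duplicates of the logger line
        out.append(line)
        if insert_at is None and stripped.startswith(anchor + "="):
            insert_at = len(out)  # position right after the anchor line
    if not done:
        out.insert(len(out) if insert_at is None else insert_at, wanted)
    return "\n".join(out) + "\n"


def configure_log_file(path, **kwargs):
    """Apply ensure_logger_level to a log.properties file in place.
    Returns True if the file was changed, False if it already had the line."""
    p = Path(path)
    original = p.read_text()
    updated = ensure_logger_level(original, **kwargs)
    if updated != original:
        p.write_text(updated)
        return True
    return False


if __name__ == "__main__":
    print(ensure_logger_level(SAMPLE_LOG_PROPERTIES))
```

To apply it to the server, call configure_log_file(r"C:\OIM91_server\xellerate\config\log.properties"); the boolean it returns tells you whether the file actually changed, which is useful when the same script is run on more than one server.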
Linda configured Oracle Identity Manager Server by clearing content related to connector files from the Server cache and setting the log level for the Server.
She is ready to import an XML file, which represents a connector for Sun Java System Directory Server, into her company's Oracle Identity Manager environment. As a result, she can assign this connector to Robert to provision him with the associated resource (that is, a Sun Java System Directory Server).
Because Robert works for Mydo Main Corporation, he must have access rights to Sun Java System Directory Server. For Robert to receive this resource, Linda must import an XML file, which represents a connector for Sun Java System Directory Server, into her company's Oracle Identity Manager environment. Then, she can assign this connector to Robert to provision him with the resource.
To import a connector, perform the following steps:
1.
Restart Oracle Identity Manager Server, and the Administrative and User Console.
2.
Populate the fields of the Oracle Identity Manager Administrative and User Console login page, as follows (and click Login):
Field      Value
User ID    xelsysadm
Password   abcd1234
3.
Open the Import form (found in the Deployment Management folder of the Oracle Identity Manager Explorer).
Note: If a Popup Blocker message appears, enable pop-ups for the Web browser. Then, repeat steps 2-3.
4.
On the Warning – Security window, click Yes.
5.
On the “Select a file for import” window, select the folder path where the import file resides, along with the name of the XML file. For this OBE, select the iPlanetResourceObject.xml file, found in the C:\OIM91_server\xellerate\SJSDS\xml directory.
Note: The iPlanetResourceObject.xml file represents the connector for Sun Java System Directory Server that Linda is importing into her company's Oracle Identity Manager environment.
6.
After selecting the iPlanetResourceObject.xml file, click Open.
7.
On the Deployment Manager window, click Add File.
8.
On the Deployment Manager – Import window, click Next.
9.
On the Confirmation window, click Next.
10.
On the Deployment Manager window, click Skip.
11.
On the Deployment Manager window, click Skip.
Note: In the section of this OBE titled Making the Connector Operable, Linda specifies values Oracle Identity Manager uses to access Sun Java System Directory Server as an administrator for provisioning purposes. Therefore, she does not have to provide parameter values for either Deployment Manager window at this time.
12.
On the Confirmation window, click View Selections.
13.
On the Deployment Manager – Import window, click Import.
14.
On the Confirmation window, click Import.
15.
On the Success window, click OK.
Important: Depending on the RAM of the computer that houses Mydo Main's Oracle Identity Manager environment, this step may take up to five minutes to complete.
Note: The Success window indicates that the XML file (that is, the iPlanetResourceObject.xml file) was imported successfully. As a result, the corresponding connector for Sun Java System Directory Server, represented by this file, is also imported.
16.
Close the Deployment Manager – Import window.
Now that Linda imported a connector for Sun Java System Directory Server, she is ready to configure this connector to operate it in her company's Oracle Identity Manager environment.
In the previous section of this OBE, Linda imported a connector for Sun Java System Directory Server into her company's Oracle Identity Manager environment. Now, she must configure this connector so that it is operable within the environment.
This includes the following:
Recompiling the adapters Linda imported (along with the other components of the connector). She must recompile these adapters; otherwise, their code cannot reside within the application server associated with Mydo Main's Oracle Identity Manager environment, and they cannot function.
Creating a definition that contains the administrative credentials Oracle Identity Manager requires to provision Robert with a specific resource. For this OBE, the resource is a Sun Java System Directory Server, which has the following administrative credentials:
Parameter                     Value
Admin Id                      cn=Directory Manager
Admin Password                dead_line
CustomizedReconQuery          [leave empty]
Last Recon TimeStamp          20070801170000Z
Port                          53016
Prov Attribute Lookup Code    AttrName.Prov.Map.iPlanet
Recon Attribute Lookup Code   AttrName.Recon.Map.iPlanet
Root DN                       dc=oracle,dc=com
SSL                           false
Server Address                localhost
Use XL Org Structure          false
To make the connector operable, perform the following steps:
1.
Restart the Oracle Identity Manager Design Console.
2.
Populate the fields of the Oracle Identity Manager Design Console login window, as follows (and click Login):
Field      Value
User ID    xelsysadm
Password   abcd1234
The Oracle Identity Manager Design Console appears.
3.
Double-click the Adapter Manager form (found in the Development Tools folder of the Oracle Identity Manager Explorer).
A list of adapters appears.
Note: Linda imported these adapters in the section of this OBE titled Importing a Connector.
4.
Select the Compile All option. Click Start.
Oracle Identity Manager begins to recompile the adapters.
After all adapters are recompiled, an OK message appears in the Status column for each adapter. The adapters are recompiled successfully, and can be used in Mydo Main's Oracle Identity Manager environment.
Important: If any adapters have a status of Recompile (instead of OK), repeat step 4. This should ensure each imported adapter has an OK status.
5.
Double-click the IT Resources form (found in the Resource Management folder of the Oracle Identity Manager Explorer).
6.
In the Name field, enter iPlanet IT Resource.
7.
Double-click the Type lookup field (in the Type text field). From the Lookup window that appears, select LDAP Server. Click OK.
8.
Click Save. The parameters for the IT resource appear.
9.
Enter values for the parameters of the IT resource, as follows (double-click each Value field to enter the value):
Parameter                     Value
Admin Id                      cn=Directory Manager
Admin Password                dead_line
CustomizedReconQuery          [leave empty]
Last Recon TimeStamp          20070801170000Z
Port                          53016
Prov Attribute Lookup Code    AttrName.Prov.Map.iPlanet
Recon Attribute Lookup Code   AttrName.Recon.Map.iPlanet
Root DN                       dc=oracle,dc=com
SSL                           false
Server Address                localhost
Use XL Org Structure          false
Note: For security purposes, the password appears as a series of asterisks. Also, for more information about parameters and values for the iPlanet IT Resource, refer to the Oracle Identity Manager Connector Guide for Sun Java System Directory Server.
10.
Click Save.
Linda defined an IT resource for Sun Java System Directory Server.
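Before the IT resource is saved, its parameter values are worth checking mechanically, because a malformed Root DN, port or timestamp only shows up later as a failed provisioning task. The following Python checker is an added example, not part of this OBE or of the connector. It validates the parameters from step 9 the way a reviewer would: required values present, Port numeric, Root DN well formed, Last Recon TimeStamp in LDAP generalized time; and it raises two hardening caveats: with SSL=false the Admin Password and every password Oracle Identity Manager sets are sent to the directory unencrypted (reported as informational here, since Server Address is localhost, and as a warning for any other host), and cn=Directory Manager is the directory's unrestricted root account rather than a dedicated provisioning account scoped to the Root DN subtree. The dictionary of values is copied from the table above; the severity levels, the simplified DN pattern and the function names are this example's own conventions.

```python
import re
from datetime import datetime

# IT resource parameters exactly as entered in step 9 of the tutorial.
IPLANET_IT_RESOURCE = {
    "Admin Id": "cn=Directory Manager",
    "Admin Password": "dead_line",
    "CustomizedReconQuery": "",
    "Last Recon TimeStamp": "20070801170000Z",
    "Port": "53016",
    "Prov Attribute Lookup Code": "AttrName.Prov.Map.iPlanet",
    "Recon Attribute Lookup Code": "AttrName.Recon.Map.iPlanet",
    "Root DN": "dc=oracle,dc=com",
    "SSL": "false",
    "Server Address": "localhost",
    "Use XL Org Structure": "false",
}

# Parameters that must not be left empty for the LDAP Server IT resource type.
REQUIRED = ("Admin Id", "Admin Password", "Port", "Prov Attribute Lookup Code",
            "Recon Attribute Lookup Code", "Root DN", "SSL", "Server Address")
# Simplified DN syntax: attr=value pairs separated by commas (escaped commas not handled).
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")


def check_it_resource(params):
    """Return a list of (severity, message) findings for an LDAP Server IT resource.
    Severities are "error" (the resource will not work), "warning" and "info"."""
    findings = []
    for name in REQUIRED:
        if not params.get(name, "").strip():
            findings.append(("error", f"{name} is empty"))
    # Port must be a TCP port number.
    port = params.get("Port", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(("error", f"Port {port!r} is not a valid TCP port"))
    # Root DN must be a syntactically valid DN; users are created beneath it.
    if not DN_RE.match(params.get("Root DN", "")):
        findings.append(("error", f"Root DN {params.get('Root DN')!r} is not a DN"))
    # Last Recon TimeStamp uses LDAP generalized time, YYYYMMDDHHMMSSZ.
    ts = params.get("Last Recon TimeStamp", "")
    if ts:
        try:
            datetime.strptime(ts, "%Y%m%d%H%M%SZ")
        except ValueError:
            findings.append(("error", f"Last Recon TimeStamp {ts!r} is not YYYYMMDDHHMMSSZ"))
    ssl = params.get("SSL", "").strip().lower()
    if ssl not in ("true", "false"):
        findings.append(("error", f"SSL must be true or false, got {ssl!r}"))
    elif ssl == "false":
        host = params.get("Server Address", "")
        # A simple bind without TLS carries the Admin Password, and every password
        # OIM sets during provisioning, in clear text. On a loopback address that
        # stays on the host; anywhere else it is on the network.
        sev = "info" if host in ("localhost", "127.0.0.1", "::1") else "warning"
        findings.append((sev, f"SSL=false: bind and provisioned passwords are sent unencrypted to {host}"))
    # cn=Directory Manager is the server's unrestricted root account; a dedicated
    # service account limited to the Root DN subtree is the least-privilege choice.
    if params.get("Admin Id", "").strip().lower() == "cn=directory manager":
        findings.append(("warning", "Admin Id is the Directory Manager root account; "
                                    "prefer a dedicated provisioning account scoped to the Root DN subtree"))
    return findings


def has_errors(findings):
    """True when any finding would stop the IT resource from working."""
    return any(sev == "error" for sev, _ in findings)


if __name__ == "__main__":
    for sev, msg in check_it_resource(IPLANET_IT_RESOURCE):
        print(f"{sev:8} {msg}")
```

With the tutorial's values the checker reports no errors, one informational finding for SSL=false on localhost and one warning about the Directory Manager account; the same values with Server Address pointing at a remote host turn the SSL finding into a warning.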
Important: Before Linda can proceed further, she must start Sun ONE Server Console. To do so:
Within Windows Explorer, double-click the startconsole.exe file (found in the C:\Program Files\Sun\MPS directory). Linda created this directory when she installed Sun Java System Directory Server.
Populate the Sun ONE Server Console Login window, as follows (and click OK):
Field                Value
User ID              admin
Password             dead_line
Administration URL   http://localhost:53017
Note: For security purposes, the password appears as a series of asterisks.
In the previous section of this OBE, Linda configured the connector for Sun Java System Directory Server so that it is operable within Mydo Main's Oracle Identity Manager environment. She is ready to assign this connector to Robert, the user transferred into Oracle Identity Manager in the OBE titled Using the Generic Technology Connector (GTC) Framework: Performing Flat-File Reconciliation.
After Linda assigns the connector to Robert, she fills out the electronic form associated with the connector. Then, Oracle Identity Manager saves the corresponding values to its database, and uses these values to provision Robert with the resource (that is, Sun Java System Directory Server).
To assign the connector to the user, perform the following steps:
1.
Open the Manage User form of the Administrative and User Console (found in the Users folder of the Oracle Identity Manager Explorer).
From the result set, click the link that contains the ID for RLAVALLI.
4.
On the User Detail form, select Resource Profile from the combo box.
5.
On the Resource Profile form, click Provision New Resource.
Note: The “Resources Not Found” message appears because no Oracle Identity Manager connectors are currently assigned to this user.
6.
On the Select a Resource panel, select the iPlanet User connector. Click Continue.
Note: The iPlanet User connector represents the Sun Java System Directory Server resource.
Linda is ready to populate the fields of the custom process form, contained within this connector, and save this information to the database. By doing so, Oracle Identity Manager provisions the target user with access rights to the corresponding resource (for this OBE, Sun Java System Directory Server).
7.
On the Verify Resource Selection panel, click Continue.
8.
Populate the custom process form, as follows (and click Continue):
Field      Value
Password   rlavalli
Server     iPlanet IT Resource
Note: For security purposes, the password appears as a series of asterisks.
9.
On the iPlanet User Role panel, click Continue.
10.
On the iPlanet User Group panel, click Continue.
11.
On the Verify Process Data panel, click Continue.
12.
Click the Back to User Resource Profile link.
The Resource Profile form appears.
The status of the iPlanet User connector, Provisioned, appears in the Status column of the Resource Profile form. Oracle Identity Manager granted access rights to Sun Java System Directory Server for Robert.
Linda is ready to verify that the login credentials for this user, which she specified in the custom process form, can be used to access the resource.
In this OBE, Linda used Oracle Identity Manager to provision a resource (for this OBE, a Sun Java System Directory Server) to a user, whose login credentials are specified in the custom process form.
Now, she must ensure this user is provisioned with the resource. For this OBE, this is accomplished by using Sun ONE Server Console.
To access the resource, perform the following steps:
1.
From Sun ONE Server Console, expand the localhost.oracle.com node. Expand the Server Group node and select the Directory Server item.
2.
Click Open. Click the Directory tab.
3.
Expand the dc=oracle,dc=com node and select the People organization.
RLAVALLI appears in the associated pane. This user is provisioned with Sun Java System Directory Server.