Integrating Oracle Identity Manager with Sun Java System Directory Server: Performing Reconciliation
This OBE tutorial describes and shows you how to use Oracle Identity Manager to reconcile with an external resource automatically. New accounts, as well as changes to existing accounts, can be retrieved and transferred into Oracle Identity Manager. For this tutorial, Jim and Jane function as the users, and Sun Java System Directory Server acts as the resource.

Approximately 2 hours
This OBE tutorial covers the following topics:
Oracle Identity Manager is a highly flexible and scalable enterprise identity management system that controls user accounts and access privileges within enterprise IT resources centrally. It provides the functionalities of provisioning, identity and role administration, approval and request management, policy-based entitlement management, technology integration, and audit and compliance automation. Features and benefits of Oracle Identity Manager include identity and role administration (user and group management, self-service functionalities for users, and delegated administration), provisioning (approval and request management, and configurable workflow models), policy-based entitlements, reconciliation, and attestation support (for audit and compliance purposes).
Linda is employed as a network administrator for Mydo Main Corporation. In Mydo Main, she is responsible for performing identity and access management tasks on various users within the organization. Linda needs to create and maintain users in Oracle Identity Manager so that these users can be provisioned with resources and entitlements in various target systems. She reconciles Oracle Identity Manager with Sun Java System Directory Server, Mydo Main's authoritative source for users. This process, known as trusted source reconciliation, involves identifying new users in Sun Java System Directory Server and creating corresponding records in Oracle Identity Manager. This process also modifies and synchronizes Oracle Identity Manager users whose account information in Sun Java System Directory Server is changed.

Jane is employed in the Product Management department of Mydo Main Corporation. She is a full-time employee, based in Atlanta, and needs to be provisioned with the Sun Java System Directory Server resource. In addition, she manages Jim, who is a contractor for Mydo Main.
Before starting this tutorial, you should:
The purpose of this OBE is for Oracle Identity Manager to retrieve user records from a trusted source. For this OBE, Sun Java System Directory Server functions as the trusted source.

To have Oracle Identity Manager perform trusted source reconciliation with Sun Java System Directory Server, Linda must import two *.xml files into the Oracle Identity Manager environment of Mydo Main. These files are:

- iPlanetResourceObject.xml: This file contains the Oracle Identity Manager connector definitions for Sun Java System Directory Server.
- iPlanetResourceXLObject.xml: This file contains the definition for Sun Java System Directory Server when using it as an authoritative source.

These two files represent an Oracle Identity Manager Connector for this type of directory server. So, by importing these *.xml files, Linda is importing the connector for Sun Java System Directory Server into Oracle Identity Manager. To import this connector, perform the following steps:
1. Launch your Oracle Identity Manager Server, Administrative Console, and Design Console.
   Note: For more information about loading, setting up, or starting Oracle Identity Manager, refer to the OBE titled "Installing Oracle Identity Manager."
2. Log in to your Administrative Console with the "superuser" account for Oracle Identity Manager (that is, enter xelsysadm in the User ID field and abcd1234 in the Password field).
   Note: The first time you log in to Oracle Identity Manager with a particular account, you must select and answer "challenge" questions. These questions are used to verify your identity if you need to reset your password. However, for all subsequent logins with that account, these questions do not appear. Instead, you are taken directly to the Home page of your Oracle Identity Manager Administrative Console. For more information about selecting and answering "challenge" questions, refer to the OBE titled "Installing Oracle Identity Manager."
3. Open the Import form in the Deployment Management folder.
   Note: If the Warning – Security window appears, click the Yes or Grant This Session button, depending on which version of the Web browser is installed on your machine.
4. The "Please choose a file for import" window appears. In this window, select the folder path where the export file resides, along with the name of the *.xml file. For this OBE, you are selecting the iPlanetResourceObject.xml file, which can be found in the E:\OIM_Installs\OIM_CP_900\Directory Servers\Sun Java System Directory Server\Sun Java System Directory Server Rev 4.1.0\xml directory (after unzipping the Sun Java System Directory Server Rev 4.1.0.zip file).
5. Select the iPlanetResourceObject.xml file. Click Open.
6. The Deployment Manager window appears. In this window, click Add File.
7. The Deployment Manager – Import window appears. Click Next.
8. A Confirmation window appears. Click Next.
9. You do not need to provide the parameter values at this time. Click Skip.
10. A Confirmation window appears. Click View Selections.
11. The Deployment Manager – Import window appears. Click Import.
12. A Confirmation window appears. Click Import.
13. A Success window appears, indicating that the iPlanetResourceObject.xml file is imported successfully. Click OK.
14. The Deployment Manager – Import window appears again. You are now ready to import the second *.xml file (that is, the iPlanetResourceXLObject.xml file). To import this file, click Add File.
15. The "Please choose a file for import" window appears. In this window, select the folder path where the export file resides, along with the name of the *.xml file. For this OBE, you are selecting the iPlanetResourceXLObject.xml file, which can be found in the E:\OIM_Installs\OIM_CP_900\Directory Servers\Sun Java System Directory Server\Sun Java System Directory Server Rev 4.1.0\xml directory.
16. Select the iPlanetResourceXLObject.xml file. Click Open.
17. The Deployment Manager window appears. In this window, click Add File.
18. The Deployment Manager – Import window appears. Click Next.
19. A Confirmation window appears. Click Next.
20. The Deployment Manager – Import window appears. Click Import.
21. A Confirmation window appears. Click Import.
22. A Success window appears, indicating that the iPlanetResourceXLObject.xml file is imported successfully. Click OK.

As a result of importing both *.xml files, the connector for Sun Java System Directory Server is also imported into Oracle Identity Manager. Now that Linda has imported this connector, she must configure it so that it is operable within Mydo Main's Oracle Identity Manager environment.
In the previous section of this OBE, Linda imported an Oracle Identity Manager Connector for Sun Java System Directory Server into her corporation's Oracle Identity Manager environment. Now, she must configure this connector so that it is operable within the environment. This includes the following:

- Copying any JAR files that are used for provisioning purposes. For this OBE, Linda is copying the xliIPlanet.jar file into the E:\oracle\oim_server\xellerate\JavaTasks directory.
- Recompiling the adapters that she imported (along with the other components of the Oracle Identity Manager Connector). She must recompile these adapters; otherwise, their code cannot reside within the application server that is associated with Mydo Main's Oracle Identity Manager environment, and they cannot be operable.
- Creating a definition that contains the administrative credentials, which Oracle Identity Manager needs to reconcile with a specific resource. For this OBE, the resource is a Sun Java System Directory Server, which has the following administrative credentials:

| Parameter | Value |
| Admin id | cn=Directory Manager |
| Admin Password | abcd1234 |
| Server Address | ten.mydomain.com |
| Port | 2389 |
| SSL | false |
| Root DN | dc=contractors,dc=com |
| Use XL Org Structure | false |
| Prov Attribute Lookup Code | AttrName.Prov.Map.iPlanet |
| Recon Attribute Lookup Code | AttrName.Recon.Map.iPlanet |
| Last Recon TimeStamp | 0 |

To make the connector operable, perform the following steps:
1. Copy the xliIPlanet.jar file (which resides within the E:\OIM_Installs\OIM_CP_900\Directory Servers\Sun Java System Directory Server\Sun Java System Directory Server Rev 4.1.0\lib directory) to the E:\oracle\oim_server\xellerate\JavaTasks directory.
2. Log in to your Design Console with the "superuser" account for Oracle Identity Manager (that is, enter xelsysadm in the User ID field and abcd1234 in the Password field).
3. Expand the Development Tools folder, and double-click the Adapter Manager node.
4. The list of adapters that Linda imported earlier appears. Select the Compile All option. Click Start. Oracle Identity Manager begins to recompile the adapters. After all adapters are recompiled, an OK message is displayed in the Status column for each adapter. This signifies that the adapters are recompiled successfully and can be used within Mydo Main's Oracle Identity Manager environment.
5. Expand the Resource Management folder, and double-click the IT Resources node.
6. In the Name field, enter iPlanet User.
7. Double-click the Type lookup field (in the Type text field). From the Lookup window that appears, select LDAP Server. Click OK.
8. Click Save.
9. The parameters for the IT resource type appear. Enter the values for the parameters, as follows (double-click each Value field to enter the value):

   | Parameter | Value |
   | Admin id | cn=Directory Manager |
   | Admin Password | abcd1234 |
   | Server Address | ten.mydomain.com |
   | Port | 2389 |
   | SSL | false |
   | Root DN | dc=contractors,dc=com |
   | Use XL Org Structure | false |
   | Prov Attribute Lookup Code | AttrName.Prov.Map.iPlanet |
   | Recon Attribute Lookup Code | AttrName.Recon.Map.iPlanet |
   | Last Recon TimeStamp | 0 |

10. Click Save.
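The following Python script is an added example and is not part of this OBE or of Oracle's connector code. It takes the parameter values from the table above, checks them the way a practitioner would before clicking Save (port range, boolean flags, and that Admin id and Root DN are well-formed DNs, escaped commas included), derives the LDAP URL the connector will contact, and shows how the Last Recon TimeStamp parameter can gate an incremental reconciliation search. Treating Last Recon TimeStamp as milliseconds since the Unix epoch, the modifyTimestamp filter and the inetOrgPerson object class are assumptions of the example, not the connector's documented behaviour. The script also reports the two settings in this table a reviewer would question: SSL set to false, and use of the directory's Directory Manager account as the reconciliation identity.

```python
"""Validate the 'iPlanet User' IT resource parameters before saving them.

Added example, not Oracle's connector code. Parameter names follow the table
in the tutorial; 'Last Recon TimeStamp' is assumed to hold milliseconds since
the Unix epoch, with 0 meaning 'reconcile everything'.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Constructed copy of the parameter table entered in the Design Console.
IT_RESOURCE_PARAMS = {
    "Admin id": "cn=Directory Manager",
    "Admin Password": "abcd1234",
    "Server Address": "ten.mydomain.com",
    "Port": "2389",
    "SSL": "false",
    "Root DN": "dc=contractors,dc=com",
    "Use XL Org Structure": "false",
    "Prov Attribute Lookup Code": "AttrName.Prov.Map.iPlanet",
    "Recon Attribute Lookup Code": "AttrName.Recon.Map.iPlanet",
    "Last Recon TimeStamp": "0",
}

# One RDN: attribute=value, where the value may contain backslash-escaped commas.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(?:\\.|[^,\\])+$")


def parse_bool(value: str) -> bool:
    """Accept only the literal true/false strings the Design Console expects."""
    if value.lower() == "true":
        return True
    if value.lower() == "false":
        return False
    raise ValueError(f"not a boolean: {value!r}")


def is_dn(value: str) -> bool:
    """Split on unescaped commas and require every RDN to look like attr=value."""
    rdns = re.split(r"(?<!\\),", value)
    return all(RDN_RE.match(rdn.strip()) for rdn in rdns)


@dataclass
class ITResource:
    admin_dn: str
    admin_password: str
    host: str
    port: int
    ssl: bool
    root_dn: str
    last_recon_ms: int

    @property
    def url(self) -> str:
        """ldaps:// when SSL is true, plain ldap:// otherwise."""
        return f"{'ldaps' if self.ssl else 'ldap'}://{self.host}:{self.port}"

    def recon_filter(self, object_class: str = "inetOrgPerson") -> str:
        """Search filter for the next run: every user under Root DN when the
        timestamp is 0, otherwise only entries modified since the last run."""
        base = f"(objectClass={object_class})"
        if self.last_recon_ms == 0:
            return base
        since = datetime.fromtimestamp(self.last_recon_ms / 1000, tz=timezone.utc)
        return f"(&{base}(modifyTimestamp>={since.strftime('%Y%m%d%H%M%SZ')}))"


def load_it_resource(params: dict) -> tuple:
    """Return (resource, warnings); raise ValueError on a malformed value."""
    port = int(params["Port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    for key in ("Admin id", "Root DN"):
        if not is_dn(params[key]):
            raise ValueError(f"{key} is not a DN: {params[key]!r}")
    res = ITResource(
        admin_dn=params["Admin id"],
        admin_password=params["Admin Password"],
        host=params["Server Address"],
        port=port,
        ssl=parse_bool(params["SSL"]),
        root_dn=params["Root DN"],
        last_recon_ms=int(params["Last Recon TimeStamp"]),
    )
    warnings = []
    if not res.ssl:
        warnings.append("SSL=false: the admin bind and every reconciled "
                        "attribute cross the network unencrypted")
    if res.admin_dn.lower() == "cn=directory manager":
        warnings.append("Admin id is the directory's root account; a read-only "
                        "service account scoped to the Root DN subtree is preferable")
    return res, warnings


if __name__ == "__main__":
    resource, notes = load_it_resource(IT_RESOURCE_PARAMS)
    print(resource.url, resource.recon_filter())
    for note in notes:
        print("warning:", note)
```

Run as-is the script prints ldap://ten.mydomain.com:2389 together with the full-reconciliation filter and the two warnings; setting Last Recon TimeStamp to a non-zero value switches the filter to the incremental form.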
Linda configured the Oracle Identity Manager Connector so that it is operable with Mydo Main Corporation's environment. One component of this connector is the iPlanet User process form. This form contains information about the user records Oracle Identity Manager retrieves from Sun Java System Directory Server. This information includes each user's department, geographic location, organization, role, group membership(s), and job titles. However, the definitions that reference this information (that is, the lookup definitions) may not accurately reflect the user-related values, which are transferred into Oracle Identity Manager via reconciliation. As an example, the predefined values for the Department lookup definition are Marketing and Finance. Some users who are brought into Oracle Identity Manager belong to the Development, Product Management, or Human Resources department. Therefore, Linda must modify the Department lookup definition so that it reflects these values. In the next section of this OBE, Linda learns how to modify the lookup definitions, which are contained within the Oracle Identity Manager Connector that she imported and configured.
In the previous section of this OBE, Linda configured a connector so that it is operable with Mydo Main Corporation's Oracle Identity Manager environment. One component of this connector is the iPlanet User custom process form. This form contains information about the user records Oracle Identity Manager retrieves from a trusted source, including each user's department, geographic location, organization, role, group membership(s), and job titles. However, the lookup definitions that reference this information may not accurately reflect the user-related values, which are transferred into Oracle Identity Manager via reconciliation. As an example, the predefined values for the Department lookup definition are Marketing and Finance. Some users who are brought into Oracle Identity Manager belong to the Development, Product Management, or Human Resources department. Therefore, Linda must modify the Department lookup definition so that it contains these values. To modify the lookup definitions, which are contained within the connector that is imported and configured, perform the following steps:
1. Expand the Xellerate Administration folder of the Design Console, and double-click the Lookup Definition node.
2. Enter Lookup.IPNT.Department in the Code field and click Query. The lookup definition for which Linda queried appears. This lookup definition represents the departments to which users can belong.
3. Use the Add button to include the following entries for this lookup definition (double-click each field to enter a value):

   | Code Key | Decode | Language | Country |
   | Development | Development | en | us |
   | Product Management | Product Management | en | us |
   | Human Resources | Human Resources | en | us |

4. Click Save. Linda edited this lookup definition. She is now ready to modify the lookup definition that represents the geographic locations where users can reside.
5. Click New. Oracle Identity Manager clears the contents of the existing lookup definition from the form.
6. Enter Lookup.IPNT.Location in the Code field and click Query. The lookup definition for which Linda queried appears. This lookup definition represents the geographic locations where users can reside.
7. Use the Add button to include the following entries for this lookup definition:

   | Code Key | Decode | Language | Country |
   | Redwood Shores | Redwood Shores | en | us |
   | Atlanta | Atlanta | en | us |
   | New York | New York | en | us |
   | Los Angeles | Los Angeles | en | us |

8. Click Save. Linda edited this lookup definition. She is now ready to modify the lookup definition that represents the organizations to which users can belong.
9. Click New. Oracle Identity Manager clears the contents of the existing lookup definition from the form.
10. Enter Lookup.IPNT.Organization in the Code field and click Query. The lookup definition for which Linda queried appears. This lookup definition represents the organizations to which users can belong.
11. Use the Delete button to remove the following entries from this lookup definition (highlight each entry and click Delete):

   | Code Key | Decode | Language | Country |
   | ou=People2 | ou=People2 | en | us |
   | ou=People3 | ou=People3 | en | us |

12. Click Save. Linda edited this lookup definition. She is now ready to modify the lookup definition that represents the roles that users can have.
13. Click New. Oracle Identity Manager clears the contents of the existing lookup definition from the form.
14. Enter Lookup.IPNT.Role in the Code field and click Query. The lookup definition for which Linda queried appears. This lookup definition represents the roles that users can have.
15. Use the Delete button to remove the following entries from this lookup definition:

   | Code Key | Decode | Language | Country |
   | cn=cn=nsDisabledRole\,dc=corp\,dc=mphasis\,dc=com,cn=nsAccountInactivationTmp | cn=nsDisabledRole,dc=corp,dc=mphasis,dc=com | en | US |
   | cn=nsAccountInactivation_cos | nsAccountInactivation_cos | en | US |
   | cn=nsDisabledRole | nsDisabledRole | en | US |
   | cn=nsManagedDisabledRole | nsManagedDisabledRole | en | US |

16. Enter Users in the Group field.
17. Click Save. Linda edited this lookup definition. She is now ready to modify the lookup definition that represents the groups of which users can be members.
18. Click New. Oracle Identity Manager clears the contents of the existing lookup definition from the form.
19. Enter Lookup.IPNT.UserGroup in the Code field and click Query. The lookup definition for which Linda queried appears. This lookup definition represents the groups of which users can be members.
20. Use the Delete button to remove the following entries from this lookup definition:

   | Code Key | Decode | Language | Country |
   | cn=GROUP1,ou=Groups | GROUP1 | en | US |
   | cn=GROUP2,ou=Groups | GROUP2 | en | US |
   | cn=GROUP3,ou=Groups | GROUP3 | en | US |

21. Enter Users in the Group field.
22. Click Save. Linda edited this lookup definition. She is now ready to modify the lookup definition that represents the job titles that users can have.
23. Click New. Oracle Identity Manager clears the contents of the existing lookup definition from the form.
24. Enter Lookup.IPNT.UserTitle in the Code field and click Query. The lookup definition for which Linda queried appears. This lookup definition represents the job titles that users can have.
25. Use the Add button to include the following entries for this lookup definition:

   | Code Key | Decode | Language | Country |
   | Mr. | Mr. | en | us |
   | Dr. | Dr. | en | us |
   | Miss | Ms. | en | us |
   | Mrs. | Mrs. | en | us |
   | Honorable | Hon. | en | us |

26. Use the Delete button to remove the following entries from this lookup definition:

   | Code Key | Decode | Language | Country |
   | Mr | Mr | en | us |
   | Doc | Doc | en | us |
   | Mrs | Mrs | en | us |

27. Click Save. Linda edited this lookup definition. All of the lookup definitions, which are contained within the connector she imported and configured, now reflect the values of the user records that are transferred into Oracle Identity Manager via reconciliation.

Trusted source reconciliation results in a user being created within Oracle Identity Manager. The user information can now be maintained and administered using the Oracle Identity Manager user profile form (that is, the Create User form). As time progresses, this form may need to be extended to take into account additional information being sent from the authoritative source. Linda now faces such a scenario and needs to modify the Create User form. In the next section of this OBE, Linda learns how to modify the Create User form.
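To make concrete why every value the trusted source can send must exist in the corresponding lookup definition, here is an added Python example; it is not Oracle Identity Manager's reconciliation engine. It maps constructed directory entries onto Oracle Identity Manager user fields through an assumed reconciliation attribute map (standing in for AttrName.Recon.Map.iPlanet; the directory attribute names are the example's own), stores the Decode value for lookup-backed fields, and produces a create, update, no-change or reject event per entry by comparing against a constructed set of existing users. A department of Sales, which is not a Code Key, is treated here the way Development, Product Management and Human Resources would have been before Linda's edits: the example rejects the entry with an error instead of creating the user. The lookup contents follow the tables in this section.

```python
"""Trusted source reconciliation checked against the lookup definitions.

Added example, not Oracle Identity Manager's reconciliation engine. The recon
attribute map, the directory entries and the existing OIM user records are
constructed here; the lookup contents follow the tutorial's tables.
"""
from dataclasses import dataclass, field

# Lookup definitions after Linda's edits: Code Key -> Decode.
LOOKUPS = {
    "Lookup.IPNT.Department": {k: k for k in (
        "Marketing", "Finance", "Development", "Product Management", "Human Resources")},
    "Lookup.IPNT.Location": {k: k for k in (
        "Redwood Shores", "Atlanta", "New York", "Los Angeles")},
    "Lookup.IPNT.UserTitle": {"Mr.": "Mr.", "Dr.": "Dr.", "Miss": "Ms.",
                              "Mrs.": "Mrs.", "Honorable": "Hon."},
}

# Assumed reconciliation attribute map (stands in for AttrName.Recon.Map.iPlanet):
# OIM user field -> (directory attribute, lookup that constrains it, or None).
RECON_MAP = {
    "User ID": ("uid", None),
    "First Name": ("givenName", None),
    "Last Name": ("sn", None),
    "Department": ("departmentNumber", "Lookup.IPNT.Department"),
    "Location": ("l", "Lookup.IPNT.Location"),
    "Title": ("title", "Lookup.IPNT.UserTitle"),
}


@dataclass
class ReconEvent:
    user_id: str
    action: str                      # "create", "update", "no change" or "reject"
    data: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)


def map_entry(entry: dict) -> tuple:
    """Translate one directory entry into OIM fields, validating lookup-backed ones."""
    data, errors = {}, []
    for oim_field, (ldap_attr, lookup) in RECON_MAP.items():
        raw = entry.get(ldap_attr)
        if raw is None:
            continue
        if lookup is None:
            data[oim_field] = raw
        elif raw in LOOKUPS[lookup]:
            data[oim_field] = LOOKUPS[lookup][raw]   # store the Decode value
        else:
            errors.append(f"{oim_field}={raw!r} is not a Code Key in {lookup}")
    if "User ID" not in data:
        errors.append("entry has no uid; cannot match an OIM user")
    return data, errors


def reconcile(entries: list, oim_users: dict) -> list:
    """Return one event per directory entry, matching existing users on User ID."""
    events = []
    for entry in entries:
        data, errors = map_entry(entry)
        uid = data.get("User ID", entry.get("dn", "?"))
        if errors:
            events.append(ReconEvent(uid, "reject", data, errors))
            continue
        current = oim_users.get(uid)
        if current is None:
            events.append(ReconEvent(uid, "create", data))
        else:
            changed = {k: v for k, v in data.items() if current.get(k) != v}
            events.append(ReconEvent(uid, "update" if changed else "no change", changed))
    return events


# Constructed directory entries (what a search under the Root DN might return).
DIRECTORY_ENTRIES = [
    {"dn": "uid=jane,ou=People,dc=contractors,dc=com", "uid": "jane", "givenName": "Jane",
     "sn": "Doe", "departmentNumber": "Product Management", "l": "Atlanta", "title": "Miss"},
    {"dn": "uid=jim,ou=People,dc=contractors,dc=com", "uid": "jim", "givenName": "Jim",
     "sn": "Smith", "departmentNumber": "Development", "l": "New York"},
    {"dn": "uid=bob,ou=People,dc=contractors,dc=com", "uid": "bob", "givenName": "Bob",
     "sn": "Lee", "departmentNumber": "Sales", "l": "Atlanta"},
]

# Constructed OIM user store before the run: Jim exists, Jane and Bob do not.
OIM_USERS = {"jim": {"User ID": "jim", "First Name": "Jim", "Last Name": "Smith",
                     "Department": "Development", "Location": "Redwood Shores"}}

if __name__ == "__main__":
    for ev in reconcile(DIRECTORY_ENTRIES, OIM_USERS):
        print(ev.user_id, ev.action, ev.data, ev.errors)
```

Running the script yields a create event for Jane (with her title stored as the Decode value Ms.), an update event for Jim carrying only the changed Location, and a reject event for Bob naming the lookup that lacks his department, which is the kind of record an operator should look for after each reconciliation run.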
In the previous section of this OBE, Linda modified the lookup definitions that are contained within the connector she imported and configured. As a result, they reflect the values of the user records that are transferred into Oracle Identity Manager via reconciliation. After a user record is transferred into Oracle Identity Manager, a copy is stored within the Create User form. However, although information may be required for that user to be created, the information may not be available in the form. As an example, a user's role may be that of a contractor, but this role is not available within the form. Or, a field may need to exist in the form, signifying that this user has special privileges with the company's resources. Therefore, Linda needs to modify the Create User form so that it reflects these fields and values. To modify the Create User form, perform the following steps:
1. Expand the Xellerate Administration folder of the Design Console, and double-click the Lookup Definition node.
2. Enter Lookup.Users.Role in the Code field and click Query. The lookup definition for which Linda queried appears. This lookup definition represents the default roles that users can have within Oracle Identity Manager.
   Note: This lookup definition differs from the Lookup.IPNT.Role definition you modified in the section of this OBE titled "Modifying the Lookup Definitions." The Lookup.IPNT.Role lookup definition is associated with the roles a user can have with the Sun Java System Directory Server resource only. The Lookup.Users.Role lookup definition corresponds to a user's roles with all resources.
3. Use the Add button to include the following entry for this lookup definition:

   | Code Key | Decode | Language | Country |
   | Contractor | Contractor | en | US |

4. Enter Users in the Group field.
5. Click Save. Linda edited this lookup definition. As a result, the role of Contractor is now available within the Create User form. Linda is now ready to create a check box for this form. This check box, titled "Special," is reserved for users who have distinctive privileges with the company's resources.
6. Expand the Xellerate Administration folder of the Design Console, and double-click the User Defined Field Definition node.
7. Enter Users in the Form Name field and click Query. The tabs of this form are active, signifying that Linda can create fields for the Create User form. One such field is a check box. This check box, titled "Special," is reserved for users who have distinctive privileges with the company's resources.
8. To create this check box, click the Add button that appears within the User Defined Columns tab.
9. The User Defined Fields window appears. Populate the fields of this window, as follows:

   | Field | Value |
   | Label | Special |
   | DataType | boolean |
   | Field Type | Check Box |
   | Column Name | SPECIAL (it appears as USR_UDF_SPECIAL) |
   | Default Value | 0 (0 indicates that the check box is deselected; 1 signifies that the check box is selected.) |
   | Sequence | 1 |

10. Click Save. Then, click Close.
   Note: If a Closing Form window appears, click Yes.
   Information about the check box Linda created now appears within the User Defined Columns tab of the User Defined Field Definition form.

Linda modified the Create User form. She configured this form so that it contains the role of Contractor. She also created a check box for this form. This check box, titled "Special," is reserved for users who have distinctive privileges with the company's resources.

In the section of this OBE titled "Modifying the Lookup Definitions," Linda edited the lookup definitions that reference the iPlanet User process form. This form contains information about the user records Oracle Identity Manager retrieves from the Sun Java System Directory Server trusted source. This process form also has default values, or values that Oracle Identity Manager uses to populate various fields of the form. However, because Linda modified the lookup definitions, the default values of the process form are no longer synchronized with the values contained within the lookup definitions. Therefore, she must modify the default values so that they reflect the values of the lookup definitions. In the next section of this OBE, Linda learns how to modify the default values of the iPlanet User custom process form.
Linda is now ready to modify the iPlanet User process form. This form contains information about the user records that Oracle Identity Manager retrieves from the Sun Java System Directory Server trusted source. This process form also has default values, or values that Oracle Identity Manager uses to populate various fields of the process form. However, in the section of this OBE titled "Modifying the Lookup Definitions," Linda edited the lookup definitions that reference this form. As a result, the default values of the process form are no longer synchronized with the values contained within the lookup definitions. Therefore, Linda must modify the default values so that they reflect the values of the lookup definitions. To modify the iPlanet User process form, perform the following steps:
1. Expand the Development Tools folder of the Design Console, and double-click the Form Designer node.
2. Enter IPNT_USR in the Table Name field (it appears as UD_IPNT_USR). Click Query. The form for which Linda queried appears.
   Note: The UD_IPNT_USR value represents how the process form is recognized within the database.
3. The default values for the process form appear. Double-click the Default Value field for each of the following values (so that you can delete them):

   | Field | Default Value |
   | Title | Mr |
   | Department | Department1 |
   | Location | Bangalore |

4. Add the following default values to this form (double-click each Default Value field to enter the value):

   | Field | Default Value |
   | Password | abcd1234 |
   | Location | Redwood Shores |

5. Click Save. Linda modified the default values of the iPlanet User process form. As a result, they reflect the values of the lookup definitions that reference this form. However, this process form has two child forms. They are:

   - iPlanet User Role: This child form contains information about the roles users can have. These users are transferred from Sun Java System Directory Server to Oracle Identity Manager via trusted source reconciliation.
   - iPlanet User Group: This child form contains information about the groups to which these users can belong.

   The default values within these child forms must also be synchronized with the values of the lookup definitions that reference them. Therefore, Linda needs to modify these default values accordingly. First, she must modify the default value of the iPlanet User Role child form.
6. Click New. Oracle Identity Manager clears the contents of the existing process form.
7. Enter IPNT_ROL in the Table Name field (it appears as UD_IPNT_ROL). Click Query. The child form for which Linda queried appears.
8. Remove the following default value from the child form:

   | Field | Default Value |
   | Role | cn=User Role |

9. Add the following default value to this form:

   | Field | Default Value |
   | Role | ROLE1 |

10. Click Save. Linda modified the default value of the iPlanet User Role child process form. As a result, it now reflects the value of the lookup definition that references this form. Linda is now ready to modify the default value of the iPlanet User Group child form (the second child form).
11. Click New. Oracle Identity Manager clears the contents of the existing child form.
12. Enter IPNT_GRP in the Table Name field (it appears as UD_IPNT_GRP). Click Query. The child form for which Linda queried appears.
13. Remove the following default value from the child form:

   | Field | Default Value |
   | Group Name | cn=QA Managers,ou=groups |

14. Click Save. Linda modified the default values of the iPlanet User process form, as well as the default values associated with the iPlanet User Role and iPlanet User Group child forms. These values now reflect the values of the lookup definitions that reference this form.

Linda is now ready to create two users within Oracle Identity Manager: Jim and Jane. Jane, who is based in Atlanta, is a full-time employee, and needs to be provisioned with the Sun Java System Directory Server resource. In addition, she is employed in the Product Management department of Mydo Main Corporation. She manages Jim, who is a contractor for Mydo Main. In the next section of this OBE, Linda creates users within Oracle Identity Manager and provisions them with resources.
Linda is now ready to create records for two users within Oracle Identity Manager: Jim and Jane. Jane is employed in the Product Management department of Mydo Main Corporation. She is a full-time employee, based in Atlanta, and manages Jim, a contractor for Mydo Main. Jane needs to be provisioned with the Sun Java System Directory Server resource. However, before Linda can provision Jane with this resource, she needs to start it. Otherwise, Oracle Identity Manager cannot connect to the resource, and Jane cannot be provisioned with it. To create and provision resources for users, perform the following steps:

1. Double-click the Start Sun icon on the Desktop. The Start Sun window appears.