Oracle Identity Governance : Integrating Identity Manager and Identity Analytics

Overview

    Purpose

    This tutorial covers the steps required to integrate Oracle Identity Manager with Oracle Identity Analytics.

    Time to Complete

    Approximately 2 hours.

    Introduction

    Oracle Identity Manager is a class-leading provisioning solution, allowing the delegated administration of accounts and passwords on diverse managed resources, such as ERP systems, databases, and directories.

    Oracle Identity Analytics provides a powerful means of analyzing and certifying the access granted to employees, allowing organizations to meet regulatory requirements for governance and control.

    By integrating Oracle Identity Manager and Oracle Identity Analytics, the data in Oracle Identity Manager can be automatically imported into Oracle Identity Analytics, minimizing manual entry and errors, and reducing the length of the identity governance cycle.

    The scope of the integration in this tutorial is restricted to copying data from Oracle Identity Manager into Oracle Identity Analytics to allow analysis and certification in Oracle Identity Analytics. The reverse flow (updating objects in Oracle Identity Manager as a result of role and policy changes in Oracle Identity Analytics) is not covered in this tutorial.

    In this tutorial, you are the administrator of Example Corporation. You have been given the task of configuring and verifying the integration between Oracle Identity Manager and Oracle Identity Analytics. In your deployment, you have an existing installation of Oracle Identity Manager, which has been integrated with an LDAP directory server.

    Users have already been created in Oracle Identity Manager. A role, Portal User, and an associated access policy Portal User on Corporate LDAP have been created. When a user in Oracle Identity Manager is assigned the Portal User role, a user account is created on the LDAP directory server, and the LDAP account is assigned membership in the LDAP group Portal User.

    After configuring the integration, you import the user, resource and role data from Oracle Identity Manager into Oracle Identity Analytics. You then verify, at each step, that the required data has been correctly imported.

    Hardware and Software Requirements

    The following is a list of hardware and software requirements:

    • Oracle Identity Manager 11gR2
    • Oracle Identity Analytics 11gR1 PS1 BP5 (patch 14831724)

    Prerequisites

    Before starting this tutorial, you should have:

    • Installed and configured Oracle Identity Manager 11gR2
    • Installed an LDAP directory server
    • Created a connector in Oracle Identity Manager 11gR2 to provision accounts on the LDAP directory server
    • Created the Portal User role
    • Created the Portal User on Corporate LDAP access policy on Oracle Identity Manager, which provisions users with accounts and groups on the LDAP directory Server
    • Created users in Oracle Identity Manager, and assigned the Portal User role to the user DBRATTEN
    • Installed and configured Oracle Identity Analytics 11gR1 PS1 BP5

    You should also be familiar with:

    • Working in a Linux environment
    • Editing XML files
    • Basic WebLogic server administration

    Refer to the setup document for details on installing and configuring the environment used in this tutorial. The required artifacts for creating the environment are in the file setup.zip.

    Assumptions

    In this tutorial, RBACX_HOME is the installation directory for Oracle Identity Analytics and in this example has the value /u01/app/oia.

    It is assumed that the exploded WAR file for the Oracle Identity Analytics application is in the rbacx directory below this directory.

    OIM_HOME is the installation directory for Oracle Identity Manager and in this example has the value /u01/app/Oracle/Middleware/Oracle_IDM1.

Verifying Roles and Access Policies in Oracle Identity Manager

    To verify the roles and access policies in Oracle Identity Manager, perform the following steps:

    Sign into the Oracle Identity Manager System Administration console as an administrator user. In this tutorial, the administrator user is xelsysadm and the password is Welcome1.

    The URL is of the form http://<hostname>:<port>/sysadmin.

    Click Access Policies.

    In the Manage Access Policies popup window, click Search Access Policies.

    Select the Access Policy called Portal User on Corporate LDAP.

    Note that the Access Policy Portal User on Corporate LDAP is applied to the role Portal User. This means that users assigned the role Portal User are provisioned with an account on an LDAP directory server.

    Close the Manage Access Policies popup window.

    You have verified that the Access Policy Portal User on Corporate LDAP is applied to the role Portal User.

Verifying User Role Assignments in Oracle Identity Manager

    To verify the roles assigned to a user in Oracle Identity Manager, perform the following steps:

    If prompted, sign into the Oracle Identity Manager Identity Self-Service console as an administrator user. In this tutorial, the administrator user is xelsysadm and the password is Welcome1.

    The URL is of the form http://<hostname>:<port>/identity.

    Click Users.

    Enter DBRATTEN in the User Login field, and click Search.

    Click DBRATTEN in the result list.

    Select the Roles sub-tab.

    Verify that the Portal User role is assigned to the user DBRATTEN.

    Note: The ALL USERS role is a role that Oracle Identity Manager assigns, by default, to every user automatically.

    You have verified that the Portal User role is assigned to the user DBRATTEN.

Verifying Process Form Properties in Oracle Identity Manager

    Oracle Identity Manager prepares account data based on the properties associated with account and resource objects. Most predefined connectors are already configured correctly. For example, the ICF-based LDAP connector used in this tutorial already has these properties set. Older connectors and custom connectors will require further configuration. To verify that the correct properties are set on the account and resource objects, perform the following steps.

    Generate the wlfullclient.jar file and copy it to the OIM_HOME/designconsole/ext directory. To do this, navigate to the server/lib directory under your WebLogic server installation directory, and execute the commands:

    java -jar wljarbuilder.jar
    cp wlfullclient.jar OIM_HOME/designconsole/ext

    Start the Design Console, and sign in as an administrator user. To start the Design Console, open a terminal window, navigate to the OIM_HOME/designconsole directory, and execute the xlclient.sh command. In this tutorial, the administrator user is xelsysadm.

    Open each child process form for the connector. Click the Properties tab, and verify that one (and only one) entitlement field has the property Entitlement, with the value true. Also, verify that this field has the property OIAParentAttribute, with the value true.

    In this tutorial, the LDAP connector has a child process form for LDAP groups, called UD_LDAP_GRP. The entitlement field is Group Name. In the screenshot below, the Group Name field has two properties, Entitlement and OIAParentAttribute, with each value set to true.

    If these properties are not set, create these properties by performing the following steps for each of the child forms.

    1. Create a new version of the form
    2. Select the Properties tab, and click Add Property
    3. Add a property Entitlement, with the value true
    4. Add a property OIAParentAttribute, with the value true
    5. Save the form, and make the new version active

    Open the process form for the connector. Click the Properties tab to make it active. Verify that the field that identifies the account in the target system has the property AccountName, with the value true. Verify that the field that identifies the IT Resource instance has the property ITResource, with the value true.

    In this tutorial, the LDAP connector has the process form UD_LDAP_USR. The User ID field (which identifies the account) has a property AccountName, with the value true. The Server field (which identifies the IT Resource instance) has the property ITResource, with the value true.

    If these properties are not set, create these properties by performing the following steps for the process form.

    1. Create a new version of the form
    2. Select the Properties tab
    3. Select the field that identifies the account (in this example, User ID), and add a property AccountName, with the value true
    4. Select the field that identifies the IT Resource instance (in this example, Server), and add a property ITResource, with the value true
    5. If you created new versions of the associated child process forms, select the Child Tables tab and ensure that the new versions are selected.
    6. Save the process form, and make the new version active

    Close the Design Console window.

    You have verified that the required properties are added to the process forms for the resources in Oracle Identity Manager.

Configuring Oracle Identity Analytics

    To configure Oracle Identity Analytics, you must:

    • Copy the required library files from Oracle Identity Manager to Oracle Identity Analytics
    • Edit the configuration files to activate the integration code
    • Configure Oracle Identity Analytics with connection information

    Copying required library and configuration files to Oracle Identity Analytics

      Copy the required library files from the Oracle Identity Manager installation to the Oracle Identity Analytics installation folder. To do this, execute the following commands in a terminal window:

      cd OIM_HOME/designconsole/lib
      cp xlAPI.jar xlCache.jar xlDataObjectBeans.jar xlDataObjects.jar xlScheduler.jar xlUtils.jar xlVO.jar oimclient.jar iam-platform-utils.jar RBACX_HOME/rbacx/WEB-INF/lib
      cd OIM_HOME/server/lib
      cp xlCrypto.jar wlXLSecurityProviders.jar xlAuthentication.jar xlLogger.jar RBACX_HOME/rbacx/WEB-INF/lib
      cd OIM_HOME/designconsole/ext
      cp wlfullclient.jar RBACX_HOME/rbacx/WEB-INF/lib

      Copy the required configuration directory from the Oracle Identity Manager installation to the Oracle Identity Analytics installation folder. To do this, execute the following commands in a terminal window:

      mkdir RBACX_HOME/xellerate
      cd OIM_HOME/designconsole
      cp -r config RBACX_HOME/xellerate

      You have now copied the required library and configuration files to the Oracle Identity Analytics installation folder.
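The copy steps above are easy to get half right: wlfullclient.jar in particular only exists after wljarbuilder has been run, and a missing jar is not noticed until the Oracle Identity Analytics server fails to start. The following script is an added example (not part of the tutorial, and not Oracle's code) that performs the same copies as the commands above but checks every source jar first and verifies the result afterwards. The jar names and directories are the ones the tutorial lists; the script file name copy_oim_libs.sh and the --run flag are assumptions of this example, and OIM_HOME and RBACX_HOME are passed in as arguments or environment variables.

```shell
#!/bin/sh
# Added example, not part of the tutorial: copy the Oracle Identity Manager
# client libraries and the designconsole/config directory into the Oracle
# Identity Analytics installation, refusing to start the copy if any source
# jar is missing. The jar names and directories are the ones the tutorial
# lists; OIM_HOME and RBACX_HOME are passed as arguments.

# "<subdir under OIM_HOME>:<jar>" tokens, space separated (POSIX sh, no arrays)
OIM_JARS="designconsole/lib:xlAPI.jar designconsole/lib:xlCache.jar \
designconsole/lib:xlDataObjectBeans.jar designconsole/lib:xlDataObjects.jar \
designconsole/lib:xlScheduler.jar designconsole/lib:xlUtils.jar \
designconsole/lib:xlVO.jar designconsole/lib:oimclient.jar \
designconsole/lib:iam-platform-utils.jar \
server/lib:xlCrypto.jar server/lib:wlXLSecurityProviders.jar \
server/lib:xlAuthentication.jar server/lib:xlLogger.jar \
designconsole/ext:wlfullclient.jar"

# check_oim_libs OIM_HOME
# Lists every missing source jar on stderr; returns 1 if any is missing.
# wlfullclient.jar is the usual gap: it only exists after wljarbuilder has run.
check_oim_libs() {
    missing=0
    for entry in $OIM_JARS; do
        src="$1/${entry%%:*}/${entry#*:}"
        [ -f "$src" ] || { echo "missing: $src" >&2; missing=1; }
    done
    return $missing
}

# copy_oim_libs OIM_HOME RBACX_HOME
# Copies all jars into RBACX_HOME/rbacx/WEB-INF/lib (the exploded WAR).
# Runs the check first so a failed copy never leaves a half-populated lib dir.
copy_oim_libs() {
    dest="$2/rbacx/WEB-INF/lib"
    check_oim_libs "$1" || return 1
    [ -d "$dest" ] || { echo "not an exploded OIA WAR: $dest" >&2; return 2; }
    for entry in $OIM_JARS; do
        cp "$1/${entry%%:*}/${entry#*:}" "$dest/" || return 3
    done
}

# verify_oia_libs RBACX_HOME
# Post-copy check: every jar is now present in the OIA lib directory.
verify_oia_libs() {
    for entry in $OIM_JARS; do
        [ -f "$1/rbacx/WEB-INF/lib/${entry#*:}" ] || return 1
    done
}

# copy_oim_config OIM_HOME RBACX_HOME
# Copies designconsole/config to RBACX_HOME/xellerate/config, which is the
# directory the provisioning server connection later refers to.
copy_oim_config() {
    [ -d "$1/designconsole/config" ] || return 1
    mkdir -p "$2/xellerate" && cp -r "$1/designconsole/config" "$2/xellerate/"
}

# Usage from a terminal, with the tutorial's example paths (file name assumed):
#   OIM_HOME=/u01/app/Oracle/Middleware/Oracle_IDM1 RBACX_HOME=/u01/app/oia \
#       sh copy_oim_libs.sh --run
if [ "${1:-}" = "--run" ]; then
    copy_oim_libs "$OIM_HOME" "$RBACX_HOME" && verify_oia_libs "$RBACX_HOME" \
        && copy_oim_config "$OIM_HOME" "$RBACX_HOME" && echo "done"
fi
```

Running the check before any copy is deliberate: if wlfullclient.jar was never generated, the script stops with a clear message instead of leaving the WEB-INF/lib directory partly populated, which would otherwise surface only as a class-loading error when the server starts.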

    Editing Oracle Identity Analytics configuration files

      Shut down the Oracle Identity Analytics server instance.

      Edit the iam-context.xml file in the RBACX_HOME/rbacx/WEB-INF directory.

      Comment the line containing oimg-11g-context.xml, and uncomment the line containing oim-11gR2-context.xml.

      Save the file.

      Before editing:

      After editing:

      Edit the oimjdbc.properties file in the RBACX_HOME/conf directory.

      Change the value of the oim.jdbc.username property to the name of the schema for Oracle Identity Manager. In this example, the schema for Oracle Identity Manager is DEV_OIM.

      Uncomment the line for the oim.jdbc.password property, and change the value to the password of the schema for Oracle Identity Manager. In this example, the password is Welcome1.

      Change the value of the oim.jdbc.url property to reflect the hostname, port and SID of the database hosting the Oracle Identity Manager schema. In this example, the database is on localhost (the same system), is listening on port 1521 and has the SID orcl.

      Save the file.

      Before editing:

      After editing:

      Run the password encryption utility.

      Open a terminal window, and navigate to the RBACX_HOME/conf directory.

      Enter the following command (all on one line):

      java -jar RBACX_HOME/rbacx/WEB-INF/lib/vaau-commons-crypt.jar -encryptProperty -cipherKeyProperties ./cipherKey.properties -propertyFile ./oimjdbc.properties -propertyName oim.jdbc.password

      After running the command, the oim.jdbc.password property is encrypted:

      Edit the RBACX_HOME/rbacx/WEB-INF/log4j.properties file to enable debug logging.

      Change the value for the property log4j.logger.com.vaau.rbacx.iam from WARN to DEBUG.

      Start the Oracle Identity Analytics server instance.
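The properties edits above are small, but two things are worth checking rather than assuming: that the commented-out oim.jdbc.password line really was replaced by an active one, and that the encryption utility actually rewrote the clear-text value before the file is left on disk. The following script is an added example (not part of the tutorial, and not Oracle's code) that applies the oimjdbc.properties and log4j.properties edits with sed and provides those checks. The property names are the ones the tutorial uses; the JDBC URL form jdbc:oracle:thin:@HOST:PORT:SID is the Oracle thin-driver SID syntax the tutorial describes; sed -i is GNU sed (Linux); and the sample properties files used to exercise it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the tutorial's own code: apply the oimjdbc.properties
# and log4j.properties edits with sed instead of by hand, and check afterwards
# that the encryption utility has really replaced the clear-text password.
# Property names are the ones the tutorial uses; the JDBC URL form
# jdbc:oracle:thin:@HOST:PORT:SID is the Oracle thin-driver SID syntax the
# tutorial describes. Requires GNU sed (sed -i).

# set_property FILE KEY VALUE
# Sets KEY=VALUE in a Java properties file. Replaces an active "KEY=" line or
# a commented-out "#KEY=" line (which is how oim.jdbc.password ships), or
# appends the property if it is absent. Other lines are left untouched.
set_property() {
    file=$1 key=$2 value=$3
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')          # escape dots
    val_re=$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')     # escape sed specials
    if grep -q "^#\{0,1\}[[:space:]]*$key_re[[:space:]]*=" "$file"; then
        sed -i "s|^#\{0,1\}[[:space:]]*$key_re[[:space:]]*=.*|$key=$val_re|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY
# Prints the value of the first active (uncommented) KEY line, or nothing.
get_property() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s|^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# configure_oim_jdbc FILE SCHEMA PASSWORD HOST PORT SID
# The three edits the tutorial makes to RBACX_HOME/conf/oimjdbc.properties.
configure_oim_jdbc() {
    set_property "$1" oim.jdbc.username "$2"
    set_property "$1" oim.jdbc.password "$3"
    set_property "$1" oim.jdbc.url "jdbc:oracle:thin:@$4:$5:$6"
}

# password_is_cleartext FILE PLAINTEXT
# Returns 0 while oim.jdbc.password still holds the clear-text value, i.e.
# the vaau-commons-crypt -encryptProperty step has not been run (or failed).
password_is_cleartext() {
    [ "$(get_property "$1" oim.jdbc.password)" = "$2" ]
}

# set_iam_log_level FILE LEVEL
# The tutorial raises log4j.logger.com.vaau.rbacx.iam to DEBUG for the
# verification run; use the same function to set it back to WARN afterwards,
# since DEBUG output from the integration module is verbose and only needed
# while troubleshooting.
set_iam_log_level() {
    set_property "$1" log4j.logger.com.vaau.rbacx.iam "$2"
}

# Usage, with the tutorial's example values (source this file, then):
#   configure_oim_jdbc "$RBACX_HOME/conf/oimjdbc.properties" DEV_OIM Welcome1 localhost 1521 orcl
#   ... run the vaau-commons-crypt -encryptProperty command from the tutorial ...
#   password_is_cleartext "$RBACX_HOME/conf/oimjdbc.properties" Welcome1 && echo "STILL CLEAR TEXT"
#   set_iam_log_level "$RBACX_HOME/rbacx/WEB-INF/log4j.properties" DEBUG
```

The password_is_cleartext check is the one to keep: run it after the encryption command, and treat a zero exit status as a failed step, because a clear-text schema password in RBACX_HOME/conf is readable by anyone with access to that directory.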

    Configuring Oracle Identity Analytics to connect to Oracle Identity Manager

      Sign into Oracle Identity Analytics as the rbacxadmin user. For this tutorial, the user has a password of Welcome1.



      Select Administration > Configuration from the menu.

      Select Provisioning Servers from the sub-menu.


      Click New Provisioning Server Connection.

      Select oracle from the Type of Provisioning Server Connection drop-down list, and click Next.

      In the Connection Name field, enter the name of the Oracle Identity Manager system. In this example, the system is localhost.
      In the Xellerate Home field, enter the name of the RBACX_HOME/xellerate directory. In this example, the directory is /u01/app/oia/xellerate.
      In the Login Config field, enter the name of the RBACX_HOME/xellerate/config/authwl.conf file. In this example, the file is /u01/app/oia/xellerate/config/authwl.conf.
      In the User Name field, enter the name of an Oracle Identity Manager user with system administrator privileges. In this example, the user is xelsysadm.
      In the Password field, enter the password for the system administrator user specified in the previous field. In this example, the password for the xelsysadm user is Welcome1.
      Click Save.

Importing Data from Oracle Identity Manager

    By importing data from Oracle Identity Manager into Oracle Identity Analytics, you populate the Oracle Identity Analytics identity warehouse. The data in the identity warehouse can then be used for certification, auditing, role management and role mining. To import data, the following import jobs must be performed in Oracle Identity Analytics:

    • Importing Resource Metadata
    • Importing Resources
    • Importing Glossary Data
    • Importing Policies
    • Importing Roles
    • Importing Users, Accounts, User Role Memberships, and Entitlements

    Importing Resource Metadata

      If prompted, sign into Oracle Identity Analytics as the rbacxadmin user.

      Select Administration > Configuration from the menu.

      Select Import/Export from the sub-menu.

      Select Schedule Job.

      Select Import Resource Metadata.

      Select the radio button for oim11gR2, and click Next. oim11gR2 is the Provisioning Server connection created previously.

      In the Name field, enter res metadata 1. In the Description field, enter import resource metadata 1. Click Finish.

      Click Completed Jobs.

      Click Refresh until the res metadata 1 job has the status Success. If the job has the status Error, view the server logs and resolve the issue.

      Verify that the resource metadata has been successfully imported. Select Resource Types from the Administration sub-menu.

      Expand the LDAP User entry under Resource Types.

      Verify that the resource metadata items LDAP User Group, LDAP User Role, and General Details are listed.

    Importing Resources

      Navigate to the Import/Export screen by selecting Administration > Configuration from the main menu, and then selecting Import/Export from the sub-menu.

      Click Schedule Job.

      Click Import Resources.

      Select the radio button for oim11gR2, and click Next.

      In the Name field, enter import resources 1. In the Description field, enter import resources 1. Click Finish.

      Click Completed Jobs.

      Click Refresh until the import resources 1 job has the status Success. If the job has the status Error, view the server logs and resolve the issue.

      Verify that the resource Corporate LDAP has been successfully imported. Select Identity Warehouse > Resources from the menu.

      Verify that the Corporate LDAP resource is listed.


    Importing Glossary Data

      Navigate to the Import/Export screen by selecting Administration > Configuration from the main menu, and then selecting Import/Export from the sub-menu.

      Click Schedule Job.

      Click Import Glossary.

      Select the radio button for oim11gR2, and click Next.

      In the Name field, enter import glossary 1. In the Description field, enter import glossary 1. Click Finish.

      Click Completed Jobs.

      Click Refresh until the import glossary 1 job has the status Success. If the job has the status Error, view the server logs and resolve the issue.

    Importing Policies

      Navigate to the Import/Export screen by selecting Administration > Configuration from the main menu, and then selecting Import/Export from the sub-menu.

      Click Schedule Job.

      Click Import Policies.

      Select the radio button for oim11gR2, and click Next.

      Select the checkbox for LDAP User, and click Next. Only policy data relating to the LDAP User resource within Oracle Identity Manager will be imported.

      In the Name field, enter import policies 1. In the Description field, enter import policies 1. Click Finish.

      Click Completed Jobs.

      Click Refresh until the import policies 1 job has the status Completed or Success. If the job has the status Error, view the server logs and resolve the issue.

      Verify that the policies Portal Administrator on Corporate LDAP and Portal User on Corporate LDAP have been successfully imported. Select Identity Warehouse > Policies from the menu.

      Expand the LDAP User entry under Policies, and verify that the policies Portal Administrator on Corporate LDAP and Portal User on Corporate LDAP are listed.

    Importing Roles

      Navigate to the Import/Export screen by selecting Administration > Configuration from the main menu, and then selecting Import/Export from the sub-menu.

      Click Schedule Job.

      Click Import Roles.

      Select the radio button for oim11gR2, and click Next.

      In the Name field, enter import roles 1. In the Description field, enter import roles 1. Click Finish.

      Click Completed Jobs.

      Click Refresh until the import roles 1 job has the status Success. If the job has the status Error, view the server logs and resolve the issue.

      Verify that the roles Portal Administrator and Portal User have been successfully imported. Select Identity Warehouse > Roles from the menu.

      Verify that the roles Portal Administrator and Portal User are listed.

    Importing Users, Accounts, User Role Memberships, and Entitlements

      Navigate to the Import/Export screen by selecting Administration > Configuration from the main menu, and then selecting Import/Export from the sub-menu.

      Click Schedule Job.

      Click Import Users, Accounts, User Role Memberships and Entitlements.

      Select the radio button for oim11gR2, and click Next.

      Select Load all resources defined in the system at the time the job is run, and click Next.

      In the Name field, enter combo import 1. In the Description field, enter combo import 1. Verify that the checkboxes for Users, Entitlements, and User Role Membership are selected. Verify that the radio button for a Full import is selected. Click Finish.

      Click Completed Jobs.

      Click Refresh until the combo import 1 job has the status Success. If the job has the status Error, view the server logs and resolve the issue.

      Verify that the users have been successfully imported. Select Identity Warehouse > Users from the menu.

      Verify that the Search field contains a * (an asterisk) and click Search.

      Select the user DBRATTEN to view the user's record.

      Select the Roles tab in the user's record.

      Verify that the user has the Portal User role assigned.

Summary

    Now that you have completed this tutorial, you have configured the integration between Oracle Identity Analytics and Oracle Identity Manager. By integrating these products, data can be automatically transferred into Oracle Identity Analytics in order to perform certification, auditing, role management and role mining.

    In this tutorial, you have learned how to:

    • Configure Oracle Identity Analytics for integration
    • Import data from Oracle Identity Manager into Oracle Identity Analytics
    • Verify that data is correctly imported

    Resources

    Please refer to the following resources for more information on the products and procedures discussed in this tutorial:

    Credits

    • Lead Curriculum Developer: Deeran Peethamparam
    • Reviewer / Tester : Rober Lavallie
    • Subject Matter Expert / Reviewer: Lex Lim Chee-Mum
