Sunday, May 27, 2012

Oracle Identity Manager 11.1.1.5 Integration With Oracle Identity Analytics 11.1.1.5


Oracle Identity Manager 11.1.1.5 Integration With Oracle Identity Analytics 11.1.1.5

  • At least Oracle Identity Manager version 9.1.0.2 BP17 or version 11.1.1.5.0 (11gR1 PS1) is required. (Oracle Identity Manager 11gR1 (version 11.1.1.3.0) is not supported.)
  • At least Oracle Identity Analytics 11.1.1.5.0 is required.

Step 1: Copy the Required Files From the OIM Server

  • Copy the following Oracle Identity Manager Java API JAR files located in the <OIMDesignConsole>/lib folder to the Oracle Identity Analytics $RBACX_HOME/WEB-INF/lib folder:
    • xlAPI.jar
    • xlCache.jar
    • xlDataObjectBeans.jar
    • xlDataObjects.jar
    • xlScheduler.jar
    • xlUtils.jar
    • xlVO.jar
  • Copy the following JAR files located in the <IDM-HOME>/server/lib folder to the Oracle Identity Analytics $RBACX_HOME/WEB-INF/lib folder:
    • xlCrypto.jar
    • wlXLSecurityProviders.jar
    • xlAuthentication.jar
    • xlLogger.jar
  • Copy the config folder located at <OIMDesignConsole>/config and paste it in the Oracle Identity Analytics $RBACX_HOME/xellerate folder.
  • If using at least Oracle Identity Manager 11.1.1.5.0 ( 11gR1 PS1), copy the following OIM files to the Oracle Identity Analytics $RBACX_HOME/WEB-INF/lib folder:
    • oimclient.jar
    • Use the version located in the <OIMDesignConsole>/lib folder. (Important: Do not use a copy of this JAR file located in any other directory.)
    • iam-platform-utils.jar
    • This file is located in the <OIMDesignConsole>/lib folder.
  • If deploying to a WebLogic application server, and if Oracle Identity Analytics and Oracle Identity Manager are on different WebLogic domains, copy the <WLS-HOME>/server/lib/wlfullclient.jar file to the Oracle Identity Analytics $RBACX_HOME/WEB-INF/lib folder.
          Note - If the wlfullclient.jar file is not present, follow these steps to generate it:
          1.Type cd<WLS-HOME>/server/lib, where <WLS-HOME> is the base WebLogic installation directory
          2.Type java -jar wljarbuilder.jar
          3.Copy the wlfullclient.jar file to the $RBACX_HOME/WEB-INF/lib folder

Step 2: Edit the Oracle Identity Analytics Configuration Files

  • Stop Oracle Identity Analytics.
  • Enable Oracle Identity Manager as a supported provisioning server by editing iam-context.xml in the $RBACX_Home/WEB-INF folder as follows:
    • Uncomment the following lines at the start of iam-context.xml:
                     <import resource="oim-commons-context.xml"/>
                      <import resource="oim-11g-context.xml"/> <!-- This also works with at least Oracle Identity Manager 9.1.0.2 BP17-->
    • Enable the following:
                  <entry key="oracle">
                    <ref bean="oimSolution"/>
                  </entry>
    • Save your changes.
  • Start Oracle Identity Analytics.
  • Edit $RBACX_HOME/conf/oimjdbc.properties. This should contain the Oracle Identity Manager database information.

    • Run the OIA Property Encryption Utility to encrypt the database password located in the oimjdbc.properties file.
    • For details, see the Administrator’s Guide for Oracle Identity Analytics, "Securing Oracle Identity Analytics" chapter, "Understanding the Property Encryption Utility" section.
    • Open the oim-11g-context.xml file for editing and search for the word password.`
    • Comment out the oim.jdbc.password line and uncomment the oim.jdbc.password.encrypted line. The XML should look like the following sample:
                     <property name="URL" value="${oim.jdbc.url}"/>
                     <property name="user" value="${oim.jdbc.username}"/
                     <!--<property name="password" value="${oim.jdbc.password}"/>-->
                     <property name="password" value="${oim.jdbc.password.encrypted}"/>


Step 3: Modify the Oracle Identity Manager Forms Using the Form Designer

In this step you will open Form Designer and, for each OIM resource, add the properties that OIA needs to exchange data with OIM.

  1. Log in to the Oracle Identity Manager Design Console.
  2. Open the Form Designer.
  3. For each Resource, the following properties need to be added to some identified feed for accounts, policies, and entitlements imports:
    1. AccountName - Identifies the unique account in the target system
    2. ITResource - Identifies the unique IT Resource field for the target system
    3. Entitlement - Identifies the account attribute designated for privileges
    4. OIAParentAttribute - This property identifies the parent or mandatory entitlement attributes. Add this property only if you have installed at least OIM 11.1.1.5.0 or at least OIM 9.1.0.2 BP17.

                Complete this step as follows:

      1. Locate the Process Form for the given resource.
      2. Open the child Process Form and create a new version.
      3. Click the Properties tab.
      4. Locate ONLY ONE entitlement field per form, click Add Property, and add the Entitlement = true property setting.
      5. If there are multiple Entitlement child forms, add one Entitlement = true property setting per Entitlement form.
      6. If you have installed at least OIM 11.1.1.5.0 or at least OIM 9.1.0.2 BP17, add the OIAParentAttribute property.
      7. Save the child form and make it active.
      8. Locate the parent process form and create a new version.
      9. Click the Properties tab.
      10. Locate the field that uniquely identifies the account in the target system, click Add Property, and add the AccountName = true
      11. Locate the ITResource field for the target system, click Add Property, and add the ITResource = true property setting.
      12. Save the parent form and make it active.
      13. Repeat for each Resource.
      14. Restart the Oracle Identity Analytics server.

Step 4: Configure the Oracle Identity Manager Data Collection Scheduler


  • Before You Begin - Verify that the OIM installation/upgrade script created the DataCollection Schedule Job in OIM and that the job is enabled but not scheduled for execution. Your integration will not work without this important job.
  • Follow these steps to register the task with OIM:
    1. Enable the DataCollection Schedule task if you are using Oracle Identity Manager 9.1.0.2. (If you are using at least Oracle Identity Manager 11.1.1.5.0, the DataCollection Schedule task is already enabled so you should skip this step.)  To enable the DataCollection Schedule task, open the Design Console, search for the    DataCollection Schedule task, and make it Active.
    2. Enable the following system property in Oracle Identity Manager by setting the value to TRUE:
                 OIM.IsOIAIntegrationEnabled = TRUE

Step 5: Configure Oracle Identity Analytics to Connect to Oracle Identity Manager

         1.Log in to Oracle Identity Analytics.
         2.Choose Administration > Configuration.
         3.Click Provisioning Servers.
         4.Click New Provisioning Server Connection.
                The New Provisioning Server Connection wizard asks you to choose the type of provisioning server connection that you want to create.
         5.From the Type of Provisioning Server Connection drop-down menu, select oracle and click Next.
        6.Complete the form:
    • Server Name - Type the Oracle Identity Manager server name.
    • Xellerate Home - Type the path to the xellerate folder in OIM. (Example: C:\oracle\xellerate)
              If Oracle Identity Manager is on a separate machine, create a local xellerate folder and copy the  config folder from <OIMDesignConsole> in the xellerate folder.
    • Login Config - Type the path to the authentication configuration (auth<AS>.conf) file. (Example: C:\oracle\xellerate\config\authwl.conf)
    • User Name - Enter the OIM user name. (For example, xelsysadm.) The specified OIM user needs to have system administrator privileges.
    • Password - Enter the OIM password.
           7.Click Save.

No comments:

Post a Comment

ForgeRock IAM : OpenDS (Open Directory Server). Importing LDIF files

The most efficient method of importing LDIF data is to take the OpenDJ server offline. Alternatively, you can schedule a task to import the ...