Luminis Platform
Banner Integration Setup Guide
Release 5.0.3
November 2011
Banner®, Colleague®, PowerCAMPUS®, Luminis® and Datatel® are trademarks of Ellucian or its affiliates and are registered in the U.S. and other countries. Ellucian, Advance, DegreeWorks, fsaATLAS, Course Signals, SmartCall, Recruiter, MOX, ILP and WCMS are trademarks of Ellucian or its affiliates. Other names may be trademarks of their respective owners.

© 2010-2011 Ellucian. All rights reserved. The unauthorized possession, use, reproduction, distribution, display or disclosure of this material or the information contained herein is prohibited.

Contains confidential and proprietary information of Ellucian and its subsidiaries. Use of these materials is limited to Ellucian licensees and is subject to the terms and conditions of one or more written license agreements between Ellucian and the licensee in question.

In preparing and providing this publication, Ellucian is not rendering legal, accounting or other similar professional services. Ellucian makes no claims that an institution's use of this publication or the software for which it is provided will guarantee compliance with applicable federal or state laws, rules or regulations. Each organization should seek legal, accounting and other similar professional services from competent providers of the organization's own choosing.

Prepared by Ellucian
4375 Fair Lakes Court
Fairfax, Virginia 22033
United States of America

Revision History

Publication Date: November 2011
Summary: New version that supports Luminis Platform 5.0.3 software.
Contents

Chapter 1 Introduction 1-1
Banner product and setup prerequisites 1-1
Luminis Platform product and setup prerequisites 1-2
Integrate Banner and Luminis Platform: Broker and LMG setup 1-2
Test and validate the integration 1-2
Success criteria 1-2
Banner product dependencies 1-3
Deployment architecture overview 1-4

Chapter 2 Central Authentication Service and Banner Enterprise Identity Services 2-1
CAS server configuration for UDCIdentifier 2-1
Prerequisites 2-2
CAS protocol extension 2-2
Specify bannerValidate parameters 2-3
Returned bannerValidate responses 2-3
Configure the CAS server 2-4
CAS managed services 2-4
Banner CAS client configuration 2-6
Banner Enterprise Identity Services Configuration Information Tables 2-8
Luminis Banner Web application 2-9
Prepare to Install Luminis Platform Portlets for Banner 2-10
Create the home directory for Luminis Channels for Banner 2-11
Edit the configuration file 2-11
Banner database connection configuration properties 2-11
Generate the banportals.ear file 2-14
Deploy the EAR file 2-15
Banner portlet life cycle 2-16

Chapter 3 Data-Level Integration and Provisioning 3-1
Learning Message Gateway 3-1
Background from a Luminis Platform 4 perspective 3-1
Install LMG 4.0 3-2
Set up users and administered objects in o=messaging 3-3
Enable LDAP user repository for MQ 3-5
Set up GlassFish MQ access control 3-5
Custom JMS Clients 3-6
Configure JMS provider with Luminis Platform 3-6

Chapter 4 SSB and INB Integration 4-1
User ID mappings 4-1
Create the o=SCTSSOapplications base DN 4-2
Verify usermap mapping setup for INB users using the proxyinfo.sql script 4-3
Configure user map lookups 4-4
Create an encryption key 4-4
Create entries in LDAP for usermap 4-5
Configure parameters using GUAUPRF 4-6

Appendix A CAS Server Configuration A-1

Appendix B Logs B-1
Banportals logs B-1
Banner Enterprise Identity Services logs B-2
GlassFish MQ and Luminis Platform Message Brokerage logs B-3
Learning Management Gateway (LMG) logs B-4
GlassFish MQ 4.5 logs B-5

Appendix C Sample Scripts and Files C-1
Sample proxyinfo.sql script C-1
Sample 00-core.ldif C-2
Sample 99-user.ldif C-3
Sample sso_oclass_lum5.ldif C-3
Sample o=sctssoapplications.ldif C-4
Full lp5_mqinit.sh script C-5

Troubleshooting T-1
Error message when banproxy is not configured correctly T-1
Banner Enterprise Identity Services - INB SSO T-2
Validating Banner Enterprise Identity Services event streams T-3
Oracle streams/Banner Enterprise Identity Services validation T-4
1 Introduction
Today's higher education institution requires a fully integrated solution that provides automated student information system integration with their portal and web-services delivery program. This guide outlines the steps necessary to configure data and presentation layer integration between the Banner Enterprise Resource Planning (ERP) systems and the Luminis Platform portal offering. Data integration refers to the transfer of user, group, term, department, course and other information from Banner through a Java Message Service (JMS) message queue and into Luminis Platform. Presentation layer integration refers to the setup and configuration necessary to enable CAS integration and single sign-on through Banner Enterprise Identity Services for the suite of Banner portlets.

The steps required to successfully complete Banner and Luminis Platform integration have been categorized into four sections. The first section relates to the Banner General, INB/SSB Middle Tier and Banner Enterprise Identity Services (BEIS) products. The second section relates specifically to the Luminis Platform. The third section outlines the items required to integrate the two. The fourth section provides suggestions on how to validate and fully test your setup. Your specific environment and setup may require variations in the sequence.

This section also contains an overview of the overall integration architecture for integrating Banner with Luminis Platform.
Banner product and setup prerequisites

The following is a list of Banner products you must install before you can integrate Banner and Luminis Platform:

• Banner General: Banner General implemented and configured according to the Banner General instructions.
• Internet Native Banner (INB): INB implemented and configured according to the Middle Tier Implementation Guide.
• Self-Service Banner (SSB): SSB implemented and configured according to the Middle Tier Implementation Guide.
• Channels App: Banner Channels App implemented and configured according to the Luminis-Banner and Banportals installation instructions described later in this guide.
• Banner Enterprise Identity Services (BEIS): implemented and configured according to the Banner Enterprise Identity Services Handbook.
Luminis Platform product and setup prerequisites

Luminis Platform must be installed and operational as a stand-alone application before attempting to integrate with Banner. For information about installing and configuring the CAS server that is included with Luminis Platform, refer to the Luminis Platform 5.0 Installation Guide and the CAS customization steps documented in the Banner Enterprise Identity Services Handbook.

BEIS version 8.1.4 and above support Jasig CAS versions 3.2.1.1, 3.3.1 and 3.4.2. For future Google Apps integration, the CAS server should be configured outside the firewall in the demilitarized zone.

Integrate Banner and Luminis Platform: Broker and LMG setup

The following is a list of the final products you must install before you can integrate Banner with Luminis Platform:

• Open Message Queue 4.5: Install and configure Open Message Queue 4.5. For more information about installing this program, see "Data-Level Integration and Provisioning" on page 3-1 later in this document. You can also reference the documentation located at http://glassfish.java.net.
• Learning Management Message Gateway: Install and customize, or import, LMG. For more information, see "Learning Message Gateway" on page 3-1.
Test and validate the integration

Once the Banner integration setup has been completed, a Banner user must log in to the system and create a page with an embedded portlet. This page should have a URL such as http://<host>:<port>/banner-cas-client/authorized/banner/SelfService. Invoking this page brings up the Banner Self-Service screen.

Success criteria

The successful deployment and configuration of Banner Integration for Luminis Platform is best measured by the resulting ability to authenticate into Luminis Platform and Banner simultaneously, using Central Authentication Service (CAS) to accomplish single sign-on, and to access Banner data and links in the Banner portlets. In addition, the Luminis Platform system should be able to create users and course information in all appropriate content areas, such as the My Courses portlet, whenever a Banner system is updated.
Banner product dependencies

The following components are recommended when configuring the Luminis Platform Banner integration. Refer to the Banner DC Release Interdependency Matrix for additional options.

• Luminis Platform 5.0.2
• Banner Enterprise Identity Services (BEIS) 8.1.3 or higher
• Banner General 8.4
• Banner Student 8.4.1 or 8.5
• Banner Student Self-Service 8.4.1 or 8.5
• Banner Intcomp 8.0.1
• Web Tailor 8.4 or higher
• Internet Native Banner (INB) configured per the Middle Tier Implementation Guide
• GlassFish Server Open Source Edition 3.1 or higher (this includes Open MQ)
• Banner Channels 8.2 or higher
• Central Authentication Service (CAS) 3.4.2, 3.3.1 or 3.2.1.1

Note: CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
Deployment architecture overview

The deployment model for a fully integrated Banner system or Luminis Platform portal and CAS server is illustrated below.

The next few chapters discuss the following topics:

• "Central Authentication Service and Banner Enterprise Identity Services"
• "Data-Level Integration and Provisioning"
• "SSB and INB Integration"
2 Central Authentication Service and Banner Enterprise Identity Services

Central Authentication Service (CAS) is an enterprise Single Sign-On (SSO) solution for Web applications. CAS SSO improves the user experience when running several Web applications that have their own means of authentication. With an SSO solution, users authenticate to one central authentication service and can access other Web applications that have a trust relationship with the central authentication service without a secondary login. For example, if you want to access your portal instance, you are redirected to CAS to log in. CAS authenticates the user credentials and returns a ticket to the browser, which allows access to the portal.

CAS and Banner Enterprise Identity Services (BEIS) are required for the success of single sign-on (SSO) links within Luminis Platform.

This chapter contains the following sections:

• "CAS server configuration for UDCIdentifier"
• "Banner CAS client configuration"
• "Banner Enterprise Identity Services Configuration Information Tables"
• "Luminis Banner Web application"
• "Prepare to Install Luminis Platform Portlets for Banner"

CAS server configuration for UDCIdentifier

This section provides information about configuring the Luminis Platform CAS server to support Banner Enterprise Identity Services (BEIS) or any other SunGard Higher Education products that are UDCIdentifier aware and participate in a CAS SSO session.

Note: CAS versions 3.2.1.1 and 3.3.1 are supported. CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
This section includes the following topics:

• "Prerequisites"
• "CAS protocol extension"
• "Specify bannerValidate parameters"
• "Returned bannerValidate responses"
• "Configure the CAS server"
• "CAS managed services"

Prerequisites

Before implementing CAS with UDCIdentifier, the following prerequisites must be met:

• The identity repository used by the CAS server must be UDCIdentifier aware.
• You must have an understanding of the CAS protocol (2.0) and architecture (3.2).

CAS protocol extension

SunGard Higher Education uses the CAS attribute assertion features to assert additional identity attributes. The SunGard Higher Education CAS protocol is implemented by adding a validation service (bannerValidate) to the CAS server.

Note: The bannerValidate service is similar to the serviceValidate feature available in the JA-SIG CAS server reference implementation.

Upon successful CAS authentication, the CAS client validation filter calls the bannerValidate service to get information for the enterprise user. The service checks the validity of a service ticket and returns a UDCIdentity XML fragment response.

Note: The bannerValidate service does not generate and issue proxy-granting tickets when requested. The bannerValidate service must not return a successful authentication if it receives a proxy ticket.
Specify bannerValidate parameters

The following HTTP request parameters must be specified to the bannerValidate service. These parameters are case sensitive and are handled by bannerValidate.

Parameter | Description
BANNER-SV | Identifier of the service for which the CAS ticket was issued. Refer to the JA-SIG CAS overview, section 2.2 of the CAS protocol, for information pertaining to the login.
BANNER-ST | Service ticket issued by the CAS login service when a client presents credentials. A service ticket is an opaque string that the client uses as a credential to obtain access to a service.

Returned bannerValidate responses

The bannerValidate service returns one of the following three responses:

• If the ticket validation is successful, the following XML-formatted response is returned:

  <urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
    <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
    <urn:LogonID>triddle</urn:LogonID>
    <urn:Extension>
      <urn:Attribute>
        <urn:name>BANNER-SV</urn:name>
        <urn:value>maldevl5.sct.com/cas-client-3.1/authorized/banner/SelfService</urn:value>
      </urn:Attribute>
    </urn:Extension>
  </urn:UDCIdentity>

• If the UDC_IDENTIFIER is not asserted as a part of the validation response, an AssertionValidation error is returned.
• If the ticket validation fails, an HTTP 401 error code is returned.
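The following is an added example, not code from the guide or from the Banner CAS client, showing how a validation filter on the client side would consume the three bannerValidate outcomes described above: it refuses proxy tickets up front (CAS service tickets carry the ST- prefix and proxy tickets the PT- prefix), parses the UDCIdentity fragment, and treats a missing or empty UDC_IDENTIFIER as an AssertionValidation error. The namespace URI, the sample identifier and the logon ID are copied from the guide's sample response; the check that the asserted BANNER-SV matches the service the ticket was issued for is an extra consistency check added here, and the ticket strings are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of the UDCIdentity fragment, taken from the sample response in the guide.
UDC_NS = "urn:sungardhe:enterprise:domain:identity:1.0"
NS = {"urn": UDC_NS}


class AssertionValidation(Exception):
    """The response carries no usable UDC_IDENTIFIER assertion."""


class TicketRejected(Exception):
    """The ticket must not be validated by bannerValidate (e.g. a proxy ticket)."""


def check_service_ticket(ticket):
    """Refuse anything that is not a plain CAS service ticket (ST- prefix).

    The guide states bannerValidate must not succeed for a proxy ticket (PT- prefix)."""
    if ticket.startswith("PT-"):
        raise TicketRejected("proxy tickets are not accepted by bannerValidate")
    if not ticket.startswith("ST-"):
        raise TicketRejected("not a CAS service ticket: %r" % ticket)


def parse_udc_identity(xml_text):
    """Parse a UDCIdentity fragment; raise AssertionValidation when UDC_IDENTIFIER is absent."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}UDCIdentity" % UDC_NS:
        raise AssertionValidation("response is not a UDCIdentity fragment")
    udc_id = (root.findtext("urn:UDCIdentifier", namespaces=NS) or "").strip()
    if not udc_id:
        raise AssertionValidation("UDC_IDENTIFIER not asserted in validation response")
    attrs = {}
    for attr in root.findall("urn:Extension/urn:Attribute", NS):
        name = attr.findtext("urn:name", namespaces=NS)
        if name:
            attrs[name] = (attr.findtext("urn:value", namespaces=NS) or "").strip()
    return {
        "udc_identifier": udc_id,
        "logon_id": (root.findtext("urn:LogonID", namespaces=NS) or "").strip(),
        "attributes": attrs,
    }


def validate_banner_response(ticket, service, xml_text):
    """One bannerValidate exchange as seen by the client validation filter.

    The BANNER-SV comparison is an extra check added in this example (not in the guide):
    the asserted service must be the one the ticket was requested for."""
    check_service_ticket(ticket)
    identity = parse_udc_identity(xml_text)
    if identity["attributes"].get("BANNER-SV") != service:
        raise AssertionValidation("BANNER-SV does not match the validating service")
    return identity


def outcome(ticket, service, xml_text):
    """Return the identity dict, or the name of the exception class that was raised."""
    try:
        return validate_banner_response(ticket, service, xml_text)
    except (AssertionValidation, TicketRejected, ET.ParseError) as exc:
        return type(exc).__name__


# Constructed sample response, shaped like the guide's example.
SERVICE = "maldevl5.sct.com/cas-client-3.1/authorized/banner/SelfService"
GOOD_RESPONSE = """<urn:UDCIdentity xmlns:urn="%s">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>%s</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>""" % (UDC_NS, SERVICE)

# Same fragment with the identifier element left empty: must yield AssertionValidation.
NO_UDC_RESPONSE = GOOD_RESPONSE.replace("3C9CBAC307313872E0440003BA1015A4", "")

if __name__ == "__main__":
    print(outcome("ST-1-abc", SERVICE, GOOD_RESPONSE))   # identity dict
    print(outcome("PT-1-abc", SERVICE, GOOD_RESPONSE))   # TicketRejected
    print(outcome("ST-1-abc", SERVICE, NO_UDC_RESPONSE))  # AssertionValidation
```

The 401 case is not modelled because it never reaches the parser: the filter sees the HTTP status before any body is read.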
The CAS server asserts the following attributes:

Attribute | Location in Response
UDC_IDENTIFIER | UDCIdentity/UDCIdentifier
CAS Net ID | UDCIdentity/LogonID

Configure the CAS server

The Luminis Platform CAS server must be configured to extend the basic CAS services to support the bannerValidate service. This service is configured to retrieve UDC_IDENTIFIER data from your LDAP directory.

If the Luminis Platform CAS server was installed using the Luminis Installer, support for the bannerValidate service has been automatically configured. If you are using an externally managed CAS server, as described in the Luminis Platform Installation Guide, then you must manually configure the CAS server to support the bannerValidate service by following the steps outlined in the "Configure the CAS Server" appendix.

CAS managed services

The following are the primary CAS managed services. Some or all of these services may already exist in your CAS managed services page after the initial installation of Luminis. The CAS managed services page is found in the following location:

https://<cas server name>:<port>/cas-web/services/manage.html

• A typical Luminis/CAS installation would require at least the following CAS-managed service:

  https://<cas server name>:<https port>/cas-web/services

  For this service, select the uid attribute and check the Enabled, Allowed to Proxy and SSO Participant check boxes.

• The Admin server login URL would display as follows:

  https://<luminis server name>:<https port>/c/portal/login

  A separate c/portal/login service URL needs to be defined for each Luminis Platform hostname, such as the Admin and Portal tiers, or the virtual hostname if that is the URL being used by end users to access the service. This service does not require any attributes. Recommended Status check boxes are Enabled, Allowed to Proxy and SSO Participant.

• The Admin server banner-cas-client URL should display as follows:

  https://<admin server name>:<https port>/banner-cas-client/authorized/banner

  A separate banner-cas-client/authorized/banner service URL needs to be defined for each Luminis Platform instance (Admin and Portal tiers, or the virtual hostname if end users are using that URL to access the service in question). Mark the Enabled and SSO Participant check boxes and select the UDC_IDENTIFIER attribute.

Note: UDC_IDENTIFIER does not display in the attribute list until the CAS customizations detailed in the "Configuring CAS server to enable bannerValidate" section take effect. A restart of the CAS server is required.
If necessary, edit the CAS managed services that the CAS server protects.

Use the following steps to define new CAS managed services, if required:

1. Launch a browser and navigate to the CAS server management page.
   The CAS server management page is at the following URL: https://<CAS server>:<port>/cas-web/services/manage.html
2. Supply a valid administrator user name and password obtained from the CAS administrator.
   The Services Management page is displayed.
3. Click the Add New Service tab in the left corner of the page.
4. Add a new service by entering the fields as exemplified in the table below.
5. Click Save Changes.
   The CAS server protects the service that you defined.

Parameter | Description
Name | CAS services
Service URL | https://<cas-server>:<port>/cas-web/services
Description | Protect cas services
Theme Name | Cas
Status | Select Enabled and SSO Participant
Attributes | The service attributes
Banner CAS client configuration

Once the CAS server is configured to support Banner Enterprise Identity Services, you can configure Internet-native Banner and Banner Self-Service to participate in a CAS Single Sign-On (SSO) session. This is accomplished when you deploy the Banner CAS Client Web application in the Admin server and the Portal server. This application proxies the CAS authentication process to the Banner SSO proxy Web applications that support Internet-native Banner and Banner Self-Service. The application is only required in a CAS-based environment.

Use the following steps to install and configure the Banner CAS Client Web application:

1. After you deploy the banner-cas-client version supplied with Banner Enterprise Identity Services for the Luminis Platform Admin and Portal instances, modify the following parameters in the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file:

Parameter | Description
banner.sso.gateway | URL to the Banner SSO Web Proxy, which is part of the Banner Identity Gateway deployment.
cas.server.gateway | Property that determines whether the login screen is displayed to the user. The default is set to false.
cas.server.renew | Property that determines whether users must log in to each application. If set to true, users must log in to each application regardless of whether an SSO session was established. Use this setting if users are allowed to log in to another application within the SSO realm without providing credentials again. If set to false, users do not need to log in to each application if an SSO session was established. Use this setting for general use.
cas.server.url | URL to the CAS server. Generally this is a secured container, meaning the URL should begin with https.
cas.server.proxyCallbackUrl | Server proxy callback URL, which should point to the CAS server and port.
cas.client.serverName | Client server address, which consists of the fully qualified server name and port where the application is running. Note: This should include the SSL port number.
cas.client.proxyCallbackUrl | Client proxy callback URL, which should point to the server and port where the client application is running. Note: This should include the SSL port number.

For example, the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file may appear as follows:

• Admin:
  banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
  cas.server.renew=false
  cas.server.url=https://slcsup37.sct.com:8447/cas-web
  cas.client.serverName=slcsup37.sct.com:443

• Portal:
  banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
  cas.server.renew=false
  cas.server.url=https://slcsup37.sct.com:8447/cas-web
  cas.client.serverName=slcsup38.sct.com:443

• The following three properties are not in use:
  cas.server.gateway=false
  cas.server.proxyCallbackUrl
  cas.client.proxyCallbackUrl

2. Test the Web application by invoking the following URL. This URL should be accessible from all resource and Portal tiers: https://<Luminis host>:<SSL PORT>/banner-cas-client

The following URLs are used to start Banner in a CAS Single Sign-On environment:

• Internet-native Banner: http://<host>:<port>/banner-cas-client/authorized/banner/OracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/banner/SelfService
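As an added example (not part of the guide or of the Banner CAS client), the following script reads a cas-client.properties file and checks it against the rules the table above states: cas.server.url must be an https URL, cas.client.serverName must carry the SSL port, cas.server.renew must be explicit, and banner.sso.gateway must be an absolute URL. The "good" sample is the guide's Admin-tier values; the "weak" sample is constructed to show a plain-http CAS URL and a server name with its port dropped. The dotted key spellings follow the table as reconstructed here.

```python
from urllib.parse import urlsplit


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, # and ! comments.
    A key on a line by itself (an unset property) is kept with an empty value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # the separator is whichever of '=' or ':' comes first
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def lint_cas_client(props):
    """Return a list of findings for the checks spelled out in the guide's table."""
    findings = []

    url = props.get("cas.server.url", "")
    if urlsplit(url).scheme != "https":
        findings.append("cas.server.url must start with https (CAS runs in a secured container)")

    server_name = props.get("cas.client.serverName", "")
    host, _, port = server_name.rpartition(":")
    if not host or not port.isdigit():
        findings.append("cas.client.serverName must be <fqdn>:<SSL port>")

    if props.get("cas.server.renew") not in ("true", "false"):
        findings.append("cas.server.renew must be explicitly true or false")

    if not urlsplit(props.get("banner.sso.gateway", "")).netloc:
        findings.append("banner.sso.gateway must be an absolute URL to the Banner SSO Web Proxy")

    # the callback URLs are unused in the guide's example, but if set they must be https
    for key in ("cas.server.proxyCallbackUrl", "cas.client.proxyCallbackUrl"):
        value = props.get(key, "")
        if value and urlsplit(value).scheme != "https":
            findings.append("%s, when set, must be an https URL" % key)

    return findings


def lint_text(text):
    return lint_cas_client(parse_properties(text))


# Constructed sample: the Admin-tier values as given in the guide.
GOOD = """\
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
"""

# Constructed weak variant: plain-http CAS URL and a serverName without its SSL port.
WEAK = """\
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=http://slcsup37.sct.com:8080/cas-web
cas.client.serverName=slcsup37.sct.com
cas.client.proxyCallbackUrl
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("weak", WEAK)):
        print(name, lint_text(text) or "no findings")
```

Run it against each tier's copy of the file (Admin and Portal differ only in cas.client.serverName in the guide's example), so that a tier whose serverName lost its :443 is caught before the first SSO test.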
Banner Enterprise Identity Services Configuration Information Tables

The following is a list of tables that store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.

For Identity Data Export Utilities, as with other Web apps, the configuration is stored in the properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory, the files are stored in the following location:

applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties

Schema | Table | Application | Comments
BNIXMGR | APCONFG | Banner Identity Gateway | Stores application configuration for SSB and INB
BNIXMGR | WSCONFG | Banner Identity Gateway | Stores configuration for the Open Digital Campus Identity Web Service, for the Credential service and Ticketing service
IDENTMGR | T_UDC_PST_LIST | Enterprise Identity Proxy Services | Stores a list of Provisioning Service Targets
Luminis Banner Web application

This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.

Use the following steps to deploy these portlets:

1. Make the necessary changes to certain properties located in the following folders:
   $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
   $CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes

2. The properties that need to be modified with respect to the Banner portlets are as follows:

   # The URL to access the Banner Portal Servlet
   # Example: http://slcban3.sungardhe.com:7778/banportals
   providerServlet.url=<URL for the banportals application>
   # The user name to secure the servlet
   providerServlet.userName=channelAdmin
   # The password to secure the servlet
   providerServlet.password=u_pick_it
   version=development
   # The SSB URL for the English locale
   # Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
   # The SSB URL for the French locale
   # Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
   # The SSB URL for the Spanish (Mexico) locale
   # Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
   # The SSB URL for the Arabic locale
   # Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
   # The SSB URL for the Brazilian locale
   # Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
   # The BEIS version: 8.1.4 for versions that are <= 8.1.4, otherwise it needs to be set to 8.1.5
   beis.version=8.1.4
   # The banner-cas-client URL for SSB in case BEIS <= 8.1.4 is used
   banner.cas.client.ssb=banner-cas-client/authorized/banner/SelfService
   # The banner-cas-client URL for INB in case BEIS <= 8.1.4 is used
   banner.cas.client.inb=banner-cas-client/authorized/banner/OracleForms?launch_form=
   # The URL for SSB through SSO Manager in case BEIS 8.1.5 is used
   # (note that the parameter pkg has to be the same as configured in SSO Manager)
   beis.ssomanager.ssb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/SSB?pkg=
   # The URL for INB through SSO Manager in case BEIS 8.1.5 is used
   beis.ssomanager.inb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner

The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) application server.

This authentication model requires Banner Enterprise Identity Services to be installed in the Banner server and modifications to be made to the deployment of the Luminis Platform portlet for Banner server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.

For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki at:

http://www.edu1world.org/CommonsLuminis

This section includes the following topics:

• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"

Create the home directory for Luminis Channels for Banner

To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:

/u01/PROD/sghe/banner/channels

Copy the contents of your Banner production directory channel/admin to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.

Edit the configuration file

Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:

D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following table specifies descriptions and examples of the Banner database connection configuration properties
er 2011 Luminis Platform 503 2-11Banner Integration Setup Guide
Central Authentication Service and Banner Enterprise Identity Services
2-12
Property Description Example
connectionNamelist
Connection listings Each item in this list should have ltconnection namegtltpropertygt specified The default value in the list makes the configuration look for defaulttnsName defaultUserName
connectionNamelist=default or connectionNamelist=default other
defaulttnsName TNS Name used when connecting to the Banner database
defaulttnsName=LB70sctcom
defaultuserName Connection pool user name defaultuserName=banproxy
defaultpassword Connection pool password defaultpassword=banproxy
defaultpoolConfig
min-limit
Minimum number of physical connections maintained by the pool Since banportals uses OCI database connection pooling the default value of 1 is recommended
defaultpoolConfigmin-limit=1
defaultpoolConfig
max-limit
Maximum number of physical connections maintained by the pool
defaultpoolConfigmax-limit=5
defaultpoolConfig
increment
Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested
defaultpoolConfigincrement=1
defaultpoolConfig
timeout
The amount of time that must pass before an idle physical connection is disconnected This does not affect a logical connection The default time is in seconds
defaultpoolConfigtimeout=30
Luminis Platform 503 November 2011Banner Integration Setup GuideCentral Authentication Service and Banner Enterprise Identity Services
Novemb
log4jrootCategory
The logging level and logging scheme used from within the servlet The default logging level is INFO stdout which directs the output of the servlet to the system output which in turn writes to the ltORACLE_HOMEgtopmnltoc4j instancegt logs To limit the growth and overall size of the log the logging can be turned down to ERROR To do so set the value of log4jrootCategory to ERROR stdout
providerServleturl
URL to access the Banner portal servlet This is the URL of the webserver and points to the OC4J servlet which resides on the webserver machine
xsl-parameterurlHostAndPath=httpltyourservernamecomgt9001YourDADxsl-parameterThe port of 4445 in the document is an example You provide the port number that routes you to the welcome page of the webserver such as httpltyourservernamecomgt7777 The banportals portion of the URL is suggested as the virtual path for the OC4J servlet Reference ldquoGenerate the banportalsear filerdquo on page 2-14 for the banportals portion of the URL
providerServletuser
Name
User name to secure the servlet
providerServletuserName=channelAdmin
providerServlet
password
Password used to secure the servlet
providerServletpassword=u_pick_it
Property Description Example
er 2011 Luminis Platform 503 2-13Banner Integration Setup Guide
Central Authentication Service and Banner Enterprise Identity Services
2-14
The recommended value for username is channelAdmin You can use any value for the password
This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine When the OC4J servlet engine receives a Channel request it compares the username and password stored in banportalsear with the username and password sent by Luminis from the luminis-banner webapp Thus the providerServlet username and password should only be defined in the banportalsconfig file There does not need to be any corresponding OS user Oracle user and so forth
Generate the banportals.ear file
The banportals.config file contains values that should be inserted into the banportals.ear file.
To roll out the changes, use the installer file banportalsadmin.jar. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager as described in "Deploy the EAR file" on page 2-15.
Property: xsl-parameter.erpUrlBase
Description: URL for the INB server. Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL in the example.
Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D
Property: xsl-parameter.urlHostAndPath
Description: URL for the self-service application.
Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use the Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) server using mapped drives or symbolic links to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the application currently being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate user name mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP user name mapping first, based on the GUAUPRF LDAP settings, then fail over to the mapping set in the Banner GOBEACC mapping. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for use with, and in support of, Banner Integration for eLearning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ-wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of using the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework application server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish OpenMQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the .../imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.
You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the OpenMQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows: mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following to the .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
export SCT_LMG_HOME
3. Copy the lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgXx.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may appear as follows:
java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that OpenDS LDAP resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects such as topics, queues and connection factories in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:
• Environmental settings:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use imq.portmapper.port, which has a default value of 7676:
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations, include the following:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update <glassfishdomain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the last property, imq.log.level, to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
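A check worth running on accesscontrol.properties before the broker is restarted, as an added example that is not part of this guide or of GlassFish MQ: a misspelled principal in an allow list (lumser for lumuser, say) raises no error, it simply denies the real user while granting nothing, and a value of * opens a destination to every authenticated user. The POSIX shell functions below report both, and list any expected LDI destination that has no rule at all. The sample file they run against is constructed for this example, and the list of valid user names is supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the Ellucian guide or GlassFish MQ: lint an
# accesscontrol.properties before the broker is restarted.  A misspelled
# principal in an allow list fails silently (the intended user loses
# access, the misspelled name grants nothing) and a value of "*" admits
# every authenticated user, so both are reported.  Assumes POSIX sh with
# sed, grep, tr and sort; the caller supplies the list of valid MQ users.

# ac_unknown_users FILE KNOWN
#   FILE  : path to accesscontrol.properties
#   KNOWN : comma-separated valid user names, e.g. lumuser,lmguser
# Prints (sorted, de-duplicated, one per line) every name referenced in a
# *.allow.user= or *.deny.user= entry that is not in KNOWN.  "*" is
# always printed so the caller can review any destination open to all.
ac_unknown_users() {
    file=$1
    known=$2
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" \
        | grep -E '^[^=]*\.(allow|deny)\.user[[:space:]]*=' \
        | sed -e 's/^[^=]*=//' -e 's/[[:space:]]//g' \
        | tr ',' '\n' \
        | grep -v '^$' \
        | sort -u \
        | while read -r user; do
              if [ "$user" = '*' ]; then
                  printf '%s\n' '*'           # any authenticated user
                  continue
              fi
              case ",$known," in
                  *",$user,"*) ;;             # a known principal
                  *) printf '%s\n' "$user" ;; # typo or retired account
              esac
          done
}

# ac_missing_destinations FILE EXPECTED
#   EXPECTED : comma-separated destination names that must have rules
# Prints each expected queue/topic name that has no queue.<name>.* or
# topic.<name>.* entry in FILE, so a destination left out of the ACL is
# noticed instead of silently taking the broker default.
ac_missing_destinations() {
    file=$1
    expected=$2
    present=$(sed -e 's/#.*//' "$file" \
        | sed -n -e 's/^queue\.\([^.]*\)\..*$/\1/p' \
                 -e 's/^topic\.\([^.]*\)\..*$/\1/p' \
        | sort -u | tr '\n' ',')
    printf '%s\n' "$expected" | tr ',' '\n' | while read -r dest; do
        [ -n "$dest" ] || continue
        case ",$present" in
            *",$dest,"*) ;;
            *) printf '%s\n' "$dest" ;;
        esac
    done
}

# write_sample_ac DIR : writes a constructed sample in the shape of the
# guide's example, with one deliberately misspelled principal (lumser),
# and prints its path.
write_sample_ac() {
    f=$1/accesscontrol.properties
    cat > "$f" <<'EOF'
# constructed sample accesscontrol.properties (not a real site's file)
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: report on the constructed sample.
dir=$(mktemp -d)
sample=$(write_sample_ac "$dir")
echo "unknown or wildcard principals:"
ac_unknown_users "$sample" lumuser,lmguser
echo "expected destinations without any rule:"
ac_missing_destinations "$sample" com_sct_ldi_sis_Sync,com_sct_ldi_sis_UpdateReply
```

Run it against the real file with the user names created by lp5_mqinit.sh (MQ_LUM_USER and MQ_LMG_USER); an empty report from both functions is the expected result.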
Custom JMS Clients
Ensure that your JMS clients contain the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ or the Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server:
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps.
Note: The imqusermgr command creates users in the file-system-based user repository, but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default, the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
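The guide confirms the new static ports by reading the telnet output. The following POSIX shell functions, added here as an example (not part of the guide or of Open MQ), turn that same portmapper reply into a pass/fail check against config.properties so that it can be repeated after every restart. The reply text embedded below is constructed to mirror the output above; the host name and session id are made up, and the nc capture command mentioned in the comments is an assumption about the tools available on the host.

```shell
#!/bin/sh
# Added example, not from the Ellucian guide or Open MQ: check the ports an
# Open MQ broker advertises through its portmapper against the static ports
# set in config.properties.  Capture the reply the way the guide does
# (telnet <host> 7676) or, assuming nc is installed, with
#   printf '\n' | nc -w 3 <host> 7676
# and pass the text to the functions below.  Assumes POSIX sh with awk and sed.

# Constructed sample reply in the shape of the guide's "after" output
# (host name and session id are made up).
SAMPLE_REPLY='101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,imqhome=/opt/glassfishv3/mq,sess
ionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://mq.example.edu/jndi/rmi://mq.example.edu:8686/mq.example.edu/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627'

# pm_port REPLY SERVICE : prints the port advertised for SERVICE (fourth
# column of its line; 0 means the service is disabled), or nothing when
# the service does not appear in the reply at all.
pm_port() {
    printf '%s\n' "$1" | awk -v svc="$2" 'NF >= 4 && $1 == svc { print $4; exit }'
}

# cfg_value FILE KEY : prints the value of KEY from a Java properties file
# (first match; dots in KEY are matched literally), or nothing if unset.
cfg_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# pm_expect_static REPLY CONFIG_FILE
# For each service that should be static (admin, jms, ssljms), compare the
# advertised port with imq.admin.tcp.port / imq.jms.tcp.port /
# imq.ssljms.tls.port.  A service absent from the reply (e.g. ssljms when
# SSL is not enabled) is skipped.  Prints one line per problem and returns
# 1 if any service is still on a broker-chosen port or on the wrong port.
pm_expect_static() {
    reply=$1
    cfg=$2
    status=0
    for pair in admin:imq.admin.tcp.port jms:imq.jms.tcp.port ssljms:imq.ssljms.tls.port; do
        svc=${pair%%:*}
        key=${pair#*:}
        got=$(pm_port "$reply" "$svc")
        [ -n "$got" ] || continue
        want=$(cfg_value "$cfg" "$key")
        if [ -z "$want" ]; then
            printf '%s: %s not set, broker chose port %s\n' "$svc" "$key" "$got"
            status=1
        elif [ "$want" != "$got" ]; then
            printf '%s: configured %s but broker advertises %s\n' "$svc" "$want" "$got"
            status=1
        fi
    done
    return $status
}

# Stand-alone run: a constructed config.properties that matches the sample
# reply, then one with a mismatch.
dir=$(mktemp -d)
printf 'imq.admin.tcp.port=7574\nimq.jms.tcp.port=7575\nimq.ssljms.tls.port=7576\n' > "$dir/config.properties"
pm_expect_static "$SAMPLE_REPLY" "$dir/config.properties" && echo "static ports match"
printf 'imq.admin.tcp.port=7574\nimq.jms.tcp.port=7999\n' > "$dir/config.properties"
pm_expect_static "$SAMPLE_REPLY" "$dir/config.properties" || echo "mismatch found"
```

The same check run with the first telnet output on this page would report both admin and jms as "not set, broker chose port", which is exactly the state the firewall rules cannot be written for.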
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.
If Luminis Platform was installed with the default setting of jmsenabled=false, JMS can be enabled in the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on the HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfishdomain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN in any IMQCMD commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN-ID lookup against LDAP involved in the SSO transaction. Instead, bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in the Luminis-CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or by proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP for his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with the b_0110_twb8030001 or Web Tailor 8.2 with the b_0110_twb8020001. Otherwise the bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless the LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the following command from $CP_ROOT/products/opends/bin:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter Use these values.
1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, it indicates that no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here, and for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB user name. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Please note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server that hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption, as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade, you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
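The rules for the key given above are easy to get wrong by hand. The following POSIX shell function is an added example, not part of the guide or of the Banner GOKKSSO package; it checks an enckey file against those rules before banssodir.sql is run. It assumes the key is the first line of the file (the guide says only that it must start in column 1).

```shell
#!/bin/sh
# Added example, not from the Ellucian guide or the Banner GOKKSSO package:
# check an enckey file against the rules the guide states before running
# banssodir.sql.  Assumes POSIX sh and that the key is the first line of
# the file (the guide says only that it must start in column 1).

# enckey_check FILE : prints one line per violated rule and returns 1;
# returns 0 for an acceptable key.  A key longer than 24 characters is
# accepted but noted, since only the first 24 are used.
enckey_check() {
    file=$1
    key=$(head -n 1 "$file")        # keeps leading blanks, drops newline
    tab=$(printf '\t')
    len=${#key}
    status=0
    if [ -z "$key" ]; then
        printf 'enckey is empty\n'
        return 1
    fi
    case $key in
        ' '*|"$tab"*)
            printf 'key must start in column 1\n'; status=1 ;;
    esac
    if [ "$len" -lt 8 ]; then
        printf 'key has %s characters; at least 8 are required\n' "$len"; status=1
    fi
    if [ $((len % 8)) -ne 0 ]; then
        printf 'length %s is not a multiple of 8\n' "$len"; status=1
    fi
    case $key in
        *[[:alpha:]]*) ;;
        *) printf 'key contains no letters\n'; status=1 ;;
    esac
    case $key in
        *[[:digit:]]*) ;;
        *) printf 'key contains no digits\n'; status=1 ;;
    esac
    if [ "$len" -gt 24 ]; then
        printf 'note: key has %s characters, only the first 24 are used\n' "$len"
    fi
    return $status
}

# write_key DIR KEY : writes KEY as the single line of DIR/enckey and
# prints the path (for trying the check on constructed keys).
write_key() {
    printf '%s\n' "$2" > "$1/enckey"
    printf '%s\n' "$1/enckey"
}

# Stand-alone run over a few constructed keys.
dir=$(mktemp -d)
for k in Abc12345 secret ' Abc12345' Abc1234567 abcdefgh; do
    if enckey_check "$(write_key "$dir" "$k")"; then
        printf '"%s": ok\n' "$k"
    else
        printf '"%s": rejected\n' "$k"
    fi
done
```

Run enckey_check against $BANNER_HOME/key_dir/enckey (or whatever directory you created in step 1) before step 5; it prints nothing and returns 0 when the key satisfies every rule above.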
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if they are different between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
November 2011 Luminis Platform 5.0.3 Banner Integration Setup Guide 4-5
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If you change a particular mapping, you must restart the banportals OC4J before the new mapping is read.
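The following script is an added example and is not part of the setup guide or of the Banner SSO package. It applies the UserMapDN rules above (entries of object class SCTSSOConfig under o=usermap, CN equal to the Luminis login, SCTSSOConfigString holding the Banner/Oracle ID, no entry needed when both IDs match) to a constructed LDIF export of the usermap subtree, so an administrator can check what proxyinfo.sql would resolve before waiting for the cache to refresh. The LDIF text, the entries in it and the function names are all constructed for this example.

```python
"""Resolve Luminis logins to Banner/Oracle IDs from an o=usermap LDIF export.

Added example, not code from the setup guide. Everything below the base DN
is constructed sample data.
"""
import base64

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"

# Constructed sample export of the usermap subtree. Entry 2 uses LDIF line
# folding (continuation line begins with one space); entry 3 maps a user to
# itself, which the guide says is unnecessary.
SAMPLE_LDIF = """\
version: 1

dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: JoeSmith
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
SCTSSOConfigString: jsmith

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr, the shared Banner ID used for this
  class of Luminis accounts
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
SCTSSOConfigString: kyle
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Handles folded lines (leading space), '::' base64 values, comments and
    the blank-line entry separator. Attribute names are lower-cased because
    LDAP attribute names are case-insensitive.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:             # sentinel flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):           # 'attr:: base64' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def build_usermap(entries, base=USERMAP_BASE):
    """Return ({luminis_id_lower: banner_id}, [warnings]) for entries under base."""
    mapping, warnings = {}, []
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        if not dn.lower().endswith("," + base.lower()):
            continue                        # not part of the usermap subtree
        cn = entry.get("cn", [""])[0]
        classes = {c.lower() for c in entry.get("objectclass", [])}
        target = entry.get("sctssoconfigstring", [""])[0]
        if "sctssoconfig" not in classes:
            warnings.append(f"{dn}: missing objectClass SCTSSOConfig")
            continue
        if not target:
            warnings.append(f"{dn}: no SCTSSOConfigString value")
            continue
        if cn.lower() == target.lower():
            warnings.append(f"{dn}: maps {cn} to itself; entry is unnecessary")
        mapping[cn.lower()] = target
    return mapping, warnings


def resolve_banner_id(luminis_id, usermap):
    """Banner/Oracle ID for a Luminis login: the mapped value, else the same ID."""
    return usermap.get(luminis_id.lower(), luminis_id)


if __name__ == "__main__":
    usermap, warnings = build_usermap(parse_ldif(SAMPLE_LDIF))
    for login in ("JoeSmith", "610009611", "jdoe"):
        print(f"{login} -> {resolve_banner_id(login, usermap)}")
    for w in warnings:
        print("warning:", w)
```

Run it against a real export (for example `ldapsearch -b "o=usermap,o=Banner,o=SCTSSOapplications" -s sub objectClass=SCTSSOConfig` saved to a file) by replacing SAMPLE_LDIF; the warnings list flags entries that the guide says should not exist or that would never be honoured.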
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value is displayed as the default value for new users who log in to Banner.
Parameter: Description
BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using the Internet URL format for LDAP, such as the following example: ldap://myldapserver:389
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are as follows: L - the login ID is used for login mapping; N - no usermap option is used.
USERMAP_PRFX: Prefix for the usermap. This parameter holds the prefix for the usermap option. The default delivered value is cn=. With Luminis IV, you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap option is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter: Description
LOCATION: To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows: file:d:\wallet for Windows; file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode, which can be one of the following values:
1 - No authentication is required (SSL encryption only)
2 - One-way authentication is required; the client certificate is authenticated by the server
3 - Two-way authentication is required; the client and the server authenticate each other's certificates
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions listed below.
2.1. Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2. Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1. Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1. Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2. Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1. Open the uniqueIdGenerators.xml file.
4.2.2. Add the following entry inside the <util:map id="uniqueIdGeneratorsMap"> element of the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3. Save and close the uniqueIdGenerators.xml file.
4.3. Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1. Open the argumentExtractorsConfiguration.xml file.
4.3.2. Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3. Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4. Save and close argumentExtractorsConfiguration.xml.
4.4. Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
4.4.1. Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2. Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3. Save and close the cas-servlet.xml file.
4.5. Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1. Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2. Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3. Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4. Save and close the deployerConfigContext.xml file.
4.6. Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1. Open default_views.properties.
4.6.2. Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3. Save and close default_views.properties.
4.7. Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
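The following script is an added example and is not part of the setup guide or of the SGHE CAS extension. After the edits in steps 4.1 to 4.4 it is easy to miss one of the three files, and a missing servlet mapping, extractor reference or handler prop only shows up as an unexplained 404 or a validation failure at runtime. The script parses the edited files with the standard library and reports each missing piece. The XML strings are constructed from the fragments shown above (real files contain many more beans); the function names are assumptions for this example, as is the check that BannerArgumentExtractor is listed before casArgumentExtractor, which follows the order the guide shows on the assumption that CAS consults the extractors in list order.

```python
"""Check that the bannerValidate edits are present in the CAS server files.

Added example, not code from the setup guide or the SGHE CAS extension.
"""
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
UTIL = "http://www.springframework.org/schema/util"
P_NS = "http://www.springframework.org/schema/p"
NS = {"b": BEANS, "u": UTIL}

# Constructed samples built from the fragments in steps 4.1 to 4.4.
WEB_XML = """<web-app>
  <servlet><servlet-name>cas</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>cas</servlet-name><url-pattern>/serviceValidate</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>cas</servlet-name><url-pattern>/bannerValidate</url-pattern></servlet-mapping>
</web-app>"""

ARG_EXTRACTORS_XML = f"""<beans xmlns="{BEANS}" xmlns:util="{UTIL}">
  <bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor"></bean>
  <util:list id="argumentExtractors">
    <ref bean="BannerArgumentExtractor" />
    <ref bean="casArgumentExtractor" />
    <ref bean="samlArgumentExtractor" />
  </util:list>
</beans>"""

CAS_SERVLET_XML = f"""<beans xmlns="{BEANS}" xmlns:p="{P_NS}">
  <bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
        p:argumentExtractor-ref="BannerArgumentExtractor"
        p:successView="bannerAccountServiceSuccessView"
        p:failureView="bannerAccountServiceFailureView" />
  <bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="mappings"><props>
      <prop key="/serviceValidate">serviceValidateController</prop>
      <prop key="/bannerValidate">bannerAccountValidateController</prop>
    </props></property>
  </bean>
</beans>"""


def local(tag):
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def servlet_for_pattern(web_xml, pattern):
    """Servlet name mapped to url-pattern, or None (namespace-agnostic for web.xml)."""
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) != "servlet-mapping":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        if fields.get("url-pattern") == pattern:
            return fields.get("servlet-name")
    return None


def extractor_order(spring_xml):
    """Bean refs inside util:list id=argumentExtractors, in file order."""
    lst = ET.fromstring(spring_xml).find("u:list[@id='argumentExtractors']", NS)
    return [] if lst is None else [r.get("bean") for r in lst.findall("b:ref", NS)]


def handler_for_url(cas_servlet_xml, url):
    """Controller bean named in handlerMappingC for the given url key."""
    bean = ET.fromstring(cas_servlet_xml).find("b:bean[@id='handlerMappingC']", NS)
    if bean is None:
        return None
    for prop in bean.iter(f"{{{BEANS}}}prop"):
        if prop.get("key") == url:
            return (prop.text or "").strip()
    return None


def controller_extractor(cas_servlet_xml, bean_id):
    """Value of p:argumentExtractor-ref on the named controller bean."""
    bean = ET.fromstring(cas_servlet_xml).find(f"b:bean[@id='{bean_id}']", NS)
    return None if bean is None else bean.get(f"{{{P_NS}}}argumentExtractor-ref")


def check_banner_validate(web_xml, extractors_xml, cas_servlet_xml):
    """Return a list of problems; an empty list means all four edits are present."""
    problems = []
    if servlet_for_pattern(web_xml, "/bannerValidate") != "cas":
        problems.append("web.xml: /bannerValidate is not mapped to the cas servlet")
    order = extractor_order(extractors_xml)
    if "BannerArgumentExtractor" not in order:
        problems.append("argumentExtractorsConfiguration.xml: BannerArgumentExtractor not in argumentExtractors")
    elif "casArgumentExtractor" in order and order.index("BannerArgumentExtractor") > order.index("casArgumentExtractor"):
        problems.append("argumentExtractorsConfiguration.xml: BannerArgumentExtractor should precede casArgumentExtractor")
    if handler_for_url(cas_servlet_xml, "/bannerValidate") != "bannerAccountValidateController":
        problems.append("cas-servlet.xml: handlerMappingC lacks /bannerValidate -> bannerAccountValidateController")
    if controller_extractor(cas_servlet_xml, "bannerAccountValidateController") != "BannerArgumentExtractor":
        problems.append("cas-servlet.xml: bannerAccountValidateController does not use BannerArgumentExtractor")
    return problems


if __name__ == "__main__":
    print(check_banner_validate(WEB_XML, ARG_EXTRACTORS_XML, CAS_SERVLET_XML) or "all bannerValidate edits present")
```

To run it against a deployed server, read the three files from SGHE_CAS_SERVER/WEB-INF and pass their contents in place of the constructed strings.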
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique log file that captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, refer to the files in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will, which take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit the imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jmslistener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
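The following script is an added example and is not part of the setup guide or of the LMG product. When an event reaches status 2 (Processed) on GOAEQRM but never arrives in Luminis Platform, the question is which of the three stages shown above the adapter.log records for that event ID. The script parses lines in the format shown above, groups them by event ID and lists events that were validated but never published to the broker. The sample lines are constructed: the three lines for event 370660 are the ones shown above, and event 370661 and its ERROR message text are made up for the example; the function names are assumptions, as is the rule that an ERROR or WARN line naming a five-or-more-digit number refers to that event ID.

```python
"""Correlate LMG adapter.log lines by event ID and flag unpublished events.

Added example, not code from the setup guide or from LMG. Sample lines are
constructed; the three for 370660 are those the guide shows.
"""
import re

# One adapter.log line: timestamp [thread] LEVEL logger - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# The three stages the guide shows; 'eid' is the event ID, which matches the
# GOAEQRM Event Sequence.
STAGES = (
    ("validated", re.compile(r"XML for (?P<eid>\d+) is a valid document")),
    ("published", re.compile(r"Message (?P<eid>\d+) published to Luminis Message Broker")),
    ("delivered", re.compile(r"The event (?P<eid>\d+) has been published to (?P<dest>\S+)")),
)

SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,118 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:03,004 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Could not publish message 370661: broker connection refused
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in LMG format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(stage=None, eid=None, dest=None)
    for stage, pattern in STAGES:
        sm = pattern.search(rec["msg"])
        if sm:
            rec["stage"] = stage
            rec["eid"] = sm.group("eid")
            rec["dest"] = sm.groupdict().get("dest")
            return rec
    # Assumption for this example: an ERROR/WARN line that names a number of
    # five or more digits is talking about that event ID.
    if rec["level"] in ("ERROR", "WARN"):
        num = re.search(r"\b(\d{5,})\b", rec["msg"])
        if num:
            rec["stage"], rec["eid"] = "error", num.group(1)
    return rec


def event_timeline(log_text):
    """Map event ID -> {'stages': [...], 'dest': str or None, 'first': ts, 'last': ts}."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["eid"] is None:
            continue
        ev = events.setdefault(rec["eid"], {"stages": [], "dest": None,
                                            "first": rec["ts"], "last": rec["ts"]})
        ev["stages"].append(rec["stage"])
        ev["last"] = rec["ts"]
        if rec["dest"]:
            ev["dest"] = rec["dest"]
    return events


def stuck_events(log_text):
    """Event IDs that LMG validated but never published to the broker."""
    return [eid for eid, ev in event_timeline(log_text).items()
            if "validated" in ev["stages"] and "published" not in ev["stages"]]


if __name__ == "__main__":
    for eid, ev in event_timeline(SAMPLE_LOG).items():
        print(eid, ev["first"], "->", ev["last"], ev["stages"], ev["dest"])
    print("stuck:", stuck_events(SAMPLE_LOG))
```

With DEBUG enabled as described above the file also carries many lines that name no event; parse_line returns those with eid set to None and event_timeline skips them, so the script can be pointed at the whole adapter.log.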
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in the following location: <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID,
-- such as INTEGMGR or WWW_USER, is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS     TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                       TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompted for at run time (scan on)
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# bash is required: the script uses [[ ]], (( )) and read -s.
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case "$ERRORCODE" in
      # err=0: no error
      0 )
        break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case "$PROCEED" in
          Y|y )
            break ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case... no pun
        echo "Outer loop break"
        break ;;
      * )
        echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 0.1
# Some sanity checks before we start.
# Does $OPENDS_DIR exist and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 0.2
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the LDIF format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the destination name matches the imqcmd list above; the listing as printed
# carried com_sct_ldi_sis_Sync here, which is the topic created in STEP 13)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (destination name corrected in the same way as STEP 14)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 17
Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 18
Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
er 2011 Luminis Platform 503 C-13Banner Integration Setup Guide
Sample Scripts and Files
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
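The ACI the script adds is the only LDAP right the MQ user receives, so it is worth checking that it really is read-only and scoped to the messaging subtree before it goes into the Access Control Handler. The following is an added example, not part of lp5_mqinit.sh or any Ellucian code: it renders the same LDIF the script pipes to ldapmodify from placeholder values (standing in for $MQ_LUM_USER and $OPENDS_MQ_BASEDN), parses the ACI back with the OpenDS ACI grammar the script uses, and reports anything broader than read/search/compare for that one user DN.

```python
"""Check the OpenDS global ACI that the lp5_mqinit.sh step above adds.

Added example; this is not part of the guide's script.  The ACI text is
built from placeholder values that stand in for $MQ_LUM_USER and
$OPENDS_MQ_BASEDN, and the parser follows the OpenDS ACI grammar used in
the script:
  (target=...)(targetscope=...)(targetattr=...)(version 3.0; acl "..."; allow(...) userdn="...";)
"""
import re

# The only rights the MQ user needs: it looks up administered objects, it never writes them.
READ_ONLY_RIGHTS = {"read", "search", "compare"}

ACI_RE = re.compile(
    r'\(target="ldap:///(?P<target>[^"]*)"\)'
    r'\(targetscope="(?P<scope>[^"]*)"\)'
    r'\(targetattr="(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*'
    r'(?P<kind>allow|deny)\((?P<rights>[^)]*)\)\s*'
    r'userdn="ldap:///(?P<userdn>[^"]*)";\)'
)


def build_aci(mq_user: str, base_dn: str) -> str:
    """Render the ds-cfg-global-aci value the script adds for mq_user over base_dn."""
    return (
        f'(target="ldap:///{base_dn}")(targetscope="subtree")(targetattr="*")'
        f'(version 3.0; acl "User-Visible Root DSE Operational Attributes"; '
        f'allow(read,search,compare) userdn="ldap:///cn={mq_user},ou=People,{base_dn}";)'
    )


def build_aci_ldif(mq_user: str, base_dn: str) -> str:
    """The LDIF fed to ldapmodify: one 'add' of ds-cfg-global-aci on the Access Control Handler."""
    return (
        "dn: cn=Access Control Handler,cn=config\n"
        "changetype: modify\n"
        "add: ds-cfg-global-aci\n"
        f"ds-cfg-global-aci: {build_aci(mq_user, base_dn)}\n"
    )


def parse_aci(aci: str) -> dict:
    """Split an ACI into its parts; rights become a set of lower-case names."""
    m = ACI_RE.fullmatch(aci.strip())
    if m is None:
        raise ValueError("ACI does not match the expected OpenDS syntax")
    parts = m.groupdict()
    parts["rights"] = {r.strip().lower() for r in parts["rights"].split(",") if r.strip()}
    return parts


def check_mq_user_aci(aci: str, mq_user: str, base_dn: str) -> list:
    """Return findings where the ACI grants more than the script intends; [] means it is as expected."""
    parts = parse_aci(aci)
    findings = []
    if parts["kind"] != "allow":
        findings.append("ACI is a deny rule, the MQ user would lose read access")
    extra = parts["rights"] - READ_ONLY_RIGHTS
    if extra:
        findings.append(f"grants more than read/search/compare: {sorted(extra)}")
    if parts["target"].lower() != base_dn.lower():
        findings.append(f"target {parts['target']!r} is not the MQ base DN {base_dn!r}")
    if parts["scope"] != "subtree":
        findings.append(f"unexpected targetscope {parts['scope']!r}")
    expected_dn = f"cn={mq_user},ou=People,{base_dn}"
    if parts["userdn"].lower() != expected_dn.lower():
        findings.append(f"userdn {parts['userdn']!r} is not the MQ user {expected_dn!r}")
    return findings


if __name__ == "__main__":
    # Placeholder values, constructed for this example, not taken from the guide.
    print(build_aci_ldif("mqlum", "o=messaging"))
    print(check_mq_user_aci(build_aci("mqlum", "o=messaging"), "mqlum", "o=messaging"))
```

Running the check against the generated ACI returns an empty list; widening the allow clause (for example adding write) or replacing the user DN with anyone produces a finding, which is the case to catch before the ACI is committed, since a global ACI on cn=config applies to the whole server.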
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following “connect through” grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in “Sample proxyinfo.sql script” on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as “SOAPException faultCode=INVALID SOAP RESPONSE” in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the statement as printed there is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If streams are locking on archive logs, you can remove the streams by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
1 Introduction
Today's higher education institution requires a fully integrated solution that provides automated student information system integration with their portal and web-services delivery program. This guide outlines the steps necessary to configure data and presentation layer integration between the Banner Enterprise Resource Planning (ERP) systems and the Luminis Platform portal offering. Data integration refers to the transfer of user, group, term, department, course, and other information from Banner through a Java Message Service (JMS) message queue and into Luminis Platform. Presentation layer integration refers to the setup and configuration necessary to enable CAS integration and single sign-on through Banner Enterprise Identity Services for the suite of Banner portlets.
The steps required to successfully complete Banner and Luminis Platform integration have been categorized into four sections. The first section relates to the Banner General, INB/SSB Middle Tier, and Banner Enterprise Identity Services (BEIS) products. The second section relates specifically to the Luminis Platform. The third section outlines the items required to integrate the two. The fourth section provides suggestions on how to validate and fully test your setup. Your specific environment and setup may require variations in the sequence.
This section also contains an overview of the overall integration architecture for integrating Banner with Luminis Platform.
Banner product and setup prerequisites
The following is a list of Banner products you must install before you can integrate Banner and Luminis Platform:
• Banner General: Banner General implemented and configured according to the Banner General instructions.
• Internet Native Banner (INB): INB implemented and configured according to the Middle Tier Implementation Guide.
• Self-Service Banner: SSB implemented and configured according to the Middle Tier Implementation Guide.
• Channels App: Banner Channels App implemented and configured according to the Luminis-Banner and Banportals installation instructions described later in this guide.
• Banner Enterprise Identity Services (BEIS): implemented and configured according to the Banner Enterprise Identity Services Handbook.
Luminis Platform product and setup prerequisites
Luminis Platform must be installed and operational as a stand-alone application before attempting to integrate with Banner. For information about installing and configuring the CAS server that is included with Luminis Platform, refer to the Luminis Platform 5.0 Installation Guide and the CAS customization steps documented in the Banner Enterprise Identity Services Handbook.
BEIS version 8.1.4 and above support Jasig CAS versions 3.2.1.1, 3.3.1, and 3.4.2. For future Google Apps integration, the CAS server should be configured outside the firewall in the demilitarized zone.
Integrate Banner and Luminis Platform: Broker and LMG setup
The following is a list of the final products you must install before you can integrate Banner with Luminis Platform:
• Open Message Queue 4.5: Install and configure Open Message Queue 4.5. For more information about installing this program, see “Data-Level Integration and Provisioning” on page 3-1 later in this document. You can also reference the documentation located at http://glassfish.java.net.
• Learning Management Message Gateway: Install and customize or import LMG. For more information, see “Learning Message Gateway” on page 3-1.
Test and validate the integration
Once the Banner integration setup has been completed, a Banner user must log in to the system and create a page with an embedded portlet. This page should have a URL such as http://<host>:<port>/banner-cas-client/authorized/banner/SelfService. Invoking this page brings up the Banner Self Service screen.
Success criteria
The successful deployment and configuration of Banner Integration for Luminis Platform is best measured by the resulting ability to authenticate into Luminis Platform and Banner simultaneously, using Central Authentication Service (CAS) to accomplish single sign-on, and to access Banner data and links in the Banner portlets. In addition, the Luminis Platform system should be able to create users and course information in all appropriate content areas, such as the My Courses portlet, whenever a Banner system is updated.
Banner product dependencies
The following components are recommended when configuring the Luminis Platform Banner integration. Please refer to the Banner DC Release Interdependency Matrix for additional options.
• Luminis Platform 5.0.2
• Banner Enterprise Identity Services (BEIS) 8.1.3 or higher
• Banner General 8.4
• Banner Student 8.4.1 or 8.5
• Banner Student Self-Service 8.4.1 or 8.5
• Banner Intcomp 8.0.1
• Web Tailor 8.4 or higher
• Internet Native Banner (INB) configured per the Middle Tier Implementation Guide
• GlassFish Server Open Source Edition 3.1 or higher. This includes Open MQ.
• Banner Channels 8.2 or higher
• Central Authentication Service (CAS) 3.4.2, 3.3.1, or 3.2.1.1
Note: CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
Deployment architecture overview
The deployment model for a fully integrated Banner system or Luminis Platform portal and CAS server is illustrated below.
The next few chapters discuss the following topics:
• “Central Authentication Service and Banner Enterprise Identity Services”
• “Data-Level Integration and Provisioning”
• “SSB and INB Integration”
2 Central Authentication Service and Banner Enterprise Identity Services
Central Authentication Service (CAS) is an enterprise Single Sign-On (SSO) solution for Web applications. CAS SSO improves the user experience when running several Web applications that have their own means of authentication. With an SSO solution, users authenticate to one central authentication service and can access other Web applications that have a trust relationship with the central authentication service without a secondary login. For example, if you want to access your portal instance, you are redirected to CAS to log in. CAS authenticates the user credentials and returns a ticket to the browser, which allows access to the portal.
CAS and Banner Enterprise Identity Services (BEIS) are required for the success of single sign-on (SSO) links within Luminis Platform.
This chapter contains the following sections:
• “CAS server configuration for UDCIdentifier”
• “Banner CAS client configuration”
• “Banner Enterprise Identity Services Configuration Information Tables”
• “Luminis Banner Web application”
• “Prepare to Install Luminis Platform Portlets for Banner”
CAS server configuration for UDCIdentifier
This section provides information about configuring the Luminis Platform CAS server to support Banner Enterprise Identity Services (BEIS) or any other SunGard Higher Education products that are UDCIdentifier aware and participate in a CAS SSO session.
Note: CAS versions 3.2.1.1 and 3.3.1 are supported. CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
This section includes the following topics:
• “Prerequisites”
• “CAS protocol extension”
• “Specify bannerValidate parameters”
• “Returned bannerValidate responses”
• “Configure the CAS server”
• “CAS managed services”
Prerequisites
Before implementing CAS with UDCIdentifier, the following prerequisites must be met:
• The identity repository used by the CAS server must be UDCIdentifier aware.
• You must have an understanding of the CAS protocol (2.0) and architecture (3.2).
CAS protocol extension
SunGard Higher Education uses the CAS attribute assertion features to assert additional identity attributes. The SunGard Higher Education CAS protocol is implemented by adding a validation service (bannerValidate) to the CAS server.
Note: The bannerValidate service is similar to the serviceValidate feature available in the JA-SIG CAS server reference implementation.
Upon successful CAS authentication, the CAS client validation filter calls the bannerValidate service to get information for the enterprise user. The service checks the validity of a service ticket and returns a UDCIdentity XML fragment response.
Note: The bannerValidate service does not generate and issue proxy-granting tickets when requested. The bannerValidate service must not return a successful authentication if it receives a proxy ticket.
Specify bannerValidate parameters
The following HTTP request parameters must be specified to the bannerValidate service. These parameters are case sensitive and are handled by bannerValidate.
Parameter   Description
BANNER-SV   Identifier of the service for which the CAS ticket was issued. Refer to JA-SIG CAS overview section 2.2 of the CAS protocol for information pertaining to the login.
BANNER-ST   Service ticket issued by the CAS login service when a client presents credentials. A service ticket is an opaque string that the client uses as a credential to obtain access to a service.
Returned bannerValidate responses
The bannerValidate service returns one of the following three responses:
• If the ticket validation is successful, the following XML-formatted response is returned:
<urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>maldevl5.sct.com/cas-client-31/authorized/banner/SelfService</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>
• If the UDC_IDENTIFIER is not asserted as a part of the validation response, an AssertionValidation error is returned.
• If the ticket validation fails, an HTTP 401 error code is returned.
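The three outcomes above are what a CAS client validation filter has to handle after it calls bannerValidate. The following is an added example, not code from the guide or from Ellucian, of that client-side handling: it refuses to present anything but a service ticket (CAS proxy tickets carry the PT- prefix, service tickets ST-), parses the UDCIdentity fragment, treats a missing UDCIdentifier as the AssertionValidation failure, and checks that the BANNER-SV attribute echoed back is the service the ticket was requested for. The namespace URI is the one reconstructed in this guide's example, and the sample response is constructed from the values shown above.

```python
"""Client-side handling of a bannerValidate response.

Added example, not code from the guide or from Ellucian.  It assumes the
UDCIdentity fragment shown above, with the namespace URI
urn:sungardhe:enterprise:domain:identity:1.0 as reconstructed in this
guide, and CAS ticket prefixes from the CAS protocol (ST- service
tickets, PT- proxy tickets).  The sample response is constructed from
the guide's example values.
"""
import xml.etree.ElementTree as ET

NS = {"urn": "urn:sungardhe:enterprise:domain:identity:1.0"}


class AssertionValidationError(Exception):
    """UDC_IDENTIFIER was not asserted in the response."""


class ServiceMismatchError(Exception):
    """BANNER-SV in the response is not the service the ticket was requested for."""


def is_service_ticket(ticket: str) -> bool:
    """bannerValidate must not accept proxy tickets, so a client only sends ST- tickets."""
    return ticket.startswith("ST-")


def parse_udc_identity(xml_text: str, expected_service: str) -> dict:
    """Extract UDCIdentifier, LogonID and extension attributes; raise on the documented failure cases."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}UDCIdentity" % NS["urn"]:
        raise ValueError("not a UDCIdentity response")
    udc = (root.findtext("urn:UDCIdentifier", namespaces=NS) or "").strip()
    if not udc:
        raise AssertionValidationError("UDC_IDENTIFIER not asserted")
    logon = (root.findtext("urn:LogonID", namespaces=NS) or "").strip()
    attrs = {}
    for attr in root.findall("urn:Extension/urn:Attribute", NS):
        name = (attr.findtext("urn:name", namespaces=NS) or "").strip()
        value = (attr.findtext("urn:value", namespaces=NS) or "").strip()
        if name:
            attrs[name] = value
    # The service echoed back must be the one the ticket was issued for (BANNER-SV).
    if attrs.get("BANNER-SV") != expected_service:
        raise ServiceMismatchError(f"BANNER-SV {attrs.get('BANNER-SV')!r} != {expected_service!r}")
    return {"udc_identifier": udc, "logon_id": logon, "attributes": attrs}


def validate(ticket: str, response_xml: str, service: str) -> dict:
    """What a validation filter does once bannerValidate answers: refuse proxy tickets, then parse."""
    if not is_service_ticket(ticket):
        raise ValueError("only service tickets (ST-) may be presented to bannerValidate")
    return parse_udc_identity(response_xml, service)


SERVICE = "maldevl5.sct.com/cas-client-31/authorized/banner/SelfService"

# Constructed from the guide's example response.
SAMPLE_RESPONSE = f"""<urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>{SERVICE}</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>"""

# Constructed failure case: the identifier element is present but empty (UDC_IDENTIFIER not asserted).
NO_UDC_RESPONSE = SAMPLE_RESPONSE.replace("3C9CBAC307313872E0440003BA1015A4", "")

if __name__ == "__main__":
    print(validate("ST-1-constructed", SAMPLE_RESPONSE, SERVICE))
```

The BANNER-SV comparison is the client's defence against a ticket issued for one service being replayed against another; the ticket itself is opaque, so the echoed service identifier is the only thing the client can check it against.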
The CAS server asserts the following attributes:
Attribute        Location in Response
UDC_IDENTIFIER   UDCIdentity/UDCIdentifier
CAS Net ID       UDCIdentity/LogonID
Configure the CAS server
The Luminis Platform CAS server must be configured to extend the basic CAS services to support the bannerValidate service. This service is configured to retrieve UDC_IDENTIFIER data from your LDAP directory.
If the Luminis Platform CAS server was installed using the Luminis Installer, support for the bannerValidate service has been automatically configured. If you are using an externally managed CAS server as described in the Luminis Platform Installation Guide, then you must manually configure the CAS server to support the bannerValidate service by following the steps outlined in the “Configure the CAS Server” appendix.
CAS managed services
The following are the primary CAS managed services. Some or all of these services may already exist in your CAS managed services page after the initial installation of Luminis. The CAS managed services page is found in the following location:
https://<casservername>:<port>/cas-web/services/manage.html
• A typical Luminis/CAS installation would require at least the following CAS-managed service:
https://<casservername>:<https port>/cas-web/services
For this service, select the uid attribute and check the Enabled, Allowed to Proxy, and SSO Participant check boxes.
• The Admin server login URL would display as follows: https://<luminisservername>:<https port>/c/portal/login
A separate c/portal/login service URL needs to be defined for each Luminis Platform hostname (such as the Admin and Portal tiers, or the virtual hostname if that is the URL being used by end users to access the service). This service does not require any attributes. Recommended Status check boxes are Enabled, Allowed to Proxy, and SSO Participant.
• The Admin server banner-cas-client URL should display as follows: https://<adminservername>:<https port>/banner-cas-client/authorized/banner
A separate banner-cas-client/authorized/banner service URL needs to be defined for each Luminis Platform instance (Admin and Portal tiers, or the virtual hostname if end users are using that URL to access the service in question). Mark the Enabled and SSO Participant check boxes and select the UDC_IDENTIFIER attribute.
Note: UDC_IDENTIFIER does not display in the attribute list until the CAS customizations detailed in the “Configuring CAS server to enable bannerValidate” section take effect. A restart of the CAS server is required.
If necessary, edit the CAS managed services that the CAS server protects.
Use the following steps to define new CAS managed services, if required:
1. Launch a browser and navigate to the CAS server management page at the following URL: https://<CAS server>:<port>/cas-web/services/manage.html
2. Supply a valid administrator user name and password obtained from the CAS administrator. The Services Management page is displayed.
3. Click the Add New Service tab in the left corner of the page.
4. Add a new service by entering the fields as exemplified in the table below.
5. Click Save Changes. The CAS server protects the service that you defined.
Parameter     Description
Name          CAS services
Service URL   https://<cas-server>:<port>/cas-web/services
Description   Protect cas services
Theme Name    Cas
Status        Select Enabled and SSO Participant
Attributes    The service attributes
Banner CAS client configuration
Once the CAS server is configured to support Banner Enterprise Identity Services we can configure Internet-native Banner and Banner Self-Service to participate in a CAS Single Sign-On (SSO) session This is accomplished when you deploy the Banner CAS Client Web application in the Admin server and the Portal server This application proxies the CAS authentication process to the Banner SSO proxy Web applications that support Internet-native Banner and Banner Self-Service The application is only required in a CAS-based environment
Use the following steps to install and configure the Banner CAS Client Web application
1 After you deploy the banner-cas-client version supplied with Banner Enterprise Identify Services for the Luminis Platform Admin and Portal instances modify the following parameters in the $CP_ROOTproductstomcattomcat-ltportal|admingtwebapps banner-cas-clientWEB_INFclassescas-propertiescas-clientproperties file
Parameter Description
bannerssogateway URL to the Banner SSO Web Proxy which is part of the Banner Identity Gateway deployment
casservergateway Property that determines whether the login screen is displayed to the user The default is set to false
Parameter / Description

cas.server.renew
Property that determines whether users must log in to each application. If set to true, users must log in to each application regardless of whether an SSO session was established. Use this setting if users are allowed to log in to another application within the SSO realm without providing credentials again. If set to false, users do not need to log in to each application if an SSO session was established. Use this setting for general use.

cas.server.url
URL to the CAS server. Generally this is a secured container, meaning the URL should begin with HTTPS.

cas.server.proxyCallbackUrl
Server proxy callback URL, which should point to the CAS server and port.

cas.client.serverName
Client server address, which consists of the fully qualified server name and port where the application is running.
Note: This should include the SSL port number.

cas.client.proxyCallbackUrl
Client proxy callback URL, which should point to the server and port where the client application is running.
Note: This should include the SSL port number.

For example, the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file may appear as follows:

• Admin:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443

• Portal:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com:443

• The following three properties are not in use:
cas.server.gateway=false
cas.server.proxyCallbackUrl=
cas.client.proxyCallbackUrl=

2. Test the Web application by invoking the following URL. This URL should be accessible from all resource and Portal tiers:
https://<Luminis host>:<SSL PORT>/banner-cas-client

The following URLs are used to start Banner in a CAS Single Sign-On environment:
• Internet-native Banner: http://<host>:<port>/banner-cas-client/authorized/banner/OracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/banner/SelfService
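A small checker for one tier's cas-client.properties, added here as an example and not part of the guide or the banner-cas-client code. It encodes the rules the table states (HTTPS CAS URL, the tier's own FQDN plus SSL port in cas.client.serverName, unused proxy-callback properties left inert); the host names and the sample file content are constructed from the example above.

```python
"""Check a tier's banner-cas-client cas-client.properties against the guide's rules.

Added example, not part of the original guide. It encodes the table above:
cas.server.url must be HTTPS, cas.client.serverName must be this tier's own
FQDN with its SSL port, and the proxy-callback/gateway properties that the
guide marks as not in use should stay empty or false. Host names and the
sample file content below are constructed from the guide's example.
"""
from urllib.parse import urlparse

# Constructed sample modelled on the Admin-tier example in the guide.
ADMIN_TIER_PROPERTIES = """\
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
# The following three properties are not in use
cas.server.gateway=false
cas.server.proxyCallbackUrl=
cas.client.proxyCallbackUrl=
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_cas_client(props, tier_fqdn, ssl_port=443):
    """Return a list of findings for one tier's file; an empty list means it passes."""
    findings = []

    # The CAS server URL carries service tickets, so it must be an HTTPS endpoint.
    url = urlparse(props.get("cas.server.url", ""))
    if url.scheme != "https" or not url.netloc:
        findings.append("cas.server.url must be an https:// URL to the CAS server")

    # Each tier must announce itself, including the SSL port; a file copied from
    # another tier without changing this value points CAS at the wrong host.
    expected = f"{tier_fqdn}:{ssl_port}"
    actual = props.get("cas.client.serverName", "")
    if actual != expected:
        findings.append(f"cas.client.serverName should be {expected}, found {actual!r}")

    # renew=true forces fresh credentials at every application; the guide uses
    # false for general use. Anything else is a typo the client will not honour.
    if props.get("cas.server.renew", "false") not in ("true", "false"):
        findings.append("cas.server.renew must be literally true or false")

    # Properties the guide documents as not in use: keep them inert.
    if props.get("cas.server.gateway", "false") != "false":
        findings.append("cas.server.gateway is documented as not in use; leave it false")
    for key in ("cas.server.proxyCallbackUrl", "cas.client.proxyCallbackUrl"):
        if props.get(key, ""):
            findings.append(f"{key} is documented as not in use; leave it empty")
    return findings


if __name__ == "__main__":
    admin = parse_properties(ADMIN_TIER_PROPERTIES)
    print("admin tier:", check_cas_client(admin, "slcsup37.sct.com") or "OK")
    # The same file dropped unchanged onto the portal tier is caught here.
    print("portal tier:", check_cas_client(admin, "slcsup38.sct.com"))
```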
Banner Enterprise Identity Services Configuration Information Tables

The following is a list of tables that store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.

For Identity Data Export Utilities, as with other Web apps, the configuration is stored in the properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory the files are stored in the following location:
applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties

Schema     Table            Application                         Comments
BNIXMGR    APCONFG          Banner Identity Gateway             Stores Application Configuration for SSB and INB
BNIXMGR    WSCONFG          Banner Identity Gateway             Stores Configuration for the Open Digital Campus Identity Web Service (Credential service and Ticketing service)
IDENTMGR   T_UDC_PST_LIST   Enterprise Identity Proxy Services  Stores a list of Provisioning Service Targets
Luminis Banner Web application

This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.

Use the following steps to deploy these portlets:

1. Make the necessary changes to certain properties located in the following folders:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
$CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes

2. The properties that need to be modified with respect to the Banner portlets are as follows:

# The URL to access the Banner Portal Servlet
# Example: http://slcban3.sungardhe.com:7778/banportals
providerServlet.url=<URL for the banportals application>
# The user name to secure the servlet
providerServlet.userName=channelAdmin
# The password to secure the servlet
providerServlet.password=u_pick_it
version=development
# The SSB URL for the English locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssbbannerlinkurlen_US=<The URL for the English locale for SSB>
# The SSB URL for the French locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssbbannerlinkurlfr_FR=<The URL for the French locale for SSB>
# The SSB URL for the Spanish (Mexican) locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssbbannerlinkurles_MX=<The URL for the Spanish-Mexican locale for SSB>
# The SSB URL for the Arabic locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssbbannerlinkurlar_SA=<The URL for the Arabic locale for SSB>
# The SSB URL for the Brazilian locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssbbannerlinkurlpt_BR=<The URL for the Brazilian locale for SSB>
# The BEIS version: either 8.1.4 for versions that are <= 8.1.4, or 8.1.5
beisversion=8.1.4
# The banner-cas-client URL for SSB, used when BEIS <= 8.1.4
bannercasclientssb=banner-cas-client/authorized/banner/SelfService
# The banner-cas-client URL for INB, used when BEIS <= 8.1.4
bannercasclientinb=banner-cas-client/authorized/banner/OracleForms?launch_form=
# The SSB URL for SSO Manager, used when BEIS 8.1.5 is used (the pkg parameter must match the value configured in SSO Manager)
beisssomanagerssb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/SSB?pkg=
# The INB URL for SSO Manager, used when BEIS 8.1.5 is used
beisssomanagerinb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner
The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, running either in a separate Web application server or as a Web application in the Internet Native Banner (INB) Application server.

This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server and modifications to be made to the deployment of the Luminis Platform portlet for Banner server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.

For updates to the Middle Tier instructions, see the CommonsLuminis (Luminis Platform 5) collaboration wiki:
http://www.edu1world.org/CommonsLuminis
This section includes the following topics:
• “Create the home directory for Luminis Channels for Banner”
• “Edit the configuration file”
• “Banner database connection configuration properties”
• “Generate the banportals.ear file”
• “Deploy the EAR file”
• “Banner portlet life cycle”
Create the home directory for Luminis Channels for Banner

To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels

Copy the contents of your Banner production directory channel/admin to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.

Edit the configuration file

Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties

The following table specifies descriptions and examples of the Banner database connection configuration properties.

Property: connectionName.list
Description: Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName, and so on.
Example: connectionName.list=default or connectionName.list=default other

Property: default.tnsName
Description: TNS name used when connecting to the Banner database.
Example: default.tnsName=LB70.sct.com

Property: default.userName
Description: Connection pool user name.
Example: default.userName=banproxy

Property: default.password
Description: Connection pool password.
Example: default.password=banproxy

Property: default.poolConfig.min-limit
Description: Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
Example: default.poolConfig.min-limit=1

Property: default.poolConfig.max-limit
Description: Maximum number of physical connections maintained by the pool.
Example: default.poolConfig.max-limit=5

Property: default.poolConfig.increment
Description: Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
Example: default.poolConfig.increment=1

Property: default.poolConfig.timeout
Description: The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The default time is in seconds.
Example: default.poolConfig.timeout=30

Property: log4j.rootCategory
Description: The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.

Property: providerServlet.url
Description: URL to access the Banner portal servlet. This is the URL of the webserver and points to the OC4J servlet, which resides on the webserver machine. The port of 4445 in the document is an example. You provide the port number that routes you to the welcome page of the webserver, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. Reference “Generate the banportals.ear file” on page 2-14 for the banportals portion of the URL.
Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD

Property: providerServlet.userName
Description: User name to secure the servlet.
Example: providerServlet.userName=channelAdmin

Property: providerServlet.password
Description: Password used to secure the servlet.
Example: providerServlet.password=u_pick_it

Property: xsl-parameter.erpUrlBase
Description: URL for the INB server.
Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL.
Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D

Property: xsl-parameter.urlHostAndPath
Description: URL for the self-service application.
Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD

The recommended value for the username is channelAdmin. You can use any value for the password.

This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a Channel request, it compares the username and password stored in banportals.ear with the username and password sent by Luminis from the luminis-banner webapp. Thus the providerServlet username and password should only be defined in the banportals.config file. There does not need to be any corresponding OS user, Oracle user, and so forth.

Generate the banportals.ear file

The banportals.config file contains values that should be inserted into the banportals.ear file.

To roll out the changes, use the installer file banportalsadmin.jar. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config

Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in “Luminis Banner Web application” on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager as described in “Deploy the EAR file” on page 2-15.
Deploy the EAR file

SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.

To use the Oracle Enterprise Manager, complete the following steps:

1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) server using mapped drives or symbolic links to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the application currently being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle

The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places a Banner Portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.

Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:
USERMAP_OPT = N

The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP username mapping first, based on the GUAUPRF LDAP settings, and then fail over to the mapping set in the Banner GOBEACC table. For more information about SSB and INB configurations, see “SSB and INB Integration” on page 4-1.
3 Data-Level Integration and Provisioning

Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and event-driven infrastructure.

This chapter discusses the following sections:
• “Learning Message Gateway”
• “Configure JMS provider with Luminis Platform”

Learning Message Gateway

The Learning Management Gateway (LMG) is an architectural component designed for use with Banner Integration for e-Learning. It supports Banner Integration for eLearning.

This section explains the following topics:
• “Background from a Luminis Platform 4 perspective”
• “Install LMG 4.0”
• “Set up users and administered objects in o=messaging”
• “Enable LDAP user repository for MQ”
• “Set up GlassFish MQ access control”
• “Custom JMS Clients”

Background from a Luminis Platform 4 perspective

Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ-wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework Application Server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.

Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.

GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish OpenMQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, and the …/imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties).

You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the OpenMQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.

The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.

The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0

Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.

To install LMG 4.0, complete the following steps:

1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows:
mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following code to .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
export SCT_LMG_HOME
3. Copy lmg4.0.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgX.x.jar -erp plus/banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true/false -notification true/false
For example, the command may appear as follows:
java -jar lmg4.0.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging

A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.

The full script is listed in “Full lp5_mqinit.sh script” on page C-5.

To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis

The lp5_mqinit.sh script creates users and administered objects such as topics, queues, and connection factories in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:

• Environmental settings:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq

• MQ_LMG should match the credentials defined for LMG in event_providers.plist:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password

• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password

• MQ_JMS_PORT should match imq.jms.tcp.port, and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use the imq.portmapper.port, which has a default value of 7676:
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.

• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache. MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.

• Other settings, which should only be modified in non-standard configurations:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389

Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ

Update <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>

The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search, and compare privileges in o=messaging.

To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR

Change the latter, imq.log.level, to INFO for low-level/debug logging.

Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control

Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.

To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.

connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
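An audit of an accesscontrol.properties file of the form shown above, added here as an example and not part of the guide or OpenMQ. It lists what each principal may do and flags a principal name that is not one of the MQ users (a misspelling such as lumser quietly leaves the real user without access) or a wildcard that opens a destination to everyone; the sample rules are constructed from the listing above.

```python
"""Audit an OpenMQ accesscontrol.properties for least privilege.

Added example, not part of the original guide. It parses the rule syntax used
above (connection.<type>.allow.user and queue|topic.<name>.produce|consume.allow|deny.user),
reports what each principal may do, and flags two common mistakes: a principal
that is not one of the known MQ users (a misspelling silently denies the real
user) and a wildcard that opens a destination to every authenticated user.
Sample rules are constructed from the guide's listing.
"""
import re
from collections import defaultdict

# Users created for LMG and Luminis by lp5_mqinit.sh (names from the guide).
KNOWN_USERS = {"lmguser", "lumuser"}

# Constructed sample: the guide's rules, with one principal misspelt ("lumser")
# and one wildcard added, so the audit has something to report.
SAMPLE_ACL = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=*
"""

RULE = re.compile(
    r"^(?P<kind>connection|queue|topic)\.(?P<name>[^.]+)"
    r"(?:\.(?P<op>produce|consume|browse))?"
    r"\.(?P<verdict>allow|deny)\.(?P<subject>user|group)=(?P<who>.*)$"
)


def parse_acl(text):
    """Return one dict per rule; an unrecognised line raises so a typo never passes silently."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unrecognised access-control rule: {line}")
        rule = m.groupdict()
        rule["who"] = [p.strip() for p in rule["who"].split(",") if p.strip()]
        rules.append(rule)
    return rules


def audit_acl(text, known_users):
    """Return (findings, grants): findings is a list of strings, grants maps user -> set of rights."""
    findings = []
    grants = defaultdict(set)
    for r in parse_acl(text):
        target = f"{r['kind']}:{r['name']}" + (f":{r['op']}" if r["op"] else "")
        if r["subject"] != "user":
            continue  # group rules need the LDAP group lookup; not covered here
        for principal in r["who"]:
            if principal == "*":
                if r["verdict"] == "allow":
                    findings.append(f"{target} is open to every authenticated user (*)")
                continue
            if principal not in known_users:
                findings.append(
                    f"{target}: unknown principal {principal!r}; the intended user gets no access"
                )
                continue
            if r["verdict"] == "allow":
                grants[principal].add(target)
            else:
                grants[principal].discard(target)
    return findings, dict(grants)


if __name__ == "__main__":
    problems, rights = audit_acl(SAMPLE_ACL, KNOWN_USERS)
    for line in problems:
        print("FINDING:", line)
    for user, targets in sorted(rights.items()):
        print(user, "->", ", ".join(sorted(targets)))
```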
Custom JMS Clients

Ensure that your JMS clients contain the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match those in <glassfish>/mq/lib.

Configure JMS provider with Luminis Platform

The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ, or Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.

In most cases installation is simply extracting the archive to a desired directory.

As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server:

1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.

Use the following steps to configure GlassFish and MQ:

2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps:
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:

3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps:
Note: The imqusermgr command creates users in the file-system-based user repository but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use with IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made
on port 7676. The MQ then broadcasts the ports to use for other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.

If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
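The static-port verification above can be scripted rather than read off a telnet session. The following is an added example, not part of the guide or of OpenMQ: it parses a portmapper response, compares the admin and jms entries with the imq.*.port values from config.properties, and lists TCP services still on a broker-chosen port. The two responses are constructed from the transcripts above with a placeholder host name.

```python
"""Parse the OpenMQ portmapper response and verify the static-port change.

Added example, not part of the original guide. parse_portmapper() reads the
text the broker returns on port 7676 (the telnet transcripts above), and
check_static_ports() confirms that admin and jms now sit on the ports set in
config.properties rather than on ephemeral ones, and lists any TCP service
still on a dynamic port that a firewall rule would have to cover. The sample
responses are constructed from the transcripts with a placeholder host name.
"""
import socket

# From the imq.admin.tcp.port / imq.jms.tcp.port / imq.ssljms.tls.port lines above.
STATIC_PORTS = {"admin": 7574, "jms": 7575, "ssljms": 7576}

# Constructed: the response before static ports were configured.
BEFORE = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,imqhome=/opt/glassfishv3/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://broker.example.edu/jndi/rmi://broker.example.edu:8686/broker.example.edu/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
"""

# Constructed: the response after the restart with static ports in place.
AFTER = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://broker.example.edu/jndi/rmi://broker.example.edu:8686/broker.example.edu/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""


def parse_portmapper(text):
    """Return (broker_version, {service: (protocol, type, port)}) from a portmapper dump."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("101 "):
        raise ValueError("not a portmapper response (expected a '101 <broker> <version>' line)")
    version = lines[0].split()[2]
    services = {}
    for line in lines[1:]:
        fields = line.split(None, 4)  # name protocol type port [extra...]
        if len(fields) < 4:
            continue
        name, protocol, svc_type, port = fields[:4]
        services[name] = (protocol, svc_type, int(port))
    return version, services


def check_static_ports(services, expected=STATIC_PORTS):
    """Return {'mismatch': {service: (found, expected)}, 'dynamic': [service, ...]}."""
    mismatch, dynamic = {}, []
    for name, (protocol, _svc_type, port) in services.items():
        if port == 0 or name == "portmapper":
            continue  # not listening, or the fixed 7676 entry point itself
        if name in expected:
            if port != expected[name]:
                mismatch[name] = (port, expected[name])
        elif protocol == "tcp":
            dynamic.append(name)  # e.g. cluster: still chosen by the broker at each start
    return {"mismatch": mismatch, "dynamic": dynamic}


def query_portmapper(host, port=7676, timeout=5.0):
    """Fetch a live response: the broker writes the dump and closes, as in the telnet sessions."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


if __name__ == "__main__":
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        version, services = parse_portmapper(dump)
        print(label, "imqbroker", version, check_static_ports(services))
```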
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.

If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.

Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on the HTTPS traffic.

For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration

This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:

• “User ID mappings”
• “Create the o=SCTSSOapplications base DN”
• “Verify usermap mapping setup for INB users using the proxyinfo.sql script”
• “Configure user map lookups”

User ID mappings

User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is held in the GOBUMAP configuration; PIDM <-> SPRIDEN ID mappings are in the SPRIDEN table; PIDM <-> INB (Oracle) login mappings are in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.

The LDAP-authentication layer is not needed beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gathers data from Oracle to stream back via the portlets. No additional LDAP authentication or SPRIDEN-ID lookup against LDAP is involved in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, place trust in the initial CAS ticket (as in the Luminis-CAS login on port 8447) coupled with the assertion of the UDCID in the configured cookie and header.

Luminis Portlets for Banner add database-level security with Banportals for each transaction, using either the user's actual INB/Oracle user account or a proxy via BANPROXY.

Other questions to consider when setting up a user in Banner applications are as follows:

• Does the user have a mapping in GOBUMAP from their UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured, via your CAS server's services management page (cas-web/services/manage.html), to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?

Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations: the domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN

To create an optional base DN such as o=SCTSSOapplications, you can use the OpenDS control-panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the BASELINE user in GUAUPRF.

For more information about managing base DNs with the control panel, see the following link:

https://www.opends.org/wiki/page/ManagingDnsWithControlpanel

To create the base DN, complete the following steps:

1. Run the dsconfig command in $CP_ROOT/products/opends/bin as follows:

dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced

1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN. For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Select Use these values.
1.7 Press F to finish and apply the changes to the Local DB Backend.

2. Import the attached sso_oclass_lum5.ldif file as follows:

ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif

For example files, see the “Sample sso_oclass_lum5.ldif” and “Sample o=sctssoapplications.ldif” sections in Appendix C, “Sample Scripts and Files”.

3. Import the sctssoapplications.ldif file:

import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script

The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.

Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any user who does not have an explicit usermap entry, the default Oracle ID (usually banproxy) results.

If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups

In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.

The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for the purposes of INB channels such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key

When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server that hosts the user mappings. The Directory Manager password used to bind to LDAP is stored on GUAUPRF and is encrypted with DES through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.

Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, you may skip this step and proceed to “Create entries in LDAP for usermap” on page 4-5.

If KEY_DIR does not exist in the DBA_DIRECTORIES view and the physical directory has not been created on your database server, create it using the following steps. Make sure the group permissions make it readable by Oracle.

1. Create the physical directory on your database server, for example: mkdir $BANNER_HOME/key_dir

2. Create a plain text file named enckey in the directory.

3. Edit the enckey file and enter the key, such as PASSWORD.

Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.

The passwords stored and passed by the SSO process are encrypted using DES and your key.

4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step 1. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR

Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.

5. Run the script as follows:

sqlplus /nolog
connect general/general_password
start banssodir
Create entries in LDAP for usermap

If LDAP user mappings are enabled (as optionally configured by the BASELINE user in GUAUPRF), you must add the configuration entries to your LDAP directory. The default DN path is as follows:

o=config,o=Banner,o=SCTSSOapplications

UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If a user's ID is the same in both systems, an entry in this location is neither necessary nor recommended for that user.

In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:

• The same value:
  Luminis ID = jsmith
  Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
  Luminis ID = JoeSmith
  Oracle/Banner ID = jsmith

The following example explains how to establish and test the ID mapping if the IDs differ from one another. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.

1. Create a mapping file, for example sso_map.ldif:

dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith

2. Import the mapping file into the LDAP server:

ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline

Note: You must wait approximately 20 minutes for the mapping to take effect.

3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see “Luminis Banner Web application” on page 2-9.

Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the new mapping is read.
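To illustrate the lookup that the "Verify usermap mapping setup" section and this mapping procedure both rely on, the following Python (an added example, not part of the guide or of Banner) parses a usermap LDIF in the shape of sso_map.ldif above and resolves a Luminis ID to its Oracle/Banner ID, falling back to a default proxy ID when no entry exists; the default of banproxy, the function names and the sample LDIF text are assumptions.

```python
"""Resolve a Luminis login ID to its Banner/Oracle ID from a usermap LDIF.

Added example, not part of the guide or of Banner. It performs the lookup that
proxyinfo.sql reports on: entries under o=usermap,o=Banner,o=SCTSSOapplications
take precedence, and anyone without an explicit entry gets the default Oracle
ID. The default of banproxy and the LDIF text below are constructed.
"""
from __future__ import annotations

USERMAP_BASE = "o=usermap,o=banner,o=sctssoapplications"   # compared case-insensitively
DEFAULT_ORACLE_ID = "banproxy"                               # assumption: site default proxy
GENERIC_IDS = {"INTEGMGR", "WWW_USER", DEFAULT_ORACLE_ID.upper()}

# Constructed sample in the shape of sso_map.ldif plus the UserMapDN config entry.
SAMPLE_LDIF = """\
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse LDIF entries into dicts of lower-cased attribute name -> values.

    Handles the LDIF features the samples use: blank-line separated entries,
    '#' comments, and continuation lines (a leading space folds the line into
    the previous value). Base64 (::) values are left undecoded.
    """
    entries: list[dict[str, list[str]]] = []
    pending: list[str] = []
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if raw.startswith(" ") and pending:
            pending[-1] += raw[1:]
        elif raw.strip() == "":
            if pending:
                entry: dict[str, list[str]] = {}
                for line in pending:
                    if line.startswith("#"):
                        continue
                    attr, _, value = line.partition(":")
                    entry.setdefault(attr.strip().lower(), []).append(value.strip())
                entries.append(entry)
                pending = []
        else:
            pending.append(raw)
    return entries


def build_usermap(entries: list[dict[str, list[str]]]) -> dict[str, str]:
    """Collect cn -> SCTSSOConfigString for SCTSSOConfig entries under the usermap base."""
    usermap: dict[str, str] = {}
    for entry in entries:
        dn = entry.get("dn", [""])[0].lower()
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "sctssoconfig" not in classes or not dn.endswith("," + USERMAP_BASE):
            continue
        cn = entry.get("cn", [""])[0]
        target = entry.get("sctssoconfigstring", [""])[0]
        if cn and target:
            usermap[cn.lower()] = target    # cn is caseIgnoreMatch, so key on lower case
    return usermap


def resolve_oracle_id(luminis_id: str, usermap: dict[str, str]) -> tuple[str, bool]:
    """Return (oracle_id, explicitly_mapped), the way proxyinfo.sql reports it.

    Without a usermap entry the default Oracle ID is returned; seeing a generic
    ID such as INTEGMGR or WWW_USER there means no mapping was found.
    """
    mapped = usermap.get(luminis_id.lower())
    if mapped:
        return mapped, True
    return DEFAULT_ORACLE_ID, False


def is_generic(oracle_id: str) -> bool:
    """True if the resolved ID is one of the generic/default accounts."""
    return oracle_id.upper() in GENERIC_IDS


if __name__ == "__main__":
    usermap = build_usermap(parse_ldif(SAMPLE_LDIF))
    for lid in ("JoeSmith", "joesmith", "jdoe"):
        oid, explicit = resolve_oracle_id(lid, usermap)
        print(f"{lid:10} -> {oid:10} {'usermap' if explicit else 'default'}")
```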
Configure parameters using GUAUPRF

To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:

1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value is displayed as the default value for new users who log in to Banner.

Parameter       Description
BIND_PASSWORD   The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER       A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.
DN              The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER          The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter uses the Internet URL format for LDAP, for example ldap://myldapserver:389.
                Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT     Usermap option. Valid values are as follows:
                L - LoginID is being used for login mapping
                N - No usermap option is used
USERMAP_PRFX    Prefix for the usermap. This contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
                Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).

5. In the SSL (Secure Sockets Layer) key, configure the following parameters:

Parameter       Description
LOCATION        To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where this wallet is created, using the file URL format. For example: file:d:\wallet for Windows, file:/u01/wallet for Unix.
PASSWORD        The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE            The SSL authentication mode, which can be one of the following values:
                1 - No authentication is required (SSL encryption only)
                2 - One-way authentication is required; the client certificate is authenticated by the server
                3 - Two-way authentication is required; the client and the server authenticate each other's certificates
A CAS Server Configuration

Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.

For an overview of CAS in relation to Luminis Platform 5, see “Central Authentication Service and Banner Enterprise Identity Services” on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.

1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.

2. Download the CAS extensions JAR file.

A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions listed below.

2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:

SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip

3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:

4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:

jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar

4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:

<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>

4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:

4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the util:map with id="uniqueIdGeneratorsMap" in the uniqueIdGenerators.xml file:

<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />

4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.

Use the following steps to modify the argumentExtractorsConfiguration.xml file:

4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:

<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>

4.3.3 Add the following reference to the util:list argumentExtractors:

<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>

4.3.4 Save and close argumentExtractorsConfiguration.xml.

4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.

Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following XML configuration:

<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
      p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:proxyHandler-ref="proxy20Handler"
      p:argumentExtractor-ref="BannerArgumentExtractor"
      p:successView="bannerAccountServiceSuccessView"
      p:failureView="bannerAccountServiceFailureView" />

4.4.2 Add the following property to the bean handlerMappingC:

<prop key="/bannerValidate">bannerAccountValidateController</prop>

4.4.3 Save and close the cas-servlet.xml file.

4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:

<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:

<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:

<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>

<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>

<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>

<bean id="httpClient" class="org.jasig.cas.util.HttpClient">
4.5.4 Save and close the deployerConfigContext.xml file.

4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.

4.6.1 Open default_views.properties.
4.6.2 Add the following lines:

# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView

4.6.3 Save and close default_views.properties.

4.7 Define CAS managed services. For more information, see “CAS managed services” on page 2-4.
B Logs

Banner Enterprise Identity Services logs help you understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.

You can also enable debug logging for the GlassFish message queue (MQ) component.

Banportals logs

BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:

$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties

For example, to create a unique log file that captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:

log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:

$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties

Alternatively, you can add the following to your common log4j.properties stored in the following location:

$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties

log4j.logger.com.sct.banner.portals=DEBUG,file
log4j.logger.com.sghe.luminis.banner=DEBUG,file

If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:

$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1

There are several application-specific logs you can also refer to, such as the following:

[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log

For HTTP-layer monitoring, refer to the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.

You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.

Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; they take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs

Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs

If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:

/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties

Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties

Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:

# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.

Learning Management Gateway (LMG) logs

Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) within the LMG log files.

The main LMG log files are as follows:

$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)

The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.

To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:

log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG

Once these properties are set, restart LMG and capture the logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.

If the LMG processed the files successfully, you see messages in the log files similar to the following example:

2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
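To make that log output useful in triage, the following Python (an added example, not Ellucian code) parses adapter.log lines in the format shown above, tracks the three milestones per event ID, and lists the events that never reached the final publish step; the function names are mine, and the sample lines beyond the three shown above are constructed.

```python
"""Correlate LMG adapter.log lines by event ID and flag events that stalled.

Added example, not Ellucian code. It parses lines in the format shown above,
records which of the three success milestones each event ID (the GOAEQRM
Event Sequence) reached, and reports the IDs that never reached the last one.
"""
from __future__ import annotations

import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Milestones in processing order; group 1 of each pattern is the event ID.
MILESTONES = [
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("published_to_broker", re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("published_to_target", re.compile(r"The event (\d+) has been published to (\S+)")),
]

# Constructed sample: 370660 completes, 370661 stops after validation, and
# 370662 fails validation (the ERROR line is made up for illustration).
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,118 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:05,300 [Thread-11] ERROR events.com.sctcorp.events.StandardEventProvider - XML for 370662 is not a valid document
"""


def parse_line(line: str) -> dict[str, str] | None:
    """Split one adapter.log line into its fields, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def track_events(log_text: str) -> dict[str, dict]:
    """Map each event ID to the milestones it reached (with timestamps),
    the target it was published to, and any ERROR/WARN lines naming it."""
    events: dict[str, dict] = defaultdict(
        lambda: {"milestones": {}, "target": None, "errors": []}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # not an adapter.log record; skip it
        if rec["level"] == "INFO":
            for name, pattern in MILESTONES:
                hit = pattern.search(rec["msg"])
                if hit:
                    ev = events[hit.group(1)]
                    ev["milestones"][name] = rec["ts"]
                    if name == "published_to_target":
                        ev["target"] = hit.group(2)
                    break
        elif rec["level"] in ("ERROR", "WARN"):
            # Attach the error to every event-sequence-looking number it names.
            for event_id in re.findall(r"\b(\d{5,})\b", rec["msg"]):
                events[event_id]["errors"].append(f"{rec['ts']} {rec['msg']}")
    return dict(events)


def stalled_events(events: dict[str, dict]) -> list[tuple[str, str]]:
    """Return (event_id, last_milestone_reached) for events that did not
    reach the final publish step; 'none' if no milestone was reached."""
    order = [name for name, _ in MILESTONES]
    stalled: list[tuple[str, str]] = []
    for event_id, ev in sorted(events.items()):
        reached = [name for name in order if name in ev["milestones"]]
        if order[-1] not in reached:
            stalled.append((event_id, reached[-1] if reached else "none"))
    return stalled


if __name__ == "__main__":
    tracked = track_events(SAMPLE_LOG)
    for event_id, last in stalled_events(tracked):
        errs = tracked[event_id]["errors"]
        print(f"event {event_id}: stalled after '{last}'"
              + (f"; errors: {errs}" if errs else ""))
```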
GlassFish MQ 4.5 logs

If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:

1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log

2. To enable debug for those logs, run the following command:

imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG

This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:

imq.log.level=DEBUG

3. To change the destination file name for the MQ log, add or edit the following properties:

imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files

This appendix contains examples of scripts and LDIF files you might use during the integration. These include the following:

• “Sample proxyinfo.sql script”
• “Sample 00-core.ldif”
• “Sample 99-user.ldif”
• “Sample sso_oclass_lum5.ldif”
• “Sample o=sctssoapplications.ldif”
• “Full lp5_mqinit.sh script”

Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:

--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type: start proxyinfo
-- to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail: 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
--
-- Audit Trail: 1.1
-- ___________________________________________________________
-- 1. Update TH 06-APR-07
-- Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';      -- input to g$_get_proxy_info
  b varchar2(200) := 'LUMINIS';      -- input to g$_get_proxy_info
  c varchar2(200) := '&Luminis_ID';  -- Luminis ID entered at the prompt
  d varchar2(200);                   -- returned Oracle user
  e varchar2(200);                   -- returned role
  f varchar2(200);                   -- returned password (not displayed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif

The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif

The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attribute types associated with the o=SCTSSOapplications objects. When the following LDIF is imported, 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
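The usermap lookup that proxyinfo.sql exercises (a Luminis ID either maps to a Banner Oracle user under o=usermap, or the default Oracle ID is used) can be reproduced offline against the LDIF above. The following is an added example, not code from this guide or from Banner: it parses LDIF content (folded lines and base64 values included), reads the usermap base DN from the UserMapDN entry, and resolves a user. The sample LDIF is constructed from the entries shown above, and the default Oracle ID INTEGMGR is an assumed placeholder for the site's configured default.

```python
"""Resolve a Luminis user to its Banner Oracle user through the usermap entries
under o=SCTSSOapplications.

Added example; this is not code from the Ellucian guide or from Banner. The
LDIF below is constructed from the entries the guide shows, and the default
Oracle ID is an assumed placeholder for the site's configured default."""
import base64
from typing import Dict, List, Tuple

# Constructed sample: a cut-down o=sctssoapplications.ldif. It includes one
# folded line (a continuation line begins with a single space) and one
# base64-encoded value ("attr:: ...") so that both LDIF forms are exercised.
SAMPLE_LDIF = """version: 1
dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description:: TWFwIG9mIGt5bGUgdG8gc2Fpc3Vzcg==
SCTSSOConfigString: saisusr
"""

USERMAP_CONFIG_DN = "cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "INTEGMGR"  # assumption: the site's default Oracle ID

Entries = Dict[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> Entries:
    """Minimal LDIF content parser: unfolds continuation lines, decodes
    'attr:: base64' values, and returns {dn (lower-cased): {attr: [values]}}.
    Only add-style records are handled, which is all the usermap file uses."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # join continuation onto the previous line
        else:
            unfolded.append(raw)
    entries: Entries = {}
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:         # trailing blank line flushes the last record
        if not line.strip():
            if "dn" in current:
                entries[current["dn"][0].lower()] = current
            current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):        # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip(), []).append(value)
    return entries


def resolve_oracle_user(entries: Entries, luminis_id: str,
                        default: str = DEFAULT_ORACLE_ID) -> Tuple[str, bool]:
    """Return (oracle_user, mapped). Follows the lookup the guide's proxyinfo.sql
    exercises: read the usermap base DN from the UserMapDN config entry, look for
    cn=<luminis_id> under it, and fall back to the default Oracle ID when no
    mapping exists. luminis_id is assumed to need no RFC 4514 DN escaping."""
    config = entries.get(USERMAP_CONFIG_DN.lower())
    if config is None:
        raise LookupError("UserMapDN configuration entry not found")
    usermap_dn = config["SCTSSOConfigString"][0]
    entry = entries.get(("cn=%s,%s" % (luminis_id, usermap_dn)).lower())
    if entry is None:
        return default, False
    return entry["SCTSSOConfigString"][0], True


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user in ("kyle", "610009611", "nobody"):
        oracle_user, mapped = resolve_oracle_user(directory, user)
        print("%s -> %s (%s)" % (user, oracle_user, "mapped" if mapped else "default"))
```

DNs are compared case-insensitively, as a directory server would, so "KYLE" and "kyle" resolve to the same mapping; a user with no entry under o=usermap falls back to the default, which is exactly the case the proxyinfo.sql header describes (a generic Oracle ID such as INTEGMGR coming back means no mapping was found).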
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# (bash rather than plain sh: the script relies on [[ ]], read -s and (( )).)
# author: david.norton@sungardhe.com
#
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized:
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable.
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 )
        break ;;
      # Not necessarily errors; might indicate the script already ran:
      #   err=20 generally means "Attribute or Value Exists"
      #   err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * )
        echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for the DM password.
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# -w places the password on the command line, where it is visible in process
# listings for the duration of each dsconfig/ldapmodify call.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options.
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot.
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options.
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options.
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
# (The -l values are single-quoted so that the shell does not expand "$com_...".)
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# imqDestinationName must name the UpdateRequest queue destination listed above,
# not the com_sct_ldi_sis_Sync topic.
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration.
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
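The script stores MQ_LMG_USER_PW and MQ_LUM_USER_PW as clear-text userPassword values, and step 2 enables ds-cfg-allow-pre-encoded-passwords so that a hashed value can be loaded instead, in the form the comment after step 6 shows. The following added example (not part of lp5_mqinit.sh or of this guide) builds and checks an {SSHA} value and renders the LDIF "userPassword::" line for it; it also decodes the sample value quoted in the script to show what the base64 wrapper contains. The password behind that sample is not known, so only its structure is inspected; the constructed password and salt below are placeholders.

```python
"""Build and check pre-encoded {SSHA} userPassword values for the o=messaging
users created by lp5_mqinit.sh.

Added example; this is not part of the script or of the Ellucian guide.
GUIDE_SAMPLE_B64 is the value quoted in the script's comment after step 6; the
password behind it is not known, so only its structure is checked."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20

# From the guide: base64 of the whole "{SSHA}..." string, which is the form an
# LDIF "userPassword::" line carries.
GUIDE_SAMPLE_B64 = "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307-style salted SHA-1: {SSHA} + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, encoded: str) -> bool:
    """Check a password against an {SSHA} value, comparing digests in constant time."""
    if not encoded.startswith(SSHA_PREFIX):
        return False
    blob = base64.b64decode(encoded[len(SSHA_PREFIX):])
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def ldif_userpassword_line(encoded: str) -> str:
    """Render the LDIF line for a pre-encoded value ('::' marks a base64 value)."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def inspect_preencoded(b64_value: str) -> Dict[str, object]:
    """Decode a 'userPassword::' value and report scheme, payload and salt sizes.
    Lets an LDIF be sanity-checked before it is loaded, without the password."""
    encoded = base64.b64decode(b64_value).decode("ascii")
    if not encoded.startswith("{") or "}" not in encoded:
        raise ValueError("not a pre-encoded password (no {SCHEME} prefix)")
    close = encoded.index("}")
    scheme = encoded[1:close]
    blob = base64.b64decode(encoded[close + 1:])
    salt_len = len(blob) - SHA1_LEN if scheme == "SSHA" and len(blob) >= SHA1_LEN else None
    return {"scheme": scheme, "blob_len": len(blob), "salt_len": salt_len}


if __name__ == "__main__":
    print(inspect_preencoded(GUIDE_SAMPLE_B64))
    value = ssha_encode("constructed-example-password")   # placeholder password
    print(ldif_userpassword_line(value))
```

The guide's sample decodes to a 28-byte payload: a 20-byte SHA-1 digest followed by an 8-byte salt, which is the layout ssha_encode produces. Loading the hashed form keeps the clear-text value out of the LDIF and out of the shell history, while the directory still verifies binds against it.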
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given SPRIDEN ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, run as bansecr, described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the webservices configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration consistently wherever forms/frmservlet?config=… is referenced in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide's version is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
1 Introduction
Today's higher education institution requires a fully integrated solution that provides automated student information system integration with its portal and web-services delivery program. This guide outlines the steps necessary to configure data and presentation layer integration between the Banner Enterprise Resource Planning (ERP) systems and the Luminis Platform portal offering. Data integration refers to the transfer of user, group, term, department, course and other information from Banner through a Java Message Service (JMS) message queue and into Luminis Platform. Presentation layer integration refers to the setup and configuration necessary to enable CAS integration and single sign-on through Banner Enterprise Identity Services for the suite of Banner portlets.
The steps required to successfully complete Banner and Luminis Platform integration have been categorized into four sections. The first section relates to the Banner General, INB/SSB Middle Tier and Banner Enterprise Identity Services (BEIS) products. The second section relates specifically to the Luminis Platform. The third section outlines the items required to integrate the two. The fourth section provides suggestions on how to validate and fully test your setup. Your specific environment and setup may require variations in the sequence.
This section also contains an overview of the overall architecture for integrating Banner with Luminis Platform.
Banner product and setup prerequisites
The following is a list of Banner products you must install before you can integrate Banner and Luminis Platform:
• Banner General: implemented and configured according to the Banner General instructions.
• Internet Native Banner (INB): implemented and configured according to the Middle Tier Implementation Guide.
• Self-Service Banner (SSB): implemented and configured according to the Middle Tier Implementation Guide.
• Channels App: Banner Channels App implemented and configured according to the Luminis-Banner and Banportals installation instructions described later in this guide.
• Banner Enterprise Identity Services (BEIS): implemented and configured according to the Banner Enterprise Identity Services Handbook.
Luminis Platform product and setup prerequisites
Luminis Platform must be installed and operational as a stand-alone application before you attempt to integrate it with Banner. For information about installing and configuring the CAS server that is included with Luminis Platform, refer to the Luminis Platform 5.0 Installation Guide and the CAS customization steps documented in the Banner Enterprise Identity Services Handbook.
BEIS version 8.1.4 and above supports Jasig CAS versions 3.2.1.1, 3.3.1 and 3.4.2. For future Google Apps integration, the CAS server should be configured outside the firewall in the demilitarized zone.
Integrate Banner and Luminis Platform: Broker and LMG setup
The following is a list of the final products you must install before you can integrate Banner with Luminis Platform:
• Open Message Queue 4.5: install and configure Open Message Queue 4.5. For more information about installing this program, see "Data-Level Integration and Provisioning" on page 3-1 later in this document. You can also reference the documentation located at http://glassfish.java.net.
• Learning Management Message Gateway: install and customize, or import, LMG. For more information, see "Learning Message Gateway" on page 3-1.
Test and validate the integration
Once the Banner integration setup has been completed, a Banner user must log in to the system and create a page with an embedded portlet. This page should have a URL such as http://<host>:<port>/banner-cas-client/authorized/bannerSelfService. Invoking this page brings up the Banner Self Service screen.
Success criteria
The successful deployment and configuration of Banner Integration for Luminis Platform is best measured by the resulting ability to authenticate into Luminis Platform and Banner simultaneously, using Central Authentication Service (CAS) to accomplish single sign-on, and to access Banner data and links in the Banner portlets. In addition, the Luminis Platform system should be able to create users and course information in all appropriate content areas, such as the My Courses portlet, whenever a Banner system is updated.
Banner product dependencies
The following components are recommended when configuring the Luminis Platform Banner integration. Please refer to the Banner DC Release Interdependency Matrix for additional options.
• Luminis Platform 5.0.2
• Banner Enterprise Identity Services (BEIS) 8.1.3 or higher
• Banner General 8.4
• Banner Student 8.4.1 or 8.5
• Banner Student Self-Service 8.4.1 or 8.5
• Banner Intcomp 8.0.1
• Web Tailor 8.4 or higher
• Internet Native Banner (INB) configured per the Middle Tier Implementation Guide
• GlassFish Server Open Source Edition 3.1 or higher. This includes Open MQ.
• Banner Channels 8.2 or higher
• Central Authentication Service (CAS) 3.4.2, 3.3.1 or 3.2.1.1
Note: CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
Deployment architecture overview
The deployment model for a fully integrated Banner system, Luminis Platform portal and CAS server is illustrated below.
The next few chapters discuss the following topics:
• "Central Authentication Service and Banner Enterprise Identity Services"
• "Data-Level Integration and Provisioning"
• "SSB and INB Integration"
2 Central Authentication Service and Banner Enterprise Identity Services
Central Authentication Service (CAS) is an enterprise Single Sign-On (SSO) solution for Web applications. CAS SSO improves the user experience when running several Web applications that have their own means of authentication. With an SSO solution, users authenticate to one central authentication service and can access other Web applications that have a trust relationship with the central authentication service without a secondary login. For example, if you want to access your portal instance, you are redirected to CAS to log in. CAS authenticates the user credentials and returns a ticket to the browser, which allows access to the portal.
CAS and Banner Enterprise Identity Services (BEIS) are required for single sign-on (SSO) links within Luminis Platform to work.
This chapter contains the following sections:
• "CAS server configuration for UDCIdentifier"
• "Banner CAS client configuration"
• "Banner Enterprise Identity Services Configuration Information Tables"
• "Luminis Banner Web application"
• "Prepare to Install Luminis Platform Portlets for Banner"
CAS server configuration for UDCIdentifier
This section provides information about configuring the Luminis Platform CAS server to support Banner Enterprise Identity Services (BEIS) or any other SunGard Higher Education products that are UDCIdentifier aware and participate in a CAS SSO session.
Note: CAS versions 3.2.1.1 and 3.3.1 are supported. CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
This section includes the following topics:
• "Prerequisites"
• "CAS protocol extension"
• "Specify bannerValidate parameters"
• "Returned bannerValidate responses"
• "Configure the CAS server"
• "CAS managed services"
Prerequisites
Before implementing CAS with UDCIdentifier, the following prerequisites must be met:
• The identity repository used by the CAS server must be UDCIdentifier aware.
• You must have an understanding of the CAS protocol (2.0) and architecture (3.2).
CAS protocol extension
SunGard Higher Education uses the CAS attribute assertion features to assert additional identity attributes. The SunGard Higher Education CAS protocol is implemented by adding a validation service (bannerValidate) to the CAS server.
Note: The bannerValidate service is similar to the serviceValidate feature available in the JA-SIG CAS server reference implementation.
Upon successful CAS authentication, the CAS client validation filter calls the bannerValidate service to get information for the enterprise user. The service checks the validity of a service ticket and returns a UDCIdentity XML fragment response.
Note: The bannerValidate service does not generate and issue proxy-granting tickets when requested. The bannerValidate service must not return a successful authentication if it receives a proxy ticket.
Specify bannerValidate parameters
The following HTTP request parameters must be specified to the bannerValidate service. The parameter names are case sensitive and are handled by bannerValidate.

Parameter   Description
BANNER-SV   Identifier of the service for which the CAS ticket was issued. Refer to section 2.2 of the JA-SIG CAS protocol overview for information pertaining to the login.
BANNER-ST   Service ticket issued by the CAS login service when a client presents credentials. A service ticket is an opaque string that the client uses as a credential to obtain access to a service.

Returned bannerValidate responses
The bannerValidate service returns one of the following three responses:
• If the ticket validation is successful, the following XML-formatted response is returned:
  <urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
    <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
    <urn:LogonID>triddle</urn:LogonID>
    <urn:Extension>
      <urn:Attribute>
        <urn:name>BANNER-SV</urn:name>
        <urn:value>maldevl5.sct.com/cas-client-31/authorized/banner/SelfService</urn:value>
      </urn:Attribute>
    </urn:Extension>
  </urn:UDCIdentity>
• If the UDC_IDENTIFIER is not asserted as a part of the validation response, an AssertionValidation error is returned.
• If the ticket validation fails, an HTTP 401 error code is returned.
The CAS server asserts the following attributes:

Attribute        Location in response
UDC_IDENTIFIER   UDCIdentity/UDCIdentifier
CAS Net ID       UDCIdentity/LogonID

Configure the CAS server
The Luminis Platform CAS server must be configured to extend the basic CAS services to support the bannerValidate service. This service is configured to retrieve UDC_IDENTIFIER data from your LDAP directory.
If the Luminis Platform CAS server was installed using the Luminis Installer, support for the bannerValidate service has been configured automatically. If you are using an externally managed CAS server, as described in the Luminis Platform Installation Guide, you must manually configure the CAS server to support the bannerValidate service by following the steps outlined in the "Configure the CAS Server" appendix.
CAS managed services
The following are the primary CAS managed services. Some or all of these services may already exist in your CAS managed services page after the initial installation of Luminis. The CAS managed services page is found at the following location:
https://<cas-server-name>:<port>/cas-web/services/manage.html
• A typical Luminis CAS installation requires at least the following CAS-managed service:
  https://<cas-server-name>:<https-port>/cas-web/services
  For this service, select the uid attribute and check the Enabled, Allowed to Proxy, and SSO Participant check boxes.
• The Admin server login URL displays as follows:
  https://<luminis-server-name>:<https-port>/cportal/login
  A separate cportal/login service URL needs to be defined for each Luminis Platform hostname, such as the Admin and Portal tiers, or the virtual hostname if that is the URL end users use to access the service. This service does not require any attributes. Recommended Status check boxes are Enabled, Allowed to Proxy, and SSO Participant.
• The Admin server banner-cas-client URL displays as follows:
  https://<admin-server-name>:<https-port>/banner-cas-client/authorized/banner
  A separate banner-cas-client/authorized/banner service URL needs to be defined for each Luminis Platform instance (Admin and Portal tiers, or the virtual hostname if end users are using that URL to access the service in question). Check the Enabled and SSO Participant check boxes and select the UDC_IDENTIFIER attribute. Allowed to Proxy is not needed for this service, since bannerValidate does not accept proxy tickets.
Note: UDC_IDENTIFIER does not display in the attribute list until the CAS customizations detailed in the "Configuring CAS server to enable bannerValidate" section take effect. A restart of the CAS server is required.
If necessary, edit the CAS managed services that the CAS server protects.
Use the following steps to define new CAS managed services, if required:
1. Launch a browser and navigate to the CAS server management page at the following URL:
   https://<CAS-server>:<port>/cas-web/services/manage.html
2. Supply a valid administrator user name and password, obtained from the CAS administrator. The Services Management page is displayed.
3. Click the Add New Service tab in the left corner of the page.
4. Add a new service by entering the fields as exemplified in the table below.
5. Click Save Changes. The CAS server now protects the service that you defined.

Parameter     Description
Name          CAS services
Service URL   https://<cas-server>:<port>/cas-web/services
Description   Protect cas services
Theme Name    Cas
Status        Select Enabled and SSO Participant
Attributes    The service attributes
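The exchange described under "CAS protocol extension" and "Returned bannerValidate responses", combined with the managed-service entries above, as an added example that is not Ellucian/SunGard code: a small Python model in which the server-side bannerValidate consults a managed-service registry (Enabled, Allowed to Proxy, released attributes), refuses proxy tickets, replayed tickets and tickets issued to a different service, and the client-side filter parses the UDCIdentity fragment and raises an AssertionValidation error when no UDC_IDENTIFIER is asserted. The registry entries, tickets, directory entry, hostnames and the Python exception standing in for the AssertionValidation error are all constructed here; the namespace URI is the one reconstructed from the sample response above.

```python
import re
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

NS = "urn:sungardhe:enterprise:domain:identity:1.0"   # reconstructed from the sample response

BANNER_SERVICE = "https://admin.example.edu:443/banner-cas-client/authorized/banner"
PORTAL_SERVICE = "https://portal.example.edu:443/cportal/login"


class AssertionValidationError(Exception):
    """Stand-in for the AssertionValidation error: the response carries no usable UDC_IDENTIFIER."""


# Constructed managed-service registry (what the cas-web/services/manage.html page holds).
# allowed_to_proxy is recorded for completeness; bannerValidate refuses proxy tickets regardless.
SERVICE_REGISTRY = {
    BANNER_SERVICE: {"enabled": True, "allowed_to_proxy": False, "attributes": {"UDC_IDENTIFIER"}},
    PORTAL_SERVICE: {"enabled": True, "allowed_to_proxy": True, "attributes": set()},  # no attributes
}

# Constructed single-use ticket store: ticket -> (service it was issued to, logon id).
TICKETS = {
    "ST-1-abc": (BANNER_SERVICE, "triddle"),
    "ST-4-jkl": (BANNER_SERVICE, "triddle"),
    "ST-2-def": (PORTAL_SERVICE, "triddle"),
    "PT-3-ghi": (BANNER_SERVICE, "triddle"),   # a proxy ticket, which bannerValidate must refuse
}

# Constructed identity repository: logon id -> UDC_IDENTIFIER (32 hex digits).
DIRECTORY = {"triddle": "3C9CBAC307313872E0440003BA1015A4"}


def banner_validate(params):
    """Server side: answer a bannerValidate request with (http_status, body)."""
    sv, st = params.get("BANNER-SV"), params.get("BANNER-ST")   # names are case sensitive
    if not sv or not st or not st.startswith("ST-"):
        return 401, ""                                        # proxy tickets never validate here
    issued_for, logon = TICKETS.pop(st, (None, None))         # a service ticket is consumed on first use
    svc = SERVICE_REGISTRY.get(sv)
    if issued_for != sv or svc is None or not svc["enabled"]:
        return 401, ""                                        # unknown, replayed, or wrong-service ticket
    parts = [f'<urn:UDCIdentity xmlns:urn="{NS}">']
    udc = DIRECTORY.get(logon)
    if "UDC_IDENTIFIER" in svc["attributes"] and udc:         # released only if the registry entry allows it
        parts.append(f"<urn:UDCIdentifier>{udc}</urn:UDCIdentifier>")
    parts.append(f"<urn:LogonID>{escape(logon)}</urn:LogonID>")
    parts.append("<urn:Extension><urn:Attribute><urn:name>BANNER-SV</urn:name>"
                 f"<urn:value>{escape(sv)}</urn:value></urn:Attribute></urn:Extension>")
    parts.append("</urn:UDCIdentity>")
    return 200, "".join(parts)


def parse_udc_identity(status, body):
    """Client side: what the validation filter does with the bannerValidate response."""
    if status != 200:
        raise PermissionError(f"bannerValidate returned HTTP {status}")
    root = ET.fromstring(body)
    if root.tag != f"{{{NS}}}UDCIdentity":
        raise AssertionValidationError("response is not a UDCIdentity fragment")
    udc = root.findtext(f"{{{NS}}}UDCIdentifier")
    if not udc or not re.fullmatch(r"[0-9A-F]{32}", udc):
        raise AssertionValidationError("UDC_IDENTIFIER not asserted")
    attrs = {a.findtext(f"{{{NS}}}name"): a.findtext(f"{{{NS}}}value")
             for a in root.iter(f"{{{NS}}}Attribute")}
    return {"udc_identifier": udc, "logon_id": root.findtext(f"{{{NS}}}LogonID"), "attributes": attrs}


def client_login(service, ticket):
    """The whole round trip, as banner-cas-client performs it after the CAS redirect."""
    return parse_udc_identity(*banner_validate({"BANNER-SV": service, "BANNER-ST": ticket}))


def login_outcome(service, ticket):
    """Classify a round trip as 'ok', 'assertion-validation' or 'denied'."""
    try:
        client_login(service, ticket)
        return "ok"
    except AssertionValidationError:
        return "assertion-validation"
    except PermissionError:
        return "denied"
```

The cportal/login entry in the registry releases no attributes, so a ticket issued to it validates at the HTTP level but fails on the client with the AssertionValidation error; that is the same symptom you see in a real deployment when the banner-cas-client service entry is saved without the UDC_IDENTIFIER attribute selected.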
Banner CAS client configuration
Once the CAS server is configured to support Banner Enterprise Identity Services, you can configure Internet-native Banner and Banner Self-Service to participate in a CAS Single Sign-On (SSO) session. This is accomplished by deploying the Banner CAS Client Web application in the Admin server and the Portal server. This application proxies the CAS authentication process to the Banner SSO proxy Web applications that support Internet-native Banner and Banner Self-Service. The application is only required in a CAS-based environment.
Use the following steps to install and configure the Banner CAS Client Web application:
1. After you deploy the banner-cas-client version supplied with Banner Enterprise Identity Services for the Luminis Platform Admin and Portal instances, modify the following parameters in the file $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties.

banner.sso.gateway
   URL to the Banner SSO Web Proxy, which is part of the Banner Identity Gateway deployment.
cas.server.gateway
   Determines whether the login screen is displayed to the user. The default is false.
cas.server.renew
   Determines whether users must log in to each application. If set to true, users must log in to each application regardless of whether an SSO session was established; use this setting if users must not be allowed to reach another application within the SSO realm without providing credentials again. If set to false, users do not need to log in to each application once an SSO session is established; use this setting for general use.
cas.server.url
   URL to the CAS server. Generally this is a secured container, meaning the URL should begin with https.
cas.server.proxyCallbackUrl
   Server proxy callback URL, which should point to the CAS server and port.
cas.client.serverName
   Client server address, consisting of the fully qualified server name and port where the application is running. Note: This should include the SSL port number.
cas.client.proxyCallbackUrl
   Client proxy callback URL, which should point to the server and port where the client application is running. Note: This should include the SSL port number.

For example, the cas-client.properties file may appear as follows:
• Admin:
  banner.sso.gateway=https://lcban4.sct.com:9010/bnSSOWeb
  cas.server.renew=false
  cas.server.url=https://slcsup37.sct.com:8447/cas-web
  cas.client.serverName=slcsup37.sct.com:443
• Portal:
  banner.sso.gateway=https://lcban4.sct.com:9010/bnSSOWeb
  cas.server.renew=false
  cas.server.url=https://slcsup37.sct.com:8447/cas-web
  cas.client.serverName=slcsup38.sct.com:443
• The following three properties are not in use:
  cas.server.gateway=false
  cas.server.proxyCallbackUrl
  cas.client.proxyCallbackUrl
2. Test the Web application by invoking the following URL. This URL should be accessible from all resource and Portal tiers:
   https://<Luminis-host>:<SSL-port>/banner-cas-client
The following URLs are used to start Banner in a CAS Single Sign-On environment:
• Internet-native Banner: http://<host>:<port>/banner-cas-client/authorized/banner/OracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/banner/SelfService
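An added check for the cas-client.properties values described above; it is not part of the banner-cas-client distribution. It loads the file and tests the points the parameter descriptions make: the CAS server and Banner SSO gateway URLs must be https, cas.client.serverName must carry the SSL port, cas.server.renew must be a boolean, and the unused proxy-callback properties should stay empty. The property names follow the dotted form used in this guide; both sample files and their hostnames are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample files: one acceptable, one with the mistakes the checker is meant to catch.
ADMIN_OK = """\
banner.sso.gateway=https://lcban4.example.edu:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://cas.example.edu:8447/cas-web
cas.client.serverName=admin.example.edu:443
cas.server.gateway=false
cas.server.proxyCallbackUrl=
cas.client.proxyCallbackUrl=
"""
PORTAL_BAD = """\
banner.sso.gateway=http://lcban4.example.edu:9010/bnSSOWeb
cas.server.url=https://cas.example.edu:8447/cas-web
cas.client.serverName=portal.example.edu
"""


def parse_properties(text):
    """Minimal key=value reader for Java .properties files (no escapes, no continuations)."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_cas_client_properties(props):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    for key in ("banner.sso.gateway", "cas.server.url", "cas.client.serverName"):
        if not props.get(key):
            findings.append(f"{key}: missing")
    for key in ("banner.sso.gateway", "cas.server.url"):
        url = props.get(key, "")
        if url and urlsplit(url).scheme != "https":
            # over plain http the service ticket and the validation response travel in clear
            findings.append(f"{key}: must use https, got {url!r}")
    server = props.get("cas.client.serverName", "")
    host, sep, port = server.rpartition(":")
    if server and not (sep and host and port.isdigit()):
        findings.append("cas.client.serverName: must be <fqdn>:<ssl-port>")
    elif server and port == "80":
        findings.append("cas.client.serverName: port 80 is not an SSL port")
    if props.get("cas.server.renew", "false").lower() not in ("true", "false"):
        findings.append("cas.server.renew: must be true or false")
    for key in ("cas.server.proxyCallbackUrl", "cas.client.proxyCallbackUrl"):
        if props.get(key):
            # unused by banner-cas-client; a value would advertise a PGT callback nobody services
            findings.append(f"{key}: set but unused, leave empty")
    return findings


def check_file(text):
    """Convenience wrapper: findings for a whole cas-client.properties text."""
    return check_cas_client_properties(parse_properties(text))
```

Run check_file on each tier's file after editing it and before restarting Tomcat; the serverName finding is the one most often missed, because a missing port still yields a working login while the ticket validation callback is built against the wrong host:port.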
Banner Enterprise Identity Services Configuration Information Tables
The following is a list of tables that store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.
For Identity Data Export Utilities, as with other Web apps, the configuration is stored in the properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory, the files are stored in the following location:
applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties

Schema     Table            Application                          Comments
BNIXMGR    APCONFG          Banner Identity Gateway              Stores application configuration for SSB and INB
BNIXMGR    WSCONFG          Banner Identity Gateway              Stores configuration for the Open Digital Campus Identity Web Service (credential service and ticketing service)
IDENTMGR   T_UDC_PST_LIST   Enterprise Identity Proxy Services   Stores a list of Provisioning Service Targets
Luminis Banner Web application
This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.
Use the following steps to deploy these portlets:
1. Make the necessary changes to the properties located in the following folders:
   $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
   $CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes
2. The properties that need to be modified for the Banner portlets are as follows. The providerServlet.password value is stored in clear text in this file, so choose a value specific to this deployment rather than the sample and restrict read access to the file to the Luminis service account.

# The URL to access the Banner Portal Servlet
# Example: https://lcban3.sungardhe.com:7778/banportals
providerServlet.url=<URL for the banportals application>
# The user name to secure the servlet
providerServlet.userName=channelAdmin
# The password to secure the servlet
providerServlet.password=u_pick_it
version=development
# The SSB URL for the English locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
# The SSB URL for the French locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
# The SSB URL for the Spanish (Mexico) locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.es_MX=<The URL for the Spanish (Mexico) locale for SSB>
# The SSB URL for the Arabic locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
# The SSB URL for the Brazilian Portuguese locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.pt_BR=<The URL for the Brazilian Portuguese locale for SSB>
# Set to 814 for BEIS versions up to and including 8.1.4, or to 815 for BEIS 8.1.5
beis.version=814
# The banner-cas-client URL for SSB when BEIS 8.1.4 or earlier is used
banner.cas.client.ssb=banner-cas-client/authorized/banner/SelfService
# The banner-cas-client URL for INB when BEIS 8.1.4 or earlier is used
banner.cas.client.inb=banner-cas-client/authorized/banner/OracleForms?launch_form=
# The SSB URL for SSO Manager when BEIS 8.1.5 is used (the pkg parameter must match the value configured in SSO Manager)
beis.ssomanager.ssb=http://<ssomanager-host>:<ssomanager-port>/ssomanager/c/SSB?pkg=
# The INB URL for SSO Manager when BEIS 8.1.5 is used
beis.ssomanager.inb=http://<ssomanager-host>:<ssomanager-port>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner
The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) application server.
This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server and modifications to be made to the deployment of the Luminis Platform portlet for Banner server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.
For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki:
http://www.edu1world.org/CommonsLuminis
This section includes the following topics:
• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"
Create the home directory for Luminis Channels for Banner
To manipulate and configure the files, create a directory on the OAS10g server, for example:
/u01/PROD/sghe/banner/channels
Copy the contents of the channel/admin directory under your Banner production directory to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.
Edit the configuration file
Edit the banportals.config file located in your CHANNEL_HOME directory, for example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following list describes the Banner database connection configuration properties in banportals.config and gives an example of each.

connectionName.list
   Description: Connection listings. Each item in this list should have <connection name>.<property> specified. The value default in the list makes the configuration look for default.tnsName, default.userName, and so on.
   Example: connectionName.list=default or connectionName.list=default,other
default.tnsName
   Description: TNS name used when connecting to the Banner database.
   Example: default.tnsName=LB70.sct.com
default.userName
   Description: Connection pool user name.
   Example: default.userName=banproxy
default.password
   Description: Connection pool password.
   Example: default.password=banproxy
default.poolConfig.min-limit
   Description: Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
   Example: default.poolConfig.min-limit=1
default.poolConfig.max-limit
   Description: Maximum number of physical connections maintained by the pool.
   Example: default.poolConfig.max-limit=5
default.poolConfig.increment
   Description: Incremental number of physical connections opened when all existing connections are busy and a new connection is requested.
   Example: default.poolConfig.increment=1
default.poolConfig.timeout
   Description: The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is in seconds.
   Example: default.poolConfig.timeout=30
log4j.rootCategory
   Description: The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.
   Example: log4j.rootCategory=INFO, stdout
providerServlet.url
   Description: URL to access the Banner portal servlet. This is the URL of the webserver and points to the OC4J servlet, which resides on the webserver machine. The port 4445 in the document is an example; you provide the port number that routes you to the welcome page of the webserver, such as http://<yourservername.com>:7777. The banportals portion of the URL is the suggested virtual path for the OC4J servlet; see "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.
   Example: providerServlet.url=http://<yourservername.com>:7777/banportals
providerServlet.userName
   Description: User name to secure the servlet.
   Example: providerServlet.userName=channelAdmin
providerServlet.password
   Description: Password used to secure the servlet.
   Example: providerServlet.password=u_pick_it
xsl-parameter.erpUrlBase
   Description: URL for the INB server. Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL.
   Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D
xsl-parameter.urlHostAndPath
   Description: URL for the self-service application.
   Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD/

The recommended value for the user name is channelAdmin. You can use any value for the password.
This user name and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a channel request, it compares the user name and password stored in banportals.ear with the user name and password sent by Luminis from the luminis-banner webapp. Thus the providerServlet user name and password only need to be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user, and so forth. Because this shared secret is the only thing that authenticates channel requests to the servlet, use a long random value rather than the sample, and keep banportals.config and banportals.ear readable only by the accounts that need them.
Generate the banportals.ear file
The banportals.config file contains values that should be inserted into the banportals.ear file.
To roll out the changes, use the installer banportalsadmin.jar. To use this installer, a Java VM of 1.3.1 or higher must be installed on the same machine as the CHANNEL_HOME. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager as described in "Deploy the EAR file" on page 2-15.
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use the Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
   It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
   This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) machine using mapped drives or symbolic links to the banportals.ear file, you need to copy the file to your local machine and then select the file locally. Use SFTP or SCP rather than plain FTP for that copy, since the EAR contains the providerServlet credentials.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the application currently being deployed. The suggested name is <SID>_banportals.
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates to the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate user name mappings for existing INB users. The LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To improve performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP user name mapping first, based on the GUAUPRF LDAP settings, and then fail over to the mapping set in the Banner GOBEACC table. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Message Gateway (LMG) is an architectural component designed for use with, and in support of, Banner Integration for eLearning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework Application Server context, which contains native JMS client connectivity by default. In addition, the JMS provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish Open MQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, and the .../imq/instances/imqbroker directory structure, including props/config.properties and etc/accesscontrol.properties.
You may use the older LMB 4.0. Luminis Platform does not depend on a specific JMS provider, but SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the Open MQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0: create $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Message Gateway and the SCT_LMG_HOME environment variable reside. For example:
   mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following to .bash_profile for your LUMADMIN user:
   SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway; export SCT_LMG_HOME
3. Copy lmg40.jar into your SCTERPGateway installation directory. The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
   java -jar lmgX.x.jar -erp plus|banner -lmbhost <lmbserver> -dburl <dbserver>:<port>:<instance> -dbpw <mydbpasswd> -jmspw <myjmspasswd> -ldi true|false -notification true|false
   For example:
   java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
   The database and JMS passwords are passed on the command line, so they appear in the shell history and in the process list while the installer runs; clear the history entry afterwards and run the installer on a host where that exposure is acceptable.
   Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects such as topics, queues, and connection factories in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:
• Environmental settings:
  HOSTNAME=slc207123.sct.com
  MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist:
  MQ_LMG_USER=lmguser
  MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties file for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
  MQ_LUM_USER=lumuser
  MQ_LUM_USER_PW=password
  Replace the placeholder password values before running the script. They are stored in the script file in clear text and are sent to OpenDS over INSECURE_LDAP_PORT, which is why the script assumes it runs on the directory host.
• MQ_JMS_PORT should match imq.jms.tcp.port and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use imq.portmapper.port, which has a default value of 7676:
  MQ_JMS_PORT=7676
  MQ_SSLJMS_PORT=7676
  Static ports should be defined when there are networking restrictions and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS (imqhttp/imqhttps) tunnel configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080; SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache). MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 (https), which has a default value of 8181:
  MQ_HTTP_TUNNEL_PORT=8081
  MQ_HTTPS_TUNNEL_PORT=8181
  MQ_TUNNEL_VPATH=imq/tunnel
  Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL JMS connection.
• Other settings, which should only be modified in non-standard configurations:
  OPENDS_DIR=$CP_ROOT/products/opends
  OPENDS_ADMIN_PORT=4444
  OPENDS_MQ_BASEDN=o=messaging
  INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update the <glassfish domain>/imq/instances/imqbroker/props/config.properties file to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both the MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the last property, imq.log.level, to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis:
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
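The access control rules above are the enforcement point for who may produce and consume on the integration destinations, and a mistyped principal grants nothing to the intended user while the broker reports no error. The following Python script is an added example, not part of this guide or of Open MQ: it parses an accesscontrol.properties file in the format shown and reports each user's effective grants, principals that are not in the expected user set, and wildcard allows. The sample rule set (including a deliberate typo) is constructed for the example.

```python
"""Audit an Open MQ accesscontrol.properties file for least privilege.

Added example, not part of the Luminis guide or the Open MQ distribution.
Rule keys follow the broker's format:
  connection.<NORMAL|ADMIN>.<allow|deny>.<user|group>=p1,p2
  <queue|topic>.<destination>.<produce|consume|browse>.<allow|deny>.<user|group>=p1,p2
"""
import re
from collections import defaultdict

CONN_RE = re.compile(r"^connection\.(NORMAL|ADMIN)\.(allow|deny)\.(user|group)$")
DEST_RE = re.compile(
    r"^(queue|topic)\.(.+)\.(produce|consume|browse)\.(allow|deny)\.(user|group)$"
)


def parse_access_rules(text):
    """Yield (resource, operation, rule, principal_type, principals) for each rule line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        principals = [p.strip() for p in value.split(",") if p.strip()]
        m = CONN_RE.match(key)
        if m:
            yield "connection:" + m.group(1), "connect", m.group(2), m.group(3), principals
            continue
        m = DEST_RE.match(key)
        if m:
            yield m.group(1) + ":" + m.group(2), m.group(3), m.group(4), m.group(5), principals
            continue
        # Anything else (e.g. queue.create.allow.user) is reported, not interpreted.
        yield "unparsed", key, None, None, principals


def audit(text, known_users):
    """Summarise allow grants per user; flag unknown principals and wildcard allows."""
    grants = defaultdict(set)
    unknown, wildcards, unparsed = [], [], []
    for resource, op, rule, ptype, principals in parse_access_rules(text):
        if resource == "unparsed":
            unparsed.append(op)
            continue
        if ptype != "user":
            continue  # group rules are out of scope for this check
        for user in principals:
            if user == "*":
                if rule == "allow":
                    wildcards.append((resource, op))
                continue
            if user not in known_users:
                # A typo here silently leaves the real user without the grant.
                unknown.append((user, resource, op))
            elif rule == "allow":
                grants[user].add((resource, op))
    return {
        "grants": {u: sorted(g) for u, g in sorted(grants.items())},
        "unknown": unknown,
        "wildcards": wildcards,
        "unparsed": unparsed,
    }


# Constructed sample: the guide's rule style, with a deliberate typo ("lumser")
# on the Error topic and a wildcard on NORMAL connections to exercise the checks.
SAMPLE_ACL = """\
connection.NORMAL.allow.user=*
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""

if __name__ == "__main__":
    report = audit(SAMPLE_ACL, {"lumuser", "lmguser"})
    for user, perms in report["grants"].items():
        print(user, perms)
    print("unknown principals:", report["unknown"])
    print("wildcard allows:", report["wildcards"])
```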
Custom JMS Clients
Ensure your JMS clients have the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the clients' requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish/MQ/Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server.
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install the GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps.
Note: The imqusermgr command creates users in the file-system-based user repository, but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details, or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default, the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for the other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.
If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled in the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
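To confirm the static port assignment without reading the telnet output by hand, the following Python script (an added example, not part of this guide or of Open MQ) parses a captured portmapper response like the ones above and compares it with the imq.admin.tcp.port and imq.jms.tcp.port values from config.properties, also listing any TCP service still on a dynamic port, which is what the firewall rule set needs to know. The sample responses, host name, paths and session id are constructed.

```python
"""Verify an Open MQ portmapper response against the expected static ports.

Added example, not part of the Luminis guide or the Open MQ distribution.
Input is the text a broker returns on port 7676, as captured with telnet.
"""
import re

# One service per line: name protocol type port [optional,bracketed,info]
SERVICE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)(?:\s+\[(.*)\])?$")
# Header line: portmapper protocol version, instance name, broker version
HEADER_RE = re.compile(r"^(\d{3})\s+(\S+)\s+(\S+)$")


def parse_portmapper(text):
    """Return (header or None, {service_name: {protocol, type, port, info}})."""
    header, services = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if header is None:
            m = HEADER_RE.match(line)
            if m:
                header = {"protocol_version": m.group(1),
                          "instance": m.group(2), "version": m.group(3)}
                continue
        m = SERVICE_RE.match(line)
        if m:  # telnet's own "Trying ..." / "Connected to ..." lines do not match
            name, proto, stype, port, info = m.groups()
            services[name] = {"protocol": proto, "type": stype,
                              "port": int(port), "info": info}
    return header, services


def check_static_ports(text, expected):
    """expected maps service name to the static port configured in config.properties.

    Returns mismatches (expected service absent or on another port) and the
    TCP services that still listen on a port not covered by the expectation.
    """
    header, services = parse_portmapper(text)
    mismatches = {}
    for name, port in expected.items():
        actual = services.get(name, {}).get("port")
        if actual != port:
            mismatches[name] = actual
    dynamic = sorted(
        name for name, svc in services.items()
        if svc["protocol"] == "tcp" and svc["port"] != 0
        and name != "portmapper" and name not in expected
    )
    return {"instance": header["instance"] if header else None,
            "mismatches": mismatches, "dynamic_tcp": dynamic,
            "ok": not mismatches}


# Constructed responses modelled on the telnet captures in this guide; the
# host name, paths, session id and dynamic port numbers are sample values.
BEFORE_STATIC_PORTS = """\
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,sessionid=1]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://broker.example.edu/jndi/rmi://broker.example.edu:8686/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
"""
AFTER_STATIC_PORTS = (BEFORE_STATIC_PORTS
                      .replace("ADMIN 39925", "ADMIN 7574")
                      .replace("NORMAL 42103", "NORMAL 7575"))
EXPECTED = {"admin": 7574, "jms": 7575}  # imq.admin.tcp.port / imq.jms.tcp.port

if __name__ == "__main__":
    for label, capture in (("before", BEFORE_STATIC_PORTS), ("after", AFTER_STATIC_PORTS)):
        print(label, check_static_ports(capture, EXPECTED))
```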
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN-ID lookup against LDAP involved in the SSO transaction. Instead, bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in the Luminis-CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or by proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP for his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Do the cookie or header names for SSB and INB in your bnig Web configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise, the bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless the LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the command in $CP_ROOT/products/opends/bin as follows:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN. For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter Use these values.
1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, it indicates that no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Please note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID to an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption, as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade, you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as:
mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step 1. For example, the directory may read as follows:
$BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if they are different between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
  Luminis ID = jsmith
  Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
  Luminis ID = JoeSmith
  Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping can be read accordingly.
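The following Python script is an added example, not part of this guide or of Banner: it generates the sso_map.ldif entry described above for any Luminis ID / Banner ID pair (with RFC 4514 DN escaping and RFC 2849 LDIF value encoding, and skipping pairs that are identical, as the guide recommends), reads such entries back, and resolves a Luminis ID to its Oracle ID with the default proxy fallback. The attribute names and base DN follow the guide; the banproxy default is taken from the guide's description of proxyinfo.sql, and the sample IDs are constructed.

```python
"""Build and resolve Luminis-to-Banner usermap entries for o=usermap.

Added example, not part of the Luminis guide. cn holds the Luminis ID and
SCTSSOConfigString holds the Oracle/Banner ID, as the guide describes.
"""
import base64

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"


def escape_rdn_value(value):
    """Escape an RDN attribute value per RFC 4514 so it is safe inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr, value):
    """Format 'attr: value', or 'attr:: base64' when the value is not LDIF-safe."""
    safe = (
        value.isascii()
        and value.isprintable()
        and value[:1] not in (" ", ":", "<")
        and not value.endswith(" ")
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def usermap_entry(luminis_id, banner_id, base=USERMAP_BASE):
    """Return the LDIF entry mapping luminis_id to banner_id, or None when not needed."""
    if luminis_id == banner_id:
        return None  # same ID on both sides: the guide says no usermap entry
    lines = [
        ldif_line("dn", f"cn={escape_rdn_value(luminis_id)},{base}"),
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        ldif_line("cn", luminis_id),
        ldif_line("SCTSSOConfigString", banner_id),
        ldif_line("description",
                  f"Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {banner_id}"),
    ]
    return "\n".join(lines) + "\n"


def parse_usermap(ldif_text):
    """Read usermap entries back into {luminis_cn: banner_id}, decoding base64 values."""
    mapping, entry = {}, {}
    for raw in ldif_text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not raw.strip():
            if entry.get("cn") and entry.get("SCTSSOConfigString"):
                mapping[entry["cn"]] = entry["SCTSSOConfigString"]
            entry = {}
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry[attr] = value
    return mapping


def resolve_oracle_id(mapping, luminis_id, default="banproxy"):
    """Mimic the usermap lookup: an explicit mapping wins, else the default proxy ID."""
    return mapping.get(luminis_id, default)


if __name__ == "__main__":
    # Constructed sample pairs; the second needs no entry, the third needs base64.
    pairs = [("JoeSmith", "jsmith"), ("jsmith", "jsmith"), ("Jöe", "joe")]
    ldif = "\n".join(e for e in (usermap_entry(l, b) for l, b in pairs) if e)
    print(ldif)
    print(resolve_oracle_id(parse_usermap(ldif), "JoeSmith"))
```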
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value will display as the Default value for new users who log in to Banner.
Parameter: Description
BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine if users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using Internet URL format for LDAP, such as ldap://myldapserver:389. Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are as follows: L (Login ID is being used for login mapping) and N (no usermap option is used).
USERMAP_PRFX: Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping. Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Socket Layer) key, configure the following parameters:
Parameter: Description
LOCATION: To configure SSL, a certificate wallet must be created on the Database Server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be file:d:/wallet for Windows or file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode, which can be one of the following values:
1 - No authentication is required (SSL encryption only).
2 - One-way authentication is required; the client certificate is authenticated by the server.
3 - Two-way authentication is required; the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports CAS versions
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the util:map with id uniqueIdGeneratorsMap in the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient">
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties:
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To crank up banportals logging on the application server side, use the following file to set verbosity:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique log file which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file
$CP_ROOTproductstomcattomcat-adminwebappsluminis-bannerWEB-INFclasseslog4jproperties
Alternately you can add the following to your common log4jproperties stored in the following location
$CP_ROOTproductstomcattomcat-admincommonclasseslog4jproperties
log4jloggercomsctbannerportals=DEBUGfile
log4jloggercomsgheluminisbanner=DEBUGfile
If you are not actively debugging lower the verbosity to ERROR level
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are also several application-specific logs you can refer to, such as the following:
[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the logs in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j configuration file, such as log4j.properties, which you can use to configure them.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start and restart individual containers, such as the OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services. The ias_admin/manager1 pair shown here is the sample credential; if it is still in use, change it before exposing the OEM port, since OEM can stop, start and reconfigure every container.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; these take effect after the next restart of that component.
GlassFishMQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jmslistener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c - %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) in the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG, reproduce the issue and capture the logs listed above. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If LMG processed the event successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
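The three messages above are the stages an event passes through in LMG, keyed by the same number that GOAEQRM shows as Event Sequence. As an added example (not part of this guide or of LMG), the following Python script reads adapter.log-style lines, records which stage each event ID reached and to which subscriber it was delivered, attaches WARN/ERROR lines that mention an event ID, and lists events that validated but never reached the message broker. The log lines embedded in it are constructed: the three lines from the page for event 370660 plus an invented event 370661 that fails; the function names are this example's own.

```python
"""Correlate LMG adapter.log entries with GOAEQRM Event Sequence numbers."""
import re
from collections import defaultdict

# log4j layout used in the LMG sample above:
# "<date> <time>,<ms> [<thread>] <LEVEL> <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# The number in each message is the Banner event ID (GOAEQRM Event Sequence).
STAGE_RES = (
    ("validated", re.compile(r"XML for (?P<id>\d+) is a valid document")),
    ("published", re.compile(r"Message (?P<id>\d+) published to Luminis Message Broker")),
    ("delivered", re.compile(r"The event (?P<id>\d+) has been published to (?P<dest>\S+)")),
)
EVENT_ID_RE = re.compile(r"\b(\d{5,})\b")

# Constructed sample: the lines shown above for event 370660, plus an
# event 370661 that validates but fails to reach the broker.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:01,002 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,004 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Failed to publish message 370661: broker connection refused
"""


def parse_line(line):
    """Split one log4j line into its fields, or return None for other text."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def track_events(lines):
    """Return {event_id: {"stages": [...], "dest": str|None, "errors": [...], "last_ts": str}}."""
    events = defaultdict(lambda: {"stages": [], "dest": None, "errors": [], "last_ts": None})
    for raw in lines:
        rec = parse_line(raw.rstrip("\n"))
        if rec is None:
            continue
        for stage, rx in STAGE_RES:
            m = rx.search(rec["msg"])
            if m:
                ev = events[m.group("id")]
                ev["stages"].append(stage)
                ev["last_ts"] = rec["ts"]
                if stage == "delivered":
                    ev["dest"] = m.group("dest")
        if rec["level"] in ("ERROR", "WARN"):
            m = EVENT_ID_RE.search(rec["msg"])
            if m:
                ev = events[m.group(1)]
                ev["errors"].append(rec["msg"])
                ev["last_ts"] = rec["ts"]
    return dict(events)


def status(events, event_seq):
    """Last stage reached by a GOAEQRM Event Sequence, or 'not seen'."""
    ev = events.get(str(event_seq))
    if ev is None:
        return "not seen"
    return ev["stages"][-1] if ev["stages"] else "error"


def stuck_events(events):
    """Event IDs that validated in LMG but never reached the message broker."""
    return sorted(eid for eid, ev in events.items()
                  if "validated" in ev["stages"] and "published" not in ev["stages"])


if __name__ == "__main__":
    tracked = track_events(SAMPLE_LOG.splitlines())
    for eid in sorted(tracked):
        print(eid, status(tracked, eid), tracked[eid]["dest"], tracked[eid]["errors"])
    print("stuck:", stuck_events(tracked))
```

Feed it the real adapter.log with `track_events(open(path))` and look up the Event Sequence from GOAEQRM with `status(...)`: an event at "validated" with no "published" stage points at the broker connection, one at "published" but not "delivered" points at the subscriber, and one reported as "not seen" never left Banner.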
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the directory or file name of the MQ log, add or edit the following properties in the same file:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These include the following:
• “Sample proxyinfo.sql script”
• “Sample 00-core.ldif”
• “Sample 99-user.ldif”
• “Sample sso_oclass_lum5.ldif”
• “Sample o=sctssoapplications.ldif”
• “Full lp5_mqinit.sh script”
Sample proxyinfosql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) Log in to SQL*Plus as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update. TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';      -- proxy class name
  b varchar2(200) := 'LUMINIS';      -- calling system
  c varchar2(200) := '&Luminis_ID';  -- Luminis ID, prompted for at run time
  d varchar2(200);                   -- OUT: Oracle user resolved for the Luminis ID
  e varchar2(200);                   -- OUT: role
  f varchar2(200);                   -- OUT: proxy password
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- f holds the proxy password; keep this line commented so the password
  -- is not written to the spool file
  -- dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-coreldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif (the attribute type definition needs an OID or the <name>-oid placeholder in front of NAME, as in the other samples):
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-userldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ description ) )
Sample sso_oclass_lum5ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in “Sample o=sctssoapplications.ldif” on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplicationsldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
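The usermap above is consulted in two hops: the cn=UserMapDN entry under o=config names the usermap base, and the entry cn=<Luminis ID> under that base carries the Banner user in SCTSSOConfigString; when no entry exists the caller falls back to the default Oracle ID, which is what the proxyinfo.sql header means by a generic ID such as INTEGMGR being returned. As an added example (not part of this guide or of the Luminis SSO code), the following Python performs that lookup over the sample LDIF: it parses LDIF records (folded lines and base64 values included), escapes the Luminis ID per RFC 4514 before building the DN so an ID containing a comma or equals sign cannot change which entry is read, and returns the mapped user together with whether the mapping was found. The embedded LDIF is an abridged copy of the sample above; the default Oracle ID and the function names are this example's own assumptions.

```python
"""Resolve a Luminis user to its Banner user through the o=SCTSSOapplications usermap."""
import base64
import re

# Constructed input: abridged from the o=sctssoapplications.ldif sample above.
SAMPLE_LDIF = """\
version: 1

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
"""

CONFIG_DN = "cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications"


def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators for dictionary lookups."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_ldif(text):
    """Parse LDIF content records into {normalized dn: {attr: [values]}}.
    Handles comments, 'version:', folded lines and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:
        if not line.strip():                     # blank line ends a record
            if current and "dn" in current:
                entries[normalize_dn(current["dn"][0])] = current
            current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def dn_escape(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out.replace("\x00", "\\00")


def resolve_banner_user(entries, luminis_id, default_oracle_id="BANPROXY"):
    """Follow UserMapDN to the usermap; return (banner_user, mapped)."""
    config = entries.get(normalize_dn(CONFIG_DN))
    if config is None:
        raise LookupError("cn=UserMapDN configuration entry is missing")
    usermap_base = config["sctssoconfigstring"][0]
    dn = "cn=%s,%s" % (dn_escape(luminis_id), usermap_base)
    entry = entries.get(normalize_dn(dn))
    classes = [oc.lower() for oc in (entry or {}).get("objectclass", [])]
    if entry is None or "sctssoconfig" not in classes:
        return default_oracle_id, False       # no mapping: default Oracle ID applies
    return entry["sctssoconfigstring"][0], True
```

With an export of the real tree (`ldapsearch -b o=SCTSSOapplications` written to LDIF), `resolve_banner_user(parse_ldif(text), "<luminis id>")` gives the same answer the Banner-side proxyinfo.sql reports, without a database session; a `False` second element is the "generic ID returned" case the script header describes.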
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in “Set up users and administered objects in o=messaging” on page 3-3 is listed below.
#!/bin/bash
# author: david.norton@sungardhe.com
# Note: the script relies on bash features ([[ ]], read -s, (( ))); run it with bash.
#
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc, general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/bash [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script.
# Replace the sample passwords: they become the MQ service account credentials
# in the directory and must also be configured on the LMG and Luminis sides.
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676            # sample value; set to the broker's ssljms service port if it differs
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  case $ERRORCODE in
    # err=0: no error
    0 ) ;;
    # Not necessarily errors; might indicate the script already ran:
    # err=20 generally means "Attribute or Value Exists"
    # err=68 generally means "Entry Already Exists"
    20|68 )
      echo "Step $STEPNO returned $ERRORCODE (object already exists)."
      echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
      read PROCEED
      case $PROCEED in
        Y|y ) ;;
        * ) echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
      esac ;;
    * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
  esac
}

# Step 01
# Some sanity checks before we start:
# does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for the Directory Manager password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Caveat: -w puts the password on the command line, where other local users can
# read it from the process list, and --trustAll disables certificate checking
# on the admin connection. On a shared or production host prefer
# --bindPasswordFile (-j) and --trustStorePath (-P) instead.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd "$CP_ROOT/products/opends/bin" || exit 1
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# If you want to insert a pre-encoded userPassword (allowed by STEP 2) instead
# of the plaintext above, the LDIF line carries the base64 form of a
# "{SSHA}..." value after a double colon, for example:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
# targetattr="*" includes userPassword values under the base DN; if the broker's
# search account does not need them, use (targetattr!="userPassword") instead.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands.
# Caveat: these bind as Directory Manager over the plain LDAP port, so the
# password crosses the network unencrypted unless the directory is on this
# host; an ldaps:// provider URL avoids that.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (the JNDI names contain a literal '$', hence the single quotes)
cd "$MQ_HOME/bin" || exit 1
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the destination name must match the queue; the original listing had com_sct_ldi_sis_Sync here)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (same correction as STEP 14)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
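STEP 2 of the script enables pre-encoded passwords and the comment after STEP 6 shows the form of such a value: a {SSHA} string, base64-wrapped on a userPassword:: line. As an added example (not part of this guide or of lp5_mqinit.sh), the following Python generates and verifies OpenDS-style salted SHA-1 values and converts them to and from that LDIF line, so the MQ service accounts can be loaded with a hash computed elsewhere instead of the plaintext MQ_LMG_USER_PW and MQ_LUM_USER_PW variables in the script. The layout assumed is the OpenDS salted SHA-1 storage scheme (20-byte SHA-1 digest followed by an 8-byte salt, base64-encoded after the {SSHA} tag); the sample line is the one from the script comment, and the function names are this example's own.

```python
"""Generate and verify OpenDS-style {SSHA} pre-encoded userPassword values."""
import base64
import hashlib
import hmac
import os

SALT_LEN = 8   # OpenDS salted SHA-1 appends an 8-byte random salt
DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes

# Constructed input: the pre-encoded line shown in the script comment above.
SAMPLE_LDIF_LINE = ("userPassword:: "
                    "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==")


def ssha_encode(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """Split a '{SSHA}...' value into (digest, salt); reject other schemes."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value too short to hold a SHA-1 digest plus salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password, stored):
    """Constant-time comparison of a candidate password against a stored value."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword_line(stored):
    """LDIF form used in the script comment: base64 of the value after '::'."""
    return "userPassword:: " + base64.b64encode(stored.encode("ascii")).decode("ascii")


def parse_ldif_userpassword_line(line):
    """Inverse of ldif_userpassword_line; returns the decoded '{SSHA}...' value."""
    name, sep, value = line.partition("::")
    if name.strip().lower() != "userpassword" or not sep:
        raise ValueError("expected a 'userPassword::' line")
    return base64.b64decode(value.strip()).decode("ascii")


if __name__ == "__main__":
    stored = ssha_encode("password")
    print(ldif_userpassword_line(stored))
    print("verifies:", ssha_verify("password", stored))
    digest, salt = ssha_split(parse_ldif_userpassword_line(SAMPLE_LDIF_LINE))
    print("sample digest bytes:", len(digest), "salt bytes:", len(salt))
```

Generate the line on an administrative workstation, paste it in place of the plaintext userPassword attribute in STEP 6 or STEP 7, and keep the plaintext only where the broker clients need it; the directory then holds a salted hash rather than the password itself.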
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up correctly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following “connect through” grant is required for all non-INB users:
SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;
The proxy (connect-through) grant for BANPROXY access has the following form:
SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted EXECUTE on gspprxy and CREATE SESSION (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed; USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp. Grant CONNECT THROUGH only to the accounts that need it: whoever can authenticate as the proxy user can act as every user granted through it, without knowing those users' passwords.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, issue the manual grants (executed as BANSECR) for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect-through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID is used for a given SPRIDEN ID or Luminis Platform user, call the gspprxy.g$_get_proxy_info procedure or run the proxyinfo.sql script (as bansecr) described in “Sample proxyinfo.sql script” on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between the SSO systems is deliberately non-obvious to make ticket hijacking and similar attacks harder, and the installation process is manual so that each institution's administrative staff can customize their environment to use unique keywords. Treat those keywords as configuration that must stay consistent across components, not as a secret that protects the handoff on its own; the ticket validation performed by the services is what enforces the trust.
The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration consistently when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header names in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as “SOAPException: faultCode=INVALID SOAP RESPONSE” in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams on which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any .lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide. One typo in that guide is the following:
1. select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files located on your Banner DB under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7, located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply processes. To begin them manually, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If the streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
Prepare to Install Luminis Platform Portlets for Banner 2-10
Create the home directory for Luminis Channels for Banner 2-11
Edit the configuration file 2-11
Banner database connection configuration properties 2-11
Generate the banportals.ear file 2-14
Deploy the EAR file 2-15
Banner portlet life cycle 2-16
Chapter 3 Data-Level Integration and Provisioning 3-1
Learning Message Gateway 3-1
Background from a Luminis Platform 4 perspective 3-1
Install LMG 4.0 3-2
Set up users and administered objects in o=messaging 3-3
Enable LDAP user repository for MQ 3-5
Set up GlassFish MQ access control 3-5
Custom JMS Clients 3-6
Configure JMS provider with Luminis Platform 3-6
Chapter 4 SSB and INB Integration 4-1
User ID mappings 4-1
Create the o=SCTSSOapplications base DN 4-2
Verify usermap mapping setup for INB users using the proxyinfo.sql script 4-3
Configure user map lookups 4-4
Create an encryption key 4-4
Create entries in LDAP for usermap 4-5
Configure parameters using GUAUPRF 4-6
Appendix A CAS Server Configuration A-1
Appendix B Logs B-1
Banportals logs B-1
Banner Enterprise Identity Services logs B-2
GlassFishMQ and Luminis Platform Message Brokerage logs B-3
Learning Management Gateway (LMG) logs B-4
GlassFish MQ 4.5 logs B-5
Appendix C Sample Scripts and Files C-1
Sample proxyinfo.sql script C-1
Sample 00-core.ldif C-2
Sample 99-user.ldif C-3
Sample sso_oclass_lum5.ldif C-3
Sample o=sctssoapplications.ldif C-4
Full lp5_mqinit.sh script C-5
Troubleshooting T-1
Error message when banproxy is not configured correctly T-1
Banner Enterprise Identity Services - INB SSO T-2
Validating Banner Enterprise Identity Services event streams T-3
Oracle streamsBanner Enterprise Identity Services validation T-4
1 Introduction
Today's higher education institution requires a fully integrated solution that provides automated student information system integration with its portal and web services delivery program. This guide outlines the steps necessary to configure data and presentation layer integration between the Banner Enterprise Resource Planning (ERP) systems and the Luminis Platform portal. Data integration refers to the transfer of user, group, term, department, course and other information from Banner through a Java Message Service (JMS) message queue into Luminis Platform. Presentation layer integration refers to the setup and configuration necessary to enable CAS integration and single sign-on through Banner Enterprise Identity Services for the suite of Banner portlets.
The steps required to successfully complete Banner and Luminis Platform integration have been categorized into four sections. The first section relates to the Banner General, INB/SSB Middle Tier and Banner Enterprise Identity Services (BEIS) products. The second section relates specifically to the Luminis Platform. The third section outlines the items required to integrate the two. The fourth section provides suggestions on how to validate and fully test your setup. Your specific environment and setup may require variations in the sequence.
This section also contains an overview of the overall architecture for integrating Banner with Luminis Platform.
Banner product and setup prerequisites
The following is a list of Banner products you must install before you can integrate Banner and Luminis Platform
bull Banner General Banner General implemented and configured according to the Banner General instructions
bull Internet Native Banner (INB) INB implemented and configured according to the Middle Tier Implementation Guide
bull Self-Service Banner SSB implemented and configured according to the Middle Tier Implementation Guide
bull Channels App Banner Channels App implemented and configured according to the Luminis-Banner and Banportals installation instructions described later in this guide
bull Banner Enterprise Identity Services (BEIS) implemented and configured according to the Banner Enterprise Identity Services Handbook
Luminis Platform product and setup prerequisites

Luminis Platform must be installed and operational as a stand-alone application before attempting to integrate with Banner. For information about installing and configuring the CAS server that is included with Luminis Platform, refer to the Luminis Platform 5.0 Installation Guide and the CAS customization steps documented in the Banner Enterprise Identity Services Handbook.

BEIS version 8.1.4 and above support Jasig CAS versions 3.2.1.1, 3.3.1 and 3.4.2. For future Google Apps integration, the CAS server should be configured outside the firewall, in the demilitarized zone.

Integrate Banner and Luminis Platform: Broker and LMG setup

The following is a list of the final products you must install before you can integrate Banner with Luminis Platform:

• Open Message Queue 4.5: install and configure Open Message Queue 4.5. For more information about installing this program, see "Data-Level Integration and Provisioning" on page 3-1 later in this document. You can also reference the documentation located at http://glassfish.java.net.
• Learning Management Message Gateway: install and customize, or import, LMG. For more information, see "Learning Message Gateway" on page 3-1.

Test and validate the integration

Once the Banner integration setup has been completed, a Banner user must log in to the system and create a page with an embedded portlet. This page should have a URL of the form http://<host>:<port>/banner-cas-client/authorized/banner/SelfService. Invoking this page brings up the Banner Self-Service screen.

Success criteria

The successful deployment and configuration of Banner Integration for Luminis Platform is best measured by the resulting ability to authenticate into Luminis Platform and Banner simultaneously, using Central Authentication Service (CAS) to accomplish single sign-on, and to access Banner data and links in the Banner portlets. In addition, the Luminis Platform system should be able to create users and course information in all appropriate content areas, such as the My Courses portlet, whenever a Banner system is updated.
Banner product dependencies

The following components are recommended when configuring the Luminis Platform Banner integration. Please refer to the Banner DC Release Interdependency Matrix for additional options.

• Luminis Platform 5.0.2
• Banner Enterprise Identity Services (BEIS) 8.1.3 or higher
• Banner General 8.4
• Banner Student 8.4.1 or 8.5
• Banner Student Self-Service 8.4.1 or 8.5
• Banner Intcomp 8.0.1
• Web Tailor 8.4 or higher
• Internet Native Banner (INB) configured per the Middle Tier Implementation Guide
• GlassFish Server Open Source Edition 3.1 or higher (this includes Open MQ)
• Banner Channels 8.2 or higher
• Central Authentication Service (CAS) 3.4.2, 3.3.1 or 3.2.1.1

Note: CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
Deployment architecture overview

The deployment model for a fully integrated Banner system, Luminis Platform portal and CAS server is illustrated below.

The next few chapters discuss the following topics:

• "Central Authentication Service and Banner Enterprise Identity Services"
• "Data-Level Integration and Provisioning"
• "SSB and INB Integration"
2 Central Authentication Service and Banner Enterprise Identity Services

Central Authentication Service (CAS) is an enterprise Single Sign-On (SSO) solution for Web applications. CAS SSO improves the user experience when running several Web applications that each have their own means of authentication. With an SSO solution, users authenticate to one central authentication service and can access other Web applications that have a trust relationship with the central authentication service without a secondary login. For example, if you want to access your portal instance, you are redirected to CAS to log in; CAS authenticates the user credentials and returns a ticket to the browser, which allows access to the portal.

CAS and Banner Enterprise Identity Services (BEIS) are required for the success of single sign-on (SSO) links within Luminis Platform.

This chapter contains the following sections:

• "CAS server configuration for UDCIdentifier"
• "Banner CAS client configuration"
• "Banner Enterprise Identity Services Configuration Information Tables"
• "Luminis Banner Web application"
• "Prepare to Install Luminis Platform Portlets for Banner"

CAS server configuration for UDCIdentifier

This section provides information about configuring the Luminis Platform CAS server to support Banner Enterprise Identity Services (BEIS) or any other SunGard Higher Education products that are UDCIdentifier aware and participate in a CAS SSO session.

Note: CAS versions 3.2.1.1 and 3.3.1 are supported. CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
This section includes the following topics:

• "Prerequisites"
• "CAS protocol extension"
• "Specify bannerValidate parameters"
• "Returned bannerValidate responses"
• "Configure the CAS server"
• "CAS managed services"

Prerequisites

Before implementing CAS with UDCIdentifier, the following prerequisites must be met:

• The identity repository used by the CAS server must be UDCIdentifier aware.
• You must have an understanding of the CAS protocol (2.0) and architecture (3.2).

CAS protocol extension

SunGard Higher Education uses the CAS attribute assertion features to assert additional identity attributes. The SunGard Higher Education CAS protocol is implemented by adding a validation service (bannerValidate) to the CAS server.

Note: The bannerValidate service is similar to the serviceValidate feature available in the JA-SIG CAS server reference implementation.

Upon successful CAS authentication, the CAS client validation filter calls the bannerValidate service to get information for the enterprise user. The service checks the validity of a service ticket and returns a UDCIdentity XML fragment as the response.

Note: The bannerValidate service does not generate and issue proxy-granting tickets when requested. The bannerValidate service must not return a successful authentication if it receives a proxy ticket.
Specify bannerValidate parameters

The following HTTP request parameters must be specified to the bannerValidate service. These parameters are case sensitive and are handled by bannerValidate.

Parameter   Description
BANNER-SV   Identifier of the service for which the CAS ticket was issued. Refer to section 2.2 of the JA-SIG CAS protocol overview for information pertaining to the login.
BANNER-ST   Service ticket issued by the CAS login service when a client presents credentials. A service ticket is an opaque string that the client uses as a credential to obtain access to a service.

Returned bannerValidate responses

The bannerValidate service returns one of the following three responses:

• If the ticket validation is successful, the following XML-formatted response is returned:

  <urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
    <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
    <urn:LogonID>triddle</urn:LogonID>
    <urn:Extension>
      <urn:Attribute>
        <urn:name>BANNER-SV</urn:name>
        <urn:value>maldevl5.sct.com/cas-client-3.1/authorized/banner/SelfService</urn:value>
      </urn:Attribute>
    </urn:Extension>
  </urn:UDCIdentity>

• If the UDC_IDENTIFIER is not asserted as a part of the validation response, an AssertionValidation error is returned.
• If the ticket validation fails, an HTTP 401 error code is returned.
The CAS server asserts the following attributes:

Attribute        Location in response
UDC_IDENTIFIER   UDCIdentity/UDCIdentifier
CAS Net ID       UDCIdentity/LogonID

Configure the CAS server

The Luminis Platform CAS server must be configured to extend the basic CAS services to support the bannerValidate service. This service is configured to retrieve UDC_IDENTIFIER data from your LDAP directory.

If the Luminis Platform CAS server was installed using the Luminis Installer, support for the bannerValidate service has been configured automatically. If you are using an externally managed CAS server, as described in the Luminis Platform Installation Guide, then you must manually configure the CAS server to support the bannerValidate service by following the steps outlined in the "Configure the CAS Server" appendix.

CAS managed services

The following are the primary CAS managed services. Some or all of these services may already exist in your CAS managed services page after the initial installation of Luminis. The CAS managed services page is found at the following location:

https://<casservername>:<port>/cas-web/services/manage.html

• A typical Luminis/CAS installation requires at least the following CAS-managed service: https://<casservername>:<https port>/cas-web/services. For this service, select the uid attribute and check the Enabled, Allowed to Proxy and SSO Participant check boxes.
• The Admin server login URL displays as follows: https://<luminisservername>:<https port>/cportal/login. A separate cportal/login service URL needs to be defined for each Luminis Platform hostname (such as the Admin and Portal tiers, or a virtual hostname if that is the URL used by end users to access the service). This service does not require any attributes. Recommended Status check boxes are Enabled, Allowed to Proxy and SSO Participant.
• The Admin server banner-cas-client URL displays as follows: https://<adminservername>:<https port>/banner-cas-client/authorized/banner. A separate banner-cas-client/authorized/banner service URL needs to be defined for each Luminis Platform instance (Admin and Portal tiers, or the virtual hostname if end users are using that URL to access the service in question). Mark the Enabled and SSO Participant check boxes and select the UDC_IDENTIFIER attribute.
Note: UDC_IDENTIFIER does not display in the attribute list until the CAS customizations detailed in the "Configuring CAS server to enable bannerValidate" section take effect. A restart of the CAS server is required.

If necessary, edit the CAS managed services that the CAS server protects.

Use the following steps to define new CAS managed services, if required:

1. Launch a browser and navigate to the CAS server management page, which is at the following URL: https://<CAS server>:<port>/cas-web/services/manage.html
2. Supply a valid administrator user name and password, obtained from the CAS administrator. The Services Management page is displayed.
3. Click the Add New Service tab in the left corner of the page.
4. Add a new service by entering the fields as exemplified in the table below.
5. Click Save Changes. The CAS server now protects the service that you defined.

Field         Value to enter
Name          CAS services
Service URL   https://<cas-server>:<port>/cas-web/services
Description   Protect cas services
Theme Name    Cas
Status        Select Enabled and SSO Participant
Attributes    The service attributes
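As an added illustration (not CAS or Luminis code), the following Python models the service registrations described in this section and shows how the registered URL prefix, the Enabled, SSO Participant and Allowed to Proxy settings, and the released attributes decide what CAS does for a given service URL. The example.edu host names, the registry contents and all function and class names are constructed for the example; the registry mirrors the three Admin-tier registrations listed above.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class RegisteredService:
    """One row of the CAS Services Management page (constructed model)."""
    name: str
    service_url: str                     # URL prefix the registration covers
    enabled: bool = True                 # Status: Enabled
    sso_participant: bool = True         # Status: SSO Participant
    allowed_to_proxy: bool = False       # Status: Allowed to Proxy
    attributes: frozenset = frozenset()  # attributes CAS may release to this service


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    attributes: frozenset = frozenset()
    use_sso_session: bool = False        # False means the user must present credentials again


# Constructed registry mirroring the three registrations the guide describes
# for the Admin tier; example.edu host names are placeholders.
REGISTRY = [
    RegisteredService("CAS services", "https://cas.example.edu:8443/cas-web/services",
                      allowed_to_proxy=True, attributes=frozenset({"uid"})),
    RegisteredService("Admin portal login", "https://admin.example.edu:443/cportal/login",
                      allowed_to_proxy=True),
    RegisteredService("Admin banner-cas-client",
                      "https://admin.example.edu:443/banner-cas-client/authorized/banner",
                      attributes=frozenset({"UDC_IDENTIFIER"})),
]


def _normalize(url):
    """Return scheme, lower-cased host, explicit port (443/80 when omitted) and path."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, (parts.hostname or "").lower(), port, parts.path


def find_service(service_url, registry=REGISTRY):
    """Registration whose URL covers service_url, matched on scheme, host, port and a
    path prefix at a '/' boundary. A Portal-tier hostname or a look-alike path such as
    /banner-cas-clientx is therefore not covered by an Admin-tier entry, which is why
    the guide asks for one registration per hostname."""
    scheme, host, port, path = _normalize(service_url)
    for svc in registry:
        s_scheme, s_host, s_port, s_path = _normalize(svc.service_url)
        if (scheme, host, port) != (s_scheme, s_host, s_port):
            continue
        if path == s_path or path.startswith(s_path.rstrip("/") + "/"):
            return svc
    return None


def authorize_service(service_url, wants_proxy=False, registry=REGISTRY):
    """Decide whether CAS may issue a ticket to service_url and what it may release."""
    svc = find_service(service_url, registry)
    if svc is None:
        return Decision(False, "service not registered")
    if not svc.enabled:
        return Decision(False, "service disabled")
    if wants_proxy and not svc.allowed_to_proxy:
        return Decision(False, "service is not allowed to proxy")
    return Decision(True, "ok", svc.attributes, svc.sso_participant)
```

Running authorize_service against the Admin banner-cas-client URL yields a decision that releases only UDC_IDENTIFIER and allows the SSO session, while the same path on the Portal hostname is rejected as unregistered until its own entry is added.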
Banner CAS client configuration

Once the CAS server is configured to support Banner Enterprise Identity Services, you can configure Internet Native Banner and Banner Self-Service to participate in a CAS Single Sign-On (SSO) session. This is accomplished when you deploy the Banner CAS Client Web application in the Admin server and the Portal server. This application proxies the CAS authentication process to the Banner SSO proxy Web applications that support Internet Native Banner and Banner Self-Service. The application is only required in a CAS-based environment.

Use the following steps to install and configure the Banner CAS Client Web application:
1. After you deploy the banner-cas-client version supplied with Banner Enterprise Identity Services for the Luminis Platform Admin and Portal instances, modify the following parameters in the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file:

Parameter                     Description
banner.sso.gateway            URL to the Banner SSO Web Proxy, which is part of the Banner Identity Gateway deployment.
cas.server.gateway            Property that determines whether the login screen is displayed to the user. The default is false.
cas.server.renew              Property that determines whether users must log in to each application. If set to true, users must log in to each application regardless of whether an SSO session was established; use this setting if users are allowed to log in to another application within the SSO realm without providing credentials again. If set to false, users do not need to log in to each application if an SSO session was established; use this setting for general use.
cas.server.url                URL to the CAS server. Generally this is a secured container, meaning the URL should begin with https.
cas.server.proxyCallbackUrl   Server proxy callback URL, which should point to the CAS server and port.
cas.client.serverName         Client server address, which consists of the fully qualified server name and port where the application is running. Note: this should include the SSL port number.
cas.client.proxyCallbackUrl   Client proxy callback URL, which should point to the server and port where the client application is running. Note: this should include the SSL port number.

For example, the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file may appear as follows:

• Admin:
  banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
  cas.server.renew=false
  cas.server.url=https://slcsup37.sct.com:8447/cas-web
  cas.client.serverName=slcsup37.sct.com:443
• Portal:
  banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
  cas.server.renew=false
  cas.server.url=https://slcsup37.sct.com:8447/cas-web
  cas.client.serverName=slcsup38.sct.com:443
• The following three properties are marked as not in use:
  cas.server.gateway=false
  cas.server.proxyCallbackUrl
  cas.client.proxyCallbackUrl

2. Test the Web application by invoking the following URL, which should be accessible from all resource and Portal tiers: https://<Luminis host>:<SSL PORT>/banner-cas-client

The following URLs are used to start Banner in a CAS Single Sign-On environment:

• Internet Native Banner: http://<host>:<port>/banner-cas-client/authorized/banner/OracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/banner/SelfService
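The following Python is an added example, not the banner-cas-client code. It shows the client side of the exchange this chapter describes, driven by a cas-client.properties file shaped like the Admin example above: the CAS login redirect honouring cas.server.renew and cas.server.gateway, the bannerValidate request with its BANNER-SV and BANNER-ST parameters (see "Specify bannerValidate parameters"), and the handling of the three documented bannerValidate responses. The sample properties reuse the guide's host names, the ST-/PT- ticket prefixes come from the CAS protocol, the UDCIdentity namespace URI is assumed, and the cross-check of the asserted BANNER-SV against the requested service is an added client-side check that the guide does not prescribe.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

# Constructed cas-client.properties for the Admin tier (the guide's sample host
# names, not live systems).
CAS_CLIENT_PROPERTIES = """
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
"""

# Constructed bannerValidate success response, shaped like the one in the guide.
# The namespace URI is assumed; the parser below matches on local names only.
SAMPLE_RESPONSE = """<urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>maldevl5.sct.com/cas-client-3.1/authorized/banner/SelfService</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>"""


def load_properties(text):
    """Minimal Java .properties reader: key=value lines; blank and '#' lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_properties(props):
    """Problems implied by the parameter table: the CAS URL must be https and the
    client server name must carry its SSL port."""
    problems = []
    if urlsplit(props.get("cas.server.url", "")).scheme != "https":
        problems.append("cas.server.url must use https")
    if ":" not in props.get("cas.client.serverName", ""):
        problems.append("cas.client.serverName must include the SSL port")
    if props.get("cas.server.renew", "false").lower() not in ("true", "false"):
        problems.append("cas.server.renew must be true or false")
    return problems


def _flag(props, key):
    return props.get(key, "false").lower() == "true"


def login_redirect(props, service_url):
    """Where the browser is sent when no ticket is present. renew=true forces fresh
    credentials even inside an SSO session; gateway=true suppresses the login page."""
    params = {"service": service_url}
    if _flag(props, "cas.server.renew"):
        params["renew"] = "true"
    if _flag(props, "cas.server.gateway"):
        params["gateway"] = "true"
    return props["cas.server.url"].rstrip("/") + "/login?" + urlencode(params)


def banner_validate_request(props, service_url, ticket):
    """The bannerValidate call with its two case-sensitive parameters. Proxy tickets
    (CAS prefix PT-) are refused up front, since bannerValidate must never succeed for one."""
    if not ticket.startswith("ST-"):
        raise ValueError("bannerValidate accepts service tickets (ST-) only")
    return (props["cas.server.url"].rstrip("/") + "/bannerValidate?"
            + urlencode({"BANNER-SV": service_url, "BANNER-ST": ticket}))


def _local(tag):
    return tag.rsplit("}", 1)[-1]          # strip the namespace prefix from a tag


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def parse_banner_validate(status, body, expected_service=None):
    """Apply the three documented outcomes: HTTP 401 is a failed validation, a body
    without UDCIdentifier is an assertion error, otherwise the identity is returned."""
    if status == 401:
        raise PermissionError("ticket validation failed")
    root = ET.fromstring(body)
    udc = _child_text(root, "UDCIdentifier")
    if not udc:
        raise ValueError("AssertionValidation: UDC_IDENTIFIER not asserted")
    attrs = {_child_text(a, "name"): _child_text(a, "value")
             for a in root.iter() if _local(a.tag) == "Attribute"}
    # Added check: the service the ticket was issued for must be the one we asked about.
    if expected_service is not None and attrs.get("BANNER-SV") != expected_service:
        raise ValueError("BANNER-SV in response does not match the requested service")
    return {"udc_identifier": udc, "logon_id": _child_text(root, "LogonID"), "attributes": attrs}
```

check_properties reports nothing for the Admin sample above; pointing cas.server.url at a plain http URL or dropping the port from cas.client.serverName produces one finding each, which is the quickest way to catch a mis-edited file before restarting Tomcat.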
Banner Enterprise Identity Services Configuration Information Tables

The following is a list of tables that store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.

For Identity Data Export Utilities, as with other Web apps, the configuration is stored in the properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory, the files are stored in the following location:

applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties

Schema     Table            Application                          Comments
BNIXMGR    APCONFG          Banner Identity Gateway              Stores application configuration for SSB and INB
BNIXMGR    WSCONFG          Banner Identity Gateway              Stores configuration for the Open Digital Campus Identity Web Service, for the Credential service and the Ticketing service
IDENTMGR   T_UDC_PST_LIST   Enterprise Identity Proxy Services   Stores a list of Provisioning Service Targets
Luminis Banner Web application

This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.

Use the following steps to deploy these portlets:

1. Make the necessary changes to certain properties located in the following folders:
   $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
   $CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes

2. The properties that need to be modified with respect to the Banner portlets are as follows:

   The URL to access the Banner Portal Servlet.
   Example: http://slcban3.sungardhe.com:7778/banportals
   providerServlet.url=<URL for the banportals application>

   The user name to secure the servlet.
   providerServlet.userName=channelAdmin

   The password to secure the servlet.
   providerServlet.password=u_pick_it

   version=development

   The SSB URL for the English locale.
   Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.en_US=<The URL for the English locale for SSB>

   The SSB URL for the French locale.
   Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>

   The SSB URL for the Spanish (Mexican) locale.
   Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>

   The SSB URL for the Arabic locale.
   Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>

   The SSB URL for the Brazilian locale.
   Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>

   The BEIS version: 8.1.4 for versions that are <= 8.1.4; for later versions it needs to be set to 8.1.5.
   beis.version=8.1.4

   The banner-cas-client URL for SSB, in case BEIS <= 8.1.4 is used.
   banner.cas.client.ssb=banner-cas-client/authorized/banner/SelfService

   The banner-cas-client URL for INB, in case BEIS <= 8.1.4 is used.
   banner.cas.client.inb=banner-cas-client/authorized/banner/OracleForms?launch_form=

   The SSB URL for SSO Manager, in case BEIS 8.1.5 is used (note that the parameter pkg has to be the same as configured in SSO Manager).
   beis.ssomanager.ssb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/SSB?pkg=

   The INB URL for SSO Manager, in case BEIS 8.1.5 is used.
   beis.ssomanager.inb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner

The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) Application server.

This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server, and modifications to be made to the deployment of the Luminis Platform portlet for Banner server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.

For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki at the following location:

http://www.edu1world.org/CommonsLuminis

This section includes the following topics:

• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"

Create the home directory for Luminis Channels for Banner

To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:

/u01/PROD/sghe/banner/channels

Copy the contents of the channel/admin directory of your Banner production directory to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.

Edit the configuration file

Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as in the following example:

D:\SGHE\BAN7\CHANNELS\banportals.config

Banner database connection configuration properties

The following table specifies descriptions and examples of the Banner database connection configuration properties.
connectionName.list
  Description: Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName and so on.
  Example: connectionName.list=default or connectionName.list=default, other

default.tnsName
  Description: TNS name used when connecting to the Banner database.
  Example: default.tnsName=LB70.sct.com

default.userName
  Description: Connection pool user name.
  Example: default.userName=banproxy

default.password
  Description: Connection pool password.
  Example: default.password=banproxy

default.poolConfig.min-limit
  Description: Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
  Example: default.poolConfig.min-limit=1

default.poolConfig.max-limit
  Description: Maximum number of physical connections maintained by the pool.
  Example: default.poolConfig.max-limit=5

default.poolConfig.increment
  Description: Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
  Example: default.poolConfig.increment=1

default.poolConfig.timeout
  Description: The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is given in seconds.
  Example: default.poolConfig.timeout=30

log4j.rootCategory
  Description: The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.

providerServlet.url
  Description: URL to access the Banner portal servlet. This is the URL of the web server and points to the OC4J servlet, which resides on the web server machine. The port 4445 in the document is an example; you provide the port number that routes you to the welcome page of the web server, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. Refer to "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.

providerServlet.userName
  Description: User name to secure the servlet.
  Example: providerServlet.userName=channelAdmin

providerServlet.password
  Description: Password used to secure the servlet.
  Example: providerServlet.password=u_pick_it

xsl-parameter.erpUrlBase
  Description: URL for the INB server. Note: if you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL in the example.
  Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D

xsl-parameter.urlHostAndPath
  Description: URL for the self-service application.
  Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD/

The recommended value for the username is channelAdmin. You can use any value for the password.

This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a channel request, it compares the username and password stored in banportals.ear with the username and password sent by Luminis from the luminis-banner webapp. Thus the providerServlet username and password only need to be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user and so forth.

Generate the banportals.ear file

The banportals.config file contains values that should be inserted into the banportals.ear file.

To roll out the changes, use the installer file banportalsadmin.jar. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:

java -jar banportalsadmin.jar banportals.config

Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager, as described in "Deploy the EAR file" on page 2-15.
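As an added example (not part of Banner Channels or banportalsadmin.jar), the Python below reads a constructed banportals.config laid out per the property table above, checks the connection-pool and logging values for consistency, flags a providerServlet.password left at the documented placeholder, and shows the servlet-side comparison of the providerServlet credentials between the luminis-banner webapp and the OC4J servlet described above. The host name is a placeholder, and the use of hmac.compare_digest for the comparison is an added hardening, not something the guide specifies.

```python
import hmac

# Constructed banportals.config following the property table (placeholder host name).
SAMPLE_BANPORTALS_CONFIG = """
connectionName.list=default
default.tnsName=LB70.sct.com
default.userName=banproxy
default.password=banproxy
default.poolConfig.min-limit=1
default.poolConfig.max-limit=5
default.poolConfig.increment=1
default.poolConfig.timeout=30
log4j.rootCategory=ERROR, stdout
providerServlet.url=http://banner.example.edu:7777/banportals
providerServlet.userName=channelAdmin
providerServlet.password=u_pick_it
"""

LOG4J_LEVELS = {"OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE", "ALL"}
PLACEHOLDER_PASSWORD = "u_pick_it"   # the value shown in the guide's example


def load_config(text):
    """Minimal key=value reader; blank and '#' lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def check_banportals(cfg):
    """Return a list of findings; an empty list means the file is consistent."""
    problems = []
    names = cfg.get("connectionName.list", "").replace(",", " ").split()
    if not names:
        problems.append("connectionName.list is empty")
    for n in names:
        # each listed connection needs its <name>.<property> entries
        for key in ("tnsName", "userName", "password"):
            if not cfg.get(f"{n}.{key}"):
                problems.append(f"{n}.{key} is missing")
        try:
            lo = int(cfg.get(f"{n}.poolConfig.min-limit", "1"))
            hi = int(cfg.get(f"{n}.poolConfig.max-limit", "1"))
            inc = int(cfg.get(f"{n}.poolConfig.increment", "1"))
            timeout = int(cfg.get(f"{n}.poolConfig.timeout", "30"))
        except ValueError:
            problems.append(f"{n}.poolConfig values must be integers")
            continue
        if not 1 <= lo <= hi:
            problems.append(f"{n}.poolConfig: need 1 <= min-limit <= max-limit")
        if inc < 1:
            problems.append(f"{n}.poolConfig.increment must be at least 1")
        if timeout <= 0:
            problems.append(f"{n}.poolConfig.timeout must be positive (seconds)")
    # log4j.rootCategory is "<level>, <appender>"; the guide recommends ERROR, stdout
    level = cfg.get("log4j.rootCategory", "").split(",")[0].strip().upper()
    if level not in LOG4J_LEVELS:
        problems.append("log4j.rootCategory must start with a log4j level, e.g. ERROR, stdout")
    if cfg.get("providerServlet.password", "") in ("", PLACEHOLDER_PASSWORD):
        problems.append("providerServlet.password is unset or still the documented placeholder u_pick_it")
    return problems


def check_provider_credentials(cfg, user, password):
    """What the OC4J servlet does on each channel request: compare the presented
    username/password with the pair baked into banportals.ear from this file.
    compare_digest keeps the comparison time independent of where the strings differ."""
    ok_user = hmac.compare_digest(cfg.get("providerServlet.userName", "").encode(), user.encode())
    ok_pass = hmac.compare_digest(cfg.get("providerServlet.password", "").encode(), password.encode())
    return ok_user and ok_pass
```

On the sample file the only finding is the placeholder password; setting max-limit below min-limit or leaving a listed connection without its tnsName adds one finding per defect, which is worth running before generating banportals.ear since the values are copied into the archive as-is.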
Deploy the EAR file

SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.

To use the Oracle Enterprise Manager, complete the following steps:

1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals. It is recommended that you create a new OC4J instance for each channel servlet instance. S 

SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory, and select this file for deployment. This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager; if access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access to the banportals.ear file from your local (browser) machine, using mapped drives or symbolic links, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the application currently being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle

The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:

• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.

Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:

USERMAP_OPT = N

The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP username mapping first, based on the GUAUPRF LDAP settings, and then fail over to the mapping set in the Banner GOBEACC mapping. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning

Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and event-driven infrastructure.

This chapter discusses the following sections:

• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"

Learning Message Gateway

The Learning Management Gateway (LMG) is an architectural component designed for, and supporting, Banner Integration for eLearning.

This section explains the following topics:

• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective

Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring Framework application server context, which contains native JMS client connectivity by default. In addition, the JMS provider middleware has been decoupled from the Luminis-specific portal and administration tools.

Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.

GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish Open MQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the …/imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.

You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the Open MQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 40 Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files as described below and in the Banner LMG installation guide
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration The mbldisetup and webct_mbldisetup configurations are no longer supported since they rely on the deprecated mbtool utility The following new script meets the same purpose with GlassFish MQ and is described in the following steps
lp5_mqinitsh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps.
1 Create an install directory where the Learning Message Gateway resides and to which the SCT_LMG_HOME environment variable points.
For example: mkdir /export/home/cpadmin/SCTERPGateway
2 Add the following to the .bash_profile of your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
export SCT_LMG_HOME
3 Copy lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4 Run the following command:
java -jar lmgX.x.jar -erp plus|banner -lmbhost <lmbserver> -dburl <dbserver>:<port>:<instance> -dbpw <mydbpasswd> -jmspw <myjmspasswd> -ldi true|false -notification true|false
For example:
java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
The database and JMS passwords given on this command line are recorded in the shell history and are visible in the process list while the installer runs, so run it from an administrative account and clear the history entry afterwards. The installer writes configuration files from these parameters; restrict the generated files so that only the LMG account can read them.
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same host as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of opends before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects, such as topics, queues and connection factories, in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:
• Environmental settings:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use imq.portmapper.port, which has a default value of 7676:
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ HTTPS tunnel configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener-1 in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 (https), which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. The script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update <glassfishdomain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> values should be those of a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since it specifically grants them read, search and compare privileges in o=messaging. Because the bind password is stored in clear text in config.properties, make the file readable only by the account that runs the broker. The server setting above is plain LDAP on localhost, which is acceptable only while OpenDS and the broker share a host; if the directory is remote, point the broker at the LDAPS port and set imq.user_repository.ldap.ssl.enabled=true so that user passwords are not checked over a clear-text connection.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change imq.log.level to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue- and topic-specific permissions. In this example lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis. The sample grants the ADMIN connection service to both; in practice grant it only to the account that actually runs imqcmd, since an integration account that only produces and consumes messages does not need it.
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
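The allow lists above are only as good as the spelling of the user names in them: the broker has no way to validate at load time that a user in an allow or deny list exists in LDAP, so a misspelled entry simply never matches and the real account is denied at runtime with no configuration error. The following POSIX shell script is an added example, not part of the guide or of Open MQ, that cross-checks an accesscontrol.properties file against the user names you created in ou=People,o=messaging and lists who holds the ADMIN connection service. The sample file embedded in it is constructed for this example and deliberately contains a misspelled user.

```shell
#!/bin/sh
# Added example (not from the guide or Open MQ): cross-check an Open MQ
# accesscontrol.properties against the user names expected in the broker's
# LDAP repository. The broker cannot validate names in allow/deny lists at
# load time, so a misspelled user silently never matches.

# Constructed sample ACL for this example; "lumser" is a deliberate typo.
sample_acl() {
  cat <<'EOF'
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
EOF
}

# acl_users FILE: every user named on an *.allow.user or *.deny.user line,
# one per line, de-duplicated. "*" (any authenticated user) is skipped.
acl_users() {
  grep -E '^[^#]*\.(allow|deny)\.user=' "$1" \
    | sed 's/^[^=]*=//' | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
    | grep -v -e '^$' -e '^\*$' | sort -u
}

# unknown_acl_users FILE USER...: users named in FILE that are not among
# the USER arguments (the accounts you created in ou=People,o=messaging).
unknown_acl_users() {
  file=$1; shift
  known=$(printf '%s\n' "$@")
  acl_users "$file" | while read -r u; do
    printf '%s\n' "$known" | grep -qx -- "$u" || printf '%s\n' "$u"
  done
}

# admin_connection_users FILE: accounts allowed to open the ADMIN service,
# i.e. to run imqcmd against the broker. Keep this list to real operators.
admin_connection_users() {
  grep -E '^connection\.ADMIN\.allow\.user=' "$1" \
    | sed 's/^[^=]*=//' | tr ',' '\n' | sed 's/^ *//; s/ *$//'
}
```

Run it as unknown_acl_users /path/to/accesscontrol.properties lumuser lmguser after each edit of the file; any name it prints will never be granted anything, and the user it was meant for will be refused by the broker.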
Custom JMS Clients
Ensure that your JMS clients have the same versions of jms.jar and imq.jar in their classpath as the broker. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ or Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa
In most cases installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server.
1 Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2 Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ.
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command. Root is not actually required, since none of the ports used here is privileged; running the domain as a dedicated unprivileged account that owns <GLASSFISH_HOME> limits the damage if the server is compromised.
3 Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps.
Note: The imqusermgr command creates users in the file-based user repository and can be ignored if you are using an LDAP- or JAAS-based user repository for MQ. The default credentials to use with imqcmd are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP- or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details, or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the admin password. Do this before the broker is reachable from other hosts, because admin/admin is the published default:
imqusermgr update -u admin -p <password>
4 If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for the other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not allowed through the firewall, or if you otherwise prefer static ports, both the firewall and the MQ must be configured for static ports. The MQ is configured to use static ports by adding the following lines to the bottom of <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
Note that the portmapper answers anyone who can reach port 7676 and, as the listing shows, reveals the broker's version, file system paths and service ports without authentication, so restrict that port, together with the admin and jms ports, at the firewall to the Luminis, LMG and administrative hosts.
After the MQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the host change in step 5.3), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
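The portmapper reply above is also the quickest way to confirm, from another host, that the static ports took effect and that no service you depend on still advertises an ephemeral port. The following POSIX shell script is an added example, not from the guide or from Open MQ: it parses a captured portmapper reply, looks up the port a named service advertises, and compares the admin and jms entries with the values in config.properties. The reply and the properties fragment embedded in it are constructed for this example; in real use save the telnet output to a file, or capture the reply with a tool such as nc, and point the functions at that file and at the broker's config.properties.

```shell
#!/bin/sh
# Added example (not from the guide or Open MQ): check the ports the broker
# advertises through the portmapper against the static ports configured in
# config.properties. Input files are captured text, so this runs offline.

# Constructed sample reply, modelled on the second telnet listing above.
sample_portmapper_reply() {
  cat <<'EOF'
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://host/jndi/rmi://host:8686/host/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
cluster tcp CLUSTER 50627
EOF
}

# Constructed config.properties fragment with the static ports from step 4.
sample_config_properties() {
  cat <<'EOF'
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
EOF
}

# service_port REPLY SERVICE: the port a service advertises (0 = not listening).
service_port() {
  awk -v svc="$2" '$1 == svc { print $4; exit }' "$1"
}

# prop FILE KEY: value of KEY in a properties file (last one wins; empty if absent).
prop() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_static_ports REPLY CONFIG: returns 0 when the admin and jms services
# advertise exactly the ports in CONFIG, 1 otherwise (prints each mismatch).
check_static_ports() {
  rc=0
  for pair in admin:imq.admin.tcp.port jms:imq.jms.tcp.port; do
    svc=${pair%%:*}; key=${pair#*:}
    want=$(prop "$2" "$key"); got=$(service_port "$1" "$svc")
    if [ -z "$want" ] || [ "$want" != "$got" ]; then
      echo "$svc: advertised ${got:-none}, config.properties says ${want:-unset}"
      rc=1
    fi
  done
  return $rc
}
```

A non-zero exit from check_static_ports after asadmin restart-domain usually means the property lines were added to a config.properties in a different instance directory than the one the domain actually starts, or that the domain was not restarted.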
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.
If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5 The GlassFish server should be installed, with the jms and admin services listed in imq.service.activelist within <glassfishdomain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host attribute matches your FQDN, as in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any imqcmd commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP table. PIDM <-> SPRIDEN ID mappings are in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings are in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP authentication layer is not needed beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely on the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back through the portlets. There is no additional LDAP authentication or SPRIDEN ID lookup against LDAP in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket (as in the Luminis CAS login on port 8447), coupled with the assertion of the UDC ID in the configured cookie and header. Because that cookie and header are accepted as proof of identity, they must only ever be set on the banner-cas-client path; verify that the INB and SSB servers cannot be reached in a way that lets a browser supply the header directly.
Luminis Portlets for Banner add database-level security with banportals for each transaction, using the user's actual INB/Oracle user account or a proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP from his UDC ID to a valid PIDM, and does the user have a UDC ID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name used in the examples, sct.com, is not necessarily your own (for example sungardhe.com).
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control panel or dsconfig. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the BASELINE user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps.
1 From $CP_ROOT/products/opends/bin, run the following command:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN, for example o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Select Use these values.
1.7 Press F to finish and apply the changes to the Local DB Backend.
2 Import the sso_oclass_lum5.ldif file as follows (the -X option trusts the server certificate without checking it, which is tolerable only because the connection is to localhost):
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, "Sample Scripts and Files".
3 Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any user who has no explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies on a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for INB channels such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be created to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind against the LDAP server that hosts the user mappings; the examples in this guide bind as the Directory Manager. The bind password is stored on GUAUPRF and is encrypted with DES through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key (password) to perform the encryption. DES with a single eight-character key is not strong protection by today's standards, so treat the enckey file as equivalent to the bind password itself: keep KEY_DIR readable only by the Oracle software owner, and prefer a dedicated bind account limited to the rights described under BIND_USER in "Configure parameters using GUAUPRF" over cn=Directory Manager where your directory permits it.
Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in DBA_DIRECTORIES and the physical directory has not been created on your database server, create it using the following steps. Make sure the group permissions allow Oracle to read it.
1 Create the physical directory on your database server, for example: mkdir $BANNER_HOME/key_dir
2 Create a plain text file named enckey in the directory.
3 Edit the enckey file and enter the key. A value such as PASSWORD is shown here only to illustrate placement; it does not satisfy the letters-and-numbers rule below, so generate a random value that does.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4 Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step 1, for example $BANNER_HOME/KEY_DIR.
Note: If you cannot find the banssodir.sql script, copy it from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5 Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
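The rules for the key above are easy to get wrong by hand (a leading or trailing space, a nine-character key, an all-letter word). The following POSIX shell script is an added example, not part of Banner or of the guide, that checks an enckey file against those rules before you run banssodir.sql and shows which eight characters the current DES encryption actually consumes. It assumes the key is the first line of the file, as the guide describes.

```shell
#!/bin/sh
# Added example (not part of Banner or the guide): validate an enckey file
# against the rules stated above before running banssodir.sql. Assumes the
# key is the first line of the file.

# check_enckey FILE: prints one line per violated rule; returns 0 if clean.
check_enckey() {
  raw=$(head -n 1 "$1")
  tab=$(printf '\t')
  rc=0
  case $raw in
    ' '*|"$tab"*) echo "key must start in column 1"; rc=1 ;;
  esac
  key=$(printf '%s' "$raw" | sed 's/[[:space:]]*$//')   # drop trailing CR/space
  len=${#key}
  if [ "$len" -lt 8 ]; then
    echo "key has $len characters; at least 8 are required"; rc=1
  elif [ $((len % 8)) -ne 0 ]; then
    echo "key length $len is not a multiple of 8"; rc=1
  fi
  case $key in *[A-Za-z]*) ;; *) echo "key contains no letters"; rc=1 ;; esac
  case $key in *[0-9]*)    ;; *) echo "key contains no digits"; rc=1 ;; esac
  if [ "$len" -gt 24 ]; then
    echo "note: only the first 24 characters are used by GOKKSSO"
  fi
  return $rc
}

# des_key_part FILE: the eight characters the current DES encryption uses.
des_key_part() {
  head -n 1 "$1" | cut -c1-8
}
```

Run check_enckey $BANNER_HOME/key_dir/enckey as the Oracle software owner; a clean exit is the signal that banssodir.sql can be run, and des_key_part reminds you that everything beyond the first eight characters is ignored until the DES3 path is used.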
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the BASELINE user in GUAUPRF), you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the common name (cn) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If a user's ID is the same in both systems, an entry in this location is not necessary or recommended for that user. Because an entry here decides which Oracle account a Luminis login is mapped to, restrict write access to this tree to directory administrators.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value, for example Luminis ID = jsmith and Oracle/Banner ID = jsmith
• Mapped to one another in LDAP, for example Luminis ID = JoeSmith and Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs differ from one another. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1 Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2 Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Passing the password with -w leaves it in the shell history and the process list; the OpenDS tools also accept it from a file with -j.
Note: You must wait approximately 20 minutes for the mapping to take effect.
3 Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached for subsequent accesses. If you change a particular mapping, you must restart the banportals OC4J before the new mapping is read.
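To avoid hand-editing one LDIF entry per user, the following POSIX shell script is an added example, not part of the guide or of Banner: it generates the o=usermap entries for a list of "Luminis ID / Oracle ID" pairs, skipping pairs whose IDs already match (the guide says those entries are neither necessary nor recommended), and resolves a Luminis ID the way the lookup described above behaves, with an explicit mapping taking precedence and the default Oracle ID (banproxy) otherwise. It assumes the base DN shown above and plain alphanumeric IDs (values that would need LDIF escaping are not handled); the three users in the usage line are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the guide or Banner): build o=usermap entries for
# a batch of users and resolve a Luminis ID the way the usermap lookup above
# behaves (explicit mapping wins, otherwise the default Oracle ID).
# Assumed base DN, as shown in the guide's example:
USERMAP_BASE='o=usermap,o=Banner,o=SCTSSOapplications'

# usermap_ldif < "luminis_id oracle_id" lines: one SCTSSOConfig entry per
# pair whose IDs differ; identical pairs are skipped. IDs are assumed to be
# plain alphanumerics, so no LDIF escaping is performed.
usermap_ldif() {
  while read -r lum ora; do
    [ -n "$lum" ] && [ "$lum" != "$ora" ] || continue
    printf 'dn: cn=%s,%s\n' "$lum" "$USERMAP_BASE"
    printf 'objectClass: top\nobjectClass: SCTSSOConfig\n'
    printf 'cn: %s\nSCTSSOConfigString: %s\n' "$lum" "$ora"
    printf 'description: Map of Luminis ID - %s to Banner/Oracle ID - %s\n\n' "$lum" "$ora"
  done
}

# resolve_oracle_id LDIF LUMINIS_ID DEFAULT: the Oracle ID the map yields,
# i.e. the SCTSSOConfigString of cn=LUMINIS_ID if present, else DEFAULT.
resolve_oracle_id() {
  awk -v want="cn=$2,$USERMAP_BASE" -v dflt="$3" '
    $1 == "dn:" { in_entry = ($2 == want) }
    in_entry && $1 == "SCTSSOConfigString:" { print $2; found = 1; exit }
    END { if (!found) print dflt }' "$1"
}

# Usage (constructed users): generate the file, then import it with the
# ldapmodify command from step 2 above.
#   printf 'JoeSmith jsmith\njdoe jdoe\nMaryJones mjones\n' | usermap_ldif > sso_map.ldif
```

resolve_oracle_id mirrors what proxyinfo.sql reports after the mapping is live: a mapped user returns the Oracle ID from the entry, and an unmapped user (or one whose pair was skipped because the IDs already match) falls through to the default.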
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps.
1 Log on to Banner as the BASELINE user.
2 Access GUAUPRF.
3 Navigate to the LDAP tab.
4 Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value is displayed as the default value for new users who log in to Banner.
Parameter: Description
BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter uses LDAP URL format, for example ldap://myldapserver:389
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are L (LoginID is used for login mapping) and N (no usermap option is used).
USERMAP_PRFX: Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined by the USERMAP_OPT parameter. The expected usermap option is L (logon ID) or N (none).
5 In the SSL (Secure Sockets Layer) key, configure the following parameters.
Parameter: Description
LOCATION: To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where the wallet is created, in file URL format, for example file:d:\wallet for Windows or file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode, one of the following values:
1 - No authentication is required (SSL encryption only)
2 - One-way authentication is required (the database client verifies the LDAP server's certificate against the wallet)
3 - Two-way authentication is required (the client and the server authenticate each other's certificates)
Mode 1 encrypts the connection but does not verify which server you are talking to; use mode 2 or 3 in production so that the bind password cannot be captured by an impostor LDAP server.
A CAS Server Configuration
Use the following steps to specify the LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1 If you do not already have a CAS server installed, download the JA-SIG CAS server distribution.
2 Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions listed in step 2.2.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3 Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4 To configure the CAS server to enable the bannerValidate service complete the following steps
41 Copy the following JAR files from CAS_EXTENSIONWEB-INFlib to SGHE_CAS_SERVERWEB-INFlib
jsr173_10_apijar
sghe_udc_identity_xmlbeans_bindingjar
sghe-cas-extjar
xbeanjar
xercesImpljar
xml-apisjar
41 Modify the SGHE_CAS_SERVERWEB-INFwebxml file by opening webxml and adding the following servlet mapping to it
ltservlet-mappinggt
ltservlet-namegtcasltservlet-namegt
lturl-patterngtbannerValidatelturl-patterngt
ltservlet-mappinggt
42 Modify SGHE_CAS_SERVERWEB-INFspring-configuration uniqueIdGeneratorsxml by completing the following steps
421 Open the uniqueIdGeneratorsxml file
422 Add the following lines to the uniqueIdGeneratorsxml file
utilmap id=uniqueIdGeneratorsMap ltentry key=comsghecasprincipalBannerAccountsService value-ref=serviceTicketUniqueIdGenerator gt
423 Save and close the uniqueIdGeneratorsxml file
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
    <bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
    </bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
    <util:list id="argumentExtractors">
      <ref bean="BannerArgumentExtractor" />
      <ref bean="casArgumentExtractor" />
      <ref bean="samlArgumentExtractor" />
    </util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following XML configuration:
    <bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
      p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:proxyHandler-ref="proxy20Handler"
      p:argumentExtractor-ref="BannerArgumentExtractor"
      p:successView="bannerAccountServiceSuccessView"
      p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
    <prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
    <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="query" value="(uid={0})" />
      <property name="contextSource" ref="contextSource" />
      <property name="ldapAttributesToPortalAttributes">
        <map>
          <!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
          <entry key="uid" value="uid" />
          <entry key="udcid" value="UDC_IDENTIFIER" />
          <entry key="cn" value="cn" />
          <entry key="givenname" value="Formatted Name" />
          <entry key="mail" value="EmailAddress" />
        </map>
      </property>
    </bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
    <property name="authenticationMetaDataPopulators">
      <list>
        <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
          <property name="template" ref="LdapTemplate" />
          <property name="netIdAttr" value="uid" />
          <property name="baseDN" value="ou=People,o=cp" />
          <property name="casTokenAttributes">
            <map>
              <entry>
                <key><value>udcid</value></key>
                <value>UDC_IDENTIFIER</value>
              </entry>
            </map>
          </property>
        </bean>
      </list>
    </property>
4.5.3 Add the following bean definitions under the beans root element:
    <bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
      <property name="contextSource" ref="contextSource"></property>
    </bean>
    <bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
      <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
    </bean>
    <bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
      <property name="template" ref="LdapTemplate"></property>
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="samlToLdapAttributeNameMap">
        <map>
          <entry key="UDC_IDENTIFIER" value="udcid" />
          <entry key="Formatted Name" value="sn" />
        </map>
      </property>
    </bean>
    <bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
    # Banner Applications Views
    bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
    bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
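The bannerValidate endpoint only works when the servlet mapping (step 4.1), the handlerMappingC prop and controller bean (step 4.4) and the two view names (step 4.6) all agree. The following added example, which is not part of the guide or of the SunGard CAS extension, cross-checks that chain; the three inputs are constructed in-line and stand in for SGHE_CAS_SERVER/WEB-INF/web.xml, WEB-INF/cas-servlet.xml and WEB-INF/classes/default_views.properties.

```python
"""Cross-check the bannerValidate wiring that steps 4.1 to 4.6 spread across
web.xml, cas-servlet.xml and default_views.properties (added example; the
three inputs are constructed, not the guide's own files)."""
import xml.etree.ElementTree as ET

SPRING_P = "{http://www.springframework.org/schema/p}"  # Spring "p:" attribute namespace

# Constructed web.xml fragment with the servlet mapping from step 4.1
WEB_XML = """<web-app>
  <servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/bannerValidate</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed cas-servlet.xml fragment: controller bean (4.4.1) and handlerMappingC prop (4.4.2)
CAS_SERVLET_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="mappings">
      <props>
        <prop key="/bannerValidate">bannerAccountValidateController</prop>
      </props>
    </property>
  </bean>
  <bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
        p:argumentExtractor-ref="BannerArgumentExtractor"
        p:successView="bannerAccountServiceSuccessView"
        p:failureView="bannerAccountServiceFailureView" />
</beans>"""

# Constructed default_views.properties content from step 4.6
VIEWS_PROPS = """# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
"""

def _local(tag):
    """Strip an XML namespace: '{ns}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def servlet_for_url(web_xml, url):
    """Return the servlet-name that web.xml maps to url, or None."""
    for mapping in ET.fromstring(web_xml).iter():
        if _local(mapping.tag) == "servlet-mapping":
            fields = {_local(c.tag): (c.text or "").strip() for c in mapping}
            if fields.get("url-pattern") == url:
                return fields.get("servlet-name")
    return None

def beans_by_id(spring_xml):
    """Index every <bean id="..."> of a Spring context by its id."""
    root = ET.fromstring(spring_xml)
    return {b.get("id"): b for b in root.iter() if _local(b.tag) == "bean" and b.get("id")}

def handler_for_url(beans, url):
    """Look url up among the <prop> entries of the handlerMappingC bean."""
    mapping = beans.get("handlerMappingC")
    for prop in (mapping.iter() if mapping is not None else ()):
        if _local(prop.tag) == "prop" and prop.get("key") == url:
            return (prop.text or "").strip()
    return None

def check_banner_validate_wiring(web_xml, cas_servlet_xml, views_props, url="/bannerValidate"):
    """Return a list of wiring problems; an empty list means the chain is complete."""
    problems = []
    if servlet_for_url(web_xml, url) != "cas":
        problems.append(f"web.xml: {url} is not mapped to the 'cas' servlet (step 4.1)")
    beans = beans_by_id(cas_servlet_xml)
    controller_id = handler_for_url(beans, url)
    if not controller_id:
        problems.append(f"cas-servlet.xml: handlerMappingC has no prop for {url} (step 4.4.2)")
        return problems
    controller = beans.get(controller_id)
    if controller is None:
        problems.append(f"cas-servlet.xml: bean '{controller_id}' is not defined (step 4.4.1)")
        return problems
    if not controller.get(SPRING_P + "argumentExtractor-ref"):
        problems.append(f"cas-servlet.xml: '{controller_id}' lacks p:argumentExtractor-ref")
    views = parse_properties(views_props)
    for attr in ("successView", "failureView"):
        view = controller.get(SPRING_P + attr)
        if not view:
            problems.append(f"cas-servlet.xml: '{controller_id}' lacks p:{attr}")
        elif f"{view}.(class)" not in views:
            problems.append(f"default_views.properties: no '{view}.(class)' entry (step 4.6)")
    return problems

if __name__ == "__main__":
    print(check_banner_validate_wiring(WEB_XML, CAS_SERVLET_XML, VIEWS_PROPS) or "wiring OK")
```

Pointing the three constants at the real files (after reading them from disk) turns this into a quick post-install check before the managed services of step 4.7 are defined.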
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To turn up banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set the logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to the ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the logs under $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify particular JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container, which take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit the imq.log.level setting in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
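When an event shows status 2 on GOAEQRM but never reaches the subscriber, the question is which of the three stages above the event ID last appeared in. The following added example (not part of the guide or of LMG) walks adapter.log lines, keys them by the event ID that matches the GOAEQRM Event Sequence, and lists the events that were validated but never published; the sample log is the guide's three lines plus constructed ones.

```python
"""Track each Banner event through the LMG adapter.log stages by event ID
(added example, not from the guide; the log below is the guide's sample
plus constructed lines)."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Lifecycle stages in order, keyed by the message shapes shown in the guide
STAGES = (
    ("validated", re.compile(r"^XML for (?P<id>\d+) is a valid document$")),
    ("brokered", re.compile(r"^Message (?P<id>\d+) published to (?P<target>.+)$")),
    ("published", re.compile(r"^The event (?P<id>\d+) has been published to (?P<target>\S+)$")),
)

# The guide's three lines for event 370660, plus a constructed event 370661
# that was validated but never published, and one non-log line.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,117 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
not a log line at all
"""


def parse_line(line):
    """Split one log4j line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def track_events(lines):
    """Return {event_id: {stage: timestamp, ..., 'publisher': target}} for every event seen."""
    events = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for stage, pattern in STAGES:
            m = pattern.match(rec["msg"])
            if m:
                ev = events.setdefault(m.group("id"), {})
                ev[stage] = rec["ts"]
                if stage == "published":
                    ev["publisher"] = m.group("target")
                break
    return events


def stuck_events(lines, final_stage="published"):
    """Event IDs (GOAEQRM Event Sequence values) that never reached final_stage."""
    return sorted(eid for eid, ev in track_events(lines).items() if final_stage not in ev)


if __name__ == "__main__":
    for eid, ev in track_events(SAMPLE_LOG.splitlines()).items():
        print(eid, ev)
    print("stuck:", stuck_events(SAMPLE_LOG.splitlines()))
```

Feeding it the real adapter.log (for example `track_events(open(path))`)gives, per Event Sequence, the timestamp of the last stage reached and the publisher it was handed to.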
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows.
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in the following location: <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
imq.log.level=DEBUG
3. To change the destination directory or filename for the MQ log, add or edit the following properties: imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) Log in to SQL*Plus as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS      TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                       TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompts for the Luminis ID
  d varchar2(200);                    -- OUT: Oracle user
  e varchar2(200);                    -- OUT: role
  f varchar2(200);                    -- OUT: password (not printed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# bash (not a plain POSIX sh) is required: the script uses [[ ]], read -s and (( ))
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit ;;
    esac
  done
}
# Step 0.1
# Some sanity checks before we start:
# does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d $OPENDS_DIR ) || ! ( -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit
fi

# Step 0.2
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be
# (base64-encoded LDIF value, hence the double colon):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
# The lookup names are single-quoted so that the shell does not expand "$com_sct_..." to nothing.
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the destination name matches the queue created above, not the Sync topic)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory, used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory, used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory, used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_ssl_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory, used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_ssl_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channels proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users, regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspprxy.g$_get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic, to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOMEopmnlogs or errors such as ldquoSOAPException faultCode=INVALID SOAP RESPONSErdquo in your idproxy_application logs there may be a problem with the AQ JMS queues or subscriptions or the Oracle streams upon which JMS relies To correct the problem complete the following steps
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly.
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE' (the statement as printed in that guide is missing a single quote).
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB server under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If streams are locking on archive logs, you can remove the streams by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
Appendix A CAS Server Configuration A-1
Appendix B Logs B-1
Banportals logs B-1
Banner Enterprise Identity Services logs B-2
GlassFish MQ and Luminis Platform Message Brokerage logs B-3
Learning Management Gateway (LMG) logs B-4
GlassFish MQ 4.5 logs B-5
Appendix C Sample Scripts and Files C-1
Sample proxyinfo.sql script C-1
Sample 00-core.ldif C-2
Sample 99-user.ldif C-3
Sample sso_oclass_lum5.ldif C-3
Sample o=sctsso applications.ldif C-4
Full lp5_mqinit.sh script C-5
Troubleshooting T-1
Error message when banproxy is not configured correctly T-1
Banner Enterprise Identity Services - INB SSO T-2
Validating Banner Enterprise Identity Services event streams T-3
Oracle streams/Banner Enterprise Identity Services validation T-4
1 Introduction
Today's higher education institution requires a fully integrated solution that provides automated student information system integration with its portal and web services delivery program. This guide outlines the steps necessary to configure data and presentation layer integration between the Banner Enterprise Resource Planning (ERP) systems and the Luminis Platform portal offering. Data integration refers to the transfer of user, group, term, department, course and other information from Banner through a Java Message Service (JMS) message queue and into Luminis Platform. Presentation layer integration refers to the setup and configuration necessary to enable CAS integration and single sign-on through Banner Enterprise Identity Services for the suite of Banner portlets.
The steps required to successfully complete Banner and Luminis Platform integration have been categorized into four sections. The first section relates to the Banner General, INB/SSB Middle Tier and Banner Enterprise Identity Services (BEIS) products. The second section relates specifically to the Luminis Platform. The third section outlines the items required to integrate the two. The fourth section provides suggestions on how to validate and fully test your setup. Your specific environment and setup may require variations in the sequence.
This section also contains an overview of the overall architecture for integrating Banner with Luminis Platform.
Banner product and setup prerequisites
The following is a list of Banner products you must install before you can integrate Banner and Luminis Platform:
• Banner General: Banner General implemented and configured according to the Banner General instructions.
• Internet Native Banner (INB): INB implemented and configured according to the Middle Tier Implementation Guide.
• Self-Service Banner (SSB): SSB implemented and configured according to the Middle Tier Implementation Guide.
• Channels App: Banner Channels App implemented and configured according to the Luminis-Banner and Banportals installation instructions described later in this guide.
• Banner Enterprise Identity Services (BEIS): implemented and configured according to the Banner Enterprise Identity Services Handbook.
Luminis Platform product and setup pre-requisites
Luminis Platform must be installed and operational as a stand-alone application before attempting to integrate with Banner. For information about installing and configuring the CAS server that is included with Luminis Platform, refer to the Luminis Platform 5.0 Installation Guide and the CAS customization steps documented in the Banner Enterprise Identity Services Handbook.
BEIS version 8.1.4 and above support Jasig CAS versions 3.2.1.1, 3.3.1 and 3.4.2. For future Google Apps integration, the CAS server should be configured outside the firewall, in the demilitarized zone.
Integrate Banner and Luminis Platform Broker and LMG setup
The following is a list of the final products you must install before you can integrate Banner with Luminis Platform:
• Open Message Queue 4.5: Install and configure Open Message Queue 4.5. For more information about installing this program, see “Data-Level Integration and Provisioning” on page 3-1 later in this document. You can also reference the documentation located at http://glassfish.java.net.
• Learning Management Message Gateway: Install and customize or import LMG. For more information, see “Learning Message Gateway” on page 3-1.
Test and validate the integration
Once the Banner integration setup has been completed, a Banner user must log in to the system and create a page with an embedded portlet. This page should have a URL such as http://<host>:<port>/banner-cas-client/authorized/banner/SelfService. Invoking this page brings up the Banner Self-Service screen.
Success criteria
The successful deployment and configuration of Banner Integration for Luminis Platform is best measured by the resulting ability to authenticate into Luminis Platform and Banner simultaneously, using Central Authentication Service (CAS) to accomplish single sign-on, and to access Banner data and links in the Banner portlets. In addition, the Luminis Platform system should be able to create users and course information in all appropriate content areas, such as the My Courses portlet, whenever a Banner system is updated.
Banner product dependencies
The following components are recommended when configuring the Luminis Platform Banner integration. Please refer to the Banner DC Release Interdependency Matrix for additional options.
• Luminis Platform 5.0.2
• Banner Enterprise Identity Services (BEIS) 8.1.3 or higher
• Banner General 8.4
• Banner Student 8.4.1 or 8.5
• Banner Student Self-Service 8.4.1 or 8.5
• Banner Intcomp 8.0.1
• Web Tailor 8.4 or higher
• Internet Native Banner (INB) configured per the Middle Tier Implementation Guide
• GlassFish Server Open Source Edition 3.1 or higher (this includes Open MQ)
• Banner Channels 8.2 or higher
• Central Authentication Service (CAS) 3.4.2, 3.3.1 or 3.2.1.1
Note: CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
Deployment architecture overview
The deployment model for a fully integrated Banner system, Luminis Platform portal and CAS server is illustrated below.
The next few chapters discuss the following topics:
• “Central Authentication Service and Banner Enterprise Identity Services”
• “Data-Level Integration and Provisioning”
• “SSB and INB Integration”
2 Central Authentication Service and Banner Enterprise Identity Services
Central Authentication Service (CAS) is an enterprise Single Sign-On (SSO) solution for Web applications. CAS SSO improves the user experience when running several Web applications that each have their own means of authentication. With an SSO solution, users authenticate to one central authentication service and can then access other Web applications that have a trust relationship with that central service without a secondary login. For example, if you want to access your portal instance, you are redirected to CAS to log in; CAS authenticates the user credentials and returns a ticket to the browser, which allows access to the portal.
CAS and Banner Enterprise Identity Services (BEIS) are required for single sign-on (SSO) links within Luminis Platform to work.
This chapter contains the following sections:
• “CAS server configuration for UDCIdentifier”
• “Banner CAS client configuration”
• “Banner Enterprise Identity Services Configuration Information Tables”
• “Luminis Banner Web application”
• “Prepare to Install Luminis Platform Portlets for Banner”
CAS server configuration for UDCIdentifier
This section provides information about configuring the Luminis Platform CAS server to support Banner Enterprise Identity Services (BEIS) or any other SunGard Higher Education products that are UDCIdentifier aware and participate in a CAS SSO session.
Note: CAS versions 3.2.1.1 and 3.3.1 are supported. CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
This section includes the following topics:
• “Prerequisites”
• “CAS protocol extension”
• “Specify bannerValidate parameters”
• “Returned bannerValidate responses”
• “Configure the CAS server”
• “CAS managed services”
Prerequisites
Before implementing CAS with UDCIdentifier, the following prerequisites must be met:
• The identity repository used by the CAS server must be UDCIdentifier aware.
• You must have an understanding of the CAS protocol (2.0) and architecture (3.2).
CAS protocol extension
SunGard Higher Education uses the CAS attribute assertion features to assert additional identity attributes. The SunGard Higher Education CAS protocol is implemented by adding a validation service (bannerValidate) to the CAS server.
Note: The bannerValidate service is similar to the serviceValidate feature available in the JA-SIG CAS server reference implementation.
Upon successful CAS authentication, the CAS client validation filter calls the bannerValidate service to get information for the enterprise user. The service checks the validity of a service ticket and returns a UDCIdentity XML fragment response.
Note: The bannerValidate service does not generate and issue proxy-granting tickets when requested. The bannerValidate service must not return a successful authentication if it receives a proxy ticket.
Specify bannerValidate parameters
The following HTTP request parameters must be specified to the bannerValidate service. These parameters are case sensitive and are handled by bannerValidate.
Parameter: BANNER-SV
Description: Identifier of the service for which the CAS ticket was issued. Refer to section 2.2 of the JA-SIG CAS protocol overview for information pertaining to the login.
Parameter: BANNER-ST
Description: Service ticket issued by the CAS login service when a client presents credentials. A service ticket is an opaque string that the client uses as a credential to obtain access to a service.
Returned bannerValidate responses
The bannerValidate service returns one of the following three responses:
• If the ticket validation is successful, the following XML-formatted response is returned:
<urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>maldevl5.sct.com/cas-client-3.1/authorized/banner/SelfService</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>
• If the UDC_IDENTIFIER is not asserted as part of the validation response, an AssertionValidation error is returned.
• If the ticket validation fails, an HTTP 401 error code is returned.
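The three outcomes above, handled on the client side, as an added example (not code from the guide or from BEIS). The URN namespace string is taken from the response fragment as reconstructed here, the sample bodies are constructed, and the BANNER-SV comparison against the requested service is an extra defensive check that a CAS client normally performs but that this page does not spell out.

```python
"""Client-side handling of the three bannerValidate outcomes (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional

# Namespace of the UDCIdentity fragment as shown on this page (assumption:
# the exact URN spelling is reconstructed from the extracted text).
UDC_NS = "urn:sungardhe:enterprise:domain:identity:1.0"
NS = {"urn": UDC_NS}


@dataclass
class ValidationResult:
    ok: bool
    udc_identifier: Optional[str] = None
    logon_id: Optional[str] = None
    service: Optional[str] = None
    error: Optional[str] = None


def is_service_ticket(ticket: str) -> bool:
    """CAS service tickets carry the ST- prefix; proxy tickets (PT-) must not be
    accepted by bannerValidate, so a client should refuse to send one at all."""
    return ticket.startswith("ST-")


def handle_banner_validate(status: int, body: str, expected_service: str) -> ValidationResult:
    """Map an HTTP status and body from bannerValidate to a ValidationResult.

    401                      -> ticket validation failed
    200, no UDCIdentifier    -> AssertionValidation error
    200, complete fragment   -> success (after checking BANNER-SV)
    """
    if status == 401:
        return ValidationResult(False, error="ticket validation failed (HTTP 401)")
    if status != 200:
        return ValidationResult(False, error=f"unexpected HTTP status {status}")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return ValidationResult(False, error=f"malformed response: {exc}")
    if root.tag != f"{{{UDC_NS}}}UDCIdentity":
        return ValidationResult(False, error=f"unexpected root element {root.tag}")

    udc = (root.findtext("urn:UDCIdentifier", namespaces=NS) or "").strip()
    if not udc:
        return ValidationResult(False, error="AssertionValidation: UDC_IDENTIFIER not asserted")
    logon_id = (root.findtext("urn:LogonID", namespaces=NS) or "").strip() or None

    # Collect the name/value pairs carried in the Extension block.
    attrs: Dict[str, str] = {}
    for attr in root.iterfind(".//urn:Attribute", namespaces=NS):
        name = (attr.findtext("urn:name", namespaces=NS) or "").strip()
        value = (attr.findtext("urn:value", namespaces=NS) or "").strip()
        if name:
            attrs[name] = value

    # Defensive check: the asserted service must be the one this client asked for.
    service = attrs.get("BANNER-SV")
    if service != expected_service:
        return ValidationResult(False, error="BANNER-SV does not match the requested service")
    return ValidationResult(True, udc_identifier=udc, logon_id=logon_id, service=service)


# Constructed sample responses, built from the fragment shown on this page.
SERVICE = "maldevl5.sct.com/cas-client-3.1/authorized/banner/SelfService"
SUCCESS_BODY = f"""<urn:UDCIdentity xmlns:urn="{UDC_NS}">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>{SERVICE}</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>"""
# Same fragment with the identifier removed (constructed AssertionValidation case).
NO_UDC_BODY = SUCCESS_BODY.replace("3C9CBAC307313872E0440003BA1015A4", "")

if __name__ == "__main__":
    print(handle_banner_validate(200, SUCCESS_BODY, SERVICE))
    print(handle_banner_validate(200, NO_UDC_BODY, SERVICE))
    print(handle_banner_validate(401, "", SERVICE))
```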
The CAS server asserts the following attributes:
Attribute: UDC_IDENTIFIER
Location in response: UDCIdentity/UDCIdentifier
Attribute: CAS Net ID
Location in response: UDCIdentity/LogonID
Configure the CAS server
The Luminis Platform CAS server must be configured to extend the basic CAS services to support the bannerValidate service. This service is configured to retrieve UDC_IDENTIFIER data from your LDAP directory.
If the Luminis Platform CAS server was installed using the Luminis Installer, support for the bannerValidate service has been automatically configured. If you are using an externally managed CAS server, as described in the Luminis Platform Installation Guide, then you must manually configure the CAS server to support the bannerValidate service by following the steps outlined in the “Configure the CAS Server” appendix.
CAS managed services
The following are the primary CAS managed services. Some or all of these services may already exist in your CAS managed services page after the initial installation of Luminis. The CAS managed services page is found at the following location:
https://<casservername>:<port>/cas-web/services/manage.html
• A typical Luminis CAS installation requires at least the following CAS-managed service:
https://<casservername>:<https port>/cas-web/services
For this service, select the uid attribute and check the Enabled, Allowed to Proxy and SSO Participant check boxes.
• The Admin server login URL displays as follows:
https://<luminisservername>:<https port>/c/portal/login
A separate /c/portal/login service URL needs to be defined for each Luminis Platform hostname (such as the Admin and Portal tiers), or for the virtual hostname if that is the URL being used by end users to access the service. This service does not require any attributes. Recommended Status check boxes are Enabled, Allowed to Proxy and SSO Participant.
• The Admin server banner-cas-client URL displays as follows:
https://<adminservername>:<https port>/banner-cas-client/authorized/banner
A separate banner-cas-client/authorized/banner service URL needs to be defined for each Luminis Platform instance (Admin and Portal tiers, or the virtual hostname if end users are using that URL to access the service in question). Mark the Enabled and SSO Participant check boxes and select the UDC_IDENTIFIER attribute.
Note: UDC_IDENTIFIER does not display in the attribute list until the CAS customizations detailed in the “Configuring CAS server to enable bannerValidate” section take effect. A restart of the CAS server is required.
If necessary, edit the CAS managed services that the CAS server protects.
Use the following steps to define new CAS managed services, if required:
1. Launch a browser and navigate to the CAS server management page. The CAS server management page URL is https://<CAS server>:<port>/cas-web/services/manage.html.
2. Supply a valid administrator user name and password obtained from the CAS administrator. The Services Management page is displayed.
3. Click the Add New Service tab in the left corner of the page.
4. Add a new service by entering the fields as exemplified in the table below.
5. Click Save Changes. The CAS server now protects the service that you defined.
Parameter: Name
Value: CAS services
Parameter: Service URL
Value: https://<cas-server>:<port>/cas-web/services
Parameter: Description
Value: Protect cas services
Parameter: Theme Name
Value: Cas
Parameter: Status
Value: Select Enabled and SSO Participant
Parameter: Attributes
Value: The service attributes
Banner CAS client configuration
Once the CAS server is configured to support Banner Enterprise Identity Services, you can configure Internet-Native Banner and Banner Self-Service to participate in a CAS Single Sign-On (SSO) session. This is accomplished by deploying the Banner CAS Client Web application in the Admin server and the Portal server. This application proxies the CAS authentication process to the Banner SSO proxy Web applications that support Internet-Native Banner and Banner Self-Service. The application is only required in a CAS-based environment.
Use the following steps to install and configure the Banner CAS Client Web application:
1. After you deploy the banner-cas-client version supplied with Banner Enterprise Identity Services for the Luminis Platform Admin and Portal instances, modify the following parameters in the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file.
banner.sso.gateway
  URL to the Banner SSO Web Proxy, which is part of the Banner Identity Gateway deployment.
cas.server.gateway
  Property that determines whether the login screen is displayed to the user. The default is set to false.
cas.server.renew
  Property that determines whether users must log in to each application. If set to true, users must log in to each application regardless of whether an SSO session was established; use this setting when users should be required to provide credentials again for each application within the SSO realm. If set to false, users do not need to log in to each application once an SSO session has been established; use this setting for general use.
cas.server.url
  URL to the CAS server. Generally this is a secured container, meaning the URL should begin with https.
cas.server.proxyCallbackUrl
  Server proxy callback URL, which should point to the CAS server and port.
cas.client.serverName
  Client server address, which consists of the fully qualified server name and port where the application is running. Note: This should include the SSL port number.
cas.client.proxyCallbackUrl
  Client proxy callback URL, which should point to the server and port where the client application is running. Note: This should include the SSL port number.
For example, the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file may appear as follows:
• Admin:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
• Portal:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com:443
• The following three properties are not in use:
cas.server.gateway=false
cas.server.proxyCallbackUrl
cas.client.proxyCallbackUrl
2. Test the Web application by invoking the following URL, which should be accessible from all resource and Portal tiers:
https://<Luminis host>:<SSL PORT>/banner-cas-client
The following URLs are used to start Banner in a CAS Single Sign-On environment:
• Internet-Native Banner: http://<host>:<port>/banner-cas-client/authorized/banner/OracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/banner/SelfService
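A pre-flight check for the two cas-client.properties files described in this step, as an added example (not code from the guide or from BEIS). It assumes the property names as reconstructed on this page, that cas.server.url must be https and cas.client.serverName must carry the SSL port as the table states, and that the Admin and Portal tiers share the same CAS server, SSO gateway and renew setting as in the example above; the two property texts are constructed copies of that example, one with deliberate defects.

```python
"""Consistency checks for banner-cas-client cas-client.properties (added example)."""
from typing import Dict, List
from urllib.parse import urlparse

REQUIRED = ("banner.sso.gateway", "cas.server.url", "cas.client.serverName", "cas.server.renew")
# Settings both tiers must agree on (assumption drawn from the page's example).
SHARED = ("cas.server.url", "banner.sso.gateway", "cas.server.renew")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_tier(props: Dict[str, str], tier: str) -> List[str]:
    """Checks one tier's file against the rules given in the property table."""
    problems: List[str] = []
    for key in REQUIRED:
        if not props.get(key):
            problems.append(f"{tier}: missing {key}")
    url = props.get("cas.server.url", "")
    if url and urlparse(url).scheme != "https":
        problems.append(f"{tier}: cas.server.url must use https, got {url}")
    server = props.get("cas.client.serverName", "")
    host, _, port = server.rpartition(":")
    if server and not (host and port.isdigit()):
        problems.append(f"{tier}: cas.client.serverName must be host:sslport, got {server}")
    renew = props.get("cas.server.renew", "")
    if renew and renew.lower() not in ("true", "false"):
        problems.append(f"{tier}: cas.server.renew must be true or false, got {renew}")
    return problems


def check_pair(admin: Dict[str, str], portal: Dict[str, str]) -> List[str]:
    """Per-tier checks plus the cross-tier agreement the page's example shows."""
    problems = check_tier(admin, "admin") + check_tier(portal, "portal")
    for key in SHARED:
        if admin.get(key) != portal.get(key):
            problems.append(f"admin/portal disagree on {key}")
    return problems


# Constructed copies of the page's Admin and Portal examples.
ADMIN_PROPS = """
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
"""
PORTAL_GOOD = ADMIN_PROPS.replace("slcsup37.sct.com:443", "slcsup38.sct.com:443")
# Constructed Portal file with two defects: plain http to CAS, serverName without port.
PORTAL_BAD = """
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=http://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com
"""


def run_checks(admin_text: str, portal_text: str) -> List[str]:
    return check_pair(parse_properties(admin_text), parse_properties(portal_text))


if __name__ == "__main__":
    for problem in run_checks(ADMIN_PROPS, PORTAL_BAD):
        print(problem)
```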
Banner Enterprise Identity Services Configuration Information Tables
The following is a list of tables that store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.
For Identity Data Export Utilities, as with other Web apps, the configuration is stored in a properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory, the files are stored in the following location:
applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties
Schema: BNIXMGR, Table: APCONFG, Application: Banner Identity Gateway
Comments: Stores Application Configuration for SSB and INB.
Schema: BNIXMGR, Table: WSCONFG, Application: Banner Identity Gateway
Comments: Stores Configuration for the Open Digital Campus Identity Web Service for the Credential service and Ticketing service.
Schema: IDENTMGR, Table: T_UDC_PST_LIST, Application: Enterprise Identity Proxy Services
Comments: Stores a list of Provisioning Service Targets.
Luminis Banner Web application
This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.
Use the following steps to deploy these portlets:
1. Make the necessary changes to certain properties located in the following folders:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
$CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes
2. The properties that need to be modified with respect to the Banner portlets are as follows:
# The URL to access the Banner Portal Servlet
# Example: http://slcban3.sungardhe.com:7778/banportals
providerServlet.url=<URL for the banportals application>
# The user name to secure the servlet
providerServlet.userName=channelAdmin
# The password to secure the servlet
providerServlet.password=u_pick_it
version=development
# The SSB URL for the English locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
# The SSB URL for the French locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
# The SSB URL for the Spanish (Mexican) locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
# The SSB URL for the Arabic locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
# The SSB URL for the Brazilian locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
# The BEIS version: 8.1.4 for versions that are <= 8.1.4; otherwise the version needs to be set to 8.1.5
beis.version=8.1.4
# The banner-cas-client URL for SSB, used when BEIS <= 8.1.4 is in place
banner.cas.client.ssb=banner-cas-client/authorized/banner/SelfService
# The banner-cas-client URL for INB, used when BEIS <= 8.1.4 is in place
banner.cas.client.inb=banner-cas-client/authorized/banner/OracleForms?launch_form=
# The SSB URL for SSO Manager, used when BEIS 8.1.5 is in place (the pkg parameter has to be the same as configured in SSO Manager)
beis.ssomanager.ssb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/SSB?pkg=
# The INB URL for SSO Manager, used when BEIS 8.1.5 is in place
beis.ssomanager.inb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner
The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) Application server.
This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server, and modifications to be made to the deployment of the Luminis Platform portlet for Banner Server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.
For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki at the following location:
http://www.edu1world.org/CommonsLuminis
This section includes the following topics:
• “Create the home directory for Luminis Channels for Banner”
• “Edit the configuration file”
• “Banner database connection configuration properties”
• “Generate the banportals.ear file”
• “Deploy the EAR file”
• “Banner portlet life cycle”
Create the home directory for Luminis Channels for Banner
To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels
Copy the contents of the channel/admin subdirectory of your Banner production directory to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.
Edit the configuration file
Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following table gives descriptions and examples of the Banner database connection configuration properties.
Property: connectionName.list
Description: Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName and so on.
Example: connectionName.list=default or connectionName.list=default,other
Property: default.tnsName
Description: TNS name used when connecting to the Banner database.
Example: default.tnsName=LB70.sct.com
Property: default.userName
Description: Connection pool user name.
Example: default.userName=banproxy
Property: default.password
Description: Connection pool password.
Example: default.password=banproxy
Property: default.poolConfig.min-limit
Description: Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
Example: default.poolConfig.min-limit=1
Property: default.poolConfig.max-limit
Description: Maximum number of physical connections maintained by the pool.
Example: default.poolConfig.max-limit=5
Property: default.poolConfig.increment
Description: Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
Example: default.poolConfig.increment=1
Property: default.poolConfig.timeout
Description: The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is in seconds.
Example: default.poolConfig.timeout=30
Property: log4j.rootCategory
Description: The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/logs/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.
Example: log4j.rootCategory=INFO, stdout
Property: providerServlet.url
Description: URL to access the Banner portal servlet. This is the URL of the webserver and points to the OC4J servlet, which resides on the webserver machine. The port of 4445 in the document is an example; you provide the port number that routes you to the welcome page of the webserver, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. See “Generate the banportals.ear file” on page 2-14 for the banportals portion of the URL.
Property: providerServlet.userName
Description: User name to secure the servlet.
Example: providerServlet.userName=channelAdmin
Property: providerServlet.password
Description: Password used to secure the servlet.
Example: providerServlet.password=u_pick_it
The recommended value for the username is channelAdmin. You can use any value for the password.
This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a Channel request, it compares the username and password stored in banportals.ear with the username and password sent by Luminis from the luminis-banner webapp. Thus the providerServlet username and password need only be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user, and so forth.
Generate the banportals.ear file
The banportals.config file contains values that should be inserted into the banportals.ear file.
To roll out the changes, use the installer file banportalsadmin.jar. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in “Luminis Banner Web application” on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager as described in “Deploy the EAR file” on page 2-15.
Two further banportals.config properties from the same table:

xsl-parameter.erpUrlBase
  Description: URL for the INB server. Note: if you want Banner forms to load in a separate window, remove %2526separateFrame%3Dfalse from the URL below. The value is URL-encoded twice: %3F and %3D stand for ? and =, and %2526 decodes to %26 and then to &.
  Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D

xsl-parameter.urlHostAndPath
  Description: URL for the self-service application
  Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD
Deploy the EAR file

SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file. To do so, complete the following steps:

1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals. It is recommended that you create a new OC4J instance for each channel servlet instance, using the naming convention <SID>_banportals, where <SID> is the service identifier for your Banner instance.

2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).

3. You may be shown an introduction. After you read it, click Next.

4. Browse for the banportals.ear file that was updated in the CHANNEL_HOME directory and select it for deployment. This step takes the EAR file from the CHANNEL_HOME directory and uploads it to the OAS 10g server, so the file must be reachable from the machine on which you are running the Enterprise Manager browser. When selecting the application, choose J2EE Application and give the local file-system location of the EAR file. If the file is not reachable from the browser machine through mapped drives or symbolic links, copy it to the local machine first (the guide suggests FTP; an encrypted transfer such as SCP or SFTP is preferable) and then select it locally.

5. Choose a name to identify the application within the OC4J instance. The name must be unique within the OC4J instance and should typically identify the application being deployed. The suggested name is <SID>_banportals.

6. Click Next.

7. Map the URL for the web modules. If the desired web root URL is not banportals, change the value at this step of the Oracle Enterprise Manager deployment wizard.

8. Click Finish to go to the final summary step.

9. When the summary is displayed, click Deploy to deploy the EAR file.

10. Return to the Oracle Enterprise Manager home page and confirm that the newly created OC4J instance is started.
11. On each Luminis server, make sure that $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/banportals.properties has been customized to match the configuration deployed above in banportals.ear.
Banner portlet life cycle

Content is surfaced in the portal by a portlet calling into Banner as follows:

• The user authenticates to the portal.
• The user places a Banner portlet on a portal page.
• During portlet rendering, the portlet class calls out to Banner.
• Banner generates the XML content in response to the request.
• The XML content is returned to the portlet class and transformed using the preloaded XSLT style sheet.
• The resulting XHTML is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.

Channel authentication depends on a correct GSASECR configuration, including the BANPROXY configuration and appropriate user name mappings for existing INB users. The LDAP user-mapping option adds significant weight to this process and generates additional LDAP traffic. To improve performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner as follows:

USERMAP_OPT = N

The value N means that the usermap option is not used. If USERMAP_OPT is anything other than N, the Banner Middle Tier single sign-on process first looks for an LDAP user name mapping, based on the GUAUPRF LDAP settings, and then falls back to the mapping in the Banner GOBEACC table. For more information on the SSB and INB configuration, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning

Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and the event-driven infrastructure.

This chapter discusses the following sections:

• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"

Learning Message Gateway

The Learning Management Gateway (LMG) is an architectural component designed for, and supporting, Banner Integration for eLearning.

This section explains the following topics:

• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"

Background from a Luminis Platform 4 perspective

Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring Framework application server context, which contains native JMS client connectivity by default. In addition, the JMS provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is GlassFish Server Open Source Edition 3.1, which includes MQ 4.5.
GlassFish MQ 4.5 is the current generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish Open MQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated; however, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, and the .../imq/instances/imqbroker directory structure, including props/config.properties and etc/accesscontrol.properties.

You may continue to use the older LMB 4.0. Luminis Platform does not depend on a specific JMS provider, but SunGard Higher Education recommends the newer technology provided with the GlassFish enterprise server, which is more actively supported by the Open MQ community. In this document it is assumed that eLearning integration for Luminis 5 and Banner uses GlassFish Enterprise Server 3.x with MQ 4.4.x.

The LMG installation remains virtually the same as it was for LMG 4.0: create $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.

The differences required for Luminis Platform 5 integration concern the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the steps that follow:

lp5_mqinit.sh
Install LMG 4.0

Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.

To install LMG 4.0, complete the following steps:

1. Create an install directory where the Learning Management Gateway will reside and to which the SCT_LMG_HOME environment variable will point. For example:

mkdir /export/home/cpadmin/SCTERPGateway

2. Add the following to the .bash_profile of your LUMADMIN user (the path must match the directory created in step 1):

SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
export SCT_LMG_HOME
3. Copy lmg40.jar into your SCTERPGateway installation directory. The JAR file can be obtained from the Downloads section of the Customer Support Center.

4. Run the following command:

java -jar lmgX.x.jar -erp plus|banner -lmbhost <lmbserver> -dburl <dbserver>:<port>:<instance> -dbpw <mydbpasswd> -jmspw <myjmspasswd> -ldi true|false -notification true|false

For example:

java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true

Note: For more information on the command attributes, refer to the Banner Learning Message Gateway Installation Guide. The database and JMS passwords are passed on the command line, so they are visible in the process list while the installer runs and may be recorded in the shell history; clear the history entry afterwards.
Set up users and administered objects in o=messaging

A Bourne shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server runs on the same host as the GlassFish installation. The script binds as cn=Directory Manager and modifies the <opends>/db and <opends>/config directories, so back up OpenDS before executing it.

The full script is listed in "Full lp5_mqinit.sh script" on page C-5.

To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:

www.edu1world.org/CommonsLuminis

The lp5_mqinit.sh script creates users and administered objects, such as topics, queues, and connection factories, in $OPENDS_MQ_BASEDN (generally o=messaging). Its properties include the following:

• Environmental settings:

HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq

• MQ_LMG settings, which must match the credentials defined for LMG in event_providers.plist:

MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM settings, which must match the credentials in the tomcat-admin bootstrap.properties file for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:

MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password

The _PW values shown are placeholders; set real passwords, and keep each one identical in the script and in the corresponding LMG or Luminis configuration file.

• MQ_JMS_PORT must match imq.jms.tcp.port, and MQ_SSLJMS_PORT must match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use imq.portmapper.port, which has a default value of 7676:

MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676

Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, revisit the administered-object configuration in o=messaging and update these values in the connection factory definitions as well.

• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080; SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache). MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181:

MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. The script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.

• Other settings, which should only be modified in non-standard configurations:

OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389

Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ

Update <glassfishdomain>/imq/instances/imqbroker/props/config.properties to include the following properties:

imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>

The <user> and <password> values should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search, and compare privileges in o=messaging. The password is stored in clear text in config.properties, so restrict the file's permissions to the account that runs the broker. Note also that this configuration binds to the directory over the non-SSL port 389 on localhost; keep the broker and the directory on the same host, as the script assumes, unless the connection is secured with SSL.

To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:

imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR

Change imq.log.level to INFO for low-level debug logging.

Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access, which shows whether bind attempts succeed.

Set up GlassFish MQ access control

Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues, set queue- and topic-specific permissions in the MQ access control. In this example lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis:

connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser

The first line grants ADMIN connections to both application users; if only one account needs to administer the broker, list only that account. A misspelled user name in any rule (for example lumser instead of lumuser) silently withholds the permission from the intended user, so review the names carefully.
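As an added example (not from the Ellucian guide or Open MQ), the following Python audits an accesscontrol.properties of the shape shown above: it builds a per-user permission matrix, reports which users may open ADMIN connections, and flags wildcard grants and principals that are not among the accounts you created. The sample ACL is constructed from the rules above and deliberately keeps a misspelled user name (lumser) so the audit has something to find.

```python
"""Audit an Open MQ accesscontrol.properties for unknown principals and over-broad grants.

Added example (not from the Ellucian guide or Open MQ). The sample ACL is
constructed from the rules in the guide and deliberately keeps a misspelled
user name so the audit has something to report.
"""
from collections import defaultdict

SAMPLE_ACL = """\
version=AccessControlList/100
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""

KNOWN_USERS = {"lumuser", "lmguser"}   # MQ_LUM_USER and MQ_LMG_USER


def parse_acl(text):
    """Parse rules of the form
        connection.<ADMIN|NORMAL>.<allow|deny>.<user|group>=p1,p2
        <queue|topic>.<name>.<produce|consume|browse>.<allow|deny>.<user|group>=p1,p2
    into tuples (resource, name, operation, decision, kind, principals).
    Destination names in this deployment use underscores, so splitting on '.' is safe.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        tokens = key.strip().split(".")
        if len(tokens) < 4 or tokens[-2] not in ("allow", "deny") or tokens[-1] not in ("user", "group"):
            continue                      # e.g. the version line
        resource = tokens[0]
        if resource == "connection":
            name, op = None, tokens[1]
        else:
            name, op = ".".join(tokens[1:-3]), tokens[-3]
        principals = [p.strip() for p in value.split(",") if p.strip()]
        rules.append((resource, name, op, tokens[-2], tokens[-1], principals))
    return rules


def audit_acl(text, known_users):
    """Return (matrix, admins, findings).

    matrix  : user -> set of "resource:name:operation" labels it may perform
    admins  : users allowed to open ADMIN connections
    findings: human-readable problems (unknown user, wildcard grant)
    """
    matrix = defaultdict(set)
    findings = []
    for resource, name, op, decision, kind, principals in parse_acl(text):
        if kind != "user" or decision != "allow":
            continue                      # group and deny rules are out of scope here
        label = f"{resource}:{name}:{op}" if name else f"connection:{op}"
        for user in principals:
            if user == "*":
                findings.append(f"wildcard grant on {label}")
            elif user not in known_users:
                findings.append(f"unknown user '{user}' granted {label}")
            else:
                matrix[user].add(label)
    admins = sorted(u for u, perms in matrix.items() if "connection:ADMIN" in perms)
    return dict(matrix), admins, findings
```

Point it at the live <imq>/instances/imqbroker/etc/accesscontrol.properties after each edit; the matrix also makes it easy to confirm that lumuser only consumes and lmguser only produces on the queues, as the rules above intend.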
Custom JMS Clients

Ensure that your JMS clients have the same versions of jms.jar and imq.jar in their classpath as any other connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform

The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ, or Update Center, see http://java.net/jira/secure/IssueNavigator.jspa.

In most cases installation is simply extracting the archive to the desired directory. As a reference installation, use the following steps to install GlassFish Open Source Edition on a Linux 4.x or 5.x server:

1. Download and install JDK 1.6.x. Downloads and documentation are available at:

http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at:

http://glassfish.java.net

For documentation on subsequent GlassFish Server 3.x Open Source Edition releases later than 3.1, refer to the same link.

Use the following steps to configure GlassFish and MQ:

2.1 Before running asadmin, for both non-SSL and SSL setups, edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.

2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), and while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin with asadmin. For production, run the domain under a dedicated unprivileged account once it is installed.

3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.

Note: The imqusermgr command creates users in the file-based user repository and can be skipped if you are using an LDAP- or JAAS-based user repository for MQ. The default credentials for imqcmd are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or configured MQ to use an LDAP- or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details or contact the Luminis Integration ActionLine for additional help. Change the default admin password before the broker is reachable from the network.

3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:

imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker

3.2 In <GLASSFISH_HOME>/mq/bin, update the admin password if desired:

imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments: the initial connection to the MQ is made on port 7676, and the MQ then advertises the ports to use for the other services, as illustrated below.
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.

Note that the port mapper answers any client that can reach port 7676, without authentication, and discloses the broker's file-system paths and JMX URL; restrict the port to the hosts that need it.

If ephemeral ports are not permitted through the firewall, or if you otherwise prefer static ports, both the firewall and the MQ must be configured for static ports. Configure the MQ by adding the following lines to the bottom of <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:

imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the MQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the host name (after renaming the broker host in step 5.3), to confirm that the new static ports are in use:

[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.

The admin and jms services now report the static ports 7574 and 7575. The cluster service still uses an ephemeral port because no static port was configured for it; this matters only if brokers are clustered across a firewall.
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.

If Luminis Platform was installed with the default setting of jmsenabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.

Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.

For example, the settings may appear as follows:

com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
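The telnet transcripts above are the only check the guide offers that the static ports took effect. As an added example (not from the Ellucian guide or Open MQ), the following Python fetches and parses the port mapper reply in the format shown, compares the advertised admin and jms ports with what config.properties asked for, and lists any service still on a dynamic port so the firewall rules can be completed. SAMPLE_REPLY is a constructed copy of the second listing with the host replaced by mq.example.edu; fetch_portmapper() is for use against a real broker.

```python
"""Parse an Open MQ port mapper reply and confirm static ports are in effect.

Added example, not from the Ellucian guide or Open MQ. SAMPLE_REPLY is a
constructed copy of the telnet listing in the guide (host name replaced);
the host passed to fetch_portmapper() is whatever broker you point it at.
"""
import socket

SAMPLE_REPLY = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://mq.example.edu/jndi/rmi://mq.example.edu:8686/mq.example.edu/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""

# Static ports configured in config.properties (imq.admin.tcp.port, imq.jms.tcp.port).
EXPECTED_STATIC = {"admin": 7574, "jms": 7575}


def fetch_portmapper(host, port=7676, timeout=5.0):
    """Open a TCP connection to the port mapper and read until the broker closes it.

    No authentication is involved: anything that can reach the port gets this table.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


def parse_portmapper(text):
    """Return {service: (protocol, service_type, port)} from a reply."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("101 "):
        raise ValueError(f"unexpected port mapper banner: {lines[:1]!r}")
    services = {}
    for line in lines[1:]:
        fields = line.split(None, 4)          # name proto type port [extra]
        if len(fields) < 4:
            continue
        name, proto, svc_type, port = fields[:4]
        services[name] = (proto, svc_type, int(port))
    return services


def check_static_ports(services, expected):
    """List services missing or not on the port config.properties asked for."""
    problems = []
    for name, port in expected.items():
        if name not in services:
            problems.append(f"{name}: service not advertised")
        elif services[name][2] != port:
            problems.append(f"{name}: advertised {services[name][2]}, expected {port}")
    return problems


def ephemeral_services(services, expected):
    """Services that still listen on a dynamic port (relevant for firewall rules)."""
    return sorted(
        name for name, (_, _, port) in services.items()
        if port != 0 and name != "portmapper" and name not in expected
    )
```

For a live check call check_static_ports(parse_portmapper(fetch_portmapper("your-broker-fqdn")), EXPECTED_STATIC) after the restart; an empty list means the broker is advertising exactly the ports you opened on the firewall.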
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfishdomain>/imq/instances/imqbroker/props/config.properties.

5.1 To query the broker, run the following commands:

cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>

5.2 To ensure the JMS service is active, run:

imqcmd query svc -b <localhost> -n jms

5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN. To do so, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host attribute matches your FQDN, as in the following example:

<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>

After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN in any imqcmd commands.
4 SSB and INB Integration

This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB):

• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"

User ID mappings

User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is held in the GOBUMAP table; PIDM <-> SPRIDEN ID mappings are in the SPRIDEN table; PIDM <-> INB (Oracle) login mappings are in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.

The LDAP authentication layer is not needed beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely on the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back through the portlets. No additional LDAP authentication or SPRIDEN ID lookup against LDAP is involved in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, trust the initial CAS ticket, as in the Luminis CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.

Luminis Portlets for Banner add database-level security through Banportals for each transaction, using either the user's actual INB/Oracle user account or a proxy via BANPROXY.

Other questions to consider when setting up a user in Banner applications are:

• Does the user have a GOBUMAP entry mapping his UDC ID to a valid PIDM, and is a UDCID defined in the user's Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured, via your CAS server's services management page (cas-web/services/manage.html), to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?

Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001, installed; otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations; the domain name sct.com is not necessarily sungardhe.com.

Create the o=SCTSSOapplications base DN

To create the optional base DN o=SCTSSOapplications, you can use the OpenDS control panel. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the BASELINE user in GUAUPRF.

For more information about managing base DNs with the control panel, see:

https://www.opends.org/wiki/page/ManagingDnsWithControlpanel

To create the base DN, complete the following steps:

1. Run dsconfig from $CP_ROOT/products/opends/bin as follows:

dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced

1.1 Select userRoot.

1.2 Select base-dn.
1.3 Select Add one or more values.

1.4 Enter the DN, for example o=SCTSSOapplications.

1.5 Press Enter to continue.

1.6 Enter Use these values.

1.7 Press F to finish and apply the changes to the Local DB Backend.

2. Import the sso_oclass_lum5.ldif file as follows:

ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif

For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, "Sample Scripts and Files".

3. Import the sctssoapplications.ldif file:

import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline

The -w option places the Directory Manager password on the command line, where it is visible in the process list and shell history; prefer a password file or the tool's interactive prompt, and in any case do not keep the documented value pipeline.

Verify usermap mapping setup for INB users using the proxyinfo.sql script

The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you for a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.

Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for users with no explicit usermap, the default Oracle ID (usually banproxy) results.

If you are using INB, this script must respond with your INB user name. You must also be granted the proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups

For the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies on a proper encryption-key configuration.

The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for INB channels such as the My Banner channel, the GOBEACC mapping does not apply; instead, a separate usermap (usually maintained on the Luminis LDAP server) must be created to associate the Luminis logon ID with an Oracle/INB login name.

Create an encryption key

When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server that hosts the user mappings. The Directory Manager password used for this bind is stored in GUAUPRF, encrypted with DES through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This kind of encryption uses a key (a password) to perform the encryption. Single DES is a weak cipher by current standards, and anyone who can read both the enckey file and the GUAUPRF value can recover the Directory Manager password, so protect the key file at least as carefully as the directory's own credentials.

Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.

If KEY_DIR does not exist in DBA_DIRECTORIES and the physical directory has not been created on your database server, create it using the following steps. Make sure the group permissions allow Oracle to read the directory.

1. Create the physical directory on your database server, for example:

mkdir $BANNER_HOME/key_dir

2. Create a plain text file named enckey in the directory.

3. Edit the enckey file and enter the key, such as PASSWORD.

Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package uses only the first 24 characters. DES itself uses only eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption. (The example PASSWORD does not itself satisfy the letters-and-numbers rule; choose a key that does.)

The passwords stored and passed by the SSO process are encrypted using DES and your key.

4. Edit the banssodir.sql script in the $BANNER_HOME/install directory and change the directory name to match the directory you created in step 1, for example $BANNER_HOME/KEY_DIR.

Note: If you cannot find the banssodir.sql script, copy it from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.

5. Run the script as follows:

sqlplus /nolog
connect general/general_password
start banssodir
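As an added example (not from the Ellucian guide), the following Python applies the enckey rules stated above to the raw contents of the file and shows which characters DES actually consumes: a 16- or 24-character key is padded and truncated as described, but only the first eight characters protect the stored Directory Manager password today. The padding character used by GOKKSSO is not documented here; spaces are assumed purely for illustration.

```python
"""Validate an enckey file against the rules above and show what DES actually uses.

Added example, not from the Ellucian guide. The padding character used by
GOKKSSO is not documented here; spaces are assumed for illustration only.
"""


def validate_enckey(contents):
    """Return a list of rule violations for the raw text of an enckey file."""
    first_line = contents.split("\n", 1)[0].rstrip("\r")
    problems = []
    if first_line != first_line.lstrip():
        problems.append("key must start in column 1")
    key = first_line.strip()
    if len(key) < 8:
        problems.append("at least eight characters required")
    elif len(key) % 8:
        problems.append("length must be a multiple of eight")
    if not (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)):
        problems.append("use a combination of letters and numbers")
    if not key.isalnum():
        problems.append("only letters and digits are expected")
    if len(key) > 24:
        problems.append("only the first 24 characters are used")
    return problems


def effective_keys(key):
    """(bytes used by DES today, bytes a future DES3 would use) after padding to 24."""
    padded = key[:24].ljust(24)      # assumption: space padding, see lead-in
    return padded[:8], padded
```

Running validate_enckey() over the file before step 5 catches the two mistakes the rules are most often broken by: a leading space (the key would then not start in column 1) and a length that is not a multiple of eight.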
Create entries in LDAP for usermap

If LDAP user mappings are enabled (as optionally configured by the BASELINE user in GUAUPRF), you must add the configuration entries to your LDAP directory. The default DN path is:

o=config,o=Banner,o=SCTSSOapplications

UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of object class SCTSSOConfig, and the Common Name (CN) of the entry should be the LDAP user name. The SCTSSOConfigString attribute of the entry should be set to the user's ID in the Banner database. If a user's IDs are the same in both systems, an entry in this location is neither necessary nor recommended for that user.

For users to use SSO to INB through Luminis Platform with LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:

• The same value:
  Luminis ID = jsmith
  Oracle/Banner ID = jsmith

• Mapped to one another in LDAP:
  Luminis ID = JoeSmith
  Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Giving the Directory Manager password with -w puts it in the process list and your shell history; prefer -j <password-file>, which the OpenDS tools also accept.
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping is read again.
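The following shell functions are an added example, not code from the guide or from Luminis: they generate the usermap LDIF for any number of Luminis/Banner pairs, skip pairs whose IDs already match (the guide says those users should have no entry), and refuse IDs containing DN-special characters instead of emitting a DN that ldapmodify would reject or misparse. The description attribute is always written because the SCTSSOConfig object class defined in Appendix C lists it as MUST. The "luminis_id banner_id" list format is this example's own.

```shell
# usermap_ldif LUMINIS_ID BANNER_ID
# Prints the LDIF record for one Luminis-to-Banner mapping under
# o=usermap,o=Banner,o=SCTSSOapplications.
# Returns 2 (no output) when the IDs are identical, since no entry should
# exist for such users, and 3 when the Luminis ID contains characters that
# are special in a DN (, + = " \ ; < >) and would need escaping.
usermap_ldif() {
  lum=$1
  ban=$2
  [ "$lum" != "$ban" ] || return 2
  if printf '%s' "$lum" | grep -q '[,+="\;<>]'; then
    echo "skipping $lum: DN-special characters need escaping" >&2
    return 3
  fi
  printf 'dn: cn=%s,o=usermap,o=Banner,o=SCTSSOapplications\n' "$lum"
  printf 'objectClass: top\n'
  printf 'objectClass: SCTSSOConfig\n'
  printf 'cn: %s\n' "$lum"
  printf 'SCTSSOConfigString: %s\n' "$ban"
  # description is MUST in the SCTSSOConfig object class (Appendix C)
  printf 'description: Map of Luminis ID - %s to Banner/Oracle ID - %s\n\n' "$lum" "$ban"
}

# usermap_ldif_from_list < LIST
# Reads "luminis_id banner_id" pairs, one per line, from stdin. Blank lines
# and lines starting with # are ignored; identical pairs are skipped. Pipe
# the output to ldapmodify, which reads LDIF from stdin when -f is omitted:
#   ldapmodify -a -c -v -D "cn=Directory Manager" -j dm_password_file
usermap_ldif_from_list() {
  while read -r lum ban; do
    case "$lum" in ''|'#'*) continue ;; esac
    usermap_ldif "$lum" "$ban" || true
  done
}

# count_usermap_entries < LIST
# Number of LDIF records the list would add (one per "dn:" line).
count_usermap_entries() {
  usermap_ldif_from_list | grep -c '^dn: '
}

# Constructed sample list (not from the guide): two real mappings, one
# identical pair that must be skipped, and a comment line.
SAMPLE_USERMAP_LIST='JoeSmith jsmith
# jdoe has the same ID in both systems, so no entry is generated
jdoe jdoe
ASmith asmith'
```

Review the generated LDIF before importing it, and remember that a changed mapping is only picked up after the banportals OC4J restart described in the note above.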
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps.
1. Log on to Banner as the BASELINE user.
2. Access the GUAUPRF form.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value is displayed as the default value for new users who log in to Banner.

BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist. It only needs to bind and search; do not use the Directory Manager or another privileged account for it.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter uses the Internet URL format for LDAP, for example ldap://myldapserver:389.
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are L (the login ID is used for login mapping) and N (no usermap option is used).
USERMAP_PRFX: Prefix for the usermap. This holds the prefix for the usermap option; the default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined by the USERMAP_OPT parameter. The expected usermap value is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters.

LOCATION: To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where this wallet is created. It uses the file URL format; for example, file:d:\wallet for Windows or file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode, one of the following values:
1 - No authentication is required (SSL encryption only)
2 - One-way authentication is required; the client certificate is authenticated by the server
3 - Two-way authentication is required; the client and the server authenticate each other's certificates
With mode 1 no certificate is checked at all, so the connection is encrypted but the database has no assurance that it is talking to the intended LDAP server. Use mode 2 or 3 in production.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file. A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions for which an extension file is listed in step 2.2.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry inside the existing <util:map id="uniqueIdGeneratorsMap"> element:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient">
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4. Register only the services that need the bannerValidate endpoint: the attribute mappings above release UDC_IDENTIFIER and Formatted Name to every service that is allowed to validate a ticket there.
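The following shell check is an addition to this guide, not part of the SGHE extension or of CAS: it confirms that each piece from steps 4.1 through 4.6 is present under WEB-INF before you restart Tomcat, by looking for the file names and fixed strings shown above. cas_ext_demo_tree builds a throwaway, constructed tree so the check can be tried offline; that tree is not a real CAS deployment.

```shell
# cas_ext_check WEBINF_DIR
# Post-install check for the SGHE CAS extension pieces from steps 4.1 to 4.6,
# run against <cas-web.war>/WEB-INF. Prints one line per missing item and
# returns the number of missing items, so 0 means every piece was found.
# It confirms presence of the fragments only; it does not validate the XML.
cas_ext_check() {
  webinf=$1
  missing=0
  for jar in jsr173_1.0_api.jar sghe_udc_identity_xmlbeans_binding.jar \
             sghe-cas-ext.jar xbean.jar xercesImpl.jar xml-apis.jar; do
    if [ ! -f "$webinf/lib/$jar" ]; then
      echo "missing lib/$jar"; missing=$((missing + 1))
    fi
  done
  # Each line: file | fixed string that must appear in it | label for the report
  while IFS='|' read -r file needle label; do
    if [ ! -f "$webinf/$file" ]; then
      echo "missing $file ($label)"; missing=$((missing + 1))
    elif ! grep -qF -- "$needle" "$webinf/$file"; then
      echo "$label not found in $file"; missing=$((missing + 1))
    fi
  done <<EOF
web.xml|<url-pattern>/bannerValidate</url-pattern>|bannerValidate servlet mapping (4.1)
spring-configuration/uniqueIdGenerators.xml|com.sghe.cas.principal.BannerAccountsService|unique ID generator entry (4.2)
spring-configuration/argumentExtractorsConfiguration.xml|com.sghe.cas.web.support.BannerArgumentExtractor|BannerArgumentExtractor bean (4.3)
cas-servlet.xml|bannerAccountValidateController|validate controller (4.4)
deployerConfigContext.xml|com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator|UDC_IDENTIFIER populator (4.5)
classes/default_views.properties|com.sghe.cas.view.BannerAccountSuccessResponseView|Banner success view (4.6)
EOF
  return "$missing"
}

# cas_ext_demo_tree DIR
# Builds a constructed, minimal WEB-INF under DIR containing every piece the
# check looks for. It is a fixture for trying the check offline, not a CAS
# web application; the jars are empty files.
cas_ext_demo_tree() {
  w=$1/WEB-INF
  mkdir -p "$w/lib" "$w/spring-configuration" "$w/classes"
  for jar in jsr173_1.0_api.jar sghe_udc_identity_xmlbeans_binding.jar \
             sghe-cas-ext.jar xbean.jar xercesImpl.jar xml-apis.jar; do
    : > "$w/lib/$jar"
  done
  printf '<servlet-mapping>\n  <servlet-name>cas</servlet-name>\n  <url-pattern>/bannerValidate</url-pattern>\n</servlet-mapping>\n' > "$w/web.xml"
  printf '<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />\n' > "$w/spring-configuration/uniqueIdGenerators.xml"
  printf '<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor"></bean>\n' > "$w/spring-configuration/argumentExtractorsConfiguration.xml"
  printf '<prop key="/bannerValidate">bannerAccountValidateController</prop>\n' > "$w/cas-servlet.xml"
  printf '<bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator"/>\n' > "$w/deployerConfigContext.xml"
  printf 'bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView\n' > "$w/classes/default_views.properties"
}
```

Against a real deployment, run cas_ext_check "$SGHE_CAS_SERVER/WEB-INF" (with the war unpacked) and fix every line it prints before restarting.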
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.banner.portals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name '*.log'
application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
application-deployments/bnig/BEIS_default_island_1/bnig_application.log
application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
log/identity_data_export_utilities.log
log/BEIS_default_island_1/default-web-access.log
log/BEIS_default_island_1/server.log
log/BEIS_default_island_1/global-application.log
log/BEIS_default_island_1/rmi.log
log/BEIS_default_island_1/jms.log
log/spml_publisher_failure.log
log/sqlnet.log
For HTTP-layer monitoring, refer to the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services. Because OEM can stop, start and reconfigure every container, make sure the ias_admin password is not left at a well-known value and that port 1156 is reachable only from administrative networks.
Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jmslistener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
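The following shell functions are an added example (not part of LMG or of this guide) that read adapter.log lines and classify each event by the furthest of the three INFO messages above it reached, then list the events that never made it to a publisher. The log sample is constructed: the three lines for event 370660 are the ones shown above, and event 370661 is invented to show a stalled event.

```shell
# lmg_event_status EVENT_ID < adapter.log
# Reads LMG adapter.log lines on stdin and prints the furthest stage event
# EVENT_ID reached, based on the three INFO messages the guide shows:
#   missing    no line mentions the event
#   validated  "XML for <id> is a valid document"
#   published  "Message <id> published to Luminis Message Broker"
#   delivered  "The event <id> has been published to <destination>"
lmg_event_status() {
  id=$1
  rank=0
  while IFS= read -r line; do
    case "$line" in
      *"XML for $id is a valid document"*)
        if [ "$rank" -lt 1 ]; then rank=1; fi ;;
      *"Message $id published to Luminis Message Broker"*)
        if [ "$rank" -lt 2 ]; then rank=2; fi ;;
      *"The event $id has been published to "*)
        if [ "$rank" -lt 3 ]; then rank=3; fi ;;
    esac
  done
  case "$rank" in
    0) echo missing ;;
    1) echo validated ;;
    2) echo published ;;
    3) echo delivered ;;
  esac
}

# lmg_event_destination EVENT_ID < adapter.log
# Prints the destination named in the "has been published to" line for
# EVENT_ID, or nothing if the event never got that far.
lmg_event_destination() {
  id=$1
  sed -n "s/.*The event $id has been published to \([^ ]*\).*/\1/p" | head -n 1
}

# lmg_stuck_events < adapter.log
# Lists "<event id> <status>" for every event that was validated but did not
# reach the delivered stage. This is the list to compare against GOAEQRM
# when Luminis is not receiving events.
lmg_stuck_events() {
  log=$(cat)
  printf '%s\n' "$log" \
    | sed -n 's/.*XML for \([0-9][0-9]*\) is a valid document.*/\1/p' \
    | sort -u \
    | while read -r id; do
        st=$(printf '%s\n' "$log" | lmg_event_status "$id")
        [ "$st" = delivered ] || echo "$id $st"
      done
}

# Constructed sample log: the three lines from the guide for event 370660,
# plus an invented event 370661 that was validated but never published.
LMG_SAMPLE_LOG='2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,003 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document'
```

On a live system, run lmg_stuck_events < $SCT_LMG_HOME/Events/logs/adapter.log after reproducing the problem; an event reported as validated or published, but not delivered, points at the broker side rather than at Banner.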
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows.
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL*Plus as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS      TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                        TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- f holds the proxy password; leave this line commented out, or the
  -- password is written in clear text to the proxyinfo.lst spool file.
  -- dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
binsh
author davidnortonsungardhecom
version history
01312011 - initial version rolled
02162011 - slight changes to notes
02202011 - notes moved to separate doc general clean-up but
no changes in the logicexecution
Debug note
To debug execute ldquobinsh [or binbash] [-x|-v] lp5_mqinitshrdquo
Uncomment the following for verbose dsconfigldapmodify
VERBOSE=rdquo--verboserdquo
User-configurable variables before running script
HOSTNAME=slc207123sctcom
MQ_HOME=optglassfishv3mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
er 2011 Luminis Platform 503 C-5Banner Integration Setup Guide
Sample Scripts and Files
C-6
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
You probably shouldnt need to adjust these
OPENDS_DIR=$CP_ROOTproductsopends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=rdquoo=messagingrdquo
INSECURE_LDAP_PORT=389
Non-configurable variables initialized
STEPNO=1
ERRORCODE=0
After each command check for a non-zero error response and exit if applicable
ErrorCheck()
while
do
case $ERRORCODE in
err=0 no error
0 ) break
Not necessarily errors might indicate script already ran
err=20 generally means Attribute of Value Exists
err=68 generally means Entry Already Exists
20|68 )
echo Proceed with script [Press Y|y to continue any other key to abort]
read PROCEED
case $PROCEED in
Y|y )
break 2
)
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
echo Failed on step $STEPNO with error $ERRORCODE
exit
esac
Shouldnt ever get here but just in case no pun
echo Outer loop break
) echo Failed on step $STEPNO with error $ERRORCODE
exit
esac
done
Step 01
Some sanity checks before we start
Does $OPENDS_DIR exist and is it writable
if [[ ( -d $OPENDS_DIR ) || ( -w $OPENDS_DIR ) ]] then
echo ERROR $OPENDS_DIR does not exist or is not writable
echo You must execute this script as the $CP_ROOT installerowner
echo on the resource tier Exiting
exit
fi
Step 02
Prompt [no screen echo] for DM password
echo Enter the Directory Manager password for DS additionsmods
read -s DM_PASSWORD
Refer to httpswwwopendsorg12pageDsconfig for dsconfig options
DSCONFIG_OPTS=-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE
Refer to httpswwwopendsorgwikipageLdapmodify for ldapmodify options
er 2011 Luminis Platform 503 C-7Banner Integration Setup Guide
Sample Scripts and Files
C-8
LDAPMODIFY_OPTS=-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE
STEP 1
Create a new base-dn within backend userRoot
cd $CP_ROOTproductsopendsbin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn$OPENDS_MQ_BASEDN
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 2
Ensure that pre-encoded passwords are allowed
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Default Password Policycn=Password Policiescn=config
changetype modify
replace ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords true
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 3
Add $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn $OPENDS_MQ_BASEDN
objectClass top
objectClass organization
o messaging
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 4
Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
dn ou=People $OPENDS_MQ_BASEDN
ou People
objectClass organizationalunit
objectClass top
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 5
Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS -a ltlt-EOF
dn ou=AdministeredObjects $OPENDS_MQ_BASEDN
ou AdministeredObjects
objectClass organizationalunit
objectClass top
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 6
Add $MQ_LMG_USER
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=$MQ_LMG_USERou=People $OPENDS_MQ_BASEDN
userPassword $MQ_LMG_USER_PW
description LMG
objectClass person
objectClass top
sn $MQ_LMG_USER
cn $MQ_LMG_USER
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
If you want to insert a pre-encoded userPassword the format would be
userPassword e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
er 2011 Luminis Platform 503 C-9Banner Integration Setup Guide
Sample Scripts and Files
C-10
STEP 7
Add the $MQ_LUM_USER user
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=$MQ_LUM_USERou=People $OPENDS_MQ_BASEDN
userPassword $MQ_LUM_USER_PW
description Internal message broker administrative user
objectClass person
objectClass top
sn $MQ_LUM_USER
cn $MQ_LUM_USER
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 8
Add LDAP aci so that $MQ_LMG_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LMG_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 9
Add LDAP aci so that $MQ_LUM_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LUM_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
Define JNDI options for the imqobjmgr commands
JNDI_OPTS=-j javanamingfactoryinitial=comsunjndildapLdapCtxFactory -j javanamingproviderurl=ldap$HOSTNAME$INSECURE_LDAP_PORTou=AdministeredObjects$OPENDS_MQ_BASEDN -j javanamingsecuritycredentials=$DM_PASSWORD -j javanamingsecurityauthentication=simple
Insecure jmshttpjms connection factory options
CONNFACTORY_TCP_OPTS=-o imqConnectionURL=http$HOSTNAME$MQ_HTTP_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Secure ssljmshttpsjms connection factory options
CONNFACTORY_TLS_OPTS=-o imqConnectionURL=https$HOSTNAME$MQ_HTTPS_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Note the following imqobjmgr queuetopic creations could have also
been done by using imqcmd as follows explicit imqobjmgr is used to
ensure fine-grained control over the JNDI AdministeredObjects location
imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
er 2011 Luminis Platform 503 C-11Banner Integration Setup Guide
Sample Scripts and Files
C-12
imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
# The lookup names contain a literal "$", so they are single-quoted to keep the shell from expanding them.
cd "$MQ_HOME/bin"
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' \
  -o imqDestinationName=com_sct_ldi_sis_EntityEvents \
  $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' \
  -o imqDestinationName=com_sct_ldi_sis_Error \
  $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' \
  -o imqDestinationName=com_sct_ldi_sis_LmsSync \
  $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' \
  -o imqDestinationName=com_sct_ldi_sis_Sync \
  $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# imqDestinationName must be the UpdateRequest queue created above, not the Sync topic;
# otherwise request and reply traffic end up on the same destination.
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' \
  -o imqDestinationName=com_sct_ldi_sis_UpdateRequest \
  $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration.
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' \
  -o imqDestinationName=com_sct_ldi_sis_UpdateReply \
  $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG, WebCT/Blackboard, etc.
# The two TCP factories (STEP 16 and 17) carry broker credentials and message
# payloads in the clear; point any client that is not on this host at the
# ssl_* factories from STEP 18 and 19 instead.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory \
  $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG, WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory \
  $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG, WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory \
  $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG, WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory \
  $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting

This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.

Error message when BANPROXY is not configured correctly

The following error usually indicates that the BANPROXY (Oracle proxy authentication) configuration is incomplete:

    ORA-28150: proxy not authorized to connect as client

If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:

    SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;

The proxy (connect-through) grant for BANPROXY access has the following shape:

    SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;

USER2 should be the sole member of the pxy_channel_luminis class and must be granted EXECUTE on GSPPRXY and CREATE SESSION (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed; USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.

When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in SYS.PROXY_USERS regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you must issue the grants manually, executed as BANSECR, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.

For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, the script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.

Note: when you use the GSASECR form to check BANPROXY access with a default Oracle ID other than BANPROXY, you must assign the connect-through grants manually via SQL.

To test which Oracle ID will be used for a given SPRIDEN ID or Luminis Platform user, use the gspprxy.get_proxy_info method or the proxyinfo.sql script, run as BANSECR, described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO

The hand-off logic between the SSO systems is deliberately opaque, to make ticket hijacking and similar attacks harder, and the installation process is manual so that each administrative staff can customize its environment with its own, unique keywords.

The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and in the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb must match what was configured in baniam.properties inside the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, must match the parameter that was added to your formsweb.cfg as follows:

    iamticket=iamticket

Reference the same forms configuration everywhere /forms/frmservlet?config=... appears, in the BNIG configuration and in banportals (the sample environment uses smpl_sctsso). The INB and SSB cookie/header names in the bnigWeb configuration must match the IDM settings in Web Tailor Parameters.

If you see ajp-related errors in the Banner Enterprise Identity Services default island log in $OAS_HOME/opmn/logs, or errors such as "SOAPException faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams on which JMS relies. To correct the problem, complete the following steps:

1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any lock files.

Another SOAP-related error, an HTTP transport error, can occur even when all the JMS queues are configured and operating correctly. This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:

    http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy

Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK in the SunGard Higher Education Customer Support Center describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams

The following topics provide more information about validating the Oracle Streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation

For more information, refer to the Banner Enterprise Identity Services Installation Guide. Note one typo in that guide: its validation statement is missing a single quote and should read as follows.

1. Run the validation statement:

       SELECT COUNT(*) FROM GSVCADT WHERE GSVCADT_CAPTURE_NAME = 'IAM_EVENTS_CAPTURE';

2. If the results from those validation SQL statements do not match the expected results, run the following scripts:

       gorctabi_070501.sql
       gorccoli_070501.sql
       gorcruli_070501.sql

   These are Banner General files located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 in the SunGard Higher Education Customer Support Center.

3. Ensure that you are using General 8.3 or above, then enter the following commands:

       exec gp_streams_util.p_create_streams('IAM');
       exec gp_streams_util.p_configure_rules('IAM');

   The latter command should automatically begin the capture and apply. To begin them manually, enter:

       exec gp_streams_util.p_start_capture('IAM');
       exec gp_streams_util.p_start_apply('IAM');

   If the streams are blocking on archive logs, you can remove the stream by entering:

       exec gp_streams_util.p_remove_streams('IAM');

4. To recreate and reconfigure the streams, enter:

       exec gp_streams_util.p_create_streams('IAM');
       exec gp_streams_util.p_configure_rules('IAM');
1 Introduction

Today's higher education institution requires a fully integrated solution that provides automated student information system integration with its portal and web-services delivery program. This guide outlines the steps necessary to configure data- and presentation-layer integration between the Banner Enterprise Resource Planning (ERP) systems and the Luminis Platform portal. Data integration refers to the transfer of user, group, term, department, course and other information from Banner, through a Java Message Service (JMS) message queue, into Luminis Platform. Presentation-layer integration refers to the setup and configuration necessary to enable CAS integration and single sign-on through Banner Enterprise Identity Services for the suite of Banner portlets.

The steps required to complete the Banner and Luminis Platform integration are grouped into four sections. The first section relates to the Banner General, INB/SSB Middle Tier and Banner Enterprise Identity Services (BEIS) products. The second relates specifically to the Luminis Platform. The third outlines the items required to integrate the two. The fourth provides suggestions on how to validate and fully test your setup. Your specific environment and setup may require variations in the sequence.

This section also contains an overview of the overall architecture for integrating Banner with Luminis Platform.
Banner product and setup prerequisites

The following Banner products must be installed before you can integrate Banner and Luminis Platform:

• Banner General, implemented and configured according to the Banner General instructions.
• Internet Native Banner (INB), implemented and configured according to the Middle Tier Implementation Guide.
• Self-Service Banner (SSB), implemented and configured according to the Middle Tier Implementation Guide.
• Banner Channels App, implemented and configured according to the Luminis-Banner and banportals installation instructions described later in this guide.
• Banner Enterprise Identity Services (BEIS), implemented and configured according to the Banner Enterprise Identity Services Handbook.
Luminis Platform product and setup prerequisites

Luminis Platform must be installed and operational as a stand-alone application before you attempt to integrate it with Banner. For information about installing and configuring the CAS server that is included with Luminis Platform, refer to the Luminis Platform 5.0 Installation Guide and to the CAS customization steps documented in the Banner Enterprise Identity Services Handbook.

BEIS version 8.1.4 and above support Jasig CAS versions 3.2.1.1, 3.3.1 and 3.4.2. For future Google Apps integration, the CAS server should be deployed in the demilitarized zone (DMZ), reachable from outside the institutional firewall.

Integrate Banner and Luminis Platform: Broker and LMG setup

The following products must be installed last before you can integrate Banner with Luminis Platform:

• Open Message Queue 4.5. Install and configure Open Message Queue 4.5. For more information about installing this program, see "Data-Level Integration and Provisioning" on page 3-1 later in this document. You can also reference the documentation located at http://glassfish.java.net.
• Learning Management Message Gateway. Install and customize or import LMG. For more information, see "Learning Message Gateway" on page 3-1.

Test and validate the integration

Once the Banner integration setup has been completed, a Banner user must log in to the system and create a page with an embedded portlet. This page should have a URL such as http://<host>:<port>/banner-cas-client/authorized/banner/SelfService. Invoking this page brings up the Banner Self-Service screen.

Success criteria

The successful deployment and configuration of Banner Integration for Luminis Platform is best measured by the resulting ability to authenticate into Luminis Platform and Banner simultaneously, using Central Authentication Service (CAS) for single sign-on, and to access Banner data and links in the Banner portlets. In addition, the Luminis Platform system should be able to create users and course information in all appropriate content areas, such as the My Courses portlet, whenever the Banner system is updated.
Banner product dependencies

The following components are recommended when configuring the Luminis Platform Banner integration. Refer to the Banner DC Release Interdependency Matrix for additional options.

• Luminis Platform 5.0.2
• Banner Enterprise Identity Services (BEIS) 8.1.3 or higher
• Banner General 8.4
• Banner Student 8.4.1 or 8.5
• Banner Student Self-Service 8.4.1 or 8.5
• Banner Intcomp 8.0.1
• Web Tailor 8.4 or higher
• Internet Native Banner (INB) configured per the Middle Tier Implementation Guide
• GlassFish Server Open Source Edition 3.1 or higher (this includes Open MQ)
• Banner Channels 8.2 or higher
• Central Authentication Service (CAS) 3.4.2, 3.3.1 or 3.2.1.1

Note: CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
Deployment architecture overview

The deployment model for a fully integrated Banner system, Luminis Platform portal and CAS server is illustrated in the architecture diagram of the original guide.

The next few chapters discuss the following topics:

• "Central Authentication Service and Banner Enterprise Identity Services"
• "Data-Level Integration and Provisioning"
• "SSB and INB Integration"
2 Central Authentication Service and Banner Enterprise Identity Services

Central Authentication Service (CAS) is an enterprise single sign-on (SSO) solution for web applications. CAS SSO improves the user experience when running several web applications that each have their own means of authentication. With an SSO solution, users authenticate to one central authentication service and can then access other web applications that have a trust relationship with that service without a second login. For example, when you access your portal instance you are redirected to CAS to log in; CAS authenticates the user's credentials and returns a ticket to the browser, which the portal validates with CAS before granting access.

CAS and Banner Enterprise Identity Services (BEIS) are required for single sign-on (SSO) links within Luminis Platform to work.

This chapter contains the following sections:

• "CAS server configuration for UDCIdentifier"
• "Banner CAS client configuration"
• "Banner Enterprise Identity Services Configuration Information Tables"
• "Luminis Banner Web application"
• "Prepare to Install Luminis Platform Portlets for Banner"

CAS server configuration for UDCIdentifier

This section provides information about configuring the Luminis Platform CAS server to support Banner Enterprise Identity Services (BEIS) or any other SunGard Higher Education product that is UDCIdentifier aware and participates in a CAS SSO session.

Note: CAS versions 3.2.1.1 and 3.3.1 are supported. CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
This section includes the following topics:

• "Prerequisites"
• "CAS protocol extension"
• "Specify bannerValidate parameters"
• "Returned bannerValidate responses"
• "Configure the CAS server"
• "CAS managed services"

Prerequisites

Before implementing CAS with UDCIdentifier, the following prerequisites must be met:

• The identity repository used by the CAS server must be UDCIdentifier aware.
• You must have an understanding of the CAS protocol (2.0) and the CAS 3.2 architecture.

CAS protocol extension

SunGard Higher Education uses the CAS attribute assertion features to assert additional identity attributes. The SunGard Higher Education CAS protocol extension is implemented by adding a validation service (bannerValidate) to the CAS server.

Note: The bannerValidate service is similar to the serviceValidate feature available in the JA-SIG CAS server reference implementation.

Upon successful CAS authentication, the CAS client validation filter calls the bannerValidate service to get information about the enterprise user. The service checks the validity of a service ticket and returns a UDCIdentity XML fragment as the response.

Note: The bannerValidate service does not generate or issue proxy-granting tickets, even when they are requested. The bannerValidate service must not return a successful authentication if it receives a proxy ticket.
Specify bannerValidate parameters

The following HTTP request parameters must be supplied to the bannerValidate service. The parameter names are case sensitive.

Parameter | Description
BANNER-SV | Identifier of the service for which the CAS ticket was issued. Refer to the JA-SIG CAS overview, section 2.2 of the CAS protocol, for information about the login.
BANNER-ST | Service ticket issued by the CAS login service when a client presents credentials. A service ticket is an opaque string that the client uses as a credential to obtain access to a service.

Returned bannerValidate responses

The bannerValidate service returns one of the following three responses:

• If the ticket validation is successful, an XML-formatted response of the following form is returned:

    <urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
      <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
      <urn:LogonID>triddle</urn:LogonID>
      <urn:Extension>
        <urn:Attribute>
          <urn:name>BANNER-SV</urn:name>
          <urn:value>maldevl5.sct.com/cas-client-31/authorized/banner/SelfService</urn:value>
        </urn:Attribute>
      </urn:Extension>
    </urn:UDCIdentity>

• If the UDC_IDENTIFIER is not asserted as part of the validation response, an AssertionValidation error is returned.
• If the ticket validation fails, an HTTP 401 error code is returned.
The CAS server asserts the following attributes:

Attribute | Location in response
UDC_IDENTIFIER | UDCIdentity/UDCIdentifier
CAS Net ID | UDCIdentity/LogonID

Configure the CAS server

The Luminis Platform CAS server must be configured to extend the basic CAS services to support the bannerValidate service. This service is configured to retrieve UDC_IDENTIFIER data from your LDAP directory.

If the Luminis Platform CAS server was installed using the Luminis Installer, support for the bannerValidate service has been configured automatically. If you are using an externally managed CAS server, as described in the Luminis Platform Installation Guide, you must configure the CAS server manually to support the bannerValidate service by following the steps in the "Configure the CAS Server" appendix.

CAS managed services

The following are the primary CAS managed services. Some or all of these services may already exist in your CAS managed services page after the initial installation of Luminis. The CAS managed services page is found at:

    https://<cas-server-name>:<port>/cas-web/services/manage.html

• A typical Luminis/CAS installation requires at least the following CAS-managed service:

    https://<cas-server-name>:<https port>/cas-web/services

  For this service, select the uid attribute and check the Enabled, Allowed to Proxy and SSO Participant check boxes.

• The Admin server login URL displays as follows:

    https://<luminis-server-name>:<https port>/cportal/login

  A separate cportal/login service URL must be defined for each Luminis Platform hostname, such as the Admin and Portal tiers, or the virtual hostname if that is the URL end users use to reach the service. This service does not require any attributes. Recommended Status check boxes are Enabled, Allowed to Proxy and SSO Participant.

• The Admin server banner-cas-client URL displays as follows:

    https://<admin-server-name>:<https port>/banner-cas-client/authorized/banner

  A separate banner-cas-client/authorized/banner service URL must be defined for each Luminis Platform instance (Admin and Portal tiers, or the virtual hostname if end users use that URL to access the service in question). Check the Enabled and SSO Participant check boxes and select the UDC_IDENTIFIER attribute. Leave Allowed to Proxy unchecked for this service: it does not need proxy tickets, and bannerValidate rejects them in any case.
Note: UDC_IDENTIFIER does not display in the attribute list until the CAS customizations detailed in the "Configuring CAS server to enable bannerValidate" section take effect. A restart of the CAS server is required.

If necessary, edit the CAS managed services that the CAS server protects. Use the following steps to define new CAS managed services if required:

1. Launch a browser and navigate to the CAS server management page: https://<CAS server>:<port>/cas-web/services/manage.html
2. Supply a valid administrator user name and password obtained from the CAS administrator. The Services Management page is displayed.
3. Click the Add New Service tab in the left corner of the page.
4. Add a new service by entering the fields as in the table below.
5. Click Save Changes. The CAS server now protects the service that you defined.

Parameter | Description
Name | CAS services
Service URL | https://<cas-server>:<port>/cas-web/services
Description | Protect CAS services
Theme Name | cas
Status | Select Enabled and SSO Participant
Attributes | The service attributes
Banner CAS client configuration

Once the CAS server is configured to support Banner Enterprise Identity Services, you can configure Internet Native Banner and Banner Self-Service to participate in a CAS single sign-on (SSO) session. This is accomplished by deploying the Banner CAS Client web application on the Admin server and on the Portal server. This application proxies the CAS authentication process to the Banner SSO proxy web applications that front Internet Native Banner and Banner Self-Service. The application is only required in a CAS-based environment.

Use the following steps to install and configure the Banner CAS Client web application.
1. After you deploy the banner-cas-client version supplied with Banner Enterprise Identity Services on the Luminis Platform Admin and Portal instances, modify the following parameters in the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file:

Parameter | Description
banner.sso.gateway | URL of the Banner SSO Web Proxy, which is part of the Banner Identity Gateway deployment.
cas.server.gateway | Determines whether the login screen is displayed to the user. The default is false.
cas.server.renew | Determines whether users must log in to each application. If true, users must present credentials to each application even when an SSO session already exists; use this when users must not enter another application within the SSO realm without authenticating again. If false, users with an SSO session are not prompted again; use this for general use.
cas.server.url | URL of the CAS server. This is normally a secured container, so the URL should begin with https.
cas.server.proxyCallbackUrl | Server proxy callback URL, which should point to the CAS server and port.
cas.client.serverName | Client server address: the fully qualified server name and port where the application is running. Note: this should include the SSL port number.
cas.client.proxyCallbackUrl | Client proxy callback URL, which should point to the server and port where the client application is running. Note: this should include the SSL port number.

For example, the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file may appear as follows.

Admin:

    banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
    cas.server.renew=false
    cas.server.url=https://slcsup37.sct.com:8447/cas-web
    cas.client.serverName=slcsup37.sct.com:443

Portal:

    banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
    cas.server.renew=false
    cas.server.url=https://slcsup37.sct.com:8447/cas-web
    cas.client.serverName=slcsup38.sct.com:443

The following three properties are commented out with # and are not in use:

    #cas.server.gateway=false
    #cas.server.proxyCallbackUrl
    #cas.client.proxyCallbackUrl

2. Test the web application by invoking the following URL. It should be accessible from all resource and Portal tiers:

    https://<Luminis host>:<SSL PORT>/banner-cas-client

The following URLs are used to start Banner in a CAS single sign-on environment:

• Internet Native Banner: http://<host>:<port>/banner-cas-client/authorized/banner/OracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/banner/SelfService

Because the CAS service ticket is carried in the query string of these URLs, serve them over the HTTPS port in production, matching the SSL port registered in cas.client.serverName.
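The table and the sample files above spell out several constraints a misconfigured cas-client.properties silently violates (plaintext CAS URL, serverName without its SSL port, both renew and gateway set). The following is an added example, not part of the guide or of the banner-cas-client code: a small lint that reads the file with java.util.Properties rules, so that the commented-out "not in use" entries are not reported as set, and checks those constraints. The dotted property names follow the sample file above; the renew/gateway exclusivity rule comes from the CAS protocol; both sample files are constructed.

```python
# Added example (not part of the guide or the banner-cas-client code): lint a
# cas-client.properties file against the constraints in the table above.
# Property names are the dotted forms from the sample file; sample contents are
# constructed; renew and gateway being mutually exclusive is a CAS protocol rule.
import re
from urllib.parse import urlsplit

REQUIRED = ("banner.sso.gateway", "cas.server.url", "cas.client.serverName")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comment lines, key=value or
    key: value, trailing-backslash continuation, surrounding whitespace trimmed.
    Commented-out lines (the guide's 'not in use' entries) are skipped."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def lint_cas_client(props):
    """Return {'errors': [...], 'warnings': [...]} for one cas-client.properties."""
    errors, warnings = [], []
    for key in REQUIRED:
        if not props.get(key):
            errors.append("%s is missing" % key)
    url = props.get("cas.server.url", "")
    if url and urlsplit(url).scheme != "https":
        errors.append("cas.server.url must be https; service tickets are validated through it")
    gateway = props.get("banner.sso.gateway", "")
    if gateway and urlsplit(gateway).scheme != "https":
        warnings.append("banner.sso.gateway is not https; the SSO hand-off is readable on the wire")
    server_name = props.get("cas.client.serverName", "")
    if server_name and not re.fullmatch(r"[A-Za-z0-9.-]+:\d+", server_name):
        errors.append("cas.client.serverName must be <fqdn>:<ssl port>")
    for key in ("cas.server.renew", "cas.server.gateway"):
        if key in props and props[key] not in ("true", "false"):
            errors.append("%s must be true or false" % key)
    if props.get("cas.server.renew") == "true" and props.get("cas.server.gateway") == "true":
        errors.append("cas.server.renew and cas.server.gateway cannot both be true")
    return {"errors": errors, "warnings": warnings}


# Constructed sample, shaped like the Admin-tier file shown above.
SAMPLE_ADMIN = """\
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
# The following three properties are not in use
#cas.server.gateway=false
#cas.server.proxyCallbackUrl
#cas.client.proxyCallbackUrl
"""

# Constructed misconfiguration: plaintext CAS URL, serverName without its port,
# and renew + gateway both set.
SAMPLE_BAD = """\
banner.sso.gateway=https://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=true
cas.server.gateway=true
cas.server.url=http://slcsup37.sct.com:8080/cas-web
cas.client.serverName=slcsup37.sct.com
"""

if __name__ == "__main__":
    for name, text in (("admin", SAMPLE_ADMIN), ("bad", SAMPLE_BAD)):
        print(name, lint_cas_client(parse_properties(text)))
```

Run it against both the Admin and the Portal copy of the file, since the guide requires a separate cas.client.serverName per tier and the two files drift apart easily.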
Banner Enterprise Identity Services Configuration Information Tables

The following tables store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.

For Identity Data Export Utilities, as with other web apps, the configuration is stored in a properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed, under:

    applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties

Schema | Table | Application | Comments
BNIXMGR | APCONFG | Banner Identity Gateway | Stores application configuration for SSB and INB
BNIXMGR | WSCONFG | Banner Identity Gateway | Stores configuration for the Open Digital Campus Identity Web Service (credential service and ticketing service)
IDENTMGR | T_UDC_PST_LIST | Enterprise Identity Proxy Services | Stores a list of Provisioning Service Targets
Luminis Banner Web application

This web application contains all the Banner portlets deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.

Use the following steps to deploy these portlets:

1. Make the necessary changes to the properties located in the following folders:

    $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
    $CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes

2. The properties that need to be modified for the Banner portlets are as follows:

    # The URL to access the Banner Portal Servlet
    # Example: http://slcban3.sungardhe.com:7778/banportals
    providerServlet.url=<URL for the banportals application>
    # The user name to secure the servlet
    providerServlet.userName=channelAdmin
    # The password to secure the servlet
    providerServlet.password=u_pick_it
    version=development

    # The SSB URL for the English locale
    # Example: http://slcban3.sct.com:9200/pls/SMPL
    ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
    # The SSB URL for the French locale (same example)
    ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
    # The SSB URL for the Spanish (Mexico) locale (same example)
    ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
    # The SSB URL for the Arabic locale (same example)
    ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
    # The SSB URL for the Brazilian Portuguese locale (same example)
    ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>

    # The BEIS version: 8.1.4 for versions <= 8.1.4, otherwise 8.1.5
    beis.version=8.1.4
    # The banner-cas-client URL for SSB when BEIS <= 8.1.4 is used
    banner.cas.client.ssb=banner-cas-client/authorized/banner/SelfService
    # The banner-cas-client URL for INB when BEIS <= 8.1.4 is used
    banner.cas.client.inb=banner-cas-client/authorized/banner/OracleForms?launch_form=
    # The SSO Manager URL for SSB when BEIS 8.1.5 is used
    # (the pkg parameter must be the same as configured in SSO Manager)
    beis.ssomanager.ssb=http://<ssomanager-host>:<ssomanager-port>/ssomanager/c/SSB?pkg=
    # The SSO Manager URL for INB when BEIS 8.1.5 is used
    beis.ssomanager.inb=http://<ssomanager-host>:<ssomanager-port>/ssomanager/c/INB?otherParams=launch_form=

providerServlet.password is stored in clear text in this file, and u_pick_it is a placeholder you must replace. Restrict the file to the Tomcat service account, and keep it out of backups and source control that other staff can read.
Prepare to Install Luminis Platform Portlets for Banner

The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels web application, which runs either in a separate web application server or as a web application in the Internet Native Banner (INB) application server.

This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server, and modifications to the deployment of the Luminis Platform portlets for Banner. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.

For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki:

    http://www.edu1world.org/CommonsLuminis
This section includes the following topics:
• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"
Create the home directory for Luminis Channels for Banner
To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels
Copy the contents of the channel/admin subdirectory of your Banner production directory to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.
Edit the configuration file
Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following table specifies descriptions and examples of the Banner database connection configuration properties.
Property / Description / Example
connectionName.list
  Description: Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName, and so on.
  Example: connectionName.list=default or connectionName.list=default,other
default.tnsName
  Description: TNS name used when connecting to the Banner database.
  Example: default.tnsName=LB70.sct.com
default.userName
  Description: Connection pool user name.
  Example: default.userName=banproxy
default.password
  Description: Connection pool password.
  Example: default.password=banproxy
default.poolConfig.min-limit
  Description: Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
  Example: default.poolConfig.min-limit=1
default.poolConfig.max-limit
  Description: Maximum number of physical connections maintained by the pool.
  Example: default.poolConfig.max-limit=5
default.poolConfig.increment
  Description: Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
  Example: default.poolConfig.increment=1
default.poolConfig.timeout
  Description: The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is given in seconds.
  Example: default.poolConfig.timeout=30
log4j.rootCategory
  Description: The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.
providerServlet.url
  Description: URL to access the Banner portal servlet. This is the URL of the web server and points to the OC4J servlet, which resides on the web server machine. The port 4445 in this document is an example; you provide the port number that routes you to the welcome page of the web server, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. See "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.
  Example: providerServlet.url=http://<yourservername.com>:4445/banportals
providerServlet.userName
  Description: User name to secure the servlet.
  Example: providerServlet.userName=channelAdmin
providerServlet.password
  Description: Password used to secure the servlet.
  Example: providerServlet.password=u_pick_it
The recommended value for the user name is channelAdmin. You can use any value for the password.
This user name and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a channel request, it compares the user name and password stored in banportals.ear with the user name and password sent by Luminis from the luminis-banner webapp. Thus, the providerServlet user name and password should only be defined in the banportals.config file. There does not need to be any corresponding OS user, Oracle user, and so forth.
Generate the banportals.ear file
The banportals.config file contains values that should be inserted into the banportals.ear file.
To roll out the changes, an installer file, banportalsadmin.jar, is used. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via Oracle Enterprise Manager, as described in "Deploy the EAR file" on page 2-15.
xsl-parameter.erpUrlBase
  Description: URL for the INB server. Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL.
  Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D
xsl-parameter.urlHostAndPath
  Description: URL for the self-service application.
  Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD/
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be available to the machine on which you are browsing Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) machine, using mapped drives or symbolic links to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the name of the application being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not /banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the file $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/banportals.properties is customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP username mapping first, based on the GUAUPRF LDAP settings, and then fail over to the mapping set in the Banner GOBEACC table. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and the event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for use with Banner Integration for e-Learning. It supports Banner Integration for eLearning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring Framework application server context, which contains native JMS client connectivity by default. In addition, the JMS provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish OpenMQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the .../imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.
You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the OpenMQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows:
mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following to .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway; export SCT_LMG_HOME
3. Copy lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgX.x.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may appear as follows:
java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix. It assumes that the OpenDS LDAP server resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page at the following URL:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects, such as topics, queues, and connection factories, in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:
• Environmental settings include the following:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist, as follows:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes, as follows:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use imq.portmapper.port, which has a default value of 7676:
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations, include the following:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search, and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the last property, imq.log.level, to INFO for low-level debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue- and topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis:
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
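The checks below are an added example and not part of the Ellucian guide: they parse an accesscontrol.properties fragment in the syntax shown above, flag any principal named in the ACL that does not exist among the MQ users created in o=messaging, list each user's explicit grants, and show who may open an ADMIN connection. The principal set and the sample fragment (which contains a deliberately misspelled user) are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the guide's syntax; "lumser" is a deliberate
# misspelling of lumuser, the kind of slip this check exists to catch.
SAMPLE_ACL = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""

# Constructed: the MQ principals lp5_mqinit.sh creates in ou=People,o=messaging.
KNOWN_PRINCIPALS = {"lumuser", "lmguser"}

# <resource>.<name>[.<operation>].<allow|deny>.<user|group>=<name>[,<name>...]
RULE_RE = re.compile(
    r"^(?P<res>connection|queue|topic)\.(?P<name>[^.]+)"
    r"(?:\.(?P<op>produce|consume|browse))?"
    r"\.(?P<mode>allow|deny)\.(?P<kind>user|group)=(?P<names>.*)$"
)


def parse_acl(text):
    """Return a list of dicts, one per rule, with the fields named in RULE_RE."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised access-control line: {line}")
        rule = m.groupdict()
        rule["op"] = rule["op"] or "connect"   # connection rules carry no operation
        rule["names"] = [n.strip() for n in rule["names"].split(",") if n.strip()]
        rules.append(rule)
    return rules


def unknown_users(rules, known):
    """Users named in the ACL for which no MQ principal exists.

    The broker does not validate these names, so a misspelled user simply
    never gets (or silently loses) access; the ACL has to be checked here.
    """
    return {n for r in rules if r["kind"] == "user"
            for n in r["names"] if n != "*" and n not in known}


def effective_grants(rules):
    """Map each user to the set of 'resource:name:op' entries allowed to it."""
    grants = defaultdict(set)
    for r in rules:
        if r["mode"] == "allow" and r["kind"] == "user":
            for n in r["names"]:
                grants[n].add(f"{r['res']}:{r['name']}:{r['op']}")
    return dict(grants)


def admin_connectors(rules):
    """Users allowed to open an ADMIN connection, i.e. to run imqcmd against the broker."""
    return {n for r in rules
            if r["res"] == "connection" and r["name"] == "ADMIN"
            and r["mode"] == "allow" and r["kind"] == "user"
            for n in r["names"]}


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    print("unknown principals:", sorted(unknown_users(rules, KNOWN_PRINCIPALS)))
    print("ADMIN connectors:", sorted(admin_connectors(rules)))
    for user, entries in sorted(effective_grants(rules).items()):
        print(user, "->", sorted(entries))
```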
Custom JMS Clients
Ensure that your JMS clients have the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ, or Update Center, see http://java.net/jira/secure/IssueNavigator.jspa.
In most cases, installation is simply a matter of extracting the archive to the desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server.
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps:
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps:
Note: The imqusermgr command creates users in the file-system based user repository, but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details, or contact the Luminis Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for the other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
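The following script is an added example, not part of the guide or of Open MQ: it parses a portmapper reply like the ones above and compares the advertised admin, jms and ssljms ports with the static-port properties from config.properties, reporting any service that is missing, inactive (port 0) or still on an ephemeral port. The replies and configuration text embedded in it are constructed (hostnames are placeholders) following the layout shown above.

```python
# Constructed: a reply before static ports are configured (ephemeral ports),
# including the telnet chatter that a real session prints around it.
BEFORE = """\
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://mq.example.invalid/jndi/rmi://mq.example.invalid:8686/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
"""

# Constructed: a reply after imq.admin.tcp.port / imq.jms.tcp.port are set.
# Note that no ssljms line is advertised at all.
AFTER = """\
101 imqbroker 4.5
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
cluster tcp CLUSTER 50627
"""

# Constructed: the static-port lines the guide adds to config.properties.
CONFIG = """\
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
"""

# Which portmapper service name each static-port property governs.
PROPERTY_TO_SERVICE = {
    "imq.admin.tcp.port": "admin",
    "imq.jms.tcp.port": "jms",
    "imq.ssljms.tls.port": "ssljms",
}


def parse_portmapper(reply):
    """Return {service: (protocol, port)} from a portmapper reply.

    Service lines look like 'name protocol type port [details]'; the version
    banner and telnet chatter lack a numeric fourth field and are skipped.
    """
    services = {}
    for line in reply.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[3].isdigit():
            continue
        services[parts[0]] = (parts[1], int(parts[3]))
    return services


def parse_static_ports(config):
    """Return {property: port} for the static-port properties found in config.properties."""
    ports = {}
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in PROPERTY_TO_SERVICE and value.strip().isdigit():
            ports[key.strip()] = int(value.strip())
    return ports


def check_static_ports(reply, config):
    """Compare the live reply with the configured ports.

    Returns {service: message} for every configured service that is not
    where the configuration says; an empty dict means all is well. A service
    that is absent or shows port 0 is reported too, because a firewall rule
    written for a port that nothing listens on protects nothing.
    """
    live = parse_portmapper(reply)
    problems = {}
    for prop, port in parse_static_ports(config).items():
        svc = PROPERTY_TO_SERVICE[prop]
        if svc not in live:
            problems[svc] = f"not advertised by the broker (expected port {port})"
            continue
        proto, actual = live[svc]
        if actual == 0:
            problems[svc] = f"advertised with port 0 (service inactive), expected {port}"
        elif actual != port:
            problems[svc] = f"bound to {proto} port {actual}, expected static port {port}"
    return problems


if __name__ == "__main__":
    for label, reply in (("before", BEFORE), ("after", AFTER)):
        print(label, check_static_ports(reply, CONFIG) or "all configured ports in use")
```

On the "after" reply the only finding is ssljms, which is not advertised because the service is not in imq.service.activelist; that is what step 5 below checks.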
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.
If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled in the following file: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN ID lookup against LDAP involved in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via /banner-cas-client/authorized/banner, now place trust in the initial CAS ticket (as in the Luminis CAS login on port 8447), coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or, by proxy, BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a mapping in GOBUMAP from their UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise, bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the following command from $CP_ROOT/products/opends/bin:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select "Add one or more values".
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter "Use these values".
1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups

In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.

The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.

Create an encryption key

When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.

Note: During your Banner installation or upgrade, you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.

If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.

1. Create the physical directory on your database server, such as mkdir $BANNER_HOME/key_dir.
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
   Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
   The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
   Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
   sqlplus /nolog
   connect general/general_password
   start banssodir
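The key rules from step 3, turned into a check you can run against an enckey file before banssodir.sql and GOKKSSO depend on it. This is an added example written for this guide, not Ellucian code; the sample file contents in the test are constructed, and the padding character the package uses is not specified in the guide, so the checker only reports the characters that are actually used.

```python
"""Check an enckey file against the rules in step 3: key starts in column 1,
is at least eight characters, mixes letters and numbers, has a length that is
a multiple of eight, and only the first 24 characters are ever used."""
import re

MIN_LEN = 8        # characters consumed by the current DES mode
BLOCK = 8          # allowed key lengths are multiples of this
MAX_USED = 24      # GOKKSSO reads at most this many characters (DES3-ready)


def key_line(contents):
    """First line of the file, unstripped, so leading whitespace stays visible."""
    return contents.split("\n", 1)[0].rstrip("\r")


def validate_enckey(contents):
    """Return a list of rule violations; an empty list means the key is usable."""
    problems = []
    raw = key_line(contents)
    if raw != raw.lstrip():
        problems.append("key must start in column 1 (no leading whitespace)")
    key = raw.strip()
    if len(key) < MIN_LEN:
        problems.append(f"key must contain at least {MIN_LEN} characters")
    elif len(key) % BLOCK:
        problems.append(f"key length {len(key)} is not a multiple of {BLOCK}")
    if not (re.search(r"[A-Za-z]", key) and re.search(r"[0-9]", key)):
        problems.append("key must combine letters and numbers")
    if len(key) > MAX_USED:
        problems.append(f"only the first {MAX_USED} characters are used; "
                        f"{len(key) - MAX_USED} trailing characters are ignored")
    return problems


def effective_key(contents):
    """(des_part, stored_part): the eight characters DES uses now and the 24
    that GOKKSSO keeps for the 24-character DES3 key the guide describes."""
    key = key_line(contents).strip()[:MAX_USED]
    return key[:MIN_LEN], key


if __name__ == "__main__":
    # Constructed sample contents, not a real key file
    for sample in ("a1b2c3d4e5f6g7h8\n", "PASSWORD\n", " Abc12345\n"):
        print(repr(sample), validate_enckey(sample), effective_key(sample))
```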
Create entries in LDAP for usermap

If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications

UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is not necessary or recommended for that user.

In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:

• The same value:
  Luminis ID = jsmith
  Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
  Luminis ID = JoeSmith
  Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.

1. Create a mapping file, for example sso_map.ldif:
   dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
   SCTSSOConfigString: jsmith
   objectClass: top
   objectClass: SCTSSOConfig
   description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
   cn: JoeSmith
2. Import the mapping file into the LDAP server:
   ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
   Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.

Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping is read accordingly.

Configure parameters using GUAUPRF

To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:

1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value is displayed as the default value for new users who log in to Banner.

   Parameter      Description
   BIND_PASSWORD  The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
   BIND_USER      A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.
   DN             The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
   SERVER         The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using the Internet URL format for LDAP, for example: ldap://myldapserver:389
                  Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
   USERMAP_OPT    Usermap option. Valid values are as follows: L - LoginID is being used for login mapping; N - No usermap option is used.
   USERMAP_PRFX   Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV, you could also use the immutable ID to create the mapping.
                  Note: These options are defined in the USERMAP_OPT parameter. The expected usermap option is L (logon ID) or N (none).
5. In the SSL (Secure Socket Layer) key, configure the following parameters:

   Parameter  Description
   LOCATION   To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where this wallet is created. It uses the file URL format. For example: file:d:\wallet for Windows, file:/u01/wallet for Unix.
   PASSWORD   The password to the wallet. It is stored using DES encryption with the key you created in a previous step.
   MODE       The SSL authentication mode, one of the following values: 1 - No authentication is required (SSL encryption only); 2 - One-way authentication is required, the client certificate is authenticated by the server; 3 - Two-way authentication is required, the client and the server authenticate each other's certificates.
Appendix A CAS Server Configuration

Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.

For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.

1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
   A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the following CAS versions.
   2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
   2.2 Select the file that supports your version of CAS:
       SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
       SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
   4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
       jsr173_1.0_api.jar
       sghe_udc_identity_xmlbeans_binding.jar
       sghe-cas-ext.jar
       xbean.jar
       xercesImpl.jar
       xml-apis.jar
   4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
       <servlet-mapping>
         <servlet-name>cas</servlet-name>
         <url-pattern>/bannerValidate</url-pattern>
       </servlet-mapping>
   4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
       4.2.1 Open the uniqueIdGenerators.xml file.
       4.2.2 Add the following entry inside the existing <util:map id="uniqueIdGeneratorsMap"> element:
             <entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
       4.2.3 Save and close the uniqueIdGenerators.xml file.
   4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
       Use the following steps to modify the argumentExtractorsConfiguration.xml file:
       4.3.1 Open the argumentExtractorsConfiguration.xml file.
       4.3.2 Add the following XML configuration:
             <bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
             </bean>
       4.3.3 Add the following reference to the util:list argumentExtractors:
             <util:list id="argumentExtractors">
               <ref bean="BannerArgumentExtractor" />
               <ref bean="casArgumentExtractor" />
               <ref bean="samlArgumentExtractor" />
             </util:list>
       4.3.4 Save and close argumentExtractorsConfiguration.xml.
   4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
       Use the following steps to modify the cas-servlet.xml file:
       4.4.1 Open cas-servlet.xml and add the following XML configuration:
             <bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
                 p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
                 p:centralAuthenticationService-ref="centralAuthenticationService"
                 p:proxyHandler-ref="proxy20Handler"
                 p:argumentExtractor-ref="BannerArgumentExtractor"
                 p:successView="bannerAccountServiceSuccessView"
                 p:failureView="bannerAccountServiceFailureView" />
       4.4.2 Add the following property to the bean handlerMappingC:
             <prop key="/bannerValidate">bannerAccountValidateController</prop>
       4.4.3 Save and close the cas-servlet.xml file.
   4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
       4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
             <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
               <property name="baseDN" value="ou=People,o=cp" />
               <property name="query" value="(uid={0})" />
               <property name="contextSource" ref="contextSource" />
               <property name="ldapAttributesToPortalAttributes">
                 <map>
                   <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
                   <entry key="uid" value="uid" />
                   <entry key="udcid" value="UDC_IDENTIFIER" />
                   <entry key="cn" value="cn" />
                   <entry key="givenname" value="Formatted Name" />
                   <entry key="mail" value="EmailAddress" />
                 </map>
               </property>
             </bean>
       4.5.2 Add the following property configuration inside the bean authenticationManager:
             <property name="authenticationMetaDataPopulators">
               <list>
                 <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
                   <property name="template" ref="LdapTemplate" />
                   <property name="netIdAttr" value="uid" />
                   <property name="baseDN" value="ou=People,o=cp" />
                   <property name="casTokenAttributes">
                     <map>
                       <entry>
                         <key><value>udcid</value></key>
                         <value>UDC_IDENTIFIER</value>
                       </entry>
                     </map>
                   </property>
                 </bean>
               </list>
             </property>
       4.5.3 Add the following bean definitions under the beans root element:
             <bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
               <property name="contextSource" ref="contextSource"></property>
             </bean>
             <bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
               <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
             </bean>
             <bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
               <property name="template" ref="LdapTemplate"></property>
               <property name="netIdAttr" value="uid" />
               <property name="baseDN" value="ou=People,o=cp" />
               <property name="samlToLdapAttributeNameMap">
                 <map>
                   <entry key="UDC_IDENTIFIER" value="udcid" />
                   <entry key="Formatted Name" value="sn" />
                 </map>
               </property>
             </bean>
             <bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
       4.5.4 Save and close the deployerConfigContext.xml file.
   4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
       4.6.1 Open default_views.properties.
       4.6.2 Add the following lines:
             # Banner Applications Views
             bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
             bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
       4.6.3 Save and close default_views.properties.
   4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
Appendix B Logs

Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.

You can also enable debug logging for the GlassFish message queue (MQ) component.

Banportals logs

BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties

For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:

log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties

Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties

log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file

If you are not actively debugging, lower the verbosity to ERROR level.

Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1

There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name '*.log'
application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
application-deployments/bnig/BEIS_default_island_1/bnig_application.log
application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
log/identity_data_export_utilities.log
log/BEIS_default_island_1/default-web-access.log
log/BEIS_default_island_1/server.log
log/BEIS_default_island_1/global-application.log
log/BEIS_default_island_1/rmi.log
log/BEIS_default_island_1/jms.log
log/spml_publisher_failure.log
log/sqlnet.log

For HTTP-layer monitoring, refer to the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.

You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.

Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.

GlassFish MQ and Luminis Platform Message Brokerage logs

Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs

If you want to adjust the verbosity of jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties

Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties

Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:

# JMS Appender
log4j.logger.com.sghe.luminis.jmslistener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.

Learning Management Gateway (LMG) logs

Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.

The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)

The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.

To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:

log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG

Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.

If the LMG processed the files successfully, you see messages in the log files similar to the following example:

2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
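When tracing an event from GOAEQRM through adapter.log, the useful question is which of the three messages above each event ID reached. The following is an added example (not part of the guide or of LMG) that parses lines in that format and reports events that never reached the final "published to" stage; the log excerpt it runs on is constructed, including an ERROR line whose wording is assumed.

```python
"""Correlate LMG adapter.log lines with Banner event IDs (the Event Sequence on
GOAEQRM) and report which stage each event reached: XML validated, published to
the Luminis Message Broker, published to its target publisher."""
import re
from collections import defaultdict

# Constructed excerpt in the format shown above; not a real capture. Event
# 370660 completes all three stages, event 370661 stalls after validation.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO  events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO  events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO  events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,114 [Thread-11] INFO  events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:03,001 [Thread-1] ERROR events.com.sctcorp.events.MessageAdapter - Message 370661 failed: broker connection refused
"""

# One log4j-style line: timestamp, [thread], level, logger, " - ", message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)

# The three stage messages quoted in the guide, in the order LMG emits them
STAGES = (
    ("valid_xml", re.compile(r"^XML for (\d+) is a valid document$")),
    ("published_to_broker", re.compile(r"^Message (\d+) published to Luminis Message Broker$")),
    ("published_to_target", re.compile(r"^The event (\d+) has been published to (\S+)$")),
)
STAGE_ORDER = [name for name, _ in STAGES]


def event_status(log_text):
    """Return {event_id: {"stages": [...], "target": str|None, "errors": [...]}}.
    Stage hits are attributed by the event ID inside the message; ERROR/WARN
    lines that mention a numeric ID are attached to that event as errors."""
    status = defaultdict(lambda: {"stages": [], "target": None, "errors": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace continuation lines or other formats
        msg = m["msg"]
        for name, pattern in STAGES:
            hit = pattern.match(msg)
            if hit:
                rec = status[hit.group(1)]
                if name not in rec["stages"]:
                    rec["stages"].append(name)
                if name == "published_to_target":
                    rec["target"] = hit.group(2)
                break
        else:
            if m["level"] in ("ERROR", "WARN", "FATAL"):
                for event_id in re.findall(r"\b(\d{4,})\b", msg):
                    status[event_id]["errors"].append(msg)
    return dict(status)


def stalled_events(status):
    """(event_id, last_stage_seen) for events that never reached the final
    stage, to compare against events GOAEQRM already shows as 2 (Processed)."""
    return sorted(
        (event_id, rec["stages"][-1] if rec["stages"] else None)
        for event_id, rec in status.items()
        if STAGE_ORDER[-1] not in rec["stages"]
    )


if __name__ == "__main__":
    st = event_status(SAMPLE_LOG)
    for event_id, rec in sorted(st.items()):
        print(event_id, rec)
    print("stalled:", stalled_events(st))
```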
GlassFish MQ 4.5 logs

If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:

1. Locate the default MQ logs, stored in the following location:
   <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command:
   imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
   This has the same effect as adding or editing the following property in the following location:
   <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
   imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
   imq.log.file.dirpath=/opt/luminis/logs
   imq.log.file.filename=mb-broker.log
Appendix C Sample Scripts and Files

This appendix contains examples of scripts and LDIF files you might use during the integration. These include the following:

• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"

Sample proxyinfo.sql script

The following is an example proxyinfo.sql script:

--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS   TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                     TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';      -- application name passed to the proxy lookup
  b varchar2(200) := 'LUMINIS';      -- external system name
  c varchar2(200) := '&Luminis_ID';  -- SQL*Plus prompts for the Luminis ID here
  d varchar2(200);                   -- returned Oracle (INB) user
  e varchar2(200);                   -- returned role
  f varchar2(200);                   -- returned password (not displayed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off

Sample 00-core.ldif

The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif

The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Sample sso_oclass_lum5.ldif

The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.

The following is a sample sso_oclass_lum5.ldif:

dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif

The following is a sample o=sctssoapplications.ldif file:

version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
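The usermap rules from "Create entries in LDAP for usermap" (chapter 4) and the sample above, checked offline: an added example for this guide, not Ellucian code, that parses an LDIF export, keeps only the SCTSSOConfig entries directly under o=usermap, rejects entries whose cn disagrees with the RDN or that lack a single SCTSSOConfigString, and resolves a Luminis ID case-insensitively (the schema declares caseIgnoreMatch). The LDIF it runs on is constructed, including one deliberately inconsistent entry and one LDIF-folded line.

```python
"""Offline validation and lookup of o=usermap entries in the format shown in
the sample o=sctssoapplications.ldif."""

USERMAP_DN = "o=usermap,o=Banner,o=SCTSSOapplications"

# Constructed sample (not a real export): one valid mapping, one entry whose
# cn disagrees with its RDN, and a folded description (continuation line
# starts with a space, as in the guide's own sample).
SAMPLE_LDIF = """version: 1

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: JoeSmith
description: Map of Luminis ID - JoeSmith to Banner/Oracle
  ID - jsmith
SCTSSOConfigString: jsmith

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyl
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
"""


def unfold(text):
    """Join LDIF continuation lines (one leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of {"dn": str, "attrs": {name_lower: [values]}} records.
    Attribute names are lower-cased because LDAP treats them case-insensitively.
    Base64 (::) values do not occur in these files and are not decoded."""
    entries, current = [], None
    for line in unfold(text):
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def load_usermap(entries, usermap_dn=USERMAP_DN):
    """Build {luminis_id.lower(): oracle_id} from entries directly under usermap_dn.
    Entries that break the guide's rules are reported in `problems` rather than
    mapped, so a bad entry cannot silently map a user to the wrong account."""
    mapping, problems = {}, []
    suffix = "," + usermap_dn.lower()
    for entry in entries:
        dn = entry["dn"]
        if not dn.lower().endswith(suffix):
            continue
        rdn, attrs = dn[: -len(suffix)], entry["attrs"]
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        cn = attrs.get("cn", [""])[0]
        target = attrs.get("sctssoconfigstring", [])
        if "sctssoconfig" not in classes:
            problems.append(f"{dn}: missing objectClass SCTSSOConfig")
        elif rdn.lower() != f"cn={cn}".lower():
            problems.append(f"{dn}: cn '{cn}' does not match the entry's RDN")
        elif len(target) != 1 or not target[0]:
            problems.append(f"{dn}: SCTSSOConfigString must have exactly one value")
        else:
            mapping[cn.lower()] = target[0]
    return mapping, problems


def resolve_oracle_id(mapping, luminis_id):
    """Mapped Oracle/INB login for a Luminis ID, or None when no explicit
    mapping exists (the guide then expects the IDs to be identical)."""
    return mapping.get(luminis_id.lower())


if __name__ == "__main__":
    usermap, issues = load_usermap(parse_ldif(SAMPLE_LDIF))
    print(usermap, issues, resolve_oracle_id(usermap, "JOESMITH"))
```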
Full lp5_mqinit.sh script

The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below:

#!/bin/bash
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc; general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify
#VERBOSE="--verbose"

# User-configurable variables; set before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0, no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break ;;    # case is not a loop, so one level leaves the while
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit $ERRORCODE ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * )
        echo "Failed on step $STEPNO with error $ERRORCODE"
        exit $ERRORCODE ;;
    esac
  done
}

# Step 0.1
# Some sanity checks before we start
# Does $OPENDS_DIR exist and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 0.2
# Prompt [no screen echo] for DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
er 2011 Luminis Platform 503 C-7Banner Integration Setup Guide
Sample Scripts and Files
C-8
LDAPMODIFY_OPTS=-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE
STEP 1
Create a new base-dn within backend userRoot
cd $CP_ROOTproductsopendsbin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn$OPENDS_MQ_BASEDN
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 2
Ensure that pre-encoded passwords are allowed
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Default Password Policycn=Password Policiescn=config
changetype modify
replace ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords true
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 3
Add $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn $OPENDS_MQ_BASEDN
objectClass top
objectClass organization
o messaging
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 4
Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
dn ou=People $OPENDS_MQ_BASEDN
ou People
objectClass organizationalunit
objectClass top
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 5
Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS -a ltlt-EOF
dn ou=AdministeredObjects $OPENDS_MQ_BASEDN
ou AdministeredObjects
objectClass organizationalunit
objectClass top
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 6
Add $MQ_LMG_USER
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=$MQ_LMG_USERou=People $OPENDS_MQ_BASEDN
userPassword $MQ_LMG_USER_PW
description LMG
objectClass person
objectClass top
sn $MQ_LMG_USER
cn $MQ_LMG_USER
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
If you want to insert a pre-encoded userPassword the format would be
userPassword e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
er 2011 Luminis Platform 503 C-9Banner Integration Setup Guide
Sample Scripts and Files
C-10
STEP 7
Add the $MQ_LUM_USER user
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=$MQ_LUM_USERou=People $OPENDS_MQ_BASEDN
userPassword $MQ_LUM_USER_PW
description Internal message broker administrative user
objectClass person
objectClass top
sn $MQ_LUM_USER
cn $MQ_LUM_USER
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 8
Add LDAP aci so that $MQ_LMG_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LMG_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 9
Add LDAP aci so that $MQ_LUM_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LUM_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
Define JNDI options for the imqobjmgr commands
JNDI_OPTS=-j javanamingfactoryinitial=comsunjndildapLdapCtxFactory -j javanamingproviderurl=ldap$HOSTNAME$INSECURE_LDAP_PORTou=AdministeredObjects$OPENDS_MQ_BASEDN -j javanamingsecuritycredentials=$DM_PASSWORD -j javanamingsecurityauthentication=simple
Insecure jmshttpjms connection factory options
CONNFACTORY_TCP_OPTS=-o imqConnectionURL=http$HOSTNAME$MQ_HTTP_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Secure ssljmshttpsjms connection factory options
CONNFACTORY_TLS_OPTS=-o imqConnectionURL=https$HOSTNAME$MQ_HTTPS_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Note the following imqobjmgr queuetopic creations could have also
been done by using imqcmd as follows explicit imqobjmgr is used to
ensure fine-grained control over the JNDI AdministeredObjects location
imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
er 2011 Luminis Platform 503 C-11Banner Integration Setup Guide
Sample Scripts and Files
C-12
imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
STEP 10
Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOMEbin
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_EntityEvents -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 11
Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Error -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 12
Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_LmsSync -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 13
Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Sync -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
STEP 14
Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateRequest -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 15
Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateReply -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 16
Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 17
Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 18
Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
er 2011 Luminis Platform 503 C-13Banner Integration Setup Guide
Sample Scripts and Files
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
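The script's step 6 comment shows a pre-encoded userPassword value without saying how to produce or check one. The following is an added example, not code from the guide or from OpenDS, that generates such a value and writes it in the LDIF form the comment shows. It assumes the OpenDS salted SHA-1 layout, "{SSHA}" followed by base64(sha1(password + salt) + salt) with an 8-byte salt; the sample line is copied from the script comment, and decoding it confirms the 8-byte salt. Because the value begins with "{", LDIF requires it to be base64-encoded after a double colon. Remember that a pre-encoded value skips the password policy's validators, which is why step 2 has to enable ds-cfg-allow-pre-encoded-passwords.

```python
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SALT_BYTES = 8      # assumption: OpenDS's salted SHA-1 scheme appends an 8-byte salt
DIGEST_BYTES = 20   # SHA-1 digest length

# The pre-encoded sample from the lp5_mqinit.sh comment, as written in LDIF
SAMPLE_LINE = ("userPassword:: "
               "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==")


def ssha_encode(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(encoded):
    """Split a stored {SSHA} value into (digest, salt); the salt follows the 20-byte digest."""
    if not encoded.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[len(SSHA_PREFIX):])
    if len(raw) <= DIGEST_BYTES:
        raise ValueError("encoded value is too short to hold a digest and a salt")
    return raw[:DIGEST_BYTES], raw[DIGEST_BYTES:]


def ssha_verify(password, encoded):
    """Recompute the salted digest and compare it in constant time."""
    digest, salt = ssha_split(encoded)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_line(encoded):
    """LDIF requires a value beginning with '{' to be base64-encoded after '::'."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def ldif_value(line):
    """Inverse of ldif_line: recover the {SSHA} string from a 'userPassword::' line."""
    attr, sep, value = line.partition(":: ")
    if attr != "userPassword" or not sep:
        raise ValueError("expected a base64-encoded userPassword line")
    return base64.b64decode(value).decode("ascii")


if __name__ == "__main__":
    encoded = ssha_encode("password")
    print(ldif_line(encoded))          # paste this in place of 'userPassword: password'
    print(ssha_verify("password", encoded))
    print(len(ssha_split(ldif_value(SAMPLE_LINE))[1]))   # salt length of the guide's sample
```

Use ldif_line() output in place of the clear-text `userPassword:` line in steps 6 and 7; the clear-text MQ_*_USER_PW variables can then be dropped from the script, though the broker clients still need the password to bind.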
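Steps 8 and 9 of lp5_mqinit.sh give the two broker users read, search and compare rights on o=messaging and nothing else. The following added example, not code from the guide or from OpenDS, audits the global ACIs after the script has run: it unfolds the LDIF that ldapsearch prints for cn=Access Control Handler,cn=config, parses each ds-cfg-global-aci value with regular expressions covering the subset of the ACI syntax the script uses (target, targetscope, targetattr, allow(...), userdn), and flags any grant to a subject under o=messaging that either reaches outside that subtree or carries rights beyond read/search/compare. The input is a constructed excerpt; the third ACI in it is made up to show a failing case.

```python
import re

MQ_BASEDN = "o=messaging"
ALLOWED_RIGHTS = {"read", "search", "compare"}

# Constructed excerpt of what
#   ldapsearch -b cn=config "(cn=Access Control Handler)" ds-cfg-global-aci
# would print after lp5_mqinit.sh has run. The first two values are the ones the
# script adds; the third is made up here to show a grant the audit should reject.
SAMPLE_LDIF = """dn: cn=Access Control Handler,cn=config
ds-cfg-global-aci: (target="ldap:///o=messaging")(targetscope="subtree")(targetattr="*")
 (version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare)
  userdn="ldap:///cn=lmguser,ou=People,o=messaging";)
ds-cfg-global-aci: (target="ldap:///o=messaging")(targetscope="subtree")(targetattr="*")
 (version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare)
  userdn="ldap:///cn=lumuser,ou=People,o=messaging";)
ds-cfg-global-aci: (target="ldap:///cn=config")(targetscope="subtree")(targetattr="*")
 (version 3.0; acl "constructed bad example"; allow(all)
  userdn="ldap:///cn=lumuser,ou=People,o=messaging";)
"""

TARGET_RE = re.compile(r'\(target="ldap:///([^"]*)"\)')
TARGETATTR_RE = re.compile(r'\(targetattr="([^"]*)"\)')
RIGHTS_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)')
USERDN_RE = re.compile(r'userdn="ldap:///([^"]*)"')


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space) back onto the line they continue."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def global_acis(text):
    """Return the ds-cfg-global-aci values found in an LDIF dump of cn=config."""
    return [line.split(":", 1)[1].strip()
            for line in unfold_ldif(text) if line.startswith("ds-cfg-global-aci:")]


def parse_aci(value):
    """Extract target, targetattr, allow/deny rights and userdn from one ACI string."""
    target = TARGET_RE.search(value)
    rights = RIGHTS_RE.search(value)
    userdn = USERDN_RE.search(value)
    if not (target and rights and userdn):
        raise ValueError("unsupported ACI form: " + value)
    attrs = TARGETATTR_RE.search(value)
    return {
        "target": target.group(1),
        "targetattr": attrs.group(1) if attrs else "*",
        "kind": rights.group(1),
        "rights": {r.strip().lower() for r in rights.group(2).split(",")},
        "userdn": userdn.group(1),
    }


def dn_within(dn, base):
    """True if dn equals base or lies beneath it (case-insensitive, RDN spacing normalised)."""
    dn, base = dn.lower().replace(", ", ","), base.lower()
    return dn == base or dn.endswith("," + base)


def audit(ldif_text, basedn=MQ_BASEDN):
    """List grants to subjects under basedn that exceed read/search/compare on basedn."""
    findings = []
    for aci in (parse_aci(v) for v in global_acis(ldif_text)):
        if not dn_within(aci["userdn"], basedn):
            continue  # granted to a subject outside o=messaging: not one of the broker users
        if not dn_within(aci["target"], basedn):
            findings.append("%s: target %s lies outside %s"
                            % (aci["userdn"], aci["target"], basedn))
        excess = aci["rights"] - ALLOWED_RIGHTS
        if aci["kind"] == "allow" and excess:
            findings.append("%s: grants %s beyond read/search/compare"
                            % (aci["userdn"], ",".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF):
        print(finding)
```

Run it against a real dump by replacing SAMPLE_LDIF with the ldapsearch output; an empty result means the two messaging users hold exactly the rights the script intended.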
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in the Luminis Platform portlets for Banner.

Error message when BANPROXY is not configured correctly

The following error often indicates that the BANPROXY configuration is not correct:

ORA-28150: proxy not authorized to connect as client

If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:

SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;

The proxy (connect-through) grant for BANPROXY access has the general form:

SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;

USER2 should be the sole member of the pxy_channel_luminis class and must be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom proxy authentication for channels is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.

When "Authorize BANPROXY" is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, issue the grants manually, executed as BANSECR, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.

For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, the configuration must respond with the actual INB username. That user must be granted BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.

Note: When you use the GSASECR form to check BANPROXY access and your default Oracle ID is anything other than BANPROXY, assign the connect-through grants manually via SQL.

To test which Oracle ID should be used for a given SPRIDEN ID or Luminis Platform user, use the gspproxy.get_proxy_info method, or the proxyinfo.sql script described in "Sample proxyinfo.sql script" on page C-1, executed as BANSECR.
Banner Enterprise Identity Services - INB SSO

The hand-off logic between the SSO systems is somewhat cryptic, to make hijacking and other attacks harder. The installation process is manual so that each site's administrative staff can customize their environment to use unique keywords.

The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis web applications must correspond exactly. For example, the web services configuration in bnigWeb must match what was configured in baniam.properties inside baniam.jar. Likewise, the value of the ticket parameter name, such as iamticket for INB, must match the parameter that was added to your formsweb.cfg, as follows:

iamticket=iamticket

Reference the Forms configuration consistently wherever forms/frmservlet?config=… is referenced, both in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration must match the IDM settings in the Web Tailor parameters.

If you see AJP-related errors in the Banner Enterprise Identity Services default island log in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams on which JMS relies. To correct the problem, complete the following steps:

1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

3. Delete any lock files.

Another SOAP-related error, an HTTP transport error, can occur even if all the JMS queues are configured and operating correctly. It suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, for example:

http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy

Another solution is to adjust your Forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK in the SunGard Higher Education Customer Support Center describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams

The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.

Oracle Streams/Banner Enterprise Identity Services validation

For more information, refer to the Banner Enterprise Identity Services Installation Guide. One typo in that guide is the following:

1. SELECT COUNT(*) FROM GSVCADT WHERE GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide's version is missing a single quote)

2. If the results from those validation SQL statements do not match the expected results, run the following scripts: gorctabi_070501.sql, gorccoli_070501.sql and gorcruli_070501.sql. These are Banner General files located on your Banner database server under $BANNER_HOME/upgrade/gen80000u. They were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information see solution 1-9GK5D7 in the SunGard Higher Education Customer Support Center.

3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To begin them manually, enter:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the stream by entering:
exec gp_streams_util.p_remove_streams('IAM');

4. To recreate and reconfigure the streams, enter:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
1 Introduction
Today's higher education institution requires a fully integrated solution that provides automated student information system integration with its portal and web services delivery program. This guide outlines the steps necessary to configure data and presentation layer integration between the Banner Enterprise Resource Planning (ERP) systems and the Luminis Platform portal offering. Data integration refers to the transfer of user, group, term, department, course and other information from Banner through a Java Message Service (JMS) message queue into Luminis Platform. Presentation layer integration refers to the setup and configuration necessary to enable CAS integration and single sign-on through Banner Enterprise Identity Services for the suite of Banner portlets.
The steps required to successfully complete Banner and Luminis Platform integration have been categorized into four sections The first section relates to the Banner General INBSSB Middle Tier and Banner Enterprise Identity Services (BEIS) products The second section relates specifically to the Luminis Platform The third section outlines the items required to integrate the two The fourth section provides suggestions on how to validate and fully test your setup Your specific environment and setup may require variations in the sequence
This section also contains an overview of the overall integration architecture for integrating Banner with Luminis Platform
Banner product and setup prerequisites
The following is a list of Banner products you must install before you can integrate Banner and Luminis Platform:

• Banner General: implemented and configured according to the Banner General instructions.
• Internet Native Banner (INB): implemented and configured according to the Middle Tier Implementation Guide.
• Self-Service Banner (SSB): implemented and configured according to the Middle Tier Implementation Guide.
• Banner Channels App: implemented and configured according to the Luminis-Banner and Banportals installation instructions described later in this guide.
• Banner Enterprise Identity Services (BEIS): implemented and configured according to the Banner Enterprise Identity Services Handbook.
Luminis Platform product and setup prerequisites

Luminis Platform must be installed and operational as a stand-alone application before you attempt to integrate with Banner. For information about installing and configuring the CAS server that is included with Luminis Platform, refer to the Luminis Platform 5.0 Installation Guide and the CAS customization steps documented in the Banner Enterprise Identity Services Handbook.

BEIS 8.1.4 and above support Jasig CAS versions 3.2.1.1, 3.3.1 and 3.4.2. For future Google Apps integration, the CAS server should be reachable from the Internet, that is, placed in the demilitarized zone (DMZ) rather than on the internal network.

Integrate Banner and Luminis Platform: Broker and LMG setup

The following is a list of the final products you must install before you can integrate Banner with Luminis Platform:

• Open Message Queue 4.5: install and configure Open Message Queue 4.5. For more information about installing this program, see "Data-Level Integration and Provisioning" on page 3-1 later in this document. You can also reference the documentation at http://glassfish.java.net.

• Learning Management Message Gateway: install and customize, or import, LMG. For more information see "Learning Message Gateway" on page 3-1.

Test and validate the integration

Once the Banner integration setup is complete, a Banner user must log in to the system and create a page with an embedded portlet. The page should have a URL such as http://<host>:<port>/banner-cas-client/authorized/banner/SelfService. Invoking this page brings up the Banner Self-Service screen.

Success criteria

The successful deployment and configuration of Banner Integration for Luminis Platform is best measured by the resulting ability to authenticate into Luminis Platform and Banner simultaneously, using Central Authentication Service (CAS) for single sign-on, and to access Banner data and links in the Banner portlets. In addition, the Luminis Platform system should be able to create users and course information in all appropriate content areas, such as the My Courses portlet, whenever the Banner system is updated.
Banner product dependencies

The following components are recommended when configuring the Luminis Platform Banner integration. Refer to the Banner DC Release Interdependency Matrix for additional options.

• Luminis Platform 5.0.2
• Banner Enterprise Identity Services (BEIS) 8.1.3 or higher
• Banner General 8.4
• Banner Student 8.4.1 or 8.5
• Banner Student Self-Service 8.4.1 or 8.5
• Banner Intcomp 8.0.1
• Web Tailor 8.4 or higher
• Internet Native Banner (INB) configured per the Middle Tier Implementation Guide
• GlassFish Server Open Source Edition 3.1 or higher (this includes Open MQ)
• Banner Channels 8.2 or higher
• Central Authentication Service (CAS) 3.4.2, 3.3.1 or 3.2.1.1

Note: CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
Deployment architecture overview

The deployment model for a fully integrated Banner system, Luminis Platform portal and CAS server is illustrated below.

The next few chapters discuss the following topics:

• "Central Authentication Service and Banner Enterprise Identity Services"
• "Data-Level Integration and Provisioning"
• "SSB and INB Integration"
2 Central Authentication Service and Banner Enterprise Identity Services
Central Authentication Service (CAS) is an enterprise Single Sign-On (SSO) solution for Web applications CAS SSO improves the user experience when running several Web applications that have their own means of authentication With an SSO solution users authenticate to one central authentication service and can access other Web applications that have a trust relationship with the central authentication service without a secondary login For example if you want to access your portal instance you are redirected to CAS to log in CAS authenticates the user credentials and returns a ticket to the browser which allows access to the portal
CAS and Banner Enterprise Identity Services (BEIS) are required for the success of single sign-on (SSO) links within Luminis Platform
This chapter contains the following sections:

• "CAS server configuration for UDCIdentifier"
• "Banner CAS client configuration"
• "Banner Enterprise Identity Services Configuration Information Tables"
• "Luminis Banner Web application"
• "Prepare to Install Luminis Platform Portlets for Banner"
CAS server configuration for UDCIdentifier
This section provides information about configuring the Luminis Platform CAS server to support Banner Enterprise Identity Services (BEIS) or any other SunGard Higher Education products that are UDCIdentifier-aware and participate in a CAS SSO session.

Note: CAS versions 3.2.1.1 and 3.3.1 are supported. CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
This section includes the following topics:

• "Prerequisites"
• "CAS protocol extension"
• "Specify bannerValidate parameters"
• "Returned bannerValidate responses"
• "Configure the CAS server"
• "CAS managed services"
Prerequisites
Before implementing CAS with UDCIdentifier, the following prerequisites must be met:

• The identity repository used by the CAS server must be UDCIdentifier-aware.
• You must have an understanding of the CAS protocol (2.0) and architecture (3.2).
CAS protocol extension
SunGard Higher Education uses the CAS attribute assertion features to assert additional identity attributes. The SunGard Higher Education CAS protocol is implemented by adding a validation service (bannerValidate) to the CAS server.

Note: The bannerValidate service is similar to the serviceValidate feature available in the JA-SIG CAS server reference implementation.

Upon successful CAS authentication, the CAS client validation filter calls the bannerValidate service to get information for the enterprise user. The service checks the validity of a service ticket and returns a UDCIdentity XML fragment as the response.

Note: The bannerValidate service does not generate or issue proxy-granting tickets when requested, and it must not return a successful authentication if it receives a proxy ticket. This matters because any service marked "Allowed to Proxy" in the CAS managed services can obtain proxy tickets for other services; if bannerValidate accepted them, such a service could act as the user towards Banner.
Specify bannerValidate parameters

The following HTTP request parameters must be specified to the bannerValidate service. The parameter names are case sensitive and are handled by bannerValidate.

Parameter   Description
BANNER-SV   Identifier of the service for which the CAS ticket was issued. Refer to section 2.2 of the JA-SIG CAS protocol for information pertaining to the login.
BANNER-ST   Service ticket issued by the CAS login service when a client presents credentials. A service ticket is an opaque string that the client uses as a credential to obtain access to a service.

Returned bannerValidate responses

The bannerValidate service returns one of the following three responses:

• If the ticket validation is successful, the following XML-formatted response is returned:

<urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>maldevl5.sct.com/cas-client-31/authorized/bannerSelfService</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>

• If the UDC_IDENTIFIER is not asserted as part of the validation response, an AssertionValidation error is returned.

• If the ticket validation fails, an HTTP 401 error code is returned.

The CAS server asserts the following attributes:

Attribute        Location in response
UDC_IDENTIFIER   UDCIdentity/UDCIdentifier
CAS Net ID       UDCIdentity/LogonID

Configure the CAS server

The Luminis Platform CAS server must be configured to extend the basic CAS services to support the bannerValidate service. This service is configured to retrieve UDC_IDENTIFIER data from your LDAP directory.

If the Luminis Platform CAS server was installed using the Luminis Installer, support for the bannerValidate service has been configured automatically. If you are using an externally managed CAS server, as described in the Luminis Platform Installation Guide, you must manually configure the CAS server to support the bannerValidate service by following the steps outlined in the "Configure the CAS Server" appendix.

CAS managed services

The following are the primary CAS managed services. Some or all of these services may already exist on your CAS managed services page after the initial installation of Luminis. The CAS managed services page is found at the following location:

https://<casservername>:<port>/cas-web/services/manage.html

A typical Luminis/CAS installation requires at least the following CAS-managed services:

• https://<casservername>:<https port>/cas-web/services
For this service, select the uid attribute and check the Enabled, Allowed to Proxy and SSO Participant check boxes.

• The Admin server login URL: https://<luminisservername>:<https port>/c/portal/login
A separate /c/portal/login service URL must be defined for each Luminis Platform hostname, such as the Admin and Portal tiers, or the virtual hostname if that is the URL end users use to access the service. This service does not require any attributes. Recommended Status check boxes are Enabled, Allowed to Proxy and SSO Participant.

• The Admin server banner-cas-client URL: https://<adminservername>:<https port>/banner-cas-client/authorized/banner
A separate banner-cas-client/authorized/banner service URL must be defined for each Luminis Platform instance (Admin and Portal tiers, or the virtual hostname if end users use that URL to access the service in question). Mark the Enabled and SSO Participant check boxes and select the UDC_IDENTIFIER attribute.

Note: UDC_IDENTIFIER does not appear in the attribute list until the CAS customizations detailed in the "Configuring CAS server to enable bannerValidate" section take effect. A restart of the CAS server is required.

If necessary, edit the CAS managed services that the CAS server protects. Use the following steps to define new CAS managed services if required:

1. Launch a browser and navigate to the CAS server management page at https://<CAS server>:<port>/cas-web/services/manage.html.

2. Supply a valid administrator user name and password obtained from the CAS administrator. The Services Management page is displayed.

3. Click the Add New Service tab in the left corner of the page.

4. Add a new service by entering the fields as exemplified in the table below.

5. Click Save Changes. The CAS server now protects the service that you defined.

Parameter     Description
Name          CAS services
Service URL   https://<cas-server>:<port>/cas-web/services
Description   Protect cas services
Theme Name    Cas
Status        Select Enabled and SSO Participant
Attributes    The service attributes
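The bannerValidate responses described earlier in this section leave the client to enforce several rules: a proxy ticket must never validate, a non-200 status is a failed validation, a response without UDCIdentifier is an AssertionValidation error, and the BANNER-SV echoed in the response must be the service the ticket was requested for. The following is an added example of that client-side handling, not code from the guide, from BEIS or from the JA-SIG CAS client. It assumes the namespace URI as shown in the sample response above, uses the "ST-"/"PT-" ticket prefixes of the CAS 2.0 protocol to tell service tickets from proxy tickets, and embeds a copy of the sample response as constructed test input.

```python
import xml.etree.ElementTree as ET

# Namespace as given in the sample bannerValidate response above (assumed to be exact)
NS = "urn:sungardhe:enterprise:domain:identity:1.0"

SAMPLE_SERVICE = "maldevl5.sct.com/cas-client-31/authorized/bannerSelfService"

# Constructed from the guide's sample response
SAMPLE_RESPONSE = f"""<urn:UDCIdentity xmlns:urn="{NS}">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>{SAMPLE_SERVICE}</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>"""


class TicketValidationError(Exception):
    """The ticket was rejected; this is the HTTP 401 case."""


class AssertionValidationError(Exception):
    """The ticket validated but the identity assertion cannot be used."""


def _q(local):
    """Clark notation for an element in the UDCIdentity namespace."""
    return "{%s}%s" % (NS, local)


def parse_udc_identity(body):
    """Parse a UDCIdentity fragment; UDCIdentifier is mandatory, everything else optional."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise AssertionValidationError("response is not well-formed XML") from exc
    if root.tag != _q("UDCIdentity"):
        raise AssertionValidationError("unexpected root element %r" % root.tag)
    udc = (root.findtext(_q("UDCIdentifier")) or "").strip()
    if not udc:
        raise AssertionValidationError("UDC_IDENTIFIER not asserted")
    attrs = {}
    for attr in root.iterfind("%s/%s" % (_q("Extension"), _q("Attribute"))):
        name = attr.findtext(_q("name"))
        if name:
            attrs[name] = (attr.findtext(_q("value")) or "").strip()
    logon = (root.findtext(_q("LogonID")) or "").strip()
    return {"udc_identifier": udc, "logon_id": logon, "attributes": attrs}


def validate_banner_ticket(service, ticket, status, body):
    """Return the asserted identity for (service, ticket), or raise one of the errors above."""
    # bannerValidate must not accept proxy tickets; refuse anything that is not a service ticket
    if not ticket.startswith("ST-"):
        raise TicketValidationError("only service tickets are accepted: %r" % ticket)
    if status != 200:
        raise TicketValidationError("bannerValidate returned HTTP %d" % status)
    identity = parse_udc_identity(body)
    # The echoed BANNER-SV must be the service this ticket was issued for
    if identity["attributes"].get("BANNER-SV") != service:
        raise AssertionValidationError("BANNER-SV does not match the requested service")
    return identity


def classify(service, ticket, status, body):
    """Reduce the outcome to 'ok', 'ticket-rejected' or 'assertion-rejected' for logging."""
    try:
        validate_banner_ticket(service, ticket, status, body)
    except TicketValidationError:
        return "ticket-rejected"
    except AssertionValidationError:
        return "assertion-rejected"
    return "ok"


if __name__ == "__main__":
    print(validate_banner_ticket(SAMPLE_SERVICE, "ST-1-abc", 200, SAMPLE_RESPONSE))
    print(classify(SAMPLE_SERVICE, "PT-1-abc", 200, SAMPLE_RESPONSE))
```

In a deployed client the body and status would come from the HTTPS call to bannerValidate with BANNER-SV and BANNER-ST as request parameters; the checks are the same.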
Banner CAS client configuration
Once the CAS server is configured to support Banner Enterprise Identity Services we can configure Internet-native Banner and Banner Self-Service to participate in a CAS Single Sign-On (SSO) session This is accomplished when you deploy the Banner CAS Client Web application in the Admin server and the Portal server This application proxies the CAS authentication process to the Banner SSO proxy Web applications that support Internet-native Banner and Banner Self-Service The application is only required in a CAS-based environment
Use the following steps to install and configure the Banner CAS Client Web application
1 After you deploy the banner-cas-client version supplied with Banner Enterprise Identify Services for the Luminis Platform Admin and Portal instances modify the following parameters in the $CP_ROOTproductstomcattomcat-ltportal|admingtwebapps banner-cas-clientWEB_INFclassescas-propertiescas-clientproperties file
Parameter                     Description
banner.sso.gateway            URL to the Banner SSO Web Proxy, which is part of the Banner Identity Gateway deployment.
cas.server.gateway            Determines whether the login screen is displayed to the user. The default is false.
cas.server.renew              Determines whether users must log in to each application. If set to true, users must log in to each application regardless of whether an SSO session was established; use this setting if users are allowed to log in to another application within the SSO realm without providing credentials again. If set to false, users do not need to log in to each application if an SSO session was established; use this setting for general use.
cas.server.url                URL to the CAS server. Generally this is a secured container, meaning the URL should begin with https://.
cas.server.proxyCallbackUrl   Server proxy callback URL, which should point to the CAS server and port.
cas.client.serverName         Client server address, which consists of the fully qualified server name and port where the application is running. Note: this should include the SSL port number.
cas.client.proxyCallbackUrl   Client proxy callback URL, which should point to the server and port where the client application is running. Note: this should include the SSL port number.
For example, the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file may appear as follows:
• Admin:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
• Portal:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com:443
• The following three properties are not in use:
cas.server.gateway=false
cas.server.proxyCallbackUrl
cas.client.proxyCallbackUrl
2. Test the Web application by invoking the following URL. This URL should be accessible from all resource and Portal tiers:
http://<Luminis host>:<SSL PORT>/banner-cas-client
The following URLs are used to start Banner in a CAS Single Sign-On environment:
• Internet-native Banner: http://<host>:<port>/banner-cas-client/authorized/banner/OracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/banner/SelfService
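As an added check (example code, not part of the banner-cas-client application or of this guide), the following Python audits a cas-client.properties file for the points the parameter table makes: the CAS server URL must be https, cas.client.serverName and the proxy callback URLs must carry the SSL port, and the two flags must be booleans. It also reports property names that are not in the table, since a misspelled key is simply never read and the intended setting falls back to its default. The sample file contents, the SSL port list (443 and 8443) and the misspelled key are constructed assumptions.

```python
"""Audit a banner-cas-client cas-client.properties file.
Added example; not part of the Luminis Platform or Banner products."""
import configparser
from urllib.parse import urlsplit

# The keys documented in the parameter table; anything else is a misspelling.
KNOWN_KEYS = {
    "banner.sso.gateway", "cas.server.gateway", "cas.server.renew", "cas.server.url",
    "cas.server.proxyCallbackUrl", "cas.client.serverName", "cas.client.proxyCallbackUrl",
}

# Constructed sample mirroring the Admin-tier example in the guide.
SAMPLE_GOOD = """\
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
cas.server.gateway=false
"""

# Constructed sample with three defects: a misspelled key (cas.server.renwe),
# a plain-http CAS URL, and a serverName without its SSL port.
SAMPLE_BAD = """\
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renwe=false
cas.server.url=http://slcsup37.sct.com:8080/cas-web
cas.client.serverName=slcsup37.sct.com
cas.server.gateway=false
"""


def load_properties(text):
    """Read Java-style key=value lines into a dict, keeping key case and '%' literal."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str                    # configparser lowercases keys by default
    cp.read_string("[p]\n" + text)          # properties files have no section header
    return {k: (v or "") for k, v in cp["p"].items()}


def _port_of(hostport):
    """Numeric port of a 'host:port' string, or None when it is missing."""
    _host, sep, port = hostport.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def audit_cas_client(text, ssl_ports=(443, 8443)):
    """Return a list of findings; an empty list means the file passes every check.
    ssl_ports is an assumption: use the SSL port(s) your Tomcat instances listen on."""
    props = load_properties(text)
    findings = []

    for key in sorted(set(props) - KNOWN_KEYS):
        findings.append(f"unknown property {key!r}: probably a typo, the setting is never read")

    if urlsplit(props.get("cas.server.url", "")).scheme != "https":
        findings.append("cas.server.url must use https so the CAS login and ticket "
                        "validation are not exposed in clear text")

    port = _port_of(props.get("cas.client.serverName", ""))
    if port not in ssl_ports:
        findings.append(f"cas.client.serverName must include the SSL port (found {port})")

    for key in ("cas.server.proxyCallbackUrl", "cas.client.proxyCallbackUrl"):
        value = props.get(key, "")
        if value and urlsplit(value).port not in ssl_ports:
            findings.append(f"{key} must point at the SSL port (found {urlsplit(value).port})")

    for key in ("cas.server.gateway", "cas.server.renew"):
        value = props.get(key, "false").lower()
        if value not in ("true", "false"):
            findings.append(f"{key} must be true or false (found {value!r})")
    if props.get("cas.server.gateway", "false").lower() == "true":
        findings.append("cas.server.gateway=true suppresses the CAS login screen; "
                        "the guide's default is false")
    return findings


if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, audit_cas_client(text) or "OK")
```

Run it against the Admin and Portal copies of the file after step 1; the Portal copy differs only in cas.client.serverName, so both should come back clean before you move on to step 2.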
Banner Enterprise Identity Services Configuration Information Tables
The following is a list of tables that store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.
For Identity Data Export Utilities, as with other Web apps, the configuration is stored in the properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory, the files are stored in the following location:
applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties
Schema     Table            Application                          Comments
BNIXMGR    APCONFG          Banner Identity Gateway              Stores application configuration for SSB and INB.
BNIXMGR    WSCONFG          Banner Identity Gateway              Stores configuration for the Open Digital Campus Identity Web Service (Credential service and Ticketing service).
IDENTMGR   T_UDC_PST_LIST   Enterprise Identity Proxy Services   Stores a list of Provisioning Service Targets.
Luminis Banner Web application
This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.
Use the following steps to deploy these portlets:
1. Make the necessary changes to certain properties located in the following folders:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
$CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes
2. The properties that need to be modified with respect to Banner portlets are as follows:
# The URL to access the Banner Portal Servlet
# Example: http://slcban3.sungardhe.com:7778/banportals
providerServlet.url=<URL for the banportals application>
# The user name to secure the servlet
providerServlet.userName=channelAdmin
# The password to secure the servlet
providerServlet.password=u_pick_it
version=development
# The SSB URL for the English locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
# The SSB URL for the French locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
# The SSB URL for the Spanish (Mexican) locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
# The SSB URL for the Arabic locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
# The SSB URL for the Brazilian locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
# The BEIS version: either 8.1.4 for versions that are <= 8.1.4, or 8.1.5
beis.version=8.1.4
# The banner-cas-client URL for SSB, in case BEIS <= 8.1.4 is used
banner.cas.client.ssb=/banner-cas-client/authorized/banner/SelfService
# The banner-cas-client URL for INB, in case BEIS <= 8.1.4 is used
banner.cas.client.inb=/banner-cas-client/authorized/banner/OracleForms?launch_form=
# The SSB URL for SSO Manager, in case BEIS 8.1.5 is used (the pkg parameter has to be the same as configured in SSO Manager)
beis.ssomanager.ssb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/SSB?pkg=
# The INB URL for SSO Manager, in case BEIS 8.1.5 is used
beis.ssomanager.inb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner
The basic model for Luminis Portlets for Banner uses a Web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) application server.
This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server, and modifications to be made to the deployment of the Luminis Platform portlet for Banner server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.
For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki:
http://www.edu1world.org/CommonsLuminis
This section includes the following topics:
• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"
Create the home directory for Luminis Channels for Banner
To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels
Copy the contents of <Banner production directory>/channel/admin to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.
Edit the configuration file
Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following table specifies descriptions and examples of the Banner database connection configuration properties.
Property: connectionName.list
Description: Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName, and so on.
Example: connectionName.list=default or connectionName.list=default,other

Property: default.tnsName
Description: TNS name used when connecting to the Banner database.
Example: default.tnsName=LB70.sct.com

Property: default.userName
Description: Connection pool user name.
Example: default.userName=banproxy

Property: default.password
Description: Connection pool password.
Example: default.password=banproxy

Property: default.poolConfig.min-limit
Description: Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
Example: default.poolConfig.min-limit=1

Property: default.poolConfig.max-limit
Description: Maximum number of physical connections maintained by the pool.
Example: default.poolConfig.max-limit=5

Property: default.poolConfig.increment
Description: Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
Example: default.poolConfig.increment=1

Property: default.poolConfig.timeout
Description: The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is in seconds.
Example: default.poolConfig.timeout=30

Property: log4j.rootCategory
Description: The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.

Property: providerServlet.url
Description: URL to access the Banner portal servlet. This is the URL of the webserver and points to the OC4J servlet, which resides on the webserver machine. The port of 4445 in the example is only an example; you provide the port number that routes you to the welcome page of the webserver, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. See "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.
Example: providerServlet.url=http://<yourservername.com>:4445/banportals

Property: providerServlet.userName
Description: User name to secure the servlet.
Example: providerServlet.userName=channelAdmin

Property: providerServlet.password
Description: Password used to secure the servlet.
Example: providerServlet.password=u_pick_it

Property: xsl-parameter.erpUrlBase
Description: URL for the INB server. Note: if you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL in the example.
Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D

Property: xsl-parameter.urlHostAndPath
Description: URL for the self-service application.
Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD

The recommended value for username is channelAdmin. You can use any value for the password.
This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a channel request, it compares the username and password stored in banportals.ear with the username and password sent by Luminis from the luminis-banner webapp. Thus the providerServlet username and password should only be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user, and so forth.
Generate the banportals.ear file
The banportals.config file contains values that should be inserted into the banportals.ear file.
To roll out the changes, use the banportalsadmin.jar installer file. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager, as described in "Deploy the EAR file" on page 2-15.
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use the Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) server using mapped drives or symbolic links to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the application currently being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
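Step 11 asks that banportals.properties on every Luminis tier match the servlet-side banportals.config, and the "Generate the banportals.ear file" section explains why: the providerServlet user name and password are a shared secret that the OC4J servlet compares on every channel request. As an added example (not product code from Luminis or Banner), this Python cross-checks the two files, reports a mismatch, flags the guide's placeholder password u_pick_it on either side, and notes when providerServlet.url is plain http, because the shared credential then crosses the network unencrypted. The sample file contents are constructed; the https port 4443 and the site password are assumptions.

```python
"""Cross-check the servlet credential shared by the luminis-banner webapp and the
OC4J banportals servlet. Added example; not part of the Luminis Platform or Banner."""
import configparser
from urllib.parse import urlsplit

PLACEHOLDER_PASSWORDS = {"u_pick_it"}   # the stand-in value used throughout the guide

# Constructed sample of banportals.config in CHANNEL_HOME (the servlet side, rolled
# into banportals.ear). The password is an assumed site-specific value.
CHANNEL_HOME_CONFIG = """\
connectionName.list=default
default.tnsName=LB70.sct.com
default.userName=banproxy
default.password=banproxy
providerServlet.userName=channelAdmin
providerServlet.password=s3cr3t-example
"""

# Constructed banportals.properties for an Admin tier that was never customised:
# still the placeholder password, and a plain-http servlet URL.
ADMIN_TIER_PROPS = """\
providerServlet.url=http://slcban3.sungardhe.com:7778/banportals
providerServlet.userName=channelAdmin
providerServlet.password=u_pick_it
"""

# Constructed banportals.properties for a Portal tier that matches the servlet side;
# the https port 4443 is an assumption.
PORTAL_TIER_PROPS = """\
providerServlet.url=https://slcban3.sungardhe.com:4443/banportals
providerServlet.userName=channelAdmin
providerServlet.password=s3cr3t-example
"""


def load_properties(text):
    """Read Java-style key=value lines into a dict, keeping key case and '%' literal."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str                    # do not lowercase keys
    cp.read_string("[p]\n" + text)          # properties files have no section header
    return {k: (v or "") for k, v in cp["p"].items()}


def check_servlet_credentials(channel_config, tier_props):
    """Findings for one Luminis tier's banportals.properties against banportals.config."""
    server = load_properties(channel_config)
    client = load_properties(tier_props)
    findings = []

    for key in ("providerServlet.userName", "providerServlet.password"):
        if server.get(key) != client.get(key):
            findings.append(f"{key} differs between banportals.config and the tier: "
                            "the OC4J servlet will reject every channel request")

    used = {server.get("providerServlet.password"), client.get("providerServlet.password")}
    if used & PLACEHOLDER_PASSWORDS:
        findings.append("providerServlet.password is the guide's placeholder value; "
                        "choose a site-specific secret before generating banportals.ear")

    if urlsplit(client.get("providerServlet.url", "")).scheme != "https":
        findings.append("providerServlet.url is not https: the shared credential is sent "
                        "with every request and would cross the network in clear text")
    return findings


if __name__ == "__main__":
    for tier, props in (("admin", ADMIN_TIER_PROPS), ("portal", PORTAL_TIER_PROPS)):
        print(tier, check_servlet_credentials(CHANNEL_HOME_CONFIG, props) or "OK")
```

Because the secret is baked into banportals.ear by banportalsadmin.jar, changing it means regenerating and redeploying the EAR as well as editing every tier's banportals.properties; running this check after each rollout catches a tier that was missed.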
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP username mapping first, based on the GUAUPRF LDAP settings, and then fail over to the mapping set in the Banner GOBEACC mapping. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for use with Banner Integration for e-Learning. It supports Banner Integration for eLearning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ-wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of using the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework Application Server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish OpenMQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the .../imq/instances/imqbroker directory structure including props/config.properties and etc/accesscontrol.properties, and so on.
You may use the older LMB 4.0; Luminis Plat﻿form does not depend on a specific JMS provider, but SunGard Higher Education recommends you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the OpenMQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script meets the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might display as follows:
mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following code to the .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
export SCT_LMG_HOME
3. Copy the lmg4.0.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgX.x.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may display as follows:
java -jar lmg4.0.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne shell script, lp5_mqinit.sh, was developed on Unix and assumes OpenDS LDAP resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects, such as topics, queues and connection factories, in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:
• Environmental settings:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use the imq.portmapper.port, which has a default value of 7676:
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache. MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181:
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel, by definition, requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the last property, imq.log.level, to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis:
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
Custom JMS Clients
Ensure that your JMS clients have the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the clients' requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ or Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.
In most cases installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server:
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1. Before running asadmin for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2. Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps.
Note: The imqusermgr command creates users in the file-system based user repository, but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details, or contact the Luminis-Integration ActionLine for additional help.
3.1. If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2. In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default, the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
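The two telnet listings above are the evidence that the static port change took effect. As an added example (not part of Open MQ, GlassFish or this guide), this Python parses that portmapper banner and checks it against the ports written into config.properties, and also lists any tcp listener still on an ephemeral port, which a firewall rule cannot pin down. The sample banner is constructed from the second listing above with the host name replaced by mq.example.edu and the session id shortened.

```python
"""Parse the Open MQ portmapper banner and verify pinned static ports.
Added example; not part of Open MQ, GlassFish, or this guide."""
import re

# Constructed from the second listing above: host name replaced by mq.example.edu,
# session id shortened, everything else as the broker prints it.
SAMPLE_PORTMAPPER = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=0]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://mq.example.edu/jndi/rmi://mq.example.edu:8686/mq.example.edu/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""

# The ports the section pins in config.properties (imq.admin.tcp.port, imq.jms.tcp.port).
EXPECTED_STATIC = {"admin": 7574, "jms": 7575}

# <service> <protocol> <service type> <port> [optional bracketed key=value attributes]
LINE = re.compile(r"^(?P<service>\S+)\s+(?P<protocol>\S+)\s+(?P<stype>\S+)\s+(?P<port>\d+)"
                  r"(?:\s+\[(?P<attrs>.*)\])?$")


def parse_portmapper(text):
    """Return {service: {"protocol", "type", "port", "attrs"}}; the first line
    ('101 <broker> <version>') is the protocol header and is skipped."""
    services = {}
    for line in text.splitlines()[1:]:
        m = LINE.match(line.strip())
        if m is None:
            continue                      # trailing '.' or 'Connection closed' lines
        attrs = {}
        for item in (m["attrs"] or "").split(","):
            key, sep, value = item.partition("=")
            if sep:
                attrs[key] = value
        services[m["service"]] = {"protocol": m["protocol"], "type": m["stype"],
                                  "port": int(m["port"]), "attrs": attrs}
    return services


def check_static_ports(services, expected=EXPECTED_STATIC):
    """Findings: a pinned service missing or on another port, then every other tcp
    listener that is still on a dynamic port (a firewall rule cannot pin those)."""
    findings = []
    for name, port in expected.items():
        svc = services.get(name)
        if svc is None:
            findings.append(f"{name}: service not advertised by the portmapper")
        elif svc["port"] != port:
            findings.append(f"{name}: advertised on {svc['port']}, expected static port {port}")
    for name, svc in services.items():
        if (svc["protocol"] == "tcp" and name not in expected
                and name != "portmapper" and svc["port"] != 0):
            findings.append(f"{name}: tcp listener on dynamic port {svc['port']}")
    return findings


if __name__ == "__main__":
    for finding in check_static_ports(parse_portmapper(SAMPLE_PORTMAPPER)) or ["all pinned"]:
        print(finding)
```

Feed it the text captured from the telnet session (or from a scripted connection to port 7676); with the sample it reports only the cluster service, which the section does not pin, and it would report the admin and jms services if the broker had not picked up the new config.properties values after the restart.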
Note: If you have not installed Luminis Platform yet, these JMS settings go in your setup.properties instead.
If Luminis Platform was installed with the default setting of jmsenabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.
For example, the settings may appear as follows:
    com.sghe.luminis.jms.type=sun
    isMessageBrokerEnabled=true
    com.sghe.luminis.imqConnectionPrincipal=<jms userid>
    com.sghe.luminis.imqConnectionCredentials=<jms password>
    com.sghe.luminis.imqBrokerHostName=<jms host>
    com.sghe.luminis.imqAddressList=mq://<jms host>:7676/jms
The broker credentials are stored in clear text in this file, so keep bootstrap.properties readable only by the account that runs Tomcat.
5. GlassFish Enterprise Server should be installed, with the JMS and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
    cd <glassfish>/mq/bin
    imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
    imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
    <jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
      <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
    </jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any imqcmd commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is held in the GOBUMAP table, PIDM <-> SPRIDEN ID mappings in the SPRIDEN table, and PIDM <-> INB (Oracle) login mappings in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP authentication layer is not needed beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely on the user's Banner Oracle INB ID, or on the BANPROXY proxy ID, to gather data from Oracle and stream it back via the portlets. No additional LDAP authentication or SPRIDEN ID lookup against LDAP is involved in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorizedbanner, trust the initial CAS ticket (as in the Luminis CAS login on port 8447) coupled with the assertion of the UDC ID in the configured cookie and header. Because SSB and INB act on that asserted value, make sure the cookie and header names agree on both sides and that the Banner endpoints are reached only through the gateway that sets them.
Luminis Portlets for Banner add database-level security through banportals for each transaction, using the user's actual INB/Oracle user account or, by proxy, BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP from his UDC ID to a valid PIDM, and does the user have a UDC ID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations; the domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the BASELINE user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run dsconfig from $CP_ROOT/products/opends/bin as follows:
    dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select "Add one or more values".
1.4 Enter the DN. For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter "Use these values".
1.7 Press F to finish and apply the changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
    ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications.ldif" sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
    import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
The password shown (pipeline) is the delivered default. Use your own Directory Manager password, and prefer supplying it with -j <password file> rather than -w so that it does not appear in the process list or in shell history.
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence; for any user without an explicit usermap, the default Oracle ID (usually BANPROXY) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection for self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for INB channels such as the My Banner channel the GOBEACC mapping does not apply; instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and is encrypted with DES through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key (password) to perform the encryption. DES has only a 56-bit effective key and DBMS_OBFUSCATION_TOOLKIT is deprecated in current Oracle releases, so the protection of the Directory Manager credential rests largely on keeping the enckey file and the GUAUPRF rows out of reach of anyone other than the database owner.
Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in DBA_DIRECTORIES and the physical directory has not been created on your database server, you must create it using the following steps. Make sure the group permissions allow the Oracle software owner to read the file, and nobody else.
1. Create the physical directory on your database server, for example mkdir $BANNER_HOME/key_dir.
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key. (The guide's placeholder is PASSWORD; a real key must satisfy the rules that follow.)
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package uses only the first 24 characters. DES encryption uses only eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step 1. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to copy the file manually from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
    sqlplus /nolog
    connect general/general_password
    start banssodir
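The rules in step 3 are easy to get wrong by hand (a leading space, a seven-character key, letters only). The following shell script is an added example, not part of this guide: it checks an enckey file against those rules, shows the 24 characters GOKKSSO will actually use and the 8 that DES uses, and rejects a file that is readable by everyone, since the file is what protects the Directory Manager password stored in GUAUPRF. It takes the file path as an argument; run it against $BANNER_HOME/key_dir/enckey or a test copy.

```shell
#!/bin/sh
# Added example, not from the guide: validate an enckey file against the
# rules given in step 3 before running banssodir.sql, e.g.
#   check_enckey "$BANNER_HOME/key_dir/enckey"

# enckey_key FILE: the key as GOKKSSO uses it, the first 24 characters of line 1.
enckey_key() {
    head -n 1 "$1" | cut -c1-24
}

# enckey_des_key FILE: the 8 characters the current DES encryption uses.
enckey_des_key() {
    head -n 1 "$1" | cut -c1-8
}

# check_enckey FILE: print one line per problem and return 0 only when the
# file satisfies every rule. Only line 1 matters; the key must begin in column 1.
check_enckey() {
    file=$1
    problems=0
    if [ ! -f "$file" ]; then
        echo "missing file: $file"
        return 1
    fi
    line=$(head -n 1 "$file")
    case $line in
        [[:space:]]*) echo "key does not start in column 1"; problems=1 ;;
    esac
    key=$(printf '%s' "$line" | tr -d '[:space:]')
    len=$(printf '%s' "$key" | wc -c | tr -d ' ')
    if [ "$len" -lt 8 ]; then
        echo "key has $len characters; at least 8 are required"; problems=1
    elif [ $((len % 8)) -ne 0 ]; then
        echo "key length $len is not a multiple of 8"; problems=1
    fi
    case $key in
        *[!A-Za-z0-9]*) echo "key contains characters other than letters and digits"; problems=1 ;;
    esac
    case $key in *[A-Za-z]*) ;; *) echo "key has no letters"; problems=1 ;; esac
    case $key in *[0-9]*) ;; *) echo "key has no digits"; problems=1 ;; esac
    if [ "$len" -gt 24 ]; then
        echo "note: only the first 24 characters ($(enckey_key "$file")) are used"
    fi
    # The file is the secret behind the DES-encrypted Directory Manager
    # password in GUAUPRF: the Oracle owner or its group may read it, others must not.
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $mode in
        *[4567]) echo "file mode $mode is world-readable"; problems=1 ;;
    esac
    return $problems
}
```

A clean run prints nothing and exits 0; anything printed is a reason GOKKSSO will use a different key than you intended, or a reason someone else can read it.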
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the BASELINE user in GUAUPRF), you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user's ID in the Banner database. If a user's IDs are the same in both systems, an entry in this location is neither necessary nor recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value: Luminis ID = jsmith, Oracle/Banner ID = jsmith
• Mapped to one another in LDAP: Luminis ID = JoeSmith, Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs differ from one another. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
    dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
    SCTSSOConfigString: jsmith
    objectClass: top
    objectClass: SCTSSOConfig
    description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
    cn: JoeSmith
2. Import the mapping file into the LDAP server:
    ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
(pipeline is the delivered default Directory Manager password; use your own.)
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner, and the value is cached thereafter. If changes to a particular mapping are made, you must restart the banportals OC4J before the new mapping is read.
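Writing one LDIF entry per user by hand does not scale, and the DN must be escaped if a Luminis ID happens to contain a comma or another RFC 4514 special character. The following shell script is an added example, not part of this guide: it generates usermap entries of the form shown above for a list of Luminis ID / Oracle ID pairs, skips pairs whose IDs already match (the guide says no entry should exist for them), and wraps the OpenDS ldapsearch for the verification step so that the Directory Manager password is read from a file rather than typed on the command line. The mapping list is constructed; the host, port, OPENDS_BIN and DM_PASSWORD_FILE values are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide: generate usermap LDIF for many users and
# verify one mapping. DN and attribute names follow the guide; the mapping
# list is constructed; host/port/password-file values are assumptions.
USERMAP_BASE='o=usermap,o=Banner,o=SCTSSOapplications'

# Constructed input, one "luminis_id oracle_id" pair per line.
SAMPLE_MAPPINGS='JoeSmith jsmith
jdoe jdoe
Mary.Jones mjones'

# dn_escape VALUE: escape the characters RFC 4514 requires inside a DN
# attribute value (\ , + " < > ;). Only the DN needs this; the cn attribute
# line carries the raw value.
dn_escape() {
    printf '%s' "$1" | sed 's/[\\,+"<>;]/\\&/g'
}

# usermap_ldif MAPPINGS: one add-entry per pair whose IDs differ. Pairs with
# identical IDs are skipped because the guide says no entry should exist for them.
usermap_ldif() {
    printf '%s\n' "$1" | while read -r lum ora; do
        if [ -z "$lum" ] || [ "$lum" = "$ora" ]; then
            continue
        fi
        printf 'dn: cn=%s,%s\n' "$(dn_escape "$lum")" "$USERMAP_BASE"
        printf 'objectClass: top\nobjectClass: SCTSSOConfig\n'
        printf 'cn: %s\n' "$lum"
        printf 'SCTSSOConfigString: %s\n' "$ora"
        printf 'description: Map of Luminis ID - %s to Banner/Oracle ID - %s\n\n' "$lum" "$ora"
    done
}

# usermap_count MAPPINGS: number of entries usermap_ldif will produce.
usermap_count() {
    usermap_ldif "$1" | grep -c '^dn: ' || true
}

# usermap_lookup HOST PORT LUMINIS_ID: OpenDS ldapsearch for one mapping.
# The Directory Manager password is read from the file named in
# DM_PASSWORD_FILE (-j) so that it is not visible in ps output or history.
usermap_lookup() {
    "${OPENDS_BIN:-$CP_ROOT/products/opends/bin}/ldapsearch" -h "$1" -p "$2" \
        -D 'cn=Directory Manager' -j "${DM_PASSWORD_FILE:?set DM_PASSWORD_FILE}" \
        -b "$USERMAP_BASE" "(cn=$3)" SCTSSOConfigString
}

# Typical use:
#   usermap_ldif "$SAMPLE_MAPPINGS" > sso_map.ldif
#   ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -j "$DM_PASSWORD_FILE"
#   usermap_lookup ldap.example.edu 389 JoeSmith
```

Remember the caching note above: after importing, wait for the mapping to take effect (or restart banportals) before judging the proxyinfo.sql result.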
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value is displayed as the default value for new users who log in to Banner.
Parameter: Description
BIND_PASSWORD: The password for the bind user. It is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist. The guide binds as the Directory Manager; if your directory allows it, a dedicated account with read access to o=SCTSSOapplications and the user tree meets these requirements with less exposure.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted as an LDAP URL, for example ldap://myldapserver:389.
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are L (LoginID is being used for login mapping) and N (no usermap option is used).
USERMAP_PRFX: Prefix for the usermap. This parameter contains the prefix for the usermap option; the delivered default value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap option is L (logon ID) or N (none).
5. In the S
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education for modifying the CAS server. SunGard Higher Education supports CAS versions 3.2.1.1 and 3.3.1.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
    SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
    SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. In the steps that follow, CAS_EXTENSION stands for that location (for example D:\Banner_IdM_Extension) and SGHE_CAS_SERVER for the Luminis Platform CAS server location, $CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war.
4. To configure the CAS server to enable the bannerValidate service, first copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib, then complete the steps below.
    jsr173_1.0_api.jar
    sghe_udc_identity_xmlbeans_binding.jar
    sghe-cas-ext.jar
    xbean.jar
    xercesImpl.jar
    xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by adding the following servlet mapping to it:
    <servlet-mapping>
      <servlet-name>cas</servlet-name>
      <url-pattern>/bannerValidate</url-pattern>
    </servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the util:map with id uniqueIdGeneratorsMap:
    <entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
    <bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
    </bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
    <util:list id="argumentExtractors">
      <ref bean="BannerArgumentExtractor" />
      <ref bean="casArgumentExtractor" />
      <ref bean="samlArgumentExtractor" />
    </util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following XML configuration:
    <bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
        p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
        p:centralAuthenticationService-ref="centralAuthenticationService"
        p:proxyHandler-ref="proxy20Handler"
        p:argumentExtractor-ref="BannerArgumentExtractor"
        p:successView="bannerAccountServiceSuccessView"
        p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
    <prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
    <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="query" value="(uid={0})" />
      <property name="contextSource" ref="contextSource" />
      <property name="ldapAttributesToPortalAttributes">
        <map>
          <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
          <entry key="uid" value="uid" />
          <entry key="udcid" value="UDC_IDENTIFIER" />
          <entry key="cn" value="cn" />
          <entry key="givenname" value="Formatted Name" />
          <entry key="mail" value="EmailAddress" />
        </map>
      </property>
    </bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
    <property name="authenticationMetaDataPopulators">
      <list>
        <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
          <property name="template" ref="LdapTemplate" />
          <property name="netIdAttr" value="uid" />
          <property name="baseDN" value="ou=People,o=cp" />
          <property name="casTokenAttributes">
            <map>
              <entry>
                <key><value>udcid</value></key>
                <value>UDC_IDENTIFIER</value>
              </entry>
            </map>
          </property>
        </bean>
      </list>
    </property>
4.5.3 Add the following bean definitions under the beans root element:
    <bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
      <property name="contextSource" ref="contextSource"></property>
    </bean>
    <bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
      <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
    </bean>
    <bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
      <property name="template" ref="LdapTemplate"></property>
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="samlToLdapAttributeNameMap">
        <map>
          <entry key="UDC_IDENTIFIER" value="udcid" />
          <entry key="Formatted Name" value="sn" />
        </map>
      </property>
    </bean>
    <bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
    # Banner Applications Views
    bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
    bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4. The bannerValidate endpoint releases UDC_IDENTIFIER to whichever service validates the ticket, so register only the Banner service URLs that need it.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To raise banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
    log4j.appender.stdout=org.apache.log4j.ConsoleAppender
    log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
    log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
    log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
    log4j.appender.logfile.append=True
    log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
    log4j.appender.logfile.MaxBackupIndex=10
    log4j.appender.logfile.MaxFileSize=1MB
    log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
    log4j.appender.logfile=org.apache.log4j.RollingFileAppender
    log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties:
    log4j.logger.com.sct.bannerportals=DEBUG, file
    log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level; DEBUG output is voluminous and can include identifiers you would not otherwise keep in long-lived log files.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
    [/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
    ./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
    ./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
    ./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
    ./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
    ./log/identity_data_export_utilities.log
    ./log/BEIS_default_island_1/default-web-access.log
    ./log/BEIS_default_island_1/server.log
    ./log/BEIS_default_island_1/global-application.log
    ./log/BEIS_default_island_1/rmi.log
    ./log/BEIS_default_island_1/jms.log
    ./log/spml_publisher_failure.log
    ./log/sqlnet.log
For HTTP-layer monitoring, reference the files in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure them.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (delivered login ias_admin/manager1; change that password before the port is reachable from anywhere but the admin network). Through this interface you can stop, start, and restart individual containers such as the OC4J containers, which are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following file:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Other GlassFish server-level logging is adjusted in /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties.
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
    # JMS Appender
    log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
    log4j.appender.jms=org.apache.log4j.RollingFileAppender
    log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
    log4j.appender.jms.layout=org.apache.log4j.PatternLayout
    log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
    log4j.appender.jms.MaxFileSize=10MB
    log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
    $SCT_LMG_HOME/Events/logs/adapter.log
    $SCT_LMG_HOME/Events/logs/ldi_event_data.log
    $SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
    log4j.rootCategory=DEBUG
    log4j.category.com=DEBUG, out
    log4j.category.com.sctcorp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and, after reproducing the issue, capture the logs listed above. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
    2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
    2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
    2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to /_onlineCoursePublisher
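When chasing an event through these logs you usually start with one Event Sequence number from GOAEQRM and a few thousand adapter.log lines. The following shell script is an added example, not part of this guide or of the LMG product: from the lines the guide lists for a successful run it classifies an event ID as published, validated only, failed or absent, computes the delay between XML validation and publication, and summarises every event seen in the log. The log excerpt inside it is constructed, and the wording of the ERROR line is invented for the example.

```shell
#!/bin/sh
# Added example, not from the guide: follow one GOAEQRM Event Sequence number
# through LMG adapter.log text. The log below is a constructed sample in the
# format the guide shows; the ERROR line's wording is invented.
SAMPLE_ADAPTER_LOG='2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to /_onlineCoursePublisher
2010-07-12 05:14:02,114 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:03,007 [Thread-1] ERROR events.com.sctcorp.events.MessageAdapter - Message 370661 could not be published: javax.jms.JMSException: Connection refused'

# event_lines LOG EVENT_ID: only the lines that mention this event ID as a
# whole word, so 37066 does not match 370660.
event_lines() {
    printf '%s\n' "$1" | grep -w -- "$2" || true
}

# event_status LOG EVENT_ID: published | failed | validated | absent.
# "published" requires the MessageAdapter line the guide shows for a
# successful run; "validated" means LMG accepted the XML but never published it.
event_status() {
    lines=$(event_lines "$1" "$2")
    if [ -z "$lines" ]; then
        echo absent
    elif printf '%s\n' "$lines" | grep -q "Message $2 published to Luminis Message Broker"; then
        echo published
    elif printf '%s\n' "$lines" | grep -q ' ERROR '; then
        echo failed
    elif printf '%s\n' "$lines" | grep -q "XML for $2 is a valid document"; then
        echo validated
    else
        echo unknown
    fi
}

# event_latency_ms LOG EVENT_ID: milliseconds from "XML ... is a valid
# document" to "Message ... published"; prints nothing if either is missing.
event_latency_ms() {
    printf '%s\n' "$1" | awk -v id="$2" '
        function ms(ts,  a, b) {
            split(ts, a, ":"); split(a[3], b, ",")
            return ((a[1] * 60 + a[2]) * 60 + b[1]) * 1000 + b[2]
        }
        $0 ~ ("XML for " id " is a valid document") { start = ms($2); seen = 1 }
        seen && $0 ~ ("Message " id " published to Luminis Message Broker") { print ms($2) - start; exit }'
}

# event_summary LOG: one "id status" line per event ID that reached XML validation.
event_summary() {
    for id in $(printf '%s\n' "$1" | sed -n 's/.*XML for \([0-9][0-9]*\) is a valid document.*/\1/p' | sort -u); do
        printf '%s %s\n' "$id" "$(event_status "$1" "$id")"
    done
}

# Usage against a real log:
#   event_summary "$(cat "$SCT_LMG_HOME/Events/logs/adapter.log")"
#   event_status "$(cat "$SCT_LMG_HOME/Events/logs/adapter.log")" 370660
```

An event that reports validated for more than a few seconds, or failed, is the one to take to the MQ broker logs described in the next section.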
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log.
2. To enable debug for those logs, run the following command:
    imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
    imq.log.level=DEBUG
3. To change the destination directory and file name for the MQ log, add or edit the following properties:
    imq.log.file.dirpath=/opt/luminis/logs
    imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script. The call returns the proxy password in variable f; the line that would print it is commented out and should stay that way, because the script spools everything it prints to proxyinfo.lst.
    --------------------------------------------------------------
    -- PROXYINFO.SQL
    --------------------------------------------------------------
    -- This script can be used to determine what Oracle ID is
    -- connected to a specific Luminis ID. When run, it will
    -- prompt you to enter a Luminis ID. If a generic Oracle ID
    -- such as INTEGMGR or WWW_USER is returned, then there was
    -- no mapping found and the default is used.
    --------------------------------------------------------------
    --------------------------------------------------------------
    -- Program Usage
    -- ___________________________________________________________
    -- To use the program:
    -- 1) log in to SQL*Plus as BANINST1
    -- 2) Type "start proxyinfo"
    --    to run the program
    --------------------------------------------------------------
    --------------------------------------------------------------
    -- Audit Trail 1.0
    -- ___________________________________________________________
    -- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
    --
    -- Audit Trail 1.1
    -- ___________________________________________________________
    -- 1. Update. TH 06-APR-07
    --    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
    --------------------------------------------------------------
    set serveroutput on scan on
    spool proxyinfo.lst
    declare
      a varchar2(200) := 'CHANNEL';
      b varchar2(200) := 'LUMINIS';
      c varchar2(200) := '&Luminis_ID';
      d varchar2(200);
      e varchar2(200);
      f varchar2(200);
      z varchar2(200);
    begin
      dbms_output.put_line('Call G$_Get_Proxy_Info');
      gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
      dbms_output.put_line(' Role: ' || e);
      -- dbms_output.put_line(' PWD: ' || f);
      dbms_output.put_line(' Luminis User: ' || c);
      dbms_output.put_line(' Oracle User: ' || d);
    end;
    /
    spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif (the OID placeholder is the same SCTSSOConfigString-oid used in the other schema files):
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1.…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
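The structure above is a two-level lookup: the cn=UserMapDN entry under o=config points (through SCTSSOConfigString) at the container that holds one SCTSSOConfig entry per Luminis user, and that entry's SCTSSOConfigString names the Banner/Oracle user. The following Python is an added example, not part of the guide or of Luminis: it parses a trimmed, inline copy of the sample LDIF above, follows the UserMapDN indirection and resolves a Luminis ID to the mapped Oracle user, returning a caller-supplied default when no mapping exists (the same "generic ID such as INTEGMGR" outcome the proxyinfo.sql header describes). The Luminis ID is RFC 4514-escaped before it is placed in the RDN, so an ID containing commas or equals signs cannot be matched against a different entry. The parser, the escaping helper and the default user name are the example's own.

```python
import base64
from typing import Dict, List

# Trimmed copy of the guide's sample o=sctssoapplications.ldif (constructed here):
# only the entries the lookup needs, with one folded line to exercise unfolding.
SAMPLE_LDIF = """version: 1

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
"""

Entry = Dict[str, List[str]]
USERMAP_POINTER_DN = "cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications"


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF content-record parser -> {dn.lower(): {attr.lower(): [values]}}.

    Unfolds continuation lines (leading single space), skips comments and the
    'version:' line, and decodes base64 values written in the 'attr:: b64' form.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding: drop the one leading space
        else:
            lines.append(raw)

    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in lines + [""]:             # trailing blank flushes the last record
        if not line.strip():
            if "dn" in current:
                entries[current["dn"][0].lower()] = current
            current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):         # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping so a Luminis ID is matched as one RDN, never as extra DN components."""
    escaped = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if escaped.startswith((" ", "#")):
        escaped = "\\" + escaped
    if escaped.endswith(" ") and not escaped.endswith("\\ "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def resolve_banner_user(entries: Dict[str, Entry], luminis_id: str,
                        default_user: str = "INTEGMGR") -> str:
    """Follow UserMapDN to the usermap container and return the mapped Oracle user.

    With no mapping entry the default is returned, which is the "generic ID such
    as INTEGMGR" outcome the proxyinfo.sql header comment describes.
    """
    pointer = entries.get(USERMAP_POINTER_DN.lower())
    if pointer is None or not pointer.get("sctssoconfigstring"):
        return default_user
    usermap_base = pointer["sctssoconfigstring"][0]
    mapping = entries.get(f"cn={escape_rdn_value(luminis_id)},{usermap_base}".lower())
    if mapping is None:
        return default_user
    classes = [c.lower() for c in mapping.get("objectclass", [])]
    if "sctssoconfig" not in classes or not mapping.get("sctssoconfigstring"):
        return default_user
    return mapping["sctssoconfigstring"][0]


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for who in ("kyle", "610009611", "nobody"):
        print(f"{who} -> {resolve_banner_user(directory, who)}")
```

Running the block prints the two mapped users as saisusr and the unknown ID as INTEGMGR; the same logic applied to a real export of o=SCTSSOapplications gives a quick offline cross-check of what proxyinfo.sql reports from the database side.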
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below:
#!/bin/bash
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# The script relies on bash features ([[ ]], (( )), read -s), so it is
# run under bash rather than a strict POSIX /bin/sh.
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
#VERBOSE="--verbose"

# User-configurable variables, before running script:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized:
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable.
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate script already ran:
      #   err=20 generally means "Attribute or Value Exists"
      #   err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break 2 ;;
          * )   echo "Failed on step $STEPNO with error $ERRORCODE"
                exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun):
        echo "Outer loop break"
        break ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start.
# Does $OPENDS_DIR exist and is it writable?
if [[ ! -d "$OPENDS_DIR" || ! -w "$OPENDS_DIR" ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for DM password.
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Note: -w places the password on the command line, where it is visible in
# process listings; the OpenDS tools also accept --bindPasswordFile.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options.
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot.
cd "$CP_ROOT/products/opends/bin" || exit 1
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
# (The acl label is only a name; the grant is the allow clause that follows it.)
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands.
# Note: the Directory Manager credential is sent over the non-TLS LDAP port here.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options:
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options:
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
# (The lookup names are single-quoted so the shell does not expand the "$" in them.)
cd "$MQ_HOME/bin" || exit 1
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration.
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration.
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration.
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# (imqDestinationName matches the UpdateRequest queue created above; the printed
# listing repeated com_sct_ldi_sis_Sync here, which is the topic from step 13.)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration.
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
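STEP 2 of the script switches on ds-cfg-allow-pre-encoded-passwords so that the userPassword values in STEP 6 and STEP 7 can be supplied already hashed, in the LDIF "userPassword::" base64 form shown in the STEP 6 comment, instead of as the cleartext held in MQ_LMG_USER_PW and MQ_LUM_USER_PW. The following Python is an added example, not part of the guide or of the lp5_mqinit.sh script: it decodes that quoted LDIF value far enough to show its {SSHA} scheme and salt length, builds a pre-encoded value for a constructed password in the same OpenDS {SSHA} layout (base64 of SHA-1(password || salt) followed by the salt), renders it as an LDIF line, and verifies a candidate password against it. The password and salt are constructed for the example; the page's own value is only inspected, never matched against any password. SALT_LEN is an assumption based on the length of the quoted value.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The pre-encoded value quoted in the script's STEP 6 comment (LDIF 'userPassword::' form).
PAGE_LDIF_VALUE = "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="

SHA1_LEN = 20
SALT_LEN = 8          # assumption: salt length the quoted value carries after its digest


def decode_ldif_value(b64: str) -> str:
    """Decode an LDIF 'attr:: <base64>' value back to the string the server stores."""
    return base64.b64decode(b64).decode("utf-8")


def split_scheme(stored: str) -> Tuple[str, bytes]:
    """Split '{SCHEME}payload' into (SCHEME, raw payload bytes)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value carries no {SCHEME} prefix")
    end = stored.index("}")
    return stored[1:end].upper(), base64.b64decode(stored[end + 1:])


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} value: base64( sha1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, payload = split_scheme(stored)
    if scheme != "SSHA" or len(payload) <= SHA1_LEN:
        return False
    digest, salt = payload[:SHA1_LEN], payload[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_line(attr: str, value: str) -> str:
    """Render a value in the LDIF base64 ('::') form, as the script's comment shows."""
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def describe_page_value() -> Tuple[str, int, int]:
    """Scheme, digest length and salt length of the value quoted in the script."""
    scheme, payload = split_scheme(decode_ldif_value(PAGE_LDIF_VALUE))
    return scheme, SHA1_LEN, len(payload) - SHA1_LEN


if __name__ == "__main__":
    print(describe_page_value())
    # Constructed password and salt; a real run would let ssha_encode draw a random salt.
    pre_encoded = ssha_encode("constructed-example-secret", salt=bytes(range(1, 9)))
    print(ldif_line("userPassword", pre_encoded))
    print(ssha_verify("constructed-example-secret", pre_encoded))
```

The ldif_line output is what belongs in the STEP 6 or STEP 7 heredoc in place of the cleartext userPassword line, so the password never has to sit in the script file. SHA-1 is kept only because that is the scheme the quoted value uses; the same layout applies to the salted SHA-2 schemes OpenDS also offers.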
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center, and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID will be used for a given SPRIDEN ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, described as bansecr in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic, to prevent hijacking and other security breaches. The installation process is manual, to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg, as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE (the closing single quote after IAM_EVENTS_CAPTURE is missing).
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7, located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
Luminis Platform product and setup pre-requisites
Luminis Platform must be installed and operational as a stand-alone application before attempting to integrate with Banner. For information about installing and configuring the CAS server that is included with Luminis Platform, refer to the Luminis Platform 5.0 Installation Guide and the CAS customization steps documented in the Banner Enterprise Identity Services Handbook.
BEIS version 8.1.4 and above support Jasig CAS versions 3.2.1.1, 3.3.1 and 3.4.2. For future Google Apps integration, the CAS server should be configured outside the firewall, in the demilitarized zone.
Integrate Banner and Luminis Platform: Broker and LMG setup
The following is a list of the final products you must install before you can integrate Banner with Luminis Platform:
• Open Message Queue 4.5: Install and configure Open Message Queue 4.5. For more information about installing this program, see "Data-Level Integration and Provisioning" on page 3-1 later in this document. You can also reference the documentation located at http://glassfish.java.net.
• Learning Management Message Gateway: Install and customize, or import, LMG. For more information, see "Learning Message Gateway" on page 3-1.
Test and validate the integration
Once the Banner integration setup has been completed, a Banner user must log in to the system and create a page with an embedded portlet. This page should have a URL such as http://<host>:<port>/banner-cas-client/authorized/bannerSelfService. Invoking this page brings up the Banner Self Service screen.
Success criteria
The successful deployment and configuration of Banner Integration for Luminis Platform is best measured by the resulting ability to authenticate into Luminis Platform and Banner simultaneously, using Central Authentication Service (CAS) to accomplish single sign-on, and to access Banner data and links in the Banner portlets. In addition, the Luminis Platform system should be able to create users and course information in all appropriate content areas, such as the My Courses portlet, whenever a Banner system is updated.
Banner product dependencies
The following components are recommended when configuring the Luminis Platform Banner integration. Please refer to the Banner DC Release Interdependency Matrix for additional options.
• Luminis Platform 5.0.2
• Banner Enterprise Identity Services (BEIS) 8.1.3 or higher
• Banner General 8.4
• Banner Student 8.4.1 or 8.5
• Banner Student Self-Service 8.4.1 or 8.5
• Banner Intcomp 8.0.1
• Web Tailor 8.4 or higher
• Internet Native Banner (INB) configured per the Middle Tier Implementation Guide
• GlassFish Server Open Source Edition 3.1 or higher. This includes Open MQ.
• Banner Channels 8.2 or higher
• Central Authentication Service (CAS) 3.4.2, 3.3.1 or 3.2.1.1
Note: CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
Deployment architecture overview
The deployment model for a fully integrated Banner system, or Luminis Platform portal and CAS server, is illustrated below.
The next few chapters discuss the following topics:
• "Central Authentication Service and Banner Enterprise Identity Services"
• "Data-Level Integration and Provisioning"
• "SSB and INB Integration"
2 Central Authentication Service and Banner Enterprise Identity Services
Central Authentication Service (CAS) is an enterprise Single Sign-On (SSO) solution for Web applications. CAS SSO improves the user experience when running several Web applications that have their own means of authentication. With an SSO solution, users authenticate to one central authentication service and can access other Web applications that have a trust relationship with the central authentication service without a secondary login. For example, if you want to access your portal instance, you are redirected to CAS to log in. CAS authenticates the user credentials and returns a ticket to the browser, which allows access to the portal.
CAS and Banner Enterprise Identity Services (BEIS) are required for the success of single sign-on (SSO) links within Luminis Platform.
This chapter contains the following sections:
• "CAS server configuration for UDCIdentifier"
• "Banner CAS client configuration"
• "Banner Enterprise Identity Services Configuration Information Tables"
• "Luminis Banner Web application"
• "Prepare to Install Luminis Platform Portlets for Banner"
CAS server configuration for UDCIdentifier
This section provides information about configuring the Luminis Platform CAS server to support Banner Enterprise Identity Services (BEIS) or any other SunGard Higher Education products that are UDCIdentifier aware and participate in a CAS SSO session.
Note: CAS versions 3.2.1.1 and 3.3.1 are supported. CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
This section includes the following topics:
• "Prerequisites"
• "CAS protocol extension"
• "Specify bannerValidate parameters"
• "Returned bannerValidate responses"
• "Configure the CAS server"
• "CAS managed services"
Prerequisites
Before implementing CAS with UDCIdentifier, the following prerequisites must be met:
• The identity repository used by the CAS server must be UDCIdentifier aware.
• You must have an understanding of the CAS protocol (2.0) and architecture (3.2).
CAS protocol extension
SunGard Higher Education uses the CAS attribute assertion features to assert additional identity attributes. The SunGard Higher Education CAS protocol is implemented by adding a validation service (bannerValidate) to the CAS server.
Note: The bannerValidate service is similar to the serviceValidate feature available in the JA-SIG CAS server reference implementation.
Upon successful CAS authentication, the CAS client validation filter calls the bannerValidate service to get information for the enterprise user. The service checks the validity of a service ticket and returns a UDCIdentity XML fragment response.
Note: The bannerValidate service does not generate and issue proxy-granting tickets when requested. The bannerValidate service must not return a successful authentication if it receives a proxy ticket.
Specify bannerValidate parameters
The following HTTP request parameters must be specified to the bannerValidate service. These parameters are case sensitive and are handled by bannerValidate.
Parameter   Description
BANNER-SV   Identifier of the service for which the CAS ticket was issued. Refer to the JA-SIG CAS overview, section 2.2 of the CAS protocol, for information pertaining to the login.
BANNER-ST   Service ticket issued by the CAS login service when a client presents credentials. A service ticket is an opaque string that the client uses as a credential to obtain access to a service.
Returned bannerValidate responses
The bannerValidate service returns one of the following three responses:
• If the ticket validation is successful, the following XML-formatted response is returned:
<urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>maldevl5.sct.com/cas-client-3.1/authorized/bannerSelfService</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>
• If the UDC_IDENTIFIER is not asserted as a part of the validation response, an AssertionValidation error is returned.
• If the ticket validation fails, an HTTP 401 error code is returned.
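A CAS client that consumes bannerValidate has to distinguish the same three outcomes listed above. The following Python is an added example, not the guide's or the Banner CAS client's code: it parses the UDCIdentity fragment with the standard library, treats a missing or empty UDCIdentifier as the AssertionValidation case, models the HTTP 401 case through a status code passed in by the caller, and additionally checks that the BANNER-SV attribute in the response names the service this client presented with its ticket, so an assertion issued for one service is not accepted by another. The sample response is the one quoted above; its namespace separators and the punctuation in the BANNER-SV value are reconstructed from the extracted page, and the exception class names and the outcome labels are the example's own.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict

# Namespace of the UDCIdentity fragment; separators reconstructed from the guide's sample.
URN = "urn:sungardhe:enterprise:domain:identity:1.0"
NS = {"urn": URN}

# Successful bannerValidate response as quoted in the guide (punctuation reconstructed).
SAMPLE_RESPONSE = f"""<urn:UDCIdentity xmlns:urn="{URN}">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>maldevl5.sct.com/cas-client-3.1/authorized/bannerSelfService</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>"""


class AssertionValidationError(Exception):
    """No UDC_IDENTIFIER asserted, or the response is otherwise unusable."""


class TicketValidationError(Exception):
    """bannerValidate rejected the service ticket (HTTP 401)."""


@dataclass(frozen=True)
class UDCIdentity:
    udc_identifier: str
    logon_id: str
    attributes: Dict[str, str]


def parse_udc_identity(xml_text: str) -> UDCIdentity:
    """Parse the UDCIdentity fragment and enforce the UDC_IDENTIFIER assertion rule."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise AssertionValidationError(f"unparseable response: {exc}") from exc
    if root.tag != f"{{{URN}}}UDCIdentity":
        raise AssertionValidationError(f"unexpected root element {root.tag}")

    ident = root.findtext("urn:UDCIdentifier", default="", namespaces=NS).strip()
    if not ident:
        # The guide: no UDC_IDENTIFIER asserted -> AssertionValidation error.
        raise AssertionValidationError("UDC_IDENTIFIER not asserted in validation response")
    logon = root.findtext("urn:LogonID", default="", namespaces=NS).strip()

    attrs: Dict[str, str] = {}
    for attr in root.findall("urn:Extension/urn:Attribute", NS):
        name = attr.findtext("urn:name", default="", namespaces=NS).strip()
        value = attr.findtext("urn:value", default="", namespaces=NS).strip()
        if name:
            attrs[name] = value
    return UDCIdentity(ident, logon, attrs)


def validate_banner_response(status: int, body: str, expected_service: str) -> UDCIdentity:
    """Apply the client-side outcome rules for one bannerValidate call.

    status            HTTP status returned by bannerValidate (401 = ticket rejected)
    body              response body (the UDCIdentity fragment on success)
    expected_service  the BANNER-SV value this client sent alongside BANNER-ST
    """
    if status == 401:
        raise TicketValidationError("bannerValidate rejected the service ticket")
    if status != 200:
        raise AssertionValidationError(f"unexpected HTTP status {status}")
    identity = parse_udc_identity(body)
    # Bind the assertion to the service it was issued for: a response carrying a
    # different BANNER-SV must not be accepted by this client.
    if identity.attributes.get("BANNER-SV") != expected_service:
        raise AssertionValidationError("BANNER-SV in response does not match requested service")
    return identity


def outcome(status: int, body: str, expected_service: str) -> str:
    """Collapse the three documented outcomes into a label (useful for logging)."""
    try:
        validate_banner_response(status, body, expected_service)
        return "ok"
    except TicketValidationError:
        return "ticket-rejected"
    except AssertionValidationError:
        return "assertion-failed"


if __name__ == "__main__":
    svc = "maldevl5.sct.com/cas-client-3.1/authorized/bannerSelfService"
    who = validate_banner_response(200, SAMPLE_RESPONSE, svc)
    print(who.logon_id, who.udc_identifier, outcome(401, "", svc))
```

The BANNER-SV comparison is the client-side counterpart of the server rule that bannerValidate must not succeed for a proxy ticket: both keep an assertion from being honoured outside the service it was issued for.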
The CAS server asserts the following attributes:
Attribute        Location in Response
UDC_IDENTIFIER   UDCIdentity/UDCIdentifier
CAS Net ID       UDCIdentity/LogonID
Configure the CAS server
The Luminis Platform CAS server must be configured to extend the basic CAS services to support the bannerValidate service. This service is configured to retrieve UDC_IDENTIFIER data from your LDAP directory.
If the Luminis Platform CAS server was installed using the Luminis Installer, support for the bannerValidate service has been automatically configured. If you are using an externally managed CAS server, as described in the Luminis Platform Installation Guide, then you must manually configure the CAS server to support the bannerValidate service by following the steps outlined in the "Configure the CAS Server" appendix.
CAS managed services
The following are the primary CAS managed services. Some or all of these services may already exist in your CAS managed services page after the initial installation of Luminis. The CAS managed services page is found at the following location:
https://<cas server name>:<port>/cas-web/services/manage.html
• A typical Luminis/CAS installation would require at least the following CAS-managed service:
https://<cas server name>:<https port>/cas-web/services
For this service, select the uid attribute and check the Enabled, Allowed to Proxy and SSO Participant check boxes.
• The Admin server login URL would display as follows:
https://<luminis server name>:<https port>/c/portal/login
A separate c/portal/login service URL needs to be defined for each Luminis Platform hostname, such as the Admin and Portal tiers, or a virtual hostname if that is the URL being used by end users to access the service. This service does not require any attributes. Recommended Status check boxes are Enabled, Allowed to Proxy and SSO Participant.
• The Admin server banner-cas-client URL should display as follows:
https://<admin server name>:<https port>/banner-cas-client/authorized/banner
A separate banner-cas-client/authorized/banner service URL needs to be defined for each Luminis Platform instance (the Admin and Portal tiers, or the virtual hostname if end users are using that URL to access the service in question). Mark the Enabled and SSO Participant check boxes and select the UDC_IDENTIFIER attribute.
NoteUDC_IDENTIFIER does not display in the attribute list until the CAS customizations detailed in the ldquoConfiguring CAS server to enable bannerValidaterdquo section take effect A restart of the CAS server is required
If necessary, edit the CAS managed services that the CAS server protects.
Use the following steps to define new CAS managed services, if required:
1. Launch a browser and navigate to the CAS server management page. The CAS server management page URL is https://<CAS server>:<port>/cas-web/services/manage.html.
2. Supply a valid administrator user name and password obtained from the CAS administrator. The Services Management page is displayed.
3. Click the Add New Service tab in the left corner of the page.
4. Add a new service by entering the fields as exemplified in the table below.
5. Click Save Changes. The CAS server now protects the service that you defined.
Parameter     Description
Name          CAS services
Service URL   https://<cas-server>:<port>/cas-web/services
Description   Protect cas services
Theme Name    Cas
Status        Select Enabled and SSO Participant
Attributes    The service attributes
Banner CAS client configuration
Once the CAS server is configured to support Banner Enterprise Identity Services, you can configure Internet-native Banner and Banner Self-Service to participate in a CAS Single Sign-On (SSO) session. This is accomplished by deploying the Banner CAS Client Web application in the Admin server and the Portal server. This application proxies the CAS authentication process to the Banner SSO proxy Web applications that support Internet-native Banner and Banner Self-Service. The application is only required in a CAS-based environment.
Use the following steps to install and configure the Banner CAS Client Web application:
1. After you deploy the banner-cas-client version supplied with Banner Enterprise Identity Services for the Luminis Platform Admin and Portal instances, modify the following parameters in the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file.
Parameter: banner.sso.gateway
Description: URL to the Banner SSO Web Proxy, which is part of the Banner Identity Gateway deployment.

Parameter: cas.server.gateway
Description: Property that determines whether the login screen is displayed to the user. The default is false.

Parameter: cas.server.renew
Description: Property that determines whether users must log in to each application. If set to true, users must log in to each application regardless of whether an SSO session was established; use this setting if users are allowed to log in to another application within the SSO realm without providing credentials again. If set to false, users do not need to log in to each application if an SSO session was established; use this setting for general use.

Parameter: cas.server.url
Description: URL to the CAS server. Generally this is a secured container, meaning the URL should begin with https.

Parameter: cas.server.proxyCallbackUrl
Description: Server proxy callback URL, which should point to the CAS server and port.

Parameter: cas.client.serverName
Description: Client server address, which consists of the fully qualified server name and port where the application is running. Note: This should include the SSL port number.

Parameter: cas.client.proxyCallbackUrl
Description: Client proxy callback URL, which should point to the server and port where the client application is running. Note: This should include the SSL port number.

For example, the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file may appear as follows:
• Admin:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
• Portal:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com:443
• The following three properties are not in use:
cas.server.gateway=false
cas.server.proxyCallbackUrl
cas.client.proxyCallbackUrl
2. Test the Web application by invoking the following URL. This URL should be accessible from all resource and Portal tiers:
https://<Luminis host>:<SSL PORT>/banner-cas-client
The following URLs are used to start Banner in a CAS Single Sign-On environment:
• Internet-native Banner: http://<host>:<port>/banner-cas-client/authorized/banner/OracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/banner/SelfService
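As an added check (not part of the guide or of the banner-cas-client application), the following Python reads a cas-client.properties file and reports deviations from the rules in the table above: cas.server.url must use https, cas.client.serverName must be <fqdn>:<SSL port> with no scheme, renew and gateway must be true/false, and the two proxy callback properties must stay unset. The property names come from the table; both sample files and their host names are constructed.

```python
"""Added example: lint a banner-cas-client cas-client.properties file."""
import re

# Properties the guide lists as "not in use"; a non-empty value is a misconfiguration.
UNUSED = ("cas.server.proxyCallbackUrl", "cas.client.proxyCallbackUrl")
BOOLEANS = ("cas.server.renew", "cas.server.gateway")
REQUIRED = ("banner.sso.gateway", "cas.server.url", "cas.client.serverName")
HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")  # <fqdn>:<port>, no scheme, no path

# Constructed sample matching the guide's Admin-tier layout (hosts are placeholders).
ADMIN_PROPS = """\
banner.sso.gateway=http://sso-gateway.example.edu:9010/bnSSOWeb
cas.server.gateway=false
cas.server.renew=false
cas.server.url=https://cas.example.edu:8447/cas-web
cas.client.serverName=portal-admin.example.edu:443
cas.server.proxyCallbackUrl=
cas.client.proxyCallbackUrl=
"""

# Constructed sample with four of the mistakes the table warns about.
BAD_PROPS = """\
banner.sso.gateway=http://sso-gateway.example.edu:9010/bnSSOWeb
cas.server.renew=FALSE
cas.server.url=http://cas.example.edu:8080/cas-web
cas.client.serverName=https://portal.example.edu
cas.client.proxyCallbackUrl=https://portal.example.edu/banner-cas-client/proxy
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_cas_client(props):
    """Return a list of findings (empty list means the file follows the guide's rules)."""
    findings = []
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"{key}: missing")
    url = props.get("cas.server.url", "")
    if url and not url.lower().startswith("https://"):
        findings.append("cas.server.url: must begin with https:// (CAS tickets travel over it)")
    name = props.get("cas.client.serverName", "")
    if name:
        if name.lower().startswith(("http://", "https://")):
            findings.append("cas.client.serverName: host:port only, no scheme")
        elif not HOST_PORT.match(name):
            findings.append("cas.client.serverName: must be <fqdn>:<SSL port>")
    for key in BOOLEANS:
        if key in props and props[key] not in ("true", "false"):
            findings.append(f"{key}: expected true or false, got {props[key]!r}")
    if props.get("cas.server.gateway") == "true":
        findings.append("cas.server.gateway: gateway mode is not used in this deployment; keep false")
    for key in UNUSED:
        if props.get(key):
            findings.append(f"{key}: not used by this deployment; leave it empty")
    return findings


if __name__ == "__main__":
    for label, text in (("admin", ADMIN_PROPS), ("bad", BAD_PROPS)):
        print(label, check_cas_client(parse_properties(text)))
```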
Banner Enterprise Identity Services Configuration Information Tables
The following is a list of tables that store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.
For Identity Data Export Utilities, as with other Web apps, the configuration is stored in the properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory, the files are stored in the following location:
applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties
Schema     Table            Application                          Comments
BNIXMGR    APCONFG          Banner Identity Gateway              Stores application configuration for SSB and INB
BNIXMGR    WSCONFG          Banner Identity Gateway              Stores configuration for the Open Digital Campus Identity Web Service (Credential service and Ticketing service)
IDENTMGR   T_UDC_PST_LIST   Enterprise Identity Proxy Services   Stores a list of Provisioning Service Targets
Luminis Banner Web application
This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.
Use the following steps to deploy these portlets:
1. Make the necessary changes to certain properties located in the following folders:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
$CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes
2. The properties that need to be modified with respect to Banner portlets are as follows:
# The URL to access the Banner Portal Servlet
# Example: http://slcban3.sungardhe.com:7778/banportals
providerServlet.url=<URL for the banportals application>
# The user name to secure the servlet
providerServlet.userName=channelAdmin
# The password to secure the servlet
providerServlet.password=u_pick_it
version=development
# The SSB URL for the English locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
# The SSB URL for the French locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
# The SSB URL for the Spanish (Mexican) locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
# The SSB URL for the Arabic locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
# The SSB URL for the Brazilian locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
# The BEIS version: either 8.14 for versions that are <= 8.14, or 8.15
beis.version=8.14
# The banner-cas-client URL for SSB, in case BEIS <= 8.14 is used
banner.cas.client.ssb=banner-cas-client/authorized/banner/SelfService
# The banner-cas-client URL for INB, in case BEIS <= 8.14 is used
banner.cas.client.inb=banner-cas-client/authorized/banner/OracleForms?launch_form=
# The SSB URL for SSO Manager, in case BEIS 8.15 is used (the pkg parameter must be the same as configured in SSO Manager)
beis.ssomanager.ssb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/SSB?pkg=
# The INB URL for SSO Manager, in case BEIS 8.15 is used
beis.ssomanager.inb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner
The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) application server.
This authentication model requires Banner Enterprise Identity Services to be installed in the Banner server, and modifications to be made to the deployment of the Luminis Platform portlet for Banner Server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.
For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki:
http://www.edu1world.org/CommonsLuminis
This section includes the following topics:
• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"
Create the home directory for Luminis Channels for Banner
To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels
Copy the contents of your Banner production directory's channel/admin subdirectory to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.
Edit the configuration file
Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following table specifies descriptions and examples of the Banner database connection configuration properties.
Property: connectionName.list
Description: Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName, and so on.
Example: connectionName.list=default or connectionName.list=default,other

Property: default.tnsName
Description: TNS name used when connecting to the Banner database.
Example: default.tnsName=LB70.sct.com

Property: default.userName
Description: Connection pool user name.
Example: default.userName=banproxy

Property: default.password
Description: Connection pool password.
Example: default.password=banproxy

Property: default.poolConfig.min-limit
Description: Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
Example: default.poolConfig.min-limit=1

Property: default.poolConfig.max-limit
Description: Maximum number of physical connections maintained by the pool.
Example: default.poolConfig.max-limit=5

Property: default.poolConfig.increment
Description: Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
Example: default.poolConfig.increment=1

Property: default.poolConfig.timeout
Description: The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is in seconds.
Example: default.poolConfig.timeout=30

Property: log4j.rootCategory
Description: The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.
Example: log4j.rootCategory=ERROR, stdout

Property: providerServlet.url
Description: URL to access the Banner portal servlet. This is the URL of the web server and points to the OC4J servlet, which resides on the web server machine. The port of 4445 in the document is an example; you provide the port number that routes you to the welcome page of the web server, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. See "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.

Property: providerServlet.userName
Description: User name to secure the servlet.
Example: providerServlet.userName=channelAdmin

Property: providerServlet.password
Description: Password used to secure the servlet.
Example: providerServlet.password=u_pick_it

Property: xsl-parameter.erpUrlBase
Description: URL for the INB server. Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL in the example.
Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D

Property: xsl-parameter.urlHostAndPath
Description: URL for the self-service application.
Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD

The recommended value for the user name is channelAdmin. You can use any value for the password.
This user name and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a Channel request, it compares the user name and password stored in banportals.ear with the user name and password sent by Luminis from the luminis-banner webapp. Thus, the providerServlet user name and password only need to be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user, and so forth.
Generate the banportals.ear file
The banportals.config file contains values that should be inserted into the banportals.ear file.
To roll out the changes, use the installer file banportalsadmin.jar. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager, as described in "Deploy the EAR file" on page 2-15.
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use the Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) server using mapped drives or symbolic links to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the application currently being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not /banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate user name mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP user name mapping first, based on the GUAUPRF LDAP settings, and then fail over to the mapping set in the Banner GOBEACC mapping. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for use with, and in support of, Banner Integration for eLearning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring Framework application server context, which contains native JMS client connectivity by default. In addition, the JMS provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and
verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish OpenMQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the .../imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.
You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the OpenMQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 40
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example: mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following to .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway; export SCT_LMG_HOME
3. Copy lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgX.x.jar -erp <plus|banner> -lmbhost <lmbserver> -dburl <dbserver>:<port>:<instance> -dbpw <mydbpasswd> -jmspw <myjmspasswd> -ldi <true|false> -notification <true|false>
For example, the command may appear as follows:
java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne shell script, lp5_mqinit.sh, was developed on Unix and assumes that OpenDS LDAP resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects (such as topics, queues, and connection factories) in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:
• Environmental settings:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port, and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use imq.portmapper.port, which has a default value of 7676:
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search, and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the last property, imq.log.level, to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue- and topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
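As an added audit step (not from the guide or from Open MQ), the following Python parses accesscontrol.properties rules of the form shown above, builds the per-user set of allowed destinations, and flags two things a reviewer looks for: principals that are not known MQ users (a mistyped name silently denies the intended user) and wildcard grants. The rule syntax is the one used above; the sample file and the known-user set are constructed.

```python
"""Added example: audit an Open MQ accesscontrol.properties file for least privilege."""
import re

# connection.<NORMAL|ADMIN>.allow.user=..., queue.<dest>.<op>.allow.user=..., topic.<dest>.<op>.deny.user=...
RULE = re.compile(
    r"^(?P<kind>connection|queue|topic)\.(?P<dest>[^.]+)"
    r"(?:\.(?P<op>produce|consume|browse))?"
    r"\.(?P<effect>allow|deny)\.(?P<ptype>user|group)$"
)

# Users that lp5_mqinit.sh would have created in o=messaging (constructed set).
KNOWN_USERS = {"admin", "lumuser", "lmguser"}

# Constructed sample in the shape of the guide's rules, with one mistyped principal.
SAMPLE_ACL = """\
connection.NORMAL.allow.user=*
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""


def parse_acl(text):
    """Yield (rule fields, [principals]) per rule line; unparseable keys are kept for reporting."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        m = RULE.match(key.strip())
        if m is None:
            rules.append(({"kind": "unparsed", "raw": key.strip()}, []))
            continue
        rules.append((m.groupdict(), [p.strip() for p in value.split(",") if p.strip()]))
    return rules


def audit_acl(text, known_users):
    """Return (findings, grants): findings is a list of strings, grants maps user -> set of
    'kind:destination:op' targets it is explicitly allowed."""
    findings, grants = [], {}
    for rule, principals in parse_acl(text):
        if rule["kind"] == "unparsed":
            findings.append(f"unrecognised rule key: {rule['raw']}")
            continue
        if rule["ptype"] != "user":
            continue  # group rules need the LDAP group model and are out of scope here
        target = f"{rule['kind']}:{rule['dest']}:{rule['op'] or '-'}"
        for p in principals:
            if p == "*":
                findings.append(f"{target}: wildcard {rule['effect']} for every authenticated user")
                continue
            if p not in known_users:
                findings.append(f"{target}: principal {p!r} is not a known MQ user (typo?)")
            if rule["effect"] == "allow":
                grants.setdefault(p, set()).add(target)
    return findings, grants


if __name__ == "__main__":
    found, allowed = audit_acl(SAMPLE_ACL, KNOWN_USERS)
    for f in found:
        print("FINDING:", f)
    for user, targets in sorted(allowed.items()):
        print(user, sorted(targets))
```

With the sample, lumuser ends up without produce rights on the EntityEvents topic because the grant went to the non-existent "lumser", which is exactly the kind of silent failure the unknown-principal check surfaces.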
Custom JMS Clients
Ensure that your JMS clients have the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ, or Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server.
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2 Download and install the GlassFish Server 31 which includes Open MQ GlassFish downloads and documentation are located at the following URL
httpglassfishjavanet
For documentation on subsequent GlassFish Server 3x Open Source Edition releases greater than 31 refer to the link above
Use the following steps to configure GlassFish and MQ
21 Before running asadmin for both non-SSL and SSL setups complete the following steps
NoteEdit the port numbers in domainxml glassfishv3domainsdomain1configdomainxml as needed If installing on the same server as Luminis Platform you may need to change 8080 to 8081 for example since it is used by WebCache
22 Once the GlassFish archive is extracted to ltGLASSFISH_HOMEgt (such as optglassfishv3) while logged in as root start the GlassFish server from ltGLASSFISH_HOMEgtbin using the following command
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.

To create a JMS user, complete the following steps.

Note: The imqusermgr command creates users in the file-based user repository; skip it if you are using an LDAP or JAAS-based user repository for MQ. The default credentials used by imqcmd are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details or contact the Luminis-Integration ActionLine for additional help.

3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin (cpadmin and pipeline are example values; substitute your own):

    imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker

3.2 In <GLASSFISH_HOME>/mq/bin, change the admin password. The default admin/admin credentials are published in the Open MQ documentation, so leave them in place only on a throwaway test broker:

    imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments: the initial connection is made on port 7676, and the portmapper on that port then advertises the ports to use for the other services, as illustrated below.
    telnet localhost 7676
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    101 imqbroker 4.5
    cluster_discovery tcp CLUSTER_DISCOVERY 0
    portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
    jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
    admin tcp ADMIN 39925
    jms tcp NORMAL 42103
    mqdirect2 none NORMAL 0
    jmsdirect none NORMAL 0
    cluster tcp CLUSTER 37453
    .
    Connection closed by foreign host.
If ephemeral ports are not permitted through the firewall, or if you otherwise prefer static ports, both the firewall and the MQ must be configured to use static ports. With static ports the firewall needs to allow only 7676 and the ports you assign below; the cluster service still takes a dynamic port, as the output shows, but clients never connect to it. The MQ is configured for static ports by adding the following lines to the bottom of <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:

    imq.admin.tcp.port=7574
    imq.jms.tcp.port=7575
    imq.ssljms.tls.port=7576

After the MQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the host name (after the default JMS host has been changed to the FQDN as described in step 5.3), to confirm that the new static ports are in use:

    [root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
    Trying 1492421528...
    Connected to userportal.sungardhe.com (1492421528).
    Escape character is '^]'.
    101 imqbroker 4.5
    cluster_discovery tcp CLUSTER_DISCOVERY 0
    portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
    jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
    admin tcp ADMIN 7574
    jms tcp NORMAL 7575
    httpsjms https NORMAL 0
    mqdirect2 none NORMAL 0
    jmsdirect none NORMAL 0
    cluster tcp CLUSTER 50627
    .
    Connection closed by foreign host.
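The telnet check above is read by eye; the following Python script is an added example (not code from the guide or from Ellucian) that parses the portmapper listing and flags every service that is not on its configured static port. The two listings are constructed from the telnet output shown above, with host names and paths shortened, and EXPECTED_STATIC holds the imq.admin.tcp.port, imq.jms.tcp.port and imq.ssljms.tls.port values set in config.properties; fetch_listing() is included for use against a live broker and assumes the portmapper is reachable.

```python
"""Parse an Open MQ portmapper listing and verify the static port settings."""
import socket
from typing import Dict, List, Tuple

# Constructed sample: broker still on dynamic ports (before the change).
EPHEMERAL_LISTING = """101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,imqhome=/opt/glassfishv3/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://mq.example.edu/jndi/rmi://mq.example.edu:8686/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
.
"""

# Constructed sample: after the static ports were set and the domain restarted.
STATIC_LISTING = """101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,imqhome=/opt/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://mq.example.edu/jndi/rmi://mq.example.edu:8686/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
.
"""

# Static assignments from config.properties (service name -> port).
EXPECTED_STATIC = {"admin": 7574, "jms": 7575, "ssljms": 7576}


def parse_portmapper(listing: str) -> Dict[str, Tuple[str, str, int]]:
    """Return {service: (protocol, service_type, port)} from a listing.

    The first line is the protocol header ("101 imqbroker 4.5"), a line
    holding only "." ends the listing, and bracketed text after the port
    is per-service detail that is ignored here.
    """
    lines = listing.splitlines()
    if not lines or not lines[0].startswith("101 "):
        raise ValueError("not a portmapper listing: missing '101' header")
    services: Dict[str, Tuple[str, str, int]] = {}
    for raw in lines[1:]:
        line = raw.strip()
        if line == ".":
            break
        if not line:
            continue
        fields = line.split(None, 4)  # name proto type port [detail]
        if len(fields) < 4 or not fields[3].isdigit():
            raise ValueError(f"malformed portmapper line: {line!r}")
        name, proto, svc_type, port = fields[:4]
        services[name] = (proto, svc_type, int(port))
    return services


def check_static_ports(services: Dict[str, Tuple[str, str, int]],
                       expected: Dict[str, int] = EXPECTED_STATIC) -> List[str]:
    """Describe each expected service that is not on its static port.

    Port 0 means the service is not running (ssljms with TLS off, for
    example); any other mismatch means the service is still on an ephemeral
    port, which a firewall opened only for the static ports will block.
    """
    problems: List[str] = []
    for name, port in expected.items():
        if name not in services:
            problems.append(f"{name}: not advertised (not in imq.service.activelist)")
            continue
        advertised = services[name][2]
        if advertised == 0:
            problems.append(f"{name}: advertised port 0 (service not running)")
        elif advertised != port:
            problems.append(f"{name}: advertised {advertised}, expected static {port}")
    return problems


def fetch_listing(host: str, port: int = 7676, timeout: float = 5.0) -> str:
    """Read the live listing; the portmapper writes it and then closes the socket."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


if __name__ == "__main__":
    for label, listing in (("before", EPHEMERAL_LISTING), ("after", STATIC_LISTING)):
        issues = check_static_ports(parse_portmapper(listing))
        print(f"{label}: {issues or 'all expected services on static ports'}")
```

Run against the "after" listing the check still reports ssljms, because the guide's output has no ssljms service at all (TLS was not enabled in imq.service.activelist); that is the kind of gap between what was configured and what the broker actually exposes that a firewall rule written from config.properties alone would miss.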
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.

If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.

Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.

For example, the settings may appear as follows:

    com.sghe.luminis.jms.type=sun
    isMessageBrokerEnabled=true
    com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
    com.sghe.luminis.imqConnectionCredentials=<jmspassword>
    com.sghe.luminis.imqBrokerHostName=<jmshost>
    com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms

Because imqConnectionCredentials holds the broker password in clear text, restrict read access to bootstrap.properties to the account that runs Tomcat.
5. The GlassFish Server should be installed, with the jms and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.

5.1 To query the broker, run the following commands:

    cd <glassfish>/mq/bin
    imqcmd query bkr -b <localhost>

5.2 To ensure the JMS service is active, run the following command:

    imqcmd query svc -b <localhost> -n jms

5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.

To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host attribute matches your FQDN, as in the following example:

    <jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
        <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
    </jms-service>

After you update the jms-service definition in domain.xml and restart the GlassFish domain, use the FQDN in any imqcmd commands.
4 SSB and INB Integration

This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:

• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"

User ID mappings

User ID mappings are central to the Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is held in the GOBUMAP table, PIDM <-> SPRIDEN ID mappings are in the SPRIDEN table, and PIDM <-> INB (Oracle) login mappings are in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.

The LDAP authentication layer is not needed beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely on the Banner Oracle INB ID or the BANPROXY proxy ID, which fetch data from Oracle to stream back through the portlets. No additional LDAP authentication or SPRIDEN ID lookup against LDAP is involved in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, trust the initial CAS ticket (as in the Luminis CAS login on port 8447) together with the UDC ID asserted in the configured cookie and header. Because the downstream applications accept that asserted identifier, only the gateway may be allowed to set the cookie or header: a client able to supply either directly to INB or SSB would be choosing its own identity.

Luminis Portlets for Banner add database-level security through banportals for each transaction, using the user's actual INB/Oracle account or the BANPROXY proxy.

Other questions to consider when setting up a user in Banner applications are as follows:

• Does the user have a GOBUMAP mapping from UDC ID to a valid PIDM, and does the user's Luminis Platform LDAP record define a UDC ID?
• Have the banner-cas-client service URLs been configured through the CAS server's services management page (cas-web/services/manage.html) to specifically release the UDC_IDENTIFIER attribute?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?

Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001, installed; otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.

Create the o=SCTSSOapplications base DN

To create an optional base DN such as o=SCTSSOapplications, you can use the OpenDS control panel to generate it. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.

For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel

To create the base DN, complete the following steps.

1. From $CP_ROOT/products/opends/bin, run dsconfig as follows:

    dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced

1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select "Add one or more values".
1.4 Enter the DN. For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Select "Use these values".
1.7 Press F to finish and apply the changes to the Local DB Backend.

2. Import the sso_oclass_lum5.ldif file as follows:

    ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif

For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications" sections in Appendix C, "Sample Scripts and Files".

3. Import the sctssoapplications.ldif file:

    import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline

Note: pipeline is the example Directory Manager password used throughout this guide. Passing the real password with -w leaves it in the process list and the shell history; the OpenDS command-line tools can read it from a file with -j instead, and ldapmodify prompts for it when no password option is given.

Verify usermap mapping setup for INB users using the proxyinfo.sql script

The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you for a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.

Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any user without an explicit usermap entry, the default Oracle ID (usually banproxy) results.

If you are using INB, this script must respond with your INB user name. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: Be careful when using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups

For the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies on a proper encryption-key configuration.

The mapping in the GOBEACC table is used to create an Oracle connection for self-service pages that are restricted with the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for INB channels such as the My Banner channel, the GOBEACC mapping does not apply; instead a separate usermap (usually maintained on the Luminis LDAP server) must be created to associate the Luminis logon ID with an Oracle/INB login name.

Create an encryption key

When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server that hosts the user mappings. The Directory Manager password used for that bind is stored on GUAUPRF, encrypted with DES through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key (or password) to perform the encryption. Single DES and DBMS_OBFUSCATION_TOOLKIT are both obsolete by current standards, so the protection of this stored password rests above all on restricting who can read the key file and the GUAUPRF row.

Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.

If KEY_DIR does not exist in DBA_DIRECTORIES and the physical directory has not been created on your database server, create it using the following steps. Make sure the group permissions allow the Oracle software owner to read the directory and file, and that no other users can.

1. Create the physical directory on your database server, such as mkdir $BANNER_HOME/key_dir.
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package uses only the first 24 characters. DES itself uses only eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still supply at least eight characters, since those are the characters used by the current DES encryption. (The example value PASSWORD in step 3 contains no digits; a value that follows the stated rule mixes letters and numbers.)

The passwords stored and passed by the SSO process are encrypted using DES and your key.

4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the directory you created in step 1. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR

Note: If you cannot find the banssodir.sql script, you may need to copy it manually from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.

5. Run the script as follows:

    sqlplus /nolog
    connect general/general_password
    start banssodir
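The key rules above are easy to get wrong by hand, so here is an added Python check (not code from the guide or from Ellucian) that applies them to an enckey file: start in column 1, at least eight characters, letters and digits mixed, longer only in multiples of eight, only the first 24 characters used, the first eight being what single DES consumes. It also checks that the file is not readable or writable beyond the owner and the Oracle group, which the guide asks for in words. Space padding to 24 characters is an assumption made here for illustration (the guide does not say which pad character GOKKSSO uses), and all sample keys are constructed.

```python
"""Check an enckey file against the rules the guide states for the KEY_DIR key."""
import os
import stat
from typing import List, Tuple

KEY_LEN_MAX = 24  # GOKKSSO uses at most the first 24 characters (3DES key length)
DES_KEY_LEN = 8   # single DES uses only the first eight


def validate_key(first_line: str) -> List[str]:
    """Return the rule violations for the first line of an enckey file ([] if none)."""
    problems: List[str] = []
    if first_line and first_line[0].isspace():
        problems.append("key must start in column 1 (leading whitespace found)")
    key = first_line.strip()
    if len(key) < DES_KEY_LEN:
        problems.append(f"key has {len(key)} characters; at least {DES_KEY_LEN} are required")
    if not (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)):
        problems.append("key must combine letters and numbers")
    if len(key) > DES_KEY_LEN and len(key) % 8 != 0:
        problems.append("a key longer than eight characters must be a multiple of eight")
    if len(key) > KEY_LEN_MAX:
        problems.append(f"only the first {KEY_LEN_MAX} characters are used; the rest are ignored")
    return problems


def effective_keys(first_line: str) -> Tuple[str, str]:
    """Return (des_key, padded_24): what single DES and a future DES3 would see.

    Space padding is an assumption made for illustration, not the guide's statement.
    """
    key = first_line.strip()[:KEY_LEN_MAX]
    return key[:DES_KEY_LEN], key.ljust(KEY_LEN_MAX)


def check_permissions(mode: int) -> List[str]:
    """Flag a mode that lets anyone beyond the owner and the Oracle group read or change the key."""
    problems: List[str] = []
    if mode & stat.S_IROTH:
        problems.append("enckey is world-readable; remove the 'other' read bit")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("enckey is writable by group or others; only the owner should write it")
    return problems


def check_key_file(path: str) -> List[str]:
    """Validate the key file on disk: content rules plus permission bits."""
    with open(path, "r", encoding="ascii") as fh:
        first_line = fh.readline()
    if not first_line:
        return ["enckey is empty"]
    return validate_key(first_line) + check_permissions(os.stat(path).st_mode)


if __name__ == "__main__":
    # PASSWORD is the guide's own sample value; it fails the letters-and-numbers rule.
    for sample in ("PASSWORD", "Abc12345", " Abc12345", "Abc1234", "Abc123456",
                   "Key2011Banner5LuminisUDC"):
        print(f"{sample!r}: {validate_key(sample) or 'ok'}")
```

On the database server, check_key_file("$BANNER_HOME/key_dir/enckey") combines both checks; a mode of 0640 owned by the Oracle software owner satisfies the permission rules, while the common 0644 is reported as world-readable.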
Create entries in LDAP for usermap

If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), you must add the configuration entries to your LDAP directory. The default DN path is as follows:

    o=config,o=Banner,o=SCTSSOapplications

UserMapDN points to a location in the LDAP directory where users can be mapped when their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of object class SCTSSOConfig, and the common name (cn) of the entry should be the LDAP user ID. The SCTSSOConfigString attribute of the entry should be set to the user's ID in the Banner database. If a user's ID is the same in both systems, an entry in this location is neither necessary nor recommended for that user.

For users to use SSO to INB through Luminis Platform with LDAP authentication, the LDAP and Banner IDs must satisfy one of the following criteria:

• The same value:
    Luminis ID = jsmith
    Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
    Luminis ID = JoeSmith
    Oracle/Banner ID = jsmith
The following example shows how to establish and test the ID mapping when the IDs differ. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.

1. Create a mapping file, for example sso_map.ldif:

    dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
    SCTSSOConfigString: jsmith
    objectClass: top
    objectClass: SCTSSOConfig
    description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
    cn: JoeSmith

2. Import the mapping file into the LDAP server:

    ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline

Note: You must wait approximately 20 minutes for the mapping to take effect.

3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.

Note: A mapping in the o=usermap tree is read once, when the user first accesses the Luminis Portlets for Banner after banportals starts up, and the value is then cached for subsequent requests. If you change a particular mapping, you must restart the banportals OC4J instance before the new value is read.
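To make the mapping and lookup rules of this section concrete, the following Python script is an added example (not code from the guide, from proxyinfo.sql or from Ellucian). build_usermap_ldif() emits the SCTSSOConfig entries shown above, one per Luminis ID whose Oracle ID differs, with the cn escaped for use in a DN per RFC 4514 so that a login ID containing a comma cannot alter the DN; resolve_oracle_id() models what proxyinfo.sql reports: an explicit usermap entry wins, otherwise the login ID itself is used when it names an Oracle account (the "same value" case above), otherwise the default proxy ID banproxy results. The directory contents and the set of Oracle accounts are in-memory stand-ins, and the "same value" fallback is this example's reading of the section, not a documented proxyinfo.sql rule.

```python
"""Build o=usermap entries and resolve a Luminis ID to the Oracle/INB account."""
from typing import Dict, Iterable

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "banproxy"
# IDs that proxyinfo.sql returns when no mapping was found (named in the guide).
GENERIC_IDS = {"BANPROXY", "INTEGMGR", "WWW_USER"}


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def usermap_entry(luminis_id: str, oracle_id: str) -> str:
    """Return one LDIF entry mapping a Luminis login ID to an Oracle/INB account."""
    return "\n".join([
        f"dn: cn={escape_rdn_value(luminis_id)},{USERMAP_BASE}",
        f"SCTSSOConfigString: {oracle_id}",
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        f"description: Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {oracle_id}",
        f"cn: {luminis_id}",
        "",
    ])


def build_usermap_ldif(mappings: Dict[str, str]) -> str:
    """Emit entries only where the IDs differ (the guide advises none otherwise)."""
    return "\n".join(usermap_entry(lum, ora) for lum, ora in mappings.items() if lum != ora)


def parse_usermap_ldif(text: str) -> Dict[str, str]:
    """Read cn -> SCTSSOConfigString pairs back out of LDIF text."""
    mappings: Dict[str, str] = {}
    for block in text.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if ": " in line:
                name, _, value = line.partition(": ")
                attrs[name] = value
        if "cn" in attrs and "SCTSSOConfigString" in attrs:
            mappings[attrs["cn"]] = attrs["SCTSSOConfigString"]
    return mappings


def resolve_oracle_id(luminis_id: str, usermap: Dict[str, str],
                      oracle_accounts: Iterable[str], default: str = DEFAULT_ORACLE_ID) -> str:
    """Model of the lookup proxyinfo.sql performs, as described in this section."""
    if luminis_id in usermap:                 # explicit usermap entry takes precedence
        return usermap[luminis_id]
    if luminis_id in set(oracle_accounts):    # same ID in both systems: no entry needed (assumption)
        return luminis_id
    return default                            # no mapping found: the default proxy ID


def is_unmapped(oracle_id: str) -> bool:
    """True when the answer is a generic ID, i.e. no usable INB mapping exists."""
    return oracle_id.upper() in GENERIC_IDS


if __name__ == "__main__":
    ldif = build_usermap_ldif({"JoeSmith": "jsmith", "jdoe": "jdoe"})
    print(ldif)
    usermap = parse_usermap_ldif(ldif)
    for user in ("JoeSmith", "jdoe", "visitor"):
        oracle_id = resolve_oracle_id(user, usermap, {"jsmith", "jdoe"})
        print(f"{user} -> {oracle_id} ({'unmapped' if is_unmapped(oracle_id) else 'mapped'})")
```

The generated text can be fed to the same ldapmodify command shown in step 2; is_unmapped() is the programmatic form of the rule above that an answer of INTEGMGR, WWW_USER or BANPROXY means no mapping was found.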
Configure parameters using GUAUPRF

To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps.

1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value becomes the default for new users who log in to Banner.

Parameter and description:

BIND_PASSWORD - The password for the bind user. It is stored in the database using DES encryption with the encryption key you configured in an earlier step.

BIND_USER - A user with rights to bind to the LDAP server and retrieve the SSO configuration data. This user must also be able to search the LDAP directory to determine whether users exist. Where your directory allows it, use a dedicated read-only account scoped to the config and usermap subtrees rather than the Directory Manager, so that the password held in GUAUPRF does not carry full directory administration rights.

DN - The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.

SERVER - The LDAP server used to validate users and to store additional SSO configuration parameters. The value uses LDAP URL format, for example ldap://myldapserver:389

Note: If you are using LDAPS, you should also configure the parameters in the SSL key.

USERMAP_OPT - Usermap option. Valid values are L (the login ID is used for login mapping) and N (no usermap option is used).

USERMAP_PRFX - Prefix for the usermap. This holds the prefix for the usermap option; the default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.

Note: These options are governed by the USERMAP_OPT parameter. The expected usermap value is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters.

Parameter and description:

LOCATION - To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where the wallet is created, in file URL format. For example:
    file:/d:/wallet (Windows)
    file:/u01/wallet (Unix)

PASSWORD - The password to the wallet, stored using DES encryption with the key you created in a previous step.

MODE - The SSL authentication mode, one of the following values:
    1 - No authentication is required (SSL encryption only)
    2 - One-way authentication: the server presents a certificate that the client verifies against the wallet
    3 - Two-way authentication: the client and the server authenticate each other's certificates
A CAS Server Configuration

Use the following steps to specify the LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.

For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.

1. If you do not already have a CAS server installed, download the JA-SIG CAS server distribution.

2. Download the CAS extensions JAR file.

A standard JAR file is available from SunGard Higher Education for modifying the CAS server; one is supplied for each supported CAS version.

2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.

2.2 Select the file that supports your version of CAS:

    SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
    SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip

3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. In the steps below, the temporary location is referred to as CAS_EXTENSION (for example D:\Banner_IdM_Extension) and the Luminis Platform CAS server location as SGHE_CAS_SERVER = $CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war.
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.

4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:

    jsr173_1.0_api.jar
    sghe_udc_identity_xmlbeans_binding.jar
    sghe-cas-ext.jar
    xbean.jar
    xercesImpl.jar
    xml-apis.jar

Then modify SGHE_CAS_SERVER/WEB-INF/web.xml by adding the following servlet mapping:

    <servlet-mapping>
        <servlet-name>cas</servlet-name>
        <url-pattern>/bannerValidate</url-pattern>
    </servlet-mapping>

4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.

4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry inside the existing <util:map id="uniqueIdGeneratorsMap"> element:

    <entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />

4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.

Use the following steps to modify the argumentExtractorsConfiguration.xml file.

4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following bean definition:

    <bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
    </bean>

4.3.3 Add the following reference to the util:list argumentExtractors:

    <util:list id="argumentExtractors">
        <ref bean="BannerArgumentExtractor" />
        <ref bean="casArgumentExtractor" />
        <ref bean="samlArgumentExtractor" />
    </util:list>

4.3.4 Save and close argumentExtractorsConfiguration.xml.

4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.

Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following bean definition:

    <bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
        p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
        p:centralAuthenticationService-ref="centralAuthenticationService"
        p:proxyHandler-ref="proxy20Handler"
        p:argumentExtractor-ref="BannerArgumentExtractor"
        p:successView="bannerAccountServiceSuccessView"
        p:failureView="bannerAccountServiceFailureView" />

4.4.2 Add the following property to the handlerMappingC bean:

    <prop key="/bannerValidate">bannerAccountValidateController</prop>

4.4.3 Save and close the cas-servlet.xml file.

4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the attributeRepository bean:

    <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
        <property name="baseDN" value="ou=People,o=cp" />
        <property name="query" value="(uid={0})" />
        <property name="contextSource" ref="contextSource" />
        <property name="ldapAttributesToPortalAttributes">
            <map>
                <!-- Mapping between LDAP entry attributes (key) and Principal attributes (value) -->
                <entry key="uid" value="uid" />
                <entry key="udcid" value="UDC_IDENTIFIER" />
                <entry key="cn" value="cn" />
                <entry key="givenname" value="Formatted Name" />
                <entry key="mail" value="EmailAddress" />
            </map>
        </property>
    </bean>
4.5.2 Add the following property configuration inside the authenticationManager bean:

    <property name="authenticationMetaDataPopulators">
        <list>
            <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
                <property name="template" ref="LdapTemplate"/>
                <property name="netIdAttr" value="uid" />
                <property name="baseDN" value="ou=People,o=cp"/>
                <property name="casTokenAttributes">
                    <map>
                        <entry>
                            <key><value>udcid</value></key>
                            <value>UDC_IDENTIFIER</value>
                        </entry>
                    </map>
                </property>
            </bean>
        </list>
    </property>
4.5.3 Add the following bean definitions under the beans root element:

    <bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
        <property name="contextSource" ref="contextSource"></property>
    </bean>

    <bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
        <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
    </bean>

    <bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
        <property name="template" ref="LdapTemplate"></property>
        <property name="netIdAttr" value="uid" />
        <property name="baseDN" value="ou=People,o=cp" />
        <property name="samlToLdapAttributeNameMap">
            <map>
                <entry key="UDC_IDENTIFIER" value="udcid" />
                <entry key="Formatted Name" value="sn" />
            </map>
        </property>
    </bean>

    <bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.

4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.

4.6.1 Open default_views.properties.
4.6.2 Add the following lines:

    # Banner Applications Views
    bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
    bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView

4.6.3 Save and close default_views.properties.

4.7 Define the CAS managed services. For more information, see "CAS managed services" on page 2-4. Register only the exact service URLs that need UDC_IDENTIFIER released to them; the services registry is what limits which applications can obtain the attribute from a validated ticket.
B Logs
Banner Enterprise Identity Services logs help you understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner (also known as Banner Channels for Luminis Platform). It uses a database connection pool and secured access to data at the Banner database level.

You can also enable debug logging for the GlassFish message queue (MQ) component.

Banportals logs

BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To raise banportals logging on the application server side, set the verbosity in the following file:

    $OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties

For example, to create a separate log file that captures details of the channel Web Proxy activity, edit log4j.properties as follows:

    log4j.appender.stdout=org.apache.log4j.ConsoleAppender
    log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
    log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
    log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
    log4j.appender.logfile.append=True
    log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
    log4j.appender.logfile.MaxBackupIndex=10
    log4j.appender.logfile.MaxFileSize=1MB
    log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
    log4j.appender.logfile=org.apache.log4j.RollingFileAppender
    log4j.rootCategory=DEBUG, logfile

DEBUG output from the Web Proxy can include request parameters and identity attributes, so restrict access to this log file and return the root category to ERROR once the investigation is finished.
On the Luminis Platform side, you can set the logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:

    $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties

Alternatively, you can add the following to your common log4j.properties, stored in the following location:

    $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties

    log4j.logger.com.sct.bannerportals=DEBUG, file
    log4j.logger.com.sghe.luminis.banner=DEBUG, file

If you are not actively debugging, lower the verbosity to the ERROR level.

Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log:

    $OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1

There are also several application-specific logs you can refer to, for example:

    [/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
    ./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
    ./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
    ./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
    ./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
    ./log/identity_data_export_utilities.log
    ./log/BEIS_default_island_1/default-web-access.log
    ./log/BEIS_default_island_1/server.log
    ./log/BEIS_default_island_1/global-application.log
    ./log/BEIS_default_island_1/rmi.log
    ./log/BEIS_default_island_1/jms.log
    ./log/spml_publisher_failure.log
    ./log/sqlnet.log

For HTTP-layer monitoring, refer to the logs in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j configuration file, such as log4j.properties, which you can use to configure them.

You can also configure logging through Oracle Enterprise Manager (OEM) for the Oracle Application Server (OAS). OEM usually runs on port 1156 (the example login in this environment is ias_admin/manager1; example credentials from documentation should never be the ones in use). Through this interface you can stop, start and restart individual containers such as the OC4J containers, which are called main for banportals and BEIS for Banner Enterprise Identity Services.

Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you can specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; these take effect after the next restart of that component.

GlassFish MQ and Luminis Platform message broker logs

Logs are placed in the following directory, assuming the default domain:

    /opt/glassfishv3/glassfish/domains/domain1/logs

To adjust the verbosity of jms.log, edit imq.log.level in the following file:

    /opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties

Other GlassFish server-level logging can be adjusted in the following file:

    /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties

Within Luminis Platform, if you want a dedicated logger for the JMS message listener package, add the following to $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties:

    # JMS Appender
    log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
    log4j.appender.jms=org.apache.log4j.RollingFileAppender
    log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
    log4j.appender.jms.layout=org.apache.log4j.PatternLayout
    log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
    log4j.appender.jms.MaxFileSize=10MB
    log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator you should also become familiar with the MQ 45 administration documentation available from httpglassfishjavanet
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and its status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) in the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG, reproduce the issue, and capture the logs. When reproducing the error, note the time stamp and any other identifying information about the event in question, such as the event ID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
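A successfully processed event leaves the three messages shown above in adapter.log, one per stage. On a busy log it is easier to let a script correlate those lines by event ID than to read them by hand. The following is an added example, not part of the Ellucian guide or of LMG: it parses log4j lines of the shape shown above, records which of the three stages each event ID reached, and reports the IDs that stalled. The stage labels are this example's own, the regular expressions are inferred from the three sample messages, and the lines in SAMPLE_LOG are constructed (the 370661 event and the WARN line do not come from the guide).

```python
import re
from collections import defaultdict

# Shape of one LMG log4j line, e.g.
# 2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# The three messages a successfully processed event leaves behind, in order.
# The stage names are this example's own labels.
STAGES = (
    ("validated", re.compile(r"XML for (?P<id>\d+) is a valid document")),
    ("published_to_broker", re.compile(r"Message (?P<id>\d+) published to Luminis Message Broker")),
    ("published_to_subscriber", re.compile(r"The event (?P<id>\d+) has been published to (?P<target>\S+)")),
)


def parse_line(line):
    """Split one log line into its fields; None if the line is not in log4j form."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def event_stages(lines):
    """Return ({event_id: set of stages seen}, {event_id: set of publish targets})."""
    stages = defaultdict(set)
    targets = defaultdict(set)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        for stage, pat in STAGES:
            m = pat.search(rec["msg"])
            if not m:
                continue
            eid = m.group("id")
            stages[eid].add(stage)
            target = m.groupdict().get("target")
            if target:
                targets[eid].add(target)
    return dict(stages), dict(targets)


def stalled_events(lines):
    """Event IDs that did not reach every stage, with the stages they are missing.
    An ID that never appears in the log is not reported here: that case means the
    event never left Banner (check its status on GOAEQRM), not that LMG stalled."""
    expected = {name for name, _ in STAGES}
    stages, _ = event_stages(lines)
    return {eid: sorted(expected - seen) for eid, seen in stages.items() if seen != expected}


def find_event(lines, event_id):
    """All parsed lines mentioning one event ID, to pull a single event out of a busy log."""
    pattern = re.compile(r"\b%s\b" % re.escape(event_id))
    return [rec for rec in map(parse_line, lines) if rec and pattern.search(rec["msg"])]


# Constructed sample: the three lines from the guide for 370660, plus a second
# event (370661) that was validated but never reached the broker.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,114 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,120 [Thread-1] WARN events.com.sctcorp.events.MessageAdapter - broker connection refused, will retry
"""

if __name__ == "__main__":
    for eid, missing in stalled_events(SAMPLE_LOG.splitlines()).items():
        print("event %s stalled; missing stages: %s" % (eid, ", ".join(missing)))
```

Run it against a real adapter.log with `stalled_events(open(path).readlines())`; an event that is reported as missing only the last stage points at the broker publication step, which is where the GlassFish MQ checks in the next section begin.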
GlassFish MQ 4.5 logs
If an event passes through LMG correctly yet Luminis Platform or another system does not receive it, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination directory or filename for the MQ log, add or edit the following properties in the same file:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID,
-- such as INTEGMGR or WWW_USER, is returned then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL*Plus as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS      TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                       TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a  varchar2(200) := 'CHANNEL';
  b  varchar2(200) := 'LUMINIS';
  c  varchar2(200) := '&Luminis_ID';   -- prompted for at run time (SQL*Plus substitution)
  d  varchar2(200);                    -- OUT: Oracle user the Luminis ID maps to
  e  varchar2(200);                    -- OUT: role
  f  varchar2(200);                    -- OUT: password (deliberately not displayed)
  z  varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role:         ' || e);
  --dbms_output.put_line(' PWD:          ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User:  ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, update 00-core.ldif and 99-user.ldif as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# This script uses bash features ([[ ]], (( )), read -s), so run it with
# bash rather than a plain /bin/sh.
#
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
#VERBOSE="--verbose"

# User-configurable variables; set before running the script.
# The two MQ account passwords are held here in clear text and are written to
# the directory as plain userPassword values; see the note after STEP 6 for the
# pre-encoded alternative.
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if
# applicable. ldapmodify exits with the LDAP result code, which is what is
# examined here.
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      #   err=20 generally means "Attribute or Value Exists"
      #   err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break ;;
          * ) echo "Failed on step $STEPNO with error $ERRORCODE"
              exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}

# Step 0.1
# Some sanity checks before we start:
# does $OPENDS_DIR exist and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 0.2
# Prompt [no screen echo] for the Directory Manager password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Passing the password with -w puts it on the command line, where other local
# users can read it from the process list; the OpenDS tools also accept
# -j <file> (--bindPasswordFile) to read it from a protected file instead.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd "$CP_ROOT/products/opends/bin" || exit 1
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# If you want to insert a pre-encoded userPassword, the format would be
# (the '::' marks a base64 attribute value; here it wraps an {SSHA} hash):
#   userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")
 (targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational
  Attributes"; allow(read,search,compare)
  userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")
 (targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational
  Attributes"; allow(read,search,compare)
  userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands. Note that this binds to the
# directory as Directory Manager over the insecure LDAP port.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd "$MQ_HOME/bin" || exit 1
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# The destination name must be the UpdateRequest queue created above, not the Sync topic.
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration.
# Likewise, this points at the UpdateReply queue.
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
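STEP 2 of the script above turns on ds-cfg-allow-pre-encoded-passwords, and the note after STEP 6 shows a pre-encoded userPassword line, but the script itself still sends MQ_LMG_USER_PW and MQ_LUM_USER_PW in clear text. The following is an added example, not part of lp5_mqinit.sh or of the Ellucian guide: it produces the {SSHA} value OpenDS stores for a password (SHA-1 over password plus an 8-byte random salt, then base64 of digest plus salt), wraps it in the LDIF `userPassword::` form used in the script's note, and verifies a candidate password against such a value. It also decodes the exact value quoted in the script's note to confirm it has that shape; the password behind that value is not known, so only its structure is checked. The sample password is constructed.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 8  # OpenDS salted SHA-1 ({SSHA}) appends an 8-byte salt
DIGEST_LEN = 20  # SHA-1 digest length


def ssha_encode(password, salt=None):
    """Return the {SSHA}... string OpenDS stores: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a candidate password against a {SSHA} value, comparing in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:DIGEST_LEN], blob[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def ldif_userpassword(stored):
    """LDIF line for a pre-encoded value. The '::' separator means the whole
    attribute value is base64-encoded, which is the form the script's note shows."""
    return "userPassword:: " + base64.b64encode(stored.encode("ascii")).decode("ascii")


def decode_ldif_userpassword(line):
    """Inverse of ldif_userpassword: recover the {SCHEME}... value from a '::' line."""
    prefix = "userPassword:: "
    if not line.startswith(prefix):
        raise ValueError("expected a base64 'userPassword::' line")
    return base64.b64decode(line[len(prefix):]).decode("ascii")


def value_shape(line):
    """Return (scheme, digest_length, salt_length) for the value in an LDIF '::' line,
    so a pre-encoded value can be sanity-checked before it is loaded."""
    stored = decode_ldif_userpassword(line)
    scheme, _, b64 = stored.partition("}")
    blob = base64.b64decode(b64)
    return scheme + "}", DIGEST_LEN, len(blob) - DIGEST_LEN


# The pre-encoded line quoted in the script's note (taken from the guide).
GUIDE_LINE = "userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="

if __name__ == "__main__":
    stored = ssha_encode("constructed-secret")  # constructed sample password
    print(ldif_userpassword(stored))
    print("guide value shape:", value_shape(GUIDE_LINE))
```

Generate the line once on a trusted host, paste it into the STEP 6 and STEP 7 heredocs in place of the `userPassword: $..._PW` lines, and the plaintext variables can be dropped from the script; the directory will still verify binds against the stored hash.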
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:
SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted EXECUTE on gspprxy and CREATE SESSION (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users, regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you should issue manual grants, executed as BANSECR, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access, if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID is used for a given SPRIDEN ID or Luminis Platform user, use the gspprxy.g$_get_proxy_info procedure, or the proxyinfo.sql script (run as bansecr) described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is intentionally somewhat cryptic, to make hijacking and similar attacks harder. The installation process is manual so that each site's administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts across the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter added to your formsweb.cfg, as follows:
iamticket=iamticket
Reference the forms configuration consistently wherever forms/frmservlet?config=… appears in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header names in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
1. One typo in that guide is the following validation statement, which is missing a single quote. The corrected form is:
SELECT COUNT(*) FROM GSVCADT WHERE GSVCADT_CAPTURE_NAME = 'IAM_EVENTS_CAPTURE';
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files, located on your Banner database server under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply processes. To begin them manually, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If the streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
system should be able to create users and course information in all appropriate content areas such as the My Courses portlet whenever a Banner system is updated
Banner product dependencies
The following components are recommended when configuring the Luminis Platform Banner integration. Refer to the Banner DC Release Interdependency Matrix for additional options.
• Luminis Platform 5.0.2
• Banner Enterprise Identity Services (BEIS) 8.1.3 or higher
• Banner General 8.4
• Banner Student 8.4.1 or 8.5
• Banner Student Self-Service 8.4.1 or 8.5
• Banner Intcomp 8.0.1
• Web Tailor 8.4 or higher
• Internet Native Banner (INB), configured per the Middle Tier Implementation Guide
• GlassFish Server Open Source Edition 3.1 or higher (this includes Open MQ)
• Banner Channels 8.2 or higher
• Central Authentication Service (CAS) 3.4.2, 3.3.1 or 3.2.1.1
Note: CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
Deployment architecture overview
The deployment model for a fully integrated Banner system, Luminis Platform portal and CAS server is illustrated below.
The next few chapters discuss the following topics:
• "Central Authentication Service and Banner Enterprise Identity Services"
• "Data-Level Integration and Provisioning"
• "SSB and INB Integration"
2 Central Authentication Service and Banner Enterprise Identity Services
Central Authentication Service (CAS) is an enterprise Single Sign-On (SSO) solution for Web applications. CAS SSO improves the user experience when running several Web applications that each have their own means of authentication. With an SSO solution, users authenticate to one central authentication service and can then access other Web applications that have a trust relationship with the central authentication service without a secondary login. For example, if you want to access your portal instance, you are redirected to CAS to log in; CAS authenticates the user credentials and returns a ticket to the browser, which allows access to the portal.
CAS and Banner Enterprise Identity Services (BEIS) are required for the success of single sign-on (SSO) links within Luminis Platform.
This chapter contains the following sections:
• "CAS server configuration for UDCIdentifier"
• "Banner CAS client configuration"
• "Banner Enterprise Identity Services Configuration Information Tables"
• "Luminis Banner Web application"
• "Prepare to Install Luminis Platform Portlets for Banner"
CAS server configuration for UDCIdentifier
This section provides information about configuring the Luminis Platform CAS server to support Banner Enterprise Identity Services (BEIS) or any other SunGard Higher Education products that are UDCIdentifier aware and participate in a CAS SSO session.
Note: CAS versions 3.2.1.1 and 3.3.1 are supported. CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
This section includes the following topics:
• "Prerequisites"
• "CAS protocol extension"
• "Specify bannerValidate parameters"
• "Returned bannerValidate responses"
• "Configure the CAS server"
• "CAS managed services"
Prerequisites
Before implementing CAS with UDCIdentifier, the following prerequisites must be met:
• The identity repository used by the CAS server must be UDCIdentifier aware.
• You must have an understanding of the CAS protocol (2.0) and architecture (3.2).
CAS protocol extension
SunGard Higher Education uses the CAS attribute assertion features to assert additional identity attributes. The SunGard Higher Education CAS protocol is implemented by adding a validation service (bannerValidate) to the CAS server.
Note: The bannerValidate service is similar to the serviceValidate feature available in the JA-SIG CAS server reference implementation.
Upon successful CAS authentication, the CAS client validation filter calls the bannerValidate service to get information for the enterprise user. The service checks the validity of a service ticket and returns a UDCIdentity XML fragment in the response.
Note: The bannerValidate service does not generate or issue proxy-granting tickets when requested. The bannerValidate service must not return a successful authentication if it receives a proxy ticket.
Specify bannerValidate parameters
The following HTTP request parameters must be specified to the bannerValidate service (see the parameter table at the end of this section). These parameters are case sensitive and are handled by bannerValidate.
Returned bannerValidate responses
The bannerValidate service returns one of the following three responses:
• If the ticket validation is successful, the following XML-formatted response is returned:
<urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>maldevl5.sct.com/cas-client-3.1/authorized/bannerSelfService</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>
• If the UDC_IDENTIFIER is not asserted as part of the validation response, an AssertionValidation error is returned.
• If the ticket validation fails, an HTTP 401 error code is returned.
Parameters handled by bannerValidate (the table referenced under "Specify bannerValidate parameters" above):
BANNER-SV: Identifier of the service for which the CAS ticket was issued. Refer to section 2.2 (login) of the JA-SIG CAS protocol overview for information pertaining to the login.
BANNER-ST: Service ticket issued by the CAS login service when a client presents credentials. A service ticket is an opaque string that the client uses as a credential to obtain access to a service.
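The rules above leave the CAS client with three things to enforce on every bannerValidate exchange: a proxy ticket must never validate, a UDCIdentifier must be present in a successful response, and the fragment must be parsed with its namespace rather than by string matching. The following is an added example, not code from the Ellucian guide or from the JA-SIG CAS server, showing those checks on the client side. It assumes the namespace URI reconstructed from the fragment above, uses the CAS protocol's ticket prefixes (ST- for service tickets, PT- for proxy tickets), and adds one precaution the guide does not state: the BANNER-SV attribute in the response must echo the service the ticket was requested for, so a ticket issued for one service cannot be replayed to another. The sample responses and service URL are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of the UDCIdentity fragment, reconstructed from the guide's sample (an assumption).
URN = "urn:sungardhe:enterprise:domain:identity:1.0"
NS = {"urn": URN}


class TicketRejected(Exception):
    """The ticket is not a CAS service ticket (for example, it is a proxy ticket)."""


class AssertionValidationError(Exception):
    """The response carried no UDCIdentifier, i.e. UDC_IDENTIFIER was not asserted."""


class ServiceMismatch(Exception):
    """BANNER-SV in the response names a different service than the one validating."""


def check_service_ticket(ticket):
    """bannerValidate must not honour a proxy ticket. In the CAS protocol, service
    tickets begin with 'ST-' and proxy tickets with 'PT-'; only the former pass."""
    if not isinstance(ticket, str) or not ticket.startswith("ST-"):
        raise TicketRejected("bannerValidate requires a service ticket (ST-...)")
    return ticket


def parse_udc_identity(xml_text):
    """Return (udc_identifier, logon_id, {attribute name: value}) from a UDCIdentity
    fragment, raising AssertionValidationError if the identifier is absent."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}UDCIdentity" % URN:
        raise ValueError("not a UDCIdentity response")
    udc = (root.findtext("urn:UDCIdentifier", default="", namespaces=NS) or "").strip()
    if not udc:
        raise AssertionValidationError("UDC_IDENTIFIER not asserted in validation response")
    logon = (root.findtext("urn:LogonID", default="", namespaces=NS) or "").strip()
    attrs = {}
    for attr in root.iterfind(".//urn:Attribute", NS):
        name = (attr.findtext("urn:name", default="", namespaces=NS) or "").strip()
        attrs[name] = (attr.findtext("urn:value", default="", namespaces=NS) or "").strip()
    return udc, logon, attrs


def validate(ticket, service, xml_text):
    """Client-side acceptance of a bannerValidate response for `ticket` and `service`."""
    check_service_ticket(ticket)
    udc, logon, attrs = parse_udc_identity(xml_text)
    # Extra precaution beyond the guide: the asserted service must be ours.
    if attrs.get("BANNER-SV") != service:
        raise ServiceMismatch("BANNER-SV does not match the requesting service")
    return {"udc_identifier": udc, "logon_id": logon}


def outcome(ticket, service, xml_text):
    """Summarise validate() as a label a filter would log or map to an HTTP status."""
    try:
        validate(ticket, service, xml_text)
        return "ok"
    except TicketRejected:
        return "ticket_rejected"
    except AssertionValidationError:
        return "assertion_error"
    except ServiceMismatch:
        return "service_mismatch"
    except (ET.ParseError, ValueError):
        return "invalid_response"


# Constructed samples modelled on the fragment in the guide.
SERVICE = "https://portal.example.edu/cas-client/authorized/bannerSelfService"

OK_RESPONSE = """<urn:UDCIdentity xmlns:urn="%s">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>%s</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>""" % (URN, SERVICE)

NO_UDC_RESPONSE = """<urn:UDCIdentity xmlns:urn="%s">
  <urn:LogonID>triddle</urn:LogonID>
</urn:UDCIdentity>""" % URN

if __name__ == "__main__":
    print(outcome("ST-17-abc", SERVICE, OK_RESPONSE))
    print(outcome("PT-17-abc", SERVICE, OK_RESPONSE))
    print(outcome("ST-17-abc", SERVICE, NO_UDC_RESPONSE))
```

In a real filter the `xml_text` would be the body returned by the bannerValidate call made with BANNER-SV and BANNER-ST; the ticket-prefix check should run before that call is made at all, so a proxy ticket never reaches the server.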
The CAS server asserts the attributes listed in the "Attribute / Location in Response" table at the end of this section.
Configure the CAS server
The Luminis Platform CAS server must be configured to extend the basic CAS services to support the bannerValidate service. This service is configured to retrieve UDC_IDENTIFIER data from your LDAP directory.
If the Luminis Platform CAS server was installed using the Luminis Installer, support for the bannerValidate service has been configured automatically. If you are using an externally managed CAS server, as described in the Luminis Platform Installation Guide, then you must manually configure the CAS server to support the bannerValidate service by following the steps outlined in the "Configure the CAS Server" appendix.
CAS managed services
The following are the primary CAS managed services. Some or all of these services may already exist in your CAS managed services page after the initial installation of Luminis. The CAS managed services page is found at the following location:
https://<casservername>:<port>/cas-web/services/manage.html
• A typical Luminis/CAS installation requires at least the following CAS-managed service:
https://<casservername>:<https port>/cas-web/services
For this service, select the uid attribute and check the Enabled, Allowed to Proxy and SSO Participant check boxes.
• The Admin server login URL displays as follows: https://<luminisservername>:<https port>/cportal/login
A separate cportal/login service URL needs to be defined for each Luminis Platform hostname, such as the Admin and Portal tiers, or the virtual hostname if that is the URL end users use to access the service. This service does not require any attributes. Recommended Status check boxes are Enabled, Allowed to Proxy and SSO Participant.
• The Admin server banner-cas-client URL should display as follows: https://<adminservername>:<https port>/banner-cas-client/authorized/banner
A separate banner-cas-client/authorized/banner service URL needs to be defined for each Luminis Platform instance (Admin and Portal tiers, or the virtual hostname if end users are using that URL to access the service in question). Mark the Enabled and SSO Participant check boxes and select the UDC_IDENTIFIER attribute.
Note: UDC_IDENTIFIER does not display in the attribute list until the CAS customizations detailed in the "Configuring CAS server to enable bannerValidate" section take effect. A restart of the CAS server is required.
The CAS server asserts the following attributes:
Attribute        Location in Response
UDC_IDENTIFIER   UDCIdentity/UDCIdentifier
CAS Net ID       UDCIdentity/LogonID
If necessary, edit the CAS managed services that the CAS server protects.
Use the following steps to define new CAS managed services if required:
1. Launch a browser and navigate to the CAS server management page at the following URL:
https://<CAS server>:<port>/cas-web/services/manage.html
2. Supply a valid administrator user name and password obtained from the CAS administrator.
The Services Management page is displayed.
3. Click the Add New Service tab in the left corner of the page.
4. Add a new service by entering the fields as exemplified in the table below.
5. Click Save Changes.
The CAS server now protects the service that you defined.

Parameter     Description
Name          CAS services
Service URL   https://<cas-server>:<port>/cas-web/services
Description   Protect cas services
Theme Name    Cas
Status        Select Enabled and SSO Participant
Attributes    The service attributes

The registered service URL acts as an allow list: register the exact https URLs that clients will present. A pattern broad enough to match other hosts lets those hosts obtain tickets for your users, and, when Allowed to Proxy is also checked, proxy tickets on their behalf.
Banner CAS client configuration
Once the CAS server is configured to support Banner Enterprise Identity Services, you can configure Internet-native Banner and Banner Self-Service to participate in a CAS Single Sign-On (SSO) session. This is accomplished by deploying the Banner CAS Client Web application on the Admin server and the Portal server. This application proxies the CAS authentication process to the Banner SSO proxy Web applications that support Internet-native Banner and Banner Self-Service. The application is only required in a CAS-based environment.
Use the following steps to install and configure the Banner CAS Client Web application:
1. After you deploy the banner-cas-client version supplied with Banner Enterprise Identity Services for the Luminis Platform Admin and Portal instances, modify the following parameters in the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file:

Parameter                     Description
banner.sso.gateway            URL to the Banner SSO Web Proxy, which is part of the Banner Identity Gateway deployment.
cas.server.gateway            Determines whether the login screen is displayed to the user. The default is false.
cas.server.renew              Determines whether users must log in to each application. If set to true, users must log in to each application regardless of whether an SSO session was established; use this setting when users must not be able to reach another application within the SSO realm without presenting their credentials again. If set to false, users do not need to log in again once an SSO session has been established; use this setting for general use.
cas.server.url                URL to the CAS server. This is generally a secured container, so the URL should begin with https.
cas.server.proxyCallbackUrl   Server proxy callback URL, which should point to the CAS server and port.
cas.client.serverName         Client server address, consisting of the fully qualified server name and port where the application is running. Note: This should include the SSL port number.
cas.client.proxyCallbackUrl   Client proxy callback URL, which should point to the server and port where the client application is running. Note: This should include the SSL port number.

For example, the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file may appear as follows:
• Admin:
banner.sso.gateway=https://lcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
• Portal:
banner.sso.gateway=https://lcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com:443
• The following three properties are not in use:
cas.server.gateway=false
cas.server.proxyCallbackUrl=
cas.client.proxyCallbackUrl=
2. Test the Web application by invoking the following URL. This URL should be accessible from all resource and Portal tiers:
https://<Luminis host>:<SSL port>/banner-cas-client
The following URLs are used to start Banner in a CAS Single Sign-On environment:
• Internet-native Banner: http://<host>:<port>/banner-cas-client/authorized/banner/OracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/banner/SelfService
Use the https form of these URLs in production: the CAS service ticket is carried in the query string of the redirect back to the client, and over plain http it is exposed to anyone on the path.
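The following is an added example, not part of the guide or of the banner-cas-client application: a small Python lint for cas-client.properties that enforces the points made in the table (https for cas.server.url, a host:port serverName that belongs to the tier being configured, https proxy callbacks when they are set) plus one the table does not state, that the CAS protocol treats renew and gateway as mutually exclusive, so the two must not both be true. The dotted property names follow the table above; the two sample files and the tier hostnames are constructed for the example.

```python
# Added example; not part of the Ellucian guide or the banner-cas-client webapp.
# Lints a cas-client.properties file against the guidance in the table.
import re

# Constructed sample, modelled on the Portal example in the guide.
PORTAL_OK = """# constructed sample
banner.sso.gateway=https://lcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com:443
cas.server.gateway=false
cas.server.proxyCallbackUrl=
cas.client.proxyCallbackUrl=
"""

# Constructed weak sample: http CAS URL, serverName without a port,
# and renew and gateway both switched on.
PORTAL_WEAK = """# constructed sample
banner.sso.gateway=https://lcban4.sct.com:9010/bnSSOWeb
cas.server.renew=true
cas.server.gateway=true
cas.server.url=http://slcsup37.sct.com:8080/cas-web
cas.client.serverName=slcsup37.sct.com
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_cas_client(text, tier_host):
    """Return a list of findings; an empty list means the file passes.

    tier_host is the fully qualified name of the Admin or Portal host this
    file belongs to (each tier must carry its own cas.client.serverName)."""
    p = parse_properties(text)
    findings = []

    url = p.get("cas.server.url", "")
    if not url.lower().startswith("https://"):
        findings.append("cas.server.url must use https: %r" % url)

    server = p.get("cas.client.serverName", "")
    m = re.fullmatch(r"([A-Za-z0-9.-]+):(\d+)", server)
    if not m:
        findings.append("cas.client.serverName must be host:SSLport: %r" % server)
    else:
        if m.group(1).lower() != tier_host.lower():
            findings.append("cas.client.serverName host %r is not this tier's host %r"
                            % (m.group(1), tier_host))
        if m.group(2) == "80":
            findings.append("cas.client.serverName must carry the SSL port, not 80")

    renew = p.get("cas.server.renew", "false").lower()
    gateway = p.get("cas.server.gateway", "false").lower()
    for name, val in (("cas.server.renew", renew), ("cas.server.gateway", gateway)):
        if val not in ("true", "false"):
            findings.append("%s must be true or false: %r" % (name, val))
    # CAS protocol: renew forces re-authentication, gateway forbids prompting;
    # a request carrying both is contradictory and servers are told to ignore gateway.
    if renew == "true" and gateway == "true":
        findings.append("cas.server.renew and cas.server.gateway are mutually exclusive")

    for name in ("cas.server.proxyCallbackUrl", "cas.client.proxyCallbackUrl"):
        val = p.get(name, "")
        if val and not val.lower().startswith("https://"):
            findings.append("%s must use https when set: %r" % (name, val))

    gw = p.get("banner.sso.gateway", "")
    if not gw.lower().startswith("https://"):
        findings.append("banner.sso.gateway should use https: %r" % gw)
    return findings


if __name__ == "__main__":
    print("portal ok  :", lint_cas_client(PORTAL_OK, "slcsup38.sct.com"))
    print("wrong tier :", lint_cas_client(PORTAL_OK, "slcsup37.sct.com"))
    print("weak       :", lint_cas_client(PORTAL_WEAK, "slcsup38.sct.com"))
```

Run it once per tier with that tier's hostname; the Admin and Portal files differ only in cas.client.serverName, and copying one file to the other tier unchanged is the mistake the host check is there to catch.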
Banner Enterprise Identity Services Configuration Information Tables
The following is a list of tables that store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.
For Identity Data Export Utilities, as with other Web apps, the configuration is stored in the properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory, the files are stored in the following location:
applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties

Schema     Table            Application                          Comments
BNIXMGR    APCONFG          Banner Identity Gateway              Stores application configuration for SSB and INB
BNIXMGR    WSCONFG          Banner Identity Gateway              Stores configuration for the Open Digital Campus Identity Web Service (Credential service and Ticketing service)
IDENTMGR   T_UDC_PST_LIST   Enterprise Identity Proxy Services   Stores a list of Provisioning Service Targets
Luminis Banner Web application
This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.
Use the following steps to deploy these portlets:
1. Make the necessary changes to certain properties located in the following folders:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
$CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes
2. The properties that need to be modified with respect to the Banner portlets are as follows:
# The URL to access the Banner Portal Servlet
# Example: https://lcban3.sungardhe.com:7778/banportals
providerServlet.url=<URL for the banportals application>
# The user name to secure the servlet
providerServlet.userName=channelAdmin
# The password to secure the servlet
providerServlet.password=u_pick_it
version=development
# The SSB URL for the English locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
# The SSB URL for the French locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
# The SSB URL for the Spanish (Mexico) locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
# The SSB URL for the Arabic locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
# The SSB URL for the Brazilian Portuguese locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
# The BEIS version: 814 for versions <= 8.1.4, or 815 for version 8.1.5
beis.version=814
# The banner-cas-client URL for SSB when BEIS <= 8.1.4 is used
banner.cas.client.ssb=banner-cas-client/authorized/banner/SelfService
# The banner-cas-client URL for INB when BEIS <= 8.1.4 is used
banner.cas.client.inb=banner-cas-client/authorized/banner/OracleForms?launch_form=
# The SSB URL for SSO Manager when BEIS 8.1.5 is used (the pkg parameter must match the value configured in SSO Manager)
beis.ssomanager.ssb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/SSB?pkg=
# The INB URL for SSO Manager when BEIS 8.1.5 is used
beis.ssomanager.inb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/INB?otherParams=launch_form=
The providerServlet.password value is a shared secret between this webapp and the banportals servlet and is stored in clear text; replace the u_pick_it placeholder with a value of your own and restrict read access to the properties file.
Prepare to Install Luminis Platform Portlets for Banner
The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) application server.
This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server and modifications to be made to the deployment of the Luminis Platform portlet for Banner. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.
For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki at the following URL:
http://www.edu1world.org/CommonsLuminis
This section includes the following topics:
• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"
Create the home directory for Luminis Channels for Banner
To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels
Copy the contents of the channel/admin directory under your Banner production directory to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.
Edit the configuration file
Edit the banportals.config file located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following table specifies descriptions and examples of the Banner database connection configuration properties.
Property, description and example:

connectionName.list
    Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName, and so on.
    Example: connectionName.list=default or connectionName.list=default,other
default.tnsName
    TNS name used when connecting to the Banner database.
    Example: default.tnsName=LB70.sct.com
default.userName
    Connection pool user name.
    Example: default.userName=banproxy
default.password
    Connection pool password.
    Example: default.password=banproxy
default.poolConfig.min-limit
    Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
    Example: default.poolConfig.min-limit=1
default.poolConfig.max-limit
    Maximum number of physical connections maintained by the pool.
    Example: default.poolConfig.max-limit=5
default.poolConfig.increment
    Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
    Example: default.poolConfig.increment=1
default.poolConfig.timeout
    The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is in seconds.
    Example: default.poolConfig.timeout=30
log4j.rootCategory
    The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to <ORACLE_HOME>/opmn/<oc4j instance>/logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.
providerServlet.url
    URL to access the Banner portal servlet. This is the URL of the web server and points to the OC4J servlet that resides on the web server machine. The port of 4445 in the document is an example; supply the port number that routes you to the welcome page of the web server, such as http://<yourservername.com>:7777. The banportals portion of the URL is the suggested virtual path for the OC4J servlet; see "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.
    Example: providerServlet.url=http://<yourservername.com>:7777/banportals
providerServlet.userName
    User name to secure the servlet.
    Example: providerServlet.userName=channelAdmin
providerServlet.password
    Password used to secure the servlet.
    Example: providerServlet.password=u_pick_it

The example sets the pool password equal to the pool user name (banproxy/banproxy); that is illustrative only. The BANPROXY account can act on behalf of Banner users, so give it a strong password and protect banportals.config, which holds it in clear text.

The recommended value for the user name is channelAdmin. You can use any value for the password.
This user name and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a channel request, it compares the user name and password stored in banportals.ear with the user name and password sent by Luminis from the luminis-banner webapp. Thus the providerServlet user name and password only need to be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user, and so forth. Because this secret is the only thing standing between an arbitrary caller and the channel servlet, choose a long random value rather than the placeholder.
The table continues with the following properties:

xsl-parameter.erpUrlBase
    URL for the INB server.
    Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL below.
    Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D
xsl-parameter.urlHostAndPath
    URL for the self-service application.
    Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD

Generate the banportals.ear file
The banportals.config file contains values that should be inserted into the banportals.ear file.
To roll the changes out, use the installer file banportalsadmin.jar. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager as described in "Deploy the EAR file" on page 2-15.
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use the Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and uploads it to the OAS10g server. The EAR file must be available to the machine on which you are browsing the Enterprise Manager. If it is not, the file must first be copied to the browser machine in order to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you cannot reach the banportals.ear file from your local (browser) machine using mapped drives or symbolic links, you need to FTP the file to your local machine and then select the file locally. Because the EAR carries the database and providerServlet credentials from banportals.config, copy it over an encrypted channel such as SFTP or SCP rather than plain FTP.
5. Select a name to identify the application within the OC4J instance. This name must be unique within the OC4J instance and should typically contain the application currently being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not /banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates to the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate user name mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To improve performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process looks for an LDAP user name mapping first, based on the GUAUPRF LDAP settings, and then fails over to the mapping set in the Banner GOBEACC table. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and the event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for use with, and in support of, Banner Integration for e-Learning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring Framework application server context, which contains native JMS client connectivity by default. In addition, the JMS provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish Open MQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, and the .../imq/instances/imqbroker directory structure, including props/config.properties and etc/accesscontrol.properties.
You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the Open MQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows:
mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following to the .bash_profile of your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
export SCT_LMG_HOME
3. Copy lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgX.x.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may appear as follows:
java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Because the database and JMS passwords are passed as command-line arguments, they are visible in the process list while the installer runs and are recorded in the shell history afterwards; remove the history entry and do not reuse the example values.
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page at the following URL:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects, such as topics, queues, and connection factories, in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:
• Environmental settings:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
The value password shown for both accounts is a placeholder; set a distinct real value for each and keep it consistent across the script, event_providers.plist, and bootstrap.properties.
• MQ_JMS_PORT should match imq.jms.tcp.port, and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use imq.portmapper.port, which has a default value of 7676:
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 (https), which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSLJMS connection.
• Other settings, which should only be modified in non-standard configurations:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> values should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search, and compare privileges in o=messaging.
Two points to keep in mind: the bind password sits in clear text in config.properties, so restrict read access to that file; and because ldap.server points at the plain LDAP port, the broker's binds (which carry every connecting client's password for verification) are unencrypted on the wire. That is acceptable only while the directory is on the same host as the broker, as the script assumes; if the directory is moved elsewhere, enable the broker's LDAP-over-SSL option (imq.user_repository.ldap.ssl.enabled) and point at the directory's SSL port.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change imq.log.level to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis:
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
The original sample spelled the Luminis user as "lumser" in four of these lines; the name in each rule must match the LDAP entry exactly, or the rule applies to nobody. Two further points: this sample grants the ADMIN connection service to both application accounts, which lets either of them administer the broker with imqcmd, so prefer a dedicated administrative user if that is not intended; and review the wildcard rules that ship in the default accesscontrol.properties (the queue.* and topic.* entries) so that destinations not listed here are not left open to every authenticated user.
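As an added check (this is not code from the guide or from Open MQ), the following Python reads an accesscontrol.properties fragment in the format above and answers the two questions worth asking before enabling it: does every rule name a principal that actually exists in the directory, and what can a given user do to a given destination once the file is in force. The precedence it implements is the one the Open MQ administration guide describes as this example understands it (a rule for a named destination overrides the "*" rule, and an explicit deny overrides an allow); confirm it against your broker version. The sample file is constructed, and it deliberately repeats the "lumser" typo from the original sample so the check has something to find; only the ...user rules are modelled, not group rules.

```python
# Added example; not part of the Ellucian guide or Open MQ. Parses the
# accesscontrol.properties rule syntax shown above and evaluates it.

KNOWN_USERS = {"lumuser", "lmguser", "admin"}   # assumed directory contents

SAMPLE_ACL = """# constructed sample accesscontrol.properties
connection.ADMIN.allow.user=lumuser,lmguser
queue.*.produce.allow.user=*
queue.*.consume.allow.user=*
topic.*.produce.allow.user=*
topic.*.consume.allow.user=*
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""


def parse_acl(text):
    """Map (kind, destination, operation, allow|deny) -> set of user names.

    Handles connection.<service>.<allow|deny>.user and
    <queue|topic>.<dest>.<op>.<allow|deny>.user; group rules are ignored."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        users = set(v.strip() for v in value.split(",") if v.strip())
        if parts[0] == "connection" and len(parts) == 4 and parts[3] == "user":
            rules[("connection", parts[1], "connect", parts[2])] = users
        elif parts[0] in ("queue", "topic") and len(parts) == 5 and parts[4] == "user":
            rules[(parts[0], parts[1], parts[2], parts[3])] = users
    return rules


def allowed(rules, kind, dest, op, user):
    """Most specific rule wins: named destination before '*', deny before allow.
    With no applicable rule at all the answer is False."""
    for d in (dest, "*"):
        deny = rules.get((kind, d, op, "deny"), set())
        allow = rules.get((kind, d, op, "allow"), set())
        if not deny and not allow:
            continue
        if user in deny or "*" in deny:
            return False
        return user in allow or "*" in allow
    return False


def unknown_principals(rules, known):
    """Names used in rules that are not known principals, with the rules using them."""
    found = {}
    for key, users in rules.items():
        for u in users - known - {"*"}:
            found.setdefault(u, []).append(key)
    return found


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("unknown principals:", unknown_principals(acl, KNOWN_USERS))
    print("lumuser may produce EntityEvents:",
          allowed(acl, "topic", "com_sct_ldi_sis_EntityEvents", "produce", "lumuser"))
    print("lumuser may consume Error (unlisted, wildcard applies):",
          allowed(acl, "topic", "com_sct_ldi_sis_Error", "consume", "lumuser"))
```

The two printed results show the point of the review: the typo locks the real lumuser out of the EntityEvents topic it is meant to publish to, while the Error topic, which the sample never mentions, stays open to every authenticated user through the wildcard rule.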
Custom JMS Clients
Ensure your JMS clients contain the same versions of jmsjar and imqjar in their classpath for any connecting applications These JAR files should match ltglassfishgtmqlib
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the clients' requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ or the Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa
In most cases installation is simply a matter of extracting the archive to the desired directory.
As a reference installation, you could use the following steps to install open-source GlassFish on a Linux 4.x or 5.x server.
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ.
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/glassfish/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), start the GlassFish server from <GLASSFISH_HOME>/bin using the following command. The reference installation does this while logged in as root; running the domain under a dedicated unprivileged account that owns <GLASSFISH_HOME> is the safer choice, since the broker configuration (including the stored credentials below) is then neither readable nor writable by other local users.
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps.
Note: The imqusermgr command creates users in the file-based user repository and can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials for imqcmd are admin/admin. These credentials differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jms.userid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin. Here cpadmin and pipeline are the sample user name and password used throughout this guide; substitute your own, and do not leave pipeline in place on a production broker.
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the admin password. Do this even if you created a separate user in step 3.1: the default admin/admin credentials are publicly documented and the admin group can reconfigure the broker.
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then advertises the ports to use for the other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not permitted at the firewall, or if you otherwise prefer static ports, both the firewall and the MQ must be configured for static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (once the broker's default host has been renamed to your FQDN, as described in step 5.3), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying <ip address>...
Connected to userportal.sungardhe.com (<ip address>).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
Note that the cluster service still advertises an ephemeral port (50627 here). For a single-broker deployment it can be left alone; if the firewall needs a fixed value, imq.cluster.port pins it in the same way.
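As an added example, not part of the guide, the following Python script reads the same table the telnet session shows (the broker writes it and closes as soon as a client connects to 7676), parses it, and checks that the admin and jms services are on the static ports the firewall rules expect. The sample reply is constructed from the output above with the jms service deliberately left on its dynamic port; broker.example.edu is a placeholder host name.

```python
"""Read the Open MQ portmapper table and verify static port assignments.

Added example, not part of the guide or of Open MQ. It parses the text that
the broker sends on port 7676 (the table the telnet session above shows) and
reports any expected service that is still on an ephemeral port, is not
advertised, or is inactive (port 0). SAMPLE_REPLY is constructed from the
guide's output with the jms service left on its dynamic port.
"""
import re
import socket
from typing import Dict, List

# "<service> <protocol> <type> <port> [optional key=value list]"
SERVICE_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)(?:\s+\[(.*)\])?$")

SAMPLE_REPLY = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,imqhome=/opt/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://broker.example.edu/jndi/rmi://broker.example.edu:8686/broker.example.edu/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 42103
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""


def fetch_portmapper(host: str, port: int = 7676, timeout: float = 5.0) -> str:
    """Connect to the broker's portmapper; it dumps the table and closes the socket."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


def parse_portmapper(reply: str) -> Dict[str, dict]:
    """Map service name -> {protocol, type, port, extra}; the header line is skipped."""
    services: Dict[str, dict] = {}
    for line in reply.strip().splitlines()[1:]:  # line 0 is "<ver> <instance> <broker version>"
        m = SERVICE_LINE.match(line.strip())
        if m is None:
            continue
        name, proto, stype, port, extra = m.groups()
        services[name] = {"protocol": proto, "type": stype, "port": int(port), "extra": extra or ""}
    return services


def check_static_ports(services: Dict[str, dict], expected: Dict[str, int]) -> List[str]:
    """Compare advertised ports with the ones the firewall rules were written for."""
    problems = []
    for name, want in expected.items():
        svc = services.get(name)
        if svc is None:
            problems.append(f"{name}: not advertised by the broker")
        elif svc["port"] == 0:
            problems.append(f"{name}: inactive (port 0)")
        elif svc["port"] != want:
            problems.append(f"{name}: listening on {svc['port']}, expected {want}; "
                            "check imq.<service>.tcp.port in config.properties")
    return problems


if __name__ == "__main__":
    # Against a live broker: parse_portmapper(fetch_portmapper("broker.example.edu"))
    table = parse_portmapper(SAMPLE_REPLY)
    for problem in check_static_ports(table, {"admin": 7574, "jms": 7575}):
        print(problem)
```

Because the portmapper answers any client without authentication, it is also a cheap way to confirm from the Luminis host that only the intended ports are reachable through the firewall.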
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.
If Luminis Platform was installed with the default setting jms.enabled=false, JMS can be enabled in the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jms.userid>
com.sghe.luminis.imqConnectionCredentials=<jms.password>
com.sghe.luminis.imqBrokerHostName=<jms.host>
com.sghe.luminis.imqAddressList=mq://<jms.host>:7676/jms
The broker password is stored in clear text in this file, so restrict bootstrap.properties to the account that runs Tomcat.
5. The GlassFish Enterprise Server should be installed, with the JMS and admin services listed in imq.service.activelist within <glassfish-domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any imqcmd commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is held in GOBUMAP; PIDM <-> SPRIDEN ID mappings are in the SPRIDEN table; PIDM <-> INB (Oracle) login mappings are in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP authentication layer is not involved beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely on the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication or SPRIDEN ID lookup against LDAP in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, place their trust in the initial CAS ticket (as in the Luminis CAS login on port 8447) coupled with the assertion of the UDC ID in the configured cookie and header. Because the Banner side treats that cookie and header as the user's identity, make sure the applications behind bnSSOWeb cannot be reached directly with a client-supplied header of the same name; only the banner-cas-client path should be able to set it.
Luminis Portlets for Banner add database-level security with banportals for each transaction, using the user's actual INB/Oracle user account or, by proxy, BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP from his UDC ID to a valid PIDM, and does the user have a UDC ID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnig web configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001; otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN such as o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps.
1. From $CP_ROOT/products/opends/bin, run the following command:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN. For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Select Use these values.
1.7 Press F to finish and apply the changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
The -X (--trustAll) option accepts any server certificate, which is tolerable only for this loopback connection. When running the tool against a remote directory, drop -X and supply a trust store with -P instead, so that the Directory Manager password is not sent to an impostor.
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Here pipeline is the sample Directory Manager password used throughout this guide. A password given with -w is visible in the process list and shell history; prefer -j <password-file> (--bindPasswordFile) or omit -w so the tool prompts for it.
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any user without an explicit usermap, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted the proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for INB channels such as the My Banner channel the GOBEACC mapping does not apply; instead a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used for that bind is stored on GUAUPRF and is encrypted with DES through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption. Be clear about what this protects: single DES has a 56-bit effective key and is reversible by anyone who can read both the stored value and the enckey file, so treat the key file and the GUAUPRF rows as equivalent in sensitivity to the Directory Manager password itself.
Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in DBA_DIRECTORIES and the physical directory has not been created on your database server, create it using the following steps. Make sure the directory and the key file are readable by the Oracle group, and by nobody else.
1. Create the physical directory on your database server, such as mkdir $BANNER_HOME/key_dir.
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD (a placeholder only; use a random mix of letters and digits rather than a dictionary word).
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step 1. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to copy it manually from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
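As an added example rather than anything shipped with Banner, the following Python code checks an enckey file against the rules just listed, shows which characters single DES actually uses, and generates a random key that satisfies the rules. The padding character applied when the key is shorter than 24 characters is an assumption, since the guide does not say what GOKKSSO pads with.

```python
"""Check an enckey file against the GOKKSSO key rules and generate a good one.

Added example, not Ellucian code. validate_enckey() applies the rules stated
above (column 1, letters plus digits, at least eight characters, a multiple of
eight, only the first 24 used) and reports which characters single DES keys
on. generate_enckey() produces a random key that satisfies the rules, which is
preferable to a guessable word such as PASSWORD. The padding character used
when the key is shorter than 24 is an assumption; the guide does not state it.
"""
import secrets
import string
from dataclasses import dataclass, field
from typing import List


@dataclass
class EnckeyReport:
    ok: bool
    effective_key: str          # what GOKKSSO would use: first 24 chars, padded to 24
    des_key: str                # first 8 chars: all that single DES actually consumes
    errors: List[str] =  field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def validate_enckey(file_text: str, pad_char: str = " ") -> EnckeyReport:
    """Validate the first line of an enckey file the way the rules above describe it."""
    key = file_text.split("\n", 1)[0].rstrip("\r")
    errors: List[str] = []
    warnings: List[str] = []
    if key != key.lstrip():
        errors.append("key must start in column 1 (leading whitespace found)")
    if len(key) < 8:
        errors.append("key must contain at least eight characters")
    elif len(key) % 8:
        errors.append("key length must be a multiple of eight")
    if not (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)):
        errors.append("key must combine letters and digits")
    if len(key) > 24:
        warnings.append("only the first 24 characters are used; the rest are ignored")
    if key and (key.upper() == key or key.lower() == key):
        warnings.append("single-case keys shrink the search space for the 8-character DES portion")
    used = key[:24].ljust(24, pad_char)   # pad_char is an assumption, see the docstring
    return EnckeyReport(ok=not errors, effective_key=used, des_key=used[:8],
                        errors=errors, warnings=warnings)


def generate_enckey(length: int = 24) -> str:
    """Random alphanumeric key of a valid length with at least one letter and one digit."""
    if length < 8 or length % 8:
        raise ValueError("length must be a multiple of eight, at least eight")
    alphabet = string.ascii_letters + string.digits
    while True:
        key = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.isalpha() for c in key) and any(c.isdigit() for c in key):
            return key


if __name__ == "__main__":
    report = validate_enckey("PASSWORD\n")
    print(report.ok, report.errors, report.warnings)
    print(generate_enckey())    # paste into enckey, column 1, single line
```

Write the generated key to enckey on the database server with a single trailing newline and no leading spaces; the validator reads the file exactly as GOKKSSO would, first line only.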
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If a user's ID is the same in both systems, an entry in this location is neither necessary nor recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value: Luminis ID = jsmith, Oracle/Banner ID = jsmith
• Mapped to one another in LDAP: Luminis ID = JoeSmith, Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping when the IDs differ. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server (pipeline is the sample Directory Manager password used in this guide):
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner, and the value is cached from then on. If you change a particular mapping, you must restart the banportals OC4J before the new mapping is read. Because anyone who can write to o=usermap can point a Luminis login at a different Oracle account, restrict write access on that subtree to the Directory Manager.
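As an added example (not Ellucian code), the following Python script builds sso_map.ldif entries in the shape shown in step 1 from a list of Luminis-ID to Banner-ID pairs. It skips pairs whose IDs already match, refuses a Luminis ID that is mapped twice, and escapes the cn RDN per RFC 4514, which matters because a Luminis ID containing a comma or another DN metacharacter would otherwise land the entry under a different DN than intended. The pairs are constructed sample data.

```python
"""Build o=usermap LDIF entries from (Luminis ID, Banner/Oracle ID) pairs.

Added example, not Ellucian code. It emits exactly the entry shape shown in
step 1 for every pair whose IDs differ, skips pairs that already match (the
guide says those need no entry), rejects a Luminis ID mapped twice, and
escapes RDN values per RFC 4514 so an ID containing ',' '+' '"' '\\' '<' '>'
';' or a leading '#' or space cannot alter the DN. SAMPLE_PAIRS is
constructed sample data.
"""
import base64
from typing import Iterable, List, Tuple

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"

SAMPLE_PAIRS: List[Tuple[str, str]] = [
    ("JoeSmith", "jsmith"),      # the guide's example: differing IDs, needs an entry
    ("jdoe", "jdoe"),            # identical on both sides: no entry
    ("Smith, Jane", "jasmith"),  # the comma would otherwise add a bogus RDN to the DN
]


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr: str, value: str) -> str:
    """LDIF attribute line; base64 when the value is not safe to write in clear (RFC 2849)."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or any(ord(c) > 127 or c in "\r\n\x00" for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def usermap_entries(pairs: Iterable[Tuple[str, str]], base: str = USERMAP_BASE) -> List[str]:
    """One LDIF entry (as a string) per differing pair, in input order."""
    entries: List[str] = []
    seen = set()
    for luminis_id, banner_id in pairs:
        if luminis_id == banner_id:
            continue  # same ID in both systems: the guide says no entry is needed
        if luminis_id in seen:
            raise ValueError(f"{luminis_id!r} mapped more than once")
        seen.add(luminis_id)
        entries.append("\n".join([
            f"dn: cn={escape_rdn_value(luminis_id)},{base}",
            "objectClass: top",
            "objectClass: SCTSSOConfig",
            ldif_line("cn", luminis_id),
            ldif_line("SCTSSOConfigString", banner_id),
            ldif_line("description", f"Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {banner_id}"),
        ]))
    return entries


def to_ldif(pairs: Iterable[Tuple[str, str]]) -> str:
    """Complete file body for ldapmodify -a: entries separated by a blank line."""
    return "\n\n".join(usermap_entries(pairs)) + "\n"


if __name__ == "__main__":
    print(to_ldif(SAMPLE_PAIRS), end="")
```

Feed the output to the ldapmodify command from step 2; the -c flag there keeps going past an entry that already exists, so re-running the import after adding pairs is safe.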
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps.
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value is displayed as the default for new users who log in to Banner.
Parameter: Description
BIND_PASSWORD: The password for the bind user. It is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter uses LDAP URL format, for example ldap://myldapserver:389.
Note: If you are using LDAPS, you should also configure the parameters in the SSL key (step 5). Without it, the bind password and the lookups travel in clear text between the database server and the directory.
USERMAP_OPT: Usermap option. Valid values are L (LoginID is being used for login mapping) and N (no usermap option is used).
USERMAP_PRFX: Prefix for the usermap. This holds the prefix for the usermap option; the default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are governed by the USERMAP_OPT parameter; the expected value is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters.
Parameter: Description
LOCATION: To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location of that wallet on the server, in file URL format. For example: file:d:/wallet for Windows, file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode, one of the following values:
1 - No authentication is required (SSL encryption only). No certificate is verified in this mode, so it protects against eavesdropping but not against a spoofed LDAP server.
2 - One-way authentication is required; the client certificate is authenticated by the server.
3 - Two-way authentication is required; the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have a CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions listed below.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. In the steps that follow, CAS_EXTENSION stands for that temporary location (for example D:\Banner_IdM_Extension) and SGHE_CAS_SERVER for the Luminis Platform CAS server location, $CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war.
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.2 Modify SGHE_CAS_SERVER/WEB-INF/web.xml by adding the following servlet mapping:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.3 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.
4.3.1 Open the uniqueIdGenerators.xml file.
4.3.2 Inside the existing <util:map id="uniqueIdGeneratorsMap"> element, add the following entry:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.3.3 Save and close the uniqueIdGenerators.xml file.
4.4 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml by completing the following steps.
4.4.1 Open the argumentExtractorsConfiguration.xml file.
4.4.2 Add the following bean definition:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.4.3 Add a reference to it in the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.4.4 Save and close argumentExtractorsConfiguration.xml.
4.5 Modify SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml by completing the following steps.
4.5.1 Open cas-servlet.xml and add the following bean definition:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
      p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:proxyHandler-ref="proxy20Handler"
      p:argumentExtractor-ref="BannerArgumentExtractor"
      p:successView="bannerAccountServiceSuccessView"
      p:failureView="bannerAccountServiceFailureView" />
4.5.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.5.3 Save and close the cas-servlet.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml by completing the following steps.
4.6.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.6.2 Add the following property inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.6.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.6.4 Save and close the deployerConfigContext.xml file.
4.7 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties by completing the following steps.
4.7.1 Open default_views.properties.
4.7.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.7.3 Save and close default_views.properties.
4.8 Define CAS managed services. For more information, see "CAS managed services" on page 2-4. This is where the UDC_IDENTIFIER attribute is released to Banner: register the exact banner-cas-client service URLs and allow the attribute only for them, so that an arbitrary service registered with CAS cannot obtain users' UDC IDs.
B Logs
Banner Enterprise Identity Services logs help you understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, the secure content provider for the Luminis Channels for Banner (also known as Banner Channels for Luminis Platform). It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a separate log file that captures details of the channel Web Proxy activity, edit log4j.properties as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=true
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
DEBUG output from the Web Proxy can include request parameters and session identifiers, so keep these logs on a restricted filesystem and return to ERROR once the investigation is over.
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several application-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name '*.log'
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the logs in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure them.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1 in the reference installation; change that password if it is still in use). Through this interface you can stop, start and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain:
/opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location:
/opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a separate logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the logs listed above after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
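When an event is stuck, the useful question is which event IDs LMG validated but never handed to the message broker. The following is an added example, not part of the guide or of LMG: it parses adapter.log lines in the format shown above and correlates them by the Banner event ID (the GOAEQRM Event Sequence). The log lines are constructed sample data; the ERROR line and its wording are assumed, not taken from LMG.

```python
"""Correlate LMG adapter.log lines by Banner event ID (added example)."""
import re
from collections import defaultdict

# Constructed sample in the adapter.log format shown in the guide; the
# event IDs and the final ERROR line are made up for the example.
SAMPLE_ADAPTER_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,114 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:03,000 [Thread-1] ERROR events.com.sctcorp.events.MessageAdapter - Failed to publish message 370661: connection refused
"""

# "<timestamp> [<thread>] <LEVEL> <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)
# Messages that carry the Banner event ID (GOAEQRM Event Sequence).
VALID_RE = re.compile(r"XML for (\d+) is a valid document")
PUBLISHED_RE = re.compile(r"Message (\d+) published to Luminis Message Broker")
DELIVERED_RE = re.compile(r"The event (\d+) has been published to (\S+)")
ANY_ID_RE = re.compile(r"\b(\d{5,})\b")


def parse_line(line):
    """Split one adapter.log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def correlate(text):
    """Return {event_id: state} built from every parseable line in text."""
    events = defaultdict(lambda: {"valid": False, "published": False,
                                  "targets": [], "errors": []})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        m = VALID_RE.search(msg)
        if m:
            events[m.group(1)]["valid"] = True
            continue
        m = PUBLISHED_RE.search(msg)
        if m:
            events[m.group(1)]["published"] = True
            continue
        m = DELIVERED_RE.search(msg)
        if m:
            events[m.group(1)]["targets"].append(m.group(2))
            continue
        # Any ERROR/WARN line that mentions an event ID is kept for that event.
        if rec["level"] in ("ERROR", "WARN"):
            m = ANY_ID_RE.search(msg)
            if m:
                events[m.group(1)]["errors"].append(msg)
    return dict(events)


def stuck_events(text):
    """Event IDs that LMG validated but never published to the broker."""
    return sorted(eid for eid, state in correlate(text).items()
                  if state["valid"] and not state["published"])


if __name__ == "__main__":
    for eid, state in correlate(SAMPLE_ADAPTER_LOG).items():
        print(eid, state)
    print("stuck:", stuck_events(SAMPLE_ADAPTER_LOG))
```

Run it against a real adapter.log by reading the file into `correlate()`; an event that appears in `stuck_events()` is the one to look up on GOAEQRM and in the broker logs.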
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the directory or file name of the MQ log, add or edit the following properties in the same file:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• “Sample proxyinfo.sql script”
• “Sample 00-core.ldif”
• “Sample 99-user.ldif”
• “Sample sso_oclass_lum5.ldif”
• “Sample o=sctssoapplications.ldif”
• “Full lp5_mqinit.sh script”
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID,
-- such as INTEGMGR or WWW_USER, is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS       TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                        TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- SQL*Plus prompts for the Luminis ID
  d varchar2(200);                    -- Oracle user returned by the mapping
  e varchar2(200);                    -- role
  f varchar2(200);                    -- password (deliberately not printed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. After importing the following LDIF, 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in “Sample o=sctssoapplications.ldif” on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
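The usermap above is what the SSO layer consults when a Luminis login name differs from the Banner (Oracle) user. The following is an added example, not part of the guide or of Luminis: a small LDIF reader that loads the sample (embedded here in abridged, constructed form, with one description base64-encoded to exercise the LDIF `::` form), follows the UserMapDN pointer to the usermap container and resolves a Luminis ID to its Banner user. It returns a default Oracle ID when no mapping exists, mirroring what proxyinfo.sql reports; the default name INTEGMGR and the rejection of IDs containing DN metacharacters are the example's own choices.

```python
"""Resolve a Luminis ID to a Banner user via o=usermap (added example)."""
import base64

# Constructed, abridged copy of the guide's sample LDIF. One description is
# base64-encoded (the LDIF '::' form) so the parser's decoding path is shown.
_B64_DESC = base64.b64encode(b"Map of 610009611 to saisusr").decode("ascii")
SAMPLE_LDIF = f"""version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description:: {_B64_DESC}
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
"""

USERMAP_CONFIG_DN = "cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications"
# RDN metacharacters; a Luminis ID containing one cannot be spliced into a DN safely.
DN_SPECIAL = set(',+"\\<>;=')


def norm_dn(dn):
    """Case-fold a DN and drop whitespace around its components for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}} from LDIF text.

    Handles folded continuation lines (leading space) and base64 ('::') values.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn, attrs = {}, None, {}
    for line in unfolded + [""]:          # sentinel flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[norm_dn(dn)] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def resolve_banner_user(ldif_text, luminis_id, default_oracle_id="INTEGMGR"):
    """Return the mapped Banner user, or the default when no mapping exists
    (or when the ID is not safe to use as an RDN value)."""
    if not luminis_id or any(ch in DN_SPECIAL for ch in luminis_id):
        return default_oracle_id
    entries = parse_ldif(ldif_text)
    config = entries.get(norm_dn(USERMAP_CONFIG_DN), {})
    usermap_dn = config.get("SCTSSOConfigString", [None])[0]
    if not usermap_dn:
        return default_oracle_id
    entry = entries.get(norm_dn(f"cn={luminis_id},{usermap_dn}"), {})
    return entry.get("SCTSSOConfigString", [default_oracle_id])[0]


if __name__ == "__main__":
    for uid in ("kyle", "610009611", "nobody"):
        print(uid, "->", resolve_banner_user(SAMPLE_LDIF, uid))
```

Against a live directory the same two lookups would be LDAP searches for the UserMapDN entry and then for `cn=<luminis id>` under the DN it names; keeping the ID out of any DN when it contains metacharacters is what prevents a crafted login name from addressing a different entry.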
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in “Set up users and administered objects in o=messaging” on page 3-3 is listed below.
#!/bin/bash
# bash is required: the script uses [[ ]], (( )) and read -s
#
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc; general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      #   err=20 generally means "Attribute or Value Exists"
      #   err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! -d "$OPENDS_DIR" || ! -w "$OPENDS_DIR" ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
# (-w passes the bind password on the command line, where other local users
#  can see it in the process list while each command runs)
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd "$CP_ROOT/products/opends/bin" || exit 1
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be
# (base64 of the {SSHA}... value, which is what LDIF's '::' denotes):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (lookup names are single-quoted so the shell does not expand "$com_...")
cd "$MQ_HOME/bin" || exit 1
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the destination name must match the UpdateRequest queue created with imqcmd above)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (the destination name must match the UpdateReply queue created with imqcmd above)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following “connect through” grant is required for all non-INB users:
SQL> alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users, regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as BANSECR, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect-through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID will be used for a given SPRIDEN ID or Luminis Platform user, use the gspprxy.g$_get_proxy_info procedure or the proxyinfo.sql script (run as BANSECR) described in “Sample proxyinfo.sql script” on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as “SOAPException: faultCode=INVALID SOAP RESPONSE” in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide's version is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7, located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If the streams are locking on archive logs, you can remove the streams by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
Deployment architecture overview
The deployment model for a fully integrated Banner system, Luminis Platform portal and CAS server is illustrated below.
The next few chapters discuss the following topics:
• “Central Authentication Service and Banner Enterprise Identity Services”
• “Data-Level Integration and Provisioning”
• “SSB and INB Integration”
2 Central Authentication Service and Banner Enterprise Identity Services
Central Authentication Service (CAS) is an enterprise Single Sign-On (SSO) solution for Web applications. CAS SSO improves the user experience when running several Web applications that each have their own means of authentication. With an SSO solution, users authenticate to one central authentication service and can access other Web applications that have a trust relationship with the central authentication service without a secondary login. For example, if you want to access your portal instance, you are redirected to CAS to log in. CAS authenticates the user credentials and returns a ticket to the browser, which allows access to the portal.
CAS and Banner Enterprise Identity Services (BEIS) are required for the success of single sign-on (SSO) links within Luminis Platform.
This chapter contains the following sections:
• “CAS server configuration for UDCIdentifier”
• “Banner CAS client configuration”
• “Banner Enterprise Identity Services Configuration Information Tables”
• “Luminis Banner Web application”
• “Prepare to Install Luminis Platform Portlets for Banner”
CAS server configuration for UDCIdentifier
This section provides information about configuring the Luminis Platform CAS server to support Banner Enterprise Identity Services (BEIS) or any other SunGard Higher Education products that are UDCIdentifier aware and participate in a CAS SSO session.
Note: CAS versions 3.2.1.1 and 3.3.1 are supported. CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
This section includes the following topics:
• “Prerequisites”
• “CAS protocol extension”
• “Specify bannerValidate parameters”
• “Returned bannerValidate responses”
• “Configure the CAS server”
• “CAS managed services”
Prerequisites
Before implementing CAS with UDCIdentifier, the following prerequisites must be met:
• The identity repository used by the CAS server must be UDCIdentifier aware.
• You must have an understanding of the CAS protocol (2.0) and architecture (3.2).
CAS protocol extension
SunGard Higher Education uses the CAS attribute assertion features to assert additional identity attributes. The SunGard Higher Education CAS protocol is implemented by adding a validation service (bannerValidate) to the CAS server.
Note: The bannerValidate service is similar to the serviceValidate feature available in the JA-SIG CAS server reference implementation.
Upon successful CAS authentication, the CAS client validation filter calls the bannerValidate service to get information for the enterprise user. The service checks the validity of a service ticket and returns a UDCIdentity XML fragment response.
Note: The bannerValidate service does not generate and issue proxy-granting tickets when requested. The bannerValidate service must not return a successful authentication if it receives a proxy ticket.
Specify bannerValidate parameters
The following HTTP request parameters must be specified to the bannerValidate service. These parameters are case sensitive and are handled by bannerValidate.
Parameter | Description
BANNER-SV | Identifier of the service for which the CAS ticket was issued. Refer to the JA-SIG CAS overview, section 2.2 of the CAS protocol, for information pertaining to the login.
BANNER-ST | Service ticket issued by the CAS login service when a client presents credentials. A service ticket is an opaque string that the client uses as a credential to obtain access to a service.
Returned bannerValidate responses
The bannerValidate service returns one of the following three responses:
• If the ticket validation is successful, the following XML-formatted response is returned:
<urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>maldevl5.sct.com/cas-client-3.1/authorized/bannerSelfService</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>
• If the UDC_IDENTIFIER is not asserted as a part of the validation response, an AssertionValidation error is returned.
• If the ticket validation fails, an HTTP 401 error code is returned.
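On the client side, the three outcomes above and the rule that bannerValidate must never succeed for a proxy ticket translate into a few concrete checks. The following is an added example, not code from the guide, from Luminis or from the JA-SIG CAS client: it parses the UDCIdentity fragment shown above and refuses a response that asserts no UDC_IDENTIFIER, a ticket that is not a service ticket, or a BANNER-SV that differs from the service the client asked about. The sample response is the guide's own; the ST-/PT- prefixes are the CAS protocol's ticket conventions, and the exception names and the 401 handling are the example's assumptions.

```python
"""Client-side checks for a bannerValidate response (added example)."""
import xml.etree.ElementTree as ET

# Namespace of the UDCIdentity fragment in the guide's sample response.
UDC_NS = "urn:sungardhe:enterprise:domain:identity:1.0"
NS = {"urn": UDC_NS}


class AssertionValidationError(Exception):
    """The response did not assert a UDC_IDENTIFIER (the guide's second outcome)."""


class ServiceMismatchError(Exception):
    """BANNER-SV in the response differs from the service the client expected."""


# Constructed sample, copied from the guide's successful-response example.
SAMPLE_RESPONSE = """<urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>maldevl5.sct.com/cas-client-3.1/authorized/bannerSelfService</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>"""


def is_service_ticket(ticket):
    """In the CAS protocol service tickets begin with 'ST-' and proxy tickets
    with 'PT-'; bannerValidate must never succeed for a proxy ticket."""
    return isinstance(ticket, str) and ticket.startswith("ST-")


def parse_udc_identity(xml_text):
    """Parse the UDCIdentity fragment; raise if no UDC_IDENTIFIER is asserted."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}UDCIdentity" % UDC_NS:
        raise AssertionValidationError("not a UDCIdentity response")
    udc_id = (root.findtext("urn:UDCIdentifier", default="", namespaces=NS) or "").strip()
    if not udc_id:
        raise AssertionValidationError("UDC_IDENTIFIER not asserted")
    logon_id = (root.findtext("urn:LogonID", default="", namespaces=NS) or "").strip()
    attributes = {}
    for attr in root.findall("urn:Extension/urn:Attribute", NS):
        name = (attr.findtext("urn:name", default="", namespaces=NS) or "").strip()
        attributes[name] = (attr.findtext("urn:value", default="", namespaces=NS) or "").strip()
    return {"udc_identifier": udc_id, "logon_id": logon_id, "attributes": attributes}


def handle_validate_reply(ticket, expected_service, http_status, body):
    """Map the three outcomes the guide lists to a client decision.

    Returns the identity dict on success and None when the server answered
    HTTP 401; raises for a proxy/malformed ticket, a missing UDC_IDENTIFIER,
    or a BANNER-SV that is not the service this client presented.
    """
    if not is_service_ticket(ticket):
        raise ValueError("refusing to validate a non-service ticket: %r" % ticket)
    if http_status == 401:
        return None
    identity = parse_udc_identity(body)
    if identity["attributes"].get("BANNER-SV") != expected_service:
        raise ServiceMismatchError(identity["attributes"].get("BANNER-SV"))
    return identity


if __name__ == "__main__":
    svc = "maldevl5.sct.com/cas-client-3.1/authorized/bannerSelfService"
    print(handle_validate_reply("ST-1-example", svc, 200, SAMPLE_RESPONSE))
```

The BANNER-SV comparison is the client-side half of the check the server performs when it issues the ticket: a ticket validated for one service must not be accepted by another.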
The CAS server asserts the following attributes
Configure the CAS server
The Luminis Platform CAS server must be configured to extend the basic CAS services to support the bannerValidate service This service is configured to retrieve UDC_IDENTIFIER data from your LDAP directory
If the Luminis Platform CAS server was installed using the Luminis Installer support for the bannerValidate service has been automatically configured If you are using an externally managed CAS server as described in the Luminis Platform Installation Guide then you must manually configure the CAS server to support the bannerValidate service by following the steps outlined in the ldquoConfigure the CAS Serverrdquo appendix
CAS managed services
The following are the primary CAS managed services. Some or all of these services may already exist in your CAS managed services page after the initial installation of Luminis. The CAS managed services page is found at the following location:
https://<cas server name>:<port>/cas-web/services/manage.html
• A typical Luminis/CAS installation requires at least the following CAS-managed service:
https://<cas server name>:<https port>/cas-web/services
For this service, select the uid attribute and check the Enabled, Allowed to Proxy, and SSO Participant check boxes.
• The Admin server login URL displays as follows:
https://<luminis server name>:<https port>/c/portal/login
A separate /c/portal/login service URL needs to be defined for each Luminis Platform hostname (such as the Admin and Portal tiers), or for the virtual hostname if that is the URL end users use to access the service. This service does not require any attributes. Recommended Status check boxes are Enabled, Allowed to Proxy, and SSO Participant.
• The Admin server banner-cas-client URL displays as follows:
https://<admin server name>:<https port>/banner-cas-client/authorized/banner
A separate banner-cas-client/authorized/banner service URL needs to be defined for each Luminis Platform instance (the Admin and Portal tiers, or the virtual hostname if end users use that URL to access the service in question). Mark the Enabled and SSO Participant check boxes and select the UDC_IDENTIFIER attribute.
Note: UDC_IDENTIFIER does not display in the attribute list until the CAS customizations detailed in the "Configuring CAS server to enable bannerValidate" section take effect. A restart of the CAS server is required.
If necessary edit the CAS managed services that the CAS server protects
Use the following steps to define new CAS managed services if required
1. Launch a browser and navigate to the CAS server management page at the following URL:
https://<CAS server>:<port>/cas-web/services/manage.html
2. Supply a valid administrator user name and password obtained from the CAS administrator.
The Services Management page is displayed.
3. Click the Add New Service tab in the left corner of the page.
4. Add a new service by entering the fields as exemplified in the table below.
5. Click Save Changes.
The CAS server now protects the service that you defined.
Parameter     Description
Name          CAS services
Service URL   https://<cas-server>:<port>/cas-web/services
Description   Protect cas services
Theme Name    Cas
Status        Select Enabled and SSO Participant
Attributes    The service attributes
Banner CAS client configuration
Once the CAS server is configured to support Banner Enterprise Identity Services, you can configure Internet-native Banner and Banner Self-Service to participate in a CAS Single Sign-On (SSO) session. This is accomplished by deploying the Banner CAS Client Web application in the Admin server and the Portal server. This application proxies the CAS authentication process to the Banner SSO proxy Web applications that support Internet-native Banner and Banner Self-Service. The application is only required in a CAS-based environment.
Use the following steps to install and configure the Banner CAS Client Web application:
1. After you deploy the banner-cas-client version supplied with Banner Enterprise Identity Services for the Luminis Platform Admin and Portal instances, modify the following parameters in the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file:
Parameter                     Description
banner.sso.gateway            URL to the Banner SSO Web Proxy, which is part of the Banner Identity Gateway deployment.
cas.server.gateway            Determines whether the login screen is displayed to the user. The default is false.
cas.server.renew              Determines whether users must log in to each application. If set to true, users must log in to each application regardless of whether an SSO session was established; use this setting when users must not be allowed to reach another application within the SSO realm without providing credentials again. If set to false, users do not need to log in again once an SSO session is established; use this setting for general use.
cas.server.url                URL to the CAS server. Generally this is a secured container, meaning the URL should begin with https.
cas.server.proxyCallbackUrl   Server proxy callback URL, which should point to the CAS server and port.
cas.client.serverName         Client server address, which consists of the fully qualified server name and port where the application is running. Note: This should include the SSL port number.
cas.client.proxyCallbackUrl   Client proxy callback URL, which should point to the server and port where the client application is running. Note: This should include the SSL port number.
For example, the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file may appear as follows:
• Admin:
banner.sso.gateway=https://lcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
• Portal:
banner.sso.gateway=https://lcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com:443
• The following three properties are not in use:
cas.server.gateway=false
cas.server.proxyCallbackUrl
cas.client.proxyCallbackUrl
2. Test the Web application by invoking the following URL. This URL should be accessible from all resource and Portal tiers:
https://<Luminis host>:<SSL PORT>/banner-cas-client
The following URLs are used to start Banner in a CAS Single Sign-On environment:
• Internet-native Banner: http://<host>:<port>/banner-cas-client/authorized/banner/OracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/banner/SelfService
For <host>:<port>, use the fully qualified name and SSL port set in cas.client.serverName, so that the URL matches the banner-cas-client service registered with the CAS server.
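Added example, not part of the guide or of the banner-cas-client application: a small Python checker that loads a cas-client.properties file, reports the settings the guide says matter (https in cas.server.url, the SSL port in cas.client.serverName, and renew and gateway not both true, since the CAS protocol treats them as incompatible) and builds the CAS /login redirect those settings imply. The property names are the ones listed above; the two file contents are constructed; /login and the renew and gateway query parameters are CAS protocol, not Banner-specific.

```python
from urllib.parse import urlencode, urlsplit


def load_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value, bare keys allowed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        # A key with no '=' (like the unused proxyCallbackUrl lines) is recorded as empty.
        props[key.strip()] = value.strip() if sep else ""
    return props


def is_true(props, key):
    return props.get(key, "false").strip().lower() == "true"


def check_client_properties(props):
    """Return a list of findings; an empty list means the file matches the guide's rules."""
    findings = []
    if urlsplit(props.get("cas.server.url", "")).scheme != "https":
        findings.append("cas.server.url must begin with https")
    if not props.get("banner.sso.gateway", "").startswith("https://"):
        findings.append("banner.sso.gateway should be an https URL to the Banner SSO Web Proxy")
    host, _, port = props.get("cas.client.serverName", "").partition(":")
    if not host or not port.isdigit():
        findings.append("cas.client.serverName must be <fqdn>:<SSL port>")
    if is_true(props, "cas.server.renew") and is_true(props, "cas.server.gateway"):
        findings.append("cas.server.renew and cas.server.gateway cannot both be true (CAS protocol)")
    return findings


def login_redirect(props, service):
    """CAS /login URL for this client: renew=true forces re-authentication even inside an
    SSO session; gateway=true asks CAS not to prompt and to return without a ticket if no
    SSO session exists."""
    params = {"service": service}
    if is_true(props, "cas.server.renew"):
        params["renew"] = "true"
    if is_true(props, "cas.server.gateway"):
        params["gateway"] = "true"
    return props["cas.server.url"].rstrip("/") + "/login?" + urlencode(params)


# Constructed file contents, modelled on the Admin example above.
ADMIN_PROPS = """# Admin tier
banner.sso.gateway=https://lcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
cas.server.gateway=false
cas.server.proxyCallbackUrl
cas.client.proxyCallbackUrl
"""
# Same file with the mistakes the guide warns about (constructed).
WEAK_PROPS = """banner.sso.gateway=http://lcban4.sct.com:9010/bnSSOWeb
cas.server.renew=true
cas.server.gateway=true
cas.server.url=http://slcsup37.sct.com:8080/cas-web
cas.client.serverName=slcsup37.sct.com
"""

if __name__ == "__main__":
    good = load_properties(ADMIN_PROPS)
    print(check_client_properties(good))  # []
    print(login_redirect(good, "https://slcsup37.sct.com:443/banner-cas-client/authorized/banner"))
    for finding in check_client_properties(load_properties(WEAK_PROPS)):
        print("finding:", finding)
```

Run it against each tier's file after step 1; the serverName check matters because a missing SSL port produces a service URL that does not match what is registered in CAS managed services, which shows up as validation failures rather than as a clear configuration error.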
Banner Enterprise Identity Services Configuration Information Tables
The following is a list of tables that store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.
For Identity Data Export Utilities, as with other Web apps, the configuration is stored in the properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory, the files are stored in the following location:
applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties
Schema     Table            Application                          Comments
BNIXMGR    APCONFG          Banner Identity Gateway              Stores application configuration for SSB and INB
BNIXMGR    WSCONFG          Banner Identity Gateway              Stores configuration for the Open Digital Campus Identity Web Service (Credential service and Ticketing service)
IDENTMGR   T_UDC_PST_LIST   Enterprise Identity Proxy Services   Stores a list of Provisioning Service Targets
Luminis Banner Web application
This Web application contains all the Banner portlets to be deployed as part of Luminis Platform You must deploy and edit the WAR file for all Luminis Platform instances including the Admin tier and each Portal tier
Use the following steps to deploy these portlets
1. Make the necessary changes to certain properties located in the following folders:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
$CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes
2. The properties that need to be modified for the Banner portlets are as follows:
# The URL to access the Banner Portal Servlet
# Example: https://lcban3.sungardhe.com:7778/banportals
providerServlet.url=<URL for the banportals application>
# The user name to secure the servlet
providerServlet.userName=channelAdmin
# The password to secure the servlet
providerServlet.password=u_pick_it
version=development
# The SSB URL for the English locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
# The SSB URL for the French locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
# The SSB URL for the Spanish (Mexican) locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
# The SSB URL for the Arabic locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
# The SSB URL for the Brazilian locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
# The BEIS version: 8.14 for versions <= 8.14; otherwise set it to 8.15
beis.version=8.14
# The banner-cas-client URL for SSB when BEIS <= 8.14 is used
banner.cas.client.ssb=banner-cas-client/authorized/banner/SelfService
# The banner-cas-client URL for INB when BEIS <= 8.14 is used
banner.cas.client.inb=banner-cas-client/authorized/banner/OracleForms?launch_form=
# The SSB URL for SSO Manager when BEIS 8.15 is used (the pkg parameter must match the SSO Manager configuration)
beis.ssomanager.ssb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/SSB?pkg=
# The INB URL for SSO Manager when BEIS 8.15 is used
beis.ssomanager.inb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner
The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) Application server.
This authentication model requires Banner Enterprise Identity Services to be installed in the Banner server and modification to be made to the deployment of the Luminis Platform portlet for Banner Server Additionally both Banner Enterprise Identity Services and the channel application should point to the same banner instance
For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki:
http://www.edu1world.org/CommonsLuminis
This section includes the following topics:
• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"
Create the home directory for Luminis Channels for Banner
To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels
Copy the contents of the channeladmin directory under your Banner production directory to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.
Edit the configuration file
Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following table specifies descriptions and examples of the Banner database connection configuration properties
er 2011 Luminis Platform 503 2-11Banner Integration Setup Guide
Central Authentication Service and Banner Enterprise Identity Services
2-12
Property: connectionName.list
  Description: Connection listings. Each item in this list must have <connection name>.<property> entries specified. The default value in the list makes the configuration look for default.tnsName, default.userName, and so on.
  Example: connectionName.list=default or connectionName.list=default,other
Property: default.tnsName
  Description: TNS name used when connecting to the Banner database.
  Example: default.tnsName=LB70.sct.com
Property: default.userName
  Description: Connection pool user name.
  Example: default.userName=banproxy
Property: default.password
  Description: Connection pool password.
  Example: default.password=banproxy
Property: default.poolConfig.min-limit
  Description: Minimum number of physical connections maintained by the pool. Because banportals uses OCI database connection pooling, the default value of 1 is recommended.
  Example: default.poolConfig.min-limit=1
Property: default.poolConfig.max-limit
  Description: Maximum number of physical connections maintained by the pool.
  Example: default.poolConfig.max-limit=5
Property: default.poolConfig.increment
  Description: Incremental number of physical connections opened when all existing connections are busy and a new connection is requested.
  Example: default.poolConfig.increment=1
Property: default.poolConfig.timeout
  Description: The time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The value is in seconds.
  Example: default.poolConfig.timeout=30
Property: log4j.rootCategory
  Description: The logging level and logging scheme used within the servlet. The default logging level is INFO, stdout, which directs the servlet output to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR.
  Example: log4j.rootCategory=ERROR, stdout
Property: providerServlet.url
  Description: URL to access the Banner portal servlet. This is the URL of the web server and points to the OC4J servlet that resides on the web server machine. The port 4445 in the example is only an example; supply the port number that routes to the welcome page of the web server, such as http://<yourservername.com>:7777. The banportals portion of the URL is the suggested virtual path for the OC4J servlet; see "Generate the banportals.ear file" on page 2-14.
  Example: providerServlet.url=http://<yourservername.com>:4445/banportals
Property: providerServlet.userName
  Description: User name to secure the servlet.
  Example: providerServlet.userName=channelAdmin
Property: providerServlet.password
  Description: Password used to secure the servlet.
  Example: providerServlet.password=u_pick_it
Property: xsl-parameter.erpUrlBase
  Description: URL for the INB server. Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL.
  Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D
Property: xsl-parameter.urlHostAndPath
  Description: URL for the self-service application.
  Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD/
The recommended value for the user name is channelAdmin. You can use any value for the password; because it is the only thing that authenticates Luminis to the servlet, choose a long random value rather than the u_pick_it placeholder, and restrict read access to banportals.config. The same applies to default.password: the example value banproxy is a placeholder, not a recommendation.
This user name and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a Channel request, it compares the user name and password stored in banportals.ear with the user name and password sent by Luminis from the luminis-banner webapp. Thus the providerServlet user name and password only need to be defined in the banportals.config file (and mirrored in the luminis-banner webapp properties); there does not need to be any corresponding OS user, Oracle user, and so forth.
Generate the banportals.ear file
The banportals.config file contains values that must be inserted into the banportals.ear file.
To roll out the changes, use the banportalsadmin.jar installer. To use this installer, a Java VM of 1.3.1 or higher must be installed on the same machine as the CHANNEL_HOME. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager as described in "Deploy the EAR file" on page 2-15.
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file
To use the Oracle Enterprise Manager complete the following steps
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and uploads it to the OAS10g server. The EAR file must be accessible to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be copied locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) machine via mapped drives or symbolic links to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically reflect the application being deployed. The suggested name is as follows: <SID>_banportals
6 Click Next
7 Map the URL for the web modules If the desired web root URL is not banportals alter the value on this step of the Oracle Enterprise Manager deployment wizard
8 Click Finish to navigate to the last summary step
9 When the summary is displayed click Deploy to deploy the EAR file
10 Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows
• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate user name mappings for existing INB users. The LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To improve performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process first looks for an LDAP user name mapping based on the GUAUPRF LDAP settings, then fails over to the mapping set in Banner GOBEACC. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and the event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for use with, and in support of, Banner Integration for eLearning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ-wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework application server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish Open MQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the .../imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.
You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the Open MQ community. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0: create $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows:
mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following to .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
export SCT_LMG_HOME
3. Copy lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgX.x.jar -erp plus|banner -lmbhost <lmbserver> -dburl <dbserver>:<port>:<instance> -dbpw <mydbpasswd> -jmspw <myjmspasswd> -ldi true|false -notification true|false
For example, the command may display as follows:
java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
The database and JMS passwords are passed on the command line, so they are visible to other users in the process listing while the installer runs and are recorded in the shell history unless you clear it; run the installer from an account that is not shared and replace the placeholder passwords shown here.
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same host as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of opends before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects such as topics, queues, and connection factories in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:
• Environmental settings:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties file for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
Replace the placeholder passwords before running the script; the script writes them into the directory, and they must match what LMG and Luminis are configured to present.
• MQ_JMS_PORT should match imq.jms.tcp.port and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use imq.portmapper.port, which has a default value of 7676:
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache. MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181:
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSLJMS connection.
• Other settings, which should only be modified in non-standard configurations:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search, and compare privileges in o=messaging. This password is stored in clear text, so restrict read access to config.properties to the account that runs the broker. The localhost:389 connection is unencrypted, which is acceptable only while OpenDS and the broker share a host; for a remote directory, enable the broker's LDAP-over-SSL option (imq.user_repository.ldap.ssl.enabled=true) against the directory's SSL port instead of 389.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change imq.log.level to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis. A principal name in a rule must match the LDAP cn exactly; the broker does not validate rule principals against the user repository, so a misspelled name simply leaves that client without the permission.
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
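Added example, not part of the guide or of Open MQ: a Python checker for accesscontrol.properties. It parses the rule grammar used above, lists every user name that appears in a rule but does not exist in the LDAP repository, and returns the operations each user is explicitly allowed, which is the quickest way to catch a misspelled principal before restarting the broker. The ACL text and the LDAP_USERS set are constructed; the checker covers only explicit allow.user rules and does not reproduce Open MQ's full precedence logic between allow/deny and user/group rules.

```python
import re

# Rule grammar for accesscontrol.properties, as used in the sample above:
#   connection.<NORMAL|ADMIN>.<allow|deny>.<user|group>=<name>[,<name>...]
#   <queue|topic>.<destination>.<produce|consume|browse>.<allow|deny>.<user|group>=<names>
# Destination names here use '_' rather than '.', as in the sample, so a plain split works.
CONN_RULE = re.compile(r"^connection\.(NORMAL|ADMIN)\.(allow|deny)\.(user|group)$")
DEST_RULE = re.compile(r"^(queue|topic)\.([^.]+)\.(produce|consume|browse)\.(allow|deny)\.(user|group)$")


def parse_acl(text):
    """Return a list of rule dicts; lines that are not ACL rules are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        principals = [p.strip() for p in value.split(",") if p.strip()]
        m = CONN_RULE.match(key)
        if m:
            rules.append({"resource": "connection", "name": m.group(1), "op": "connect",
                          "access": m.group(2), "ptype": m.group(3), "principals": principals})
            continue
        m = DEST_RULE.match(key)
        if m:
            rules.append({"resource": m.group(1), "name": m.group(2), "op": m.group(3),
                          "access": m.group(4), "ptype": m.group(5), "principals": principals})
    return rules


def unknown_principals(rules, known_users):
    """User names that appear in rules but not in the LDAP repository ('*' is a wildcard)."""
    unknown = set()
    for r in rules:
        if r["ptype"] != "user":
            continue
        for p in r["principals"]:
            if p != "*" and p not in known_users:
                unknown.add(p)
    return sorted(unknown)


def allowed_operations(rules, user):
    """(resource, name, op) tuples that an explicit allow.user rule grants to this user."""
    granted = set()
    for r in rules:
        if (r["ptype"] == "user" and r["access"] == "allow"
                and (user in r["principals"] or "*" in r["principals"])):
            granted.add((r["resource"], r["name"], r["op"]))
    return granted


# Constructed ACL, modelled on the sample above, with a deliberate typo ("lumser") in one rule.
SAMPLE_ACL = """connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""
# The cn values lp5_mqinit.sh creates in ou=People,o=messaging (constructed set).
LDAP_USERS = {"lmguser", "lumuser"}

if __name__ == "__main__":
    acl_rules = parse_acl(SAMPLE_ACL)
    print("unknown principals:", unknown_principals(acl_rules, LDAP_USERS))
    for resource, name, op in sorted(allowed_operations(acl_rules, "lumuser")):
        print("lumuser may", op, resource, name)
```

In practice, feed it the real file and the cn values from an LDAP search of ou=People,o=messaging; an empty unknown-principals list and the expected per-user matrix are what you want to see before restarting the broker.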
Custom JMS Clients
Ensure that your JMS clients have the same versions of jms.jar and imq.jar in their classpath as any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the clients requirements There are many available options for GlassFish domain settings ports Message Queue (MQ) services and so on When encountering problems with GlassFishMQUpdate Center reference httpjavanetjirasecureIssueNavigatorjspa
In most cases installation is simply extracting the archive to a desired directory
As a reference installation you could use the following steps to install Open GlassFish on a Linux 4x or 5x server
1 Download and install JDK 16x
Downloads and documentation can be obtained at the following URL
http javasuncomjavasedownloadswidgetjdk6jsp
2. Download and install the GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps.
Note: The imqusermgr command creates users in the file-system based user repository, but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use with IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration guide for more details or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
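The same check done programmatically, as an added example that is not from the guide or the MQ product: it parses the portmapper table the broker sends on connection (the telnet output above) and compares the admin and jms ports with the static values configured in config.properties. The sample reply, hostname and paths are constructed.

```python
"""Verify the ports an Open MQ broker advertises through its portmapper.

Added example; not from the guide or the MQ product. The broker's portmapper
answers a plain TCP connection on 7676 with one line per service (the telnet
output above), so a firewall rule or a static-port change can be verified
without a terminal: parse the reply and compare the admin/jms ports with the
values configured in config.properties.
"""
import socket

# Constructed sample reply, modelled on the second telnet session above.
SAMPLE_REPLY = """101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,imqhome=/opt/glassfishv3/mq]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://broker.example.edu/jndi/rmi://broker.example.edu:8686/broker.example.edu/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
.
"""

# Static ports the guide configures; add "ssljms": 7576 when TLS is enabled.
EXPECTED_STATIC_PORTS = {"admin": 7574, "jms": 7575}


def parse_portmapper(reply):
    """Return {service: (protocol, service_type, port)} from a portmapper reply.

    The first line is the broker/version banner; a line holding a lone "." ends
    the table. Services not bound to a socket report port 0.
    """
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("101 "):
        raise ValueError("not a portmapper reply")
    services = {}
    for line in lines[1:]:
        if line.strip() == ".":
            break
        parts = line.split()
        if len(parts) < 4 or not parts[3].isdigit():
            continue  # tolerate unexpected lines rather than abort the check
        services[parts[0]] = (parts[1], parts[2], int(parts[3]))
    return services


def check_static_ports(services, expected=EXPECTED_STATIC_PORTS):
    """Return [(service, expected_port, actual_port)] for every mismatch.

    actual_port is None when the service is absent and 0 when it is listed but
    not bound; either way the firewall rule for that port is doing nothing.
    """
    mismatches = []
    for name, port in expected.items():
        actual = services[name][2] if name in services else None
        if actual != port:
            mismatches.append((name, port, actual))
    return mismatches


def fetch_portmapper(host, port=7676, timeout=5.0):
    """Live query: the broker sends the table as soon as the connection opens,
    then closes the connection, so read until the "." line or EOF."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while b"\n.\n" not in buf and b"\n.\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode("ascii", errors="replace")


if __name__ == "__main__":
    table = parse_portmapper(SAMPLE_REPLY)  # replace with fetch_portmapper(host)
    problems = check_static_ports(table)
    print("static ports OK" if not problems else "mismatches: %r" % problems)
```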
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.
If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled within the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN ID lookup against LDAP involved in the SSO transaction. Instead, bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket (as in the Luminis-CAS login on port 8447) coupled with the assertion of the UDC ID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with banportals for each transaction, using the user's actual INB/Oracle user account or by proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP for his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnig Web configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with the b_0110_twb8030001 or Web Tailor 8.2 with the b_0110_twb8020001. Otherwise the bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control-panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the following command from $CP_ROOT/products/opends/bin:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select "Add one or more values".
1.4 Enter the DN. For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter "Use these values".
1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications" sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, it indicates that no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here, and for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for INB channels such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption, as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
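A check of an enckey file against the key rules stated in step 3, added as an example; it is not the GOKKSSO package's own validation and the sample keys are constructed. It also separates out the first eight characters, which are the only ones the current DES encryption depends on.

```python
"""Check an enckey file against the key rules stated above.

Added example; this is not the GOKKSSO package's own validation. It reads the
first line of the file, reports each stated rule the key breaks, and shows
which part of the key the current DES encryption actually depends on.
"""
import re


def validate_enckey(contents):
    """Return the list of rule violations for the first line of an enckey file.

    Rules checked (from the guide): the key starts in column 1, mixes letters
    and digits, is at least eight characters long and a multiple of eight, and
    only its first 24 characters are used.
    """
    first_line = contents.split("\n", 1)[0].rstrip("\r")
    problems = []
    if first_line != first_line.lstrip():
        problems.append("key must start in column 1 (leading whitespace found)")
    key = first_line.strip()
    if len(key) < 8:
        problems.append("key must contain at least eight characters")
    elif len(key) % 8 != 0:
        problems.append("key length must be a multiple of eight")
    if not re.search(r"[A-Za-z]", key) or not re.search(r"[0-9]", key):
        problems.append("key must combine letters and numbers")
    if len(key) > 24:
        problems.append("only the first 24 characters are used; the rest are ignored")
    return problems


def key_material(contents):
    """Return (des_key, gokksso_key): the first 8 characters that single DES
    uses and the first 24 that GOKKSSO keeps for a future DES3 key.

    Characters beyond the first 8 add nothing to the strength of the
    DES-protected values today, so those 8 deserve the most care.
    """
    key = contents.split("\n", 1)[0].strip()
    return key[:8], key[:24]


def check_enckey_file(path):
    """Read an enckey file from disk and return (problems, des_key)."""
    with open(path, "r", encoding="ascii") as fh:
        contents = fh.read()
    return validate_enckey(contents), key_material(contents)[0]


if __name__ == "__main__":
    # Constructed sample keys: the first satisfies every rule, the others do not.
    for sample in ("Lum1nis5ecretKey", " Lum1nis", "abcdefgh",
                   "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"):
        print(repr(sample), "->", validate_enckey(sample + "\n") or "OK")
```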
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is neither necessary nor recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value: Luminis ID = jsmith, Oracle/Banner ID = jsmith
• Mapped to one another in LDAP: Luminis ID = JoeSmith, Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping is read again.
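A generator for the usermap entry shown in step 1, added as an example (it is not tooling from the guide or from Ellucian). When the Luminis IDs come from another system, the value placed in the cn RDN must be escaped per RFC 4514 so an ID containing "," or similar characters cannot move the entry to a different DN; values LDIF cannot carry in plain form are base64-encoded.

```python
"""Generate the o=usermap LDIF entry described above for one Luminis-to-Banner mapping.

Added example; it is not tooling from the guide or from Ellucian. It builds the
cn=<Luminis ID>,o=usermap,o=Banner,o=SCTSSOapplications entry, escaping RDN
characters per RFC 4514 so that an ID containing "," or other DN special
characters cannot change the DN the entry lands under, and base64-encodes any
value LDIF (RFC 2849) cannot carry as plain text.
"""
import base64

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
_RDN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))  # control characters as hex pairs
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name, value):
    """Format one LDIF attribute line, using the base64 (::) form when required.

    RFC 2849 only allows plain values that are ASCII, printable, do not start
    with space, ":" or "<", and do not end with a space.
    """
    plain = (value.isascii() and value.isprintable()
             and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if plain:
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def usermap_entry(luminis_id, banner_id, base=USERMAP_BASE):
    """Return LDIF text for one mapping entry, in the add form used with ldapmodify -a."""
    if not luminis_id or not banner_id:
        raise ValueError("both the Luminis ID and the Banner/Oracle ID are required")
    dn = "cn=%s,%s" % (escape_rdn_value(luminis_id), base)
    lines = [
        ldif_attr("dn", dn),
        ldif_attr("SCTSSOConfigString", banner_id),
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        ldif_attr("description",
                  "Map of Luminis ID - %s to Banner/Oracle ID - %s" % (luminis_id, banner_id)),
        ldif_attr("cn", luminis_id),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the guide's JoeSmith -> jsmith mapping.
    print(usermap_entry("JoeSmith", "jsmith"))
```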
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value displays as the Default value for new users who log in to Banner.
Parameter | Description
BIND_PASSWORD | The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER | A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine if users exist.
DN | The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER | The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using Internet URL format for LDAP, such as the following example: ldap://myldapserver:389
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT | Usermap option. Valid values are as follows: L - LoginID is being used for login mapping; N - No usermap option is used.
USERMAP_PRFX | Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Socket Layer) key, configure the following parameters:
Parameter | Description
LOCATION | To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where the wallet is created. It uses the file URL format. For example: file:d:\wallet for Windows; file:/u01/wallet for Unix.
PASSWORD | The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE | The SSL authentication mode; one of the following values: 1 - No authentication is required (SSL encryption only); 2 - One-way authentication is required, the client certificate is authenticated by the server; 3 - Two-way authentication is required, the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions listed below.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the util:map with id="uniqueIdGeneratorsMap" in the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list with id="argumentExtractors":
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique log file which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set the logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG,file
log4j.logger.com.sghe.luminis.banner=DEBUG,file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name '*.log'
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start and restart individual containers such as OC4J containers. These containers are called "main" for banportals and "BEIS" for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.
GlassFish/MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) in the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG, reproduce the issue, and capture the logs listed above. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type. Restore the previous logging levels when you are done; DEBUG output is voluminous and the event data logs carry the event payloads Banner sends.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
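As an added example that is not part of the guide, the following Python script performs the correlation described above over constructed adapter.log lines: it groups lines by event ID (the GOAEQRM Event Sequence) and reports events that LMG validated but never confirmed as published to the message broker, and events the broker accepted but that no publisher reported delivering. Event 370660 is the one from the guide's sample; 370661 and 370662 and their stalled states are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of $SCT_LMG_HOME/Events/logs/adapter.log lines in the format shown above.
# 370660 is the event from the guide; 370661 and 370662 are made-up events that stall at
# different stages so the checks below have something to report.
SAMPLE_ADAPTER_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,113 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:09,404 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370662 is a valid document
2010-07-12 05:14:09,877 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370662 published to Luminis Message Broker
"""

# One log4j-style line: timestamp, thread, level, logger, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)
# The three milestones an event passes through on its way out of LMG.
VALIDATED_RE = re.compile(r"XML for (?P<id>\d+) is a valid document")
BROKER_RE = re.compile(r"Message (?P<id>\d+) published to Luminis Message Broker")
PUBLISHER_RE = re.compile(r"The event (?P<id>\d+) has been published to (?P<dest>\S+)")


def parse_adapter_log(text):
    """Group adapter.log lines by event ID (the GOAEQRM Event Sequence).

    Returns {event_id: {"validated": ts, "broker": ts, "publishers": [dest, ...]}}
    with None for milestones the event never reached. Lines that do not match
    the expected layout are ignored rather than treated as errors.
    """
    events = defaultdict(lambda: {"validated": None, "broker": None, "publishers": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        v = VALIDATED_RE.search(msg)
        if v:
            events[v.group("id")]["validated"] = ts
            continue
        b = BROKER_RE.search(msg)
        if b:
            events[b.group("id")]["broker"] = ts
            continue
        p = PUBLISHER_RE.search(msg)
        if p:
            events[p.group("id")]["publishers"].append(p.group("dest"))
    return dict(events)


def stalled_before_broker(events):
    """Event IDs LMG validated but never confirmed as published to the broker."""
    return sorted(eid for eid, e in events.items() if e["validated"] and not e["broker"])


def unrouted_after_broker(events):
    """Event IDs the broker accepted but that no publisher reported delivering."""
    return sorted(eid for eid, e in events.items() if e["broker"] and not e["publishers"])


if __name__ == "__main__":
    parsed = parse_adapter_log(SAMPLE_ADAPTER_LOG)
    print("stalled before broker:", stalled_before_broker(parsed))
    print("accepted by broker but unrouted:", unrouted_after_broker(parsed))
```

Run it against a real adapter.log by reading the file into parse_adapter_log; an event listed by stalled_before_broker points at LMG or its broker connection, one listed by unrouted_after_broker points at the subscriptions on the broker side.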
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location:
<glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination directory or file name for the MQ log, add or edit the following properties in the same file:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) log in to SQL*Plus as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS        TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                         TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- The password out-parameter (f) is intentionally not printed; keep this
  -- line commented so the spool file never captures it.
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, update 00-core.ldif and 99-user.ldif as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
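As an added example that is not part of the guide, the following Python code parses LDIF of the kind shown above (handling folded continuation lines and base64 values given with the double-colon syntax) and resolves a Luminis user to a Banner user through the UserMapDN indirection: it reads SCTSSOConfigString of cn=UserMapDN under o=config to find the usermap container, then looks up cn=<Luminis user> there. The sample data is a constructed excerpt of the file above; the rule that a user with no usermap entry keeps the same username in Banner is this example's reading of the UserMapDN description, not something the guide states.

```python
import base64
import re

# Base64 form of one description so the parser's "::" handling is exercised.
_B64_DESC = base64.b64encode(b"Map of 610009611 to saisusr").decode("ascii")

# Constructed excerpt of the o=sctssoapplications.ldif sample above. The first entry
# carries a folded line (continuation begins with one space); the second carries a
# base64 value (double colon). DNs and values mirror the sample.
SAMPLE_LDIF = f"""\
version: 1

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description:: {_B64_DESC}
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
"""

# attribute name, ':' or '::', optional single space, value
_ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s?(.*)$")


def parse_ldif(text):
    """Parse LDIF content records into {dn_lower: {attr_lower: [value, ...]}}.

    DN and attribute names are lower-cased because LDAP compares them
    case-insensitively. Folded lines are unfolded first; '::' values are base64.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None          # blank line ends the record
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        m = _ATTR_RE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if name == "dn":
            current = entries.setdefault(value.lower(), {})
            continue
        if current is None:
            raise ValueError("attribute before dn: %r" % line)
        current.setdefault(name, []).append(value)
    return entries


def resolve_banner_user(entries, luminis_user, app="Banner", base="o=SCTSSOapplications"):
    """Return the Banner username for a Luminis user via the UserMapDN indirection.

    Assumption (this example's, not the guide's): a user without a usermap entry
    keeps the same username in Banner, as the UserMapDN description implies.
    """
    cfg = entries.get(f"cn=UserMapDN,o=config,o={app},{base}".lower())
    if cfg is None:
        return luminis_user
    usermap_dn = cfg["sctssoconfigstring"][0]
    mapping = entries.get(f"cn={luminis_user},{usermap_dn}".lower())
    if mapping is None:
        return luminis_user
    return mapping["sctssoconfigstring"][0]
```

Point parse_ldif at the exported file (or at the output of ldapsearch) to audit which Luminis accounts are mapped onto shared Banner users such as saisusr, since every such mapping collapses several portal identities into one Oracle session user.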
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below. Be aware of two things before running it: the Directory Manager password is passed to dsconfig, ldapmodify, and imqobjmgr on their command lines (-w and -j java.naming.security.credentials), so it is visible to other local users in the process list while each command runs; and the imqobjmgr steps bind as cn=Directory Manager over the plain LDAP port (the INSECURE_LDAP_PORT variable), so that password also crosses the network unencrypted unless the directory and the broker host are the same machine. The dsconfig and ldapmodify calls also use --trustAll, which disables certificate checking on the administration connector.
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc, general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
# (the script uses [[ ]] and (( )), so /bin/sh must be bash or ksh)
#
# Uncomment the following for verbose dsconfig/ldapmodify
#VERBOSE="--verbose"

# User-configurable variables before running script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
# Sample value only: set this to the port on which the broker's ssljms service actually listens
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0, no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break ;;   # only one enclosing loop (the original wrote "break 2")
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case... no pun
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start:
# Does $OPENDS_DIR exist and is it writable?
if [[ ! -d $OPENDS_DIR || ! -w $OPENDS_DIR ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be
# (the base64 of a "{SSHA}..." value, given with the LDIF double-colon syntax):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
# Note: with targetattr="*" every attribute under $OPENDS_MQ_BASEDN, including the
# userPassword hashes of both broker users, is readable by this account; the broker
# authenticates by binding, so (targetattr!="userPassword") is enough in most setups.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPEND S_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd, as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (the -l values are single-quoted so the shell does not expand "$com_..." as a variable)
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the original listing set imqDestinationName to com_sct_ldi_sis_Sync here, which is the Sync
# topic; corrected to the UpdateRequest queue that this step and the imqcmd note describe)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (same correction as STEP 14: destination name is the UpdateReply queue, not the Sync topic)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as BANSECR, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given SPRIDEN ID or Luminis Platform user, use the gspprxy.g$_get_proxy_info procedure or the proxyinfo.sql script (run as BANSECR) described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic, to resist hijacking and other security breaches. The installation process is manual so that each institution's administrative staff can customize their environment to use unique keywords.
The configuration of all the moving parts in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg, as follows:
iamticket=iamticket
Reference the same forms configuration everywhere you refer to forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any .lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide omits one of the single quotes)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner database server under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If the streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
2 Central Authentication Service and Banner Enterprise Identity Services
Central Authentication Service (CAS) is an enterprise Single Sign-On (SSO) solution for Web applications. CAS SSO improves the user experience when running several Web applications that each have their own means of authentication. With an SSO solution, users authenticate to one central authentication service and can then access other Web applications that have a trust relationship with that service without a secondary login. For example, when you access your portal instance, you are redirected to CAS to log in. CAS authenticates the user credentials and returns a ticket to the browser, which allows access to the portal.
CAS and Banner Enterprise Identity Services (BEIS) are required for single sign-on (SSO) links within Luminis Platform to work.
This chapter contains the following sections:
• "CAS server configuration for UDCIdentifier"
• "Banner CAS client configuration"
• "Banner Enterprise Identity Services Configuration Information Tables"
• "Luminis Banner Web application"
• "Prepare to Install Luminis Platform Portlets for Banner"
CAS server configuration for UDCIdentifier
This section provides information about configuring the Luminis Platform CAS server to support Banner Enterprise Identity Services (BEIS) or any other SunGard Higher Education products that are UDCIdentifier aware and participate in a CAS SSO session.
Note: CAS versions 3.2.1.1 and 3.3.1 are supported. CAS 3.4.2 will be certified with the release of BEIS 8.1.4.
This section includes the following topics:
• "Prerequisites"
• "CAS protocol extension"
• "Specify bannerValidate parameters"
• "Returned bannerValidate responses"
• "Configure the CAS server"
• "CAS managed services"
Prerequisites
Before implementing CAS with UDCIdentifier, the following prerequisites must be met:
• The identity repository used by the CAS server must be UDCIdentifier aware.
• You must have an understanding of the CAS protocol (2.0) and architecture (3.2).
CAS protocol extension
SunGard Higher Education uses the CAS attribute assertion features to assert additional identity attributes. The SunGard Higher Education CAS protocol is implemented by adding a validation service (bannerValidate) to the CAS server.
Note: The bannerValidate service is similar to the serviceValidate feature available in the JA-SIG CAS server reference implementation.
Upon successful CAS authentication, the CAS client validation filter calls the bannerValidate service to get information for the enterprise user. The service checks the validity of a service ticket and returns a UDCIdentity XML fragment response.
Note: The bannerValidate service does not generate and issue proxy-granting tickets when requested. The bannerValidate service must not return a successful authentication if it receives a proxy ticket (in the CAS protocol, service tickets begin with ST- and proxy tickets with PT-).
Specify bannerValidate parameters
The following HTTP request parameters must be specified to the bannerValidate service. These parameters are case sensitive and are handled by bannerValidate.
Parameter   Description
BANNER-SV   Identifier of the service for which the CAS ticket was issued. Refer to section 2.2 of the CAS protocol (JA-SIG CAS overview) for information pertaining to the login.
BANNER-ST   Service ticket issued by the CAS login service when a client presents credentials. A service ticket is an opaque string that the client uses as a credential to obtain access to a service.
Returned bannerValidate responses
The bannerValidate service returns one of the following three responses:
• If the ticket validation is successful, the following XML-formatted response is returned:
<urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>maldevl5.sct.com/cas-client-31/authorizedbannerSelfService</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>
• If the UDC_IDENTIFIER is not asserted as part of the validation response, an AssertionValidation error is returned.
• If the ticket validation fails, an HTTP 401 error code is returned.
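As an added example that is not part of the guide, the following Python code shows what a CAS client filter should enforce when it consumes a bannerValidate reply, following the three responses and the proxy-ticket note above: a 401 is a failed validation, a body without a UDCIdentifier is an assertion failure, and a ticket that is not a service ticket (CAS service tickets begin with ST-, proxy tickets with PT-) is rejected before any request is made. The BANNER-SV comparison against the service the client asked about is an extra check of this example, not something the guide requires; the sample reply is constructed from the format shown above with made-up identifier, logon ID and service URL.

```python
import xml.etree.ElementTree as ET

URN = "urn:sungardhe:enterprise:domain:identity:1.0"
NS = {"urn": URN}


class ValidationError(Exception):
    """Raised for any outcome that must not be treated as a successful login."""


# Constructed successful reply in the format documented above; identifier, logon ID and
# service URL are sample values.
SERVICE = "https://portal.example.edu/banner-cas-client/authorizedbanner"
SAMPLE_OK = f"""<urn:UDCIdentity xmlns:urn="{URN}">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>{SERVICE}</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>"""

# Same reply with the identifier element left empty: the AssertionValidation case.
SAMPLE_NO_UDC = SAMPLE_OK.replace(
    "<urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>",
    "<urn:UDCIdentifier></urn:UDCIdentifier>",
)


def check_service_ticket(ticket):
    """Refuse anything but an ST- ticket before it is sent as BANNER-ST: bannerValidate must
    not honour proxy tickets (CAS protocol: ST tickets begin with 'ST-', PT tickets with 'PT-')."""
    if not isinstance(ticket, str) or not ticket.startswith("ST-"):
        raise ValidationError("only service tickets are accepted, got %r" % (ticket,))


def parse_banner_validate(status, body, expected_service=None):
    """Turn the HTTP status and body of a bannerValidate reply into an identity dict.

    401 -> ticket validation failed; a UDCIdentity without a UDCIdentifier -> assertion
    failure; otherwise the asserted identifier, logon ID and extension attributes are
    returned. If expected_service is given, BANNER-SV in the reply must equal it.
    """
    if status == 401:
        raise ValidationError("ticket validation failed (HTTP 401)")
    if status != 200:
        raise ValidationError("unexpected HTTP status %d" % status)
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValidationError("response is not well-formed XML: %s" % exc)
    if root.tag != "{%s}UDCIdentity" % URN:
        raise ValidationError("response is not a UDCIdentity element")
    udc = (root.findtext("urn:UDCIdentifier", namespaces=NS) or "").strip()
    if not udc:
        raise ValidationError("AssertionValidation: UDC_IDENTIFIER not asserted")
    logon = (root.findtext("urn:LogonID", namespaces=NS) or "").strip()
    attrs = {}
    for attr in root.findall("urn:Extension/urn:Attribute", NS):
        name = (attr.findtext("urn:name", namespaces=NS) or "").strip()
        attrs[name] = (attr.findtext("urn:value", namespaces=NS) or "").strip()
    if expected_service is not None and attrs.get("BANNER-SV") != expected_service:
        raise ValidationError("assertion was issued for a different service")
    return {"udc_identifier": udc, "logon_id": logon, "attributes": attrs}


def outcome(ticket, status, body, expected_service=None):
    """Convenience wrapper: ('ok', identity) or ('error', reason) instead of an exception."""
    try:
        check_service_ticket(ticket)
        return "ok", parse_banner_validate(status, body, expected_service)
    except ValidationError as exc:
        return "error", str(exc)
```

The only value a downstream component should key on is udc_identifier; the LogonID is informational, and a reply that parses but carries no identifier is treated exactly like a failed ticket.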
The CAS server asserts the following attributes:
Attribute        Location in Response
UDC_IDENTIFIER   UDCIdentity/UDCIdentifier
CAS Net ID       UDCIdentity/LogonID
Configure the CAS server
The Luminis Platform CAS server must be configured to extend the basic CAS services to support the bannerValidate service. This service is configured to retrieve UDC_IDENTIFIER data from your LDAP directory.
If the Luminis Platform CAS server was installed using the Luminis Installer, support for the bannerValidate service has been configured automatically. If you are using an externally managed CAS server, as described in the Luminis Platform Installation Guide, then you must manually configure the CAS server to support the bannerValidate service by following the steps outlined in the "Configure the CAS Server" appendix.
CAS managed services
The following are the primary CAS managed services. Some or all of these services may already exist in your CAS managed services page after the initial installation of Luminis. The CAS managed services page is found at the following location:
https://<casservername>:<port>/cas-web/services/manage.html
• A typical Luminis/CAS installation requires at least the following CAS-managed service:
https://<casservername>:<https port>/cas-web/services
For this service, select the uid attribute and check the Enabled, Allowed to Proxy, and SSO Participant check boxes.
• The Admin server login URL displays as follows:
https://<luminisservername>:<https port>/cportal/login
A separate cportal/login service URL needs to be defined for each Luminis Platform hostname, such as the Admin and Portal tiers, or the virtual hostname if that is the URL end users use to access the service. This service does not require any attributes. Recommended Status check boxes are Enabled, Allowed to Proxy, and SSO Participant.
• The Admin server Banner CAS client URL displays as follows:
https://<adminservername>:<https port>/banner-cas-client/authorizedbanner
A separate banner-cas-client/authorizedbanner service URL needs to be defined for each Luminis Platform instance (Admin and Portal tiers, or the virtual hostname if end users use that URL to access the service in question). Mark the Enabled and SSO Participant check boxes and select the UDC_IDENTIFIER attribute.
Note: UDC_IDENTIFIER does not display in the attribute list until the CAS customizations detailed in the "Configuring CAS server to enable bannerValidate" section take effect. A restart of the CAS server is required.
If necessary, edit the CAS managed services that the CAS server protects.

Use the following steps to define new CAS managed services, if required:

1. Launch a browser and navigate to the CAS server management page. The CAS server management page URL is:
   https://<CAS server>:<port>/cas-web/services/manage.html
2. Supply a valid administrator user name and password obtained from the CAS administrator. The Services Management page is displayed.
3. Click the Add New Service tab in the left corner of the page.
4. Add a new service by entering the fields as exemplified in the table below.
5. Click Save Changes. The CAS server now protects the service that you defined.

Parameter     Description
Name          CAS services
Service URL   https://<cas-server>:<port>/cas-web/services
Description   Protect cas services
Theme Name    Cas
Status        Select Enabled and SSO Participant
Attributes    The service attributes
Banner CAS client configuration
Once the CAS server is configured to support Banner Enterprise Identity Services, you can configure Internet-native Banner and Banner Self-Service to participate in a CAS Single Sign-On (SSO) session. This is accomplished by deploying the Banner CAS Client Web application in the Admin server and the Portal server. This application proxies the CAS authentication process to the Banner SSO proxy Web applications that support Internet-native Banner and Banner Self-Service. The application is only required in a CAS-based environment.

Use the following steps to install and configure the Banner CAS Client Web application:

1. After you deploy the banner-cas-client version supplied with Banner Enterprise Identity Services for the Luminis Platform Admin and Portal instances, modify the following parameters in the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file:

Parameter                     Description
banner.sso.gateway            URL to the Banner SSO Web Proxy, which is part of the Banner Identity Gateway deployment.
cas.server.gateway            Determines whether the login screen is displayed to the user. The default is false.
cas.server.renew              Determines whether users must log in to each application. If set to true, users must log in to each application regardless of whether an SSO session was established; use this setting if users must not be allowed to log in to another application within the SSO realm without providing credentials again. If set to false, users do not need to log in to each application once an SSO session is established; use this setting for general use.
cas.server.url                URL to the CAS server. Generally this is a secured container, meaning the URL should begin with https.
cas.server.proxyCallbackUrl   Server proxy callback URL, which should point to the CAS server and port.
cas.client.serverName         Client server address, which consists of the fully qualified server name and port where the application is running. Note: This should include the SSL port number.
cas.client.proxyCallbackUrl   Client proxy callback URL, which should point to the server and port where the client application is running. Note: This should include the SSL port number.

For example, the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file may appear as follows:

• Admin:
  banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
  cas.server.renew=false
  cas.server.url=https://slcsup37.sct.com:8447/cas-web
  cas.client.serverName=slcsup37.sct.com:443
• Portal:
  banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
  cas.server.renew=false
  cas.server.url=https://slcsup37.sct.com:8447/cas-web
  cas.client.serverName=slcsup38.sct.com:443
• The following three properties are marked as not in use:
  cas.server.gateway=false
  cas.server.proxyCallbackUrl
  cas.client.proxyCallbackUrl

2. Test the Web application by invoking the following URL. This URL should be accessible from all resource and Portal tiers:
   https://<Luminis host>:<SSL PORT>/banner-cas-client

The following URLs are used to start Banner in a CAS Single Sign-On environment:
• Internet-native Banner: http://<host>:<port>/banner-cas-client/authorized/banner/OracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/banner/SelfService
Banner Enterprise Identity Services Configuration Information Tables
The following is a list of tables that store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.

For Identity Data Export Utilities, as with other Web apps, the configuration is stored in the properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory, the files are stored in the following location:

applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties

Schema     Table            Application                          Comments
BNIXMGR    APCONFG          Banner Identity Gateway              Stores application configuration for SSB and INB
BNIXMGR    WSCONFG          Banner Identity Gateway              Stores configuration for the Open Digital Campus Identity Web Service (Credential service and Ticketing service)
IDENTMGR   T_UDC_PST_LIST   Enterprise Identity Proxy Services   Stores a list of Provisioning Service Targets
Luminis Banner Web application
This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.

Use the following steps to deploy these portlets:

1. Make the necessary changes to certain properties located in the following folders:
   $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
   $CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes
2. The properties that need to be modified with respect to the Banner portlets are as follows:

   # The URL to access the Banner Portal Servlet
   # Example: http://slcban3.sungardhe.com:7778/banportals
   providerServlet.url=<URL for the banportals application>
   # The user name to secure the servlet
   providerServlet.userName=channelAdmin
   # The password to secure the servlet
   providerServlet.password=u_pick_it
   version=development
   # The SSB URL for the English locale
   # Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
   # The SSB URL for the French locale
   # Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
   # The SSB URL for the Spanish (Mexico) locale
   # Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
   # The SSB URL for the Arabic locale
   # Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
   # The SSB URL for the Brazilian locale
   # Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
   # The BEIS version: 814 for BEIS versions <= 8.14; for later versions the value must be set to 815
   beis.version=814
   # The banner-cas-client URL for SSB when BEIS <= 8.14 is used
   banner.cas.client.ssb=banner-cas-client/authorized/banner/SelfService
   # The banner-cas-client URL for INB when BEIS <= 8.14 is used
   banner.cas.client.inb=banner-cas-client/authorized/banner/OracleForms?launch_form=
   # The SSB URL for SSO Manager when BEIS 8.15 is used (the pkg parameter must match the value configured in SSO Manager)
   beis.ssomanager.ssb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/SSB?pkg=
   # The INB URL for SSO Manager when BEIS 8.15 is used
   beis.ssomanager.inb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner
The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) Application server.

This authentication model requires Banner Enterprise Identity Services to be installed in the Banner server and modifications to be made to the deployment of the Luminis Platform portlet for Banner server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.

For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki at:
http://www.edu1world.org/CommonsLuminis

This section includes the following topics:
• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"

Create the home directory for Luminis Channels for Banner

To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels

Copy the contents of the channel/admin subdirectory of your Banner production directory to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.

Edit the configuration file

Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config

Banner database connection configuration properties

The following table specifies descriptions and examples of the Banner database connection configuration properties.
connectionName.list
  Description: Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName, and so on.
  Example: connectionName.list=default or connectionName.list=default,other

default.tnsName
  Description: TNS name used when connecting to the Banner database.
  Example: default.tnsName=LB70.sct.com

default.userName
  Description: Connection pool user name.
  Example: default.userName=banproxy

default.password
  Description: Connection pool password.
  Example: default.password=banproxy

default.poolConfig.min-limit
  Description: Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
  Example: default.poolConfig.min-limit=1

default.poolConfig.max-limit
  Description: Maximum number of physical connections maintained by the pool.
  Example: default.poolConfig.max-limit=5

default.poolConfig.increment
  Description: Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
  Example: default.poolConfig.increment=1

default.poolConfig.timeout
  Description: The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is in seconds.
  Example: default.poolConfig.timeout=30

log4j.rootCategory
  Description: The logging level and logging scheme used within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.

providerServlet.url
  Description: URL to access the Banner portal servlet. This is the URL of the webserver and points to the OC4J servlet, which resides on the webserver machine. The port of 4445 in the document is an example; you provide the port number that routes you to the welcome page of the webserver, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. Reference "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.

providerServlet.userName
  Description: User name to secure the servlet.
  Example: providerServlet.userName=channelAdmin

providerServlet.password
  Description: Password used to secure the servlet.
  Example: providerServlet.password=u_pick_it

xsl-parameter.erpUrlBase
  Description: URL for the INB server. Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL in the example.
  Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D

xsl-parameter.urlHostAndPath
  Description: URL for the self-service application.
  Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD/

The recommended value for userName is channelAdmin. You can use any value for the password.

This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a channel request, it compares the username and password stored in banportals.ear with the username and password sent by Luminis from the luminis-banner webapp. Thus, the providerServlet username and password only need to be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user, and so forth.

Generate the banportals.ear file

The banportals.config file contains values that should be inserted into the banportals.ear file.

To roll out the changes, use the installer file banportalsadmin.jar. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:

java -jar banportalsadmin.jar banportals.config

Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager as described in "Deploy the EAR file" on page 2-15.
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.

To use the Oracle Enterprise Manager, complete the following steps:

1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
   It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
   This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) server using mapped drives or symbolic links to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the application currently being deployed. The suggested name is <SID>_banportals.
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:

• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.

Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:

USERMAP_OPT = N

The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP username mapping first, based on the GUAUPRF LDAP settings, and then fail over to the mapping set in the Banner GOBEACC mapping. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning

Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and event-driven infrastructure.

This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"

Learning Message Gateway

The Learning Management Gateway (LMG) is an architectural component designed for use with Banner Integration for e-Learning. It supports Banner Integration for eLearning.

This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"

Background from a Luminis Platform 4 perspective

Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ-wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework Application Server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.

Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.

GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish OpenMQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the .../imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.

You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the OpenMQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.

The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.

The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:

lp5_mqinit.sh
Install LMG 4.0

Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.

To install LMG 4.0, complete the following steps:

1. Create an install directory where Learning Management Gateway and the SCT_LMG_HOME environment variable reside. For example:
   mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following lines to the .bash_profile of your LUMADMIN user:
   SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
   export SCT_LMG_HOME
3. Copy the lmg40.jar into your SCTERPGateway installation directory. The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
   java -jar lmgX.x.jar -erp plus/banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true/false -notification true/false
   For example, the command may appear as follows:
   java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true

Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.

The full script is listed in "Full lp5_mqinit.sh script" on page C-5.

To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page at:
www.edu1world.org/CommonsLuminis

The lp5_mqinit.sh script creates users and administered objects, such as topics, queues, and connection factories, in $OPENDS_MQ_BASEDN (generally o=messaging). The properties include the following:

• Environmental settings:
  HOSTNAME=slc207123.sct.com
  MQ_HOME=/opt/glassfishv3/mq

• MQ_LMG should match the credentials defined for LMG in event_providers.plist:
  MQ_LMG_USER=lmguser
  MQ_LMG_USER_PW=password

• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
  MQ_LUM_USER=lumuser
  MQ_LUM_USER_PW=password

• MQ_JMS_PORT should match imq.jms.tcp.port, and MQ_SSLJMS_PORT should match imq.ssljms.tls.port; both are located in imqbroker/props/config.properties. If these values are not specified in config.properties, use the imq.portmapper.port, which has a default value of 7676.
  MQ_JMS_PORT=7676
  MQ_SSLJMS_PORT=7676
  Static ports should be defined when there are networking restrictions and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.

• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080); however, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache. MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
  MQ_HTTP_TUNNEL_PORT=8081
  MQ_HTTPS_TUNNEL_PORT=8181
  MQ_TUNNEL_VPATH=imqtunnel
  Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.

• Other settings, which should only be modified in non-standard configurations:
  OPENDS_DIR=$CP_ROOT/products/opends
  OPENDS_ADMIN_PORT=4444
  OPENDS_MQ_BASEDN=o=messaging
  INSECURE_LDAP_PORT=389

Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update the <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:

imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>

The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search, and compare privileges in o=messaging.

To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:

imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR

Change the last property, imq.log.level, to INFO for low-level/debug logging.

Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.

To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.

connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
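The lp5_mqinit.sh variables, the broker's config.properties and accesscontrol.properties all have to agree on the same two principals and ports, and a typo in a user name or a stray wildcard silently widens or breaks the destination permissions. The following added example (not Ellucian code, and not part of lp5_mqinit.sh) cross-checks constructed copies of those three files, covering both the "Set up users and administered objects" and the "Set up GlassFish MQ access control" steps above; the sample file contents are constructed and deliberately contain a port mismatch, a misspelled user and a wildcard.

```python
"""Cross-check lp5_mqinit.sh, config.properties and accesscontrol.properties (added example, not Ellucian code)."""
import re
from typing import Dict, List, Set

# Constructed sample inputs modelled on the guide's examples (not real site files).
LP5_MQINIT_SH = """#!/bin/sh
MQ_LMG_USER=lmguser
MQ_LUM_USER=lumuser
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
"""

CONFIG_PROPERTIES = """imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.principal=cn=lumuser,ou=People,o=messaging
imq.jms.tcp.port=7677
imq.portmapper.port=7676
"""

ACCESSCONTROL_PROPERTIES = """connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
topic.com_sct_ldi_sis_Sync.produce.allow.user=*
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value reader; also good enough for the script's NAME=value lines."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, _, value = line.partition('=')
        out[key.strip()] = value.strip()
    return out


def check_ports(script: Dict[str, str], config: Dict[str, str]) -> List[str]:
    """MQ_JMS_PORT / MQ_SSLJMS_PORT must match the broker ports, falling back to the port mapper (7676)."""
    fallback = config.get('imq.portmapper.port', '7676')
    expected = {
        'MQ_JMS_PORT': config.get('imq.jms.tcp.port', fallback),
        'MQ_SSLJMS_PORT': config.get('imq.ssljms.tls.port', fallback),
    }
    return [f'{var}={script.get(var)} but broker expects {want}'
            for var, want in expected.items() if script.get(var) != want]


def check_ldap_principal(config: Dict[str, str], known_users: Set[str]) -> List[str]:
    """The broker's LDAP bind principal should be one of the users the script created."""
    principal = config.get('imq.user_repository.ldap.principal', '')
    m = re.match(r'cn=([^,]+),', principal)
    if not m or m.group(1) not in known_users:
        return [f'ldap principal {principal!r} is not one of the script-created users']
    return []


def audit_access_control(acl: Dict[str, str], known_users: Set[str]) -> List[str]:
    """Flag wildcard grants and user names that do not exist in the script (typos, stale accounts)."""
    findings = []
    for key, value in acl.items():
        if not key.endswith('.allow.user'):
            continue
        for user in (u.strip() for u in value.split(',')):
            if user == '*':
                findings.append(f'{key}: wildcard grants every authenticated user')
            elif user not in known_users:
                findings.append(f"{key}: unknown user '{user}' (typo or stale account)")
    return findings


def run_all() -> List[str]:
    """Run every check over the constructed sample files and return the findings in order."""
    script = parse_properties(LP5_MQINIT_SH)
    config = parse_properties(CONFIG_PROPERTIES)
    acl = parse_properties(ACCESSCONTROL_PROPERTIES)
    known = {script['MQ_LMG_USER'], script['MQ_LUM_USER']}
    return (check_ports(script, config)
            + check_ldap_principal(config, known)
            + audit_access_control(acl, known))


if __name__ == '__main__':
    for finding in run_all():
        print(finding)
```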
Custom JMS Clients

Ensure that any custom JMS client carries the same versions of jms.jar and imq.jar on its classpath as the broker. These JAR files should match those in <glassfish>/mq/lib.

Configure JMS provider with Luminis Platform

The Open MQ configuration depends on the clients' requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services and so on. When encountering problems with GlassFish, MQ or the Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.

In most cases installation is simply extracting the archive to a desired directory.

As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server.

1. Download and install JDK 1.6.x.

Downloads and documentation can be obtained at the following URL:

http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:

http://glassfish.java.net

For documentation on GlassFish Server 3.x Open Source Edition releases later than 3.1, refer to the link above.

Use the following steps to configure GlassFish and MQ.

2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.

Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform you may need to change 8080 to 8081, for example, because 8080 is already used by WebCache.

2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), start the GlassFish server with asadmin from <GLASSFISH_HOME>/bin. The original procedure does this while logged in as root; a dedicated unprivileged service account is the better choice, since the broker process listens on the network and holds the JMS credentials, and root is only needed to bind ports below 1024.

3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.

To create a JMS user, complete the following steps.

Note: The imqusermgr command creates users in the file-based user repository and can be skipped if you are using an LDAP or JAAS-based user repository for MQ. The default credentials for imqcmd are admin/admin. These may differ in your environment if you have already changed the admin user's password or configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details or contact the Luminis-Integration ActionLine for additional help.

3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:

imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker

3.2 In <GLASSFISH_HOME>/mq/bin, update the admin password:

imqusermgr update -u admin -p <password>

Do not leave either account on the documented defaults (admin/admin, or the pipeline password shown above): the broker's admin service is reachable over the network on the port advertised by the portmapper described in step 4.
4. If desired, configure Message Queue (MQ) to use static ports. By default MQ uses ephemeral (dynamic) port assignments. The initial connection to MQ is made on port 7676; MQ then advertises the ports used by its other services, as the following portmapper query illustrates:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.

Note that the portmapper answers any TCP client without authentication and discloses the broker's install paths, the JMX RMI URL and the live admin port. Port 7676, together with the admin and JMX ports, should therefore be reachable only from the Luminis Platform and LMG hosts and from administrative workstations.

If ephemeral ports are not allowed through the firewall, or if you otherwise prefer static ports, both the firewall and MQ must be configured for them. MQ is configured to use static ports by adding the following lines to the bottom of <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:

imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576

After the MQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname rather than localhost (see step 5.3, which sets the broker's default host to the FQDN), to confirm that the new static ports are in use:

[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
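The following parser is an added example, not taken from this guide or from Open MQ. It reads a portmapper response of the shape shown above and checks that the tcp services advertise the configured static ports, which is the check the telnet test performs by eye. The response text is constructed from the transcript above with the host renamed to broker.example.edu; the expected ports (admin 7574, jms 7575) are the values the config.properties lines set. It also lists what the unauthenticated response discloses to any client.

```python
"""Parse an Open MQ portmapper response and verify the static ports.

Added example; not from the guide or Open MQ. PORTMAPPER_RESPONSE is
constructed from the guide's telnet transcript with the host renamed to
broker.example.edu; EXPECTED_STATIC_PORTS are the values set in
config.properties (imq.admin.tcp.port / imq.jms.tcp.port).
"""

PORTMAPPER_RESPONSE = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,imqhome=/opt/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://broker.example.edu/jndi/rmi://broker.example.edu:8686/broker.example.edu/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""

EXPECTED_STATIC_PORTS = {"admin": 7574, "jms": 7575}


def parse_portmapper(text):
    """Return {'status', 'instance', 'version', 'services': {name: {...}}}.

    The first line is "<status> <instance> <version>"; every service line is
    "name protocol type port [key=value,...]" with the bracketed part optional.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    status, instance, version = lines[0].split()[:3]
    services = {}
    for line in lines[1:]:
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue  # terminator or unexpected text
        name, proto, svc_type, port = parts[:4]
        attrs = {}
        if len(parts) == 5 and parts[4].startswith("["):
            for kv in parts[4].strip("[]").split(","):
                k, _, v = kv.partition("=")
                attrs[k] = v
        services[name] = {"protocol": proto, "type": svc_type, "port": int(port), "attrs": attrs}
    return {"status": status, "instance": instance, "version": version, "services": services}


def check_static_ports(parsed, expected=EXPECTED_STATIC_PORTS):
    """One problem string per expected service that is missing or on the wrong port.

    A port other than the configured one means the broker is still handing out an
    ephemeral port, i.e. the config.properties change was not picked up.
    """
    problems = []
    for name, port in expected.items():
        svc = parsed["services"].get(name)
        if svc is None:
            problems.append(f"{name}: not advertised")
        elif svc["port"] != port:
            problems.append(f"{name}: advertised {svc['port']}, expected {port}")
    return problems


def disclosed_values(parsed):
    """Install paths and URLs the unauthenticated portmapper hands to any client."""
    return {f"{name}.{k}": v
            for name, svc in parsed["services"].items()
            for k, v in svc["attrs"].items()
            if k in ("imqvarhome", "imqhome", "url")}
```

To use it on a live broker, capture the output of the telnet session (or a socket read on port 7676) into a string and pass it to parse_portmapper(); an empty list from check_static_ports() is the pass condition for step 4.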
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.

If Luminis Platform was installed with the default setting of jmsenabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.

Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.

For example, the settings may appear as follows:

com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms

The JMS password is stored in clear text in bootstrap.properties, so restrict the file's permissions to the Tomcat service account and keep it out of world-readable copies.
5. The GlassFish Enterprise Server should be installed, with the jms and admin services listed in imq.service.activelist in <glassfish domain>/imq/instances/imqbroker/props/config.properties.

5.1 To query the broker, run the following commands:

cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>

5.2 To ensure the JMS service is active, run the following command:

imqcmd query svc -b <localhost> -n jms

5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.

To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host attribute matches your FQDN, as in the following example:

<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>

After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on all imqcmd commands.
4 SSB and INB Integration

This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:

• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"

User ID mappings

User ID mappings are central to Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is held in GOBUMAP; PIDM <-> SPRIDEN ID mappings are in the SPRIDEN table; PIDM <-> INB (Oracle) login mappings are in the GOBEACC table. For more details about GOBUMAP see the Banner General 7.5.1 Release Guide.

The LDAP authentication layer is not involved beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the user's Banner Oracle INB ID, or the BANPROXY proxy ID, to read data from Oracle and stream it back through the portlets. There is no additional LDAP authentication and no SPRIDEN ID lookup against LDAP in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed through banner-cas-client/authorized/banner, trust the initial CAS ticket issued by the Luminis CAS login on port 8447, coupled with the assertion of the UDC ID in the configured cookie and header.

Luminis Portlets for Banner add database-level security through banportals for each transaction, using the user's actual INB/Oracle account or a proxy connection through BANPROXY.

Other questions to consider when setting up a user in the Banner applications are as follows:

• Does the user have a GOBUMAP entry mapping the UDC ID to a valid PIDM, and does the user have a UDC ID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been registered on your CAS server's services management page (cas-web/services/manage.html) so that UDC_IDENTIFIER is released specifically to those services? Because the downstream applications trust the asserted UDC ID, the attribute should be released only to the registered Banner service URLs.
• Does the cookie or header name for SSB and INB in your bnig web application configuration match the IDM settings in Web Tailor Parameters?

Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001; otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.

Create the o=SCTSSOapplications base DN

To create an optional base DN such as o=SCTSSOapplications, you can use the OpenDS control panel. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the BASELINE user in GUAUPRF.

For more information about managing base DNs with the control panel, see the following link:

https://www.opends.org/wiki/page/ManagingDnsWithControlpanel

To create the base DN, complete the following steps.

1. Run dsconfig from $CP_ROOT/products/opends/bin as follows:

dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced

1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select "Add one or more values".
1.4 Enter the DN. For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Select "Use these values".
1.7 Press F to finish and apply the changes to the Local DB Backend.

2. Import the sso_oclass_lum5.ldif file as follows:

ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif

(-X trusts any server certificate; that is acceptable only because the connection is to localhost.) For example files see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications" sections in Appendix C, "Sample Scripts and Files".

3. Import the sctssoapplications.ldif file:

import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline

The -w pipeline shown is the Luminis default Directory Manager password. If yours has been changed (it should be), supply it with -j <password file> rather than on the command line, where other users of the host can read it from the process list.

Verify usermap mapping setup for INB users using the proxyinfo.sql script

The proxyinfo.sql script determines which Oracle ID is connected for a specific Luminis ID. When run, the script prompts you for a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.

Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any user who does not have an explicit usermap entry, the default Oracle ID (usually BANPROXY) results.

If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups

For the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. That GUAUPRF configuration in turn relies upon a proper encryption-key configuration.

The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted with the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for INB channels such as the My Banner channel the GOBEACC mapping does not apply; instead a separate usermap (usually maintained on the Luminis LDAP server) must be created to associate the Luminis logon ID with an Oracle/INB login name.

Create an encryption key

When performing user map lookups, Banner must bind as the Directory Manager to the LDAP server that hosts the user mappings. The Directory Manager password used for that bind is stored in GUAUPRF, encrypted with DES through the Oracle-delivered DBMS_OBFUSCATION_TOOLKIT package. This encryption uses a key, or password, that you supply. Keep in mind what this protects: single DES has a 56-bit key (and DBMS_OBFUSCATION_TOOLKIT has been superseded by DBMS_CRYPTO), and anyone who can read both GUAUPRF and the key file recovers the Directory Manager password, so the key file's filesystem permissions and access control on the Banner database are the real safeguards.

Note: During your Banner installation or upgrade you should have created the directory KEY_DIR.  The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view. If KEY_DIR exists in the database, the physical directory has been created on your database server and you have a valid enckey file, you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.

If KEY_DIR does not exist in DBA_DIRECTORIES and the physical directory has not been created on your database server, create it with the following steps. Make sure the directory and file are readable by the Oracle software owner's group, and by nobody else.

1. Create the physical directory on your database server, for example: mkdir $BANNER_HOME/key_dir

2. Create a plain text file named enckey in that directory.

3. Edit the enckey file and enter the key, for example PASSWORD (note that this particular example does not satisfy the letters-and-numbers rule below; choose a key that does).

Your key must start in column 1, contain a combination of letters and numbers, and be at least eight characters long. The key may be longer (in multiples of eight only), but the GOKKSSO package uses only the first 24 characters. DES itself uses eight characters; SunGard Higher Education has provided for eventual use of the DES3 algorithm, which uses a 24-character key. The string you enter is padded to a length of 24, but you must still use at least eight characters, since those are the characters the current DES encryption uses.

The passwords stored and passed by the SSO process are encrypted using DES and your key.

4. Edit the banssodir.sql script in $BANNER_HOME/install and change the directory name to match the directory you created in step 1, for example $BANNER_HOME/KEY_DIR.

Note: If you cannot find banssodir.sql, you may need to copy it from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.

5. Run the script as follows:

sqlplus /nolog
connect general/general_password
start banssodir
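As an added example (not Ellucian's GOKKSSO code), the following checks an enckey value against the rules just stated and shows which part of the key each algorithm actually sees. The rules modelled are the ones in the text above: first 24 characters used, padded to 24, single DES uses the first 8. The padding character is an assumption, since the guide does not say how GOKKSSO pads, and the sample keys are made up.

```python
"""Check a Banner SSO enckey against the rules the guide states.

Added example; not Ellucian's GOKKSSO code. Modelled behaviour (first 24
characters used, padded to 24, DES uses the first 8) is what the guide says;
the padding character "0" is an assumption, and the sample keys are invented.
"""
import string

DES_KEY_CHARS = 8     # what the current DES encryption actually uses
DES3_KEY_CHARS = 24   # what GOKKSSO reads and pads to, for future DES3 use


def read_enckey(file_text):
    """The key is the first line of enckey, taken exactly as stored (column 1 matters)."""
    return file_text.split("\n", 1)[0].rstrip("\r")


def validate_enckey(key):
    """Return a list of rule violations; an empty list means the key is acceptable."""
    problems = []
    if key != key.lstrip():
        problems.append("key does not start in column 1 (leading whitespace)")
    if key != key.rstrip():
        # conservative assumption: the package does not trim, so trailing blanks become key bytes
        problems.append("trailing whitespace would become part of the key")
    if len(key) < DES_KEY_CHARS:
        problems.append(f"shorter than {DES_KEY_CHARS} characters")
    elif len(key) % 8 != 0:
        problems.append("length is not a multiple of eight")
    has_letter = any(c in string.ascii_letters for c in key)
    has_digit = any(c in string.digits for c in key)
    if not (has_letter and has_digit):
        problems.append("must combine letters and digits")
    return problems


def key_material(key, pad="0"):
    """What each algorithm sees: GOKKSSO keeps the first 24 characters and pads to 24;
    single DES then uses only the first 8, so anything after that adds no strength today."""
    k = key[:DES3_KEY_CHARS].ljust(DES3_KEY_CHARS, pad)
    return {"des": k[:DES_KEY_CHARS], "des3": k}
```

The practical reading of key_material() is that, as long as DES is in use, the first eight characters are the whole secret: choose them as carefully as a password, and protect the file rather than relying on the length of what follows.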
Create entries in LDAP for usermap

If LDAP user mappings are enabled (as optionally configured by the BASELINE user in GUAUPRF), you must add the configuration entries to your LDAP directory. The default DN path is:

o=config,o=Banner,o=SCTSSOapplications

UserMapDN points to the location in the LDAP directory where users can be mapped when their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of object class SCTSSOConfig, and the Common Name (CN) of the entry should be the LDAP user ID. The SCTSSOConfigString attribute of the entry should be set to the user's ID in the Banner database. If a user's ID is the same in both systems, an entry in this location is neither necessary nor recommended for that user.

For users to reach INB over SSO through Luminis Platform with LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:

• The same value:
  Luminis ID = jsmith
  Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
  Luminis ID = JoeSmith
  Oracle/Banner ID = jsmith
The following example shows how to establish and test the ID mapping when the IDs differ. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.

1. Create a mapping file, for example sso_map.ldif:

dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith

2. Import the mapping file into the LDAP server:

ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline

Note: You must wait approximately 20 minutes for the mapping to take effect.

3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information see "Luminis Banner Web application" on page 2-9.

Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner, and the value is cached thereafter. If you change a particular mapping, you must restart the banportals OC4J instance before the new mapping is read.
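An added example, not the proxyinfo.sql script: it reads an LDIF file in the format of sso_map.ldif above, builds the usermap, and resolves a Luminis ID the way the text describes, with an explicit o=usermap entry taking precedence and the default Oracle ID otherwise. The LDIF below is constructed (its second entry is deliberately redundant, mapping mjones to itself, which the guide says not to create); BANPROXY as the default and case-insensitive cn matching (LDAP's caseIgnoreMatch for cn) are assumptions, and the 20-minute delay and banportals cache are not modelled.

```python
"""Resolve a Luminis login to the Oracle/INB account the usermap gives it.

Added example; not the proxyinfo.sql script. SAMPLE_LDIF is constructed from
the guide's sso_map.ldif plus a redundant self-mapping for mjones. Assumed:
BANPROXY is the default Oracle ID; cn is matched case-insensitively.
"""

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "BANPROXY"  # assumption; the guide says "usually banproxy"

SAMPLE_LDIF = """\
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith

dn: cn=mjones,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: mjones
objectClass: top
objectClass: SCTSSOConfig
cn: mjones
"""


def parse_ldif(text):
    """Minimal LDIF reader (RFC 2849 subset): entries separated by blank lines,
    'attr: value' lines, continuation lines begin with one space, '#' comments.
    Returns a list of {attr_lowercase: [values]}."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if raw == "":
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]   # folded line continues previous value
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        current.setdefault(attr, []).append(value)
        last = attr
    return entries


def build_usermap(entries, base=USERMAP_BASE):
    """cn (lowercased) -> SCTSSOConfigString, for SCTSSOConfig entries under the usermap base."""
    usermap = {}
    for e in entries:
        dn = e.get("dn", [""])[0].lower()
        classes = {c.lower() for c in e.get("objectclass", [])}
        if dn.endswith("," + base.lower()) and "sctssoconfig" in classes:
            usermap[e["cn"][0].lower()] = e["sctssoconfigstring"][0]
    return usermap


def resolve_oracle_id(luminis_id, usermap, default=DEFAULT_ORACLE_ID):
    """Explicit mapping wins; otherwise the default proxy account, which is what
    proxyinfo.sql reports when no mapping exists."""
    return usermap.get(luminis_id.lower(), default)


def mapping_is_redundant(luminis_id, usermap):
    """True for an entry that maps an ID to itself; the guide says not to create those."""
    mapped = usermap.get(luminis_id.lower())
    return mapped is not None and mapped.lower() == luminis_id.lower()
```

Running build_usermap() over an export of the o=usermap subtree before an import is a cheap way to catch redundant or duplicate entries; proxyinfo.sql remains the authoritative check because it reflects what the database actually resolves.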
Configure parameters using GUAUPRF

To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps.

1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change a field value as the BASELINE user, that value becomes the default for new users who log in to Banner.

Parameter: Description

BIND_PASSWORD: The password for the bind user. It is stored in the database using DES encryption with the encryption key you configured in an earlier step.

BIND_USER: A user with rights to bind to the LDAP server to retrieve the SSO configuration data. This user should also be able to search the LDAP directory to determine whether users exist. Where your directory allows it, use a dedicated account with read access scoped to the o=SCTSSOapplications subtree and the people entries it must search, rather than the Directory Manager, because this password is recoverable by anyone who holds the DES key and can read GUAUPRF.

DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.

SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter uses the Internet URL format for LDAP, for example ldap://myldapserver:389.

Note: If you are using LDAPS you should also configure the parameters in the SSL key.

USERMAP_OPT: Usermap option. Valid values are:
  L  Login ID is used for login mapping
  N  No usermap option is used

USERMAP_PRFX: Prefix for the usermap. This holds the prefix used with the usermap option; the default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.

Note: These options are governed by the USERMAP_OPT parameter; the expected values are L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters.

Parameter: Description

LOCATION: To configure SSL, a certificate wallet must be created on the database server using Oracle Wallet Manager. This parameter points to the physical location on the server where the wallet was created, in file URL format, for example file:d:\wallet for Windows or file:/u01/wallet for Unix.

PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.

MODE: The SSL authentication mode, one of the following values:
  1 - No authentication is required (SSL encryption only)
  2 - One-way authentication: the database, acting as LDAP client, verifies the LDAP server's certificate against the wallet
  3 - Two-way authentication: client and server authenticate each other's certificates
A CAS Server Configuration

Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.

For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.

1. If you do not already have a CAS server installed, download the JA-SIG CAS server distribution.

2. Download the CAS extensions JAR file.

A JAR file is available from SunGard Higher Education for modifying the CAS server. SunGard Higher Education supports the CAS versions listed in step 2.2.

2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.

2.2 Select the file that supports your version of CAS:

SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip

3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. In the steps below that location is referred to as CAS_EXTENSION (for example D:\Banner_IdM_Extension) and the Luminis Platform CAS server location as SGHE_CAS_SERVER (for example $CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war).
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.

4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:

jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar

4.1 Modify SGHE_CAS_SERVER/WEB-INF/web.xml by adding the following servlet mapping:

<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>

4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.

4.2.1 Open the uniqueIdGenerators.xml file.

4.2.2 Add the following entry inside the util:map with id uniqueIdGeneratorsMap:

<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />

4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.

Use the following steps to modify the argumentExtractorsConfiguration.xml file.

4.3.1 Open the argumentExtractorsConfiguration.xml file.

4.3.2 Add the following bean definition:

<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>

4.3.3 Add a reference to it in the util:list argumentExtractors:

<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>

4.3.4 Save and close argumentExtractorsConfiguration.xml.

4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.

Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following bean definition:

<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />

4.4.2 Add the following property to the handlerMappingC bean:

<prop key="/bannerValidate">bannerAccountValidateController</prop>

4.4.3 Save and close the cas-servlet.xml file.

4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the attributeRepository bean:

<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property inside the authenticationManager bean:

<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:

<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>

<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>

<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>

<bean id="httpClient" class="org.jasig.cas.util.HttpClient">
4.5.4 Save and close the deployerConfigContext.xml file.

4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.

4.6.1 Open default_views.properties.

4.6.2 Add the following lines:

# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView

4.6.3 Save and close default_views.properties.

4.7 Define the CAS managed services. For more information see "CAS managed services" on page 2-4.
B Logs

Banner Enterprise Identity Services logs help you understand the UDC side of sharing and verifying identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, the secure content provider for the Luminis Channels for Banner (also known as Banner Channels for Luminis Platform); it uses a DB connection pool and secured access to data at the Banner database level.

You can also enable debug logging for the GlassFish message queue (MQ) component.

Banportals logs

BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in:

$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties

For example, to create a separate log file that captures the channel Web Proxy activity, edit log4j.properties as follows:

log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side you can set the logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:

$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties

Alternatively, add the following to the common log4j.properties stored in $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties:

log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file

If you are not actively debugging, lower the verbosity back to ERROR; DEBUG output from these components is verbose and is kept on disk with the rest of the Tomcat logs.

Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout for their loggers, which is routed into the redirect log:

$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1

There are several application-specific logs you can also refer to, for example:

[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name '*.log'
application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
application-deployments/bnig/BEIS_default_island_1/bnig_application.log
application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
log/identity_data_export_utilities.log
log/BEIS_default_island_1/default-web-access.log
log/BEIS_default_island_1/server.log
log/BEIS_default_island_1/global-application.log
log/BEIS_default_island_1/rmi.log
log/BEIS_default_island_1/jms.log
log/spml_publisher_failure.log
log/sqlnet.log

For HTTP-layer monitoring, see the files under $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file such as log4jproperties which you can use to configure the log files
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM) OEM usually runs on port 1156 (ias_adminmanager1) Through this interface you can stop start and restart individual containers such as OC4J containers These containers are called main for banportals and BEIS for Banner Enterprise Identity Services
Another option is to zoom in on and configure individual applications such as bnig or banportals For example you might specify specific JAVA_OPTS (-Dltparamgt command-line options) for each installed application and OC4J container at will which take effect after the next restart of that component
GlassFishMQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory assuming default domainoptglassfishv3glassfishdomainsdomain1logs
If you want to adjust the verbosity of the jmslog edit the imqloglevel in the following location
optglassfishv3glassfishdomainsdomain1imqinstancesimqbrokerpropsconfigproperties
Otherwise you can adjust other GlassFish server-level logging in the following locationoptglassfishv3glassfishdomainsdomain1configloggingproperties
Within Luminis Platform if you want to create a unique logger for the JMS message listener package you can do so as follows in the $CP_ROOTproductstomcattomcat-admincommonclasseslog4jproperties file
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
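To make the GOAEQRM-to-log correlation concrete, here is an added Python example (not from the guide or from LMG) that walks adapter.log-style lines keyed on the EventID and reports the stage at which an event stopped. The log lines are constructed from the samples above, and the three stage patterns are assumptions taken from those samples.

```python
import re

# One adapter.log record: "<timestamp> [<thread>] <LEVEL> <logger> - <message>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)

# Milestones an event should reach, in order. The message patterns are assumptions
# derived from the three sample lines in the guide; <id> is the GOAEQRM Event Sequence.
STAGES = (
    ("validated", re.compile(r"XML for (?P<id>\d+) is a valid document")),
    ("published", re.compile(r"Message (?P<id>\d+) published to Luminis Message Broker")),
    ("delivered", re.compile(r"The event (?P<id>\d+) has been published to (?P<dest>\S+)")),
)

# Constructed sample log: 370660 is the guide's example and completes every stage;
# 370661 is validated but never published; 370662 fails validation.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,110 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:03,004 [Thread-11] ERROR events.com.sctcorp.events.StandardEventProvider - XML for 370662 is not a valid document
"""


def parse_line(line):
    """Split one log line into its fields, or return None for lines that do not match."""
    m = LOG_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def trace_events(log_text):
    """Return ({event_id: {stage: timestamp, ...}}, [ERROR records])."""
    trace, errors = {}, []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["level"] == "ERROR":
            errors.append(rec)
        for stage, pattern in STAGES:
            m = pattern.search(rec["msg"])
            if m:
                entry = trace.setdefault(m.group("id"), {})
                entry[stage] = rec["ts"]
                if stage == "delivered":
                    entry["destination"] = m.group("dest")
    return trace, errors


def missing_stages(trace, event_sequence):
    """Stages the given GOAEQRM Event Sequence never reached (all of them if never seen)."""
    seen = trace.get(str(event_sequence), {})
    return [stage for stage, _ in STAGES if stage not in seen]


def event_errors(errors, event_sequence):
    """ERROR messages that mention the event, matched on the whole number only."""
    needle = re.compile(r"(?<!\d)%s(?!\d)" % re.escape(str(event_sequence)))
    return [rec["msg"] for rec in errors if needle.search(rec["msg"])]


if __name__ == "__main__":
    trace, errors = trace_events(SAMPLE_LOG)
    for event_id in sorted(trace):
        gap = missing_stages(trace, event_id)
        print(event_id, "complete" if not gap else "stalled before: " + ", ".join(gap))
    for rec in errors:
        print("ERROR", rec["ts"], rec["msg"])
```

An event that is "validated" but never "published" points at the broker connection rather than at Banner, which is the split the next section's MQ debugging steps rely on.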
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfosql script
The following is an example proxyinfo.sql script:

--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS   TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                    TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompted for at run time
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-coreldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-userldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:

dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplicationsldif
The following is a sample o=sctssoapplications.ldif file:

version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinitsh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
#VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break 2 ;;
          * ) echo "Failed on step $STEPNO with error $ERRORCODE"
              exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}

# Step 0.1
# Some sanity checks before we start:
# Does $OPENDS_DIR exist and is it writable?
if [[ ! -d $OPENDS_DIR || ! -w $OPENDS_DIR ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 0.2
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Note: -w places the bind password on the command line, where other local
# users can read it from the process list; both tools also accept a bind
# password file (-j) if that matters on your resource tier.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd "$CP_ROOT/products/opends/bin"
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd "$MQ_HOME/bin"
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (destination name matches the UpdateRequest queue listed in the imqcmd note above)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (destination name matches the UpdateReply queue listed in the imqcmd note above)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_ssl_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_ssl_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed; USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (as bansecr) described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic, to prevent hijacking and other security breaches. The installation process is manual so that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration consistently when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (missing single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
This section includes the following topics:
• "Prerequisites"
• "CAS protocol extension"
• "Specify bannerValidate parameters"
• "Returned bannerValidate responses"
• "Configure the CAS server"
• "CAS managed services"
Prerequisites
Before implementing CAS with UDCIdentifier, the following prerequisites must be met:
• The identity repository used by the CAS server must be UDCIdentifier aware.
• You must have an understanding of the CAS protocol (2.0) and architecture (3.2).
CAS protocol extension
SunGard Higher Education uses the CAS attribute assertion features to assert additional identity attributes. The SunGard Higher Education CAS protocol is implemented by adding a validation service (bannerValidate) to the CAS server.
Note: The bannerValidate service is similar to the serviceValidate feature available in the JA-SIG CAS server reference implementation.
Upon successful CAS authentication, the CAS client validation filter calls the bannerValidate service to get information for the enterprise user. The service checks the validity of a service ticket and returns a UDCIdentity XML fragment response.
Note: The bannerValidate service does not generate and issue proxy-granting tickets when requested. The bannerValidate service must not return a successful authentication if it receives a proxy ticket.
Specify bannerValidate parameters
The following HTTP request parameters must be specified to the bannerValidate service (see the parameter table below). These parameters are case sensitive and are handled by bannerValidate.
Returned bannerValidate responses
The bannerValidate service returns one of the following three responses:
• If the ticket validation is successful, the following XML-formatted response is returned:

<urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>maldevl5.sct.com/cas-client-31/authorized/bannerSelfService</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>

• If the UDC_IDENTIFIER is not asserted as a part of the validation response, an AssertionValidation error is returned.
• If the ticket validation fails, an HTTP 401 error code is returned.
bannerValidate request parameters:

Parameter   Description
BANNER-SV   Identifier of the service for which the CAS ticket was issued. Refer to the JA-SIG CAS overview, section 2.2 of the CAS protocol, for information pertaining to the login.
BANNER-ST   Service ticket issued by the CAS login service when a client presents credentials. A service ticket is an opaque string that the client uses as a credential to obtain access to a service.
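As an added example (not part of the guide or of the Banner CAS client), the following Python shows the checks a CAS client should apply to one bannerValidate exchange: refuse anything but a service ticket, treat HTTP 401 as failure, and reject a response that lacks UDCIdentifier or whose BANNER-SV is not the service this client protects. The namespace URI and the response bodies are reconstructed from the sample above and are assumptions; the ST-/PT- ticket prefixes are from the CAS protocol.

```python
import xml.etree.ElementTree as ET

# Namespace URI reconstructed from the sample response (assumption: the
# extracted text dropped the colons and the "1.0").
IDENTITY_NS = "urn:sungardhe:enterprise:domain:identity:1.0"
NS = {"urn": IDENTITY_NS}

# Constructed responses based on the guide's sample; the second one omits the
# UDCIdentifier element, which must be treated as an AssertionValidation error.
RESPONSE_OK = """<urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>maldevl5.sct.com/cas-client-31/authorized/bannerSelfService</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>"""

RESPONSE_NO_UDC = """<urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
  <urn:LogonID>triddle</urn:LogonID>
</urn:UDCIdentity>"""


def is_service_ticket(ticket):
    """bannerValidate must only see CAS service tickets (ST-...); proxy tickets are PT-..."""
    return isinstance(ticket, str) and ticket.startswith("ST-")


def check_banner_validate(http_status, body, expected_service, ticket):
    """Evaluate one bannerValidate exchange.

    Returns ("ok", identity_dict) or ("failed", reason). The client passes the
    service identifier it sent as BANNER-SV and the ticket it sent as BANNER-ST.
    """
    if not is_service_ticket(ticket):
        return ("failed", "refusing to validate a non-service ticket")
    if http_status == 401:
        return ("failed", "ticket validation failed (HTTP 401)")
    if http_status != 200:
        return ("failed", "unexpected HTTP status %d" % http_status)
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return ("failed", "malformed response: %s" % exc)
    if root.tag != "{%s}UDCIdentity" % IDENTITY_NS:
        return ("failed", "unexpected root element %s" % root.tag)

    udc = root.findtext("urn:UDCIdentifier", default="", namespaces=NS).strip()
    if not udc:
        # Per the guide, a response without UDC_IDENTIFIER is an AssertionValidation error.
        return ("failed", "AssertionValidation: UDC_IDENTIFIER not asserted")

    attributes = {}
    for attr in root.findall("urn:Extension/urn:Attribute", NS):
        name = attr.findtext("urn:name", default="", namespaces=NS).strip()
        attributes[name] = attr.findtext("urn:value", default="", namespaces=NS).strip()
    # A ticket is bound to one service; accept it only for the service this client protects.
    if attributes.get("BANNER-SV") != expected_service:
        return ("failed", "BANNER-SV does not match the service this client protects")

    return ("ok", {
        "udc_identifier": udc,
        "logon_id": root.findtext("urn:LogonID", default="", namespaces=NS).strip(),
        "attributes": attributes,
    })


if __name__ == "__main__":
    service = "maldevl5.sct.com/cas-client-31/authorized/bannerSelfService"
    print(check_banner_validate(200, RESPONSE_OK, service, "ST-1-constructed"))
    print(check_banner_validate(200, RESPONSE_NO_UDC, service, "ST-1-constructed"))
    print(check_banner_validate(200, RESPONSE_OK, service, "PT-1-constructed"))
```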
The CAS server asserts the following attributes
Configure the CAS server
The Luminis Platform CAS server must be configured to extend the basic CAS services to support the bannerValidate service. This service is configured to retrieve UDC_IDENTIFIER data from your LDAP directory.
If the Luminis Platform CAS server was installed using the Luminis Installer, support for the bannerValidate service has been configured automatically. If you are using an externally managed CAS server, as described in the Luminis Platform Installation Guide, then you must manually configure the CAS server to support the bannerValidate service by following the steps outlined in the "Configure the CAS Server" appendix.
CAS managed services
The following are the primary CAS managed services. Some or all of these services may already exist in your CAS managed services page after the initial installation of Luminis. The CAS managed services page is found in the following location:
https://<casservername>:<port>/cas-web/services/manage.html
• A typical Luminis/CAS installation would require at least the following CAS-managed service:
https://<casservername>:<https port>/cas-web/services
For this service, select the uid attribute and check the Enabled, Allowed to Proxy, and SSO Participant check boxes.
• The Admin server login URL would display as follows: https://<luminisservername>:<https port>/c/portal/login
A separate /c/portal/login service URL needs to be defined for each Luminis Platform hostname, such as the Admin and Portal tiers, or the virtual hostname if that is the URL being used by end users to access the service. This service does not require any attributes. Recommended Status check boxes are Enabled, Allowed to Proxy, and SSO Participant.
• The Admin server Banner-cas-client URL should display as follows: https://<adminservername>:<https port>/banner-cas-client/authorized/banner
A separate banner-cas-client/authorized/banner service URL needs to be defined for each Luminis Platform instance (Admin and Portal tiers, or the virtual hostname if end users are using that URL to access the service in question). Mark the Enabled and SSO Participant check boxes and select the UDC_IDENTIFIER attribute.

Attributes asserted by the CAS server:

Attribute        Location in Response
UDC_IDENTIFIER   UDCIdentity/UDCIdentifier
CAS Net ID       UDCIdentity/LogonID
Note: UDC_IDENTIFIER does not display in the attribute list until the CAS customizations detailed in the "Configuring CAS server to enable bannerValidate" section take effect. A restart of the CAS server is required.
If necessary, edit the CAS managed services that the CAS server protects.
Use the following steps to define new CAS managed services, if required:
1. Launch a browser and navigate to the CAS server management page, which is at the following URL: https://<CAS server>:<port>/cas-web/services/manage.html
2. Supply a valid administrator user name and password obtained from the CAS administrator. The Services Management page is displayed.
3. Click the Add New Service tab in the left corner of the page.
4. Add a new service by entering the fields as exemplified in the table below.
5. Click Save Changes. The CAS server now protects the service that you defined.

Parameter     Description
Name          CAS services
Service URL   https://<cas-server>:<port>/cas-web/services
Description   Protect cas services
Theme Name    Cas
Status        Select Enabled and SSO Participant
Attributes    The service attributes
er 2011 Luminis Platform 503 2-5Banner Integration Setup Guide
Central Authentication Service and Banner Enterprise Identity Services
2-6
Banner CAS client configuration
Once the CAS server is configured to support Banner Enterprise Identity Services, you can configure Internet-native Banner and Banner Self-Service to participate in a CAS Single Sign-On (SSO) session. This is accomplished by deploying the Banner CAS Client Web application in the Admin server and the Portal server. This application proxies the CAS authentication process to the Banner SSO proxy Web applications that support Internet-native Banner and Banner Self-Service. The application is only required in a CAS-based environment.
Use the following steps to install and configure the Banner CAS Client Web application:
1. After you deploy the banner-cas-client version supplied with Banner Enterprise Identity Services for the Luminis Platform Admin and Portal instances, modify the following parameters in the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file.
Parameter          Description
banner.sso.gateway
    URL to the Banner SSO Web Proxy, which is part of the Banner Identity Gateway deployment.
cas.server.gateway
    Property that determines whether the login screen is displayed to the user. The default is false.
cas.server.renew
    Property that determines whether users must log in to each application. If set to true, users must log in to each application regardless of whether an SSO session was established; use this setting if users are allowed to log in to another application within the SSO realm without providing credentials again. If set to false, users do not need to log in to each application if an SSO session was established; use this setting for general use.
cas.server.url
    URL to the CAS server. Generally this is a secured container, meaning the URL should begin with https.
cas.server.proxyCallbackUrl
    Server proxy callback URL, which should point to the CAS server and port.
cas.client.serverName
    Client server address, which consists of the fully qualified server name and port where the application is running. Note: This should include the SSL port number.
cas.client.proxyCallbackUrl
    Client proxy callback URL, which should point to the server and port where the client application is running. Note: This should include the SSL port number.
For example, the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file may appear as follows:
• Admin:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
• Portal:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com:443
• The following three properties are marked as not in use:
cas.server.gateway=false
cas.server.proxyCallbackUrl
cas.client.proxyCallbackUrl
2. Test the Web application by invoking the following URL. This URL should be accessible from all resource and Portal tiers: https://<Luminis host>:<SSL PORT>/banner-cas-client
The following URLs are used to start Banner in a CAS Single Sign-On environment:
• Internet-native Banner: http://<host>:<port>/banner-cas-client/authorized/banner/OracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/banner/SelfService
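The managed-services rules above (one entry per hostname, a separate attribute set per service, proxying only where Allowed to Proxy is checked) decide what the CAS server will validate and what it will release. The following model, added here as an illustration and not code from the Ellucian guide or the CAS project, registers the three entries described above and shows the outcome of a validation request against each. The matching rule (exact scheme, host and port, then URL-path prefix), the field names of ManagedService, and the example.edu hostnames are assumptions for illustration; the real CAS server's matching implementation is not taken from this page.

```python
"""Model of the CAS managed-service registry described above (added example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class ManagedService:
    """One row of the Services Management page (field names assumed)."""
    service_url: str                 # registered service URL prefix
    enabled: bool = True             # Status: Enabled
    allowed_to_proxy: bool = False   # Status: Allowed to Proxy
    sso_participant: bool = True     # Status: SSO Participant
    attributes: tuple = ()           # attributes released to this service


def _endpoint(url):
    """(scheme, host, port) with the default port filled in, so https://h/x == https://h:443/x."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname, port


def find_service(registry, url):
    """Return the registered entry covering `url`, or None.

    Scheme, host and port must match exactly and the path must start with the
    registered path: an entry for the Admin host never covers the Portal host,
    which is why the guide asks for one service URL per hostname.
    """
    for svc in registry:
        if _endpoint(svc.service_url) != _endpoint(url):
            continue
        if urlsplit(url).path.startswith(urlsplit(svc.service_url).path):
            return svc
    return None


def validate(registry, url, proxying=False):
    """Decide whether a ticket for `url` validates and which attributes are released."""
    svc = find_service(registry, url)
    if svc is None:
        return {"ok": False, "reason": "service not registered"}
    if not svc.enabled:
        return {"ok": False, "reason": "service disabled"}
    if proxying and not svc.allowed_to_proxy:
        return {"ok": False, "reason": "proxy not allowed for this service"}
    return {"ok": True, "attributes": list(svc.attributes), "sso": svc.sso_participant}


# Constructed registry mirroring the three entries the text calls for
# (placeholder hostnames, not an actual installation).
REGISTRY = [
    ManagedService("https://cas.example.edu:8443/cas-web/services",
                   allowed_to_proxy=True, attributes=("uid",)),
    ManagedService("https://admin.example.edu:443/c/portal/login", allowed_to_proxy=True),
    ManagedService("https://admin.example.edu:443/banner-cas-client/authorized/banner",
                   attributes=("UDC_IDENTIFIER",)),
]

if __name__ == "__main__":
    for url in ("https://admin.example.edu/banner-cas-client/authorized/banner/SelfService",
                "https://portal.example.edu/c/portal/login"):
        print(url, "->", validate(REGISTRY, url))
```

The second URL in the usage block is refused because only the Admin hostname is registered; adding a ManagedService for the Portal hostname is the fix the text describes. Note that only the banner-cas-client entry releases UDC_IDENTIFIER, so the login service never sees it.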
Banner Enterprise Identity Services Configuration Information Tables
The following is a list of tables that store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.
For Identity Data Export Utilities, as with other Web apps, the configuration is stored in the properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory, the files are stored in the following location:
applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties
Schema     Table            Application                          Comments
BNIXMGR    APCONFG          Banner Identity Gateway              Stores application configuration for SSB and INB
BNIXMGR    WSCONFG          Banner Identity Gateway              Stores configuration for the Open Digital Campus Identity Web Service, for the Credential service and Ticketing service
IDENTMGR   T_UDC_PST_LIST   Enterprise Identity Proxy Services   Stores a list of Provisioning Service Targets
Luminis Banner Web application
This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.
Use the following steps to deploy these portlets:
1. Make the necessary changes to certain properties located in the following folders:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
$CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes
2. The properties that need to be modified with respect to the Banner portlets are as follows:
The URL to access the Banner Portal Servlet
Example: http://slcban3.sungardhe.com:7778/banportals
providerServlet.url=<URL for the banportals application>
The user name to secure the servlet
providerServlet.userName=channelAdmin
The password to secure the servlet
providerServlet.password=u_pick_it
version=development
The SSB URL for the English locale
Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
The SSB URL for the French locale
Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
The SSB URL for the Spanish (Mexican) locale
Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
The SSB URL for the Arabic locale
Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
The SSB URL for the Brazilian locale
Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
The BEIS version: set to 8.1.4 for versions that are <= 8.1.4; otherwise the version needs to be set to 8.1.5
beis.version=8.1.4
The banner-cas-client URL for SSB, in case BEIS <= 8.1.4 is used
banner.cas.client.ssb=/banner-cas-client/authorized/banner/SelfService
The banner-cas-client URL for INB, in case BEIS <= 8.1.4 is used
banner.cas.client.inb=/banner-cas-client/authorized/banner/OracleForms?launch_form=
The URL for the SSB for SSO Manager, in case BEIS 8.1.5 is used (note that the parameter pkg has to be the same as configured in SSO Manager)
beis.ssomanager.ssb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/SSB?pkg=
The URL for the INB for SSO Manager, in case BEIS 8.1.5 is used
beis.ssomanager.inb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner
The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) Application server.
This authentication model requires Banner Enterprise Identity Services to be installed in the Banner server, and modifications to be made to the deployment of the Luminis Platform portlet for Banner Server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.
For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki:
http://www.edu1world.org/CommonsLuminis
This section includes the following topics:
• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"
Create the home directory for Luminis Channels for Banner
To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels
Copy the contents of your Banner production directory /channel/admin to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.
Edit the configuration file
Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following table specifies descriptions and examples of the Banner database connection configuration properties.
Property / Description / Example
connectionName.list
    Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName, and so on.
    Example: connectionName.list=default or connectionName.list=default,other
default.tnsName
    TNS name used when connecting to the Banner database.
    Example: default.tnsName=LB70.sct.com
default.userName
    Connection pool user name.
    Example: default.userName=banproxy
default.password
    Connection pool password.
    Example: default.password=banproxy
default.poolConfig.min-limit
    Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
    Example: default.poolConfig.min-limit=1
default.poolConfig.max-limit
    Maximum number of physical connections maintained by the pool.
    Example: default.poolConfig.max-limit=5
default.poolConfig.increment
    Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
    Example: default.poolConfig.increment=1
default.poolConfig.timeout
    The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The default time is in seconds.
    Example: default.poolConfig.timeout=30
log4j.rootCategory
    The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.
providerServlet.url
    URL to access the Banner portal servlet. This is the URL of the webserver and points to the OC4J servlet, which resides on the webserver machine. The port of 4445 in the document is an example; you provide the port number that routes you to the welcome page of the webserver, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. Reference "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.
providerServlet.userName
    User name to secure the servlet.
    Example: providerServlet.userName=channelAdmin
providerServlet.password
    Password used to secure the servlet.
    Example: providerServlet.password=u_pick_it
xsl-parameter.erpUrlBase
    URL for the INB server. Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL in the example.
    Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D
xsl-parameter.urlHostAndPath
    URL for the self-service application.
    Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD/
The recommended value for the username is channelAdmin. You can use any value for the password.
This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a channel request, it compares the username and password stored in banportals.ear with the username and password sent by Luminis from the luminis-banner webapp. Thus the providerServlet username and password only need to be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user, and so forth.
Generate the banportals.ear file
The banportals.config file contains values that should be inserted into the banportals.ear file.
To roll out the changes, use the installer file banportalsadmin.jar. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager as described in "Deploy the EAR file" on page 2-15.
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use the Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) server, using mapped drives or symbolic links, to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the application currently being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
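Two of the checks this chapter asks the administrator to make by hand can be automated: the cas-client.properties rules from the "Banner CAS client configuration" parameter table (an https CAS URL, an explicit SSL port in cas.client.serverName, the two callback properties left unused) and step 11 above, that the providerServlet user name and password on the OC4J side (banportals.config) match what each Luminis server sends from banportals.properties. The script below is an added example, not code from the Ellucian guide; it reads Java-style .properties text and reports findings. The sample inputs are constructed from the guide's own examples (the Portal copy is given two deliberate mistakes), and treating u_pick_it as a placeholder that must be replaced is this example's own rule, not a statement from the page.

```python
"""Consistency checks for cas-client.properties and the providerServlet shared secret (added example)."""
from urllib.parse import urlsplit

# Values the guide uses as stand-ins; this check treats them as "not yet set".
PLACEHOLDER_PASSWORDS = {"u_pick_it", "password", ""}


def parse_properties(text):
    """Minimal Java .properties reader: key=value, a bare key maps to '', # and ! start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        props[key.strip()] = value.strip() if sep else ""
    return props


def check_cas_client(props):
    """Apply the rules stated in the cas-client.properties parameter table; returns findings."""
    findings = []
    if urlsplit(props.get("cas.server.url", "")).scheme != "https":
        findings.append("cas.server.url must use https")
    if ":" not in props.get("cas.client.serverName", ""):
        findings.append("cas.client.serverName must include the SSL port number")
    for key in ("cas.server.proxyCallbackUrl", "cas.client.proxyCallbackUrl"):
        if props.get(key):
            findings.append(f"{key} is marked 'not in use' but has a value")
    if props.get("cas.server.gateway", "false") != "false":
        findings.append("cas.server.gateway should be left at its default of false")
    return findings


def check_shared_secret(banportals_config, luminis_props):
    """OC4J compares these two values with what luminis-banner sends, so both sides must agree."""
    findings = []
    for key in ("providerServlet.userName", "providerServlet.password"):
        if banportals_config.get(key) != luminis_props.get(key):
            findings.append(f"{key} differs between banportals.config and banportals.properties")
    if banportals_config.get("providerServlet.password", "") in PLACEHOLDER_PASSWORDS:
        findings.append("providerServlet.password is a placeholder value")
    return findings


# Constructed sample: the guide's Admin example, verbatim.
ADMIN_CAS_CLIENT = """\
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.gateway=false
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.server.proxyCallbackUrl
cas.client.serverName=slcsup37.sct.com:443
cas.client.proxyCallbackUrl
"""

# Constructed sample: a Portal-tier copy with two mistakes (http URL, no port).
PORTAL_CAS_CLIENT_BAD = """\
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=http://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com
"""

# Constructed samples for step 11: the password was changed on one side only.
BANPORTALS_CONFIG = """\
providerServlet.userName=channelAdmin
providerServlet.password=u_pick_it
"""
LUMINIS_BANPORTALS_PROPERTIES = """\
providerServlet.userName=channelAdmin
providerServlet.password=changed-on-luminis-only
"""


def run_checks():
    """Run every check on the constructed samples; returns {label: findings}."""
    return {
        "admin cas-client.properties": check_cas_client(parse_properties(ADMIN_CAS_CLIENT)),
        "portal cas-client.properties": check_cas_client(parse_properties(PORTAL_CAS_CLIENT_BAD)),
        "providerServlet credentials": check_shared_secret(
            parse_properties(BANPORTALS_CONFIG), parse_properties(LUMINIS_BANPORTALS_PROPERTIES)),
    }


if __name__ == "__main__":
    for label, findings in run_checks().items():
        print(label, "->", findings or "OK")
```

Point the same functions at the real files on each tier (one cas-client.properties per Tomcat instance, and banportals.properties on every Luminis server against the single banportals.config) to catch a tier that was copied but not edited.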
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP username mapping first, based on the GUAUPRF LDAP settings, then fail over to the mapping set in the Banner GOBEACC mapping. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for use with, and supporting, Banner Integration for eLearning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ-wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework Application Server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish OpenMQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the .../imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.
You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the OpenMQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows: mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following lines to the .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
export SCT_LMG_HOME
3. Copy the lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgX.x.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may look like the following:
java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of opends before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects, such as topics, queues, and connection factories, in $OPENDS_MQ_BASEDN (generally o=messaging). The properties include the following:
• Environmental settings:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port, and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use the imq.portmapper.port, which has a default value of 7676:
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel, by definition, requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update the <glassfishdomain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search, and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the last property, imq.log.level, to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
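An access-control file like the one above is worth reviewing mechanically: each queue and topic should end up with exactly the producer and consumer the integration needs, and a mistyped user name silently denies the legitimate account without any error at startup. The script below is an added example, not code from the Ellucian guide or from OpenMQ; it reads the allow/deny rules, prints who may produce and consume each destination, and lists any principal that is not in the expected set of broker users. It is a simplified model of the broker's rules: only allow.user and deny.user entries on named queues, topics and the connection services are handled, * stands for all users, and a destination with no rule for an operation is treated as denied, which is stricter than the defaults OpenMQ ships with. The sample is the guide's file with one deliberate typo ("lumser") so the check has something to find.

```python
"""Reviewer for an OpenMQ accesscontrol.properties fragment (added example, simplified model)."""


def parse_acl(text):
    """Return rules as (kind, name, op, effect, users). kind: connection|queue|topic."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = key.strip().split(".")
        if parts[0] == "connection" and len(parts) == 4 and parts[3] == "user":
            kind, name, op, effect = "connection", parts[1], "connect", parts[2]
        elif parts[0] in ("queue", "topic") and len(parts) == 5 and parts[4] == "user":
            kind, name, op, effect = parts[0], parts[1], parts[2], parts[3]
        else:
            continue  # group rules and other forms are outside this simplified model
        users = frozenset(u.strip() for u in value.split(",") if u.strip())
        rules.append((kind, name, op, effect, users))
    return rules


def is_allowed(rules, kind, name, op, user):
    """Deny rules win; otherwise any matching allow rule (explicit user or '*') permits."""
    allowed = False
    for k, n, o, effect, users in rules:
        if (k, n, o) != (kind, name, op):
            continue
        if user in users or "*" in users:
            if effect == "deny":
                return False
            allowed = True
    return allowed


def unknown_principals(rules, known_users):
    """User names that appear in a rule but are not broker users: usually typos."""
    return sorted({u for *_, users in rules for u in users if u != "*" and u not in known_users})


def permission_matrix(rules, users):
    """{'kind:name': {user: set(ops)}} for every queue and topic mentioned in the rules."""
    matrix = {}
    for kind, name in sorted({(k, n) for k, n, *_ in rules if k != "connection"}):
        entry = matrix.setdefault(f"{kind}:{name}", {})
        for user in sorted(users):
            ops = {op for op in ("produce", "consume") if is_allowed(rules, kind, name, op, user)}
            if ops:
                entry[user] = ops
    return matrix


# Constructed from the guide's sample, with one deliberate typo ("lumser").
SAMPLE_ACL = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""
KNOWN_USERS = {"lumuser", "lmguser"}   # the two accounts lp5_mqinit.sh creates


def audit(text=SAMPLE_ACL, known_users=KNOWN_USERS):
    rules = parse_acl(text)
    return {"unknown_principals": unknown_principals(rules, known_users),
            "matrix": permission_matrix(rules, known_users)}


if __name__ == "__main__":
    report = audit()
    print("unknown principals:", report["unknown_principals"])
    for dest, perms in report["matrix"].items():
        print(dest, {u: sorted(o) for u, o in perms.items()})
```

In the report, topic:com_sct_ldi_sis_Error shows no consumer at all, which is the visible symptom of the typo: Luminis would never receive error messages, and nothing in the broker log would say why.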
Custom JMS Clients
Ensure your JMS clients contain the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ, or Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server:
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps:
Note: The imqusermgr command creates users in the file-system based user repository, but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration guide for more details or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default, the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
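The telnet test above is a manual check. The following script, added here as an example and not part of the guide or of Open MQ, parses the same portmapper table and reports any TCP service that is still on an ephemeral port after config.properties was changed, plus the port list a firewall between Luminis Platform and the broker must allow. The host name and the second sample table are constructed; the expected ports are the ones configured above.

```python
"""Parse the table the Open MQ portmapper sends on port 7676 and report which
services are still on ephemeral ports (added check, not from the guide)."""
import socket
from dataclasses import dataclass

# Constructed sample: the table after imq.admin.tcp.port=7574 and
# imq.jms.tcp.port=7575 were set (host name is a placeholder).
SAMPLE_AFTER = """101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,imqhome=/opt/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://mq.example.edu/jndi/rmi://mq.example.edu:8686/mq.example.edu/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""
# Constructed sample: the default ephemeral assignment before the change.
SAMPLE_BEFORE = """101 imqbroker 4.5
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
cluster tcp CLUSTER 37453
"""
# Static ports configured in imqbroker/props/config.properties.
EXPECTED_STATIC = {"admin": 7574, "jms": 7575}


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str
    kind: str
    port: int


def parse_portmap(text):
    """Return {service name: Service}. Rows read "<name> <protocol> <type> <port>
    [props]"; the "101 imqbroker 4.5" banner is skipped. Port 0 means the
    service has no TCP listener of its own (direct mode or disabled)."""
    services = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "101" or not fields[3].isdigit():
            continue
        name, protocol, kind, port = fields[:4]
        services[name] = Service(name, protocol, kind, int(port))
    return services


def check_static_ports(services, expected=EXPECTED_STATIC, ignore=("cluster",)):
    """Return (ok, problems). A problem is a TCP service advertised on a port
    other than its configured static one, or an expected service not advertised
    at all. 'cluster' is ignored by default: it stays dynamic on a standalone
    broker and Luminis clients never connect to it."""
    problems = {}
    for name, svc in services.items():
        if svc.protocol != "tcp" or svc.port == 0 or name in ignore:
            continue
        if name == "portmapper":
            continue  # 7676 is fixed by the broker itself, not by config.properties
        if name not in expected:
            problems[name] = f"ephemeral port {svc.port}; no static port configured"
        elif svc.port != expected[name]:
            problems[name] = f"expected static port {expected[name]}, got {svc.port}"
    for name, port in expected.items():
        if name not in services or services[name].port == 0:
            problems[name] = f"service not advertised; expected it on port {port}"
    return (not problems), problems


def required_firewall_ports(services, expected=EXPECTED_STATIC):
    """TCP ports a firewall between Luminis and the broker must allow: the
    portmapper plus every static service port. Ephemeral ports cannot be
    opened in advance, which is the reason for the static configuration."""
    ports = set(expected.values())
    ports.add(services["portmapper"].port if "portmapper" in services else 7676)
    return sorted(ports)


def fetch_portmap(host, port=7676, timeout=5.0):
    """Read the live table the way the telnet test does (assumes the broker
    writes it on connect and closes). Not exercised by the tests below."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")
```

Run it against a live broker with check_static_ports(parse_portmap(fetch_portmap("<broker host>"))) after the restart; an empty problems dictionary confirms the firewall rules only need the ports returned by required_firewall_ports.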
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.
If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled within the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier is doing all the JMS work while the portal tiers focus on the HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following command:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN-ID lookup against LDAP involved in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in the Luminis-CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or by proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP for his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnig Web configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with the b_0110_twb8030001 or Web Tailor 8.2 with the b_0110_twb8020001. Otherwise, the bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control-panel to generate the o=SCTSSOapplications base-dn. This base DN is not necessary unless the LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, click the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps.
1. Run the command from $CP_ROOT/products/opends/bin as follows:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select "Add one or more values".
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter "Use these values".
1.7 Enter f to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications.ldif" sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, it indicates that no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here, and for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration, in turn, relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Please note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID to an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption, as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade, you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
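A pre-check for the enckey file, added here as an example (not part of the guide or of the GOKKSSO package): it applies the rules stated above (column 1, letters and numbers, at least eight characters, multiples of eight) and reports which characters DES and DES3 would actually use. The sample keys in the assertions are constructed.

```python
"""Validate an enckey file against the GOKKSSO key rules described in the guide
(added example; the rules come from the text, the checker does not)."""
import re

MIN_LEN, BLOCK, USED = 8, 8, 24  # at least 8 chars, multiples of 8, first 24 used


def validate_enckey(contents):
    """Return the list of rule violations for the text of an enckey file; an
    empty list means the key is acceptable. Only the first line is the key."""
    problems = []
    line = contents.split("\n", 1)[0].rstrip("\r")
    if line != line.lstrip():
        problems.append("key must start in column 1 (leading whitespace found)")
    key = line.strip()
    if len(key) < MIN_LEN:
        problems.append(f"key has {len(key)} characters; at least {MIN_LEN} required")
    elif len(key) % BLOCK:
        problems.append(f"key length {len(key)} is not a multiple of {BLOCK}")
    if not re.search(r"[A-Za-z]", key) or not re.search(r"[0-9]", key):
        problems.append("key must combine letters and numbers")
    if re.search(r"\s", key):
        problems.append("key must not contain embedded whitespace")
    return problems


def effective_keys(contents):
    """(DES key, DES3 key): the first 8 and the first 24 characters, which are
    the only parts of the file the current and the future algorithm use."""
    key = contents.split("\n", 1)[0].strip()
    return key[:BLOCK], key[:USED]
```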
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if they are different between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping may be read accordingly.
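The usermap entry and the proxyinfo.sql lookup described above, worked through as an added example (not the guide's own script, and not the actual Banner lookup code): it generates the sso_map.ldif entry, loads a usermap from LDIF with the sanity checks an administrator would want (object class, cn equal to the RDN, Oracle ID present), and resolves a Luminis ID to the Oracle ID with the banproxy fallback. The MaryJones mapping and the o=config entry in the sample are constructed.

```python
"""Build the sso_map.ldif entry, load a usermap file and resolve a Luminis ID
to the Oracle/INB ID as proxyinfo.sql would report it (added example, not
part of the guide)."""

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "banproxy"  # reported when no explicit mapping exists

# Constructed sample usermap: the guide's JoeSmith entry, one made-up mapping,
# and a constructed o=config entry outside o=usermap that must be ignored.
SAMPLE_USERMAP_LDIF = """dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith

dn: cn=MaryJones,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: MJONES
objectClass: top
objectClass: SCTSSOConfig
cn: MaryJones

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: SCTSSOConfig
cn: UserMapDN
"""


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attribute: [values]}}. Supports comments,
    blank-line entry separators and folded lines (leading space)."""
    entries, current, last_attr = {}, None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            current = None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
            last_attr = None
        elif current is None:
            raise ValueError("attribute line before any dn: " + raw)
        else:
            current.setdefault(attr, []).append(value)
            last_attr = attr
    return entries


def usermap_ldif(luminis_id, banner_id):
    """The LDIF entry mapping a Luminis login to an Oracle/Banner ID, or an
    empty string when both IDs match (no usermap entry is needed then).
    IDs are compared case-insensitively, as LDAP cn and Oracle names are."""
    if luminis_id.lower() == banner_id.lower():
        return ""
    return "\n".join([
        f"dn: cn={luminis_id},{USERMAP_BASE}",
        f"SCTSSOConfigString: {banner_id}",
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        f"description: Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {banner_id}",
        f"cn: {luminis_id}",
        "",
    ])


def load_usermap(ldif_text):
    """{luminis id (lower case): oracle id} from the entries under o=usermap.
    Entries elsewhere are skipped; malformed usermap entries raise ValueError."""
    mapping = {}
    for dn, attrs in parse_ldif(ldif_text).items():
        rdn, _, parent = dn.partition(",")
        if parent.replace(" ", "").lower() != USERMAP_BASE.lower():
            continue
        if "SCTSSOConfig" not in attrs.get("objectClass", []):
            raise ValueError(f"{dn}: missing objectClass SCTSSOConfig")
        cn = rdn.split("=", 1)[1]
        if cn.lower() not in [v.lower() for v in attrs.get("cn", [])]:
            raise ValueError(f"{dn}: cn attribute must equal the RDN")
        if not attrs.get("SCTSSOConfigString"):
            raise ValueError(f"{dn}: SCTSSOConfigString (Oracle ID) is missing")
        mapping[cn.lower()] = attrs["SCTSSOConfigString"][0]
    return mapping


def resolve_oracle_id(mapping, luminis_id, default=DEFAULT_ORACLE_ID):
    """What proxyinfo.sql reports: the explicit usermap wins, otherwise the
    default Oracle ID (banproxy, or whatever the site configured)."""
    return mapping.get(luminis_id.lower(), default)
```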
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps.
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value will display as the Default value for new users who log in to Banner.
Parameter: Description
BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine if users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using Internet URL format for LDAP, such as the following example: ldap://myldapserver:389
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are as follows: L - LoginID is being used for login mapping; N - No usermap option is used.
USERMAP_PRFX: Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV, you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Socket Layer) key, configure the following parameters:
Parameter: Description
LOCATION: To configure SSL, a certificate wallet must be created on the Database Server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows: file:d:\wallet for Windows, file:/u01/wallet for Unix.
PASSWORD: The password to the wallet. It is stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode; can be one of the following values: 1 - No authentication is required (SSL encryption only); 2 - One-way authentication is required: the client certificate is authenticated by the server; 3 - Two-way authentication is required: the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions listed in step 2.2.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location as CAS_EXTENSION=D:\Banner_IdM_Extension, and consider the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the uniqueIdGenerators.xml file, inside <util:map id="uniqueIdGeneratorsMap">:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To crank up banportals logging on the application server side, use the following file to set verbosity:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
GlassFish MQ 4.5 logs

If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:

1. Locate the default MQ logs, as stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log/
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties in that same file:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script

The following is an example proxyinfo.sql script:

--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID,
-- such as INTEGMGR or WWW_USER, is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL*Plus as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail: 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS        TH 07-JUN-06
--
-- Audit Trail: 1.1
-- ___________________________________________________________
-- 1. Update                                          TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';        -- proxy class
  b varchar2(200) := 'LUMINIS';        -- proxy application
  c varchar2(200) := '&Luminis_ID';    -- prompted for at run time
  d varchar2(200);                     -- returns the Oracle user
  e varchar2(200);                     -- returns the role
  f varchar2(200);                     -- returns the password (not printed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role:         ' || e);
  --dbms_output.put_line(' PWD:          ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User:  ' || d);
end;
/
spool off
Sample 00-core.ldif

The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file sso_oclass_lum5.ldif (the attribute type needs an OID before NAME; the same SCTSSOConfigString-oid placeholder used in the other schema files is shown here):

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif

The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif

The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. By importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.

The following is a sample sso_oclass_lum5.ldif:

dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif

The following is a sample o=sctssoapplications.ldif file:

version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script

The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.

#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized:
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable.
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      #   err=20 generally means "Attribute or Value Exists"
      #   err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 0.1
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d $OPENDS_DIR ) || ! ( -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 0.2
# Prompt [no screen echo] for the DM password.
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# (-w passes the password on the command line, so it is visible in the process list while each command runs.)
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"

# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options.
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"
# STEP 1
# Create a new base-dn within backend userRoot.
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be
# (base64-wrapped with '::' because the value starts with '{'):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options:
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options:
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# The lookup names below contain a literal '$', so they are single-quoted
# to keep the shell from treating the rest of the name as a variable.

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# The destination name must match the UpdateRequest queue listed in the imqcmd note above.
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration.
# The destination name must match the UpdateReply queue listed in the imqcmd note above.
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_ssl_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_ssl_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
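The script keeps MQ_LMG_USER_PW and MQ_LUM_USER_PW in clear text and, in STEP 2, switches on ds-cfg-allow-pre-encoded-passwords so the commented userPassword:: form can be supplied instead. The following added Python example (not code from the guide or from the script's author) shows what that pre-encoded form is: OpenDS's salted SHA-1 value, {SSHA} followed by base64(sha1(password || salt) || salt), wrapped in the LDIF base64 ('::') syntax because the value begins with '{'. It produces such a value offline so the plaintext never has to sit in the script, verifies a candidate password against one, and decodes the line quoted in the script only far enough to show its structure (scheme prefix, 20-byte digest, 8-byte salt; the password behind it is not known and not recovered). Function names and the 8-byte salt length are assumptions for the example; the salt length matches the 28-byte value in the script.

```python
"""Pre-encoded {SSHA} userPassword values for the o=messaging users.

Added example, not part of lp5_mqinit.sh or the Luminis guide.  Shows the
salted SHA-1 scheme OpenDS stores, how to verify a password against it, and
the LDIF '::' base64 wrapper the script's STEP 6 comment uses.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20
SALT_LEN = 8   # assumption for this example; consistent with the value quoted in the script


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, encoded: str) -> bool:
    """Constant-time comparison of a candidate password against an {SSHA} value."""
    if not encoded.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_password_line(encoded: str) -> str:
    """LDIF requires '::' + base64 when a value starts with a special character such as '{'."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def ldif_decode_value(line: str) -> str:
    """Inverse of ldif_password_line: decode an 'attr:: <base64>' LDIF line."""
    _attr, sep, value = line.partition("::")
    if not sep:
        raise ValueError("line is not a base64 ('::') LDIF value")
    return base64.b64decode(value.strip()).decode("ascii")


def ssha_parts(encoded: str) -> Tuple[int, int]:
    """Return (digest_len, salt_len) of an {SSHA} value; reveals structure, not the password."""
    raw = base64.b64decode(encoded[len(SSHA_PREFIX):])
    return SHA1_LEN, len(raw) - SHA1_LEN


# The pre-encoded line quoted in the script's STEP 6 comment (its password is not known here).
GUIDE_LDIF_LINE = ("userPassword:: "
                   "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==")


def inspect_guide_value() -> Tuple[str, int]:
    """Decode the guide's line and return (scheme prefix, salt length)."""
    encoded = ldif_decode_value(GUIDE_LDIF_LINE)
    _digest_len, salt_len = ssha_parts(encoded)
    return encoded[:len(SSHA_PREFIX)], salt_len


if __name__ == "__main__":
    enc = ssha_encode("example-only-password")   # constructed password
    print(ldif_password_line(enc))
    print("verify ok:", ssha_verify("example-only-password", enc))
    print("guide value:", inspect_guide_value())
```

Generating the value this way lets the heredoc in STEP 6 carry the userPassword:: line instead of the MQ_LMG_USER_PW variable, so the clear-text password is not stored in the script or passed through ldapmodify.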
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.

Error message when banproxy is not configured correctly

The following error often indicates that the banproxy configuration is not set up properly:

ORA-28150: proxy not authorized to connect as client

If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:

SQL> alter user INTEGMGR grant connect through INTEGMGR;

The proxy (connect-through) connection for BANPROXY access should appear as follows:

SQL> alter user USER1 grant connect through USER2;

USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.

When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center, and the Banner General Security Guide.

For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.

To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, as bansecr, described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.

The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:

iamticket=iamticket

Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.

If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:

1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.

Another SOAP-related error, an HTTP transport error, can occur even if all the JMS queues are configured and operating correctly. This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:

http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy

Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation

For more information, refer to the Banner Enterprise Identity Services Installation Guide.

One typo in that guide is the following:

1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME=IAM_EVENTS_CAPTURE (missing single quotes; the value should read 'IAM_EVENTS_CAPTURE')
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the streams by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
Specify bannerValidate parameters

The following HTTP request parameters must be specified to the bannerValidate service. These parameters are case sensitive and are handled by bannerValidate.

Parameter    Description
BANNER-SV    Identifier of the service for which the CAS ticket was issued. Refer to the JA-SIG CAS overview, section 2.2 of the CAS protocol, for information pertaining to the login.
BANNER-ST    Service ticket issued by the CAS login service when a client presents credentials. A service ticket is an opaque string that the client uses as a credential to obtain access to a service.

Returned bannerValidate responses

The bannerValidate service returns one of the following three responses:

• If the ticket validation is successful, the following XML-formatted response is returned:

<urn:UDCIdentity xmlns:urn="urn:sungardhe:enterprise:domain:identity:1.0">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>maldevl5.sct.com/cas-client-31/authorized/bannerSelfService</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>

• If the UDC_IDENTIFIER is not asserted as a part of the validation response, an AssertionValidation error is returned.
• If the ticket validation fails, an HTTP 401 error code is returned.

The CAS server asserts the following attributes:
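The three outcomes listed above are what a consuming web application has to branch on. The following added Python example (not code from the guide or from Banner Enterprise Identity Services) models that client-side handling on constructed responses: it parses the success XML in the namespace shown above, treats a 200 whose UDCIdentifier is missing as the AssertionValidation case, maps 401 to a rejected ticket, and additionally confirms that the BANNER-SV echoed in the Extension block names the service doing the validating, a check this example adds on top of what the guide lists. Class and function names, and the way the service identifier string is written, are assumptions for the example.

```python
"""Client-side handling of bannerValidate responses.

Added example, not from the Luminis guide or from Banner Enterprise Identity
Services.  Models the three outcomes listed above on constructed responses;
the BANNER-SV consistency check is this example's own addition.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Namespace from the sample response in the guide.
NS = {"urn": "urn:sungardhe:enterprise:domain:identity:1.0"}

# Service identifier carried in the guide's sample response.
SAMPLE_SERVICE = "maldevl5.sct.com/cas-client-31/authorized/bannerSelfService"


class AssertionValidationError(Exception):
    """UDC_IDENTIFIER was not asserted in an otherwise successful response."""


class TicketValidationError(Exception):
    """Ticket rejected (HTTP 401), response unusable, or issued for another service."""


@dataclass
class ValidatedIdentity:
    udc_identifier: str
    logon_id: Optional[str]
    service: Optional[str]


# Constructed responses: the success body copied from the guide's sample,
# then the same body with its UDCIdentifier element removed.
SUCCESS_BODY = f"""\
<urn:UDCIdentity xmlns:urn="{NS['urn']}">
  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>
  <urn:LogonID>triddle</urn:LogonID>
  <urn:Extension>
    <urn:Attribute>
      <urn:name>BANNER-SV</urn:name>
      <urn:value>{SAMPLE_SERVICE}</urn:value>
    </urn:Attribute>
  </urn:Extension>
</urn:UDCIdentity>
"""
MISSING_UDC_BODY = SUCCESS_BODY.replace(
    "  <urn:UDCIdentifier>3C9CBAC307313872E0440003BA1015A4</urn:UDCIdentifier>\n", "")


def parse_banner_validate(status: int, body: str, expected_service: str) -> ValidatedIdentity:
    """Turn an HTTP status plus response body into a ValidatedIdentity, or raise."""
    if status == 401:
        raise TicketValidationError("service ticket rejected (HTTP 401)")
    if status != 200:
        raise TicketValidationError(f"unexpected HTTP status {status}")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise TicketValidationError(f"malformed response: {exc}") from None

    udc = root.findtext("urn:UDCIdentifier", namespaces=NS)
    if udc is None or not udc.strip():
        raise AssertionValidationError("UDC_IDENTIFIER not asserted in response")

    service = None
    for attr in root.iterfind("urn:Extension/urn:Attribute", NS):
        if attr.findtext("urn:name", namespaces=NS) == "BANNER-SV":
            service = attr.findtext("urn:value", namespaces=NS)
    # Added check: a ticket validated for some other service must not be accepted here.
    if service is not None and service != expected_service:
        raise TicketValidationError("BANNER-SV does not name this service")

    return ValidatedIdentity(udc.strip(), root.findtext("urn:LogonID", namespaces=NS), service)


if __name__ == "__main__":
    print(parse_banner_validate(200, SUCCESS_BODY, SAMPLE_SERVICE))
```

The identity the application goes on to use is the UDCIdentifier, which is why a 200 without it is treated as a failure rather than falling back to LogonID.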
Configure the CAS server
The Luminis Platform CAS server must be configured to extend the basic CAS services to support the bannerValidate service. This service is configured to retrieve UDC_IDENTIFIER data from your LDAP directory.

If the Luminis Platform CAS server was installed using the Luminis Installer, support for the bannerValidate service has been automatically configured. If you are using an externally managed CAS server, as described in the Luminis Platform Installation Guide, then you must manually configure the CAS server to support the bannerValidate service by following the steps outlined in the "Configure the CAS Server" appendix.

CAS managed services

The following are the primary CAS managed services. Some or all of these services may already exist in your CAS managed services page after the initial installation of Luminis. The CAS managed services page is found in the following location:

https://<casservername>:<port>/cas-web/services/manage.html

• A typical Luminis/CAS installation would require at least the following CAS-managed service:

https://<casservername>:<https port>/cas-web/services

For this service, select the uid attribute and check the Enabled, Allowed to Proxy, and SSO Participant check boxes.

• The Admin server login URL would display as follows:

https://<luminisservername>:<https port>/cportal/login

A separate cportal/login service URL needs to be defined for each Luminis Platform hostname, such as the Admin and Portal tiers, or virtual hostname if that is the URL that is being used by end users to access the service. This service does not require any attributes. Recommended Status check boxes are Enabled, Allowed to Proxy, and SSO Participant.

• The Admin server banner-cas-client URL should display as follows:

https://<adminservername>:<https port>/banner-cas-client/authorized/banner

A separate banner-cas-client/authorized/banner service URL needs to be defined for each Luminis Platform instance (Admin and Portal tiers, or the virtual hostname if end users are using that URL to access the service in question). Mark the Enabled and SSO Participant check boxes and select the UDC_IDENTIFIER attribute.

The attributes the CAS server asserts, and where each appears in the bannerValidate response, are as follows:

Attribute        Location in Response
UDC_IDENTIFIER   UDCIdentity/UDCIdentifier
CAS Net ID       UDCIdentity/LogonID
Note: UDC_IDENTIFIER does not display in the attribute list until the CAS customizations detailed in the "Configuring CAS server to enable bannerValidate" section take effect. A restart of the CAS server is required.

If necessary, edit the CAS managed services that the CAS server protects.

Use the following steps to define new CAS managed services, if required:

1. Launch a browser and navigate to the CAS server management page at the following URL: https://<CAS server>:<port>/cas-web/services/manage.html
2. Supply a valid administrator user name and password obtained from the CAS administrator. The Services Management page is displayed.
3. Click the Add New Service tab in the left corner of the page.
4. Add a new service by entering the fields as exemplified in the following table:

Parameter     Description
Name          CAS services
Service URL   https://<cas-server>:<port>/cas-web/services
Description   Protect cas services
Theme Name    Cas
Status        Select Enabled and SSO Participant
Attributes    The service attributes

5. Click Save Changes.

The CAS server protects the service that you defined.
Banner CAS client configuration
Once the CAS server is configured to support Banner Enterprise Identity Services we can configure Internet-native Banner and Banner Self-Service to participate in a CAS Single Sign-On (SSO) session This is accomplished when you deploy the Banner CAS Client Web application in the Admin server and the Portal server This application proxies the CAS authentication process to the Banner SSO proxy Web applications that support Internet-native Banner and Banner Self-Service The application is only required in a CAS-based environment
Use the following steps to install and configure the Banner CAS Client Web application.

1. After you deploy the banner-cas-client version supplied with Banner Enterprise Identity Services for the Luminis Platform Admin and Portal instances, modify the following parameters in the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file.

Parameter                      Description
banner.sso.gateway             URL to the Banner SSO Web Proxy, which is part of the Banner Identity Gateway deployment.
cas.server.gateway             Determines whether the login screen is displayed to the user. The default is false.
cas.server.renew               Determines whether users must log in to each application. If set to true, users must log in to each application regardless of whether an SSO session was established; use this setting if users are allowed to log in to another application within the SSO realm without providing credentials again. If set to false, users do not need to log in to each application once an SSO session has been established; use this setting for general use.
cas.server.url                 URL to the CAS server. Generally this is a secured container, meaning the URL should begin with https.
cas.server.proxyCallbackUrl    Server proxy callback URL, which should point to the CAS server and port.
cas.client.serverName          Client server address, consisting of the fully qualified server name and the port where the application is running. Note: this should include the SSL port number.
cas.client.proxyCallbackUrl    Client proxy callback URL, which should point to the server and port where the client application is running. Note: this should include the SSL port number.

For example, the cas-client.properties file may appear as follows.

• Admin:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443

• Portal:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com:443

• The following three properties, left as comments, are not in use:
#cas.server.gateway=false
#cas.server.proxyCallbackUrl=
#cas.client.proxyCallbackUrl=

2. Test the Web application by invoking the following URL. This URL should be accessible from all resource and Portal tiers:
https://<Luminis host>:<SSL PORT>/banner-cas-client

The following URLs are used to start Banner in a CAS Single Sign-On environment:
• Internet-Native Banner: http://<host>:<port>/banner-cas-client/authorized/banner/OracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/banner/SelfService
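The following is an added example, not code from the Luminis/Banner guide: a small checker for the cas-client.properties values described above. It reads the key=value pairs and reports settings that weaken the CAS deployment (a cas.server.url that is not https, a cas.client.serverName without the SSL port, cas.server.gateway not left at false, a cas.server.renew that is not a boolean, and proxy callback URLs set even though the guide marks them unused). The property names are the ones in the table; both sample files are constructed for the example.

```python
"""Added example (not part of the Luminis/Banner guide): sanity-check the
cas-client.properties settings documented in the CAS client table."""

import re

# Constructed sample modelled on the Admin example in the guide; the last
# three keys are commented out, as the guide shows.
SAMPLE_ADMIN = """\
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
#cas.server.gateway=false
#cas.server.proxyCallbackUrl=
#cas.client.proxyCallbackUrl=
"""

# Constructed weak variant: plain http to the CAS server, no SSL port on the
# client name, the login screen suppressed and an unused callback populated.
SAMPLE_WEAK = """\
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=maybe
cas.server.url=http://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com
cas.server.gateway=true
cas.server.proxyCallbackUrl=https://slcsup37.sct.com:8447/cas-web/proxy
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#' or '!' comments, blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

# fully qualified host followed by an explicit port, e.g. slcsup37.sct.com:443
HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")

def check_cas_client(text):
    """Return a sorted list of finding strings; an empty list means no issue found."""
    p = parse_properties(text)
    findings = []
    if not p.get("cas.server.url", "").startswith("https://"):
        findings.append("cas.server.url must use https")
    if not HOST_PORT.match(p.get("cas.client.serverName", "")):
        findings.append("cas.client.serverName must be host:port (SSL port)")
    if p.get("cas.server.renew") not in ("true", "false"):
        findings.append("cas.server.renew must be true or false")
    if p.get("cas.server.gateway", "false") != "false":
        findings.append("cas.server.gateway should stay false")
    for key in ("cas.server.proxyCallbackUrl", "cas.client.proxyCallbackUrl"):
        if p.get(key):
            findings.append(f"{key} is set but the guide marks it unused")
    return sorted(findings)

if __name__ == "__main__":
    for name, text in (("admin", SAMPLE_ADMIN), ("weak", SAMPLE_WEAK)):
        print(name, check_cas_client(text) or "OK")
```

Run it against the Admin and Portal copies of the file after step 1; the Admin sample above passes cleanly, while the weak variant produces five findings.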
Banner Enterprise Identity Services Configuration Information Tables

The following tables store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.

For Identity Data Export Utilities, as with other Web apps, the configuration is stored in a properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory, the files are stored in the following location:
applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties

Schema     Table            Application                           Comments
BNIXMGR    APCONFG          Banner Identity Gateway               Stores application configuration for SSB and INB.
BNIXMGR    WSCONFG          Banner Identity Gateway               Stores configuration for the Open Digital Campus Identity Web Service (Credential service and Ticketing service).
IDENTMGR   T_UDC_PST_LIST   Enterprise Identity Proxy Services    Stores a list of Provisioning Service Targets.
Luminis Banner Web application

This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.

Use the following steps to deploy these portlets.

1. Make the necessary changes to the properties located in the following folders:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
$CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes

2. The properties that need to be modified for the Banner portlets are as follows:

# The URL to access the Banner Portal Servlet
# Example: http://slcban3.sungardhe.com:7778/banportals
providerServlet.url=<URL for the banportals application>
# The user name to secure the servlet
providerServlet.userName=channelAdmin
# The password to secure the servlet
providerServlet.password=u_pick_it
version=development
# The SSB URL for the English locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
# The SSB URL for the French locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
# The SSB URL for the Spanish (Mexican) locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
# The SSB URL for the Arabic locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
# The SSB URL for the Brazilian locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
# The BEIS version: 8.1.4 for versions that are <= 8.1.4; otherwise it must be set to 8.1.5
beis.version=8.1.4
# The banner-cas-client URL for SSB when BEIS <= 8.1.4 is used
banner.cas.client.ssb=/banner-cas-client/authorized/banner/SelfService
# The banner-cas-client URL for INB when BEIS <= 8.1.4 is used
banner.cas.client.inb=/banner-cas-client/authorized/banner/OracleForms?launch_form=
# The SSB URL for SSO Manager when BEIS 8.1.5 is used (the pkg parameter must match the value configured in SSO Manager)
beis.ssomanager.ssb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/SSB?pkg=
# The INB URL for SSO Manager when BEIS 8.1.5 is used
beis.ssomanager.inb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner

The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) application server.

This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server and modifications to be made to the deployment of the Luminis Platform portlet for Banner Server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.

For updates to the Middle Tier instructions, see the CommonsLuminis (Luminis Platform 5) collaboration wiki:
http://www.edu1world.org/CommonsLuminis

This section includes the following topics:
• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"

Create the home directory for Luminis Channels for Banner

To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels

Copy the contents of your Banner production directory's channel/admin directory to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.

Edit the configuration file

Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties

The following table specifies descriptions and examples of the Banner database connection configuration properties.

Property: connectionName.list
  Description: Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName, and so on.
  Example: connectionName.list=default or connectionName.list=default,other

Property: default.tnsName
  Description: TNS name used when connecting to the Banner database.
  Example: default.tnsName=LB70.sct.com

Property: default.userName
  Description: Connection pool user name.
  Example: default.userName=banproxy

Property: default.password
  Description: Connection pool password.
  Example: default.password=banproxy

Property: default.poolConfig.min-limit
  Description: Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
  Example: default.poolConfig.min-limit=1

Property: default.poolConfig.max-limit
  Description: Maximum number of physical connections maintained by the pool.
  Example: default.poolConfig.max-limit=5

Property: default.poolConfig.increment
  Description: Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
  Example: default.poolConfig.increment=1

Property: default.poolConfig.timeout
  Description: The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is in seconds.
  Example: default.poolConfig.timeout=30

Property: log4j.rootCategory
  Description: The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.

Property: providerServlet.url
  Description: URL to access the Banner portal servlet. This is the URL of the webserver and points to the OC4J servlet, which resides on the webserver machine. The port of 4445 in the example is only an example; you provide the port number that routes you to the welcome page of the webserver, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. See "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.
  Example: providerServlet.url=http://<yourservername.com>:4445/banportals

Property: providerServlet.userName
  Description: User name to secure the servlet.
  Example: providerServlet.userName=channelAdmin

Property: providerServlet.password
  Description: Password used to secure the servlet.
  Example: providerServlet.password=u_pick_it

Property: xsl-parameter.erpUrlBase
  Description: URL for the INB server. Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL.
  Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D

Property: xsl-parameter.urlHostAndPath
  Description: URL for the self-service application.
  Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD/

The recommended value for the username is channelAdmin. You can use any value for the password.

This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a Channel request, it compares the username and password stored in banportals.ear with the username and password sent by Luminis from the luminis-banner webapp. Thus the providerServlet username and password only need to be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user, and so forth.

Generate the banportals.ear file

The banportals.config file contains values that should be inserted into the banportals.ear file.

To roll out the changes, the installer file banportalsadmin.jar is used. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config

Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager as described in "Deploy the EAR file" on page 2-15.
Deploy the EAR file

SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.

To use the Oracle Enterprise Manager, complete the following steps.

1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.

2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).

3. You may be shown an introduction. After you read the introduction, click Next.

4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) server using mapped drives or symbolic links to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.

5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the application currently being deployed. The suggested name is as follows: <SID>_banportals

6. Click Next.

7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.

8. Click Finish to navigate to the last summary step.

9. When the summary is displayed, click Deploy to deploy the EAR file.

10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.

11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
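As an added example (not code from the guide or from the banportals installer), the following script automates the check behind step 11 and the credential explanation above: the providerServlet.* values baked into banportals.ear from CHANNEL_HOME/banportals.config must agree with the banportals.properties on every Luminis tier, or the OC4J servlet will reject the channel request. It also sanity-checks the default.poolConfig.* numbers from the property table. Both files are constructed samples; channelAdmin and u_pick_it are the guide's own example values, and the stale password on the Luminis side is deliberate.

```python
"""Added example (not part of the guide): cross-check the OC4J-side
banportals.config against a Luminis tier's banportals.properties, and check
the connection-pool settings documented in the property table."""

# Constructed banportals.config (OC4J side, CHANNEL_HOME)
BANPORTALS_CONFIG = """\
connectionName.list=default
default.tnsName=LB70.sct.com
default.userName=banproxy
default.password=banproxy
default.poolConfig.min-limit=1
default.poolConfig.max-limit=5
default.poolConfig.increment=1
default.poolConfig.timeout=30
providerServlet.userName=channelAdmin
providerServlet.password=u_pick_it
"""

# Constructed luminis-banner/WEB-INF/classes/banportals.properties on one
# Luminis tier, where the password was not updated after it changed on OC4J.
LUMINIS_PROPS = """\
providerServlet.url=http://slcban3.sungardhe.com:7778/banportals
providerServlet.userName=channelAdmin
providerServlet.password=stale_value
"""

def load(text):
    """Tiny key=value reader; lines starting with '#' are comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def credential_mismatches(oc4j_text, luminis_text):
    """providerServlet.* keys present on both sides whose values differ.
    providerServlet.url exists only on the Luminis side, so it is never compared."""
    a, b = load(oc4j_text), load(luminis_text)
    return sorted(k for k in a.keys() & b.keys()
                  if k.startswith("providerServlet.") and a[k] != b[k])

def pool_problems(oc4j_text, conn="default"):
    """Check the <connection>.poolConfig.* values against the table's constraints."""
    p = load(oc4j_text)
    get = lambda name: int(p.get(f"{conn}.poolConfig.{name}", "0"))
    mn, mx, inc, timeout = get("min-limit"), get("max-limit"), get("increment"), get("timeout")
    problems = []
    if mn < 0 or mx < 1 or mn > mx:
        problems.append("min-limit must be between 0 and max-limit, and max-limit >= 1")
    if inc < 1:
        problems.append("increment must be at least 1")
    if timeout <= 0:
        problems.append("timeout (seconds) must be positive")
    if mn != 1:
        problems.append("min-limit=1 is the recommended value with OCI pooling")
    return problems

if __name__ == "__main__":
    print("mismatched keys:", credential_mismatches(BANPORTALS_CONFIG, LUMINIS_PROPS))
    print("pool problems:", pool_problems(BANPORTALS_CONFIG) or "none")
```

Run it once per Luminis tier (Admin and each Portal) with that tier's banportals.properties; a non-empty mismatch list explains a channel that authenticates on one tier but not another.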
Banner portlet life cycle

The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.

Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:
USERMAP_OPT = N

The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP username mapping first, based on the GUAUPRF LDAP settings, then fail over to the mapping set in the Banner GOBEACC table. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning

Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and event-driven infrastructure.

This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"

Learning Message Gateway

The Learning Management Gateway (LMG) is an architectural component designed for use with Banner Integration for e-Learning. It supports Banner Integration for eLearning.

This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"

Background from a Luminis Platform 4 perspective

Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework application server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.

Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.

GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish OpenMQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the .../imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.

You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the OpenMQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.

The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.

The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0

Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.

To install LMG 4.0, complete the following steps.

1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows:
mkdir /export/home/cpadmin/SCTERPGateway

2. Add the following lines to .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
export SCT_LMG_HOME

3. Copy lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.

4. Run the following command:
java -jar lmgXx.jar -erp plus/banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true/false -notification true/false
For example, the command may appear as follows:
java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true

Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging

A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.

The full script is listed in "Full lp5_mqinit.sh script" on page C-5.

To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis

The lp5_mqinit.sh script creates users and administered objects, such as topics, queues and connection factories, in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:

• Environmental settings:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq

• MQ_LMG should match the credentials defined for LMG in event_providers.plist:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password

• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password

• MQ_JMS_PORT should match imq.jms.tcp.port, and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use the imq.portmapper.port, which has a default value of 7676:
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.

• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080); however, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache. MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181:
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSLJMS connection.

• Other settings, which should only be modified in non-standard configurations:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389

Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ

Update <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>

The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search and compare privileges in o=messaging.

To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR

Change the last setting, imq.log.level, to INFO for low-level/debug logging.

Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control

Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.

To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
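The following added example (not from the guide and not GlassFish MQ's own evaluation code) reads the allow lists in the accesscontrol.properties sample above and answers, for a given user, whether it may produce or consume on a destination or open an ADMIN connection. It is a reviewer's simulation: only the allow.user rules present are considered, and a destination/operation with no allow rule is treated as not permitted. That conservative reading is an assumption made for review purposes; the broker's built-in defaults and any deny or group rules are out of scope. The privileges listing is the useful part when checking that lmguser and lumuser each hold only what their role needs.

```python
"""Added example (not part of the guide): simulate the allow.user rules of
the sample accesscontrol.properties to review what each account may do."""

# The sample rules from the guide, as text (lumuser = Luminis, lmguser = LMG).
ACL = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""

def parse_acl(text):
    """Map (kind, name, op) -> set of users.
    Handles 'connection.<SERVICE>.allow.user' and
    '<queue|topic>.<destination>.<produce|consume>.allow.user' lines only."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = key.split(".")
        users = {u.strip() for u in value.split(",") if u.strip()}
        if parts[0] == "connection" and parts[2:] == ["allow", "user"]:
            rules[("connection", parts[1], "open")] = users
        elif parts[0] in ("queue", "topic") and parts[3:] == ["allow", "user"]:
            rules[(parts[0], parts[1], parts[2])] = users
    return rules

def allowed(rules, user, kind, name, op):
    """True only if an allow rule names the user (or '*') for that operation.
    Assumption for this review tool: no rule means not permitted."""
    users = rules.get((kind, name, op), set())
    return user in users or "*" in users

def privileges(rules, user):
    """Sorted 'kind:name:op' entries granted to the user; compare against the
    role (LMG vs. Luminis) to spot over-broad grants."""
    return sorted(f"{k}:{n}:{o}" for (k, n, o), users in rules.items()
                  if user in users or "*" in users)

if __name__ == "__main__":
    rules = parse_acl(ACL)
    for account in ("lmguser", "lumuser"):
        print(account, privileges(rules, account))
```

In the sample, lmguser ends up with seven grants and lumuser with six; a grant that appears under the wrong account (for example, lumuser producing on Sync, which only LMG should do) is what the listing makes visible.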
Custom JMS Clients

Ensure your JMS clients contain the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform

The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ or Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.

In most cases installation is simply extracting the archive to a desired directory.

As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server.

1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp

2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.

Use the following steps to configure GlassFish and MQ.

2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.

2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command.

3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps.
Note: The imqusermgr command creates users in the file-system based user repository, but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details, or contact the Luminis-Integration ActionLine for additional help.

3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker

3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676; the MQ then announces the ports to use for the other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.

If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
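Instead of reading the telnet reply by eye, the port mapper announcement can be parsed and compared against the static ports written to config.properties. The following is an added example, not from the guide or from Open MQ: it takes the service lines of a port mapper reply (a constructed copy of the second transcript above, with the client IP left out) and reports any expected service that is missing or still on an ephemeral port, plus any other TCP listener that is still being handed a dynamic port. The expected values 7574 and 7575 are the ones the guide sets for imq.admin.tcp.port and imq.jms.tcp.port.

```python
"""Added example (not part of the guide): verify the static-port change from
the port mapper announcement instead of reading the telnet output by hand."""

# Constructed copy of the port mapper reply after static ports were set.
PORTMAP_REPLY = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""

def parse_portmap(reply):
    """Return {service: (protocol, type, port)} from 'name proto TYPE port [...]' lines.
    The first line ('101 imqbroker 4.5') is the version banner and is skipped;
    any trailing [...] metadata is left in the fifth field and ignored."""
    services = {}
    for line in reply.splitlines()[1:]:
        fields = line.split(None, 4)
        if len(fields) < 4 or not fields[3].isdigit():
            continue
        name, proto, kind, port = fields[:4]
        services[name] = (proto, kind, int(port))
    return services

# Static ports the guide adds to config.properties (imq.admin.tcp.port, imq.jms.tcp.port).
EXPECTED_STATIC = {"admin": 7574, "jms": 7575}

def static_port_findings(reply, expected=EXPECTED_STATIC):
    """Findings: expected services missing or on the wrong port, and any other
    TCP listener (other than the port mapper) still on a dynamic port."""
    svc = parse_portmap(reply)
    findings = []
    for name, want in expected.items():
        got = svc.get(name)
        if got is None:
            findings.append(f"{name}: not advertised")
        elif got[2] != want:
            findings.append(f"{name}: port {got[2]}, expected {want}")
    for name, (proto, _kind, port) in svc.items():
        if proto == "tcp" and name not in expected and name != "portmapper" and port != 0:
            findings.append(f"{name}: dynamic port {port} (not pinned in config.properties)")
    return findings

if __name__ == "__main__":
    for finding in static_port_findings(PORTMAP_REPLY) or ["all expected ports static"]:
        print(finding)
```

Feeding it the first transcript (admin on 39925, jms on 42103) reports both services on unexpected ports; after the change only the cluster service, which the guide does not pin, is still reported as dynamic, so the firewall rules need only 7676, 7574 and 7575 for client traffic.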
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.

If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.

Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.

For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed and the jms and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.

5.1 To query the broker, run the following commands:

cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>

5.2 To ensure the JMS service is active, run the following command:

imqcmd query svc -b <localhost> -n jms

5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.

To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host attribute matches your FQDN, as in the following example:

<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>

After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any imqcmd commands.
4 SSB and INB Integration

This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:

• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"

User ID mappings

User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration; PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table; PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not needed beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely on the user's Banner Oracle INB ID, or on the BANPROXY proxy ID, to gather data from Oracle and stream it back through the portlets. There is no additional LDAP authentication or SPRIDEN-ID lookup against LDAP in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via /banner-cas-client/authorized/banner, trust the initial CAS ticket (as in the Luminis CAS login on port 8447) coupled with the assertion of the UDC ID in the configured cookie and header.

Luminis Portlets for Banner add database-level security through banportals for each transaction, using the user's actual INB/Oracle user account or a proxy connection via BANPROXY.

Other questions to consider when setting up a user in Banner applications are as follows:

• Does the user have a map in GOBUMAP from his UDC ID to a valid PIDM, and does the user have a UDC ID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (/cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?

Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations; the domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN

To create an optional base DN such as o=SCTSSOapplications, you can use the OpenDS control panel. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the BASELINE user in GUAUPRF.

For more information about managing base DNs with the control panel, see the following link:

https://www.opends.org/wiki/page/ManagingDnsWithControlpanel

To create the base DN, complete the following steps:

1. Run dsconfig from $CP_ROOT/products/opends/bin as follows:

dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced

1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select "Add one or more values".
1.4 Enter the DN. For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Select "Use these values".
1.7 Press F to finish and apply the changes to the Local DB Backend.

2. Import the sso_oclass_lum5.ldif file as follows:

ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif

For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications.ldif" sections in Appendix C, "Sample Scripts and Files".

3. Import the sctssoapplications.ldif file:

import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline

The -w value shown is the Directory Manager password of the example installation. Supply your own, and on shared hosts prefer reading it from a file (-j) so that it does not remain in shell history.
Verify usermap mapping setup for INB users using the proxyinfo.sql script

The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is used.

Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any user who does not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.

If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups

In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies on a proper encryption-key configuration.

The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for INB channels such as the My Banner channel, the GOBEACC mapping does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.

Create an encryption key

When performing user map lookups, Banner binds as the Directory Manager against the LDAP server that hosts the user mappings. The Directory Manager password used for that bind is stored on GUAUPRF and is encrypted with DES through the Oracle-delivered DBMS_OBFUSCATION_TOOLKIT package. This type of encryption uses a key, or password, to perform the encryption. Anyone who can read both the key file and the GUAUPRF value can recover the Directory Manager password, so protect the key file as carefully as that password.

Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.

If KEY_DIR does not exist in DBA_DIRECTORIES and the physical directory has not been created on your database server, create it using the following steps. Make sure the directory and file are readable by the Oracle software owner's group, and by nobody else.

1. Create the physical directory on your database server, for example: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.

Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package uses only the first 24 characters. The DES encryption uses only eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption. Single DES (a 56-bit key) is no longer considered strong, so do not rely on this encryption alone: restrict access to the key file and to the GUAUPRF values it protects.

The passwords stored and passed by the SSO process are encrypted using DES and your key.

4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the directory you created in step 1, for example: $BANNER_HOME/KEY_DIR

Note: If you cannot find the banssodir.sql script, you may need to copy it manually from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.

5. Run the script as follows:

sqlplus /nolog
connect general/general_password
start banssodir
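The key rules above (column 1, letters and digits, at least eight characters, length a multiple of eight, only the first 24 used) are easy to get wrong in an editor and the failure shows up only later as undecryptable GUAUPRF values. The following validator is an added example, not part of the Banner or Luminis deliverables; it applies those rules to an enckey file and flags loose permissions. The padding character used to extend the key to 24 characters is not stated on the page, so a space is assumed here; GOKKSSO's own padding may differ.

```python
"""Validate the contents and permissions of a Banner enckey file."""
import os
import re
import stat

KEY_LEN = 24      # GOKKSSO reads the first 24 characters (a DES3-sized key)
DES_KEY_LEN = 8   # single DES uses only the first 8 characters


def normalize_enckey(text):
    """Return the 24-character key GOKKSSO would use, or raise ValueError.

    Rules from the guide: the key starts in column 1, mixes letters and
    digits, is at least 8 characters long, has a length that is a multiple
    of 8, and only the first 24 characters are used.
    """
    lines = text.splitlines()
    first_line = lines[0] if lines else ""
    if first_line != first_line.lstrip():
        raise ValueError("key must start in column 1")
    key = first_line
    if len(key) < DES_KEY_LEN:
        raise ValueError("key must contain at least 8 characters")
    if len(key) % DES_KEY_LEN:
        raise ValueError("key length must be a multiple of 8")
    if not (re.search(r"[A-Za-z]", key) and re.search(r"[0-9]", key)):
        raise ValueError("key must contain both letters and digits")
    return key[:KEY_LEN].ljust(KEY_LEN)   # assumption: space padding to 24


def des_key_part(key24):
    """The 8 characters actually used by the current DES encryption."""
    return key24[:DES_KEY_LEN]


def check_enckey_file(path, expect_uid=None):
    """Validate enckey on disk and flag permissions wider than owner/group.

    Returns (key24, warnings). expect_uid is the Oracle software owner.
    """
    warnings = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
        warnings.append("%s is readable or writable by others" % path)
    if expect_uid is not None and st.st_uid != expect_uid:
        warnings.append("%s is not owned by uid %d" % (path, expect_uid))
    with open(path, "r") as f:
        key24 = normalize_enckey(f.read())
    return key24, warnings


if __name__ == "__main__":
    import sys
    key, warns = check_enckey_file(sys.argv[1])
    print("DES part: %r, DES3 key: %r" % (des_key_part(key), key))
    for w in warns:
        print("WARNING:", w)
```

Note that the example value PASSWORD from step 3 fails the letters-and-digits rule the same paragraph states; choose a key that satisfies all of them.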
Create entries in LDAP for usermap

If LDAP user mappings are enabled (as optionally configured by the BASELINE user in GUAUPRF), you must add the configuration entries to your LDAP directory. The default DN path is as follows:

o=config,o=Banner,o=SCTSSOapplications

UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the common name (cn) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If a user's ID is the same in both systems, an entry in this location is neither necessary nor recommended for that user.

In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must satisfy one of the following criteria:

• The same value:
  Luminis ID = jsmith
  Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
  Luminis ID = JoeSmith
  Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping when the IDs differ. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.

1. Create a mapping file, for example sso_map.ldif:

dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith

2. Import the mapping file into the LDAP server:

ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline

Note: You must wait approximately 20 minutes for the mapping to take effect.

3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.

Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If you change a particular mapping, you must restart the banportals OC4J before the new mapping is read. Because a usermap entry decides which Oracle/INB account a Luminis login is connected as, keep write access to the o=usermap tree limited to the Directory Manager and directory administrators.
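The following script is an added example, not part of the Luminis or Banner deliverables. It generates SCTSSOConfig usermap entries like the one above for every Luminis login whose Oracle/INB login differs, parses the resulting LDIF back, and resolves a Luminis ID the way the "Verify usermap mapping setup" section describes proxyinfo.sql behaving: an explicit usermap entry wins, a login that is identical on both sides needs no entry, and anything else falls back to the default Oracle ID (usually banproxy). The base DN and default ID come from the page; the set of existing Oracle accounts and the RDN escaping helper are assumptions of the example.

```python
"""Generate, parse and resolve SCTSSOConfig usermap entries."""
USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "banproxy"   # the page's "usually banproxy" default


def _escape_rdn_value(value):
    """Escape characters that are special in an RDN value (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def usermap_ldif(mappings):
    """Return LDIF for {luminis_id: oracle_id}, skipping IDs that already match."""
    blocks = []
    for luminis_id, oracle_id in sorted(mappings.items()):
        if luminis_id.lower() == oracle_id.lower():
            continue   # the guide: no entry when the IDs are the same in both systems
        blocks.append("\n".join([
            "dn: cn=%s,%s" % (_escape_rdn_value(luminis_id), USERMAP_BASE),
            "SCTSSOConfigString: %s" % oracle_id,
            "objectClass: top",
            "objectClass: SCTSSOConfig",
            "description: Map of Luminis ID - %s to Banner/Oracle ID - %s" % (luminis_id, oracle_id),
            "cn: %s" % luminis_id,
        ]))
    return "\n\n".join(blocks) + ("\n" if blocks else "")


def parse_usermap_ldif(text):
    """Parse usermap LDIF into {cn (lower-cased): SCTSSOConfigString}.

    cn uses caseIgnoreMatch in the delivered schema, so keys are lower-cased.
    """
    result = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if ":" in line:
                k, v = line.split(":", 1)
                attrs.setdefault(k.strip().lower(), []).append(v.strip())
        if "sctssoconfig" in [oc.lower() for oc in attrs.get("objectclass", [])]:
            result[attrs["cn"][0].lower()] = attrs["sctssoconfigstring"][0]
    return result


def resolve_oracle_id(luminis_id, usermap, oracle_accounts, default=DEFAULT_ORACLE_ID):
    """Which Oracle account a Luminis login is connected as (mirrors proxyinfo.sql).

    oracle_accounts: Oracle/INB login names known to exist (constructed input).
    """
    mapped = usermap.get(luminis_id.lower())
    if mapped:
        return mapped
    by_lower = {a.lower(): a for a in oracle_accounts}
    if luminis_id.lower() in by_lower:
        return by_lower[luminis_id.lower()]   # same value on both sides
    return default


if __name__ == "__main__":
    ldif = usermap_ldif({"JoeSmith": "jsmith", "jdoe": "jdoe"})
    print(ldif)
    um = parse_usermap_ldif(ldif)
    for login in ("JoeSmith", "jdoe", "stranger"):
        print(login, "->", resolve_oracle_id(login, um, {"jsmith", "jdoe"}))
```

A result equal to the default for a user who is supposed to reach INB is the same symptom the proxyinfo.sql section describes: the mapping is missing, misspelled in cn, or not yet picked up by banportals.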
Configure parameters using GUAUPRF

To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:

1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value displays as the default for new users who log in to Banner.

Parameter: Description

BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.

BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.

DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.

SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted as an LDAP URL, for example: ldap://myldapserver:389

Note: If you are using LDAPS, you should also configure the parameters in the SSL key.

USERMAP_OPT: Usermap option. Valid values are as follows:
L - Login ID is used for login mapping
N - No usermap option is used

USERMAP_PRFX: Prefix for the usermap. This contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.

Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:

Parameter: Description

LOCATION: To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where the wallet is created, in file URL format. For example: file:d:\wallet for Windows, file:/u01/wallet for Unix.

PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.

MODE: The SSL authentication mode, one of the following values:
1 - No authentication is required (SSL encryption only)
2 - One-way authentication is required; the client verifies the server's certificate
3 - Two-way authentication is required; the client and the server authenticate each other's certificates

Mode 1 encrypts the connection but does not verify which LDAP server Banner is talking to, so it does not protect the Directory Manager bind against a server impersonating yours; use mode 2 or 3 where the wallet holds the directory server's CA certificate.
A CAS Server Configuration

Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.

For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.

1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.

2. Download the CAS extensions JAR file.

A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions listed below.

2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:

SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip

3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.

4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:

jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar

4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by adding the following servlet mapping to it:

<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>

4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:

4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the existing <util:map id="uniqueIdGeneratorsMap"> element:

<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />

4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.

Use the following steps to modify the argumentExtractorsConfiguration.xml file:

4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following bean definition:

<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>

4.3.3 Add a reference to it in the util:list named argumentExtractors:

<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>

4.3.4 Save and close argumentExtractorsConfiguration.xml.

4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.

Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following bean definition:

<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
      p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:proxyHandler-ref="proxy20Handler"
      p:argumentExtractor-ref="BannerArgumentExtractor"
      p:successView="bannerAccountServiceSuccessView"
      p:failureView="bannerAccountServiceFailureView" />

4.4.2 Add the following property to the handlerMappingC bean:

<prop key="/bannerValidate">bannerAccountValidateController</prop>

4.4.3 Save and close the cas-servlet.xml file.

4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the attributeRepository bean:

<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry attributes (key) and Principal attributes (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the authenticationManager bean:

<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:

<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>

<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>

<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>

<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.

4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.

4.6.1 Open default_views.properties.
4.6.2 Add the following lines:

# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView

4.6.3 Save and close default_views.properties.

4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4. The bannerValidate endpoint releases the UDC_IDENTIFIER for a validated ticket, so register only the banner-cas-client service URLs that need it and leave the attribute release of other services unchanged.
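The edits in steps 4.1 to 4.4 are spread across four files and a CAS server restart is the usual way to find out one was missed. The following checker is an added example, not part of the SGHE CAS extension or of CAS. It parses web.xml, argumentExtractorsConfiguration.xml and cas-servlet.xml with the standard library and reports which pieces of the bannerValidate wiring are absent. The constructed fragments below stand in for the real files and contain only the elements the checks look at; check_webinf_dir() runs the same checks against a real SGHE_CAS_SERVER/WEB-INF directory.

```python
"""Pre-restart check for the bannerValidate wiring in a CAS webapp."""
import os
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
P_NS = "http://www.springframework.org/schema/p"
UTIL_NS = "http://www.springframework.org/schema/util"


def _local(name):
    """Strip the namespace from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def _attrs(elem):
    return {_local(k): v for k, v in elem.attrib.items()}


def check_web_xml(root):
    """web.xml must map /bannerValidate to the 'cas' servlet (step 4.1)."""
    for sm in root.iter():
        if _local(sm.tag) != "servlet-mapping":
            continue
        parts = {_local(c.tag): (c.text or "").strip() for c in sm}
        if parts.get("url-pattern") == "/bannerValidate" and parts.get("servlet-name") == "cas":
            return []
    return ["web.xml: no servlet-mapping of /bannerValidate to servlet 'cas'"]


def check_argument_extractors(root):
    """The Banner extractor bean must exist and be listed first (step 4.3)."""
    problems = []
    beans = {_attrs(e).get("id"): _attrs(e).get("class")
             for e in root.iter() if _local(e.tag) == "bean"}
    if beans.get("BannerArgumentExtractor") != "com.sghe.cas.web.support.BannerArgumentExtractor":
        problems.append("argumentExtractorsConfiguration.xml: BannerArgumentExtractor bean missing")
    refs = []
    for lst in root.iter():
        if _local(lst.tag) == "list" and _attrs(lst).get("id") == "argumentExtractors":
            refs = [_attrs(r).get("bean") for r in lst if _local(r.tag) == "ref"]
    if not refs or refs[0] != "BannerArgumentExtractor":
        problems.append("argumentExtractorsConfiguration.xml: BannerArgumentExtractor not first in argumentExtractors")
    return problems


def check_cas_servlet(root):
    """The validate controller and the /bannerValidate handler mapping must exist (step 4.4)."""
    problems = []
    controller = None
    for e in root.iter():
        if _local(e.tag) == "bean" and _attrs(e).get("id") ==  "bannerAccountValidateController":
            controller = _attrs(e)
    if controller is None:
        problems.append("cas-servlet.xml: bannerAccountValidateController bean missing")
    else:
        if controller.get("class") != "org.jasig.cas.web.ServiceValidateController":
            problems.append("cas-servlet.xml: controller has unexpected class")
        if controller.get("argumentExtractor-ref") != "BannerArgumentExtractor":
            problems.append("cas-servlet.xml: controller does not use BannerArgumentExtractor")
    mapped = [e for e in root.iter()
              if _local(e.tag) == "prop" and _attrs(e).get("key") == "/bannerValidate"
              and (e.text or "").strip() == "bannerAccountValidateController"]
    if not mapped:
        problems.append("cas-servlet.xml: handlerMappingC has no /bannerValidate prop")
    return problems


def check_cas_wiring(web_xml, extractors_xml, cas_servlet_xml):
    """Run all checks on XML strings; an empty list means the wiring is present."""
    return (check_web_xml(ET.fromstring(web_xml))
            + check_argument_extractors(ET.fromstring(extractors_xml))
            + check_cas_servlet(ET.fromstring(cas_servlet_xml)))


def check_webinf_dir(webinf):
    """Same checks against a real SGHE_CAS_SERVER/WEB-INF directory."""
    def read(*parts):
        with open(os.path.join(webinf, *parts)) as f:
            return f.read()
    return check_cas_wiring(read("web.xml"),
                            read("spring-configuration", "argumentExtractorsConfiguration.xml"),
                            read("cas-servlet.xml"))


# Constructed fragments mirroring the edits of steps 4.1 to 4.4 (not real CAS files).
GOOD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet-mapping><servlet-name>cas</servlet-name><url-pattern>/bannerValidate</url-pattern></servlet-mapping>
</web-app>"""
GOOD_EXTRACTORS = """<beans xmlns="%s" xmlns:util="%s">
  <bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor"></bean>
  <util:list id="argumentExtractors">
    <ref bean="BannerArgumentExtractor" /><ref bean="casArgumentExtractor" /><ref bean="samlArgumentExtractor" />
  </util:list>
</beans>""" % (BEANS_NS, UTIL_NS)
GOOD_CAS_SERVLET = """<beans xmlns="%s" xmlns:p="%s">
  <bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
        p:argumentExtractor-ref="BannerArgumentExtractor" p:successView="bannerAccountServiceSuccessView" />
  <bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="mappings"><props><prop key="/bannerValidate">bannerAccountValidateController</prop></props></property>
  </bean>
</beans>""" % (BEANS_NS, P_NS)
```

Run check_webinf_dir("$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war/WEB-INF") before restarting; the order check matters because CAS uses the first argument extractor that recognises the request.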
B Logs

Banner Enterprise Identity Services logs help you understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.

You can also enable debug logging for the GlassFish message queue (MQ) component.

Banportals logs

BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:

$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties

For example, to create a unique logfile that captures details of the channel Web Proxy activity, edit log4j.properties as follows:

log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile

As with the Luminis-side settings below, return the level to ERROR when you are not actively debugging.
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:

$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties

Alternatively, you can add the following to your common log4j.properties, stored in the following location:

$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties

log4j.logger.com.sct.bannerportals=DEBUG,file
log4j.logger.com.sghe.luminis.banner=DEBUG,file

If you are not actively debugging, lower the verbosity to ERROR level.

Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log:

$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1

There are several application-specific logs you can also refer to, such as the following:

[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log

For HTTP-layer monitoring, refer to the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.

You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services. The ias_admin/manager1 credential shown is the example installation's; because OEM can stop, start and reconfigure every container, make sure the documented value is not the one in use on your server.

Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container, which take effect after the next restart of that component.

GlassFish MQ and Luminis Platform Message Brokerage logs

Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs

To adjust the verbosity of the JMS log, edit imq.log.level in the following file:

/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties

Otherwise, you can adjust other GlassFish server-level logging in the following file: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties

Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:

# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.

Learning Management Gateway (LMG) logs

Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) within the LMG log files.

The main LMG log files are as follows:

$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)

The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.

To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:

log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG

Once these properties are set, restart LMG and capture the logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.

If the LMG processed the files successfully, you see messages in the log files similar to the following example:

2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
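The three lines above are the full lifecycle of one event: XML validated, published to the Luminis Message Broker, delivered to a subscriber. When many events are in flight it is quicker to let a script find the ones that stop short. The following triage script is an added example, not an LMG or Luminis tool; it parses adapter.log lines of the format shown, records the last stage each event ID reached, and lists the events that never reached delivery or that logged an error. The sample log is constructed; the page only shows successful INFO lines, so the shape of the ERROR line and the assumption that an event ID appears as a number in it are the example's own.

```python
"""Triage LMG event processing from adapter.log lines."""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$")

# Message patterns for the three stages, in processing order; group 1 is the event ID.
STAGES = [
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("brokered", re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("delivered", re.compile(r"The event (\d+) has been published to (\S+)")),
]


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return rec


def event_progress(lines):
    """Return {event_id: {"stage": last stage reached, "subscriber": name, "errors": [...]}}."""
    events = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for stage, pattern in STAGES:
            m = pattern.search(rec["msg"])
            if m:
                ev = events.setdefault(m.group(1), {"stage": None, "subscriber": None, "errors": []})
                ev["stage"] = stage
                if stage == "delivered":
                    ev["subscriber"] = m.group(2)
                break
        else:
            if rec["level"] in ("ERROR", "WARN"):
                # assumption: an event ID in an error message appears as a bare number
                for ev_id in re.findall(r"\b(\d{5,})\b", rec["msg"]):
                    ev = events.setdefault(ev_id, {"stage": None, "subscriber": None, "errors": []})
                    ev["errors"].append(rec["msg"])
    return events


def stalled_events(events):
    """Event IDs that never reached delivery, or that logged an error along the way."""
    return sorted(ev_id for ev_id, ev in events.items()
                  if ev["stage"] != "delivered" or ev["errors"])


# Constructed sample: 370660 completes, 370661 stalls after the broker publish.
SAMPLE_LOG = """2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,110 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:03,004 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370661 published to Luminis Message Broker
2010-07-12 05:14:33,020 [Thread-1] ERROR events.com.sctcorp.events.MessageAdapter - Timed out waiting for acknowledgement of 370661
"""

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    progress = event_progress(lines)
    for ev_id in stalled_events(progress):
        print(ev_id, progress[ev_id]["stage"], progress[ev_id]["errors"])
```

The event IDs it prints are the Event Sequence values to look up on GOAEQRM; an event that is "brokered" but never "delivered" points at the MQ side, which the next section covers.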
GlassFish MQ 4.5 logs

If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows.

1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log

2. To enable debug for those logs, run the following command:

imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG

This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:

imq.log.level=DEBUG

3. To change the destination directory or file name of the MQ log, add or edit the following properties:

imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files

This appendix contains examples of scripts and LDIF files you might use during the integration. These include the following:

• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"

Sample proxyinfo.sql script

The following is an example proxyinfo.sql script:

--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type: start proxyinfo
-- to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 10
-- ___________________________________________________________
-- 1 Initial Release - NON-SUPPORTED PROCESS TH 07-JUN-06
--
-- Audit Trail 11
-- ___________________________________________________________
-- 1 Update TH 06-APR-07
-- Updated g$_get_proxy_info call to accomodate Gen 741
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfolst
declare
a varchar2(200)=CHANNEL
b varchar2(200)=LUMINIS
c varchar2(200)=ampLuminis_ID
d varchar2(200)
e varchar2(200)
f varchar2(200)
z varchar2(200)
begin
dbms_outputput_line(Call G$_Get_Proxy_Info)
gspprxyg$_get_proxy_info(abczdef)
dbms_outputput_line( Role ||e)
--dbms_outputput_line( PWD ||f)
dbms_outputput_line( Luminis User ||c)
dbms_outputput_line( Oracle User ||d)
end
spool off
Sample 00-core.ldif

The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif. (A schema element must begin with an OID; OpenDS accepts the <name>-oid placeholder form shown here.)

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

Sample 99-user.ldif

The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ description ) )
Sample sso_oclass_lum5.ldif

The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After you import the following LDIF, check that 00-core.ldif and 99-user.ldif contain the entries shown in their respective sections. Once those entries are in the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.

The following is a sample sso_oclass_lum5.ldif:

dn: cn=Schema
changetype: modify
add: attributeTypes
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectClasses
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ description ) )

Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers from an arc you own, such as 1.3.6.1.4.1...
Sample o=sctssoapplications.ldif

The following is a sample o=sctssoapplications.ldif file. The cn=UserMapDN entry under o=config points at the usermap container; each entry in the usermap maps a Luminis login (the cn) to the Banner user named in SCTSSOConfigString.

version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
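The lookup that proxyinfo.sql and the o=SCTSSOapplications tree together describe, as an added example that is not part of this guide or of Ellucian's code: a small LDIF reader that follows the UserMapDN pointer and resolves a Luminis login to its Banner user, falling back to a default Oracle ID when there is no mapping. The sample LDIF is the appendix's file embedded inline (container entries omitted, one folded line kept on purpose); the default "INTEGMGR" is an assumption taken from the proxyinfo.sql comments, not a value this guide sets.

```python
"""Resolve a Luminis login to its Banner (Oracle) user from the
o=SCTSSOapplications LDIF: read the UserMapDN pointer under o=config,
then look up cn=<Luminis ID> under the usermap it names. Unmapped logins
get the default Oracle ID, the INTEGMGR/WWW_USER case proxyinfo.sql reports.
Added example, not Ellucian code."""
import base64

# Sample from this appendix, embedded so the script runs offline.
SAMPLE_LDIF = """version: 1
dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
"""

CONFIG_DN = "cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "INTEGMGR"   # assumed site default (see proxyinfo.sql comments)


def parse_ldif(text):
    """Return {dn (lower-cased): {attr (lower-cased): [values]}}.
    Handles folded lines (leading space continues the previous line),
    comment/version lines, and base64 values written with a double colon."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None                     # blank line ends the entry
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
            continue
        if current is None:
            raise ValueError("attribute line outside an entry: %r" % line)
        current.setdefault(attr, []).append(value)
    return entries


def resolve_oracle_user(entries, luminis_id, default=DEFAULT_ORACLE_ID):
    """Return (oracle_user, mapped); mapped is False when the default was used.
    This is a dictionary hit on an already-parsed tree. If you port it to a
    live ldapsearch, escape luminis_id (RFC 4514/4515) before building the DN."""
    cfg = entries.get(CONFIG_DN.lower(), {})
    if not cfg.get("sctssoconfigstring"):
        raise LookupError("missing %s" % CONFIG_DN)
    map_base = cfg["sctssoconfigstring"][0]
    entry = entries.get("cn=%s,%s" % (luminis_id.lower(), map_base.lower()))
    classes = [c.lower() for c in (entry or {}).get("objectclass", [])]
    if entry is None or "sctssoconfig" not in classes:
        return default, False
    return entry["sctssoconfigstring"][0], True


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    for who in ("kyle", "610009611", "nobody"):
        user, mapped = resolve_oracle_user(tree, who)
        print("%-10s -> %-8s (%s)" % (who, user, "mapped" if mapped else "default"))
```

Run it as-is to see kyle and 610009611 resolve to saisusr while an unknown login reports the default; that "default" result is exactly the INTEGMGR/WWW_USER answer proxyinfo.sql warns means no mapping was found.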
Full lp5_mqinit.sh script

The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below. Keep two things in mind when you run it: the Directory Manager password is passed to dsconfig, ldapmodify and imqobjmgr on their command lines, so run it only on the resource tier where other users cannot read the process list, and the OpenDS tools are invoked with --trustAll, so the server certificate is not checked.

#!/bin/bash
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/bash [-x|-v] lp5_mqinit.sh".
#   (The script uses ((...)) arithmetic and "read -s", so run it with bash.)
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck() {
    while :
    do
        case $ERRORCODE in
            # err=0: no error
            0 ) break ;;
            # Not necessarily errors; might indicate the script already ran.
            # err=20 generally means "Attribute or Value Exists"
            # err=68 generally means "Entry Already Exists"
            20|68 )
                echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
                read PROCEED
                case $PROCEED in
                    Y|y ) break ;;
                    * )   echo "Failed on step $STEPNO with error $ERRORCODE"
                          exit 1 ;;
                esac
                # Shouldn't ever get here, but just in case (no pun)
                echo "Outer loop break"
                break ;;
            * ) echo "Failed on step $STEPNO with error $ERRORCODE"
                exit 1 ;;
        esac
    done
}

# Step 01
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [ ! -d "$OPENDS_DIR" ] || [ ! -w "$OPENDS_DIR" ]; then
    echo "ERROR: $OPENDS_DIR does not exist or is not writable."
    echo "You must execute this script as the \$CP_ROOT installer/owner"
    echo "on the resource tier. Exiting."
    exit 1
fi

# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# -w places the password on the command line (visible in "ps" while each
# tool runs) and --trustAll disables server-certificate checking. The
# option strings are expanded unquoted on purpose (word splitting), so a
# password containing spaces or shell metacharacters will not work here.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"

# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd "$CP_ROOT/products/opends/bin" || exit 1
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword (allowed by STEP 2),
# give the base64 of the "{SSHA}..." hash with a double colon, e.g.:
#   userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands.
# The bind is a simple bind as Directory Manager over the port the script
# itself labels insecure, so the password crosses the wire in clear unless
# $HOSTNAME is the OpenDS host.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the physical destinations on the broker could also be created with
# imqcmd as follows. The imqobjmgr calls below register the corresponding
# administered objects in the JNDI store (OpenDS); explicit imqobjmgr is used
# to ensure fine-grained control over the JNDI AdministeredObjects location.
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# The JNDI lookup names contain a literal "$", so they are single-quoted to
# keep the shell from expanding them.

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd "$MQ_HOME/bin" || exit 1
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the destination name must be UpdateRequest, matching the imqcmd list above)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting

This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.

Error message when banproxy is not configured correctly

The following error often indicates that the banproxy configuration is not set up properly:

ORA-28150: proxy not authorized to connect as client

If the default Oracle ID and the connection user are both the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:

SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;

In general, the proxy (connect-through) grant for BANPROXY access has the following form:

SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;

USER2 should be the sole member of the pxy_channel_luminis class and be granted EXECUTE on gspprxy and CREATE SESSION (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.

When "Authorize BANPROXY" is checked on GSASECR for a given user, it grants connect-through using BANPROXY in SYS.PROXY_USERS regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you must issue manual grants, executed as BANSECR, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.

For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this lookup must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: You must manually assign the connect-through grants via SQL, even when you use the GSASECR form to check BANPROXY access, if you are using a default Oracle ID other than BANPROXY.

To test which Oracle ID is used for a given SPRIDEN ID or Luminis Platform user, call gspprxy.g$_get_proxy_info directly or run (as BANSECR) the proxyinfo.sql script described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO

The handoff logic between the SSO systems is somewhat cryptic by design, to make hijacking and other attacks harder, and the installation process is manual so that each administrative staff can customize their environment with unique keywords.

The configuration of all the moving parts in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb must match what was configured in baniam.properties inside the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, must match the parameter that was added to your formsweb.cfg as follows:

iamticket=iamticket

Use the same forms configuration everywhere forms/frmservlet?config=... is referenced, both in the BNIG configuration and in banportals. The example above uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration must match the IDM settings in the Web Tailor Parameters.

If you see ajp-related errors in the Banner Enterprise Identity Services default island log, located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams on which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

3. Delete any lock files.

Another SOAP-related error is an HTTP transport error, which can occur even if all the JMS queues are configured and operating correctly. It indicates that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:

http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy

Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK in the SunGard Higher Education Customer Support Center describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams

The following topics provide more information about validating the Oracle Streams used for Banner Enterprise Identity Services events.

Oracle Streams/Banner Enterprise Identity Services validation

For more information, refer to the Banner Enterprise Identity Services Installation Guide. Note the following correction to that guide and the recovery steps that follow it:

1. The validation statement in that guide is missing its closing single quote. The correct statement is:

   SELECT COUNT(*) FROM GSVCADT WHERE GSVCADT_CAPTURE_NAME = 'IAM_EVENTS_CAPTURE';

2. If the results from the validation SQL statements do not match the expected results, run the following scripts:

   gorctabi_070501.sql
   gorccoli_070501.sql
   gorcruli_070501.sql

   These are Banner General files, located on your Banner database server under $BANNER_HOME/upgrade/gen80000u. They were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 in the SunGard Higher Education Customer Support Center.

3. Ensure that you are using General 8.3 or above, then enter the following commands:

   exec gp_streams_util.p_create_streams('IAM')
   exec gp_streams_util.p_configure_rules('IAM')

   The latter command should automatically begin the capture and apply. To start them manually, enter:

   exec gp_streams_util.p_start_capture('IAM')
   exec gp_streams_util.p_start_apply('IAM')

   If the streams are locking on archive logs, you can remove the stream by entering:

   exec gp_streams_util.p_remove_streams('IAM')

4. To recreate and reconfigure the streams, enter:

   exec gp_streams_util.p_create_streams('IAM')
   exec gp_streams_util.p_configure_rules('IAM')
The CAS server asserts the attributes listed in the "Attribute / Location in Response" table at the end of this subsection.
Configure the CAS server
The Luminis Platform CAS server must be configured to extend the basic CAS services to support the bannerValidate service This service is configured to retrieve UDC_IDENTIFIER data from your LDAP directory
If the Luminis Platform CAS server was installed using the Luminis Installer, support for the bannerValidate service has been configured automatically. If you are using an externally managed CAS server, as described in the Luminis Platform Installation Guide, you must manually configure the CAS server to support the bannerValidate service by following the steps in the "Configure the CAS Server" appendix.
CAS managed services

The following are the primary CAS managed services. Some or all of these services may already exist in your CAS managed services page after the initial installation of Luminis. The CAS managed services page is found at the following location:

https://<cas-server-name>:<port>/cas-web/services/manage.html

• A typical Luminis/CAS installation requires at least the following CAS-managed service:
  https://<cas-server-name>:<https port>/cas-web/services
  For this service, select the uid attribute and check the Enabled, Allowed to Proxy and SSO Participant check boxes.

• The Admin server login URL displays as follows:
  https://<luminis-server-name>:<https port>/cportal/login
  A separate cportal/login service URL needs to be defined for each Luminis Platform hostname, such as the Admin and Portal tiers, or the virtual hostname if that is the URL end users use to access the service. This service does not require any attributes. The recommended Status check boxes are Enabled, Allowed to Proxy and SSO Participant.
• The Admin server banner-cas-client URL displays as follows:
  https://<admin-server-name>:<https port>/banner-cas-client/authorized/banner
  A separate banner-cas-client/authorized/banner service URL needs to be defined for each Luminis Platform instance (Admin and Portal tiers, or the virtual hostname if end users are using that URL to access the service in question). Mark the Enabled and SSO Participant check boxes and select the UDC_IDENTIFIER attribute.

Attributes asserted by the CAS server:

Attribute                    Location in Response
UDCIdentity.UDCIdentifier    UDC_IDENTIFIER
UDCIdentity.LogonID          CAS Net ID

Note: UDC_IDENTIFIER does not display in the attribute list until the CAS customizations detailed in the "Configuring CAS server to enable bannerValidate" section take effect. A restart of the CAS server is required.
If necessary, edit the CAS managed services that the CAS server protects.

Use the following steps to define new CAS managed services, if required:

1. Launch a browser and navigate to the CAS server management page at the following URL:
   https://<CAS server>:<port>/cas-web/services/manage.html

2. Supply a valid administrator user name and password obtained from the CAS administrator. The Services Management page is displayed.

3. Click the Add New Service tab in the left corner of the page.

4. Add a new service by entering the fields as in the table below.

5. Click Save Changes. The CAS server now protects the service that you defined.

Parameter     Description
Name          CAS services
Service URL   https://<cas-server>:<port>/cas-web/services
Description   Protect cas services
Theme Name    Cas
Status        Select Enabled and SSO Participant
Attributes    The service attributes
Banner CAS client configuration

Once the CAS server is configured to support Banner Enterprise Identity Services, you can configure Internet-native Banner and Banner Self-Service to participate in a CAS Single Sign-On (SSO) session. This is accomplished by deploying the Banner CAS Client Web application in the Admin server and the Portal server. This application proxies the CAS authentication process to the Banner SSO proxy Web applications that support Internet-native Banner and Banner Self-Service. The application is only required in a CAS-based environment.

Use the following steps to install and configure the Banner CAS Client Web application:

1. After you deploy the banner-cas-client version supplied with Banner Enterprise Identity Services for the Luminis Platform Admin and Portal instances, modify the following parameters in the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file:

Parameter                    Description
banner.sso.gateway           URL to the Banner SSO Web Proxy, which is part of the Banner Identity Gateway deployment.
cas.server.gateway           Determines whether the login screen is displayed to the user. The default is false.
cas.server.renew             Determines whether users must log in to each application. If set to true, users must log in to each application regardless of whether an SSO session was established; use this setting if users must not be allowed to log in to another application within the SSO realm without providing credentials again. If set to false, users do not need to log in again once an SSO session is established; use this setting for general use.
cas.server.url               URL to the CAS server. Generally this is a secured container, meaning the URL should begin with https.
cas.server.proxyCallbackUrl  Server proxy callback URL, which should point to the CAS server and port.
For example, the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file may appear as follows:

• Admin:
  banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
  cas.server.renew=false
  cas.server.url=https://slcsup37.sct.com:8447/cas-web
  cas.client.serverName=slcsup37.sct.com:443

• Portal:
  banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
  cas.server.renew=false
  cas.server.url=https://slcsup37.sct.com:8447/cas-web
  cas.client.serverName=slcsup38.sct.com:443

• The following three properties are not in use:
  cas.server.gateway=false
  cas.server.proxyCallbackUrl
  cas.client.proxyCallbackUrl

2. Test the Web application by invoking the following URL. This URL should be accessible from all resource and Portal tiers:
   https://<Luminis host>:<SSL PORT>/banner-cas-client

The following URLs are used to start Banner in a CAS Single Sign-On environment:

• Internet-native Banner: http://<host>:<port>/banner-cas-client/authorized/banner/OracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/banner/SelfService

Parameter                    Description (continued)
cas.client.serverName        Client server address, consisting of the fully qualified server name and port where the application is running. Note: This should include the SSL port number.
cas.client.proxyCallbackUrl  Client proxy callback URL, which should point to the server and port where the client application is running. Note: This should include the SSL port number.
Banner Enterprise Identity Services Configuration Information Tables

The following is a list of tables that store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.

For Identity Data Export Utilities, as with other Web apps, the configuration is stored in the properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory, the files are stored in the following location:

applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties

Schema     Table           Application                          Comments
BNIXMGR    APCONFG         Banner Identity Gateway              Stores application configuration for SSB and INB
BNIXMGR    WSCONFG         Banner Identity Gateway              Stores configuration for the Open Digital Campus Identity Web Service (Credential service and Ticketing service)
IDENTMGR   T_UDC_PST_LIST  Enterprise Identity Proxy Services   Stores a list of Provisioning Service Targets
Luminis Banner Web application

This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.

Use the following steps to deploy these portlets:

1. Make the necessary changes to the properties located in the following folders:
   $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
   $CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes

2. The properties that need to be modified for the Banner portlets are as follows. Note that providerServlet.password is stored in clear text, so restrict read access on these files to the Tomcat owner.

   # The URL to access the Banner Portal Servlet
   # Example: http://slcban3.sungardhe.com:7778/banportals
   providerServlet.url=<URL for the banportals application>
   # The user name to secure the servlet
   providerServlet.userName=channelAdmin
   # The password to secure the servlet
   providerServlet.password=u_pick_it
   version=development
   # The SSB URL for the English locale
   # Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
   # The SSB URL for the French locale
   # Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
   # The SSB URL for the Spanish (Mexico) locale
   # Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
   # The SSB URL for the Arabic locale
   # Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
   # The SSB URL for the Brazilian Portuguese locale
   # Example: http://slcban3.sct.com:9200/pls/SMPL
   ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
   # The BEIS version: 8.1.4 for versions <= 8.1.4; otherwise set it to 8.1.5
   beis.version=8.1.4
   # The banner-cas-client URL for SSB when BEIS <= 8.1.4 is used
   banner.cas.client.ssb=banner-cas-client/authorized/banner/SelfService
   # The banner-cas-client URL for INB when BEIS <= 8.1.4 is used
   banner.cas.client.inb=banner-cas-client/authorized/banner/OracleForms?launch_form=
   # The SSB URL for SSO Manager when BEIS 8.1.5 is used
   # (the pkg parameter must be the same as configured in SSO Manager)
   beis.ssomanager.ssb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/SSB?pkg=
   # The INB URL for SSO Manager when BEIS 8.1.5 is used
   beis.ssomanager.inb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/INB?otherParams=launch_form=
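The two property files this chapter has you edit (cas-client.properties above, and the luminis-banner properties just listed) carry constraints that are easy to get wrong by hand: cas.server.url must be https, cas.client.serverName must include the SSL port, and the BEIS version decides whether the portlets launch Banner through banner-cas-client or through SSO Manager. The following is an added example, not Ellucian code and not part of the luminis-banner webapp: it parses both files, reports the constraint violations, and builds the INB/SSB entry URL for a given BEIS version. The embedded property values are the chapter's; the SSO Manager host "ssomgr.example.edu:8080", the Luminis base URL and the form name "SPAIDEN" used in the demo are assumed placeholders.

```python
"""Check cas-client.properties against the parameter-table rules and pick
the Banner entry URLs the luminis-banner properties describe for a BEIS
version. Added example, not Ellucian code."""
from urllib.parse import urlsplit

# Admin-tier cas-client.properties from this chapter (embedded sample).
CAS_CLIENT_PROPS = """banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
# not in use:
#cas.server.gateway=false
#cas.server.proxyCallbackUrl=
#cas.client.proxyCallbackUrl=
"""

# luminis-banner properties from this chapter; ssomgr.example.edu is an assumed host.
LUMINIS_BANNER_PROPS = """providerServlet.url=http://slcban3.sungardhe.com:7778/banportals
providerServlet.userName=channelAdmin
providerServlet.password=u_pick_it
version=development
ssb.banner.link.url.en_US=http://slcban3.sct.com:9200/pls/SMPL
beis.version=8.1.4
banner.cas.client.ssb=banner-cas-client/authorized/banner/SelfService
banner.cas.client.inb=banner-cas-client/authorized/banner/OracleForms?launch_form=
beis.ssomanager.ssb=http://ssomgr.example.edu:8080/ssomanager/c/SSB?pkg=
beis.ssomanager.inb=http://ssomgr.example.edu:8080/ssomanager/c/INB?otherParams=launch_form=
"""


def parse_properties(text):
    """Small java.util.Properties reader: key=value, '#'/'!' comment lines,
    backslash line continuation. Sufficient for the files shown here."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_cas_client(props):
    """Return the table constraints the file violates (empty list = OK)."""
    problems = []
    url = props.get("cas.server.url", "")
    if urlsplit(url).scheme != "https":
        problems.append("cas.server.url must use https: %r" % url)
    name = props.get("cas.client.serverName", "")
    _, sep, port = name.rpartition(":")
    if not (sep and port.isdigit()):
        problems.append("cas.client.serverName must be host:SSL-port: %r" % name)
    if not props.get("banner.sso.gateway"):
        problems.append("banner.sso.gateway (Banner SSO Web Proxy URL) is not set")
    for key in ("cas.server.renew", "cas.server.gateway"):
        if props.get(key, "false") not in ("true", "false"):
            problems.append("%s must be true or false" % key)
    return problems


def banner_entry_urls(props, luminis_base, launch_form, pkg=""):
    """Select the INB/SSB entry points as the property comments describe:
    BEIS <= 8.1.4 goes through banner-cas-client on the Luminis host,
    BEIS 8.1.5 goes through SSO Manager (pkg must match SSO Manager's)."""
    version = tuple(int(p) for p in props["beis.version"].split("."))
    if version <= (8, 1, 4):
        base = luminis_base.rstrip("/")
        return {"inb": "%s/%s%s" % (base, props["banner.cas.client.inb"], launch_form),
                "ssb": "%s/%s" % (base, props["banner.cas.client.ssb"])}
    return {"inb": props["beis.ssomanager.inb"] + launch_form,
            "ssb": props["beis.ssomanager.ssb"] + pkg}


if __name__ == "__main__":
    cas = parse_properties(CAS_CLIENT_PROPS)
    print("cas-client.properties problems:", check_cas_client(cas) or "none")
    lb = parse_properties(LUMINIS_BANNER_PROPS)
    for ver in ("8.1.4", "8.1.5"):
        urls = banner_entry_urls(dict(lb, **{"beis.version": ver}),
                                 "https://slcsup37.sct.com:443", "SPAIDEN")
        print(ver, "INB:", urls["inb"])
```

Point check_cas_client at the Portal tier's file as well; the two tiers differ only in cas.client.serverName, and the host:port rule applies to both.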
Prepare to Install Luminis Platform Portlets for Banner

The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) Application server.

This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server, and modifications to be made to the deployment of the Luminis Platform portlet for Banner server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.

For updates to the Middle Tier instructions, see the CommonsLuminis (Luminis Platform 5) collaboration wiki:
http://www.edu1world.org/CommonsLuminis

This section includes the following topics:
• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"

Create the home directory for Luminis Channels for Banner

To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels

Copy the contents of the channeladmin directory under your Banner production directory to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.

Edit the configuration file

Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties

The following table describes the Banner database connection configuration properties and gives an example of each.

Property: connectionName.list
Description: Connection listings. Each item in this list must have <connection name>.<property> specified. The default entry in the list makes the configuration look for default.tnsName, default.userName, and so on.
Example: connectionName.list=default or connectionName.list=default,other

Property: default.tnsName
Description: TNS name used when connecting to the Banner database.
Example: default.tnsName=LB70.sct.com

Property: default.userName
Description: Connection pool user name.
Example: default.userName=banproxy

Property: default.password
Description: Connection pool password.
Example: default.password=banproxy

Property: default.poolConfig.min-limit
Description: Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
Example: default.poolConfig.min-limit=1

Property: default.poolConfig.max-limit
Description: Maximum number of physical connections maintained by the pool.
Example: default.poolConfig.max-limit=5

Property: default.poolConfig.increment
Description: Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
Example: default.poolConfig.increment=1

Property: default.poolConfig.timeout
Description: The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is in seconds.
Example: default.poolConfig.timeout=30

Property: log4j.rootCategory
Description: The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.

Property: providerServlet.url
Description: URL to access the Banner portal servlet. This is the URL of the web server and points to the OC4J servlet, which resides on the web server machine. The port of 4445 in the document is an example; you provide the port number that routes you to the welcome page of the web server, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. See "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.

Property: providerServlet.userName
Description: User name to secure the servlet.
Example: providerServlet.userName=channelAdmin

Property: providerServlet.password
Description: Password used to secure the servlet.
Example: providerServlet.password=u_pick_it

Property: xsl-parameter.erpUrlBase
Description: URL for the INB server. Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL.
Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D

Property: xsl-parameter.urlHostAndPath
Description: URL for the self-service application.
Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD

The recommended value for the user name is channelAdmin. You can use any value for the password.

This user name and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a channel request, it compares the user name and password stored in banportals.ear with the user name and password sent by Luminis from the luminis-banner webapp. Thus the providerServlet user name and password should only be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user, and so forth.

Generate the banportals.ear file

The banportals.config file contains values that should be inserted into the banportals.ear file.

To roll the changes into an installer file, use banportalsadmin.jar. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME; a Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config

Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager as described in "Deploy the EAR file" on page 2-15.
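The properties above are plain Java .properties entries, and the servlet credentials they carry are the only thing standing between the luminis-banner webapp and the OC4J servlet. The following Python lint is an added example, not part of the Ellucian guide or of banportalsadmin.jar: it reads a banportals-style file, checks that every connection named in connectionName.list has its tnsName/userName/password and sane pool limits, and flags the two settings a reviewer would query before deployment (the documentation placeholder password u_pick_it and cleartext http URLs). The sample file, its host names and its DAD are constructed for the example.

```python
"""Lint a banportals-style .properties file (added example; assumes the dotted
key names as reconstructed above, not an Ellucian tool)."""
import re
from urllib.parse import urlparse

# Constructed sample mirroring the table above; hosts and DAD are placeholders.
SAMPLE_CONFIG = """
# connection pool shared by the channels
connectionName.list=default
default.tnsName=LB70.example.edu
default.userName=banproxy
default.password=banproxy
default.poolConfig.min-limit=1
default.poolConfig.max-limit=5
default.poolConfig.increment=1
default.poolConfig.timeout=30
log4j.rootCategory=ERROR, stdout
providerServlet.url=http://portal.example.edu:4445/banportals
providerServlet.userName=channelAdmin
providerServlet.password=u_pick_it
xsl-parameter.urlHostAndPath=https://ssb.example.edu:9001/YourDAD
"""

POOL_KEYS = ("min-limit", "max-limit", "increment", "timeout")
URL_KEYS = ("providerServlet.url", "xsl-parameter.urlHostAndPath", "xsl-parameter.erpUrlBase")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or key:value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def lint_banportals(props):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    names = [n for n in re.split(r"[,\s]+", props.get("connectionName.list", "")) if n]
    if not names:
        findings.append("connectionName.list is missing or empty")
    for name in names:
        for key in ("tnsName", "userName", "password"):
            if not props.get(f"{name}.{key}"):
                findings.append(f"{name}.{key} is required for connection '{name}'")
        if props.get(f"{name}.password") and props.get(f"{name}.password") == props.get(f"{name}.userName"):
            findings.append(f"{name}.password is identical to {name}.userName")
        pool = {}
        for key in POOL_KEYS:
            val = props.get(f"{name}.poolConfig.{key}")
            if val is None:
                continue
            if not val.isdigit():
                findings.append(f"{name}.poolConfig.{key} must be an integer, got {val!r}")
            else:
                pool[key] = int(val)
        if "min-limit" in pool and "max-limit" in pool and pool["min-limit"] > pool["max-limit"]:
            findings.append(f"{name}.poolConfig.min-limit exceeds max-limit")
        if "increment" in pool and pool["increment"] < 1:
            findings.append(f"{name}.poolConfig.increment must be at least 1")
    # Shared secret between the luminis-banner webapp and the OC4J servlet.
    for key in ("providerServlet.url", "providerServlet.userName", "providerServlet.password"):
        if not props.get(key):
            findings.append(f"{key} is required")
    if props.get("providerServlet.password") == "u_pick_it":
        findings.append("providerServlet.password is the documentation placeholder; choose a site-specific value")
    # Cleartext http exposes the servlet credentials and Banner session data in transit.
    for key in URL_KEYS:
        url = props.get(key)
        if url and urlparse(url).scheme != "https":
            findings.append(f"{key} does not use https: {url}")
    return findings


if __name__ == "__main__":
    for finding in lint_banportals(parse_properties(SAMPLE_CONFIG)):
        print("-", finding)
```

Run it against the real CHANNEL_HOME/banportals.config before generating the EAR; anything it reports is cheaper to fix before the file is baked into banportals.ear and deployed to each OC4J instance.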
Deploy the EAR file

SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.

To use the Oracle Enterprise Manager, complete the following steps:

1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
   It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
   This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) server to the banportals.ear file using mapped drives or symbolic links, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique within the OC4J instance and should typically identify the application being deployed. The suggested name is <SID>_banportals.
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not /banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the file $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/banportals.properties is customized to match the configuration deployed above for the banportals.ear file.

Banner portlet life cycle

The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• Banner generates XML content in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.

Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate user name mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To improve performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner as follows:
USERMAP_OPT = N

The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will first look for an LDAP user name mapping based on the GUAUPRF LDAP settings, then fail over to the mapping set in the Banner GOBEACC table. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning

Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and the event-driven infrastructure.

This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"

Learning Message Gateway

The Learning Management Gateway (LMG) is an architectural component designed for use with, and supporting, Banner Integration for eLearning.

This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"

Background from a Luminis Platform 4 perspective

Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework application server context, which contains native JMS client connectivity by default. In addition, the JMS provider middleware has been decoupled from the Luminis-specific portal and administration tools.

Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.

GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish Open MQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the .../imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.

You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the Open MQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.

The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME directory and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.

The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0

Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.

To install LMG 4.0, complete the following steps:

1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside. For example:
   mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following to the .bash_profile of your LUMADMIN user:
   SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
   export SCT_LMG_HOME
3. Copy lmg40.jar into your SCTERPGateway installation directory. The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
   java -jar lmgX.x.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
   For example:
   java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true

Note: For more information on the command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging

A Bourne shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server runs on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.

The full script is listed in "Full lp5_mqinit.sh script" on page C-5.

To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis

The lp5_mqinit.sh script creates users and administered objects such as topics, queues, and connection factories in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:

• Environment settings:
  HOSTNAME=slc207123.sct.com
  MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist:
  MQ_LMG_USER=lmguser
  MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes.
  MQ_LUM_USER=lumuser
  MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port, and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use imq.portmapper.port, which has a default value of 7676.
  MQ_JMS_PORT=7676
  MQ_SSLJMS_PORT=7676
  Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache. MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
  MQ_HTTP_TUNNEL_PORT=8081
  MQ_HTTPS_TUNNEL_PORT=8181
  MQ_TUNNEL_VPATH=imqtunnel
  Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations:
  OPENDS_DIR=$CP_ROOT/products/opends
  OPENDS_ADMIN_PORT=4444
  OPENDS_MQ_BASEDN=o=messaging
  INSECURE_LDAP_PORT=389

Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ

Update <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
  imq.authentication.type=basic
  imq.authentication.basic.user_repository=ldap
  imq.user_repository.ldap.uidattr=cn
  imq.user_repository.ldap.grpsearch=false
  imq.user_repository.ldap.server=localhost:389
  imq.user_repository.ldap.base=ou=People,o=messaging
  imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
  imq.user_repository.ldap.password=<password>

The <user> and <password> values should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search, and compare privileges in o=messaging.

To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
  imq.destination.logDeadMsgs=true
  imq.log.file.dirpath=<path>/logs
  imq.log.file.filename=mb-broker.log
  imq.log.file.rolloverbytes=1048576
  imq.log.file.rolloversecs=0
  imq.log.level=ERROR

Change imq.log.level to INFO for low-level debug logging.

Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.

Set up GlassFish MQ access control

Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP must be granted ADMIN access in order to perform administrative functions with MQ.

To increase security for topics and queues within the MQ access control, set queue- and topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis:
  connection.ADMIN.allow.user=lumuser,lmguser
  queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
  queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
  topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
  topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
  topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
  topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
  topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
  topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
  topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
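A per-destination access list like the one above is only as good as the spelling of its principals: a user name that does not exist in ou=People,o=messaging silently grants nothing, and the consumer it was meant for fails at runtime. The Python below is an added example (not an Ellucian or Open MQ tool) that parses accesscontrol.properties rules of the form shown, checks every principal against the two users lp5_mqinit.sh creates, and evaluates who may produce or consume on each destination. The sample rules are constructed for the example and the last one deliberately carries a misspelled principal so the check has something to report. The evaluation order in is_allowed (explicit deny, then explicit allow or "*", destination-specific rules shadowing the "*" destination, everything else denied) is this example's own simplification, not a statement of the broker's complete algorithm.

```python
"""Review an Open MQ accesscontrol.properties fragment (added example)."""
import re

# The two principals this section defines: MQ_LMG_USER and MQ_LUM_USER.
KNOWN_USERS = {"lmguser", "lumuser"}

# Constructed sample in the same format as the guide's listing; the final
# line misspells lumuser on purpose to exercise the unknown-principal check.
SAMPLE_ACL = """
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
"""

# <kind>.<destination>.<operation>.<allow|deny>.<user|group>=<comma list>
RULE = re.compile(
    r"^(queue|topic)\.([^.]+)\.(produce|consume|browse)\.(allow|deny)\.(user|group)=(.*)$"
)


def parse_acl(text):
    """Return {(kind, dest): {op: {"allow": set(), "deny": set()}}} for user rules."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            continue  # connection.* lines and anything else are out of scope here
        kind, dest, op, verdict, subject, who = m.groups()
        if subject != "user":
            continue
        entry = rules.setdefault((kind, dest), {}).setdefault(
            op, {"allow": set(), "deny": set()})
        entry[verdict].update(u.strip() for u in who.split(",") if u.strip())
    return rules


def is_allowed(rules, user, kind, dest, op):
    """Simplified evaluation (assumption of this example, see lead-in)."""
    for key in ((kind, dest), (kind, "*")):
        verdicts = rules.get(key, {}).get(op)
        if verdicts is None:
            continue
        if user in verdicts["deny"] or "*" in verdicts["deny"]:
            return False
        return user in verdicts["allow"] or "*" in verdicts["allow"]
    return False


def check_acl(rules, known_users=KNOWN_USERS):
    """Flag principals that are not provisioned and blanket '*' grants on named destinations."""
    findings = []
    for (kind, dest), ops in sorted(rules.items()):
        for op, verdicts in sorted(ops.items()):
            for u in sorted(verdicts["allow"] | verdicts["deny"]):
                if u != "*" and u not in known_users:
                    findings.append(f"{kind}.{dest}.{op}: unknown principal '{u}'")
            if "*" in verdicts["allow"] and dest != "*":
                findings.append(f"{kind}.{dest}.{op}: granted to every authenticated user")
    return findings


def permission_matrix(rules, users=KNOWN_USERS):
    """{(user, 'kind.dest'): set of operations allowed}; handy for a least-privilege review."""
    matrix = {}
    for (kind, dest), ops in rules.items():
        for user in users:
            matrix[(user, f"{kind}.{dest}")] = {
                op for op in ops if is_allowed(rules, user, kind, dest, op)}
    return matrix


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for finding in check_acl(acl):
        print("-", finding)
    for (user, dest), ops in sorted(permission_matrix(acl).items()):
        print(f"{user:8} {dest:40} {sorted(ops)}")
```

Point parse_acl at the broker's own file after editing it; the matrix shows at a glance that LMG only produces replies and sync events while Luminis only consumes them, which is the split the section is aiming for.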
Custom JMS Clients

Ensure that your JMS clients have the same versions of jms.jar and imq.jar in their classpath as any connecting applications. These JAR files should match those in <glassfish>/mq/lib.

Configure JMS provider with Luminis Platform

The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ, or Update Center, see http://java.net/jira/secure/IssueNavigator.jspa.

In most cases, installation is simply extracting the archive to the desired directory.

As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server:

1. Download and install JDK 1.6.x. Downloads and documentation can be obtained at the following URL:
   http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
   http://glassfish.java.net
   For documentation on subsequent GlassFish Server 3.x Open Source Edition releases later than 3.1, refer to the link above.
   Use the following steps to configure GlassFish and MQ:
   2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
   Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
   2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
   To create a JMS user, complete the following steps:
   Note: The imqusermgr command creates users in the file-system based user repository; it can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use with IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details, or contact the Luminis Integration ActionLine for additional help.
   3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
   imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
   3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
   imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for the other services, as illustrated below:
   telnet localhost 7676
   Trying 127.0.0.1...
   Connected to localhost.localdomain (127.0.0.1).
   Escape character is '^]'.
   101 imqbroker 4.5
   cluster_discovery tcp CLUSTER_DISCOVERY 0
   portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
   jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
   admin tcp ADMIN 39925
   jms tcp NORMAL 42103
   mqdirect2 none NORMAL 0
   jmsdirect none NORMAL 0
   cluster tcp CLUSTER 37453
   Connection closed by foreign host.
   If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
   imq.admin.tcp.port=7574
   imq.jms.tcp.port=7575
   imq.ssljms.tls.port=7576
   After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
   [root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
   Trying 1492421528...
   Connected to userportal.sungardhe.com (1492421528).
   Escape character is '^]'.
   101 imqbroker 4.5
   cluster_discovery tcp CLUSTER_DISCOVERY 0
   portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
   jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
   admin tcp ADMIN 7574
   jms tcp NORMAL 7575
   httpsjms https NORMAL 0
   mqdirect2 none NORMAL 0
   jmsdirect none NORMAL 0
   cluster tcp CLUSTER 50627
   Connection closed by foreign host.
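Reading the portmapper table by eye works once; it does not tell you, a month later, that someone re-enabled ephemeral ports or that the firewall rule no longer matches. The Python below is an added example (not an Ellucian or Open MQ utility) that parses the text the broker returns on port 7676 into a service table, compares the advertised admin and jms ports with the values written to config.properties, and lists the ports that actually need firewall openings. The embedded reply is copied from the second telnet transcript above; fetch_portmap opens the same TCP connection the transcript did and is the only part that touches the network.

```python
"""Parse the Open MQ portmapper reply and verify static ports (added example)."""
import socket

# Portmapper reply after the static-port change, as printed in the transcript above.
PORTMAP_REPLY = """101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""

# The values this section tells you to add to imqbroker/props/config.properties.
EXPECTED_STATIC = {"admin": 7574, "jms": 7575}


def parse_portmap(text):
    """Return (protocol version, broker id, {service: (protocol, type, port)})."""
    lines = [l for l in text.splitlines() if l.strip()]
    version, broker, broker_version = lines[0].split()[:3]
    services = {}
    for line in lines[1:]:
        # name protocol service-type port [optional attribute block]
        name, proto, stype, port = line.split(None, 4)[:4]
        services[name] = (proto, stype, int(port))
    return version, f"{broker} {broker_version}", services


def check_static_ports(services, expected=EXPECTED_STATIC):
    """Compare advertised ports with the configured static ones; return mismatches."""
    problems = []
    for name, port in expected.items():
        svc = services.get(name)
        if svc is None:
            problems.append(f"{name}: service not advertised by the broker")
        elif svc[2] == 0:
            problems.append(f"{name}: port 0 (service inactive or not yet assigned)")
        elif svc[2] != port:
            problems.append(f"{name}: advertised port {svc[2]} differs from configured {port}")
    return problems


def listening_ports(services):
    """{service: port} for every service that actually has a port: the firewall list."""
    return {name: svc[2] for name, svc in services.items() if svc[2] != 0}


def fetch_portmap(host, port=7676, timeout=5.0):
    """Live query. As in the telnet transcript, the broker writes the table once the
    TCP connection is open and then closes it, so read until EOF."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


if __name__ == "__main__":
    _, broker, table = parse_portmap(PORTMAP_REPLY)
    print(broker, listening_ports(table))
    print(check_static_ports(table) or "static ports confirmed")
```

An empty list from check_static_ports is the "being used as expected" confirmation the step asks for; services still advertised with port 0 (httpsjms here) are not reachable and need no firewall rule.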
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.

If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.

Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on the HTTPS traffic.

For example, the settings may appear as follows:
  com.sghe.luminis.jmstype=sun
  isMessageBrokerEnabled=true
  com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
  com.sghe.luminis.imqConnectionCredentials=<jmspassword>
  com.sghe.luminis.imqBrokerHostName=<jmshost>
  com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms

5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
   5.1 To query the broker, run the following commands:
   cd <glassfish>/mq/bin
   imqcmd query bkr -b <localhost>
   5.2 To ensure the JMS service is active, run the following command:
   imqcmd query svc -b <localhost> -n jms
   5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
   To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host attribute matches your FQDN, as illustrated in the following example:
   <jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
     <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
   </jms-service>
   After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN in any IMQCMD commands.
Luminis Platform 503 November 2011Banner Integration Setup GuideData-Level Integration and Provisioning
Novemb
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB) These points include the following
bull ldquoUser ID mappingsrdquo
bull ldquoCreate the o=SCTSSOapplications base DNrdquo
bull ldquoVerify usermap mapping setup for INB users using the proxyinfosql scriptrdquo
bull ldquoConfigure user map lookupsrdquo
User ID mappings
User ID mappings are important in Open Digital Campus The PIDM is the root key The PIDM lt-gt UDC ID mapping is in the GOBUMAP configuration PIDM lt-gt SPRIDEN ID mappings occur in the SPRIDEN table PIDM lt-gt INB (Oracle) login mappings occur in the GOBEACC table For more details about GOBUMAP see the Banner General 751 Release Guide
The LDAP-authentication layer is not necessary beyond the initial CAS authentication Luminis Platform Portlets for Banner continue to rely upon Banner Oracle INB ID or BANPROXY proxy ID which gather data from Oracle to stream back via the portlets There is no additional LDAP authentication nor spriden-ID lookup against LDAP involved in the SSO transaction Instead bnSSOWeb applications (SSO via CAS to INB and SSB) accessed via banner-cas-clientauthorizedbanner now place trust in the initial CAS ticket as in Luminis-CAS login on port 8447 coupled with the assertion of the UDCID in the configured cookie and header
Luminis Portlets for Banner add database-level security with Banportals for each transaction using the users actual INBOracle user account or by proxy via BANPROXY
Other questions to consider when setting a user in Banner applications are as follows
bull Does the user have a map in GOBUMAP for his UDC ID to a valid PIDM and does the user have a UDCID defined in the Luminis Platform LDAP record
bull Have the CAS banner-cas-client service URLs been configured via your CAS servers services management page cas-webservicesmanagehtml to specifically pass the UDC_IDENTIFIER
er 2011 Luminis Platform 503 4-1Banner Integration Setup Guide
SSB and INB Integration
4-2
bull Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters
NoteIf you are using a version of Web Tailor older than version 84 ensure that you have Web Tailor 831 installed with the b_0110_twb8030001 or Web Tailor 82 with the b_0110_twb8020001 Otherwise the bnSSOWeb will not function Pay strict attention to the domain name and port assignments wherever INB URLS are referenced in the BEIS and banportals configurations The domain name sctcom is not necessarily sungardhecom
Create the o=SCTSSOapplications base DN

To create an optional base DN such as o=SCTSSOapplications, you can use the OpenDS control-panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.

For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel

To create the base DN, complete the following steps:

1. Run the dsconfig command in $CP_ROOT/products/opends/bin as follows:
   dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
   1.1 Select userRoot.
   1.2 Select base-dn.
   1.3 Select "Add one or more values".
   1.4 Enter the DN. For example, enter o=SCTSSOapplications.
   1.5 Press Enter to continue.
   1.6 Select "Use these values".
   1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
   ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
   For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications.ldif" sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
   import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script

The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.

Mappings defined in o=usermap,o=Banner,o=SCTSSOapplications take precedence here; for any user who does not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.

If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups

In order for the mappings in o=usermap,o=Banner,o=SCTSSOapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.

The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key

When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.

Note: During your Banner installation or upgrade, you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.

If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.

1. Create the physical directory on your database server, such as:
   mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
   Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters since those are the characters used by the current DES encryption.
   The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows:
   $BANNER_HOME/KEY_DIR
   Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
   sqlplus /nolog
   connect general/general_password
   start banssodir
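A pre-flight check of an enckey file against the key rules stated in step 3, as an added example (not Ellucian code); it assumes the key is read from the first line of the file.

```python
"""Pre-flight check of a Banner enckey file (added example, not Ellucian code).

It encodes only the rules stated in the step above: the key starts in
column 1, mixes letters and numbers, is at least 8 characters long, may be
longer only in multiples of 8, and GOKKSSO uses at most the first 24
characters while the current DES encryption uses only the first 8.
Assumption: the key is read from the first line of the file.
"""
import string
import sys

DES_KEY_LEN = 8       # characters used by the current DES encryption
GOKKSSO_KEY_LEN = 24  # characters GOKKSSO reads (sized for a future DES3 key)


def check_enckey(contents: str) -> list:
    """Return the rule violations found in the text of an enckey file.

    An empty list means the key satisfies every rule the guide states.
    """
    problems = []
    first_line = contents.split("\n", 1)[0].rstrip("\r")
    if first_line.strip() == "":
        return ["enckey file is empty"]
    if first_line[0] in string.whitespace:
        problems.append("key must start in column 1 (leading whitespace found)")
    key = first_line.strip()
    if len(key) < DES_KEY_LEN:
        problems.append(f"key has {len(key)} characters; at least {DES_KEY_LEN} are required")
    elif len(key) % DES_KEY_LEN != 0:
        problems.append(f"key length {len(key)} is not a multiple of {DES_KEY_LEN}")
    if not (any(ch.isalpha() for ch in key) and any(ch.isdigit() for ch in key)):
        problems.append("key must combine letters and numbers")
    return problems


def key_material(contents: str) -> tuple:
    """Return (des_key, gokksso_key, ignored) derived from the file text.

    des_key is what the current DES encryption uses, gokksso_key is the
    portion GOKKSSO reads (it pads shorter keys to 24 itself), and ignored
    is any trailing text beyond the 24th character that never takes part.
    """
    key = contents.split("\n", 1)[0].strip()
    return key[:DES_KEY_LEN], key[:GOKKSSO_KEY_LEN], key[GOKKSSO_KEY_LEN:]


if __name__ == "__main__":
    # Usage: python check_enckey.py $BANNER_HOME/key_dir/enckey
    # Only lengths are printed, never the key itself.
    with open(sys.argv[1], encoding="ascii") as fh:
        text = fh.read()
    issues = check_enckey(text)
    des_key, gok_key, ignored = key_material(text)
    print(f"DES uses {len(des_key)} chars, GOKKSSO reads {len(gok_key)} chars,"
          f" {len(ignored)} trailing chars ignored")
    for issue in issues:
        print("PROBLEM:", issue)
    sys.exit(1 if issues else 0)
```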
Create entries in LDAP for usermap

If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications

UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If a user's IDs are the same in both systems, an entry in this location is neither necessary nor recommended for that user.

In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
  Luminis ID = jsmith
  Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
  Luminis ID = JoeSmith
  Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.

1. Create a mapping file, for example sso_map.ldif:
   dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
   SCTSSOConfigString: jsmith
   objectClass: top
   objectClass: SCTSSOConfig
   description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
   cn: JoeSmith
2. Import the mapping file into the LDAP server:
   ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
   Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.

Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping can be read accordingly.
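The lookup that proxyinfo.sql reports on, worked offline against an export of the o=usermap tree, as an added example (not Ellucian code): explicit SCTSSOConfig entries win, everyone else falls back to the default Oracle ID. The LDIF sample is constructed, and banproxy is assumed as the default because the guide names it as the usual one.

```python
"""Resolve a Luminis logon ID to its Oracle/INB ID from the o=usermap tree.

Added example, not Ellucian code. It applies the rule the guide states and
that proxyinfo.sql reports on: an SCTSSOConfig entry whose cn is the
Luminis ID, held under o=usermap,o=Banner,o=SCTSSOapplications, maps to the
Oracle ID in SCTSSOConfigString; a user without such an entry gets the
default Oracle ID (usually banproxy). SAMPLE_LDIF is constructed data in
the shape of an export of that tree.
"""
from __future__ import annotations

import sys
from pathlib import Path

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "banproxy"  # the usual default named in the guide

# Constructed sample; the second entry includes a folded LDIF line.
SAMPLE_LDIF = """\
dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap

dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: JoeSmith
description: Map of Luminis ID - JoeSmith to Banner/Oracle
  ID - jsmith
SCTSSOConfigString: jsmith

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: blank lines separate entries, a line starting
    with a space continues the previous value, every attribute is a list.
    Base64 (::) values are not needed for this tree and are not handled."""
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    last_attr: str | None = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]   # LDIF folding: drop one space
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def load_usermap(text: str) -> dict[str, str]:
    """Return {luminis_id.lower(): oracle_id} from SCTSSOConfig entries
    under USERMAP_BASE. cn uses case-insensitive matching in LDAP, so the
    lookup key is lowercased; other entries (the organization itself,
    anything outside the base) are ignored."""
    mapping: dict[str, str] = {}
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if "sctssoconfig" not in classes:
            continue
        if not dn.lower().endswith("," + USERMAP_BASE.lower()):
            continue
        cn = entry.get("cn", [None])[0]
        oracle_id = entry.get("SCTSSOConfigString", [None])[0]
        if cn and oracle_id:
            mapping[cn.lower()] = oracle_id
    return mapping


def resolve_oracle_id(luminis_id: str, usermap: dict[str, str],
                      default: str = DEFAULT_ORACLE_ID) -> tuple[str, bool]:
    """Return (oracle_id, explicit). explicit is False when the default
    applies, the case proxyinfo.sql signals by returning a generic ID."""
    oracle_id = usermap.get(luminis_id.lower())
    return (default, False) if oracle_id is None else (oracle_id, True)


if __name__ == "__main__":
    # Usage: python usermap_lookup.py [export.ldif] [luminis_id ...]
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_LDIF
    table = load_usermap(text)
    for who in sys.argv[2:] or ["JoeSmith", "610009611", "jdoe"]:
        oracle_id, explicit = resolve_oracle_id(who, table)
        how = "explicit usermap entry" if explicit else "no entry, default applies"
        print(f"{who} -> {oracle_id} ({how})")
```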
Configure parameters using GUAUPRF

To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:

1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value is displayed as the Default value for new users who log in to Banner.

   Parameter      Description
   BIND_PASSWORD  The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
   BIND_USER      A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine if users exist.
   DN             The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
   SERVER         The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using Internet URL format for LDAP, such as the following example: ldap://myldapserver:389
                  Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
   USERMAP_OPT    Usermap option. Valid values are as follows:
                  L - LoginID is being used for login mapping
                  N - No usermap option is used
   USERMAP_PRFX   Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
                  Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).

5. In the SSL (Secure Socket Layer) key, configure the following parameters:

   Parameter  Description
   LOCATION   To configure SSL, a certificate wallet must be created on the Database Server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows:
              file:/d:/wallet for Windows
              file:/u01/wallet for Unix
   PASSWORD   The password to the wallet, stored using DES encryption with the key you created in a previous step.
   MODE       The SSL authentication mode, which can be one of the following values:
              1 - No authentication is required (SSL encryption only)
              2 - One-way authentication is required; the client certificate is authenticated by the server
              3 - Two-way authentication is required; the client and the server authenticate each other's certificates
A CAS Server Configuration

Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.

For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.

1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
   A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the following CAS versions:
   2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
   2.2 Select the file that supports your version of CAS:
       SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
       SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
   4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
       jsr173_1.0_api.jar
       sghe_udc_identity_xmlbeans_binding.jar
       sghe-cas-ext.jar
       xbean.jar
       xercesImpl.jar
       xml-apis.jar
   4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
       <servlet-mapping>
           <servlet-name>cas</servlet-name>
           <url-pattern>/bannerValidate</url-pattern>
       </servlet-mapping>
   4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
       4.2.1 Open the uniqueIdGenerators.xml file.
       4.2.2 Add the following entry inside the existing util:map with id uniqueIdGeneratorsMap:
             <util:map id="uniqueIdGeneratorsMap">
                 ...
                 <entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
             </util:map>
       4.2.3 Save and close the uniqueIdGenerators.xml file.
   4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
       Use the following steps to modify the argumentExtractorsConfiguration.xml file:
       4.3.1 Open the argumentExtractorsConfiguration.xml file.
       4.3.2 Add the following XML configuration:
             <bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
             </bean>
       4.3.3 Add the following reference to the util:list argumentExtractors:
             <util:list id="argumentExtractors">
                 <ref bean="BannerArgumentExtractor" />
                 <ref bean="casArgumentExtractor" />
                 <ref bean="samlArgumentExtractor" />
             </util:list>
       4.3.4 Save and close argumentExtractorsConfiguration.xml.
   4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
       Use the following steps to modify the cas-servlet.xml file:
       4.4.1 Open cas-servlet.xml and add the following XML configuration:
             <bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
                 p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
                 p:centralAuthenticationService-ref="centralAuthenticationService"
                 p:proxyHandler-ref="proxy20Handler"
                 p:argumentExtractor-ref="BannerArgumentExtractor"
                 p:successView="bannerAccountServiceSuccessView"
                 p:failureView="bannerAccountServiceFailureView" />
       4.4.2 Add the following property to the bean handlerMappingC:
             <prop key="/bannerValidate">bannerAccountValidateController</prop>
       4.4.3 Save and close the cas-servlet.xml file.
   4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
       4.5.1 Add entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
             <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
                 <property name="baseDN" value="ou=People,o=cp" />
                 <property name="query" value="(uid={0})" />
                 <property name="contextSource" ref="contextSource" />
                 <property name="ldapAttributesToPortalAttributes">
                     <map>
                         <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
                         <entry key="uid" value="uid" />
                         <entry key="udcid" value="UDC_IDENTIFIER" />
                         <entry key="cn" value="cn" />
                         <entry key="givenname" value="Formatted Name" />
                         <entry key="mail" value="EmailAddress" />
                     </map>
                 </property>
             </bean>
       4.5.2 Add the following property configuration inside the bean authenticationManager:
             <property name="authenticationMetaDataPopulators">
                 <list>
                     <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
                         <property name="template" ref="LdapTemplate" />
                         <property name="netIdAttr" value="uid" />
                         <property name="baseDN" value="ou=People,o=cp" />
                         <property name="casTokenAttributes">
                             <map>
                                 <entry>
                                     <key><value>udcid</value></key>
                                     <value>UDC_IDENTIFIER</value>
                                 </entry>
                             </map>
                         </property>
                     </bean>
                 </list>
             </property>
       4.5.3 Add the following bean definitions under the beans root element:
             <bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
                 <property name="contextSource" ref="contextSource"></property>
             </bean>
             <bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
                 <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
             </bean>
             <bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
                 <property name="template" ref="LdapTemplate"></property>
                 <property name="netIdAttr" value="uid" />
                 <property name="baseDN" value="ou=People,o=cp" />
                 <property name="samlToLdapAttributeNameMap">
                     <map>
                         <entry key="UDC_IDENTIFIER" value="udcid" />
                         <entry key="Formatted Name" value="sn" />
                     </map>
                 </property>
             </bean>
             <bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
       4.5.4 Save and close the deployerConfigContext.xml file.
   4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
       4.6.1 Open default_views.properties.
       4.6.2 Add the following lines:
             # Banner Applications Views
             bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
             bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
       4.6.3 Save and close default_views.properties.
   4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs

Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.

You can also enable debug logging for the GlassFish message queue (MQ) component.

Banportals logs

BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To crank up banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties

For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties

Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file

If you are not actively debugging, lower the verbosity to the ERROR level.

Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1

There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log

For HTTP-layer monitoring, reference the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.

You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.

Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will, which take effect after the next restart of that component.

GlassFish MQ and Luminis Platform Message Brokerage logs

Logs are placed in the following directory, assuming the default domain:
/opt/glassfishv3/glassfish/domains/domain1/logs

If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties

Otherwise, you can adjust other GlassFish server-level logging in the following location:
/opt/glassfishv3/glassfish/domains/domain1/config/logging.properties

Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.

Learning Management Gateway (LMG) logs

Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.

The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)

The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.

To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG

Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.

If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
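Following an event ID (the GOAEQRM Event Sequence) through the three log messages shown above, as an added example (not Ellucian code); the sample log is constructed, with the 370660 lines taken from the guide's example and a second event that only validated.

```python
"""Trace Banner event IDs through LMG adapter.log lines (added example).

Not Ellucian code. The guide notes that the Event Sequence on GOAEQRM is
the EventID written to adapter.log and ldi_event_data.log, and shows the
three INFO messages a successfully published event leaves behind. This
groups log lines by that ID and reports how far each event got, so an
event that validated but never reached the broker stands out. SAMPLE_LOG
is constructed; its 370660 lines follow the guide's example.
"""
import re
import sys

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# The three stages the guide shows, in the order they occur.
STAGES = (
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("to_broker", re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("to_destination", re.compile(r"The event (\d+) has been published to (\S+)")),
)

SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,114 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
"""


def parse_lmg_line(line: str):
    """Split one log4j-style LMG line into its fields, or None if it is not one."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def trace_events(log_text: str) -> dict:
    """Return {event_id: {"stages": [...], "destination": str|None,
    "first_seen": ts, "last_seen": ts}} for every event ID in the log."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_lmg_line(line)
        if rec is None:
            continue   # continuation lines, stack traces, unrelated output
        for stage, pattern in STAGES:
            hit = pattern.search(rec["msg"])
            if hit is None:
                continue
            ev = events.setdefault(hit.group(1), {
                "stages": [], "destination": None,
                "first_seen": rec["ts"], "last_seen": rec["ts"]})
            ev["stages"].append(stage)
            ev["last_seen"] = rec["ts"]
            if stage == "to_destination":
                ev["destination"] = hit.group(2)
            break
    return events


def incomplete_events(events: dict) -> list:
    """Event IDs that never reached the final 'published to <destination>' stage."""
    return sorted(eid for eid, ev in events.items() if "to_destination" not in ev["stages"])


if __name__ == "__main__":
    # Usage: python lmg_trace.py [$SCT_LMG_HOME/Events/logs/adapter.log]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    traced = trace_events(text)
    for eid, ev in sorted(traced.items()):
        print(f"event {eid}: {' -> '.join(ev['stages'])}"
              f" (destination={ev['destination']}, last seen {ev['last_seen']})")
    stuck = incomplete_events(traced)
    if stuck:
        print("not fully published:", ", ".join(stuck))
```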
GlassFish MQ 4.5 logs

If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:

1. Locate the default MQ logs, stored in the following location:
   <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command:
   imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
   This has the same effect as adding or editing the following property in the following location:
   <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
   imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
   imq.log.file.dirpath=/opt/luminis/logs
   imq.log.file.filename=mb-broker.log
C Sample Scripts and Files

This appendix contains examples of scripts and LDIF files you might use during the integration. These include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script

The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
--   1) login to SQL as BANINST1
--   2) Type: start proxyinfo
--      to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS      TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                       TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompted for with scan on
  d varchar2(200);                    -- Oracle user resolved for c
  e varchar2(200);                    -- role
  f varchar2(200);                    -- password (not displayed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role:         ' || e);
  -- dbms_output.put_line(' PWD:          ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User:  ' || d);
end;
/
spool off
Sample 00-core.ldif

The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif

The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif

The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.

The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif

The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinitsh script
The full lp5_mqinitsh script referred to in ldquoSet up users and administered objects in o=messagingrdquo on page 3-3 is listed below
binsh
author davidnortonsungardhecom
version history
01312011 - initial version rolled
02162011 - slight changes to notes
02202011 - notes moved to separate doc general clean-up but
no changes in the logicexecution
Debug note
To debug execute ldquobinsh [or binbash] [-x|-v] lp5_mqinitshrdquo
Uncomment the following for verbose dsconfigldapmodify
VERBOSE=rdquo--verboserdquo
User-configurable variables before running script
HOSTNAME=slc207123sctcom
MQ_HOME=optglassfishv3mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
er 2011 Luminis Platform 503 C-5Banner Integration Setup Guide
Sample Scripts and Files
C-6
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
You probably shouldnt need to adjust these
OPENDS_DIR=$CP_ROOTproductsopends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=rdquoo=messagingrdquo
INSECURE_LDAP_PORT=389
Non-configurable variables initialized
STEPNO=1
ERRORCODE=0
# After each command, check for a non-zero error response and exit if applicable.
# LDAP result codes 20 (attributeOrValueExists) and 68 (entryAlreadyExists) are
# not necessarily errors; they usually mean the script has already been run.
ErrorCheck()
{
  case $ERRORCODE in
    # err=0: no error
    0 ) return 0 ;;
    # err=20 generally means "Attribute or Value Exists"
    # err=68 generally means "Entry Already Exists"
    20|68 )
      echo "Step $STEPNO returned $ERRORCODE (object already exists; the script may already have run)."
      printf 'Proceed with script? [Press Y|y to continue, any other key to abort] '
      read PROCEED
      case $PROCEED in
        Y|y ) return 0 ;;
        * ) echo "Failed on step $STEPNO with error $ERRORCODE"; exit 1 ;;
      esac
      ;;
    * ) echo "Failed on step $STEPNO with error $ERRORCODE"; exit 1 ;;
  esac
}
# Step 01: some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [ ! -d "$OPENDS_DIR" ] || [ ! -w "$OPENDS_DIR" ]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02: prompt (no screen echo) for the Directory Manager password.
printf 'Enter the Directory Manager password for DS additions/mods: '
stty -echo
read DM_PASSWORD
stty echo
echo

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Note: -w puts the password on the command line, where other local users can
# read it from the process table while each command runs, and --trustAll skips
# verification of the directory server's certificate. Run this only on the
# resource tier itself, where no untrusted users have accounts.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options.
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1: create a new base-dn within backend userRoot.
cd "$CP_ROOT/products/opends/bin" || exit 1
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))
# STEP 2: ensure that pre-encoded passwords are allowed.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 3: add $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 4: add ou=People to $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 5: add ou=AdministeredObjects to $OPENDS_MQ_BASEDN.
# (-a is the same as the --defaultAdd already in LDAPMODIFY_OPTS.)
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 6: add $MQ_LMG_USER.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# If you want to insert a pre-encoded userPassword (this is why STEP 2 enabled
# ds-cfg-allow-pre-encoded-passwords), the format would be as below. The LDIF
# "::" marks a base64-encoded value; this one decodes to an {SSHA} hash, so the
# directory stores the hash as given instead of hashing a clear-text password.
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7: add the $MQ_LUM_USER user.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 8: add an LDAP ACI so that $MQ_LMG_USER has read/search/compare ability
# in $OPENDS_MQ_BASEDN. The grant is limited to the o=messaging subtree and to
# read-only rights; the broker users get no write access anywhere.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 9: add an LDAP ACI so that $MQ_LUM_USER has read/search/compare ability
# in $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# Define JNDI options for the imqobjmgr commands.
# Note: this binds as Directory Manager over plain LDAP on $INSECURE_LDAP_PORT,
# so the password crosses the wire unencrypted; HOSTNAME should therefore be
# the local resource tier host.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options.
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options.
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have been
# done by using imqcmd as follows; explicit imqobjmgr is used to ensure
# fine-grained control over the JNDI AdministeredObjects location.
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
# STEP 10: add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
# The lookup names contain a literal "$", so they are single-quoted.
cd "$MQ_HOME/bin" || exit 1
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 11: add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 12: add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 13: add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 14: add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# The destination name must be the UpdateRequest queue created with imqcmd above.
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 15: add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration.
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 16: create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 17: create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 18: create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 19: create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))
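The following is an added example and is not part of the Ellucian guide or its lp5_mqinit.sh script. It builds the o=messaging LDIF that the script feeds to ldapmodify, but with {SSHA} pre-encoded userPassword values (the form the script's comment after STEP 6 shows) instead of clear-text ones, and it refuses to emit the STEP 8/9 ACI unless the ACI grants only read/search/compare. Entry names and the base DN come from the script; the sample passwords, the 8-byte salt and the ACI label are assumptions made here. It also decodes the guide's own sample userPassword line to show that it is an LDIF base64 wrapper around an {SSHA} hash.

```python
"""Added example (not Ellucian code): o=messaging LDIF with pre-encoded passwords
and a read-only ACI guard. Names from lp5_mqinit.sh; salt length and ACI label
are assumptions."""
import base64
import hashlib
import hmac
import os
import re

BASE_DN = "o=messaging"
READ_ONLY_RIGHTS = {"read", "search", "compare"}

# The guide's own sample line (userPassword:: ...), decoded below.
GUIDE_SAMPLE_LINE = (
    "userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="
)


def ssha_encode(password, salt=None):
    """OpenDS {SSHA}: base64(sha1(password || salt) || salt); 8-byte salt is our choice."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored):
    """Split a {SSHA} value into (digest, salt); the salt follows the 20-byte SHA-1."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]


def ssha_verify(password, stored):
    """Constant-time check of a clear-text password against a stored {SSHA} value."""
    try:
        digest, salt = ssha_parts(stored)
    except ValueError:
        return False
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def decode_ldif_value(line):
    """'attr:: <b64>' carries a base64 value (RFC 2849); 'attr: <v>' is literal."""
    _, sep, value = line.partition(":: ")
    if sep:
        return base64.b64decode(value).decode("utf-8")
    return line.partition(": ")[2]


def ldif_b64_attr(name, value):
    """Emit an attribute the way OpenDS tools write userPassword: base64 after '::'."""
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_aci(user_cn, rights=("read", "search", "compare")):
    """The global ACI of STEP 8/9: a subtree grant under BASE_DN for one bind DN."""
    return (
        f'(target="ldap:///{BASE_DN}")(targetscope="subtree")(targetattr="*")'
        f'(version 3.0; acl "{user_cn} read-only on {BASE_DN}"; '
        f'allow ({",".join(rights)}) userdn="ldap:///cn={user_cn},ou=People,{BASE_DN}";)'
    )


ACI_RE = re.compile(r'allow\s*\(([^)]*)\)\s*userdn="ldap:///([^"]+)"')


def aci_is_read_only(aci):
    """True only if the ACI grants a subset of read/search/compare to a DN under BASE_DN."""
    match = ACI_RE.search(aci)
    if not match:
        return False
    rights = {r.strip() for r in match.group(1).split(",")}
    return rights <= READ_ONLY_RIGHTS and match.group(2).endswith(BASE_DN)


def user_entry(cn, password, description):
    """One ou=People entry as STEP 6/7 add it, with the password pre-encoded."""
    return "\n".join([
        f"dn: cn={cn},ou=People,{BASE_DN}", "objectClass: top", "objectClass: person",
        f"cn: {cn}", f"sn: {cn}", f"description: {description}",
        ldif_b64_attr("userPassword", ssha_encode(password)), "",
    ])


def build_messaging_ldif(users):
    """users maps cn -> (clear password, description); clear passwords never reach the LDIF."""
    parts = [user_entry(cn, pw, desc) for cn, (pw, desc) in users.items()]
    for cn in users:
        aci = build_aci(cn)
        if not aci_is_read_only(aci):
            raise ValueError(f"refusing to emit a non-read-only ACI for {cn}")
        parts.append("\n".join([
            "dn: cn=Access Control Handler,cn=config", "changetype: modify",
            "add: ds-cfg-global-aci", f"ds-cfg-global-aci: {aci}", "",
        ]))
    return "\n".join(parts)


if __name__ == "__main__":
    print(decode_ldif_value(GUIDE_SAMPLE_LINE)[:6])  # {SSHA}
    print(build_messaging_ldif({"lmguser": ("password", "LMG"),
                                "lumuser": ("password", "Internal message broker administrative user")}))
```

Feed the printed LDIF to the same ldapmodify invocation the script uses (STEP 2 must already have allowed pre-encoded passwords); because the value is hashed before it leaves the generating host, the clear-text password never appears in the LDIF, the shell history or the trace output of sh -x.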
Troubleshooting
This appendix discusses options for troubleshooting user name mapping and other issues in Luminis Platform portlets for Banner.

Error message when banproxy is not configured correctly

The following error often indicates that the banproxy configuration is not set up properly:

ORA-28150: proxy not authorized to connect as client

If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:

SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;

The proxy (connect-through) connection for BANPROXY access should appear as follows:

SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;

USER2 should be the sole member of the pxy_channel_luminis class and be granted EXECUTE on gspprxy and CREATE SESSION (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.

When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you must therefore issue the grants manually, executed as BANSECR, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.

For a student SSB user, the proxy lookup responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, the proxy lookup must respond with the actual INB user name. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: When you use the GSASECR form to check BANPROXY access while your default Oracle ID is something other than BANPROXY, you must assign the connect-through grants manually via SQL.

To test which Oracle ID is used for a given SPRIDEN ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, run as BANSECR, described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between the SSO systems is deliberately opaque, to make ticket hijacking and similar attacks harder. The installation process is manual so that each institution's administrative staff can customize their environment to use their own unique keywords.

The configuration of all the moving parts in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:

iamticket=iamticket

Use the same forms configuration name everywhere forms/frmservlet?config=… is referenced, in the BNIG configuration and in banportals; the example above uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.

If you see ajp-related errors in the Banner Enterprise Identity Services default island log, located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams on which JMS relies. To correct the problem, complete the following steps:

1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

3. Delete any lock files.

Another SOAP-related error, an HTTP transport error, can occur even if all the JMS queues are configured and operating correctly. It suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:

http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy

Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.

Validating Banner Enterprise Identity Services event streams

The following topics provide more information about validating the Oracle Streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation

For more information, refer to the Banner Enterprise Identity Services Installation Guide. One typo in that guide is the following:

1. The validation statement is missing a single quote; it should read:

   SELECT COUNT(*) FROM GSVCADT WHERE GSVCADT_CAPTURE_NAME = 'IAM_EVENTS_CAPTURE';

2. If the results from those validation SQL statements do not match the expected results, run the following scripts:

   gorctabi_070501.sql
   gorccoli_070501.sql
   gorcruli_070501.sql

   These are Banner General files and are located on your Banner database server under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.

3. Ensure that you are using General 8.3 or above, then enter the following commands:

   exec gp_streams_util.p_create_streams('IAM');
   exec gp_streams_util.p_configure_rules('IAM');

   The latter command should automatically begin the capture and apply. To begin them manually, enter the following commands:

   exec gp_streams_util.p_start_capture('IAM');
   exec gp_streams_util.p_start_apply('IAM');

   If the streams are locking on archive logs, you can remove the stream by entering the following command:

   exec gp_streams_util.p_remove_streams('IAM');

4. To recreate and reconfigure the streams, enter the following commands:

   exec gp_streams_util.p_create_streams('IAM');
   exec gp_streams_util.p_configure_rules('IAM');
virtual hostname if end users are using that URL to access the service in question. Mark the Enabled and SSO Participant check boxes and select the UDC_IDENTIFIER attribute.

Note: UDC_IDENTIFIER does not display in the attribute list until the CAS customizations detailed in the "Configuring CAS server to enable bannerValidate" section take effect. A restart of the CAS server is required.

If necessary, edit the CAS managed services that the CAS server protects.

Use the following steps to define new CAS managed services, if required:

1. Launch a browser and navigate to the CAS server management page. The URL is:

   https://<CAS server>:<port>/cas-web/services/manage.html

2. Supply a valid administrator user name and password obtained from the CAS administrator. The Services Management page is displayed.

3. Click the Add New Service tab in the left corner of the page.

4. Add a new service by entering the fields as shown in the table below.

5. Click Save Changes. The CAS server now protects the service that you defined.

Parameter       Description
Name            CAS services
Service URL     https://<cas-server>:<port>/cas-web/services
Description     Protect cas services
Theme Name      Cas
Status          Select Enabled and SSO Participant
Attributes      The service attributes
Banner CAS client configuration
Once the CAS server is configured to support Banner Enterprise Identity Services, Internet-native Banner and Banner Self-Service can be configured to participate in a CAS Single Sign-On (SSO) session. This is accomplished by deploying the Banner CAS Client Web application in the Admin server and the Portal server. This application proxies the CAS authentication process to the Banner SSO proxy Web applications that support Internet-native Banner and Banner Self-Service. The application is only required in a CAS-based environment.

Use the following steps to install and configure the Banner CAS Client Web application:

1. After you deploy the banner-cas-client version supplied with Banner Enterprise Identity Services for the Luminis Platform Admin and Portal instances, modify the following parameters in the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file.

Parameter                     Description
banner.sso.gateway            URL to the Banner SSO Web Proxy, which is part of the Banner Identity Gateway deployment.
cas.server.gateway            Determines whether the login screen is displayed to the user. The default is false.
cas.server.renew              Determines whether users must log in to each application. If true, users must log in to each application even when an SSO session is already established; use this when users must not reach another application in the SSO realm without presenting credentials again. If false, users who already have an SSO session are not prompted again; use this for general use.
cas.server.url                URL of the CAS server. This is normally a secured container, so the URL should start with https.
cas.server.proxyCallbackUrl   Server proxy callback URL, which should point to the CAS server and port.
cas.client.serverName         Client server address: the fully qualified server name and port where the application is running. Note: this should include the SSL port number.
cas.client.proxyCallbackUrl   Client proxy callback URL, which should point to the server and port where the client application is running. Note: this should include the SSL port number.

For example, the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file may appear as follows:

• Admin:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443

• Portal:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com:443

• The following three properties are not in use:
cas.server.gateway=false
cas.server.proxyCallbackUrl
cas.client.proxyCallbackUrl

2. Test the Web application by invoking the following URL, which should be accessible from all resource and Portal tiers:

   https://<Luminis host>:<SSL PORT>/banner-cas-client

The following URLs are used to start Banner in a CAS Single Sign-On environment:

• Internet-native Banner: http://<host>:<port>/banner-cas-client/authorized/bannerOracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/bannerSelfService
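The following is an added example, not part of the Ellucian guide: a consistency check for the cas-client.properties files of the Admin and Portal banner-cas-client instances. The keys and sample values are the ones shown above (the dotted key names are a reconstruction); the rules it enforces are assumptions made here: cas.server.url and banner.sso.gateway must be https, cas.client.serverName must carry an explicit port, both instances must share the same CAS server and gateway, and cas.server.renew=true together with cas.server.gateway=true is contradictory.

```python
"""Added example (not Ellucian code): lint the Admin and Portal cas-client.properties.
Key names are reconstructed; the rules are this example's own assumptions."""
from urllib.parse import urlsplit

# Constructed from the guide's Admin example. Note that the gateway is plain http.
ADMIN_PROPERTIES = """\
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
"""

# Constructed from the guide's Portal example.
PORTAL_PROPERTIES = """\
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com:443
"""

URL_KEYS = ("cas.server.url", "banner.sso.gateway")


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_instance(props, instance):
    """Per-file checks; returns a list of human-readable findings (empty means clean)."""
    findings = []
    for key in URL_KEYS:
        url = props.get(key, "")
        if not url:
            findings.append(f"{instance}: {key} is missing")
        elif urlsplit(url).scheme != "https":
            findings.append(f"{instance}: {key} is not https ({url}); the CAS service ticket "
                            "and the SSO handoff would travel in clear")
    name = props.get("cas.client.serverName", "")
    host, sep, port = name.rpartition(":")
    if not (sep and host and port.isdigit()):
        findings.append(f"{instance}: cas.client.serverName must be host:SSL-port, got '{name}'")
    renew = props.get("cas.server.renew", "false").lower() == "true"
    gateway = props.get("cas.server.gateway", "false").lower() == "true"
    if renew and gateway:
        findings.append(f"{instance}: cas.server.renew and cas.server.gateway cannot both be true")
    return findings


def check_pair(admin, portal):
    """Cross-instance checks: both tiers must point at the same CAS realm and gateway."""
    return [f"{key} differs between Admin and Portal"
            for key in URL_KEYS if admin.get(key) != portal.get(key)]


def check_all(admin_text, portal_text):
    """Run every check over the two files and return the combined findings."""
    admin, portal = parse_properties(admin_text), parse_properties(portal_text)
    return (check_instance(admin, "Admin") + check_instance(portal, "Portal")
            + check_pair(admin, portal))


if __name__ == "__main__":
    for finding in check_all(ADMIN_PROPERTIES, PORTAL_PROPERTIES):
        print(finding)
```

Run against the guide's own example values, the only finding on each tier is the plain-http banner.sso.gateway; once the gateway is served over https the check is clean.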
Banner Enterprise Identity Services Configuration Information Tables
The following is a list of the tables that store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.

For Identity Data Export Utilities, as with other Web apps, the configuration is stored in a properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed, under:

applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties

Schema     Table            Application                          Comments
BNIXMGR    APCONFG          Banner Identity Gateway              Stores application configuration for SSB and INB
BNIXMGR    WSCONFG          Banner Identity Gateway              Stores configuration for the Open Digital Campus Identity Web Service (Credential service and Ticketing service)
IDENTMGR   T_UDC_PST_LIST   Enterprise Identity Proxy Services   Stores a list of Provisioning Service Targets
Luminis Banner Web application
This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.

Use the following steps to deploy these portlets:

1. Make the necessary changes to the properties located in the following folders:

   $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
   $CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes

2. The properties that need to be modified with respect to the Banner portlets are as follows:

# The URL to access the Banner Portal Servlet
# Example: http://slcban3.sungardhe.com:7778/banportals
providerServlet.url=<URL for the banportals application>
# The user name to secure the servlet
providerServlet.userName=channelAdmin
# The password to secure the servlet (the shared secret with the banportals servlet; replace the placeholder)
providerServlet.password=u_pick_it
version=development
# The SSB URL for the English locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
# The SSB URL for the French locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
# The SSB URL for the Spanish (Mexico) locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
# The SSB URL for the Arabic locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
# The SSB URL for the Brazilian Portuguese locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
# The BEIS version: 814 for BEIS versions <= 8.1.4; otherwise the value must be 815
beis.version=814
# The banner-cas-client URL for SSB, used when BEIS <= 8.1.4
banner.cas.client.ssb=banner-cas-client/authorized/bannerSelfService
# The banner-cas-client URL for INB, used when BEIS <= 8.1.4
banner.cas.client.inb=banner-cas-client/authorized/bannerOracleForms?launch_form=
# The SSB URL for SSO Manager, used when BEIS 8.1.5 is used (the pkg parameter must match what is configured in SSO Manager)
beis.ssomanager.ssb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/SSB?pkg=
# The INB URL for SSO Manager, used when BEIS 8.1.5 is used
beis.ssomanager.inb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner
The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) application server.

This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server, and modifications to be made to the deployment of the Luminis Platform portlets for Banner. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.

For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki:

http://www.edu1world.org/CommonsLuminis

This section includes the following topics:

• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"

Create the home directory for Luminis Channels for Banner

To manipulate and configure the files, create a directory on the OAS 10g server, such as the following example:

/u01/PROD/sghe/banner/channels

Copy the contents of your Banner production directory's channel/admin subdirectory to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.

Edit the configuration file

Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:

D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following table describes the Banner database connection configuration properties and gives an example of each.

connectionName.list
    Connection listings. Each item in this list must have <connection name>.<property> entries specified. The default entry in the list makes the configuration look for default.tnsName, default.userName, and so on.
    Example: connectionName.list=default or connectionName.list=default,other

default.tnsName
    TNS name used when connecting to the Banner database.
    Example: default.tnsName=LB70.sct.com

default.userName
    Connection pool user name.
    Example: default.userName=banproxy

default.password
    Connection pool password. Do not reuse the user name as this example does; choose a real secret.
    Example: default.password=banproxy

default.poolConfig.min-limit
    Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
    Example: default.poolConfig.min-limit=1

default.poolConfig.max-limit
    Maximum number of physical connections maintained by the pool.
    Example: default.poolConfig.max-limit=5

default.poolConfig.increment
    Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
    Example: default.poolConfig.increment=1

default.poolConfig.timeout
    The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is in seconds.
    Example: default.poolConfig.timeout=30

log4j.rootCategory
    The logging level and logging scheme used from within the servlet. The default, INFO, stdout, directs the output of the servlet to the system output, which in turn writes to <ORACLE_HOME>/opmn/<oc4j instance>/logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR by setting log4j.rootCategory to ERROR, stdout.

providerServlet.url
    URL to access the Banner portal servlet. This is the URL of the web server and points to the OC4J servlet, which resides on the web server machine. The port of 4445 in the document is an example; you provide the port number that routes you to the welcome page of the web server, such as http://<yourservername.com>:7777. The banportals portion of the URL is the suggested virtual path for the OC4J servlet; see "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.

providerServlet.userName
    User name to secure the servlet.
    Example: providerServlet.userName=channelAdmin

providerServlet.password
    Password used to secure the servlet.
    Example: providerServlet.password=u_pick_it

xsl-parameter.erpUrlBase
    URL for the INB server. Note: if you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL.
    Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D

xsl-parameter.urlHostAndPath
    URL for the self-service application.
    Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD

The recommended value for the user name is channelAdmin. You can use any value for the password; because it is the only thing protecting the servlet, choose a long random value rather than the u_pick_it placeholder shown above.

This user name and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a channel request, it compares the user name and password stored in banportals.ear with the user name and password sent by Luminis from the luminis-banner webapp. Thus, the providerServlet user name and password only need to be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user, and so forth.

Generate the banportals.ear file

The banportals.config file contains values that are inserted into the banportals.ear file.

To roll the changes into an installer file, use banportalsadmin.jar. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME; a Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:

java -jar banportalsadmin.jar banportals.config

Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9, then deploy the resulting EAR file via Oracle Enterprise Manager as described in "Deploy the EAR file" on page 2-15.
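The following is an added example, not part of the Ellucian guide: an audit of banportals.config before its values are baked into banportals.ear. The sample file is constructed from the example column above (the dotted key names are a reconstruction); the rules are assumptions made here: every name in connectionName.list needs tnsName, userName and password entries, the pool password must not equal the user name or be a placeholder, the pool limits must be consistent, providerServlet.password must not be the documented placeholder or a short value, and providerServlet.url should be https because the providerServlet credentials are sent on every portlet request from luminis-banner.

```python
"""Added example (not Ellucian code): audit banportals.config for weak or
inconsistent settings. Key names are reconstructed; rules are this example's own."""

# Constructed from the example column of the configuration table.
SAMPLE_CONFIG = """\
connectionName.list=default
default.tnsName=LB70.sct.com
default.userName=banproxy
default.password=banproxy
default.poolConfig.min-limit=1
default.poolConfig.max-limit=5
default.poolConfig.increment=1
default.poolConfig.timeout=30
log4j.rootCategory=INFO, stdout
providerServlet.url=http://yourservername.com:7777/banportals
providerServlet.userName=channelAdmin
providerServlet.password=u_pick_it
"""

PLACEHOLDERS = {"u_pick_it", "password", "changeme", "secret"}
MIN_SECRET_LEN = 16  # our choice; the guide sets no minimum


def parse_config(text):
    """key=value lines; '#' comment lines are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit_pool(props, name):
    """Checks for one <connection name> block listed in connectionName.list."""
    findings = []
    for suffix in ("tnsName", "userName", "password"):
        if not props.get(f"{name}.{suffix}"):
            findings.append(f"{name}.{suffix} is missing")
    user, pw = props.get(f"{name}.userName"), props.get(f"{name}.password")
    if pw and (pw == user or pw.lower() in PLACEHOLDERS):
        findings.append(f"{name}.password is the user name or a placeholder")
    try:
        lo = int(props.get(f"{name}.poolConfig.min-limit", 1))
        hi = int(props.get(f"{name}.poolConfig.max-limit", lo))
        inc = int(props.get(f"{name}.poolConfig.increment", 1))
        timeout = int(props.get(f"{name}.poolConfig.timeout", 30))
    except ValueError:
        findings.append(f"{name}.poolConfig.* values must be integers")
        return findings
    if not (1 <= lo <= hi) or inc < 1 or timeout < 1:
        findings.append(f"{name}.poolConfig limits are inconsistent "
                        f"(min {lo}, max {hi}, inc {inc}, timeout {timeout})")
    return findings


def audit_banportals(props):
    """Return the findings for the whole file; an empty list means it passed."""
    names = [n.strip() for n in props.get("connectionName.list", "").split(",") if n.strip()]
    findings = [] if names else ["connectionName.list is empty"]
    for name in names:
        findings += audit_pool(props, name)
    secret = props.get("providerServlet.password", "")
    if secret.lower() in PLACEHOLDERS or len(secret) < MIN_SECRET_LEN:
        findings.append("providerServlet.password is a placeholder or shorter than "
                        f"{MIN_SECRET_LEN} characters; it is the only thing protecting the servlet")
    if not props.get("providerServlet.url", "").startswith("https://"):
        findings.append("providerServlet.url is not https; the providerServlet credentials are sent "
                        "in clear on every request from luminis-banner")
    return findings


if __name__ == "__main__":
    for finding in audit_banportals(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run over the guide's example values the audit reports three findings (pool password equal to the user name, the u_pick_it placeholder, and a plain-http servlet URL); all three are what a reviewer would flag before banportals.ear is generated.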
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use the Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be copied to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access to the banportals.ear file from your local (browser) machine via mapped drives or symbolic links, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically identify the application being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not /banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the file $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/banportals.properties is customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP username mapping first, based on the GUAUPRF LDAP settings, and then fail over to the mapping set in the Banner GOBEACC table. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and the event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for, and supporting, Banner Integration for eLearning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5, these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework Application Server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish Open MQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the .../imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.
You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the Open MQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows:
mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following lines to the .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
export SCT_LMG_HOME
3. Copy the lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgXx.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may appear as follows:
java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server runs on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects, such as topics, queues and connection factories, in $OPENDS_MQ_BASEDN (generally o=messaging). The properties include the following:
• Environmental settings:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes.
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port, and MQ_SSLJMS_PORT should match imq.ssljms.tls.port; both are located in imqbroker/props/config.properties. If these values are not specified in config.properties, use the imq.portmapper.port, which has a default value of 7676.
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update <glassfishdomain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the last property, imq.log.level, to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
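As an added example (not part of this guide or of Open MQ), the following Python script parses an accesscontrol.properties file in the layout shown above and reports which users are explicitly granted each operation on each destination, flagging wildcard grants that would undermine the per-destination permissions recommended here. The sample ACL is the one above plus one constructed wildcard line; the broker's own precedence between specific, wildcard and deny rules is not modelled, so the output is an audit aid rather than an authorization decision.

```python
"""Audit an Open MQ accesscontrol.properties file for least-privilege grants.

Added example, not part of the Luminis/Banner guide or of Open MQ. Rules have
the layout
    connection.<NORMAL|ADMIN>.<allow|deny>.<user|group>=<principals>
    <queue|topic>.<destination|*>.<produce|consume|browse>.<allow|deny>.<user|group>=<principals>
    <queue|topic>.create.<allow|deny>.<user|group>=<principals>
Only explicit grants are collected and wildcards flagged; the broker's
precedence between specific, wildcard and deny rules is not reproduced.
"""
from collections import defaultdict

# Constructed sample: the LMG/Luminis ACL from the guide plus one wildcard
# line (of the kind shipped in the default file) so the audit has something to flag.
SAMPLE_ACL = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
# constructed: broad grant that a least-privilege review should catch
topic.*.consume.allow.user=*
"""


def parse_acl(text):
    """Return a list of (resource, name, operation, access, principal_type, principals)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        principals = [p.strip() for p in value.split(",") if p.strip()]
        if parts[0] == "connection" and len(parts) == 4:
            rules.append(("connection", parts[1], "connect", parts[2], parts[3], principals))
        elif parts[0] in ("queue", "topic") and len(parts) == 5:
            rules.append((parts[0], parts[1], parts[2], parts[3], parts[4], principals))
        elif parts[0] in ("queue", "topic") and len(parts) == 4 and parts[1] == "create":
            rules.append((parts[0], "create", "create", parts[2], parts[3], principals))
        else:
            raise ValueError("unrecognised rule: " + line)
    return rules


def explicit_user_grants(rules):
    """Map (resource, name, operation) -> users named in allow rules, minus users named in deny rules.

    Simplification (an assumption of this example): only user-type rules are
    considered, and a user named in a deny rule for the same key is dropped.
    """
    allowed, denied = defaultdict(set), defaultdict(set)
    for resource, name, op, access, ptype, principals in rules:
        if ptype == "user":
            (denied if access == "deny" else allowed)[(resource, name, op)].update(principals)
    return {key: users - denied[key] for key, users in allowed.items()}


def wildcard_grants(rules):
    """Allow rules that cover every destination ('*' name) or every principal ('*' in the list)."""
    return [r for r in rules if r[3] == "allow" and (r[1] == "*" or "*" in r[5])]


def is_granted(grants, resource, name, operation, user):
    """True when a rule for this specific destination names the user."""
    return user in grants.get((resource, name, operation), set())


def report(text):
    """Audit lines: one per destination/operation, then one per wildcard finding."""
    rules = parse_acl(text)
    grants = explicit_user_grants(rules)
    lines = ["%s %s %s: %s" % (res, name, op, ",".join(sorted(users)))
             for (res, name, op), users in sorted(grants.items())]
    for res, name, op, _, ptype, principals in wildcard_grants(rules):
        lines.append("WILDCARD %s.%s.%s grants %s %s" % (res, name, op, ptype, ",".join(principals)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ACL)))
```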
Custom JMS Clients
Ensure that your JMS clients contain the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ or Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server:
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install the GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command.
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps:
Note: The imqusermgr command creates users in the file-system based user repository, but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details, or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default, the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
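As an added example (not from this guide or from Open MQ), the following Python parses a portmapper response like the two transcripts above and checks that the admin and jms services advertise the pinned ports rather than ephemeral ones, listing any TCP services still on dynamic ports. The response text, hostname and paths are constructed placeholders modelled on the second transcript.

```python
"""Verify that an Open MQ broker advertises the expected static service ports.

Added example, not part of the Luminis/Banner guide or of Open MQ. The input
is the text a client receives after connecting to the portmapper (port 7676):
a header line "<version> <broker> <mqver>" followed by one line per service,
    <service> <protocol> <type> <port> [<optional key=value properties>]
where port 0 means the service is not reachable on a TCP port of its own.
"""
import re

# Constructed response modelled on the guide's second transcript (hostname and
# paths are placeholders), after imq.admin.tcp.port and imq.jms.tcp.port were pinned.
SAMPLE_RESPONSE = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,imqhome=/opt/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://broker.example.edu/jndi/rmi://broker.example.edu:8686/broker.example.edu/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""

SERVICE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)(?:\s+\[(.*)\])?\s*$")


def parse_portmapper(text):
    """Return {'broker': name, 'mq_version': str, 'services': {name: {protocol, type, port, props}}}."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    if len(header) != 3:
        raise ValueError("bad portmapper header: " + lines[0])
    services = {}
    for line in lines[1:]:
        m = SERVICE_RE.match(line)
        if not m:
            raise ValueError("bad service line: " + line)
        name, proto, stype, port, props = m.groups()
        services[name] = {
            "protocol": proto,
            "type": stype,
            "port": int(port),
            # bracketed part is a comma-separated key=value list (may be absent)
            "props": dict(p.split("=", 1) for p in props.split(",")) if props else {},
        }
    return {"broker": header[1], "mq_version": header[2], "services": services}


def check_static_ports(info, expected):
    """Compare advertised ports with the pinned values; return a list of problems (empty = OK)."""
    problems = []
    for svc, want in expected.items():
        entry = info["services"].get(svc)
        if entry is None:
            problems.append("%s: not advertised by the broker" % svc)
        elif entry["port"] == 0:
            problems.append("%s: advertised but not listening on a TCP port" % svc)
        elif entry["port"] != want:
            problems.append("%s: listening on %d, expected %d" % (svc, entry["port"], want))
    return problems


def dynamic_tcp_services(info, pinned_ports):
    """TCP services listening on a port outside the pinned set, i.e. still ephemeral."""
    return sorted(name for name, e in info["services"].items()
                  if e["protocol"] == "tcp" and e["port"] != 0 and e["port"] not in pinned_ports)


if __name__ == "__main__":
    info = parse_portmapper(SAMPLE_RESPONSE)
    pinned = {"portmapper": 7676, "admin": 7574, "jms": 7575}
    print(check_static_ports(info, pinned) or ["all expected ports pinned"])
    print("still dynamic:", dynamic_tcp_services(info, set(pinned.values())))
```

Asking the check for an ssljms port reports "not advertised", which matches the transcript: setting imq.ssljms.tls.port alone does not start that service unless it is also listed in imq.service.activelist.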
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.
If Luminis Platform was installed with the default setting of jmsenabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on the HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfishdomain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host attribute matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN-ID lookup against LDAP involved in the SSO transaction. Instead, bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket (as in the Luminis CAS login on port 8447), coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or by proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP for his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise the bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless the LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the following command from $CP_ROOT/products/opends/bin:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN. For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter Use these values.
1.7 Enter F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, it indicates that no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key or password to perform the encryption.
Note: During your Banner installation or upgrade, you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as mkdir $BANNER_HOME/key_dir.
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value: Luminis ID = jsmith, Oracle/Banner ID = jsmith
• Mapped to one another in LDAP: Luminis ID = JoeSmith, Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another In this example the OracleBanner account name is jsmith and the Luminis account name is JoeSmith
1 Create a mapping file for example sso_mapldifsso_mapldif
dn cn=JoeSmitho=usermapo=Banner o=SCTSSOapplications
SCTSSOConfigString jsmith
objectClass top
objectClass SCTSSOConfig
description Map of Luminis ID - JoeSmith to BannerOracle ID - jsmith
cn JoeSmith
2 Import the mapping file into the LDAP Serverldapmodify -a -c -v -f sso_mapldif -D cn=Directory Manager -w pipeline
NoteYou must wait approximately 20 minutes for the mapping to take effect
3 Run the proxyinfosql script as bansecr or sysdba to verify that the mapping is working correctly For more information see the ldquoLuminis Banner Web applicationrdquo on page 2-9
NoteThe mapping defined in the o=usermap tree is read once after banportals startup when the user first accesses the Luminis Portlets for Banner The value is cached during subsequent startups If changes to a particular mapping are made you must restart banportals OC4J before the mapping may be read accordingly
Configure parameters using GUAUPRF

To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:

1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change a field value for the BASELINE user, that value is displayed as the default for new users who log in to Banner.

Parameter / Description

BIND_PASSWORD: The password for the bind user. It is stored in the database using DES encryption with the encryption key you configured in an earlier step. DES encryption is reversible by anyone who obtains that key, so restrict access to the key and to the GUAUPRF rows that hold the encrypted value.

BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist. Grant it read and search rights only; it does not need to modify entries.

DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.

SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted as an LDAP URL, for example ldap://myldapserver:389. With a plain ldap:// URL the bind password and the lookups cross the network in clear text; use an ldaps:// URL in production.

Note: If you are using LDAPS, you must also configure the parameters in the SSL key (step 5).

USERMAP_OPT: Usermap option. Valid values are L (the login ID is used for login mapping) and N (no usermap option is used).

USERMAP_PRFX: Prefix for the usermap. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.

Note: The usermap options are selected by the USERMAP_OPT parameter; the expected value is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:

Parameter / Description

LOCATION: To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where the wallet is created, in file URL format, for example file:d:\wallet on Windows or file:/u01/wallet on Unix.

PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.

MODE: The SSL authentication mode, one of the following values:
1 - No authentication is required (SSL encryption only). The connection is encrypted but the LDAP server's identity is not verified, so anything that can redirect the connection can impersonate the server.
2 - One-way authentication is required: the server's certificate is verified against the wallet.
3 - Two-way authentication is required: the client and the server authenticate each other's certificates.
A CAS Server Configuration

Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.

For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.

1. If you do not already have a CAS server installed, download the JA-SIG CAS server distribution.

2. Download the CAS extensions JAR file.

A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions for which an extension file is listed below.

2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.

2.2 Select the file that supports your version of CAS:

SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip

3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, the steps below use the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the Luminis Platform CAS server location SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:

4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:

jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar

4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:

<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>

4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:

4.2.1 Open the uniqueIdGenerators.xml file.

4.2.2 Add the following entry inside the existing <util:map id="uniqueIdGeneratorsMap"> element:

<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />

4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.

Use the following steps to modify the argumentExtractorsConfiguration.xml file:

4.3.1 Open the argumentExtractorsConfiguration.xml file.

4.3.2 Add the following XML configuration:

<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>

4.3.3 Add the following reference to the util:list argumentExtractors:

<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>

4.3.4 Save and close argumentExtractorsConfiguration.xml.

4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.

Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following XML configuration:

<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
      p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:proxyHandler-ref="proxy20Handler"
      p:argumentExtractor-ref="BannerArgumentExtractor"
      p:successView="bannerAccountServiceSuccessView"
      p:failureView="bannerAccountServiceFailureView" />

4.4.2 Add the following property to the bean handlerMappingC:

<prop key="/bannerValidate">bannerAccountValidateController</prop>

4.4.3 Save and close the cas-servlet.xml file.

4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:

<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry attributes (key) and Principal attributes (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:

<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:

<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.

4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.

4.6.1 Open default_views.properties.

4.6.2 Add the following lines:

# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView

4.6.3 Save and close default_views.properties.

4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4. The managed services registry is an allow-list of the service URLs to which CAS will issue and validate tickets, so register only the Banner service URLs that need the bannerValidate endpoint.
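The attributeRepository bean maps LDAP attributes to principal attributes (udcid to UDC_IDENTIFIER, givenname to Formatted Name), and the UDCPersonAttributeDaoUtil bean maps principal/SAML attribute names back to LDAP attributes (UDC_IDENTIFIER to udcid, Formatted Name to sn). When the two maps disagree, the value CAS releases under a principal attribute is not the one the extension later looks up by that name. The following Python is an added example, not part of CAS or of the SunGard CAS extension: it parses a constructed excerpt of deployerConfigContext.xml holding only those two beans and reports every principal attribute the maps resolve to different LDAP attributes. On the delivered maps it reports Formatted Name, released from givenname but looked up as sn; confirm with the deployer whether that is intended before going live.

```python
"""Cross-check the two attribute maps added to deployerConfigContext.xml.

Added example, not part of the SunGard CAS extension or of CAS itself. It
parses a constructed excerpt holding only the attributeRepository bean
(LDAP attribute -> principal attribute) and the UDCPersonAttributeDaoUtil
bean (principal/SAML attribute -> LDAP attribute) and reports attributes the
two maps resolve to different LDAP attributes.
"""
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"

# Constructed excerpt reproducing the maps shown in the steps above.
SAMPLE_CONTEXT = f"""<beans xmlns="{BEANS_NS}">
  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="query" value="(uid={{0}})" />
    <property name="ldapAttributesToPortalAttributes">
      <map>
        <entry key="uid" value="uid" />
        <entry key="udcid" value="UDC_IDENTIFIER" />
        <entry key="cn" value="cn" />
        <entry key="givenname" value="Formatted Name" />
        <entry key="mail" value="EmailAddress" />
      </map>
    </property>
  </bean>
  <bean id="UDCPersonAttributeDaoUtil"
        class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
    <property name="netIdAttr" value="uid" />
    <property name="samlToLdapAttributeNameMap">
      <map>
        <entry key="UDC_IDENTIFIER" value="udcid" />
        <entry key="Formatted Name" value="sn" />
      </map>
    </property>
  </bean>
</beans>
"""


def property_map(xml_text, bean_id, property_name):
    """Return {key: value} from the <map> under <property name=...> of a bean."""
    root = ET.fromstring(xml_text)
    ns = {"b": BEANS_NS}
    for bean in root.findall("b:bean", ns):
        if bean.get("id") != bean_id:
            continue
        for prop in bean.findall("b:property", ns):
            if prop.get("name") == property_name:
                return {e.get("key"): e.get("value")
                        for e in prop.findall("b:map/b:entry", ns)}
    raise KeyError(f"bean {bean_id!r} has no map property {property_name!r}")


def attribute_map_conflicts(xml_text):
    """List (principal_attr, ldap_attr_released, ldap_attr_looked_up) for each
    principal attribute in the SAML-to-LDAP map that the LDAP-to-principal
    map does not release from the same LDAP attribute (None = not released)."""
    forward = property_map(xml_text, "attributeRepository",
                           "ldapAttributesToPortalAttributes")
    reverse = property_map(xml_text, "UDCPersonAttributeDaoUtil",
                           "samlToLdapAttributeNameMap")
    released = {principal: ldap for ldap, principal in forward.items()}
    return [(principal, released.get(principal), ldap_attr)
            for principal, ldap_attr in reverse.items()
            if released.get(principal) != ldap_attr]


if __name__ == "__main__":
    for principal, fwd, rev in attribute_map_conflicts(SAMPLE_CONTEXT):
        print(f"{principal}: released from LDAP {fwd!r}, looked up as {rev!r}")
```

To check a real deployment, read SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml into xml_text instead of SAMPLE_CONTEXT; the bean ids and property names are the ones used in the steps above.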
B Logs

Banner Enterprise Identity Services logs help you understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, the secure content provider for the Luminis Channels for Banner (also known as Banner Channels for Luminis Platform). It uses a DB connection pool and secured access to data at the Banner DB level.

You can also enable debug logging for the GlassFish message queue (MQ) component.

Banportals logs

BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:

$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties

For example, to create a unique logfile that captures details of the channel Web Proxy activity, edit log4j.properties as follows:

log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set the logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:

$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties

Alternatively, you can add the following to your common log4j.properties, stored in the following location:

$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties

log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file

If you are not actively debugging, lower the verbosity to ERROR level; DEBUG output grows quickly and records request details that have no business sitting in long-lived log files.

Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:

$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1

There are several app-specific logs you can also refer to, such as the following:

[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log

For HTTP-layer monitoring, refer to the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure them.

You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1); if that delivered credential is still in place, change it, because OEM can stop, start and restart individual containers, such as the OC4J containers called main (for banportals) and BEIS (for Banner Enterprise Identity Services).

Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; these take effect after the next restart of that component.

GlassFish MQ and Luminis Platform Message Brokerage logs

Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs

If you want to adjust the verbosity of jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties

Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties

Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:

# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.

Learning Management Gateway (LMG) logs

Once an event has been processed in Banner and its status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) in the LMG log files.

The main LMG log files are as follows:

$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)

The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.

To debug LMG for events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:

log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG

Once these properties are set, restart LMG and capture the logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.

If LMG processed the files successfully, you see messages in the log files similar to the following example:

2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
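A healthy event leaves the three messages above in order, keyed by the same event ID that GOAEQRM shows as the Event Sequence. The following Python is an added example, not part of LMG, that correlates adapter.log lines by event ID so that an event which validated but never reached the broker stands out without reading the file by hand. It assumes the line layout shown above (timestamp with milliseconds, [thread], level, logger, " - ", message) and the three INFO message texts; the sample log is constructed from those lines plus one event that stalls after validation.

```python
"""Correlate LMG adapter.log lines by event ID to spot events that stalled.

Added example, not part of LMG. It assumes the line format shown above
(timestamp, [thread], level, logger, ' - ', message) and the three INFO
messages a healthy event emits on its way to _onlineCoursePublisher; the
sample log below is constructed from that format.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$")

# Message patterns in the order a healthy event passes through them; group 1
# is the event ID (the Event Sequence on GOAEQRM).
STAGES = [
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("published_to_broker",
     re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("published_to_target",
     re.compile(r"The event (\d+) has been published to (\S+)")),
]

# Constructed sample: 370660 completes; 370661 validates but never reaches
# the broker.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,110 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
"""


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match
    (stack traces and continuation lines are skipped this way)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(f"{rec['ts']}.{rec['ms']}",
                                    "%Y-%m-%d %H:%M:%S.%f")
    return rec


def track_events(log_text):
    """Return {event_id: {"stages": {stage: time}, "target": publisher}}."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for stage, pattern in STAGES:
            m = pattern.search(rec["msg"])
            if m:
                ev = events.setdefault(m.group(1), {"stages": {}, "target": None})
                ev["stages"][stage] = rec["time"]
                if stage == "published_to_target":
                    ev["target"] = m.group(2)
                break
    return events


def stalled_events(events):
    """{event_id: last_stage_reached} for events that never hit the last stage."""
    final = STAGES[-1][0]
    return {eid: max(ev["stages"], key=ev["stages"].get)
            for eid, ev in events.items() if final not in ev["stages"]}


def stage_latency_ms(events, event_id):
    """Whole milliseconds from validation to publication for a completed event."""
    st = events[event_id]["stages"]
    delta = st["published_to_target"] - st["validated"]
    return delta.days * 86_400_000 + delta.seconds * 1000 + delta.microseconds // 1000


if __name__ == "__main__":
    evs = track_events(SAMPLE_LOG)
    print("stalled:", stalled_events(evs))
    print("370660 latency ms:", stage_latency_ms(evs, "370660"))
```

Feed it the real $SCT_LMG_HOME/Events/logs/adapter.log after reproducing the problem; an event that appears in stalled_events with last stage validated never reached the broker, which points at the MQ side rather than at Banner.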
GlassFish MQ 4.5 logs

If you see that an event is passing through LMG correctly yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:

1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log

2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG

This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:

imq.log.level=DEBUG

3. To change the destination directory or filename for the MQ log, add or edit the following properties in the same file:

imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files

This appendix contains examples of scripts and LDIF files you might use during the integration. These include the following:

• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"

Sample proxyinfo.sql script

The following is an example proxyinfo.sql script:

--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID,
-- such as INTEGMGR or WWW_USER, is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL*Plus as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS      TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                       TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on
set scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- Left commented out so the proxy credential is not written to the spool file:
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off

Sample 00-core.ldif

The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif

The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ description ) )

Sample sso_oclass_lum5.ldif

The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, update 00-core.ldif and 99-user.ldif as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.

The following is a sample sso_oclass_lum5.ldif:

dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ description ) )

Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1...
Sample o=sctssoapplications.ldif

The following is a sample o=sctssoapplications.ldif file:

version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr

Full lp5_mqinit.sh script

The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# lp5_mqinit.sh
# author: david.norton@sungardhe.com
#
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc, general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
# (the script relies on [[ ]], read -s and (( )), so it needs bash)
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"
#
# User-configurable variables: set these before running the script.
# Replace the two "password" placeholders; they become the LDAP
# credentials of the broker users.
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel
#
# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389
#
# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0
#
# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break 2 ;;
          * ) echo "Failed on step $STEPNO with error $ERRORCODE"
              exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case ("no pun")
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}
#
# Step 01
# Some sanity checks before we start:
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi
#
# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD
#
# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# --trustAll accepts whatever certificate the server presents, and -w puts
# the password on the command line where other local users can read it with
# ps; both are tolerable only because the script runs on the directory host.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"
#
# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 2
# Ensure that pre-encoded passwords are allowed
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 3
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# If you want to insert a pre-encoded userPassword, the format would be
# (the double colon marks a base64-encoded LDIF value):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
#
# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 8
# Add an LDAP ACI so that $MQ_LMG_USER has read/search/compare ability in
# $OPENDS_MQ_BASEDN (read-only: the broker users look up administered
# objects, they never modify them)
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 9
# Add an LDAP ACI so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# Define JNDI options for the imqobjmgr commands.
# Note: this binds as Directory Manager over plain LDAP ($INSECURE_LDAP_PORT),
# so the password crosses the wire in clear text unless the script runs on
# the directory host itself.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
#
# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
#
# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
#
# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
er 2011 Luminis Platform 503 C-11Banner Integration Setup Guide
Sample Scripts and Files
C-12
imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
STEP 10
Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOMEbin
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_EntityEvents -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 11
Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Error -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 12
Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_LmsSync -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 13
Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Sync -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (imqDestinationName corrected to the UpdateRequest queue created above; the sample as printed pointed at com_sct_ldi_sis_Sync)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (imqDestinationName corrected to the UpdateReply queue created above; the sample as printed pointed at com_sct_ldi_sis_Sync)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following “connect through” grant is required for all non-INB users:
SQL> alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) grant for BANPROXY access should appear as follows:
SQL> alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed; USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect-through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, run as bansecr, described in “Sample proxyinfo.sql script” on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual so that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration consistently wherever forms/frmservlet?config=… is referenced in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log, located in $OAS_HOME/opmn/logs, or errors such as “SOAPException: faultCode=INVALID SOAP RESPONSE” in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams on which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo is the following:
1. select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE (the closing single quote is missing)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If streams are locking on archive logs, you can remove the streams by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
Banner CAS client configuration
Once the CAS server is configured to support Banner Enterprise Identity Services, you can configure Internet-Native Banner and Banner Self-Service to participate in a CAS Single Sign-On (SSO) session. This is accomplished by deploying the Banner CAS Client Web application in the Admin server and the Portal server. This application proxies the CAS authentication process to the Banner SSO proxy Web applications that support Internet-Native Banner and Banner Self-Service. The application is only required in a CAS-based environment.
Use the following steps to install and configure the Banner CAS Client Web application:
1. After you deploy the banner-cas-client version supplied with Banner Enterprise Identity Services for the Luminis Platform Admin and Portal instances, modify the following parameters in the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file:
Parameter: banner.sso.gateway
Description: URL to the Banner SSO Web Proxy, which is part of the Banner Identity Gateway deployment.
Parameter: cas.server.gateway
Description: Determines whether the login screen is displayed to the user. The default is false.
Parameter: cas.server.renew
Description: Determines whether users must log in to each application. If set to true, users must log in to each application regardless of whether an SSO session was established; use this setting if users are allowed to log in to another application within the SSO realm without providing credentials again. If set to false, users do not need to log in to each application once an SSO session has been established; use this setting for general use.
Parameter: cas.server.url
Description: URL to the CAS server. Generally this is a secured container, meaning the URL should begin with https.
Parameter: cas.server.proxyCallbackUrl
Description: Server proxy callback URL, which should point to the CAS server and port.
Parameter: cas.client.serverName
Description: Client server address, consisting of the fully qualified server name and port where the application is running. Note: This should include the SSL port number.
Parameter: cas.client.proxyCallbackUrl
Description: Client proxy callback URL, which should point to the server and port where the client application is running. Note: This should include the SSL port number.
For example, the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file may appear as follows:
• Admin:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
• Portal:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com:443
• The following three properties are not in use:
cas.server.gateway=false
cas.server.proxyCallbackUrl
cas.client.proxyCallbackUrl
2. Test the Web application by invoking the following URL. This URL should be accessible from all resource and Portal tiers:
https://<Luminis host>:<SSL PORT>/banner-cas-client
The following URLs are used to start Banner in a CAS Single Sign-On environment:
• Internet-Native Banner: http://<host>:<port>/banner-cas-client/authorized/bannerOracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/bannerSelfService
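Because the Admin and Portal copies of cas-client.properties must agree and the serverName values must carry the SSL port, the following shell check reads the file deployed to each tier and flags the common mistakes. This is an added example, not code from the guide or from the banner-cas-client application; the file names and the sample files it writes are constructed from the example values above.

```shell
#!/bin/sh
# Added example, not from the Luminis guide: sanity-check the
# cas-client.properties copies deployed to the Admin and Portal tiers.
# The files written by write_samples are constructed from the guide's
# example values; point the check_* functions at real paths instead.

# prop_get FILE KEY: print the value of KEY (last definition wins, comments ignored)
prop_get() {
    grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# check_cas_client FILE: 0 when every check passes, 1 otherwise (one line per finding)
check_cas_client() {
    f=$1; rc=0
    url=$(prop_get "$f" cas.server.url)
    name=$(prop_get "$f" cas.client.serverName)
    renew=$(prop_get "$f" cas.server.renew)
    case "$url" in                      # the CAS server must be reached over TLS
        https://*) ;;
        *) echo "$f: cas.server.url should start with https:// (got '$url')"; rc=1 ;;
    esac
    case "$name" in                     # serverName must carry the SSL port
        *:[0-9]*) ;;
        *) echo "$f: cas.client.serverName must include the SSL port (got '$name')"; rc=1 ;;
    esac
    case "$renew" in                    # renew is a boolean switch
        true|false) ;;
        *) echo "$f: cas.server.renew must be true or false (got '$renew')"; rc=1 ;;
    esac
    return $rc
}

# check_tiers_match ADMIN_FILE PORTAL_FILE: 0 when both tiers use the same
# CAS server, Banner SSO gateway and renew policy, 1 otherwise
check_tiers_match() {
    rc=0
    for key in cas.server.url banner.sso.gateway cas.server.renew; do
        a=$(prop_get "$1" "$key"); p=$(prop_get "$2" "$key")
        if [ "$a" != "$p" ]; then
            echo "$key differs: admin='$a' portal='$p'"; rc=1
        fi
    done
    return $rc
}

# write_samples DIR: constructed Admin, Portal and deliberately broken files
write_samples() {
    cat > "$1/admin.properties" <<'EOF'
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
EOF
    cat > "$1/portal.properties" <<'EOF'
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com:443
EOF
    cat > "$1/broken.properties" <<'EOF'
# plain http to the CAS server, no SSL port, and a non-boolean renew value
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=yes
cas.server.url=http://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com
EOF
}

# Demonstration on the constructed files
tmp=$(mktemp -d)
write_samples "$tmp"
for tier in admin portal broken; do
    if check_cas_client "$tmp/$tier.properties"; then
        echo "$tier.properties: OK"
    fi
done
if check_tiers_match "$tmp/admin.properties" "$tmp/portal.properties"; then
    echo "admin and portal tiers agree"
fi
rm -rf "$tmp"
```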
Banner Enterprise Identity Services Configuration Information Tables
The following tables store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.
For Identity Data Export Utilities, as with other Web apps, the configuration is stored in the properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory, the files are stored in the following location:
applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties
Schema | Table | Application | Comments
BNIXMGR | APCONFG | Banner Identity Gateway | Stores application configuration for SSB and INB
BNIXMGR | WSCONFG | Banner Identity Gateway | Stores configuration for the Open Digital Campus Identity Web Service for the Credential service and Ticketing service
IDENTMGR | T_UDC_PST_LIST | Enterprise Identity Proxy Services | Stores a list of Provisioning Service Targets
Luminis Banner Web application
This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.
Use the following steps to deploy these portlets:
1. Make the necessary changes to certain properties located in the following folders:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
$CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes
2. The properties that need to be modified with respect to the Banner portlets are as follows:
# The URL to access the Banner Portal Servlet
# Example: http://slcban3.sungardhe.com:7778/banportals
providerServlet.url=<URL for the banportals application>
# The user name to secure the servlet
providerServlet.userName=channelAdmin
# The password to secure the servlet
providerServlet.password=u_pick_it
version=development
# The SSB URL for the English locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
# The SSB URL for the French locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
# The SSB URL for the Spanish (Mexican) locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
# The SSB URL for the Arabic locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
# The SSB URL for the Brazilian locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
# The BEIS version: either 814 (for BEIS versions that are <= 814) or 815
beis.version=814
# The banner-cas-client URL for SSB in case BEIS <= 814 is used
banner.cas.client.ssb=banner-cas-client/authorized/bannerSelfService
# The banner-cas-client URL for INB in case BEIS <= 814 is used
banner.cas.client.inb=banner-cas-client/authorized/bannerOracleForms?launch_form=
# The SSB URL for SSO Manager in case BEIS 815 is used (note that the pkg parameter has to be the same as configured in SSO Manager)
beis.ssomanager.ssb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/SSB?pkg=
# The INB URL for SSO Manager in case BEIS 815 is used
beis.ssomanager.inb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner
The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) application server.
This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server and modifications to be made to the deployment of the Luminis Platform portlet for Banner server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.
For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki:
http://www.edu1world.org/CommonsLuminis
This section includes the following topics:
• “Create the home directory for Luminis Channels for Banner”
• “Edit the configuration file”
• “Banner database connection configuration properties”
• “Generate the banportals.ear file”
• “Deploy the EAR file”
• “Banner portlet life cycle”
Create the home directory for Luminis Channels for Banner
To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels
Copy the contents of your Banner production directory/channel/admin to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.
Edit the configuration file
Edit the banportals.config file located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following table specifies descriptions and examples of the Banner database connection configuration properties.
Property: connectionName.list
Description: Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName, and so on.
Example: connectionName.list=default or connectionName.list=default other
Property: default.tnsName
Description: TNS name used when connecting to the Banner database.
Example: default.tnsName=LB70.sct.com
Property: default.userName
Description: Connection pool user name.
Example: default.userName=banproxy
Property: default.password
Description: Connection pool password.
Example: default.password=banproxy
Property: default.poolConfig.min-limit
Description: Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
Example: default.poolConfig.min-limit=1
Property: default.poolConfig.max-limit
Description: Maximum number of physical connections maintained by the pool.
Example: default.poolConfig.max-limit=5
Property: default.poolConfig.increment
Description: Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
Example: default.poolConfig.increment=1
Property: default.poolConfig.timeout
Description: The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is in seconds.
Example: default.poolConfig.timeout=30
Property: log4j.rootCategory
Description: The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR; to do so, set the value of log4j.rootCategory to ERROR, stdout.
Property: providerServlet.url
Description: URL to access the Banner portal servlet. This is the URL of the webserver and points to the OC4J servlet, which resides on the webserver machine. The port 4445 in the document is an example; you provide the port number that routes you to the welcome page of the webserver, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. Reference “Generate the banportals.ear file” on page 2-14 for the banportals portion of the URL.
Property: providerServlet.userName
Description: User name to secure the servlet.
Example: providerServlet.userName=channelAdmin
Property: providerServlet.password
Description: Password used to secure the servlet.
Example: providerServlet.password=u_pick_it
The recommended value for the username is channelAdmin. You can use any value for the password.
This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a Channel request, it compares the username and password stored in banportals.ear with the username and password sent by Luminis from the luminis-banner webapp. Thus the providerServlet username and password only need to be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user, and so forth.
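Since the OC4J side only compares the credentials baked into banportals.ear with what each luminis-banner webapp sends, a stale banportals.properties on any tier silently breaks every Banner portlet on it. The following shell functions compare the providerServlet credentials in banportals.config with each tier's banportals.properties and also flag a password left at the documentation sample. This is an added check (example code, not part of the guide or of banportals); the file names and values it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the Luminis guide: verify that the providerServlet
# shared secret in $CHANNEL_HOME/banportals.config (baked into banportals.ear)
# matches the banportals.properties copy on each Luminis tier, and that the
# guide's sample password u_pick_it was replaced.
# File names and values written by write_banportals_samples are constructed.

# prop_get FILE KEY: print the value of KEY (last definition wins, comments ignored)
prop_get() {
    grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# check_provider_secret CONFIG PROPS...: 0 when CONFIG holds non-sample
# credentials and every PROPS file carries the same userName and password;
# otherwise print one line per finding and return 1. Passwords are never printed.
check_provider_secret() {
    cfg=$1; shift; rc=0
    cfg_user=$(prop_get "$cfg" providerServlet.userName)
    cfg_pw=$(prop_get "$cfg" providerServlet.password)
    if [ -z "$cfg_user" ] || [ -z "$cfg_pw" ]; then
        echo "$cfg: providerServlet.userName/password not set"; return 1
    fi
    if [ "$cfg_pw" = "u_pick_it" ]; then
        echo "$cfg: providerServlet.password is still the sample value from the guide"; rc=1
    fi
    for f in "$@"; do
        u=$(prop_get "$f" providerServlet.userName)
        p=$(prop_get "$f" providerServlet.password)
        if [ "$u" != "$cfg_user" ]; then
            echo "$f: providerServlet.userName '$u' differs from banportals.config ('$cfg_user')"; rc=1
        fi
        if [ "$p" != "$cfg_pw" ]; then
            echo "$f: providerServlet.password differs from banportals.config"; rc=1
        fi
    done
    return $rc
}

# write_banportals_samples DIR: constructed config and per-tier properties files
write_banportals_samples() {
    cat > "$1/banportals.config" <<'EOF'
providerServlet.userName=channelAdmin
providerServlet.password=constructed-example-secret
EOF
    cat > "$1/sample-banportals.config" <<'EOF'
# still carries the documentation sample password
providerServlet.userName=channelAdmin
providerServlet.password=u_pick_it
EOF
    cat > "$1/admin-banportals.properties" <<'EOF'
providerServlet.url=http://slcban3.sungardhe.com:7778/banportals
providerServlet.userName=channelAdmin
providerServlet.password=constructed-example-secret
EOF
    cat > "$1/portal-banportals.properties" <<'EOF'
# stale copy: the password was rotated in banportals.config but not here
providerServlet.url=http://slcban3.sungardhe.com:7778/banportals
providerServlet.userName=channelAdmin
providerServlet.password=old-constructed-secret
EOF
}

# Demonstration on the constructed files
tmp=$(mktemp -d)
write_banportals_samples "$tmp"
if check_provider_secret "$tmp/banportals.config" \
       "$tmp/admin-banportals.properties" "$tmp/portal-banportals.properties"; then
    echo "all tiers agree with banportals.config"
fi
if ! check_provider_secret "$tmp/sample-banportals.config" "$tmp/admin-banportals.properties"; then
    echo "sample-banportals.config rejected"
fi
rm -rf "$tmp"
```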
Generate the banportals.ear file
The banportals.config file contains values that should be inserted into the banportals.ear file.
To roll out the changes, use the banportalsadmin.jar installer file. To use this installer, a Java VM must be installed on the same machine as CHANNEL_HOME; Java VM 1.3.1 or higher is required. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in “Luminis Banner Web application” on page 2-9. Then deploy the resulting EAR file via Oracle Enterprise Manager as described in “Deploy the EAR file” on page 2-15.
Property: xsl-parameter.erpUrlBase
Description: URL for the INB server. Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL in the example.
Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D
Property: xsl-parameter.urlHostAndPath
Description: URL for the self-service application.
Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD/
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing Enterprise Manager. If access is not readily available, the file must be copied to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) machine, via mapped drives or symbolic links, to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically identify the application being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP username mapping first, based on the GUAUPRF LDAP settings, and then fail over to the mapping set in the Banner GOBEACC mapping. For more information on SSB and INB configurations, see “SSB and INB Integration” on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and the event-driven infrastructure.
This chapter discusses the following sections:
• “Learning Message Gateway”
• “Configure JMS provider with Luminis Platform”
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for use with Banner Integration for e-Learning. It supports Banner Integration for eLearning.
This section explains the following topics:
• “Background from a Luminis Platform 4 perspective”
• “Install LMG 4.0”
• “Set up users and administered objects in o=messaging”
• “Enable LDAP user repository for MQ”
• “Set up GlassFish MQ access control”
• “Custom JMS Clients”
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ-wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework application server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish OpenMQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the …/imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.
You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider, but SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the OpenMQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the command might look as follows:
mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following lines to the .bash_profile of your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
export SCT_LMG_HOME
3. Copy lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgXx.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may look as follows:
java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipe

line -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.
The full script is listed in “Full lp5_mqinit.sh script” on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects, such as topics, queues, and connection factories, in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:
• Environmental settings:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use the imq.portmapper.port, which has a default value of 7676.
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=/imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSLJMS connection.
• Other settings, which should only be modified in non-standard configurations:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the last property, imq.log.level, to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue- and topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis:
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
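The following added example (not part of the guide or of Ellucian's scripts) audits an accesscontrol.properties file against the per-destination layout above, reporting wildcard grants, principals that are not expected on a destination, and destinations left to the broker default. SAMPLE_ACL and the portaltest principal are constructed for the demonstration.

```python
"""Audit a GlassFish/Open MQ accesscontrol.properties file against the least-privilege
layout the guide describes for the LDI destinations (lmguser from LMG, lumuser from Luminis).

Added example, not part of the Luminis guide or Ellucian's scripts. SAMPLE_ACL is constructed:
it repeats the guide's rules and adds two deliberate problems for the audit to catch.
"""
import re
from collections import defaultdict

SAMPLE_ACL = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser,portaltest
topic.*.consume.allow.user=*
"""

# Expected policy, transcribed from the guide: (kind, destination, operation) -> principals.
EXPECTED = {
    ("queue", "com_sct_ldi_sis_UpdateReply", "produce"): {"lmguser"},
    ("queue", "com_sct_ldi_sis_UpdateRequest", "consume"): {"lmguser"},
    ("topic", "com_sct_ldi_sis_EntityEvents", "consume"): {"lumuser"},
    ("topic", "com_sct_ldi_sis_EntityEvents", "produce"): {"lumuser", "lmguser"},
    ("topic", "com_sct_ldi_sis_Error", "consume"): {"lumuser"},
    ("topic", "com_sct_ldi_sis_Error", "produce"): {"lumuser", "lmguser"},
    ("topic", "com_sct_ldi_sis_LmsSync", "produce"): {"lmguser"},
    ("topic", "com_sct_ldi_sis_Sync", "consume"): {"lumuser"},
    ("topic", "com_sct_ldi_sis_Sync", "produce"): {"lmguser"},
}

# queue|topic . <destination> . produce|consume|browse . allow|deny . user = a,b,c
RULE_RE = re.compile(
    r"^(?P<kind>queue|topic)\.(?P<dest>[^.]+)\.(?P<op>produce|consume|browse)"
    r"\.(?P<verdict>allow|deny)\.user=(?P<users>.*)$"
)


def parse_acl(text):
    """Return {(kind, dest, op): {"allow": set, "deny": set}} for destination rules.

    connection.* rules and comments are skipped; only destination-level access is audited."""
    rules = defaultdict(lambda: {"allow": set(), "deny": set()})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        users = {u.strip() for u in m.group("users").split(",") if u.strip()}
        key = (m.group("kind"), m.group("dest"), m.group("op"))
        rules[key][m.group("verdict")] |= users
    return dict(rules)


def audit(text, expected=EXPECTED):
    """Return sorted findings; an empty list means the file matches the expected policy."""
    rules = parse_acl(text)
    findings = []
    for key, entry in rules.items():
        kind, dest, op = key
        # Assumption: an explicit deny for a principal overrides its allow.
        effective = entry["allow"] - entry["deny"]
        if dest == "*" or "*" in effective:
            findings.append(f"wildcard grant: {kind}.{dest}.{op} allows {sorted(effective)}")
            continue
        if key in expected:
            extra = effective - expected[key]
            missing = expected[key] - effective
            if extra:
                findings.append(f"unexpected principal(s) {sorted(extra)} on {kind}.{dest}.{op}")
            if missing:
                findings.append(f"missing principal(s) {sorted(missing)} on {kind}.{dest}.{op}")
    for kind, dest, op in expected:
        if (kind, dest, op) not in rules:
            findings.append(f"no rule for {kind}.{dest}.{op} (broker default applies)")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACL):
        print(finding)
```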
Custom JMS Clients
Ensure that your JMS clients have the same versions of jms.jar and imq.jar in their classpath as any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services and so on. When encountering problems with GlassFish, MQ or the Update Center, refer to http://java.net/jira/secure/IssueNavigator.jspa
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server.
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases later than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command.
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps.
Note: The imqusermgr command creates users in the file-system based user repository, but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use with IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password, or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details, or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jms.userid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default, the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for the other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, both the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.
If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance, and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jms.userid>
com.sghe.luminis.imqConnectionCredentials=<jms.password>
com.sghe.luminis.imqBrokerHostName=<jms.host>
com.sghe.luminis.imqAddressList=mq://<jms.host>:7676/jms
5. The GlassFish Enterprise Server should be installed, with the jms and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN in any IMQCMD commands.
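The static-port verification in step 4 is done by reading the telnet listing by eye. The following added example (not part of the guide or of Open MQ) parses that portmapper banner and compares the advertised admin, jms and ssljms ports with the imq.*.port lines in config.properties; the banner and config text are constructed after the guide's listing, with a placeholder hostname.

```python
"""Parse the Open MQ portmapper banner (what the guide's telnet test shows) and verify that
the services pinned in config.properties are advertised on those static ports.

Added example, not part of the Luminis guide or Open MQ. SAMPLE_BANNER is constructed in the
shape of the guide's second telnet listing, with a placeholder hostname; SAMPLE_CONFIG holds
the three static-port lines the guide adds to config.properties.
"""
import re

SAMPLE_BANNER = """\
101
imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://mq.example.edu/jndi/rmi://mq.example.edu:8686/mq.example.edu/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""

SAMPLE_CONFIG = """\
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
"""

# Service name as advertised by the portmapper -> config.properties key that pins its port.
STATIC_PORT_KEYS = {
    "admin": "imq.admin.tcp.port",
    "jms": "imq.jms.tcp.port",
    "ssljms": "imq.ssljms.tls.port",
}

# <service> <protocol> <type> <port> [key=value,...]
SERVICE_RE = re.compile(
    r"^(?P<name>\S+) (?P<proto>\S+) (?P<type>\S+) (?P<port>\d+)(?: \[(?P<attrs>.*)\])?$"
)


def parse_banner(text):
    """Return {service: {"protocol", "type", "port", "attrs"}}; non-service lines are skipped."""
    services = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue  # the "101" version line and the "imqbroker 4.5" line
        attrs = {}
        for kv in (m.group("attrs") or "").split(","):
            if "=" in kv:
                k, _, v = kv.partition("=")
                attrs[k] = v
        services[m.group("name")] = {
            "protocol": m.group("proto"),
            "type": m.group("type"),
            "port": int(m.group("port")),
            "attrs": attrs,
        }
    return services


def parse_properties(text):
    """Minimal key=value reader for the config.properties lines we care about."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, _, v = line.partition("=")
            props[k.strip()] = v.strip()
    return props


def check_static_ports(banner_text, config_text):
    """Return findings; empty means every pinned service is advertised on its static port.

    A pinned service missing from the banner is reported (for ssljms this usually means the
    TLS service is not in imq.service.activelist), and any remaining tcp service still on an
    ephemeral port is reported so the firewall rules can account for it."""
    services = parse_banner(banner_text)
    props = parse_properties(config_text)
    findings = []
    for svc, key in STATIC_PORT_KEYS.items():
        if key not in props:
            continue  # not pinned: ephemeral by design
        want = int(props[key])
        if svc not in services:
            findings.append(f"{svc}: {key}={want} configured but service not advertised")
        elif services[svc]["port"] != want:
            findings.append(f"{svc}: advertised port {services[svc]['port']} != {key}={want}")
    for svc, info in services.items():
        if (info["protocol"] == "tcp" and svc not in STATIC_PORT_KEYS
                and svc != "portmapper" and info["port"] != 0):
            findings.append(f"{svc}: tcp service on ephemeral port {info['port']}")
    return findings


if __name__ == "__main__":
    for finding in check_static_ports(SAMPLE_BANNER, SAMPLE_CONFIG):
        print(finding)
```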
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN-ID lookup against LDAP involved in the SSO transaction. Instead, bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket (as in the Luminis-CAS login on port 8447) coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with banportals for each transaction, using the user's actual INB/Oracle user account or a proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP from his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with the b_0110_twb8030001 patch, or Web Tailor 8.2 with the b_0110_twb8020001 patch. Otherwise, bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the command $CP_ROOT/products/opends/bin/dsconfig as follows:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter Use these values.
1.7 Press F to finish and apply the changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any user who does not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption, as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is neither necessary nor recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value: Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP: Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs differ from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping is read again.
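The following added example (not part of the guide or of Ellucian's proxyinfo.sql) generates o=usermap entries for a list of (Luminis ID, Banner/Oracle ID) pairs in the layout shown in step 1, skipping same-ID users as the guide advises and applying LDIF base64 and DN escaping rules for IDs that need them, and resolves a Luminis ID with the same precedence the proxyinfo.sql check describes. SAMPLE_PAIRS is constructed; banproxy is the guide's usual default.

```python
"""Build o=usermap LDIF entries for Luminis IDs that differ from the Banner/Oracle ID, and
resolve a Luminis ID the way the guide's proxyinfo.sql check does (explicit map first,
otherwise the default Oracle ID, usually banproxy).

Added example, not part of the Luminis guide or Ellucian's proxyinfo.sql. SAMPLE_PAIRS is
constructed; the JoeSmith/jsmith pair is the guide's own example.
"""
import base64

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "banproxy"  # the guide's "usually banproxy" default

# (Luminis ID, Banner/Oracle ID). Identical pairs get no usermap entry, as the guide advises.
SAMPLE_PAIRS = [
    ("JoeSmith", "jsmith"),
    ("asmith", "asmith"),
    ("Mary O'Neil", "moneil"),
]


def escape_rdn_value(value):
    """Escape an RDN attribute value (RFC 4514) so that cn=<value> remains a valid DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name, value):
    """One LDIF attribute line, base64-encoded (name:: ...) when RFC 2849 requires it:
    a value that starts with space, ':' or '<', or contains NUL, CR, LF or non-ASCII."""
    must_b64 = value[:1] in (" ", ":", "<") or any(
        ord(c) > 126 or c in "\x00\r\n" for c in value
    )
    if must_b64:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def usermap_entry(luminis_id, oracle_id):
    """LDIF text for one SCTSSOConfig entry, in the layout shown in the guide."""
    dn = f"cn={escape_rdn_value(luminis_id)},{USERMAP_BASE}"
    lines = [
        ldif_attr("dn", dn),
        ldif_attr("SCTSSOConfigString", oracle_id),
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        ldif_attr("description",
                  f"Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {oracle_id}"),
        ldif_attr("cn", luminis_id),
    ]
    return "\n".join(lines) + "\n"


def build_usermap_ldif(pairs):
    """Entries for every pair whose IDs differ; same-ID users need no entry."""
    return "\n".join(usermap_entry(lum, ora) for lum, ora in pairs if lum != ora)


def resolve_oracle_id(luminis_id, pairs, default=DEFAULT_ORACLE_ID):
    """Return (oracle_id, mapped). mapped=False means the default was used, which is what
    proxyinfo.sql signals by returning a generic Oracle ID instead of a personal one."""
    mapping = dict(pairs)
    if luminis_id in mapping:
        return mapping[luminis_id], True
    return default, False


if __name__ == "__main__":
    print(build_usermap_ldif(SAMPLE_PAIRS))
    print(resolve_oracle_id("JoeSmith", SAMPLE_PAIRS), resolve_oracle_id("nobody", SAMPLE_PAIRS))
```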
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value is displayed as the default value for new users who log in to Banner.
Parameter - Description
BIND_PASSWORD - The password for the bind user. It is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER - A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.
DN - The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER - The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using the Internet URL format for LDAP, for example: ldap://myldapserver:389
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT - Usermap option. Valid values are as follows: L - Login ID is used for login mapping; N - No usermap option is used.
USERMAP_PRFX - Prefix for the usermap. This parameter contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap option is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter - Description
LOCATION - To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where the wallet is created. It uses the file URL format, for example file:d:\wallet for Windows or file:/u01/wallet for Unix.
PASSWORD - The password to the wallet. It is stored using DES encryption with the key you created in a previous step.
MODE - The SSL authentication mode, which can be one of the following values: 1 - No authentication is required (SSL encryption only); 2 - One-way authentication is required: the client certificate is authenticated by the server; 3 - Two-way authentication is required: the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify the LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the following CAS versions.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the util:map with id uniqueIdGeneratorsMap in the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M:%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M:%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the log files in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called "main" for banportals and "BEIS" for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
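To follow one event (by its GOAEQRM Event Sequence value) through the three stages shown above without reading adapter.log by hand, here is an added example in Python; it is not part of the guide or of the LMG product. It parses lines in the log4j format above and reports, per event ID, whether the event was validated, handed to the Luminis Message Broker, and which publisher received it. The INFO lines in the sample mirror the guide's; the ERROR line for event 370661 and its wording are a constructed assumption.

```python
import re
from collections import defaultdict

# Line format produced by the log4j pattern used in the LMG logs shown above:
# "<yyyy-MM-dd HH:mm:ss,SSS> [<thread>] <LEVEL> <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Messages that mark the stages an event passes through (taken from the guide's sample lines)
VALID_RE = re.compile(r"XML for (?P<id>\d+) is a valid document")
BROKER_RE = re.compile(r"Message (?P<id>\d+) published to Luminis Message Broker")
TARGET_RE = re.compile(r"The event (?P<id>\d+) has been published to (?P<target>\S+)")
ANY_ID_RE = re.compile(r"\b(\d{5,})\b")  # fallback: first long number in an ERROR/WARN message

# Constructed sample log: the three INFO lines mirror the guide's example; the ERROR line
# for event 370661 is an assumption made up for this example, not real LMG output.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,004 [Thread-11] ERROR events.com.sctcorp.events.StandardEventProvider - XML for 370661 is not a valid document
"""


def parse_line(line):
    """Split one log line into its fields, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def trace_events(lines):
    """Return {event_id: {"valid", "broker", "targets", "errors"}} built from the log lines."""
    events = defaultdict(lambda: {"valid": False, "broker": False, "targets": [], "errors": []})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        m = VALID_RE.search(msg)
        if m:
            events[m.group("id")]["valid"] = True
            continue
        m = BROKER_RE.search(msg)
        if m:
            events[m.group("id")]["broker"] = True
            continue
        m = TARGET_RE.search(msg)
        if m:
            events[m.group("id")]["targets"].append(m.group("target"))
            continue
        if rec["level"] in ("ERROR", "WARN"):
            # Attribute the error to the first event-ID-like number in the message, if any.
            m = ANY_ID_RE.search(msg)
            key = m.group(1) if m else "unknown"
            events[key]["errors"].append(f"{rec['ts']} {rec['level']} {msg}")
    return dict(events)


def event_status(events, event_id):
    """Summarise how far one event (the GOAEQRM Event Sequence value) got through LMG."""
    e = events.get(event_id)
    if e is None:
        return "not seen in log"
    if e["errors"]:
        return "error"
    if e["valid"] and e["broker"] and e["targets"]:
        return "published to " + ", ".join(e["targets"])
    if e["valid"]:
        return "validated but not published"
    return "incomplete"


if __name__ == "__main__":
    found = trace_events(SAMPLE_LOG.splitlines())
    for event_id in sorted(found):
        print(event_id, "->", event_status(found, event_id))
```

On a real system, pass the lines of $SCT_LMG_HOME/Events/logs/adapter.log to trace_events and look up the Event Sequence value taken from GOAEQRM.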
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination directory or filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID,
-- such as INTEGMGR or WWW_USER, is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update. TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attribute types associated with the o=SCTSSOapplications objects. By importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables: set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      #   err=20 generally means "Attribute or Value Exists"
      #   err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun intended)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start:
# Does $OPENDS_DIR exist, and is it writable?
if [[ ( ! -d "$OPENDS_DIR" ) || ( ! -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for the Directory Manager (DM) password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object, needed for LMG-style integration
# (the -l value is single-quoted so the shell does not expand the $ in the lookup name)
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object, needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object, needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object, needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object, needed for LMG-style integration
# (imqDestinationName must name the UpdateRequest queue itself, not the Sync topic)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object, needed for LMG-style integration
# (imqDestinationName must name the UpdateReply queue itself, not the Sync topic)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory, used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory, used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory, used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory, used by LMG and WebCT/Blackboard, etc.
./im qobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
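The pre-encoded userPassword shown in the comment after STEP 6 is an LDIF base64 value (userPassword::) wrapping an OpenDS {SSHA} hash, which STEP 2 enables the directory to accept. The following added example, written for this guide and not part of the script or of OpenDS, produces and verifies such a value in Python so the LMG and broker users can be created without a cleartext password in the LDIF; the 8-byte salt length is an assumption that matches what the guide's sample decodes to.

```python
import base64
import hashlib
import hmac
import os

# The sample pre-encoded value quoted in the guide's lp5_mqinit.sh comment (STEP 6).
GUIDE_SAMPLE = "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="
SHA1_LEN = 20


def ssha_encode(password, salt=None):
    """Return a '{SSHA}' value: base64(SHA-1(password || salt) || salt).
    An 8-byte random salt is assumed (the guide's sample decodes to 20 + 8 bytes)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a '{SSHA}' value; the digest compare is constant-time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword(encoded):
    """Render the attribute the way the script's comment shows it: 'userPassword::' followed
    by the base64 of the whole {SSHA}... string (LDIF base64 form, RFC 2849)."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def ldif_decode(line):
    """Reverse ldif_userpassword: return the {SSHA}... string held in a 'userPassword::' line."""
    name, sep, value = line.partition("::")
    if name.strip() != "userPassword" or not sep:
        raise ValueError("not a base64 userPassword line")
    return base64.b64decode(value.strip()).decode("ascii")


def describe(encoded):
    """Return (scheme, digest_len, salt_len) for a pre-encoded value, to eyeball its format."""
    scheme, _, b64 = encoded.partition("}")
    raw = base64.b64decode(b64)
    return scheme + "}", min(len(raw), SHA1_LEN), max(len(raw) - SHA1_LEN, 0)


if __name__ == "__main__":
    value = ssha_encode("password")  # constructed value, not a real credential
    print(ldif_userpassword(value))
    print(describe(ldif_decode("userPassword:: " + GUIDE_SAMPLE)))
```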
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channels proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users, regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center, and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, described as bansecr in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the webservices configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME=IAM_EVENTS_CAPTURE (missing single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archivelogs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
For example, the $CP_ROOT/products/tomcat/tomcat-<portal|admin>/webapps/banner-cas-client/WEB-INF/classes/cas-properties/cas-client.properties file may appear as follows:
• Admin:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup37.sct.com:443
• Portal:
banner.sso.gateway=http://slcban4.sct.com:9010/bnSSOWeb
cas.server.renew=false
cas.server.url=https://slcsup37.sct.com:8447/cas-web
cas.client.serverName=slcsup38.sct.com:443
• The following three properties are marked as not in use:
cas.server.gateway=false
cas.server.proxyCallbackUrl
cas.client.proxyCallbackUrl
2. Test the Web application by invoking the following URL. This URL should be accessible from all resource and Portal tiers:
https://<Luminis host>:<SSL PORT>/banner-cas-client
The following URLs are used to start Banner in a CAS Single Sign-On environment:
• Internet-native Banner: http://<host>:<port>/banner-cas-client/authorized/banner/OracleForms
• Banner Self-Service: http://<host>:<port>/banner-cas-client/authorized/banner/SelfService
cas.client.serverName: Client server address, which consists of the fully qualified server name and port where the application is running.
Note: This should include the SSL port number.
cas.client.proxyCallbackUrl: Client proxy callback URL, which should point to the server and port where the client application is running.
Note: This should include the SSL port number.
Banner Enterprise Identity Services Configuration Information Tables
The following is a list of tables that store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.
For Identity Data Export Utilities, as with other Web apps, the configuration is stored in the properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory, the files are stored in the following location:
applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties
Schema | Table | Application | Comments
BNIXMGR | APCONFG | Banner Identity Gateway | Stores application configuration for SSB and INB
BNIXMGR | WSCONFG | Banner Identity Gateway | Stores configuration for the Open Digital Campus Identity Web Service for the Credential service and Ticketing service
IDENTMGR | T_UDC_PST_LIST | Enterprise Identity Proxy Services | Stores a list of Provisioning Service Targets
Luminis Banner Web application
This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.
Use the following steps to deploy these portlets:
1. Make the necessary changes to certain properties located in the following folders:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
$CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes
2. The properties that need to be modified with respect to the Banner portlets are as follows:
# The URL to access the Banner Portal Servlet
# Example: http://slcban3.sungardhe.com:7778/banportals
providerServlet.url=<URL for the banportals application>
# The user name to secure the servlet
providerServlet.userName=channelAdmin
# The password to secure the servlet
providerServlet.password=u_pick_it
version=development
# The SSB URL for the English locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
# The SSB URL for the French locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
# The SSB URL for the Spanish (Mexican) locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
# The SSB URL for the Arabic locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
# The SSB URL for the Brazilian locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
# The BEIS version can be either 8.14, for versions that are <= 8.14, or it needs to be set to 8.15
beis.version=8.14
# The banner-cas-client URL for SSB in case BEIS <= 8.14 is used
banner.cas.client.ssb=banner-cas-client/authorized/banner/SelfService
# The banner-cas-client URL for INB in case BEIS <= 8.14 is used
banner.cas.client.inb=banner-cas-client/authorized/banner/OracleForms?launch_form=
# The URL for SSB for SSO Manager in case BEIS 8.15 is used (note that the parameter pkg has to be the same as configured in SSO Manager)
beis.ssomanager.ssb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/SSB?pkg=
# The URL for INB for SSO Manager in case BEIS 8.15 is used
beis.ssomanager.inb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner
The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) Application server.
This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server and modifications to be made to the deployment of the Luminis Platform portlet for Banner Server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.
For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki at the following address:
http://www.edu1world.org/CommonsLuminis
This section includes the following topics:
• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"
Create the home directory for Luminis Channels for Banner
To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels
Copy the contents of your Banner production directory's channel/admin folder to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.
Edit the configuration file
Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following table specifies descriptions and examples of the Banner database connection configuration properties.
connectionName.list
Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName, and the other default.* properties.
Example: connectionName.list=default or connectionName.list=default,other
default.tnsName
TNS name used when connecting to the Banner database.
Example: default.tnsName=LB70.sct.com
default.userName
Connection pool user name.
Example: default.userName=banproxy
default.password
Connection pool password.
Example: default.password=banproxy
default.poolConfig.min-limit
Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
Example: default.poolConfig.min-limit=1
default.poolConfig.max-limit
Maximum number of physical connections maintained by the pool.
Example: default.poolConfig.max-limit=5
default.poolConfig.increment
Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
Example: default.poolConfig.increment=1
default.poolConfig.timeout
The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is given in seconds.
Example: default.poolConfig.timeout=30
log4j.rootCategory
The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.
providerServlet.url
URL to access the Banner portal servlet. This is the URL of the webserver and points to the OC4J servlet, which resides on the webserver machine. The port of 4445 in the document is an example. You provide the port number that routes you to the welcome page of the webserver, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. Reference "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.
Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD
providerServlet.userName
User name to secure the servlet.
Example: providerServlet.userName=channelAdmin
providerServlet.password
Password used to secure the servlet.
Example: providerServlet.password=u_pick_it
The recommended value for the username is channelAdmin. You can use any value for the password.
This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a channel request, it compares the username and password stored in banportals.ear with the username and password sent by Luminis from the luminis-banner webapp. Thus the providerServlet username and password should only be defined in the banportals.config file. There does not need to be any corresponding OS user, Oracle user, and so forth.
Generate the banportals.ear file
The banportals.config file contains values that should be inserted into the banportals.ear file.
To roll out the changes, use the installer file banportalsadmin.jar. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager, as described in "Deploy the EAR file" on page 2-15.
xsl-parameter.erpUrlBase
URL for the INB server.
Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL in the example.
Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D
xsl-parameter.urlHostAndPath
URL for the self-service application.
Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use the Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) server, using mapped drives or symbolic links, to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the application currently being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP username mapping first, based on the GUAUPRF LDAP settings, and then fail over to the mapping set in the Banner GOBEACC mapping. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and the event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for use with, and supporting, Banner Integration for eLearning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ-wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of using the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework Application Server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish OpenMQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the …/imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.
You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the OpenMQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows:
mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following code to .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway; export SCT_LMG_HOME
3. Copy the lmg4.0.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgX.x.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may appear as follows:
java -jar lmg4.0.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that OpenDS LDAP resides on the same server as the GlassFish installation. The script will bind as cn=Directory Manager and make modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page at the following address:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script will create users and administered objects, such as topics, queues and connection factories, in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:
• Environmental settings include the following:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist, as follows:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes. The settings are as follows:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port, and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, then use the imq.portmapper.port, which has a default value of 7676.
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations, include the following:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update the <glassfishdomain>/imq/instances/imqbroker/props/config.properties file to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both the MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the latter imq.log.level to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
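A fragment like the one above is easy to get subtly wrong: a misspelled principal is simply an unknown user to the broker, so the intended user silently loses access and nothing in the broker log says why. The following Python check is an added example, not part of this guide or of GlassFish MQ; it parses an accesscontrol.properties fragment, lists what each principal may do, and flags principals outside the known set and wildcard ADMIN grants. The sample lines are constructed from this page's fragment, with two lines deliberately carrying the misspelling "lumser".

```python
"""Audit an OpenMQ accesscontrol.properties fragment (added example).

Rules have the form shown on this page:
  connection.<ADMIN|NORMAL>.allow.user=<user>[,<user>...]
  <queue|topic>.<destination>.<produce|consume>.<allow|deny>.user=<user>[,...]
"""
import re
from collections import defaultdict

# Constructed sample based on the page's fragment; two lines deliberately carry
# the misspelled principal "lumser" to show what the audit reports.
SAMPLE_ACL = """\
# MQ access control for the LMG / Luminis integration
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
"""

RULE_RE = re.compile(
    r"^(?P<kind>connection|queue|topic)\.(?P<name>[^.]+)"
    r"(?:\.(?P<op>produce|consume))?"
    r"\.(?P<access>allow|deny)\.user=(?P<users>.*)$"
)


def parse_acl(text):
    """Return one dict per rule; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised rule: {line}")
        users = [u.strip() for u in m.group("users").split(",") if u.strip()]
        rules.append({"line": lineno, "kind": m.group("kind"), "name": m.group("name"),
                      "op": m.group("op"), "access": m.group("access"), "users": users})
    return rules


def effective_grants(rules):
    """Map each principal to the set of 'kind:name:op' operations it is allowed."""
    grants = defaultdict(set)
    for r in rules:
        if r["access"] != "allow":
            continue
        op = r["op"] or "connect"   # connection rules carry no produce/consume
        for u in r["users"]:
            grants[u].add(f"{r['kind']}:{r['name']}:{op}")
    return dict(grants)


def audit_acl(text, known_users):
    """Findings: principals outside known_users, and '*' on ADMIN connections."""
    findings = []
    for r in parse_acl(text):
        for u in r["users"]:
            if u == "*":
                if r["kind"] == "connection" and r["name"] == "ADMIN" and r["access"] == "allow":
                    findings.append(f"line {r['line']}: ADMIN connections allowed for every user")
            elif u not in known_users:
                findings.append(
                    f"line {r['line']}: unknown principal '{u}' in {r['kind']} {r['name']}")
    return findings


if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ACL, {"lumuser", "lmguser"}):
        print(finding)
    for user, ops in sorted(effective_grants(parse_acl(SAMPLE_ACL)).items()):
        print(user, sorted(ops))
```

Run it against your real accesscontrol.properties with the set of users that lp5_mqinit.sh created in o=messaging; the grants listing doubles as a least-privilege review of who can produce to or consume from each destination.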
Custom JMS Clients
Ensure that your JMS clients contain the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish/MQ/Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server:
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install the GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps:
Note: The imqusermgr command will create users in the file-system based user repository, but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration guide for more details or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default, the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for the other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
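When the firewall only permits the pinned ports, it helps to check the portmapper reply mechanically rather than by eye: which services answer on the configured port, and which (the cluster service in the second session above, for instance) still sit on an ephemeral port. The Python below is an added example, not part of this guide or of GlassFish MQ; it parses a portmapper reply and compares it with the imq.*.port lines from config.properties. The sample replies are constructed from this page's two telnet sessions, with a placeholder host name in place of the real broker.

```python
"""Check which OpenMQ services are on static ports (added example).

Parses the portmapper reply (the telnet output shown on this page) and the
static-port lines from config.properties, then reports services whose
advertised port differs from the configured one or is still ephemeral.
"""
import re

# Constructed from the page's first telnet session (dynamic ports), with a
# placeholder host name in place of the real broker.
DYNAMIC_REPLY = """\
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,imqhome=/opt/glassfishv3/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://broker.example.edu/jndi/rmi://broker.example.edu:8686/broker.example.edu/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
"""

# Constructed from the page's second session, after the static-port change.
STATIC_REPLY = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
"""

# The three lines the page adds to config.properties.
STATIC_CONFIG = """\
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
"""

# <service> <protocol> <service type> <port> [optional bracketed detail]
SERVICE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)(?:\s+\[.*\])?$")
PORT_PROP_RE = re.compile(r"^imq\.(\w+)\.(?:tcp|tls)\.port=(\d+)$")


def parse_portmapper(reply):
    """Map service name -> {protocol, type, port} from a portmapper reply."""
    services = {}
    for line in reply.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            name, proto, svc_type, port = m.groups()
            services[name] = {"protocol": proto, "type": svc_type, "port": int(port)}
    return services


def expected_ports(config_text):
    """Map service name -> static port from imq.<service>.{tcp,tls}.port lines."""
    expected = {}
    for line in config_text.splitlines():
        m = PORT_PROP_RE.match(line.strip())
        if m:
            expected[m.group(1)] = int(m.group(2))
    return expected


def check_static_ports(services, expected):
    """One finding per configured service that is missing or on another port."""
    findings = []
    for name, port in expected.items():
        svc = services.get(name)
        if svc is None:
            findings.append(f"{name}: not advertised by the portmapper")
        elif svc["port"] != port:
            findings.append(f"{name}: advertised on {svc['port']}, config expects {port}")
    return findings


def ephemeral_services(services, expected):
    """TCP listeners whose port is neither the portmapper's nor a configured one."""
    pinned = set(expected.values())
    if "portmapper" in services:
        pinned.add(services["portmapper"]["port"])
    return sorted(name for name, svc in services.items()
                  if svc["protocol"] == "tcp" and svc["port"] and svc["port"] not in pinned)


if __name__ == "__main__":
    expected = expected_ports(STATIC_CONFIG)
    for reply in (DYNAMIC_REPLY, STATIC_REPLY):
        services = parse_portmapper(reply)
        print(check_static_ports(services, expected), ephemeral_services(services, expected))
```

A service listed as "not advertised" (ssljms in both samples) is simply not in imq.service.activelist, so the finding tells you the port rule is unused rather than wrong.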
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.

If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.

Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.

For example, the settings may appear as follows:

com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jms userid>
com.sghe.luminis.imqConnectionCredentials=<jms password>
com.sghe.luminis.imqBrokerHostName=<jms host>
com.sghe.luminis.imqAddressList=mq://<jms host>:7676/jms

Because the broker credentials are stored in clear text in this file, restrict its read permission to the account that runs Tomcat.
er 2011 Luminis Platform 503 3-9Banner Integration Setup Guide
Data-Level Integration and Provisioning
3-10
5. The GlassFish Enterprise Server should be installed, with the jms and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any imqcmd commands.
4 SSB and INB Integration

This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"

User ID mappings

User ID mappings are central to Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is held in GOBUMAP; PIDM <-> SPRIDEN ID mappings are in the SPRIDEN table; PIDM <-> INB (Oracle) login mappings are in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.

The LDAP-authentication layer is not needed beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely on the Banner Oracle INB ID, or on the BANPROXY proxy ID, to gather data from Oracle and stream it back through the portlets. No additional LDAP authentication or SPRIDEN-ID lookup against LDAP is involved in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, trust the initial CAS ticket, as in the Luminis-CAS login on port 8447, coupled with the assertion of the UDC ID in the configured cookie and header. Because SSB and INB accept the UDC ID from that cookie and header, make sure they are reachable only through the bnSSOWeb gateway and not directly by end users.

Luminis Portlets for Banner add database-level security through banportals for each transaction, using the user's actual INB/Oracle user account or, by proxy, BANPROXY.

Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a GOBUMAP entry mapping their UDC ID to a valid PIDM, and does the user have a UDC ID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured, via your CAS server's services management page (cas-web/services/manage.html), to specifically pass the UDC_IDENTIFIER attribute?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?

Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001; otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.

Create the o=SCTSSOapplications base DN

To create an optional base DN such as o=SCTSSOapplications, you can use the OpenDS control panel. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.

For more information about managing base DNs with the control panel, see:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel

To create the base DN, complete the following steps:
1. Run dsconfig from $CP_ROOT/products/opends/bin as follows:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN. For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter Use these values.
1.7 Press F to finish and apply the changes to the Local DB Backend.
2. Import the sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
(-X trusts any server certificate; that is acceptable on the loopback connection shown here, but use a truststore instead when connecting across the network.)
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications.ldif sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
The -w value above is the Directory Manager password as shipped in the example; on a shared host prefer -j <password file> so that the password does not appear in the process list or shell history.

Verify usermap mapping setup for INB users using the proxyinfo.sql script

The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you for a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.

Mappings defined under o=usermap,o=Banner,o=sctssoapplications take precedence here; for any user without an explicit usermap entry, the default Oracle ID (usually banproxy) results.

If you are using INB, this script must return your INB username. You must also be granted the proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups

For the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies on a proper encryption-key configuration.

The mapping in the GOBEACC table is used to create an Oracle connection for self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for INB channels such as the My Banner channel the GOBEACC mapping does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key

When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server that hosts the user mappings. The Directory Manager password used for that bind is stored on GUAUPRF and is encrypted with DES through the Oracle-delivered DBMS_OBFUSCATION_TOOLKIT package. This encryption uses a key, or password, to perform the encryption. DES is a 56-bit cipher and DBMS_OBFUSCATION_TOOLKIT has been superseded by DBMS_CRYPTO in later Oracle releases, so the key file deserves the same protection as the Directory Manager password it guards.

Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.

If KEY_DIR does not exist in DBA_DIRECTORIES and the physical directory has not been created on your database server, create it using the following steps. Make the file readable by the Oracle software owner's group and by nobody else.

1. Create the physical directory on your database server, for example: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key. The guide's placeholder is PASSWORD; a real key must also contain digits, per the rules below.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in $BANNER_HOME/install and change the directory name to match the directory you created in step 1. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to copy it manually from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
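The key rules above are easy to get wrong by hand (a nine-character key, a leading space, a key with no digits). The following script, an added example that is not Ellucian code, applies the rules as the guide states them and reports which characters DES and a future DES3 would consume, plus a permissions check on the file. The padding character and exact truncation behaviour of GOKKSSO are not stated in the guide; space padding and truncation after 24 characters are assumptions here.

```python
"""Validate the contents of the Banner enckey file against the rules in the
guide: key starts in column 1, at least eight characters, letters and
digits mixed, length a multiple of eight, only the first 24 characters used.

Added example, not Ellucian code. Space padding to 24 characters and
truncation after 24 are assumptions (the guide does not say how GOKKSSO
pads); the file-permission check goes beyond the guide's advice.
"""
import os
import stat

KEY_LEN_DES = 8     # characters consumed by the current DES encryption
KEY_LEN_DES3 = 24   # characters reserved for the future DES3 key


class EncKeyError(ValueError):
    """Raised when the enckey contents violate a documented rule."""


def normalise_enckey(raw):
    """Return (des_key, des3_key) derived from the first line of enckey.

    des_key is the 8-character slice DES actually uses; des3_key is the
    24-character string after assumed space padding / truncation.
    """
    first_line = raw.split("\n", 1)[0].rstrip("\r")
    if not first_line:
        raise EncKeyError("enckey file is empty")
    if first_line[0].isspace():
        raise EncKeyError("key must start in column 1 (leading whitespace found)")
    key = first_line.rstrip()
    if len(key) < KEY_LEN_DES:
        raise EncKeyError("key must contain at least %d characters" % KEY_LEN_DES)
    if not (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)):
        raise EncKeyError("key must combine letters and numbers")
    if len(key) > KEY_LEN_DES3:
        key = key[:KEY_LEN_DES3]      # GOKKSSO only uses the first 24 characters
    elif len(key) % KEY_LEN_DES != 0:
        raise EncKeyError("key length must be a multiple of %d" % KEY_LEN_DES)
    des3_key = key.ljust(KEY_LEN_DES3)  # assumed padding; DES3 would use all 24
    return key[:KEY_LEN_DES], des3_key


def check_enckey_mode(mode):
    """Return findings for a file mode; the key should be readable by the
    Oracle owner's group only, never by other local users."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("enckey is world-readable; chmod o-r")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("enckey is writable by group or others")
    return findings


def check_enckey_file(path):
    """Validate an enckey file on disk: contents plus permissions."""
    with open(path) as fh:
        des_key, des3_key = normalise_enckey(fh.read())
    return des_key, des3_key, check_enckey_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    for sample in ("abc12345", "Abc12345Def67890", "PASSWORD", "abc123456"):
        try:
            des, des3 = normalise_enckey(sample + "\n")
            print("%-20s DES uses %r, DES3 would use %r" % (sample, des, des3))
        except EncKeyError as exc:
            print("%-20s rejected: %s" % (sample, exc))
```

Note that PASSWORD, the guide's own placeholder, is rejected because it has no digits; that is the rule as the guide states it, not an extra restriction.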
Create entries in LDAP for usermap

If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), you must add the configuration entries to your LDAP directory. The default DN path is:
o=config,o=Banner,o=SCTSSOapplications

UserMapDN points to a location in the LDAP directory where users can be mapped when their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of object class SCTSSOConfig, and the Common Name (CN) of the entry should be the LDAP user ID. The SCTSSOConfigString attribute of the entry should be set to the user's ID in the Banner database. If a user's ID is the same in both systems, an entry in this location is neither necessary nor recommended for that user.

For users to use SSO to INB through Luminis Platform with LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value, for example: Luminis ID = jsmith, Oracle/Banner ID = jsmith
• Mapped to one another in LDAP, for example: Luminis ID = JoeSmith, Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping when the IDs differ. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner, and is cached thereafter. If a mapping is changed, you must restart the banportals OC4J before the new mapping is read.
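When more than a handful of users need mapping, the LDIF is better generated than typed. The following script, an added example that is not Ellucian code, builds SCTSSOConfig entries in the layout of sso_map.ldif above (skipping users whose IDs already match, as the guide recommends), reads them back, and resolves a Luminis login the way the "Verify usermap mapping setup" section describes: an explicit usermap entry wins, otherwise the login is tried as-is, and if that is not a known Oracle account the default ID (BANPROXY) results. The user list, the set of Oracle accounts and the resolver are constructed for illustration; the real GOKKSSO lookup logic is not shown on the page.

```python
"""Generate o=usermap LDIF entries and resolve a Luminis login to the
Oracle ID that proxyinfo.sql would report.

Added example, not Ellucian code. SAMPLE_USERS and ORACLE_ACCOUNTS are
constructed; resolve_oracle_id() is a simplified model of the guide's
description, not the GOKKSSO package itself.
"""
USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "BANPROXY"

# Constructed sample: (Luminis login, Banner/Oracle login).
SAMPLE_USERS = [
    ("JoeSmith", "jsmith"),   # IDs differ: needs a usermap entry
    ("adoe", "adoe"),         # IDs identical: no entry recommended
    ("mjones", "mjones1"),    # IDs differ: needs a usermap entry
]
# Constructed set of INB accounts that exist in GOBEACC.
ORACLE_ACCOUNTS = {"jsmith", "adoe", "mjones1"}


def escape_dn_value(value):
    """Escape the characters RFC 4514 reserves inside a DN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def usermap_ldif(pairs, base=USERMAP_BASE):
    """Return LDIF text with one SCTSSOConfig entry per differing ID pair."""
    entries = []
    for luminis_id, oracle_id in pairs:
        if luminis_id == oracle_id:
            continue  # same ID in both systems: the guide says no entry
        entries.append("\n".join([
            "dn: cn=%s,%s" % (escape_dn_value(luminis_id), base),
            "objectClass: top",
            "objectClass: SCTSSOConfig",
            "cn: %s" % luminis_id,
            "SCTSSOConfigString: %s" % oracle_id,
            "description: Map of Luminis ID - %s to Banner/Oracle ID - %s"
            % (luminis_id, oracle_id),
        ]))
    return "\n\n".join(entries) + "\n"


def parse_usermap_ldif(text):
    """Rebuild {luminis cn (lower-cased): oracle id} from LDIF text.

    cn uses caseIgnoreMatch in the schema sample, hence the lower-casing.
    """
    mapping, cn, oracle = {}, None, None
    for line in text.splitlines() + [""]:
        if not line:                      # blank line ends an entry
            if cn and oracle:
                mapping[cn.lower()] = oracle
            cn = oracle = None
        elif line.startswith("cn: "):
            cn = line[len("cn: "):]
        elif line.startswith("SCTSSOConfigString: "):
            oracle = line[len("SCTSSOConfigString: "):]
    return mapping


def resolve_oracle_id(luminis_id, mapping, oracle_accounts, default=DEFAULT_ORACLE_ID):
    """Explicit usermap entry first; else the login itself if it is a known
    Oracle account; else the default proxy ID (what proxyinfo.sql shows as
    'no mapping found')."""
    candidate = mapping.get(luminis_id.lower(), luminis_id)
    return candidate if candidate in oracle_accounts else default


if __name__ == "__main__":
    ldif = usermap_ldif(SAMPLE_USERS)
    print(ldif)
    mapping = parse_usermap_ldif(ldif)
    for login in ("JoeSmith", "adoe", "nobody"):
        print(login, "->", resolve_oracle_id(login, mapping, ORACLE_ACCOUNTS))
```

Feed the generated file to the same ldapmodify command as in step 2; the resolver is only a local sanity check, and proxyinfo.sql against the database remains the authoritative test.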
Configure parameters using GUAUPRF

To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value is shown as the default for new users who log in to Banner.

Parameter      Description
BIND_PASSWORD  The password for the bind user. It is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER      A user with rights to bind to the LDAP server to retrieve the SSO configuration data. This user should also be able to search the LDAP directory to determine whether users exist.
DN             The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER         The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter uses LDAP URL format, for example: ldap://myldapserver:389
               Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT    Usermap option. Valid values: L (login ID is used for login mapping) and N (no usermap option is used).
USERMAP_PRFX   Prefix for the usermap. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
               Note: These options are governed by the USERMAP_OPT parameter; the expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:

Parameter  Description
LOCATION   To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location of that wallet on the server, in file URL format. For example: file:d:\wallet for Windows, file:/u01/wallet for Unix.
PASSWORD   The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE       The SSL authentication mode, one of the following values:
           1 - No authentication is required (SSL encryption only)
           2 - One-way authentication is required; the server's certificate is verified by the client (the database)
           3 - Two-way authentication is required; the client and the server verify each other's certificates
A CAS Server Configuration

Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.

For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.

1. If you do not already have a CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A JAR file is available from SunGard Higher Education for modifying the CAS server. SunGard Higher Education supports the CAS versions for which a file is listed in step 2.2.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. In the steps below, the temporary location is CAS_EXTENSION=D:\Banner_IdM_Extension and the Luminis Platform CAS server location is SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify SGHE_CAS_SERVER/WEB-INF/web.xml by adding the following servlet mapping:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry inside the existing <util:map id="uniqueIdGeneratorsMap"> element:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file as follows:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following bean definition:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add a reference to it in the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file as follows:
4.4.1 Open cas-servlet.xml and add the following bean definition:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file as follows:
4.5.1 Add entries with keys UDC_IDENTIFIER and Formatted Name to the attributeRepository bean:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry attributes (key) and Principal attributes (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the authenticationManager bean:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties as follows:
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
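Two of the edits above silently break SSO if they are missing or out of order: the BannerArgumentExtractor reference in argumentExtractorsConfiguration.xml (the guide lists it first) and the udcid to UDC_IDENTIFIER mapping in the attributeRepository bean. The following script, an added example that is not Ellucian or Jasig code, parses both files with the Spring namespaces they declare and reports either problem. The two XML documents embedded below are constructed, trimmed versions of the real files (the casArgumentExtractor and samlArgumentExtractor bean definitions are stand-ins for the ones the CAS distribution ships); point the functions at the deployed files to check a real server.

```python
"""Check the deployed CAS configuration for two of the Banner edits:
BannerArgumentExtractor registered (and first) in argumentExtractors, and
attributeRepository mapping the LDAP udcid attribute to UDC_IDENTIFIER.

Added example, not Ellucian or Jasig code. The embedded XML is a
constructed, trimmed stand-in for the real files.
"""
import xml.etree.ElementTree as ET

NS = {
    "b": "http://www.springframework.org/schema/beans",
    "util": "http://www.springframework.org/schema/util",
}

ARG_EXTRACTORS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util">
  <bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor"/>
  <bean id="casArgumentExtractor" class="org.jasig.cas.web.support.CasArgumentExtractor"/>
  <bean id="samlArgumentExtractor" class="org.jasig.cas.web.support.SamlArgumentExtractor"/>
  <util:list id="argumentExtractors">
    <ref bean="BannerArgumentExtractor"/>
    <ref bean="casArgumentExtractor"/>
    <ref bean="samlArgumentExtractor"/>
  </util:list>
</beans>
"""

DEPLOYER_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=People,o=cp"/>
    <property name="query" value="(uid={0})"/>
    <property name="contextSource" ref="contextSource"/>
    <property name="ldapAttributesToPortalAttributes">
      <map>
        <entry key="uid" value="uid"/>
        <entry key="udcid" value="UDC_IDENTIFIER"/>
        <entry key="cn" value="cn"/>
        <entry key="givenname" value="Formatted Name"/>
        <entry key="mail" value="EmailAddress"/>
      </map>
    </property>
  </bean>
</beans>
"""


def argument_extractor_refs(xml_text):
    """Return the bean ids referenced from util:list id="argumentExtractors", in order."""
    root = ET.fromstring(xml_text)
    for lst in root.findall("util:list", NS):
        if lst.get("id") == "argumentExtractors":
            return [ref.get("bean") for ref in lst.findall("b:ref", NS)]
    return []


def attribute_map(xml_text, bean_id="attributeRepository"):
    """Return {ldap attribute: principal attribute} from the repository bean."""
    root = ET.fromstring(xml_text)
    for bean in root.findall("b:bean", NS):
        if bean.get("id") != bean_id:
            continue
        for prop in bean.findall("b:property", NS):
            if prop.get("name") == "ldapAttributesToPortalAttributes":
                return {e.get("key"): e.get("value") for e in prop.findall("b:map/b:entry", NS)}
    return {}


def check_cas_config(extractors_xml, context_xml):
    """Return a list of findings; an empty list means both edits are in place."""
    findings = []
    refs = argument_extractor_refs(extractors_xml)
    if "BannerArgumentExtractor" not in refs:
        findings.append("BannerArgumentExtractor is not in argumentExtractors")
    elif refs[0] != "BannerArgumentExtractor":
        findings.append("BannerArgumentExtractor is listed after %s; the guide places it first" % refs[0])
    if attribute_map(context_xml).get("udcid") != "UDC_IDENTIFIER":
        findings.append("attributeRepository does not map udcid to UDC_IDENTIFIER")
    return findings


if __name__ == "__main__":
    for finding in check_cas_config(ARG_EXTRACTORS_XML, DEPLOYER_CONTEXT_XML) or ["CAS Banner edits present"]:
        print(finding)
```

To check a deployed server, read SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml and SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml into strings and pass them to check_cas_config().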
B Logs

Banner Enterprise Identity Services logs help you understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.

You can also enable debug logging for the GlassFish message queue (MQ) component.

Banportals logs

BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties

For example, to create a dedicated log file that captures details of the channel Web Proxy activity, edit log4j.properties as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=true
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile

DEBUG output from the proxy layer can include request and response details for authenticated sessions; keep it enabled only while troubleshooting and restrict read access to the log file.
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties

Alternatively, you can add the following to your common log4j.properties, stored in:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file

If you are not actively debugging, lower the verbosity to ERROR level.

Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1

There are several application-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name '*.log'
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log

For HTTP-layer monitoring, refer to the logs under $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure them.

You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1; manager1 is the installation default password and should have been changed). Through this interface you can stop, start and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.

Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you can specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; they take effect after the next restart of that component.

GlassFish MQ and Luminis Platform Message Brokerage logs

Logs are placed in the following directory, assuming the default domain:
/opt/glassfishv3/glassfish/domains/domain1/logs

If you want to adjust the verbosity of jms.log, edit imq.log.level in:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties

Other GlassFish server-level logging is adjusted in:
/opt/glassfishv3/glassfish/domains/domain1/config/logging.properties

Within Luminis Platform, if you want to create a dedicated logger for the JMS message listener package, add the following to $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.

Learning Management Gateway (LMG) logs

Once an event has been processed in Banner and its status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) in the LMG log files.

The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)

The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.

To debug LMG for Events, make the following changes in $SCT_LMG_HOME/Events/config/logging.properties:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG

Once these properties are set, restart LMG and capture the logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.

If the LMG processed the files successfully, you see messages in the log files similar to the following:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
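When many events are flowing, grepping adapter.log for one Event Sequence is tedious and misses the events that never made it. The following script, an added example that is not Ellucian code, parses lines in the format shown above, traces each event ID through the three stages the guide's sample shows (validated, published to the broker, published to a destination), and lists events that were validated but never published. The first three log lines are the guide's own; the two lines for event 370661 and its ERROR message are constructed to show a failure case.

```python
"""Trace Banner events through the LMG adapter.log by event ID (the Event
Sequence on GOAEQRM) and list events that were validated but never
published to the message broker.

Added example, not Ellucian code. The lines for event 370661 and the
ERROR message text are constructed; the 370660 lines are from the guide.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Messages that mark one event's progress; group 1 captures the event ID.
STAGES = [
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("published", re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("delivered", re.compile(r"The event (\d+) has been published to (\S+)")),
]

SAMPLE_LOG = """2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,003 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,420 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Message 370661 could not be published: broker connection refused
"""


def parse_log(text):
    """Yield one dict per parseable line; lines in another format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def _new_event():
    return {"stages": [], "destination": None, "errors": []}


def trace_events(text):
    """Return {event_id: {"stages": [...], "destination": ..., "errors": [...]}}
    in first-seen order."""
    events = OrderedDict()
    for rec in parse_log(text):
        for stage, pattern in STAGES:
            m = pattern.search(rec["msg"])
            if m:
                ev = events.setdefault(m.group(1), _new_event())
                ev["stages"].append(stage)
                if stage == "delivered":
                    ev["destination"] = m.group(2)
                break
        else:
            # No stage matched: attach ERROR lines to the event ID they mention.
            if rec["level"] == "ERROR":
                m = re.search(r"\b(\d{5,})\b", rec["msg"])
                if m:
                    events.setdefault(m.group(1), _new_event())["errors"].append(rec["msg"])
    return events


def unpublished_events(text):
    """Event IDs that passed validation but never reached the broker."""
    return [eid for eid, ev in trace_events(text).items()
            if "validated" in ev["stages"] and "published" not in ev["stages"]]


if __name__ == "__main__":
    for eid, ev in trace_events(SAMPLE_LOG).items():
        print(eid, "->".join(ev["stages"]), ev["destination"] or "", *ev["errors"])
    print("validated but never published:", unpublished_events(SAMPLE_LOG))
```

Run it over a real adapter.log with trace_events(open(path).read()); an event listed by unpublished_events() is where to start with the MQ broker checks in the next section.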
GlassFish MQ 4.5 logs

If an event passes through LMG correctly yet Luminis Platform or some other system is not receiving it, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in:
<glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug logging, run the following command:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination directory and file name of the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files

This appendix contains examples of scripts and LDIF files you might use during the integration. These include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"

Sample proxyinfo.sql script

The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type: start proxyinfo
-- to run the program
--------------------------------------------------------------
er 2011 Luminis Platform 503 C-1Banner Integration Setup Guide
Sample Scripts and Files
C-2
--------------------------------------------------------------
-- Audit Trail 10
-- ___________________________________________________________
-- 1 Initial Release - NON-SUPPORTED PROCESS TH 07-JUN-06
--
-- Audit Trail 11
-- ___________________________________________________________
-- 1 Update TH 06-APR-07
-- Updated g$_get_proxy_info call to accomodate Gen 741
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfolst
declare
a varchar2(200)=CHANNEL
b varchar2(200)=LUMINIS
c varchar2(200)=ampLuminis_ID
d varchar2(200)
e varchar2(200)
f varchar2(200)
z varchar2(200)
begin
dbms_outputput_line(Call G$_Get_Proxy_Info)
gspprxyg$_get_proxy_info(abczdef)
dbms_outputput_line( Role ||e)
--dbms_outputput_line( PWD ||f)
dbms_outputput_line( Luminis User ||c)
dbms_outputput_line( Oracle User ||d)
end
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attribute types associated with the o=SCTSSOapplications objects. By importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
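The usermap layout above is easier to reason about when the lookup it implies is written out: cn=UserMapDN points at the usermap container, each child cn=<Luminis user> carries the Oracle user in SCTSSOConfigString, and anything not found falls back to the default Oracle ID. The following is an added example, not part of the Ellucian guide; its LDIF is constructed from the sample entries on this page, and the default ID "BANPROXY", the function names and the case-insensitive cn comparison (the schema's caseIgnoreMatch) are this example's assumptions.

```python
"""Resolve a Luminis user name to the Oracle (Banner) user it maps to,
following the o=SCTSSOapplications usermap layout shown above.

Added example; not part of the Ellucian guide. Function names, the
default ID and the sample LDIF are this example's own.
"""
import base64

# Constructed sample LDIF: the usermap portion of o=sctssoapplications.ldif.
# The "Ba" / " nner" split mirrors how the guide wraps that description; in
# LDIF a leading space marks a continuation line, so the parser must join it.
SAMPLE_LDIF = """\
dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
"""


def parse_ldif(text):
    """Parse LDIF content into {dn.lower(): {attr.lower(): [values]}}.
    Folded lines (a leading space continues the previous line) are joined,
    '::' values are base64-decoded, comments and 'version:' are skipped."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries[current["dn"][0].lower()] = current
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def resolve_oracle_user(entries, luminis_user, default_oracle_id,
                        config_dn="cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications"):
    """Return (oracle_user, mapped). mapped is False when no usermap entry
    exists and the default Oracle ID is used instead."""
    config = entries.get(config_dn.lower())
    if config is None or "sctssoconfigstring" not in config:
        return default_oracle_id, False
    usermap_dn = config["sctssoconfigstring"][0]
    # cn uses caseIgnoreMatch in the schema, so the lookup key is lower-cased.
    entry = entries.get(f"cn={luminis_user},{usermap_dn}".lower())
    if entry is None or "sctssoconfigstring" not in entry:
        return default_oracle_id, False
    return entry["sctssoconfigstring"][0], True


if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    for user in ("kyle", "610009611", "someone-else"):
        oracle_user, mapped = resolve_oracle_user(db, user, "BANPROXY")
        print(f"{user:>14} -> {oracle_user} ({'mapped' if mapped else 'default, no mapping'})")
```

Feeding the parser an export of the real o=SCTSSOapplications subtree (for example from an OpenDS ldapsearch) gives a quick offline way to check which Luminis accounts are mapped before relying on proxyinfo.sql against the database.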
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# (bash rather than sh: the script uses [[ ]], read -s and (( )) )
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc, general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"
#
# User-configurable variables; set these before running the script:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=/imqtunnel
#
# You probably shouldn't need to adjust these:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389
#
# Non-configurable variables, initialized:
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable.
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1;;
        esac
        # Shouldn't ever get here, but just in case (no pun):
        echo "Outer loop break";;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1;;
    esac
  done
}

# Step 0.1
# Some sanity checks before we start.
# Does $OPENDS_DIR exist and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 0.2
# Prompt [no screen echo] for the DM password.
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD
# Refer to the OpenDS documentation (www.opends.org) for dsconfig options.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to the OpenDS documentation (www.opends.org) for ldapmodify options.
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot.
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options.
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options.
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# The lookup names below contain a literal '$'; they are single-quoted so the
# shell does not expand them as variables.

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# (The destination name is the queue's own name, matching the imqcmd list above.)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration.
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
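STEP 2 of the script turns on ds-cfg-allow-pre-encoded-passwords so that the userPassword in STEP 6 can be supplied already hashed, and the comment after STEP 6 shows such a value in LDIF's base64 ("::") form. The following added example, not part of the guide or of lp5_mqinit.sh, builds and verifies an OpenDS-style {SSHA} value and renders it as that LDIF line; the 8-byte salt length and the function names are this example's assumptions, and SAMPLE_LDIF_LINE is the value quoted in the script's comment.

```python
"""Generate, verify and LDIF-encode a pre-encoded {SSHA} userPassword.

Added example; not part of the Ellucian guide or of lp5_mqinit.sh. The
salt length and function names are assumptions of this example.
"""
import base64
import hashlib
import hmac
import os

SALT_LEN = 8     # assumption: salt size used by this example
SHA1_LEN = 20    # SHA-1 digest size; SSHA = base64(sha1(pw || salt) || salt)

# The pre-encoded value quoted in the script's comment after STEP 6.
SAMPLE_LDIF_LINE = "userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="


def make_ssha(password, salt=None):
    """Return a {SSHA} value: '{SSHA}' + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, encoded):
    """Check a password against a {SSHA} value using a constant-time compare."""
    if not encoded.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(encoded[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:          # no salt present: malformed value
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def ldif_password_line(encoded):
    """LDIF line for the value. '::' marks the value as base64, which is
    how the script's comment writes the pre-encoded password."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def decode_ldif_password(line):
    """Inverse of ldif_password_line: return the {SSHA} value from a '::' line."""
    name, sep, value = line.partition("::")
    if name.strip() != "userPassword" or not sep:
        raise ValueError("not a base64 userPassword line")
    return base64.b64decode(value.strip()).decode("ascii")


def ssha_payload_length(encoded):
    """Number of bytes inside the {SSHA} envelope: digest (20) + salt."""
    return len(base64.b64decode(encoded[len("{SSHA}"):]))


if __name__ == "__main__":
    value = make_ssha("password")
    print(ldif_password_line(value))
    print("verifies:", verify_ssha("password", value))
    sample = decode_ldif_password(SAMPLE_LDIF_LINE)
    print("script's sample decodes to", sample[:6], "with", ssha_payload_length(sample), "payload bytes")
```

Decoding the script's sample shows it is a {SSHA} value whose payload is a 20-byte SHA-1 digest plus an 8-byte salt, which is why SALT_LEN above is 8; when generating real values, leave the salt to os.urandom rather than fixing it.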
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID will be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, run as bansecr, described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo to watch for is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE' (the statement as printed is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
Banner Enterprise Identity Services Configuration Information Tables
The following is a list of tables that store the configuration information for Banner Enterprise Identity Services, as described in solution 1-BNA67F in the SunGard Higher Education Customer Support Center.
For Identity Data Export Utilities, as with other Web apps, the configuration is stored in the properties file. The properties files are located in the home directory of the OC4J instance where the Identity Data Export Utilities application is deployed. Within the home directory, the files are stored in the following location:
applications/<ideu_application_name>/IdentityDataExportUtilities/WEB-INF/properties

Schema    Table           Application                          Comments
BNIXMGR   APCONFG         Banner Identity Gateway              Stores application configuration for SSB and INB
BNIXMGR   WSCONFG         Banner Identity Gateway              Stores configuration for the Open Digital Campus Identity Web Service (credential service and ticketing service)
IDENTMGR  T_UDC_PST_LIST  Enterprise Identity Proxy Services   Stores a list of Provisioning Service Targets
Luminis Banner Web application
This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.
Use the following steps to deploy these portlets:
1. Make the necessary changes to certain properties located in the following folders:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
$CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes
2. The properties that need to be modified with respect to the Banner portlets are as follows:
# The URL to access the Banner Portal Servlet
# Example: http://slcban3.sungardhe.com:7778/banportals
providerServlet.url=<URL for the banportals application>
# The user name to secure the servlet
providerServlet.userName=channelAdmin
# The password to secure the servlet
providerServlet.password=u_pick_it
version=development
# The SSB URL for the English locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
# The SSB URL for the French locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
# The SSB URL for the Spanish (Mexican) locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
# The SSB URL for the Arabic locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
# The SSB URL for the Brazilian locale
# Example: http://slcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
# The BEIS version: either 8.14 for versions that are <= 8.14, or 8.15
beis.version=8.14
# The banner-cas-client URL for SSB, in case BEIS <= 8.14 is used
banner.cas.client.ssb=/banner-cas-client/authorized/bannerSelfService
# The banner-cas-client URL for INB, in case BEIS <= 8.14 is used
banner.cas.client.inb=/banner-cas-client/authorized/bannerOracleForms?launch_form=
# The SSB URL for SSO Manager, in case BEIS 8.15 is used (note that the parameter pkg has to be the same as configured in SSO Manager)
beis.ssomanager.ssb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/SSB?pkg=
# The INB URL for SSO Manager, in case BEIS 8.15 is used
beis.ssomanager.inb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner
The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) Application server.
This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server and modifications to be made to the deployment of the Luminis Platform portlet for Banner server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.
For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki:
http://www.edu1world.org/CommonsLuminis
This section includes the following topics:
• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"
Create the home directory for Luminis Channels for Banner
To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels
Copy the contents of your Banner production directory's channel/admin folder to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.
Edit the configuration file
Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following table specifies descriptions and examples of the Banner database connection configuration properties.

Property: connectionName.list
Description: Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName, and so on.
Example: connectionName.list=default or connectionName.list=default,other

Property: default.tnsName
Description: TNS name used when connecting to the Banner database.
Example: default.tnsName=LB70.sct.com

Property: default.userName
Description: Connection pool user name.
Example: default.userName=banproxy

Property: default.password
Description: Connection pool password.
Example: default.password=banproxy

Property: default.poolConfig.min-limit
Description: Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
Example: default.poolConfig.min-limit=1

Property: default.poolConfig.max-limit
Description: Maximum number of physical connections maintained by the pool.
Example: default.poolConfig.max-limit=5

Property: default.poolConfig.increment
Description: Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
Example: default.poolConfig.increment=1

Property: default.poolConfig.timeout
Description: The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is given in seconds.
Example: default.poolConfig.timeout=30

Property: log4j.rootCategory
Description: The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.
Example: log4j.rootCategory=INFO, stdout (the default)

Property: providerServlet.url
Description: URL to access the Banner portal servlet. This is the URL of the web server and points to the OC4J servlet which resides on the web server machine. The port of 4445 in the document is an example. You provide the port number that routes you to the welcome page of the web server, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. Reference "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.
Example: providerServlet.url=http://<yourservername.com>:7777/banportals

Property: providerServlet.userName
Description: User name to secure the servlet.
Example: providerServlet.userName=channelAdmin

Property: providerServlet.password
Description: Password used to secure the servlet.
Example: providerServlet.password=u_pick_it

Property: xsl-parameter.erpUrlBase
Description: URL for the INB server. Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL in the example.
Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D

Property: xsl-parameter.urlHostAndPath
Description: URL for the self-service application.
Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD/

The recommended value for the username is channelAdmin. You can use any value for the password.
This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a channel request, it compares the username and password stored in banportals.ear with the username and password sent by Luminis from the luminis-banner webapp. Thus, the providerServlet username and password only need to be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user, and so forth.
Generate the banportals.ear file
The banportals.config file contains values that should be inserted into the banportals.ear file.
To roll out the changes, use the installer file banportalsadmin.jar. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager as described in "Deploy the EAR file" on page 2-15.
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use the Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) server using mapped drives or symbolic links to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the application currently being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP username mapping first, based on the GUAUPRF LDAP settings, then fail over to the mapping set in the Banner GOBEACC mapping. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for use with Banner Integration for e-Learning. It supports Banner Integration for eLearning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ-wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of using the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework Application Server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish OpenMQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the …/imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.
You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider, but SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the OpenMQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows: mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following lines to .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
export SCT_LMG_HOME
3. Copy lmg4.0.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgX.x.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may appear as follows:
java -jar lmg4.0.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that OpenDS LDAP resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page at the following location:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects such as topics, queues and connection factories in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:
• Environmental settings include the following:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist, as follows:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes. The values are as follows:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use the imq.portmapper.port, which has a default value of 7676.
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations, include the following:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update <glassfishdomain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the last property, imq.log.level, to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
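As an added example (not Ellucian/SunGard code), the following Python audits an accesscontrol.properties file of the shape shown above: it parses the rules, answers whether a given user may perform an operation, and flags wildcard grants, principals outside the known service accounts and ADMIN-connection grants. The sample rules, the function names and the simplified decision model in can() (any deny wins, no matching rule means denied) are this example's own assumptions, not Open MQ's documented precedence rules.

```python
"""Audit an Open MQ accesscontrol.properties file for least-privilege problems.

Added example for this guide, not Ellucian/SunGard code. Rules have the form
<resource>.<name>.<operation>.<allow|deny>.<user|group>=<principals>, where
connection rules (name NORMAL or ADMIN) carry no operation.
"""
import re

# Constructed sample: the LDI destinations from this chapter, plus one misspelled
# principal ("lumser") and one wildcard rule so the audit has something to report.
SAMPLE = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
topic.*.consume.allow.user=*
"""

RULE_RE = re.compile(
    r"^(?P<resource>connection|queue|topic)\."
    r"(?P<name>[^.]+)\."
    r"(?:(?P<operation>produce|consume|browse)\.)?"
    r"(?P<access>allow|deny)\."
    r"(?P<ptype>user|group)$"
)


def parse_rules(text):
    """Parse rule lines into dicts; blank lines and # comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        match = RULE_RE.match(key.strip())
        if not sep or not match:
            raise ValueError(f"line {lineno}: unrecognised rule {line!r}")
        rule = match.groupdict()
        is_conn = rule["resource"] == "connection"
        if is_conn and rule["name"] not in ("NORMAL", "ADMIN"):
            raise ValueError(f"line {lineno}: connection rule needs NORMAL or ADMIN")
        if is_conn != (rule["operation"] is None):
            raise ValueError(f"line {lineno}: operation is required for queue/topic rules only")
        rule["principals"] = [p.strip() for p in value.split(",") if p.strip()]
        rule["lineno"] = lineno
        rules.append(rule)
    return rules


def can(rules, user, resource, name, operation=None):
    """Simplified decision for one user (group rules ignored): any matching deny wins,
    otherwise any matching allow grants access, and no matching rule means denied.
    This is the conservative reading for an audit, not the broker's full precedence."""
    matching = [
        r for r in rules
        if r["resource"] == resource
        and r["name"] in (name, "*")
        and r["operation"] == operation
        and r["ptype"] == "user"
        and (user in r["principals"] or "*" in r["principals"])
    ]
    if any(r["access"] == "deny" for r in matching):
        return False
    return any(r["access"] == "allow" for r in matching)


def audit(rules, known_users, admin_users=frozenset()):
    """Return findings: wildcard grants, principals that are not known service
    accounts, and ADMIN-connection grants to accounts outside admin_users."""
    findings = []
    for r in rules:
        if r["access"] != "allow":
            continue
        where = f"line {r['lineno']}"
        if "*" in r["principals"]:
            findings.append(f"{where}: wildcard grant to all {r['ptype']}s")
        if r["ptype"] == "user":
            for p in r["principals"]:
                if p != "*" and p not in known_users:
                    findings.append(f"{where}: unknown principal {p!r}")
        if r["resource"] == "connection" and r["name"] == "ADMIN":
            for p in r["principals"]:
                if p not in admin_users:
                    findings.append(f"{where}: ADMIN connection granted to {p!r}")
    return findings


if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for finding in audit(rules, {"lmguser", "lumuser"}, {"lmguser", "lumuser"}):
        print(finding)
```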
Custom JMS Clients
Ensure that your JMS clients contain the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ or Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server.
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install the GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps:
Note: The imqusermgr command creates users in the file-system-based user repository, but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jms.userid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default, the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.
If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled within the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier is doing all the JMS work while the portal tiers focus on the HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jms.userid>
com.sghe.luminis.imqConnectionCredentials=<jms.password>
com.sghe.luminis.imqBrokerHostName=<jms.host>
com.sghe.luminis.imqAddressList=mq://<jms.host>:7676/jms
5. The GlassFish Enterprise Server should be installed and the JMS and admin services listed in imq.service.activelist within <glassfishdomain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following command:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN-ID lookup against LDAP involved in the SSO transaction. Instead, bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in the Luminis-CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or by proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP for his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise the bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless the LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the following command from $CP_ROOT/products/opends/bin:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Click Enter to continue.
1.6 Enter Use these values.
1.7 Click F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, it indicates that no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here, and for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Please note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID to an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade, you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script, located in the $BANNER_HOME/install directory, and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user ID for a user is the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping when the IDs differ. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.

1. Create a mapping file, for example sso_map.ldif:

    dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
    SCTSSOConfigString: jsmith
    objectClass: top
    objectClass: SCTSSOConfig
    description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
    cn: JoeSmith

2. Import the mapping file into the LDAP server:

    ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline

   Replace pipeline with your own Directory Manager password. A password passed with -w is visible in the process list and in shell history; the OpenDS ldapmodify also accepts -j <file> to read it from a file that only you can read.

Note: You must wait approximately 20 minutes for the mapping to take effect.

3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.

Note: The mappings in the o=usermap tree are read once after banportals starts, when a user first accesses the Luminis Portlets for Banner, and are then cached for subsequent requests. If you change a mapping, you must restart the banportals OC4J before the new mapping is read.
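The following is an added example, not code from the guide, that builds the o=usermap entries above from a list of Luminis/Banner ID pairs. The DN suffix, object class and attribute names are the ones the guide uses for sso_map.ldif; the CSV input is constructed for this example. It skips pairs whose IDs already match (the guide says such entries are neither necessary nor recommended), reports a Luminis ID that appears twice instead of emitting two entries with the same DN, and folds and base64-encodes values the way an LDIF consumer such as ldapmodify expects.

```python
"""Build o=usermap entries for Luminis IDs that differ from their Banner IDs.

Added example, not code from the guide. DN suffix, object class and attribute
names follow the guide's sso_map.ldif; SAMPLE_CSV is constructed input.
"""
import base64
import csv
import io

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"

# Constructed sample: one identical pair, one long name, one duplicate Luminis ID.
SAMPLE_CSV = """\
luminis_id,banner_id
JoeSmith,jsmith
jdoe,jdoe
AnnaLongName,along
JoeSmith,jsmith2
"""


def ldif_attr(attr, value):
    """One LDIF attribute line; values LDIF cannot carry verbatim are base64 encoded (RFC 2849)."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def fold(line, width=76):
    """Fold a long LDIF line; continuation lines start with a single space."""
    chunks, rest = [line[:width]], line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)


def unfold(text):
    """Inverse of fold, for reading folded LDIF back (the guide's sample wraps a description)."""
    return text.replace("\n ", "")


def usermap_entry(luminis_id, banner_id):
    """Entry with the shape the guide shows for cn=JoeSmith."""
    lines = [
        ldif_attr("dn", f"cn={luminis_id},{USERMAP_BASE}"),
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        ldif_attr("cn", luminis_id),
        ldif_attr("SCTSSOConfigString", banner_id),
        ldif_attr("description",
                  f"Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {banner_id}"),
    ]
    return "\n".join(fold(line) for line in lines) + "\n"


def build_usermap_ldif(csv_text):
    """Return (ldif_text, skipped_ids, duplicates).

    duplicates holds (luminis_id, first_banner_id, later_banner_id) tuples.
    """
    entries, seen, skipped, duplicates = [], {}, [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        lum, ban = row["luminis_id"].strip(), row["banner_id"].strip()
        if not lum or not ban:
            continue
        if lum == ban:                # same ID in both systems: no mapping entry wanted
            skipped.append(lum)
            continue
        key = lum.lower()             # cn matches case-insensitively, so JoeSmith/joesmith collide
        if key in seen:
            duplicates.append((lum, seen[key], ban))
            continue
        seen[key] = ban
        entries.append(usermap_entry(lum, ban))
    return "\n".join(entries), skipped, duplicates


if __name__ == "__main__":
    ldif, skipped, dups = build_usermap_ldif(SAMPLE_CSV)
    print(ldif)
    print("skipped (same ID in both systems):", skipped)
    print("duplicate Luminis IDs:", dups)
```

Feed the resulting text to ldapmodify -a exactly as in step 2; the duplicates list is worth checking before import, because a second entry with the same cn would be rejected with "Entry Already Exists" rather than silently overriding the first mapping.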
Configure parameters using GUAUPRF

To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:

1. Log on to Banner as the BASELINE user.

2. Access GUAUPRF.

3. Navigate to the LDAP tab.

4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value becomes the default for new users who log in to Banner.

Parameter: BIND_PASSWORD
Description: The password for the bind user. It is stored in the database encrypted with DES using the encryption key you configured in an earlier step. DES does not protect the value against anyone who obtains that key, so restrict access to the key and to this GUAUPRF row as you would to the password itself.

Parameter: BIND_USER
Description: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user must also be able to search the LDAP directory to determine whether users exist; grant it no rights beyond those.

Parameter: DN
Description: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.

Parameter: SERVER
Description: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter uses the LDAP URL format, for example: ldap://myldapserver:389

Note: If you are using LDAPS, you must also configure the parameters in the SSL key (step 5). With a plain ldap:// URL the bind user's password crosses the network in the clear.

Parameter: USERMAP_OPT
Description: Usermap option. Valid values are as follows:
    L = Login ID is used for login mapping
    N = No usermap option is used

Parameter: USERMAP_PRFX
Description: Prefix for the usermap. This value is the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.

Note: These options are defined by the USERMAP_OPT parameter. The expected usermap value is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:

Parameter: LOCATION
Description: To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location of that wallet on the server, in file URL format. For example:
    file:/d:/wallet   (Windows)
    file:/u01/wallet  (Unix)

Parameter: PASSWORD
Description: The password to the wallet, stored using DES encryption with the key you created in a previous step.

Parameter: MODE
Description: The SSL authentication mode, one of the following values:
    1 - No authentication is required (SSL encryption only). The LDAP server's certificate is not checked, so this mode does not protect against a spoofed LDAP server.
    2 - One-way authentication is required: the LDAP server presents a certificate, which is verified against the trusted certificates in the wallet.
    3 - Two-way authentication is required: the client and the server verify each other's certificates.
A CAS Server Configuration

Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.

For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.

1. If you do not already have a CAS server installed, download the JA-SIG CAS server distribution.

2. Download the CAS extensions JAR file.

   A standard JAR file is available from SunGard Higher Education for modifying the CAS server. SunGard Higher Education supports the following CAS versions.

   2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center. Verify the download's integrity as published by the Support Center before you deploy it into the CAS server's WEB-INF/lib.

   2.2 Select the file that supports your version of CAS:

       SGHE_CAS_3.2.1.1_UTILS.jar / SGHE_CAS_3.2.1.1_UTILS.zip
       SGHE_CAS_3.3.1_UTILS.jar / SGHE_CAS_3.3.1_UTILS.zip

3. Unpack the SGHE_CAS_3.3.1_UTILS.zip file to a temporary location. The following steps use CAS_EXTENSION=D:\Banner_IdM_Extension for that location and SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war for the Luminis Platform CAS server location.
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:

   4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:

       jsr173_1.0_api.jar
       sghe_udc_identity_xmlbeans_binding.jar
       sghe-cas-ext.jar
       xbean.jar
       xercesImpl.jar
       xml-apis.jar

       Then open SGHE_CAS_SERVER/WEB-INF/web.xml and add the following servlet mapping, which routes /bannerValidate to the CAS dispatcher servlet:

       <servlet-mapping>
         <servlet-name>cas</servlet-name>
         <url-pattern>/bannerValidate</url-pattern>
       </servlet-mapping>

   4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:

       4.2.1 Open the uniqueIdGenerators.xml file.

       4.2.2 Inside the existing <util:map id="uniqueIdGeneratorsMap"> element, add the following entry so that tickets issued for the Banner accounts service use the service ticket generator:

             <entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />

       4.2.3 Save and close the uniqueIdGenerators.xml file.
   4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file by completing the following steps:

       4.3.1 Open the argumentExtractorsConfiguration.xml file.

       4.3.2 Add the following bean:

             <bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
             </bean>

       4.3.3 Add a reference to it in the argumentExtractors util:list, ahead of the standard extractors:

             <util:list id="argumentExtractors">
               <ref bean="BannerArgumentExtractor" />
               <ref bean="casArgumentExtractor" />
               <ref bean="samlArgumentExtractor" />
             </util:list>

       4.3.4 Save and close argumentExtractorsConfiguration.xml.

   4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file by completing the following steps:
       4.4.1 Open cas-servlet.xml and add the following bean:

             <bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
                   p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
                   p:centralAuthenticationService-ref="centralAuthenticationService"
                   p:proxyHandler-ref="proxy20Handler"
                   p:argumentExtractor-ref="BannerArgumentExtractor"
                   p:successView="bannerAccountServiceSuccessView"
                   p:failureView="bannerAccountServiceFailureView" />

       4.4.2 Add the following property to the handlerMappingC bean:

             <prop key="/bannerValidate">bannerAccountValidateController</prop>

       4.4.3 Save and close the cas-servlet.xml file.

   4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file by completing the following steps:
       4.5.1 Add entries for UDC_IDENTIFIER and Formatted Name to the attributeRepository bean:

             <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
               <property name="baseDN" value="ou=People,o=cp" />
               <property name="query" value="(uid={0})" />
               <property name="contextSource" ref="contextSource" />
               <property name="ldapAttributesToPortalAttributes">
                 <map>
                   <!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
                   <entry key="uid" value="uid" />
                   <entry key="udcid" value="UDC_IDENTIFIER" />
                   <entry key="cn" value="cn" />
                   <entry key="givenname" value="Formatted Name" />
                   <entry key="mail" value="EmailAddress" />
                 </map>
               </property>
             </bean>
       4.5.2 Add the following property inside the authenticationManager bean:

             <property name="authenticationMetaDataPopulators">
               <list>
                 <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
                   <property name="template" ref="LdapTemplate" />
                   <property name="netIdAttr" value="uid" />
                   <property name="baseDN" value="ou=People,o=cp" />
                   <property name="casTokenAttributes">
                     <map>
                       <entry>
                         <key><value>udcid</value></key>
                         <value>UDC_IDENTIFIER</value>
                       </entry>
                     </map>
                   </property>
                 </bean>
               </list>
             </property>
       4.5.3 Add the following bean definitions under the beans root element:

             <bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
               <property name="contextSource" ref="contextSource"></property>
             </bean>

             <bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
               <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
             </bean>

             <bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
               <property name="template" ref="LdapTemplate"></property>
               <property name="netIdAttr" value="uid" />
               <property name="baseDN" value="ou=People,o=cp" />
               <property name="samlToLdapAttributeNameMap">
                 <map>
                   <entry key="UDC_IDENTIFIER" value="udcid" />
                   <entry key="Formatted Name" value="sn" />
                 </map>
               </property>
             </bean>

             <bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
       4.5.4 Save and close the deployerConfigContext.xml file.

   4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties by completing the following steps:

       4.6.1 Open default_views.properties.

       4.6.2 Add the following lines:

             # Banner Applications Views
             bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
             bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView

       4.6.3 Save and close default_views.properties.

   4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
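Steps 4.5.1 through 4.5.3 map the same CAS attributes to LDAP attributes in three different beans, and nothing in CAS checks that the three agree. The following is an added example, not code from the guide, from CAS or from the SunGard CAS extension, that parses a constructed deployerConfigContext.xml fragment containing the three maps the guide shows and reports every CAS attribute whose LDAP source differs between them. Bean ids and class names are the ones in the steps above; the XML is a trimmed sample built for this check (the real file carries more beans and properties, which the parser ignores). Run on the guide's own values it flags Formatted Name, which attributeRepository reads from givenname while UDCPersonAttributeDaoUtil maps it back to sn, and confirms that UDC_IDENTIFIER resolves to udcid everywhere.

```python
"""Consistency check for the attribute maps the guide edits in deployerConfigContext.xml.

Added example, not code from the guide, CAS or the SunGard extension. SAMPLE_XML
is a constructed fragment holding the three maps from steps 4.5.1 to 4.5.3.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="ldapAttributesToPortalAttributes">
      <map>
        <entry key="uid" value="uid" />
        <entry key="udcid" value="UDC_IDENTIFIER" />
        <entry key="cn" value="cn" />
        <entry key="givenname" value="Formatted Name" />
        <entry key="mail" value="EmailAddress" />
      </map>
    </property>
  </bean>
  <bean id="authenticationManager">
    <property name="authenticationMetaDataPopulators">
      <list>
        <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
          <property name="casTokenAttributes">
            <map>
              <entry>
                <key><value>udcid</value></key>
                <value>UDC_IDENTIFIER</value>
              </entry>
            </map>
          </property>
        </bean>
      </list>
    </property>
  </bean>
  <bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
    <property name="samlToLdapAttributeNameMap">
      <map>
        <entry key="UDC_IDENTIFIER" value="udcid" />
        <entry key="Formatted Name" value="sn" />
      </map>
    </property>
  </bean>
</beans>
"""


def _local(tag):
    """Strip the Spring beans namespace so tag names compare as plain 'bean', 'map', ..."""
    return tag.rsplit("}", 1)[-1]


def read_spring_map(map_el):
    """{key: value} from a Spring <map>, accepting both <entry> forms the guide uses."""
    out = {}
    for entry in map_el:
        if _local(entry.tag) != "entry":
            continue
        key, value = entry.get("key"), entry.get("value")
        for child in entry:                      # nested <key><value>..</value></key><value>..</value>
            if key is None and _local(child.tag) == "key":
                key = "".join(child.itertext()).strip()
            elif value is None and _local(child.tag) == "value":
                value = (child.text or "").strip()
        out[key] = value
    return out


def property_map(root, bean_selector, prop_name):
    """Locate <property name=prop_name><map> under the first bean bean_selector accepts."""
    for bean in root.iter():
        if _local(bean.tag) != "bean" or not bean_selector(bean):
            continue
        for prop in bean:
            if _local(prop.tag) == "property" and prop.get("name") == prop_name:
                for child in prop:
                    if _local(child.tag) == "map":
                        return read_spring_map(child)
    raise KeyError(f"no <map> for property {prop_name}")


def cas_to_ldap_sources(xml_text):
    """CAS attribute -> LDAP attribute, as each of the three beans understands it."""
    root = ET.fromstring(xml_text)
    repo = property_map(root, lambda b: b.get("id") == "attributeRepository",
                        "ldapAttributesToPortalAttributes")          # ldap -> cas
    populator = property_map(root, lambda b: (b.get("class") or "").endswith(
        "UDCIDAuthenticationMetaDataPopulator"), "casTokenAttributes")  # ldap -> cas
    dao = property_map(root, lambda b: b.get("id") == "UDCPersonAttributeDaoUtil",
                       "samlToLdapAttributeNameMap")                 # cas -> ldap
    return {
        "attributeRepository": {cas: ldap for ldap, cas in repo.items()},
        "UDCIDAuthenticationMetaDataPopulator": {cas: ldap for ldap, cas in populator.items()},
        "UDCPersonAttributeDaoUtil": dict(dao),
    }


def find_conflicts(xml_text):
    """{cas_attr: {bean: ldap_attr}} for every CAS attribute the beans disagree about."""
    sources = cas_to_ldap_sources(xml_text)
    conflicts = {}
    for attr in sorted(set().union(*(m.keys() for m in sources.values()))):
        seen = {bean: m[attr] for bean, m in sources.items() if attr in m}
        if len(set(seen.values())) > 1:
            conflicts[attr] = seen
    return conflicts


if __name__ == "__main__":
    for attr, seen in find_conflicts(SAMPLE_XML).items():
        print(f"{attr}: " + ", ".join(f"{bean}={ldap}" for bean, ldap in seen.items()))
```

To check a deployed server, pass the text of SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml to find_conflicts; an empty result means every CAS attribute is read from, and written back to, the same LDAP attribute.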
B Logs

Banner Enterprise Identity Services logs help you understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, the secure content provider for the Luminis Channels for Banner (also known as Banner Channels for Luminis Platform). It uses a DB connection pool and secured access to data at the Banner DB level.

You can also enable debug logging for the GlassFish message queue (MQ) component.

Banportals logs

BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To raise banportals logging verbosity on the application server side, set it in the following file:

    $OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties

For example, to create a separate log file that captures details of the channel Web Proxy activity, edit log4j.properties as follows:

    log4j.appender.stdout=org.apache.log4j.ConsoleAppender
    log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
    log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
    log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
    log4j.appender.logfile.append=True
    log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
    log4j.appender.logfile.MaxBackupIndex=10
    log4j.appender.logfile.MaxFileSize=1MB
    log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
    log4j.appender.logfile=org.apache.log4j.RollingFileAppender
    log4j.rootCategory=DEBUG, logfile

Debug output from a web proxy can include request URLs, headers and session identifiers, so treat the resulting file as sensitive and return to a lower level once you have finished.
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:

    $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties

Alternatively, you can add the following to the common log4j.properties stored in the following location:

    $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties

    log4j.logger.com.sct.bannerportals=DEBUG, file
    log4j.logger.com.sghe.luminis.banner=DEBUG, file

If you are not actively debugging, lower the verbosity to ERROR level.

Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log:

    $OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1

There are also several application-specific logs you can refer to, for example:

    [/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
    ./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
    ./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
    ./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
    ./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
    ./log/identity_data_export_utilities.log
    ./log/BEIS_default_island_1/default-web-access.log
    ./log/BEIS_default_island_1/server.log
    ./log/BEIS_default_island_1/global-application.log
    ./log/BEIS_default_island_1/rmi.log
    ./log/BEIS_default_island_1/jms.log
    ./log/spml_publisher_failure.log
    ./log/sqlnet.log

For HTTP-layer monitoring, refer to the logs in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j configuration file, such as log4j.properties, which you can use to configure them.

You can also configure logging through Oracle Enterprise Manager (OEM) for the Oracle Application Server (OAS). OEM usually runs on port 1156 (the guide's sample login is ias_admin/manager1, a default that must not survive installation on any reachable server). Through this interface you can stop, start and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.

Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you can specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; they take effect after the next restart of that component.

GlassFish MQ and Luminis Platform Message Brokerage logs

Logs are placed in the following directory, assuming the default domain:

    /opt/glassfishv3/glassfish/domains/domain1/logs

To adjust the verbosity of jms.log, edit imq.log.level in the following file:

    /opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties

Other GlassFish server-level logging is adjusted in the following file:

    /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties

Within Luminis Platform, to create a separate logger for the JMS message listener package, add the following to the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:

    # JMS Appender
    log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
    log4j.appender.jms=org.apache.log4j.RollingFileAppender
    log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
    log4j.appender.jms.layout=org.apache.log4j.PatternLayout
    log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
    log4j.appender.jms.MaxFileSize=10MB
    log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.

Learning Management Gateway (LMG) logs

Once an event has been processed in Banner and its status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) in the LMG log files.

The main LMG log files are as follows:

    $SCT_LMG_HOME/Events/logs/adapter.log
    $SCT_LMG_HOME/Events/logs/ldi_event_data.log
    $SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)

The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.

To debug LMG for events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:

    log4j.rootCategory=DEBUG
    log4j.category.com=DEBUG, out
    log4j.category.com.sct.corp.events.MessageAdapter=DEBUG

Once these properties are set, restart LMG, reproduce the issue and capture the logs listed above. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type. The event data logs contain the event payloads themselves, which carry student and course records; protect them accordingly and remove them once the issue is resolved.

If LMG processed the files successfully, you see messages in the log files similar to the following example:

    2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
    2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
    2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
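The three lines above are the trail a healthy event leaves in adapter.log, and the question during an incident is usually which stage a given Event Sequence reached. The following is an added example, not code from the guide or from LMG, that parses those lines and reports events that were validated but never published to the broker, together with any ERROR lines logged after them. The line layout and the three message texts are taken from the sample above; the log excerpt is constructed for this example and adds a second event (370661) that stalls before the broker.

```python
"""Trace GOAEQRM events through the LMG adapter.log.

Added example, not part of the guide or of LMG. Line layout and stage messages
follow the guide's sample; SAMPLE_LOG is constructed and includes one event
(370661) that is validated but never published.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Each stage is proven by one message; (?P<id>) is the Event Sequence shown on GOAEQRM.
STAGES = (
    ("validated", re.compile(r"XML for (?P<id>\d+) is a valid document")),
    ("published", re.compile(r"Message (?P<id>\d+) published to Luminis Message Broker")),
    ("routed", re.compile(r"The event (?P<id>\d+) has been published to (?P<dest>\S+)")),
)

SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,004 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,210 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - broker connection refused
"""


def parse_adapter_log(log_text):
    """Return ({event_id: {"stages": {stage: timestamp}, "dest": str or None}}, [unparsed lines])."""
    events = defaultdict(lambda: {"stages": {}, "dest": None})
    unparsed = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            unparsed.append(raw)
            continue
        for stage, pattern in STAGES:
            sm = pattern.search(m["msg"])
            if sm is None:
                continue
            event = events[sm["id"]]
            event["stages"][stage] = m["ts"]
            if "dest" in sm.groupdict():
                event["dest"] = sm["dest"]
    return dict(events), unparsed


def stuck_events(log_text):
    """Event IDs that LMG validated but never published to the message broker."""
    events, _ = parse_adapter_log(log_text)
    return sorted(eid for eid, ev in events.items()
                  if "validated" in ev["stages"] and "published" not in ev["stages"])


def errors_after(log_text, event_id):
    """ERROR messages logged at or after the moment the event was validated."""
    events, _ = parse_adapter_log(log_text)
    start = events.get(event_id, {"stages": {}})["stages"].get("validated")
    if start is None:
        return []
    found = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m and m["level"] == "ERROR" and m["ts"] >= start:   # fixed-width timestamps sort as text
            found.append(m["msg"])
    return found


if __name__ == "__main__":
    for eid in stuck_events(SAMPLE_LOG):
        print(f"event {eid} never reached the broker; errors since validation:")
        for msg in errors_after(SAMPLE_LOG, eid):
            print("   ", msg)
```

Point it at the real $SCT_LMG_HOME/Events/logs/adapter.log after reproducing the problem; an event that is listed by stuck_events but shows status 2 (Processed) on GOAEQRM localizes the fault to LMG or the broker connection rather than to Banner.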
GlassFish MQ 4.5 logs

If you see that an event is passing through LMG correctly yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:

1. Locate the default MQ logs, stored in the following location:

    <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log

2. To enable debug for those logs, run the following command:

    imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG

   This has the same effect as adding or editing the following property in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:

    imq.log.level=DEBUG

3. To change the destination directory or file name for the MQ log, add or edit the following properties in the same file:

    imq.log.file.dirpath=/opt/luminis/logs
    imq.log.file.filename=mb-broker.log
C Sample Scripts and Files

This appendix contains examples of scripts and LDIF files you might use during the integration:

• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"

Sample proxyinfo.sql script

The following is an example proxyinfo.sql script:

    --------------------------------------------------------------
    -- PROXYINFO.SQL
    --------------------------------------------------------------
    -- This script can be used to determine what Oracle ID is
    -- connected to a specific Luminis ID. When run, it will
    -- prompt you to enter a Luminis ID. If a generic Oracle ID
    -- such as INTEGMGR or WWW_USER is returned, then there was
    -- no mapping found and the default is used.
    --------------------------------------------------------------
    --------------------------------------------------------------
    -- Program Usage:
    -- ___________________________________________________________
    -- To use the program:
    --   1) login to SQL as BANINST1
    --   2) Type "start proxyinfo"
    --      to run the program
    --------------------------------------------------------------
    --------------------------------------------------------------
    -- Audit Trail 1.0
    -- ___________________________________________________________
    -- 1. Initial Release - NON-SUPPORTED PROCESS        TH 07-JUN-06
    --
    -- Audit Trail 1.1
    -- ___________________________________________________________
    -- 1. Update                                          TH 06-APR-07
    --    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
    --------------------------------------------------------------
    set serveroutput on scan on
    spool proxyinfo.lst
    declare
      a varchar2(200) := 'CHANNEL';
      b varchar2(200) := 'LUMINIS';
      c varchar2(200) := '&Luminis_ID';
      d varchar2(200);
      e varchar2(200);
      f varchar2(200);
      z varchar2(200);
    begin
      dbms_output.put_line('Call G$_Get_Proxy_Info');
      gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
      dbms_output.put_line(' Role: ' || e);
      -- f holds the proxy password; keep this line commented so the
      -- password is never written to the proxyinfo.lst spool file.
      --dbms_output.put_line(' PWD: ' || f);
      dbms_output.put_line(' Luminis User: ' || c);
      dbms_output.put_line(' Oracle User: ' || d);
    end;
    /
    spool off

Sample 00-core.ldif

The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

    attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif

The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

    attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Sample sso_oclass_lum5.ldif

The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After you import the following LDIF, 00-core.ldif and 99-user.ldif should contain the definitions shown in their respective sections. Once those entries are in the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.

The following is a sample sso_oclass_lum5.ldif:

    dn: cn=Schema
    changetype: modify
    add: attributetypes
    attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

    dn: cn=Schema
    changetype: modify
    add: objectclasses
    objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers from an arc your institution controls, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif

The following is a sample o=sctssoapplications.ldif file:

    version: 1

    dn: o=SCTSSOapplications
    objectClass: top
    objectClass: organization
    o: SCTSSOapplications
    description: SCT SSO Application Configurations

    dn: o=Banner,o=SCTSSOapplications
    objectClass: top
    objectClass: organization
    o: Banner
    description: Banner Application Configurations for SSO

    dn: o=config,o=Banner,o=SCTSSOapplications
    objectClass: top
    objectClass: organization
    o: config
    description: Banner Application Configurations for SSO

    dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
    objectClass: SCTSSOConfig
    objectClass: top
    cn: UserMapDN
    description: DN of User Map where the Luminis user is not the same as the Banner user
    SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

    dn: o=usermap,o=Banner,o=SCTSSOapplications
    objectClass: top
    objectClass: organization
    o: usermap
    description: Banner Application User Mappings

    dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
    objectClass: SCTSSOConfig
    objectClass: top
    cn: 610009611
    description: Map of 610009611 to saisusr
    SCTSSOConfigString: saisusr

    dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
    objectClass: SCTSSOConfig
    objectClass: top
    cn: kyle
    description: Map of kyle to saisusr
    SCTSSOConfigString: saisusr

Both sample mappings point different Luminis IDs (610009611 and kyle) at the same Banner user, saisusr. Each such entry gives that Luminis account whatever Banner access saisusr has, so review many-to-one mappings deliberately before importing them.

Full lp5_mqinit.sh script

The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below. It uses bash features ([[ ]], (( )) and read -s), so run it with bash as its debug note suggests, even though the first line names /bin/sh.

#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
# (-x echoes every expanded command, Directory Manager password included,
# so do not redirect that output to a file you keep).
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables, before running script.
# Replace the placeholder passwords: they become the userPassword values
# written to OpenDS in steps 6 and 7.
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized:
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable.
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      #   err=20 generally means "Attribute or Value Exists"
      #   err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun):
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}

# Step 01:
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d $OPENDS_DIR ) || ! ( -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02:
# Prompt [no screen echo] for DM password.
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Note: -w places the password in each tool's argument list, where other
# local users can read it with ps; the OpenDS tools also accept -j <file>.
# --trustAll skips verification of the OpenDS administration certificate,
# which is acceptable only while HOSTNAME is this machine.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options.
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1:
# Create a new base-dn within backend userRoot.
cd "$CP_ROOT/products/opends/bin" || exit 1
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2:
# Ensure that pre-encoded passwords are allowed.
# This lets anyone who can write userPassword supply a ready-made hash,
# bypassing the password policy; it is only needed if you use the
# pre-encoded form shown after STEP 6.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3:
# Add $OPENDS_MQ_BASEDN.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4:
# Add ou=People to $OPENDS_MQ_BASEDN.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5:
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6:
# Add $MQ_LMG_USER.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# If you want to insert a pre-encoded userPassword, the format would be
# (base64 of an {SSHA} value, hence the double colon):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7:
# Add the $MQ_LUM_USER user.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8:
# Add LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
# Note: targetattr="*" covers every user attribute in the subtree, userPassword
# included, so this user can read the other broker user's password hash;
# use targetattr!="userPassword" unless that is intended.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9:
# Add LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands.
# Note: this binds as Directory Manager over INSECURE_LDAP_PORT (389) with a
# simple bind, so the DM password crosses the network in the clear unless
# HOSTNAME resolves to this machine.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options:
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options:
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10:
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
# The lookup names are single-quoted so the shell does not expand "$com_..." as a variable.
cd "$MQ_HOME/bin" || exit 1
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o 'imqDestinationName=com_sct_ldi_sis_EntityEvents' $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11:
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration.
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o 'imqDestinationName=com_sct_ldi_sis_Error' $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12:
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration.
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o 'imqDestinationName=com_sct_ldi_sis_LmsSync' $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13:
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration.
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o 'imqDestinationName=com_sct_ldi_sis_Sync' $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
STEP 14
Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateRequest -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 15
Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateReply -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 16
Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 17
Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 18
Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
er 2011 Luminis Platform 503 C-13Banner Integration Setup Guide
Sample Scripts and Files
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
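As an added example (not part of the guide or of the lp5_mqinit.sh script), the following Python script parses the variable assignments and imqobjmgr add lines of a script fragment written in the same style and checks two things the steps above depend on: that each destination's JNDI lookup name (cn=topic$X or cn=queue$X) agrees with its -t type and its imqDestinationName, and that a TLS connection factory is paired with an https tunnel URL while a TCP factory uses http. The host name, ports and the two deliberate faults in the fragment are constructed for the example.

```python
"""Lint the 'imqobjmgr add' lines of an lp5_mqinit.sh-style script."""
import re
import shlex

# Constructed script fragment for the example (placeholder host and ports).
# It intentionally contains two faults: the UpdateRequest queue points at the
# Sync destination, and the TLS factory is given an http (not https) tunnel URL.
SAMPLE_SCRIPT = r"""
HOSTNAME=mq.example.edu
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP"
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS"
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_Sync
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $CONNFACTORY_TCP_OPTS
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $CONNFACTORY_TLS_OPTS
"""

VAR = re.compile(r"\$(\w+)")


def expand(text, env):
    """Expand $NAME only for variables the script itself defined, so the
    literal topic$.../queue$... lookup names are left untouched."""
    return VAR.sub(lambda m: env.get(m.group(1), m.group(0)), text)


def parse_script(text):
    """Return the administered objects as dicts: {'type', 'lookup', 'attrs'}."""
    env, objects = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        assign = re.match(r"^(\w+)=(.*)$", line)
        if assign:
            name, value = assign.groups()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]  # strip the shell quotes around the value
            env[name] = expand(value, env)
            continue
        if not line.startswith("imqobjmgr add"):
            continue
        argv = shlex.split(expand(line, env))
        obj = {"type": None, "lookup": None, "attrs": {}}
        i = 2  # skip "imqobjmgr add"
        while i + 1 < len(argv):
            flag, arg = argv[i], argv[i + 1]
            if flag == "-t":
                obj["type"] = arg
            elif flag == "-l":
                obj["lookup"] = arg
            elif flag in ("-o", "-j"):
                key, _, val = arg.partition("=")
                obj["attrs"][key] = val
            i += 2
        objects.append(obj)
    return objects


DEST_NAME = re.compile(r"^cn=(topic|queue)\$(\S+)$")


def check(objects):
    """Return human-readable findings; an empty list means the objects are consistent."""
    findings = []
    for obj in objects:
        lookup, attrs, kind = obj["lookup"], obj["attrs"], obj["type"]
        if kind in ("t", "q"):
            m = DEST_NAME.match(lookup or "")
            if not m:
                findings.append(f"{lookup}: lookup name is not cn=topic$X or cn=queue$X")
                continue
            prefix, name = m.groups()
            if prefix[0] != kind:
                findings.append(f"{lookup}: -t {kind} does not match the {prefix}$ prefix")
            dest = attrs.get("imqDestinationName")
            if dest != name:
                findings.append(f"{lookup}: imqDestinationName={dest} but lookup names {name}")
        elif kind in ("tf", "qf"):
            ctype = attrs.get("imqConnectionType")
            scheme = attrs.get("imqConnectionURL", "").partition("://")[0]
            wanted = {"TLS": "https", "TCP": "http"}.get(ctype)
            if wanted and scheme != wanted:
                findings.append(f"{lookup}: imqConnectionType={ctype} but imqConnectionURL uses {scheme}://")
    return findings


if __name__ == "__main__":
    for finding in check(parse_script(SAMPLE_SCRIPT)):
        print(finding)
```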
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect-through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, run as bansecr, described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=... in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE' (the statement as printed in that guide is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
Luminis Banner Web application
This Web application contains all the Banner portlets to be deployed as part of Luminis Platform. You must deploy and edit the WAR file for all Luminis Platform instances, including the Admin tier and each Portal tier.
Use the following steps to deploy these portlets:
1. Make the necessary changes to certain properties located in the following folders:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes
$CP_ROOT/products/tomcat/tomcat-portal/webapps/luminis-banner/WEB-INF/classes
2. The properties that need to be modified with respect to the Banner portlets are as follows:
# The URL to access the Banner Portal Servlet
# Example: https://lcban3.sungardhe.com:7778/banportals
providerServlet.url=<URL for the banportals application>
# The user name to secure the servlet
providerServlet.userName=channelAdmin
# The password to secure the servlet
providerServlet.password=u_pick_it
version=development
# The SSB URL for the English locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.en_US=<The URL for the English locale for SSB>
# The SSB URL for the French locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.fr_FR=<The URL for the French locale for SSB>
# The SSB URL for the Spanish (Mexican) locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.es_MX=<The URL for the Spanish-Mexican locale for SSB>
# The SSB URL for the Arabic locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
# The SSB URL for the Brazilian locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
# The BEIS version: either 8.1.4 (for versions that are <= 8.1.4) or 8.1.5
beis.version=8.1.4
# The banner-cas-client URL for SSB, in case BEIS <= 8.1.4 is used
banner.cas.client.ssb=/banner-cas-client/authorized/bannerSelfService
# The banner-cas-client URL for INB, in case BEIS <= 8.1.4 is used
banner.cas.client.inb=/banner-cas-client/authorized/bannerOracleForms?launch_form=
# The URL for SSB for SSO Manager, in case BEIS 8.1.5 is used (note that the parameter pkg has to be the same as configured in SSO Manager)
beis.ssomanager.ssb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/SSB?pkg=
# The URL for INB for SSO Manager, in case BEIS 8.1.5 is used
beis.ssomanager.inb=http://<ssomanagerhost>:<ssomanagerport>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner
The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) Application server.
This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server and modifications to be made to the deployment of the Luminis Platform portlet for Banner Server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.
For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki:
http://www.edu1world.org/CommonsLuminis
This section includes the following topics:
• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"
Create the home directory for Luminis Channels for Banner
To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels
Copy the contents of your Banner production directory's channel/admin subdirectory to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.
Edit the configuration file
Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following table specifies descriptions and examples of the Banner database connection configuration properties.
Property | Description | Example
connectionName.list | Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName, and the other default.* properties. | connectionName.list=default or connectionName.list=default,other
default.tnsName | TNS Name used when connecting to the Banner database. | default.tnsName=LB70.sct.com
default.userName | Connection pool user name. | default.userName=banproxy
default.password | Connection pool password. | default.password=banproxy
default.poolConfig.min-limit | Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended. | default.poolConfig.min-limit=1
default.poolConfig.max-limit | Maximum number of physical connections maintained by the pool. | default.poolConfig.max-limit=5
default.poolConfig.increment | Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested. | default.poolConfig.increment=1
default.poolConfig.timeout | The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is in seconds. | default.poolConfig.timeout=30
log4j.rootCategory | The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to <ORACLE_HOME>/opmn/<oc4j instance>/logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout. | (see description)
providerServlet.url | URL to access the Banner portal servlet. This is the URL of the webserver and points to the OC4J servlet, which resides on the webserver machine. The port of 4445 in the document is an example. You provide the port number that routes you to the welcome page of the webserver, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. Reference "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL. | (see description)
providerServlet.userName | User name to secure the servlet. | providerServlet.userName=channelAdmin
providerServlet.password | Password used to secure the servlet. | providerServlet.password=u_pick_it
xsl-parameter.erpUrlBase | URL for the INB server. Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL in the example. | xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D
xsl-parameter.urlHostAndPath | URL for the self-service application. | xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD/
The recommended value for the username is channelAdmin. You can use any value for the password.
This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a Channel request, it compares the username and password stored in banportals.ear with the username and password sent by Luminis from the luminis-banner webapp. Thus, the providerServlet username and password should only be defined in the banportals.config file. There does not need to be any corresponding OS user, Oracle user, and so forth.
Generate the banportals.ear file
The banportals.config file contains values that should be inserted into the banportals.ear file.
To roll out the changes, an installer file, banportalsadmin.jar, is used. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager as described in "Deploy the EAR file" on page 2-15.
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use the Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) server using mapped drives or symbolic links to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the application currently being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places a Banner Portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP username mapping first, based on the GUAUPRF LDAP settings, then fail over to the mapping set in the Banner GOBEACC mapping. For more information about SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for use with Banner Integration for e-Learning. It supports Banner Integration for eLearning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ-wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5, these components have been deprecated in favor of using the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise/Spring-Framework Application Server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish OpenMQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the .../imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.
You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the OpenMQ community in general. In this document, it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. You must verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows:
mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following code to .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway; export SCT_LMG_HOME
3. Copy the lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgXx.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may appear as follows:
java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on the command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that OpenDS LDAP resides on the same server as the GlassFish installation. The script will bind as cn=Directory Manager and make modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script will create users and administered objects, such as topics, queues, and connection factories, in $OPENDS_MQ_BASEDN (generally o=messaging). The properties include the following:
• Environmental settings include the following:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist as follows:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, then use the imq.portmapper.port, which has a default value of 7676:
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. The MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181:
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSLJMS connection.
• Other settings, which should only be modified in non-standard configurations, include the following:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update the ltglassfishdomaingtimqinstancesimqbrokerpropsconfigproperties to include the following properties
imqauthenticationtype=basic
imqauthenticationbasicuser_repository=ldap
imquser_repositoryldapuidattr=cn
imquser_repositoryldapgrpsearch=false
imquser_repositoryldapserver=localhost389
imquser_repositoryldapbase=ou=Peopleo=messaging
imquser_repositoryldapprincipal=cn=ltusergtou=Peopleo=messaging
imquser_repositoryldappassword=ltpasswordgt
The ltusergt and ltpasswordgt variables should represent a privileged user in ou=People o=messaging Both the MQ_LMG_USER and MQ_LUM_USER qualify whether you ran lp5_mqinitsh since they are specifically granted read search and compare privileges in o=messaging
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
    imq.destination.logDeadMsgs=true
    imq.log.file.dirpath=<path>/logs
    imq.log.file.filename=mb-broker.log
    imq.log.file.rolloverbytes=1048576
    imq.log.file.rolloversecs=0
    imq.log.level=ERROR
Change the last property, imq.log.level, to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control

Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.
    connection.ADMIN.allow.user=lumuser,lmguser
    queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
    queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
    topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
    topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
    topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
    topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
    topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
    topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
    topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
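The following checker is an added example, not part of this guide or of the Ellucian product: it parses an accesscontrol.properties file in the rule format shown above and reports grants that are broader than the per-destination permissions recommended here. The sample file, the expected user set and the rule-key parsing are this example's own assumptions.

```python
"""Audit an Open MQ accesscontrol.properties for over-broad grants.

Added example, not from the guide or from Ellucian. It parses rules shaped like
    <type>.<destination>.<operation>.allow|deny.user|group=<principal>[,<principal>...]
and reports allow rules granted to '*', allow rules naming users outside the set you
expect (here the LMG and Luminis users), and wildcard destinations, so a reviewer can
confirm the queue/topic-specific permissions recommended above are really in place.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample: the destination rules from the guide, followed by two
# over-broad rules of the kind left behind when the stock file is not trimmed.
SAMPLE_ACL = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
# leftover wildcard grants (constructed)
connection.NORMAL.allow.user=*
topic.*.consume.allow.user=*
"""

EXPECTED_USERS = {"lmguser", "lumuser"}


@dataclass(frozen=True)
class Rule:
    kind: str            # connection | queue | topic
    target: str          # service name for connection rules, else destination name
    operation: str       # connect | produce | consume | browse | create
    action: str          # allow | deny
    principal_type: str  # user | group
    principals: Tuple[str, ...]


def parse_rules(text: str) -> List[Rule]:
    """Parse accesscontrol.properties lines into Rule objects (comments skipped)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        if len(parts) < 4 or parts[-2] not in ("allow", "deny"):
            raise ValueError(f"unrecognised rule key: {key!r}")
        kind, middle, action, ptype = parts[0], parts[1:-2], parts[-2], parts[-1]
        if kind == "connection":
            target, operation = middle[0], "connect"
        elif len(middle) == 1:  # e.g. queue.create.allow.user: no destination part
            target, operation = "*", middle[0]
        else:  # destination may itself contain dots, so rebuild it from the middle
            target, operation = ".".join(middle[:-1]), middle[-1]
        principals = tuple(p.strip() for p in value.split(",") if p.strip())
        rules.append(Rule(kind, target, operation, action, ptype, principals))
    return rules


def audit(rules: List[Rule], expected_users: Set[str]) -> List[str]:
    """One finding per over-broad allow rule; an empty list means the file is tight."""
    findings: List[str] = []
    for r in rules:
        if r.action != "allow":
            continue
        where = f"{r.kind}.{r.target}.{r.operation}"
        if "*" in r.principals:
            findings.append(f"{where}: granted to every {r.principal_type} ('*')")
        elif r.principal_type == "user":
            unknown = sorted(set(r.principals) - expected_users)
            if unknown:
                findings.append(f"{where}: unexpected users {unknown}")
        if r.kind != "connection" and r.target == "*":
            findings.append(f"{where}: wildcard destination")
    return findings


def audit_text(text: str, expected_users: Set[str]) -> List[str]:
    return audit(parse_rules(text), expected_users)


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_ACL, EXPECTED_USERS):
        print(finding)
```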
Custom JMS Clients

Ensure your JMS clients carry the same versions of jms.jar and imq.jar in their classpath as any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform

The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services and so on. When encountering problems with GlassFish/MQ/Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa
In most cases installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server.
1. Download and install JDK 1.6.x.
   Downloads and documentation can be obtained at the following URL:
   http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
   http://glassfish.java.net
   For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
   Use the following steps to configure GlassFish and MQ.
   2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
   Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
   2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
   To create a JMS user, complete the following steps.
   Note: The imqusermgr command creates users in the file-system based user repository and can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details, or contact the Luminis-Integration ActionLine for additional help.
   3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
       imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
   3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
       imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for other services, as illustrated below:
    telnet localhost 7676
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    101 imqbroker 4.5
    cluster_discovery tcp CLUSTER_DISCOVERY 0
    portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
    jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
    admin tcp ADMIN 39925
    jms tcp NORMAL 42103
    mqdirect2 none NORMAL 0
    jmsdirect none NORMAL 0
    cluster tcp CLUSTER 37453
    .
    Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
    imq.admin.tcp.port=7574
    imq.jms.tcp.port=7575
    imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
    [root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
    Trying 1492421528...
    Connected to userportal.sungardhe.com (1492421528).
    Escape character is '^]'.
    101 imqbroker 4.5
    cluster_discovery tcp CLUSTER_DISCOVERY 0
    portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
    jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
    admin tcp ADMIN 7574
    jms tcp NORMAL 7575
    httpsjms https NORMAL 0
    mqdirect2 none NORMAL 0
    jmsdirect none NORMAL 0
    cluster tcp CLUSTER 50627
    .
    Connection closed by foreign host.
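As an added example (not part of this guide), the following script parses a saved portmapper reply like the two captures above and reports any service whose advertised port does not match the static port configured in config.properties; the sample reply, the host name in it and the expected-port table are constructed for the example.

```python
"""Verify that an Open MQ broker advertises the configured static ports.

Added example, not from the guide. It parses the table the broker's portmapper
returns on port 7676 (the text captured by the telnet test above) and compares the
admin/jms/ssljms ports with the imq.*.port values set in config.properties. A port of
0 means the service is not listening on a socket; any other value that differs from
the configured one means the broker is still handing out ephemeral ports, which a
firewall rule written for the static ports would silently block.
"""
from typing import Dict, List, Tuple

# Constructed sample in the portmapper format of the capture above, with the jms
# service still on an ephemeral port and no ssljms service advertised.
SAMPLE_PORTMAPPER_REPLY = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://broker.example.edu/jndi/rmi://broker.example.edu:8686/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 42103
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
.
"""

# Static ports as configured above via imq.admin.tcp.port, imq.jms.tcp.port and
# imq.ssljms.tls.port, keyed by the service names the portmapper reports.
EXPECTED_PORTS = {"admin": 7574, "jms": 7575, "ssljms": 7576}

Service = Tuple[str, str, int]  # (protocol, service type, port)


def parse_portmapper(reply: str) -> Dict[str, Service]:
    """Map each advertised service name to (protocol, type, port)."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip() and ln.strip() != "."]
    if not lines or lines[0].split()[0] != "101":
        raise ValueError(f"unexpected portmapper banner: {lines[:1]!r}")
    services: Dict[str, Service] = {}
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) < 4 or not fields[3].isdigit():
            raise ValueError(f"malformed service line: {ln!r}")
        name, protocol, svc_type, port = fields[:4]  # trailing [key=value] data ignored
        services[name] = (protocol, svc_type, int(port))
    return services


def check_static_ports(services: Dict[str, Service], expected: Dict[str, int]) -> List[str]:
    """Return one problem per expected service not on its static port; [] means all good."""
    problems: List[str] = []
    for name, want in expected.items():
        if name not in services:
            problems.append(f"{name}: service not advertised by the broker")
            continue
        protocol, _, got = services[name]
        if got == 0:
            problems.append(f"{name}: advertised with port 0 (not listening over {protocol})")
        elif got != want:
            problems.append(f"{name}: listening on {got}, configured static port is {want}")
    return problems


if __name__ == "__main__":
    for problem in check_static_ports(parse_portmapper(SAMPLE_PORTMAPPER_REPLY), EXPECTED_PORTS):
        print(problem)
```

Paste the lines between the banner and "Connection closed by foreign host" from your own telnet session into SAMPLE_PORTMAPPER_REPLY to check a real broker.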
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.
If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled within the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.
For example, the settings may appear as follows:
    com.sghe.luminis.jms.type=sun
    isMessageBrokerEnabled=true
    com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
    com.sghe.luminis.imqConnectionCredentials=<jmspassword>
    com.sghe.luminis.imqBrokerHostName=<jmshost>
    com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
   5.1 To query the broker, run the following command:
       cd <glassfish>/mq/bin
       imqcmd query bkr -b <localhost>
   5.2 To ensure the JMS service is active, run the following command:
       imqcmd query svc -b <localhost> -n jms
   5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
   To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
       <jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
         <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
       </jms-service>
   After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration

This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"

User ID mappings

User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN-ID lookup against LDAP involved in the SSO transaction. Instead, bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in the Luminis-CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with banportals for each transaction, using the user's actual INB/Oracle user account or, by proxy, BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP from his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnig web configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN

To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the dsconfig command from $CP_ROOT/products/opends/bin as follows:
       dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
   1.1 Select userRoot.
   1.2 Select base-dn.
   1.3 Select "Add one or more values".
   1.4 Enter the DN. For example, enter o=SCTSSOapplications.
   1.5 Press Enter to continue.
   1.6 Enter "Use these values".
   1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
       ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
   For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications" sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
       import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script

The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, it indicates that no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups

In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for INB channels such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key

When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key or password to perform the encryption.
Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in DBA_DIRECTORIES and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
   Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
   The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
   Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
       sqlplus /nolog
       connect general/general_password
       start banssodir
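The following validator is an added example, not part of this guide or of Banner: it checks the contents of an enckey file against the key rules given in step 3 and shows which part of the key the current DES encryption actually consumes. The sample keys are constructed; how Banner pads a short key to 24 characters is not stated above, so no padding is modelled.

```python
"""Check an enckey file against the rules stated above for the GOKKSSO key.

Added example, not from the guide or Ellucian. It applies the stated rules (the key
starts in column 1, mixes letters and digits, is at least eight characters long and a
multiple of eight, and only the first 24 characters are used) and shows which part of
the key the current DES encryption actually consumes, so you can see how much of a
long key is dead weight. How Banner pads a short key to 24 is not described above, so
no padding is modelled here.
"""
from typing import List, Tuple

DES_KEY_CHARS = 8    # characters the current DES encryption uses
MAX_USED_CHARS = 24  # GOKKSSO reads at most this many (sized for a future DES3 key)


def read_key(file_text: str) -> str:
    """The key is the first line of enckey; the line terminator is not part of it."""
    return file_text.split("\n", 1)[0].rstrip("\r")


def validate_enckey(file_text: str) -> List[str]:
    """Return the rule violations for an enckey file's contents; [] means acceptable."""
    key = read_key(file_text)
    problems: List[str] = []
    if key != key.lstrip():
        problems.append("key must start in column 1 (leading whitespace found)")
    if len(key) < DES_KEY_CHARS:
        problems.append(f"key has {len(key)} characters; at least {DES_KEY_CHARS} are required")
    elif len(key) % DES_KEY_CHARS != 0:
        problems.append(f"key length {len(key)} is not a multiple of {DES_KEY_CHARS}")
    if not (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)):
        problems.append("key must combine letters and numbers")
    if len(key) > MAX_USED_CHARS:
        problems.append(f"only the first {MAX_USED_CHARS} characters are used; "
                        f"{len(key) - MAX_USED_CHARS} trailing characters are ignored")
    return problems


def used_key_material(key: str) -> Tuple[str, str]:
    """(characters DES uses today, characters a DES3 key would use)."""
    return key[:DES_KEY_CHARS], key[:MAX_USED_CHARS]


if __name__ == "__main__":
    # Constructed sample file contents, including the guide's own example of PASSWORD.
    for sample in ("PASSWORD\n", "Pa55word\n", " Pa55wor\n", "Pa55word" * 4 + "\n"):
        print(repr(sample), validate_enckey(sample) or ["ok"])
```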
Create entries in LDAP for usermap

If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
    o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
    Luminis ID = jsmith
    Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
    Luminis ID = JoeSmith
    Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
       dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
       SCTSSOConfigString: jsmith
       objectClass: top
       objectClass: SCTSSOConfig
       description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
       cn: JoeSmith
2. Import the mapping file into the LDAP server:
       ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
   Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
   Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart banportals OC4J before the mapping is read again.
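The following generator is an added example, not part of this guide or of Banner: it produces sso_map.ldif entries in the layout shown in step 1 for a list of (Luminis ID, Banner ID) pairs, skipping pairs whose IDs already match, and reads an LDIF back so the loaded mappings can be compared with the intended ones. The restriction of IDs to characters that need no LDIF escaping is this example's own choice, and the sample pairs are constructed.

```python
"""Build and verify o=usermap LDIF entries for Luminis IDs that differ from Banner IDs.

Added example, not from the guide or Ellucian. build_usermap_ldif emits one
SCTSSOConfig entry per (Luminis ID, Banner/Oracle ID) pair in the form shown above,
skips pairs whose IDs already match (no entry is needed or recommended then), and
rejects a Luminis ID that appears twice, since two entries would share the same cn
under o=usermap. parse_usermap_ldif reads such a file back so you can diff what was
loaded against what you intended.
"""
import re
from typing import Dict, Iterable, List, Tuple

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
# Conservative rule chosen for this example: limit IDs to characters that need no DN
# or LDIF escaping, so an odd ID can never change the meaning of the generated DN.
_SAFE_ID = re.compile(r"^[A-Za-z0-9._-]+$")


def _check_id(label: str, value: str) -> str:
    if not _SAFE_ID.match(value):
        raise ValueError(f"{label} {value!r} contains characters that would need LDIF escaping")
    return value


def usermap_entry(luminis_id: str, banner_id: str) -> str:
    """One SCTSSOConfig entry in the layout of the sso_map.ldif file above."""
    _check_id("Luminis ID", luminis_id)
    _check_id("Banner ID", banner_id)
    return "\n".join([
        f"dn: cn={luminis_id},{USERMAP_BASE}",
        f"SCTSSOConfigString: {banner_id}",
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        f"description: Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {banner_id}",
        f"cn: {luminis_id}",
    ]) + "\n"


def build_usermap_ldif(pairs: Iterable[Tuple[str, str]]) -> str:
    """Entries for every pair whose IDs differ, separated by blank lines as LDIF requires."""
    seen = set()
    entries: List[str] = []
    for luminis_id, banner_id in pairs:
        if luminis_id in seen:
            raise ValueError(f"duplicate Luminis ID {luminis_id!r}: cn must be unique under {USERMAP_BASE}")
        seen.add(luminis_id)
        if luminis_id == banner_id:
            continue  # identical IDs need no usermap entry
        entries.append(usermap_entry(luminis_id, banner_id))
    return "\n".join(entries)


def parse_usermap_ldif(text: str) -> Dict[str, str]:
    """Read entries back into {Luminis cn: Banner ID}; entries end at a blank line."""
    mapping: Dict[str, str] = {}
    cn = banner = None
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cn is not None and banner is not None:
                mapping[cn] = banner
            cn = banner = None
            continue
        attr, _, value = line.partition(":")
        if attr == "cn":
            cn = value.strip()
        elif attr == "SCTSSOConfigString":
            banner = value.strip()
    return mapping


if __name__ == "__main__":
    # Constructed sample pairs; jdoe is the same on both sides and gets no entry.
    print(build_usermap_ldif([("JoeSmith", "jsmith"), ("jdoe", "jdoe"), ("MaryJones", "mjones")]))
```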
Configure parameters using GUAUPRF

To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value is displayed as the default value for new users who log in to Banner.

   Parameter      Description
   BIND_PASSWORD  The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
   BIND_USER      A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine if users exist.
   DN             The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
   SERVER         The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted as an LDAP URL, such as the following example: ldap://myldapserver:389
                  Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
   USERMAP_OPT    Usermap option. Valid values are as follows: L - the LoginID is used for login mapping; N - no usermap option is used.
   USERMAP_PRFX   Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
                  Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Socket Layer) key, configure the following parameters:

   Parameter  Description
   LOCATION   To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where this wallet is created. It uses the file URL format. For example: file:d:\wallet for Windows, file:/u01/wallet for Unix.
   PASSWORD   The password to the wallet, stored using DES encryption with the key you created in a previous step.
   MODE       The SSL authentication mode can be one of the following values: 1 - No authentication is required (SSL encryption only); 2 - One-way authentication is required: the client certificate is authenticated by the server; 3 - Two-way authentication is required: the client and the server authenticate each other's certificates.
A CAS Server Configuration

Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
   A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions for which a file is listed in step 2.2.
   2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
   2.2 Select the file that supports your version of CAS:
       SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
       SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
   4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
       jsr173_1.0_api.jar
       sghe_udc_identity_xmlbeans_binding.jar
       sghe-cas-ext.jar
       xbean.jar
       xercesImpl.jar
       xml-apis.jar
   4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
       <servlet-mapping>
         <servlet-name>cas</servlet-name>
         <url-pattern>/bannerValidate</url-pattern>
       </servlet-mapping>
   4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
       4.2.1 Open the uniqueIdGenerators.xml file.
       4.2.2 Add the following entry inside the util:map with id uniqueIdGeneratorsMap:
             <entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
       4.2.3 Save and close the uniqueIdGenerators.xml file.
   4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
       Use the following steps to modify the argumentExtractorsConfiguration.xml file:
       4.3.1 Open the argumentExtractorsConfiguration.xml file.
       4.3.2 Add the following XML configuration:
             <bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
             </bean>
       4.3.3 Add the following reference to the util:list argumentExtractors:
             <util:list id="argumentExtractors">
               <ref bean="BannerArgumentExtractor" />
               <ref bean="casArgumentExtractor" />
               <ref bean="samlArgumentExtractor" />
             </util:list>
       4.3.4 Save and close argumentExtractorsConfiguration.xml.
   4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
       Use the following steps to modify the cas-servlet.xml file:
       4.4.1 Open cas-servlet.xml and add the following XML configuration:
             <bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
                   p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
                   p:centralAuthenticationService-ref="centralAuthenticationService"
                   p:proxyHandler-ref="proxy20Handler"
                   p:argumentExtractor-ref="BannerArgumentExtractor"
                   p:successView="bannerAccountServiceSuccessView"
                   p:failureView="bannerAccountServiceFailureView" />
       4.4.2 Add the following property to the bean handlerMappingC:
             <prop key="/bannerValidate">bannerAccountValidateController</prop>
       4.4.3 Save and close the cas-servlet.xml file.
   4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
       4.5.1 Add the entry keys UDC_IDENTIFIER and "Formatted Name" to the bean attributeRepository:
             <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
               <property name="baseDN" value="ou=People,o=cp" />
               <property name="query" value="(uid={0})" />
               <property name="contextSource" ref="contextSource" />
               <property name="ldapAttributesToPortalAttributes">
                 <map>
                   <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
                   <entry key="uid" value="uid" />
                   <entry key="udcid" value="UDC_IDENTIFIER" />
                   <entry key="cn" value="cn" />
                   <entry key="givenname" value="Formatted Name" />
                   <entry key="mail" value="EmailAddress" />
                 </map>
               </property>
             </bean>
       4.5.2 Add the following property configuration inside the bean authenticationManager:
             <property name="authenticationMetaDataPopulators">
               <list>
                 <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
                   <property name="template" ref="LdapTemplate" />
                   <property name="netIdAttr" value="uid" />
                   <property name="baseDN" value="ou=People,o=cp" />
                   <property name="casTokenAttributes">
                     <map>
                       <entry>
                         <key><value>udcid</value></key>
                         <value>UDC_IDENTIFIER</value>
                       </entry>
                     </map>
                   </property>
                 </bean>
               </list>
             </property>
       4.5.3 Add the following bean definitions under the beans root element:
             <bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
               <property name="contextSource" ref="contextSource"></property>
             </bean>
             <bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
               <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
             </bean>
             <bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
               <property name="template" ref="LdapTemplate"></property>
               <property name="netIdAttr" value="uid" />
               <property name="baseDN" value="ou=People,o=cp" />
               <property name="samlToLdapAttributeNameMap">
                 <map>
                   <entry key="UDC_IDENTIFIER" value="udcid" />
                   <entry key="Formatted Name" value="sn" />
                 </map>
               </property>
             </bean>
             <bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
       4.5.4 Save and close the deployerConfigContext.xml file.
   4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties:
       4.6.1 Open default_views.properties.
       4.6.2 Add the following lines:
             # Banner Applications Views
             bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
             bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
       4.6.3 Save and close default_views.properties.
   4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs

Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.

Banportals logs

BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
    $OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique log file which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
    log4j.appender.stdout=org.apache.log4j.ConsoleAppender
    log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
    log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
    log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
    log4j.appender.logfile.append=True
    log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
    log4j.appender.logfile.MaxBackupIndex=10
    log4j.appender.logfile.MaxFileSize=1MB
    log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
    log4j.appender.logfile=org.apache.log4j.RollingFileAppender
    log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
    $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
    $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
    log4j.logger.com.sct.banner.portals=DEBUG,file
    log4j.logger.com.sghe.luminis.banner=DEBUG,file
If you are not actively debugging, lower the verbosity to ERROR level.

Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:
    $OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
    [u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
    ./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
    ./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
    ./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
    ./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
    ./log/identity_data_export_utilities.log
    ./log/BEIS_default_island_1/default-web-access.log
    ./log/BEIS_default_island_1/server.log
    ./log/BEIS_default_island_1/global-application.log
    ./log/BEIS_default_island_1/rmi.log
    ./log/BEIS_default_island_1/jms.log
    ./log/spml_publisher_failure.log
    ./log/sqlnet.log
For HTTP-layer monitoring, reference the logs in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jmslistener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
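As an added example that is not part of the guide, the following Python script parses adapter.log lines in the format shown above, groups them by event ID (the GOAEQRM Event Sequence) and reports events that LMG validated but never confirmed as published to the broker, which is the case the next section asks you to chase in the MQ logs. The first three sample lines mirror the guide's output; the last two lines and the ERROR message format are constructed for this example.

```python
import re
from collections import OrderedDict

# Constructed sample of LMG adapter.log lines (the first three mirror the
# guide's example; the last two are made up to show a stalled event).
SAMPLE_ADAPTER_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,114 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:03,020 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Message 370661 could not be published: connection refused
"""

# One log4j line: "<date> <time,ms> [<thread>] <LEVEL> <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Milestones an event passes through, in order, keyed by the message that proves each.
MILESTONES = (
    ("validated", re.compile(r"^XML for (?P<id>\d+) is a valid document$")),
    ("published", re.compile(r"^Message (?P<id>\d+) published to Luminis Message Broker$")),
    ("delivered", re.compile(r"^The event (?P<id>\d+) has been published to (?P<dest>\S+)$")),
)


def parse_line(line):
    """Split one adapter.log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def _new_event():
    return {"milestones": [], "destination": None, "errors": []}


def correlate_events(log_text):
    """Group adapter.log lines by event ID.

    Returns an ordered dict: event_id -> {"milestones": [...],
    "destination": str | None, "errors": [ERROR/WARN messages naming that ID]}.
    """
    events = OrderedDict()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, pattern in MILESTONES:
            m = pattern.match(rec["msg"])
            if m:
                ev = events.setdefault(m.group("id"), _new_event())
                ev["milestones"].append(name)
                if name == "delivered":
                    ev["destination"] = m.group("dest")
                break
        else:
            # Not a milestone line: attach ERROR/WARN lines to any event ID they mention
            if rec["level"] in ("ERROR", "WARN"):
                for event_id in re.findall(r"\b\d{5,}\b", rec["msg"]):
                    events.setdefault(event_id, _new_event())["errors"].append(rec["msg"])
    return events


def stalled_events(events):
    """Event IDs that LMG validated but never confirmed as published to the broker.

    These are the events to look up on GOAEQRM and in the broker's jms.log.
    """
    return [eid for eid, ev in events.items()
            if "validated" in ev["milestones"] and "published" not in ev["milestones"]]


if __name__ == "__main__":
    found = correlate_events(SAMPLE_ADAPTER_LOG)
    for eid, ev in found.items():
        print(eid, "->", ", ".join(ev["milestones"]) or "no milestones",
              "| destination:", ev["destination"], "| errors:", len(ev["errors"]))
    print("stalled:", stalled_events(found))
```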
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs as stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in the following location: <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties: imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL*Plus as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS       TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                        TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompted for at run time
  d varchar2(200);                    -- Oracle user returned
  e varchar2(200);                    -- role returned
  f varchar2(200);                    -- password returned (not displayed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
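Added example, not from the guide: a small LDIF parser plus a resolver that performs the lookup the user map above implies (read UserMapDN from the config entry, then look for cn=<Luminis user> under that container, falling back to the default Oracle ID when no mapping exists). The LDIF is constructed from the sample above; the default ID and the rejection of DN special characters in the user name are assumptions of this example, not documented behaviour.

```python
import base64

# Constructed LDIF mirroring the sample o=sctssoapplications.ldif above;
# one description is folded across two lines exactly as in the sample.
SAMPLE_LDIF = """\
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
SCTSSOConfigString: saisusr
"""

# Characters that cannot appear unescaped in an RDN value (RFC 4514); a user
# name containing one would change which DN gets looked up (assumed check).
DN_SPECIALS = set(',+"\\<>;=')


def parse_ldif(text):
    """Minimal LDIF content-record parser: unfolds continuation lines, keeps
    multi-valued attributes, decodes '::' base64 values. Returns {dn.lower(): {attr.lower(): [values]}}."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]      # folded line: drop the leading space and join
        else:
            logical.append(line)
    entries, current = {}, None
    for line in logical + [""]:          # trailing "" flushes the last record
        if line == "" or line.startswith("#") or line.startswith("version:"):
            if current and "dn" in current:
                entries[current.pop("dn")[0].lower()] = current
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current = current if current is not None else {}
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def resolve_banner_user(entries, luminis_user, default_oracle_id,
                        config_base="o=config,o=Banner,o=SCTSSOapplications"):
    """Return (banner_user, mapped): the SCTSSOConfigString of cn=<luminis_user>
    under the container named by UserMapDN, or the default Oracle ID if unmapped."""
    if any(ch in DN_SPECIALS for ch in luminis_user):
        raise ValueError("Luminis user name contains DN special characters")
    cfg = entries.get(f"cn=UserMapDN,{config_base}".lower())
    if cfg is None:
        raise LookupError("UserMapDN configuration entry not found")
    usermap_dn = cfg["sctssoconfigstring"][0]
    mapping = entries.get(f"cn={luminis_user},{usermap_dn}".lower())
    if not mapping or "sctssoconfig" not in [c.lower() for c in mapping.get("objectclass", [])]:
        return default_oracle_id, False
    return mapping["sctssoconfigstring"][0], True
```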
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below:
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc; general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
#VERBOSE="--verbose"

# User-configurable variables before running script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break"
        break ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 01:
# Some sanity checks before we start.
# Does $OPENDS_DIR exist and is it writable?
if [[ ! -d $OPENDS_DIR || ! -w $OPENDS_DIR ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02:
# Prompt [no screen echo] for DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1:
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2:
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3:
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4:
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5:
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6:
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7:
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8:
# Add LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9:
# Add LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10:
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11:
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12:
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13:
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 14:
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the destination name matches the UpdateRequest queue created above)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15:
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (the destination name matches the UpdateReply queue created above)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16:
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17:
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18:
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_ssl_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19:
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_ssl_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the webservices configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOA RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any Lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK located in the SunGard Higher Education Customer Support Center describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. The validation statement is missing a single quote; it should read: select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE';
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archivelogs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
# The SSB URL for the Arabic locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.ar_SA=<The URL for the Arabic locale for SSB>
# The SSB URL for the Brazilian locale
# Example: https://lcban3.sct.com:9200/pls/SMPL
ssb.banner.link.url.pt_BR=<The URL for the Brazilian locale for SSB>
# The BEIS version can be either 814 for versions that are <= 8.1.4, or the version needs to be set to 815
beis.version=814
# The banner-cas-client URL for SSB in case BEIS <= 8.1.4 is used
banner.cas.client.ssb=/banner-cas-client/authorized/banner/SelfService
# The banner-cas-client URL for INB in case BEIS <= 8.1.4 is used
banner.cas.client.inb=/banner-cas-client/authorized/banner/OracleForms?launch_form=
# The URL for SSB via SSO Manager in case BEIS 8.1.5 is used (note that the parameter pkg has to be the same as configured in SSO Manager)
beis.ssomanager.ssb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/SSB?pkg=
# The URL for INB via SSO Manager in case BEIS 8.1.5 is used
beis.ssomanager.inb=http://<ssomanager host>:<ssomanager port>/ssomanager/c/INB?otherParams=launch_form=
Prepare to Install Luminis Platform Portlets for Banner
The basic model for Luminis Portlets for Banner uses a web service call into a servlet running in the Luminis Channels Web application, which runs either in a separate Web application server or as a Web application in the Internet Native Banner (INB) Application server.
This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server and modifications to be made to the deployment of the Luminis Platform portlet for Banner server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.
For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki as follows:
http://www.edu1world.org/CommonsLuminis
This section includes the following topics:
• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"
Create the home directory for Luminis Channels for Banner
To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels
Copy the contents of the channel/admin directory under your Banner production directory to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.
Edit the configuration file
Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following table specifies descriptions and examples of the Banner database connection configuration properties.
Property: connectionName.list
Description: Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName, and so on.
Example: connectionName.list=default or connectionName.list=default, other

Property: default.tnsName
Description: TNS name used when connecting to the Banner database.
Example: default.tnsName=LB70.sct.com

Property: default.userName
Description: Connection pool user name.
Example: default.userName=banproxy

Property: default.password
Description: Connection pool password.
Example: default.password=banproxy

Property: default.poolConfig.min-limit
Description: Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
Example: default.poolConfig.min-limit=1

Property: default.poolConfig.max-limit
Description: Maximum number of physical connections maintained by the pool.
Example: default.poolConfig.max-limit=5

Property: default.poolConfig.increment
Description: Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
Example: default.poolConfig.increment=1

Property: default.poolConfig.timeout
Description: The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is specified in seconds.
Example: default.poolConfig.timeout=30
Luminis Platform 503 November 2011Banner Integration Setup GuideCentral Authentication Service and Banner Enterprise Identity Services
Novemb
log4jrootCategory
The logging level and logging scheme used from within the servlet The default logging level is INFO stdout which directs the output of the servlet to the system output which in turn writes to the ltORACLE_HOMEgtopmnltoc4j instancegt logs To limit the growth and overall size of the log the logging can be turned down to ERROR To do so set the value of log4jrootCategory to ERROR stdout
providerServleturl
URL to access the Banner portal servlet This is the URL of the webserver and points to the OC4J servlet which resides on the webserver machine
xsl-parameterurlHostAndPath=httpltyourservernamecomgt9001YourDADxsl-parameterThe port of 4445 in the document is an example You provide the port number that routes you to the welcome page of the webserver such as httpltyourservernamecomgt7777 The banportals portion of the URL is suggested as the virtual path for the OC4J servlet Reference ldquoGenerate the banportalsear filerdquo on page 2-14 for the banportals portion of the URL
providerServletuser
Name
User name to secure the servlet
providerServletuserName=channelAdmin
providerServlet
password
Password used to secure the servlet
providerServletpassword=u_pick_it
Property Description Example
er 2011 Luminis Platform 503 2-13Banner Integration Setup Guide
Central Authentication Service and Banner Enterprise Identity Services
2-14
The recommended value for username is channelAdmin You can use any value for the password
This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine When the OC4J servlet engine receives a Channel request it compares the username and password stored in banportalsear with the username and password sent by Luminis from the luminis-banner webapp Thus the providerServlet username and password should only be defined in the banportalsconfig file There does not need to be any corresponding OS user Oracle user and so forth
Generate the banportalsear file
The banportalsconfig file contains values that should be inserted into the banportalsear file
To roll out the changes an installer file use the banportalsadminjar To use this installer a Java VM must be installed on the same machine as the CHANNEL_HOME A Java VM of 131 or higher is required To execute the installer run the following file
java -jar banportalsadminjar banportalsconfig
NoteThis executable JAR statement generates two files bannerCommoncar and banportalsear as described in the Middle Tier Implementation Guide Configure the luminis-banner webapp as described in ldquoLuminis Banner Web applicationrdquo on page 2-9 Then deploy the resulting EAR file
via the Oracle Enterprise Manager as described in ldquoDeploy the EAR filerdquo on page 2-15
xsl-parametererpUrlBase
URL for the INB server
Note If you want to load Banner forms in a separate window remove 2526separateFrame3Dfalse from the URL above
xsl-parametererpUrlBase=httpltyourservernamecomgt7777forms90f90servlet3Fconfig3Dsctsso2526separateFrame3Dfalse2526otherParams3Dlaunch_form3D
xsl-parameterurlHostAnd
Path
URL for the self-service application
xsl-parameterurlHostAndPath=httpltyourservernamecomgt9001YourDADxsl-parameter
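The following Python script is an added example (it is not part of this guide and not part of the Ellucian banportalsadmin tooling) that checks a banportals.config against the rules in the table above before you run banportalsadmin.jar: every connection named in connectionName.list has its tnsName, userName, password and pool settings, the pool limits are consistent, providerServlet.url is an http(s) URL, and none of the secrets is still one of the placeholder values the guide prints (banproxy/banproxy, u_pick_it). The embedded sample file, the host name in it, and the twelve-character minimum for providerServlet.password are this example's own assumptions, not values from the guide.

```python
"""Sanity-check a banportals.config before running banportalsadmin.jar.

Added example, not Ellucian code. Assumes the Java-properties layout shown
in the table: key=value lines, '#' comment lines, and a connectionName.list
whose entries are separated by commas or whitespace.
"""
import re
import sys

# Constructed sample: the guide's own example values, which a fresh install
# tends to carry into production unchanged.
SAMPLE_CONFIG = """\
# banportals.config (constructed sample)
connectionName.list=default
default.tnsName=LB70.sct.com
default.userName=banproxy
default.password=banproxy
default.poolConfig.min-limit=1
default.poolConfig.max-limit=5
default.poolConfig.increment=1
default.poolConfig.timeout=30
log4j.rootCategory=INFO, stdout
providerServlet.url=http://portal.example.edu:4445/banportals
providerServlet.userName=channelAdmin
providerServlet.password=u_pick_it
"""

REQUIRED_PER_CONNECTION = ("tnsName", "userName", "password")
POOL_KEYS = ("min-limit", "max-limit", "increment", "timeout")
# Values the guide prints as examples; they must not survive into production.
PLACEHOLDER_SECRETS = {"u_pick_it", "banproxy", "password", "pipeline"}
MIN_SERVLET_PASSWORD = 12          # assumption: a local policy, not a guide value
LOG4J_LEVELS = {"FATAL", "ERROR", "WARN", "INFO", "DEBUG"}


def parse_properties(text):
    """Minimal Java-properties reader: key=value per line, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_config(text):
    """Return a list of (severity, message); an empty list means no findings."""
    props = parse_properties(text)
    findings = []
    names = [n for n in re.split(r"[,\s]+", props.get("connectionName.list", "")) if n]
    if not names:
        findings.append(("ERROR", "connectionName.list is missing or empty"))
    for name in names:
        for key in REQUIRED_PER_CONNECTION:
            if f"{name}.{key}" not in props:
                findings.append(("ERROR", f"{name}.{key} is not defined"))
        pool = {}
        for key in POOL_KEYS:
            value = props.get(f"{name}.poolConfig.{key}")
            if value is None:
                findings.append(("WARN", f"{name}.poolConfig.{key} is not set"))
            elif not value.isdigit():
                findings.append(("ERROR", f"{name}.poolConfig.{key}={value!r} is not a non-negative integer"))
            else:
                pool[key] = int(value)
        if "min-limit" in pool and "max-limit" in pool and pool["max-limit"] < pool["min-limit"]:
            findings.append(("ERROR", f"{name}.poolConfig.max-limit is below min-limit"))
        user = props.get(f"{name}.userName", "")
        password = props.get(f"{name}.password", "")
        if password and password.lower() == user.lower():
            findings.append(("WARN", f"{name}.password equals the user name"))
        if password in PLACEHOLDER_SECRETS:
            findings.append(("WARN", f"{name}.password is a documentation placeholder"))
    url = props.get("providerServlet.url", "")
    if not re.match(r"^https?://[^/\s]+(/\S*)?$", url):
        findings.append(("ERROR", "providerServlet.url is missing or not an http(s) URL"))
    servlet_pw = props.get("providerServlet.password", "")
    if len(servlet_pw) < MIN_SERVLET_PASSWORD or servlet_pw in PLACEHOLDER_SECRETS:
        findings.append(("WARN", "providerServlet.password is short or a documentation placeholder"))
    level = props.get("log4j.rootCategory", "").split(",")[0].strip().upper()
    if level and level not in LOG4J_LEVELS:
        findings.append(("ERROR", f"log4j.rootCategory level {level!r} is not a log4j level"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:   # Java properties are ISO-8859-1
            source = fh.read()
    else:
        source = SAMPLE_CONFIG
    results = check_config(source)
    for severity, message in results:
        print(f"{severity}: {message}")
    sys.exit(1 if any(sev == "ERROR" for sev, _ in results) else 0)
```

Run it as `python check_banportals.py CHANNEL_HOME/banportals.config`; with no argument it checks the embedded sample, which produces three warnings (pool password equal to the user name, placeholder pool password, placeholder servlet password) and no errors. A non-zero exit status on any ERROR lets the check gate a deployment script.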
Deploy the EAR file

SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.

To use Oracle Enterprise Manager, complete the following steps:

1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
   It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends the naming convention <SID>_banportals, where <SID> is the service identifier of your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read it, click Next.
4. Browse for the banportals.ear file that was updated in the CHANNEL_HOME directory and select it for deployment.
   This step takes the EAR file from the CHANNEL_HOME directory and uploads it to the OAS10g server. The EAR file must be accessible from the machine on which you are running the Enterprise Manager browser session. When selecting an application, set J2EE Application to the local file system location of the EAR file. If you cannot reach banportals.ear from your local (browser) machine through mapped drives or symbolic links, transfer the file to your local machine first (the guide suggests FTP; SFTP or SCP avoids sending credentials in the clear) and then select it locally.
5. Enter a name to identify the application within the OC4J instance. This name must be unique within the OC4J instance and should typically identify the application being deployed. The suggested name is <SID>_banportals.
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not /banportals, change the value on this step of the deployment wizard.
8. Click Finish to navigate to the summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page and ensure that the newly created OC4J instance is started.
11. On each Luminis server, ensure that $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/banportals.properties is customized to match the configuration deployed above in banportals.ear.

Banner portlet life cycle

The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates to the portal.
• The user places a Banner portlet on a portal page.
• During portlet rendering, the portlet class calls out to Banner.
• Banner generates XML content in response to the request.
• The XML content is returned to the portlet class and transformed using the preloaded XSLT style sheet.
• The resulting XHTML is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.

Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate user name mappings for existing INB users. The LDAP user-mapping option adds significant overhead to this process and generates additional LDAP traffic. To improve performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner as follows:
USERMAP_OPT = N

The value N means that you do not want to use the usermap option. If USERMAP_OPT is not N, the Banner Middle Tier single sign-on process first looks for an LDAP user name mapping based on the GUAUPRF LDAP settings, then fails over to the mapping in the Banner GOBEACC table. For more information about SSB and INB configuration, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning

Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and the event-driven infrastructure.

This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"

Learning Message Gateway

The Learning Management Gateway (LMG) is an architectural component designed for use with, and in support of, Banner Integration for eLearning.

This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"

Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 included some JMS/MQ wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring Framework application server context, which contains native JMS client connectivity by default. In addition, the JMS provider middleware has been decoupled from the Luminis-specific portal and administration tools.

Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is GlassFish Server Open Source Edition 3.1, which includes MQ 4.5.

GlassFish MQ 4.5 is the current generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish Open MQ runs natively on the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, and the .../imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties).

You may continue to use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends the technology provided with the GlassFish enterprise server, which is more actively supported by the Open MQ community. This document assumes that eLearning integration for Luminis 5 and Banner uses GlassFish Enterprise Server 3.x with MQ 4.4.x.

The LMG installation remains virtually the same as for LMG 4.0: create $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.

The differences required for Luminis Platform 5 integration are in the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0

Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.

To install LMG 4.0, complete the following steps:

1. Create an install directory where the Learning Management Gateway resides and to which the SCT_LMG_HOME environment variable points. For example:
   mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following lines to the .bash_profile of your LUMADMIN user:
   SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
   export SCT_LMG_HOME
3. Copy lmg40.jar into your SCTERPGateway installation directory.
   The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
   java -jar lmgX.x.jar -erp plus|banner -lmbhost <lmbserver> -dburl <dbserver>:<port>:<instance> -dbpw <mydbpasswd> -jmspw <myjmspasswd> -ldi true|false -notification true|false
   For example:
   java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true

Note: For more information on the command arguments, refer to the Banner Learning Message Gateway Installation Guide. Passing -dbpw and -jmspw on the command line exposes both passwords to anyone who can list processes on the host and leaves them in the shell history; run the installer from a session whose history is disabled, or clear the history afterwards.

Set up users and administered objects in o=messaging

A Bourne shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same host as the GlassFish installation. The script binds as cn=Directory Manager and modifies the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.

The full script is listed in "Full lp5_mqinit.sh script" on page C-5.

To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis

The lp5_mqinit.sh script creates users and administered objects (topics, queues, and connection factories) in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:

• Environmental settings:
  HOSTNAME=slc207123.sct.com
  MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG settings should match the credentials defined for LMG in event_providers.plist:
  MQ_LMG_USER=lmguser
  MQ_LMG_USER_PW=password
• MQ_LUM settings should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
  MQ_LUM_USER=lumuser
  MQ_LUM_USER_PW=password
  The value password shown for MQ_LMG_USER_PW and MQ_LUM_USER_PW is a placeholder. Set distinct, non-trivial passwords before running the script: these two accounts are the credentials the broker will accept for LMG and Luminis, and they are granted read, search, and compare rights in o=messaging.
• MQ_JMS_PORT should match imq.jms.tcp.port, and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use the imq.portmapper.port value, which defaults to 7676:
  MQ_JMS_PORT=7676
  MQ_SSLJMS_PORT=7676
  Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080); however, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache. MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 (https), which has a default value of 8181:
  MQ_HTTP_TUNNEL_PORT=8081
  MQ_HTTPS_TUNNEL_PORT=8181
  MQ_TUNNEL_VPATH=imqtunnel
  Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSLJMS connection.
• Other settings, which should only be modified in non-standard configurations:
  OPENDS_DIR=$CP_ROOT/products/opends
  OPENDS_ADMIN_PORT=4444
  OPENDS_MQ_BASEDN=o=messaging
  INSECURE_LDAP_PORT=389

Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ

Update <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>

The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search, and compare privileges in o=messaging. Note that this password is stored in clear text in config.properties, and that with the settings above the broker binds to the directory over plain LDAP on port 389; restrict read access to config.properties to the account that runs the broker.

To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR

Change imq.log.level to INFO for low-level (debug) logging.

Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts succeed.

Set up GlassFish MQ access control

Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue- and topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis:

connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser

The connection.ADMIN rule controls who may open administrative connections (for example with imqcmd). Because lumuser and lmguser only produce and consume messages, the least-privilege arrangement is to list the account you actually administer the broker with in connection.ADMIN and leave the two application accounts on ordinary (NORMAL) connections.
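The following Python script is an added example (not from this guide and not part of Open MQ) that lints an accesscontrol.properties of the shape shown above. It reports any principal that is not a known account (a misspelled user name such as lumser for lumuser silently grants access to nobody), any LDI destination that lacks an explicit produce or consume allow rule, and any application account that is allowed ADMIN connections. The destination names are the ones listed above and lmguser/lumuser are the guide's accounts; mqadmin is an assumed separate administrative account, and the sample file, with its deliberate typo, is constructed for the example.

```python
"""Lint an Open MQ accesscontrol.properties for the LDI destinations.

Added example, not from the guide or from Open MQ. Known accounts are the
two application users the guide names plus an assumed dedicated admin user.
"""
import re

APP_USERS = {"lmguser", "lumuser"}
ADMIN_USERS = {"mqadmin"}                 # assumption: dedicated imqcmd account

# Constructed sample that contains the kind of typo an ACL review should catch.
SAMPLE_ACL = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""

DEST_RULE = re.compile(r"^(queue|topic)\.([^.]+)\.(produce|consume)\.(allow|deny)\.user=(.*)$")
CONN_RULE = re.compile(r"^connection\.(NORMAL|ADMIN)\.(allow|deny)\.user=(.*)$")


def _users(field):
    return [u.strip() for u in field.split(",") if u.strip()]


def parse_acl(text):
    """Return (destinations, connections): rule parts mapped to user lists."""
    destinations, connections = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DEST_RULE.match(line)
        if m:
            kind, name, op, verdict, field = m.groups()
            destinations.setdefault((kind, name), {})[(op, verdict)] = _users(field)
            continue
        m = CONN_RULE.match(line)
        if m:
            ctype, verdict, field = m.groups()
            connections[(ctype, verdict)] = _users(field)
    return destinations, connections


def lint_acl(text, app_users=APP_USERS, admin_users=ADMIN_USERS):
    """Return a list of human-readable findings; empty means nothing to report."""
    known = app_users | admin_users
    destinations, connections = parse_acl(text)
    findings = []
    for (kind, name), rules in destinations.items():
        for (op, verdict), users in rules.items():
            for user in users:
                if user != "*" and user not in known:
                    findings.append(f"{kind}.{name}.{op}.{verdict}: unknown principal '{user}'")
        allowed_ops = {op for (op, verdict) in rules if verdict == "allow"}
        for op in sorted({"produce", "consume"} - allowed_ops):
            findings.append(f"{kind}.{name}: no explicit {op}.allow rule (any wildcard rule in the file applies)")
    for user in connections.get(("ADMIN", "allow"), []):
        if user in app_users:
            findings.append(f"connection.ADMIN: application account '{user}' may open admin connections")
    return findings


if __name__ == "__main__":
    for finding in lint_acl(SAMPLE_ACL):
        print(finding)
```

Against the constructed sample the script reports three rules naming the unknown principal lumser, the destinations that have only one side of the produce/consume pair spelled out, and both application accounts appearing in connection.ADMIN. Adjust APP_USERS and ADMIN_USERS to the account names you created in o=messaging before running it against your own file.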
Custom JMS Clients

Ensure that your JMS clients have the same versions of jms.jar and imq.jar in their classpath as any other connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform

The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When you encounter problems with GlassFish, MQ, or Update Center, see the issue tracker at http://java.net/jira/secure/IssueNavigator.jspa.

In most cases installation is simply a matter of extracting the archive to the desired directory.

As a reference installation, you could use the following steps to install GlassFish Open Source Edition on a Linux 4.x or 5.x server:

1. Download and install JDK 1.6.x. Downloads and documentation can be obtained at:
   http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at:
   http://glassfish.java.net
   For documentation on GlassFish Server 3.x Open Source Edition releases later than 3.1, refer to the same link.
   Use the following steps to configure GlassFish and MQ:
   2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
   Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
   2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
   To create a JMS user, complete the following steps:
   Note: The imqusermgr command creates users in the file-system-based user repository; it can be skipped if you are using an LDAP- or JAAS-based user repository for MQ. The default credentials for imqcmd are admin/admin. These may differ in your environment if you have already changed the admin user's password or configured MQ to use an LDAP- or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details or contact the Luminis Integration ActionLine for additional help.
   3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
   imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
   3.2 In <GLASSFISH_HOME>/mq/bin, update the admin password if desired:
   imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default, MQ uses ephemeral (dynamic) port assignments. The initial connection to MQ is made on port 7676; MQ then advertises the ports to use for the other services, as illustrated below:

telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.

Note that the portmapper reply is returned to any client that can reach port 7676 and includes file system paths and the JMX URL, so limit access to that port (and to the service ports it advertises) to the Luminis and LMG hosts.

If ephemeral ports are not allowed through the firewall, or if you otherwise prefer static ports, both the firewall and MQ must be configured to use static ports. MQ is configured to use static ports by adding the following lines to the bottom of <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the MQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the host name (after the change described in step 5.3), to confirm that the new static ports are in use:

[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying <IP address>...
Connected to userportal.sungardhe.com (<IP address>).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
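Rather than reading the portmapper reply by eye after every restart, the following Python script (an added example, not part of this guide or of Open MQ) parses the text the broker returns on port 7676, checks that the admin and jms services are on the static ports configured above, and lists any TCP service still on a dynamically assigned port, which a firewall rule cannot pin down. Feed it a saved transcript or the raw reply on standard input; with no input it checks an embedded sample whose host name, paths and session id are constructed for the example.

```python
"""Parse an Open MQ portmapper reply and confirm static service ports.

Added example, not part of the guide or of Open MQ. It reads the text the
broker returns on the portmapper port (7676), as shown in the telnet
transcripts above.
"""
import sys

# Constructed sample modelled on the second transcript above.
SAMPLE_REPLY = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://mq.example.edu/jndi/rmi://mq.example.edu:8686/mq.example.edu/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""

# The static ports the guide adds to config.properties.
EXPECTED_PORTS = {"admin": 7574, "jms": 7575}
# Ports at or above this value are treated as dynamically assigned
# (the Linux default ephemeral range starts at 32768).
EPHEMERAL_FLOOR = 32768


def parse_portmapper(reply):
    """Return {service: (protocol, service_type, port)}; port 0 means not listening."""
    services = {}
    for line in reply.splitlines()[1:]:          # line 0 is "101 <broker> <version>"
        parts = line.split()
        if len(parts) >= 4 and parts[3].isdigit():
            services[parts[0]] = (parts[1], parts[2], int(parts[3]))
    return services


def broker_version(reply):
    """Return the version string from the first line, or None if it is not a 101 reply."""
    head = reply.splitlines()[0].split() if reply.strip() else []
    return head[2] if len(head) >= 3 and head[0] == "101" else None


def check_static_ports(reply, expected=EXPECTED_PORTS):
    """List services that are missing or not on their configured static port."""
    services = parse_portmapper(reply)
    problems = []
    for name, port in expected.items():
        if name not in services:
            problems.append(f"service {name} is not advertised by the broker")
        elif services[name][2] != port:
            problems.append(f"service {name} is on port {services[name][2]}, expected {port}")
    return problems


def ephemeral_tcp_services(reply, floor=EPHEMERAL_FLOOR):
    """TCP services still on a dynamically assigned port."""
    return sorted(name for name, (proto, _, port) in parse_portmapper(reply).items()
                  if proto == "tcp" and port >= floor)


if __name__ == "__main__":
    reply = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPLY
    print(f"broker version: {broker_version(reply)}")
    for problem in check_static_ports(reply):
        print("PROBLEM:", problem)
    for name in ephemeral_tcp_services(reply):
        print(f"NOTE: {name} is on an ephemeral port")
```

On the sample the admin and jms checks pass and only the cluster service is reported as ephemeral; on the first transcript above (admin on 39925, jms on 42103) both expected services would be flagged, which is exactly the state a firewall rule written for 7574/7575 would silently break.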
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.

If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.

Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.

For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services should be listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
   5.1 To query the broker, run the following commands:
   cd <glassfish>/mq/bin
   imqcmd query bkr -b <localhost>
   5.2 To ensure the JMS service is active, run:
   imqcmd query svc -b <localhost> -n jms
   5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
   To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host attribute matches your FQDN, as in the following example:
   <jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
     <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
   </jms-service>
   After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN in any imqcmd commands.
4 SSB and INB Integration

This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"

User ID mappings

User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.

The LDAP authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely on the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication or SPRIDEN ID lookup against LDAP involved in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket (as in the Luminis CAS login on port 8447) coupled with the assertion of the UDC ID in the configured cookie and header. Because SSB and INB trust the UDC ID carried in that cookie and header, confirm that requests which did not pass through banner-cas-client cannot reach those applications carrying a caller-supplied value for it.

Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or a proxy via BANPROXY.

Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a mapping in GOBUMAP from UDC ID to a valid PIDM, and does the user have a UDC ID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in the Web Tailor parameters?

Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 with b_0110_twb8030001 or Web Tailor 8.2 with b_0110_twb8020001 installed; otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com used in the examples is not necessarily sungardhe.com.

Create the o=SCTSSOapplications base DN

To create the optional base DN o=SCTSSOapplications, you can use the OpenDS control panel. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.

For more information about managing base DNs with the control panel, see:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel

To create the base DN, complete the following steps:

1. Run dsconfig from $CP_ROOT/products/opends/bin as follows:
   dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
   1.1 Select userRoot.
   1.2 Select base-dn.
   1.3 Select "Add one or more values".
   1.4 Enter the DN, for example o=SCTSSOapplications.
   1.5 Press Enter to continue.
   1.6 Select "Use these values".
   1.7 Press F to finish and apply the changes to the Local DB Backend.
2. Import the sso_oclass_lum5.ldif file:
   ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
   For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications" sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
   import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
   The value pipeline shown with -w is the guide's example password. Supplying the Directory Manager password on the command line exposes it in the process list and the shell history; omit -w so the tool prompts for it, or use -j <file> to read it from a file that only you can read.

Verify usermap mapping setup for INB users using the proxyinfo.sql script

The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.

Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.

If you are using INB, this script must return your INB user name. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermapo=Bannero=sctssoapplications to function the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration This GUAUPRF configuration in turn relies upon a proper encryption-key configuration
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL Please note that for the purposes of INB channels such as the My Banner channel the mapping in GOBEACC does not apply Instead a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID to an OracleINB login name
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server that hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and is protected with DES encryption, as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.

Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.

If KEY_DIR does not exist in the DBA_DIRECTORIES view and the physical directory has not been created on your database server, you must create it using the following steps. Make sure the directory's group permissions allow the Oracle software owner to read it.

1. Create the physical directory on your database server, such as: mkdir $BANNER_HOME/key_dir

2. Create a plain text file named enckey in the directory.

3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.

The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step 1. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR

Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.

5. Run the script as follows:

sqlplus /nolog
connect general/general_password
start banssodir
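The key rules in step 3 above, expressed as a check you can run against an enckey file before running banssodir.sql. This is an added example and not Ellucian code: the numbers (eight characters consumed by DES, 24 kept by the GOKKSSO package) are the page's; the padding character, the file-reading convention (key on the first line) and the function names are assumptions.

```python
"""Check an enckey file's contents against the key rules stated on this page.

Added example, not Ellucian code. The numbers come from the page (DES uses
8 characters; GOKKSSO keeps 24); the padding character and function names
are assumptions."""

DES_KEY_LEN = 8        # characters the current DES encryption actually uses
GOKKSSO_KEY_LEN = 24   # characters the GOKKSSO package keeps (padded or truncated)


def check_enckey(contents: str) -> list:
    """Return the rule violations for the key held in an enckey file
    (the key is the file's first line). An empty list means it is acceptable."""
    problems = []
    first_line = contents.split("\n", 1)[0].rstrip("\r")
    if first_line != first_line.lstrip():
        problems.append("key must start in column 1 (leading whitespace found)")
    key = first_line
    if len(key) < DES_KEY_LEN:
        problems.append(f"key must contain at least {DES_KEY_LEN} characters")
    elif len(key) % DES_KEY_LEN != 0:
        problems.append("key length must be a multiple of 8")
    if not (any(ch.isalpha() for ch in key) and any(ch.isdigit() for ch in key)):
        problems.append("key must combine letters and numbers")
    return problems


def effective_keys(key: str) -> tuple:
    """What the database side actually uses: the 24-character key GOKKSSO
    keeps (longer input is truncated, shorter input padded) and the 8
    characters DES consumes. Padding with spaces is an assumption."""
    kept = key[:GOKKSSO_KEY_LEN].ljust(GOKKSSO_KEY_LEN)
    return kept, kept[:DES_KEY_LEN]


def check_enckey_file(path: str) -> list:
    """Run check_enckey on an enckey file on disk."""
    with open(path, encoding="ascii") as fh:
        return check_enckey(fh.read())
```

The second function makes the practical point explicit: with the current DES encryption, only the first eight characters of whatever you type into enckey contribute to the secret, so a 32-character key is accepted and kept as 24 characters but adds no strength over its first eight.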
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:

o=config,o=Banner,o=SCTSSOapplications

UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If a user's ID is the same in both systems, an entry in this location is neither necessary nor recommended for that user.

In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:

• The same value:
  Luminis ID = jsmith
  Oracle/Banner ID = jsmith

• Mapped to one another in LDAP:
  Luminis ID = JoeSmith
  Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.

1. Create a mapping file, for example sso_map.ldif:

dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith

2. Import the mapping file into the LDAP server:

ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline

Note: You must wait approximately 20 minutes for the mapping to take effect.

3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.

Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the new mapping is read.
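The usermap entry format above and the sample o=sctssoapplications.ldif in appendix C, exercised by an added example that is not Ellucian code: it writes a mapping entry in the layout shown, reads such entries back from LDIF (including folded lines and base64 values), and resolves a Luminis ID the way proxyinfo.sql reports it, falling back to the default Oracle ID when no mapping exists. The default banproxy, the helper names and the sample LDIF (constructed from the page's own entries) are assumptions.

```python
"""Build, read and resolve Banner SSO usermap entries in LDIF.

Added example, not Ellucian code. It uses the DN layout, attribute names
and object class shown on this page and in the appendix-C sample LDIF,
and assumes banproxy as the default Oracle ID; helper names are mine."""
import base64

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "banproxy"   # "usually banproxy" on this page; an assumption


def usermap_entry(luminis_id: str, oracle_id: str) -> str:
    """LDIF for one mapping. Identical IDs need no entry, and the page
    advises against creating one, so that case is rejected."""
    if luminis_id.lower() == oracle_id.lower():
        raise ValueError("Luminis and Oracle IDs match; no usermap entry is needed")
    return "\n".join([
        f"dn: cn={luminis_id},{USERMAP_BASE}",
        f"SCTSSOConfigString: {oracle_id}",
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        f"description: Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {oracle_id}",
        f"cn: {luminis_id}",
        "",
    ])


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: joins folded lines (leading space), decodes
    base64 values (double colon), skips comments and the version line."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def load_usermap(ldif_text: str) -> dict:
    """cn -> SCTSSOConfigString for SCTSSOConfig entries under the usermap tree.
    Keys are lower-cased because cn uses caseIgnoreMatch in the page's schema."""
    mapping = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        if ("SCTSSOConfig" in entry.get("objectClass", [])
                and dn.lower().endswith("," + USERMAP_BASE.lower())):
            mapping[entry["cn"][0].lower()] = entry["SCTSSOConfigString"][0]
    return mapping


def resolve_oracle_id(luminis_id: str, mapping: dict, default: str = DEFAULT_ORACLE_ID) -> str:
    """The rule proxyinfo.sql reports on: an explicit mapping wins, otherwise the default."""
    return mapping.get(luminis_id.lower(), default)


# Constructed sample: the page's UserMapDN config entry (with a folded
# description) and its kyle mapping, plus the JoeSmith entry built above.
SAMPLE_LDIF = """\
version: 1

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr

""" + usermap_entry("JoeSmith", "jsmith")
```

The config entry under o=config is deliberately included in the sample: load_usermap ignores it because only entries directly under the usermap tree are mappings, which is the same distinction the directory layout on this page draws between configuration and user mappings.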
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:

1. Log on to Banner as the BASELINE user.

2. Access the GUAUPRF form.

3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value is displayed as the default value for new users who log in to Banner.

Parameter       Description

BIND_PASSWORD   The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.

BIND_USER       A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.

DN              The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.

SERVER          The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted as an LDAP URL, for example: ldap://myldapserver:389

                Note: If you are using LDAPS, you should also configure the parameters in the SSL key.

USERMAP_OPT     Usermap option. Valid values are as follows:
                L  LoginID is being used for login mapping
                N  No usermap option is used

USERMAP_PRFX    Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.

                Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:

Parameter   Description

LOCATION    To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows: file:d:/wallet for Windows, file:/u01/wallet for Unix.

PASSWORD    The password to the wallet. It is stored using DES encryption with the key you created in a previous step.

MODE        The SSL authentication mode. It can be one of the following values:
            1 - No authentication is required (SSL encryption only)
            2 - One-way authentication is required; the client certificate is authenticated by the server
            3 - Two-way authentication is required; the client and the server authenticate each other's certificates
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.

For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.

1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.

2. Download the CAS extensions JAR file.

A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports CAS versions

2.1. Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.

2.2. Select the file that supports your version of CAS:

SGHE_CAS_3.2.1.1_UTILS.jar / SGHE_CAS_3.2.1.1_UTILS.zip
SGHE_CAS_3.3.1_UTILS.jar / SGHE_CAS_3.3.1_UTILS.zip

3. Unpack the SGHE_CAS_3.3.1_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:

4.1. Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:

jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar

4.1. Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:

<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>

4.2. Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:

4.2.1. Open the uniqueIdGenerators.xml file.

4.2.2. Add the following entry inside the util:map with id="uniqueIdGeneratorsMap":

<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />

4.2.3. Save and close the uniqueIdGenerators.xml file.
4.3. Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.

Use the following steps to modify the argumentExtractorsConfiguration.xml file:

4.3.1. Open the argumentExtractorsConfiguration.xml file.

4.3.2. Add the following XML configuration:

<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>

4.3.3. Add the following reference to util:list - argumentExtractors:

<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>

4.3.4. Save and close argumentExtractorsConfiguration.xml.

4.4. Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.

Use the following steps to modify the cas-servlet.xml file:
4.4.1. Open cas-servlet.xml and add the following XML configuration:

<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />

4.4.2. Add the following property to the bean handlerMappingC:

<prop key="/bannerValidate">bannerAccountValidateController</prop>

4.4.3. Save and close the cas-servlet.xml file.

4.5. Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1. Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:

<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2. Add the following property configuration inside the bean authenticationManager:

<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3. Add the following bean definitions under the beans root element:

<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>

<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>

<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>

<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4. Save and close the deployerConfigContext.xml file.

4.6. Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.

4.6.1. Open default_views.properties.

4.6.2. Add the following lines:

# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView

4.6.3. Save and close default_views.properties.

4.7. Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.

You can also enable debug logging for the GlassFish message queue (MQ) component.

Banportals logs

BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:

$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties

For example, to create a unique log file that captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:

log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M:%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M:%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:

$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties

Alternatively, you can add the following to your common log4j.properties, stored in the following location:

$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties

log4j.logger.com.sct.bannerportals=DEBUG,file
log4j.logger.com.sghe.luminis.banner=DEBUG,file

If you are not actively debugging, lower the verbosity to the ERROR level.

Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:

$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1

There are several app-specific logs you can also refer to, such as the following:

[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log

For HTTP-layer monitoring, refer to the files in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.

You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.

Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; these take effect after the next restart of that component.

GlassFish MQ and Luminis Platform Message Brokerage logs

Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs

If you want to adjust the verbosity of the jms.log, edit the imq.log.level property in the following location:

/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties

Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties

Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:

# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.

The main LMG log files are as follows:

$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)

The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.

To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:

log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG

Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.

If the LMG processed the files successfully, you see messages in the log files similar to the following example:

2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
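An added example, not Ellucian code, that reads LMG adapter.log lines like the three above and reports which stage an event reached: XML validated, published to the Luminis Message Broker, and published to its target publisher. The line-layout regex and the constructed lines for a second event (370661) that fails before publication are assumptions; the message texts are the ones shown on the page.

```python
"""Trace one Banner event through LMG adapter.log output.

Added example (not Ellucian code). The three INFO lines are the page's;
the two lines for event 370661 are constructed to show an event that
validated but never reached the broker. The regex for the line layout is
an assumption based on those lines."""
import re

# "yyyy-mm-dd HH:MM:SS,mmm [thread] LEVEL logger - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) +(?P<logger>\S+) - (?P<msg>.*)$"
)

# Constructed sample: the page's three lines plus a failing second event.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,004 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,310 [Thread-1] ERROR events.com.sctcorp.events.MessageAdapter - Message 370661 could not be delivered: broker connection refused
"""


def parse_line(line: str):
    """Split one log line into its fields, or None if it is not a log record."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def trace_event(log_text: str, event_id: str) -> dict:
    """Report the stages an event reached and any non-INFO lines that mention it."""
    trace = {"xml_valid": False, "published_to_broker": False,
             "published_to": None, "problems": []}
    token = re.compile(r"\b" + re.escape(event_id) + r"\b")
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        msg = rec["msg"]
        if not token.search(msg):
            continue
        if rec["level"] != "INFO":
            trace["problems"].append(f'{rec["ts"]} {rec["level"]}: {msg}')
        if msg == f"XML for {event_id} is a valid document":
            trace["xml_valid"] = True
        elif msg == f"Message {event_id} published to Luminis Message Broker":
            trace["published_to_broker"] = True
        else:
            m = re.fullmatch(rf"The event {event_id} has been published to (\S+)", msg)
            if m:
                trace["published_to"] = m.group(1)
    return trace


def event_complete(trace: dict) -> bool:
    """True only when all three stages appear, which is what a healthy run shows."""
    return (trace["xml_valid"] and trace["published_to_broker"]
            and trace["published_to"] is not None)


def incomplete_events(log_text: str) -> list:
    """Every event ID mentioned in the log that did not reach all three stages."""
    ids = set()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ids.update(re.findall(r"(?:XML for|Message|The event) (\d+)", rec["msg"]))
    return sorted(i for i in ids if not event_complete(trace_event(log_text, i)))
```

Run it with the Event Sequence value from GOAEQRM as the event ID; an event that is Processed in Banner but absent from the stages here, or listed by incomplete_events, is the point at which to move on to the broker-side logs described below.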
GlassFish MQ 4.5 logs

If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:

1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log

2. To enable debug for those logs, run the following command:

imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG

This has the same effect as adding or editing the following property in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:

imq.log.level=DEBUG

3. To change the destination directory and file name for the MQ log, add or edit the following properties:

imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:

• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script

The following is an example proxyinfo.sql script:

--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS          TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                           TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompts for the Luminis ID
  d varchar2(200);                    -- Oracle user returned
  e varchar2(200);                    -- role returned
  f varchar2(200);                    -- proxy password returned
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- dbms_output.put_line(' PWD: ' || f);   -- left commented so the password is not written to the spool file
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif

The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif

The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif

The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.

The following is a sample sso_oclass_lum5.ldif:

dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1...
Sample o=sctssoapplications.ldif

The following is a sample o=sctssoapplications.ldif file:

version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script

The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below. Replace the placeholder passwords in the user-configurable variables before running it, and note that the script passes the Directory Manager password to dsconfig and ldapmodify with -w, so it is visible in the process list while those commands run.
binsh
author davidnortonsungardhecom
version history
01312011 - initial version rolled
02162011 - slight changes to notes
02202011 - notes moved to separate doc general clean-up but
no changes in the logicexecution
Debug note
To debug execute ldquobinsh [or binbash] [-x|-v] lp5_mqinitshrdquo
Uncomment the following for verbose dsconfigldapmodify
VERBOSE=rdquo--verboserdquo
User-configurable variables before running script
HOSTNAME=slc207123sctcom
MQ_HOME=optglassfishv3mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
er 2011 Luminis Platform 503 C-5Banner Integration Setup Guide
Sample Scripts and Files
C-6
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
You probably shouldnt need to adjust these
OPENDS_DIR=$CP_ROOTproductsopends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=rdquoo=messagingrdquo
INSECURE_LDAP_PORT=389
Non-configurable variables initialized
STEPNO=1
ERRORCODE=0
After each command check for a non-zero error response and exit if applicable
ErrorCheck()
while
do
case $ERRORCODE in
err=0 no error
0 ) break
Not necessarily errors might indicate script already ran
err=20 generally means Attribute of Value Exists
err=68 generally means Entry Already Exists
20|68 )
echo Proceed with script [Press Y|y to continue any other key to abort]
read PROCEED
case $PROCEED in
Y|y )
break 2
)
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
echo Failed on step $STEPNO with error $ERRORCODE
exit
esac
Shouldnt ever get here but just in case no pun
echo Outer loop break
) echo Failed on step $STEPNO with error $ERRORCODE
exit
esac
done
Step 01
Some sanity checks before we start
Does $OPENDS_DIR exist and is it writable
if [[ ( -d $OPENDS_DIR ) || ( -w $OPENDS_DIR ) ]] then
echo ERROR $OPENDS_DIR does not exist or is not writable
echo You must execute this script as the $CP_ROOT installerowner
echo on the resource tier Exiting
exit
fi
Step 02
Prompt [no screen echo] for DM password
echo Enter the Directory Manager password for DS additionsmods
read -s DM_PASSWORD
Refer to httpswwwopendsorg12pageDsconfig for dsconfig options
DSCONFIG_OPTS=-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE
Refer to httpswwwopendsorgwikipageLdapmodify for ldapmodify options
er 2011 Luminis Platform 503 C-7Banner Integration Setup Guide
Sample Scripts and Files
C-8
LDAPMODIFY_OPTS=-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE
STEP 1
Create a new base-dn within backend userRoot
cd $CP_ROOTproductsopendsbin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn$OPENDS_MQ_BASEDN
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 2
Ensure that pre-encoded passwords are allowed
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Default Password Policycn=Password Policiescn=config
changetype modify
replace ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords true
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 3
Add $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn $OPENDS_MQ_BASEDN
objectClass top
objectClass organization
o messaging
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 4
Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be
# (LDIF base64 form; requires ds-cfg-allow-pre-encoded-passwords=true from STEP 2):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 8
# Add LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 9
# Add LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (the -l lookup names are single-quoted so the literal '$' is not expanded by the shell)
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (imqDestinationName must name the UpdateRequest queue; the published copy repeated com_sct_ldi_sis_Sync here)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (imqDestinationName must name the UpdateReply queue; the published copy repeated com_sct_ldi_sis_Sync here)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect-through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions or the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE' (the statement as printed in the guide is missing a single quote).
2. If the results from those validation SQL statements do not match the expected results, run the following scripts: gorctabi_070501.sql, gorccoli_070501.sql, gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
server or running as a Web application in the Internet Native Banner (INB) Application server.
This authentication model requires Banner Enterprise Identity Services to be installed on the Banner server and modifications to be made to the deployment of the Luminis Platform portlet for Banner server. Additionally, both Banner Enterprise Identity Services and the channel application should point to the same Banner instance.
For updates to the Middle Tier instructions, see the CommonsLuminis Luminis Platform 5 collaboration wiki as follows:
http://www.edu1world.org/CommonsLuminis
This section includes the following topics:
• "Create the home directory for Luminis Channels for Banner"
• "Edit the configuration file"
• "Banner database connection configuration properties"
• "Generate the banportals.ear file"
• "Deploy the EAR file"
• "Banner portlet life cycle"
Create the home directory for Luminis Channels for Banner
To manipulate and configure the files, create a directory on the OAS10g server, such as the following example:
/u01/PROD/sghe/banner/channels
Copy the contents of the channeladmin directory under your Banner production directory to this directory. In the instructions in this chapter, this directory is referred to as the CHANNEL_HOME directory.
Edit the configuration file
Edit the banportals.config file that is located in your CHANNEL_HOME directory, such as the following example:
D:\SGHE\BAN7\CHANNELS\banportals.config
Banner database connection configuration properties
The following table specifies descriptions and examples of the Banner database connection configuration properties.
Property: connectionName.list
Description: Connection listings. Each item in this list should have <connection name>.<property> specified. The default value in the list makes the configuration look for default.tnsName, default.userName, and so on.
Example: connectionName.list=default or connectionName.list=default,other

Property: default.tnsName
Description: TNS name used when connecting to the Banner database.
Example: default.tnsName=LB70.sct.com

Property: default.userName
Description: Connection pool user name.
Example: default.userName=banproxy

Property: default.password
Description: Connection pool password.
Example: default.password=banproxy

Property: default.poolConfig.min-limit
Description: Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
Example: default.poolConfig.min-limit=1

Property: default.poolConfig.max-limit
Description: Maximum number of physical connections maintained by the pool.
Example: default.poolConfig.max-limit=5

Property: default.poolConfig.increment
Description: Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
Example: default.poolConfig.increment=1

Property: default.poolConfig.timeout
Description: The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The value is in seconds.
Example: default.poolConfig.timeout=30
Property: log4j.rootCategory
Description: The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.

Property: providerServlet.url
Description: URL to access the Banner portal servlet. This is the URL of the webserver and points to the OC4J servlet, which resides on the webserver machine. The port of 4445 in the document is an example. You provide the port number that routes you to the welcome page of the webserver, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. Reference "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.
Example: http://<yourservername.com>:4445/banportals (port 4445 and the banportals virtual path are the document's examples)

Property: providerServlet.userName
Description: User name to secure the servlet.
Example: providerServlet.userName=channelAdmin

Property: providerServlet.password
Description: Password used to secure the servlet.
Example: providerServlet.password=u_pick_it
The recommended value for the username is channelAdmin. You can use any value for the password.
This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a channel request, it compares the username and password stored in banportals.ear with the username and password sent by Luminis from the luminis-banner webapp. Thus, the providerServlet username and password should only be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user, and so forth.
Generate the banportals.ear file
The banportals.config file contains values that should be inserted into the banportals.ear file.
To roll out the changes, use the installer file banportalsadmin.jar. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager as described in "Deploy the EAR file" on page 2-15.
Banner database connection configuration properties (continued)

Property: xsl-parameter.erpUrlBase
Description: URL for the INB server. Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL in the example.
Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D

Property: xsl-parameter.urlHostAndPath
Description: URL for the self-service application.
Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD/
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use the Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) server using mapped drives or symbolic links to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the application currently being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places the Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP username mapping first, based on the GUAUPRF LDAP settings, then fail over to the mapping set in the Banner GOBEACC mapping. For more information about SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for use with Banner Integration for e-Learning. It supports Banner Integration for eLearning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ-wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5, these components have been deprecated in favor of using the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework Application Server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish OpenMQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, and the …/imq/instances/imqbroker directory structure, including props/config.properties and etc/accesscontrol.properties, and so on.
You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider, but SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the OpenMQ community in general. In this document, it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows: mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following code to .bash_profile for your LUMADMIN user: SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway; export SCT_LMG_HOME
3. Copy the lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command: java -jar lmgX.x.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may be entered as follows: java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of opends before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page as follows:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects such as topics, queues, and connection factories in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:
• Environmental settings include the following:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist, as follows:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes, as follows:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, then use the imq.portmapper.port, which has a default value of 7676.
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. The MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel, by definition, requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations, include the following:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
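As an added example (not the guide's code and not part of lp5_mqinit.sh), the following Python builds the same o=messaging entries and global ACIs that STEP 3 to STEP 9 of the script pipe into ldapmodify, but writes each userPassword pre-encoded as {SSHA} in the base64 "userPassword::" form the script's STEP 6 note shows, so the ldapmodify input carries no plaintext (this needs ds-cfg-allow-pre-encoded-passwords=true from STEP 2). The variable names are the script's; the host-independent sample values and passwords are constructed.

```python
"""LDIF builder for the o=messaging tree that lp5_mqinit.sh creates (STEP 3-9).

Added example; not part of the Luminis guide or of lp5_mqinit.sh. Variable
names follow the script; sample values are constructed.
"""
import base64
import hashlib
import os
from typing import Dict, Optional

# Constructed stand-in for the script's environment (not a real deployment).
ENV: Dict[str, str] = {
    "OPENDS_MQ_BASEDN": "o=messaging",
    "MQ_LMG_USER": "lmguser",
    "MQ_LUM_USER": "lumuser",
}


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} as OpenDS stores it: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, encoded: str) -> bool:
    """Check a plaintext against an {SSHA} value; the salt follows the 20-byte digest."""
    if not encoded.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(encoded[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ldif_b64(attr: str, value: str) -> str:
    """'attr:: <base64>' line, the LDIF form for values that are not safe ASCII."""
    return attr + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")


def decode_ldif_b64(line: str) -> str:
    """Inverse of ldif_b64, for inspecting a pre-encoded userPassword line."""
    _, _, b64 = line.partition(":: ")
    return base64.b64decode(b64).decode("utf-8")


def messaging_ldif(env: Dict[str, str], passwords: Dict[str, str]) -> str:
    """Entries for STEP 3-7: base, ou=People, ou=AdministeredObjects, both users."""
    base = env["OPENDS_MQ_BASEDN"]
    org = base.split("=", 1)[1]  # o=messaging -> messaging
    entries = [
        [f"dn: {base}", "objectClass: top", "objectClass: organization", f"o: {org}"],
        [f"dn: ou=People,{base}", "ou: People",
         "objectClass: organizationalunit", "objectClass: top"],
        [f"dn: ou=AdministeredObjects,{base}", "ou: AdministeredObjects",
         "objectClass: organizationalunit", "objectClass: top"],
    ]
    users = (("MQ_LMG_USER", "LMG"),
             ("MQ_LUM_USER", "Internal message broker administrative user"))
    for var, description in users:
        cn = env[var]
        entries.append([
            f"dn: cn={cn},ou=People,{base}",
            ldif_b64("userPassword", ssha_encode(passwords[var])),  # never plaintext
            f"description: {description}",
            "objectClass: person", "objectClass: top",
            f"sn: {cn}", f"cn: {cn}",
        ])
    return "\n\n".join("\n".join(e) for e in entries) + "\n"


def global_aci(env: Dict[str, str], user_var: str) -> str:
    """STEP 8/9 ACI: read/search/compare over the whole subtree for one broker user."""
    base = env["OPENDS_MQ_BASEDN"]
    return (f'(target="ldap:///{base}")(targetscope="subtree")(targetattr="*")'
            '(version 3.0; acl "User-Visible Root DSE Operational Attributes"; '
            'allow (read,search,compare) '
            f'userdn="ldap:///cn={env[user_var]},ou=People,{base}";)')


def aci_modify_ldif(env: Dict[str, str]) -> str:
    """One modify record adding both global ACIs to the Access Control Handler."""
    lines = ["dn: cn=Access Control Handler,cn=config", "changetype: modify"]
    for var in ("MQ_LMG_USER", "MQ_LUM_USER"):
        lines += ["add: ds-cfg-global-aci",
                  "ds-cfg-global-aci: " + global_aci(env, var), "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed passwords; in practice take them from the environment as the script does.
    pws = {"MQ_LMG_USER": "lmg-example-pw", "MQ_LUM_USER": "lum-example-pw"}
    print(messaging_ldif(ENV, pws))
    print(aci_modify_ldif(ENV))
```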
Enable LDAP user repository for MQ
Update <glassfish-domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the last property, imq.log.level, to INFO for low-level debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
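A destination-specific access control file is only as good as its spelling: a misspelled principal grants nothing and the LDI flow fails silently. The following is an added audit script, not part of the guide or of the product; it assumes the rule evaluation order stated in its docstring and uses a constructed copy of the sample above as input.

```python
"""Audit an Open MQ accesscontrol.properties file for the LDI integration.

Added example, not part of the guide or the product. Rules have the form
  <connection|queue|topic>.<name>[.<produce|consume|browse>].<allow|deny>.<user|group>=p1,p2
The checks flag principals outside the expected set (a misspelled user name
grants nothing and silently breaks the flow), required operations the rules do
not permit, and ADMIN connections opened to every user.
Assumed evaluation order: a rule naming the destination overrides the '*'
wildcard, deny beats allow within that scope, and no matching rule means deny.
"""
import re
from collections import defaultdict

RULE_RE = re.compile(
    r"^(?P<rtype>connection|queue|topic)\.(?P<name>[^.]+)"
    r"(?:\.(?P<op>produce|consume|browse))?"
    r"\.(?P<access>allow|deny)\.(?P<ptype>user|group)$"
)

# Constructed sample: the guide's example with a "lumser" typo left in.
SAMPLE = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""
EXPECTED_USERS = {"lumuser", "lmguser"}
# (user, resource type, destination, operation) the LDI flow needs, per the guide.
REQUIRED = [
    ("lmguser", "queue", "com_sct_ldi_sis_UpdateReply", "produce"),
    ("lmguser", "queue", "com_sct_ldi_sis_UpdateRequest", "consume"),
    ("lumuser", "topic", "com_sct_ldi_sis_EntityEvents", "consume"),
    ("lumuser", "topic", "com_sct_ldi_sis_EntityEvents", "produce"),
    ("lmguser", "topic", "com_sct_ldi_sis_EntityEvents", "produce"),
    ("lumuser", "topic", "com_sct_ldi_sis_Error", "consume"),
    ("lumuser", "topic", "com_sct_ldi_sis_Error", "produce"),
    ("lmguser", "topic", "com_sct_ldi_sis_Error", "produce"),
    ("lmguser", "topic", "com_sct_ldi_sis_LmsSync", "produce"),
    ("lumuser", "topic", "com_sct_ldi_sis_Sync", "consume"),
    ("lmguser", "topic", "com_sct_ldi_sis_Sync", "produce"),
]


def parse_rules(text):
    """Return ({(rtype, name, op, access, ptype): set(principals)}, [bad lines])."""
    rules, bad = defaultdict(set), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        match = RULE_RE.match(key.strip())
        if not sep or not match:
            bad.append(line)          # a malformed key is ignored by the broker
            continue
        g = match.groupdict()
        principals = {p.strip() for p in value.split(",") if p.strip()}
        rules[(g["rtype"], g["name"], g["op"], g["access"], g["ptype"])] |= principals
    return dict(rules), bad


def is_allowed(rules, user, rtype, name, op=None):
    """Decide one user's access (group rules are not evaluated here)."""
    for scope in (name, "*"):
        deny = rules.get((rtype, scope, op, "deny", "user"), set())
        allow = rules.get((rtype, scope, op, "allow", "user"), set())
        if not deny and not allow:
            continue                  # nothing at this scope, try the wildcard
        if user in deny or "*" in deny:
            return False
        return user in allow or "*" in allow
    return False


def audit(text, expected_users=EXPECTED_USERS, required=REQUIRED):
    """Return a sorted list of findings; an empty list means the file is clean."""
    rules, bad = parse_rules(text)
    findings = [f"unparseable rule: {line}" for line in bad]
    unknown = set()
    for (rtype, name, _op, access, ptype), principals in rules.items():
        if ptype != "user":
            continue
        if (rtype, name, access) == ("connection", "ADMIN", "allow") and "*" in principals:
            findings.append("ADMIN connections are allowed for every user ('*')")
        unknown |= principals - expected_users - {"*"}
    findings += [f"unknown principal '{p}' (typo?)" for p in unknown]
    for user, rtype, name, op in required:
        if not is_allowed(rules, user, rtype, name, op):
            findings.append(f"{user} cannot {op} on {rtype} {name}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

Run it against the broker's own etc/accesscontrol.properties after each edit; an empty result means every operation the integration needs is explicitly permitted to the intended user and nobody else is named.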
Custom JMS Clients
Ensure that your JMS clients have the same versions of jms.jar and imq.jar in their classpath as any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ or Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server.
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ.
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps.
Note: The imqusermgr command creates users in the file-system based user repository, and can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use with IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password, or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details, or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default, MQ uses ephemeral (dynamic) port assignments. The initial connection to MQ is made on port 7676. MQ then broadcasts the ports to use for the other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and MQ must be configured to use static ports. MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.
If Luminis Platform was installed with the default setting of jmsenabled=false, JMS can be enabled in the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on the HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfish-domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
<jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN in any IMQCMD commands.
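The telnet sessions in step 4 are the only evidence that the static ports took effect, and reading them by eye is error-prone. The script below is an added example, not from the guide or the product: it parses a port mapper reply (pasted or fetched live) and checks it against the imq.admin.tcp.port and imq.jms.tcp.port values; the hostname and sample replies are constructed, and the ephemeral range is the assumed Linux default.

```python
"""Parse an Open MQ port mapper reply and verify static service ports.

Added example, not from the guide. Connecting to the broker's port mapper
(7676 above) returns one line per service, "name protocol type port [details]",
which is what the telnet sessions show. This parses a pasted session or a
live reply and reports services that are not on the ports configured with
imq.admin.tcp.port / imq.jms.tcp.port, plus any TCP service still on a port in
the Linux ephemeral range (assumed 32768-60999, the kernel default).
The hostname and port values below are constructed for the example.
"""
import socket
from dataclasses import dataclass

EPHEMERAL_RANGE = range(32768, 61000)


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str
    service_type: str
    port: int
    details: str = ""


def parse_portmapper(reply):
    """Return the Service lines from a port mapper reply.
    Version and telnet chatter lines are skipped because their fourth field
    is not an integer port."""
    services = []
    for raw in reply.splitlines():
        parts = raw.strip().split(None, 4)
        if len(parts) < 4 or not parts[3].isdigit():
            continue
        details = parts[4] if len(parts) > 4 else ""
        services.append(Service(parts[0], parts[1], parts[2], int(parts[3]), details))
    return services


def fetch_portmapper(host, port=7676, timeout=5.0):
    """Read the reply from a live broker; it sends the table and closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


def check_static_ports(services, expected):
    """expected maps service name to the configured static port.
    A service that is configured but absent from imq.service.activelist is not
    advertised at all, which is reported rather than assumed fine."""
    by_name = {s.name: s for s in services}
    findings = []
    for name, port in expected.items():
        svc = by_name.get(name)
        if svc is None:
            findings.append(f"{name}: not advertised by the broker")
        elif svc.port != port:
            findings.append(f"{name}: listening on {svc.port}, expected {port}")
    return findings


def ephemeral_tcp_services(services):
    """Names of TCP services whose port looks dynamically assigned."""
    return [s.name for s in services
            if s.protocol == "tcp" and s.port in EPHEMERAL_RANGE]


# Constructed replies modelled on the guide's before/after sessions.
BEFORE = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,sessionid=1]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://mq.example.edu/jndi/rmi://mq.example.edu:8686/mq.example.edu/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
"""
AFTER = BEFORE.replace("ADMIN 39925", "ADMIN 7574").replace("NORMAL 42103", "NORMAL 7575")
STATIC_PORTS = {"admin": 7574, "jms": 7575}   # imq.admin.tcp.port, imq.jms.tcp.port

if __name__ == "__main__":
    for label, reply in (("before", BEFORE), ("after", AFTER)):
        svcs = parse_portmapper(reply)
        print(label, check_static_ports(svcs, STATIC_PORTS), ephemeral_tcp_services(svcs))
```

Against a live broker, pass fetch_portmapper("<your FQDN>") to parse_portmapper; the cluster service remains on a dynamic port because the guide's config.properties does not pin it.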
Chapter 4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication, nor SPRIDEN ID lookup against LDAP, involved in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in the Luminis-CAS login on port 8447, coupled with the assertion of the UDC ID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with banportals for each transaction, using the user's actual INB/Oracle user account or by proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP from his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise, bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the following command from $CP_ROOT/products/opends/bin:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter Use these values.
1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, it indicates that no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here, and for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Please note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored in GUAUPRF and uses DES encryption as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as mkdir $BANNER_HOME/key_dir.
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory, and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If a user's ID is the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping will be read accordingly.
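Because a usermap entry decides which Oracle account a portal user connects as, and the cache means a bad entry is not noticed until the next banportals restart, it pays to check the LDIF before importing it. The script below is an added example, not part of the guide or the product, covering both the mapping format above and what the proxyinfo.sql check described earlier reports; its entries are constructed and the shared-Banner-ID check is an addition beyond what the guide requires.

```python
"""Build, validate and resolve o=usermap entries for the Luminis-to-Banner mapping.

Added example, not from the guide. usermap_entry() emits the LDIF shown above;
validate_usermap() checks what the guide requires of each entry (objectClass
SCTSSOConfig, cn equal to the RDN, SCTSSOConfigString holding the Banner ID,
no entry when both IDs are the same) and, as an added check, reports a Banner
account that several Luminis IDs resolve to; resolve() mirrors what
proxyinfo.sql reports: an explicit mapping wins, otherwise the default proxy ID.
The sample entries below are constructed.
"""

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"


def usermap_entry(luminis_id, banner_id):
    """LDIF text for one mapping, in the layout used by the guide."""
    return (
        f"dn: cn={luminis_id},{USERMAP_BASE}\n"
        f"SCTSSOConfigString: {banner_id}\n"
        "objectClass: top\n"
        "objectClass: SCTSSOConfig\n"
        f"description: Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {banner_id}\n"
        f"cn: {luminis_id}\n"
    )


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    leading-space continuation lines, '#' comments. Attribute names are
    lower-cased because LDAP treats them case-insensitively."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
        elif raw.startswith("#"):
            continue
        elif raw[0] == " " and last:
            current[last][-1] += raw[1:]
        else:
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _norm_dn(dn):
    return ",".join(part.strip() for part in dn.split(",")).lower()


def validate_usermap(entries):
    """Return findings for the entries under o=usermap; [] means all are usable."""
    findings, by_banner = [], {}
    for e in entries:
        dn = _norm_dn(e.get("dn", [""])[0])
        if not dn.endswith("," + USERMAP_BASE.lower()):
            continue                                  # not a usermap entry
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
        cn = e.get("cn", [""])[0]
        banner = e.get("sctssoconfigstring", [""])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if rdn_attr != "cn" or cn.lower() != rdn_value:
            findings.append(f"{dn}: cn must equal the RDN value")
        if "sctssoconfig" not in classes:
            findings.append(f"{dn}: missing objectClass SCTSSOConfig")
        if not banner:
            findings.append(f"{dn}: SCTSSOConfigString (Banner/Oracle ID) is empty")
        elif banner.lower() == cn.lower():
            findings.append(f"{dn}: Luminis and Banner IDs are identical, entry not needed")
        by_banner.setdefault(banner.lower(), []).append(cn)
    for banner, cns in by_banner.items():
        if banner and len(cns) > 1:
            findings.append(f"Banner ID {banner} is shared by Luminis IDs {', '.join(cns)}")
    return findings


def resolve(entries, luminis_id, default="banproxy"):
    """Oracle ID a Luminis ID connects as: explicit map first, else the default."""
    for e in entries:
        if _norm_dn(e.get("dn", [""])[0]).endswith("," + USERMAP_BASE.lower()):
            if e.get("cn", [""])[0].lower() == luminis_id.lower():
                return e["sctssoconfigstring"][0]
    return default


# Constructed sample: the guide's JoeSmith entry plus two flawed ones.
SAMPLE_LDIF = usermap_entry("JoeSmith", "jsmith") + "\n" + usermap_entry("asmith", "asmith") + "\n" + """\
dn: cn=BobJones,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
cn: BobJones
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(resolve(entries, "JoeSmith"), resolve(entries, "nobody"))
    for finding in validate_usermap(entries):
        print(finding)
```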
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps.
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value is displayed as the default value for new users who log in to Banner.
Parameter      Description
BIND_PASSWORD  The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER      A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine if users exist.
DN             The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER         The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using the Internet URL format for LDAP, for example ldap://myldapserver:389.
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT    Usermap option. Valid values are as follows: L (the login ID is used for login mapping); N (no usermap option is used).
USERMAP_PRFX   Prefix for the usermap. This contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter  Description
LOCATION   To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows: file:d:/wallet for Windows, file:/u01/wallet for Unix.
PASSWORD   The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE       The SSL authentication mode, which can be one of the following values: 1 - No authentication is required (SSL encryption only); 2 - One-way authentication is required, the client certificate is authenticated by the server; 3 - Two-way authentication is required, the client and the server authenticate each other's certificates.
Appendix A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions listed in step 2.2.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the util:map with id uniqueIdGeneratorsMap in the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
<ref bean="BannerArgumentExtractor" />
<ref bean="casArgumentExtractor" />
<ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
p:centralAuthenticationService-ref="centralAuthenticationService"
p:proxyHandler-ref="proxy20Handler"
p:argumentExtractor-ref="BannerArgumentExtractor"
p:successView="bannerAccountServiceSuccessView"
p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
<property name="baseDN" value="ou=People,o=cp" />
<property name="query" value="(uid={0})" />
<property name="contextSource" ref="contextSource" />
<property name="ldapAttributesToPortalAttributes">
<map>
<!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
<entry key="uid" value="uid" />
<entry key="udcid" value="UDC_IDENTIFIER" />
<entry key="cn" value="cn" />
<entry key="givenname" value="Formatted Name" />
<entry key="mail" value="EmailAddress" />
</map>
</property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
<list>
<bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
<property name="template" ref="LdapTemplate" />
<property name="netIdAttr" value="uid" />
<property name="baseDN" value="ou=People,o=cp" />
<property name="casTokenAttributes">
<map>
<entry>
<key><value>udcid</value></key>
<value>UDC_IDENTIFIER</value>
</entry>
</map>
</property>
</bean>
</list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
<property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
<property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
<property name="template" ref="LdapTemplate"></property>
<property name="netIdAttr" value="uid" />
<property name="baseDN" value="ou=People,o=cp" />
<property name="samlToLdapAttributeNameMap">
<map>
<entry key="UDC_IDENTIFIER" value="udcid" />
<entry key="Formatted Name" value="sn" />
</map>
</property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
Appendix B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique log file which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M:%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=true
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M:%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to the ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following (output of find . -name "*.log" run in /u01/app/oracle/10gAS/fr1012/j2ee/BEIS):
application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
application-deployments/bnig/BEIS_default_island_1/bnig_application.log
application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
log/identity_data_export_utilities.log
log/BEIS_default_island_1/default-web-access.log
log/BEIS_default_island_1/server.log
log/BEIS_default_island_1/global-application.log
log/BEIS_default_island_1/rmi.log
log/BEIS_default_island_1/jms.log
log/spml_publisher_failure.log
log/sqlnet.log
For HTTP-layer monitoring, reference the logs in the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j configuration file, such as log4j.properties, which you can use to configure them.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1 is the default login; change the default password on any reachable installation). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Broker logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of jms.log, edit imq.log.level in the following file:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following file: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) in the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.
If LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
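When an event shows status 2 on GOAEQRM but never reaches a subscriber, the quickest check is to follow its Event Sequence through adapter.log and see which of the three milestones above it reached. The following Python script does that over lines in the format shown above. It is an added example, not part of the guide or of LMG; the sample log text is constructed for the example (event 370661 and its error line are invented), and the stage names are the author's labels, not LMG terminology.

```python
import re
from collections import defaultdict

# Constructed sample in the adapter.log format shown above (not from a real
# install): event 370660 completes all three stages, 370661 is validated but
# the publish to the broker fails.
SAMPLE_ADAPTER_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,113 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:03,004 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Message 370661 could not be published: JMS connection refused
"""

# One adapter.log line: timestamp, [thread], level, logger, " - ", message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)

# The milestones a healthy event passes through, in order (labels are ours).
STAGES = (
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("published_to_broker", re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("published_to_subscriber", re.compile(r"The event (\d+) has been published to (\S+)")),
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not a log line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def trace_events(log_text):
    """Map event ID (the GOAEQRM Event Sequence) to the stages it reached,
    the subscriber it was delivered to, and any ERROR lines naming it."""
    events = defaultdict(lambda: {"stages": [], "errors": [], "subscriber": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        matched = False
        for name, pat in STAGES:
            m = pat.search(rec["msg"])
            if m:
                ev = events[m.group(1)]
                ev["stages"].append(name)
                if name == "published_to_subscriber":
                    ev["subscriber"] = m.group(2)
                matched = True
                break
        # An ERROR that mentions an event number is attached to that event.
        if not matched and rec["level"] == "ERROR":
            m = re.search(r"\b(\d{4,})\b", rec["msg"])
            if m:
                events[m.group(1)]["errors"].append(rec["msg"])
    return dict(events)

def incomplete_events(log_text):
    """Event IDs that were seen but never published to a subscriber."""
    return sorted(
        eid for eid, ev in trace_events(log_text).items()
        if "published_to_subscriber" not in ev["stages"]
    )

if __name__ == "__main__":
    for eid, ev in sorted(trace_events(SAMPLE_ADAPTER_LOG).items()):
        print(eid, "->", ", ".join(ev["stages"]) or "(no stages)", ev["errors"])
    print("incomplete:", incomplete_events(SAMPLE_ADAPTER_LOG))
```

Run it against a real adapter.log by reading the file into the function instead of the constructed sample; an event listed by incomplete_events with an empty errors list usually means LMG never saw it, so check GOAEQRM first rather than the broker.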
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination directory or file name for the MQ log, add or edit the following properties in the same file:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. They include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) Log in to SQL*Plus as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update. TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';       -- calling application
  b varchar2(200) := 'LUMINIS';       -- external system
  c varchar2(200) := '&Luminis_ID';   -- prompted for at run time
  d varchar2(200);                    -- OUT: mapped Oracle user
  e varchar2(200);                    -- OUT: role
  f varchar2(200);                    -- OUT: password (not displayed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Leave the PWD line commented out: the spool file proxyinfo.lst is written in the current directory, and uncommenting it would record the proxy password there in clear text.
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below. Before running it outside a lab, replace the placeholder passwords for the two messaging users, and note that the script passes the Directory Manager password on the command line (-w, visible to other local users via ps) and binds as Directory Manager over the plain LDAP port for the imqobjmgr JNDI operations.
#!/bin/bash
# The guide's listing starts with #!/bin/sh; "read -s" and "(( ))" below are
# bash features, so run the script with bash.
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
# (with -x the Directory Manager password appears in the trace output)
#
# Uncomment the following for verbose dsconfig/ldapmodify
#VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password        # placeholder, replace before use
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password        # placeholder, replace before use
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran.
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Step $STEPNO returned $ERRORCODE (entry or value already exists)."
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break"
        break ;;
      * )
        echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [ ! -d "$OPENDS_DIR" ] || [ ! -w "$OPENDS_DIR" ]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD
echo

# Refer to the OpenDS documentation (www.opends.org) for dsconfig options.
# Caveat: -w puts the password in the process argument list, where ps shows it
# to other local users; the OpenDS tools also accept -j <file>
# (--bindPasswordFile). --trustAll disables server certificate validation.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to the OpenDS documentation (www.opends.org) for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd "$CP_ROOT/products/opends/bin" || exit 1
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword (allowed by step 2), the
# base64 LDIF form is:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP ACI so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP ACI so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands.
# Caveat: this binds as Directory Manager with simple authentication over the
# plain LDAP port, so the password crosses the wire in clear unless the
# directory is on this host.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# The JNDI names below contain a literal "$" and are single-quoted so the
# shell does not expand them.

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd "$MQ_HOME/bin" || exit 1
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# (The guide's listing sets imqDestinationName=com_sct_ldi_sis_Sync here; the
# destination name is corrected to match the queue created above.)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration.
# (Same correction as step 14.)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
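Steps 2, 6 and 7 above add the two messaging users with clear-text userPassword values and relax the password policy so that a pre-encoded value can be supplied instead. The following Python module, an added example that is not part of the guide or of OpenDS, shows what such a value is: an OpenDS-style {SSHA} string (base64 of SHA-1(password || salt) followed by the 8-byte salt), and how to emit it as the base64 LDIF attribute line the guide shows. The function names, the constructed salt and the messaging_user_ldif helper are the author's; the sample value decoded in the usage note is the one printed above.

```python
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SALT_LEN = 8        # OpenDS appends an 8-byte random salt to the SHA-1 digest
DIGEST_LEN = 20     # SHA-1 output length

def ssha_encode(password, salt=None):
    """Return an {SSHA} value: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_parts(encoded):
    """Split an {SSHA} value into (digest, salt)."""
    if not encoded.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[len(SSHA_PREFIX):])
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]

def ssha_verify(password, encoded):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = ssha_parts(encoded)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def ldif_userpassword(encoded):
    """LDIF attribute line with the value base64-encoded (double colon), which is
    the form shown in the guide and the form export-ldif writes; the plain
    'userPassword: {SSHA}...' form is also valid LDIF."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")

def decode_ldif_value(line):
    """Return the value of one LDIF attribute line, decoding the '::' base64 form."""
    _attr, _sep, value = line.partition(":")
    if value.startswith(":"):
        return base64.b64decode(value[1:].strip()).decode("utf-8")
    return value.strip()

def messaging_user_ldif(cn, encoded_pw, base_dn="o=messaging", description="LMG"):
    """The entry lp5_mqinit.sh steps 6/7 add, with a pre-encoded password instead
    of a clear-text one (requires ds-cfg-allow-pre-encoded-passwords: true)."""
    return "\n".join([
        "dn: cn=%s,ou=People,%s" % (cn, base_dn),
        ldif_userpassword(encoded_pw),
        "description: %s" % description,
        "objectClass: person",
        "objectClass: top",
        "sn: %s" % cn,
        "cn: %s" % cn,
        "",
    ])

if __name__ == "__main__":
    # Constructed example: a fixed salt so the output is reproducible.
    value = ssha_encode("password", salt=bytes(range(1, SALT_LEN + 1)))
    print(messaging_user_ldif("lmguser", value))
    print("verify ok:", ssha_verify("password", value))
```

Decoding the guide's sample line with decode_ldif_value gives a value beginning with {SSHA} whose payload is 28 bytes, that is a 20-byte digest plus an 8-byte salt, so it was produced by this scheme. Generate the value on the resource tier and paste it into the heredoc; the clear-text password then never appears in the script, in the shell history, or in ps output.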
Troubleshooting
This appendix discusses options for troubleshooting user name mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:
SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as BANSECR, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB user name. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect-through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID will be used for a given SPRIDEN ID or Luminis Platform user, call the gspproxy.get_proxy_info method or run, as BANSECR, the proxyinfo.sql script described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between the SSO systems is deliberately opaque to make ticket hijacking and similar attacks harder. The installation process is manual so that each institution's administrative staff can customize their environment to use unique keywords.
The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration consistently wherever forms/frmservlet?config=… is referenced in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see AJP-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any .lock files.
Another SOAP-related error, an HTTP transport error, can occur even if all the JMS queues are configured and operating correctly. This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide. One typo in that guide is the following:
1. SELECT COUNT(*) FROM GSVCADT WHERE GSVCADT_CAPTURE_NAME = 'IAM_EVENTS_CAPTURE'; (the guide's version is missing a single quote around the capture name)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If the streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
Property: connectionName.list
Description: Connection listings. Each item in this list should have <connection name>.<property> specified. The value default in the list makes the configuration look for default.tnsName, default.userName, and so on.
Example: connectionName.list=default or connectionName.list=default,other

Property: default.tnsName
Description: TNS name used when connecting to the Banner database.
Example: default.tnsName=LB70.sct.com

Property: default.userName
Description: Connection pool user name.
Example: default.userName=banproxy

Property: default.password
Description: Connection pool password. It is stored in clear text in banportals.config and in the generated banportals.ear, so restrict read access to both files to the application server owner.
Example: default.password=banproxy

Property: default.poolConfig.min-limit
Description: Minimum number of physical connections maintained by the pool. Since banportals uses OCI database connection pooling, the default value of 1 is recommended.
Example: default.poolConfig.min-limit=1

Property: default.poolConfig.max-limit
Description: Maximum number of physical connections maintained by the pool.
Example: default.poolConfig.max-limit=5

Property: default.poolConfig.increment
Description: Incremental number of physical connections opened when all the existing connections are busy and a new connection is requested.
Example: default.poolConfig.increment=1

Property: default.poolConfig.timeout
Description: The amount of time that must pass before an idle physical connection is disconnected. This does not affect a logical connection. The time is in seconds.
Example: default.poolConfig.timeout=30
Property: log4j.rootCategory
Description: The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.
Example: log4j.rootCategory=INFO, stdout

Property: providerServlet.url
Description: URL to access the Banner portal servlet. This is the URL of the web server and points to the OC4J servlet, which resides on the web server machine. The port 4445 in the document is an example; you provide the port number that routes you to the welcome page of the web server, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. See "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.

Property: providerServlet.userName
Description: User name to secure the servlet.
Example: providerServlet.userName=channelAdmin

Property: providerServlet.password
Description: Password used to secure the servlet.
Example: providerServlet.password=u_pick_it
The recommended value for the user name is channelAdmin. You can use any value for the password; because it is only ever compared between the two components, choose a long random value rather than a word, and do not ship the example value.
This user name and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a channel request, it compares the user name and password stored in banportals.ear with the user name and password sent by Luminis from the luminis-banner webapp. Thus the providerServlet user name and password only need to be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user, and so forth.
Generate the banportals.ear file
The banportals.config file contains values that should be inserted into the banportals.ear file.
To roll out the changes, use the installer file banportalsadmin.jar. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager as described in "Deploy the EAR file" on page 2-15.
Property: xsl-parameter.erpUrlBase
Description: URL for the INB server.
Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL above.
Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D

Property: xsl-parameter.urlHostAndPath
Description: URL for the self-service application.
Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD/
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use the Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) server using mapped drives or symbolic links to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the application currently being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP username mapping first, based on the GUAUPRF LDAP settings, then fail over to the mapping set in the Banner GOBEACC mapping. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for use with Banner Integration for e-Learning. It supports Banner Integration for eLearning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ-wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of using the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework Application Server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish OpenMQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the …/imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.
You may use the older LMB 4.0. Luminis Platform does not depend on a specific JMS provider, but SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the OpenMQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows: mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following code to .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway; export SCT_LMG_HOME
3. Copy the lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgX.x.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may appear as follows:
java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that OpenDS LDAP resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page at the following address:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects such as topics, queues, and connection factories in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:
• Environmental settings include the following:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist, as follows:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties file for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes. The settings are as follows:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, use the imq.portmapper.port, which has a default value of 7676.
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSLJMS connection.
• Other settings, which should only be modified in non-standard configurations, include the following:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update <glassfishdomain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search, and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the last property, imq.log.level, to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
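The per-destination rules above are only as good as the spelling of every user name in them: a rule that names a user that does not exist in LDAP grants the intended user nothing, and the broker gives no warning. The following review aid is an added example, not part of the setup guide and not an Open MQ tool. It parses the accesscontrol.properties rule syntax shown above, checks every allow.user rule against the set of users you intend to exist (lmguser and lumuser here), lists users that are granted destination rights without a connection rule, and lists destinations where only one of produce/consume is granted explicitly so you can confirm the other side is covered by a wildcard or default rule. The sample file is constructed for the demonstration and contains a deliberate misspelling (lumser) to show what the check reports.

```python
"""Review aid for a GlassFish/Open MQ accesscontrol.properties file.

Added example for this section; it is not part of the setup guide and not an
Open MQ tool. It parses the rule syntax shown above
(<resource>.<name>[.<operation>].allow|deny.user|group=<list>) and reports
unknown user names, destination grants without a connection rule, and
destinations with only one side (produce or consume) granted explicitly.
"""
import re
from collections import defaultdict

RULE_RE = re.compile(
    r"^(?P<resource>connection|queue|topic)\.(?P<name>[^.]+)"
    r"(?:\.(?P<op>produce|consume|browse))?"
    r"\.(?P<decision>allow|deny)\.(?P<subject>user|group)=(?P<members>.*)$"
)

# Constructed sample, modelled on the rules in this section; "lumser" on
# line 5 is a deliberate typo of "lumuser".
SAMPLE_ACCESSCONTROL = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""


def parse_rules(text):
    """Return one dict per rule line; blank lines and # comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised rule {line!r}")
        rule = m.groupdict()
        rule["members"] = [x.strip() for x in rule["members"].split(",") if x.strip()]
        rule["line"] = lineno
        rules.append(rule)
    return rules


def audit(text, expected_users):
    """Cross-check allow.user rules against the users you intend to exist."""
    expected = set(expected_users)
    connected = set()            # users with a connection.* allow rule
    grants = defaultdict(set)    # user -> {"resource:name:op", ...}
    dest_ops = defaultdict(set)  # "resource:name" -> {"produce", "consume", ...}
    unknown = []                 # (line, user) for names outside `expected`
    for r in parse_rules(text):
        if r["subject"] != "user" or r["decision"] != "allow":
            continue             # group rules and denies are out of scope here
        for user in r["members"]:
            if user != "*" and user not in expected:
                unknown.append((r["line"], user))
            if r["resource"] == "connection":
                connected.add(user)
            else:
                dest = f'{r["resource"]}:{r["name"]}'
                grants[user].add(f'{dest}:{r["op"]}')
                dest_ops[dest].add(r["op"])
    wildcard = "*" in connected
    no_connection = sorted(u for u in grants if u not in connected and not wildcard)
    incomplete = sorted(d for d, ops in dest_ops.items()
                        if not {"produce", "consume"} <= ops)
    return {
        "unknown_users": unknown,
        "no_connection": no_connection,
        "incomplete_destinations": incomplete,
        "grants": {u: sorted(g) for u, g in grants.items()},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ACCESSCONTROL, ["lmguser", "lumuser"]).items():
        print(f"{key}: {value}")
```

Run it against the real file with `audit(open(path).read(), ["lmguser", "lumuser"])`; anything in unknown_users or no_connection is a rule that will not do what was intended, and incomplete_destinations is the list to check against the wildcard rules in the broker's default file.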
Custom JMS Clients
Ensure your JMS clients contain the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish/MQ/Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server:
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install the GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps:
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps:
Note: The imqusermgr command creates users in the file-system-based user repository but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in imqcmd are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
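Reading the portmapper table by eye works once; a check that can be re-run after every restart is more useful, since a service that silently falls back to an ephemeral port is exactly what a firewall rule for 7574/7575 will block. The following is an added example, not from the setup guide or from Open MQ. It parses the portmapper reply shown above and the imq.*.port properties from config.properties, then reports services still on ephemeral ports, advertised ports that differ from the configured values, and configured services the broker is not advertising. The two replies and the properties text are constructed copies of the sessions above; fetch_portmapper() assumes, as those sessions show, that the broker sends the table unsolicited on connect and then closes the socket.

```python
"""Confirm that an Open MQ broker advertises the static ports set in config.properties.

Added example for this step; not from the setup guide or from Open MQ. It parses
the portmapper reply (the table the broker prints when you connect to port 7676)
and the imq.*.port properties, and reports ephemeral, mismatched, and missing
services. The sample replies and properties below are constructed.
"""
import socket

# Service name in the portmapper table -> config.properties key that pins its port.
PORT_PROPS = {
    "admin": "imq.admin.tcp.port",
    "jms": "imq.jms.tcp.port",
    "ssljms": "imq.ssljms.tls.port",
}

# Constructed copies of the two replies in this section (ephemeral, then static).
EPHEMERAL_REPLY = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,sessionid=1]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
cluster tcp CLUSTER 37453
"""
STATIC_REPLY = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,sessionid=2]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
cluster tcp CLUSTER 50627
"""
STATIC_CONFIG = """\
# constructed tail of config.properties
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
"""


def parse_portmapper(reply):
    """Map service name -> {protocol, type, port} from the broker's table."""
    services = {}
    for line in reply.splitlines()[1:]:   # first line is the "101 imqbroker 4.5" banner
        parts = line.split()
        if len(parts) < 4 or not parts[3].isdigit():
            continue
        name, proto, svc_type, port = parts[:4]
        services[name] = {"protocol": proto, "type": svc_type, "port": int(port)}
    return services


def parse_properties(text):
    """Minimal key=value parser for config.properties (comments start with # or !)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_static_ports(reply, props_text):
    """Compare advertised ports with configured ones; empty lists mean all is well."""
    services = parse_portmapper(reply)
    props = parse_properties(props_text)
    findings = {"ephemeral": [], "mismatch": [], "not_advertised": []}
    for svc, prop in PORT_PROPS.items():
        wanted = props.get(prop)
        advertised = services.get(svc)
        if advertised is None:
            if wanted is not None:
                findings["not_advertised"].append(svc)   # configured but service inactive
            continue
        if wanted is None:
            findings["ephemeral"].append(svc)            # no static port pinned for it
        elif advertised["port"] != int(wanted):
            findings["mismatch"].append((svc, advertised["port"], int(wanted)))
    return findings


def fetch_portmapper(host, port=7676, timeout=5.0):
    """Read the live table; assumes the broker sends it on connect and then closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


if __name__ == "__main__":
    print("before:", check_static_ports(EPHEMERAL_REPLY, STATIC_CONFIG))
    print("after: ", check_static_ports(STATIC_REPLY, STATIC_CONFIG))
```

Against a live broker, pair `fetch_portmapper("<FQDN>")` with the contents of the real config.properties; ssljms shows up as not_advertised until the SSL service is activated in imq.service.activelist, which is the expected result for the non-SSL setup shown here.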
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.
If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled in the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on the HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed and the JMS and admin services listed in imq.service.activelist within <glassfishdomain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any imqcmd commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN-ID lookup against LDAP involved in the SSO transaction. Instead, bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in the Luminis-CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or by proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP for his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise, bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the following command from $CP_ROOT/products/opends/bin:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter Use these values.
1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, it indicates that no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here, and for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Please note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enc.key file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enc.key file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enc.key in the directory.
3. Edit the enc.key file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4 Edit the banssodirsql script located in the $BANNER_HOMEinstall directory and change the directory name to match the name of the directory you created in step one For example the directory may read as follows$BANNER_HOMEKEY_DIR
NoteIf you cannot find the banssodirsql script you may need to manually copy the file from upgradeGen70banssodirsql to $BANNER_HOMEinstallbanssodirsql
5 Run the script as followssqlplus nolog
connect generalgeneral_password
start banssodir
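The key rules above (column 1, letters and numbers, at least eight characters, length a multiple of eight, only the first 24 characters used) are easy to get wrong by hand, and a bad enckey file only shows up later as SSO failures. The following checker is an added example, not a script delivered with Banner or Luminis Platform; the function names and the sample keys in the comments are this example's own, and it reads the rules exactly as the guide states them (the guide's own example key, PASSWORD, contains no digits, so "letters and numbers" is applied as the permitted character set rather than as a requirement for both).

```python
"""Check an enckey file against the rules stated for the GOKKSSO key.

Added example, not part of the Banner or Luminis Platform documentation;
check_enckey and key_parts are this example's own names.
"""
import string

KEY_MIN_LEN = 8      # the current DES encryption uses the first eight characters
KEY_USED_LEN = 24    # GOKKSSO reads at most 24 characters (reserved for DES3)
ALLOWED = set(string.ascii_letters + string.digits)


def check_enckey(file_text: str) -> list:
    """Return the list of rule violations for the content of an enckey file.

    An empty list means the key is acceptable. Only the first line is
    examined, because the key must start in column 1 of the file.
    """
    problems = []
    first_line = file_text.split("\n", 1)[0].rstrip("\r")
    if first_line == "":
        return ["enckey file is empty"]
    if first_line[0].isspace():
        problems.append("key must start in column 1 (leading whitespace found)")
    key = first_line.strip()
    if len(key) < KEY_MIN_LEN:
        problems.append(f"key has {len(key)} characters, at least {KEY_MIN_LEN} required")
    elif len(key) % 8 != 0:
        problems.append(f"key length {len(key)} is not a multiple of eight")
    bad = sorted(set(key) - ALLOWED)
    if bad:
        problems.append("key may only contain letters and numbers; found " + repr("".join(bad)))
    return problems


def key_parts(file_text: str) -> tuple:
    """Split the key into the eight characters DES uses today and the
    24-character prefix kept for DES3; anything past 24 characters is ignored
    by GOKKSSO, so a longer key adds nothing."""
    key = file_text.split("\n", 1)[0].strip()
    return key[:KEY_MIN_LEN], key[:KEY_USED_LEN]


if __name__ == "__main__":
    # Constructed sample: read the real file with open("enckey").read() instead.
    for sample in ("PASSWORD\n", " PASSWORD\n", "abc123\n", "ABCDEFGH1\n"):
        print(repr(sample), check_enckey(sample) or "ok")
```

Run it against the file before running banssodir.sql; a key that fails the multiple-of-eight rule is the most common slip, because the guide's wording ("may be longer") reads as if any longer key is fine.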
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the BASELINE user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user ID for a user is the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value: Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP: Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see “Luminis Banner Web application” on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping can be read accordingly.
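When many users need mappings, the usermap entries are best generated from a list of ID pairs rather than typed one at a time, and the generated file should be readable back so that what went into the directory can be audited. The following is an added example, not a script shipped with Banner or Luminis Platform: it writes SCTSSOConfig entries under the o=usermap tree shown above, skips pairs whose IDs are identical (the guide says such entries are neither necessary nor recommended), escapes the Luminis ID before placing it in a DN so that a value containing "," or "+" cannot change the DN's structure, and parses a usermap LDIF back into a dictionary. The base DN and the "cn=" prefix (the delivered USERMAP_PRFX default) come from the guide; the function names and the sample ID pairs are this example's own.

```python
"""Build and read usermap entries for the o=usermap tree.

Added example; not a script shipped with Banner or Luminis Platform.
escape_dn_value, ldif_line, usermap_entry, build_usermap_ldif and
parse_usermap_ldif are this example's own names.
"""
import base64
import re

USERMAP_BASE_DN = "o=usermap,o=Banner,o=SCTSSOapplications"   # from the guide
USERMAP_PRFX = "cn="          # RDN attribute; the delivered USERMAP_PRFX default
_DN_SPECIAL = set(',+"\\<>;')

# The guide's own sso_map.ldif example, embedded here as constructed test input.
GUIDE_SAMPLE = """\
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
"""


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping, so a Luminis ID containing ',' or '+' cannot
    change the shape of the DN it is embedded in."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr: str, value: str) -> str:
    """Use the '::' base64 form where RFC 2849 requires it (non-ASCII,
    leading or trailing space, or a value starting with ':' or '<')."""
    plain = value.isascii() and value == value.strip() and not value.startswith((":", "<"))
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def usermap_entry(luminis_id: str, banner_id: str) -> str:
    """One SCTSSOConfig entry: cn is the LDAP (Luminis) user and
    SCTSSOConfigString is the Banner (Oracle) user it maps to."""
    for v in (luminis_id, banner_id):
        if not v or "\n" in v or "\r" in v:
            raise ValueError("IDs must be non-empty, single-line strings")
    return "\n".join([
        f"dn: {USERMAP_PRFX}{escape_dn_value(luminis_id)},{USERMAP_BASE_DN}",
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        ldif_line("cn", luminis_id),
        ldif_line("SCTSSOConfigString", banner_id),
        ldif_line("description", f"Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {banner_id}"),
    ])


def build_usermap_ldif(pairs) -> str:
    """Emit entries only for pairs whose IDs differ: the guide says an
    entry for identical IDs is neither necessary nor recommended."""
    entries = [usermap_entry(lum, ban) for lum, ban in pairs if lum != ban]
    return "\n\n".join(entries) + ("\n" if entries else "")


def parse_usermap_ldif(text: str) -> dict:
    """Read an LDIF file back as {luminis_id: banner_id}, accepting only
    SCTSSOConfig entries that sit under the usermap base DN."""
    mapping = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        block = block.replace("\n ", "")          # unfold LDIF continuation lines
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            attrs.setdefault(name.strip().lower(), []).append(value)
        dn = attrs.get("dn", [""])[0].lower()
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if not dn.endswith("," + USERMAP_BASE_DN.lower()) or "sctssoconfig" not in classes:
            continue
        if "cn" in attrs and "sctssoconfigstring" in attrs:
            mapping[attrs["cn"][0]] = attrs["sctssoconfigstring"][0]
    return mapping


if __name__ == "__main__":
    # Constructed sample pairs; the third is dropped because both IDs match.
    print(build_usermap_ldif([("JoeSmith", "jsmith"), ("kyle", "saisusr"), ("jsmith", "jsmith")]))
```

The output is importable with the ldapmodify command from step 2 above; after the cache period described in the note, parse_usermap_ldif on the same file gives the mapping that proxyinfo.sql should confirm for each Luminis ID.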
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value will display as the Default value for new users who log in to Banner.
Parameter / Description
BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine if users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using Internet URL format for LDAP, such as the following example: ldap://myldapserver:389
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are as follows: L: LoginID is being used for login mapping. N: No usermap option is used.
USERMAP_PRFX: Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV, you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secured Socket Layer) key, configure the following parameters:
Parameter / Description
LOCATION: To configure SSL, a certificate wallet must be created on the Database Server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows: file:/d:/wallet for Windows, file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode can be one of the following values: 1 - No authentication is required (SSL encryption only). 2 - One-way authentication is required: the client certificate is authenticated by the server. 3 - Two-way authentication is required: the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see “Central Authentication Service and Banner Enterprise Identity Services” on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions listed in step 2.2.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension, and consider the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the util:map with id="uniqueIdGeneratorsMap" in the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
    <ref bean="BannerArgumentExtractor" />
    <ref bean="casArgumentExtractor" />
    <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
    p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
    p:centralAuthenticationService-ref="centralAuthenticationService"
    p:proxyHandler-ref="proxy20Handler"
    p:argumentExtractor-ref="BannerArgumentExtractor"
    p:successView="bannerAccountServiceSuccessView"
    p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="query" value="(uid={0})" />
    <property name="contextSource" ref="contextSource" />
    <property name="ldapAttributesToPortalAttributes">
        <map>
            <!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
            <entry key="uid" value="uid" />
            <entry key="udcid" value="UDC_IDENTIFIER" />
            <entry key="cn" value="cn" />
            <entry key="givenname" value="Formatted Name" />
            <entry key="mail" value="EmailAddress" />
        </map>
    </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
    <list>
        <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
            <property name="template" ref="LdapTemplate" />
            <property name="netIdAttr" value="uid" />
            <property name="baseDN" value="ou=People,o=cp" />
            <property name="casTokenAttributes">
                <map>
                    <entry>
                        <key><value>udcid</value></key>
                        <value>UDC_IDENTIFIER</value>
                    </entry>
                </map>
            </property>
        </bean>
    </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
    <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
    <property name="template" ref="LdapTemplate"></property>
    <property name="netIdAttr" value="uid" />
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="samlToLdapAttributeNameMap">
        <map>
            <entry key="UDC_IDENTIFIER" value="udcid" />
            <entry key="Formatted Name" value="sn" />
        </map>
    </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties:
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see “CAS managed services” on page 2-4.
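Three of the edits above must agree with one another for the bannerValidate service to work: the web.xml servlet mapping must route /bannerValidate to the cas servlet, handlerMappingC must send that path to bannerAccountValidateController, and the argumentExtractors list must contain BannerArgumentExtractor, or the controller never sees Banner-style requests. The following checker is an added example, not part of the SGHE CAS extension or the CAS distribution: it parses the three files and reports any of the three links that is missing. The XML fragments embedded below are constructed from the settings listed in this appendix; the class attribute on handlerMappingC and the namespace URIs are assumptions (the appendix does not show them), as are the function names.

```python
"""Verify the CAS-side wiring for the bannerValidate service.

Added example, not part of the SGHE CAS extension. The embedded XML is
constructed from the settings in this appendix; real files are read with
open(path).read() and passed in the same way.
"""
import xml.etree.ElementTree as ET

# Constructed fragments (namespace URIs and the handlerMappingC class are assumed).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/bannerValidate</url-pattern>
  </servlet-mapping>
</web-app>"""

CAS_SERVLET_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="mappings">
      <props>
        <prop key="/bannerValidate">bannerAccountValidateController</prop>
      </props>
    </property>
  </bean>
</beans>"""

ARG_EXTRACTORS_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util">
  <bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor" />
  <util:list id="argumentExtractors">
    <ref bean="BannerArgumentExtractor" />
    <ref bean="casArgumentExtractor" />
    <ref bean="samlArgumentExtractor" />
  </util:list>
</beans>"""


def servlet_mapping_ok(web_xml: str, url_pattern: str = "/bannerValidate", servlet: str = "cas") -> bool:
    """True if web.xml maps url_pattern to the named servlet ({*} matches any namespace)."""
    root = ET.fromstring(web_xml)
    for m in root.iterfind(".//{*}servlet-mapping"):
        if m.findtext("{*}servlet-name") == servlet and m.findtext("{*}url-pattern") == url_pattern:
            return True
    return False


def handler_for_path(cas_servlet_xml: str, path: str):
    """Bean name that the handler mapping props assign to path, or None."""
    root = ET.fromstring(cas_servlet_xml)
    for prop in root.iterfind(".//{*}prop"):
        if prop.get("key") == path:
            return (prop.text or "").strip()
    return None


def argument_extractors(extractors_xml: str) -> list:
    """Bean refs in the util:list with id argumentExtractors, in order."""
    root = ET.fromstring(extractors_xml)
    for lst in root.iterfind(".//{*}list"):
        if lst.get("id") == "argumentExtractors":
            return [r.get("bean") for r in lst.iterfind("{*}ref")]
    return []


def check_cas_wiring(web_xml: str, cas_servlet_xml: str, extractors_xml: str) -> list:
    """Return a list of problems; an empty list means all three links are present."""
    problems = []
    if not servlet_mapping_ok(web_xml):
        problems.append("web.xml: no servlet-mapping from /bannerValidate to the cas servlet")
    if handler_for_path(cas_servlet_xml, "/bannerValidate") != "bannerAccountValidateController":
        problems.append("cas-servlet.xml: /bannerValidate is not mapped to bannerAccountValidateController")
    if "BannerArgumentExtractor" not in argument_extractors(extractors_xml):
        problems.append("argumentExtractorsConfiguration.xml: BannerArgumentExtractor is not in argumentExtractors")
    return problems


if __name__ == "__main__":
    print(check_cas_wiring(WEB_XML, CAS_SERVLET_XML, ARG_EXTRACTORS_XML) or "wiring ok")
```

Run it after step 4.7 and again after any CAS upgrade, since a redeployed cas-web.war reverts all three files to the distribution's versions.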
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To crank up banportals logging on the application server side, use the following file to set verbosity:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M:%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M:%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG,file
log4j.logger.com.sghe.luminis.banner=DEBUG,file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the logs in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will, which take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain:
/opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location:
/opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
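The three lines above are the full path of one event: validated by StandardEventProvider, published to the Luminis Message Broker, then delivered to a destination. When an event listed as Processed on GOAEQRM never reaches Luminis Platform, the useful question is at which of those stages its event ID disappears from adapter.log. The following tracer is an added example, not a tool shipped with LMG: it keys the log lines by event ID and reports which stage each reached. The regular expression assumes the "timestamp [thread] LEVEL logger - message" layout the quoted lines show; the fourth sample line (event 370661, validated but never published) is constructed to show a stalled event, and the function names are this example's own.

```python
"""Trace Banner events through the LMG adapter.log by event ID.

Added example, not part of LMG. The first three sample lines are the ones
quoted in this appendix; the 370661 line is constructed to show an event
that was validated but never published.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Stage name and the message pattern that marks it, in processing order.
STAGES = [
    ("validated", re.compile(r"XML for (?P<id>\d+) is a valid document")),
    ("published", re.compile(r"Message (?P<id>\d+) published to Luminis Message Broker")),
    ("delivered", re.compile(r"The event (?P<id>\d+) has been published to (?P<dest>\S+)")),
]

SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,004 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
"""


def trace_events(log_text: str) -> dict:
    """Return {event_id: {stage: timestamp, ..., "destination": name}} for
    every event ID mentioned in a recognised stage message."""
    events = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrelated or differently formatted line
        for stage, pattern in STAGES:
            sm = pattern.search(m["msg"])
            if sm:
                record = events.setdefault(sm["id"], {})
                record[stage] = m["ts"]
                if "dest" in sm.groupdict():
                    record["destination"] = sm["dest"]
                break
    return events


def stalled_events(log_text: str) -> list:
    """Event IDs that were validated but never delivered to a destination:
    the ones to compare against the Event Sequence values on GOAEQRM."""
    return sorted(
        event_id for event_id, record in trace_events(log_text).items()
        if "validated" in record and "delivered" not in record
    )


if __name__ == "__main__":
    for event_id, record in trace_events(SAMPLE_LOG).items():
        print(event_id, record)
    print("stalled:", stalled_events(SAMPLE_LOG))
```

To use it on a live system, read $SCT_LMG_HOME/Events/logs/adapter.log into log_text; an event that is stalled here but shows status 2 on GOAEQRM points at the LMG-to-broker leg, which is where the GlassFish MQ logs described next come in.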
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs as stored in the following location:
<glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in the following location:
<glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• “Sample proxyinfo.sql script”
• “Sample 00-core.ldif”
• “Sample 99-user.ldif”
• “Sample sso_oclass_lum5.ldif”
• “Sample o=sctssoapplications.ldif”
• “Full lp5_mqinit.sh script”
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID,
-- such as INTEGMGR or WWW_USER, is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) Log in to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS      TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                       TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompts for the Luminis ID at run time
  d varchar2(200);                    -- mapped Oracle (Banner) user, returned
  e varchar2(200);                    -- role, returned
  f varchar2(200);                    -- password, returned (not printed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCT SSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. By importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in “Sample o=sctssoapplications.ldif” on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in “Set up users and administered objects in o=messaging” on page 3-3 is listed below:
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit ;;
        esac
        # Shouldn't ever get here, but just in case (no pun intended)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start:
# does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit
fi

# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")
 (targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational
  Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,
 ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")
 (targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational
  Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,
 ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
er 2011 Luminis Platform 503 C-11Banner Integration Setup Guide
Sample Scripts and Files
C-12
imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (the lookup names contain a literal '$', so they are single-quoted to keep the shell from expanding them)
cd "$MQ_HOME/bin"
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (imqDestinationName must name the queue this lookup name refers to)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_ssl_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_ssl_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log, located in $OAS_HOME/opmn/logs, or errors such as "SOAPException faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide's version is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
Property: log4j.rootCategory
Description: The logging level and logging scheme used from within the servlet. The default logging level is INFO, stdout, which directs the output of the servlet to the system output, which in turn writes to the <ORACLE_HOME>/opmn/<oc4j instance> logs. To limit the growth and overall size of the log, the logging can be turned down to ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.

Property: providerServlet.url
Description: URL to access the Banner portal servlet. This is the URL of the web server and points to the OC4J servlet, which resides on the web server machine. The port of 4445 in the document is an example. You provide the port number that routes you to the welcome page of the web server, such as http://<yourservername.com>:7777. The banportals portion of the URL is suggested as the virtual path for the OC4J servlet. Reference "Generate the banportals.ear file" on page 2-14 for the banportals portion of the URL.

Property: providerServlet.userName
Description: User name to secure the servlet.
Example: providerServlet.userName=channelAdmin

Property: providerServlet.password
Description: Password used to secure the servlet.
Example: providerServlet.password=u_pick_it
The recommended value for the username is channelAdmin. You can use any value for the password.
This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a Channel request, it compares the username and password stored in banportals.ear with the username and password sent by Luminis from the luminis-banner webapp. Thus, the providerServlet username and password should only be defined in the banportals.config file. There does not need to be any corresponding OS user, Oracle user, and so forth.
Generate the banportals.ear file
The banportals.config file contains values that should be inserted into the banportals.ear file.
To roll out the changes, an installer file, banportalsadmin.jar, is used. To use this installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java VM of 1.3.1 or higher is required. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR statement generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in "Luminis Banner Web application" on page 2-9. Then deploy the resulting EAR file via the Oracle Enterprise Manager as described in "Deploy the EAR file" on page 2-15.
Property: xsl-parameter.erpUrlBase
Description: URL for the INB server. Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL in the example.
Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D

Property: xsl-parameter.urlHostAndPath
Description: URL for the self-service application.
Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD/
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use the Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read the introduction, click Next.
4. Browse for the banportals.ear file that has been updated in the CHANNEL_HOME directory. Select this file for deployment.
This step takes the EAR file within the CHANNEL_HOME directory and moves it up to the OAS 10g server. The EAR file must be made available to the machine on which you are browsing the Enterprise Manager. If access is not readily available, the file must be moved locally to the browser machine to upload it to the OAS 10g server. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you do not have access from your local (browser) server using mapped drives or symbolic links to the banportals.ear file, you need to FTP the file to your local machine and then select the file locally.
5. Select a name to identify the application within the OC4J instance. This name must be unique to the OC4J instance and should typically contain the application currently being deployed. The suggested name is as follows: <SID>_banportals
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates into the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• The XML content is generated by Banner in response to the request.
• The XML content is returned to the portlet class and is transformed using the preloaded XSLT style sheet.
• The resulting XHTML generated from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. An LDAP user mapping option adds significant weight to this process and contributes to LDAP traffic. To enhance performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner to read as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process will look for an LDAP username mapping first, based on the GUAUPRF LDAP settings, then fail over to the mapping set in the Banner GOBEACC mapping. For more information on SSB and INB configurations, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for use with Banner Integration for e-Learning. It supports Banner Integration for eLearning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ-wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5, these components have been deprecated in favor of using the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework Application Server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish Open MQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the …/imq/instances/imqbroker directory structure including props/config.properties and etc/accesscontrol.properties, and so on.
You may use the older LMB 4.0. Luminis Platform does not depend on a specific JMS provider, but SunGard Higher Education recommends that you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the Open MQ community in general. In this document, it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the "which java" and "java -version" commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows:
mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following code to .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway; export SCT_LMG_HOME
3. Copy the lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgX.x.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may appear as follows:
java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same server as the GlassFish installation. The script will bind as cn=Directory Manager and make modifications in the <opends>/db and <opends>/config directories, so a backup of OpenDS before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page at the following location:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script will create users and administered objects, such as topics, queues, and connection factories, in $OPENDS_MQ_BASEDN (generally o=messaging). The properties include the following:
• Environmental settings include the following:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist, as follows:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes, as follows:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, then use the imq.portmapper.port, which has a default value of 7676.
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. The MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations, include the following:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update the <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both the MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search, and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the latter, imq.log.level, to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
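The following is an added example and is not part of this guide or of the lp5_mqinit.sh script: a POSIX shell helper that reads an accesscontrol.properties file with rules in the form shown above and reports any rule that grants a destination or connection to a user outside the set you expect (including the wildcard *), which is the usual way a broker ends up more permissive than the per-destination design intends. The sample file is constructed here from the rules above, and the function names acl_users and acl_check are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of <imq>/instances/imqbroker/etc/accesscontrol.properties,
# mirroring the per-destination rules shown above (example file, not shipped by the product).
ACL_FILE="${TMPDIR:-/tmp}/accesscontrol.properties.sample"
cat > "$ACL_FILE" <<'EOF'
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
EOF

# Print the users granted by one rule key, one per line (prints nothing if the key is absent).
acl_users() {  # acl_users <file> <rule-key>
  awk -F= -v k="$2" '$1 == k { n = split($2, u, ","); for (i = 1; i <= n; i++) print u[i] }' "$1"
}

# Return 0 when every *.allow.user rule names only users from the allowed set;
# otherwise print each offending rule and return 1. A grant to "*" is always flagged,
# and any *.allow.group rule is listed so it can be reviewed by hand.
acl_check() {  # acl_check <file> <allowed-users, comma-separated>
  awk -F= -v allowed="$2" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[[:space:]]*(#|$)/ { next }                      # skip comments and blank lines
    $1 ~ /\.allow\.user$/ {
      m = split($2, u, ",")
      for (i = 1; i <= m; i++)
        if (!(u[i] in ok)) { print "unexpected user in rule: " $0; bad = 1 }
    }
    $1 ~ /\.allow\.group$/ { print "group grant present, review it: " $0 }
    END { exit bad }
  ' "$1"
}

# Usage: verify that only the two integration users appear anywhere in the file.
acl_check "$ACL_FILE" lumuser,lmguser && echo "accesscontrol.properties: only expected users granted"
```

Run it against the broker's real file after every edit; a non-zero exit with a printed rule is the signal that a destination has been opened to a user (or to everyone) outside the LMG and Luminis accounts.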
Custom JMS Clients
Ensure that your JMS clients contain the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish/MQ/Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server:
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install the GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps:
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since it is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps:
Note: The imqusermgr command will create users in the file-system based user repository, but it can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for the other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
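To check the portmapper broadcast without reading it by eye, the following added Python script (not part of this guide) parses the service table in the format shown above and reports any service whose advertised port differs from the static values set in config.properties. The embedded sample text, its host name and its sessionid are constructed for the example.

```python
"""Parse the Open MQ portmapper banner (port 7676) and check for static ports.

Added example, not from the Luminis guide. SAMPLE_EPHEMERAL is constructed
from the table format the broker prints; the host name is made up.
"""
import socket
from typing import Dict, List, NamedTuple


class MqService(NamedTuple):
    protocol: str      # tcp, rmi, https, none
    service_type: str  # NORMAL, ADMIN, PORTMAPPER, ...
    port: int          # 0 means the service is not listening on its own port


# Constructed sample: admin and jms still on ephemeral ports.
SAMPLE_EPHEMERAL = """101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,imqhome=/opt/glassfishv3/mq,sessionid=1]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://mq.example.edu/jndi/rmi://mq.example.edu:8686/mq.example.edu/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
"""

# Ports the guide sets with imq.admin.tcp.port and imq.jms.tcp.port.
EXPECTED_STATIC = {"admin": 7574, "jms": 7575}


def parse_portmapper(text: str) -> Dict[str, MqService]:
    """Turn the portmapper table into {service name: MqService}.

    Each service line is "<name> <protocol> <type> <port> [<attrs>]". The
    version banner ("101 imqbroker 4.5") and any telnet chatter pasted in
    ("Trying ...", "Connection closed ...") lack an integer fourth field and
    are skipped.
    """
    services: Dict[str, MqService] = {}
    for line in text.splitlines():
        fields = line.split(None, 4)  # bracketed attributes stay in one field
        if len(fields) < 4:
            continue
        name, protocol, service_type, port = fields[:4]
        try:
            services[name] = MqService(protocol, service_type, int(port))
        except ValueError:
            continue  # not a service line
    return services


def check_static_ports(services: Dict[str, MqService],
                       expected: Dict[str, int] = EXPECTED_STATIC) -> List[str]:
    """Return a list of problems; an empty list means every expected port is static."""
    problems = []
    for name, port in expected.items():
        svc = services.get(name)
        if svc is None:
            problems.append(f"{name}: service not advertised by the broker")
        elif svc.port != port:
            problems.append(f"{name}: advertised port {svc.port}, expected {port}")
    return problems


def fetch_portmapper(host: str, port: int = 7676, timeout: float = 5.0) -> str:
    """Read the banner from a live broker; the broker sends it and closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for problem in check_static_ports(parse_portmapper(fetch_portmapper(target))):
        print(problem)
```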
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.
If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled within the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, with the JMS and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is held in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN-ID lookup against LDAP involved in the SSO transaction. Instead, bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in Luminis-CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or a proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP from his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnig Web configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control-panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps.
1. Run the dsconfig command from $CP_ROOT/products/opends/bin as follows:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select "Add one or more values".
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter "Use these values".
1.7 Press F to finish and apply the changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications.ldif" sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any user who does not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind to LDAP is stored on GUAUPRF and is protected with DES encryption, as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, for example: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
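As an added check that is not part of this guide, the following Python function applies the key rules from step 3 to the contents of an enckey file and returns the eight characters the current DES encryption actually uses, which shows how much of a longer key protects the stored passwords today. The sample keys in the test are constructed.

```python
"""Check an enckey file against the GOKKSSO key rules stated in this guide.

Added example, not from the guide. Rules applied: the key starts in column 1,
mixes letters and digits, has at least eight characters, has a length that is
a multiple of eight, and only its first 24 characters are read.
"""
from pathlib import Path
from typing import List, Tuple

KEY_LENGTH = 24      # characters GOKKSSO reads (sized for a future DES3 key)
DES_KEY_LENGTH = 8   # characters the current DES encryption uses


def check_enckey_text(text: str) -> Tuple[str, List[str]]:
    """Return (des_key, problems) for the raw contents of an enckey file.

    des_key is the eight-character prefix that DES uses today; it is empty
    when the file holds no key at all. problems is empty for a valid key.
    """
    lines = text.splitlines()
    if not lines or not lines[0].strip():
        return "", ["enckey is empty or its first line is blank"]
    first = lines[0]
    problems: List[str] = []
    if first[0].isspace():
        problems.append("key must start in column 1")
    key = first.strip()
    if len(key) < DES_KEY_LENGTH:
        problems.append("key must contain at least eight characters")
    if len(key) % 8 != 0:
        problems.append("key length must be a multiple of eight")
    if not (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)):
        problems.append("key must combine letters and numbers")
    if len(key) > KEY_LENGTH:
        problems.append("only the first 24 characters are used; the rest is ignored")
    return key[:DES_KEY_LENGTH], problems


def check_enckey_file(path: str) -> Tuple[str, List[str]]:
    """Same check for a file on disk, e.g. $BANNER_HOME/key_dir/enckey."""
    return check_enckey_text(Path(path).read_text(encoding="ascii"))
```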
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If a user's IDs are the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value: Luminis ID = jsmith, Oracle/Banner ID = jsmith
• Mapped to one another in LDAP: Luminis ID = JoeSmith, Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping when the IDs differ from one another. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping can be read.
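Before importing a usermap file with ldapmodify, the following added Python check (not from this guide) parses the simple LDIF form shown in step 1 and applies the rules above: each entry sits under o=usermap,o=Banner,o=SCTSSOapplications, carries objectClass SCTSSOConfig, has a cn equal to its RDN value, sets SCTSSOConfigString, and is only wanted when the Luminis and Banner IDs differ. The second entry in the embedded sample (jdoe) is constructed to show that last case.

```python
"""Validate sso_map.ldif usermap entries before running ldapmodify.

Added example, not part of the guide. It handles the plain LDIF shown in the
procedure (one "attr: value" per line, entries separated by a blank line); it
does not handle base64 values or folded lines. SAMPLE_LDIF is constructed.
"""
from typing import Dict, List

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"

SAMPLE_LDIF = """\
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith

dn: cn=jdoe,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jdoe
objectClass: top
objectClass: SCTSSOConfig
cn: jdoe
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into entries; each entry maps an attribute to its values."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                 # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):     # LDIF comment
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_usermap_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Apply the guide's rules to one entry and return the problems found."""
    problems: List[str] = []
    dn = entry.get("dn", [""])[0]
    rdn, _, parent = dn.partition(",")
    if parent.lower() != USERMAP_BASE.lower():
        problems.append(f"{dn}: not under {USERMAP_BASE}")
    if not rdn.lower().startswith("cn="):
        problems.append(f"{dn}: RDN must be cn=<Luminis ID>")
    luminis_id = rdn[3:]
    if entry.get("cn", [None])[0] != luminis_id:
        problems.append(f"{dn}: cn attribute does not match the RDN")
    if "SCTSSOConfig" not in entry.get("objectClass", []):
        problems.append(f"{dn}: missing objectClass SCTSSOConfig")
    banner_id = entry.get("SCTSSOConfigString", [""])[0]
    if not banner_id:
        problems.append(f"{dn}: SCTSSOConfigString (Banner/Oracle ID) is empty")
    elif banner_id == luminis_id:
        # The guide says an entry is neither necessary nor recommended here.
        problems.append(f"{dn}: IDs are identical; the guide says no usermap entry is needed")
    return problems


def check_usermap(text: str) -> List[str]:
    """Problems for every entry in an LDIF text, in file order."""
    return [p for entry in parse_ldif(text) for p in check_usermap_entry(entry)]
```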
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps.
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value displays as the Default value for new users who log in to Banner.
Parameter: Description
BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using the Internet URL format for LDAP, for example ldap://myldapserver:389
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are as follows: L - LoginID is used for login mapping; N - No usermap option is used.
USERMAP_PRFX: Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter: Description
LOCATION: To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where this wallet is created. It uses the file URL format; for example, file:d:\wallet for Windows or file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode, one of the following values: 1 - No authentication is required (SSL encryption only); 2 - One-way authentication is required: the client certificate is authenticated by the server; 3 - Two-way authentication is required: the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have a CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions listed in step 2.2.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry inside the util:map with id="uniqueIdGeneratorsMap":
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient">
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set the logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternatively, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.banner.portals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several application-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name "*.log"
application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
application-deployments/bnig/BEIS_default_island_1/bnig_application.log
application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
log/identity_data_export_utilities.log
log/BEIS_default_island_1/default-web-access.log
log/BEIS_default_island_1/server.log
log/BEIS_default_island_1/global-application.log
log/BEIS_default_island_1/rmi.log
log/BEIS_default_island_1/jms.log
log/spml_publisher_failure.log
log/sqlnet.log
For HTTP-layer monitoring, refer to the logs in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container, which take effect after the next restart of that component.
GlassFish/MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the log files listed above after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows.
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination directory and filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These include the following:
• “Sample proxyinfo.sql script”
• “Sample 00-core.ldif”
• “Sample 99-user.ldif”
• “Sample sso_oclass_lum5.ldif”
• “Sample o=sctssoapplications.ldif”
• “Full lp5_mqinit.sh script”
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID,
-- such as INTEGMGR or WWW_USER, is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL*Plus as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS        TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                         TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';        -- channel context
  b varchar2(200) := 'LUMINIS';        -- channel class
  c varchar2(200) := '&Luminis_ID';    -- prompted for at run time
  d varchar2(200);                     -- OUT: Oracle user
  e varchar2(200);                     -- OUT: role
  f varchar2(200);                     -- OUT: password (not printed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Leave the PWD line commented out: the script spools its output to proxyinfo.lst, and printing the password would write a credential to disk.
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attribute types associated with the o=SCTSSOapplications objects. Importing the following LDIF updates 00-core.ldif and 99-user.ldif as stated in their respective sections. After those entries are in the schema, you can import the LDIF data in “Sample o=sctssoapplications.ldif” on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
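Before importing a hand-edited usermap file like the one above, it is worth checking it against the schema from sso_oclass_lum5.ldif: the directory rejects an SCTSSOConfig entry that lacks one of the MUST attributes only at import time, and a UserMapDN whose SCTSSOConfigString names a container that is not in the file is a configuration error the server cannot detect for you. The following added example (not code from this guide or from Luminis) does that check offline. It parses the MUST list for SCTSSOConfig from the schema LDIF, unfolds LDIF continuation lines such as the wrapped description above, and reports violations. The embedded data is the page's own entries plus one constructed broken entry (cn=broken) with no SCTSSOConfigString.

```python
"""Validate SCTSSOConfig LDIF data against its schema before importing it.

Added example, not part of the guide. Schema text is the page's
sso_oclass_lum5.ldif; the data is the page's sample plus one constructed
broken entry (cn=broken) that lacks the mandatory SCTSSOConfigString.
"""
import base64
import re
from collections import defaultdict

SCHEMA_LDIF = """\
dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ description ) )
"""

DATA_LDIF = """\
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr

dn: cn=broken,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: broken
description: constructed entry with no target user
"""


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] from LDIF content.

    Handles the two details that bite hand-written LDIF: continuation lines
    (a leading space joins to the previous line) and base64 values ("attr:: ...").
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    records, attrs, dn = [], defaultdict(list), None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                records.append((dn, dict(attrs)))
            attrs, dn = defaultdict(list), None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return records


def must_attributes(schema_text, objectclass):
    """Extract the MUST attribute names (lowercased) for an objectclass from schema LDIF."""
    pat = re.compile(r"NAME\s+'%s'.*?MUST\s*\(\s*([^)]*)\)" % re.escape(objectclass), re.S)
    m = pat.search(schema_text)
    if not m:
        raise ValueError("objectclass %s not found in schema" % objectclass)
    return [a.strip().lower() for a in m.group(1).split("$")]


def validate(data_text, schema_text, objectclass="SCTSSOConfig"):
    """Return a list of problems; an empty list means the data matches the schema."""
    required = must_attributes(schema_text, objectclass)
    records = parse_ldif(data_text)
    known_dns = {dn.lower() for dn, _ in records}
    problems = []
    for dn, attrs in records:
        if objectclass.lower() not in [c.lower() for c in attrs.get("objectclass", [])]:
            continue
        for attr in required:
            if attr not in attrs:
                problems.append("%s: missing mandatory attribute %s" % (dn, attr))
        # UserMapDN must point at a container defined in the same file.
        if dn.lower().startswith("cn=usermapdn,"):
            target = attrs.get("sctssoconfigstring", [""])[0].lower()
            if target not in known_dns:
                problems.append("%s: SCTSSOConfigString does not resolve to an entry: %s" % (dn, target))
    return problems


if __name__ == "__main__":
    for problem in validate(DATA_LDIF, SCHEMA_LDIF):
        print(problem)
```

Point `validate` at the contents of your own o=sctssoapplications.ldif and the schema file; a clean run returns an empty list, and anything it reports would otherwise surface as an LDIF import error (or, for a dangling UserMapDN, as users silently getting the default Oracle ID).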
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in “Set up users and administered objects in o=messaging” on page 3-3 is listed below. Two points to keep in mind before running it: the Directory Manager password is passed on the command line to dsconfig, ldapmodify and imqobjmgr (so it is visible in the process list while each command runs), and the administrative connections use --trustAll (no certificate validation) while the imqobjmgr steps bind over the plain LDAP port. Run it only on the resource tier itself, from a shell you trust.
#!/bin/bash
# bash (rather than plain /bin/sh) is required for the [[ ]], (( )) and read -s constructs used below.
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc; general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
#VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start:
# does $OPENDS_DIR exist, and is it writable?
if [[ ! -d $OPENDS_DIR || ! -w $OPENDS_DIR ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the owner of $CP_ROOT"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for the Directory Manager password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/12/page/Dsconfig for dsconfig options.
# --trustAll skips certificate validation on the administrative connection.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDA­PMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands.
# Note: this is a simple bind as Directory Manager over the plain LDAP port, so the
# password crosses the network unencrypted unless the directory is on this host.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# The JNDI lookup names below contain a literal '$', so they are single-quoted
# to keep the shell from expanding the rest of the name as a variable.

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the vendor listing set imqDestinationName to com_sct_ldi_sis_Sync here, a copy-paste
# error; the queue object must name its own destination, as the imqcmd lines above show)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (same correction as STEP 14)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_ssl_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_ssl_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
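Steps 6 and 7 write the MQ user passwords into the directory in the clear, and the comment after step 6 shows the alternative: a pre-encoded value in the base64 (double-colon) LDIF form, which step 2 enables with ds-cfg-allow-pre-encoded-passwords. The following added example (not part of the vendor script) produces and verifies such values so that the cleartext password does not have to sit in the script or travel through ldapmodify. It assumes the OpenDS salted SHA-1 storage scheme, which is base64 of sha1(password || salt) followed by the salt, with an 8-byte salt; the helper names are mine.

```python
"""Generate and verify OpenDS-style {SSHA} pre-encoded userPassword values.

Added example, not part of lp5_mqinit.sh. Assumption: OpenDS's salted SHA-1
scheme stores base64( sha1(password || salt) || salt ) with an 8-byte salt.
SHA-1 is what the directory of this vintage uses, not a recommendation.
"""
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
DIGEST_LEN = 20   # SHA-1 digest length
SALT_LEN = 8      # assumption: OpenDS SaltedSHA1PasswordStorageScheme salt size


def ssha_encode(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password + salt) + salt); fresh random salt by default."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_decode(encoded):
    """Split a {SSHA} value into (digest, salt); raises ValueError if malformed."""
    if not encoded.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(encoded[len(PREFIX):])
    if len(blob) <= DIGEST_LEN:
        raise ValueError("value too short to hold a digest and a salt")
    return blob[:DIGEST_LEN], blob[DIGEST_LEN:]


def ssha_verify(password, encoded):
    """Constant-time check of a cleartext password against a {SSHA} value."""
    digest, salt = ssha_decode(encoded)
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def ldif_userpassword_line(encoded):
    """LDIF attribute line in the 'userPassword:: <base64>' form the script comment shows."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def ldif_userpassword_value(line):
    """Reverse of ldif_userpassword_line: recover the {SSHA} string from such a line."""
    name, sep, value = line.partition("::")
    if not sep or name.strip().lower() != "userpassword":
        raise ValueError("not a base64 userPassword line")
    return base64.b64decode(value.strip()).decode("ascii")


if __name__ == "__main__":
    # Emit the LDIF lines for the script's cn=lmguser entry with a pre-encoded password
    # (hypothetical usage; the password comes from the environment, not the script text).
    pw = os.environ.get("MQ_LMG_USER_PW", "password")
    print("dn: cn=lmguser,ou=People,o=messaging")
    print(ldif_userpassword_line(ssha_encode(pw)))
```

Pipe the printed lines into the same ldapmodify invocation the script uses for step 6 in place of the cleartext userPassword line. The sample value in the script comment decodes to a {SSHA} string carrying a 20-byte digest and an 8-byte salt, which is what the assumption above predicts.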
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following “connect through” grant is required for all non-INB users:
SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;
The proxy (connect-through) grant for BANPROXY access has the following form:
SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;
(In Oracle's syntax, the account named after CONNECT THROUGH is the proxy that authenticates and opens the session; the first account is the client the session is switched to.) USER2 should be the sole member of the pxy_channel_luminis class and be granted EXECUTE on gspprxy and CREATE SESSION (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in SYS.PROXY_USERS regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you should issue manual grants, executed as BANSECR, for the banportals connection user and for each individual Oracle user requiring INB access. You can confirm the result by querying SYS.PROXY_USERS, which lists each PROXY and CLIENT pair. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID is used for a given SPRIDEN ID or Luminis Platform user, call gspprxy.g$_get_proxy_info directly or run the proxyinfo.sql script as BANSECR, as described in “Sample proxyinfo.sql script” on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between the SSO systems is deliberately opaque, to make hijacking and other attacks harder. The installation process is manual so that each institution's administrative staff can customize their environment to use unique keywords.
The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:
iamticket=iamticket
Use the same forms configuration name everywhere forms/frmservlet?config=… is referenced, in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log, located in $OAS_HOME/opmn/logs, or errors such as “SOAPException: faultCode=INVALID SOAP RESPONSE” in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams on which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any lock files.
Another SOAP-related error, an HTTP transport error, can occur even if all the JMS queues are configured and operating correctly. It suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the Oracle Streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
1. One typo in that guide is the following validation statement, which is missing its closing single quote. The corrected form is:
SELECT COUNT(*) FROM GSVCADT WHERE GSVCADT_CAPTURE_NAME = 'IAM_EVENTS_CAPTURE';
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB server under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically start the capture and apply processes. To start them manually, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If Streams is blocking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The recommended value for username is channelAdmin. The password can be any value, but since it is the only credential that authenticates the luminis-banner webapp to the channel servlet, choose a long random one and keep it out of version control and shared documents.
This username and password are used for authentication between Luminis (specifically the luminis-banner webapp) and the OC4J servlet engine. When the OC4J servlet engine receives a channel request, it compares the username and password stored in banportals.ear with the username and password sent by Luminis from the luminis-banner webapp. Thus the providerServlet username and password only need to be defined in the banportals.config file; there does not need to be any corresponding OS user, Oracle user, and so forth.
Generate the banportals.ear file
The banportals.config file contains values that are inserted into the banportals.ear file.
To roll out the changes, use the banportalsadmin.jar installer. To use this installer, a Java VM (1.3.1 or higher) must be installed on the same machine as CHANNEL_HOME. To execute the installer, run the following command:
java -jar banportalsadmin.jar banportals.config
Note: This executable JAR generates two files, bannerCommon.car and banportals.ear, as described in the Middle Tier Implementation Guide. Configure the luminis-banner webapp as described in “Luminis Banner Web application” on page 2-9. Then deploy the resulting EAR file via Oracle Enterprise Manager as described in “Deploy the EAR file” on page 2-15.
Property: xsl-parameter.erpUrlBase
Description: URL for the INB server. Note: If you want to load Banner forms in a separate window, remove %2526separateFrame%3Dfalse from the URL in the example.
Example: xsl-parameter.erpUrlBase=http://<yourservername.com>:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D

Property: xsl-parameter.urlHostAndPath
Description: URL for the self-service application
Example: xsl-parameter.urlHostAndPath=http://<yourservername.com>:9001/YourDAD/
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file.
To use Oracle Enterprise Manager, complete the following steps:
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.
It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends a naming convention of <SID>_banportals, where <SID> is the service identifier of your Banner instance.
2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).
3. You may be shown an introduction. After you read it, click Next.
4. Browse for the banportals.ear file that was updated in the CHANNEL_HOME directory and select it for deployment.
This step takes the EAR file from the CHANNEL_HOME directory and uploads it to the OAS 10g server. The EAR file must be accessible from the machine on which you are running the Enterprise Manager browser session; if it is not, copy the file to that machine first. When selecting an application, select J2EE Application = the local file system location of the EAR file. If you cannot reach banportals.ear from your local (browser) machine via mapped drives or symbolic links, transfer the file to your local machine and then select it locally. The guide suggests FTP for this transfer; prefer SFTP or SCP, since the EAR contains the providerServlet credentials.
5. Enter a name to identify the application within the OC4J instance. This name must be unique within the OC4J instance and should typically identify the application being deployed. The suggested name is <SID>_banportals.
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not /banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file.
10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the banportals.properties file in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes is customized to match the configuration deployed above in banportals.ear.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates to the portal.
• The user places a Banner portlet on the portal page.
• During portlet rendering, the portlet class calls out to Banner.
• Banner generates XML content in response to the request.
• The XML content is returned to the portlet class and transformed using the preloaded XSLT style sheet.
• The resulting XHTML is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. The LDAP user mapping option adds significant weight to this process and generates extra LDAP traffic. To improve performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT does not equal N, the Banner Middle Tier single sign-on process first looks for an LDAP username mapping based on the GUAUPRF LDAP settings, then falls back to the mapping set in the Banner GOBEACC table. For more information about SSB and INB configurations, see “SSB and INB Integration” on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and the event-driven infrastructure.
This chapter discusses the following sections:
• “Learning Message Gateway”
• “Configure JMS provider with Luminis Platform”
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for, and supporting, Banner Integration for eLearning.
This section explains the following topics:
• “Background from a Luminis Platform 4 perspective”
• “Install LMG 4.0”
• “Set up users and administered objects in o=messaging”
• “Enable LDAP user repository for MQ”
• “Set up GlassFish MQ access control”
• “Custom JMS Clients”
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise/Spring Framework application server context, which contains native JMS client connectivity by default. In addition, the JMS provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish Open MQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, and the …/imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties).
You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. However, SunGard Higher Education recommends the new technology provided with the GlassFish enterprise server, which is more actively supported by the Open MQ community. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are in the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway resides; the SCT_LMG_HOME environment variable points to this directory.
For example, the directory might be created as follows: mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following to .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
export SCT_LMG_HOME
3. Copy lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgX.x.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may read as follows: java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of opends before executing it is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects such as topics, queues and connection factories in $OPENDS_MQ_BASEDN (generally o=messaging). The properties include the following:
• Environmental settings include the following:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist, as follows:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port, and MQ_SSLJMS_PORT should match imq.ssljms.tls.port; both are located in imqbroker/props/config.properties. If these values are not specified in config.properties, use imq.portmapper.port, which has a default value of 7676:
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080); however, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSLJMS connection.
• Other settings, which should only be modified in non-standard configurations, include the following:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search and compare privileges in o=messaging. Because imq.user_repository.ldap.password is stored in clear text, restrict read access to config.properties to the account that runs the broker.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the last property, imq.log.level, to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis:
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
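The per-destination rules above are easy to get wrong when the file is edited by hand, so an audit that compares the live accesscontrol.properties with the intended lmguser/lumuser matrix is worth keeping. The following is an added example, not from the guide or from Open MQ; the expected matrix is taken from the rules listed above and the sample file is constructed, with a wildcard grant and a stray user added so the audit has something to report.

```python
"""Audit an Open MQ accesscontrol.properties file against an expected
least-privilege matrix.

Added example, not part of the setup guide or of Open MQ. EXPECTED encodes
the lmguser/lumuser grants the guide lists; SAMPLE_ACL is a constructed
file that also contains two deliberate deviations so the audit has
something to report."""
import re
from typing import Dict, List, Set, Tuple

# Key: (resource type, resource name, operation); operation is "" for
# connection-level rules such as connection.ADMIN.
Grant = Tuple[str, str, str]

EXPECTED: Dict[Grant, Set[str]] = {
    ("connection", "ADMIN", ""): {"lumuser", "lmguser"},
    ("queue", "com_sct_ldi_sis_UpdateReply", "produce"): {"lmguser"},
    ("queue", "com_sct_ldi_sis_UpdateRequest", "consume"): {"lmguser"},
    ("topic", "com_sct_ldi_sis_EntityEvents", "consume"): {"lumuser"},
    ("topic", "com_sct_ldi_sis_EntityEvents", "produce"): {"lumuser", "lmguser"},
    ("topic", "com_sct_ldi_sis_Error", "consume"): {"lumuser"},
    ("topic", "com_sct_ldi_sis_Error", "produce"): {"lumuser", "lmguser"},
    ("topic", "com_sct_ldi_sis_LmsSync", "produce"): {"lmguser"},
    ("topic", "com_sct_ldi_sis_Sync", "consume"): {"lumuser"},
    ("topic", "com_sct_ldi_sis_Sync", "produce"): {"lmguser"},
}

# Constructed sample: the guide's rules plus a wildcard grant and an extra
# user, both of which should be flagged.
SAMPLE_ACL = """\
# constructed accesscontrol.properties
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.produce.allow.user=*
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser,guest
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""

# <type>.<name>[.<operation>].allow.user ; the name is matched lazily so the
# optional operation segment is not swallowed into it.
_KEY_RE = re.compile(
    r"^(connection|queue|topic)\.(.+?)(?:\.(produce|consume|browse))?\.allow\.user$"
)


def parse_acl(text: str) -> Dict[Grant, Set[str]]:
    """Return {grant: users} for every *.allow.user line.

    Java Properties semantics apply: a repeated key replaces the earlier
    value rather than merging with it."""
    grants: Dict[Grant, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = _KEY_RE.match(key)
        if not m:
            continue  # deny rules, group rules and other keys are out of scope here
        rtype, name, op = m.group(1), m.group(2), m.group(3) or ""
        grants[(rtype, name, op)] = {u.strip() for u in value.split(",") if u.strip()}
    return grants


def _label(grant: Grant) -> str:
    return ".".join(part for part in grant if part)


def audit(actual: Dict[Grant, Set[str]], expected: Dict[Grant, Set[str]]) -> List[str]:
    """List deviations from the expected matrix, sorted by grant.

    A '*' grant is reported on its own because it lets any authenticated
    user perform the operation regardless of the per-user matrix."""
    findings: List[str] = []
    for grant in sorted(actual):
        users = actual[grant]
        if "*" in users:
            findings.append(f"{_label(grant)}: wildcard grant to all users")
            continue
        extra = users - expected.get(grant, set())
        if extra:
            findings.append(f"{_label(grant)}: unexpected user(s) {sorted(extra)}")
    for grant in sorted(expected):
        if grant not in actual:
            findings.append(f"{_label(grant)}: expected grant missing")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_acl(SAMPLE_ACL), EXPECTED):
        print(finding)
```

A missing grant is reported as well, since a rule that was dropped by mistake breaks the LMG or Luminis side silently at the next connect.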
Custom JMS Clients
Ensure that your JMS clients contain the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ or the Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa
In most cases installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server.
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps:
Note: The imqusermgr command creates users in the file-system based user repository, but it can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration guide for more details or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
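The telnet check above is the one way to see whether the broker really bound the static ports, and it is worth scripting so it can run after every restart and before a firewall change is approved. The following is an added example, not from the guide or from Open MQ: it parses the same service lines the portmapper prints, compares them with the static ports configured above, and can fetch the advertisement live. The sample response is a constructed copy of the session above with the host name replaced by a placeholder.

```python
"""Verify that an Open MQ broker advertises the static service ports that
config.properties assigns, instead of ephemeral ones.

Added example, not part of the setup guide. It parses the same
'<service> <protocol> <type> <port>' lines the telnet session shows and can
fetch them live from the portmapper. SAMPLE_RESPONSE is a constructed copy
of that session with the host replaced by a placeholder."""
import socket
from typing import Dict, List, Tuple

# service name -> (protocol, service type, port); port 0 means "not bound"
Services = Dict[str, Tuple[str, str, int]]

# Static ports from the guide's config.properties lines (ssljms is only
# advertised when that service is in imq.service.activelist).
STATIC_PORTS = {"admin": 7574, "jms": 7575}

SAMPLE_RESPONSE = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://mq.example.invalid/jndi/rmi://mq.example.invalid:8686/mq.example.invalid/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""


def parse_portmapper(text: str) -> Services:
    """Parse a portmapper response; the first line ('101 imqbroker 4.5')
    is the broker banner and carries no service entry."""
    services: Services = {}
    lines = text.splitlines()
    if not lines or not lines[0].startswith("101"):
        raise ValueError("not a portmapper response")
    for line in lines[1:]:
        parts = line.split(None, 4)  # a 5th field holds the bracketed properties
        if len(parts) < 4 or not parts[3].isdigit():
            continue
        name, proto, kind, port = parts[:4]
        services[name] = (proto, kind, int(port))
    return services


def check_static_ports(services: Services, expected: Dict[str, int]) -> List[str]:
    """Report services missing from the advertisement or bound to a port
    other than the configured static one (i.e. still ephemeral)."""
    findings: List[str] = []
    for svc, port in sorted(expected.items()):
        if svc not in services:
            findings.append(f"{svc}: not advertised (service not active)")
            continue
        actual = services[svc][2]
        if actual != port:
            findings.append(f"{svc}: advertised port {actual}, expected {port}")
    return findings


def fetch_portmapper(host: str, port: int = 7676, timeout: float = 5.0) -> str:
    """Read the advertisement the way telnet does: the broker writes the
    service table and then closes the connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


if __name__ == "__main__":
    # Offline run against the constructed sample; replace with
    # fetch_portmapper("<broker FQDN>") to check a live broker.
    for finding in check_static_ports(parse_portmapper(SAMPLE_RESPONSE), STATIC_PORTS):
        print(finding)
```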
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.
If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on the HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following command:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN-ID lookup against LDAP involved in the SSO transaction. Instead, bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in the Luminis-CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or by proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP from his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with the b_0110_twb8030001 or Web Tailor 8.2 with the b_0110_twb8020001; otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control-panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the following command from $CP_ROOT/products/opends/bin:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter Use these values.
1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server that hosts the user mappings. The Directory Manager password used to bind with LDAP is stored in GUAUPRF and uses DES encryption as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key or password to perform the encryption.
Note: During your Banner installation or upgrade, you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as mkdir $BANNER_HOME/key_dir.
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping can be read accordingly.
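When more than a handful of users need a usermap entry, generating sso_map.ldif from a list of (Luminis ID, Banner ID) pairs avoids hand-typing DNs. The following is an added example, not from the guide: it emits entries in the form shown in step 1 under the guide's default usermap base, skips pairs whose IDs already match (which the text above says need no entry), and escapes DN-special characters and LDIF-unsafe values so a login such as "Lee, Ann" does not produce a malformed entry. The ID pairs are constructed.

```python
"""Generate o=usermap LDIF entries mapping Luminis IDs to Banner/Oracle IDs.

Added example, not part of the setup guide. It emits entries of the form
the guide's sso_map.ldif shows (objectClass SCTSSOConfig, cn = Luminis ID,
SCTSSOConfigString = Banner ID) under the guide's default usermap base,
skips pairs whose IDs already match (the guide says those need no entry),
and applies RFC 4514 DN escaping and RFC 2849 base64 encoding where a raw
value would corrupt the LDIF. The ID pairs below are constructed."""
import base64
from typing import Iterable, List, Tuple

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"

# Constructed sample: one plain mapping, one pair that needs no entry, and
# one Luminis ID containing a DN-special character.
SAMPLE_PAIRS: List[Tuple[str, str]] = [
    ("JoeSmith", "jsmith"),
    ("mjones", "mjones"),
    ("Lee, Ann", "alee"),
]


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name: str, value: str) -> str:
    """Render one LDIF attribute line, base64-encoding values that LDIF
    cannot carry verbatim (leading space/colon/'<', non-ASCII, newlines)."""
    safe = (value.isascii() and "\n" not in value and "\r" not in value
            and value[:1] not in (" ", ":", "<"))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def usermap_entry(luminis_id: str, banner_id: str) -> str:
    """One SCTSSOConfig entry: cn is the Luminis (LDAP) login and
    SCTSSOConfigString is the Banner/Oracle login it maps to."""
    if not luminis_id or not banner_id:
        raise ValueError("both IDs are required")
    lines = [
        ldif_attr("dn", f"cn={escape_dn_value(luminis_id)},{USERMAP_BASE}"),
        ldif_attr("cn", luminis_id),
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        ldif_attr("SCTSSOConfigString", banner_id),
        ldif_attr("description",
                  f"Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {banner_id}"),
    ]
    return "\n".join(lines) + "\n"


def build_usermap_ldif(pairs: Iterable[Tuple[str, str]]) -> str:
    """Entries for every pair whose IDs differ; a Luminis ID may map only once."""
    seen = set()
    entries = []
    for luminis_id, banner_id in pairs:
        if luminis_id == banner_id:
            continue  # identical IDs: the guide says no usermap entry for this user
        if luminis_id in seen:
            raise ValueError(f"duplicate usermap for {luminis_id}")
        seen.add(luminis_id)
        entries.append(usermap_entry(luminis_id, banner_id))
    return "\n".join(entries)


if __name__ == "__main__":
    # Redirect to sso_map.ldif and import with ldapmodify as in step 2.
    print(build_usermap_ldif(SAMPLE_PAIRS), end="")
```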
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value is displayed as the Default value for new users who log in to Banner.
Parameter      Description
BIND_PASSWORD  The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER      A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.
DN             The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER         The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using Internet URL format for LDAP, such as ldap://myldapserver:389
               Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT    Usermap option. Valid values are as follows: L - Login ID is used for login mapping; N - No usermap option is used.
USERMAP_PRFX   Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
               Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter  Description
LOCATION   To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where this wallet is created. It uses the file URL format; for example, file:d:\wallet for Windows or file:/u01/wallet for Unix.
PASSWORD   The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE       The SSL authentication mode, one of the following values: 1 - No authentication is required (SSL encryption only); 2 - One-way authentication is required, the client certificate is authenticated by the server; 3 - Two-way authentication is required, the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports CAS versions
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the util:map with id="uniqueIdGeneratorsMap":
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
441 Open cas-servletxml and add the following XML configuration
ltbean id=bannerAccountValidateController class=orgjasigcaswebServiceValidateController
pvalidationSpecificationClass=orgjasigcasvalidationCas20Pro tocolValidationSpecification
pcentralAuthenticationService-ref=centralAuthenticationService
pproxyHandler-ref=proxy20Handler
pargumentExtractor-ref=BannerArgumentExtractor
psuccessView=bannerAccountServiceSuccessView
pfailureView=bannerAccountServiceFailureView gt
442 Add the following property to the bean handlerMappingC
ltprop key=bannerValidategtbannerAccountValidateControllerlt propgt
443 Save and close the cas-servletxml file
45 Modify the SGHE_CAS_SERVERWEB-INFdeployerConfigContextxml file
Luminis Platform 503 November 2011Banner Integration Setup GuideCAS Server Configuration
Novemb
451 Add entry keys UDC_IDENTIFIER and Formatted Name to bean attributeRepository
ltbean id=attributeRepository class=orgjasigservicespersondirsupportldapLdapPersonAttrib uteDaogt
ltproperty name=baseDN value=ou=Peopleo=cp gt
ltproperty name=query value=(uid=0) gt
ltproperty name=contextSource ref=contextSource gt
ltproperty name=ldapAttributesToPortalAttributesgt
ltmapgt
lt-- Mapping beetween LDAP entrys attributes (key) and Principals (value) --gt
ltentry key=uid value=uid gt
ltentry key=udcid value=UDC_IDENTIFIER gt
ltentry key=cn value=cn gt
ltentry key=givenname value=Formatted Name gt
ltentry key=mail value=EmailAddress gt
ltmapgt
ltpropertygt
ltbeangt
er 2011 Luminis Platform 503 A-5Banner Integration Setup Guide
CAS Server Configuration
A-6
452 Add the following property configuration inside bean authenticationManager
ltproperty name=authenticationMetaDataPopulatorsgt
ltlistgt
ltbean class=comsghecasextensionUDCIDAuthenticationMetaDataPopulato rgt
ltproperty name=template ref=LdapTemplategt
ltproperty name=netIdAttr value=uid gt
ltproperty name=baseDN value=ou=Peopleo=cpgt
ltproperty name=casTokenAttributesgt
ltmapgt
ltentrygt
ltkeygtltvaluegtudcidltvaluegtltkeygt
ltvaluegtUDC_IDENTIFIERltvaluegt
ltentrygt
ltmapgt
ltpropertygt
ltbeangt
ltlistgt
ltpropertygt
Luminis Platform 503 November 2011Banner Integration Setup GuideCAS Server Configuration
Novemb
453 Add the following bean definition under the beans root element
ltbean id=LdapTemplate class=orgspringframeworkldapcoreLdapTemplategt
ltproperty name=contextSource ref=contextSourcegtlt propertygt
ltbeangt
ltbean id=udcattributeRepository class=comsghecasextensionUDCPersonAttributeDaogt
ltproperty name=daoUtil ref=UDCPersonAttributeDaoUtilgtlt propertygt
ltbeangt
ltbean id=UDCPersonAttributeDaoUtil class=comsghecasextensionUDCPersonAttributeDaoUtilgt
ltproperty name=template ref=LdapTemplategtltpropertygt
ltproperty name=netIdAttr value=uid gt
ltproperty name=baseDN value=ou=Peopleo=cp gt
ltproperty name=samlToLdapAttributeNameMapgt
ltmapgt
ltentry key=UDC_IDENTIFIER value=udcid gt
ltentry key=Formatted Name value=sn gt
ltmapgt
ltpropertygt
ltbeangt
ltbean id=httpClient class=orgjasigcasutilHttpClientgt
er 2011 Luminis Platform 503 A-7Banner Integration Setup Guide
CAS Server Configuration
A-8
454 Save and close the deployerConfigContextxml file
46 Modify SGHE_CAS_SERVERWEB-INFclassesdefault_viewsproperties
461 Open default_viewsproperties
462 Add the following lines
Banner Applications Views
bannerAccountServiceSuccessView(class)=comsghecasviewBannerA ccountSuccessResponseView
bannerAccountServiceFailureView(class)=comsghecasviewBannerA ccountFailureResponseView
463 Save and close default_viewsproperties
47 Define CAS managed services For more information see ldquoCAS managed servicesrdquo on page 2-4
Luminis Platform 503 November 2011Banner Integration Setup GuideCAS Server Configuration
Novemb
B Logs

Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.

You can also enable debug logging for the GlassFish message queue (MQ) component.

Banportals logs

BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To crank up banportals logging on the application server side, set the verbosity in the following file:

$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties

For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:

log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=true
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile

On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:

$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties

Alternately, you can add the following to your common log4j.properties stored in the following location:

$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties

log4j.logger.com.sct.banner.portals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file

If you are not actively debugging, lower the verbosity to the ERROR level.

Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:

$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1

There are several app-specific logs you can also refer to, such as the following:

[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log

For HTTP-layer monitoring, reference the log files in $OAS_HOME/Apache/Apache/logs.

Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.

You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start and restart individual containers such as OC4J containers. These containers are called "main" for banportals and "BEIS" for Banner Enterprise Identity Services.

Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs

Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs

If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:

/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties

Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties

Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:

# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5

As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs

Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.

The main LMG log files are as follows:

$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)

The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.

To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:

log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG

Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.

If the LMG processed the files successfully, you see messages in the log files similar to the following example:

2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
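A successful event leaves exactly the three lines above, each carrying the same event ID, so the quickest way to find a stuck event is to group adapter.log lines by ID and report any ID that never reached the final "published to" stage. The following Python script is an added illustration of that check, not part of the guide or of LMG. It embeds constructed sample lines (the three from the example plus a constructed event 370661 that fails at the broker) and assumes the three stage messages keep the wording shown above; the regular expressions are an assumption, not LMG's own format specification.

```python
"""Group LMG adapter.log lines by event ID and report events that did not complete the publish pipeline."""
import re
from collections import defaultdict

# Constructed sample log text: the guide's three example lines plus a constructed failing event.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,114 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,120 [Thread-1] ERROR events.com.sctcorp.events.MessageAdapter - Message 370661 could not be published: connection refused
"""

# log4j pattern "%d{ISO8601} [%t] %-5p %c - %m" as it appears in the example lines (assumed).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$")

# Pipeline stages in order; each regex captures the event ID (GOAEQRM Event Sequence).
STAGES = [
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("published_to_broker", re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("delivered_to_subscriber", re.compile(r"The event (\d+) has been published to \S+")),
]


def parse_lines(text):
    """Yield a dict per line that matches the log4j layout; ignore stack traces and noise."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def track_events(text):
    """Return {event_id: {"stages": [...], "errors": [...]}} built from the log text."""
    events = defaultdict(lambda: {"stages": [], "errors": []})
    for rec in parse_lines(text):
        matched = False
        for name, pattern in STAGES:
            hit = pattern.search(rec["msg"])
            if hit:
                events[hit.group(1)]["stages"].append(name)
                matched = True
        # An ERROR that names an event ID but is not a stage message is attached to that event.
        if not matched and rec["level"] == "ERROR":
            for event_id in re.findall(r"\b(\d{5,})\b", rec["msg"]):
                events[event_id]["errors"].append(rec["msg"])
    return dict(events)


def incomplete_events(text):
    """Event IDs that never reached every stage, with the missing stages and any errors seen."""
    expected = [name for name, _ in STAGES]
    result = {}
    for event_id, info in track_events(text).items():
        missing = [s for s in expected if s not in info["stages"]]
        if missing:
            result[event_id] = {"missing": missing, "errors": info["errors"]}
    return result


if __name__ == "__main__":
    for event_id, info in sorted(incomplete_events(SAMPLE_LOG).items()):
        print(f"event {event_id}: missing {info['missing']}; errors: {info['errors']}")
```

Run it against a real adapter.log by reading the file into `incomplete_events`; an event whose ID appears on GOAEQRM with status 2 but shows up here as missing "published_to_broker" points at the broker connection rather than at Banner.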
GlassFish MQ 4.5 logs

If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:

1. Locate the default MQ logs as stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log

2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG

This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:

imq.log.level=DEBUG

3. To change the destination directory or file name for the MQ log, add or edit the following properties:

imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files

This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:

• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"

Sample proxyinfo.sql script

The following is an example proxyinfo.sql script:

--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update. TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompts for the Luminis ID (scan on)
  d varchar2(200);                    -- OUT: Oracle user
  e varchar2(200);                    -- OUT: role
  f varchar2(200);                    -- OUT: password (not displayed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif

The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

Sample 99-user.ldif

The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Sample sso_oclass_lum5.ldif

The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.

The following is a sample sso_oclass_lum5.ldif:

dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif

The following is a sample o=sctssoapplications.ldif file:

version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
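The entries above form a two-step lookup: cn=UserMapDN under o=config names the subtree that holds the map, and each cn=<Luminis user> entry there carries the Banner user in SCTSSOConfigString; a missing entry means "no mapping", in which case the default Oracle ID applies (the case the proxyinfo.sql comments describe). The Python script below is an added example, not part of the guide or of the Banner SSO components, that parses an LDIF file of this shape and performs that lookup. The embedded LDIF is the sample above with most description lines dropped (the folded description line is kept to exercise LDIF line continuation) plus one constructed mapping, cn=jdoe to JDOE_INB; how the SSO consumer actually reads these entries is assumed from the entry layout rather than taken from the product.

```python
"""Resolve a Luminis user to its Banner user through the o=SCTSSOapplications user map."""
import base64

# Constructed sample: the guide's LDIF (descriptions trimmed) plus a constructed cn=jdoe entry.
SAMPLE_LDIF = """\
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
SCTSSOConfigString: saisusr

dn: cn=jdoe,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: jdoe
SCTSSOConfigString: JDOE_INB
"""


def parse_ldif(text):
    """Minimal LDIF content parser: {dn (lower-cased): {attr: [values]}}.
    Handles folded lines (leading space) and base64 values ("attr:: ...")."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries, dn, attrs = {}, None, {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn.lower()] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def get_attr(entry, name):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def resolve_banner_user(entries, luminis_user, app="Banner", root="o=SCTSSOapplications"):
    """Return the Banner user mapped to luminis_user, or None when no mapping exists."""
    # Refuse RDN metacharacters so a caller cannot steer the lookup to a different DN.
    if any(ch in luminis_user for ch in ",=+\\\"<>;\r\n"):
        raise ValueError("invalid characters in user name")
    cfg = entries.get(f"cn=UserMapDN,o=config,o={app},{root}".lower())
    if cfg is None:
        raise LookupError("cn=UserMapDN configuration entry is missing")
    map_base = get_attr(cfg, "SCTSSOConfigString")[0]
    entry = entries.get(f"cn={luminis_user},{map_base}".lower())
    if entry is None or "SCTSSOConfig" not in get_attr(entry, "objectClass"):
        return None
    values = get_attr(entry, "SCTSSOConfigString")
    return values[0] if values else None


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user in ("kyle", "jdoe", "nobody"):
        print(user, "->", resolve_banner_user(directory, user) or "<default Oracle ID>")
```

Point it at an export of o=SCTSSOapplications (for example from ldapsearch) to check that every Luminis account that needs INB access resolves to its own Oracle user rather than falling through to the default.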
Full lp5_mqinit.sh script

The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.

#!/bin/bash
# (bash is required: the script uses [[ ]], read -s and (( )))
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"

# Uncomment the following for verbose dsconfig/ldapmodify
# VERBOSE="--verbose"

# User-configurable variables; set before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
    while :
    do
        case $ERRORCODE in
            # err=0: no error
            0 ) break ;;
            # Not necessarily errors; might indicate the script already ran:
            # err=20 generally means "Attribute or Value Exists"
            # err=68 generally means "Entry Already Exists"
            20|68 )
                echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
                read PROCEED
                case $PROCEED in
                    Y|y )
                        break ;;
                    * )
                        echo "Failed on step $STEPNO with error $ERRORCODE"
                        exit 1 ;;
                esac
                # Shouldn't ever get here, but just in case (no pun)
                echo "Outer loop break" ;;
            * )
                echo "Failed on step $STEPNO with error $ERRORCODE"
                exit 1 ;;
        esac
    done
}

# Step 0.1
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
    echo "ERROR: $OPENDS_DIR does not exist or is not writable."
    echo "You must execute this script as the \$CP_ROOT installer/owner"
    echo "on the resource tier. Exiting."
    exit 1
fi

# Step 0.2
# Prompt [no screen echo] for DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
# Note: -w places the password on the command line, where other local users can see it
# in the process list; the OpenDS tools also accept -j <file> to read it from a file.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"
# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# The -l values are single-quoted so the shell does not expand "$com_sct_..." as a variable.

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (imqDestinationName corrected to the queue's own name; the listing as published pointed it at
# com_sct_ldi_sis_Sync, which is a topic created in STEP 13)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (imqDestinationName corrected to the queue's own name, as in STEP 14)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_ssl_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_ssl_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
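The script's comment after STEP 6 shows a pre-encoded userPassword as an alternative to the plaintext MQ_LMG_USER_PW and MQ_LUM_USER_PW values, which is why STEP 2 enables ds-cfg-allow-pre-encoded-passwords. The Python script below is an added example, not part of lp5_mqinit.sh or of OpenDS, showing what that value is: the {SSHA} scheme (SHA-1 over the password followed by a salt, then base64 of digest plus salt) wrapped in LDIF's "::" base64 line form. Decoding the script's own example line confirms it is an {SSHA} value with a 20-byte digest and an 8-byte salt; the "change-me" password and fixed salt used for the demonstration are constructed.

```python
"""Produce, verify and LDIF-encode an {SSHA} userPassword for ldapmodify input."""
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"
DIGEST_LEN = 20  # SHA-1


def ssha_encode(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password || salt) || salt); salt defaults to 8 random bytes."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(encoded):
    """Split an {SSHA} value into (digest, salt); the digest is the first 20 bytes."""
    if not encoded.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[len(SCHEME):])
    if len(raw) < DIGEST_LEN:
        raise ValueError("truncated {SSHA} value")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password, encoded):
    """True if password matches encoded; the digest comparison is constant-time."""
    digest, salt = ssha_split(encoded)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_base64_line(name, value):
    """Render 'name:: base64(value)', the form the script's comment shows for userPassword."""
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def decode_ldif_line(line):
    """Parse one LDIF attribute line into (name, value), decoding the '::' base64 form."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name, rest.strip()


# The example line from the lp5_mqinit.sh comment (its plaintext is not known here).
GUIDE_LINE = "userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="

if __name__ == "__main__":
    name, value = decode_ldif_line(GUIDE_LINE)
    print(name, "->", value)                      # userPassword -> {SSHA}...
    hashed = ssha_encode("change-me")             # constructed password, fresh random salt
    print(ldif_base64_line("userPassword", hashed))
    print(ssha_verify("change-me", hashed), ssha_verify("wrong", hashed))
```

Generate the value on an administrative workstation, paste the resulting `userPassword::` line into the STEP 6 or STEP 7 heredoc, and the broker credential no longer has to sit in the script in clear text.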
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner
Error message when banproxy is not configured correctly
The error following error often indicates that the banproxy configuration is not configured properly
ORA-28150 proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID the following ldquoconnect throughrdquo grant is required for all non-INB users
SQLgt Alter user INTEGMGR grant connect through INTEGMGR
The proxy (connect-through) connection for BANPROXY access should appear as follows
SQLgt Alter user USER1 grant connect through USER2
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup) USER 2 is the official user through whom channels proxy authentication is allowed USER1 is the connection user referenced in banportalsproperties in the luminis-banner webapp
When Authorize BANPROXY is checked on GSASECR for a given user it grants connect-through using BANPROXY in sysproxy_users regardless of the chosen default Oracle ID If you are using INTEGMGR as your default Oracle ID then you should issue manual grants executed as bansecr for the banportals connection user and for each individual Oracle user requiring INB access For more information about the proxy connection and the required connect through grant see the CMS-13983txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide
For a student SSB user this configuration responds with the default Oracle ID which is usually BANPROXY
er 2011 Luminis Platform 503 T-1Banner Integration Setup Guide
Troubleshooting
T-2
For an INB user this script must respond with the actual INB username That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide
NoteYou should manually assign the connect through grants via sql when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user use the gspproxyget_proxy_info method or the proxyinfosql script described as bansecr in ldquoSample proxyinfosql scriptrdquo on page C-1
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly For example the webservices configuration in bnigWeb needs to match what was configured in the baniamproperties within the baniamjar file Likewise the value of the ticket parameter name such as iamticket for INB should match the parameter which was added to your formswebcfg as follows
iamticket=iamticket
Reference the forms configuration across the board when referencing formsfrmservletconfig=hellip in BNIG configuration and in banportals The above example uses smpl_sctsso The INB and SSB cookieheader name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOMEopmnlogs or errors such as ldquoSOAPException faultCode=INVALID SOAP RESPONSErdquo in your idproxy_application logs there may be a problem with the AQ JMS queues or subscriptions or the Oracle streams upon which JMS relies To correct the problem complete the following steps
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

3. Delete any lock files.
Another SOAP-related error, an HTTP transport error, can occur even when all the JMS queues are configured and operating correctly. It suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:

http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy

Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK in the SunGard Higher Education Customer Support Center describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams Banner Enterprise Identity Services validation

For more information, refer to the Banner Enterprise Identity Services Installation Guide. Note the following points when working through its validation steps.

1. One validation statement in that guide is missing its single quotes. It should read:

select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE';

2. If the results from the validation SQL statements do not match the expected results, run the following scripts:

gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql

These are Banner General files located on your Banner database server under $BANNER_HOME/upgrade/gen80000u. They were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 in the SunGard Higher Education Customer Support Center.

3. Ensure that you are using General 8.3 or above, then enter the following commands:

exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')

The latter command should automatically begin the capture and apply. To begin them manually, enter the following commands:

exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')

If the streams are locking on archive logs, you can remove the stream by entering the following command:

exec gp_streams_util.p_remove_streams('IAM')

4. To recreate and reconfigure the streams, enter the following commands:

exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
Deploy the EAR file
SunGard Higher Education recommends that you use Oracle Enterprise Manager to deploy the EAR file
To use the Oracle Enterprise Manager complete the following steps
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named PROD, the OC4J instance would be PROD_banportals.

It is recommended that you create a new OC4J instance for each channel servlet instance. SunGard Higher Education recommends the naming convention <SID>_banportals, where <SID> is the service identifier of your Banner instance.

2. Select the created OC4J instance and go to the Applications tab. Click Deploy EAR file (or Deploy Application in older versions).

3. You may be shown an introduction. After you read it, click Next.

4. Browse for the banportals.ear file that was updated in the CHANNEL_HOME directory and select it for deployment.

This step takes the EAR file from the CHANNEL_HOME directory and uploads it to the OAS 10g server. The EAR file must be accessible from the machine on which you are browsing Enterprise Manager. When selecting an application, choose J2EE Application and specify the local file system location of the EAR file. If you cannot reach banportals.ear from your local (browser) machine through mapped drives or symbolic links, FTP the file to your local machine and then select it locally.

5. Choose a name to identify the application within the OC4J instance. The name must be unique within the OC4J instance and should typically identify the application being deployed. The suggested name is <SID>_banportals.

6. Click Next.

7. Map the URL for the web modules. If the desired web root URL is not banportals, alter the value on this step of the Oracle Enterprise Manager deployment wizard.

8. Click Finish to navigate to the final summary step.

9. When the summary is displayed, click Deploy to deploy the EAR file.

10. Navigate to the Oracle Enterprise Manager home page to ensure that the newly created OC4J instance is started.
11. Ensure that on each Luminis server the banportals.properties file in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes is customized to match the configuration deployed above for banportals.ear.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:

• The user authenticates to the portal.
• The user places a Banner portlet on a portal page.
• During portlet rendering, the portlet class calls out to Banner.
• Banner generates the XML content in response to the request.
• The XML content is returned to the portlet class and transformed using the preloaded XSLT style sheet.
• The resulting XHTML is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including the BANPROXY configuration and appropriate username mappings for existing INB users. The LDAP user-mapping option adds significant weight to this process and generates additional LDAP traffic. To improve performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner as follows:

USERMAP_OPT = N

The value N means that you do not want to use the usermap option. If USERMAP_OPT is not N, the Banner Middle Tier single sign-on process first looks for an LDAP username mapping based on the GUAUPRF LDAP settings, then falls back to the mapping in the Banner GOBEACC table. For more information about SSB and INB configuration, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and the event-driven infrastructure.

This chapter discusses the following sections:

• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"

Learning Message Gateway

The Learning Message Gateway (LMG) is an architectural component designed for use with, and supporting, Banner Integration for e-Learning.

This section explains the following topics:

• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 included some JMS/MQ wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb web server (which provided an HTTP interface for administration) were part of that package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework application server context, which contains native JMS client connectivity by default. In addition, the JMS provider middleware has been decoupled from the Luminis-specific portal and administration tools.

Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is GlassFish Server Open Source Edition 3.1, which includes MQ 4.5.

GlassFish MQ 4.5 is the current generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish Open MQ runs natively on the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. mbtool and the tomcat-mb interface have been deprecated; however, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, and the …/imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties).

You may continue to use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider. SunGard Higher Education nevertheless recommends the new technology provided with the GlassFish server, which is more actively supported by the Open MQ community. This document assumes that eLearning integration for Luminis 5 and Banner uses GlassFish Enterprise Server 3.x with MQ 4.4.x.

The LMG installation remains virtually the same as it was for LMG 4.0: create $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.

The differences required for Luminis Platform 5 integration concern the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:

lp5_mqinit.sh
Install LMG 4.0

Note: You must already have installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.

To install LMG 4.0, complete the following steps:

1. Create an install directory where the Learning Message Gateway will reside; this is the value of the SCT_LMG_HOME environment variable. For example:

mkdir /export/home/cpadmin/SCTERPGateway

2. Add the following lines to the .bash_profile of your LUMADMIN user:

SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway
export SCT_LMG_HOME

3. Copy lmg40.jar into your SCTERPGateway installation directory. The JAR file can be obtained from the Downloads section of the Customer Support Center.

4. Run the following command:

java -jar lmgX.x.jar -erp plus|banner -lmbhost <lmbserver> -dburl <dbserver>:<port>:<instance> -dbpw <mydbpasswd> -jmspw <myjmspasswd> -ldi true|false -notification true|false

For example:

java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true

The database and JMS passwords passed on the command line are visible in process listings and in the shell history; clear the history entry afterwards.

Note: For more information on the command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and modifies the <opends>/db and <opends>/config directories, so back up OpenDS before executing it.

The full script is listed in "Full lp5_mqinit.sh script" on page C-5.

To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:

www.edu1world.org/CommonsLuminis

The lp5_mqinit.sh script creates users and administered objects, such as topics, queues and connection factories, under $OPENDS_MQ_BASEDN (generally o=messaging). Its properties include the following:
• Environmental settings:

HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq

• MQ_LMG settings should match the credentials defined for LMG in event_providers.plist (the values shown are placeholders):

MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password

• MQ_LUM settings should match the credentials in the com.sghe.luminis.imqConnection* settings of the tomcat-admin bootstrap.properties file, located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:

MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password

• MQ_JMS_PORT should match imq.jms.tcp.port, and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both in imqbroker/props/config.properties. If these values are not specified in config.properties, use imq.portmapper.port, which defaults to 7676:

MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676

Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, revisit the administered-object configuration in o=messaging and update these values in the connection factory definitions as well.

• TUNNEL settings refer to the HTTP and HTTPS tunnel (imqhttp/imqhttps) configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080; SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache). MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 (HTTPS), which defaults to 8181:

MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=/imq/tunnel

Note: These settings may not reflect those in use by Luminis Platform 5, but the script uses them to define the imqConnectionURL in the connection factory definitions; the script could be used by other applications or by a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a direct JMS or SSL JMS connection.

• Other settings, which should only be modified in non-standard configurations:

OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389

Once these variables match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ

Update <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:

imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>

<user> and <password> must be a privileged user in ou=People,o=messaging. If you ran lp5_mqinit.sh, both MQ_LMG_USER and MQ_LUM_USER qualify, since the script grants them read, search and compare privileges in o=messaging. Note that this password is stored in clear text in config.properties and the bind goes to port 389 without TLS (the script itself calls it INSECURE_LDAP_PORT), so restrict the file permissions on config.properties and keep the broker and OpenDS on the same host as the script assumes.

To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:

imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR

Change imq.log.level to INFO for low-level debug logging.

Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access, which shows whether bind attempts succeed.
Set up GlassFish MQ access control

Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties that can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your LDAP users should be granted ADMIN access in order to perform administrative functions with MQ.

To tighten security for topics and queues, set queue- and topic-specific permissions in the MQ access control. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis:

connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser

Note that the first line grants the ADMIN connection service to both application accounts, which lets either of them run imqcmd against the broker. If you want a separate administrative identity, list only that user on connection.ADMIN and leave lmguser and lumuser on connection.NORMAL.
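To see what a rule set like this actually grants, here is an added Python example (not part of this guide or of Open MQ) that parses accesscontrol.properties rules and answers "may user X produce or consume on destination Y?" for the lmguser and lumuser accounts above. It approximates the broker's resolution order (exact destination before the "*" wildcard, deny before allow, user rules before group rules, default deny when nothing matches); those are assumptions, so confirm any decision that matters with imqcmd against the real broker.

```python
"""Evaluate Open MQ accesscontrol.properties rules for a given user.

Added example; it is not part of the Luminis guide or of Open MQ.  It models
the broker's rule resolution with the following assumptions:
  1. a rule naming the exact destination beats the "*" wildcard rule;
  2. at the same level an explicit deny beats an allow;
  3. a user rule is consulted before a group rule;
  4. no matching rule at all means deny.
"""

# Constructed sample: the rules quoted in this section.
SAMPLE_ACL = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""


def parse_acl(text):
    """Return {(rtype, dest, op, perm, ptype): set(principals)}.

    Accepted key shapes:
      connection.<NORMAL|ADMIN>.<allow|deny>.<user|group>
      <queue|topic>.<dest or *>.<produce|consume|browse>.<allow|deny>.<user|group>
      <queue|topic>.create.<allow|deny>.<user|group>
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or line.startswith("version="):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a property: %r" % line)
        parts = key.strip().split(".")
        principals = {p.strip() for p in value.split(",") if p.strip()}
        if parts[0] == "connection" and len(parts) == 4:
            rule = ("connection", None, parts[1], parts[2], parts[3])
        elif parts[0] in ("queue", "topic") and len(parts) == 5:
            rule = tuple(parts)
        elif parts[0] in ("queue", "topic") and len(parts) == 4 and parts[1] == "create":
            rule = (parts[0], None, "create", parts[2], parts[3])
        else:
            raise ValueError("unrecognised rule: %r" % key)
        if rule[3] not in ("allow", "deny") or rule[4] not in ("user", "group"):
            raise ValueError("unrecognised rule: %r" % key)
        rules.setdefault(rule, set()).update(principals)
    return rules


def can(rules, user, rtype, op, dest=None, groups=()):
    """True if `user` may perform `op` on `dest` (queue/topic name, or None
    for connection and create rules)."""
    levels = [dest, "*"] if dest is not None else [None]
    names_by_type = (("user", {user, "*"}), ("group", set(groups) | {"*"}))
    for level in levels:                          # exact destination first
        for perm in ("deny", "allow"):            # deny wins at the same level
            for ptype, names in names_by_type:    # user rule before group rule
                if rules.get((rtype, level, op, perm, ptype), set()) & names:
                    return perm == "allow"
    return False                                  # no rule: default deny


def admin_connection_users(rules):
    """Users granted connection.ADMIN, i.e. able to administer the broker."""
    return set(rules.get(("connection", None, "ADMIN", "allow", "user"), set()))


def grants_for(rules, user, groups=()):
    """Every (rtype, dest, op) the rule set mentions for which `can` says yes."""
    seen = {(rtype, dest, op) for rtype, dest, op, _perm, _ptype in rules}
    return sorted((t for t in seen if can(rules, user, t[0], t[2], t[1], groups)),
                  key=lambda t: (t[0], t[1] or "", t[2]))


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for account in ("lmguser", "lumuser"):
        print(account, grants_for(acl, account))
    print("ADMIN connection:", sorted(admin_connection_users(acl)))
```

Run as a script it lists each account's effective grants and the accounts holding connection.ADMIN; parsing a second rule set that combines a wildcard allow with an explicit deny shows the deny winning, which is the behaviour you want to confirm before relying on destination-level rules.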
Custom JMS Clients

Ensure that your JMS clients have the same versions of jms.jar and imq.jar in their classpath as any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform

The Open MQ configuration depends on the client's requirements. There are many options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ or Update Center, see http://java.net/jira/secure/IssueNavigator.jspa.

In most cases installation is simply extracting the archive to the desired directory.

As a reference installation, you could use the following steps to install GlassFish on a Linux 4.x or 5.x server.

1. Download and install JDK 1.6.x. Downloads and documentation are available at:

http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at:

http://glassfish.java.net

For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.

Use the following steps to configure GlassFish and MQ.

2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.

Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.

2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command (a dedicated unprivileged account is preferable to root for a long-running service):

3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.

To create a JMS user, complete the following steps.

Note: The imqusermgr command creates users in the file-based user repository; it can be skipped if you are using an LDAP or JAAS-based user repository for MQ. The default credentials for imqcmd are admin/admin. These may differ in your environment if you have already changed the admin user's password or configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for details, or contact the Luminis-Integration ActionLine for additional help. Change the default admin/admin credentials before the broker is reachable from anything other than localhost.

3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:

imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker

3.2 In <GLASSFISH_HOME>/mq/bin, update the admin password if desired:

imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments: the initial connection to the MQ is made on port 7676, and the MQ then advertises the ports to use for the other services, as illustrated below:

telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.

The portmapper reply is unauthenticated: anyone who can reach port 7676 learns the broker's install paths, JMX URL and service ports, so restrict access to that port at the firewall as you would the service ports themselves.
If ephemeral ports are not permitted through the firewall, or if you otherwise prefer static ports, both the firewall and the MQ must be configured for them. The MQ is configured to use static ports by adding the following lines to the bottom of <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:

imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576

After reconfiguring MQ, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the default-host change described in step 5.3), to confirm that the new static ports are being used as expected:

[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
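The telnet check above can be automated. The following added Python example (not from this guide) reads the static port settings from config.properties, applies the fallback described in the lp5_mqinit.sh section (no static port means the service gets an ephemeral port and only the portmapper port, default 7676, is fixed), parses a portmapper reply in the format shown in the transcripts, and reports every service whose configured static port is not what the broker advertises. The sample config and reply are constructed from the values in this section; fetch_banner reads the reply from a live broker and assumes the portmapper answers on connect, so it simply reads until the broker closes the connection.

```python
"""Compare the static ports in Open MQ config.properties with the ports the
broker's portmapper actually advertises.

Added example, not from the Luminis guide: it turns the manual
"telnet host 7676" check into a parser plus a comparison.  The reply format
assumed here is the one in the transcripts (one service per line:
name protocol type port [attrs]); the status line "101 imqbroker 4.5"
marks where the listing starts, so a pasted telnet session also parses.
"""
import re
import socket

PORTMAPPER_DEFAULT = 7676

# Constructed sample: the static port settings shown in this section.
SAMPLE_CONFIG = """\
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
"""

# Constructed sample reply, modelled on the second transcript above.
SAMPLE_BANNER = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""

# Portmapper service name -> config.properties key that pins its port.
STATIC_KEYS = {
    "admin": "imq.admin.tcp.port",
    "jms": "imq.jms.tcp.port",
    "ssljms": "imq.ssljms.tls.port",
}

STATUS_LINE = re.compile(r"^\d{3} \S+ \S+$")
SERVICE_LINE = re.compile(r"^(\S+)\s+\S+\s+\S+\s+(\d+)(?:\s|$)")


def parse_properties(text):
    """Minimal Java .properties reader (key=value, # and ! comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def expected_ports(props):
    """Ports clients must be able to reach.  A service without a static
    port gets an ephemeral one and is returned as None; the portmapper
    itself listens on imq.portmapper.port (default 7676)."""
    ports = {"portmapper": int(props.get("imq.portmapper.port", PORTMAPPER_DEFAULT))}
    for service, key in STATIC_KEYS.items():
        ports[service] = int(props[key]) if key in props else None
    return ports


def parse_banner(text):
    """Map service name -> advertised port from a portmapper reply."""
    lines = [line.rstrip() for line in text.splitlines()]
    start = next((i for i, line in enumerate(lines) if STATUS_LINE.match(line)), None)
    if start is None:
        raise ValueError("no portmapper status line found")
    services = {}
    for line in lines[start + 1:]:
        m = SERVICE_LINE.match(line)
        if m:
            services[m.group(1)] = int(m.group(2))
    return services


def compare(props, banner_text):
    """Return [(service, configured, advertised)] for every service whose
    static port the broker does not advertise.  advertised is None when the
    service is not active (not in imq.service.activelist) and a different
    number when the broker is still handing out an old or ephemeral port."""
    advertised = parse_banner(banner_text)
    problems = []
    for service, port in expected_ports(props).items():
        if port is None:
            continue                      # ephemeral by configuration
        if advertised.get(service) != port:
            problems.append((service, port, advertised.get(service)))
    return problems


def fetch_banner(host, port=PORTMAPPER_DEFAULT, timeout=5.0):
    """Read the portmapper reply from a live broker (what telnet shows)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"\n")               # harmless if the broker answers on connect
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


if __name__ == "__main__":
    for service, configured, advertised in compare(parse_properties(SAMPLE_CONFIG), SAMPLE_BANNER):
        print("%s: configured %s, broker advertises %s" % (service, configured, advertised))
```

Run against the sample it reports only ssljms: the TLS port is configured but the ssljms service is not in imq.service.activelist, so the broker never advertises it. Against the first transcript it would report admin and jms as still ephemeral, which is what you see when GlassFish was not restarted after editing config.properties.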
Note: If you have not yet installed Luminis Platform, these settings go in your setup.properties.

If Luminis Platform was installed with the default setting jmsenabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.

Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.

For example, the settings may appear as follows:

com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. GlassFish Enterprise Server should be installed, with the JMS and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.

5.1 To query the broker, run:

cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>

5.2 To ensure that the JMS service is active, run:

imqcmd query svc -b <localhost> -n jms

5.3 SunGard Higher Education recommends renaming the default host used by the broker from localhost to your FQDN. To do so, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host attribute matches your FQDN, as in the following example:

<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true"/>
</jms-service>

After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN in any imqcmd commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:

• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is held in the GOBUMAP configuration, PIDM <-> SPRIDEN ID mappings in the SPRIDEN table, and PIDM <-> INB (Oracle) login mappings in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.

The LDAP authentication layer is not needed beyond the initial CAS authentication. Luminis Platform portlets for Banner continue to rely on the Banner Oracle INB ID, or the BANPROXY proxy ID, to gather data from Oracle and stream it back through the portlets. There is no additional LDAP authentication or SPRIDEN ID lookup against LDAP in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, place their trust in the initial CAS ticket (as issued by the Luminis CAS login on port 8447) coupled with the assertion of the UDC ID in the configured cookie and header. Anything able to set that cookie or header on a request to Banner is therefore equivalent to a CAS login, so the BEIS and banportals hosts belong inside the same trust boundary as the CAS server.

Luminis portlets for Banner add database-level security with Banportals on each transaction, using either the user's actual INB/Oracle user account or, by proxy, BANPROXY.

Other questions to consider when setting up a user in Banner applications:

• Does the user have a GOBUMAP entry mapping the UDC ID to a valid PIDM, and is a UDC ID defined in the user's Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured in your CAS server's services management page (cas-web/services/manage.html) to specifically release the UDC_IDENTIFIER?
• Do the cookie and header names for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?

Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 with patch b_0110_twb8030001, or Web Tailor 8.2 with patch b_0110_twb8020001; otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations; the domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN

To create the optional base DN o=SCTSSOapplications, you can use the OpenDS control panel. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.

For more information about managing base DNs with the control panel, see:

https://www.opends.org/wiki/page/ManagingDnsWithControlpanel

To create the base DN, complete the following steps:

1. From $CP_ROOT/products/opends/bin, run the following command:

dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced

1.1 Select userRoot.

1.2 Select base-dn.
1.3 Select Add one or more values.

1.4 Enter the DN, for example o=SCTSSOapplications.

1.5 Press Enter to continue.

1.6 Select Use these values.

1.7 Press f to finish and apply the changes to the Local DB Backend.

2. Import the sso_oclass_lum5.ldif file:

ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif

The -X option trusts any server certificate; drop it once the OpenDS certificate is in your trust store.

For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications" sections in Appendix C, "Sample Scripts and Files".

3. Import the sctssoapplications.ldif file:

import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline

Passing the Directory Manager password with -w puts it in the shell history; -j <password file> avoids that.
Verify usermap setup for INB users using the proxyinfo.sql script

The proxyinfo.sql script determines which Oracle ID is connected for a specific Luminis ID. When run, the script prompts you for a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.

Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence; for any user who does not have an explicit usermap entry, the default Oracle ID (usually banproxy) results.

If you are using INB, this script must return your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: Be careful when using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
For the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. The GUAUPRF configuration in turn relies on a proper encryption-key configuration.

The mapping in the GOBEACC table is used to create an Oracle connection for self-service pages restricted with the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for INB channels, such as the My Banner channel, the GOBEACC mapping does not apply; instead, a separate usermap (usually maintained on the Luminis LDAP server) must be created to associate the Luminis login ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT This type of encryption uses a key or password to perform the encryption
NoteDuring your Banner installation or upgrade you should have created the directory KEY_DIR The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created If KEY_DIR exists in the database and the physical directory has been created on your database server and you have a valid enckey file then you may skip this step and proceed to ldquoCreate entries in LDAP for usermaprdquo on page 4-5
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure the group permissions allow Oracle to read it.
1. Create the physical directory on your database server, for example: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
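As an added example (not code from the guide or from Banner), the following shell function checks an enckey file against the key rules stated above before banssodir.sql is run; the check_enckey name and the temporary directory it uses for the demonstration are this example's own.

```shell
#!/bin/sh
# Added example, not from the guide: check an enckey file against the key
# rules above before running banssodir.sql. The directory and sample key
# below are constructed for this demonstration.

# check_enckey FILE
# Returns 0 when the first line of FILE is a usable GOKKSSO key, 1 otherwise;
# the first rule that fails is printed.
check_enckey() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "enckey: $file does not exist or is not readable"
        return 1
    fi
    # Only the first line of the file is treated as the key.
    key=$(head -n 1 "$file")
    case "$key" in
        '' )
            echo "enckey: first line is empty"
            return 1 ;;
        [[:space:]]* )
            echo "enckey: key must start in column 1 (no leading whitespace)"
            return 1 ;;
    esac
    len=${#key}
    if [ "$len" -lt 8 ]; then
        echo "enckey: key has $len characters, at least 8 are required"
        return 1
    fi
    if [ $((len % 8)) -ne 0 ]; then
        echo "enckey: key length $len is not a multiple of 8"
        return 1
    fi
    # "A combination of letters and numbers": require at least one of each.
    case "$key" in
        *[0-9]* ) ;;
        * ) echo "enckey: key must contain at least one digit"; return 1 ;;
    esac
    case "$key" in
        *[A-Za-z]* ) ;;
        * ) echo "enckey: key must contain at least one letter"; return 1 ;;
    esac
    if [ "$len" -gt 24 ]; then
        # Longer keys are accepted, but GOKKSSO only uses the first 24 characters.
        echo "enckey: note, only the first 24 of $len characters are used"
    fi
    echo "enckey: OK ($len characters)"
    return 0
}

# Demonstration with a constructed key directory (not $BANNER_HOME/key_dir).
DEMO_KEY_DIR=$(mktemp -d)
printf 'Abc12345xyz98765\n' > "$DEMO_KEY_DIR/enckey"
check_enckey "$DEMO_KEY_DIR/enckey"
```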
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if they are different between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping can be read.
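As an added example (not code from the guide or from Banner), the shell functions below generate a usermap entry in the form shown in step 1 and read a mapping back out of an LDIF file, so a mapping can be checked before import and again before banportals is restarted. The function names, the second sample user and the temporary file are this example's own assumptions; the base DN is the one the guide uses.

```shell
#!/bin/sh
# Added example, not from the guide: generate a usermap entry in the form
# shown above and read a mapping back from an LDIF file. The IDs and the
# output file are constructed for this demonstration.

USERMAP_BASE="o=usermap,o=Banner,o=SCTSSOapplications"

# usermap_ldif LUMINIS_ID BANNER_ID
# Prints an SCTSSOConfig entry mapping LUMINIS_ID to BANNER_ID.
# Returns 1 (printing nothing) when the two IDs are identical, because the
# guide says an entry is neither necessary nor recommended in that case.
usermap_ldif() {
    lum=$1
    ban=$2
    if [ -z "$lum" ] || [ -z "$ban" ]; then
        echo "usage: usermap_ldif LUMINIS_ID BANNER_ID" >&2
        return 2
    fi
    if [ "$lum" = "$ban" ]; then
        echo "usermap_ldif: $lum is the same in both systems; no mapping needed" >&2
        return 1
    fi
    # Only plain IDs are handled; no DN or LDIF escaping is attempted here.
    case "$lum$ban" in
        *[!A-Za-z0-9._-]* )
            echo "usermap_ldif: IDs must be alphanumeric (plus . _ -)" >&2
            return 1 ;;
    esac
    printf 'dn: cn=%s,%s\n' "$lum" "$USERMAP_BASE"
    printf 'SCTSSOConfigString: %s\n' "$ban"
    printf 'objectClass: top\n'
    printf 'objectClass: SCTSSOConfig\n'
    printf 'description: Map of Luminis ID - %s to Banner/Oracle ID - %s\n' "$lum" "$ban"
    printf 'cn: %s\n\n' "$lum"
}

# usermap_lookup FILE LUMINIS_ID
# Prints the Banner ID mapped to LUMINIS_ID by the o=usermap entries in FILE
# (an LDIF file such as sso_map.ldif); returns 1 when no entry exists.
# Values are expected on one line; LDIF folded continuation lines are not joined.
usermap_lookup() {
    awk -v want="$2" '
        # Each dn: line starts a new entry; remember its cn only when the
        # entry lives under o=usermap.
        /^dn:/ {
            cn = ""
            if ($0 ~ /o=usermap,/ && match($0, /cn=[^,]+/))
                cn = substr($0, RSTART + 3, RLENGTH - 3)
            next
        }
        cn == want && /^SCTSSOConfigString:/ {
            val = $0
            sub(/^SCTSSOConfigString:[[:space:]]*/, "", val)
            print val
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Demonstration: JoeSmith (Luminis) maps to jsmith (Oracle/Banner).
DEMO_MAP=$(mktemp)
usermap_ldif JoeSmith jsmith > "$DEMO_MAP"
cat "$DEMO_MAP"
echo "JoeSmith -> $(usermap_lookup "$DEMO_MAP" JoeSmith)"
```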
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps.
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value is displayed as the default value for new users who log in to Banner.
Parameter: Description
BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using the Internet URL format for LDAP, for example: ldap://myldapserver:389
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are as follows:
L - LoginID is used for login mapping
N - No usermap option is used
USERMAP_PRFX: Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter: Description
LOCATION: To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows: file:d:\wallet for Windows, file:/u01/wallet for Unix
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode, which can be one of the following values:
1 - No authentication is required (SSL encryption only)
2 - One-way authentication is required; the client certificate is authenticated by the server
3 - Two-way authentication is required; the client and the server authenticate each other's certificates
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions listed in step 2.2.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry inside the util:map element with id uniqueIdGeneratorsMap:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
      p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:proxyHandler-ref="proxy20Handler"
      p:argumentExtractor-ref="BannerArgumentExtractor"
      p:successView="bannerAccountServiceSuccessView"
      p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M:%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M:%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name '*.log'
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, refer to the logs in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container, which take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain:
/opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location:
/opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
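As an added example (not code from the guide or from LMG), the shell function below follows one event ID (the Event Sequence from GOAEQRM) through log lines of the format shown above and reports how far it got, which is the check to run before restarting LMG or digging into the broker. The sample log is constructed for this example: the 370660 lines reproduce the guide's example, the 370661 lines and the function name are this example's own.

```shell
#!/bin/sh
# Added example, not from the guide: follow one event ID through LMG log
# lines of the format shown above and report how far it got. The sample log
# below is constructed; only the 370660 lines reproduce the guide's example.

LMG_SAMPLE_LOG=$(mktemp)
cat > "$LMG_SAMPLE_LOG" <<'EOF'
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,117 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,240 [Thread-1] WARN events.com.sct.corp.events.MessageAdapter - Message 370661 not published: broker connection refused
EOF

# lmg_event_status LOGFILE EVENTID
# Prints the furthest stage reached by EVENTID and returns 0 only when the
# event was published to a destination. Matching is on whole IDs, so 37066
# does not match 370660.
lmg_event_status() {
    awk -v id="$2" '
        index($0, "XML for " id " is a valid document") { if (stage < 1) stage = 1 }
        index($0, "Message " id " published to Luminis Message Broker") { if (stage < 2) stage = 2 }
        index($0, "The event " id " has been published to ") {
            stage = 3
            topic = $0
            sub(/.*has been published to /, "", topic)
        }
        # Count WARN/ERROR lines that mention this event ID as a whole token.
        index($0, " " id " ") && ($0 ~ / (WARN|ERROR) /) { problems++ }
        END {
            if (stage == 3)      print "event " id ": published to " topic
            else if (stage == 2) print "event " id ": sent to broker, no destination logged"
            else if (stage == 1) print "event " id ": XML validated, not published"
            else                 print "event " id ": not found in log"
            if (problems > 0)    print "event " id ": " problems " WARN/ERROR line(s) in the log"
            exit (stage == 3 ? 0 : 1)
        }
    ' "$1"
}

# Demonstration over the constructed log; the second call exits 1 and is
# shown for contrast.
lmg_event_status "$LMG_SAMPLE_LOG" 370660
lmg_event_status "$LMG_SAMPLE_LOG" 370661 || true
```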
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows.
1. Locate the default MQ logs, stored in the following location:
<glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination directory or filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfosql script
The following is an example proxyinfosql script--------------------------------------------------------------
-- PROXYINFOSQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID When run it will
-- prompt you to enter a Luminis ID If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned then there was
-- no mapping found and the default is used
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program
-- 1) login to SQL as BANINST1
-- 2) Type start proxyinfo
-- to run the program
--------------------------------------------------------------
er 2011 Luminis Platform 503 C-1Banner Integration Setup Guide
Sample Scripts and Files
C-2
--------------------------------------------------------------
-- Audit Trail 10
-- ___________________________________________________________
-- 1 Initial Release - NON-SUPPORTED PROCESS TH 07-JUN-06
--
-- Audit Trail 11
-- ___________________________________________________________
-- 1 Update TH 06-APR-07
-- Updated g$_get_proxy_info call to accomodate Gen 741
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfolst
declare
a varchar2(200)=CHANNEL
b varchar2(200)=LUMINIS
c varchar2(200)=ampLuminis_ID
d varchar2(200)
e varchar2(200)
f varchar2(200)
z varchar2(200)
begin
dbms_outputput_line(Call G$_Get_Proxy_Info)
gspprxyg$_get_proxy_info(abczdef)
dbms_outputput_line( Role ||e)
--dbms_outputput_line( PWD ||f)
dbms_outputput_line( Luminis User ||c)
dbms_outputput_line( Oracle User ||d)
end
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1...
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinitsh script
The full lp5_mqinitsh script referred to in ldquoSet up users and administered objects in o=messagingrdquo on page 3-3 is listed below
binsh
author davidnortonsungardhecom
version history
01312011 - initial version rolled
02162011 - slight changes to notes
02202011 - notes moved to separate doc general clean-up but
no changes in the logicexecution
Debug note
To debug execute ldquobinsh [or binbash] [-x|-v] lp5_mqinitshrdquo
Uncomment the following for verbose dsconfigldapmodify
VERBOSE=rdquo--verboserdquo
User-configurable variables before running script
HOSTNAME=slc207123sctcom
MQ_HOME=optglassfishv3mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
er 2011 Luminis Platform 503 C-5Banner Integration Setup Guide
Sample Scripts and Files
C-6
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
You probably shouldnt need to adjust these
OPENDS_DIR=$CP_ROOTproductsopends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=rdquoo=messagingrdquo
INSECURE_LDAP_PORT=389
Non-configurable variables initialized
STEPNO=1
ERRORCODE=0
After each command check for a non-zero error response and exit if applicable
ErrorCheck()
while
do
case $ERRORCODE in
err=0 no error
0 ) break
Not necessarily errors might indicate script already ran
err=20 generally means Attribute of Value Exists
err=68 generally means Entry Already Exists
20|68 )
echo Proceed with script [Press Y|y to continue any other key to abort]
read PROCEED
case $PROCEED in
Y|y )
break 2
)
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
echo Failed on step $STEPNO with error $ERRORCODE
exit
esac
Shouldnt ever get here but just in case no pun
echo Outer loop break
) echo Failed on step $STEPNO with error $ERRORCODE
exit
esac
done
Step 01
Some sanity checks before we start
Does $OPENDS_DIR exist and is it writable
if [[ ( -d $OPENDS_DIR ) || ( -w $OPENDS_DIR ) ]] then
echo ERROR $OPENDS_DIR does not exist or is not writable
echo You must execute this script as the $CP_ROOT installerowner
echo on the resource tier Exiting
exit
fi
Step 02
Prompt [no screen echo] for DM password
echo Enter the Directory Manager password for DS additionsmods
read -s DM_PASSWORD
Refer to httpswwwopendsorg12pageDsconfig for dsconfig options
DSCONFIG_OPTS=-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE
Refer to httpswwwopendsorgwikipageLdapmodify for ldapmodify options
er 2011 Luminis Platform 503 C-7Banner Integration Setup Guide
Sample Scripts and Files
C-8
LDAPMODIFY_OPTS=-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE
STEP 1
Create a new base-dn within backend userRoot
cd $CP_ROOTproductsopendsbin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn$OPENDS_MQ_BASEDN
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 2
Ensure that pre-encoded passwords are allowed
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Default Password Policycn=Password Policiescn=config
changetype modify
replace ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords true
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 3
Add $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn $OPENDS_MQ_BASEDN
objectClass top
objectClass organization
o messaging
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 4
Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
dn ou=People $OPENDS_MQ_BASEDN
ou People
objectClass organizationalunit
objectClass top
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 5
Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS -a ltlt-EOF
dn ou=AdministeredObjects $OPENDS_MQ_BASEDN
ou AdministeredObjects
objectClass organizationalunit
objectClass top
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 6
Add $MQ_LMG_USER
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=$MQ_LMG_USERou=People $OPENDS_MQ_BASEDN
userPassword $MQ_LMG_USER_PW
description LMG
objectClass person
objectClass top
sn $MQ_LMG_USER
cn $MQ_LMG_USER
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
If you want to insert a pre-encoded userPassword the format would be
userPassword e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
er 2011 Luminis Platform 503 C-9Banner Integration Setup Guide
Sample Scripts and Files
C-10
STEP 7
Add the $MQ_LUM_USER user
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=$MQ_LUM_USERou=People $OPENDS_MQ_BASEDN
userPassword $MQ_LUM_USER_PW
description Internal message broker administrative user
objectClass person
objectClass top
sn $MQ_LUM_USER
cn $MQ_LUM_USER
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 8
Add LDAP aci so that $MQ_LMG_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LMG_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
# STEP 9
# Add LDAP ACI so that $MQ_LUM_USER has read,search,compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands.
# Note: the Directory Manager password is passed on the command line (visible to
# other local users via ps) and the bind goes over the plain LDAP port, which is
# why this script assumes OpenDS and GlassFish share a host.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Note: the following imqobjmgr queue/topic creations could also have been
# done with imqcmd as follows; explicit imqobjmgr is used to ensure
# fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the destination name must be the UpdateRequest queue created above, not the Sync topic)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG, WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG, WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG, WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG, WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the BANPROXY configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:
SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;
The proxy (connect-through) grant for BANPROXY access has the following form:
SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted EXECUTE on gspprxy and CREATE SESSION (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed; USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, issue the grants manually as BANSECR for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Assign the connect-through grants manually via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID is used for a given SPRIDEN ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, run as BANSECR, described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between the SSO systems is intentionally non-obvious to make hijacking and similar attacks harder. The installation process is manual so that each institution's administrative staff can customize their environment with unique keywords.
The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb must match what was configured in baniam.properties inside the baniam.jar file. Likewise, the value of the ticket parameter name (such as iamticket for INB) must match the parameter added to your formsweb.cfg, as follows:
iamticket=iamticket
Reference the Forms configuration consistently wherever forms/frmservlet?config=… is referenced in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header names in the bnigWeb configuration must match the IDM settings in Web Tailor Parameters.
If you see AJP-related errors in the Banner Enterprise Identity Services default island log in $OAS_HOME/opmn/logs, or errors such as "SOAPException faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams on which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any lock files.
Another SOAP-related error, an HTTP transport error, can occur even if all the JMS queues are configured and operating correctly. It suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your Forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK in the SunGard Higher Education Customer Support Center describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. SELECT COUNT(*) FROM GSVCADT WHERE GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide is missing the closing single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files located on your Banner DB server under $BANNER_HOME/upgrade/gen80000u. They were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To start them manually, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If the streams are locking on archive logs, remove the stream with the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
11. Ensure that on each Luminis server the files in $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes (banportals.properties) are customized to match the configuration deployed above for the banportals.ear file.
Banner portlet life cycle
The process of surfacing content in the portal by means of a portlet calling into Banner is as follows:
• The user authenticates to the portal.
• The user places a Banner portlet on a portal page.
• During portlet rendering, the portlet class calls out to Banner.
• Banner generates XML content in response to the request.
• The XML content is returned to the portlet class and transformed using the preloaded XSLT style sheet.
• The resulting XHTML from the transform is rendered in the portlet, with deep links pointing directly to locations within SSB or INB.
Channel authentication depends on proper GSASECR configuration, including BANPROXY configuration and appropriate username mappings for existing INB users. The LDAP user-mapping option adds significant weight to this process and increases LDAP traffic. To improve performance, set the USERMAP_OPT parameter in the General User Preferences Maintenance Form (GUAUPRF) in Banner as follows:
USERMAP_OPT = N
The value N means that you do not want to use the usermap option. If USERMAP_OPT is not N, the Banner Middle Tier single sign-on process first looks for an LDAP username mapping based on the GUAUPRF LDAP settings, then falls back to the mapping in the Banner GOBEACC table. For more information about SSB and INB configuration, see "SSB and INB Integration" on page 4-1.
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and the event-driven infrastructure.
This chapter discusses the following sections:
• "Learning Message Gateway"
• "Configure JMS provider with Luminis Platform"
Learning Message Gateway
The Learning Message Gateway (LMG) is an architectural component designed for use with Banner Integration for eLearning.
This section explains the following topics:
• "Background from a Luminis Platform 4 perspective"
• "Install LMG 4.0"
• "Set up users and administered objects in o=messaging"
• "Enable LDAP user repository for MQ"
• "Set up GlassFish MQ access control"
• "Custom JMS Clients"
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring Framework application server context, which provides native JMS client connectivity by default. In addition, the JMS provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is GlassFish Server Open Source Edition 3.1, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish Open MQ runs natively on the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the …/imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.
You may use the older LMB 4.0. Luminis Platform does not depend on a specific JMS provider, but SunGard Higher Education recommends the new technology provided with the GlassFish enterprise server, which is more actively supported by the Open MQ community. In this document it is assumed that eLearning integration for Luminis 5 and Banner uses GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as for LMG 4.0: create $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration relate to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Message Gateway and the SCT_LMG_HOME environment variable reside. For example:
mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following to .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway; export SCT_LMG_HOME
3. Copy lmg40.jar into your SCTERPGateway installation directory. The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgX.x.jar -erp plus|banner -lmbhost <lmbserver> -dburl <dbserver>:<port>:<instance> -dbpw <mydbpasswd> -jmspw <myjmspasswd> -ldi true|false -notification true|false
For example:
java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Passwords given on the command line this way are visible to other local users in the process list and are recorded in the shell history; clear the history entry after the install and change the passwords if the host is shared.
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server runs on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of opends before executing it is recommended. The Directory Manager password is passed on the imqobjmgr command line and the binds go over the unencrypted LDAP port, which is a further reason to run the script only on the OpenDS host itself.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects (topics, queues and connection factories) in $OPENDS_MQ_BASEDN, generally o=messaging. Its properties include the following:
• Environmental settings:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection* settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both in imqbroker/props/config.properties. If these values are not specified in config.properties, use imq.portmapper.port, which has a default value of 7676:
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener-1 in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache. MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 (https), which has a default value of 8181:
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update <glassfish-domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> values should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search and compare privileges in o=messaging. This file then holds that user's password in cleartext and the broker binds to OpenDS over plain LDAP on port 389, so restrict the file's permissions to the account that runs the broker and keep the localhost:389 setting rather than pointing it at a remote directory.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change imq.log.level to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis:
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
A rule for a named destination overrides the broker's wildcard rules (queue.*.produce.allow.user and similar) for that destination only; destinations without an explicit rule keep the wildcard permissions, so review those lines as well. The broker does not check these names against the user repository, so a misspelled user name silently denies that client rather than failing at broker startup.
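Because the broker never validates the user names in accesscontrol.properties, a one-letter slip (lumser for lumuser, for instance) shows up only as a denied client. The following shell check is an added example, not part of this guide or of lp5_mqinit.sh: it reads an accesscontrol.properties file and lists every allow.user entry that names a user other than the ones you pass in (normally the users the script created). SAMPLE_ACL is a constructed file that deliberately contains the misspelling; the '*' wildcard the broker accepts is treated as valid.

```shell
# Added example (not part of the Luminis guide or lp5_mqinit.sh): cross-check
# the user names in an Open MQ accesscontrol.properties against the principals
# that exist in ou=People,o=messaging. SAMPLE_ACL is a constructed sample that
# reproduces a typo (lumser) of the kind that silently denies lumuser.

SAMPLE_ACL='# constructed sample, mirrors the guide with two misspellings
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.*.produce.allow.user=*'

# unknown_acl_users FILE USER...
# Prints "<property>: <user>" for every allow.user entry naming a user that is
# not in USER... ('*' is the broker's wildcard and is accepted). Returns 1 if
# any were found, 0 otherwise.
unknown_acl_users() {
  acl_file=$1; shift
  known=" $* "
  found=$(
    grep -v '^[[:space:]]*#' "$acl_file" | grep '\.allow\.user=' |
    while IFS='=' read -r prop users; do
      printf '%s\n' "$users" | tr ',' '\n' | tr -d ' ' |
      while read -r u; do
        case $u in
          ''|'*') ;;                                 # blank or wildcard
          *) case $known in
               *" $u "*) ;;                          # listed in USER...
               *) printf '%s: %s\n' "$prop" "$u" ;;  # not a known principal
             esac ;;
        esac
      done
    done
  )
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
  return 0
}

# Live use: unknown_acl_users <imq>/instances/imqbroker/etc/accesscontrol.properties lumuser lmguser
# Demonstration on the constructed sample:
tmp_acl=$(mktemp)
printf '%s\n' "$SAMPLE_ACL" > "$tmp_acl"
unknown_acl_users "$tmp_acl" lumuser lmguser || echo "fix accesscontrol.properties before restarting the broker"
rm -f "$tmp_acl"
```

Run it against the real file with the same user names you gave lp5_mqinit.sh (MQ_LUM_USER and MQ_LMG_USER) after every edit of accesscontrol.properties; a non-zero exit means at least one rule can never match a real principal.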
Custom JMS Clients
Ensure your JMS clients have the same versions of jms.jar and imq.jar in their classpath as any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services and so on. When encountering problems with GlassFish, MQ or the Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.
In most cases installation is simply extracting the archive to the desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server:
1. Download and install JDK 1.6.x. Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command. (Once the installation is verified, running the domain under a dedicated unprivileged account rather than root is preferable.)
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps.
Note: The imqusermgr command creates users in the file-system based user repository and can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials used by imqcmd are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details or contact the Luminis Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired. The default admin/admin credentials should be changed on any broker reachable from the network:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676; the MQ then advertises the ports to use for the other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer static ports, both the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
When writing the firewall rules, open only the jms (and ssljms) ports to the LMG and Luminis hosts; the admin port and the portmapper on 7676 should be reachable from administrative hosts only, since the portmapper response above already discloses installation paths and the JMX URL to anyone who connects.
After the MQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the hostname change described in step 5.3), to confirm that the new static ports are in use:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
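Reading the advertised ports off the telnet output by eye is easy to get wrong, and the check is worth repeating after every domain restart. The following shell functions are an added example, not part of this guide or of the Open MQ tools: they parse a portmapper banner like the two shown above, look up the ports pinned in config.properties, and report any service that is still on an ephemeral port or on a port other than the pinned one. The banners and configuration text in the block are constructed samples modelled on the output above so that the check runs offline; fetch_portmapper, which uses nc(1), is the hypothetical live fetch.

```shell
# Added example (not part of the guide or of the Open MQ tooling): compare the
# ports the broker's portmapper advertises on 7676 with the static ports pinned
# in config.properties. SAMPLE_* are constructed samples modelled on the guide's
# telnet output; fetch_portmapper obtains the live banner with nc(1).

SAMPLE_EPHEMERAL='101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
cluster tcp CLUSTER 37453'

SAMPLE_STATIC='101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
cluster tcp CLUSTER 50627'

SAMPLE_CONFIG='imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576'

# fetch_portmapper HOST [PORT]: print the live banner (the broker closes the
# connection itself, so an empty write is enough)
fetch_portmapper() {
  printf '' | nc -w 3 "$1" "${2:-7676}"
}

# portmapper_port BANNER SERVICE: port advertised for SERVICE (4th column)
portmapper_port() {
  printf '%s\n' "$1" | awk -v svc="$2" '$1 == svc { print $4; exit }'
}

# config_port CONFIG KEY: value of KEY in config.properties text, or empty
config_port() {
  printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# check_static_ports BANNER CONFIG: 0 if admin and jms listen on the pinned
# ports, 1 (with one line per problem) if a port is unpinned or differs
check_static_ports() {
  rc=0
  for pair in 'admin imq.admin.tcp.port' 'jms imq.jms.tcp.port'; do
    svc=${pair%% *}
    key=${pair#* }
    want=$(config_port "$2" "$key")
    got=$(portmapper_port "$1" "$svc")
    if [ -z "$want" ]; then
      echo "$svc: $key not pinned in config.properties, broker picked $got"
      rc=1
    elif [ "$want" != "$got" ]; then
      echo "$svc: $key=$want but broker advertises $got (restart the domain?)"
      rc=1
    fi
  done
  return $rc
}

# Live use (config.properties path as in the guide):
#   check_static_ports "$(fetch_portmapper my-host.school.edu)" \
#     "$(cat <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties)"
# Demonstration on the constructed samples:
check_static_ports "$SAMPLE_EPHEMERAL" "$SAMPLE_CONFIG" || echo "ephemeral sample: ports not yet static"
check_static_ports "$SAMPLE_STATIC" "$SAMPLE_CONFIG" && echo "static sample: ports match config.properties"
```

The ephemeral sample fails both checks (the pinned values are not what the broker advertises), which is exactly the state before the domain restart; the static sample passes. Extend the pair list with 'ssljms imq.ssljms.tls.port' once the ssljms service is in imq.service.activelist.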
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.
If Luminis Platform was installed with the default setting of jmsenabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed and the JMS and admin services listed in imq.service.activelist within <glassfish-domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN. To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host attribute matches your FQDN, as in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any imqcmd commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB):
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration, PIDM <-> SPRIDEN ID mappings are in the SPRIDEN table, and PIDM <-> INB (Oracle) login mappings are in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP authentication layer is not needed beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely on the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication or SPRIDEN ID lookup against LDAP in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, trust the initial CAS ticket (as in the Luminis CAS login on port 8447) coupled with the assertion of the UDC ID in the configured cookie and header. Because INB and SSB act on that cookie or header, nothing in front of them may let a browser supply it directly: keep the configured name known only to the BEIS components and have the web tier drop any client-supplied copy.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or a proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications:
• Does the user have a mapping in GOBUMAP from the UDC ID to a valid PIDM, and does the user have a UDC ID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN such as o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base-dn. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. In $CP_ROOT/products/opends/bin, run the command as follows:
    dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter Use these values.
1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
    ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications.ldif" sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
    import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any user who does not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for INB channels such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server that hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, for example: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
    sqlplus /nolog
    connect general/general_password
    start banssodir
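The key rules given in step 3 (start in column 1, mix letters and numbers, at least eight characters, a length that is a multiple of eight, only the first 24 characters used) can be checked before the file is placed in KEY_DIR. The following Python checker is an added example, not code from this guide or from Banner; GOKKSSO's own parsing is not published here, so the space padding to 24 characters and the wording of the reported problems are assumptions. Note that the guide's placeholder key PASSWORD in step 3 would fail the letters-and-numbers rule as the rule is stated.

```python
"""Check an enckey file against the key rules stated for the GOKKSSO package.

Added example, not part of the Banner distribution. The padding character
(space) and the problem texts are assumptions made for this example.
"""
from __future__ import annotations

from pathlib import Path

KEY_BLOCK = 8        # DES consumes an 8-character key
KEY_MAX_USED = 24    # GOKKSSO reads at most 24 characters (room for DES3)


def check_enckey_text(raw: str) -> list[str]:
    """Return the list of rule violations for the file contents (empty list means OK)."""
    problems: list[str] = []
    first_line = raw.split("\n", 1)[0].rstrip("\r")
    # Rule: the key must start in column 1, so leading whitespace is an error.
    if first_line != first_line.lstrip():
        problems.append("key does not start in column 1")
    key = first_line.strip()
    if len(key) < KEY_BLOCK:
        problems.append("key shorter than 8 characters")
    if len(key) % KEY_BLOCK != 0:
        problems.append("key length is not a multiple of 8")
    if not any(ch.isalpha() for ch in key) or not any(ch.isdigit() for ch in key):
        problems.append("key must mix letters and digits")
    if any(ch.isspace() for ch in key):
        problems.append("key contains embedded whitespace")
    return problems


def effective_key(raw: str) -> str:
    """The 24 characters GOKKSSO would work with: first 24 of the key, padded (assumed: with spaces)."""
    key = raw.split("\n", 1)[0].strip()
    return key[:KEY_MAX_USED].ljust(KEY_MAX_USED)


def des_key(raw: str) -> str:
    """The eight characters the current DES encryption actually uses."""
    return effective_key(raw)[:KEY_BLOCK]


def check_enckey_file(path: str) -> list[str]:
    """Read an enckey file and apply the checks; a missing file is itself reported as a problem."""
    p = Path(path)
    if not p.is_file():
        return [f"enckey file not found: {path}"]
    return check_enckey_text(p.read_text())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "enckey"
    for problem in check_enckey_file(target) or ["enckey OK"]:
        print(problem)
```

Run it as `python check_enckey.py $BANNER_HOME/key_dir/enckey` (the script name is an assumption) before running banssodir.sql, so that a key rejected by the rules above is caught while it is still easy to change.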
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
    o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If a user's ID is the same in both systems, an entry in this location is neither necessary nor recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
    Luminis ID = jsmith
    Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
    Luminis ID = JoeSmith
    Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs differ from one another. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
    dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
    SCTSSOConfigString: jsmith
    objectClass: top
    objectClass: SCTSSOConfig
    description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
    cn: JoeSmith
2. Import the mapping file into the LDAP server:
    ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes are made to a particular mapping, you must restart the banportals OC4J before the mapping is read again.
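To make the precedence described under "Verify usermap mapping setup" (an explicit o=usermap entry wins; any other user gets the default Oracle ID, usually banproxy) and the sso_map.ldif layout from step 1 above concrete, the following Python is an added example, not code from this guide or from Banner. It renders a usermap entry, parses entries back, and resolves a Luminis ID the way proxyinfo.sql's answer is to be read. The default ID banproxy, the set of generic IDs treated as "no mapping found", and the rejection of DN-special characters in IDs are assumptions made for this example.

```python
"""Render, parse and resolve o=usermap entries as described in the setup guide.

Added example; not part of Banner or Luminis Platform. Defaults and the
generic-ID set below are assumptions drawn from the guide's wording.
"""
from __future__ import annotations

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "banproxy"                       # assumed default ("usually banproxy")
GENERIC_IDS = {"INTEGMGR", "WWW_USER", "BANPROXY"}   # assumed: IDs meaning "no mapping found"


def usermap_ldif(luminis_id: str, oracle_id: str) -> str:
    """Render one SCTSSOConfig entry in the layout of the guide's sso_map.ldif."""
    for value in (luminis_id, oracle_id):
        # Refuse DN/LDIF metacharacters so an ID cannot alter the DN or add attributes.
        if not value or any(ch in value for ch in ",=+<>#;\\\"\n"):
            raise ValueError(f"unsafe characters in id: {value!r}")
    return "\n".join([
        f"dn: cn={luminis_id},{USERMAP_BASE}",
        f"SCTSSOConfigString: {oracle_id}",
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        f"description: Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {oracle_id}",
        f"cn: {luminis_id}",
        "",
    ])


def parse_usermap_ldif(text: str) -> dict[str, str]:
    """Parse usermap entries into {luminis_id (lower-cased): oracle_id}.

    Only entries directly under USERMAP_BASE with objectClass SCTSSOConfig and a
    SCTSSOConfigString are accepted; cn is matched case-insensitively, as LDAP does.
    """
    mapping: dict[str, str] = {}
    suffix = "," + USERMAP_BASE.lower()
    for block in text.strip().split("\n\n"):
        attrs: dict[str, list[str]] = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dn = attrs.get("dn", [""])[0]
        if not dn.lower().endswith(suffix):
            continue  # e.g. the o=usermap container itself, or an unrelated entry
        rdn = dn[: -len(suffix)]
        classes = {v.lower() for v in attrs.get("objectclass", [])}
        oracle = attrs.get("sctssoconfigstring")
        if "sctssoconfig" not in classes or not oracle or not rdn.lower().startswith("cn="):
            continue
        mapping[rdn[3:].lower()] = oracle[0]
    return mapping


def resolve_oracle_id(luminis_id: str, mapping: dict[str, str]) -> tuple[str, bool]:
    """Return (oracle_id, explicit): an explicit usermap entry wins, else the default applies."""
    oracle = mapping.get(luminis_id.lower())
    if oracle is not None:
        return oracle, True
    return DEFAULT_ORACLE_ID, False


def looks_unmapped(oracle_id: str) -> bool:
    """How to read proxyinfo.sql output: a generic Oracle ID means no mapping was found."""
    return oracle_id.upper() in GENERIC_IDS


if __name__ == "__main__":
    entries = usermap_ldif("JoeSmith", "jsmith") + "\n" + usermap_ldif("kyle", "saisusr")
    table = parse_usermap_ldif(entries)
    for who in ("JoeSmith", "kyle", "jsmith"):
        oracle, explicit = resolve_oracle_id(who, table)
        print(f"{who:10} -> {oracle:10} {'(usermap)' if explicit else '(default)'}")
```

The check that matters operationally is the last one: a user whose Luminis and Banner IDs are already identical (jsmith above) needs no entry and resolves to the default, exactly the case the guide says should not be given a usermap entry.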
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value is displayed as the Default value for new users who log in to Banner.
Parameter       Description
BIND_PASSWORD   The password for the bind user. It is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER       A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.
DN              The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER          The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted as an LDAP URL, for example: ldap://myldapserver:389
                Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT     Usermap option. Valid values are as follows: L, the LoginID is being used for login mapping; N, no usermap option is used.
USERMAP_PRFX    Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
                Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter   Description
LOCATION    To configure SSL, a certificate wallet must be created on the Database Server using Wallet Manager. This parameter points to the physical location on the server where the wallet is created. It uses the file URL format. For example: file:d:\wallet for Windows, file:/u01/wallet for Unix.
PASSWORD    The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE        The SSL authentication mode, one of the following values: 1, no authentication is required (SSL encryption only); 2, one-way authentication is required, the client certificate is authenticated by the server; 3, two-way authentication is required, the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have a CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions for which an extension file is listed below.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
    SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
    SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
    jsr173_1.0_api.jar
    sghe_udc_identity_xmlbeans_binding.jar
    sghe-cas-ext.jar
    xbean.jar
    xercesImpl.jar
    xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
    <servlet-mapping>
      <servlet-name>cas</servlet-name>
      <url-pattern>/bannerValidate</url-pattern>
    </servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry inside the util:map element with id="uniqueIdGeneratorsMap":
    <util:map id="uniqueIdGeneratorsMap">
      <entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
    <bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
    </bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
    <util:list id="argumentExtractors">
      <ref bean="BannerArgumentExtractor" />
      <ref bean="casArgumentExtractor" />
      <ref bean="samlArgumentExtractor" />
    </util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following XML configuration:
    <bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
      p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:proxyHandler-ref="proxy20Handler"
      p:argumentExtractor-ref="BannerArgumentExtractor"
      p:successView="bannerAccountServiceSuccessView"
      p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
    <prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
    <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="query" value="(uid={0})" />
      <property name="contextSource" ref="contextSource" />
      <property name="ldapAttributesToPortalAttributes">
        <map>
          <!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
          <entry key="uid" value="uid" />
          <entry key="udcid" value="UDC_IDENTIFIER" />
          <entry key="cn" value="cn" />
          <entry key="givenname" value="Formatted Name" />
          <entry key="mail" value="EmailAddress" />
        </map>
      </property>
    </bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
    <property name="authenticationMetaDataPopulators">
      <list>
        <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
          <property name="template" ref="LdapTemplate" />
          <property name="netIdAttr" value="uid" />
          <property name="baseDN" value="ou=People,o=cp" />
          <property name="casTokenAttributes">
            <map>
              <entry>
                <key><value>udcid</value></key>
                <value>UDC_IDENTIFIER</value>
              </entry>
            </map>
          </property>
        </bean>
      </list>
    </property>
4.5.3 Add the following bean definitions under the beans root element:
    <bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
      <property name="contextSource" ref="contextSource"></property>
    </bean>
    <bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
      <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
    </bean>
    <bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
      <property name="template" ref="LdapTemplate"></property>
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="samlToLdapAttributeNameMap">
        <map>
          <entry key="UDC_IDENTIFIER" value="udcid" />
          <entry key="Formatted Name" value="sn" />
        </map>
      </property>
    </bean>
    <bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
    # Banner Applications Views
    bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
    bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define the CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To raise banportals logging on the application server side, set the verbosity in the following file:
    $OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
    log4j.appender.stdout=org.apache.log4j.ConsoleAppender
    log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
    log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
    log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
    log4j.appender.logfile.append=True
    log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
    log4j.appender.logfile.MaxBackupIndex=10
    log4j.appender.logfile.MaxFileSize=1MB
    log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
    log4j.appender.logfile=org.apache.log4j.RollingFileAppender
    log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
    $CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties, stored in the following location:
    $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
    log4j.logger.com.sct.banner.portals=DEBUG, file
    log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
    $OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
    [/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name "*.log"
    ./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
    ./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
    ./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
    ./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
    ./log/identity_data_export_utilities.log
    ./log/BEIS_default_island_1/default-web-access.log
    ./log/BEIS_default_island_1/server.log
    ./log/BEIS_default_island_1/global-application.log
    ./log/BEIS_default_island_1/rmi.log
    ./log/BEIS_default_island_1/jms.log
    ./log/spml_publisher_failure.log
    ./log/sqlnet.log
For HTTP-layer monitoring, refer to the logs in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify particular JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
    /opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
    # JMS Appender
    log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
    log4j.appender.jms=org.apache.log4j.RollingFileAppender
    log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
    log4j.appender.jms.layout=org.apache.log4j.PatternLayout
    log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
    log4j.appender.jms.MaxFileSize=10MB
    log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once an event has been processed in Banner and its status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) in the LMG log files.
The main LMG log files are as follows:
    $SCT_LMG_HOME/Events/logs/adapter.log
    $SCT_LMG_HOME/Events/logs/ldi_event_data.log
    $SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
    log4j.rootCategory=DEBUG
    log4j.category.com=DEBUG, out
    log4j.category.com.sctcorp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
    2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
    2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
    2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
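To turn the correlation described above (GOAEQRM Event Sequence equals the event ID in adapter.log) into a repeatable check, the following Python is an added example, not part of the guide or of LMG. It parses lines laid out like the three example lines above, records which stage each event reached (validated, published to the broker, published to a topic), and compares that with the GOAEQRM status. The sample log embedded in the code is constructed from the guide's three lines plus a made-up event 370661 that validates but is never published; the line-layout regex and the diagnosis texts are assumptions.

```python
"""Correlate LMG adapter.log lines with GOAEQRM event state.

Added example; the log layout regex and diagnosis wording are assumptions,
and SAMPLE_LOG is constructed (the first three lines follow the guide's example).
"""
from __future__ import annotations

import re

# Assumed layout of a line: "<date> <time> [<thread>] <LEVEL> <logger> - <message>"
LMG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)
# Message shapes taken from the guide's example lines.
VALIDATED = re.compile(r"XML for (\d+) is a valid document")
PUBLISHED_BROKER = re.compile(r"Message (\d+) published to Luminis Message Broker")
PUBLISHED_TOPIC = re.compile(r"The event (\d+) has been published to (\S+)")

SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,004 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
this line is not in log4j layout and is skipped
"""


def parse_lmg_log(text):
    """Return {event_id: {"validated", "published", "topic", "last_seen"}} from adapter.log text."""
    events = {}
    for line in text.splitlines():
        m = LMG_LINE.match(line)
        if not m:
            continue  # not a log4j-layout line (stack traces, wrapped output)
        msg = m.group("msg")
        for pattern, key in ((VALIDATED, "validated"),
                             (PUBLISHED_BROKER, "published"),
                             (PUBLISHED_TOPIC, "topic")):
            hit = pattern.search(msg)
            if not hit:
                continue
            ev = events.setdefault(hit.group(1), {"validated": False, "published": False,
                                                  "topic": None, "last_seen": None})
            if key == "topic":
                ev["topic"] = hit.group(2)
            else:
                ev[key] = True
            ev["last_seen"] = m.group("ts")
    return events


def check_event(event_seq, goaeqrm_status, events):
    """Compare the GOAEQRM status of an Event Sequence with what LMG logged for it."""
    ev = events.get(str(event_seq))
    if goaeqrm_status != 2:
        return "not processed in Banner yet (GOAEQRM status != 2); nothing expected in LMG logs"
    if ev is None:
        return "processed in Banner but absent from LMG logs; check that LMG is running and polling"
    if not ev["validated"]:
        return "seen by LMG but XML never validated; check ldi_event_data.log for the payload"
    if not ev["published"] or ev["topic"] is None:
        return "validated but not published to the Luminis Message Broker; check broker connectivity and jms.log"
    return f"published to {ev['topic']} at {ev['last_seen']}"


if __name__ == "__main__":
    parsed = parse_lmg_log(SAMPLE_LOG)
    for seq in (370660, 370661, 370662):
        print(seq, "->", check_event(seq, 2, parsed))
```

In practice the text passed to parse_lmg_log is the contents of $SCT_LMG_HOME/Events/logs/adapter.log, and the status argument is the value read from GOAEQRM for the Event Sequence in question.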
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
    imq.log.level=DEBUG
3. To change the destination directory or filename for the MQ log, add or edit the following properties:
    imq.log.file.dirpath=/opt/luminis/logs
    imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. They include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
    --------------------------------------------------------------
    -- PROXYINFO.SQL
    --------------------------------------------------------------
    -- This script can be used to determine what Oracle ID is
    -- connected to a specific Luminis ID. When run, it will
    -- prompt you to enter a Luminis ID. If a generic Oracle ID
    -- such as INTEGMGR or WWW_USER is returned, then there was
    -- no mapping found and the default is used.
    --------------------------------------------------------------
    --------------------------------------------------------------
    -- Program Usage
    -- ___________________________________________________________
    -- To use the program:
    -- 1) login to SQL as BANINST1
    -- 2) Type "start proxyinfo"
    --    to run the program
    --------------------------------------------------------------
    --------------------------------------------------------------
    -- Audit Trail 1.0
    -- ___________________________________________________________
    -- 1. Initial Release - NON-SUPPORTED PROCESS      TH 07-JUN-06
    --
    -- Audit Trail 1.1
    -- ___________________________________________________________
    -- 1. Update                                        TH 06-APR-07
    --    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
    --------------------------------------------------------------
    set serveroutput on scan on
    spool proxyinfo.lst
    declare
      a varchar2(200) := 'CHANNEL';      -- application context passed to the proxy lookup
      b varchar2(200) := 'LUMINIS';      -- identity source
      c varchar2(200) := '&Luminis_ID';  -- SQL*Plus prompts for the Luminis ID here
      d varchar2(200);                   -- OUT: Oracle user resolved for the Luminis ID
      e varchar2(200);                   -- OUT: role
      f varchar2(200);                   -- OUT: password (not printed)
      z varchar2(200);
    begin
      dbms_output.put_line('Call G$_Get_Proxy_Info');
      gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
      dbms_output.put_line(' Role: ' || e);
      --dbms_output.put_line(' PWD: ' || f);
      dbms_output.put_line(' Luminis User: ' || c);
      dbms_output.put_line(' Oracle User: ' || d);
    end;
    /
    spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
    attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
    attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. After importing the following LDIF, 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
    dn: cn=Schema
    changetype: modify
    add: attributetypes
    attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

    dn: cn=Schema
    changetype: modify
    add: objectclasses
    objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
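As an added example (not part of this guide or of the Luminis product), the following Python script parses an LDIF like the one above, follows the cn=UserMapDN pointer to the user-map container, and lists Oracle accounts that more than one Luminis principal maps to, which is what an access reviewer wants to see before granting those accounts INB or BANPROXY rights. The embedded LDIF is a constructed copy of the sample entries above (one description base64-encoded and one folded, to exercise both LDIF forms); the shared-account check is the example's own addition.

```python
"""Parse o=sctssoapplications.ldif-style user maps (added example, not the
guide's own code). Resolves the UserMapDN pointer and reports Oracle accounts
reached by more than one Luminis principal."""
import base64
import re

# Constructed copy of the guide's sample entries; the kyle description is
# base64 encoded to exercise the "attr::" form, and one description is folded.
_KYLE_DESC = base64.b64encode(b"Map of kyle to saisusr").decode("ascii")
SAMPLE_LDIF = f"""\
version: 1

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description:: {_KYLE_DESC}
SCTSSOConfigString: saisusr
"""

# attribute name, ":" or "::" (base64), optional single space, value
_ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)[ ]?(.*)$")


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] for each record in text.

    Handles folded lines (continuation lines begin with one space), comments,
    the version line and base64 values ("attr:: <b64>"). DNs with escaped
    commas are not handled; the guide's entries do not need them.
    """
    unfolded = re.sub(r"\n ", "", text)          # join folded continuation lines
    records = []
    for block in re.split(r"\n[ \t]*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#") or line.startswith("version:"):
                continue
            m = _ATTR_LINE.match(line)
            if m is None:
                raise ValueError(f"malformed LDIF line: {line!r}")
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is None and not attrs:
            continue                              # block holding only "version: 1"
        if dn is None:
            raise ValueError(f"record without dn: {block!r}")
        records.append((dn, attrs))
    return records


def load_usermap(records):
    """Follow cn=UserMapDN to the map container; return {luminis_user: oracle_user}."""
    by_dn = {dn.lower(): attrs for dn, attrs in records}
    cfg = by_dn.get("cn=usermapdn,o=config,o=banner,o=sctssoapplications")
    if cfg is None:
        raise LookupError("cn=UserMapDN configuration entry not found")
    map_base = cfg["sctssoconfigstring"][0].lower()
    usermap = {}
    for dn, attrs in records:
        parent = dn.partition(",")[2].lower()    # DN minus its first RDN
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if parent == map_base and "sctssoconfig" in classes:
            usermap[attrs["cn"][0]] = attrs["sctssoconfigstring"][0]
    return usermap


def shared_oracle_accounts(usermap):
    """Oracle users reached by more than one Luminis principal; a shared
    target account blurs accountability in the Banner audit trail."""
    targets = {}
    for luminis_user, oracle_user in usermap.items():
        targets.setdefault(oracle_user, []).append(luminis_user)
    return {o: sorted(u) for o, u in targets.items() if len(u) > 1}


if __name__ == "__main__":
    usermap = load_usermap(parse_ldif(SAMPLE_LDIF))
    print(usermap)
    print(shared_oracle_accounts(usermap))
```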
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in “Set up users and administered objects in o=messaging” on page 3-3 is listed below.
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc; general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable.
#   err=0  : no error
#   err=20 : generally means "Attribute or Value Exists"
#   err=68 : generally means "Entry Already Exists"
# 20 and 68 are not necessarily errors; they might indicate the script already ran.
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      0 ) break ;;
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break 2 ;;
          * )   echo "Failed on step $STEPNO with error $ERRORCODE"
                exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start: does $OPENDS_DIR exist and is it writable?
if [ ! -d "$OPENDS_DIR" ] || [ ! -w "$OPENDS_DIR" ]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for the Directory Manager password
echo "Enter the Directory Manager password for DS additions/mods:"
stty -echo
read DM_PASSWORD
stty echo
echo

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Note: -w places the password on the command line, where other local users can
# read it from the process list, and --trustAll skips server certificate checks;
# the OpenDS tools also accept --bindPasswordFile for a file-based password.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"

# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin || exit 1
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 2
# Ensure that pre-encoded passwords are allowed
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 3
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))
# If you want to insert a pre-encoded userPassword, the LDIF format would be:
#   userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# Define JNDI options for the imqobjmgr commands.
# Note: this binds as Directory Manager over the plain LDAP port, so the password
# crosses the wire unencrypted; the script assumes OpenDS is on the same host.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
# The JNDI names are single-quoted so the shell does not expand the "$" in them.
cd $MQ_HOME/bin || exit 1
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the destination name must match the queue created by imqcmd above)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
STEPNO=$((STEPNO + 1))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that banproxy is not configured properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following “connect through” grant is required for all non-INB users:
SQL> alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, run as bansecr, described in “Sample proxyinfo.sql script” on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as “SOAPException: faultCode=INVALID SOAP RESPONSE” in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide's version is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
3 Data-Level Integration and Provisioning
Data-level integration and provisioning are associated with eLearning 8.0 and LDI integration, including XML imports and the event-driven infrastructure.
This chapter discusses the following sections:
• “Learning Message Gateway”
• “Configure JMS provider with Luminis Platform”
Learning Message Gateway
The Learning Management Gateway (LMG) is an architectural component designed for use with, and in support of, Banner Integration for eLearning.
This section explains the following topics:
• “Background from a Luminis Platform 4 perspective”
• “Install LMG 4.0”
• “Set up users and administered objects in o=messaging”
• “Enable LDAP user repository for MQ”
• “Set up GlassFish MQ access control”
• “Custom JMS Clients”
Background from a Luminis Platform 4 perspective
Luminis Platform 4 and the standalone Luminis Message Broker (LMB) 4 include some JMS/MQ-wrapper code. Utilities such as the mbtool command-line utility and the tomcat-mb Web server (which provided an HTTP interface for administration) were part of this package. In Luminis Platform 5 these components have been deprecated in favor of the vendor-specific tools included with each JMS provider. Luminis Platform 5 runs in the Liferay Enterprise Spring-Framework Application Server context, which contains native JMS-client connectivity by default. In addition, the JMS-provider middleware has been decoupled from the Luminis-specific portal and administration tools.
Any JMS-compliant provider can be configured to work with eLearning integration, but the option selected by SunGard Higher Education for eLearning-related testing and verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish OpenMQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the …/imq/instances/imqbroker directory structure (including props/config.properties and etc/accesscontrol.properties), and so on.
You may use the older LMB 4.0. Luminis Platform does not depend on a specific JMS provider, but SunGard Higher Education recommends you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the OpenMQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. Verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where the Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows:
mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following to the .bash_profile for your LUMADMIN user:
SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway; export SCT_LMG_HOME
3. Copy the lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgX.x.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may appear as follows:
java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that OpenDS LDAP runs on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of opends before executing it is recommended.
The full script is listed in “Full lp5_mqinit.sh script” on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects, such as topics, queues and connection factories, in $OPENDS_MQ_BASEDN (generally o=messaging). The properties include the following:
• Environmental settings include the following:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist, as follows:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes, as follows:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port and MQ_SSLJMS_PORT should match im.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, then use the imq.portmapper.port, which has a default value of 7676.
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations, include the following:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update the <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the latter imq.log.level to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis:
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
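As an added example (not the guide's or Open MQ's code), the following Python script reads an accesscontrol.properties rule set like the one above and answers "may this user do this action on this destination?", builds a per-user privilege matrix for review, and flags wildcard allows. It models only the user-level allow/deny rules, with deny beating allow and no matching rule meaning denied; group rules and the broker's built-in defaults are not modelled, so it is a conservative review aid rather than a reproduction of the broker's own evaluation. The embedded rule set is a constructed copy of the sample above plus two marked lines.

```python
"""Evaluate Open MQ accesscontrol.properties user rules (added example, not the
guide's or Open MQ's code). Only "*.allow.user" / "*.deny.user" rules are
modelled; group rules and the broker's built-in defaults are not, so an action
with no matching rule is reported as denied. That is a conservative reading for
reviewing a rule set, not a reproduction of the broker's own evaluation."""
from collections import defaultdict

# Constructed copy of the guide's sample, plus two marked lines that show a
# deny overriding an allow and a wildcard allow the review should flag.
SAMPLE_ACL = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
# constructed: an explicit deny wins over any allow for this principal
topic.com_sct_ldi_sis_Sync.produce.deny.user=guest
# constructed: a wildcard allow that a least-privilege review should flag
queue.com_sct_ldi_sis_UpdateReply.consume.allow.user=*
"""


def parse_acl(text):
    """Return {(kind, name, action): {"allow": set, "deny": set}}.

    kind is "queue", "topic" or "connection"; for connection rules the name is
    the service type (ADMIN/NORMAL) and the action is "connect".
    """
    rules = defaultdict(lambda: {"allow": set(), "deny": set()})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        if parts[0] == "connection" and len(parts) == 4:
            kind, name, action, verb, who = "connection", parts[1], "connect", parts[2], parts[3]
        elif parts[0] in ("queue", "topic") and len(parts) >= 5:
            kind, name = parts[0], ".".join(parts[1:-3])  # destination names may contain dots
            action, verb, who = parts[-3:]
        else:
            raise ValueError(f"unrecognised rule key: {key!r}")
        if who != "user" or verb not in ("allow", "deny"):
            continue                                      # group rules are outside this model
        rules[(kind, name, action)][verb].update(u.strip() for u in value.split(","))
    return dict(rules)


def is_allowed(rules, user, kind, name, action):
    """Deny beats allow; '*' matches any user; no rule at all means denied here."""
    rule = rules.get((kind, name, action))
    if rule is None:
        return False
    if user in rule["deny"] or "*" in rule["deny"]:
        return False
    return user in rule["allow"] or "*" in rule["allow"]


def privilege_matrix(rules):
    """{user: sorted ["kind:name:action", ...]} of effective allows, for review."""
    matrix = defaultdict(set)
    for (kind, name, action), rule in rules.items():
        for user in rule["allow"]:
            if user != "*" and is_allowed(rules, user, kind, name, action):
                matrix[user].add(f"{kind}:{name}:{action}")
    return {u: sorted(v) for u, v in matrix.items()}


def wildcard_allows(rules):
    """Rules whose allow list contains '*': every authenticated user would pass."""
    return sorted(k for k, r in rules.items() if "*" in r["allow"])


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for user, grants in privilege_matrix(acl).items():
        print(user, grants)
    print("wildcard allows:", wildcard_allows(acl))
```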
Custom JMS Clients
Ensure your JMS clients contain the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish/MQ/Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server:
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2 Download and install the GlassFish Server 31 which includes Open MQ GlassFish downloads and documentation are located at the following URL
httpglassfishjavanet
For documentation on subsequent GlassFish Server 3x Open Source Edition releases greater than 31 refer to the link above
Use the following steps to configure GlassFish and MQ
21 Before running asadmin for both non-SSL and SSL setups complete the following steps
NoteEdit the port numbers in domainxml glassfishv3domainsdomain1configdomainxml as needed If installing on the same server as Luminis Platform you may need to change 8080 to 8081 for example since it is used by WebCache
22 Once the GlassFish archive is extracted to ltGLASSFISH_HOMEgt (such as optglassfishv3) while logged in as root start the GlassFish server from ltGLASSFISH_HOMEgtbin using the following command
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps.
Note: The imqusermgr command creates users in the file-system based user repository, but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details, or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
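To verify the portmapper response without reading it by eye, the following Python helper (an added example, not part of this guide) connects to the broker's portmapper port, parses the service table shown above and reports any service whose advertised port differs from the static assignment you configured. The embedded sample response is constructed from the output above; the host name and the expected ports are assumptions.

```python
import socket

# Static ports configured in config.properties (the values used in this guide's example).
EXPECTED_STATIC_PORTS = {"admin": 7574, "jms": 7575}

# Constructed sample of a portmapper response, modelled on the telnet output above.
# The jms port is deliberately still ephemeral so the check has something to report.
SAMPLE_RESPONSE = """101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://broker.example.edu/jndi/rmi://broker.example.edu:8686/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""


def parse_portmapper(text):
    """Parse the broker's portmapper table into {service: (protocol, type, port)}.

    The first line ("101 imqbroker 4.5") carries the protocol version, broker name
    and broker version; every following line is "name protocol type port [options]".
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("101 "):
        raise ValueError("not a portmapper response: %r" % (lines[:1],))
    services = {}
    for line in lines[1:]:
        fields = line.split(None, 4)   # the [...] options may contain spaces; keep them whole
        if len(fields) < 4:
            continue
        name, proto, kind, port = fields[:4]
        services[name] = (proto, kind, int(port))
    return services


def check_static_ports(services, expected=EXPECTED_STATIC_PORTS):
    """Return a list of (service, configured, advertised) tuples, one per mismatch.

    An advertised port of 0 means the service is inactive; any other value that
    differs from the configured one means the broker is still handing out an
    ephemeral port (the config.properties change was not picked up).
    """
    problems = []
    for name, want in expected.items():
        got = services.get(name, (None, None, None))[2]
        if got != want:
            problems.append((name, want, got))
    return problems


def fetch_portmapper(host, port=7676, timeout=5.0):
    """Connect to the portmapper and read until the broker closes the connection.

    Assumption (it matches the telnet behaviour shown above): the broker sends the
    table as soon as the connection opens and then closes it; nothing is written.
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


if __name__ == "__main__":
    # Offline run against the constructed sample; for a live broker use
    # parse_portmapper(fetch_portmapper("broker.example.edu")) instead.
    for name, want, got in check_static_ports(parse_portmapper(SAMPLE_RESPONSE)):
        print("%s: configured %s, broker advertises %s" % (name, want, got))
```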
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.
If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled within the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on the HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfishdomain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN-ID lookup against LDAP involved in the SSO transaction. Instead, bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via /banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in Luminis-CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or by proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP for his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with the b_0110_twb8030001, or Web Tailor 8.2 with the b_0110_twb8020001. Otherwise, the bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control-panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless the LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, click the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the dsconfig command from $CP_ROOT/products/opends/bin as follows:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter Use these values.
1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications.ldif" sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, it indicates that no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here, and for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Please note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID to an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key or password to perform the encryption.
Note: During your Banner installation or upgrade, you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as mkdir $BANNER_HOME/key_dir.
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
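As an added example that is not part of this guide, the following Python function applies the enckey rules listed in step 3 (starts in column 1, combines letters and numbers, at least eight characters, length a multiple of eight, only the first 24 characters used) to the contents of a candidate enckey file, so the key can be checked before banssodir.sql registers the directory. The sample keys are constructed; the padding character GOKKSSO uses is not stated in the guide and is not modelled here.

```python
import re

MIN_LEN = 8          # DES uses the first eight characters
USED_LEN = 24        # GOKKSSO reads at most 24 characters (DES3-ready)


def check_enckey(contents):
    """Check the text of an enckey file against the guide's rules.

    Returns (effective_key, errors, warnings). effective_key is the first
    USED_LEN characters of the first line, or None when a hard error was found.
    Hard errors: empty file, key not in column 1, fewer than MIN_LEN characters,
    length not a multiple of MIN_LEN. Warnings: letters-only or digits-only key,
    and a key longer than USED_LEN (the tail is silently ignored by GOKKSSO).
    """
    errors, warnings = [], []
    first_line = contents.split("\n", 1)[0].rstrip("\r")
    if not first_line:
        return None, ["enckey file is empty"], warnings
    if first_line[0].isspace():
        errors.append("key must start in column 1 (leading whitespace found)")
    key = first_line.strip()
    if len(key) < MIN_LEN:
        errors.append("key has %d characters; at least %d are required" % (len(key), MIN_LEN))
    elif len(key) % MIN_LEN != 0:
        errors.append("key length %d is not a multiple of %d" % (len(key), MIN_LEN))
    if not (re.search(r"[A-Za-z]", key) and re.search(r"[0-9]", key)):
        warnings.append("key should combine letters and numbers")
    if len(key) > USED_LEN:
        warnings.append("only the first %d characters will be used" % USED_LEN)
    if errors:
        return None, errors, warnings
    return key[:USED_LEN], errors, warnings


def is_valid_enckey(contents):
    """True when check_enckey reports no hard errors."""
    return check_enckey(contents)[0] is not None


if __name__ == "__main__":
    # Constructed sample file contents (not real keys).
    for sample in ("Abc12345\n", "PASSWORD\n", " Abc12345\n", "short1\n",
                   "Abc12345Def67890Ghi12345Jkl67890\n"):
        key, errs, warns = check_enckey(sample)
        print(repr(sample), "->", key, errs, warns)
```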
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP Server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping can be read accordingly.
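To generate usermap entries for many users at once, and to check offline how a given Luminis ID would resolve, here is an added Python example (not code from this guide). It writes one SCTSSOConfig entry per differing ID pair in the LDIF shape shown in step 1 above, skips users whose IDs already match (the guide says such entries are neither necessary nor recommended), and resolves a Luminis ID the way the proxyinfo.sql section describes: an explicit mapping first, otherwise the default Oracle ID. The user names and the banproxy default are constructed sample values.

```python
USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"

# Constructed sample: Luminis logon ID -> Oracle/INB login name.
SAMPLE_MAPPINGS = {
    "JoeSmith": "jsmith",   # differs: needs a usermap entry
    "jsmith": "jsmith",     # identical: no entry (not necessary or recommended)
    "MaryJones": "mjones",  # differs: needs a usermap entry
}


def usermap_entry(luminis_id, oracle_id):
    """One SCTSSOConfig entry, in the same shape as sso_map.ldif above."""
    return "\n".join([
        "dn: cn=%s,%s" % (luminis_id, USERMAP_BASE),
        "SCTSSOConfigString: %s" % oracle_id,
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        "description: Map of Luminis ID - %s to Banner/Oracle ID - %s" % (luminis_id, oracle_id),
        "cn: %s" % luminis_id,
    ])


def build_usermap_ldif(mappings):
    """Return LDIF text with one entry per pair whose IDs differ, in sorted order."""
    entries = [usermap_entry(lum, ora)
               for lum, ora in sorted(mappings.items()) if lum != ora]
    return "\n\n".join(entries) + ("\n" if entries else "")


def parse_usermap_ldif(ldif_text):
    """Read usermap entries back into {luminis_id: oracle_id}.

    Only entries directly under USERMAP_BASE carrying objectClass SCTSSOConfig
    are accepted; anything else in the file is ignored.
    """
    result = {}
    for block in ldif_text.strip().split("\n\n"):
        attrs, classes = {}, set()
        for line in block.splitlines():
            if ": " not in line:
                continue
            name, value = line.split(": ", 1)
            if name == "objectClass":
                classes.add(value)
            else:
                attrs[name] = value
        dn = attrs.get("dn", "")
        if "SCTSSOConfig" not in classes or not dn.lower().endswith("," + USERMAP_BASE.lower()):
            continue
        if "cn" in attrs and "SCTSSOConfigString" in attrs:
            result[attrs["cn"]] = attrs["SCTSSOConfigString"]
    return result


def resolve_oracle_id(luminis_id, usermap, default="banproxy"):
    """An explicit usermap entry wins; otherwise the default Oracle ID is used."""
    return usermap.get(luminis_id, default)


if __name__ == "__main__":
    ldif = build_usermap_ldif(SAMPLE_MAPPINGS)
    print(ldif)
    usermap = parse_usermap_ldif(ldif)
    for who in ("JoeSmith", "jsmith", "nobody"):
        print(who, "->", resolve_oracle_id(who, usermap))
```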
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access the GUAUPRF form.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value will display in the Default value for new users who log in to Banner.
Parameter       Description
BIND_PASSWORD   The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER       A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine if users exist.
DN              The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER          The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using Internet URL format for LDAP, such as the following example: ldap://myldapserver:389
                Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT     Usermap option. Valid values are as follows:
                L - LoginID is being used for login mapping
                N - No usermap option is used
USERMAP_PRFX    Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
                Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter   Description
LOCATION    To configure SSL, a certificate wallet must be created on the Database Server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows:
            file:d:\wallet for Windows
            file:/u01/wallet for Unix
PASSWORD    The password to the wallet is stored using DES encryption, using the key you created in a previous step.
MODE        The SSL authentication mode can be one of the following values:
            1 - No authentication is required (SSL encryption only)
            2 - One-way authentication is required; the client certificate is authenticated by the server
            3 - Two-way authentication is required; the client and the server authenticate each other's certificates
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports CAS versions
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry inside the existing <util:map id="uniqueIdGeneratorsMap"> element:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to util:list - argumentExtractors:
<util:list id="argumentExtractors">
    <ref bean="BannerArgumentExtractor" />
    <ref bean="casArgumentExtractor" />
    <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
    p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
    p:centralAuthenticationService-ref="centralAuthenticationService"
    p:proxyHandler-ref="proxy20Handler"
    p:argumentExtractor-ref="BannerArgumentExtractor"
    p:successView="bannerAccountServiceSuccessView"
    p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="query" value="(uid={0})" />
    <property name="contextSource" ref="contextSource" />
    <property name="ldapAttributesToPortalAttributes">
        <map>
            <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
            <entry key="uid" value="uid" />
            <entry key="udcid" value="UDC_IDENTIFIER" />
            <entry key="cn" value="cn" />
            <entry key="givenname" value="Formatted Name" />
            <entry key="mail" value="EmailAddress" />
        </map>
    </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
    <list>
        <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
            <property name="template" ref="LdapTemplate" />
            <property name="netIdAttr" value="uid" />
            <property name="baseDN" value="ou=People,o=cp" />
            <property name="casTokenAttributes">
                <map>
                    <entry>
                        <key><value>udcid</value></key>
                        <value>UDC_IDENTIFIER</value>
                    </entry>
                </map>
            </property>
        </bean>
    </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
    <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
    <property name="template" ref="LdapTemplate"></property>
    <property name="netIdAttr" value="uid" />
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="samlToLdapAttributeNameMap">
        <map>
            <entry key="UDC_IDENTIFIER" value="udcid" />
            <entry key="Formatted Name" value="sn" />
        </map>
    </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the logs under $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will, which take effect after the next restart of that component.
GlassFish/MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit the imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
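To trace whether a particular GOAEQRM event made it through LMG, here is an added Python example (not from this guide) that reads adapter.log-style lines like the three above and records, per event ID, which of the three stages (validated, published to the Luminis Message Broker, published to a destination) it reached, so that events stuck before the broker stand out. The log lines below are constructed after the sample above; event 370661 is invented to show an incomplete event.

```python
import re

# Constructed sample in the shape of the adapter.log lines shown above.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,113 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,120 [Thread-1] WARN events.com.sctcorp.events.MessageAdapter - some unrelated message
"""

# "timestamp [thread] LEVEL logger - message", as written by the log4j layout above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>\w+) (?P<logger>\S+) - (?P<msg>.*)$")

# One pattern per stage, in the order an event passes through LMG.
STAGES = [
    ("validated", re.compile(r"^XML for (?P<id>\d+) is a valid document$")),
    ("brokered", re.compile(r"^Message (?P<id>\d+) published to Luminis Message Broker$")),
    ("delivered", re.compile(r"^The event (?P<id>\d+) has been published to (?P<dest>\S+)$")),
]


def parse_line(line):
    """Split one log line into its fields, or return None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def event_progress(log_text):
    """Map event ID -> {stage: timestamp, ..., 'destination': name}."""
    progress = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for stage, pat in STAGES:
            m = pat.match(rec["msg"])
            if not m:
                continue
            entry = progress.setdefault(m.group("id"), {})
            entry[stage] = rec["ts"]
            if stage == "delivered":
                entry["destination"] = m.group("dest")
    return progress


def stalled_events(progress):
    """Sorted IDs of events that did not reach every stage (e.g. validated but never brokered)."""
    names = [s for s, _ in STAGES]
    return sorted(eid for eid, st in progress.items()
                  if not all(n in st for n in names))


if __name__ == "__main__":
    prog = event_progress(SAMPLE_LOG)
    for eid in sorted(prog):
        print(eid, prog[eid])
    print("stalled:", stalled_events(prog))
```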
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• “Sample proxyinfo.sql script”
• “Sample 00-core.ldif”
• “Sample 99-user.ldif”
• “Sample sso_oclass_lum5.ldif”
• “Sample o=sctssoapplications.ldif”
• “Full lp5_mqinit.sh script”
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS      TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                       TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on
set scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- SQL*Plus prompts for the Luminis ID here
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: '||e);
  --dbms_output.put_line(' PWD: '||f);
  dbms_output.put_line(' Luminis User: '||c);
  dbms_output.put_line(' Oracle User: '||d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in “Sample o=sctssoapplications.ldif” on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in “Set up users and administered objects in o=messaging” on page 3-3 is listed below.
#!/bin/bash
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc, general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"
#
# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389
# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0
# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means Attribute or Value Exists
      # err=68 generally means Entry Already Exists
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit ;;
        esac
        # Shouldn't ever get here, but just in case (no pun intended)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit ;;
    esac
  done
}
# Step 0.1
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d $OPENDS_DIR ) || ! ( -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit
fi
# Step 0.2
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD
# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"
# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format (base64 LDIF value) would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (imqDestinationName must name the UpdateRequest queue itself)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (imqDestinationName must name the UpdateReply queue itself)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following “connect through” grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, run as bansecr, described in “Sample proxyinfo.sql script” on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the webservices configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as “SOAPException: faultCode=INVALID SOAP RESPONSE” in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions or the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide's version is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
verification is the GlassFish Server Open Source Edition 3.1 application server, which includes MQ 4.5.
GlassFish MQ 4.5 is the modern generation of the same MQ technology that was provided with LMB 4.0. The 4.5 version of GlassFish Open MQ runs natively against the latest JVM, whereas LMB 4.0 runs on the 1.4 JVM. Mbtool and the tomcat-mb interface have been deprecated. However, Luminis/LMB 4.x administrators will be familiar with the MQ-specific command-line utilities and configuration files, such as imqbrokerd, imqcmd, the …/imq/instances/imqbroker directory structure including props/config.properties and etc/accesscontrol.properties, and so on.
You may use the older LMB 4.0; Luminis Platform does not depend on a specific JMS provider, but SunGard Higher Education recommends you use the new technology provided with the GlassFish enterprise server, which is more actively supported by the Open MQ community in general. In this document it is assumed that eLearning integration for Luminis 5 and Banner will use GlassFish Enterprise Server 3.x with MQ 4.4.x.
The LMG installation remains virtually the same as it was for LMG 4.0. Create the $SCT_LMG_HOME and run the executable JAR file with parameters to create the directory structure and configuration files, as described below and in the Banner LMG installation guide.
The differences required for Luminis Platform 5 integration are related to the post-install setup and configuration. The mbldisetup and webct_mbldisetup configurations are no longer supported, since they rely on the deprecated mbtool utility. The following new script serves the same purpose with GlassFish MQ and is described in the following steps:
lp5_mqinit.sh
Install LMG 4.0
Note: You must have already installed and configured Java 1.4.2 or higher. You must verify the Java installation by running the which java and java -version commands.
To install LMG 4.0, complete the following steps:
1. Create an install directory where Learning Management Gateway and the SCT_LMG_HOME environment variable reside.
For example, the directory might be created as follows: mkdir /export/home/cpadmin/SCTERPGateway
2. Add the following to .bash_profile for your LUMADMIN user: SCT_LMG_HOME=/export/home/lumadmin/SCTERPGateway; export SCT_LMG_HOME
3. Copy the lmg40.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command: java -jar lmgX.x.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may appear as follows: java -jar lmg40.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same server as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of opends before executing it is recommended.
The full script is listed in “Full lp5_mqinit.sh script” on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects such as topics, queues and connection factories in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:
• Environmental settings include the following:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist, as follows:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, then use imq.portmapper.port, which has a default value of 7676:
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181:
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations, include the following:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update the <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the latter imq.log.level to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue- and topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
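As an added example (not from the Ellucian guide), the following Python audit parses an accesscontrol.properties fragment in the format shown above and flags principals that are granted a destination right without any connection grant, which is how a misspelled user name (the constructed sample uses lumser instead of lumuser) silently becomes a denial; it also builds the effective produce/consume matrix so the split between lmguser and lumuser can be reviewed.

```python
"""Audit an Open MQ accesscontrol.properties fragment (added example).

Parses rules of the form
    connection.<service>.allow.user=<users>
    <queue|topic>.<destination>.<produce|consume|browse>.<allow|deny>.user=<users>
and reports principals that hold a destination right without any
connection grant, plus the effective per-destination permission matrix.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the LDI destinations; 'lumser' is a
# deliberate misspelling of 'lumuser' so the audit has something to find.
SAMPLE_ACL = """\
# constructed sample accesscontrol.properties
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""

RULE_RE = re.compile(
    r"^(?P<kind>connection|queue|topic)\.(?P<name>[^.=]+)"
    r"(?:\.(?P<op>produce|consume|browse))?"
    r"\.(?P<verdict>allow|deny)\.user=(?P<users>.*)$"
)


def parse_acl(text):
    """Return (connect_users, rules).

    connect_users: users allowed on any connection service.
    rules: list of (kind, name, op, verdict, users) for destination rules.
    Unrecognised non-comment lines raise ValueError instead of being
    skipped, because a malformed rule would otherwise go unnoticed.
    """
    connect_users = set()
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised access-control line: {line}")
        users = {u.strip() for u in m["users"].split(",") if u.strip()}
        if m["kind"] == "connection":
            if m["op"] is not None:
                raise ValueError(f"connection rule cannot carry an operation: {line}")
            if m["verdict"] == "allow":
                connect_users |= users
            continue
        if m["op"] is None:
            raise ValueError(f"destination rule needs produce/consume/browse: {line}")
        rules.append((m["kind"], m["name"], m["op"], m["verdict"], users))
    return connect_users, rules


def unknown_principals(text):
    """Users granted a destination right but never allowed to connect."""
    connect_users, rules = parse_acl(text)
    unknown = set()
    for _kind, _name, _op, verdict, users in rules:
        if verdict == "allow":
            unknown |= users - connect_users - {"*"}
    return sorted(unknown)


def permission_matrix(text):
    """Map 'kind:destination' -> {operation: sorted allowed users}."""
    _, rules = parse_acl(text)
    matrix = defaultdict(dict)
    for kind, name, op, verdict, users in rules:
        if verdict == "allow":
            matrix[f"{kind}:{name}"][op] = sorted(users)
    return dict(matrix)


if __name__ == "__main__":
    for dest, ops in sorted(permission_matrix(SAMPLE_ACL).items()):
        print(dest, ops)
    print("principals without a connection grant:", unknown_principals(SAMPLE_ACL))
```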
Custom JMS Clients
Ensure your JMS clients have the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the clients' requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ or Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server.
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps.
Note: The imqusermgr command creates users in the file-system based user repository, and can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details, or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jms.userid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default, the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for the other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must both be configured for static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.
If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled within the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jms.userid>
com.sghe.luminis.imqConnectionCredentials=<jms.password>
com.sghe.luminis.imqBrokerHostName=<jms.host>
com.sghe.luminis.imqAddressList=mq://<jms.host>:7676/jms
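To make the telnet check from step 4 repeatable, here is an added Python helper (not part of the guide) that parses the port mapper banner returned on port 7676 and compares the admin, jms and ssljms ports against the imq.*.port values in config.properties, so a broker that still hands out ephemeral ports, or a service that is not active at all, is reported. The banner and config text are constructed from the listings above; the fetch_portmapper helper assumes the port mapper writes its table and closes the connection, as the telnet session shows.

```python
"""Check that the Open MQ broker listens on the static ports requested in
config.properties (added example, not from the guide).

The port mapper on 7676 answers with one line per service:
    <service> <protocol> <type> <port> [attrs]
A port of 0 means the service is not listening. A port that differs from
imq.admin.tcp.port / imq.jms.tcp.port / imq.ssljms.tls.port means the
broker is still using ephemeral ports, which a firewall cannot pin down.
"""
import socket

# Property name -> service name as it appears in the port mapper banner.
STATIC_PORT_PROPERTIES = {
    "imq.admin.tcp.port": "admin",
    "imq.jms.tcp.port": "jms",
    "imq.ssljms.tls.port": "ssljms",
}

# Constructed from the ephemeral-port telnet session in the guide.
BANNER_BEFORE = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
"""

# Constructed from the session after the static-port reconfiguration.
BANNER_AFTER = BANNER_BEFORE.replace("ADMIN 39925", "ADMIN 7574").replace(
    "NORMAL 42103", "NORMAL 7575")

# Constructed config.properties tail, as added in step 4.
CONFIG_SNIPPET = """\
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
"""


def parse_portmapper(banner):
    """Return {service: (protocol, service_type, port)} from banner text."""
    services = {}
    for line in banner.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4 or not parts[3].isdigit():
            continue  # version line, telnet chatter, trailing '.'
        services[parts[0]] = (parts[1], parts[2], int(parts[3]))
    return services


def expected_static_ports(config_text):
    """Return {service: port} for the static-port properties that are set."""
    expected = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in STATIC_PORT_PROPERTIES and value.isdigit():
            expected[STATIC_PORT_PROPERTIES[key]] = int(value)
    return expected


def port_mismatches(banner, config_text):
    """Return {service: (expected_port, actual_port)} for every configured
    static port the broker is not actually using. A service missing from
    the banner is reported with actual_port=None."""
    actual = parse_portmapper(banner)
    problems = {}
    for service, want in expected_static_ports(config_text).items():
        got = actual.get(service, (None, None, None))[2]
        if got != want:
            problems[service] = (want, got)
    return problems


def fetch_portmapper(host, port=7676, timeout=5.0):
    """Read the banner from a live broker. Assumption: the port mapper
    writes its table and closes the connection without a request line."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # keep whatever arrived before the timeout
    return b"".join(chunks).decode("ascii", errors="replace")


if __name__ == "__main__":
    print("before:", port_mismatches(BANNER_BEFORE, CONFIG_SNIPPET))
    print("after: ", port_mismatches(BANNER_AFTER, CONFIG_SNIPPET))
```

Against the live broker, `port_mismatches(fetch_portmapper("my-host.school.edu"), open(path).read())` gives the same report; an empty dict means every configured static port is in use.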
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfishdomain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN-ID lookup against LDAP involved in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in the Luminis-CAS login on port 8447, coupled with the assertion of the UDC ID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with banportals for each transaction, using the user's actual INB/Oracle user account or by proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP for his UDC ID to a valid PIDM, and does the user have a UDC ID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise the bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, click the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps.
1. Run the command in $CP_ROOT/products/opends/bin as follows:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN. For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter Use these values.
1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, it indicates that no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here, and for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for the purposes of INB channels such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption, as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
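The key rules in step 3 are easy to get wrong by hand (a leading space, a length that is not a multiple of eight, or a 32-character key of which only 24 are used), so here is an added Python validator, not Ellucian code, that checks an enckey file's contents against exactly those rules and reports which prefix the current DES code and the future DES3 path would consume. The sample file contents are constructed and are not real keys.

```python
"""Validate a KEY_DIR/enckey file against the rules given above
(added example, not Ellucian code). Rules checked:
  * the key starts in column 1 (no leading whitespace),
  * it contains both letters and digits,
  * it is at least 8 characters long and a multiple of 8,
  * only the first 24 characters are used (8 of them by DES today),
  * it is plain printable ASCII, since the file is read as plain text.
"""
import re

DES_KEY_LEN = 8     # characters the current DES code actually consumes
DES3_KEY_LEN = 24   # prefix GOKKSSO reads, reserved for the DES3 path

# Constructed sample file contents, not real keys.
SAMPLE_GOOD = "Secret99\n"
SAMPLE_BAD = " Banner2011\n"


def read_key_line(contents):
    """Return line 1 of the file exactly as written (no stripping),
    minus the line terminator; the key must be on the first line."""
    first, _, _rest = contents.partition("\n")
    return first.rstrip("\r")


def validate_enckey(contents):
    """Return a list of problems; an empty list means the key is acceptable."""
    key = read_key_line(contents)
    problems = []
    if key != key.lstrip():
        problems.append("key does not start in column 1 (leading whitespace)")
    if key != key.rstrip():
        problems.append("key has trailing whitespace, which becomes part of the key")
    stripped = key.strip()
    if len(stripped) < DES_KEY_LEN:
        problems.append(f"key shorter than {DES_KEY_LEN} characters")
    elif len(stripped) % 8 != 0:
        problems.append("key length is not a multiple of 8")
    if not (re.search(r"[A-Za-z]", stripped) and re.search(r"[0-9]", stripped)):
        problems.append("key must contain both letters and numbers")
    if not (stripped.isascii() and stripped.isprintable()):
        problems.append("key contains non-printable or non-ASCII characters")
    if len(stripped) > DES3_KEY_LEN:
        problems.append(f"only the first {DES3_KEY_LEN} characters are used; the rest are ignored")
    return problems


def key_material(contents):
    """Return (des_part, des3_part): the 8 characters DES uses now and the
    24-character prefix reserved for DES3. No padding is applied here,
    because the guide does not state the padding character."""
    key = read_key_line(contents).strip()
    return key[:DES_KEY_LEN], key[:DES3_KEY_LEN]


if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD):
        print(repr(sample), "->", validate_enckey(sample) or "ok")
```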
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping can be read accordingly.
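Hand-editing one LDIF entry per user is error-prone, so here is an added Python generator (not Ellucian's script) that emits entries in exactly the layout of sso_map.ldif above from a list of (Luminis ID, Banner/Oracle ID) pairs, skips pairs whose IDs are identical, escapes the RDN per RFC 4514 so an ID containing a comma or equals sign cannot alter the DN, and base64-encodes any value LDIF cannot carry in clear. The sample pairs and the base DN constant are constructed from the example above.

```python
"""Generate o=usermap LDIF entries that map Luminis IDs to Banner/Oracle IDs
(added example, not Ellucian's script). It reproduces the entry layout shown
above, skips pairs whose IDs are identical (no entry is needed or recommended
for them), escapes the RDN per RFC 4514 so an ID containing ',' or '=' cannot
alter the DN, and base64-encodes values that LDIF cannot carry in clear.
"""
import base64

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"

# Constructed sample: one mapped pair, one identical pair (no entry), and
# one Luminis ID containing a comma to exercise DN escaping.
SAMPLE_PAIRS = [
    ("JoeSmith", "jsmith"),
    ("jdoe", "jdoe"),
    ("Smith, Ann", "asmith"),
]

_DN_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name, value):
    """Format one 'name: value' line, switching to 'name:: <base64>' when
    the value is not a SAFE-STRING per RFC 2849."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_body = (not value.isascii()) or any(c in value for c in "\r\n\x00")
    if unsafe_start or unsafe_body:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def usermap_entry(luminis_id, banner_id, base=USERMAP_BASE):
    """Return the LDIF lines for one Luminis -> Banner/Oracle mapping."""
    return [
        f"dn: cn={escape_rdn_value(luminis_id)},{base}",
        ldif_attr("SCTSSOConfigString", banner_id),
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        ldif_attr("description",
                  f"Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {banner_id}"),
        ldif_attr("cn", luminis_id),
    ]


def usermap_ldif(pairs, base=USERMAP_BASE):
    """Build the complete LDIF text; identical IDs produce no entry."""
    entries = [usermap_entry(lum, ban, base) for lum, ban in pairs if lum != ban]
    if not entries:
        return ""
    return "\n\n".join("\n".join(lines) for lines in entries) + "\n"


if __name__ == "__main__":
    print(usermap_ldif(SAMPLE_PAIRS))
```

The output can be fed straight to the ldapmodify command from step 2.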
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps.
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value will display as the Default value for new users who log in to Banner.
Parameter: Description
BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine if users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using Internet URL format for LDAP, such as the following example: ldap://myldapserver:389
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are as follows:
L - LoginID is being used for login mapping
N - No usermap option is used
USERMAP_PRFX: Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secured Socket Layer) key, configure the following parameters.
Parameter: Description
LOCATION: To configure SSL, a certificate wallet must be created on the Database Server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows: file:d:\wallet for Windows, file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode, which can be one of the following values:
1 - No authentication is required (SSL encryption only)
2 - One-way authentication is required; the client certificate is authenticated by the server
3 - Two-way authentication is required; the client and the server authenticate each other's certificates
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions listed in step 2.2.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temp location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the util:map with id uniqueIdGeneratorsMap in the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAcc
  ountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.banner.portals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name '*.log'
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will, which take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
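To check that every event GOAEQRM handed to LMG actually reached the broker and the publisher topic, the following added example (not part of the guide) correlates the three adapter.log milestones shown above by event ID and reports events that stalled. The log excerpt is constructed; the ERROR wording for the failed event is invented for the sample.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed adapter.log excerpt in the format shown above. Event 370660 completes,
# 370661 fails at the broker (ERROR wording invented for the sample) and
# 370662 is validated but never published.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,112 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:03,004 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Message 370661 could not be published to Luminis Message Broker
javax.jms.JMSException: constructed sample exception line
2010-07-12 05:14:09,233 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370662 is a valid document
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)
# The three milestones an event passes through in adapter.log, in order.
STAGE_RES = [
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("brokered", re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("delivered", re.compile(r"The event (\d+) has been published to (\S+)")),
]
STAGES = [name for name, _ in STAGE_RES]
EVENT_ID_RE = re.compile(r"\b(\d{4,})\b")


@dataclass
class EventTrace:
    event_id: str
    stages: dict = field(default_factory=dict)   # stage name -> timestamp
    destination: Optional[str] = None
    errors: list = field(default_factory=list)

    @property
    def last_stage(self):
        reached = [s for s in STAGES if s in self.stages]
        return reached[-1] if reached else None

    @property
    def complete(self):
        return "delivered" in self.stages and not self.errors


def trace_events(log_text):
    """Correlate adapter.log lines by event ID; returns {event_id: EventTrace}."""
    traces = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # stack-trace / continuation lines
        msg = m.group("msg")
        for stage, rx in STAGE_RES:
            sm = rx.search(msg)
            if sm:
                tr = traces.setdefault(sm.group(1), EventTrace(sm.group(1)))
                tr.stages[stage] = m.group("ts")
                if stage == "delivered":
                    tr.destination = sm.group(2)
                break
        else:
            # Not a milestone: attach ERROR/WARN lines to the event they mention.
            if m.group("level") in ("ERROR", "WARN"):
                im = EVENT_ID_RE.search(msg)
                if im:
                    tr = traces.setdefault(im.group(1), EventTrace(im.group(1)))
                    tr.errors.append(f"{m.group('ts')} {msg}")
    return traces


def incomplete_events(log_text):
    """Events that never reached the publisher topic or logged an error:
    {event_id: (last_stage_reached, [error messages])}."""
    return {eid: (t.last_stage, t.errors)
            for eid, t in trace_events(log_text).items() if not t.complete}


if __name__ == "__main__":
    for eid, (stage, errs) in sorted(incomplete_events(SAMPLE_LOG).items()):
        print(f"event {eid}: stalled after '{stage}'" + (f"; {errs[0]}" if errs else ""))
```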
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs as stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in the following location: <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID,
-- such as INTEGMGR or WWW_USER, is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS      TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                       TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompts for the Luminis ID
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. By importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
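How the SSO configuration above is consumed, as an added example that is not from the guide: a small LDIF parser (folded lines, base64 values) and a lookup that follows UserMapDN to the usermap container, escaping the RDN value per RFC 4514 so a crafted Luminis username cannot redirect the lookup. The LDIF text is a constructed, shortened copy of the entries above.

```python
import base64
import re

# Constructed copy of the mapping entries above; the UserMapDN description is
# folded across two lines and one description is base64-encoded, as LDIF allows.
SAMPLE_LDIF = """\
version: 1

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description:: TWFwIG9mIGt5bGUgdG8gc2Fpc3Vzcg==
SCTSSOConfigString: saisusr
"""


def norm_dn(dn):
    """Cheap DN normalisation for dictionary keys: lower-case, no space after commas."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def parse_ldif(text):
    """Minimal LDIF content-record parser: unfolds continuation lines, decodes
    base64 ('::') values and keeps multi-valued attributes.
    Returns {normalised dn: {lower-case attr: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation: drop the single leading space
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:             # trailing "" flushes the last record
        if line == "":
            if current:
                entries[current["dn"]] = current["attrs"]
            current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = {"dn": norm_dn(value), "attrs": {}}
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current["attrs"].setdefault(name.lower(), []).append(value)
    return entries


def escape_rdn_value(value):
    """Escape an attribute value for use in an RDN (RFC 4514) so that a username
    such as 'kyle,o=usermap,...' cannot change which entry is looked up."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def resolve_banner_user(entries, luminis_user, app="Banner"):
    """Follow the SSO configuration: read UserMapDN under o=config,o=<app>, then
    look up cn=<luminis_user> below that DN. Returns the mapped Banner username, or
    None when no mapping exists (the caller then falls back to the default Oracle ID)."""
    cfg = entries.get(norm_dn(f"cn=UserMapDN,o=config,o={app},o=SCTSSOapplications"))
    if cfg is None or "sctssoconfigstring" not in cfg:
        raise LookupError(f"UserMapDN configuration entry for {app} is missing")
    map_dn = cfg["sctssoconfigstring"][0]
    entry = entries.get(norm_dn(f"cn={escape_rdn_value(luminis_user)},{map_dn}"))
    if entry is None:
        return None
    classes = {oc.lower() for oc in entry.get("objectclass", [])}
    if "sctssoconfig" not in classes or "sctssoconfigstring" not in entry:
        raise ValueError(f"entry for {luminis_user!r} is not a valid SCTSSOConfig mapping")
    return entry["sctssoconfigstring"][0]


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user in ("kyle", "610009611", "nobody"):
        print(user, "->", resolve_banner_user(directory, user))
```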
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# Run with bash: the script uses [[ ]], (( )) and "read -s", which plain sh lacks.
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc; general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
# Uncomment the following for verbose dsconfig/ldapmodify:
#VERBOSE="--verbose"

# User-configurable variables before running script:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized:
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable.
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran.
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case... no pun.
        echo "Outer loop break" ;;
      * )
        echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 0.1
# Some sanity checks before we start.
# Does $OPENDS_DIR exist and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 0.2
# Prompt [no screen echo] for DM password:
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
# Note: the option strings below are expanded unquoted so that they split into
# separate arguments; the password therefore must not contain whitespace, and
# -w exposes it in the process listing (the OpenDS tools also accept a
# password file via -j as an alternative).
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_L MG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (the lookup names are single-quoted so the shell does not expand the "$")
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the destination name must match the queue, com_sct_ldi_sis_UpdateRequest)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_ssl_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_ssl_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center, and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given SPRIDEN ID or Luminis Platform user, use the gspproxy.get_proxy_info method, or the proxyinfo.sql script described in "Sample proxyinfo.sql script" on page C-1, as bansecr.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide's version is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify the seed data is in place. For more information, see solution 1-9GK5D7, located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
3. Copy the lmg4.0.jar into your SCTERPGateway installation directory.
The JAR file can be obtained from the Downloads section of the Customer Support Center.
4. Run the following command:
java -jar lmgX.x.jar -erp plus|banner -lmbhost lmbserver -dburl dbserver:port:instance -dbpw mydbpasswd -jmspw myjmspasswd -ldi true|false -notification true|false
For example, the command may display as follows:
java -jar lmg4.0.jar -erp banner -lmbhost slcsup27.sct.com -dburl banner.sct.com:1521:BAN8 -dbpw u_pick_it -jmspw pipeline -ldi true -notification true
Note: For more information on command attributes, refer to the Banner Learning Message Gateway Installation Guide.
Set up users and administered objects in o=messaging
A Bourne-shell script, lp5_mqinit.sh, was developed on Unix and assumes that the OpenDS LDAP server resides on the same host as the GlassFish installation. The script binds as cn=Directory Manager and makes modifications in the <opends>/db and <opends>/config directories, so a backup of opends before executing is recommended.
The full script is listed in "Full lp5_mqinit.sh script" on page C-5.
To check for updates and additional comments on this script, see the CommonsLuminis collaboration wiki page as follows:
www.edu1world.org/CommonsLuminis
The lp5_mqinit.sh script creates users and administered objects, such as topics, queues, and connection factories, in $OPENDS_MQ_BASEDN, generally o=messaging. The properties include the following:
• Environmental settings include the following:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
• MQ_LMG should match the credentials defined for LMG in event_providers.plist, as follows:
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes, as follows:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port, and MQ_SSLJMS_PORT should match imq.ssljms.tls.port, both located in imqbroker/props/config.properties. If these values are not specified in config.properties, then use the imq.portmapper.port, which has a default value of 7676.
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions, and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. The MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations, include the following:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=o=messaging
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update the ltglassfishdomaingtimqinstancesimqbrokerpropsconfigproperties to include the following properties
imqauthenticationtype=basic
imqauthenticationbasicuser_repository=ldap
imquser_repositoryldapuidattr=cn
imquser_repositoryldapgrpsearch=false
imquser_repositoryldapserver=localhost389
imquser_repositoryldapbase=ou=Peopleo=messaging
imquser_repositoryldapprincipal=cn=ltusergtou=Peopleo=messaging
imquser_repositoryldappassword=ltpasswordgt
The ltusergt and ltpasswordgt variables should represent a privileged user in ou=People o=messaging Both the MQ_LMG_USER and MQ_LUM_USER qualify whether you ran lp5_mqinitsh since they are specifically granted read search and compare privileges in o=messaging
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the last property, imq.log.level, to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
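As an added example that is not part of the guide, the following Python script scans OpenDS access-log lines for BIND results so that failed binds from the broker's LDAP principal stand out rather than being read by eye. The log lines are constructed samples in the OpenDS access-log layout (timestamp, BIND REQ/RES, conn/op ids, dn and result code); that layout is an assumption, so adjust the regular expressions if your access log differs.

```python
import re
from collections import Counter

# Constructed sample lines in OpenDS access-log layout (format assumed, not from the guide).
SAMPLE_ACCESS_LOG = """\
[14/Nov/2011:09:12:01 -0500] CONNECT conn=7 from=127.0.0.1:51234 to=127.0.0.1:389 protocol=LDAP
[14/Nov/2011:09:12:01 -0500] BIND REQ conn=7 op=0 msgID=1 version=3 type=SIMPLE dn="cn=lmguser,ou=People,o=messaging"
[14/Nov/2011:09:12:01 -0500] BIND RES conn=7 op=0 msgID=1 result=0 authDN="cn=lmguser,ou=People,o=messaging" etime=2
[14/Nov/2011:09:12:05 -0500] BIND REQ conn=8 op=0 msgID=1 version=3 type=SIMPLE dn="cn=lumuser,ou=People,o=messaging"
[14/Nov/2011:09:12:05 -0500] BIND RES conn=8 op=0 msgID=1 result=49 message="Invalid Credentials" etime=1
[14/Nov/2011:09:12:09 -0500] BIND REQ conn=9 op=0 msgID=1 version=3 type=SIMPLE dn="cn=lumuser,ou=People,o=messaging"
[14/Nov/2011:09:12:09 -0500] BIND RES conn=9 op=0 msgID=1 result=49 message="Invalid Credentials" etime=1
[14/Nov/2011:09:12:20 -0500] BIND REQ conn=10 op=0 msgID=1 version=3 type=SIMPLE dn="cn=nosuch,ou=People,o=messaging"
[14/Nov/2011:09:12:20 -0500] BIND RES conn=10 op=0 msgID=1 result=49 message="Invalid Credentials" etime=1
"""

BIND_REQ = re.compile(r'\] BIND REQ conn=(\d+) op=(\d+) .*? dn="([^"]*)"')
BIND_RES = re.compile(r'\] BIND RES conn=(\d+) op=(\d+) .*? result=(\d+)')


def bind_outcomes(log_text):
    """Pair each BIND REQ with its BIND RES by (conn, op) and return
    a list of (dn, result_code) tuples in log order."""
    pending = {}
    outcomes = []
    for line in log_text.splitlines():
        m = BIND_REQ.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = BIND_RES.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None:
                outcomes.append((dn, int(m.group(3))))
    return outcomes


def failed_binds_by_dn(log_text):
    """Count non-zero bind results per DN (LDAP result 49 = invalidCredentials)."""
    counts = Counter()
    for dn, result in bind_outcomes(log_text):
        if result != 0:
            counts[dn] += 1
    return dict(counts)


def broker_principal_ok(log_text, principal_dn):
    """True if the DN configured as imq.user_repository.ldap.principal has at least
    one successful bind and no failed bind in the scanned window."""
    results = [r for dn, r in bind_outcomes(log_text) if dn.lower() == principal_dn.lower()]
    return bool(results) and all(r == 0 for r in results)


if __name__ == "__main__":
    for dn, n in sorted(failed_binds_by_dn(SAMPLE_ACCESS_LOG).items()):
        print("%d failed bind(s) for %s" % (n, dn))
```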
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties, which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
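As an added example that is not part of the guide, the following Python script parses an accesscontrol.properties fragment and cross-checks every principal against the set of users that actually exist in the broker's user repository: a misspelled name grants nothing to the intended user and leaves a rule pointing at a non-existent one. The input is a constructed sample (the rule set above with one principal deliberately misspelled as lumser in three rules); the checker inspects rule syntax only and does not emulate the broker's precedence between allow and deny rules.

```python
from collections import namedtuple

# Constructed sample: the guide's access-control rules, with 'lumser' misspelled
# in three rules to show what the checker catches.
SAMPLE_ACL = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""

# resource: connection | queue | topic; name: service type or destination name;
# operation: produce/consume/browse for destinations, None for connection rules
Rule = namedtuple("Rule", "resource name operation access principal_type principals")


def parse_rules(text):
    """Parse accesscontrol.properties lines into Rule tuples; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        parts = key.strip().rsplit(".", 3)
        if len(parts) != 4 or parts[2] not in ("allow", "deny") or parts[3] not in ("user", "group"):
            raise ValueError("unrecognised rule: " + key)
        head, middle, access, ptype = parts
        if head == "connection":
            # connection.<NORMAL|ADMIN>.<allow|deny>.<user|group>
            resource, name, operation = "connection", middle, None
        else:
            # <queue|topic>.<destination>.<produce|consume|browse>.<allow|deny>.<user|group>
            resource, _, name = head.partition(".")
            if resource not in ("queue", "topic") or not name:
                raise ValueError("unrecognised rule: " + key)
            operation = middle
        principals = tuple(p.strip() for p in value.split(",") if p.strip())
        rules.append(Rule(resource, name, operation, access, ptype, principals))
    return rules


def rule_key(rule):
    """Rebuild the property key for reporting."""
    if rule.resource == "connection":
        return "connection.%s.%s.%s" % (rule.name, rule.access, rule.principal_type)
    return "%s.%s.%s.%s.%s" % (rule.resource, rule.name, rule.operation, rule.access, rule.principal_type)


def unknown_principals(rules, known_users):
    """(rule key, principal) pairs for user rules naming a principal the repository does not hold."""
    return [(rule_key(r), p) for r in rules if r.principal_type == "user"
            for p in r.principals if p != "*" and p not in known_users]


def explicit_grants(rules, user):
    """Set of (resource, name, operation) explicitly allowed to `user` (or to everyone via '*')."""
    return {(r.resource, r.name, r.operation) for r in rules
            if r.access == "allow" and r.principal_type == "user"
            and (user in r.principals or "*" in r.principals)}


def admin_connection_users(rules):
    """Users allowed to open an ADMIN connection, the privilege the guide says to grant to one user."""
    return {p for r in rules if r.resource == "connection" and r.name == "ADMIN"
            and r.access == "allow" and r.principal_type == "user" for p in r.principals}


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_ACL)
    for key, principal in unknown_principals(rules, {"lumuser", "lmguser"}):
        print("unknown principal %r in %s" % (principal, key))
    print("ADMIN connections:", sorted(admin_connection_users(rules)))
```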
Custom JMS Clients
Ensure your JMS clients contain the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish/MQ/Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server.
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ.
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps.
Note: The imqusermgr command will create users in the file-system based user repository but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default, the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
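As an added example that is not from the guide, the following Python functions parse a captured portmapper response like the telnet output above and check that the services you expect to be static really are: a port of 0 means the service is not active, and an unexpected non-zero value means the broker is still handing out an ephemeral port. The response text is a constructed sample with a placeholder hostname, and the last function builds the config.properties lines that pin the ports.

```python
from collections import namedtuple

Service = namedtuple("Service", "name protocol kind port attrs")

# Constructed sample of a portmapper response (placeholder host, not from the guide):
# admin has been pinned to 7574 but jms is still on an ephemeral port.
SAMPLE_RESPONSE = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,imqhome=/opt/glassfishv3/mq,sessionid=1]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://broker.example.edu/jndi/rmi://broker.example.edu:8686/broker.example.edu/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 42103
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""

# Transport fragment of the property key per service, as in the guide's
# config.properties lines (imq.admin.tcp.port, imq.jms.tcp.port, imq.ssljms.tls.port)
_TRANSPORT = {"admin": "tcp", "jms": "tcp", "ssljms": "tls"}


def parse_portmapper(text):
    """Return {service name: Service} from the portmapper table; the first
    line (status, broker instance, version) is skipped."""
    services = {}
    for line in text.splitlines()[1:]:
        line = line.strip()
        if not line:
            continue
        head, _, extra = line.partition("[")
        fields = head.split()
        if len(fields) != 4:
            raise ValueError("unexpected portmapper line: " + line)
        attrs = {}
        if extra:
            # bracketed key=value pairs are comma separated
            for pair in extra.rstrip("]").split(","):
                k, _, v = pair.partition("=")
                attrs[k] = v
        services[fields[0]] = Service(fields[0], fields[1], fields[2], int(fields[3]), attrs)
    return services


def check_static_ports(services, expected):
    """Map service name -> problem text for every expected static port that is not in effect."""
    problems = {}
    for name, port in expected.items():
        svc = services.get(name)
        if svc is None:
            problems[name] = "service not advertised"
        elif svc.port == 0:
            problems[name] = "service not active"
        elif svc.port != port:
            problems[name] = "port %d in use, expected static port %d" % (svc.port, port)
    return problems


def static_port_properties(expected):
    """config.properties lines that pin the given services to static ports."""
    return ["imq.%s.%s.port=%d" % (name, _TRANSPORT[name], port)
            for name, port in sorted(expected.items())]


if __name__ == "__main__":
    services = parse_portmapper(SAMPLE_RESPONSE)
    for name, why in sorted(check_static_ports(services, {"admin": 7574, "jms": 7575}).items()):
        print("%s: %s" % (name, why))
    print("\n".join(static_port_properties({"admin": 7574, "jms": 7575, "ssljms": 7576})))
```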
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.
If Luminis Platform was installed with the default setting of jmsenabled=false, JMS can be enabled within the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on the HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following command:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor spriden-ID lookup against LDAP involved in the SSO transaction. Instead, bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in the Luminis-CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or by proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP for his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise, the bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control-panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, click the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps.
1. Run the command from $CP_ROOT/products/opends/bin as follows:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select "Add one or more values".
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Click Enter to continue.
1.6 Enter "Use these values".
1.7 Click F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications" sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, it indicates that no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here, and for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Please note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID to an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade, you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as mkdir $BANNER_HOME/key_dir.
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
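As an added example that is not part of the guide, the following Python functions check an enckey file's contents against the rules stated above (starts in column 1, mixes letters and numbers, at least eight characters, length a multiple of eight, a single line) and return the 24-character portion that GOKKSSO would use. The sample contents are constructed; the guide does not state the padding character for keys shorter than 24, so only truncation is modelled.

```python
COL1 = "key must start in column 1"
MIN_LEN = "key must contain at least eight characters"
MULT8 = "key length must be a multiple of eight"
MIX = "key must combine letters and numbers"
ONE_LINE = "enckey file must hold a single line"
USED = 24  # characters GOKKSSO reads; DES uses the first 8, DES3 would use all 24


def read_key(contents):
    """Return the key line without its newline; raises ValueError on a multi-line file."""
    lines = contents.split("\n")
    # allow a single trailing newline after the key line
    if lines and lines[-1] == "":
        lines.pop()
    if len(lines) != 1:
        raise ValueError(ONE_LINE)
    return lines[0]


def validate_enckey(contents):
    """List of rule violations for an enckey file's contents (empty list means acceptable)."""
    try:
        key = read_key(contents)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if key != key.lstrip():
        # leading whitespace means the key does not begin in column 1
        problems.append(COL1)
        key = key.lstrip()
    if len(key) < 8:
        problems.append(MIN_LEN)
    elif len(key) % 8:
        problems.append(MULT8)
    if not (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)):
        problems.append(MIX)
    return problems


def effective_key(contents):
    """The first 24 characters, i.e. the part of a longer key the package actually uses."""
    return read_key(contents).lstrip()[:USED]


if __name__ == "__main__":
    # constructed sample: the guide's own illustration value, PASSWORD, has no digits
    for sample in ("PASSWORD\n", "Abcdefg1\n", " Abcdefg1\n", "Abcdefghij1\n"):
        print(repr(sample), validate_enckey(sample) or "ok")
```

Note that the guide's illustrative value PASSWORD is itself flagged by the letters-and-numbers rule; pick a key that satisfies every rule listed.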
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping can be read accordingly.
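As an added example that is not part of the guide, the following Python functions generate the usermap LDIF for a list of (Luminis ID, Banner/Oracle ID) pairs in the form shown in step 1, skip pairs whose IDs already match (the guide says no entry is needed for those), and escape DN special characters per RFC 4514 so that an ID containing a comma or plus sign cannot alter the DN. The ID pairs are constructed sample data, and the parser at the end reads the generated LDIF back for verification.

```python
# RFC 4514 characters that must be escaped inside a DN attribute value
_DN_SPECIAL = ',+"\\<>;'
USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"


def escape_dn_value(value):
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def usermap_entry(luminis_id, banner_id, base_dn=USERMAP_BASE):
    """One SCTSSOConfig entry mapping a Luminis logon ID to its Banner/Oracle ID."""
    return "\n".join([
        "dn: cn=%s,%s" % (escape_dn_value(luminis_id), base_dn),
        "SCTSSOConfigString: " + banner_id,
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        "description: Map of Luminis ID - %s to Banner/Oracle ID - %s" % (luminis_id, banner_id),
        "cn: " + luminis_id,
        "",
    ])


def usermap_ldif(pairs, base_dn=USERMAP_BASE):
    """LDIF for all pairs whose IDs differ; identical IDs need no usermap entry."""
    entries = [usermap_entry(lum, ban, base_dn) for lum, ban in pairs if lum != ban]
    return "\n".join(entries)


def parse_usermap_ldif(text):
    """Inverse of usermap_ldif: {Luminis cn: Banner ID} read back from LDIF text."""
    mapping = {}
    cn = banner = None
    for line in text.splitlines() + [""]:
        if line == "":
            # blank line ends an entry
            if cn is not None and banner is not None:
                mapping[cn] = banner
            cn = banner = None
        elif line.startswith("cn: "):
            cn = line[len("cn: "):]
        elif line.startswith("SCTSSOConfigString: "):
            banner = line[len("SCTSSOConfigString: "):]
    return mapping


if __name__ == "__main__":
    # constructed sample pairs: one mapping, one identical pair, one ID with a comma
    print(usermap_ldif([("JoeSmith", "jsmith"), ("jdoe", "jdoe"), ("Lee, Ann", "alee")]))
```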
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps.
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value will display as the Default value for new users who log in to Banner.
Parameter - Description
BIND_PASSWORD - The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER - A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine if users exist.
DN - The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER - The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using Internet URL format for LDAP, such as the following example: ldap://myldapserver:389
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT - Usermap option. Valid values are as follows:
L - LoginID is being used for login mapping
N - No usermap option is used
USERMAP_PRFX - Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV, you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter - Description
LOCATION - To configure SSL, a certificate wallet must be created on the Database Server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows: file:d:/wallet for Windows, file:/u01/wallet for Unix.
PASSWORD - The password to the wallet is stored using DES encryption, using the key you created in a previous step.
MODE - The SSL authentication mode can be one of the following values:
1 - No authentication is required (SSL encryption only)
2 - One-way authentication is required; the client certificate is authenticated by the server
3 - Two-way authentication is required; the client and the server authenticate each other's certificates
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports CAS versions
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to S
GHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.2 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.3 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.
4.3.1 Open the uniqueIdGenerators.xml file.
4.3.2 Add the following entry to the util:map with id="uniqueIdGeneratorsMap" in the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.3.3 Save and close the uniqueIdGenerators.xml file.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.4.1 Open the argumentExtractorsConfiguration.xml file.
4.4.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.4.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.4.4 Save and close argumentExtractorsConfiguration.xml.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file.
4.5.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.5.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.5.3 Save and close the cas-servlet.xml file.
4.6 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.6.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry attributes (key) and Principal attributes (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.6.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.6.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.6.4 Save and close the deployerConfigContext.xml file.
4.7 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.7.1 Open default_views.properties.
4.7.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.7.3 Save and close default_views.properties.
4.8 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To crank up banportals logging on the application server side, use the following file to set verbosity:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.banner.portals=DEBUG,file
log4j.logger.com.sghe.luminis.banner=DEBUG,file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will, which take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit the imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
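The following Python script is an added example, not part of this guide or of LMG: it reads adapter.log lines in the format shown above, keys each event by the ID that matches the GOAEQRM Event Sequence, and reports events that never reached the final "has been published to" stage. The sample lines are constructed; the second event's failure line is invented to show what a stalled event looks like.

```python
import re

# Constructed sample adapter.log lines in the format the guide shows (not from a real LMG).
# Event 370660 passes all three stages; event 370661 validates but never reaches the broker.
SAMPLE_ADAPTER_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,100 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:03,004 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Message 370661 could not be published to Luminis Message Broker
"""

# One log4j-style line: timestamp, thread, level, logger, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# The three milestones a healthy event leaves in adapter.log, in order.
STAGES = (
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("published_to_broker", re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("published_to_topic", re.compile(r"The event (\d+) has been published to \S+")),
)
EVENT_ID_RE = re.compile(r"\b(\d{4,})\b")  # event IDs as they appear in messages


def trace_events(log_text):
    """Map each event ID (the GOAEQRM Event Sequence) to the stages reached and any errors."""
    events = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or unrelated line
        msg = m.group("msg")
        matched = False
        for stage, pattern in STAGES:
            hit = pattern.search(msg)
            if hit:
                ev = events.setdefault(hit.group(1), {"stages": [], "errors": [], "last_ts": None})
                ev["stages"].append(stage)
                ev["last_ts"] = m.group("ts")
                matched = True
                break
        # An ERROR/WARN line that names an event ID is recorded against that event.
        if not matched and m.group("level") in ("ERROR", "WARN"):
            idm = EVENT_ID_RE.search(msg)
            if idm:
                ev = events.setdefault(idm.group(1), {"stages": [], "errors": [], "last_ts": None})
                ev["errors"].append(msg)
                ev["last_ts"] = m.group("ts")
    return events


def stalled_events(log_text):
    """Return (event_id, last_stage_reached, errors) for events that did not reach the topic."""
    result = []
    for event_id, ev in trace_events(log_text).items():
        if "published_to_topic" in ev["stages"]:
            continue
        last = ev["stages"][-1] if ev["stages"] else "none"
        result.append((event_id, last, ev["errors"]))
    return result


if __name__ == "__main__":
    for event_id, last, errors in stalled_events(SAMPLE_ADAPTER_LOG):
        print(f"event {event_id} stalled after '{last}': {errors}")
```

Run it against a real adapter.log by passing the file contents to stalled_events(); an event listed there with no error line usually means the broker connection, not the event XML, is the place to look.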
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, as stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in the following location: <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type: start proxyinfo
-- to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update. TH 06-APR-07
-- Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';       -- calling application type
  b varchar2(200) := 'LUMINIS';       -- calling application
  c varchar2(200) := '&Luminis_ID';   -- prompts for the Luminis ID at run time
  d varchar2(200);                    -- returned Oracle user
  e varchar2(200);                    -- returned role
  f varchar2(200);                    -- returned password (not printed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif (the attribute OID is the same SCTSSOConfigString-oid used in the other schema samples):
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif script in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify output:
# VERBOSE="--verbose"

# User-configurable variables: set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start:
# Does $OPENDS_DIR exist, and is it writable?
if [[ ( ! -d $OPENDS_DIR ) || ( ! -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be
# (the "::" marks a base64-encoded LDIF value):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# The JNDI lookup names below contain a literal "$", so they are single-quoted
# to keep the shell from expanding them as variables.

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the guide's listing repeated com_sct_ldi_sis_Sync as the destination name here; the queue
# object must point at the com_sct_ldi_sis_UpdateRequest physical queue created above)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (same correction as STEP 14: the destination name matches the physical queue)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
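STEP 6 of the script above notes that userPassword can be supplied pre-encoded (which is why STEP 2 enables ds-cfg-allow-pre-encoded-passwords) instead of as the cleartext MQ_LMG_USER_PW. The following Python is an added example, not part of the guide or of OpenDS: it produces and verifies the {SSHA} form the sample uses, renders it as the "userPassword::" LDIF line, and checks that a pre-encoded value is well formed before it is handed to ldapmodify. The only page value it uses is the sample base64 string from STEP 6; the test salt is constructed.

```python
import base64
import hashlib
import hmac
import os

# The pre-encoded sample value quoted in STEP 6 of lp5_mqinit.sh (an LDIF "::" base64 value).
PAGE_USERPASSWORD_B64 = "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="
SHA1_LEN = 20  # an {SSHA} value is base64(sha1(password + salt) + salt)


def ssha_encode(password, salt=None):
    """Return an LDAP {SSHA} value for the given password; salt defaults to 8 random bytes."""
    if salt is None:
        salt = os.urandom(8)  # the sample on the page also carries an 8-byte salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, encoded):
    """Check a cleartext password against an {SSHA} value using a constant-time compare."""
    if not encoded.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]  # digest first, salt appended
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword_line(encoded):
    """Render an {SSHA} value as an LDIF line; '::' marks a base64-encoded attribute value."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def decode_ldif_userpassword(line):
    """Inverse of ldif_userpassword_line: recover the {SSHA} string from a 'userPassword::' line."""
    attr, sep, value = line.partition("::")
    if attr.strip() != "userPassword" or not sep:
        raise ValueError("expected a 'userPassword::' line")
    return base64.b64decode(value.strip()).decode("ascii")


def describe(encoded):
    """Report digest/salt sizes so a truncated or unsalted value is caught before ldapmodify runs."""
    raw = base64.b64decode(encoded[len("{SSHA}"):])
    return {
        "digest_bytes": min(len(raw), SHA1_LEN),
        "salt_bytes": max(len(raw) - SHA1_LEN, 0),
        "well_formed": encoded.startswith("{SSHA}") and len(raw) > SHA1_LEN,
    }


if __name__ == "__main__":
    # Constructed demonstration password; not a credential from the guide.
    value = ssha_encode("example-only")
    print(ldif_userpassword_line(value))
    print(describe(decode_ldif_userpassword("userPassword:: " + PAGE_USERPASSWORD_B64)))
```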
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channels proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect-through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, run as bansecr, described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the webservices configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (missing single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archivelogs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
• MQ_LUM should match the credentials in the tomcat-admin bootstrap.properties for the com.sghe.luminis.imqConnection settings. The tomcat-admin bootstrap.properties file is located in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes. The variables are as follows:
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
• MQ_JMS_PORT should match imq.jms.tcp.port, and MQ_SSLJMS_PORT should match imq.ssljms.tls.port; both are located in imqbroker/props/config.properties. If these values are not specified in config.properties, then use the imq.portmapper.port, which has a default value of 7676.
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
Static ports should be defined when there are networking restrictions and also to ensure the highest efficiency in the connection factories. If you configure static ports in config.properties later, you can revisit the administered-object configuration in o=messaging to update these values in the connection factory definitions as well.
• TUNNEL settings refer to the HTTP/HTTPS and IMQ/HTTPS configuration. The MQ_HTTP_TUNNEL_PORT should match the port assigned to http-listener in your GlassFish domain.xml (default 8080). However, SunGard Higher Education recommends 8081 to avoid a port conflict with WebCache.
MQ_HTTPS_TUNNEL_PORT should match the port used by http-listener-2 [https], which has a default value of 8181.
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
Note: These settings may not reflect those in use by Luminis Platform 5, but they are used within this script to define the imqConnectionURL in the connection factory definitions. This script could be used by other applications or in a future version of Luminis. The tunnel by definition requires additional overhead and will not perform as efficiently as a straight JMS or SSL/JMS connection.
• Other settings, which should only be modified in non-standard configurations, include the following:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389
Once these variables are set to match your configuration, execute the script to create the objects in LDAP.
Enable LDAP user repository for MQ
Update the <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> variables should represent a privileged user in ou=People,o=messaging. Both the MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since they are specifically granted read, search, and compare privileges in o=messaging.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the latter imq.log.level to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log displays whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue- and topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis.
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
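The two broker files configured in this section are worth linting before the broker goes live. The following script is an added example (not Ellucian or Open MQ code); the file contents it reads are constructed samples in the shape of the snippets above, and the access-control sample deliberately misspells one principal. It checks the LDAP repository block for a placeholder password and for the unencrypted directory port (the Open MQ key imq.user_repository.ldap.ssl.enabled used in that check is the broker's LDAP-over-TLS switch as documented by Open MQ; it does not appear in this guide), and it checks that every user named in a queue or topic permission also appears in a connection permission, since a misspelt user name simply never matches and the permission silently grants nothing.

```python
"""Lint the Open MQ config.properties LDAP block and accesscontrol.properties.

Added illustration; not part of the Luminis Platform guide.  Property names
are the documented Open MQ keys; the file contents are constructed samples.
"""
from typing import Dict, List

# Constructed sample of <glassfish domain>/imq/instances/imqbroker/props/config.properties
CONFIG_PROPERTIES = """\
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
"""

# Constructed sample of <imq>/instances/imqbroker/etc/accesscontrol.properties,
# containing the misspelling "lumser" for "lumuser" on purpose.
ACCESS_CONTROL = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_ldap_repository(props: Dict[str, str]) -> List[str]:
    """Findings about the LDAP user repository settings in config.properties."""
    findings: List[str] = []
    if props.get("imq.authentication.basic.user_repository") != "ldap":
        findings.append("user repository is not ldap; file-based users are still in effect")
        return findings
    server = props.get("imq.user_repository.ldap.server", "")
    # Port 389 without TLS sends the broker's bind password in clear text; the
    # guide itself names this variable INSECURE_LDAP_PORT.
    ssl_on = props.get("imq.user_repository.ldap.ssl.enabled", "false") == "true"
    if server.endswith(":389") and not ssl_on:
        findings.append(f"LDAP server {server} uses the plaintext port without ssl.enabled")
    password = props.get("imq.user_repository.ldap.password", "")
    if not password or password.startswith("<"):
        findings.append("bind password is empty or still a <placeholder>")
    principal = props.get("imq.user_repository.ldap.principal", "")
    base = props.get("imq.user_repository.ldap.base", "")
    if base and not principal.endswith(base):
        findings.append(f"bind principal {principal!r} is outside search base {base!r}")
    return findings


def check_access_control(props: Dict[str, str]) -> List[str]:
    """Report destination permissions naming a user absent from every connection permission."""
    known = set()
    for key, value in props.items():
        if key.startswith("connection.") and key.endswith(".allow.user"):
            known.update(u.strip() for u in value.split(",") if u.strip())
    findings: List[str] = []
    for key, value in sorted(props.items()):
        if key.startswith(("queue.", "topic.")) and key.endswith(".allow.user"):
            for user in (u.strip() for u in value.split(",")):
                if user and user != "*" and user not in known:
                    findings.append(f"{key} grants {user!r}, which no connection permission names")
    return findings


def lint(config_text: str = CONFIG_PROPERTIES, acl_text: str = ACCESS_CONTROL) -> List[str]:
    """All findings for the two files, config.properties first."""
    return (check_ldap_repository(parse_properties(config_text))
            + check_access_control(parse_properties(acl_text)))


if __name__ == "__main__":
    for finding in lint():
        print("-", finding)
```

Run against the samples it reports the plaintext port, the placeholder password and the two permissions that name lumser; fixing the spelling clears the last two.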
Custom JMS Clients
Ensure your JMS clients contain the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish, MQ, or Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server.
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps.
Note: The imqusermgr command creates users in the file-system-based user repository, but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details, or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default, the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
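The telnet test above is easy to script so that the check can be repeated after every broker restart or firewall change. The following is an added example, not part of the guide or of Open MQ: the reply text is a constructed sample in the shape of the port mapper output shown above, and the expected ports are the static values from config.properties. parse_portmap() reads the service lines (skipping the "101 imqbroker 4.5" version banner), check_static_ports() compares the advertised admin and jms ports with the configured ones and distinguishes a disabled service (port 0) from an ephemeral port that a firewall rule written for the static port would block, and fetch_portmap() does what telnet does against a live broker.

```python
"""Verify Open MQ static ports from the port mapper reply (added example)."""
import socket
from typing import Dict, List

# Constructed sample of a port mapper reply after static ports were configured.
SAMPLE_REPLY = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,imqhome=/opt/glassfishv3/mq,sessionid=1]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://mq.example.edu/jndi/rmi://mq.example.edu:8686/mq.example.edu/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""

# The static assignments made in config.properties (imq.admin.tcp.port, imq.jms.tcp.port).
EXPECTED_PORTS = {"admin": 7574, "jms": 7575}


def parse_portmap(reply: str) -> Dict[str, Dict[str, object]]:
    """Map service name -> {'protocol', 'type', 'port'} from a port mapper reply.

    Service lines read 'name protocol type port [extra]'.  The first line
    ('101 imqbroker 4.5') is the broker's version banner and is skipped.
    """
    services: Dict[str, Dict[str, object]] = {}
    for line in reply.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "101":
            continue
        name, protocol, svc_type, port = parts[:4]
        if not port.isdigit():
            continue
        services[name] = {"protocol": protocol, "type": svc_type, "port": int(port)}
    return services


def check_static_ports(services: Dict[str, Dict[str, object]],
                       expected: Dict[str, int] = EXPECTED_PORTS) -> List[str]:
    """One message per expected service whose advertised port is not the configured one."""
    problems: List[str] = []
    for name, want in expected.items():
        got = services.get(name, {}).get("port")
        if got is None:
            problems.append(f"{name}: not advertised by the broker")
        elif got == 0:
            problems.append(f"{name}: service disabled (port 0)")
        elif got != want:
            problems.append(f"{name}: advertised {got}, expected static port {want}")
    return problems


def fetch_portmap(host: str, port: int = 7676, timeout: float = 5.0) -> str:
    """Connect to the port mapper and return its reply (needs a running broker)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:       # the broker closes the connection after the listing
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


if __name__ == "__main__":
    problems = check_static_ports(parse_portmap(SAMPLE_REPLY))
    print("static ports OK" if not problems else "\n".join(problems))
```

To run it against a real broker, replace SAMPLE_REPLY with fetch_portmap("<your FQDN>") once the host rename in step 5.3 is done.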
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.
If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled within the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
    <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication, nor any SPRIDEN-ID lookup against LDAP, involved in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in the Luminis-CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or a proxy connection via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP from his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnig Web configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with the b_0110_twb8030001 or Web Tailor 8.2 with the b_0110_twb8020001. Otherwise, the bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless the LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps.
1. Run the following command from $CP_ROOT/products/opends/bin:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Select Use these values.
1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any user who does not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored in GUAUPRF and uses DES encryption, as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade, you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
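The key rules stated above (column 1, letters and numbers, at least eight characters, longer only in multiples of eight, only the first 24 characters used and only the first eight of those by the current DES path) are simple to check mechanically before the file is dropped into KEY_DIR. The following validator is an added example, not Banner or GOKKSSO code; the padding character it uses when showing the 24-character form is an assumption, since the guide says the key is padded to 24 without naming the pad. One caveat it makes visible: the guide's illustrative value PASSWORD is eight letters with no digit, so it satisfies the length rule but not the letters-and-numbers rule.

```python
"""Validate an enckey file against the GOKKSSO key rules (added example)."""
from typing import List, Tuple


def read_key_line(contents: str) -> str:
    """Return the first line exactly as written (no stripping): a leading
    space would move the key out of column 1, which the rules forbid."""
    return contents.split("\n", 1)[0].rstrip("\r")


def validate_enckey(contents: str) -> List[str]:
    """Return the list of rule violations; an empty list means the key is acceptable."""
    line = read_key_line(contents)
    problems: List[str] = []
    if not line or line[0].isspace():
        problems.append("key must start in column 1")
    key = line.strip()
    if len(key) < 8:
        problems.append("key must contain at least eight characters")
    elif len(key) % 8 != 0:
        problems.append("key length must be a multiple of eight")
    has_alpha = any(c.isalpha() for c in key)
    has_digit = any(c.isdigit() for c in key)
    if not (has_alpha and has_digit):
        problems.append("key must combine letters and numbers")
    return problems


def effective_keys(contents: str) -> Tuple[str, str]:
    """(material used by DES, material kept for DES3) derived from the file.

    Only the first 24 characters are used and the string is padded to 24;
    the current DES encryption uses only the first 8 of them.  Padding with
    spaces is an assumption of this example, not documented behaviour.
    """
    key = read_key_line(contents).strip()[:24]
    padded = key.ljust(24)
    return padded[:8], padded


if __name__ == "__main__":
    for sample in ("Abc12345\n", "PASSWORD\n", " Abc12345\n", "Abc12345Xyz67890Qrs12345Extra\n"):
        verdict = validate_enckey(sample) or ["ok"]
        print(f"{sample.strip()!r:35} {'; '.join(verdict)}")
```

Point it at the real file with validate_enckey(open(path).read()) after step 3; effective_keys() shows which characters actually take part in the encryption, which matters when someone enters a 32-character key expecting all of it to be used.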
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping is read accordingly.
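Generating the usermap entries by hand invites DN typos, and the verification step only tells you what proxyinfo.sql resolved, not why. The following is an added example (not Banner, Luminis or OpenDS code) that builds an SCTSSOConfig entry in the shape of sso_map.ldif above, reads a file of such entries back, and models the resolution order described in the proxyinfo.sql section: an explicit entry under o=usermap wins, otherwise the default Oracle ID applies, and a resolved ID that is one of the generic accounts (INTEGMGR, WWW_USER, the BANPROXY default) is the signal that no personal mapping exists. The DN value escaping follows RFC 4514; the default ID and generic-account list are values from this chapter.

```python
"""Build, read back and resolve o=usermap entries (added example)."""
from typing import Dict

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "banproxy"                 # "usually banproxy" per the guide
GENERIC_IDS = {"INTEGMGR", "WWW_USER", "BANPROXY"}


def escape_rdn_value(value: str) -> str:
    """Escape the characters RFC 4514 treats specially inside an RDN value."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_usermap_ldif(luminis_id: str, oracle_id: str) -> str:
    """LDIF for one SCTSSOConfig entry: cn = Luminis ID, SCTSSOConfigString = Banner ID."""
    if not luminis_id or not oracle_id:
        raise ValueError("both the Luminis ID and the Oracle/Banner ID are required")
    cn = escape_rdn_value(luminis_id)
    return (
        f"dn: cn={cn},{USERMAP_BASE}\n"
        f"SCTSSOConfigString: {oracle_id}\n"
        "objectClass: top\n"
        "objectClass: SCTSSOConfig\n"
        f"description: Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {oracle_id}\n"
        f"cn: {luminis_id}\n"
    )


def parse_usermap_ldif(ldif: str) -> Dict[str, str]:
    """Read one or more mapping entries back into {luminis_id: oracle_id}."""
    mappings: Dict[str, str] = {}
    cn = oracle = None
    for line in ldif.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():                # a blank line ends an LDIF entry
            if cn and oracle:
                mappings[cn] = oracle
            cn = oracle = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "cn":
            cn = value
        elif attr == "SCTSSOConfigString":
            oracle = value
    return mappings


def resolve_oracle_id(luminis_id: str, mappings: Dict[str, str],
                      default: str = DEFAULT_ORACLE_ID) -> str:
    """An explicit usermap entry takes precedence; otherwise the default Oracle ID results."""
    return mappings.get(luminis_id, default)


def is_generic(oracle_id: str) -> bool:
    """True when the resolved ID is a shared account, i.e. no personal mapping was found."""
    return oracle_id.upper() in GENERIC_IDS


if __name__ == "__main__":
    ldif = build_usermap_ldif("JoeSmith", "jsmith")
    print(ldif)
    table = parse_usermap_ldif(ldif)
    for user in ("JoeSmith", "jdoe"):
        oid = resolve_oracle_id(user, table)
        print(f"{user} -> {oid} ({'generic, no mapping' if is_generic(oid) else 'personal'})")
```

Write the output of build_usermap_ldif() to the file you pass to ldapmodify in step 2; after the cache delay noted above, proxyinfo.sql should return the same value resolve_oracle_id() predicts.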
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps.
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value is displayed as the Default value for new users who log in to Banner.
Parameter / Description
BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using the Internet URL format for LDAP, such as the following example: ldap://myldapserver:389
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are as follows: L (the LoginID is used for login mapping); N (no usermap option is used).
USERMAP_PRFX: Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap option is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter / Description
LOCATION: To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows: file:/d:/wallet for Windows, file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode, which can be one of the following values: 1 - No authentication is required (SSL encryption only); 2 - One-way authentication is required: the client certificate is authenticated by the server; 3 - Two-way authentication is required: the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports CAS versions
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the util:map with id="uniqueIdGeneratorsMap" in the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
    <ref bean="BannerArgumentExtractor" />
    <ref bean="casArgumentExtractor" />
    <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
    p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
    p:centralAuthenticationService-ref="centralAuthenticationService"
    p:proxyHandler-ref="proxy20Handler"
    p:argumentExtractor-ref="BannerArgumentExtractor"
    p:successView="bannerAccountServiceSuccessView"
    p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="query" value="(uid={0})" />
    <property name="contextSource" ref="contextSource" />
    <property name="ldapAttributesToPortalAttributes">
        <map>
            <!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
            <entry key="uid" value="uid" />
            <entry key="udcid" value="UDC_IDENTIFIER" />
            <entry key="cn" value="cn" />
            <entry key="givenname" value="Formatted Name" />
            <entry key="mail" value="EmailAddress" />
        </map>
    </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
    <list>
        <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
            <property name="template" ref="LdapTemplate" />
            <property name="netIdAttr" value="uid" />
            <property name="baseDN" value="ou=People,o=cp" />
            <property name="casTokenAttributes">
                <map>
                    <entry>
                        <key><value>udcid</value></key>
                        <value>UDC_IDENTIFIER</value>
                    </entry>
                </map>
            </property>
        </bean>
    </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
    <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
    <property name="template" ref="LdapTemplate"></property>
    <property name="netIdAttr" value="uid" />
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="samlToLdapAttributeNameMap">
        <map>
            <entry key="UDC_IDENTIFIER" value="udcid" />
            <entry key="Formatted Name" value="sn" />
        </map>
    </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
### Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
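The edits in 4.5.1 and 4.5.3 define the same CAS attribute names in two places: attributeRepository maps LDAP attribute to CAS attribute, and UDCPersonAttributeDaoUtil maps CAS (SAML) attribute name back to LDAP attribute. Because UDC_IDENTIFIER is what the Banner side trusts from the ticket, it is worth confirming after editing that both beans source it from udcid. The script below is an added example, not part of the guide or of the SGHE CAS extension; the XML is a constructed, trimmed deployerConfigContext.xml carrying only the two beans, with the values from the snippets above. It reports, per CAS attribute, the LDAP attribute each bean uses, and lists the names the two beans source differently. On the guide's own values that list contains Formatted Name (givenname in one bean, sn in the other); the report shows both so the administrator can decide whether that is intended.

```python
"""Cross-check CAS attribute sources between two deployerConfigContext.xml beans (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed, trimmed deployerConfigContext.xml with only the two beans of interest.
SAMPLE_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="query" value="(uid={0})" />
    <property name="ldapAttributesToPortalAttributes">
      <map>
        <entry key="uid" value="uid" />
        <entry key="udcid" value="UDC_IDENTIFIER" />
        <entry key="givenname" value="Formatted Name" />
      </map>
    </property>
  </bean>
  <bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
    <property name="netIdAttr" value="uid" />
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="samlToLdapAttributeNameMap">
      <map>
        <entry key="UDC_IDENTIFIER" value="udcid" />
        <entry key="Formatted Name" value="sn" />
      </map>
    </property>
  </bean>
</beans>
"""


def _local(tag: str) -> str:
    """Strip the namespace so Spring's default-namespace tags match by local name."""
    return tag.rsplit("}", 1)[-1]


def map_property(root: ET.Element, bean_id: str, prop_name: str) -> Dict[str, str]:
    """Return the <map> entries of property prop_name on bean bean_id as {key: value}."""
    for bean in root.iter():
        if _local(bean.tag) == "bean" and bean.get("id") == bean_id:
            for prop in bean:
                if _local(prop.tag) == "property" and prop.get("name") == prop_name:
                    return {
                        e.get("key"): e.get("value")
                        for m in prop if _local(m.tag) == "map"
                        for e in m if _local(e.tag) == "entry"
                    }
            raise KeyError(f"bean {bean_id} has no property {prop_name}")
    raise KeyError(f"no bean with id {bean_id}")


def compare_attribute_sources(xml_text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """For each CAS attribute name, the LDAP attribute each of the two beans reads it from."""
    root = ET.fromstring(xml_text)
    ldap_to_cas = map_property(root, "attributeRepository", "ldapAttributesToPortalAttributes")
    cas_to_ldap = map_property(root, "UDCPersonAttributeDaoUtil", "samlToLdapAttributeNameMap")
    repo_view = {cas: ldap for ldap, cas in ldap_to_cas.items()}   # invert to CAS -> LDAP
    report: Dict[str, Dict[str, Optional[str]]] = {}
    for cas_name in sorted(set(repo_view) | set(cas_to_ldap)):
        report[cas_name] = {
            "attributeRepository": repo_view.get(cas_name),
            "UDCPersonAttributeDaoUtil": cas_to_ldap.get(cas_name),
        }
    return report


def mismatches(xml_text: str) -> List[str]:
    """CAS attribute names defined in both beans but sourced from different LDAP attributes."""
    report = compare_attribute_sources(xml_text)
    return sorted(name for name, src in report.items()
                  if src["attributeRepository"] is not None
                  and src["UDCPersonAttributeDaoUtil"] is not None
                  and src["attributeRepository"] != src["UDCPersonAttributeDaoUtil"])


if __name__ == "__main__":
    for name, src in compare_attribute_sources(SAMPLE_XML).items():
        print(f"{name:16} attributeRepository={src['attributeRepository']!s:10} "
              f"UDCPersonAttributeDaoUtil={src['UDCPersonAttributeDaoUtil']}")
    print("sourced differently:", mismatches(SAMPLE_XML))
```

Run it against the real file with compare_attribute_sources(open(path).read()) after step 4.5.4; an entry that is None on one side simply means that bean does not define the name, which is expected for uid.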
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique log file which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set the logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.banner.portals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1; these are the installation defaults, and the password should have been changed during setup). Through this interface you can stop, start and restart individual containers such as OC4J containers. These containers are called "main" for banportals and "BEIS" for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.
GlassFish/MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain:
/opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location:
/opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files. The event-data logs carry the event payloads themselves, so protect them as you would the source data.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the EventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
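The three messages above are the milestones an event passes through in adapter.log. The following is an added example, not code from this guide or from LMG: it parses lines in that format and records, per event ID, whether the XML was validated, whether the message reached the Luminis Message Broker, and which subscribers it was published to, so an event that LMG accepted but never forwarded stands out. The sample log is constructed from the guide's three lines plus two invented failing events (370661, 370662); the ERROR text is also invented.

```python
"""Trace LDI events through LMG adapter.log lines (added example)."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# The three milestone messages, in the order LMG emits them.
MILESTONES = (
    ("validated", re.compile(r"XML for (?P<id>\d+) is a valid document")),
    ("brokered", re.compile(r"Message (?P<id>\d+) published to Luminis Message Broker")),
    ("delivered", re.compile(r"The event (?P<id>\d+) has been published to (?P<sub>\S+)")),
)
EVENT_ID_RE = re.compile(r"\b(\d{5,})\b")


def parse_line(line):
    """Split one adapter.log line into its fields, or return None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _new_event():
    return {"validated": False, "brokered": False, "delivered": [], "errors": []}


def trace_events(lines):
    """Map event ID -> milestone record, built from an iterable of log lines."""
    events = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # stack traces, blank lines and so on
        for name, pattern in MILESTONES:
            m = pattern.search(rec["msg"])
            if not m:
                continue
            ev = events.setdefault(m.group("id"), _new_event())
            if name == "delivered":
                ev["delivered"].append(m.group("sub"))
            else:
                ev[name] = True
        if rec["level"] in ("WARN", "ERROR", "FATAL"):
            # attach the error text to every event ID the message mentions
            for eid in EVENT_ID_RE.findall(rec["msg"]):
                events.setdefault(eid, _new_event())["errors"].append(rec["msg"])
    return events


def stuck_events(events):
    """Event IDs that were validated but never reached a subscriber, with the stage they stopped at."""
    stuck = {}
    for eid, ev in events.items():
        if not ev["validated"]:
            continue
        if not ev["brokered"]:
            stuck[eid] = "validated but not published to the broker"
        elif not ev["delivered"]:
            stuck[eid] = "published to the broker but to no subscriber"
    return stuck


# Constructed sample: the guide's three lines for 370660 plus two invented failing events.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,110 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,402 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Could not publish message 370661: broker connection refused
2010-07-12 05:14:05,017 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370662 is a valid document
2010-07-12 05:14:05,300 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370662 published to Luminis Message Broker
"""

if __name__ == "__main__":
    evs = trace_events(SAMPLE_LOG.splitlines())
    for eid, why in stuck_events(evs).items():
        print(eid, why, evs[eid]["errors"])
```

Run it against a real adapter.log with `trace_events(open(path))`; an event listed by `stuck_events` as "validated but not published" points at the LMG-to-broker connection (check the broker logs described below), while "published to the broker but to no subscriber" points at the subscriber side.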
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs as stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties (the imqcmd change takes effect immediately; the file change takes effect at the next broker restart):
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties in the same file:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
Appendix C: Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script. It spools its output to proxyinfo.lst in the current directory; the line that would print the proxy password (PWD) is commented out deliberately, so leave it that way unless you are prepared to protect the spool file.
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL*Plus as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update. TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompted for by SQL*Plus (scan on)
  d varchar2(200);                    -- Oracle user returned
  e varchar2(200);                    -- role returned
  f varchar2(200);                    -- proxy password returned; never printed
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1...
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file. Each entry under o=usermap maps a Luminis login to the Banner (Oracle) account it will act as, so anyone with write access to that subtree can redirect a Luminis user onto a different Banner identity; restrict write access to it to the directory administrators.
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# (bash rather than plain sh: the script uses [[ ]], read -s, (( )) and break 2)
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc, general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"
#
# User-configurable variables; set these before running the script.
# The two MQ user passwords below are placeholders: replace them, and keep
# this file readable only by the $CP_ROOT owner once they are set.
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389
# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0
# After each command, check for a non-zero error response and exit if applicable.
# (The script as printed exited with status 0 on failure; exit 1 lets a caller see the abort.)
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun):
        echo "Outer loop break"
        break ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}
# Step 01
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! -d "$OPENDS_DIR" || ! -w "$OPENDS_DIR" ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi
# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD
# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Note: -w puts the password on the command line, where other local users can
# read it from the process list; the OpenDS tools also accept -j <password file>.
# --trustAll skips verification of the directory server's certificate, which is
# acceptable only for this local bootstrap on the resource tier.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"
# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 2
# Ensure that pre-encoded passwords are allowed.
# (This lets a client write a ready-made {SSHA} hash as userPassword; the
# directory then cannot apply its password validators to that value.)
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be
# (double colon: the {SSHA}... value is itself base64-wrapped in LDIF):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
# (The acl name is only a label. targetattr="*" covers userPassword too, so each MQ
# user can read the other's password hash; narrow the targetattr if that matters to you.)
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands.
# Note: this binds as Directory Manager over the plain LDAP port ($INSECURE_LDAP_PORT),
# so the DM password crosses the network in clear; run the script on the directory host.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Note: the following imqobjmgr queue/topic creations store JNDI administered
# objects in LDAP; explicit imqobjmgr is used to ensure fine-grained control over
# the JNDI AdministeredObjects location. The physical destinations on the broker
# could also have been created with imqcmd, as follows (by default the broker
# auto-creates a destination the first time a client uses it):
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
# The JNDI names below contain a literal "$", so they are single-quoted to keep
# the shell from expanding "$com_sct_..." as a variable.
# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# (The destination name must be the UpdateRequest queue created above; the listing
# as printed carried com_sct_ldi_sis_Sync here, which is the name of a topic.)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration.
# (Same correction as step 14: the printed listing had com_sct_ldi_sis_Sync here.)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_ssl_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_ssl_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
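Step 2 of lp5_mqinit.sh allows pre-encoded passwords so that the two MQ accounts can be created from a ready-made hash rather than a clear-text value, and the note after step 6 shows the resulting LDIF line. The following is an added example, not code from this guide, from OpenDS or from Open MQ, of producing and checking such a value. It assumes the {SSHA} layout OpenDS stores: base64( SHA-1(password || salt) || salt ) with an 8-byte random salt, wrapped once more in base64 on the LDIF line (hence the double colon). The clear-text sample password is constructed for this example; the sample LDIF line is the one printed after step 6. {SSHA} is salted SHA-1 with no work factor, so give these service accounts long random passwords, generate the value on the admin host with a fresh salt per user, and never copy one user's value to another.

```python
"""Generate and verify OpenDS-style {SSHA} pre-encoded userPassword values (added example)."""
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"
SALT_LEN = 8      # salt length OpenDS uses for SSHA (assumption stated in the lead-in)
DIGEST_LEN = 20   # SHA-1 digest length


def ssha_encode(password, salt=None):
    """Return '{SSHA}<base64(digest||salt)>' for password (str); salt defaults to 8 random bytes."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(encoded):
    """Split an {SSHA} value into (digest, salt); raise ValueError for any other scheme."""
    if not encoded.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[len(SCHEME):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value too short to hold a digest and a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password, encoded):
    """True if password matches the stored {SSHA} value (constant-time digest compare)."""
    try:
        digest, salt = ssha_parts(encoded)
    except ValueError:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword(encoded):
    """The LDIF attribute line for a pre-encoded value (double colon = base64-wrapped value)."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def ldif_decode(line):
    """Inverse of ldif_userpassword: recover the {SCHEME}... value from a 'userPassword:: ...' line."""
    prefix = "userPassword:: "
    if not line.startswith(prefix):
        raise ValueError("not a base64-wrapped userPassword line")
    return base64.b64decode(line[len(prefix):]).decode("ascii")


# The LDIF line printed in the guide after step 6 of lp5_mqinit.sh.
GUIDE_SAMPLE_LINE = "userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="

if __name__ == "__main__":
    value = ssha_encode("s3cret-example")   # constructed sample password
    print(ldif_userpassword(value))
    print(ssha_verify("s3cret-example", value), ssha_verify("wrong", value))
```

Paste the printed `userPassword::` line in place of the clear-text `userPassword:` line in step 6 or 7. `ldif_decode(GUIDE_SAMPLE_LINE)` shows the guide's sample is a 20-byte digest followed by an 8-byte salt, which is the layout assumed above.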
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not correct:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:
SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;
In Oracle's syntax the user named first (USER1) is the client identity and the user after THROUGH (USER2) is the proxy that authenticates on its behalf; existing grants are visible in the PROXY and CLIENT columns of DBA_PROXIES. USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed; USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When "Authorize BANPROXY" is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center, and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect-through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given SPRIDEN ID or Luminis Platform user, use the gspprxy.g$_get_proxy_info procedure or the proxyinfo.sql script (run as bansecr) described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is deliberately indirect to make hijacking the handoff and similar attacks harder. The installation process is manual so that each site's administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg, as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=... in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1. Any messages still persisted there and not yet delivered are discarded with them.
3. Delete any lock files.
Another SOAP-related error is an HTTP transport error, which can occur even if all the JMS queues are configured and operating correctly. This error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following validation statement, which is printed there without its closing single quote; it should read:
1. select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE';
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB server under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If the streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
Enable LDAP user repository for MQ
Update <glassfish domain>/imq/instances/imqbroker/props/config.properties to include the following properties:
imq.authentication.type=basic
imq.authentication.basic.user_repository=ldap
imq.user_repository.ldap.uidattr=cn
imq.user_repository.ldap.grpsearch=false
imq.user_repository.ldap.server=localhost:389
imq.user_repository.ldap.base=ou=People,o=messaging
imq.user_repository.ldap.principal=cn=<user>,ou=People,o=messaging
imq.user_repository.ldap.password=<password>
The <user> and <password> values should represent a privileged user in ou=People,o=messaging. Both MQ_LMG_USER and MQ_LUM_USER qualify if you ran lp5_mqinit.sh, since it specifically grants them read, search and compare privileges in o=messaging. The bind password is stored in clear text in config.properties, so restrict that file to the account the broker runs as. The broker reaches the directory over plain LDAP on port 389 here, which is acceptable only while the directory is on the same host (localhost) as configured; for a remote directory set imq.user_repository.ldap.ssl.enabled=true and point the server property at the LDAPS port.
To enable logging in the same style as the Luminis Platform 4 mb-broker.log file in $CP_ROOT/logs, add the following parameters to your MQ config.properties file:
imq.destination.logDeadMsgs=true
imq.log.file.dirpath=<path>/logs
imq.log.file.filename=mb-broker.log
imq.log.file.rolloverbytes=1048576
imq.log.file.rolloversecs=0
imq.log.level=ERROR
Change the latter imq.log.level to INFO for low-level/debug logging.
Another log that may be useful after the LDAP user repository is enabled is <opends>/logs/access. This log shows whether bind attempts are successful.
Set up GlassFish MQ access control
Below is a sample <imq>/instances/imqbroker/etc/accesscontrol.properties which can be edited to suit your needs. After the LDAP user repository is enabled for authentication, one of your users in LDAP should be granted ADMIN access in order to perform administrative functions with MQ.
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis. Spell the user names exactly as they appear in LDAP: a rule that names a user who does not exist protects nothing, because the misspelled name matches nobody and the client you meant to allow is not in the list. (The listing as printed had "lumser" in three of the lines below; they are corrected here.)
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
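Because a misspelled principal in accesscontrol.properties fails silently, it is worth checking the file against the accounts that actually exist in ou=People,o=messaging. The following is an added example, not code from this guide or from Open MQ: it parses rules of the form `<connection|queue|topic>[.<destination>].<operation>.<allow|deny>.<user|group>=p1,p2`, reports every user principal that is not a known account, and summarises which users may perform each operation on each destination. The sample file is constructed; it repeats the rules above with the "lumser" misspelling left in on purpose, and the known-user set is assumed to be the two accounts lp5_mqinit.sh creates.

```python
"""Check an Open MQ accesscontrol.properties file for unknown principals (added example)."""
import re

RULE_RE = re.compile(
    r"^(?P<res>connection|queue|topic)\."
    r"(?:(?P<name>[^.]+)\.)?"
    r"(?P<op>[A-Za-z]+)\.(?P<access>allow|deny)\.(?P<ptype>user|group)$"
)


def parse_rules(text):
    """Return a list of rule dicts; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        m = RULE_RE.match(key.strip())
        if not sep or not m:
            raise ValueError("unrecognised rule: " + line)
        rule = m.groupdict()
        rule["principals"] = [p.strip() for p in value.split(",") if p.strip()]
        rules.append(rule)
    return rules


def rule_key(rule):
    """Rebuild the property name of a parsed rule."""
    parts = [rule["res"]]
    if rule["name"]:
        parts.append(rule["name"])
    parts += [rule["op"], rule["access"], rule["ptype"]]
    return ".".join(parts)


def unknown_principals(rules, known_users):
    """(rule key, principal) pairs for user rules whose principal is not a known account."""
    bad = []
    for rule in rules:
        if rule["ptype"] != "user":
            continue
        for p in rule["principals"]:
            if p != "*" and p not in known_users:
                bad.append((rule_key(rule), p))
    return bad


def allowed_users(rules, res, name, op):
    """Users explicitly allowed (allow rules minus deny rules) for one operation on one resource."""
    allow, deny = set(), set()
    for rule in rules:
        if rule["ptype"] != "user" or rule["res"] != res or rule["name"] != name or rule["op"] != op:
            continue
        (allow if rule["access"] == "allow" else deny).update(rule["principals"])
    return allow - deny


def matrix(rules):
    """{(res, name, op): sorted allowed users} for every destination rule, for a quick review."""
    keys = {(r["res"], r["name"], r["op"]) for r in rules if r["res"] != "connection"}
    return {k: sorted(allowed_users(rules, *k)) for k in keys}


# Constructed sample accesscontrol.properties content (the 'lumser' misspelling is deliberate).
SAMPLE = """\
# LDAP accounts: lumuser (Luminis), lmguser (LMG)
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""
KNOWN_USERS = {"lumuser", "lmguser"}   # assumed: the two accounts created by lp5_mqinit.sh

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for key, who in unknown_principals(rules, KNOWN_USERS):
        print("unknown user %r in %s" % (who, key))
    for (res, name, op), users in sorted(matrix(rules).items()):
        print(res, name, op, users)
```

For a live check, read the real file with `parse_rules(open(path).read())` and build `KNOWN_USERS` from an ldapsearch of ou=People,o=messaging; every line `unknown_principals` reports is a rule that currently allows nobody it was meant to allow.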
Custom JMS Clients
Ensure your JMS clients contain the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match those in <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform
The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish/MQ/Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.
In most cases, installation is simply extracting the archive to a desired directory.
As a reference installation, you could use the following steps to install GlassFish on a Linux 4.x or 5.x server:
1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps:
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps:
Note: The imqusermgr command creates users in the file-system based user repository; it can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password, or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details, or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jms.userid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default, the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for the other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
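To confirm the static-port change without reading the telnet output by eye, here is an added Python check (example code, not from the guide or from Ellucian): it parses a portmapper response in the format shown above and compares the admin, jms and ssljms ports against the imq.*.port values in config.properties, flagging any service still on an ephemeral port or not listening at all. The sample response and properties are constructed; fetch_portmapper mirrors the telnet test against a live broker and is not used by the offline check.

```python
"""Verify that an Open MQ broker advertises the static ports pinned in
config.properties. Added example; not part of the Luminis/Banner guide."""
import socket
from typing import Dict, Tuple

# Constructed sample in the format of the portmapper broadcast shown above.
SAMPLE_PORTMAPPER = """101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,imqhome=/opt/glassfishv3/mq,sessionid=1]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://host/jndi/rmi://host:8686/host/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""

# Constructed sample of the lines appended to config.properties.
SAMPLE_CONFIG = """imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
"""

# Portmapper service name -> config.properties key that pins its port.
STATIC_PORT_KEYS = {
    "admin": "imq.admin.tcp.port",
    "jms": "imq.jms.tcp.port",
    "ssljms": "imq.ssljms.tls.port",
}


def parse_portmapper(text: str) -> Dict[str, int]:
    """Map service name -> port. The first line ('101 imqbroker 4.5') is the
    status line; each later line is '<service> <protocol> <type> <port> [attrs]'."""
    ports: Dict[str, int] = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4 or not parts[3].isdigit():
            continue
        ports[parts[0]] = int(parts[3])
    return ports


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for the key=value lines of config.properties."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_static_ports(portmapper_text: str, config_text: str) -> Dict[str, Tuple[int, int]]:
    """Return {service: (expected, actual)} for every pinned service whose
    advertised port differs from config.properties. A service absent from the
    broadcast (or listed with port 0, e.g. ssljms when TLS is off) is reported
    as 0, so an unused firewall opening is visible to the operator."""
    advertised = parse_portmapper(portmapper_text)
    props = parse_properties(config_text)
    mismatches: Dict[str, Tuple[int, int]] = {}
    for service, key in STATIC_PORT_KEYS.items():
        if key not in props:
            continue
        expected = int(props[key])
        actual = advertised.get(service, 0)
        if actual != expected:
            mismatches[service] = (expected, actual)
    return mismatches


def fetch_portmapper(host: str, port: int = 7676, timeout: float = 5.0) -> str:
    """Live equivalent of the telnet test: connect to the portmapper and read
    the broadcast until the broker closes the connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


if __name__ == "__main__":
    # Offline run against the constructed samples; pass
    # fetch_portmapper("<broker host>") in place of SAMPLE_PORTMAPPER for a live broker.
    print(check_static_ports(SAMPLE_PORTMAPPER, SAMPLE_CONFIG))
```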
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.
If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled within the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on the HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jms.userid>
com.sghe.luminis.imqConnectionCredentials=<jms.password>
com.sghe.luminis.imqBrokerHostName=<jms.host>
com.sghe.luminis.imqAddressList=mq://<jms.host>:7676/jms
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfish domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor spriden-ID lookup against LDAP involved in the SSO transaction. Instead, bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in the Luminis-CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or, by proxy, BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP from his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnig Web configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with the b_0110_twb8030001, or Web Tailor 8.2 with the b_0110_twb8020001. Otherwise, the bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base-dn. This base DN is not necessary unless the LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, click the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the dsconfig command from $CP_ROOT/products/opends/bin as follows:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select "Add one or more values".
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter "Use these values".
1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications.ldif" sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any user who does not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration, in turn, relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Please note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption, as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade, you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as mkdir $BANNER_HOME/key_dir.
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
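A small added Python check (example code, not from the guide or from Ellucian) that tests an enckey file against the rules given above before it is placed in KEY_DIR: key in column 1, letters and numbers, at least eight characters, length a multiple of eight, only the first 24 characters used. The padding character (a space) is an assumption, since the guide only says the key is padded to 24 characters; the sample keys are constructed.

```python
"""Check an enckey file against the key rules for GOKKSSO.
Added example; not part of the Luminis/Banner guide."""
from typing import Dict, List

MIN_LEN = 8       # characters the current DES encryption actually uses
BLOCK = 8         # a longer key must grow in multiples of eight
MAX_USED = 24     # GOKKSSO reads at most this many characters (DES3 key size)
PAD = " "         # assumption: the guide does not name the padding character


def check_enckey(contents: str) -> Dict[str, object]:
    """Return the key as GOKKSSO would use it plus any rule violations.
    'problems' make the key unusable; 'warnings' are accepted but notable."""
    problems: List[str] = []
    warnings: List[str] = []
    first_line = contents.split("\n", 1)[0].rstrip("\r")
    if not first_line.strip():
        problems.append("enckey is empty")
    if first_line[:1].isspace():
        problems.append("key must start in column 1")
    key = first_line.strip()
    if len(key) < MIN_LEN:
        problems.append(f"key has {len(key)} characters; at least {MIN_LEN} required")
    elif len(key) % BLOCK:
        problems.append(f"key length {len(key)} is not a multiple of {BLOCK}")
    if not (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)):
        problems.append("key must combine letters and numbers")
    if len(key) > MAX_USED:
        warnings.append(f"only the first {MAX_USED} characters are used; {len(key) - MAX_USED} ignored")
    if "\n" in contents.strip():
        warnings.append("enckey has more than one line; only the first line is the key")
    used = key[:MAX_USED]
    return {
        "des_key": used[:MIN_LEN],               # what the current DES code uses
        "des3_key": used.ljust(MAX_USED, PAD),   # 24-character key, padded (assumed pad)
        "problems": problems,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample key; read the real file with open(path).read().
    print(check_enckey("Banner2011Key001\n"))
```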
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is neither necessary nor recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value: Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP: Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping can be read accordingly.
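When many users need mappings, generating sso_map.ldif by hand invites DN typos; the added Python below (example code, not from the guide or from Ellucian) builds the o=usermap entries in exactly the layout shown in step 1, skips users whose Luminis and Oracle IDs already agree (the guide says those should have no entry), rejects IDs that would break the DN or map one Luminis ID twice, and reads a usermap LDIF back into a dictionary for auditing. The sample ID pairs are constructed.

```python
"""Generate and audit o=usermap LDIF entries mapping Luminis logon IDs to
Oracle/INB login names. Added example; not part of the Luminis/Banner guide."""
from typing import Dict, Iterable, List, Tuple

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
# Characters that need escaping in an LDAP DN; rejected outright here.
DN_UNSAFE = ',+"\\<>;=\n'


def usermap_entry(luminis_id: str, oracle_id: str) -> str:
    """One SCTSSOConfig entry: cn is the Luminis (LDAP) user and
    SCTSSOConfigString is the Banner/Oracle user, as in sso_map.ldif above."""
    return "\n".join([
        f"dn: cn={luminis_id},{USERMAP_BASE}",
        f"SCTSSOConfigString: {oracle_id}",
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        f"description: Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {oracle_id}",
        f"cn: {luminis_id}",
    ])


def build_usermap_ldif(pairs: Iterable[Tuple[str, str]]) -> str:
    """Emit entries only for users whose IDs differ. Raises ValueError for an
    ID that is empty or contains DN metacharacters, and for a Luminis ID that
    is mapped to two different Oracle IDs (the second mapping would be a
    silent precedence surprise once proxyinfo.sql is run)."""
    seen: Dict[str, str] = {}
    entries: List[str] = []
    for luminis_id, oracle_id in pairs:
        for value in (luminis_id, oracle_id):
            if not value or any(c in value for c in DN_UNSAFE):
                raise ValueError(f"unsafe ID for an LDIF DN: {value!r}")
        if luminis_id == oracle_id:
            continue  # same ID in both systems: no usermap entry wanted
        if luminis_id in seen and seen[luminis_id] != oracle_id:
            raise ValueError(f"{luminis_id} mapped to both {seen[luminis_id]} and {oracle_id}")
        if luminis_id in seen:
            continue  # exact duplicate pair, emit once
        seen[luminis_id] = oracle_id
        entries.append(usermap_entry(luminis_id, oracle_id))
    return "\n\n".join(entries) + ("\n" if entries else "")


def parse_usermap_ldif(text: str) -> Dict[str, str]:
    """Read a usermap LDIF (e.g. an export of the o=usermap tree) back into
    {luminis_id: oracle_id}, the per-user answer proxyinfo.sql would give."""
    mapping: Dict[str, str] = {}
    cn = oracle = None
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:                     # blank line ends an entry
            if cn and oracle:
                mapping[cn] = oracle
            cn = oracle = None
            continue
        key, _, value = line.partition(":")
        if key == "cn":
            cn = value.strip()
        elif key == "SCTSSOConfigString":
            oracle = value.strip()
    return mapping


# Constructed sample: one user needing a map, one whose IDs already agree.
SAMPLE_PAIRS = [("JoeSmith", "jsmith"), ("mjones", "mjones")]

if __name__ == "__main__":
    print(build_usermap_ldif(SAMPLE_PAIRS))
```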
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value is displayed as the Default value for new users who log in to Banner.
Parameter      Description
BIND_PASSWORD  The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER      A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.
DN             The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER         The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using the Internet URL format for LDAP, such as the following example: ldap://myldapserver:389
               Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT    Usermap option. Valid values are as follows: L - Login ID is being used for login mapping; N - No usermap option is used.
USERMAP_PRFX   Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV, you could also use the immutable ID to create the mapping.
               Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter  Description
LOCATION   To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows: file:d:\wallet for Windows, file:/u01/wallet for Unix.
PASSWORD   The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE       The SSL authentication mode, which can be one of the following values: 1 - No authentication is required (SSL encryption only); 2 - One-way authentication is required: the client certificate is authenticated by the server; 3 - Two-way authentication is required: the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports CAS versions
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temp location as CAS_EXTENSION=D:\Banner_IdM_Extension, and consider the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the util:map element with id="uniqueIdGeneratorsMap" in the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define the CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To crank up banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set the logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to the ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the logs under $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
Luminis Platform 503 November 2011Banner Integration Setup GuideLogs
Novemb
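The correlation described above (GOAEQRM Event Sequence equals the LMG EventID, and a healthy event shows a "valid document" line followed by a "published" line) can be scripted. The following Python script is an added example, not part of the guide: it parses LMG log lines in the log4j layout shown, groups them by event ID, and reports events that were validated but never confirmed as published to the broker. The sample log is constructed from the three lines above plus one extra event (370661) that stalls after validation; all function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the three lines from the guide plus one event (370661)
# that validated but never reached "published", so the check has a finding.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,110 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
"""

# log4j layout used by LMG: timestamp [thread] LEVEL logger - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>\w+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Message shapes that mark the stages of one event passing through LMG.
STAGES = [
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("published", re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("delivered", re.compile(r"The event (\d+) has been published to (\S+)")),
]


def parse_lmg_log(text):
    """Return {event_id: {stage: (timestamp, destination or None)}}."""
    events = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unrelated text or a multi-line continuation
        msg = m.group("msg")
        for stage, pattern in STAGES:
            hit = pattern.search(msg)
            if hit:
                dest = hit.group(2) if hit.lastindex and hit.lastindex >= 2 else None
                events[hit.group(1)][stage] = (m.group("ts"), dest)
                break
    return dict(events)


def incomplete_events(events):
    """Event IDs that were validated but never confirmed as published."""
    return sorted(eid for eid, stages in events.items()
                  if "validated" in stages and "published" not in stages)


def find_event(events, event_sequence):
    """Look up a GOAEQRM Event Sequence (== LMG EventID) in the parsed log."""
    return events.get(str(event_sequence))


if __name__ == "__main__":
    parsed = parse_lmg_log(SAMPLE_LOG)
    for eid, stages in sorted(parsed.items()):
        print(eid, {stage: ts for stage, (ts, _dest) in stages.items()})
    print("stuck after validation:", incomplete_events(parsed))
```

Run it against a real adapter.log by reading the file into the parser instead of SAMPLE_LOG; an event listed as "stuck after validation" is the one to trace onward into the broker logs described in the next section.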
GlassFish MQ 4.5 logs

If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:

1. Locate the default MQ logs as stored in the following location:
<glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log

2. To enable debug for those logs, run the following command:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG

This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG

3. To change the destination/filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files

This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:

• “Sample proxyinfo.sql script”
• “Sample 00-core.ldif”
• “Sample 99-user.ldif”
• “Sample sso_oclass_lum5.ldif”
• “Sample o=sctssoapplications.ldif”
• “Full lp5_mqinit.sh script”
Sample proxyinfo.sql script

The following is an example proxyinfo.sql script:

--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID,
-- such as INTEGMGR or WWW_USER, is returned then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
--   1) login to SQL as BANINST1
--   2) Type: start proxyinfo
--      to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail: 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS        TH 07-JUN-06
--
-- Audit Trail: 1.1
-- ___________________________________________________________
-- 1. Update                                          TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompts for the Luminis ID
  d varchar2(200);                    -- Oracle user returned
  e varchar2(200);                    -- role returned
  f varchar2(200);                    -- password returned (not printed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line('  Role: ' || e);
  --dbms_output.put_line('  PWD: ' || f);
  dbms_output.put_line('  Luminis User: ' || c);
  dbms_output.put_line('  Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif

The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

Sample 99-user.ldif

The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Sample sso_oclass_lum5.ldif

The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in “Sample o=sctssoapplications.ldif” on page C-4.

The following is a sample sso_oclass_lum5.ldif:

dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif

The following is a sample o=sctssoapplications.ldif file:

version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
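The entries above encode a two-step lookup: the cn=UserMapDN entry under o=config points at the user-map container, and each entry under that container maps a Luminis user (cn) to a Banner/Oracle user (SCTSSOConfigString); a Luminis user with no entry falls back to the default Oracle ID. The following Python script is an added illustration, not part of the guide or of Luminis: it parses the sample LDIF (including LDIF line folding, where a continuation line starts with one space, and base64 "attr::" values) and resolves a Luminis user the way that configuration implies. The LDIF content is a constructed copy of the sample above; the function names and the default-ID fall-through argument are my own.

```python
import base64

# Constructed copy of the sample o=sctssoapplications.ldif above; the long
# description is folded the LDIF way (continuation line starts with a space).
SAMPLE_LDIF = """\
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
"""


def parse_ldif(text):
    """Minimal LDIF content-record parser: {dn_lowercase: {attr: [values]}}.

    Handles folded lines (leading space), base64 values ('attr:: value') and
    comments. Attribute names and DNs are lower-cased because LDAP compares
    them case-insensitively. Change records (changetype:) are not needed here.
    """
    # Unfold first: a line starting with a single space continues the previous one.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = {}, {}
    for line in lines + [""]:            # sentinel flushes the last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line == "":
            if current:
                entries[current["dn"][0].lower()] = current
            current = {}
            continue
        name, _sep, value = line.partition(":")
        if value.startswith(":"):        # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def resolve_banner_user(entries, luminis_user, default_oracle_id):
    """Follow UserMapDN -> cn=<luminis_user>,<usermap> -> SCTSSOConfigString.

    Returns (oracle_user, mapped); mapped is False when no mapping exists and
    the default (typically a generic proxy ID) has to be used instead.
    """
    cfg = entries["cn=usermapdn,o=config,o=banner,o=sctssoapplications"]
    usermap_dn = cfg["sctssoconfigstring"][0]
    entry = entries.get(f"cn={luminis_user},{usermap_dn}".lower())
    if entry is None:
        return default_oracle_id, False
    return entry["sctssoconfigstring"][0], True


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    for user in ("kyle", "610009611", "nobody"):
        print(user, "->", resolve_banner_user(tree, user, "INTEGMGR"))
```

The same resolution is what proxyinfo.sql reports from the database side: a generic Oracle ID coming back for a Luminis user means the second lookup found no entry.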
Full lp5_mqinit.sh script

The full lp5_mqinit.sh script referred to in “Set up users and administered objects in o=messaging” on page 3-3 is listed below.

#!/bin/bash
# bash is required: the script uses [[ ]], (( )) and read -s.
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify
#VERBOSE="--verbose"

# User-configurable variables, before running script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors, might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break"
        break ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"

# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"
# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be
# (the value is the base64 of a "{SSHA}..." hash, hence the double colon):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (single quotes keep the literal $ in the JNDI lookup name)
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the destination name must be the queue itself, not the Sync topic)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting

This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.

Error message when banproxy is not configured correctly

The following error often indicates that the banproxy configuration is not set up properly:

ORA-28150: proxy not authorized to connect as client

If the default Oracle ID and connection user is the recommended integmgr ID, the following “connect through” grant is required for all non-INB users:

SQL> Alter user INTEGMGR grant connect through INTEGMGR;

The proxy (connect-through) connection for BANPROXY access should appear as follows:

SQL> Alter user USER1 grant connect through USER2;

USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.

When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.

For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.

For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.

To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in “Sample proxyinfo.sql script” on page C-1.
Banner Enterprise Identity Services - INB SSO

The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.

The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the webservices configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:

iamticket=iamticket

Reference the forms configuration across the board when referencing forms/frmservlet?config=… in BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.

If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as “SOAPException: faultCode=INVALID SOAP RESPONSE” in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:

1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1

3. Delete any lock files.

Another SOAP-related error, an HTTP transport error, can occur even if all the JMS queues are configured and operating correctly. This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:

http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy

Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.

Validating Banner Enterprise Identity Services event streams

The following topics provide more information about validating streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation

For more information, refer to the Banner Enterprise Identity Services Installation Guide.

One typo is the following:

1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME=IAM_EVENTS_CAPTURE (missing single quotes around IAM_EVENTS_CAPTURE)

2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql

These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.

3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')

The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')

If streams are locking on archivelogs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')

4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
To increase security for topics and queues within the MQ access control, set queue/topic-specific permissions. In this example, lmguser is the user connecting from LMG and lumuser is the user connecting from Luminis:

connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
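Destination-level rules like these are only as good as the principal names in them: a misspelled user in an allow rule silently leaves the real user without that permission, and a destination with no rule at all keeps whatever the broker's default is. The following Python script is an added check, not part of the guide or of Open MQ: it parses rules in the accesscontrol.properties format shown above, flags principals that are not in the expected set, and compares the effective allow-user grants against the intended producer/consumer matrix for the LMG and Luminis users. The rules text is constructed from the example above with the user on two lines deliberately misspelled as "lumser" so the check has something to report; the intended matrix and the function names are my own.

```python
# Constructed rules text: the example from the guide, with the misspelled
# principal "lumser" left in on two lines so the check has something to catch.
RULES_TEXT = """\
connection.ADMIN.allow.user=lumuser,lmguser
queue.com_sct_ldi_sis_UpdateReply.produce.allow.user=lmguser
queue.com_sct_ldi_sis_UpdateRequest.consume.allow.user=lmguser
topic.com_sct_ldi_sis_EntityEvents.consume.allow.user=lumuser
topic.com_sct_ldi_sis_EntityEvents.produce.allow.user=lumser,lmguser
topic.com_sct_ldi_sis_Error.consume.allow.user=lumser
topic.com_sct_ldi_sis_Error.produce.allow.user=lumuser,lmguser
topic.com_sct_ldi_sis_LmsSync.produce.allow.user=lmguser
topic.com_sct_ldi_sis_Sync.consume.allow.user=lumuser
topic.com_sct_ldi_sis_Sync.produce.allow.user=lmguser
"""

KNOWN_PRINCIPALS = {"lmguser", "lumuser"}

# Who is supposed to be able to do what, per the text above (my reading of it).
INTENDED = {
    ("topic", "com_sct_ldi_sis_EntityEvents", "consume"): {"lumuser"},
    ("topic", "com_sct_ldi_sis_EntityEvents", "produce"): {"lumuser", "lmguser"},
    ("topic", "com_sct_ldi_sis_Error", "consume"): {"lumuser"},
    ("topic", "com_sct_ldi_sis_Error", "produce"): {"lumuser", "lmguser"},
    ("topic", "com_sct_ldi_sis_LmsSync", "produce"): {"lmguser"},
    ("topic", "com_sct_ldi_sis_Sync", "consume"): {"lumuser"},
    ("topic", "com_sct_ldi_sis_Sync", "produce"): {"lmguser"},
    ("queue", "com_sct_ldi_sis_UpdateReply", "produce"): {"lmguser"},
    ("queue", "com_sct_ldi_sis_UpdateRequest", "consume"): {"lmguser"},
}


def parse_rules(text):
    """Parse <kind>.<name>[.<op>].<allow|deny>.<user|group>=<comma list> lines.

    Returns a list of dicts with kind, name, op (None for connection rules),
    decision, ptype, principals and the 1-based line number.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: no '=' in {raw!r}")
        parts = key.split(".")
        if parts[0] == "connection" and len(parts) == 4:
            kind, name, decision, ptype = parts      # no operation segment
            op = None
        elif parts[0] in ("queue", "topic") and len(parts) == 5:
            kind, name, op, decision, ptype = parts
        else:
            raise ValueError(f"line {lineno}: unrecognised rule key {key!r}")
        if decision not in ("allow", "deny") or ptype not in ("user", "group"):
            raise ValueError(f"line {lineno}: bad decision/principal type in {key!r}")
        principals = [p.strip() for p in value.split(",") if p.strip()]
        rules.append({"kind": kind, "name": name, "op": op, "decision": decision,
                      "ptype": ptype, "principals": principals, "line": lineno})
    return rules


def unknown_principals(rules, known):
    """(line, principal) pairs naming a user that is not in the expected set."""
    return [(r["line"], p) for r in rules if r["ptype"] == "user"
            for p in r["principals"] if p not in known]


def effective_grants(rules):
    """{(kind, name, op): set(users)} from allow-user rules on destinations."""
    grants = {}
    for r in rules:
        if r["kind"] == "connection" or r["decision"] != "allow" or r["ptype"] != "user":
            continue
        grants.setdefault((r["kind"], r["name"], r["op"]), set()).update(r["principals"])
    return grants


def compare_with_intended(grants, intended):
    """List of (destination triple, missing users, unexpected users) for mismatches."""
    findings = []
    for key in sorted(set(grants) | set(intended)):
        have, want = grants.get(key, set()), intended.get(key, set())
        if have != want:
            findings.append((key, sorted(want - have), sorted(have - want)))
    return findings


if __name__ == "__main__":
    parsed = parse_rules(RULES_TEXT)
    print("unknown principals:", unknown_principals(parsed, KNOWN_PRINCIPALS))
    for key, missing, extra in compare_with_intended(effective_grants(parsed), INTENDED):
        print(key, "missing:", missing, "unexpected:", extra)
```

The check deliberately ignores deny and group rules when computing grants, so that an unexpected allow cannot hide behind a later deny; extend effective_grants if your broker relies on deny rules or group membership.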
Custom JMS Clients

Ensure your JMS clients contain the same versions of jms.jar and imq.jar in their classpath for any connecting applications. These JAR files should match <glassfish>/mq/lib.
Configure JMS provider with Luminis Platform

The Open MQ configuration depends on the client's requirements. There are many available options for GlassFish domain settings, ports, Message Queue (MQ) services, and so on. When encountering problems with GlassFish/MQ/Update Center, reference http://java.net/jira/secure/IssueNavigator.jspa.

In most cases, installation is simply extracting the archive to a desired directory.

As a reference installation, you could use the following steps to install Open GlassFish on a Linux 4.x or 5.x server:

1. Download and install JDK 1.6.x.
Downloads and documentation can be obtained at the following URL:
http://java.sun.com/javase/downloads/widget/jdk6.jsp

2. Download and install the GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net

For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.

Use the following steps to configure GlassFish and MQ:

2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.

Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.

2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command.

3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.

To create a JMS user, complete the following steps.

Note: The imqusermgr command will create users in the file-system based user repository but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use in IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details or contact the Luminis-Integration ActionLine for additional help.

3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker

3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>

4. If desired, configure the Message Queue (MQ) to use static ports. By default, the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:

imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576

After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:

[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
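The "confirm the static ports" step above can be made repeatable, which matters when a firewall rule depends on the broker staying on 7574/7575. The following Python script is an added example, not from the guide: it parses the port mapper response in the format shown, reads the imq.<service>.<protocol>.port properties from config.properties, and reports any configured service that is still advertised on an ephemeral port (0 or an unexpected number) or not advertised at all. The port mapper text and the properties fragment are constructed from the second telnet session above; fetch_portmapper shows how the same text would be read from a live broker on port 7676. Function names are my own.

```python
import re
import socket

# Constructed from the second telnet session in the guide (after static ports).
PORTMAPPER_RESPONSE = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""

# Constructed config.properties fragment, as the guide has you append it.
CONFIG_PROPERTIES = """\
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
"""

# port mapper service line: <service> <protocol> <type> <port> [optional attrs]
SERVICE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)(?: \[(.*)\])?$")
# static-port property: imq.<service>.<protocol>.port=<port>
PORT_PROP_RE = re.compile(r"^imq\.([^.]+)\.([^.]+)\.port=(\d+)$")


def parse_portmapper(text):
    """Return (broker version line, {service: (protocol, type, port)})."""
    lines = text.strip().splitlines()
    services = {}
    for line in lines[1:]:
        m = SERVICE_RE.match(line)
        if m:
            name, proto, kind, port, _attrs = m.groups()
            services[name] = (proto, kind, int(port))
    return lines[0], services


def parse_static_ports(text):
    """{service: (protocol, port)} from imq.<svc>.<proto>.port properties."""
    out = {}
    for line in text.splitlines():
        m = PORT_PROP_RE.match(line.strip())
        if m:
            out[m.group(1)] = (m.group(2), int(m.group(3)))
    return out


def check_static_ports(services, configured):
    """Compare advertised ports with the configured static ones.

    Returns (service, problem) pairs; problem is 'not advertised' (service not
    in the active list), 'ephemeral' (still port 0) or a port/protocol mismatch.
    """
    problems = []
    for svc, (proto, want) in sorted(configured.items()):
        if svc not in services:
            problems.append((svc, "not advertised"))
            continue
        have_proto, _kind, have = services[svc]
        if have == 0:
            problems.append((svc, "ephemeral"))
        elif have != want or have_proto != proto:
            problems.append((svc, f"port {have}/{have_proto} advertised, {want}/{proto} configured"))
    return problems


def fetch_portmapper(host, port=7676, timeout=5.0):
    """Live equivalent of the telnet test: the broker writes the list and closes.
    Not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


if __name__ == "__main__":
    version, advertised = parse_portmapper(PORTMAPPER_RESPONSE)
    print(version)
    for svc, problem in check_static_ports(advertised, parse_static_ports(CONFIG_PROPERTIES)):
        print(f"{svc}: {problem}")
```

On the sample data the only finding is ssljms "not advertised": a static TLS port is configured but the ssljms service is not in imq.service.activelist, so nothing listens there, which is the kind of mismatch between config and firewall rule this check is meant to surface.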
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.

If Luminis Platform was installed with the default setting of jmsenabled=false, JMS can be enabled within the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties

Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier is doing all the JMS work while the portal tiers focus on the HTTPS traffic.

For example, the settings may appear as follows:

com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jms userid>
com.sghe.luminis.imqConnectionCredentials=<jms password>
com.sghe.luminis.imqBrokerHostName=<jms host>
com.sghe.luminis.imqAddressList=mq://<jms host>:7676/jms
5 The GlassFish Enterprise Server should be installed and the JMS and admin services listed in imqserviceactivelist within ltglassfishdomaingtimqinstancesimqbrokerpropsconfigproperties
51 To query the broker run the following command
cd ltglassfishgtmqbin
imqcmd query bkr -b ltlocalhostgt
52 To ensure the JMS service is active run the following command
imqcmd query svc -b ltlocalhostgt -n jms
53 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN
To update the default host change the jms-servicejms-host entry in ltglassfishgtdomainsdomain1configdomainxml so that the host parameter matches your FQDN as illustrated in the following example
ltjms-service default-jms-host=rdquodefault_JMS_hostrdquo type=rdquoEMBEDDEDrdquogt ltjms-host host=rdquomy-hostschooledurdquo name=rdquodefault_JMS_hostrdquo lazy-init=rdquotruerdquo gt
ltjms-servicegt
After you update the domainxml jms-service definition and restart the GlassFish domain use the FQDN on any IMQCMD commands
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not needed beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely on the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back through the portlets. No additional LDAP authentication or SPRIDEN-ID lookup against LDAP is involved in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, place trust in the initial CAS ticket, as in the Luminis-CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with banportals for each transaction, using the user's actual INB/Oracle user account or, by proxy, BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP from his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN such as o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base DN. This base DN is not necessary unless the LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run dsconfig from $CP_ROOT/products/opends/bin as follows:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select "Add one or more values".
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter "Use these values".
1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications.ldif" sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any user who does not have an explicit usermap entry, the default Oracle ID (usually banproxy) results. Because an entry in that tree decides which Oracle account the portal uses on a Luminis user's behalf, treat write access to the usermap tree as a privileged operation.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies on a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for INB channels such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server that hosts the user mappings. The Directory Manager password used to bind to LDAP is stored in GUAUPRF using DES encryption as provided by the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key (or password) to perform the encryption.
Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES view and the physical directory has not been created on your database server, create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory. This file is the secret that protects the stored Directory Manager password, so make it readable by the Oracle software owner only, not world-readable.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to copy the file manually from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
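The enckey rules stated in step 3 (column 1, letters and numbers, at least eight characters in multiples of eight, only the first 24 used, padded to 24) are easy to get wrong by hand and are not checked by banssodir.sql. The following is an added Python example, not part of this guide or of any Banner package, that validates an enckey file's contents against those rules and shows which characters the DES path and the GOKKSSO package actually see. The guide does not say which character is used for padding, so a space is assumed here; the file path passed to check_enckey_file is whatever your KEY_DIR contains.

```python
"""Check the contents of KEY_DIR/enckey against the rules stated in this guide."""
import re

DES_KEY_CHARS = 8        # characters the current DES code path uses
PACKAGE_KEY_CHARS = 24   # characters GOKKSSO reads (the key is padded to this length)


def check_enckey_text(text):
    """Return a list of rule violations for the file content `text` (empty means OK).

    The key is the first line of the file. Rules from the guide: it starts in
    column 1, contains both letters and digits, is at least 8 characters and a
    multiple of 8 long, and only its first 24 characters are ever used.
    """
    first_line = text.split("\n", 1)[0].rstrip("\r")
    problems = []
    if first_line != first_line.lstrip():
        problems.append("key must start in column 1 (leading whitespace found)")
    key = first_line.strip()
    if not key:
        return ["enckey is empty"]
    if len(key) < DES_KEY_CHARS:
        problems.append("key has %d characters; at least %d are required" % (len(key), DES_KEY_CHARS))
    elif len(key) % DES_KEY_CHARS:
        problems.append("key length %d is not a multiple of %d" % (len(key), DES_KEY_CHARS))
    if not (re.search(r"[A-Za-z]", key) and re.search(r"[0-9]", key)):
        problems.append("key must mix letters and numbers")
    if len(key) > PACKAGE_KEY_CHARS:
        problems.append("only the first %d characters are used; %d trailing characters are ignored"
                        % (PACKAGE_KEY_CHARS, len(key) - PACKAGE_KEY_CHARS))
    return problems


def effective_keys(text, pad=" "):
    """Return (des_key, padded_key): the 8 characters the current DES encryption uses
    and the 24-character value GOKKSSO works with. The padding character is an
    assumption (the guide only says the key is padded to 24)."""
    key = text.split("\n", 1)[0].strip()[:PACKAGE_KEY_CHARS]
    padded = key.ljust(PACKAGE_KEY_CHARS, pad)
    return padded[:DES_KEY_CHARS], padded


def check_enckey_file(path):
    """Read an enckey file from disk (path is site-specific) and validate it."""
    with open(path, "r", encoding="ascii") as fh:
        return check_enckey_text(fh.read())
```

Run check_enckey_file("$BANNER_HOME/key_dir/enckey" expanded to your real path) before running banssodir.sql; an empty list means the key satisfies every rule the guide states. Note that the example key PASSWORD in step 3 fails the letters-and-numbers rule, and that a key longer than 24 characters is accepted silently by GOKKSSO while the extra characters contribute nothing.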
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If a user's ID is the same in both systems, an entry in this location is neither necessary nor recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner, and the value is then cached. If you change a particular mapping, you must restart the banportals OC4J before the new mapping is read.
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value is displayed as the default value for new users who log in to Banner.
Parameter / Description
BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted as an LDAP URL, for example ldap://myldapserver:389.
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are as follows: L - Login ID is used for login mapping; N - No usermap option is used.
USERMAP_PRFX: Prefix for the usermap. This contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap option is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter / Description
LOCATION: To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where this wallet is created, in file URL format. For example: file:d:\wallet for Windows, file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode, one of the following values: 1 - No authentication is required (SSL encryption only); 2 - One-way authentication is required: the client certificate is authenticated by the server; 3 - Two-way authentication is required: the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports CAS versions
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry inside the existing <util:map id="uniqueIdGeneratorsMap"> element of the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs help you understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique log file that captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternatively, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, refer to the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.
If LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
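When an event is stuck, the question is which of the three stages above it reached, and whether a WARN or ERROR line sits between them. The following is an added Python example, not part of this guide or of LMG, that parses adapter.log lines in the layout shown above, groups them by event ID (the GOAEQRM Event Sequence), and reports events that never reached the broker or the publisher topic. The sample log is constructed for the example: it contains the three lines from the guide plus an invented second event and an invented ERROR message; the message text of a real failure will differ.

```python
"""Trace Banner events through LMG adapter.log by event ID (the GOAEQRM Event Sequence)."""
import re

# One log4j line in the layout the guide shows: timestamp [thread] LEVEL logger - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# The INFO messages the guide shows for a successfully processed event, in order.
# Group 1 of each pattern is the event ID.
STAGES = [
    ("validated", re.compile(r"^XML for (\d+) is a valid document$")),
    ("broker", re.compile(r"^Message (\d+) published to Luminis Message Broker$")),
    ("topic", re.compile(r"^The event (\d+) has been published to (\S+)$")),
]

# Constructed sample: the three lines from the guide, plus an invented event that
# validated but never reached the broker and an invented ERROR line saying why.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,110 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,342 [Thread-1] ERROR events.com.sctcorp.events.MessageAdapter - Message 370661 not published: connection to broker refused
"""


def parse_line(line):
    """Split one log line into its fields; None if the line is not in the expected layout."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def trace_events(lines):
    """Return (trace, problems). trace maps event ID -> {stage: timestamp}, with the
    publish destination under 'destination'. problems collects WARN/ERROR/FATAL lines
    and lines that do not parse, which are what to read after reproducing a failure."""
    trace, problems = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                problems.append("unparsed: " + line.strip())
            continue
        if rec["level"] in ("WARN", "ERROR", "FATAL"):
            problems.append("%s %s %s" % (rec["ts"], rec["level"], rec["msg"]))
        for stage, pattern in STAGES:
            m = pattern.match(rec["msg"])
            if m:
                entry = trace.setdefault(m.group(1), {})
                entry[stage] = rec["ts"]
                if stage == "topic":
                    entry["destination"] = m.group(2)
    return trace, problems


def incomplete_events(trace):
    """Event IDs that did not reach every stage, with the stages they are missing."""
    required = [name for name, _ in STAGES]
    return {
        event_id: [s for s in required if s not in stages]
        for event_id, stages in trace.items()
        if any(s not in stages for s in required)
    }


if __name__ == "__main__":
    trace, problems = trace_events(SAMPLE_LOG.splitlines())
    print("incomplete:", incomplete_events(trace))
    print("problems:", problems)
```

Feed it the real file with trace_events(open("adapter.log")) and compare incomplete_events() against the Event Sequence values still sitting at a non-processed status on GOAEQRM; an event that is missing the "broker" stage points at the Luminis Message Broker connection, one missing only "topic" at the publisher side, and the problems list gives the surrounding error text and timestamp to take to support.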
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location:
<glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination directory and filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) Log in to SQL*Plus as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS          TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                           TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompts for the Luminis ID (scan on)
  d varchar2(200);                    -- Oracle user returned by the lookup
  e varchar2(200);                    -- role returned by the lookup
  f varchar2(200);                    -- password returned; deliberately not printed
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/sh
# author: davidnorton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc; general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#   (the script uses [[ ]], read -s and (( )), so /bin/sh must be bash)
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0
# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      #   err=20 generally means "Attribute or Value Exists"
      #   err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break 2 ;;
          * ) echo "Failed on step $STEPNO with error $ERRORCODE"
              exit ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break"
        break ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit ;;
    esac
  done
}
# Step 0.1
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ( ! -d $OPENDS_DIR ) || ( ! -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit
fi

# Step 0.2
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be
# (base64-wrapped {SSHA} value, hence the double colon):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands
# (note that the Directory Manager password travels on the imqobjmgr command line via these options)
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (the lookup names are single-quoted so the shell does not expand "$com_sct_...")
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (imqDestinationName matches the UpdateRequest queue created with imqcmd above)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (imqDestinationName matches the UpdateReply queue created with imqcmd above)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
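The pre-encoded userPassword form that lp5_mqinit.sh mentions after STEP 6 (and that STEP 2 enables with ds-cfg-allow-pre-encoded-passwords) is an RFC 2307 style {SSHA} value: SHA-1 over the password followed by a salt, with the salt appended, base64-encoded, and then wrapped once more in base64 because ldapsearch and most LDIF tools emit userPassword in the double-colon form. The following Python is an added example, not part of the script or of Ellucian's deliverables: it builds and verifies such values, renders one as the LDIF line the script shows, and decodes the script's own sample line to show its shape. The function names and the 8-byte salt size are the example's own choices; the sample line is copied from the script.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The sample line from lp5_mqinit.sh (the base64 wraps an {SSHA} value).
SAMPLE_LDIF_LINE = ("userPassword:: "
                    "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==")

SHA1_LEN = 20  # bytes of SHA-1 output that precede the salt in an {SSHA} value


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(sha1(password || salt) || salt).

    A fresh random salt is used unless one is supplied; supplying one is
    only useful for reproducing a known value (e.g. in a test).
    """
    if salt is None:
        salt = os.urandom(8)  # 8-byte salt, the size found in the script's sample
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(encoded: str) -> Tuple[bytes, bytes]:
    """Split an '{SSHA}...' value into (digest, salt). The salt is whatever
    follows the 20-byte digest, so any salt length is accepted."""
    if not encoded.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to hold a digest and a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: str, encoded: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = ssha_parts(encoded)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_password_line(encoded: str) -> str:
    """Render the value the way the script's comment shows it:
    'userPassword::' followed by base64 of the whole '{SSHA}...' string."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def decode_ldif_password_line(line: str) -> str:
    """Inverse of ldif_password_line: recover the '{SSHA}...' string."""
    name, sep, value = line.partition("::")
    if name.strip() != "userPassword" or not sep:
        raise ValueError("expected a base64 'userPassword::' line")
    return base64.b64decode(value.strip()).decode("ascii")


if __name__ == "__main__":
    value = ssha_encode("password")  # constructed sample password
    print(ldif_password_line(value))
    print("verify:", ssha_verify("password", value))
    print("script sample decodes to:", decode_ldif_password_line(SAMPLE_LDIF_LINE))
```

Because the value carries its own salt, the directory can verify a bind without ever seeing the clear-text password that STEP 6 and STEP 7 otherwise pass through $MQ_LMG_USER_PW and $MQ_LUM_USER_PW; SHA-1 here is the scheme OpenDS expects for {SSHA}, not a recommendation for new designs.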
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When "Authorize BANPROXY" is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect-through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID will be used for a given SPRIDEN ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, run as bansecr, described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE' (the guide's version is missing a single quote).
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
Data-Level Integration and Provisioning
2. Download and install GlassFish Server 3.1, which includes Open MQ. GlassFish downloads and documentation are located at the following URL:
http://glassfish.java.net
For documentation on subsequent GlassFish Server 3.x Open Source Edition releases greater than 3.1, refer to the link above.
Use the following steps to configure GlassFish and MQ:
2.1 Before running asadmin, for both non-SSL and SSL setups, complete the following steps.
Note: Edit the port numbers in domain.xml (glassfishv3/domains/domain1/config/domain.xml) as needed. If installing on the same server as Luminis Platform, you may need to change 8080 to 8081, for example, since 8080 is used by WebCache.
2.2 Once the GlassFish archive is extracted to <GLASSFISH_HOME> (such as /opt/glassfishv3), while logged in as root, start the GlassFish server from <GLASSFISH_HOME>/bin using the following command:
3. Create a JMS user that Luminis Platform can use to connect to JMS. This step is optional.
To create a JMS user, complete the following steps.
Note: The imqusermgr command creates users in the file-system based user repository but can be ignored if you are using an LDAP or JAAS-based user repository for MQ. The default credentials to use with IMQCMD are admin/admin. These credentials may differ in your environment if you have already changed the admin user's password or if you configured MQ to use an LDAP or JAAS-based user repository. Refer to the Open MQ Administration Guide for more details or contact the Luminis-Integration ActionLine for additional help.
3.1 If the jmsuserid property is something other than admin, run the following command from <GLASSFISH_HOME>/mq/bin:
imqusermgr add -u cpadmin -p pipeline -g admin -i imqbroker
3.2 In <GLASSFISH_HOME>/mq/bin, update the password if desired:
imqusermgr update -u admin -p <password>
4. If desired, configure the Message Queue (MQ) to use static ports. By default, the MQ uses ephemeral (dynamic) port assignments. The initial connection to the MQ is made on port 7676. The MQ then broadcasts the ports to use for other services, as illustrated below:
telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
If ephemeral ports are not enabled at the firewall, or if you otherwise prefer to use static ports, the firewall and the MQ must be configured to use static ports. The MQ is configured to use static ports by adding the following lines to the bottom of the file <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are being used as expected:
[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
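Reading the portmapper reply by eye works for one broker; with several brokers, or when the check belongs in a post-change test, it is easier to script the comparison between the ports the broker advertises and the three imq.*.port lines added to config.properties. The Python below is an added example, not part of the guide: the two reply texts are constructed from the before and after sessions above (hostnames and session ids replaced with constructed values), and the service name is taken from the second component of each key, following the imq.<service>.<protocol>.port pattern of the guide's three lines.

```python
from typing import Dict, Tuple

# Constructed from the two telnet sessions above (constructed host and session ids).
EPHEMERAL_REPLY = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,sessionid=1]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://broker.example.edu/jndi/rmi://broker.example.edu:8686/broker.example.edu/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
"""

STATIC_REPLY = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfishv3/glassfish/domains/domain1/imq,sessionid=2]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://broker.example.edu/jndi/rmi://broker.example.edu:8686/broker.example.edu/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""

# The three lines the guide adds to config.properties.
CONFIG_PROPERTIES = """\
imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
"""

Service = Tuple[str, str, int]  # (protocol, service type, port)


def parse_portmapper(reply: str) -> Dict[str, Service]:
    """Map service name -> (protocol, type, port) from a portmapper reply.

    Service lines look like '<name> <protocol> <type> <port> [options]'.
    The banner line ('101 imqbroker 4.5') and anything telnet itself prints
    are skipped because their fourth field is not a port number.
    """
    services: Dict[str, Service] = {}
    for line in reply.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[3].isdigit():
            continue
        services[fields[0]] = (fields[1], fields[2], int(fields[3]))
    return services


def parse_static_ports(props: str) -> Dict[str, int]:
    """Map service name -> configured port from imq.<service>.<proto>.port keys."""
    expected: Dict[str, int] = {}
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        parts = key.strip().split(".")
        if sep and len(parts) == 4 and parts[0] == "imq" and parts[3] == "port":
            expected[parts[1]] = int(value.strip())
    return expected


def check_static_ports(services: Dict[str, Service], expected: Dict[str, int]) -> Dict[str, str]:
    """Return {service: problem} for each configured service that is missing from
    the reply or advertised on another port; an empty dict means all ports match."""
    problems: Dict[str, str] = {}
    for name, port in expected.items():
        if name not in services:
            problems[name] = "not advertised by the portmapper (service inactive?)"
            continue
        actual = services[name][2]
        if actual != port:
            problems[name] = f"advertised on {actual}, configured {port}"
    return problems


if __name__ == "__main__":
    expected = parse_static_ports(CONFIG_PROPERTIES)
    for label, reply in (("before", EPHEMERAL_REPLY), ("after", STATIC_REPLY)):
        print(label, check_static_ports(parse_portmapper(reply), expected) or "all static ports in use")
```

Run against the "after" reply the check still flags ssljms, because that service does not appear in the broker's output at all; a port line in config.properties only fixes the port of a service that is active, which is what the imq.service.activelist setting in step 5 below governs.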
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.
If Luminis Platform was installed with the default setting of jmsenabled=false, JMS can be enabled within the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on the HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, and the jms and admin services listed in imq.service.activelist within <glassfish-domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any IMQCMD commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN-ID lookup against LDAP involved in the SSO transaction. Instead, bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in the Luminis CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or by proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP for his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with the b_0110_twb8030001, or Web Tailor 8.2 with the b_0110_twb8020001. Otherwise, bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control-panel to generate the o=SCTSSOapplications base-dn. This base DN is not necessary unless the LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the command in $CP_ROOT/products/opends/bin as follows:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select "Add one or more values".
1.4 Enter the DN. For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter "Use these values".
1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications.ldif" sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, it indicates that no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermapo=Bannero=sctssoapplications to function the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration This GUAUPRF configuration in turn relies upon a proper encryption-key configuration
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL Please note that for the purposes of INB channels such as the My Banner channel the mapping in GOBEACC does not apply Instead a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID to an OracleINB login name
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key (or password) to perform the encryption.
Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
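The key rules in step 3 (column 1, letters and numbers, at least eight characters, a multiple of eight, only the first 24 used, padded to 24) are easy to get wrong by hand. The following added example, which is not part of the Banner installation or the GOKKSSO package, checks an enckey file's contents against those rules before the file is placed in KEY_DIR. The pad character is not named in the guide, so a space is used here as a placeholder, and only the first line of the file is treated as the key.

```python
"""Check an enckey file against the rules stated in the guide.

Added example, not part of Banner or GOKKSSO. Assumptions: the pad character
used to bring the key to 24 characters is unspecified in the guide (a space is
used here), and only the first line of the file is the key.
"""

DES_KEY_CHARS = 8       # characters actually consumed by the current DES encryption
MAX_KEY_CHARS = 24      # characters GOKKSSO reads (DES3-sized key)


def validate_enckey(contents: str) -> list:
    """Return a list of rule violations for the enckey file contents (empty means OK)."""
    problems = []
    first_line = contents.split("\n", 1)[0].rstrip("\r")

    # Rule: the key must start in column 1.
    if first_line != first_line.lstrip():
        problems.append("key must start in column 1 (leading whitespace found)")
    key = first_line.strip()

    # Rule: at least eight characters, longer only in multiples of eight.
    if len(key) < DES_KEY_CHARS:
        problems.append(f"key has {len(key)} characters; at least {DES_KEY_CHARS} are required")
    elif len(key) % DES_KEY_CHARS != 0:
        problems.append(f"key length {len(key)} is not a multiple of {DES_KEY_CHARS}")

    # Rule: a combination of letters and numbers.
    if not any(c.isalpha() for c in key) or not any(c.isdigit() for c in key):
        problems.append("key must combine letters and numbers")

    # Rule: only the first 24 characters are used; anything beyond is silently dropped.
    if len(key) > MAX_KEY_CHARS:
        problems.append(f"only the first {MAX_KEY_CHARS} characters are used; the rest is ignored")
    return problems


def effective_keys(contents: str) -> tuple:
    """Return (des_key, padded_key): the 8 characters DES uses and the 24-character padded key."""
    key = contents.split("\n", 1)[0].strip()
    padded = key[:MAX_KEY_CHARS].ljust(MAX_KEY_CHARS)  # pad character is an assumption
    return padded[:DES_KEY_CHARS], padded


if __name__ == "__main__":
    # Constructed sample keys, not values from the guide.
    for sample in ("Secret99", "  Secret99", "Abc12345Xyz67890", "Secret9", "Abc123456"):
        print(repr(sample), validate_enckey(sample) or "OK")
    print(effective_keys("Abc12345Xyz67890"))
```

Run it against the file before the banssodir.sql step; an empty list means the key satisfies every rule the guide states, and effective_keys shows which eight characters the current DES encryption actually consumes.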
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user ID for a user is the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value: Luminis ID = jsmith, Oracle/Banner ID = jsmith
• Mapped to one another in LDAP: Luminis ID = JoeSmith, Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the new mapping is read.
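Sites with more than a handful of mismatched IDs will want to generate sso_map.ldif rather than type it. The following added example is not part of the Banner or Luminis Platform deliverables: it builds the entries in exactly the form shown in step 1 for every (Luminis ID, Banner ID) pair whose IDs differ, skipping identical pairs as the text recommends, reads such a file back (including LDIF line folding), and reports any entry that maps an ID to itself, which is the case the guide says should not be in the tree. The usermap base DN is a parameter; the sample pairs are constructed.

```python
"""Build, parse and check o=usermap LDIF entries.

Added example, not part of Banner or Luminis Platform. Assumption: the usermap
base DN is passed in (default taken from the guide's example DN).
"""

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"


def build_usermap_ldif(pairs, base_dn=USERMAP_BASE) -> str:
    """Return LDIF text mapping Luminis IDs to Banner/Oracle IDs.

    `pairs` is an iterable of (luminis_id, banner_id). Pairs whose IDs are
    identical are skipped, since the guide says such users must not be mapped.
    """
    entries = []
    for luminis_id, banner_id in pairs:
        if luminis_id == banner_id:
            continue
        entries.append("\n".join([
            f"dn: cn={luminis_id},{base_dn}",
            f"SCTSSOConfigString: {banner_id}",
            "objectClass: top",
            "objectClass: SCTSSOConfig",
            f"description: Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {banner_id}",
            f"cn: {luminis_id}",
        ]))
    return "\n\n".join(entries) + ("\n" if entries else "")


def _unfold(block: str) -> list:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for line in block.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        elif line and not line.startswith("#"):
            lines.append(line)
    return lines


def parse_usermap_ldif(text: str) -> dict:
    """Return {luminis_id: banner_id} from every SCTSSOConfig entry in the LDIF text."""
    mapping = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in _unfold(block):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        if "SCTSSOConfig" not in attrs.get("objectClass", []):
            continue
        cn = attrs.get("cn", [None])[0]
        target = attrs.get("SCTSSOConfigString", [None])[0]
        if cn and target:
            mapping[cn] = target
    return mapping


def self_mapped(mapping: dict) -> list:
    """Return the IDs that are mapped to themselves (entries the guide says not to create)."""
    return sorted(cn for cn, target in mapping.items() if cn == target)


if __name__ == "__main__":
    # Constructed sample pairs; jdoe is identical on both sides and is therefore skipped.
    ldif = build_usermap_ldif([("JoeSmith", "jsmith"), ("jdoe", "jdoe")])
    print(ldif)
    print(parse_usermap_ldif(ldif))
```

Feed the output of build_usermap_ldif to the ldapmodify command in step 2; run parse_usermap_ldif and self_mapped over an exported copy of the tree when a user unexpectedly lands on a generic Oracle account in proxyinfo.sql.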
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value is displayed as the Default value for new users who log in to Banner.
Parameter: Description
BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine if users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using Internet URL format for LDAP, such as the following example: ldap://myldapserver:389
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are as follows: L (LoginID is being used for login mapping); N (no usermap option is used).
USERMAP_PRFX: Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter: Description
LOCATION: To configure SSL, a certificate wallet must be created on the Database Server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows: file:d:\wallet for Windows, file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode can be one of the following values: 1 - No authentication is required (SSL encryption only); 2 - One-way authentication is required, the client certificate is authenticated by the server; 3 - Two-way authentication is required, the client and the server authenticate each other's certificates.
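GUAUPRF accepts whatever is typed into each field, and the two tables above carry dependencies between fields (an ldaps:// SERVER needs the SSL key filled in, USERMAP_OPT=L needs a prefix). The following added example, which is not Banner code, applies the stated rules to a parameter set before it is entered: URL format of SERVER, the L/N usermap values, the file: wallet location, MODE 1 to 3, and the ldaps/SSL-key dependency. It also points out MODE=1, which the table describes as encryption only with no authentication. Parameters are passed as a dict keyed by the GUAUPRF names; the sample sets are constructed.

```python
"""Consistency check for the GUAUPRF LDAP and SSL key parameters.

Added example, not Banner code. Assumption: parameters are supplied as a
plain dict keyed by the GUAUPRF parameter names from the tables above.
"""
from urllib.parse import urlparse

USERMAP_OPTIONS = {"L": "LoginID used for login mapping", "N": "no usermap"}
SSL_MODES = {1: "SSL encryption only", 2: "one-way authentication", 3: "two-way authentication"}


def check_guauprf(params: dict) -> list:
    """Return a list of findings; an empty list means the parameter set is consistent."""
    findings = []
    server = params.get("SERVER", "")
    url = urlparse(server)
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        findings.append(f"SERVER must be an LDAP URL such as ldap://myldapserver:389, got {server!r}")

    # The bind against the usermap directory needs all three of these.
    for key in ("BIND_USER", "BIND_PASSWORD", "DN"):
        if not params.get(key):
            findings.append(f"{key} is required for the LDAP bind")

    opt = params.get("USERMAP_OPT")
    if opt not in USERMAP_OPTIONS:
        findings.append(f"USERMAP_OPT must be one of {sorted(USERMAP_OPTIONS)}, got {opt!r}")
    elif opt == "L" and not params.get("USERMAP_PRFX"):
        findings.append("USERMAP_OPT=L needs USERMAP_PRFX (delivered default is cn=)")

    # LDAPS requires the SSL key: wallet location, wallet password and a mode.
    if url.scheme == "ldaps":
        if not params.get("LOCATION", "").startswith("file:"):
            findings.append("ldaps:// requires the SSL key LOCATION in file URL format (file:/u01/wallet)")
        if not params.get("PASSWORD"):
            findings.append("ldaps:// requires the wallet PASSWORD in the SSL key")
        mode = params.get("MODE")
        if mode not in SSL_MODES:
            findings.append(f"MODE must be 1, 2 or 3, got {mode!r}")
        elif mode == 1:
            findings.append("MODE=1 is SSL encryption only; neither side's certificate is authenticated")
    return findings


# Constructed sample parameter sets (not values from the guide).
SAMPLE_LDAP = {
    "SERVER": "ldap://myldapserver:389",
    "BIND_USER": "cn=Directory Manager",
    "BIND_PASSWORD": "placeholder",
    "DN": "o=config,o=Banner,o=SCTSSOapplications",
    "USERMAP_OPT": "L",
    "USERMAP_PRFX": "cn=",
}
SAMPLE_LDAPS_NO_WALLET = dict(SAMPLE_LDAP, SERVER="ldaps://myldapserver:636")
SAMPLE_LDAPS_MODE1 = dict(SAMPLE_LDAPS_NO_WALLET, LOCATION="file:/u01/wallet", PASSWORD="placeholder", MODE=1)

if __name__ == "__main__":
    for name, sample in (("ldap", SAMPLE_LDAP), ("ldaps, no wallet", SAMPLE_LDAPS_NO_WALLET),
                         ("ldaps, mode 1", SAMPLE_LDAPS_MODE1)):
        print(name, check_guauprf(sample) or "OK")
```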
Appendix A: CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions for which a file is listed below.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry inside the <util:map id="uniqueIdGeneratorsMap"> element of the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to util:list - argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add entry keys UDC_IDENTIFIER and Formatted Name to bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
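Steps 4.5.1 and 4.5.3 declare the same attribute names twice, once as LDAP attribute to principal attribute in attributeRepository (ldapAttributesToPortalAttributes) and once as SAML name to LDAP attribute in UDCPersonAttributeDaoUtil (samlToLdapAttributeNameMap). In the listings above, UDC_IDENTIFIER is udcid in both, but Formatted Name is givenname in the first map and sn in the second, and a name that is read from a different LDAP attribute depending on which bean resolves it is a confusing thing to debug later. The following added example, which is not part of the CAS extension or the guide, parses both beans out of deployerConfigContext.xml and reports every SAML name whose two LDAP attributes disagree, so the administrator can confirm which attribute is intended. The XML below is a constructed fragment containing only the two beans, in plain namespace-free Spring syntax.

```python
"""Cross-check the two attribute maps added to deployerConfigContext.xml.

Added example, not part of the CAS extension. Assumption: the file uses the
plain <bean>/<property>/<map>/<entry> structure shown in steps 4.5.1 and 4.5.3.
"""
import xml.etree.ElementTree as ET

# Constructed fragment with only the two beans the check needs.
SAMPLE_CONFIG = """<beans>
  <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="ldapAttributesToPortalAttributes">
      <map>
        <entry key="uid" value="uid" />
        <entry key="udcid" value="UDC_IDENTIFIER" />
        <entry key="givenname" value="Formatted Name" />
      </map>
    </property>
  </bean>
  <bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
    <property name="samlToLdapAttributeNameMap">
      <map>
        <entry key="UDC_IDENTIFIER" value="udcid" />
        <entry key="Formatted Name" value="sn" />
      </map>
    </property>
  </bean>
</beans>"""


def read_map(root, bean_id: str, property_name: str) -> dict:
    """Return {key: value} for the <map> under the named property of the named bean."""
    path = f"./bean[@id='{bean_id}']/property[@name='{property_name}']/map/entry"
    return {e.get("key"): e.get("value") for e in root.findall(path)}


def attribute_mismatches(xml_text: str) -> dict:
    """Return {saml_name: (ldap_attr_in_attributeRepository, ldap_attr_in_samlMap)}
    for every SAML name that the two maps resolve to different LDAP attributes."""
    root = ET.fromstring(xml_text)
    ldap_to_portal = read_map(root, "attributeRepository", "ldapAttributesToPortalAttributes")
    saml_to_ldap = read_map(root, "UDCPersonAttributeDaoUtil", "samlToLdapAttributeNameMap")
    # Invert the first map so both are keyed by the principal/SAML name.
    portal_to_ldap = {portal: ldap for ldap, portal in ldap_to_portal.items()}
    return {
        name: (portal_to_ldap.get(name), ldap_attr)
        for name, ldap_attr in saml_to_ldap.items()
        if portal_to_ldap.get(name) != ldap_attr
    }


if __name__ == "__main__":
    for name, (repo_attr, saml_attr) in attribute_mismatches(SAMPLE_CONFIG).items():
        print(f"{name!r}: attributeRepository reads {repo_attr!r}, samlToLdapAttributeNameMap reads {saml_attr!r}")
```

To run it against a real file, read deployerConfigContext.xml into a string and pass it to attribute_mismatches; if the file declares the Spring p: or util: namespaces, strip or register them first, since the constructed sample above deliberately omits them.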
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties:
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
Appendix B: Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To crank up banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name '*.log'
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, refer to the log files under $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will, which take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jmslistener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO  events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO  events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO  events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
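The three lines above are the stages one event passes through: its XML is validated, it is published to the Luminis Message Broker, and it is published to the destination. When an event ID from GOAEQRM is missing from Luminis Platform, the question is which stage it stopped at. The following added example, which is not part of LMG or the guide, parses adapter.log lines in the format shown and reports for each event ID which stages it reached, so a missing stage narrows where to look next. The log lines it contains are constructed from the format above; the second event is constructed to stop after validation.

```python
"""Trace Banner event IDs through LMG adapter.log lines.

Added example, not part of LMG. The sample log is constructed in the format
the guide shows; event 370661 is made up to illustrate an incomplete event.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>\w+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)

# Message patterns for the three stages, in the order LMG reports them.
STAGES = [
    ("validated", re.compile(r"XML for (?P<id>\d+) is a valid document")),
    ("published_to_broker", re.compile(r"Message (?P<id>\d+) published to Luminis Message Broker")),
    ("published_to_destination", re.compile(r"The event (?P<id>\d+) has been published to (?P<dest>\S+)")),
]

SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO  events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO  events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO  events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,117 [Thread-11] INFO  events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,300 [Thread-1] WARN  events.com.sct.corp.events.MessageAdapter - Message 370661 not published: broker unavailable
"""


def parse_line(line: str):
    """Return the fields of one LMG log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def trace_events(log_text: str) -> dict:
    """Return {event_id: {stage: timestamp}} for every event ID seen in the log."""
    events = {}
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if not fields:
            continue
        for stage, pattern in STAGES:
            m = pattern.search(fields["msg"])
            if m:
                events.setdefault(m.group("id"), {})[stage] = fields["ts"]
    return events


def incomplete_events(log_text: str) -> dict:
    """Return {event_id: last_stage_reached} for events that never reached the destination."""
    order = [name for name, _ in STAGES]
    result = {}
    for event_id, stages in trace_events(log_text).items():
        if order[-1] not in stages:
            reached = [s for s in order if s in stages]
            result[event_id] = reached[-1] if reached else None
    return result


if __name__ == "__main__":
    for event_id, stages in trace_events(SAMPLE_LOG).items():
        print(event_id, ", ".join(stages))
    print("incomplete:", incomplete_events(SAMPLE_LOG))
```

Pass the contents of adapter.log to trace_events; the event ID to look for is the Event Sequence value shown on GOAEQRM.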
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination directory or filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
Appendix C: Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS    TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                     TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 741
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';        -- application type
  b varchar2(200) := 'LUMINIS';        -- calling system
  c varchar2(200) := '&Luminis_ID';    -- prompts for the Luminis ID when the script runs
  d varchar2(200);                     -- OUT: Oracle user resolved from the usermap (or the generic default)
  e varchar2(200);                     -- OUT: role
  f varchar2(200);                     -- OUT: password (not displayed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- dbms_output.put_line(' PWD: ' || f);   -- left commented out so the proxy password is not spooled
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
# (the script uses [[ ]], (( )) and read -s, so bash is the interpreter that works)
#
# Uncomment the following for verbose dsconfig/ldapmodify
# VERBOSE="--verbose"

# User-configurable variables: set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case... no pun
        echo "Outer loop break" ;;
      * )
        echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 0.1
# Some sanity checks before we start:
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d $OPENDS_DIR ) || ! ( -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 0.2
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")
 (targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational
  Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,
 ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LUM_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands. These bind to the insecure LDAP port with
# the Directory Manager password over a simple bind, so the credential crosses the network in
# the clear unless $HOSTNAME is the directory host itself; run this on that host or point
# the provider URL at an ldaps:// port.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have been done with imqcmd,
# as follows; explicit imqobjmgr is used to ensure fine-grained control over the JNDI
# AdministeredObjects location.
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
# The JNDI names below contain a literal "$", so they are single-quoted to stop the shell expanding them.
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# imqDestinationName must name the queue destination created for it (see the imqcmd lines above).
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_ssl_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_ssl_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting

This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.

Error message when banproxy is not configured correctly

The following error often indicates that the banproxy configuration is not correct:

ORA-28150: proxy not authorized to connect as client

If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:

SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;

The proxy (connect-through) grant for BANPROXY access should appear as follows:

SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;

USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed; USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.

When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.

For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.

For an INB user, the script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.

Note: You should manually assign the connect-through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.

To test which Oracle ID will be used for a given SPRIDEN ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, run as bansecr, described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO

The handoff logic between SSO systems is deliberately somewhat cryptic to make hijacking and similar attacks harder. The installation process is manual so that each site's administrative staff can customize their environment to use unique keywords.

The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg, as follows:

iamticket=iamticket

Reference the forms configuration consistently wherever forms/frmservlet?config=... is referenced in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header names in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.

If you see ajp-related errors in the Banner Enterprise Identity Services default island log, located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams upon which JMS relies. To correct the problem, complete the following steps:

1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

3. Delete any lock files.

Another SOAP-related error, an HTTP transport error, can occur even if all the JMS queues are configured and operating correctly. It suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, for example:

http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy

Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams

The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.

Oracle Streams/Banner Enterprise Identity Services validation

For more information, refer to the Banner Enterprise Identity Services Installation Guide. One typo there is the following:

1. The validation query is printed with a single quote missing around the capture name; it should read:

SELECT COUNT(*) FROM GSVCADT WHERE GSVCADT_CAPTURE_NAME = 'IAM_EVENTS_CAPTURE';

2. If the results from those validation SQL statements do not match the expected results, run the following scripts:

gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql

These are Banner General files located on your Banner database server under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.

3. Ensure that you are using General 8.3 or above, then enter the following commands:

exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')

The latter command should automatically begin the capture and apply. To begin them manually, enter the following commands:

exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')

If streams are locking on archive logs, you can remove the stream by entering the following command:

exec gp_streams_util.p_remove_streams('IAM')

4. To recreate and reconfigure the streams, enter the following commands:

exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
on port 7676. The MQ then broadcasts the ports to use for the other services, as illustrated below:

telnet localhost 7676
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=<GLASSFISH_HOME>/glassfish/domains/domain1/imq,imqhome=<GLASSFISH_HOME>/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.

If ephemeral ports are not enabled at the firewall, or if you otherwise prefer static ports, the firewall and the MQ must both be configured to use static ports. Whatever ports you settle on, remember that the admin service (39925 above) is the broker's administration listener and should be reachable only from the hosts that administer it. The MQ is configured to use static ports by adding the following lines to the bottom of <GLASSFISH_HOME>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:

imq.admin.tcp.port=7574
imq.jms.tcp.port=7575
imq.ssljms.tls.port=7576
After the iMQ reconfiguration, restart GlassFish (asadmin restart-domain) and re-run the telnet test, this time using the hostname (after the change in step 3.2), to confirm that the new static ports are in use:

[root@udclumsvc21 bin]# telnet udclumsvc21.sungardhe.com 7676
Trying 1492421528...
Connected to userportal.sungardhe.com (1492421528).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
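A way to automate the telnet check above, as an added example that is not from the guide or from Open MQ: the Python below parses the portmapper table into a service-to-port map and reports any expected service that is missing or still on some other (ephemeral) port, so the same check can be run from a firewall-side host after every broker restart. The two captures are constructed from the sessions above with the site's hostname and paths replaced by placeholders; `fetch_portmapper` assumes, as those sessions show, that the broker writes its table as soon as a client connects.

```python
import re
import socket
from typing import Dict, List

# Service ports the guide pins in config.properties (imq.admin.tcp.port, imq.jms.tcp.port,
# imq.ssljms.tls.port). "ssljms" only appears in the table once that service is active.
EXPECTED_STATIC: Dict[str, int] = {"admin": 7574, "jms": 7575, "ssljms": 7576}

# One table row: <service> <protocol> <type> <port> [key=value,...]
_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+(?P<type>\S+)\s+(?P<port>\d+)"
    r"(?:\s+\[(?P<props>[^\]]*)\])?\s*$"
)


def parse_portmapper(text: str) -> Dict[str, dict]:
    """Turn a portmapper reply (as captured from telnet) into {service: {proto, type, port, props}}.

    Lines that are not table rows (the "101 imqbroker 4.5" version line, telnet's own
    chatter, the closing message) do not match the row pattern and are skipped.
    """
    services: Dict[str, dict] = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        props: Dict[str, str] = {}
        for item in (m.group("props") or "").split(","):
            key, sep, value = item.partition("=")
            if sep:
                props[key.strip()] = value.strip()
        services[m.group("name")] = {
            "proto": m.group("proto"),
            "type": m.group("type"),
            "port": int(m.group("port")),
            "props": props,
        }
    return services


def check_static_ports(services: Dict[str, dict],
                       expected: Dict[str, int] = EXPECTED_STATIC) -> List[str]:
    """Return one message per expected service that is missing or not on its configured port.

    Port 0 in the table means the service has no TCP listener (jmxrmi, mqdirect2), so a 0
    for an expected service is reported like any other mismatch.
    """
    problems: List[str] = []
    for name, port in expected.items():
        entry = services.get(name)
        if entry is None:
            problems.append(f"{name}: not advertised by the broker (service inactive?)")
        elif entry["port"] != port:
            problems.append(f"{name}: advertised port {entry['port']}, expected {port}")
    return problems


def fetch_portmapper(host: str, port: int = 7676, timeout: float = 5.0) -> str:
    """Do what the telnet test does: connect and read until the broker closes the connection.

    Assumption (matches the captures in the guide): the broker sends the table on connect
    without waiting for a request. Not exercised offline.
    """
    chunks: List[bytes] = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


# Constructed sample input: the two telnet captures from this chapter (ephemeral ports before
# config.properties was edited, static ports after), with placeholder host and paths.
SAMPLE_BEFORE = """\
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfish/domains/domain1/imq,imqhome=/opt/glassfish/mq,sessionid=5263911276327346176]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://broker.example.edu/jndi/rmi://broker.example.edu:8686/broker.example.edu/7676/jmxrmi]
admin tcp ADMIN 39925
jms tcp NORMAL 42103
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 37453
Connection closed by foreign host.
"""

SAMPLE_AFTER = """\
101 imqbroker 4.5
cluster_discovery tcp CLUSTER_DISCOVERY 0
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/glassfish/domains/domain1/imq,imqhome=/opt/glassfish/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://broker.example.edu/jndi/rmi://broker.example.edu:8686/broker.example.edu/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        problems = check_static_ports(parse_portmapper(sample), {"admin": 7574, "jms": 7575})
        print(label, "OK" if not problems else problems)
```

Against a live broker, `check_static_ports(parse_portmapper(fetch_portmapper(fqdn)))` is the whole check; with the default expectation it will also tell you that ssljms is not advertised, which is exactly the case in the second capture above (the TLS port is set in config.properties but the service is not in imq.service.activelist).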
Note: If you have not installed Luminis Platform yet, these settings go in your setup.properties.

If Luminis Platform was installed with the default setting of jms.enabled=false, JMS can be enabled in $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties.

Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers concentrate on HTTPS traffic.

For example, the settings may appear as follows:

com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms

The broker credentials sit in this file in clear text, so keep it readable only by the account that runs Tomcat.
5. The GlassFish Enterprise Server should be installed, with the jms and admin services listed in imq.service.activelist in <glassfish domain>/imq/instances/imqbroker/props/config.properties.

5.1 To query the broker, run the following commands:

cd <glassfish>/mq/bin
./imqcmd query bkr -b <localhost>

5.2 To ensure the JMS service is active, run the following command:

./imqcmd query svc -b <localhost> -n jms

5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.

To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host attribute matches your FQDN, as in the following example:

<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
    <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>

After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any imqcmd commands.
Chapter 4 SSB and INB Integration

This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:

• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"

User ID mappings

User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is held in the GOBUMAP configuration, PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table, and PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.

The LDAP authentication layer is not needed beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back through the portlets. There is no additional LDAP authentication or SPRIDEN ID lookup against LDAP in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via /banner-cas-client/authorized/banner, trust the initial CAS ticket (as in the Luminis CAS login on port 8447) coupled with the assertion of the UDCID in the configured cookie and header.

Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or a proxy connection via BANPROXY.

Other questions to consider when setting up a user in Banner applications are as follows:

• Does the user have a map in GOBUMAP from his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured, via your CAS server's services management page (cas-web/services/manage.html), to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?

Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN

To create an optional base DN such as o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base-dn. This base DN is not necessary unless the LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.

For more information about managing base DNs with the control panel, see the following page:

https://www.opends.org/wiki/page/ManagingDnsWithControlpanel

To create the base DN, complete the following steps:

1. Run dsconfig from $CP_ROOT/products/opends/bin as follows:

dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced

1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select "Add one or more values".
1.4 Enter the DN, for example o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Select "Use these values".
1.7 Enter f to finish and apply the changes to the Local DB Backend.

2. Import the attached sso_oclass_lum5.ldif file as follows:

ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif

For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications" sections in Appendix C, "Sample Scripts and Files".

3. Import the sctssoapplications.ldif file:

import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline

The -w pipeline shown here is the sample Directory Manager password used throughout these examples; substitute your own, or pass it with -j <file> so it stays out of the process list and your shell history.
Verify usermap mapping setup for INB users using the proxyinfo.sql script

The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you for a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.

Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any user without an explicit usermap entry, the default Oracle ID (usually BANPROXY) results.

If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.

Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.

Configure user map lookups

In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.

The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for the purposes of INB channels such as the My Banner channel, the mapping in GOBEACC does not apply; instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis login ID with an Oracle/INB login name.
Create an encryption key

When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used for that bind is stored on GUAUPRF and is protected with DES encryption through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption. Bear in mind what that protects: anyone who can read both the GUAUPRF value and the enckey file described below can recover the Directory Manager password, so the key file needs the same care as the password itself.

Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.

If KEY_DIR does not exist in the DBA_DIRECTORIES view and the physical directory has not been created on your database server, create it using the following steps. Make sure the group permissions leave the file readable by Oracle.

1. Create the physical directory on your database server, for example:

mkdir $BANNER_HOME/key_dir

2. Create a plain text file named enckey in that directory.

3. Edit the enckey file and enter the key. (The example value PASSWORD used in the original text is only a placeholder; it has no digits and does not satisfy the rule below.)

Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption itself only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters since those are the characters used by the current DES encryption. In practice this means the first eight characters carry all of the key's strength, so make them random rather than a word.

The passwords stored and passed by the SSO process are encrypted using DES and your key.

4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the directory you created in step 1. For example, the directory may read as follows:

$BANNER_HOME/KEY_DIR

Note: If you cannot find the banssodir.sql script, you may need to copy it manually from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.

5. Run the script as follows:

sqlplus /nolog
connect general/general_password
start banssodir
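To check an enckey file before pointing GOKKSSO at it, here is an added example (Python, not part of Banner or of this guide) that applies the rules just listed to the file's first line and inspects the file mode. It assumes the key is the first line of the file and that the eight characters DES consumes are the first eight. It cannot make DES any stronger than its 56-bit key; its purpose is to catch a key that breaks the rules, or a key file that is readable by everyone on the database server, before either reaches production.

```python
import os
import stat
from typing import List

DES_KEY_CHARS = 8       # what DBMS_OBFUSCATION_TOOLKIT's DES actually consumes (assumption: the first eight)
USED_KEY_CHARS = 24     # what GOKKSSO reads (DES3-ready); anything beyond is ignored


def _first_line(contents: str) -> str:
    lines = contents.splitlines()
    return lines[0] if lines else ""


def validate_enckey(contents: str) -> List[str]:
    """Check the text of an enckey file against the rules stated above; return the violations.

    Rules: key on the first line starting in column 1, at least eight characters, a length
    that is a multiple of eight, and a mix of letters and digits. A key longer than 24
    characters is legal but its tail is never used, so that is reported as well.
    """
    problems: List[str] = []
    line = _first_line(contents)
    if not line.strip():
        return ["enckey is empty"]
    if line[0].isspace():
        problems.append("key must start in column 1 (leading whitespace found)")
    key = line.strip()
    if len(key) < DES_KEY_CHARS:
        problems.append(f"key must contain at least {DES_KEY_CHARS} characters")
    if len(key) % 8 != 0:
        problems.append("key length must be a multiple of eight")
    if not (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)):
        problems.append("key must contain both letters and digits")
    if any(c.isspace() for c in key):
        problems.append("key must not contain embedded whitespace")
    if len(key) > USED_KEY_CHARS:
        problems.append(f"only the first {USED_KEY_CHARS} characters are used; the rest is ignored")
    return problems


def effective_des_key(contents: str) -> str:
    """The eight characters that actually key the DES encryption today."""
    return _first_line(contents).strip()[:DES_KEY_CHARS]


def permission_problems(mode: int) -> List[str]:
    """Flag a mode that exposes the key beyond owner and group (group read is what Oracle needs)."""
    problems: List[str] = []
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        problems.append("enckey is accessible to other users; use mode 0640 or tighter")
    if mode & stat.S_IWGRP:
        problems.append("enckey is group-writable")
    return problems


def check_enckey_file(path: str) -> List[str]:
    """Validate an enckey file on disk: its contents plus its permission bits."""
    st = os.stat(path)
    with open(path, "r", encoding="ascii") as fh:
        contents = fh.read()
    return validate_enckey(contents) + permission_problems(stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    # Constructed sample contents, including the guide's own placeholder PASSWORD.
    for sample in ("PASSWORD\n", "Xk7q2Lm9Pq3rT5wZ\n", " abc12345\n"):
        print(repr(sample), validate_enckey(sample) or "OK", "DES key:", effective_des_key(sample))
```

Run `check_enckey_file("/path/to/key_dir/enckey")` as the oracle user on the database server; an empty list means the key satisfies the stated rules and nobody outside the owning group can read it.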
Create entries in LDAP for usermap

If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:

o=config,o=Banner,o=SCTSSOapplications

UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user's ID in the Banner database. If a user's ID is the same in both systems, an entry in this location is neither necessary nor recommended for that user.

In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:

• The same value:
  Luminis ID = jsmith
  Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
  Luminis ID = JoeSmith
  Oracle/Banner ID = jsmith

The following example explains how to establish and test the ID mapping if the IDs differ. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.

1. Create a mapping file, for example sso_map.ldif:

dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID JoeSmith to Banner/Oracle ID jsmith
cn: JoeSmith

2. Import the mapping file into the LDAP server:

ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline

Note: You must wait approximately 20 minutes for the mapping to take effect.

3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.

Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner, and the value is cached thereafter. If a particular mapping is changed, you must restart the banportals OC4J before the new mapping is read. Because an entry here decides which Oracle account a Luminis login acts as, write access to o=usermap should be limited to the Directory Manager or an equivalent administrative account.
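The following is an added Python example (not Banner code) that renders the mapping record above for any pair of IDs, escaping the cn per RFC 4514 so that a Luminis ID containing a comma or a leading "#" cannot change where the entry lands in the tree, and that models the lookup order this chapter describes: explicit o=usermap entry first, then a same-named INB account, then the default proxy ID. The case-insensitive account comparison and the account list are assumptions made for the demonstration; the real lookup happens inside Banner.

```python
import base64
from typing import Dict, Iterable

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"

# RFC 4514: these characters must be backslash-escaped inside an RDN value.
_DN_SPECIAL = {",", "+", '"', "\\", "<", ">", ";"}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (cn=<value>,...) per RFC 4514.

    Without this, a Luminis ID such as 'x,o=config' would place the mapping entry
    somewhere other than under o=usermap.
    """
    if not value:
        raise ValueError("empty RDN value")
    out = []
    for ch in value:
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        else:
            out.append(ch)
    escaped = "".join(out)
    if escaped[0] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def ldif_attr(name: str, value: str) -> str:
    """Render one LDIF attribute line, using the base64 ('::') form when RFC 2849 requires it."""
    safe = (
        value != ""
        and value.isascii()
        and value.isprintable()
        and value[0] not in (" ", ":", "<")
        and not value.endswith(" ")
    )
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def usermap_entry(luminis_id: str, oracle_id: str) -> str:
    """One SCTSSOConfig record in the shape shown above, ready for 'ldapmodify -a -f'."""
    lines = [
        f"dn: cn={escape_dn_value(luminis_id)},{USERMAP_BASE}",
        ldif_attr("SCTSSOConfigString", oracle_id),
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        ldif_attr("description", f"Map of Luminis ID {luminis_id} to Banner/Oracle ID {oracle_id}"),
        ldif_attr("cn", luminis_id),
        "",
    ]
    return "\n".join(lines)


def resolve_oracle_id(luminis_id: str, usermap: Dict[str, str], inb_accounts: Iterable[str],
                      default_oracle_id: str = "BANPROXY") -> str:
    """Model of the precedence the chapter describes (not Banner's own lookup code).

    An explicit o=usermap entry wins; otherwise an INB account with the same name is used
    as-is; otherwise the default proxy ID applies. Account names are compared
    case-insensitively (assumption).
    """
    if luminis_id in usermap:
        return usermap[luminis_id]
    if luminis_id.upper() in {a.upper() for a in inb_accounts}:
        return luminis_id
    return default_oracle_id


if __name__ == "__main__":
    print(usermap_entry("JoeSmith", "jsmith"))
    usermap = {"JoeSmith": "jsmith"}          # constructed: what o=usermap would hold
    for lid in ("JoeSmith", "jsmith", "student1"):
        print(lid, "->", resolve_oracle_id(lid, usermap, ["JSMITH"]))
```

Piping `usermap_entry(...)` into `ldapmodify -a` reproduces step 2 above; the resolver is useful for reasoning about what proxyinfo.sql should report for a given login before you wait the twenty minutes for the directory change to take effect.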
Configure parameters using GUAUPRF

To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:

1. Log on to Banner as the BASELINE user.

2. Access GUAUPRF.

3. Navigate to the LDAP tab.

4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value is displayed as the default for new users who log in to Banner.

Parameter       Description

BIND_PASSWORD   The password for the bind user. It is stored in the database using DES encryption with the encryption key you configured in an earlier step.

BIND_USER       A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.

DN              The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.

SERVER          The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter uses the Internet URL format for LDAP, for example: ldap://myldapserver:389. Over plain ldap:// the bind password travels in clear text, so use ldaps:// wherever the database and directory are not on the same host.
                Note: If you are using LDAPS, you should also configure the parameters in the SSL key.

USERMAP_OPT     Usermap option. Valid values are as follows:
                L  Login ID is used for login mapping
                N  No usermap option is used

USERMAP_PRFX    Prefix for the usermap. This parameter holds the prefix for the usermap option; the default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
                Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (login ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:

Parameter   Description

LOCATION    To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where the wallet was created, in file URL format. For example: file:d:/wallet for Windows, file:/u01/wallet for Unix.

PASSWORD    The password to the wallet, stored using DES encryption with the key you created in a previous step.

MODE        The SSL authentication mode, one of the following values:
            1 - No authentication is required (SSL encryption only; neither side's certificate is checked, so this does not protect against an impostor directory)
            2 - One-way authentication is required; the client authenticates the server's certificate
            3 - Two-way authentication is required; the client and the server authenticate each other's certificates
Appendix A CAS Server Configuration

Use the following steps to specify the LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.

For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.

1. If you do not already have a CAS server installed, download the JA-SIG CAS server distribution.

2. Download the CAS extensions JAR file.

A standard JAR file is available from SunGard Higher Education for modifying the CAS server, for each CAS version that SunGard Higher Education supports.

2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.

2.2 Select the file that supports your version of CAS:

SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip

3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
   4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
       jsr173_1.0_api.jar
       sghe_udc_identity_xmlbeans_binding.jar
       sghe-cas-ext.jar
       xbean.jar
       xercesImpl.jar
       xml-apis.jar
   4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it (the URL pattern must begin with a slash):

       <servlet-mapping>
           <servlet-name>cas</servlet-name>
           <url-pattern>/bannerValidate</url-pattern>
       </servlet-mapping>

   4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.
       4.2.1 Open the uniqueIdGenerators.xml file.
       4.2.2 Add the following entry inside the existing <util:map id="uniqueIdGeneratorsMap"> element:

             <entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />

       4.2.3 Save and close the uniqueIdGenerators.xml file.
   4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
       Use the following steps to modify the argumentExtractorsConfiguration.xml file.
       4.3.1 Open the argumentExtractorsConfiguration.xml file.
       4.3.2 Add the following XML configuration:

             <bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
             </bean>

       4.3.3 Add the following reference to the util:list argumentExtractors:

             <util:list id="argumentExtractors">
                 <ref bean="BannerArgumentExtractor" />
                 <ref bean="casArgumentExtractor" />
                 <ref bean="samlArgumentExtractor" />
             </util:list>

       4.3.4 Save and close argumentExtractorsConfiguration.xml.
   4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
       Use the following steps to modify the cas-servlet.xml file.
       4.4.1 Open cas-servlet.xml and add the following XML configuration:

             <bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
                 p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
                 p:centralAuthenticationService-ref="centralAuthenticationService"
                 p:proxyHandler-ref="proxy20Handler"
                 p:argumentExtractor-ref="BannerArgumentExtractor"
                 p:successView="bannerAccountServiceSuccessView"
                 p:failureView="bannerAccountServiceFailureView" />

       4.4.2 Add the following property to the bean handlerMappingC (the key is the servlet path, so it begins with a slash):

             <prop key="/bannerValidate">bannerAccountValidateController</prop>

       4.4.3 Save and close the cas-servlet.xml file.
   4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
       4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:

             <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
                 <property name="baseDN" value="ou=People,o=cp" />
                 <property name="query" value="(uid={0})" />
                 <property name="contextSource" ref="contextSource" />
                 <property name="ldapAttributesToPortalAttributes">
                     <map>
                         <!-- Mapping between the LDAP entry's attributes (key) and the Principal's attributes (value) -->
                         <entry key="uid" value="uid" />
                         <entry key="udcid" value="UDC_IDENTIFIER" />
                         <entry key="cn" value="cn" />
                         <entry key="givenname" value="Formatted Name" />
                         <entry key="mail" value="EmailAddress" />
                     </map>
                 </property>
             </bean>
       4.5.2 Add the following property configuration inside the bean authenticationManager:

             <property name="authenticationMetaDataPopulators">
                 <list>
                     <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
                         <property name="template" ref="LdapTemplate" />
                         <property name="netIdAttr" value="uid" />
                         <property name="baseDN" value="ou=People,o=cp" />
                         <property name="casTokenAttributes">
                             <map>
                                 <entry>
                                     <key><value>udcid</value></key>
                                     <value>UDC_IDENTIFIER</value>
                                 </entry>
                             </map>
                         </property>
                     </bean>
                 </list>
             </property>
       4.5.3 Add the following bean definitions under the beans root element:

             <bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
                 <property name="contextSource" ref="contextSource" />
             </bean>

             <bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
                 <property name="daoUtil" ref="UDCPersonAttributeDaoUtil" />
             </bean>

             <bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
                 <property name="template" ref="LdapTemplate" />
                 <property name="netIdAttr" value="uid" />
                 <property name="baseDN" value="ou=People,o=cp" />
                 <property name="samlToLdapAttributeNameMap">
                     <map>
                         <entry key="UDC_IDENTIFIER" value="udcid" />
                         <entry key="Formatted Name" value="sn" />
                     </map>
                 </property>
             </bean>

             <bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
       4.5.4 Save and close the deployerConfigContext.xml file.
   4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
       4.6.1 Open default_views.properties.
       4.6.2 Add the following lines:

             # Banner Applications Views
             bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
             bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView

       4.6.3 Save and close default_views.properties.
   4.7 Define the CAS managed services. For more information, see "CAS managed services" on page 2-4.
Appendix B  Logs

Banner Enterprise Identity Services logs let you better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner (also known as Banner Channels for Luminis Platform). It uses a DB connection pool and secured access to data at the Banner DB level.

You can also enable debug logging for the GlassFish message queue (MQ) component.

Banportals logs

BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:

$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties

For example, to create a unique log file that captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:

log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:

$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties

Alternately, you can add the following to your common log4j.properties, stored in the following location:

$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties

log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file

If you are not actively debugging, lower the verbosity to the ERROR level.

Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:

$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1

There are several application-specific logs you can also refer to, such as the following:

[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name '*.log'
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log

For HTTP-layer monitoring, refer to the files in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, that you can use to configure the log files.

You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers such as OC4J containers. These containers are called "main" for banportals and "BEIS" for Banner Enterprise Identity Services.

Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.

GlassFish MQ and Luminis Platform Message Brokerage logs

Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs

If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:

/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties

Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties

Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:

# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
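The sections above turn DEBUG on for diagnosis and then ask you to lower it again, so a mechanical way to find what was left noisy is useful. The following is an added example, not from this guide or from Ellucian: a small reader for log4j.properties and a check that lists every root or package logger configured below a chosen threshold. The properties text it runs on is constructed from the banportals and JMS snippets in this appendix.

```python
# Added example: audit a log4j.properties file for loggers left at DEBUG/TRACE.
# SAMPLE_LOG4J is constructed from the snippets in this appendix; it is not a real file.
SAMPLE_LOG4J = """\
# banportals (constructed sample)
log4j.rootCategory=DEBUG, logfile
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
# luminis-banner webapp, already lowered after debugging
log4j.logger.com.sghe.luminis.banner=ERROR, file
! JMS Appender (java.util.Properties also treats '!' as a comment marker)
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
"""

# log4j level names, least to most severe
LEVELS = ["TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"]


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or key:value.

    Enough for log4j files; backslash line continuations are not handled.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":          # first separator ends the key
                props[line[:i].strip()] = line[i + 1:].strip()
                break
        else:                       # key with no value
            props[line] = ""
    return props


def logger_levels(props):
    """Return {key: LEVEL} for the root logger and every log4j.logger./log4j.category. entry."""
    levels = {}
    for key, value in props.items():
        is_root = key in ("log4j.rootLogger", "log4j.rootCategory")
        is_logger = key.startswith(("log4j.logger.", "log4j.category."))
        if not (is_root or is_logger):
            continue
        # value is "LEVEL, appender1, appender2"; the level may be omitted on non-root loggers
        first = value.split(",")[0].strip().upper()
        if first in LEVELS:
            levels[key] = first
    return levels


def verbose_loggers(props, max_level="INFO"):
    """Loggers configured noisier than max_level, as a sorted list of (key, level)."""
    threshold = LEVELS.index(max_level.upper())
    return sorted((k, lvl) for k, lvl in logger_levels(props).items()
                  if LEVELS.index(lvl) < threshold)


if __name__ == "__main__":
    for key, level in verbose_loggers(parse_properties(SAMPLE_LOG4J)):
        print(f"{key} is at {level}; lower it to ERROR when not debugging")
```

Run it against each log4j.properties file named in this appendix after a debugging session; with the default INFO threshold it reports the root category and the JMS listener logger from the sample, and the already-lowered luminis-banner logger is silent.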
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.

Learning Management Gateway (LMG) logs

Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.

The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)

The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the <EventID> tag in the LMG adapter.log and ldi_event_data.log files.

To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:

log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG

Once these properties are set, restart LMG and capture the LMG logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the EventID or the event type.

If the LMG processed the files successfully, you see messages in the log files similar to the following example:

2010-07-12 05:13:56,091 [Thread-11] INFO  events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO  events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO  events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
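To make the correlation between the GOAEQRM Event Sequence and adapter.log mechanical, here is an added example, not part of the guide and not Ellucian code. It parses adapter.log records like the three above and reports, per event ID, how far the event got: validated, published to the broker, or delivered to a publisher. The input is constructed from the three lines above plus two invented events (one that was validated but never published, one with invalid XML); the logger names and message texts follow the sample lines and are assumptions about the real format.

```python
import re
from collections import defaultdict

# Constructed sample adapter.log: the three lines from the guide plus two
# invented events (370661 stalls after validation, 370662 fails validation).
SAMPLE_ADAPTER_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO  events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO  events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO  events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,001 [Thread-11] INFO  events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:05,310 [Thread-11] ERROR events.com.sctcorp.events.StandardEventProvider - XML for 370662 is not a valid document
"""

# One log4j record: timestamp [thread] LEVEL logger - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)

# Message shapes seen in the guide's sample (assumed stable); group 1 is the EventID
PATTERNS = {
    "validated": re.compile(r"XML for (\d+) is a valid document"),
    "invalid": re.compile(r"XML for (\d+) is not a valid document"),
    "published": re.compile(r"Message (\d+) published to Luminis Message Broker"),
    "delivered": re.compile(r"The event (\d+) has been published to (\S+)"),
}


def parse_adapter_log(text):
    """Return {event_id: {"stages": [...], "publisher": str|None, "last_seen": ts}}."""
    events = defaultdict(lambda: {"stages": [], "publisher": None, "last_seen": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace continuation or other non-record line
        msg = m.group("msg")
        for stage, pat in PATTERNS.items():
            hit = pat.search(msg)
            if hit:
                ev = events[hit.group(1)]
                ev["stages"].append(stage)
                ev["last_seen"] = m.group("ts")
                if stage == "delivered":
                    ev["publisher"] = hit.group(2)
                break
    return dict(events)


def event_status(events, event_id):
    """Collapse the stages for one EventID (the GOAEQRM Event Sequence) into a single status."""
    ev = events.get(event_id)
    if ev is None:
        return "unknown"          # never reached LMG: check the GOAEQRM status first
    if "invalid" in ev["stages"]:
        return "invalid-xml"
    if "delivered" in ev["stages"]:
        return "delivered"
    if "published" in ev["stages"]:
        return "published"
    return "validated-only"


def stalled_events(events):
    """EventIDs that LMG validated but never published to the message broker."""
    return sorted(eid for eid, ev in events.items()
                  if "validated" in ev["stages"] and "published" not in ev["stages"])


if __name__ == "__main__":
    parsed = parse_adapter_log(SAMPLE_ADAPTER_LOG)
    for eid in sorted(parsed):
        print(eid, event_status(parsed, eid), parsed[eid]["last_seen"])
    print("stalled:", stalled_events(parsed))
```

A "validated-only" or "published" result points at the broker side (the GlassFish MQ logs in the next section); "unknown" means the event never left Banner, so GOAEQRM is the place to look; "invalid-xml" is an LMG-side problem with the event payload.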
GlassFish MQ 4.5 logs

If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows.

1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command:
   imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
   This has the same effect as adding or editing the following property in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
   imq.log.level=DEBUG
3. To change the destination directory and file name for the MQ log, add or edit the following properties in the same file:
   imq.log.file.dirpath=/opt/luminis/logs
   imq.log.file.filename=mb-broker.log
Appendix C  Sample Scripts and Files

This appendix contains examples of scripts and LDIF files you might use during the integration. These include the following:

• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"

Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:

--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) Log in to SQL*Plus as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS     TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                       TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- SQL*Plus prompts for the Luminis ID here
  d varchar2(200);                     -- OUT: Oracle user
  e varchar2(200);                     -- OUT: role
  f varchar2(200);                     -- OUT: proxy password (not printed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- dbms_output.put_line(' PWD: ' || f);   -- left commented so the password is not spooled
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif

The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif

The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Sample sso_oclass_lum5.ldif

The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.

The following is a sample sso_oclass_lum5.ldif:

dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif

The following is a sample o=sctssoapplications.ldif file:

version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script

The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# lp5_mqinit.sh
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#   (the [[ ]], read -s and (( )) constructs below need bash or a
#   bash-compatible sh)
#
# Uncomment the following for verbose dsconfig/ldapmodify:
#VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start:
# does $OPENDS_DIR exist and is it writable?
if [[ ! -d "$OPENDS_DIR" || ! -w "$OPENDS_DIR" ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Note: -w places the password on the command line, where it is visible to
# other local users via ps while each tool runs; the OpenDS tools also
# accept -j <file> (--bindPasswordFile) to read it from a file instead.
# --trustAll skips server certificate validation, so run this only against
# the local resource tier.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"

# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword (allowed by STEP 2), the
# format would be as below. The double colon marks a base64 LDIF value; the
# decoded value is the {SSHA} string the directory stores.
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands.
# Note: this binds as Directory Manager over the non-SSL LDAP port, so the
# credential crosses the wire in the clear; run it on the resource tier itself.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
#imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# The -l lookup names contain a literal '$', so they are single-quoted
# to keep the shell from expanding them.

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the destination name must match the queue this object refers to)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
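STEP 2 of the script allows pre-encoded passwords and the note under STEP 6 shows what such a value looks like in LDIF. The following is an added example, not from the script or from Ellucian, showing in Python how that value is built and checked: an RFC 2307 style {SSHA} value is base64(SHA-1(password || salt) || salt), and LDIF carries it base64-encoded a second time behind a double colon. The sample line is the one from STEP 6; the plaintext behind it is not known here and is not needed to check its shape. The 8-byte salt length is the OpenDS default and is an assumption for verification only, since the salt length is recovered from the stored value itself.

```python
import base64
import hashlib
import hmac
import os

# The pre-encoded userPassword line shown under STEP 6 of lp5_mqinit.sh,
# as it would appear in LDIF (double colon = base64-encoded value).
SAMPLE_LDIF_LINE = ("userPassword:: "
                    "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==")

SSHA_PREFIX = "{SSHA}"
SALT_LEN = 8    # assumed OpenDS default salt length when generating new values
SHA1_LEN = 20   # SHA-1 digest length; the salt is whatever follows it


def ldif_attribute_value(line):
    """Decode one LDIF attribute line ('attr: value' or base64 'attr:: value')."""
    _, sep, value = line.partition("::")
    if sep:
        return base64.b64decode(value.strip()).decode("utf-8")
    _, sep, value = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line: %r" % line)
    return value.strip()


def ldif_userpassword_line(encoded):
    """Emit a pre-encoded password the way ldapmodify expects it in LDIF."""
    return "userPassword:: " + base64.b64encode(encoded.encode("utf-8")).decode("ascii")


def ssha_encode(password, salt=None):
    """Build an RFC 2307 style {SSHA} value: base64(SHA-1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(encoded):
    """Return (digest, salt) from a {SSHA} value, validating its shape."""
    if not encoded.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[len(SSHA_PREFIX):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} payload too short to contain a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password, encoded):
    """Recompute the salted digest and compare in constant time, as the directory does on bind."""
    digest, salt = ssha_split(encoded)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    value = ldif_attribute_value(SAMPLE_LDIF_LINE)
    digest, salt = ssha_split(value)
    print(value, "-> %d-byte digest, %d-byte salt" % (len(digest), len(salt)))
    fresh = ssha_encode("change-me")   # constructed plaintext for the demonstration
    print(ldif_userpassword_line(fresh), ssha_verify("change-me", fresh))
```

Because the salt is stored in the clear after the digest, a {SSHA} value can be verified but not reversed, which is the point of pre-encoding a value in the LDIF instead of writing the plaintext that the script's `userPassword: $MQ_LMG_USER_PW` line sends. The scheme itself is fixed by what OpenDS stores; this example only reproduces it.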
Troubleshooting

This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.

Error message when banproxy is not configured correctly

The following error often indicates that the banproxy configuration is not set up properly:

ORA-28150: proxy not authorized to connect as client

If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:

SQL> Alter user INTEGMGR grant connect through INTEGMGR;

The proxy (connect-through) connection for BANPROXY access should appear as follows:

SQL> Alter user USER1 grant connect through USER2;

USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.

When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.

For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user this script must respond with the actual INB username That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide
NoteYou should manually assign the connect through grants via sql when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user use the gspproxyget_proxy_info method or the proxyinfosql script described as bansecr in ldquoSample proxyinfosql scriptrdquo on page C-1
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as “SOAPException faultCode=INVALID SOAP RESPONSE” in your idproxy_application.log, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If streams are locking on archive logs, you can remove the streams by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
portmapper tcp PORTMAPPER 7676 [imqvarhome=/u01/luminis/products/glassfishv3/glassfish/domains/domain1/imq,imqhome=/u01/luminis/products/glassfishv3/mq,sessionid=255908551848553472]
jmxrmi rmi JMX 0 [url=service:jmx:rmi://udclumsvc21.sungardhe.com/jndi/rmi://udclumsvc21.sungardhe.com:8686/udclumsvc21.sungardhe.com/7676/jmxrmi]
admin tcp ADMIN 7574
jms tcp NORMAL 7575
httpsjms https NORMAL 0
mqdirect2 none NORMAL 0
jmsdirect none NORMAL 0
cluster tcp CLUSTER 50627
Connection closed by foreign host.
Note: If you have not installed Luminis Platform yet, these settings would go in your setup.properties.
If Luminis Platform was installed with the default setting of jmsenabled=false, JMS can be enabled within the following location: $CP_ROOT/products/tomcat/tomcat-admin/shared/classes/bootstrap.properties
Note: It is recommended to set isMessageBrokerEnabled=true only for the tomcat-admin instance and false for the tomcat-portal instances, so that the admin tier does all the JMS work while the portal tiers focus on the HTTPS traffic.
For example, the settings may appear as follows:
com.sghe.luminis.jms.type=sun
isMessageBrokerEnabled=true
com.sghe.luminis.imqConnectionPrincipal=<jmsuserid>
com.sghe.luminis.imqConnectionCredentials=<jmspassword>
com.sghe.luminis.imqBrokerHostName=<jmshost>
com.sghe.luminis.imqAddressList=mq://<jmshost>:7676/jms
5. The GlassFish Enterprise Server should be installed, with the JMS and admin services listed in imq.service.activelist within <glassfishdomain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
<jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any imqcmd commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• “User ID mappings”
• “Create the o=SCTSSOapplications base DN”
• “Verify usermap mapping setup for INB users using the proxyinfo.sql script”
• “Configure user map lookups”
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor SPRIDEN-ID lookup against LDAP involved in the SSO transaction. Instead, bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket (as in the Luminis-CAS login on port 8447), coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or by proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP for his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with the b_0110_twb8030001 or Web Tailor 8.2 with the b_0110_twb8020001. Otherwise, bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control-panel to generate the o=SCTSSOapplications base-dn. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the dsconfig command in $CP_ROOT/products/opends/bin as follows:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN. For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter Use these values.
1.7 Press F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, “Sample Scripts and Files”.
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption, as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade, you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to “Create entries in LDAP for usermap” on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as:
mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
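The key rules stated in the steps above (key in column 1, letters and numbers mixed, at least eight characters, longer only in multiples of eight, only the first 24 characters used, padded to 24) are easy to get wrong by hand, so the following check script applies them to an enckey file before the banssodir.sql step is run. This is an added example for this section, not code from the guide or from Banner; the pad character (the guide does not say which byte GOKKSSO pads with, so a space is assumed), the single-line requirement and the file-permission check are assumptions added here. DES is a legacy algorithm; the checks enforce the guide's rules for the key, not the strength of the cipher.

```python
"""Check an enckey file against the rules stated for the GOKKSSO key.

Added example, not part of the guide or of Banner/Luminis. It enforces the
rules the text gives (key in column 1, letters and numbers mixed, at least
eight characters, longer only in multiples of eight, only the first 24 used,
padded to 24) and adds a file-permission check. Assumptions: the pad
character (a space; the guide does not name it) and that a key file readable
or writable by others counts as a problem.
"""
import os
import re
import stat

MIN_LEN = 8          # characters consumed by the current DES encryption
MAX_USED = 24        # characters the GOKKSSO package reads (future DES3 key)
PAD_CHAR = " "       # assumption: the guide does not specify the pad byte


def validate_enckey(contents: str) -> list[str]:
    """Return the rule violations found in the raw contents of an enckey file.

    The key is the first line; a single trailing newline is tolerated.
    An empty list means every rule the guide states is satisfied.
    """
    problems: list[str] = []
    lines = contents.split("\n")
    if len(lines) > 2 or (len(lines) == 2 and lines[1] != ""):
        problems.append("enckey must contain a single line")
    key = lines[0].rstrip("\r")
    if key != key.lstrip():
        problems.append("key must start in column 1 (leading whitespace found)")
    if len(key) < MIN_LEN:
        problems.append(f"key must be at least {MIN_LEN} characters (got {len(key)})")
    if len(key) % 8 != 0:
        problems.append("key length must be a multiple of eight")
    if not (re.search(r"[A-Za-z]", key) and re.search(r"[0-9]", key)):
        problems.append("key must combine letters and numbers")
    if len(key) > MAX_USED:
        problems.append(f"only the first {MAX_USED} characters are used; "
                        f"{len(key) - MAX_USED} trailing characters are ignored")
    return problems


def effective_keys(key: str) -> tuple[str, str]:
    """Return (des_key, des3_key) as the guide describes the key's use.

    The current DES encryption uses the first 8 characters; a future DES3
    would use the first 24. The entered string is padded out to 24.
    """
    key = key.rstrip("\r\n")
    des3_key = key[:MAX_USED].ljust(MAX_USED, PAD_CHAR)
    return des3_key[:MIN_LEN], des3_key


def permission_problems(mode: int) -> list[str]:
    """Flag an enckey file mode that exposes the key beyond owner and group.

    The guide asks for the key to be readable by the Oracle group; anything
    readable or writable by others is reported (added check, an assumption).
    """
    problems = []
    if mode & stat.S_IROTH:
        problems.append("enckey is world-readable")
    if mode & stat.S_IWOTH:
        problems.append("enckey is world-writable")
    if mode & stat.S_IWGRP:
        problems.append("enckey is group-writable")
    return problems


def check_enckey_file(path: str) -> list[str]:
    """Run both checks on a real enckey file, e.g. $BANNER_HOME/key_dir/enckey."""
    with open(path, encoding="ascii") as fh:
        contents = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return validate_enckey(contents) + permission_problems(mode)


if __name__ == "__main__":
    # Constructed sample keys, not values from the guide.
    for sample in ("Abc12345\n", "abcdefgh", " Abc12345", "Xy7" * 8 + "Z1"):
        print(repr(sample), validate_enckey(sample) or "ok")
```

Run `check_enckey_file("/path/to/key_dir/enckey")` on the database server after step 3; an empty list means the key satisfies the stated rules and the file is not exposed to other users.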
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see “Luminis Banner Web application” on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the changed mapping is read.
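The usermap entry above and the lookup behaviour described under “Verify usermap mapping setup for INB users using the proxyinfo.sql script” can be exercised together with the following script. It is an added example for this section, not code from the guide or from Luminis/Banner: usermap_ldif() produces the SCTSSOConfig entry in the shape shown in step 1, escaping DN-special characters per RFC 4514 and base64-encoding LDIF values per RFC 2849 where required, so a Luminis ID containing a comma or a leading space cannot alter the DN or the file layout; resolve_oracle_id() applies the precedence the chapter describes (explicit usermap entry first, otherwise the default Oracle ID); interpret_proxyinfo() reads a returned ID the way the chapter does. The default value BANPROXY and the generic IDs INTEGMGR and WWW_USER come from this chapter's text; case-insensitive matching of the cn is an assumption about the directory's matching rule.

```python
"""Build and resolve o=usermap entries of the kind shown in this section.

Added example, not from the guide or from Luminis/Banner. Assumptions:
the default Oracle ID and the generic IDs are taken from this chapter's
text; cn matching is treated as case-insensitive.
"""
import base64

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "BANPROXY"
# IDs that proxyinfo.sql returns when no mapping exists (from the text above).
GENERIC_IDS = {"BANPROXY", "INTEGMGR", "WWW_USER"}

_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr: str, value: str) -> str:
    """Render one LDIF attribute line, base64-encoding when RFC 2849 requires it."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_char = any(ord(c) > 126 or c in "\r\n\0" for c in value)
    if unsafe_start or unsafe_char:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def usermap_ldif(luminis_id: str, oracle_id: str) -> str:
    """Return the LDIF for one Luminis ID -> Oracle/INB ID mapping entry."""
    if not luminis_id.strip() or not oracle_id.strip():
        raise ValueError("both the Luminis ID and the Oracle ID are required")
    dn = f"cn={escape_dn_value(luminis_id)},{USERMAP_BASE}"
    lines = [
        ldif_line("dn", dn),
        ldif_line("SCTSSOConfigString", oracle_id),
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        ldif_line("description",
                  f"Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {oracle_id}"),
        ldif_line("cn", luminis_id),
    ]
    return "\n".join(lines) + "\n"


def resolve_oracle_id(luminis_id: str, usermap: dict[str, str],
                      default: str = DEFAULT_ORACLE_ID) -> tuple[str, bool]:
    """Return (oracle_id, mapped): an explicit usermap entry wins, otherwise
    the default Oracle ID is used, as the chapter describes for proxyinfo.sql."""
    lookup = {cn.lower(): oracle for cn, oracle in usermap.items()}
    oracle_id = lookup.get(luminis_id.lower())
    if oracle_id is None:
        return default, False
    return oracle_id, True


def interpret_proxyinfo(oracle_id: str) -> str:
    """Explain an Oracle ID returned by proxyinfo.sql, as the text above does."""
    if oracle_id.upper() in GENERIC_IDS:
        return "no usermap entry found; default Oracle ID in use"
    return "explicit usermap entry (or the user's own INB account)"


if __name__ == "__main__":
    # Constructed sample mapping, mirroring the JoeSmith -> jsmith example.
    usermap = {"JoeSmith": "jsmith"}
    print(usermap_ldif("JoeSmith", "jsmith"))
    for user in ("JoeSmith", "student1"):
        oracle_id, mapped = resolve_oracle_id(user, usermap)
        print(user, "->", oracle_id, "(mapped)" if mapped else "(default)",
              interpret_proxyinfo(oracle_id))
```

Because a usermap entry grants the mapped Luminis user the mapped Oracle/INB account's access through the portlets, the directory subtree o=usermap should be writable only by the Directory Manager used for the import, and the generated LDIF should be reviewed before the ldapmodify step.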
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value will display as the Default value for new users who log in to Banner.
Parameter: Description
BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine if users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using the Internet URL format for LDAP, such as the following example: ldap://myldapserver:389
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are as follows: L (LoginID is being used for login mapping), N (No usermap option is used).
USERMAP_PRFX: Prefix for the usermap. This contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter: Description
LOCATION: To configure SSL, a certificate wallet must be created on the Database Server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows: file:d:\wallet for Windows, file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode, which can be one of the following values:
1 - No authentication is required (SSL encryption only).
2 - One-way authentication is required; the client certificate is authenticated by the server.
3 - Two-way authentication is required; the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see “Central Authentication Service and Banner Enterprise Identity Services” on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions listed below.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry inside the util:map with id uniqueIdGeneratorsMap:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
<ref bean="BannerArgumentExtractor" />
<ref bean="casArgumentExtractor" />
<ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
p:centralAuthenticationService-ref="centralAuthenticationService"
p:proxyHandler-ref="proxy20Handler"
p:argumentExtractor-ref="BannerArgumentExtractor"
p:successView="bannerAccountServiceSuccessView"
p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
<property name="baseDN" value="ou=People,o=cp" />
<property name="query" value="(uid={0})" />
<property name="contextSource" ref="contextSource" />
<property name="ldapAttributesToPortalAttributes">
<map>
<!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
<entry key="uid" value="uid" />
<entry key="udcid" value="UDC_IDENTIFIER" />
<entry key="cn" value="cn" />
<entry key="givenname" value="Formatted Name" />
<entry key="mail" value="EmailAddress" />
</map>
</property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
<list>
<bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
<property name="template" ref="LdapTemplate" />
<property name="netIdAttr" value="uid" />
<property name="baseDN" value="ou=People,o=cp" />
<property name="casTokenAttributes">
<map>
<entry>
<key><value>udcid</value></key>
<value>UDC_IDENTIFIER</value>
</entry>
</map>
</property>
</bean>
</list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
<property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
<property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
<property name="template" ref="LdapTemplate"></property>
<property name="netIdAttr" value="uid" />
<property name="baseDN" value="ou=People,o=cp" />
<property name="samlToLdapAttributeNameMap">
<map>
<entry key="UDC_IDENTIFIER" value="udcid" />
<entry key="Formatted Name" value="sn" />
</map>
</property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.c.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see “CAS managed services” on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.banner.portals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the log files in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will, which take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the EventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
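The following Python script is an added example, not part of the Ellucian guide. It parses adapter.log lines in the format shown above and reports, for a given EventID (the GOAEQRM Event Sequence), which of the three stages quoted above the event reached, so a stalled event can be localised to validation, broker publish, or subscriber publish. The embedded log lines are constructed; only the stage message texts come from the page.

```python
"""Trace a Banner event through LMG adapter.log by its EventID.

Added example, not part of the Ellucian guide. The Event Sequence on GOAEQRM
is the EventID in adapter.log; this script reports which of the three stages
quoted above (validated, published to the broker, published to a subscriber)
an event reached, so a stalled event can be localised.
"""
import re

# "<date> <time>,<ms> [<thread>] <LEVEL> <logger> - <message>", as in the lines above
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Stage markers in processing order; <id> captures the EventID.
STAGES = [
    ("validated", re.compile(r"XML for (?P<id>\d+) is a valid document")),
    ("published_to_broker", re.compile(r"Message (?P<id>\d+) published to Luminis Message Broker")),
    ("published_to_subscriber", re.compile(r"The event (?P<id>\d+) has been published to (?P<sub>\S+)")),
]

# Constructed sample: 370660 completes (the page's lines), 370661 stalls after
# validation, 370662 is rejected with an ERROR line.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,001 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:05,300 [Thread-11] ERROR events.com.sct.corp.events.StandardEventProvider - XML for 370662 failed schema validation
"""


def parse_line(line):
    """Split one adapter.log line into its fields, or None if it is not a log record."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def _new_event():
    return {"stages": {}, "subscribers": [], "errors": []}


def trace_events(log_text):
    """Map EventID -> {stages: {stage: timestamp}, subscribers: [...], errors: [...]}."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for stage, pat in STAGES:
            m = pat.search(rec["msg"])
            if m:
                ev = events.setdefault(m.group("id"), _new_event())
                ev["stages"][stage] = rec["ts"]
                if stage == "published_to_subscriber":
                    ev["subscribers"].append(m.group("sub"))
                break
        else:
            # An ERROR line that names a numeric id is attached to that event.
            idm = re.search(r"\b(\d{4,})\b", rec["msg"])
            if rec["level"] == "ERROR" and idm:
                events.setdefault(idm.group(1), _new_event())["errors"].append(rec["msg"])
    return events


def event_status(events, event_id):
    """'complete', 'error', 'stalled after <stage>' or 'not seen' for one EventID."""
    ev = events.get(str(event_id))
    if ev is None:
        return "not seen"
    if ev["errors"]:
        return "error"
    reached = [name for name, _ in STAGES if name in ev["stages"]]
    if len(reached) == len(STAGES):
        return "complete"
    return "stalled after " + reached[-1] if reached else "not seen"


if __name__ == "__main__":
    ev = trace_events(SAMPLE_LOG)
    for eid in ("370660", "370661", "370662"):
        print(eid, event_status(ev, eid), ev[eid]["subscribers"])
```

Run it against a real adapter.log by replacing SAMPLE_LOG with the file contents; an event that is "stalled after validated" never reached the Luminis Message Broker, which points at the broker connection rather than at Banner.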
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs as stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in the following location: <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• “Sample proxyinfo.sql script”
• “Sample 00-core.ldif”
• “Sample 99-user.ldif”
• “Sample sso_oclass_lum5.ldif”
• “Sample o=sctssoapplications.ldif”
• “Full lp5_mqinit.sh script”
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS      TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                        TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';      -- channel type passed to the proxy lookup
  b varchar2(200) := 'LUMINIS';      -- calling system
  c varchar2(200) := '&Luminis_ID';  -- prompts for the Luminis ID at run time
  d varchar2(200);                   -- returns the mapped Oracle user
  e varchar2(200);                   -- returns the role
  f varchar2(200);                   -- returns the password (not displayed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line('  Role: ' || e);
  --dbms_output.put_line('  PWD: ' || f);
  dbms_output.put_line('  Luminis User: ' || c);
  dbms_output.put_line('  Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. By importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in “Sample o=sctssoapplications.ldif” on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
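The following Python example is added here and is not part of the Ellucian guide. It parses LDIF like the sample above (including RFC 2849 line folding, as in the wrapped description value, and base64 "::" values), checks the SCTSSOConfig MUST attributes, and resolves a Luminis ID to its Oracle ID with the same fallback rule that proxyinfo.sql and the usermap section in Chapter 4 describe: an explicit entry under o=usermap wins, otherwise the default Oracle ID is used. The sample entries are constructed to match the page, and the BANPROXY default is an assumed parameter.

```python
"""Resolve a Luminis ID to its Oracle/INB user from an o=usermap LDIF.

Added example, not part of the Ellucian guide. Parses LDIF of the form shown
in the sample above (RFC 2849 line folding and base64 "::" values included),
checks the SCTSSOConfig MUST attributes, and applies the lookup rule that
proxyinfo.sql and the usermap section in Chapter 4 describe: an explicit
mapping under o=usermap wins, otherwise the default Oracle ID is used.
"""
import base64

# Constructed sample modelled on o=sctssoapplications.ldif above. The folded
# description line and the base64 value exercise the two LDIF encodings.
SAMPLE_LDIF = """\
version: 1
dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description:: TWFwIG9mIGt5bGUgdG8gc2Fpc3Vzcg==
SCTSSOConfigString: saisusr
"""

USERMAP_DN = "o=usermap,o=Banner,o=SCTSSOapplications"
# MUST list of the SCTSSOConfig objectclass defined in sso_oclass_lum5.ldif
SCTSSOCONFIG_MUST = ("cn", "sctssoconfigstring", "description")


def unfold(text):
    """Join RFC 2849 continuation lines (a leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries; each entry maps a lower-cased attribute name to its values."""
    entries, entry = [], {}
    for line in unfold(text):
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, rest = line.split(":", 1)
        if rest.startswith(":"):              # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def missing_must_attributes(entry):
    """Attributes the SCTSSOConfig objectclass requires but this entry lacks."""
    return [a for a in SCTSSOCONFIG_MUST if not entry.get(a)]


def build_usermap(entries):
    """Luminis ID (cn) -> Oracle ID (SCTSSOConfigString) for entries directly under
    o=usermap. The cn=UserMapDN pointer under o=config is not a mapping and is skipped."""
    usermap = {}
    for e in entries:
        rdn, _, parent = e.get("dn", [""])[0].partition(",")
        if parent.lower() != USERMAP_DN.lower() or not rdn.lower().startswith("cn="):
            continue
        if "sctssoconfig" not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        if missing_must_attributes(e) or len(e["sctssoconfigstring"]) != 1:
            continue                           # SINGLE-VALUE attribute, MUST be present
        usermap[e["cn"][0].lower()] = e["sctssoconfigstring"][0]   # cn is caseIgnoreMatch
    return usermap


def resolve_oracle_id(luminis_id, usermap, default_oracle_id="BANPROXY"):
    """(oracle_id, mapped): explicit usermap entry, else the default Oracle ID.
    default_oracle_id is an assumed parameter; the guide says it is usually BANPROXY."""
    oracle_id = usermap.get(luminis_id.lower())
    if oracle_id is None:
        return default_oracle_id, False
    return oracle_id, True


if __name__ == "__main__":
    um = build_usermap(parse_ldif(SAMPLE_LDIF))
    for uid in ("kyle", "610009611", "nobody"):
        print(uid, "->", resolve_oracle_id(uid, um))
```

A result of (default, False) for an INB user is the same symptom the proxyinfo.sql script reports as a generic Oracle ID: no usermap entry exists for that Luminis ID.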
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in “Set up users and administered objects in o=messaging” on page 3-3 is listed below:
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc, general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"
#
# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389
# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break"
        ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start.
# Does $OPENDS_DIR exist and is it writable?
if [[ ! ( -d $OPENDS_DIR ) || ! ( -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit
fi

# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_ssl_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_ssl_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following “connect through” grant is required for all non-INB users:
SQL> alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, run as bansecr, described in “Sample proxyinfo.sql script” on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the webservices configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as “SOAPException: faultCode=INVALID SOAP RESPONSE” in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide's version is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archivelogs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
5. The GlassFish Enterprise Server should be installed, and the JMS and admin services listed in imq.service.activelist within <glassfish_domain>/imq/instances/imqbroker/props/config.properties.
5.1 To query the broker, run the following commands:
cd <glassfish>/mq/bin
imqcmd query bkr -b <localhost>
5.2 To ensure the JMS service is active, run the following command:
imqcmd query svc -b <localhost> -n jms
5.3 SunGard Higher Education recommends that you rename the default host used by the broker from localhost to your FQDN.
To update the default host, change the jms-service/jms-host entry in <glassfish>/domains/domain1/config/domain.xml so that the host parameter matches your FQDN, as illustrated in the following example:
<jms-service default-jms-host="default_JMS_host" type="EMBEDDED">
  <jms-host host="my-host.school.edu" name="default_JMS_host" lazy-init="true" />
</jms-service>
After you update the domain.xml jms-service definition and restart the GlassFish domain, use the FQDN on any imqcmd commands.
4 SSB and INB Integration
This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:
• “User ID mappings”
• “Create the o=SCTSSOapplications base DN”
• “Verify usermap mapping setup for INB users using the proxyinfo.sql script”
• “Configure user map lookups”
User ID mappings
User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is in the GOBUMAP configuration. PIDM <-> SPRIDEN ID mappings occur in the SPRIDEN table. PIDM <-> INB (Oracle) login mappings occur in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.
The LDAP-authentication layer is not necessary beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication nor spriden-ID lookup against LDAP involved in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorized/banner, now place trust in the initial CAS ticket, as in the Luminis-CAS login on port 8447, coupled with the assertion of the UDCID in the configured cookie and header.
Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or by proxy via BANPROXY.
Other questions to consider when setting up a user in Banner applications are as follows:
• Does the user have a map in GOBUMAP for his UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than version 8.4, ensure that you have Web Tailor 8.3.1 installed with the b_0110_twb8030001, or Web Tailor 8.2 with the b_0110_twb8020001. Otherwise, the bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN like o=SCTSSOapplications, you can use the OpenDS control panel to generate the o=SCTSSOapplications base-dn. This base DN is not necessary unless the LDAP-based user mapping is needed, as configured by the baseline user in GUAUPRF.
For more information about managing base DNs with the control panel, click the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run the command in $CP_ROOT/products/opends/bin as follows:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN.
For example, enter o=SCTSSOapplications.
1.5 Click Enter to continue.
1.6 Enter Use these values.
1.7 Click F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications.ldif sections in Appendix C, “Sample Scripts and Files”.
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, it indicates that there was no mapping found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for the purposes of INB channels such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to “Create entries in LDAP for usermap” on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES view and the physical directory has not been created on your database server, you must create it using the following steps. Make sure the group permissions make it readable by Oracle.
1. Create the physical directory on your database server, for example: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step 1. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
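As an added check, not part of the guide or of the GOKKSSO package, the following Python function applies the key rules stated above to the contents of an enckey file before it is put in place. Only the constraints the guide states are enforced; the padding character Banner uses is not specified in the text, so the function reports the first 24 characters rather than a padded key.

```python
"""Check an enckey file against the constraints the guide states.

Added example; it is not part of the guide or of the GOKKSSO package.
The rules it applies are the ones stated above: the key starts in column 1,
mixes letters and numbers, is at least eight characters long, has a length
that is a multiple of eight, and only its first 24 characters are used.
"""

DES_KEY_LEN = 8      # characters the current DES encryption actually uses
MAX_KEY_LEN = 24     # characters GOKKSSO reads, reserved for the DES3 case


def check_enckey(contents: str) -> dict:
    """Validate the text of an enckey file and report the key that would be used.

    `contents` is the raw file text; the key is the first line.  Returns a
    dict with `ok`, a list of `problems`, the `des_key` (first eight
    characters), the `effective_key` (first 24) and whether it was `truncated`.
    """
    first_line = contents.split("\n", 1)[0].rstrip("\r")
    problems = []
    if first_line and first_line[0].isspace():
        problems.append("key does not start in column 1")
    key = first_line.strip()
    if len(key) < DES_KEY_LEN:
        problems.append("key is shorter than eight characters")
    elif len(key) % DES_KEY_LEN != 0:
        problems.append("key length is not a multiple of eight")
    if not (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)):
        problems.append("key does not combine letters and numbers")
    return {
        "ok": not problems,
        "problems": problems,
        "des_key": key[:DES_KEY_LEN],
        "effective_key": key[:MAX_KEY_LEN],
        "truncated": len(key) > MAX_KEY_LEN,
    }


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "enckey"
    with open(path, encoding="ascii") as fh:
        report = check_enckey(fh.read())
    for problem in report["problems"]:
        print("PROBLEM:", problem)
    # Report only the length, never the key itself, on the console.
    print("OK" if report["ok"] else "REJECTED",
          "- effective key length", len(report["effective_key"]))
```

Run it as `python check_enckey.py $BANNER_HOME/key_dir/enckey` on the database server before running banssodir.sql; a key such as PASSWORD is rejected because it contains no digit, and a key longer than 24 characters is accepted but flagged as truncated.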
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If a user's ID is the same in both systems, an entry in this location is neither necessary nor recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see “Luminis Banner Web application” on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner, and the value is then cached. If changes to a particular mapping are made, you must restart the banportals OC4J before the new mapping is read.
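To verify mappings without a database session, the following added Python example (not part of the guide or of Ellucian's tooling) parses an LDIF export of the o=usermap subtree, such as the sso_map.ldif above or the sample in Appendix C, and resolves a Luminis ID the way proxyinfo.sql reports it: an explicit SCTSSOConfig entry wins, otherwise the default Oracle ID (assumed here to be banproxy) results. The LDIF it parses is constructed sample data; it also handles LDIF folded lines and base64 values, which the Appendix C sample uses.

```python
"""Resolve Luminis IDs to Banner/Oracle IDs from a usermap LDIF export.

Added example, not part of the guide or of Ellucian's tooling.  It reads the
SCTSSOConfig entries under o=usermap (the data that proxyinfo.sql reports on
through GSPPRXY) and answers the same question offline: which Oracle ID does a
Luminis ID map to, and is that an explicit mapping or the default.  The LDIF
below is constructed sample data in the layout the guide shows; the default
proxy ID and the list of generic IDs come from the text above.
"""
import base64

USERMAP_BASE = "o=usermap,o=banner,o=sctssoapplications"
DEFAULT_ORACLE_ID = "banproxy"                      # "usually banproxy" per the guide
GENERIC_IDS = {"INTEGMGR", "WWW_USER", "BANPROXY"}  # a hit here means no explicit mapping

SAMPLE_LDIF = """\
version: 1

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: JoeSmith
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
SCTSSOConfigString: jsmith

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr, folded across two li
 nes in the file
SCTSSOConfigString:: c2Fpc3Vzcg==
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record.

    Handles the two LDIF features the samples in this guide use: folded lines
    (a continuation line starts with one space, which is dropped) and base64
    values (written after a double colon).  Attribute names are lower-cased
    because LDAP attribute names are case-insensitive.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        records.append(current)
    return records


def load_usermap(ldif_text):
    """Build {luminis_id (lower-cased): oracle_id} from the usermap subtree."""
    mapping = {}
    for rec in parse_ldif(ldif_text):
        dn = rec.get("dn", [""])[0].replace(" ", "").lower()
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if "sctssoconfig" not in classes or not dn.endswith("," + USERMAP_BASE):
            continue
        cn = rec.get("cn", [None])[0]
        target = rec.get("sctssoconfigstring", [None])[0]
        if cn and target:
            mapping[cn.lower()] = target   # cn uses caseIgnoreMatch, so compare lower-cased
    return mapping


def resolve_oracle_id(luminis_id, mapping, default=DEFAULT_ORACLE_ID):
    """Answer as proxyinfo.sql would: explicit mapping wins, otherwise the default."""
    explicit = luminis_id.lower() in mapping
    oracle_id = mapping[luminis_id.lower()] if explicit else default
    return {
        "luminis_id": luminis_id,
        "oracle_id": oracle_id,
        "explicit": explicit,
        "generic": oracle_id.upper() in GENERIC_IDS,  # proxyinfo's "no mapping found" signal
    }


if __name__ == "__main__":
    usermap = load_usermap(SAMPLE_LDIF)
    for user in ("JoeSmith", "610009611", "nobody"):
        print(resolve_oracle_id(user, usermap))
```

Feed it a real export (for example the output of `ldapsearch -b "o=usermap,o=Banner,o=SCTSSOapplications" objectClass=SCTSSOConfig`) to see, before the 20-minute propagation delay and the banportals restart, which Luminis IDs will still fall back to the default proxy account.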
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value is displayed as the Default value for new users who log in to Banner.
Parameter: Description
BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using the Internet URL format for LDAP, for example ldap://myldapserver:389.
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are as follows:
L: LoginID is being used for login mapping.
N: No usermap option is used.
USERMAP_PRFX: Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The exp_

ected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter: Description
LOCATION: To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows: file:d:\wallet for Windows, file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode, which can be one of the following values:
1 - No authentication is required (SSL encryption only).
2 - One-way authentication is required; the client certificate is authenticated by the server.
3 - Two-way authentication is required; the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see “Central Authentication Service and Banner Enterprise Identity Services” on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports CAS versions
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the util:map with id uniqueIdGeneratorsMap:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list with id argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the handlerMappingC bean:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add entry keys UDC_IDENTIFIER and Formatted Name to the attributeRepository bean:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the authenticationManager bean:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient">
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see “CAS managed services” on page 2-4.
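Because the UDC_IDENTIFIER attribute name must agree between the attributeRepository map in step 4.5.1 and the casTokenAttributes map in step 4.5.2, the following added Python check (not part of the guide or of the SGHE CAS extension) parses a deployerConfigContext.xml and reports any inconsistency, including a query that lost its {0} placeholder. The XML is a constructed excerpt in the layout the steps above produce; the authenticationManager class name is the stock CAS one and is an assumption about your file.

```python
"""Sanity-check the deployerConfigContext.xml edits for the UDC identifier.

Added example, not from the guide or the SGHE CAS extension.  It verifies
that the LDAP attribute holding the UDC identifier is exposed to CAS as
UDC_IDENTIFIER, that the person-directory query keeps its {0} placeholder,
and that the UDCIDAuthenticationMetaDataPopulator's casTokenAttributes map
agrees with the attributeRepository.  SAMPLE_CONTEXT is a constructed
excerpt; the authenticationManager class is the stock CAS 3 class and is an
assumption about the real file.
"""
import xml.etree.ElementTree as ET

SPRING_NS = "http://www.springframework.org/schema/beans"

SAMPLE_CONTEXT = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="query" value="(uid={0})" />
    <property name="contextSource" ref="contextSource" />
    <property name="ldapAttributesToPortalAttributes">
      <map>
        <entry key="uid" value="uid" />
        <entry key="udcid" value="UDC_IDENTIFIER" />
        <entry key="cn" value="cn" />
        <entry key="givenname" value="Formatted Name" />
        <entry key="mail" value="EmailAddress" />
      </map>
    </property>
  </bean>
  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="authenticationMetaDataPopulators">
      <list>
        <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
          <property name="template" ref="LdapTemplate" />
          <property name="netIdAttr" value="uid" />
          <property name="baseDN" value="ou=People,o=cp" />
          <property name="casTokenAttributes">
            <map>
              <entry>
                <key><value>udcid</value></key>
                <value>UDC_IDENTIFIER</value>
              </entry>
            </map>
          </property>
        </bean>
      </list>
    </property>
  </bean>
</beans>
"""


def _q(tag):
    """Qualify a tag with the Spring beans namespace."""
    return "{%s}%s" % (SPRING_NS, tag)


def _bean(root, bean_id):
    for bean in root.iter(_q("bean")):
        if bean.get("id") == bean_id:
            return bean
    raise KeyError("bean %s not found" % bean_id)


def _property(bean, name):
    for prop in bean.findall(_q("property")):
        if prop.get("name") == name:
            return prop
    raise KeyError("property %s not found" % name)


def attribute_map(bean, prop_name):
    """Read a Spring <map> property into a dict.

    Handles both the attribute form <entry key=".." value=".."/> used by the
    attributeRepository and the nested <key><value>..</value></key> form used
    by casTokenAttributes.
    """
    result = {}
    for entry in _property(bean, prop_name).iter(_q("entry")):
        key = entry.get("key")
        value = entry.get("value")
        if key is None:
            key = entry.find(_q("key")).find(_q("value")).text
        if value is None:
            value = entry.find(_q("value")).text
        result[key.strip()] = value.strip()
    return result


def check_udc_wiring(xml_text):
    """Return a list of findings; an empty list means the wiring is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    repo = _bean(root, "attributeRepository")
    query = _property(repo, "query").get("value", "")
    if "{0}" not in query:
        findings.append("attributeRepository query lacks the {0} placeholder: %r" % query)
    repo_map = attribute_map(repo, "ldapAttributesToPortalAttributes")
    if "UDC_IDENTIFIER" not in repo_map.values():
        findings.append("no LDAP attribute is exposed as UDC_IDENTIFIER")
    manager = _bean(root, "authenticationManager")
    populators = [b for b in _property(manager, "authenticationMetaDataPopulators").iter(_q("bean"))
                  if b.get("class", "").endswith("UDCIDAuthenticationMetaDataPopulator")]
    if not populators:
        findings.append("UDCIDAuthenticationMetaDataPopulator is not registered")
    else:
        for ldap_attr, cas_name in attribute_map(populators[0], "casTokenAttributes").items():
            if repo_map.get(ldap_attr) != cas_name:
                findings.append("populator maps %s to %s but attributeRepository maps it to %s"
                                % (ldap_attr, cas_name, repo_map.get(ldap_attr)))
    return findings


if __name__ == "__main__":
    for finding in check_udc_wiring(SAMPLE_CONTEXT) or ["wiring looks consistent"]:
        print(finding)
```

Point `check_udc_wiring` at the text of your own SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml after step 4.5.4; a mismatch here shows up later as a bannerValidate response without a UDC_IDENTIFIER attribute, which is harder to trace.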
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To crank up banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique log file which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, refer to the log files in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container, which take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c - %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
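To match a GOAEQRM event sequence against the LMG side quickly, the following added Python example (not part of the guide or of LMG) parses adapter.log lines in the format shown above and reports which stage each event reached. The log lines it uses are constructed samples; the ERROR line and its wording are an assumption, since the guide shows only the success case.

```python
"""Correlate LMG adapter.log lines with a GOAEQRM event sequence.

Added example, not part of the guide or of LMG.  It parses log lines in the
layout shown above and reports how far each event got: validated, published
to the Luminis Message Broker, delivered to a destination.  SAMPLE_LOG is
constructed; the ERROR line is an assumed failure message, since the guide
only shows the success path.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$")

# Message patterns taken from the guide's example lines, in processing order.
STAGE_RE = [
    ("validated", re.compile(r"XML for (?P<id>\d+) is a valid document")),
    ("published", re.compile(r"Message (?P<id>\d+) published to Luminis Message Broker")),
    ("delivered", re.compile(r"The event (?P<id>\d+) has been published to (?P<dest>\S+)")),
]

SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,113 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,120 [Thread-11] ERROR events.com.sct.corp.events.MessageAdapter - Message 370661 could not be published: broker unavailable
"""


def parse_line(line):
    """Split one log line into its fields, or return None for non-matching text."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def event_progress(log_text):
    """Return {event_id: {"stages": [...], "destinations": [...], "errors": [...]}}.

    Stage names are appended in the order seen; an ERROR line that names an
    event ID but matches no known stage is recorded under "errors".
    """
    progress = defaultdict(lambda: {"stages": [], "destinations": [], "errors": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        matched = False
        for stage, pattern in STAGE_RE:
            m = pattern.search(rec["msg"])
            if m:
                entry = progress[m.group("id")]
                entry["stages"].append(stage)
                if stage == "delivered":
                    entry["destinations"].append(m.group("dest"))
                matched = True
                break
        if not matched and rec["level"] == "ERROR":
            for event_id in re.findall(r"\b(\d{5,})\b", rec["msg"]):
                progress[event_id]["errors"].append(rec["msg"])
    return dict(progress)


def stalled_events(progress):
    """Event IDs that appear in the log but never reached a destination."""
    return sorted(e for e, p in progress.items() if "delivered" not in p["stages"])


if __name__ == "__main__":
    report = event_progress(SAMPLE_LOG)
    for event_id in sorted(report):
        print(event_id, report[event_id])
    print("stalled:", stalled_events(report))
```

On a real system, read $SCT_LMG_HOME/Events/logs/adapter.log into `event_progress` and look up the Event Sequence from GOAEQRM; an event listed by `stalled_events` with no error is the case the next section covers, where LMG processed it but the broker side did not deliver.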
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination or filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These include the following:
• “Sample proxyinfo.sql script”
• “Sample 00-core.ldif”
• “Sample 99-user.ldif”
• “Sample sso_oclass_lum5.ldif”
• “Sample o=sctssoapplications.ldif”
• “Full lp5_mqinit.sh script”
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS    TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                     TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompts for the Luminis ID at run time
  d varchar2(200);                    -- Oracle user returned
  e varchar2(200);                    -- role returned
  f varchar2(200);                    -- password returned (output suppressed below)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. Importing the following LDIF updates 00-core.ldif and 99-user.ldif as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in “Sample o=sctssoapplications.ldif” on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in “Set up users and administered objects in o=messaging” on page 3-3 is listed below. The [[ ]] tests and (( )) arithmetic it uses require bash, as the debug note in the script indicates.
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
#VERBOSE="--verbose"

# User-configurable variables; set these before running the script:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized:
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable.
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit ;;
        esac
        # Shouldn't ever get here, but just in case (no pun):
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit ;;
    esac
  done
}

# Step 0.1
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d $OPENDS_DIR ) || ! ( -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit
fi

# Step 0.2
# Prompt [no screen echo] for the DM password.
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Note: -w passes the password on the command line, where it is visible to
# other users of the host while the tool runs; the OpenDS tools also accept
# -j <file> (--bindPasswordFile) to read it from a protected file instead.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options.
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot.
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=${MQ_LMG_USER},ou=People,${OPENDS_MQ_BASEDN}
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
er 2011 Luminis Platform 503 C-9Banner Integration Setup Guide
Sample Scripts and Files
C-10
STEP 7
Add the $MQ_LUM_USER user
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=$MQ_LUM_USERou=People $OPENDS_MQ_BASEDN
userPassword $MQ_LUM_USER_PW
description Internal message broker administrative user
objectClass person
objectClass top
sn $MQ_LUM_USER
cn $MQ_LUM_USER
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 8
Add LDAP aci so that $MQ_LMG_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LMG_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 9
Add LDAP aci so that $MQ_LUM_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LUM_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
Define JNDI options for the imqobjmgr commands
JNDI_OPTS=-j javanamingfactoryinitial=comsunjndildapLdapCtxFactory -j javanamingproviderurl=ldap$HOSTNAME$INSECURE_LDAP_PORTou=AdministeredObjects$OPENDS_MQ_BASEDN -j javanamingsecuritycredentials=$DM_PASSWORD -j javanamingsecurityauthentication=simple
Insecure jmshttpjms connection factory options
CONNFACTORY_TCP_OPTS=-o imqConnectionURL=http$HOSTNAME$MQ_HTTP_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Secure ssljmshttpsjms connection factory options
CONNFACTORY_TLS_OPTS=-o imqConnectionURL=https$HOSTNAME$MQ_HTTPS_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Note the following imqobjmgr queuetopic creations could have also
been done by using imqcmd as follows explicit imqobjmgr is used to
ensure fine-grained control over the JNDI AdministeredObjects location
imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
er 2011 Luminis Platform 503 C-11Banner Integration Setup Guide
Sample Scripts and Files
C-12
imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
STEP 10
Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOMEbin
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_EntityEvents -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 11
Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Error -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 12
Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_LmsSync -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 13
Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Sync -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
STEP 14
Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateRequest -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 15
Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateReply -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 16
Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 17
Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 18
Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
er 2011 Luminis Platform 503 C-13Banner Integration Setup Guide
Sample Scripts and Files
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
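The sample script writes both broker users' passwords into the directory in cleartext (userPassword: $MQ_LMG_USER_PW) and only hints at the pre-encoded alternative that STEP 2 switches on. The following Python is an added example, not part of the Ellucian guide or its sample script: it produces an {SSHA} value of the form the guide quotes, verifies a password against one, and emits the userPassword:: LDIF line and a complete STEP 6-style entry, so the cleartext value never has to sit in the script or in a shell history. The only input taken from the guide is its sample base64 string; the 8-byte salt length is what that sample decodes to.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The base64 value quoted in the guide's sample comment; reused here only to show
# how the "userPassword:: ..." LDIF form decodes.
GUIDE_SAMPLE_B64 = "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="

SHA1_LEN = 20   # bytes of digest at the front of the decoded value
SALT_LEN = 8    # OpenDS appends an 8-byte salt; the guide's sample has exactly that


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(SHA1(password || salt) || salt), the RFC 2307 salted SHA form."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(encoded: str) -> Tuple[bytes, bytes]:
    """Split an '{SSHA}' value into (digest, salt); the salt is whatever follows the 20-byte digest."""
    if not encoded.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(encoded[len("{SSHA}"):])
    if len(blob) <= SHA1_LEN:
        raise ValueError("value too short to hold a SHA-1 digest plus salt")
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def ssha_verify(password: str, encoded: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = ssha_parts(encoded)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword_line(encoded: str) -> str:
    """LDIF carries a pre-encoded password base64-wrapped after a double colon, as in the guide's sample."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def decode_ldif_userpassword(line: str) -> str:
    """Inverse of ldif_userpassword_line: recover the '{SSHA}...' string from a 'userPassword:: ...' line."""
    label, sep, value = line.partition("::")
    if not sep or label.strip() != "userPassword":
        raise ValueError("not a base64 userPassword line")
    return base64.b64decode(value.strip()).decode("ascii")


def user_entry_ldif(cn: str, base_dn: str, encoded: str, description: str) -> str:
    """The STEP 6 / STEP 7 entry from the script, with the pre-encoded password in place of cleartext."""
    return "\n".join([
        f"dn: cn={cn},ou=People,{base_dn}",
        ldif_userpassword_line(encoded),
        f"description: {description}",
        "objectClass: person",
        "objectClass: top",
        f"sn: {cn}",
        f"cn: {cn}",
    ]) + "\n"


if __name__ == "__main__":
    # Generate a fresh value for the LMG broker user and print the entry to paste into STEP 6.
    print(user_entry_ldif("lmguser", "o=messaging", ssha_encode("password"), "LMG"))
```

Paste the printed entry into the STEP 6 or STEP 7 heredoc in place of the cleartext userPassword line. SSHA is salted SHA-1: it stops a dump of the directory from being matched against precomputed tables, but it does nothing for a weak password such as the script's default, so the value of MQ_LMG_USER_PW still matters.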
Troubleshooting

This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform Portlets for Banner.

Error message when banproxy is not configured correctly

The following error often indicates that the banproxy configuration is not set up properly:

ORA-28150: proxy not authorized to connect as client

If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:

SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;

The proxy (connect-through) grant for BANPROXY access has the following shape:

SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;

USER2 should be the sole member of the pxy_channel_luminis class and be granted EXECUTE on gspprxy and CREATE SESSION (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner web application.

When "Authorize BANPROXY" is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users, regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, issue the grants manually, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.

For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL when using the GSASECR form to check BANPROXY access.

To test which Oracle ID will be used for a given SPRIDEN ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO

The handoff logic between the SSO systems is deliberately somewhat opaque, to hinder hijacking and other security breaches. The installation process is manual so that each administrative staff can customize their specific environment to use unique keywords.

The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis web apps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:

iamticket=iamticket

Use the same Forms configuration name consistently wherever forms/frmservlet?config=… is referenced in the BNIG configuration and in banportals; the sample configuration name used in this guide is smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see AJP-related errors in the Banner Enterprise Identity Services default island log, located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams on which JMS relies. To correct the problem, complete the following steps:

1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any lock files.
Another SOAP-related error, an HTTP transport error, can occur even if all the JMS queues are configured and operating correctly. This error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:

http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy

Another solution is to adjust your Forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.

Validating Banner Enterprise Identity Services event streams

The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation

For more information, refer to the Banner Enterprise Identity Services Installation Guide. One typo in that guide is the following validation statement, which is missing its closing single quote:

1. select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME = 'IAM_EVENTS_CAPTURE';

2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql

These are Banner General files located on your Banner database server under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 in the SunGard Higher Education Customer Support Center.

3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');

The latter command should automatically begin the capture and apply. To begin them manually, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');

If the streams are locking on archive logs, you can remove the stream with the following command:
exec gp_streams_util.p_remove_streams('IAM');

4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
4 SSB and INB Integration

This chapter discusses points to consider when integrating Self-Service Banner (SSB) and Internet Native Banner (INB). These points include the following:

• "User ID mappings"
• "Create the o=SCTSSOapplications base DN"
• "Verify usermap mapping setup for INB users using the proxyinfo.sql script"
• "Configure user map lookups"

User ID mappings

User ID mappings are important in Open Digital Campus. The PIDM is the root key. The PIDM <-> UDC ID mapping is held in the GOBUMAP configuration, PIDM <-> SPRIDEN ID mappings are in the SPRIDEN table, and PIDM <-> INB (Oracle) login mappings are in the GOBEACC table. For more details about GOBUMAP, see the Banner General 7.5.1 Release Guide.

The LDAP-authentication layer is not needed beyond the initial CAS authentication. Luminis Platform Portlets for Banner continue to rely upon the Banner Oracle INB ID or the BANPROXY proxy ID, which gather data from Oracle to stream back via the portlets. There is no additional LDAP authentication, and no SPRIDEN-ID lookup against LDAP, involved in the SSO transaction. Instead, the bnSSOWeb applications (SSO via CAS to INB and SSB), accessed via banner-cas-client/authorizedbanner, place trust in the initial CAS ticket (as in the Luminis-CAS login on port 8447), coupled with the assertion of the UDCID in the configured cookie and header.

Luminis Portlets for Banner add database-level security with Banportals for each transaction, using the user's actual INB/Oracle user account or a proxy connection via BANPROXY.

Other questions to consider when setting up a user in Banner applications are as follows:

• Does the user have a mapping in GOBUMAP from their UDC ID to a valid PIDM, and does the user have a UDCID defined in the Luminis Platform LDAP record?
• Have the CAS banner-cas-client service URLs been configured via your CAS server's services management page (cas-web/services/manage.html) to specifically pass the UDC_IDENTIFIER?
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?

Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 installed with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001. Otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port assignments wherever INB URLs are referenced in the BEIS and banportals configurations: the domain name sct.com is not necessarily sungardhe.com.

Create the o=SCTSSOapplications base DN

To create an optional base DN such as o=SCTSSOapplications, you can use the OpenDS control panel. This base DN is not necessary unless LDAP-based user mapping is needed, as configured by the BASELINE user in GUAUPRF.

For more information about managing base DNs with the control panel, see the following link:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel

To create the base DN, complete the following steps:

1. Run the following command from $CP_ROOT/products/opends/bin:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select "Add one or more values".
1.4 Enter the DN. For example, enter o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Enter "Use these values".
1.7 Press F to finish and apply the changes to the Local DB Backend.

2. Import the sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications" sections in Appendix C, "Sample Scripts and Files".

3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
(Passing the Directory Manager password with -w exposes it in the process list; omit -w to be prompted, or use -j with a password file.)

Verify usermap mapping setup for INB users using the proxyinfo.sql script

The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.

Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any user who does not have an explicit usermap entry, the default Oracle ID (usually banproxy) results.

If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups

In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.

The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key

When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server that hosts the user mappings. The Directory Manager password used for that bind is stored on GUAUPRF, encrypted with DES through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key (a password) to perform the encryption. Single DES with an 8-character key offers little protection by current standards, and Oracle has deprecated DBMS_OBFUSCATION_TOOLKIT in favor of DBMS_CRYPTO, so treat the key file and the encrypted GUAUPRF values as secrets and restrict who can read them.

Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.

If KEY_DIR does not exist in DBA_DIRECTORIES and the physical directory has not been created on your database server, create it using the following steps. Make sure the directory's group permissions allow the Oracle software owner to read it (and that it is not world-readable).

1. Create the physical directory on your database server, for example: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in that directory.
3. Edit the enckey file and enter the key, such as PASSWORD.

Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.

The passwords stored and passed by the SSO process are encrypted using DES and your key.

4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the directory you created in step 1, for example $BANNER_HOME/KEY_DIR.

Note: If you cannot find the banssodir.sql script, you may need to copy it manually from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.

5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
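The rules for the enckey file above are easy to get wrong, and the guide's own sample key PASSWORD does not satisfy the letters-and-numbers rule. The following Python is an added example, not part of the Ellucian guide or of GOKKSSO: it checks an enckey file's contents against exactly the rules stated above and reports which eight characters the DES step consumes and which 24 GOKKSSO reads. The guide does not say what character GOKKSSO pads the key with, so the checker never pads; the "first line only" check is this example's assumption about the file layout.

```python
from typing import List, Tuple

DES_KEY_LEN = 8     # characters the current DES encryption consumes
MAX_KEY_USED = 24   # characters GOKKSSO reads (room for the DES3 key the guide anticipates)


def check_enckey(contents: str) -> Tuple[bool, List[str], str, str]:
    """Validate the text of an enckey file against the rules stated in the guide.

    Returns (ok, problems, des_key, key24): des_key is the 8-character slice the DES
    step uses, key24 the slice GOKKSSO reads (shorter if the key is shorter). The
    padding to 24 that GOKKSSO applies is not described in the guide, so nothing is
    padded here; the checker only reports, it never rewrites the key.
    """
    problems: List[str] = []
    lines = contents.splitlines()
    if not lines or not lines[0].strip():
        return False, ["enckey file is empty"], "", ""
    key = lines[0]
    if key[0].isspace():
        problems.append("key must start in column 1; leading whitespace found")
        key = key.lstrip()
    if len(key) < DES_KEY_LEN:
        problems.append(f"key is {len(key)} characters; at least {DES_KEY_LEN} are required")
    elif len(key) % DES_KEY_LEN:
        problems.append(f"key length {len(key)} is not a multiple of {DES_KEY_LEN}")
    if not key.isalnum():
        problems.append("key must contain letters and numbers only")
    elif not (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)):
        problems.append("key must combine letters and numbers (not letters only or digits only)")
    if len(key) > MAX_KEY_USED:
        problems.append(f"only the first {MAX_KEY_USED} characters are used; "
                        f"the remaining {len(key) - MAX_KEY_USED} are ignored")
    # Assumption of this example: the file holds the key on its first line and nothing else.
    if any(extra.strip() for extra in lines[1:]):
        problems.append("the file should hold the key on its first line only; extra non-empty lines found")
    return not problems, problems, key[:DES_KEY_LEN], key[:MAX_KEY_USED]


def report(contents: str) -> str:
    """Human-readable summary, handy when auditing an existing KEY_DIR/enckey."""
    ok, problems, des_key, key24 = check_enckey(contents)
    out = [f"DES uses: {des_key!r} ({len(des_key)} chars)",
           f"GOKKSSO reads: {key24!r} ({len(key24)} chars)"]
    out.append("OK" if ok else "Problems:\n  " + "\n  ".join(problems))
    return "\n".join(out)


if __name__ == "__main__":
    # The guide's own sample key "PASSWORD" has no digits, so it is reported.
    print(report("PASSWORD\n"))
    print(report("Abc12345Xyz67890\n"))
```

Because only the first eight characters feed the DES step today, a longer key adds nothing until the DES3 path is in use; choose those eight characters as carefully as any other password.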
Create entries in LDAP for usermap

If LDAP user mappings are enabled (as optionally configured by the BASELINE user in GUAUPRF), you must add the configuration entries to your LDAP directory. The default DN path is as follows:

o=config,o=Banner,o=SCTSSOapplications

UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, the Common Name (cn) of the entry should be the LDAP user name, and the SCTSSOConfigString attribute should be set to the user name in the Banner database. If a user's IDs are the same in both systems, an entry in this location is neither necessary nor recommended for that user.

In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:

• The same value: Luminis ID = jsmith, Oracle/Banner ID = jsmith
• Mapped to one another in LDAP: Luminis ID = JoeSmith, Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping when the IDs differ. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.

1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith

2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline

Note: You must wait approximately 20 minutes for the mapping to take effect.

3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.

Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner, and the value is cached thereafter. If you change a particular mapping, you must restart the banportals OC4J before the new mapping is read.
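For more than a handful of users the mapping entries are better generated than typed. The following Python is an added example, not part of the Ellucian guide: it builds the o=usermap LDIF entries described above from a table of (Luminis ID, Banner/Oracle ID) pairs, escapes cn values that contain DN-special characters, parses such entries back (for instance from an ldapsearch dump of the usermap tree) and resolves a Luminis ID the way the guide says lookups behave (an explicit usermap entry wins, otherwise the default Oracle ID). The base DN, object class and attribute names are the ones the guide shows; the sample pairs are constructed data.

```python
from typing import Dict, Iterable, List, Tuple

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "BANPROXY"   # the guide: "the default Oracle ID (usually banproxy) results"

# Characters that RFC 4514 requires to be escaped inside an RDN value.
_RDN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a cn value for use in a DN: specials anywhere, '#' at the start, spaces at either end."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def usermap_entry(luminis_id: str, oracle_id: str) -> str:
    """One SCTSSOConfig entry, shaped like the guide's sso_map.ldif example."""
    return "\n".join([
        f"dn: cn={escape_rdn_value(luminis_id)},{USERMAP_BASE}",
        f"SCTSSOConfigString: {oracle_id}",
        "objectClass: top",
        "objectClass: SCTSSOConfig",
        f"description: Map of Luminis ID - {luminis_id} to Banner/Oracle ID - {oracle_id}",
        f"cn: {luminis_id}",
    ]) + "\n"


def build_usermap_ldif(pairs: Iterable[Tuple[str, str]]) -> str:
    """Emit one entry per pair whose IDs differ; identical IDs need, and should have, no entry.

    The comparison is case-sensitive on purpose: the guide's JoeSmith/jsmith case is a mapping.
    """
    return "\n".join(usermap_entry(lum, ora) for lum, ora in pairs if lum != ora)


def parse_usermap_ldif(ldif: str) -> Dict[str, str]:
    """Read SCTSSOConfig entries back into a {luminis_id: oracle_id} dict.

    Only the plain 'attr: value' form is handled; base64 ('attr:: value') lines are skipped.
    """
    mapping: Dict[str, str] = {}
    for block in ldif.strip().split("\n\n"):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if "::" in line.split(" ", 1)[0] or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            attrs.setdefault(name, []).append(value)
        if "SCTSSOConfig" in attrs.get("objectClass", []) and "cn" in attrs and "SCTSSOConfigString" in attrs:
            mapping[attrs["cn"][0]] = attrs["SCTSSOConfigString"][0]
    return mapping


def resolve_oracle_id(luminis_id: str, usermap: Dict[str, str], default: str = DEFAULT_ORACLE_ID) -> str:
    """The lookup order the guide describes: an explicit usermap entry wins, otherwise the default ID."""
    return usermap.get(luminis_id, default)


if __name__ == "__main__":
    # Constructed sample pairs; only the first and third produce entries.
    sample = [("JoeSmith", "jsmith"), ("jdoe", "jdoe"), ("O'Brien, Pat", "pobrien")]
    print(build_usermap_ldif(sample))
```

Feed the printed LDIF to ldapmodify as in step 2, then confirm with proxyinfo.sql as in step 3; because each usermap entry decides which Oracle account a portal session runs as, review the generated file before importing it rather than piping it straight into the directory.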
Configure parameters using GUAUPRF

To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:

1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value is displayed as the default value for new users who log in to Banner.

Parameter / Description

BIND_PASSWORD: The password for the bind user. It is stored in the database using DES encryption with the encryption key you configured in an earlier step.

BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.

DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.

SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter uses Internet URL format for LDAP, for example ldap://myldapserver:389.
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.

USERMAP_OPT: Usermap option. Valid values are L (the login ID is used for login mapping) and N (no usermap option is used).

USERMAP_PRFX: Prefix for the usermap. This field contains the prefix for the usermap option; the default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are governed by the USERMAP_OPT parameter, whose expected value is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:

Parameter / Description

LOCATION: To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where the wallet is created, in file URL format. For example: file:d:\wallet for Windows, file:/u01/wallet for Unix.

PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.

MODE: The SSL authentication mode, one of the following values:
1 - No authentication is required (SSL encryption only).
2 - One-way authentication is required: the database, acting as the LDAP client, verifies the LDAP server's certificate against the trusted certificates in its wallet.
3 - Two-way authentication is required: the client and the server authenticate each other's certificates.
A CAS Server Configuration

Use the following steps to specify the LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.

For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.

1. If you do not already have a CAS server installed, download the JA-SIG CAS server distribution.

2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education for modifying the CAS server. SunGard Higher Education supports the CAS versions for which an extension file is listed below.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3.2.1.1_UTILS.jar / SGHE_CAS_3.2.1.1_UTILS.zip
SGHE_CAS_3.3.1_UTILS.jar / SGHE_CAS_3.3.1_UTILS.zip

3. Unpack the SGHE_CAS_3.3.1_UTILS.zip file to a temporary location. In the steps that follow, the temporary location is referred to as CAS_EXTENSION (for example D:\Banner_IdM_Extension) and the Luminis Platform CAS server location as SGHE_CAS_SERVER (for example $CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war).
4 To configure the CAS server to enable the bannerValidate service complete the following steps
41 Copy the following JAR files from CAS_EXTENSIONWEB-INFlib to SGHE_CAS_SERVERWEB-INFlib
jsr173_10_apijar
sghe_udc_identity_xmlbeans_bindingjar
sghe-cas-extjar
xbeanjar
xercesImpljar
xml-apisjar
41 Modify the SGHE_CAS_SERVERWEB-INFwebxml file by opening webxml and adding the following servlet mapping to it
ltservlet-mappinggt
ltservlet-namegtcasltservlet-namegt
lturl-patterngtbannerValidatelturl-patterngt
ltservlet-mappinggt
42 Modify SGHE_CAS_SERVERWEB-INFspring-configuration uniqueIdGeneratorsxml by completing the following steps
421 Open the uniqueIdGeneratorsxml file
422 Add the following lines to the uniqueIdGeneratorsxml file
utilmap id=uniqueIdGeneratorsMap ltentry key=comsghecasprincipalBannerAccountsService value-ref=serviceTicketUniqueIdGenerator gt
423 Save and close the uniqueIdGeneratorsxml file
Luminis Platform 503 November 2011Banner Integration Setup GuideCAS Server Configuration
Novemb
43 Modify the SGHE_CAS_SERVERWEB-INFspring-configuration argumentExtractorsConfigurationxml file
Use the following steps to modify the argumentExtractorsConfigurationxml file
431 Open the argumentExtractorsConfigurationxml file
432 Add the following XML configuration
ltbean id=BannerArgumentExtractor class=comsghecaswebsupportBannerArgumentExtractorgt
ltbeangt
433 Add the following reference to utillist - argumentExtractors
ltutillist id=argumentExtractorsgt
ltref bean=BannerArgumentExtractor gt
ltref bean=casArgumentExtractor gt
ltref bean=samlArgumentExtractor gt
ltutillistgt
434 Save and close argumentExtractorsConfigurationxml
44 Modify the SGHE_CAS_SERVERWEB-INFcas-servletxml file
Use the following steps to modify the cas-servletxml file
er 2011 Luminis Platform 503 A-3Banner Integration Setup Guide
CAS Server Configuration
A-4
4.4.1 Open cas-servlet.xml and add the following XML configuration:
  <bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
        p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
        p:centralAuthenticationService-ref="centralAuthenticationService"
        p:proxyHandler-ref="proxy20Handler"
        p:argumentExtractor-ref="BannerArgumentExtractor"
        p:successView="bannerAccountServiceSuccessView"
        p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
  <prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
  <bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="query" value="(uid={0})" />
    <property name="contextSource" ref="contextSource" />
    <property name="ldapAttributesToPortalAttributes">
      <map>
        <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
        <entry key="uid" value="uid" />
        <entry key="udcid" value="UDC_IDENTIFIER" />
        <entry key="cn" value="cn" />
        <entry key="givenname" value="Formatted Name" />
        <entry key="mail" value="EmailAddress" />
      </map>
    </property>
  </bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
  <property name="authenticationMetaDataPopulators">
    <list>
      <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
        <property name="template" ref="LdapTemplate" />
        <property name="netIdAttr" value="uid" />
        <property name="baseDN" value="ou=People,o=cp" />
        <property name="casTokenAttributes">
          <map>
            <entry>
              <key><value>udcid</value></key>
              <value>UDC_IDENTIFIER</value>
            </entry>
          </map>
        </property>
      </bean>
    </list>
  </property>
4.5.3 Add the following bean definitions under the beans root element:
  <bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <property name="contextSource" ref="contextSource"></property>
  </bean>
  <bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
    <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
  </bean>
  <bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
    <property name="template" ref="LdapTemplate"></property>
    <property name="netIdAttr" value="uid" />
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="samlToLdapAttributeNameMap">
      <map>
        <entry key="UDC_IDENTIFIER" value="udcid" />
        <entry key="Formatted Name" value="sn" />
      </map>
    </property>
  </bean>
  <bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties:
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
  # Banner Applications Views
  bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
  bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS trafficking via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique log file which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the logs under $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will, which take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
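The three adapter.log messages above are the checkpoints an event passes on its way out of LMG. The following Python script, an added example that is not part of the original guide, parses lines in that layout, follows an event ID through the three stages, and lists events that were validated but never confirmed to a subscriber; the sample log lines (and the second event ID in them) are constructed.

```python
import re
from collections import defaultdict

# Layout of the LMG adapter.log lines shown above:
#   <date> <time>,<ms> [<thread>] <LEVEL> <logger> - <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# The three messages an event produces on its way through LMG, in processing order.
# The event number is the Banner Event Sequence (EventID) shown on GOAEQRM.
STAGES = (
    ("validated", re.compile(r"XML for (?P<id>\d+) is a valid document")),
    ("broker", re.compile(r"Message (?P<id>\d+) published to Luminis Message Broker")),
    ("subscriber", re.compile(r"The event (?P<id>\d+) has been published to (?P<dest>\S+)")),
)


def parse_line(line):
    """Split one adapter.log line into its fields; None for lines in another layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def trace_events(lines):
    """Map each event ID to the stages it reached: {event_id: {stage: {"ts", "dest"}}}."""
    events = defaultdict(dict)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        for stage, rx in STAGES:
            m = rx.search(rec["msg"])
            if m:
                events[m.group("id")][stage] = {
                    "ts": rec["ts"],
                    "dest": m.groupdict().get("dest"),
                }
    return dict(events)


def stalled_events(lines):
    """Event IDs whose last recorded stage is not 'subscriber', with that last stage.

    These are the events to look for next in luminis.log or the MQ broker log:
    LMG accepted them but never confirmed delivery to a subscriber."""
    order = [name for name, _ in STAGES]
    stalled = {}
    for event_id, reached in trace_events(lines).items():
        last = max(reached, key=order.index)
        if last != "subscriber":
            stalled[event_id] = last
    return stalled


# Constructed sample log, not captured from a real system: 370660 completes,
# 370661 is validated but never published, and one line is in another layout.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,004 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
adapter restarted, no timestamp on this line
""".splitlines()

if __name__ == "__main__":
    for event_id, stage in sorted(stalled_events(SAMPLE_LOG).items()):
        print(f"event {event_id} stopped after stage '{stage}'")
```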
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID,
-- such as INTEGMGR or WWW_USER, is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) Log in to SQL*Plus as BANINST1
-- 2) Type start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS      TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                        TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- substitution variable: prompts for the Luminis ID
  d varchar2(200);                     -- Oracle user returned by the mapping
  e varchar2(200);                     -- role
  f varchar2(200);                     -- password (deliberately not printed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif script in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. By importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
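The user map above is the data proxyinfo.sql consults when it resolves a Luminis ID to an Oracle user. The following Python script, an added example that is not part of the original guide, parses an LDIF export in this shape (folded lines and base64 values included), locates the user map through the UserMapDN entry, and resolves a Luminis ID to its Banner user, falling back to a default Oracle ID for unmapped IDs (INTEGMGR is an assumed site default); the sample LDIF is constructed.

```python
import base64


def normalize_dn(dn):
    """Compare DNs the way the directory does: case-insensitive, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF content parser: returns {normalized_dn: {attr_lower: [values]}}.

    Handles folded continuation lines (leading space), base64 values ('::') and
    comments; the 'version:' header is ignored. Change records are not needed here."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # join a folded line onto the previous one
        else:
            unfolded.append(line)
    entries, dn, attrs = {}, None, {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[normalize_dn(dn)] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.strip().lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.strip().lower(), []).append(value)
    return entries


CONFIG_DN = "cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications"


def resolve_oracle_user(entries, luminis_id, default_oracle_id="INTEGMGR"):
    """Return (oracle_user, mapped): the Banner user mapped to a Luminis ID, or the default.

    The user map lives under the DN named by the UserMapDN configuration entry;
    an unmapped Luminis ID falls back to the default Oracle ID, which is what the
    generic INTEGMGR/WWW_USER result from proxyinfo.sql indicates (assumed default)."""
    cfg = entries.get(normalize_dn(CONFIG_DN))
    if cfg is None or "sctssoconfigstring" not in cfg:
        raise ValueError("UserMapDN configuration entry not found in LDIF")
    usermap_dn = cfg["sctssoconfigstring"][0]
    entry = entries.get(normalize_dn(f"cn={luminis_id},{usermap_dn}"))
    if entry is None or "sctssoconfigstring" not in entry:
        return default_oracle_id, False
    return entry["sctssoconfigstring"][0], True


# Constructed sample in the shape of o=sctssoapplications.ldif above (not a real export).
SAMPLE_LDIF = """\
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
"""

if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for uid in ("kyle", "610009611", "nobody"):
        print(uid, "->", resolve_oracle_user(directory, uid))
```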
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# (bash is required: the script uses [[ ]], (( )) and read -s)
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc, general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify
# VERBOSE="--verbose"
#
# User-configurable variables before running script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389
# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0
# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0, no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break 2 ;;
          * ) echo "Failed on step $STEPNO with error $ERRORCODE"
              exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break"
        break ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}
# Step 0.1
# Some sanity checks before we start
# Does $OPENDS_DIR exist and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi
# Step 0.2
# Prompt [no screen echo] for DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD
# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Note that -w places the password on the command line, where it is visible
# in the process list for the duration of each dsconfig/ldapmodify call.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"
# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword (allowed by STEP 2), the
# format would be a base64 LDIF value ('::') of the {SSHA} string:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands (binds as Directory Manager over the
# insecure LDAP port; the credentials are passed on the command line)
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (the lookup names are single-quoted so that the shell does not expand the '$' in them)
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the destination name matches the UpdateRequest queue listed in the imqcmd note above)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_ssl_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_ssl_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channels proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users, regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center, and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that
jmsxml file is $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
2 Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
3 Delete any Lock files
Another SOAP-related error, an HTTP transport error, can occur even when all the JMS queues are configured and operating correctly. It indicates that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, for example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your Forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK in the SunGard Higher Education Customer Support Center describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the Oracle Streams used for Banner Enterprise Identity Services events.
Oracle Streams: Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide. Note the following corrections and additions to that guide:
1. The validation statement is printed there without its closing single quote. The correct statement is:
select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE';
2. If the results of the validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files located on your Banner database server under $BANNER_HOME/upgrade/gen80000u. They were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using Banner General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The second command should automatically start the capture and apply processes. To start them manually, enter:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If the streams are locking on archive logs, remove the stream with:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
• Does the cookie or header name for SSB and INB in your bnigWeb configuration match the IDM settings in Web Tailor Parameters?
Note: If you are using a version of Web Tailor older than 8.4, ensure that you have Web Tailor 8.3.1 with b_0110_twb8030001, or Web Tailor 8.2 with b_0110_twb8020001; otherwise bnSSOWeb will not function. Pay strict attention to the domain name and port wherever INB URLs are referenced in the BEIS and banportals configurations. The domain name sct.com is not necessarily sungardhe.com.
Create the o=SCTSSOapplications base DN
To create an optional base DN such as o=SCTSSOapplications, you can use the OpenDS control panel or the dsconfig command below. This base DN is only needed when LDAP-based user mapping is used, as configured by the BASELINE user in GUAUPRF.
For more information about managing base DNs with the control panel, see:
https://www.opends.org/wiki/page/ManagingDnsWithControlpanel
To create the base DN, complete the following steps:
1. Run dsconfig from $CP_ROOT/products/opends/bin as follows:
dsconfig -h <FQDN> -p 4444 -D "cn=directory manager" set-backend-prop --advanced
1.1 Select userRoot.
1.2 Select base-dn.
1.3 Select Add one or more values.
1.4 Enter the DN, for example o=SCTSSOapplications.
1.5 Press Enter to continue.
1.6 Select Use these values.
1.7 Press f to finish and apply the changes to the Local DB Backend.
2. Import the sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
The -X (trust all certificates) option skips verification of the server certificate; it is tolerable against localhost but should not be used for a remote directory. For example files, see the "Sample sso_oclass_lum5.ldif" and "Sample o=sctssoapplications.ldif" sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Here pipeline is the sample Directory Manager password. A password given with -w appears in the process list and in the shell history; on any shared server prefer -j <password file>, with the file readable only by the account that runs the command.
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected for a specific Luminis ID. When run, the script prompts you for a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, no mapping was found and the default is being used.
Mappings defined under o=usermap,o=Banner,o=sctssoapplications take precedence; for any user without an explicit usermap entry, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted the proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful when using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must assign the connect-through grants manually via SQL.
Configure user map lookups
For the mappings under o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies on a correct encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection for self-service pages that are restricted with the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. For INB channels such as the My Banner channel, however, the GOBEACC mapping does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be created to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner binds as the configured bind user (the Directory Manager in the default configuration) against the LDAP server that hosts the user mappings. The bind password is stored on GUAUPRF and is encrypted with DES through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key (password) to perform the encryption. Note that single DES uses a 56-bit key and that Oracle has deprecated DBMS_OBFUSCATION_TOOLKIT in favor of DBMS_CRYPTO; the stored value protects the Directory Manager password against casual reading only, so protect the key file and the GUAUPRF data with database and file system permissions.
Note: During your Banner installation or upgrade you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in DBA_DIRECTORIES and the physical directory has not been created on your database server, create it using the following steps. Make the directory and file readable by the Oracle software owner (and its group if required), and not by other users.
1. Create the physical directory on your database server, for example: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key. (The example value PASSWORD is only a placeholder; it contains no digits and so does not satisfy the rule below.)
Your key must start in column 1, combine letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package uses only the first 24 characters. DES itself uses only eight characters; SunGard Higher Education has provided for eventual use of the DES3 algorithm, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script in the $BANNER_HOME/install directory and change the directory name to match the directory you created in step 1, for example $BANNER_HOME/KEY_DIR.
Note: If you cannot find the banssodir.sql script, copy it manually from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
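The following Python script is an added example, not part of Ellucian's delivered software and not the GOKKSSO package itself. It checks an enckey file against the rules above (starts in column 1, at least eight characters, a multiple of eight, letters and digits mixed, only the first 24 characters used) and, as an addition beyond the guide, reports a file that other users can read. The file layout, the padding behaviour and the suggested mode 0640 are assumptions.

```python
"""Validate an enckey file for GOKKSSO (added example; not Ellucian code).

Rules from the guide: the key starts in column 1, has at least 8 characters,
a length that is a multiple of 8, mixes letters and digits, and only the first
24 characters are used (DES consumes the first 8; the rest is reserved for
DES3).  The permission check is an addition: the key unlocks the Directory
Manager password stored on GUAUPRF, so the file must not be world-readable.
"""
import os
import stat
import tempfile

MAX_USED = 24   # characters GOKKSSO reads
DES_USED = 8    # characters single DES actually consumes


def effective_key(key):
    """Return (key_as_used, des_part): the first 24 characters GOKKSSO keeps
    and the 8 characters DES uses.  How the package pads shorter keys to 24 is
    not specified by the guide, so no padding is applied here."""
    used = key[:MAX_USED]
    return used, used[:DES_USED]


def check_key(key):
    """Return a list of rule violations for a key string; [] means acceptable."""
    problems = []
    if key[:1].isspace():
        problems.append("key must start in column 1 (leading whitespace found)")
    if len(key) < DES_USED:
        problems.append("key must contain at least 8 characters")
    elif len(key) % DES_USED:
        problems.append("key length must be a multiple of 8")
    if not (any(c.isalpha() for c in key) and any(c.isdigit() for c in key)):
        problems.append("key must combine letters and digits")
    if len(key) > MAX_USED:
        problems.append("only the first 24 characters are used; the rest is ignored")
    return problems


def check_key_file(path):
    """Validate the first line of an enckey file and the file's mode.

    Returns (key, problems).  Only the first line is the key; a blank first
    line means the file was created but never edited."""
    problems = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("enckey is readable or writable by other users; use mode 0640 or tighter")
    with open(path, "r", encoding="ascii") as fh:
        key = fh.readline().rstrip("\r\n")
    if not key:
        problems.append("enckey is empty")
    else:
        problems.extend(check_key(key))
    return key, problems


def demo_key_file(key, mode=0o640):
    """Write a constructed enckey with the given mode to a temporary directory
    and return the problems found, so the checks can be exercised offline."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "enckey")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(key + "\n")
        os.chmod(path, mode)
        return check_key_file(path)[1]


if __name__ == "__main__":
    for candidate in ("PASSWORD", "Abc12345", " Abc12345"):
        print(repr(candidate), check_key(candidate) or "ok")
    print("mode 0644:", demo_key_file("Abc12345", 0o644))
```

Run it on the database server as the Oracle software owner against $BANNER_HOME/key_dir/enckey (replace the demo path); a non-empty problem list means GOKKSSO will either reject the key or silently use a different key than you intended.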
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the BASELINE user in GUAUPRF), you must add the configuration entries to your LDAP directory. The default DN path is:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped when their IDs differ between the LDAP server and the Banner database. Each entry in this location must be of object class SCTSSOConfig, the Common Name (cn) of the entry must be the LDAP user ID, and the SCTSSOConfigString attribute must be set to the user ID in the Banner database. If a user's ID is the same in both systems, an entry in this location is neither necessary nor recommended for that user.
For users to use SSO to INB through Luminis Platform with LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value, for example:
Luminis ID = jsmith
Oracle/Banner ID = jsmith
• Mapped to one another in LDAP, for example:
Luminis ID = JoeSmith
Oracle/Banner ID = jsmith
The following example shows how to establish and test the ID mapping when the IDs differ. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
(pipeline is the sample Directory Manager password; on a shared host use -j <password file> rather than placing the password on the command line.)
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as BANSECR or SYSDBA to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner, and the value is cached until the next startup. If you change a particular mapping, you must restart the banportals OC4J before the new mapping is read.
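To see how the mapping is consumed, here is an added Python example (not Ellucian code, and not the GOKKSSO lookup itself) that reads a usermap export in LDIF, finds the entry for a Luminis ID under o=usermap,o=Banner,o=SCTSSOapplications and returns its SCTSSOConfigString, falling back to the default proxy account exactly as proxyinfo.sql reports a generic ID when no mapping exists. The sample LDIF is constructed, the default account name BANPROXY is an assumption, and the comparison is case-insensitive because cn uses caseIgnoreMatch in the directory.

```python
"""Resolve a Luminis ID to its Banner/Oracle ID from a usermap LDIF export.

Added example, not Ellucian code.  It mirrors the lookup described in the
guide: entry cn=<LuminisID>,o=usermap,o=Banner,o=SCTSSOapplications of object
class SCTSSOConfig, whose SCTSSOConfigString holds the Oracle ID.  With no
entry the default proxy account is used, which is what proxyinfo.sql shows
as a generic ID.
"""
import base64

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "BANPROXY"   # assumption: the site's default proxy account

# Constructed sample export.  The folded description line and the base64
# (::) value exercise two LDIF features a naive line parser gets wrong.
SAMPLE_LDIF = """\
version: 1

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap

dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: JoeSmith
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsm
 ith
SCTSSOConfigString: jsmith

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of a numeric Luminis ID
SCTSSOConfigString:: YmFkbWlu
"""


def parse_ldif(text):
    """Parse LDIF text into a list of entries, each {attr_lower: [values]}.

    Handles folded continuation lines (leading space), comments, the
    version line and base64 values written with '::'."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]       # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current = current if current is not None else {}
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Canonical form for DN comparison: trimmed components, lower case
    (cn and o use caseIgnoreMatch in the directory)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_oracle_id(ldif_text, luminis_id, default=DEFAULT_ORACLE_ID):
    """Return (oracle_id, mapped).  mapped is False when the default account
    is used; that is the situation proxyinfo.sql reports as a generic ID."""
    wanted = normalize_dn("cn=%s,%s" % (luminis_id, USERMAP_BASE))
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        if normalize_dn(dn) != wanted:
            continue
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "sctssoconfig" not in classes:
            raise ValueError("%s is not of object class SCTSSOConfig" % dn)
        values = entry.get("sctssoconfigstring", [])
        if len(values) != 1:              # the attribute is SINGLE-VALUE
            raise ValueError("%s must carry exactly one SCTSSOConfigString" % dn)
        return values[0], True
    return default, False


if __name__ == "__main__":
    for uid in ("JoeSmith", "joesmith", "610009611", "nobody"):
        print(uid, "->", resolve_oracle_id(SAMPLE_LDIF, uid))
```

Point it at an export-ldif of the o=usermap subtree to audit the mappings in bulk: every user whose lookup returns mapped=False will connect through the default proxy account, and any entry that raises ValueError would be ignored or misread by the real lookup.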
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value is displayed as the default value for new users who log in to Banner.
BIND_PASSWORD: The password for the bind user. It is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user must also be able to search the LDAP directory to determine whether users exist. Use the least-privileged account that can do this.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters, in LDAP URL format, for example ldap://myldapserver:389.
Note: If you are using LDAPS, also configure the parameters under the SSL key (step 5). Without LDAPS, the bind password crosses the network in clear text between the database server and the directory.
USERMAP_OPT: Usermap option. Valid values are L (the login ID is used for login mapping) and N (no usermap option is used).
USERMAP_PRFX: Prefix for the usermap, that is, the attribute that holds the usermap key. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined by the USERMAP_OPT parameter; the expected values are L (logon ID) or N (none).
5. Under the SSL (Secure Sockets Layer) key, configure the following parameters:
LOCATION: To configure SSL, a certificate wallet must be created on the database server using Oracle Wallet Manager. This parameter points to the physical location of that wallet on the server, in file URL format, for example file:d:\wallet on Windows or file:/u01/wallet on Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode, one of the following values:
1 - No authentication (SSL encryption only). The directory server's certificate is not checked, so this mode does not protect against a man-in-the-middle presenting its own certificate.
2 - One-way authentication: the client (the Banner database) verifies the server's certificate against the trusted certificates in the wallet.
3 - Two-way authentication: the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and to identify the LDAP attribute in which the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have a CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education for modifying the CAS server. SunGard Higher Education supports CAS versions 3.2.1.1 and 3.3.1.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. The steps below use CAS_EXTENSION=D:\Banner_IdM_Extension for that location and SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war for the Luminis Platform CAS server location.
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
4.1 Copy the extension libraries and register the servlet mapping:
4.1.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1.2 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by adding the following servlet mapping:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry inside the existing <util:map id="uniqueIdGeneratorsMap"> element:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following bean definition:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add a reference to it in the argumentExtractors list, before the standard extractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following bean definition:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the handlerMappingC bean:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the attributeRepository bean:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between the LDAP entry's attributes (key) and the Principal's attributes (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property inside the authenticationManager bean:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient">
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define the CAS managed services. For more information, see "CAS managed services" on page 2-4. Register only the service URLs that need to validate tickets, with patterns as narrow as possible; an open pattern lets any web site obtain tickets for your users.
B Logs
Banner Enterprise Identity Services logs help you understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a database connection pool and secured access to data at the Banner database level.
You can also enable debug logging for the GlassFish Message Queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique log file that captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=true
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.rootCategory=DEBUG, logfile
Treat DEBUG output from the channel Web Proxy as sensitive: restrict access to the log file and lower the level again when you have finished troubleshooting.
On the Luminis Platform side, you can set the logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternatively, add the following to the common log4j.properties file in:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are also several application-specific logs you can refer to, for example:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name '*.log'
application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
application-deployments/bnig/BEIS_default_island_1/bnig_application.log
application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
log/identity_data_export_utilities.log
log/BEIS_default_island_1/default-web-access.log
log/BEIS_default_island_1/server.log
log/BEIS_default_island_1/global-application.log
log/BEIS_default_island_1/rmi.log
log/BEIS_default_island_1/jms.log
log/spml_publisher_failure.log
log/sqlnet.log
For HTTP-layer monitoring, refer to the files under $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j configuration file, such as log4j.properties, that you can use to configure them.
You can also configure logging through the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 and is accessed as the ias_admin user (manager1 is the sample password; change any installation default and limit access to this port to administrative networks). Through this interface you can stop, start and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you can specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; they take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain:
/opt/glassfishv3/glassfish/domains/domain1/logs
To adjust the verbosity of jms.log, edit imq.log.level in:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Other GlassFish server-level logging can be adjusted in:
/opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, to create a unique logger for the JMS message listener package, add the following to $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties:
# JMS Appender
log4j.logger.com.sghe.luminis.jmslistener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once an event has been processed in Banner and its status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) in the LMG log files.
The main LMG log files are:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG, reproduce the issue, and capture the logs. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.
If LMG processed the event successfully, you see messages in the log files similar to the following:
2010-07-12 05:13:56,091 [Thread-11] INFO  events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO  events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO  events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
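As an added example (not part of the guide or of LMG), the following Python script applies the check implied above to the adapter log: it parses lines in the format shown, follows each event ID through the validated, published-to-broker and published-to-target stages, and lists events that were validated but never reached a target publisher, which are the ones to compare against GOAEQRM. The sample log lines are constructed; the ERROR line text and the assumption that the first number of four or more digits in an ERROR message is the event ID are mine, not LMG's.

```python
"""Trace Banner events through an LMG adapter.log (added example; not Ellucian code).

Each event ID from GOAEQRM should appear three times in a healthy log:
"XML for <id> is a valid document", "Message <id> published to Luminis
Message Broker" and "The event <id> has been published to <target>".
Events that stop short of the last stage, or that have ERROR lines, are the
ones to reconcile with GOAEQRM.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)

# Stage patterns in the order an event passes through them.
STAGES = (
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("published_broker", re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("published_target", re.compile(r"The event (\d+) has been published to (\S+)")),
)

# Constructed sample: one complete event, one that failed at the broker
# (the ERROR text is invented for the example) and one still waiting.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO  events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO  events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO  events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,114 [Thread-11] INFO  events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,120 [Thread-1] ERROR events.com.sctcorp.events.MessageAdapter - Message 370661 could not be published: broker connection refused
javax.jms.JMSException: connection refused
2010-07-12 05:14:05,301 [Thread-11] INFO  events.com.sctcorp.events.StandardEventProvider - XML for 370662 is a valid document
"""


def parse_line(line):
    """Split one log4j line into its fields; None for continuation lines
    such as stack traces, which carry no timestamp."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def trace_events(log_text):
    """Return {event_id: {"stages": [...], "targets": [...], "errors": [...]}}."""
    events = defaultdict(lambda: {"stages": [], "targets": [], "errors": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        for stage, pattern in STAGES:
            match = pattern.search(msg)
            if match:
                event = events[match.group(1)]
                event["stages"].append(stage)
                if stage == "published_target":
                    event["targets"].append(match.group(2))
                break
        else:
            if rec["level"] in ("ERROR", "WARN"):
                # Assumption: the first number of four or more digits in an
                # ERROR/WARN message is the event ID it concerns.
                match = re.search(r"\b(\d{4,})\b", msg)
                events[match.group(1) if match else "unknown"]["errors"].append(
                    "%s %s" % (rec["ts"], msg)
                )
    return dict(events)


def stuck_events(log_text):
    """Event IDs that were validated but never published to a target.

    Compare these with GOAEQRM: status 2 (Processed) there with no target
    publication here means the break is between LMG and the broker."""
    traced = trace_events(log_text)
    return sorted(
        event_id
        for event_id, event in traced.items()
        if "validated" in event["stages"] and "published_target" not in event["stages"]
    )


if __name__ == "__main__":
    for event_id, event in sorted(trace_events(SAMPLE_LOG).items()):
        print(event_id, event["stages"], event["targets"], event["errors"])
    print("stuck:", stuck_events(SAMPLE_LOG))
```

Feed it the contents of adapter.log (for example trace_events(open(path).read())) after reproducing the problem; an event that is stuck here but shows status 2 on GOAEQRM points at the broker or its subscriptions rather than at Banner.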
GlassFish MQ 4.5 logs
If an event is passing through LMG correctly but Luminis Platform or another system is not receiving it, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in:
<glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug logging, run:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination directory and file name of the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type: start proxyinfo
-- to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update. TH 06-APR-07
-- Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- f holds the proxy password; leave this line commented out so the
  -- password is not written to proxyinfo.lst.
  -- dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the sso_oclass_lum5.ldif file. The OID placeholder must be present, as in the 99-user.ldif entry:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-userldif
The following is an example of what to add to 99-userldif script in $CP_ROOTproductsopendsconfigschema after importing the LDIF file in sso_oclass_lum5ldif
attributeTypes ( SCTSSOConfigString-oid NAME SCTSSOConfigString EQUALITY caseIgnoreMatch SYNTAX
1361411466115121126 SINGLE-VALUE )
objectClasses ( SCTSSOConfig-oid NAME SCTSSOConfig SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. By importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc; general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify
# VERBOSE="--verbose"
#
# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389
# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break;;
      # Not necessarily errors; might indicate the script already ran
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break";;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1;;
    esac
  done
}

# Step 01
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d $OPENDS_DIR ) || ! ( -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Note: -w places the password in each command's argument list, where it is
# visible to other local users via ps for the duration of that command.
# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be
# (base64-wrapped value, hence the LDIF double colon):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
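The script comment under STEP 6 shows a pre-encoded userPassword value that decodes to a {SSHA} string. As an added example that is not part of the guide or of lp5_mqinit.sh, the following Python builds such a value, verifies a candidate password against it, and wraps it in the LDIF double-colon form the comment uses. The salt length and all function names are assumptions; the layout (SHA-1 over password plus salt, salt appended, base64) is the standard {SSHA} scheme, and PAGE_SAMPLE_B64 is the value from the script comment above.

```python
import base64
import hashlib
import hmac
import os

# Value from the lp5_mqinit.sh comment: base64 of the whole "{SSHA}..." string,
# which is why it needs the "userPassword::" (double colon) LDIF form.
PAGE_SAMPLE_B64 = "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="

SALT_LEN = 8  # assumed salt length for values we generate; verify() reads the real one


def ssha_encode(password: str, salt: bytes = None) -> str:
    """Return an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, encoded: str) -> bool:
    """Check a candidate password against a {SSHA} value with a constant-time compare.
    Returns False (never raises) for malformed input."""
    if not encoded.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(encoded[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) < 20:  # SHA-1 digest is 20 bytes; whatever follows is the salt
        return False
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def ldif_userpassword_line(encoded: str) -> str:
    """Render the attribute the way the script comment shows it: a value that is
    itself base64-wrapped must use the LDIF 'attr::' form."""
    wrapped = base64.b64encode(encoded.encode("ascii")).decode("ascii")
    return "userPassword:: " + wrapped


def ldif_value(line: str) -> str:
    """Inverse of the above: decode an 'attr:: base64' or 'attr: value' LDIF line."""
    _attr, _sep, value = line.partition(":")
    if value.startswith(":"):
        return base64.b64decode(value[1:].strip()).decode("utf-8")
    return value.strip()


if __name__ == "__main__":
    sample = ldif_value("userPassword:: " + PAGE_SAMPLE_B64)
    print("page sample decodes to scheme:", sample[:6])
    enc = ssha_encode("password")
    print(ldif_userpassword_line(enc))
    print("verify ok:", ssha_verify("password", enc), "wrong pw:", ssha_verify("Password", enc))
```

Pre-encoding keeps the cleartext out of the heredoc and out of the directory; note that the script still passes the Directory Manager password on the command line via -w, which pre-encoding does not change.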
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center, and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given SPRIDEN ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the webservices configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide's version is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archivelogs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
13. Select Add one or more values.
14. Enter the DN.
For example, enter o=SCTSSOapplications.
15. Click Enter to continue.
16. Enter Use these values.
17. Click F to finish and apply any changes to the Local DB Backend.
2. Import the attached sso_oclass_lum5.ldif file as follows:
ldapmodify -h localhost -p 4444 -D "cn=Directory Manager" -X --useSSL -c -a -v -f sso_oclass_lum5.ldif
For example files, see the Sample sso_oclass_lum5.ldif and Sample o=sctssoapplications sections in Appendix C, "Sample Scripts and Files".
3. Import the sctssoapplications.ldif file:
import-ldif -a -l <full path>/sctssoapplications.ldif -n userRoot -h localhost -D "cn=directory manager" -p 4444 -w pipeline
Verify usermap mapping setup for INB users using the proxyinfo.sql script
The proxyinfo.sql script determines which Oracle ID is connected to a specific Luminis ID. When run, the script prompts you to enter a Luminis ID. If a generic Oracle ID such as INTEGMGR or WWW_USER is returned, it indicates that no mapping was found and the default is used.
Mappings defined in o=usermap,o=Banner,o=sctssoapplications take precedence here; for any users who do not have an explicit usermap defined, the default Oracle ID (usually banproxy) results.
If you are using INB, this script must respond with your INB username. You must also be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: Be careful about using the GSASECR form to check BANPROXY access. If you are using a default Oracle ID other than BANPROXY, you must manually assign the connect-through grants via SQL.
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration in turn relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Please note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID with an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade, you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value:
  Luminis ID = jsmith
  Oracle/Banner ID = jsmith
• Mapped to one another in LDAP:
  Luminis ID = JoeSmith
  Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping may be read accordingly.
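The usermap lookup described in "Verify usermap mapping setup for INB users using the proxyinfo.sql script" and in the mapping procedure above, as an added Python example that is not part of the guide: it parses usermap entries laid out the way the sample LDIF files on this page are, and applies the stated precedence (an explicit mapping wins; an ID that is the same in both systems needs no entry; everyone else gets the default Oracle ID). The LDIF text is constructed from the page's own kyle and JoeSmith entries, with one folded line and one base64 (::) value added so the parser has to handle both LDIF forms; the banner_users set, the default of banproxy, and all function names are assumptions.

```python
import base64

# Constructed sample: the kyle entry from "Sample o=sctssoapplications.ldif" and the
# JoeSmith entry from sso_map.ldif above. The folded description and the base64
# description ("Map of JoeSmith") are added to exercise both LDIF value forms.
SAMPLE_USERMAP_LDIF = """\
version: 1

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle
  to saisusr
SCTSSOConfigString: saisusr

dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: JoeSmith
description:: TWFwIG9mIEpvZVNtaXRo
SCTSSOConfigString: jsmith
"""

USERMAP_DN = "o=usermap,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "banproxy"  # assumed default, which the text says is the usual one


def parse_ldif(text):
    """Minimal LDIF parser: a list of dicts mapping lower-cased attribute -> [values].
    Handles folded lines (leading space continues the previous line) and '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold: drop exactly one leading space
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _sep, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def build_usermap(ldif_text, usermap_dn=USERMAP_DN):
    """Collect cn -> SCTSSOConfigString for SCTSSOConfig entries under usermap_dn.
    Keys are lower-cased because cn is matched with caseIgnoreMatch."""
    mapping = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "sctssoconfig" not in classes:
            continue
        if not dn.lower().endswith("," + usermap_dn.lower()):
            continue  # ignore SCTSSOConfig entries elsewhere, e.g. cn=UserMapDN under o=config
        cn = entry.get("cn", [None])[0]
        target = entry.get("sctssoconfigstring", [None])[0]
        if cn and target:
            mapping[cn.lower()] = target
    return mapping


def resolve_oracle_id(luminis_id, usermap, banner_users=frozenset(), default=DEFAULT_ORACLE_ID):
    """Precedence as the text states it: explicit usermap entry first; an ID that
    exists unchanged on the Banner side (constructed banner_users set) needs no entry;
    otherwise the default Oracle ID results."""
    key = luminis_id.lower()
    if key in usermap:
        return usermap[key]
    if key in {u.lower() for u in banner_users}:
        return luminis_id
    return default


def check_inb_mapping(luminis_id, expected_inb_user, usermap, banner_users=frozenset()):
    """The verification the text describes: an INB user must resolve to their own INB
    username, not to a generic/default ID."""
    resolved = resolve_oracle_id(luminis_id, usermap, banner_users)
    return resolved.lower() == expected_inb_user.lower() and resolved.lower() != DEFAULT_ORACLE_ID


if __name__ == "__main__":
    um = build_usermap(SAMPLE_USERMAP_LDIF)
    for lid in ("JoeSmith", "kyle", "jsmith", "nobody"):
        print(lid, "->", resolve_oracle_id(lid, um, banner_users={"jsmith"}))
```

The parser is deliberately small (no change records, no URL values) because the usermap entries on this page use only plain attribute lines; the folded and base64 forms are included since an export from the directory may produce either.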
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value will display as the Default value for new users who log in to Banner.
BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine if users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using Internet URL format for LDAP, such as the following example: ldap://myldapserver:389
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are as follows:
L - LoginID is being used for login mapping
N - No usermap option is used
USERMAP_PRFX: Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
LOCATION: To configure SSL, a certificate wallet must be created on the Database Server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows: file:d:\wallet for Windows, file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode can be one of the following values:
1 - No authentication is required (SSL encryption only)
2 - One-way authentication is required; the client certificate is authenticated by the server
3 - Two-way authentication is required; the client and the server authenticate each other's certificates
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions listed in step 2.2.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3.2.1.1_UTILS.jar / SGHE_CAS_3.2.1.1_UTILS.zip
SGHE_CAS_3.3.1_UTILS.jar / SGHE_CAS_3.3.1_UTILS.zip
3. Unpack the SGHE_CAS_3.3.1_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the util:map with id="uniqueIdGeneratorsMap" in the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list with id="argumentExtractors":
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry attributes (key) and Principal attributes (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
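The deployerConfigContext.xml edits in steps 4.5.1 and 4.5.3 declare the same LDAP-to-principal relationship twice, once as ldapAttributesToPortalAttributes (LDAP attribute to portal attribute) and once as samlToLdapAttributeNameMap (portal attribute back to LDAP attribute). If the two disagree, the attribute CAS releases is not the one the UDC lookup reads. The following added check (written for this guide, not part of the CAS or Luminis Platform code) parses both maps from the Spring XML and reports any portal attribute whose LDAP source differs between them. The XML fragment is a constructed copy of the two beans above; note that, as printed in this appendix, Formatted Name is sourced from givenname in one direction and sn in the other, which an administrator should confirm is intended before deploying.

```python
"""Cross-check the two attribute maps in deployerConfigContext.xml.

Added example, not part of the Luminis Platform or CAS product code.
Bean ids and property names are the ones used in this appendix.
"""
import xml.etree.ElementTree as ET

# Constructed fragment reproducing the two beans from steps 4.5.1 and 4.5.3.
DEPLOYER_CONFIG = """<beans>
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
</beans>"""


def load_map(root, bean_id, property_name):
    """Return {key: value} for the <map> under the named property of the named bean."""
    for bean in root.iter("bean"):
        if bean.get("id") != bean_id:
            continue
        for prop in bean.findall("property"):
            if prop.get("name") == property_name:
                return {e.get("key"): e.get("value") for e in prop.iter("entry")}
    raise KeyError(f"{bean_id}/{property_name} not found")


def check_attribute_maps(xml_text):
    """Compare the LDAP->portal map with the portal(SAML)->LDAP map.

    Returns (mismatches, unmapped):
      mismatches: {portal_attr: (ldap_attr_forward, ldap_attr_reverse)} where the
                  two maps name different LDAP attributes for the same portal attribute
      unmapped:   portal attributes present in the reverse map but never produced forward
    """
    root = ET.fromstring(xml_text)
    ldap_to_portal = load_map(root, "attributeRepository", "ldapAttributesToPortalAttributes")
    saml_to_ldap = load_map(root, "UDCPersonAttributeDaoUtil", "samlToLdapAttributeNameMap")
    portal_to_ldap = {portal: ldap for ldap, portal in ldap_to_portal.items()}
    mismatches, unmapped = {}, []
    for portal_attr, ldap_attr in saml_to_ldap.items():
        if portal_attr not in portal_to_ldap:
            unmapped.append(portal_attr)
        elif portal_to_ldap[portal_attr] != ldap_attr:
            mismatches[portal_attr] = (portal_to_ldap[portal_attr], ldap_attr)
    return mismatches, unmapped


if __name__ == "__main__":
    bad, missing = check_attribute_maps(DEPLOYER_CONFIG)
    for attr, (fwd, rev) in bad.items():
        print(f"{attr}: LDAP source is {fwd!r} in attributeRepository but {rev!r} in UDCPersonAttributeDaoUtil")
    for attr in missing:
        print(f"{attr}: present in samlToLdapAttributeNameMap only")
```

Run it against your own deployerConfigContext.xml by reading the file into check_attribute_maps in place of the constructed string; UDC_IDENTIFIER must come back clean, because that attribute is what the bannerValidate service hands to Banner.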
Appendix B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique log file which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
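The three lines above are the milestones a healthy event leaves behind: the XML validates, the message reaches the Luminis Message Broker, and the event is published to its subscriber. When an event ID from GOAEQRM is missing one of them, that is where to look. The following added script (written for this guide, not part of LMG or Luminis Platform) parses adapter.log lines in the format shown, keys them by event ID, and lists the events that stalled and which milestone they never reached. The sample log is constructed: event 370660 is copied from above, 370661 is validated but never brokered, 370662 is a constructed validation failure, and one non-log4j line is included to show it is skipped rather than breaking the parse.

```python
"""Trace LMG events through adapter.log and flag the ones that stall.

Added example, not part of LMG or Luminis Platform. The milestone messages
are the three INFO lines shown in this appendix; the ERROR text is constructed.
"""
import re
from collections import OrderedDict

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Milestone name -> regex over the message text; group 1 is the event id.
MILESTONES = [
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("brokered", re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("delivered", re.compile(r"The event (\d+) has been published to \S+")),
]
EXPECTED = [name for name, _ in MILESTONES]

# Constructed sample capture (first three lines copied from the appendix).
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,101 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:05,300 [Thread-11] ERROR events.com.sct.corp.events.StandardEventProvider - XML for 370662 failed validation
this line is not in log4j format and is skipped
"""


def parse_events(log_text):
    """Return {event_id: {"milestones": [...], "errors": [...], "first_seen": ts}} in first-seen order."""
    events = OrderedDict()

    def record(event_id, ts):
        return events.setdefault(event_id, {"milestones": [], "errors": [], "first_seen": ts})

    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue  # tolerate wrapped or non-log4j lines in the capture
        msg = m.group("msg")
        for name, pattern in MILESTONES:
            found = pattern.search(msg)
            if found:
                rec = record(found.group(1), m.group("ts"))
                if name not in rec["milestones"]:
                    rec["milestones"].append(name)
                break
        else:
            # Not a milestone: attribute ERROR lines to an event id if one is present.
            ids = re.findall(r"\b(\d{5,})\b", msg)
            if m.group("level") == "ERROR" and ids:
                record(ids[0], m.group("ts"))["errors"].append(msg)
    return events


def stalled_events(events):
    """Map each event id that missed a milestone to the list of milestones it never reached."""
    stalled = {}
    for event_id, rec in events.items():
        missing = [name for name in EXPECTED if name not in rec["milestones"]]
        if missing:
            stalled[event_id] = missing
    return stalled


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for event_id, missing in stalled_events(evs).items():
        print(f"event {event_id} (first seen {evs[event_id]['first_seen']}): missing {', '.join(missing)}; errors={evs[event_id]['errors']}")
```

Point it at a real adapter.log by reading the file into parse_events; an event that is "validated" but never "brokered" points at the broker connection or the connection factory, while one that is "brokered" but never "delivered" points at the subscriber.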
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows.
1. Locate the default MQ logs as stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in the following location: <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
imq.log.level=DEBUG
3. To change the destination directory or file name for the MQ log, add or edit the following properties in the same config.properties file:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
Appendix C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update. TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompted for at run time
  d varchar2(200);                    -- Oracle user returned
  e varchar2(200);                    -- role returned
  f varchar2(200);                    -- password returned (not printed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, update 00-core.ldif and 99-user.ldif as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
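Two details of the sample above trip up hand-edited imports: the folded description line (a continuation line begins with a single space and is joined to the previous line) and the SCTSSOConfig objectClass, whose MUST list in sso_oclass_lum5.ldif requires cn, SCTSSOConfigString and description on every mapping entry. The following added checker (written for this guide, not part of Luminis Platform or OpenDS) parses an LDIF file the way the directory will, including folded lines and base64 "::" values, verifies every SCTSSOConfig entry against that MUST list, and confirms that the DN named by UserMapDN is defined in the same file. The LDIF below is a constructed copy of part of the sample plus one deliberately incomplete mapping entry.

```python
"""Validate an SCTSSO user-map LDIF before importing it into OpenDS.

Added example, not part of Luminis Platform or OpenDS. The MUST list is the
one declared for SCTSSOConfig in sso_oclass_lum5.ldif in this appendix.
"""
import base64

SCTSSOCONFIG_MUST = ("cn", "sctssoconfigstring", "description")

# Constructed sample: appendix entries plus one entry missing SCTSSOConfigString.
SAMPLE_LDIF = """\
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr

dn: cn=incomplete,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: incomplete
description:: TWlzc2luZyB0aGUgbWFwcGluZyB2YWx1ZQ==
"""


def parse_ldif(text):
    """Return a list of {attribute_lowercase: [values]} dicts, one per LDIF record."""
    # Unfold: a line starting with a single space continues the previous line.
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" carries a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return records


def normalize_dn(dn):
    """Cheap DN normalization sufficient for comparing entries within one file."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_usermap(records):
    """Return a list of human-readable problems; an empty list means the LDIF passes."""
    problems = []
    known_dns = {normalize_dn(r["dn"][0]) for r in records if "dn" in r}
    for r in records:
        dn = r.get("dn", ["<no dn>"])[0]
        classes = {c.lower() for c in r.get("objectclass", [])}
        if "sctssoconfig" in classes:
            for must in SCTSSOCONFIG_MUST:
                if must not in r:
                    problems.append(f"{dn}: missing MUST attribute {must}")
        if normalize_dn(dn).startswith("cn=usermapdn,"):
            target = r.get("sctssoconfigstring", [""])[0]
            if normalize_dn(target) not in known_dns:
                problems.append(f"{dn}: UserM apDN points at {target!r}, which is not defined in this file")
    return problems


if __name__ == "__main__":
    for problem in check_usermap(parse_ldif(SAMPLE_LDIF)):
        print(problem)
```

An entry that fails the MUST check would be rejected by the server with an objectClass violation at import time; running the check first tells you which entry, and why, before ldapmodify has applied the entries that precede it.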
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# bash is required: the script uses [[ ]], (( )) and read -s
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
#VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck() {
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      #   err=20 generally means "Attribute or Value Exists"
      #   err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}
# Step 01
# Some sanity checks before we start
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
# Note: -w passes the password on the command line, where it is visible in process
# listings; the OpenDS tools also accept -j <file> to read it from a file instead.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd "$CP_ROOT/products/opends/bin" || exit 1
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# The JNDI lookup names contain a literal "$", so they are single-quoted.

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd "$MQ_HOME/bin" || exit 1
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (destination name corrected to match the queue; the listing as printed had com_sct_ldi_sis_Sync here)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (destination name corrected to match the queue; the listing as printed had com_sct_ldi_sis_Sync here)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
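STEP 2 of the script turns on ds-cfg-allow-pre-encoded-passwords so that the userPassword lines in STEP 6 and STEP 7 can carry an already-hashed value instead of the clear-text variable, and the comment after STEP 6 shows the resulting LDIF line. Two encodings are stacked there: the attribute value itself is a salted SHA-1 hash in the "{SSHA}" form OpenDS stores, and the LDIF "::" syntax base64-wraps that whole value for the file. The following added example (written for this guide, not part of lp5_mqinit.sh or OpenDS) produces such a value, writes the LDIF line, verifies a candidate password against a stored hash with a constant-time comparison, and decodes the value from the script comment to show its structure (a 20-byte SHA-1 digest followed by an 8-byte salt). Which password that stored value encodes is not stated on this page, and the example does not claim to know it.

```python
"""Build and check pre-encoded {SSHA} userPassword values for the ldapmodify steps above.

Added example, not part of lp5_mqinit.sh or OpenDS. SCRIPT_LINE is copied
verbatim from the comment after STEP 6; the SALT_LEN of 8 matches what that
value decodes to.
"""
import base64
import hashlib
import hmac
import os

SALT_LEN = 8
SHA1_LEN = 20


def ssha_encode(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password + salt) + salt), the form OpenDS stores."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """Return (digest, salt) from a '{SSHA}...' value; the salt is whatever follows the digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword_line(stored):
    """LDIF line for a pre-encoded value: the '::' form carries the base64 of the whole value."""
    return "userPassword:: " + base64.b64encode(stored.encode("ascii")).decode("ascii")


def ldif_userpassword_value(line):
    """Inverse of ldif_userpassword_line: recover the '{SSHA}...' value from an LDIF line."""
    prefix = "userPassword:: "
    if not line.startswith(prefix):
        raise ValueError("expected a base64 (::) userPassword line")
    return base64.b64decode(line[len(prefix):]).decode("ascii")


# Value copied verbatim from the comment after STEP 6 in lp5_mqinit.sh above.
SCRIPT_LINE = "userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="

if __name__ == "__main__":
    stored = ldif_userpassword_value(SCRIPT_LINE)
    digest, salt = ssha_split(stored)
    print(f"{stored}: {len(digest)}-byte digest, {len(salt)}-byte salt")
    mine = ssha_encode("example-secret")  # constructed password for the demonstration
    print(ldif_userpassword_line(mine))
    print("verify:", ssha_verify("example-secret", mine), ssha_verify("wrong", mine))
```

Generating the hash on the administrator's workstation and pasting the "::" line into the heredoc keeps the clear-text password out of the script file and out of the ldapmodify command line; the salt makes two users with the same password store different values.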
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not configured properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channels proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user this script must respond with the actual INB username That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide
NoteYou should manually assign the connect through grants via sql when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user use the gspproxyget_proxy_info method or the proxyinfosql script described as bansecr in ldquoSample proxyinfosql scriptrdquo on page C-1
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any .lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams: Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE' (the guide's version is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
Configure user map lookups
In order for the mappings in o=usermap,o=Banner,o=sctssoapplications to function, the configuration in the GUAUPRF Banner form must match the Luminis LDAP configuration. This GUAUPRF configuration, in turn, relies upon a proper encryption-key configuration.
The mapping in the GOBEACC table is used to create an Oracle connection to self-service pages that are restricted using the Administration Secured feature. The GOBEACC mapping is also used for UDC via the IAM process on GORRSQL. Please note that for the purposes of INB channels, such as the My Banner channel, the mapping in GOBEACC does not apply. Instead, a separate usermap (usually maintained on the Luminis LDAP server) must be generated to associate the Luminis logon ID to an Oracle/INB login name.
Create an encryption key
When performing user map lookups, Banner must bind as the Directory Manager against the LDAP server which hosts the user mappings. The Directory Manager password used to bind with LDAP is stored on GUAUPRF and uses DES encryption, as supported through the Oracle-delivered package DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform the encryption.
Note: During your Banner installation or upgrade, you should have created the directory KEY_DIR. The GOKKSSO package looks for the key in the enckey file in the KEY_DIR directory. Verify that this directory exists by selecting from the DBA_DIRECTORIES view to see the details of the directory that was created. If KEY_DIR exists in the database, the physical directory has been created on your database server, and you have a valid enckey file, then you may skip this step and proceed to "Create entries in LDAP for usermap" on page 4-5.
If KEY_DIR does not exist in the DBA_DIRECTORIES table and the physical directory has not been created on your database server, you must create it using the following steps. Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server, such as: mkdir $BANNER_HOME/key_dir
2. Create a plain text file named enckey in the directory.
3. Edit the enckey file and enter the key, such as PASSWORD.
Your key must start in column 1, include a combination of letters and numbers, and contain at least eight characters. The key may be longer (in multiples of eight only), but the GOKKSSO package only uses the first 24 characters. The DES encryption only uses eight characters, but SunGard Higher Education has provided for eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
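As an added example (not code from this guide or from Ellucian), the following Python script applies the key rules above to the raw contents of an enckey file before you run banssodir.sql: it rejects a key that does not start in column 1, is shorter than eight characters, or whose length is not a multiple of eight; warns when the key is not a mix of letters and numbers or when characters beyond those GOKKSSO reads would be ignored; and returns the key exactly as GOKKSSO would consume it, truncated to 24 characters and padded to 24. The padding character is an assumption (the guide says the key is padded but not with what). Since the current encryption is single DES, only the first eight characters of the key carry cryptographic weight today, which is why the DES portion is reported separately.

```python
import re

DES_KEY_LEN = 8        # characters the current DES encryption actually uses
GOKKSSO_KEY_LEN = 24   # GOKKSSO reads at most this many characters (DES3-ready)
PAD_CHAR = " "         # assumption: the guide does not state the padding character


class EncKeyError(ValueError):
    """Raised when the enckey contents violate a rule the guide states as mandatory."""


def check_enckey(contents):
    """Validate the raw text of an enckey file against the guide's rules.

    Returns (key24, warnings): the 24-character key as GOKKSSO would consume it,
    plus a list of advisory findings. Raises EncKeyError on hard violations.
    """
    if not contents.strip():
        raise EncKeyError("enckey file is empty")
    first_line = contents.splitlines()[0].rstrip("\r")
    if first_line[:1].isspace():
        raise EncKeyError("key must start in column 1")
    key = first_line
    if len(key) < DES_KEY_LEN:
        raise EncKeyError("key must contain at least eight characters")
    if len(key) % DES_KEY_LEN != 0:
        raise EncKeyError("key length must be a multiple of eight")

    warnings = []
    if not (re.search(r"[A-Za-z]", key) and re.search(r"[0-9]", key)):
        warnings.append("key should combine letters and numbers")
    if len(key) > GOKKSSO_KEY_LEN:
        warnings.append("only the first 24 characters are used by GOKKSSO")
    if len(key) > DES_KEY_LEN:
        warnings.append("current DES encryption uses only the first 8 characters")

    # GOKKSSO looks at the first 24 characters; shorter keys are padded out to 24.
    key24 = key[:GOKKSSO_KEY_LEN].ljust(GOKKSSO_KEY_LEN, PAD_CHAR)
    return key24, warnings


def des_key(key24):
    """The portion of the padded key that the current DES encryption consumes."""
    return key24[:DES_KEY_LEN]


def enckey_problem(contents):
    """Return the hard-violation message for contents, or None if the key is acceptable."""
    try:
        check_enckey(contents)
    except EncKeyError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample key, not a real one.
    padded, notes = check_enckey("Abcd1234\n")
    print(repr(padded), repr(des_key(padded)), notes)
```

Run it against the real file with `check_enckey(open(path).read())` on the database server; a non-empty warnings list is worth reviewing before the key is used, because once passwords are stored on GUAUPRF with this key, changing it means re-entering them.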
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if they are different between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user IDs for a user are the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value: Luminis ID = jsmith
  Oracle/Banner ID = jsmith
• Mapped to one another in LDAP: Luminis ID = JoeSmith
  Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping can be read accordingly.
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value is displayed as the Default value for new users who log in to Banner.
Parameter: Description
BIND_PASSWORD: The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER: A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine if users exist.
DN: The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER: The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted using Internet URL format for LDAP, such as the following example: ldap://myldapserver:389
Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT: Usermap option. Valid values are as follows: L - Login ID is being used for login mapping; N - No usermap option is used.
USERMAP_PRFX: Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
Note: These options are defined in the USERMAP_OPT parameter. The expected usermap value is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter: Description
LOCATION: To configure SSL, a certificate wallet must be created on the Database Server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format. For example, the location may be as follows: file:d:\wallet for Windows; file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode can be one of the following values: 1 - No authentication is required (SSL encryption only); 2 - One-way authentication is required, the client certificate is authenticated by the server; 3 - Two-way authentication is required, the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the following CAS versions.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension, and consider the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the util:map with id="uniqueIdGeneratorsMap" in the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
    <ref bean="BannerArgumentExtractor" />
    <ref bean="casArgumentExtractor" />
    <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
    p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
    p:centralAuthenticationService-ref="centralAuthenticationService"
    p:proxyHandler-ref="proxy20Handler"
    p:argumentExtractor-ref="BannerArgumentExtractor"
    p:successView="bannerAccountServiceSuccessView"
    p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="query" value="(uid={0})" />
    <property name="contextSource" ref="contextSource" />
    <property name="ldapAttributesToPortalAttributes">
        <map>
            <!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
            <entry key="uid" value="uid" />
            <entry key="udcid" value="UDC_IDENTIFIER" />
            <entry key="cn" value="cn" />
            <entry key="givenname" value="Formatted Name" />
            <entry key="mail" value="EmailAddress" />
        </map>
    </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
    <list>
        <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
            <property name="template" ref="LdapTemplate"/>
            <property name="netIdAttr" value="uid" />
            <property name="baseDN" value="ou=People,o=cp"/>
            <property name="casTokenAttributes">
                <map>
                    <entry>
                        <key><value>udcid</value></key>
                        <value>UDC_IDENTIFIER</value>
                    </entry>
                </map>
            </property>
        </bean>
    </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
    <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
    <property name="template" ref="LdapTemplate"></property>
    <property name="netIdAttr" value="uid" />
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="samlToLdapAttributeNameMap">
        <map>
            <entry key="UDC_IDENTIFIER" value="udcid" />
            <entry key="Formatted Name" value="sn" />
        </map>
    </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties:
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define the CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS trafficking via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish Message Queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To crank up banportals logging on the application server side, use the following file to set the verbosity:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set the logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to the ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will, which take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event is displayed with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
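An added example, not part of this guide or of LMG: the Python script below parses log lines in the format shown above and correlates the three stages (XML validated, published to the Luminis Message Broker, published to a named publisher) by event ID, so you can list at once which GOAEQRM event sequence numbers never completed the hop to the broker. The sample text is the guide's three lines plus two constructed lines for a second event (370661) that fails after validation; the ERROR message wording is invented for the illustration and is not an LMG message.

```python
import re
from collections import defaultdict

# Constructed sample log: the guide's three lines for event 370660, plus two
# made-up lines for event 370661 (validated, then an error instead of publishing).
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,110 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:03,004 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Message 370661 could not be delivered (constructed sample line)
"""

# log4j layout seen in the guide: "<date> <time> [<thread>] <LEVEL> <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<thread>[^\]]+)\] (?P<level>\w+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Stages in order; each pattern captures the event ID as group 1.
STAGES = [
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("broker", re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("publisher", re.compile(r"The event (\d+) has been published to (\S+)")),
]


def trace_events(log_text):
    """Return {event_id: record} where record holds the timestamp of each stage
    reached, the publisher destination if any, and ERROR messages naming the event."""
    events = defaultdict(lambda: {"errors": []})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a log4j line in the expected layout
        msg = m.group("msg")
        for stage, pattern in STAGES:
            hit = pattern.search(msg)
            if hit:
                rec = events[hit.group(1)]
                rec[stage] = m.group("ts")
                if stage == "publisher":
                    rec["destination"] = hit.group(2)
                break
        else:
            # Unrecognised message: attribute ERROR lines to any event ID they mention.
            if m.group("level") == "ERROR":
                for event_id in re.findall(r"\b(\d{4,})\b", msg):
                    events[event_id]["errors"].append(msg)
    return dict(events)


def incomplete_events(log_text):
    """Map each event that did not reach every stage (or that logged an error)
    to the list of stages it is missing, in stage order."""
    result = {}
    for event_id, rec in trace_events(log_text).items():
        missing = [stage for stage, _ in STAGES if stage not in rec]
        if missing or rec["errors"]:
            result[event_id] = missing
    return result


if __name__ == "__main__":
    for event_id, missing in sorted(incomplete_events(SAMPLE_LOG).items()):
        print(f"event {event_id}: never reached {', '.join(missing) or 'n/a'}")
```

Point `trace_events` at the concatenated contents of adapter.log and ldi_event_data.log after reproducing the issue; the event IDs it reports are the Event Sequence values to look up on GOAEQRM.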
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs as stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in the following location: <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID,
-- such as INTEGMGR or WWW_USER, is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update. TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- SQL*Plus prompts for the Luminis ID
  d varchar2(200);                    -- Oracle user returned by the lookup
  e varchar2(200);                    -- role returned by the lookup
  f varchar2(200);                    -- password returned by the lookup (not printed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line('  Role: ' || e);
  --dbms_output.put_line('  PWD: ' || f);
  dbms_output.put_line('  Luminis User: ' || c);
  dbms_output.put_line('  Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. By importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in “Set up users and administered objects in o=messaging” on page 3-3 is listed below.
#!/bin/bash
# (bash is required: the script uses [[ ]], read -s and (( )) )
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran.
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit $ERRORCODE ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit $ERRORCODE ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
# Note: -w places the password on the command line, where other local users can
# read it from the process list; the OpenDS tools also accept -j <password-file>.
# --trustAll skips server certificate verification, which is tolerable only
# because the tools connect to the directory on this same host.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be
# (base64 of an {SSHA} hash, hence the double colon):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (the lookup names contain a literal "$", so they are single-quoted)
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (the destination name must match the queue listed in the imqcmd note above)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
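Steps 8 and 9 of the script grant the two broker users read, search and compare rights under o=messaging through global ACIs. The following Python script is an added example, not part of this guide or of lp5_mqinit.sh: build_aci() renders the ds-cfg-global-aci value in the same shape the heredocs write for one user, parse_aci() reads such a value back, and audit_aci() reports anything wider than that read-only grant (extra rights, a target other than o=messaging, or a bind rule that is not a single user DN under it), so the ACIs can be reviewed before the ldapmodify runs or after exporting them from cn=config. The user names are the script's defaults; the loosened variants are constructed for the example.

```python
"""Audit the OpenDS global ACIs that lp5_mqinit.sh writes in steps 8 and 9.

Added example, not part of the guide or of lp5_mqinit.sh. The user names are
the script's defaults; loosened ACIs used for checking are constructed."""
import re

MQ_BASEDN = "o=messaging"
READ_ONLY = {"read", "search", "compare"}


def build_aci(user, basedn=MQ_BASEDN):
    """Render the ACI exactly as the script's heredoc does for one user."""
    return (
        f'(target="ldap:///{basedn}")(targetscope="subtree")(targetattr="*")'
        f'(version 3.0; acl "User-Visible Root DSE Operational Attributes"; '
        f'allow(read,search,compare) userdn="ldap:///cn={user},ou=People,{basedn}";)'
    )


# One target, scope, attribute list, name, verb, rights list and userdn bind rule.
_ACI = re.compile(
    r'\(target="ldap:///(?P<target>[^"]*)"\)'
    r'\(targetscope="(?P<scope>[^"]*)"\)'
    r'\(targetattr="(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0; acl "(?P<name>[^"]*)"; '
    r'(?P<verb>allow|deny)\((?P<rights>[^)]*)\) '
    r'userdn="ldap:///(?P<userdn>[^"]*)";\)'
)


def parse_aci(aci):
    """Split an ACI of the script's shape into its fields; rights become a set."""
    m = _ACI.fullmatch(aci.strip())
    if not m:
        raise ValueError(f"ACI does not have the expected shape: {aci!r}")
    fields = m.groupdict()
    fields["rights"] = {r.strip().lower() for r in fields["rights"].split(",") if r.strip()}
    return fields


def audit_aci(aci, basedn=MQ_BASEDN):
    """Return findings; an empty list means the ACI is the intended read-only grant."""
    a = parse_aci(aci)
    findings = []
    if a["verb"] != "allow":
        findings.append("unexpected deny rule")
    extra = a["rights"] - READ_ONLY
    if extra:
        findings.append(f"rights beyond read/search/compare: {sorted(extra)}")
    if a["target"].lower() != basedn.lower():
        findings.append(f"target {a['target']!r} is not {basedn!r}")
    userdn = a["userdn"].lower()
    # 'anyone'/'all' and wildcards open the grant to more than one bind identity
    if userdn in ("anyone", "all") or "*" in userdn or not userdn.endswith("," + basedn.lower()):
        findings.append(f"bind rule {a['userdn']!r} is not a single user under {basedn}")
    return findings


def audit_script_acis(users=("lmguser", "lumuser")):
    """Audit the ACIs the script would write for its two broker users."""
    return {user: audit_aci(build_aci(user)) for user in users}


if __name__ == "__main__":
    for user, findings in audit_script_acis().items():
        print(user, "OK" if not findings else findings)
    loosened = build_aci("lmguser").replace("allow(read,search,compare)", "allow(all)")
    print("loosened:", audit_aci(loosened))
```

To audit what is actually installed, export the ds-cfg-global-aci values from cn=Access Control Handler,cn=config with ldapsearch and feed each value to audit_aci(); values that do not follow the script's shape raise ValueError and deserve a manual look rather than a silent pass.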
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following “connect through” grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users, regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in “Sample proxyinfo.sql script” on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual so that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see AJP-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as “SOAPException: faultCode=INVALID SOAP RESPONSE” in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. The statement Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE is missing a single quote; the capture name must be a quoted string literal.
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
eventual use of the DES3 algorithm in the future, which uses a 24-character key. The string you enter as the key is padded to a length of 24, but you must still use at least eight characters, since those are the characters used by the current DES encryption.
The passwords stored and passed by the SSO process are encrypted using DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and change the directory name to match the name of the directory you created in step one. For example, the directory may read as follows: $BANNER_HOME/KEY_DIR
Note: If you cannot find the banssodir.sql script, you may need to manually copy the file from upgrade/Gen70/banssodir.sql to $BANNER_HOME/install/banssodir.sql.
5. Run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
Create entries in LDAP for usermap
If LDAP user mappings are enabled (as optionally configured by the baseline user in GUAUPRF), then you must add the configuration entries to your LDAP directory. The default DN path is as follows:
o=config,o=Banner,o=SCTSSOapplications
UserMapDN points to a location in the LDAP directory where users can be mapped if their IDs differ between the LDAP server and the Banner database. Each entry in this location should be of the object class SCTSSOConfig, and the Common Name (CN) of the entry should be the same as the LDAP user. The SCTSSOConfigString attribute of the entry should be set to the user in the Banner database. If the user ID for a user is the same in both systems, an entry in this location is not necessary or recommended for that user.
In order for users to use SSO to INB through Luminis Platform using LDAP authentication, the LDAP and Banner IDs must meet one of the following criteria:
• The same value: Luminis ID = jsmith; Oracle/Banner ID = jsmith
• Mapped to one another in LDAP: Luminis ID = JoeSmith; Oracle/Banner ID = jsmith
The following example explains how to establish and test the ID mapping if the IDs are different from one another. In this example, the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.
1. Create a mapping file, for example sso_map.ldif:
dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith
2. Import the mapping file into the LDAP server:
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note: You must wait approximately 20 minutes for the mapping to take effect.
3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see “Luminis Banner Web application” on page 2-9.
Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner. The value is cached during subsequent startups. If changes to a particular mapping are made, you must restart the banportals OC4J before the mapping can be read accordingly.
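Because a usermap entry is read once and then cached, a malformed entry is easiest to catch before the import. The following Python script is an added example, not part of this guide or the Ellucian scripts; it parses an LDIF file such as sso_map.ldif above or the o=usermap entries in the sample o=sctssoapplications.ldif in Appendix C, resolves a Luminis ID to its Banner ID the way this section describes (the usermap entry if one exists, otherwise the same ID), and flags entries that break the convention: missing objectClass SCTSSOConfig, a cn that differs from the RDN, no SCTSSOConfigString, or identical IDs on both sides. The LDIF in the script is constructed for the example.

```python
"""Check a Banner SSO usermap LDIF against this chapter's conventions.

Added example, not part of the Ellucian guide or its scripts. The LDIF below
is constructed: the container, one good mapping, two deliberately flawed ones."""
import base64
import re

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"

SAMPLE_LDIF = """\
version: 1

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap

dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: SCTSSOConfig
cn: JoeSmith
SCTSSOConfigString: jsmith

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: SCTSSOConfig
cn: kyle
SCTSSOConfigString: kyle

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
cn: 610009611
SCTSSOConfigString:: c2Fpc3Vzcg==
"""

_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' (base64)
    values, skips comments and the version line. Each entry becomes
    {lower-cased attribute: [values]} with the 'dn' included."""
    entries, current = [], {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if attr.lower() == "version":
            continue
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def _child_rdn(dn, base):
    """Return (attr, value) of the RDN if dn is a direct child of base, else None."""
    parts = [p.strip() for p in dn.split(",")]
    base_parts = [p.strip().lower() for p in base.split(",")]
    if len(parts) != len(base_parts) + 1 or [p.lower() for p in parts[1:]] != base_parts:
        return None
    attr, _, value = parts[0].partition("=")
    return attr.lower(), value


def banner_user_for(entries, luminis_id, base=USERMAP_BASE):
    """Usermap lookup as the guide describes: the mapped value if an entry
    exists, otherwise the Luminis ID is also the Banner ID."""
    for e in entries:
        rdn = _child_rdn(e.get("dn", [""])[0], base)
        if rdn and rdn[0] == "cn" and rdn[1].lower() == luminis_id.lower():
            values = e.get("sctssoconfigstring", [])
            if values:
                return values[0]
    return luminis_id


def validate_usermap(entries, base=USERMAP_BASE):
    """Return [(dn, problem)] for cn=<user> entries directly under the usermap base."""
    problems = []
    for e in entries:
        dn = e.get("dn", [""])[0]
        rdn = _child_rdn(dn, base)
        if rdn is None or rdn[0] != "cn":
            continue  # the container itself, or not a cn=<user> mapping
        luminis_id = rdn[1]
        if "sctssoconfig" not in {c.lower() for c in e.get("objectclass", [])}:
            problems.append((dn, "missing objectClass SCTSSOConfig"))
        if [c.lower() for c in e.get("cn", [])] != [luminis_id.lower()]:
            problems.append((dn, f"cn does not match RDN value {luminis_id!r}"))
        banner = e.get("sctssoconfigstring", [])
        if len(banner) != 1 or not banner[0].strip():
            problems.append((dn, "SCTSSOConfigString must hold exactly one Banner user"))
        elif banner[0].lower() == luminis_id.lower():
            problems.append((dn, "identical Luminis and Banner IDs; mapping is unnecessary"))
    return problems
```

Run validate_usermap(parse_ldif(open("sso_map.ldif").read())) before the ldapmodify import; the same parser also handles the base64 ("::") form that LDIF uses for values with leading spaces or non-ASCII characters, which is why the constructed 610009611 entry carries one.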
Configure parameters using GUAUPRF
To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:
1. Log on to Banner as the BASELINE user.
2. Access GUAUPRF.
3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value is displayed as the default value for new users who log in to Banner.
Parameter      Description
BIND_PASSWORD  The password for the bind user. This is stored in the database using DES encryption with the encryption key you configured in an earlier step.
BIND_USER      A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist.
DN             The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER         The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter is formatted as an LDAP URL, for example ldap://myldapserver:389.
               Note: If you are using LDAPS, you should also configure the parameters in the SSL key.
USERMAP_OPT    Usermap option. Valid values are as follows: L (LoginID is being used for login mapping); N (no usermap option is used).
USERMAP_PRFX   Prefix for the usermap. This field contains the prefix for the usermap option. The default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.
               Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters:
Parameter  Description
LOCATION   To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where the wallet is created, in file URL format. For example: file:/d:/wallet for Windows; file:/u01/wallet for Unix.
PASSWORD   The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE       The SSL authentication mode, one of the following values: 1 - No authentication is required (SSL encryption only). 2 - One-way authentication is required; the client certificate is authenticated by the server. 3 - Two-way authentication is required; the client and the server authenticate each other's certificates.
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see “Central Authentication Service and Banner Enterprise Identity Services” on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions listed below.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the util:map with id="uniqueIdGeneratorsMap" in the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file. Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file. Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
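Steps 4.5.1 and 4.5.3 define two attribute maps that must agree: attributeRepository maps LDAP attributes to principal attribute names, and UDCPersonAttributeDaoUtil maps those names back to LDAP attributes. Where they disagree, the value released in the CAS ticket is read from a different LDAP attribute than the one Banner validation looks up. The following Python script is an added example, not part of this guide or of the SGHE CAS extension; it parses the two fragments above (wrapped in a beans root so they form one document) and reports every name whose forward and reverse LDAP attributes differ. On the fragments as printed it reports Formatted Name, which is mapped from givenname in one bean and to sn in the other, so an operator can confirm whether that difference is intended for their directory.

```python
"""Cross-check the attribute maps in the CAS deployerConfigContext.xml fragments.

Added example, not part of the guide or the SGHE CAS extension. CONFIG_XML is
the page's two bean fragments wrapped in a <beans> root so they parse as one
document; the check itself works on any file with the same bean ids."""
import xml.etree.ElementTree as ET

CONFIG_XML = """<beans>
  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="query" value="(uid={0})" />
    <property name="contextSource" ref="contextSource" />
    <property name="ldapAttributesToPortalAttributes">
      <map>
        <entry key="uid" value="uid" />
        <entry key="udcid" value="UDC_IDENTIFIER" />
        <entry key="cn" value="cn" />
        <entry key="givenname" value="Formatted Name" />
        <entry key="mail" value="EmailAddress" />
      </map>
    </property>
  </bean>
  <bean id="UDCPersonAttributeDaoUtil"
        class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
    <property name="template" ref="LdapTemplate"></property>
    <property name="netIdAttr" value="uid" />
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="samlToLdapAttributeNameMap">
      <map>
        <entry key="UDC_IDENTIFIER" value="udcid" />
        <entry key="Formatted Name" value="sn" />
      </map>
    </property>
  </bean>
</beans>
"""


def read_map(root, bean_id, property_name):
    """Return {key: value} from <property name=...><map><entry key value/> in a bean."""
    bean = root.find(f"./bean[@id='{bean_id}']")
    if bean is None:
        raise KeyError(f"bean {bean_id!r} not found")
    map_el = bean.find(f"./property[@name='{property_name}']/map")
    if map_el is None:
        raise KeyError(f"{bean_id}.{property_name} has no <map>")
    return {e.get("key"): e.get("value") for e in map_el.findall("entry")}


def find_mapping_mismatches(xml_text):
    """Compare the ldap->principal map with the saml->ldap map.

    Returns {principal name: (ldap attribute from attributeRepository or None,
    ldap attribute from UDCPersonAttributeDaoUtil)} for every name whose two
    LDAP attributes differ (compared case-insensitively)."""
    root = ET.fromstring(xml_text)
    forward = read_map(root, "attributeRepository", "ldapAttributesToPortalAttributes")
    reverse = read_map(root, "UDCPersonAttributeDaoUtil", "samlToLdapAttributeNameMap")
    principal_to_ldap = {name: ldap_attr for ldap_attr, name in forward.items()}
    mismatches = {}
    for name, ldap_attr in reverse.items():
        fwd = principal_to_ldap.get(name)
        if fwd is None or fwd.lower() != ldap_attr.lower():
            mismatches[name] = (fwd, ldap_attr)
    return mismatches


def same_base_dn(xml_text):
    """True when both beans search the same baseDN, which the UDC lookup assumes."""
    root = ET.fromstring(xml_text)
    dns = [
        root.find(f"./bean[@id='{b}']/property[@name='baseDN']").get("value").lower()
        for b in ("attributeRepository", "UDCPersonAttributeDaoUtil")
    ]
    return dns[0] == dns[1]


if __name__ == "__main__":
    print("baseDN consistent:", same_base_dn(CONFIG_XML))
    for name, (fwd, rev) in find_mapping_mismatches(CONFIG_XML).items():
        print(f"{name}: attributeRepository reads {fwd}, DaoUtil reads {rev}")
```

To run it against a deployed server, replace CONFIG_XML with the contents of SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml; if that file declares Spring namespaces on its root element, ElementTree still finds the un-prefixed bean, property, map and entry elements used here.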
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see “CAS managed services” on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile that captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set the logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:

$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties

Alternatively, add the following to your common log4j.properties, stored in $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties:

log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file

If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log:

$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1

There are also several application-specific logs you can refer to, for example:

[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name '*.log'
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log

For HTTP-layer monitoring, refer to the logs under $OAS_HOME/Apache/Apache/logs.
Most of the log files above have a corresponding log4j file, such as log4j.properties, that you can use to configure them.

You can also configure logging through Oracle Enterprise Manager (OEM) for the Oracle Application Server (OAS). OEM usually runs on port 1156 (administrative login ias_admin; the installation default password is manager1). Change that default password: anyone with this login can stop, start and restart individual containers, including the OC4J containers, which are called main for banportals and BEIS for Banner Enterprise Identity Services.

Another option is to drill into individual applications such as bnig or banportals. For example, you can set JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; they take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs

Logs are placed in the following directory (assuming the default domain):

/opt/glassfishv3/glassfish/domains/domain1/logs

If you want to adjust the verbosity of jms.log, edit imq.log.level in the following file:

/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties

Other GlassFish server-level logging is adjusted in the following file:

/opt/glassfishv3/glassfish/domains/domain1/config/logging.properties

Within Luminis Platform, if you want a separate logger for the JMS message listener package, add the following to the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:

# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs

Once an event has been processed in Banner and its status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) in the LMG log files.

The main LMG log files are:

$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)

The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.

To debug LMG for events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:

log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG

Once these properties are set, restart LMG, reproduce the issue and capture the logs. When reproducing the error, note the time stamp and any other identifying information about the event in question, such as the event ID or the event type.

If LMG processed the files successfully, you see messages similar to the following in the log files:

2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
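The three INFO lines above are the normal life cycle of one event: validated, published to the broker, delivered to a subscriber. When an event goes missing, the useful question is, per event ID, which of those stages never appeared. The following Python script is an added example (it is not part of this guide or of LMG) that parses log4j lines in the format shown, tracks each event ID through those stages, and attaches any ERROR lines that mention the ID. The sample input is constructed: the 370660 lines are the three above, while the 370661 lines and their ERROR message are invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample log. Event 370660 is the healthy example from the guide;
# event 370661 and the ERROR line are invented to show a stalled event.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,110 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,400 [Thread-1] ERROR events.com.sctcorp.events.MessageAdapter - Could not publish 370661: broker connection refused
"""

# "<timestamp> [<thread>] <LEVEL> <logger> - <message>", the layout of the lines above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Message shapes that mark the stages an event passes through in adapter.log.
STAGE_PATTERNS = {
    "validated": re.compile(r"^XML for (?P<id>\d+) is a valid document$"),
    "published": re.compile(r"^Message (?P<id>\d+) published to Luminis Message Broker$"),
    "delivered": re.compile(r"^The event (?P<id>\d+) has been published to (?P<sub>\S+)$"),
}
STAGE_ORDER = ("validated", "published", "delivered")
ID_RE = re.compile(r"\b(\d{4,})\b")  # event IDs are numeric; used to attribute ERROR lines


def parse_line(line):
    """Split one log4j line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def trace_events(text):
    """Map each event ID to the stages seen for it, its subscribers, and ERROR lines naming it."""
    events = defaultdict(lambda: {"stages": [], "subscribers": [], "errors": []})
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        matched = False
        for stage, pat in STAGE_PATTERNS.items():
            m = pat.match(rec["msg"])
            if m:
                ev = events[m.group("id")]
                if stage not in ev["stages"]:
                    ev["stages"].append(stage)
                if stage == "delivered":
                    ev["subscribers"].append(m.group("sub"))
                matched = True
                break
        if not matched and rec["level"] in ("ERROR", "FATAL"):
            # Attribute the error to every event ID that appears in the message text.
            for ev_id in ID_RE.findall(rec["msg"]):
                events[ev_id]["errors"].append(rec["ts"] + " " + rec["msg"])
    return dict(events)


def missing_stages(trace, event_id):
    """Return the stages, in pipeline order, that never appeared for this event ID."""
    seen = trace.get(event_id, {}).get("stages", [])
    return [s for s in STAGE_ORDER if s not in seen]


if __name__ == "__main__":
    t = trace_events(SAMPLE_LOG)
    for ev_id in sorted(t):
        print(ev_id, "missing:", missing_stages(t, ev_id), "errors:", t[ev_id]["errors"])
```

Run it against a real adapter.log by replacing SAMPLE_LOG with the file contents; an event that shows "validated" but no "published" stage, with an ERROR attached, points at the broker connection rather than at Banner or GOAEQRM.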
GlassFish MQ 4.5 logs

If an event passes through LMG correctly yet Luminis Platform or another system does not receive it, start by checking the standard luminis.log for synchronization-related errors. If that does not reveal the cause, debug Open MQ 4.4 and above as follows:

1. Locate the default MQ logs, stored in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log.

2. To enable debug logging, run the following command:

imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG

This has the same effect as adding or editing the following property in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:

imq.log.level=DEBUG

3. To change the destination directory or file name of the MQ log, add or edit the following properties in the same file:

imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration:

• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script

The following is an example proxyinfo.sql script:

--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
--   1) login to SQL*Plus as BANINST1
--   2) Type "start proxyinfo"
--      to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS      TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                       TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line('  Role: ' || e);
  -- f is the proxy password; keep this line commented out so it is not written to the spool file
  -- dbms_output.put_line('  PWD: ' || f);
  dbms_output.put_line('  Luminis User: ' || c);
  dbms_output.put_line('  Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif

The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

Sample 99-user.ldif

The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif

The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing this LDIF, update 00-core.ldif and 99-user.ldif as described in their respective sections. Once those entries are in the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.

The following is a sample sso_oclass_lum5.ldif:

dn: cn=Schema
changetype: modify
add: attributeTypes
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectClasses
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif

The following is a sample o=sctssoapplications.ldif file:

version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script

The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below. Before running it, note how it handles credentials: the Directory Manager password is passed on the dsconfig, ldapmodify and imqobjmgr command lines (visible in the process list while each command runs), --trustAll disables certificate checking on the administration connections, and the imqobjmgr JNDI binds go to the insecure LDAP port as cn=Directory Manager. Run it only on the resource tier as the $CP_ROOT owner, and replace the placeholder host name and passwords (password) before use.

#!/bin/bash
# (the script uses [[ ]], read -s and (( )), so run it with bash)
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables: set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      #   err=20 generally means "Attribute or Value Exists"
      #   err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break 2 ;;
          * ) echo "Failed on step $STEPNO with error $ERRORCODE"
              exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start:
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# If you want to insert a pre-encoded userPassword, the format would be
# (base64 of the whole "{SSHA}..." value, hence the double colon):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (imqDestinationName must be the UpdateRequest queue created above, not the Sync topic)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (imqDestinationName must be the UpdateReply queue created above, not the Sync topic)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_ssl_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_ssl_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
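STEP 2 of the script turns on ds-cfg-allow-pre-encoded-passwords so that the user entries created in STEP 6 and STEP 7 can carry a password hash instead of the clear-text values in MQ_LMG_USER_PW and MQ_LUM_USER_PW. The pre-encoded value quoted after STEP 6 is the base64 form of a {SSHA} string: salted SHA-1, a 20-byte digest followed by the salt. The following Python is an added example, not Ellucian's or OpenDS's code. It produces and verifies {SSHA} values in that layout, emits the LDIF attribute line, and parses the sample value from the script. The 8-byte salt length is an assumption taken from that sample; SHA-1 is used only because it is the scheme the script shows, and later OpenDS releases also ship salted SHA-256 and SHA-512 storage schemes that you should prefer where your password policy allows.

```python
import base64
import hashlib
import hmac
import secrets

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20
SALT_LEN = 8  # assumption: salt length seen in the script's sample value (OpenDS default)

# The pre-encoded value quoted after STEP 6, as it appears in LDIF: base64 of the
# whole "{SSHA}..." string, hence the double colon.
PAGE_SAMPLE_LINE = ("userPassword:: "
                    "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==")


def ssha_encode(password, salt=None):
    """Return an OpenDS-style {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(encoded):
    """Split an {SSHA} value into (digest, salt); raises ValueError if malformed."""
    if not encoded.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[len(SSHA_PREFIX):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to hold a SHA-1 digest and a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password, encoded):
    """Constant-time check of a clear-text password against an {SSHA} value."""
    digest, salt = ssha_split(encoded)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword_line(encoded):
    """LDIF attribute line for a pre-encoded password (base64, '::' form, as in the script)."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def parse_ldif_userpassword_line(line):
    """Inverse of ldif_userpassword_line; also accepts the plain 'userPassword: ' form."""
    if line.startswith("userPassword:: "):
        return base64.b64decode(line[len("userPassword:: "):]).decode("ascii")
    if line.startswith("userPassword: "):
        return line[len("userPassword: "):]
    raise ValueError("not a userPassword line")


if __name__ == "__main__":
    enc = ssha_encode("password")
    print(ldif_userpassword_line(enc))
    print("verify:", ssha_verify("password", enc))
    sample = parse_ldif_userpassword_line(PAGE_SAMPLE_LINE)
    print("page sample salt length:", len(ssha_split(sample)[1]))
```

To use it with the script, generate the line once, paste it in place of the userPassword: $MQ_LMG_USER_PW line in the STEP 6 heredoc, and drop the clear-text variable; the directory then never receives the password itself, only the salted hash, which is what the pre-encoded-password policy setting exists to allow.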
Troubleshooting

This appendix discusses options for troubleshooting username mapping and other issues in the Luminis Platform portlets for Banner.

Error message when banproxy is not configured correctly

The following error often indicates that the banproxy configuration is not set up properly:

ORA-28150: proxy not authorized to connect as client

If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:

SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;

The proxy (connect-through) grant for BANPROXY access has the following shape:

SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;

USER2 should be the sole member of the pxy_channel_luminis class and be granted EXECUTE on gspprxy and CREATE SESSION (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed; USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.

When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, issue the grants manually (executed as bansecr) for the banportals connection user and for each individual Oracle user that requires INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.

For a student SSB user, the proxy lookup returns the default Oracle ID, which is usually BANPROXY.
For an INB user, the lookup must return the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: Assign the connect-through grants manually via SQL when you use the GSASECR form to check BANPROXY access with a default Oracle ID other than BANPROXY.

To test which Oracle ID is used for a given SPRIDEN ID or Luminis Platform user, call gspprxy.g$_get_proxy_info directly or run the proxyinfo.sql script (as bansecr) described in "Sample proxyinfo.sql script" on page C-1.

Banner Enterprise Identity Services - INB SSO

The handoff logic between the SSO systems is deliberately opaque, to make ticket hijacking and similar attacks harder, and the installation is manual so that each institution's administrators can customize their environment with their own unique keywords.

All of the moving parts and variable settings in the Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb must match what was configured in baniam.properties inside baniam.jar. Likewise, the ticket parameter name for INB (for example iamticket) must match the parameter that was added to your formsweb.cfg:

iamticket=iamticket

Use the same forms configuration name wherever you reference forms/frmservlet?config=… (in the BNIG configuration and in banportals); the example in this guide uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration must match the IDM settings in the Web Tailor parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams on which JMS relies. To correct the problem, complete the following steps:

1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory in the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

3. Delete any lock files.
Another SOAP-related error, an HTTP transport error, can occur even when all the JMS queues are configured and operating correctly. It usually points at the proxy configuration. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, for example:

http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy

Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK in the SunGard Higher Education Customer Support Center describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams

The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation

For more information, refer to the Banner Enterprise Identity Services Installation Guide.

1. One typo in that guide: the validation statement is printed with its closing single quote missing. The correct statement is:

select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE';

2. If the results from those validation SQL statements do not match the expected results, run the following scripts:

gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql

These are Banner General files located on your Banner DB under $BANNER_HOME/upgrade/gen80000u. They were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 in the SunGard Higher Education Customer Support Center.

3. Ensure that you are using General 8.3 or above, then enter the following commands:

exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');

The second command should automatically start the capture and apply. To start them manually, enter:

exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');

If the streams are locking on archive logs, you can remove the stream by entering:

exec gp_streams_util.p_remove_streams('IAM');

4. To recreate and reconfigure the streams, enter:

exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The following example explains how to establish and test the ID mapping when the two IDs differ. In this example the Oracle/Banner account name is jsmith and the Luminis account name is JoeSmith.

1. Create a mapping file, for example sso_map.ldif:

dn: cn=JoeSmith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - JoeSmith to Banner/Oracle ID - jsmith
cn: JoeSmith

2. Import the mapping file into the LDAP server:

ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline

Here pipeline stands for the Directory Manager password. Passing it with -w exposes it in the process list and shell history; on a shared host use the tool's -j/--bindPasswordFile option, or omit -w and let ldapmodify prompt.

Note: You must wait approximately 20 minutes for the mapping to take effect.

3. Run the proxyinfo.sql script as bansecr or sysdba to verify that the mapping is working correctly. For more information, see "Luminis Banner Web application" on page 2-9.

Note: The mapping defined in the o=usermap tree is read once after banportals startup, when the user first accesses the Luminis Portlets for Banner, and the value is then cached. If you change a particular mapping, you must restart the banportals OC4J before the new mapping is read.
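Each mapping is one LDIF record in the shape shown in step 1, and the Luminis ID becomes part of the entry's DN (cn=...). A comma, plus sign or leading # in a Luminis ID would change the DN structure unless it is escaped per RFC 4514, and the mapped Oracle ID is what the proxy lookup later returns for the BANPROXY connect-through, so it is worth checking that it is a plain Oracle identifier before it reaches the directory. The following Python is an added example, not part of this guide or of the Banner/Luminis software: it builds o=usermap entries from (Luminis ID, Banner ID) pairs with that escaping and check. The Oracle identifier pattern, the duplicate check and the sample pairs are the example's own assumptions.

```python
import base64
import re

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"

# Assumption for this example: a mapped Banner/Oracle ID must look like an unquoted
# Oracle identifier (letter first, then letters, digits, _, $ or #, at most 30 chars).
ORACLE_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")

# Characters that must be backslash-escaped anywhere in an RDN value (RFC 4514, 2.4).
_RDN_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN, per RFC 4514 section 2.4."""
    if value == "":
        raise ValueError("empty RDN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _RDN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name, value):
    """One LDIF attribute line; values LDIF cannot carry literally go out base64 ('::')."""
    unsafe = (not value.isascii()
              or value[:1] in (" ", ":", "<")
              or value.endswith(" ")
              or any(c in value for c in "\r\n\x00"))
    if unsafe:
        return name + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    return name + ": " + value


def usermap_entry(luminis_id, banner_id):
    """Build one o=usermap entry in the shape used by the sample LDIF in this guide."""
    if not ORACLE_ID_RE.match(banner_id):
        raise ValueError("Banner/Oracle ID %r is not a plain Oracle identifier" % banner_id)
    dn = "cn=" + escape_rdn_value(luminis_id) + "," + USERMAP_BASE
    return "\n".join([
        ldif_attr("dn", dn),
        "objectClass: SCTSSOConfig",
        "objectClass: top",
        ldif_attr("cn", luminis_id),
        ldif_attr("description",
                  "Map of Luminis ID - %s to Banner/Oracle ID - %s" % (luminis_id, banner_id)),
        ldif_attr("SCTSSOConfigString", banner_id),
    ])


def build_usermap_ldif(pairs):
    """Join entries into one LDIF file; cn matching is case-insensitive, so reject duplicates."""
    seen = set()
    entries = []
    for luminis_id, banner_id in pairs:
        key = luminis_id.lower()
        if key in seen:
            raise ValueError("duplicate mapping for Luminis ID %r" % luminis_id)
        seen.add(key)
        entries.append(usermap_entry(luminis_id, banner_id))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    # Constructed sample pairs: the guide's JoeSmith/jsmith example plus an ID containing a comma.
    print(build_usermap_ldif([("JoeSmith", "jsmith"), ("Smith, Joe", "jsmith2")]))
```

The output can be written to sso_map.ldif and imported with the ldapmodify command in step 2. Because the Luminis ID also appears as the cn attribute value and in the description, ldif_attr base64-encodes any value that LDIF cannot carry literally, so an ID with a leading space or non-ASCII characters still round-trips unchanged.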
Configure parameters using GUAUPRF

To configure parameters using the General User Preferences Maintenance Form (GUAUPRF), complete the following steps:

1. Log on to Banner as the BASELINE user.

2. Access GUAUPRF.

3. Navigate to the LDAP tab.
4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user's field value, that value is displayed as the default value for new users who log in to Banner.

BIND_PASSWORD
    The password for the bind user. It is stored in the database using DES encryption with the encryption key you configured in an earlier step; the key, not the cipher, is what protects it, so restrict access to the key accordingly.

BIND_USER
    A user with rights to bind to the LDAP server to retrieve the SSO configuration data. This user must also be able to search the LDAP directory to determine whether users exist.

DN
    The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.

SERVER
    The LDAP server used to validate users and to store additional SSO configuration parameters, in LDAP URL format, for example ldap://myldapserver:389.

    Note: If you are using LDAPS, also configure the parameters in the SSL key.

USERMAP_OPT
    Usermap option. Valid values:
    L  Login ID is used for login mapping
    N  No usermap option is used

USERMAP_PRFX
    Prefix for the usermap. This parameter holds the prefix used with the usermap option; the default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.

    Note: These options are defined in the USERMAP_OPT parameter. The expected usermap is L (logon ID) or N (none).
5. In the SSL (Secure Sockets Layer) key, configure the following parameters.
Parameter: Description
LOCATION: To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format; for example, the location may be file:d:\wallet for Windows or file:/u01/wallet for Unix.
PASSWORD: The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE: The SSL authentication mode, which can be one of the following values: 1 - No authentication is required (SSL encryption only); 2 - One-way authentication is required (the client certificate is authenticated by the server); 3 - Two-way authentication is required (the client and the server authenticate each other's certificates).
Appendix A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports the CAS versions for which the following files are delivered.
2.1. Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2. Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps.
4.1. Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.2. Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.3. Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps.
4.3.1. Open the uniqueIdGenerators.xml file.
4.3.2. Add the following entry to the util:map with id uniqueIdGeneratorsMap:
<util:map id="uniqueIdGeneratorsMap">
  <entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
</util:map>
4.3.3. Save and close the uniqueIdGenerators.xml file.
4.4. Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.4.1. Open the argumentExtractorsConfiguration.xml file.
4.4.2. Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.4.3. Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.4.4. Save and close argumentExtractorsConfiguration.xml.
4.5. Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file.
4.5.1. Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.5.2. Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.5.3. Save and close the cas-servlet.xml file.
4.6. Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.6.1. Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.6.2. Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.6.3. Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.6.4. Save and close the deployerConfigContext.xml file.
4.7. Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.7.1. Open default_views.properties.
4.7.2. Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.7.3. Save and close default_views.properties.
4.8. Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
Appendix B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique log file that captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternatively, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several application-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, refer to the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify particular JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
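The following added Python example, which is not part of the guide or of LMG, parses adapter.log lines in the layout shown above and reports how far a given event ID (the GOAEQRM Event Sequence) got: validated, published to the Luminis Message Broker, or delivered to a target. The three lines for event 370660 are the guide's own; the lines for event 370661, the error wording and the "invalid" stage pattern are constructed for this example, as are the function names.

```python
"""Trace a Banner event ID through LMG adapter.log.

Added example; not part of the Luminis guide or of LMG. It parses lines
in the layout the guide shows ("date time,millis [thread] LEVEL logger - message")
and reports which stages an event (GOAEQRM Event Sequence) reached.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Stage messages: the first three use the guide's wording; "invalid" is an
# assumed counterpart for a failed XML validation and may differ in a real log.
STAGES = [
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("published_to_broker", re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("published_to_target", re.compile(r"The event (\d+) has been published to (\S+)")),
    ("invalid", re.compile(r"XML for (\d+) is not a valid document")),
]
# Fallback used to tie ERROR/WARN lines to an event ID
ID_RE = re.compile(r"\b(?:Message|event|XML for) (\d+)\b")

# Constructed sample: the three lines for 370660 are the guide's; 370661's lines are made up
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,113 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,900 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Message 370661 not published: broker connection refused
"""


def parse_line(line):
    """Split one log line into its fields, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def trace_events(lines):
    """Return {event_id: {"stages": [(ts, stage)], "targets": [...], "errors": [(ts, msg)]}}."""
    events = defaultdict(lambda: {"stages": [], "targets": [], "errors": []})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        for stage, pat in STAGES:
            m = pat.search(rec["msg"])
            if m:
                ev = events[m.group(1)]
                ev["stages"].append((rec["ts"], stage))
                if stage == "published_to_target":
                    ev["targets"].append(m.group(2))
                break
        else:
            # Not a known stage: keep ERROR/WARN lines that name an event ID
            if rec["level"] in ("ERROR", "WARN"):
                m = ID_RE.search(rec["msg"])
                if m:
                    events[m.group(1)]["errors"].append((rec["ts"], rec["msg"]))
    return dict(events)


def event_status(lines, event_id):
    """complete: reached a target; failed: invalid XML or an error line;
    stalled: seen but never delivered; missing: the ID never appears."""
    ev = trace_events(lines).get(str(event_id))
    if ev is None:
        return "missing"
    stages = {stage for _, stage in ev["stages"]}
    if "published_to_target" in stages:
        return "complete"
    if "invalid" in stages or ev["errors"]:
        return "failed"
    return "stalled"


if __name__ == "__main__":
    for eid in (370660, 370661):
        print(eid, event_status(SAMPLE_LOG.splitlines(), eid))
```

Feed it the lines of adapter.log (for example with open(...) after reproducing the issue) and look up the Event Sequence shown on GOAEQRM; a "stalled" result points at the broker side, which is where the GlassFish MQ logs described next come in.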
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows.
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination directory or filename for the MQ log, add or edit the following properties in the same file:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
Appendix C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update. TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- SQL*Plus prompts for the Luminis ID
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# bash is required: the script uses [[ ]], read -s and (( ))
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc, general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify
#VERBOSE="--verbose"
#
# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel
# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389
# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break"
        ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 01:
# Some sanity checks before we start.
# Does $OPENDS_DIR exist and is it writable?
if [[ ! ( -d $OPENDS_DIR ) || ! ( -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi
# Step 02:
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD
# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"
# STEP 1:
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 2:
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 3:
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 4:
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 5:
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 6:
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7:
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 8:
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 9:
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Define JNDI options for the imqobjmgr commands
JNDI_OPTS=-j javanamingfactoryinitial=comsunjndildapLdapCtxFactory -j javanamingproviderurl=ldap$HOSTNAME$INSECURE_LDAP_PORTou=AdministeredObjects$OPENDS_MQ_BASEDN -j javanamingsecuritycredentials=$DM_PASSWORD -j javanamingsecurityauthentication=simple
Insecure jmshttpjms connection factory options
CONNFACTORY_TCP_OPTS=-o imqConnectionURL=http$HOSTNAME$MQ_HTTP_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Secure ssljmshttpsjms connection factory options
CONNFACTORY_TLS_OPTS=-o imqConnectionURL=https$HOSTNAME$MQ_HTTPS_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Note the following imqobjmgr queuetopic creations could have also
been done by using imqcmd as follows explicit imqobjmgr is used to
ensure fine-grained control over the JNDI AdministeredObjects location
imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
er 2011 Luminis Platform 503 C-11Banner Integration Setup Guide
Sample Scripts and Files
C-12
imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
STEP 10
Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOMEbin
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_EntityEvents -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 11
Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Error -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 12
Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_LmsSync -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 13
Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Sync -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (The original listing set imqDestinationName=com_sct_ldi_sis_Sync here and in step 15, which
# pointed both queues at the same destination; the destination name now matches the JNDI name.)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o 'imqDestinationName=com_sct_ldi_sis_UpdateRequest' $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o 'imqDestinationName=com_sct_ldi_sis_UpdateReply' $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG, WebCT/Blackboard, etc.
imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG, WebCT/Blackboard, etc.
imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory (TLS) used by LMG, WebCT/Blackboard, etc.
imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_ssl_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory (TLS) used by LMG, WebCT/Blackboard, etc.
imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_ssl_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
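The following shell helpers are an added example and are not part of Ellucian's lp5_mqinit.sh. They cover two things a practitioner usually wants around the step list above: a pre-flight lint of the imqobjmgr lines (each object's imqDestinationName should match the leaf of its JNDI name after topic$ or queue$; the original listing's steps 14 and 15 both named com_sct_ldi_sis_Sync), and a non-interactive replacement for ErrorCheck that accepts LDAP result codes 20 and 68 on a re-run, stops on anything else, and keeps the Directory Manager password out of the process list by writing it to a private file. It is assumed that the OpenDS dsconfig and ldapmodify used by the script accept --bindPasswordFile (-j); the sample step lines and exit codes are constructed, and nothing here contacts a directory or a broker.

```shell
#!/bin/sh
# Added example, not part of Ellucian's lp5_mqinit.sh.
#  - check_objmgr_names: lint "imqobjmgr add" lines for JNDI/destination drift
#  - classify_rc / run_step: non-interactive step handling (LDAP rc 20 =
#    attributeOrValueExists, 68 = entryAlreadyExists are "already done")
#  - make_pwfile: password file for --bindPasswordFile instead of -w on argv

RERUN_OK=${RERUN_OK:-1}   # 1: treat rc 20/68 as "already present" and continue

# check_objmgr_names FILE: print one line per mismatch, return 1 if any found.
check_objmgr_names() {
    tr -d "\"'" < "$1" | awk '
    /imqobjmgr add/ && /imqDestinationName=/ {
        jndi = ""; dest = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-l") jndi = $(i + 1)
            if ($i ~ /^imqDestinationName=/) { dest = $i; sub(/^imqDestinationName=/, "", dest) }
        }
        p = index(jndi, "$")                  # leaf after topic$ / queue$
        if (p) jndi = substr(jndi, p + 1)
        if (jndi != dest) { printf "mismatch: JNDI %s -> destination %s\n", jndi, dest; bad = 1 }
    }
    END { exit bad + 0 }'
}

# classify_rc CODE: prints ok | exists | fail
classify_rc() {
    case "$1" in
        0)     echo ok ;;
        20|68) if [ "$RERUN_OK" = 1 ]; then echo exists; else echo fail; fi ;;
        *)     echo fail ;;
    esac
}

# run_step STEPNO DESCRIPTION COMMAND [ARGS...]: run the command, log the
# outcome, return 0 to continue or 1 to stop (the caller decides to exit).
run_step() {
    stepno=$1; desc=$2; shift 2
    "$@"
    rc=$?
    case "$(classify_rc "$rc")" in
        ok)     echo "step $stepno ($desc): done" ;;
        exists) echo "step $stepno ($desc): already present, rc=$rc, continuing" ;;
        *)      echo "step $stepno ($desc): FAILED, rc=$rc" >&2; return 1 ;;
    esac
}

# make_pwfile PASSWORD: write the password to a private temp file (mktemp
# creates it mode 0600) and print its path; rm -f it when the script is done.
make_pwfile() {
    f=$(mktemp) || return 1
    printf '%s' "$1" > "$f" && echo "$f"
}

# Constructed sample of the script's imqobjmgr lines, including the drift.
make_sample_steps() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o 'imqDestinationName=com_sct_ldi_sis_Sync' $JNDI_OPTS
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o 'imqDestinationName=com_sct_ldi_sis_Sync' $JNDI_OPTS
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o 'imqDestinationName=com_sct_ldi_sis_UpdateReply' $JNDI_OPTS
imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS
EOF
    echo "$f"
}

# Demo: lint the sample, then simulate three steps exiting 0, 68 and 1.
# Step 3 is expected to fail; the demo returns 1 only if it unexpectedly passes.
demo() {
    steps=$(make_sample_steps)
    check_objmgr_names "$steps" || echo "fix the listing before running it"
    run_step 1 "add base-dn o=messaging"     true              || return 1
    run_step 2 "add cn=lmguser (second run)" sh -c 'exit 68'   || return 1
    run_step 3 "add topic (broken)"          sh -c 'exit 1'    && return 1
    rm -f "$steps"
}

demo
```

To use run_step in the real script, replace each `ERRORCODE=$?; ErrorCheck` pair with `run_step "$STEPNO" "description" imqobjmgr add ... || exit 1`, and pass `-j "$(make_pwfile "$DM_PASSWORD")"` to dsconfig/ldapmodify in place of `-w $DM_PASSWORD`.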
Troubleshooting

This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.

Error message when banproxy is not configured correctly

The following error often indicates that the banproxy configuration is not correct:

ORA-28150: proxy not authorized to connect as client

If the default Oracle ID and the connection user are both the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:

SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;

In general, the proxy (connect-through) grant for BANPROXY access has the following form:

SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;

USER2 should be the sole member of the pxy_channel_luminis class and be granted EXECUTE on gspprxy and CREATE SESSION (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp. You can confirm that a grant is in place by querying the PROXY_USERS (or DBA_PROXIES) view for the PROXY/CLIENT pair.

When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you must issue the grants manually, executed as BANSECR, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.

For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY. For an INB user, the proxy lookup must respond with the actual INB username; that user must be granted BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.

Note: If you use a default Oracle ID other than BANPROXY, assign the connect-through grants manually via SQL in addition to checking BANPROXY access on the GSASECR form.

To test which Oracle ID is used for a given SPRIDEN ID or Luminis Platform user, call gspprxy.g$_get_proxy_info or run the proxyinfo.sql script described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO

The handoff logic between the SSO systems is deliberately somewhat opaque, to make hijacking and similar attacks on the handoff harder. The installation process is manual so that each institution's administrative staff can customize their environment to use unique keywords. Note that this obscurity only raises an attacker's effort; it is not a substitute for transport protection and ticket validation.

The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties file within baniam.jar. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg, as follows:

iamticket=iamticket

Reference the Forms configuration consistently wherever forms.frmservlet.config=… appears, in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.

If you see AJP-related errors in the Banner Enterprise Identity Services default island log in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application.log, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams on which JMS relies. To correct the problem, complete the following steps:

1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

3. Delete any lock files.

Another SOAP-related error, an HTTP transport error, can occur even if all the JMS queues are configured and operating correctly. It suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:

http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy

Another solution is to adjust your Forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams

The following topics provide more information about validating the Oracle Streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation

For more information, refer to the Banner Enterprise Identity Services Installation Guide. One typo in that guide is the following validation statement, which is missing a single quote; the corrected form is:

1. SELECT COUNT(*) FROM GSVCADT WHERE GSVCADT_CAPTURE_NAME = 'IAM_EVENTS_CAPTURE';

2. If the results from those validation SQL statements do not match the expected results, run the following scripts:

gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql

These are Banner General files, located on your Banner DB server under $BANNER_HOME/upgrade/gen80000u. They were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 in the SunGard Higher Education Customer Support Center.

3. Ensure that you are using General 8.3 or above, then enter the following commands:

exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');

The latter command should automatically begin the capture and apply. To begin them manually, enter:

exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');

If the streams are locking on archive logs, you can remove the stream by entering:

exec gp_streams_util.p_remove_streams('IAM');

4. To recreate and reconfigure the streams, enter:

exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
SSB and INB Integration

4. Enter the following values for your institution in the User Value field for each configuration parameter. When you change the BASELINE user field value, that value is displayed as the default value for new users who log in to Banner.

Parameter      Description
BIND_PASSWORD  The password for the bind user. It is stored in the database using DES encryption with the encryption key you configured in an earlier step. DES is a 56-bit cipher and is no longer considered strong, so protect the encryption key and restrict access to the stored value as you would for a cleartext secret.
BIND_USER      A user with rights to bind to the LDAP server to retrieve the configuration data for SSO. This user should also be able to search the LDAP directory to determine whether users exist; give it no more directory rights than that.
DN             The location in the LDAP directory where the SSO configuration parameters are stored. Several LDIF files are delivered as examples of where this could be stored.
SERVER         The LDAP server used to validate users and to store additional SSO configuration parameters. The parameter uses LDAP URL format, for example ldap://myldapserver:389.

Note: If you are using LDAPS, you should also configure the parameters in the SSL key (step 5).

USERMAP_OPT    Usermap option. Valid values are:
               L - the login ID is used for login mapping
               N - no usermap option is used
USERMAP_PRFX   Prefix for the usermap. This holds the prefix for the usermap option; the default delivered value is cn=. With Luminis IV you could also use the immutable ID to create the mapping.

Note: These options are defined in the USERMAP_OPT parameter. The expected usermap value is L (logon ID) or N (none).

5. In the SSL (Secure Sockets Layer) key, configure the following parameters:

Parameter  Description
LOCATION   To configure SSL, a certificate wallet must be created on the database server using Wallet Manager. This parameter points to the physical location on the server where the wallet is created, in file URL format. For example: file:d:\wallet for Windows, file:/u01/wallet for Unix.
PASSWORD   The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE       The SSL authentication mode, one of the following values:
           1 - No authentication is required (SSL encryption only)
           2 - One-way authentication is required: the client verifies the server's certificate
           3 - Two-way authentication is required: the client and the server authenticate each other's certificates

Mode 1 encrypts the connection but does not verify the directory server's identity, so it does not protect the bind credentials against an attacker who can intercept the connection; use mode 2 or 3 and load the directory's CA certificate into the wallet.
A. CAS Server Configuration

Use the following steps to specify the LDAP connection information and to identify the LDAP attribute name in which the UDC_IDENTIFIER value is stored.

For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.

1. If you do not already have a CAS server installed, download the JA-SIG CAS server distribution.

2. Download the CAS extensions JAR file.

A standard JAR file is available from SunGard Higher Education for modifying the CAS server. SunGard Higher Education supports the CAS versions listed in step 2.2.

2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.

2.2 Select the file that supports your version of CAS:

SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip (CAS 3.2.1.1)
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip (CAS 3.3.1)

3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. The examples below use the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the Luminis Platform CAS server location SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war.

4. To configure the CAS server to enable the bannerValidate service, complete the following steps.

4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:

jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar

4.2 Modify SGHE_CAS_SERVER/WEB-INF/web.xml by adding the following servlet mapping:

<servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>

4.3 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml:

4.3.1 Open the uniqueIdGenerators.xml file.

4.3.2 Add the following entry to the existing util:map with id uniqueIdGeneratorsMap:

<util:map id="uniqueIdGeneratorsMap">
    <!-- existing entries stay; add this one -->
    <entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
</util:map>

4.3.3 Save and close the uniqueIdGenerators.xml file.

4.4 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml:

4.4.1 Open the argumentExtractorsConfiguration.xml file.

4.4.2 Add the following bean:

<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>

4.4.3 Add a reference to it in the util:list with id argumentExtractors:

<util:list id="argumentExtractors">
    <ref bean="BannerArgumentExtractor" />
    <ref bean="casArgumentExtractor" />
    <ref bean="samlArgumentExtractor" />
</util:list>

4.4.4 Save and close argumentExtractorsConfiguration.xml.

4.5 Modify SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml:

4.5.1 Open cas-servlet.xml and add the following bean:

<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
      p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:proxyHandler-ref="proxy20Handler"
      p:argumentExtractor-ref="BannerArgumentExtractor"
      p:successView="bannerAccountServiceSuccessView"
      p:failureView="bannerAccountServiceFail~~~ureView" />

4.5.2 Add the following property to the bean handlerMappingC:

<prop key="/bannerValidate">bannerAccountValidateController</prop>

4.5.3 Save and close the cas-servlet.xml file.

4.6 Modify SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml:

4.6.1 Add entry keys for UDC_IDENTIFIER and Formatted Name to the attributeRepository bean:

<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="query" value="(uid={0})" />
    <property name="contextSource" ref="contextSource" />
    <property name="ldapAttributesToPortalAttributes">
        <map>
            <!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
            <entry key="uid" value="uid" />
            <entry key="udcid" value="UDC_IDENTIFIER" />
            <entry key="cn" value="cn" />
            <entry key="givenname" value="Formatted Name" />
            <entry key="mail" value="EmailAddress" />
        </map>
    </property>
</bean>

4.6.2 Add the following property inside the authenticationManager bean:

<property name="authenticationMetaDataPopulators">
    <list>
        <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
            <property name="template" ref="LdapTemplate" />
            <property name="netIdAttr" value="uid" />
            <property name="baseDN" value="ou=People,o=cp" />
            <property name="casTokenAttributes">
                <map>
                    <entry>
                        <key><value>udcid</value></key>
                        <value>UDC_IDENTIFIER</value>
                    </entry>
                </map>
            </property>
        </bean>
    </list>
</property>

4.6.3 Add the following bean definitions under the beans root element:

<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <property name="contextSource" ref="contextSource"></property>
</bean>

<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
    <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>

<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
    <property name="template" ref="LdapTemplate"></property>
    <property name="netIdAttr" value="uid" />
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="samlToLdapAttributeNameMap">
        <map>
            <entry key="UDC_IDENTIFIER" value="udcid" />
            <entry key="Formatted Name" value="sn" />
        </map>
    </property>
</bean>

<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />

4.6.4 Save and close the deployerConfigContext.xml file.

4.7 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties:

4.7.1 Open default_views.properties.

4.7.2 Add the following lines:

# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView

4.7.3 Save and close default_views.properties.

4.8 Define the CAS managed services. For more information, see "CAS managed services" on page 2-4. Because /bannerValidate is a ticket-validation endpoint (a ServiceValidateController using the CAS 2.0 validation specification), keep the managed-services registry restricted to the service URLs that actually need it.
B. Logs

Banner Enterprise Identity Services logs let you better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.

You can also enable debug logging for the GlassFish Message Queue (MQ) component.

Banportals logs

BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To turn up banportals logging on the application server side, set the verbosity in the following file:

$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties

For example, to create a dedicated log file that captures details of the channel Web Proxy activity, edit log4j.properties as follows:

log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=true
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.rootCategory=DEBUG, logfile

DEBUG output from the proxy layer can include request parameters and user identifiers, so restrict read access to the log file and return to ERROR when you are done.

On the Luminis Platform side, you can set the logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:

$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties

Alternatively, you can add the following to the common log4j.properties stored in $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties:

log4j.logger.com.sct.banner.portals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file

If you are not actively debugging, lower the verbosity to ERROR level.

Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log:

$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1

There are also several application-specific logs you can refer to, such as the following:

[u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name '*.log'
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log

For HTTP-layer monitoring, refer to the files under $OAS_HOME/Apache/Apache/logs.

Most of the above log files have a corresponding log4j configuration file, such as log4j.properties, which you can use to configure them.

You can also configure logging via Oracle Enterprise Manager (OEM) for the Oracle Application Server (OAS). OEM usually runs on port 1156 (in the example environment the login is ias_admin/manager1; do not leave a default or shared administrator password in place). Through this interface you can stop, start and restart individual containers such as the OC4J containers, which are called main for banportals and BEIS for Banner Enterprise Identity Services.

Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; these take effect after the next restart of that component.

GlassFish MQ and Luminis Platform Message Broker logs

Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs

If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following file:

/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties

Otherwise, you can adjust other GlassFish server-level logging in /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties.

Within Luminis Platform, if you want to create a dedicated logger for the JMS message listener package, you can do so as follows in $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties:

# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5

As a Luminis Platform administrator, you should also become familiar with the Open MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs

Once the event has been processed in Banner and its status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) in the LMG log files.

The main LMG log files are as follows:

$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)

The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files. The event data logs hold the event payloads, which carry personal data, so restrict access to them and lower the level again after debugging.

To debug LMG for events, make the following changes in $SCT_LMG_HOME/Events/config/logging.properties:

log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG

Once these properties are set, restart LMG, reproduce the issue and capture the logs. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.

If LMG processed the event successfully, you see messages in the log files similar to the following:

2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
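The three log lines above are the trail a healthy event leaves in adapter.log. The following script is an added example, not part of the Ellucian guide or of LMG: given an adapter.log and a Banner event ID (the GOAEQRM Event Sequence), it reports which of the three stages (validated, published to the broker, delivered to a subscriber) were logged for that event, and lists every validated event that did not complete. The log content is constructed for the example and mirrors the INFO line format shown in the guide; the ERROR line for event 370661 is invented to show the failure case.

```shell
#!/bin/sh
# Added example, not part of the Ellucian guide or of LMG: correlate a Banner
# event ID with the three LMG stages recorded in adapter.log.

# make_sample_log: write a constructed adapter.log to a temp file, print its path.
# Event 370660 completes all stages; 370661 is validated but never published.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,118 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,120 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Message 370661 not published: javax.jms.JMSException: connection refused
EOF
    echo "$f"
}

# lmg_event_status LOG EVENTID
# Prints the stages found. Returns 0 when all three are present, 1 when some
# are missing (and prints the last line mentioning the event, which usually
# carries the error), or 2 when the event never appears in the log.
lmg_event_status() {
    log=$1; id=$2; missing=""
    if ! grep -qw -- "$id" "$log"; then
        echo "event $id: not found in $log"
        return 2
    fi
    grep -q -- "XML for $id is a valid document" "$log"                 || missing="$missing validated"
    grep -q -- "Message $id published to Luminis Message Broker" "$log" || missing="$missing brokered"
    grep -q -- "The event $id has been published to" "$log"             || missing="$missing delivered"
    if [ -z "$missing" ]; then
        echo "event $id: validated, brokered, delivered"
        return 0
    fi
    echo "event $id: missing stage(s):$missing"
    grep -w -- "$id" "$log" | tail -n 1
    return 1
}

# lmg_incomplete_events LOG: print every event ID that was validated but did
# not reach all three stages; returns 1 if there were any, 0 otherwise.
lmg_incomplete_events() {
    log=$1; rc=0
    for id in $(sed -n 's/.*XML for \([0-9][0-9]*\) is a valid document.*/\1/p' "$log" | sort -u); do
        lmg_event_status "$log" "$id" >/dev/null || { echo "$id"; rc=1; }
    done
    return $rc
}

# Demo against the constructed log.
sample=$(make_sample_log)
lmg_event_status "$sample" 370660
lmg_event_status "$sample" 370661
echo "incomplete: $(lmg_incomplete_events "$sample" | tr '\n' ' ')"
rm -f "$sample"
```

Against a real installation, point the functions at $SCT_LMG_HOME/Events/logs/adapter.log and pass the Event Sequence from GOAEQRM; an event that is "validated" but not "brokered" points at the broker connection or credentials, while one that is brokered but not "delivered" points at the subscriber side.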
GlassFish MQ 4.5 logs

If you see that an event is passing through LMG correctly yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:

1. Locate the default MQ logs, stored in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log.

2. To enable debug for those logs, run the following command (imqcmd prompts for the broker administrator password; prefer -passfile over putting it on the command line):

imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG

This has the same effect as adding or editing the following property in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:

imq.log.level=DEBUG

3. To change the directory or file name of the MQ log, add or edit the following properties:

imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C. Sample Scripts and Files

This appendix contains examples of scripts and LDIF files you might use during the integration:

• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script

The following is an example proxyinfo.sql script:

--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
--   1) Log in to SQL*Plus as BANINST1.
--   2) Type "start proxyinfo" to run the program.
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS    TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                     TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- Leave the next line commented: it would write the proxy password
  -- into the spool file.
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif

The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

Sample 99-user.ldif

The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ description ) )

Sample sso_oclass_lum5.ldif

The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, update 00-core.ldif and 99-user.ldif as stated in their respective sections. Once those entries are in the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.

The following is a sample sso_oclass_lum5.ldif:

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ description ) )

Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif

The following is a sample o=sctssoapplications.ldif file:

version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below. Two points to keep in mind before running it: the -w option passes the Directory Manager password on the dsconfig and ldapmodify command lines, where other local users can read it from the process list (the OpenDS tools accept --bindPasswordFile instead), and the imqobjmgr steps bind as Directory Manager over the unencrypted LDAP port ($INSECURE_LDAP_PORT), so the script should only ever be run on the resource tier itself.
#!/bin/bash
# bash is required: the script uses [[ ]], (( )) and read -s
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc; general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break ;;
          * )   echo "Failed on step $STEPNO with error $ERRORCODE"
                exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break"
        break ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}

# Step 0.1
# Some sanity checks before we start:
# does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d $OPENDS_DIR ) || ! ( -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 0.2
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be
# (double colon = base64-encoded value):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (the lookup names contain a literal '$', hence the single quotes)
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (imqDestinationName corrected to match the queue name and the imqcmd list above;
# the printed sample had com_sct_ldi_sis_Sync here)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (imqDestinationName corrected as in STEP 14)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.

Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When "Authorize BANPROXY" is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given SPRIDEN ID or Luminis Platform user, use the gspproxy.get_proxy_info method, or the proxyinfo.sql script described as bansecr in "Sample proxyinfo.sql script" on page C-1.

Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any .lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.

Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.

Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide. One typo in that guide is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the printed statement is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
5. In the SSL (Secured Socket Layer) key, configure the following parameters:
Parameter   Description
LOCATION    To configure SSL, a certificate wallet must be created on the Database Server using Wallet Manager. This parameter is set to point to the physical location on the server where this wallet is created. It uses the file URL format; for example, file:d:/wallet for Windows or file:/u01/wallet for Unix.
PASSWORD    The password to the wallet, stored using DES encryption with the key you created in a previous step.
MODE        The SSL authentication mode, one of the following values:
            1 - No authentication is required (SSL encryption only)
            2 - One-way authentication is required; the client certificate is authenticated by the server
            3 - Two-way authentication is required; the client and the server authenticate each other's certificates
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports CAS versions
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry to the uniqueIdGeneratorsMap in the uniqueIdGenerators.xml file:
<util:map id="uniqueIdGeneratorsMap">
    <!-- existing entries remain as they are -->
    <entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
</util:map>
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
    <ref bean="BannerArgum entExtractor" />
    <ref bean="casArgumentExtractor" />
    <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
      p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:proxyHandler-ref="proxy20Handler"
      p:argumentExtractor-ref="BannerArgumentExtractor"
      p:successView="bannerAccountServiceSuccessView"
      p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="query" value="(uid={0})" />
    <property name="contextSource" ref="contextSource" />
    <property name="ldapAttributesToPortalAttributes">
        <map>
            <!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
            <entry key="uid" value="uid" />
            <entry key="udcid" value="UDC_IDENTIFIER" />
            <entry key="cn" value="cn" />
            <entry key="givenname" value="Formatted Name" />
            <entry key="mail" value="EmailAddress" />
        </map>
    </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
    <list>
        <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
            <property name="template" ref="LdapTemplate" />
            <property name="netIdAttr" value="uid" />
            <property name="baseDN" value="ou=People,o=cp" />
            <property name="casTokenAttributes">
                <map>
                    <entry>
                        <key><value>udcid</value></key>
                        <value>UDC_IDENTIFIER</value>
                    </entry>
                </map>
            </property>
        </bean>
    </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
    <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
    <property name="template" ref="LdapTemplate"></property>
    <property name="netIdAttr" value="uid" />
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="samlToLdapAttributeNameMap">
        <map>
            <entry key="UDC_IDENTIFIER" value="udcid" />
            <entry key="Formatted Name" value="sn" />
        </map>
    </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties.
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.

Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To crank up banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M:%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M:%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.banner.portals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.

Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; they take effect after the next restart of that component.

GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.

Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
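The three INFO lines above are the stages an event passes through on the LMG side, and the number in each is the GOAEQRM Event Sequence. The following Python script is an added example, not from this guide and not LMG, Banner or Luminis code: it parses adapter.log lines in the format shown, records which stage each event ID reached (valid XML, published to the Luminis Message Broker, published to a subscriber) and lists events that LMG validated but never reported publishing, which are the ones to chase in the broker's jms.log rather than in Banner. The sample log is constructed: the 370660 lines follow the guide's example, while the 370661 and 370662 lines and the "is not a valid document" wording for a rejected event are assumptions.

```python
"""Correlate Banner event IDs (GOAEQRM Event Sequence) with LMG adapter.log lines.

Added example for this guide; not LMG, Banner or Luminis code. The line format
follows the three INFO lines quoted in the guide; the 'is not a valid document'
wording used for rejected events is an assumption.
"""
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample log. The 370660 lines follow the guide's example;
# 370661 (validated, never published) and 370662 (rejected) are made up.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,104 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:09,777 [Thread-11] ERROR events.com.sct.corp.events.StandardEventProvider - XML for 370662 is not a valid document
"""

# "<date> <time> [<thread>] <LEVEL> <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \S+) \[(?P<thread>[^\]]+)\] (?P<level>\w+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)

# The stages an event passes through, in order, each with the message that marks it.
STAGES = (
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("published_to_broker", re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("published_to_subscriber", re.compile(r"The event (\d+) has been published to (\S+)")),
)
REJECTED_RE = re.compile(r"XML for (\d+) is not a valid document")

Timeline = Dict[str, Dict[str, str]]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one adapter.log line into its fields, or None if it is not a log line."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def event_timeline(lines: Iterable[str]) -> Timeline:
    """Return {event_id: {stage: timestamp, ...}} for every event mentioned.

    A 'subscriber' key holds the destination named in the final stage and a
    'rejected' key the timestamp at which LMG refused the event's XML.
    """
    events: Timeline = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        rejected = REJECTED_RE.search(msg)
        if rejected:
            events.setdefault(rejected.group(1), {})["rejected"] = rec["ts"]
            continue
        for stage, pattern in STAGES:
            found = pattern.search(msg)
            if found:
                stages = events.setdefault(found.group(1), {})
                stages[stage] = rec["ts"]
                if stage == "published_to_subscriber":
                    stages["subscriber"] = found.group(2)
                break
    return events


def delivered(events: Timeline, event_id: str) -> bool:
    """True when the event reached every stage, i.e. LMG's side of the hand-off is done."""
    seen = events.get(event_id, {})
    return all(stage in seen for stage, _ in STAGES)


def stalled_events(events: Timeline) -> List[str]:
    """Events LMG accepted but never reported publishing: if GOAEQRM shows
    status 2 for these, look at the broker (jms.log) rather than at Banner."""
    return sorted(
        event_id for event_id, seen in events.items()
        if "validated" in seen and "published_to_broker" not in seen
    )


if __name__ == "__main__":
    timeline = event_timeline(SAMPLE_LOG.splitlines())
    for event_id in sorted(timeline):
        state = "delivered" if delivered(timeline, event_id) else "incomplete"
        print(event_id, state, timeline[event_id])
    print("stalled:", stalled_events(timeline))
```

Feed the script a real adapter.log (for example `event_timeline(open(path))`) and compare its stalled list against the events whose GOAEQRM status is 2; an event that is stalled here but Processed in Banner points at the broker or its subscribers, not at the Banner event queue.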
Luminis Platform 503 November 2011Banner Integration Setup GuideLogs
Novemb
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination or filename for the MQ log, add or edit the following properties: imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS    TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                      TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';       -- channel context
  b varchar2(200) := 'LUMINIS';       -- calling application
  c varchar2(200) := '&Luminis_ID';   -- prompted Luminis ID
  d varchar2(200);                    -- resolved Oracle user
  e varchar2(200);                    -- resolved role
  f varchar2(200);                    -- password (not displayed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
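The following Python example (added here, not Ellucian code) reads entries of the shape above and resolves a Luminis user to its Oracle user the way UserMapDN is meant to be followed: first the cn=UserMapDN entry under the application's o=config, then cn=<luminis user> under the user map it points to. The LDIF embedded in it is a constructed subset of this sample, and the INTEGMGR default for unmapped users is an assumption taken from the proxyinfo.sql comments.

```python
"""Resolve a Luminis user ID to its Oracle user via the o=SCTSSOapplications user map.
Added example, not Ellucian code. SAMPLE_LDIF is a constructed subset of the guide's
sample file; DEFAULT_ORACLE_ID is an assumed default for unmapped users."""
import base64

DEFAULT_ORACLE_ID = "INTEGMGR"  # assumption: generic ID used when no mapping exists


def normalize_dn(dn):
    """Lower-case and trim each RDN so DN comparison is case-insensitive, as in LDAP."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def escape_dn_value(value):
    """RFC 4514 escaping: a Luminis ID containing ',' or '=' must not address another entry."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_ldif(text):
    """Minimal LDIF reader: {normalized dn: {attribute (lower-case): [values]}}.
    Handles folded continuation lines (leading space) and '::' base64 values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None  # a blank line ends the entry
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = normalize_dn(value)
            entries[current] = {}
        elif current is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            entries[current].setdefault(name.lower(), []).append(value)
    return entries


def resolve_oracle_user(entries, luminis_user, app="Banner", default=DEFAULT_ORACLE_ID):
    """Return (oracle_user, mapped). Follows cn=UserMapDN to the user map subtree."""
    config_dn = normalize_dn("cn=UserMapDN,o=config,o=%s,o=SCTSSOapplications" % app)
    config = entries.get(config_dn)
    if config is None or "sctssoconfigstring" not in config:
        raise LookupError("no UserMapDN configuration for application %s" % app)
    usermap_dn = normalize_dn(config["sctssoconfigstring"][0])
    entry = entries.get(normalize_dn("cn=%s,%s" % (escape_dn_value(luminis_user), usermap_dn)))
    if entry is None or "sctssoconfigstring" not in entry:
        return default, False  # no mapping: the generic default applies
    return entry["sctssoconfigstring"][0], True


# Constructed subset of the sample file: one folded description and one base64 description.
SAMPLE_LDIF = """\
version: 1

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description:: TWFwIG9mIGt5bGUgdG8gc2Fpc3Vzcg==
SCTSSOConfigString: saisusr
"""
```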
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc, general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start
# Does $OPENDS_DIR exist and is it writable?
if [[ ! ( -d $OPENDS_DIR ) || ! ( -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit
fi

# Step 02
# Prompt [no screen echo] for DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
# Note: -w places the password on the command line, where it is visible in the
# process list; the OpenDS tools also accept -j/--bindPasswordFile.
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, executed as bansecr, described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any .lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE' (the statement as printed there is missing a single quote).
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
A CAS Server Configuration
Use the following steps to specify LDAP connection information and identify the LDAP attribute name where the UDC_IDENTIFIER value is stored.
For an overview of CAS in relation to Luminis Platform 5, see "Central Authentication Service and Banner Enterprise Identity Services" on page 2-1. For additional information about configuring a CAS server, see the Banner Enterprise Identity Services Handbook.
1. If you do not already have an existing CAS server installed, download the JA-SIG CAS server distribution.
2. Download the CAS extensions JAR file.
A standard JAR file is available from SunGard Higher Education to use in modifying the CAS server. SunGard Higher Education supports CAS versions 3.2.1.1 and 3.3.1.
2.1 Download the CAS extension JAR file from the SunGard Higher Education Customer Support Center.
2.2 Select the file that supports your version of CAS:
SGHE_CAS_3211_UTILS.jar / SGHE_CAS_3211_UTILS.zip
SGHE_CAS_331_UTILS.jar / SGHE_CAS_331_UTILS.zip
3. Unpack the SGHE_CAS_331_UTILS.zip file to a temporary location. For example, consider the temporary location CAS_EXTENSION=D:\Banner_IdM_Extension and the following Luminis Platform CAS server location: SGHE_CAS_SERVER=$CP_ROOT/products/tomcat/cas-server/webapps/cas-web.war
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry inside <util:map id="uniqueIdGeneratorsMap"> in the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
  <ref bean="BannerArgumentExtractor" />
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="BannerArgumentExtractor"
  p:successView="bannerAccountServiceSuccessView"
  p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties:
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile that captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.banner.portals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the logs in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in the following location: <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties in the same file:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• “Sample proxyinfo.sql script”
• “Sample 00-core.ldif”
• “Sample 99-user.ldif”
• “Sample sso_oclass_lum5.ldif”
• “Sample o=sctssoapplications.ldif”
• “Full lp5_mqinit.sh script”
Sample proxyinfosql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type: start proxyinfo
-- to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update. TH 06-APR-07
-- Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';       -- application (channel) name
  b varchar2(200) := 'LUMINIS';       -- calling system
  c varchar2(200) := '&Luminis_ID';   -- prompts for the Luminis ID
  d varchar2(200);                    -- returned Oracle user
  e varchar2(200);                    -- returned role
  f varchar2(200);                    -- returned password (not displayed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-coreldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-userldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. After importing the following LDIF, 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in “Sample o=sctssoapplications.ldif” on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplicationsldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
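The usermap above is indirect: the cn=UserMapDN entry under o=config holds the DN of the map, and each map entry's SCTSSOConfigString holds the Banner user. The following script is an added example, not the product's code: a minimal LDIF content parser that unfolds continuation lines and resolves a Luminis user to its Banner user by following that indirection. SAMPLE_LDIF is the guide's sample re-embedded as a constructed string; the fallback to the Luminis name when no map entry exists is an assumption made for the example.

```python
"""Resolve a Luminis user to a Banner user via the o=SCTSSOapplications usermap.
Added example; SAMPLE_LDIF is the guide's sample, embedded here as a constructed string."""

SAMPLE_LDIF = """\
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
"""


def parse_ldif(text):
    """Parse LDIF content records into {dn_lowercase: {attr: [values]}}.
    Handles folded lines (leading space) and blank-line record separators;
    base64 ('::') values are not decoded, which is fine for this data."""
    # Unfold: a line beginning with one space continues the previous line.
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries = {}
    current = {}

    def flush():
        nonlocal current
        if current:
            dn = current.pop("dn")[0]
            entries[dn.lower()] = current   # DNs compare case-insensitively
        current = {}

    for line in unfolded:
        if not line.strip():
            flush()
            continue
        if line.startswith("version:") or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    flush()
    return entries


def banner_user_for(entries, luminis_user, app="Banner"):
    """Follow cn=UserMapDN under o=config to the usermap, then look up the user.
    Assumption for this example: with no map entry, the Luminis name is used as-is."""
    cfg_dn = f"cn=UserMapDN,o=config,o={app},o=SCTSSOapplications".lower()
    cfg = entries.get(cfg_dn)
    if cfg is None:
        return luminis_user
    usermap_dn = cfg["SCTSSOConfigString"][0]
    entry = entries.get(f"cn={luminis_user},{usermap_dn}".lower())
    return entry["SCTSSOConfigString"][0] if entry else luminis_user


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    for user in ("kyle", "610009611", "nobody"):
        print(user, "->", banner_user_for(tree, user))
```

The parser is deliberately small; its one non-obvious step is unfolding the wrapped description line, which is how the "Ba" / "nner user" split in the sample above is meant to be read.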
Full lp5_mqinitsh script
The full lp5_mqinit.sh script referred to in “Set up users and administered objects in o=messaging” on page 3-3 is listed below:
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc; general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify
#VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck() {
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Note: -w puts the bind password on the command line, where it is visible in
# process listings; both tools also accept --bindPasswordFile <file> instead.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")
 (targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational
 Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,
 ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")
 (targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational
 Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,
 ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
#  imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#  imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#  imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#  imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#  imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (destination name matches the UpdateRequest queue created above; the printed
# script pointed this object at com_sct_ldi_sis_Sync)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (destination name matches the UpdateReply queue created above; the printed
# script pointed this object at com_sct_ldi_sis_Sync)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
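STEP 2 of the script turns on ds-cfg-allow-pre-encoded-passwords so that STEP 6 and STEP 7 can carry a userPassword:: value (the commented e1NTSEF9... line) instead of the cleartext MQ_LMG_USER_PW and MQ_LUM_USER_PW. The following script is an added example, not part of the guide or of OpenDS: it decodes the base64 form LDIF uses after "::", splits the {SSHA} value into digest and salt, and generates and verifies such values so that the broker user passwords need not sit in cleartext in the script. GUIDE_VALUE is the value printed in the script comment above; the passwords and salts in the test are constructed.

```python
"""Generate, decode and verify OpenDS {SSHA} pre-encoded userPassword values.
Added example; not part of lp5_mqinit.sh or of OpenDS."""
import base64
import hashlib
import hmac
import os

# The pre-encoded value shown in the lp5_mqinit.sh comment ("userPassword:: ...").
GUIDE_VALUE = "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="

SHA1_LEN = 20  # {SSHA} = base64(sha1(password + salt) + salt)


def decode_ldif_password(b64_value):
    """'attr:: value' in LDIF means the value is base64; return the raw text,
    which for a pre-encoded password is '{SCHEME}...'."""
    return base64.b64decode(b64_value).decode("ascii")


def split_ssha(stored):
    """Split '{SSHA}<base64(digest+salt)>' into (digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    blob = base64.b64decode(stored[len("{SSHA}"):])
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def make_ssha(password, salt=None):
    """Build an {SSHA} value with a random 8-byte salt unless one is supplied.
    OpenDS accepts it when ds-cfg-allow-pre-encoded-passwords is true (STEP 2)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """Recompute the salted digest and compare in constant time."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_password_line(password, salt=None):
    """The LDIF line to put in the ldapmodify heredoc instead of a cleartext value."""
    encoded = base64.b64encode(make_ssha(password, salt).encode("ascii")).decode("ascii")
    return "userPassword:: " + encoded


if __name__ == "__main__":
    stored = decode_ldif_password(GUIDE_VALUE)
    digest, salt = split_ssha(stored)
    print(stored, "-> digest bytes:", len(digest), "salt bytes:", len(salt))
    print(ldif_password_line("example-only"))
```

In the script, the generated line replaces "userPassword: $MQ_LMG_USER_PW" inside the STEP 6 heredoc; the user can still bind with the original password because the directory compares against the salted digest, while the script no longer carries the cleartext value.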
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following “connect through” grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channels proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users, regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspprxy.g$_get_proxy_info procedure or the proxyinfo.sql script (run as bansecr) described in “Sample proxyinfo.sql script” on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as “SOAPException: faultCode=INVALID SOAP RESPONSE” in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide's version is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
4. To configure the CAS server to enable the bannerValidate service, complete the following steps:
4.1 Copy the following JAR files from CAS_EXTENSION/WEB-INF/lib to SGHE_CAS_SERVER/WEB-INF/lib:
jsr173_1.0_api.jar
sghe_udc_identity_xmlbeans_binding.jar
sghe-cas-ext.jar
xbean.jar
xercesImpl.jar
xml-apis.jar
4.1 Modify the SGHE_CAS_SERVER/WEB-INF/web.xml file by opening web.xml and adding the following servlet mapping to it:
<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/bannerValidate</url-pattern>
</servlet-mapping>
4.2 Modify SGHE_CAS_SERVER/WEB-INF/spring-configuration/uniqueIdGenerators.xml by completing the following steps:
4.2.1 Open the uniqueIdGenerators.xml file.
4.2.2 Add the following entry inside the <util:map id="uniqueIdGeneratorsMap"> element of the uniqueIdGenerators.xml file:
<entry key="com.sghe.cas.principal.BannerAccountsService" value-ref="serviceTicketUniqueIdGenerator" />
4.2.3 Save and close the uniqueIdGenerators.xml file.
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file.
Use the following steps to modify the argumentExtractorsConfiguration.xml file:
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
<ref bean="BannerArgumentExtractor" />
<ref bean="casArgumentExtractor" />
<ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file.
Use the following steps to modify the cas-servlet.xml file:
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
p:centralAuthenticationService-ref="centralAuthenticationService"
p:proxyHandler-ref="proxy20Handler"
p:argumentExtractor-ref="BannerArgumentExtractor"
p:successView="bannerAccountServiceSuccessView"
p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="query" value="(uid={0})" />
    <property name="contextSource" ref="contextSource" />
    <property name="ldapAttributesToPortalAttributes">
        <map>
            <!-- Mapping between the LDAP entry's attributes (key) and the Principal's attributes (value) -->
            <entry key="uid" value="uid" />
            <entry key="udcid" value="UDC_IDENTIFIER" />
            <entry key="cn" value="cn" />
            <entry key="givenname" value="Formatted Name" />
            <entry key="mail" value="EmailAddress" />
        </map>
    </property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
    <list>
        <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
            <property name="template" ref="LdapTemplate" />
            <property name="netIdAttr" value="uid" />
            <property name="baseDN" value="ou=People,o=cp" />
            <property name="casTokenAttributes">
                <map>
                    <entry>
                        <key><value>udcid</value></key>
                        <value>UDC_IDENTIFIER</value>
                    </entry>
                </map>
            </property>
        </bean>
    </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
    <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
    <property name="template" ref="LdapTemplate"></property>
    <property name="netIdAttr" value="uid" />
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="samlToLdapAttributeNameMap">
        <map>
            <entry key="UDC_IDENTIFIER" value="udcid" />
            <entry key="Formatted Name" value="sn" />
        </map>
    </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient">
</bean>
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs help you understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M:%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M:%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to the ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the logs under $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will, which take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
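The three lines above show one event's path through adapter.log: the XML is validated, the message is published to the Luminis Message Broker, and the event is delivered to a subscriber. When an event stops short of the last stage, finding where it stalled in a busy log is slow by hand. The following is an added example, not part of this guide or of LMG itself: it parses log4j-style adapter.log records, tracks each event ID (the GOAEQRM Event Sequence) through the three stages, and reports events that were never delivered, together with any ERROR records that name them. The stage message wording is assumed to be exactly what the guide's sample shows; the log text embedded below is constructed in that format, and event 370661 with its ERROR line is invented for the failure case.

```python
"""Trace Banner event IDs through the LMG adapter.log stages.

Added example (not part of the Luminis/Banner guide or of LMG). The stage
patterns are assumed from the three log lines the guide shows; the sample
log below is constructed, and event 370661 with its ERROR line is invented
to demonstrate the failure case.
"""
import re

# Constructed sample in the adapter.log format shown in the guide.
SAMPLE_ADAPTER_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,110 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,301 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Failed to publish message 370661: broker connection refused (constructed line)
java.lang.RuntimeException: constructed stack-trace line, not a log record
"""

# One log4j record: "%d [%t] %-5p %c - %m%n", as in the lines above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)

# The stages an event passes through, in order. Group 1 is the event ID;
# group 2 of the last stage is the subscriber it was delivered to.
STAGES = [
    ("validated", re.compile(r"XML for (\d+) is a valid document")),
    ("brokered", re.compile(r"Message (\d+) published to Luminis Message Broker")),
    ("delivered", re.compile(r"The event (\d+) has been published to (\S+)")),
]


def parse_line(line):
    """Return the fields of one log record, or None for continuation
    lines such as stack traces."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def trace_events(lines):
    """Map event ID -> {stage: timestamp, 'subscriber': name, 'errors': [...]}."""
    events = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for stage, pattern in STAGES:
            m = pattern.search(rec["msg"])
            if m:
                ev = events.setdefault(m.group(1), {"errors": []})
                ev[stage] = rec["ts"]
                if stage == "delivered":
                    ev["subscriber"] = m.group(2)
                break
        else:
            # Not a stage message: keep ERROR records that name an event ID,
            # so the report can say why an event stalled.
            if rec["level"] == "ERROR":
                m = re.search(r"\b(\d{4,})\b", rec["msg"])
                if m:
                    events.setdefault(m.group(1), {"errors": []})["errors"].append(rec["msg"])
    return events


def incomplete_events(lines):
    """List (event_id, last_stage_reached) for events that were never delivered."""
    report = []
    for event_id, ev in trace_events(lines).items():
        if "delivered" in ev:
            continue
        reached = [stage for stage, _ in STAGES if stage in ev]
        report.append((event_id, reached[-1] if reached else None))
    return report


if __name__ == "__main__":
    for event_id, stage in incomplete_events(SAMPLE_ADAPTER_LOG.splitlines()):
        print("event %s stalled after stage %s" % (event_id, stage))
```

Run it over a real adapter.log with `incomplete_events(open(path).readlines())`; an event reported as stalled after "validated" with an ERROR record attached points at the broker connection (the GlassFish MQ logs described below), while one stalled after "brokered" points at the subscriber side.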
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, as stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in the following location: <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID,
-- such as INTEGMGR or WWW_USER, is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL*Plus as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS        TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                        TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
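Two entries in this file matter at run time: cn=UserMapDN under o=config names the usermap container in its SCTSSOConfigString, and each cn=<Luminis user> entry under that container carries the Banner user in its own SCTSSOConfigString; a Luminis user with no entry falls back to the default Oracle ID, the situation proxyinfo.sql earlier in this appendix reports as INTEGMGR or WWW_USER. The following is an added example, not code from this guide or from Luminis: a small LDIF reader that copes with the folded description line above, comment lines and base64 ("::") values, plus a lookup that resolves a Luminis user the way this mapping is meant to be read. The embedded LDIF is constructed from the sample above (one description is base64-encoded to exercise that path); the INTEGMGR default and the rejection of DN special characters in the user name are this example's own choices.

```python
"""Resolve a Luminis user to a Banner user via o=SCTSSOapplications.

Added example; not part of the Luminis/Banner guide or of Luminis itself.
It assumes only the layout of the sample o=sctssoapplications.ldif:
cn=UserMapDN,o=config,... names the usermap container in SCTSSOConfigString,
and cn=<luminis user> under that container carries the Banner user name.
"""
import base64

# Constructed from the guide's sample. One description is stored as a
# base64 ('::') value and the UserMapDN description is folded across two
# lines, so both LDIF features are exercised.
SAMPLE_LDIF = """\
version: 1
# constructed sample, trimmed from the guide's o=sctssoapplications.ldif

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description:: TWFwIG9mIDYxMDAwOTYxMSB0byBzYWlzdXNy
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
"""

CONFIG_ENTRY_DN = "cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications"
DEFAULT_ORACLE_ID = "INTEGMGR"  # example default; the guide names INTEGMGR or WWW_USER


def parse_ldif(text):
    """Parse LDIF content into {dn (lowercased): {attr (lowercased): [values]}}.

    Handles folded lines (a continuation line starts with one space),
    '#' comments, the 'version:' line and '::' base64-encoded values.
    DNs and attribute names are lowercased because LDAP compares them
    case-insensitively.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries = {}
    current = None
    for line in unfolded:
        if not line.strip():
            current = None  # a blank line ends the entry
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        name = name.strip().lower()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            current = entries.setdefault(value.lower(), {})
            continue
        if current is None:
            raise ValueError("attribute line before any dn: %r" % line)
        current.setdefault(name, []).append(value)
    return entries


def resolve_banner_user(entries, luminis_user, default=DEFAULT_ORACLE_ID):
    """Return the Banner user mapped to luminis_user, or `default` if unmapped."""
    # The lookup DN is built from user input: refuse RFC 4514 special
    # characters instead of escaping them, so a crafted name cannot steer
    # the lookup to a different entry.
    if any(ch in luminis_user for ch in ',+"\\<>;=\x00'):
        raise ValueError("user name contains DN special characters")
    config = entries.get(CONFIG_ENTRY_DN.lower())
    if config is None:
        raise LookupError("cn=UserMapDN entry missing; user mapping not configured")
    usermap_dn = config["sctssoconfigstring"][0]
    entry = entries.get(("cn=%s,%s" % (luminis_user, usermap_dn)).lower())
    if entry is None:
        return default
    return entry["sctssoconfigstring"][0]


def lookup(luminis_user, ldif_text=SAMPLE_LDIF):
    """Parse the LDIF and resolve one user."""
    return resolve_banner_user(parse_ldif(ldif_text), luminis_user)


def description_of(dn, ldif_text=SAMPLE_LDIF):
    """Return the unfolded, decoded description of one entry."""
    return parse_ldif(ldif_text)[dn.lower()]["description"][0]
```

Point `lookup` at an export of the live o=SCTSSOapplications subtree (for example the output of an ldapsearch saved as LDIF) to check, before users report ORA-28150 errors, which Luminis accounts will proxy as the generic ID rather than a mapped Banner user.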
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
# 01.31.2011 - initial version rolled
# 02.16.2011 - slight changes to notes
# 02.20.2011 - notes moved to separate doc, general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
#VERBOSE="--verbose"

# User-configurable variables before running script:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized:
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable.
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit ;;
        esac
        # Shouldn't ever get here, but just in case (no pun):
        echo "Outer loop break" ;;
      * )
        echo "Failed on step $STEPNO with error $ERRORCODE"
        exit ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start.
# Does $OPENDS_DIR exist and is it writable?
if [[ ( ! -d $OPENDS_DIR ) || ( ! -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit
fi

# Step 02
# Prompt [no screen echo] for DM password.
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options.
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot.
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options:
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options:
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# The destination name must match the JNDI entry (the UpdateRequest queue, not the Sync topic).
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration.
# The destination name must match the JNDI entry (the UpdateReply queue, not the Sync topic).
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
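Step 6 of the script notes that a pre-encoded userPassword can be supplied instead of the clear-text one, and step 2 is what permits that (ds-cfg-allow-pre-encoded-passwords). The sample value shown there is the usual OpenDS form: a salted SHA-1 "{SSHA}" string, written in the double-colon base64 form that LDAP tools use for userPassword values in LDIF. The following is an added example, not part of this guide or of lp5_mqinit.sh: it builds such a value, writes the LDIF line, verifies a candidate password against it in constant time, and decodes the script's sample value to show its structure (a 20-byte digest followed by an 8-byte salt). The passwords and fixed salts used in the worked encoding are constructed; nothing is assumed about the password behind the script's sample value.

```python
"""Build, write and verify pre-encoded {SSHA} userPassword values.

Added example; not from the Luminis/Banner guide or lp5_mqinit.sh. The
8-byte salt mirrors what the script's sample value carries; the passwords
and fixed salts used below are constructed.
"""
import base64
import hashlib
import hmac
import os

# The pre-encoded value shown in the script's step-6 comment.
PAGE_SAMPLE_LDIF_VALUE = (
    "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="
)
SHA1_LEN = 20


def ssha_encode(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password || salt) || salt).

    A fresh 8-byte random salt is drawn when none is supplied, so two
    accounts with the same password never share a stored value.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """Split a '{SSHA}...' value into (digest, salt) bytes."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    if len(blob) <= SHA1_LEN:
        raise ValueError("value too short to hold a SHA-1 digest and a salt")
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def ssha_verify(password, stored):
    """Check password against a stored '{SSHA}' value in constant time."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def ldif_password_line(encoded):
    """LDIF line in the '::' form that directory tools use for userPassword:
    the whole '{SSHA}...' string is base64-encoded once more."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def decode_ldif_value(line_or_value):
    """Undo the LDIF '::' layer and return the '{SSHA}...' string."""
    value = line_or_value.split("::", 1)[1] if "::" in line_or_value else line_or_value
    return base64.b64decode(value.strip()).decode("ascii")


def structure_of(ldif_value):
    """(digest length, salt length) of a pre-encoded LDIF value, for inspection."""
    digest, salt = ssha_split(decode_ldif_value(ldif_value))
    return len(digest), len(salt)
```

When the script sends a clear-text userPassword (as steps 6 and 7 do), the directory's own password policy decides how it is stored; supplying a pre-encoded value instead means the hash is chosen by whoever produced it, which is why step 2 has to turn that on explicitly. Passing `ssha_encode(pw)` through `ldif_password_line` yields a line that drops into the step-6 heredoc in place of the clear-text one.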
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channels proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user this script must respond with the actual INB username That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide
NoteYou should manually assign the connect through grants via sql when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user use the gspproxyget_proxy_info method or the proxyinfosql script described as bansecr in ldquoSample proxyinfosql scriptrdquo on page C-1
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly For example the webservices configuration in bnigWeb needs to match what was configured in the baniamproperties within the baniamjar file Likewise the value of the ticket parameter name such as iamticket for INB should match the parameter which was added to your formswebcfg as follows
iamticket=iamticket
Reference the forms configuration across the board when referencing formsfrmservletconfig=hellip in BNIG configuration and in banportals The above example uses smpl_sctsso The INB and SSB cookieheader name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOMEopmnlogs or errors such as ldquoSOAPException faultCode=INVALID SOAP RESPONSErdquo in your idproxy_application logs there may be a problem with the AQ JMS queues or subscriptions or the Oracle streams upon which JMS relies To correct the problem complete the following steps
1 Locate the jmsxml file in $OAS_HOMEj2eeBEISconfig and ensure that the persistence file locations are accurate The base directory within the context of that
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
jmsxml file is $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
2 Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
3 Delete any Lock files
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide's version is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7, located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
4.3 Modify the SGHE_CAS_SERVER/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml file
Use the following steps to modify the argumentExtractorsConfiguration.xml file.
4.3.1 Open the argumentExtractorsConfiguration.xml file.
4.3.2 Add the following XML configuration:
<bean id="BannerArgumentExtractor" class="com.sghe.cas.web.support.BannerArgumentExtractor">
</bean>
4.3.3 Add the following reference to the util:list argumentExtractors:
<util:list id="argumentExtractors">
<ref bean="BannerArgumentExtractor" />
<ref bean="casArgumentExtractor" />
<ref bean="samlArgumentExtractor" />
</util:list>
4.3.4 Save and close argumentExtractorsConfiguration.xml.
4.4 Modify the SGHE_CAS_SERVER/WEB-INF/cas-servlet.xml file
Use the following steps to modify the cas-servlet.xml file.
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
p:centralAuthenticationService-ref="centralAuthenticationService"
p:proxyHandler-ref="proxy20Handler"
p:argumentExtractor-ref="BannerArgumentExtractor"
p:successView="bannerAccountServiceSuccessView"
p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file
4.5.1 Add the entry keys UDC_IDENTIFIER and Formatted Name to the bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
<property name="baseDN" value="ou=People,o=cp" />
<property name="query" value="(uid={0})" />
<property name="contextSource" ref="contextSource" />
<property name="ldapAttributesToPortalAttributes">
<map>
<!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
<entry key="uid" value="uid" />
<entry key="udcid" value="UDC_IDENTIFIER" />
<entry key="cn" value="cn" />
<entry key="givenname" value="Formatted Name" />
<entry key="mail" value="EmailAddress" />
</map>
</property>
</bean>
4.5.2 Add the following property configuration inside the bean authenticationManager:
<property name="authenticationMetaDataPopulators">
<list>
<bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
<property name="template" ref="LdapTemplate" />
<property name="netIdAttr" value="uid" />
<property name="baseDN" value="ou=People,o=cp" />
<property name="casTokenAttributes">
<map>
<entry>
<key><value>udcid</value></key>
<value>UDC_IDENTIFIER</value>
</entry>
</map>
</property>
</bean>
</list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
<property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
<property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
<property name="template" ref="LdapTemplate"></property>
<property name="netIdAttr" value="uid" />
<property name="baseDN" value="ou=People,o=cp" />
<property name="samlToLdapAttributeNameMap">
<map>
<entry key="UDC_IDENTIFIER" value="udcid" />
<entry key="Formatted Name" value="sn" />
</map>
</property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs help you understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique log file that captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set the logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to the ERROR level.
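The following is an added example, not code from the Luminis/Banner guide: a small POSIX shell audit that lists every log4j 1.x logger left at DEBUG, TRACE or ALL in a log4j.properties file, so that verbosity turned up for banportals or luminis-banner troubleshooting (which writes request-level detail about proxied users to disk) is not forgotten afterwards. The key names it understands (log4j.rootCategory, log4j.rootLogger, log4j.logger.*, log4j.category.*) are the ones the guide's own configuration lines use; the sample file is constructed here.

```shell
#!/bin/sh
# Added example (not from the guide): report log4j 1.x loggers left at
# DEBUG/TRACE/ALL in a log4j.properties file.

# Constructed sample, modelled on the banportals/luminis-banner lines above.
SAMPLE_LOG4J='# constructed sample log4j.properties
log4j.rootCategory=DEBUG, logfile
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=ERROR, file
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.appender.logfile.File=/opt/luminis/logs/channelWebProxy.log'

# verbose_loggers FILE
# Prints "<logger> <LEVEL>" for each root/named logger whose level is
# DEBUG, TRACE or ALL. Exit status 1 when any is found, 0 when none.
verbose_loggers() {
    awk -F '=' '
        /^[[:space:]]*#/ || NF < 2 { next }            # comments and non key=value lines
        $1 ~ /^log4j\.(rootCategory|rootLogger|logger\.|category\.)/ {
            key = $1
            gsub(/[[:space:]]/, "", key)
            sub(/^log4j\.(logger|category)\./, "", key)  # named logger: strip the prefix
            sub(/^log4j\./, "", key)                     # root logger keeps its own name
            split($2, parts, ",")                        # level is the first token of the value
            level = toupper(parts[1])
            gsub(/[[:space:]]/, "", level)
            if (level ~ /^(DEBUG|TRACE|ALL)$/) { print key, level; found = 1 }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# audit_sample: write the constructed sample to a temp file, audit it, clean up.
# Returns the status of verbose_loggers so callers can branch on it.
audit_sample() {
    f=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_LOG4J" > "$f"
    verbose_loggers "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

# Stand-alone run: print the offenders and a reminder.
audit_sample || echo "verbose loggers found; lower them to ERROR when not actively debugging"
```

Run it against the real files instead with `verbose_loggers "$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties"`; a non-zero exit status makes it usable from a cron job or a post-change check.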
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the log files in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j configuration file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c - %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
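As an added example (not code from the guide or from LMG itself), the following shell functions trace one Banner event ID through an adapter.log and report how far it got, which is the check described above: validated by the StandardEventProvider, then handed to the Luminis Message Broker. The functions assume the message texts shown in the guide's example ("XML for <id> is a valid document", "The event <id> has been published to <destination>"); the sample lines are constructed, with a second event (370661) that is validated but never published.

```shell
#!/bin/sh
# Added example (not from the guide): follow one Banner event ID through an
# LMG adapter.log and report how far it got.

# Constructed sample: the guide's three lines for 370660, plus an event that
# is validated but never reaches the broker.
SAMPLE_ADAPTER_LOG='2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,113 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document'

# event_lines EVENT_ID FILE: every line that mentions the event (for the timestamps)
event_lines() {
    grep -F -- " $1 " "$2"
}

# event_status EVENT_ID FILE
# Prints one of:
#   published       validated and handed to the message broker
#   validated-only  XML accepted but no "has been published" line (stuck before the broker)
#   not-seen        the event ID never appears in the log (check the GOAEQRM status first)
event_status() {
    if grep -q -F -- "The event $1 has been published to" "$2"; then
        echo published
    elif grep -q -F -- "XML for $1 is a valid document" "$2"; then
        echo validated-only
    else
        echo not-seen
    fi
}

# published_to EVENT_ID FILE: the destination the event was published to, if any
published_to() {
    sed -n "s/.*The event $1 has been published to \(.*\)$/\1/p" "$2"
}

# sample_log_file: write the constructed sample to a temp file and print its path
sample_log_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_ADAPTER_LOG" > "$f"
    echo "$f"
}

# Stand-alone run over the constructed sample.
f=$(sample_log_file)
for id in 370660 370661; do
    echo "$id: $(event_status "$id" "$f") $(published_to "$id" "$f")"
done
rm -f "$f"
```

Against a live installation, call `event_status <Event Sequence from GOAEQRM> "$SCT_LMG_HOME/Events/logs/adapter.log"`; a validated-only result points at the broker connection rather than at Banner or the event XML.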
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) Log in to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update. TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompts for the Luminis ID
  d varchar2(200);                    -- returned Oracle user
  e varchar2(200);                    -- returned role
  f varchar2(200);                    -- returned password (not printed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc, general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break
          ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2
            ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit
            ;;
        esac
        # Shouldn't ever get here, but just in case... no pun
        echo "Outer loop break"
        ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit
          ;;
    esac
  done
}
# Step 01
# Some sanity checks before we start
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d $OPENDS_DIR ) || ! ( -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit
fi

# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"
# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")
 (targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational
 Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,
 ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")
 (targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational
 Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,
 ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_H TTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (destination name corrected here; the guide's listing repeated com_sct_ldi_sis_Sync for this queue)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (destination name corrected here; the guide's listing repeated com_sct_ldi_sis_Sync for this queue)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
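The note after STEP 6 above shows that a pre-encoded userPassword is written in LDIF with a double colon and a base64 value that decodes to "{SCHEME}hash". As an added example (not part of lp5_mqinit.sh or the guide), the following shell functions unfold an LDIF file and report, per entry, whether its userPassword is cleartext or pre-encoded and with which scheme, which is a useful check before an LDIF containing broker credentials is handed to ldapmodify or left on disk. The sample entries are constructed from the script's lmguser/lumuser names under o=messaging; the base64 value is the guide's own example, split across a continuation line to exercise the unfolding.

```shell
#!/bin/sh
# Added example (not part of lp5_mqinit.sh): audit userPassword values in an
# LDIF file before loading it with ldapmodify.

# Constructed sample: one cleartext password, one pre-encoded ({SSHA}) value
# that an LDIF writer folded onto a continuation line.
SAMPLE_LDIF='dn: cn=lmguser,ou=People,o=messaging
objectClass: person
objectClass: top
cn: lmguser
sn: lmguser
userPassword: password

dn: cn=lumuser,ou=People,o=messaging
objectClass: person
objectClass: top
cn: lumuser
sn: lumuser
userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpY
 RUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=='

# ldif_unfold FILE: join LDIF continuation lines (a leading space continues
# the previous line) so that every attribute sits on one line.
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { print "" }' "$1"
}

# ldif_password_audit FILE
# Prints "<dn> cleartext" or "<dn> pre-encoded:{SCHEME}" for every entry
# that sets userPassword. "userPassword::" marks a base64 value; a pre-encoded
# value decodes to "{SCHEME}..." (e.g. {SSHA}), anything else is reported as unknown.
ldif_password_audit() {
    dn=
    ldif_unfold "$1" | while IFS= read -r line; do
        case $line in
            "dn: "*)
                dn=${line#dn: } ;;
            "userPassword:: "*)
                b64=${line#userPassword:: }
                decoded=$(printf '%s' "$b64" | base64 -d 2>/dev/null)
                case $decoded in
                    "{"*"}"*) echo "$dn pre-encoded:$(printf '%s' "$decoded" | sed 's/}.*/}/')" ;;
                    *)        echo "$dn pre-encoded:unknown-scheme" ;;
                esac ;;
            "userPassword: "*)
                echo "$dn cleartext" ;;
        esac
    done
}

# sample_ldif_file: write the constructed sample to a temp file and print its path
sample_ldif_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LDIF" > "$f"
    echo "$f"
}

# Stand-alone run over the constructed sample.
f=$(sample_ldif_file)
ldif_password_audit "$f"
rm -f "$f"
```

The decode step only reads the scheme prefix; the hash itself is never printed, so the report is safe to keep with the change record for the o=messaging setup.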
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script described as bansecr in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is deliberately somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff member can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log, located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly.
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams / Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE' (the statement as printed there is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archivelogs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
4.4.1 Open cas-servlet.xml and add the following XML configuration:
<bean id="bannerAccountValidateController" class="org.jasig.cas.web.ServiceValidateController"
      p:validationSpecificationClass="org.jasig.cas.validation.Cas20ProtocolValidationSpecification"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:proxyHandler-ref="proxy20Handler"
      p:argumentExtractor-ref="BannerArgumentExtractor"
      p:successView="bannerAccountServiceSuccessView"
      p:failureView="bannerAccountServiceFailureView" />
4.4.2 Add the following property to the bean handlerMappingC:
<prop key="/bannerValidate">bannerAccountValidateController</prop>
4.4.3 Save and close the cas-servlet.xml file.
4.5 Modify the SGHE_CAS_SERVER/WEB-INF/deployerConfigContext.xml file.
4.5.1 Add entry keys UDC_IDENTIFIER and Formatted Name to bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="query" value="(uid={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <!-- Mapping between the LDAP entry's attributes (key) and the Principal's (value) -->
      <entry key="uid" value="uid" />
      <entry key="udcid" value="UDC_IDENTIFIER" />
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>
4.5.2 Add the following property configuration inside bean authenticationManager:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate" />
      <property name="netIdAttr" value="uid" />
      <property name="baseDN" value="ou=People,o=cp" />
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient" />
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.banner.portals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the log files under $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
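The three log lines above are the milestones a healthy event passes through. As an added example that is not part of the guide, the following Python script parses adapter.log lines in that format and reports events that were validated but never reached the Luminis Message Broker or the publisher; the sample log is constructed, and the assumption that an ERROR or WARN line mentions the numeric event ID is mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# log4j line shape used by the LMG adapter.log excerpt: timestamp [thread] LEVEL logger - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Milestones an event passes through, in order; each pattern captures the event ID
# (the GOAEQRM Event Sequence / EventID) out of the message text.
STAGES = [
    ("validated", re.compile(r"^XML for (\d+) is a valid document$")),
    ("published_broker", re.compile(r"^Message (\d+) published to Luminis Message Broker$")),
    ("published_publisher", re.compile(r"^The event (\d+) has been published to (\S+)$")),
]
STAGE_ORDER = [name for name, _ in STAGES]


@dataclass
class EventTrace:
    stages: Dict[str, str] = field(default_factory=dict)  # stage name -> timestamp reached
    publisher: Optional[str] = None                       # e.g. _onlineCoursePublisher
    errors: List[str] = field(default_factory=list)       # ERROR/WARN messages naming this event


def parse_lmg_log(lines) -> Dict[str, EventTrace]:
    """Build {event_id: EventTrace} from LMG adapter.log lines; non-log4j lines are skipped."""
    traces: Dict[str, EventTrace] = defaultdict(EventTrace)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, stack traces, other output
        msg = m.group("msg")
        for stage, pat in STAGES:
            sm = pat.match(msg)
            if sm:
                trace = traces[sm.group(1)]
                trace.stages[stage] = m.group("ts")
                if stage == "published_publisher":
                    trace.publisher = sm.group(2)
                break
        else:
            # Assumption: an ERROR/WARN about an event mentions its numeric event ID.
            if m.group("level") in ("ERROR", "WARN"):
                idm = re.search(r"\b(\d{5,})\b", msg)
                if idm:
                    traces[idm.group(1)].errors.append(msg)
    return dict(traces)


def incomplete_events(traces: Dict[str, EventTrace]) -> Dict[str, Optional[str]]:
    """Event IDs that never reached the final stage, mapped to the last stage they did reach."""
    result: Dict[str, Optional[str]] = {}
    for ev_id, trace in traces.items():
        reached = [s for s in STAGE_ORDER if s in trace.stages]
        if len(reached) < len(STAGE_ORDER):
            result[ev_id] = reached[-1] if reached else None
    return result


# Constructed sample: the three lines from the guide plus a second event that stalls after validation.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,113 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,420 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Message 370661 could not be published: broker connection refused
"""

if __name__ == "__main__":
    traces = parse_lmg_log(SAMPLE_LOG.splitlines())
    for ev_id, last in incomplete_events(traces).items():
        print(f"event {ev_id} stalled after stage {last}: {traces[ev_id].errors}")
```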
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination directory or filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update. TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompts for the Luminis ID at run time
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. By importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below:
binsh
author davidnortonsungardhecom
version history
01312011 - initial version rolled
02162011 - slight changes to notes
02202011 - notes moved to separate doc general clean-up but
no changes in the logicexecution
Debug note
To debug execute ldquobinsh [or binbash] [-x|-v] lp5_mqinitshrdquo
Uncomment the following for verbose dsconfigldapmodify
VERBOSE=rdquo--verboserdquo
User-configurable variables before running script
HOSTNAME=slc207123sctcom
MQ_HOME=optglassfishv3mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
er 2011 Luminis Platform 503 C-5Banner Integration Setup Guide
Sample Scripts and Files
C-6
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
You probably shouldnt need to adjust these
OPENDS_DIR=$CP_ROOTproductsopends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=rdquoo=messagingrdquo
INSECURE_LDAP_PORT=389
Non-configurable variables initialized
STEPNO=1
ERRORCODE=0
After each command check for a non-zero error response and exit if applicable
ErrorCheck()
while
do
case $ERRORCODE in
err=0 no error
0 ) break
Not necessarily errors might indicate script already ran
err=20 generally means Attribute of Value Exists
err=68 generally means Entry Already Exists
20|68 )
echo Proceed with script [Press Y|y to continue any other key to abort]
read PROCEED
case $PROCEED in
Y|y )
break 2
)
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
echo Failed on step $STEPNO with error $ERRORCODE
exit
esac
Shouldnt ever get here but just in case no pun
echo Outer loop break
) echo Failed on step $STEPNO with error $ERRORCODE
exit
esac
done
Step 01
Some sanity checks before we start
Does $OPENDS_DIR exist and is it writable
if [[ ( -d $OPENDS_DIR ) || ( -w $OPENDS_DIR ) ]] then
echo ERROR $OPENDS_DIR does not exist or is not writable
echo You must execute this script as the $CP_ROOT installerowner
echo on the resource tier Exiting
exit
fi
Step 02
Prompt [no screen echo] for DM password
echo Enter the Directory Manager password for DS additionsmods
read -s DM_PASSWORD
Refer to httpswwwopendsorg12pageDsconfig for dsconfig options
DSCONFIG_OPTS=-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE
Refer to httpswwwopendsorgwikipageLdapmodify for ldapmodify options
er 2011 Luminis Platform 503 C-7Banner Integration Setup Guide
Sample Scripts and Files
C-8
LDAPMODIFY_OPTS=-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE
STEP 1
Create a new base-dn within backend userRoot
cd $CP_ROOTproductsopendsbin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn$OPENDS_MQ_BASEDN
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 2
Ensure that pre-encoded passwords are allowed
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Default Password Policycn=Password Policiescn=config
changetype modify
replace ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords true
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 3
Add $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn $OPENDS_MQ_BASEDN
objectClass top
objectClass organization
o messaging
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 4
Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
dn ou=People $OPENDS_MQ_BASEDN
ou People
objectClass organizationalunit
objectClass top
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 5
Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS -a ltlt-EOF
dn ou=AdministeredObjects $OPENDS_MQ_BASEDN
ou AdministeredObjects
objectClass organizationalunit
objectClass top
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 6
Add $MQ_LMG_USER
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=$MQ_LMG_USERou=People $OPENDS_MQ_BASEDN
userPassword $MQ_LMG_USER_PW
description LMG
objectClass person
objectClass top
sn $MQ_LMG_USER
cn $MQ_LMG_USER
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
If you want to insert a pre-encoded userPassword the format would be
userPassword e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
er 2011 Luminis Platform 503 C-9Banner Integration Setup Guide
Sample Scripts and Files
C-10
STEP 7
Add the $MQ_LUM_USER user
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=$MQ_LUM_USERou=People $OPENDS_MQ_BASEDN
userPassword $MQ_LUM_USER_PW
description Internal message broker administrative user
objectClass person
objectClass top
sn $MQ_LUM_USER
cn $MQ_LUM_USER
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 8
Add LDAP aci so that $MQ_LMG_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LMG_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 9
Add LDAP aci so that $MQ_LUM_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LUM_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
Define JNDI options for the imqobjmgr commands
JNDI_OPTS=-j javanamingfactoryinitial=comsunjndildapLdapCtxFactory -j javanamingproviderurl=ldap$HOSTNAME$INSECURE_LDAP_PORTou=AdministeredObjects$OPENDS_MQ_BASEDN -j javanamingsecuritycredentials=$DM_PASSWORD -j javanamingsecurityauthentication=simple
Insecure jmshttpjms connection factory options
CONNFACTORY_TCP_OPTS=-o imqConnectionURL=http$HOSTNAME$MQ_HTTP_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Secure ssljmshttpsjms connection factory options
CONNFACTORY_TLS_OPTS=-o imqConnectionURL=https$HOSTNAME$MQ_HTTPS_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Note the following imqobjmgr queuetopic creations could have also
been done by using imqcmd as follows explicit imqobjmgr is used to
ensure fine-grained control over the JNDI AdministeredObjects location
imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
er 2011 Luminis Platform 503 C-11Banner Integration Setup Guide
Sample Scripts and Files
C-12
imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
STEP 10
Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOMEbin
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_EntityEvents -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 11
Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Error -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 12
Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_LmsSync -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 13
Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Sync -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (imqDestinationName must be the UpdateRequest queue created above, not the Sync topic)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (imqDestinationName must be the UpdateReply queue created above, not the Sync topic)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_ssl_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_ssl_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following “connect through” grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given SPRIDEN ID or Luminis Platform user, use the gspprxy.g$_get_proxy_info method or the proxyinfo.sql script (as bansecr) described in “Sample proxyinfo.sql script” on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg, as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms.frmservlet.config=… in BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as “SOAPException: faultCode=INVALID SOAP RESPONSE” in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE (missing closing single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
4.5.1 Add entry keys UDC_IDENTIFIER and Formatted Name to bean attributeRepository:
<bean id="attributeRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="query" value="(uid={0})" />
    <property name="contextSource" ref="contextSource" />
    <property name="ldapAttributesToPortalAttributes">
        <map>
            <!-- Mapping between LDAP entry's attributes (key) and Principal's (value) -->
            <entry key="uid" value="uid" />
            <entry key="udcid" value="UDC_IDENTIFIER" />
            <entry key="cn" value="cn" />
            <entry key="givenname" value="Formatted Name" />
            <entry key="mail" value="EmailAddress" />
        </map>
    </property>
</bean>
4.5.2 Add the following property configuration inside bean authenticationManager:
<property name="authenticationMetaDataPopulators">
    <list>
        <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
            <property name="template" ref="LdapTemplate"/>
            <property name="netIdAttr" value="uid" />
            <property name="baseDN" value="ou=People,o=cp"/>
            <property name="casTokenAttributes">
                <map>
                    <entry>
                        <key><value>udcid</value></key>
                        <value>UDC_IDENTIFIER</value>
                    </entry>
                </map>
            </property>
        </bean>
    </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
    <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
    <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
    <property name="template" ref="LdapTemplate"></property>
    <property name="netIdAttr" value="uid" />
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="samlToLdapAttributeNameMap">
        <map>
            <entry key="UDC_IDENTIFIER" value="udcid" />
            <entry key="Formatted Name" value="sn" />
        </map>
    </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient"/>
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see “CAS managed services” on page 2-4.
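The three fragments in 4.5.1 through 4.5.3 must agree with each other: the LDAP attribute the repository publishes as UDC_IDENTIFIER is the one the CAS token carries as udcid and the one the DAO util maps back to. The following Python checker is an added example (not part of the guide or of CAS) that parses a constructed copy of those bean fragments and reports any mismatch; the beans namespace declaration and the authenticationManager bean class are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Spring beans namespace; deployerConfigContext.xml declares it as the default (assumed here).
NS = {"b": "http://www.springframework.org/schema/beans"}
BEAN_TAG = "{%s}bean" % NS["b"]

REPO_CLASS = "org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao"
POPULATOR_CLASS = "com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator"
DAO_UTIL_CLASS = "com.sghe.cas.extension.UDCPersonAttributeDaoUtil"

# Constructed, minimal copy of the 4.5.1-4.5.3 fragments (not a real deployerConfigContext.xml).
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="attributeRepository" class="%s">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="ldapAttributesToPortalAttributes">
      <map>
        <entry key="uid" value="uid" />
        <entry key="udcid" value="UDC_IDENTIFIER" />
        <entry key="givenname" value="Formatted Name" />
      </map>
    </property>
  </bean>
  <bean id="authenticationManager" class="example.AuthenticationManager">
    <property name="authenticationMetaDataPopulators">
      <list>
        <bean class="%s">
          <property name="baseDN" value="ou=People,o=cp" />
          <property name="casTokenAttributes">
            <map>
              <entry><key><value>udcid</value></key><value>UDC_IDENTIFIER</value></entry>
            </map>
          </property>
        </bean>
      </list>
    </property>
  </bean>
  <bean id="UDCPersonAttributeDaoUtil" class="%s">
    <property name="baseDN" value="ou=People,o=cp" />
    <property name="samlToLdapAttributeNameMap">
      <map>
        <entry key="UDC_IDENTIFIER" value="udcid" />
        <entry key="Formatted Name" value="sn" />
      </map>
    </property>
  </bean>
</beans>
""" % (REPO_CLASS, POPULATOR_CLASS, DAO_UTIL_CLASS)


def _bean(root, bean_class):
    """First <bean> of the given class at any depth, or None."""
    for bean in root.iter(BEAN_TAG):
        if bean.get("class") == bean_class:
            return bean
    return None


def _property(bean, name):
    """Direct child <property name=...> of a bean, or None."""
    for prop in bean.findall("b:property", NS):
        if prop.get("name") == name:
            return prop
    return None


def _map_entries(prop):
    """{key: value} for a <property><map>, accepting both entry forms the guide uses."""
    out = {}
    if prop is None:
        return out
    for entry in prop.findall("b:map/b:entry", NS):
        key, value = entry.get("key"), entry.get("value")
        if key is None:  # <entry><key><value>k</value></key><value>v</value></entry>
            key = entry.findtext("b:key/b:value", namespaces=NS)
            value = entry.findtext("b:value", namespaces=NS)
        out[key] = value
    return out


def check_udc_wiring(xml_text):
    """Return a list of findings; an empty list means the three fragments agree."""
    root = ET.fromstring(xml_text)
    beans = {cls: _bean(root, cls) for cls in (REPO_CLASS, POPULATOR_CLASS, DAO_UTIL_CLASS)}
    findings = ["missing bean of class " + cls for cls, b in beans.items() if b is None]
    if findings:
        return findings
    repo = _map_entries(_property(beans[REPO_CLASS], "ldapAttributesToPortalAttributes"))
    token = _map_entries(_property(beans[POPULATOR_CLASS], "casTokenAttributes"))
    saml = _map_entries(_property(beans[DAO_UTIL_CLASS], "samlToLdapAttributeNameMap"))
    # 4.5.1: the repository must publish both portal attribute names.
    for required in ("UDC_IDENTIFIER", "Formatted Name"):
        if required not in repo.values():
            findings.append("attributeRepository does not expose " + required)
    # 4.5.2: the CAS token carries the udcid attribute under the name UDC_IDENTIFIER.
    if token.get("udcid") != "UDC_IDENTIFIER":
        findings.append("casTokenAttributes must map udcid to UDC_IDENTIFIER")
    # 4.5.3: UDC_IDENTIFIER must map back to the LDAP attribute the repository read it from.
    back = saml.get("UDC_IDENTIFIER")
    if back is None or repo.get(back) != "UDC_IDENTIFIER":
        findings.append("samlToLdapAttributeNameMap does not round-trip UDC_IDENTIFIER (got %r)" % back)
    # All three beans must search the same people container.
    base_dns = {_property(b, "baseDN").get("value") for b in beans.values() if _property(b, "baseDN") is not None}
    if len(base_dns) != 1:
        findings.append("baseDN differs between beans: %s" % sorted(base_dns))
    return findings
```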
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish Message Queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique log file which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.banner.portals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the logs under $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
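A quick way to confirm whether a given event reached each of the stages shown in those lines is to search the LMG logs for its EventID, as in the following added Python example (not part of the guide or of LMG). The stage names, the constructed log sample and the format of its ERROR line are assumptions of this example.

```python
import re

# One LMG log line: timestamp [thread] LEVEL logger - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Message patterns, in the order the guide shows them for a healthy event.
STAGES = [
    ("validated", re.compile(r"XML for (?P<id>\d+) is a valid document")),
    ("published_to_broker", re.compile(r"Message (?P<id>\d+) published to Luminis Message Broker")),
    ("delivered", re.compile(r"The event (?P<id>\d+) has been published to (?P<target>\S+)")),
]

# Constructed sample: the guide's three lines for 370660 plus an event (370661) that never left LMG.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,003 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,410 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Failed to publish 370661: broker connection refused
"""


def parse_line(line):
    """Split one log line into its fields, or return None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def trace_event(log_text, event_id):
    """Report which stages an EventID (the GOAEQRM Event Sequence) reached in adapter.log-style text."""
    stages, errors = {}, []
    id_re = re.compile(r"\b%s\b" % re.escape(event_id))
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        matched = False
        for name, pat in STAGES:
            m = pat.search(rec["msg"])
            if m and m.group("id") == event_id:
                stages[name] = (rec["ts"], m.groupdict().get("target"))
                matched = True
        # Any ERROR line naming the event that is not a stage line is worth surfacing.
        if not matched and rec["level"] == "ERROR" and id_re.search(rec["msg"]):
            errors.append((rec["ts"], rec["msg"]))
    missing = [name for name, _ in STAGES if name not in stages]
    return {"event_id": event_id, "stages": stages, "errors": errors, "missing": missing}
```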
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs as stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• “Sample proxyinfo.sql script”
• “Sample 00-core.ldif”
• “Sample 99-user.ldif”
• “Sample sso_oclass_lum5.ldif”
• “Sample o=sctssoapplications.ldif”
• “Full lp5_mqinit.sh script”
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS      TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                        TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif script in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. By importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in “Sample o=sctssoapplications.ldif” on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
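The following added Python example (not part of the guide) parses an LDIF in this layout, folds continuation lines, and resolves a Luminis username to its Banner user through the cn=UserMapDN indirection. It assumes that a user without a map entry keeps the same username in Banner, which the sample's UserMapDN description implies but the guide does not state; the LDIF text is constructed after the sample above.

```python
import base64

# Constructed after the guide's sample; 'jdoe' has deliberately no map entry.
SAMPLE_LDIF = """\
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr
"""


def parse_ldif(text):
    """Return {dn.lower(): {attr.lower(): [values]}}, folding continuation lines and decoding '::' values."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:  # LDIF folding: leading space continues the previous line
            logical[-1] += line[1:]
        else:
            logical.append(line)
    entries, current = {}, None
    for line in logical:
        if not line.strip():
            current = None  # blank line ends the entry
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if value.startswith(":"):  # 'attr:: base64' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if attr == "dn":
            current = {}
            entries[value.lower()] = current
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def banner_user_for(entries, luminis_user, app_base="o=Banner,o=SCTSSOapplications"):
    """Return (banner_user, mapped): mapped is False when the user falls back to its own name."""
    config = entries.get(("cn=UserMapDN,o=config," + app_base).lower())
    if not config or "sctssoconfigstring" not in config:
        raise LookupError("no UserMapDN configured under " + app_base)
    usermap_dn = config["sctssoconfigstring"][0]
    entry = entries.get(("cn=%s,%s" % (luminis_user, usermap_dn)).lower())
    if entry is None or "sctssoconfigstring" not in entry:
        return luminis_user, False  # assumption: unmapped users keep their Luminis username
    return entry["sctssoconfigstring"][0], True
```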
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in “Set up users and administered objects in o=messaging” on page 3-3 is listed below.
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
# Uncomment the following for verbose dsconfig/ldapmodify
#VERBOSE="--verbose"
# User-configurable variables: set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389
# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0
# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break;;
      # Not necessarily errors; might indicate the script already ran:
      #   err=20 generally means "Attribute or Value Exists"
      #   err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break";;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1;;
    esac
  done
}
# Step 01
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi
# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD
# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"
# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 2
# Ensure that pre-encoded passwords are allowed
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 3
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
STEP 14
Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateRequest -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 15
Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateReply -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 16
Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 17
Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 18
Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
er 2011 Luminis Platform 503 C-13Banner Integration Setup Guide
Sample Scripts and Files
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
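The lp5_mqinit.sh script above keeps the MQ user passwords in cleartext shell variables, and its step 6 note shows that a pre-encoded value (userPassword::) can be supplied instead once step 2 has enabled ds-cfg-allow-pre-encoded-passwords. The following Python is an added example, not part of the guide's script: it produces the {SSHA} value that OpenDS stores, wraps it in the base64 LDIF form the note shows, and verifies a candidate password against such a line. The 8-byte salt length is an assumption taken from the guide's sample value.

```python
import base64
import hashlib
import hmac
import os

# Sample pre-encoded value quoted in the script's step 6 note; the password
# behind it is not stated in the guide, so it is only parsed here, not verified.
GUIDE_SAMPLE_LINE = (
    "userPassword:: "
    "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="
)

SALT_LEN = 8   # assumption: matches the 8-byte salt in the guide's sample value
SHA1_LEN = 20


def ssha_encode(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password + salt) + salt), the salted
    SHA-1 form OpenDS stores in userPassword."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ldif_userpassword_line(encoded):
    """Wrap a pre-encoded value in the base64 ('userPassword::') LDIF form shown
    in the script's note, so it can be pasted into the ldapmodify heredoc."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def parse_ldif_userpassword(line):
    """Decode a 'userPassword::' line into (scheme, digest, salt); raises
    ValueError for anything that is not a well-formed {SSHA} value."""
    attr, sep, value = line.partition("::")
    if sep == "" or attr.strip() != "userPassword":
        raise ValueError("not a base64-encoded userPassword line")
    encoded = base64.b64decode(value.strip()).decode("ascii")
    if not encoded.startswith("{SSHA}"):
        raise ValueError("unsupported scheme in " + encoded[:8])
    raw = base64.b64decode(encoded[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if len(digest) != SHA1_LEN or not salt:
        raise ValueError("malformed SSHA value: digest or salt missing")
    return "{SSHA}", digest, salt


def ssha_verify(line, candidate):
    """True if candidate is the password behind a 'userPassword::' line.
    The recomputed digest is compared in constant time."""
    _, digest, salt = parse_ldif_userpassword(line)
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)


if __name__ == "__main__":
    # The cleartext exists only in this process; the script would then carry
    # the userPassword:: line instead of MQ_LMG_USER_PW=password.
    print(ldif_userpassword_line(ssha_encode("password")))
```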
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspprxy.g$_get_proxy_info method or the proxyinfo.sql script, run as bansecr, described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly.
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo is the following:
1. select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE' (the statement as printed in that guide is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If streams are locking on archivelogs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
4.5.2 Add the following property configuration inside the authenticationManager bean:
<property name="authenticationMetaDataPopulators">
  <list>
    <bean class="com.sghe.cas.extension.UDCIDAuthenticationMetaDataPopulator">
      <property name="template" ref="LdapTemplate"/>
      <property name="netIdAttr" value="uid"/>
      <property name="baseDN" value="ou=People,o=cp"/>
      <property name="casTokenAttributes">
        <map>
          <entry>
            <key><value>udcid</value></key>
            <value>UDC_IDENTIFIER</value>
          </entry>
        </map>
      </property>
    </bean>
  </list>
</property>
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid"/>
  <property name="baseDN" value="ou=People,o=cp"/>
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid"/>
      <entry key="Formatted Name" value="sn"/>
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient"/>
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS traffic via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To crank up banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile that captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set the logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
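To correlate these adapter.log lines with the GOAEQRM Event Sequence, here is an added Python example (not part of the guide or of LMG) that parses lines in the format shown above and reports events whose XML validated but which were never published to the Luminis Message Broker; the first three sample lines are the ones quoted above, the fourth is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the three adapter.log lines quoted above plus a fourth,
# constructed line for event 370661 that was validated but never published.
SAMPLE_ADAPTER_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,113 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
"""

# "<date> <time> [<thread>] <level> <logger> - <message>", as in the sample above
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>\w+) (?P<logger>\S+) - (?P<msg>.*)$"
)
VALIDATED_RE = re.compile(r"^XML for (\d+) is a valid document$")
PUBLISHED_RE = re.compile(r"^Message (\d+) published to Luminis Message Broker$")
DELIVERED_RE = re.compile(r"^The event (\d+) has been published to (\S+)$")


def parse_adapter_log(text):
    """Group adapter.log lines by event ID (the GOAEQRM Event Sequence).
    Returns {event_id: {"validated": ts, "published": ts, "targets": [...]}}."""
    events = defaultdict(lambda: {"validated": None, "published": None, "targets": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # stack traces and other non-standard lines are skipped
        ts, msg = m.group("ts"), m.group("msg")
        v = VALIDATED_RE.match(msg)
        if v:
            events[v.group(1)]["validated"] = ts
            continue
        p = PUBLISHED_RE.match(msg)
        if p:
            events[p.group(1)]["published"] = ts
            continue
        d = DELIVERED_RE.match(msg)
        if d:
            events[d.group(1)]["targets"].append(d.group(2))
    return dict(events)


def unpublished_events(text):
    """Event IDs whose XML validated but which never reached the message broker:
    the cases to chase next in the Luminis-side and MQ logs."""
    events = parse_adapter_log(text)
    return sorted(eid for eid, e in events.items() if e["validated"] and not e["published"])


def delivery_targets(text, event_id):
    """Publishers (for example _onlineCoursePublisher) that received one event."""
    return parse_adapter_log(text).get(event_id, {}).get("targets", [])


if __name__ == "__main__":
    print("validated but not published:", unpublished_events(SAMPLE_ADAPTER_LOG))
```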
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs as stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in the following location: <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
imq.log.level=DEBUG
3. To change the destination directory and filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID,
-- such as INTEGMGR or WWW_USER, is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS          TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                           TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
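The user map above is what the SSO handoff consults when the Luminis username differs from the Banner username, so a mis-parsed or duplicated mapping hands a session to the wrong Banner account. The following Python is an added example, not the guide's or Luminis's own code: it unfolds LDIF continuation lines (such as the wrapped description above), resolves UserMapDN, and returns the Luminis-to-Banner map from the entries directly beneath it. The sample LDIF is the one shown above plus one constructed mapping (jdoe), and the fallback to the unchanged username for unmapped users is an assumption.

```python
import base64

# Constructed sample: the o=sctssoapplications.ldif entries shown above
# (including the folded description line) plus one constructed mapping, jdoe.
SAMPLE_LDIF = """\
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr

dn: cn=jdoe,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: jdoe
description: Map of jdoe to jdoe_inb (constructed)
SCTSSOConfigString: jdoe_inb
"""

USERMAP_CONFIG_DN = "cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications"


def unfold(text):
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF content into a list of (dn, {attribute: [values]}).
    Handles folded lines, blank-line entry separators and base64 ('::') values."""
    entries, current = [], {}
    for line in unfold(text) + [""]:
        if line == "":
            if current:
                entries.append((current.pop("dn")[0], current))
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def user_map(text):
    """Resolve UserMapDN, then collect cn -> SCTSSOConfigString for the SCTSSOConfig
    entries that are direct children of that map (Luminis user -> Banner user)."""
    entries = parse_ldif(text)
    by_dn = {dn.lower(): attrs for dn, attrs in entries}
    config = by_dn.get(USERMAP_CONFIG_DN.lower())
    if config is None:
        raise ValueError("UserMapDN configuration entry is missing")
    map_dn = config["SCTSSOConfigString"][0].lower()
    mapping = {}
    for dn, attrs in entries:
        _, _, parent = dn.partition(",")
        if parent.lower() != map_dn or "SCTSSOConfig" not in attrs.get("objectClass", []):
            continue
        luminis_user = attrs["cn"][0]
        if luminis_user in mapping:  # a duplicate would make the handoff ambiguous
            raise ValueError("duplicate mapping for " + luminis_user)
        mapping[luminis_user] = attrs["SCTSSOConfigString"][0]
    return mapping


def banner_user_for(text, luminis_user):
    """Banner username for a Luminis user. Assumption (not stated by the guide):
    a user without an entry in the map keeps the same username in Banner."""
    return user_map(text).get(luminis_user, luminis_user)
```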
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      #   err=20 generally means "Attribute or Value Exists"
      #   err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break 2 ;;
          * ) echo "Failed on step $STEPNO with error $ERRORCODE"
              exit ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit ;;
    esac
  done
}

# Step 0.1
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit
fi

# Step 0.2
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
STEP 14
Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateRequest -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 15
Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateReply -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 16
Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 17
Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 18
Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
er 2011 Luminis Platform 503 C-13Banner Integration Setup Guide
Sample Scripts and Files
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center, and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method, or run the proxyinfo.sql script as bansecr, as described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the webservices configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing /forms/frmservlet?config=… in BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE' (the guide is missing a single quote).
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home in upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archivelogs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
4.5.3 Add the following bean definitions under the beans root element:
<bean id="LdapTemplate" class="org.springframework.ldap.core.LdapTemplate">
  <property name="contextSource" ref="contextSource"></property>
</bean>
<bean id="udcattributeRepository" class="com.sghe.cas.extension.UDCPersonAttributeDao">
  <property name="daoUtil" ref="UDCPersonAttributeDaoUtil"></property>
</bean>
<bean id="UDCPersonAttributeDaoUtil" class="com.sghe.cas.extension.UDCPersonAttributeDaoUtil">
  <property name="template" ref="LdapTemplate"></property>
  <property name="netIdAttr" value="uid" />
  <property name="baseDN" value="ou=People,o=cp" />
  <property name="samlToLdapAttributeNameMap">
    <map>
      <entry key="UDC_IDENTIFIER" value="udcid" />
      <entry key="Formatted Name" value="sn" />
    </map>
  </property>
</bean>
<bean id="httpClient" class="org.jasig.cas.util.HttpClient">
4.5.4 Save and close the deployerConfigContext.xml file.
4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties
4.6.1 Open default_views.properties.
4.6.2 Add the following lines:
# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView
4.6.3 Save and close default_views.properties.
4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS trafficking via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name '*.log'
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the logs in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit the imq.log.level property in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
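As an added example (not from the guide or from LMG itself), the following Python script parses adapter.log lines in the format shown above and reports which event IDs never reached the "has been published to" stage or logged an ERROR; those are the IDs to compare against the Event Sequence on GOAEQRM. The three lines for event 370660 are copied from the example above; event 370661, its ERROR line, the stack-trace line, and all function names are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample of adapter.log content: the three lines for event 370660 are the
# ones shown in the guide; event 370661, its ERROR line and the stack-trace line are made up.
SAMPLE_ADAPTER_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,011 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:03,100 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Message 370661 could not be published to Luminis Message Broker
java.lang.RuntimeException: broker unavailable (constructed stack-trace line, no timestamp)
"""

# One log4j line: "<date> <time>,<millis> [<thread>] <LEVEL> <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)
# The event ID (the GOAEQRM Event Sequence) as it appears in the three message shapes above.
EVENT_ID_RE = re.compile(r"\b(?:XML for|Message|The event) (?P<id>\d+)\b")
PUBLISHER_RE = re.compile(r"has been published to (?P<pub>\S+)")

# Lifecycle stages in the order LMG logs them for a healthy event.
STAGES = ("validated", "published", "delivered")


def parse_adapter_log(text: str) -> Dict[str, dict]:
    """Group adapter.log lines by event ID and record which stage each event reached."""
    events: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # stack-trace continuation lines carry no timestamp; skip them
        idm = EVENT_ID_RE.search(m["msg"])
        if not idm:
            continue  # lines that do not name an event are not part of the trace
        ev = events.setdefault(
            idm["id"], {"first_seen": m["ts"], "stages": [], "publisher": None, "errors": []}
        )
        msg = m["msg"]
        if m["level"] == "ERROR":
            ev["errors"].append(f'{m["ts"]} {msg}')
        elif msg.endswith("is a valid document"):
            ev["stages"].append("validated")
        elif "published to Luminis Message Broker" in msg:
            ev["stages"].append("published")
        else:
            pub = PUBLISHER_RE.search(msg)
            if pub:
                ev["stages"].append("delivered")
                ev["publisher"] = pub["pub"]
    return events


def incomplete_events(events: Dict[str, dict]) -> List[str]:
    """IDs that logged an ERROR or never reached 'delivered': check these on GOAEQRM."""
    return sorted(
        eid for eid, ev in events.items() if ev["errors"] or "delivered" not in ev["stages"]
    )


def missing_stages(ev: dict) -> List[str]:
    """Which of the expected stages an event never logged, in lifecycle order."""
    return [s for s in STAGES if s not in ev["stages"]]


if __name__ == "__main__":
    parsed = parse_adapter_log(SAMPLE_ADAPTER_LOG)
    for eid in incomplete_events(parsed):
        print(eid, "missing", missing_stages(parsed[eid]), "errors", parsed[eid]["errors"])
```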
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, as stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in the following location: <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS. TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. By importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
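As an added example (not part of the guide), the following Python code parses LDIF of the form shown above and resolves a Luminis user to the Banner user the way this data is meant to be read: it reads SCTSSOConfigString from the cn=UserMapDN entry to find the usermap container, then looks up cn=<user> beneath it, falling back to the same username when no mapping exists. The entries in the sample are copied from the file above; the folded description line, the base64 ("::") value, and all function names are constructed for this example.

```python
import base64
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample built from the o=sctssoapplications.ldif entries above. The folded
# description and the base64 SCTSSOConfigString ("saisusr") exercise the LDIF syntax rules.
SAMPLE_LDIF = """\
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString:: c2Fpc3Vzcg==
"""

CONFIG_DN = "cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications"


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: split on unescaped commas, trim, fold case."""
    return ",".join(part.strip() for part in re.split(r"(?<!\\),", dn)).lower()


def dn_escape(value: str) -> str:
    """Escape an RDN value per RFC 4514 so a user name cannot alter the DN structure."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse LDIF into {normalised dn: {attr (lower-case): [values]}}.
    Handles folded lines (leading space) and base64 values ('attr:: b64')."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # continuation of the previous line
        else:
            unfolded.append(line)
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in unfolded + [""]:         # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries[norm_dn(current["dn"][0])] = current
            current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def resolve_banner_user(entries: Dict[str, Entry], luminis_user: str) -> str:
    """Banner user for a Luminis user: the usermap override if present, else the same name."""
    cfg = entries.get(norm_dn(CONFIG_DN))
    if cfg is None or not cfg.get("sctssoconfigstring"):
        raise LookupError("UserMapDN entry missing or has no SCTSSOConfigString")
    usermap_dn = cfg["sctssoconfigstring"][0]
    mapping = entries.get(norm_dn(f"cn={dn_escape(luminis_user)},{usermap_dn}"))
    if mapping is None:
        return luminis_user
    values = mapping.get("sctssoconfigstring", [])
    if len(values) != 1:                  # the schema declares the attribute SINGLE-VALUE
        raise ValueError(f"expected exactly one SCTSSOConfigString for {luminis_user}")
    return values[0]
```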
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
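As an added example (not part of the guide or of the script below), the following Python code produces the kind of pre-encoded {SSHA} userPassword value that the note after STEP 6 of the script refers to, so that the cleartext MQ_LMG_USER_PW and MQ_LUM_USER_PW values never have to be written into the LDIF, and verifies a password against such a value. The base64 string is copied from that note; the 8-byte salt length is inferred from it, and the function names are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The sample pre-encoded value shown after STEP 6 in the script (copied from the guide).
SCRIPT_SAMPLE_B64 = "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="

SSHA_PREFIX = b"{SSHA}"
SHA1_LEN = 20      # bytes in a SHA-1 digest
SALT_LEN = 8       # salt length used by the sample value (28 - 20 bytes)


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in the LDAP {SSHA} form: '{SSHA}' + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return (SSHA_PREFIX + base64.b64encode(digest + salt)).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from a {SSHA} value; ValueError if it is not one."""
    raw = stored.encode("ascii")
    if not raw.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(raw[len(SSHA_PREFIX):], validate=True)
    if len(blob) <= SHA1_LEN:
        raise ValueError("value too short to hold a SHA-1 digest plus salt")
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def verify_ssha(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword_line(encoded: str) -> str:
    """LDIF line for a pre-encoded value: the whole '{SSHA}...' string, base64'd, after '::'."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def decode_ldif_userpassword(line: str) -> str:
    """Inverse of ldif_userpassword_line."""
    attr, sep, value = line.partition(":: ")
    if attr != "userPassword" or not sep:
        raise ValueError("expected a 'userPassword:: <base64>' line")
    return base64.b64decode(value.strip()).decode("ascii")


def script_sample_value() -> str:
    """The {SSHA} string inside the script's sample base64 (its cleartext is not known)."""
    return decode_ldif_userpassword("userPassword:: " + SCRIPT_SAMPLE_B64)


def script_sample_salt_len() -> int:
    """Salt length of the script's sample value, which is how SALT_LEN above was chosen."""
    return len(split_ssha(script_sample_value())[1])


if __name__ == "__main__":
    # Generate a value for an MQ user without placing the cleartext in the LDIF.
    value = make_ssha("lumuser-secret-example")      # constructed password
    print(ldif_userpassword_line(value))
    print("verifies:", verify_ssha("lumuser-secret-example", value))
```

The script's STEP 2 (ds-cfg-allow-pre-encoded-passwords: true) is what lets OpenDS accept a value produced this way.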
binsh
author davidnortonsungardhecom
version history
01312011 - initial version rolled
02162011 - slight changes to notes
02202011 - notes moved to separate doc general clean-up but
no changes in the logicexecution
Debug note
To debug execute ldquobinsh [or binbash] [-x|-v] lp5_mqinitshrdquo
Uncomment the following for verbose dsconfigldapmodify
VERBOSE=rdquo--verboserdquo
User-configurable variables before running script
HOSTNAME=slc207123sctcom
MQ_HOME=optglassfishv3mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
er 2011 Luminis Platform 503 C-5Banner Integration Setup Guide
Sample Scripts and Files
C-6
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
You probably shouldnt need to adjust these
OPENDS_DIR=$CP_ROOTproductsopends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=rdquoo=messagingrdquo
INSECURE_LDAP_PORT=389
Non-configurable variables initialized
STEPNO=1
ERRORCODE=0
After each command check for a non-zero error response and exit if applicable
ErrorCheck()
while
do
case $ERRORCODE in
err=0 no error
0 ) break
Not necessarily errors might indicate script already ran
err=20 generally means Attribute of Value Exists
err=68 generally means Entry Already Exists
20|68 )
echo Proceed with script [Press Y|y to continue any other key to abort]
read PROCEED
case $PROCEED in
Y|y )
break 2
)
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
echo Failed on step $STEPNO with error $ERRORCODE
exit
esac
Shouldnt ever get here but just in case no pun
echo Outer loop break
) echo Failed on step $STEPNO with error $ERRORCODE
exit
esac
done
Step 01
Some sanity checks before we start
Does $OPENDS_DIR exist and is it writable
if [[ ( -d $OPENDS_DIR ) || ( -w $OPENDS_DIR ) ]] then
echo ERROR $OPENDS_DIR does not exist or is not writable
echo You must execute this script as the $CP_ROOT installerowner
echo on the resource tier Exiting
exit
fi
Step 02
Prompt [no screen echo] for DM password
echo Enter the Directory Manager password for DS additionsmods
read -s DM_PASSWORD
Refer to httpswwwopendsorg12pageDsconfig for dsconfig options
DSCONFIG_OPTS=-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE
Refer to httpswwwopendsorgwikipageLdapmodify for ldapmodify options
er 2011 Luminis Platform 503 C-7Banner Integration Setup Guide
Sample Scripts and Files
C-8
LDAPMODIFY_OPTS=-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE
STEP 1
Create a new base-dn within backend userRoot
cd $CP_ROOTproductsopendsbin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn$OPENDS_MQ_BASEDN
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 2
Ensure that pre-encoded passwords are allowed
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Default Password Policycn=Password Policiescn=config
changetype modify
replace ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords true
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 3
Add $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn $OPENDS_MQ_BASEDN
objectClass top
objectClass organization
o messaging
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 4
Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
dn ou=People $OPENDS_MQ_BASEDN
ou People
objectClass organizationalunit
objectClass top
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 5
Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS -a ltlt-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# If you want to insert a pre-encoded userPassword, the format would be the
# following (double colon: the whole "{SSHA}..." value is base64-encoded):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands.
# Note: these bind as Directory Manager over plain LDAP on $INSECURE_LDAP_PORT
# and pass the password on the command line.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
# The lookup names below are single-quoted so the "$" in them stays literal
# (reconstructed from the guide's listing, which shows the names with a "$").
cd "$MQ_HOME/bin" || exit 1
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# (The guide's listing pointed imqDestinationName at com_sct_ldi_sis_Sync, which is a
# topic; corrected here to the UpdateRequest queue named in the imqcmd note above.)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration.
# (Same correction as step 14: the destination is the UpdateReply queue, not the Sync topic.)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG, WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG, WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG, WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG, WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
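The script above writes $MQ_LMG_USER_PW into the LDIF in clear text and only mentions the pre-encoded {SSHA} form in a comment. As an added example that is not part of the Ellucian script, the bash helpers below produce an {SSHA} value and the matching double-colon LDIF line, verify a password against a stored value, and render the step 8/9 style ACI while refusing empty inputs. The function names are hypothetical; openssl and coreutils base64/tail are assumed to be present.

```shell
#!/bin/bash
# Added example, not part of the Ellucian lp5_mqinit.sh script. Assumes bash,
# openssl and coreutils base64/tail; all function names are hypothetical.
set -u

# Salted SHA-1 in the {SSHA} form OpenDS accepts as a pre-encoded userPassword:
# base64( sha1(password || salt) || salt ). The salt is 8 ASCII hex characters
# so ssha_verify can read it back with tail.
ssha_encode() {
  local pw=$1 salt=${2:-$(openssl rand -hex 4)} b64
  b64=$({ printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } \
        | base64 | tr -d '\n')
  printf '{SSHA}%s' "$b64"
}

# Recover the salt (bytes 21..28 of the decoded value), recompute, compare.
# Returns 0 on a match, non-zero otherwise.
ssha_verify() {
  local pw=$1 stored=$2 salt
  salt=$(printf '%s' "${stored#\{SSHA\}}" | base64 -d | tail -c +21)
  [ "$(ssha_encode "$pw" "$salt")" = "$stored" ]
}

# LDIF for a People entry. "userPassword::" (double colon) means the whole
# value, including the {SSHA} prefix, is base64-encoded, which is exactly the
# shape of the commented example in the script.
render_user_ldif() {
  local user=$1 hash=$2 basedn=$3
  [ -n "$user" ] && [ -n "$hash" ] && [ -n "$basedn" ] || return 1
  printf 'dn: cn=%s,ou=People,%s\nobjectClass: person\nobjectClass: top\ncn: %s\nsn: %s\nuserPassword:: %s\n' \
    "$user" "$basedn" "$user" "$user" "$(printf '%s' "$hash" | base64 | tr -d '\n')"
}

# Global ACI granting one People entry read/search/compare on the MQ subtree.
# Refuses empty inputs: with an unset base DN the target would otherwise
# collapse to "ldap:///" and the grant would cover far more than o=messaging.
render_aci() {
  local user=$1 basedn=$2
  [ -n "$user" ] && [ -n "$basedn" ] || return 1
  printf '(target="ldap:///%s")(targetscope="subtree")(targetattr="*")(version 3.0; acl "MQ read access for %s"; allow (read,search,compare) userdn="ldap:///cn=%s,ou=People,%s";)\n' \
    "$basedn" "$user" "$user" "$basedn"
}
```

Usage: `H=$(ssha_encode "$MQ_LMG_USER_PW")` followed by `render_user_ldif "$MQ_LMG_USER" "$H" "$OPENDS_MQ_BASEDN"` yields the step 6 entry with a hashed password instead of the clear-text one; `render_aci "$MQ_LMG_USER" "$OPENDS_MQ_BASEDN"` yields the value for the ds-cfg-global-aci line in step 8. Because the script's ldapmodify call enables pre-encoded passwords in step 2, the server accepts the {SSHA} value as-is.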
Troubleshooting

This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.

Error message when banproxy is not configured correctly

The following error often indicates that the banproxy configuration is not set up properly:

ORA-28150: proxy not authorized to connect as client

If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:

SQL> Alter user INTEGMGR grant connect through INTEGMGR;

The proxy (connect-through) connection for BANPROXY access should appear as follows:

SQL> Alter user USER1 grant connect through USER2;

USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.

When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.

For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.

For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.

Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.

To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO

The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.

The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:

iamticket=iamticket

Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.

If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:

1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1

3. Delete any lock files.

Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly.

This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:

http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy

Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams

The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.

Oracle streams/Banner Enterprise Identity Services validation

For more information, refer to the Banner Enterprise Identity Services Installation Guide.

One typo in that guide is the following validation statement, which is missing a single quote; the correct form is:

1. select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE';

2. If the results from those validation SQL statements do not match the expected results, run the following scripts:

gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql

These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.

3. Ensure that you are using General 8.3 or above, then enter the following commands:

exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')

The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:

exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')

If streams are locking on archivelogs, you can remove the stream by entering the following command:

exec gp_streams_util.p_remove_streams('IAM')

4. To recreate and reconfigure the streams, enter the following commands:

exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
4.5.4 Save and close the deployerConfigContext.xml file.

4.6 Modify SGHE_CAS_SERVER/WEB-INF/classes/default_views.properties

4.6.1 Open default_views.properties.

4.6.2 Add the following lines:

# Banner Applications Views
bannerAccountServiceSuccessView.(class)=com.sghe.cas.view.BannerAccountSuccessResponseView
bannerAccountServiceFailureView.(class)=com.sghe.cas.view.BannerAccountFailureResponseView

4.6.3 Save and close default_views.properties.

4.7 Define CAS managed services. For more information, see "CAS managed services" on page 2-4.
B Logs

Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS trafficking via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.

You can also enable debug logging for the GlassFish message queue (MQ) component.

Banportals logs

BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To increase banportals logging on the application server side, set the verbosity in the following file:

$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties

For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:

log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gAS/fr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:

$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties

Alternately, you can add the following to your common log4j.properties stored in the following location:

$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties

log4j.logger.com.sct.banner.portals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file

If you are not actively debugging, lower the verbosity to ERROR level.

Banner Enterprise Identity Services logs

If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:

$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1

There are several app-specific logs you can also refer to, such as the following:

[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name '*.log'
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log

For HTTP-layer monitoring, reference the $OAS_HOME/Apache/Apache/logs directory.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.

You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.

Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will, which take effect after the next restart of that component.

GlassFish MQ and Luminis Platform Message Brokerage logs

Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs

If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:

/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties

Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties

Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:

# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.

Learning Management Gateway (LMG) logs

Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.

The main LMG log files are as follows:

$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)

The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.

To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:

log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG

Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.

If the LMG processed the files successfully, you see messages in the log files similar to the following example:

2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
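The three log lines above are the trail a healthy event leaves; what an administrator usually needs is the reverse question, "how far did event N get?". As an added example that is not part of the Ellucian guide, the bash functions below take an Event Sequence from GOAEQRM (the EventID in adapter.log) and classify it from the log alone. The function names are hypothetical, and the sample log lines are constructed to follow the format shown above, including an ERROR line that the guide does not show.

```shell
#!/bin/bash
# Added example, not from the Ellucian guide: trace one GOAEQRM Event Sequence
# (the EventID in adapter.log) through the LMG log and classify how far it got.
# Function names are hypothetical; the log lines below are constructed.

SAMPLE_LOG=$(cat <<'EOF'
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,101 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,400 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Message 370661 could not be published to Luminis Message Broker
2010-07-12 05:14:05,017 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370662 is a valid document
EOF
)

# lmg_event_status EVENT_ID [LOGFILE]   (LOGFILE defaults to stdin, "-")
# Prints one word and returns 0 only for "published":
#   missing    nothing in the log names the event: check GOAEQRM status and that LMG is running
#   error      an ERROR line names the event: read the logged cause
#   validated  XML accepted but never published: look at the broker/topic side
#   published  handed to the Luminis Message Broker: continue on the MQ side
lmg_event_status() {
  local id=$1 log=${2:--} lines
  # -w keeps 370660 from matching 3706601; -- guards against ids starting with "-"
  lines=$(grep -w -- "$id" "$log") || { echo missing; return 1; }
  if printf '%s\n' "$lines" | grep -q ' ERROR '; then
    echo error; return 2
  elif printf '%s\n' "$lines" | grep -q "Message $id published to Luminis Message Broker"; then
    echo published; return 0
  elif printf '%s\n' "$lines" | grep -q "XML for $id is a valid document"; then
    echo validated; return 3
  fi
  echo unknown; return 4
}

# lmg_event_summary [LOGFILE]: one "ID STATUS" line per event seen in the log,
# so a whole adapter.log can be triaged at once.
lmg_event_summary() {
  local log=${1:--} tmp id
  tmp=$(mktemp)
  cat -- "$log" > "$tmp"
  grep -o -E '(XML for|Message|The event) [0-9]+' "$tmp" \
    | awk '{print $NF}' | sort -u | while read -r id; do
        printf '%s %s\n' "$id" "$(lmg_event_status "$id" "$tmp")"
      done
  rm -f "$tmp"
}
```

Usage: `lmg_event_status 370660 "$SCT_LMG_HOME/Events/logs/adapter.log"` answers for one event, and `lmg_event_summary "$SCT_LMG_HOME/Events/logs/adapter.log"` lists every event with its state; an event that is "published" here but absent downstream points at the MQ broker, which is where the next section picks up.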
GlassFish MQ 4.5 logs

If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:

1. Locate the default MQ logs as stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log

2. To enable debug for those logs, run the following command:

imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG

This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:

imq.log.level=DEBUG

3. To change the destination directory or filename for the MQ log, add or edit the following properties:

imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files

This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:

• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"

Sample proxyinfo.sql script

The following is an example proxyinfo.sql script:

--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
--   1) login to SQL as BANINST1
--   2) Type "start proxyinfo"
--      to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS      TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                        TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompts for the Luminis ID
  d varchar2(200);                    -- Oracle user returned
  e varchar2(200);                    -- role returned
  f varchar2(200);                    -- password returned (not printed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line('Role: ' || e);
  -- dbms_output.put_line('PWD: ' || f);
  dbms_output.put_line('Luminis User: ' || c);
  dbms_output.put_line('Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif

The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif

The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Sample sso_oclass_lum5.ldif

The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.

The following is a sample sso_oclass_lum5.ldif:

dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif

The following is a sample o=sctssoapplications.ldif file:

version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script

The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.

#!/bin/bash
# (The listing's original header was #!/bin/sh; the script uses [[ ]], (( ))
# and read -s, which are bash features, so it is invoked with bash here.)
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify
#VERBOSE="--verbose"

# User-configurable variables; set before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck() {
  while :
  do
    case "$ERRORCODE" in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case "$PROCEED" in
          Y|y )
            break ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break"
        break ;;
      * )
        echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 0.1: some sanity checks before we start.
# Does $OPENDS_DIR exist and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 0.2: prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Note: -w places the password in the process argument list (visible in ps),
# and --trustAll skips validation of the server certificate; the OpenDS tools
# also accept a bind-password file (-j / --bindPasswordFile) if that matters
# in your environment.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"

# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"
# STEP 1
# Create a new base-dn within backend userRoot
cd "$CP_ROOT/products/opends/bin" || exit 1
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# If you want to insert a pre-encoded userPassword, the format would be the
# following (double colon: the whole "{SSHA}..." value is base64-encoded):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands.
# Note: these bind as Directory Manager over plain LDAP on $INSECURE_LDAP_PORT
# and pass the password on the command line.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
# The lookup names below are single-quoted so the "$" in them stays literal
# (reconstructed from the guide's listing, which shows the names with a "$").
cd "$MQ_HOME/bin" || exit 1
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 13
Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Sync -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
STEP 14
Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateRequest -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 15
Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateReply -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 16
Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 17
Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 18
Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
er 2011 Luminis Platform 503 C-13Banner Integration Setup Guide
Sample Scripts and Files
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
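The pre-encoded userPassword form mentioned in the script's step 6 comment, as an added example that is not part of lp5_mqinit.sh or the Luminis documentation: it builds an OpenDS-style {SSHA} value, wraps it as the LDIF "userPassword::" line that ldapmodify accepts once ds-cfg-allow-pre-encoded-passwords is true (script step 2), and verifies a clear-text password against it. The {SSHA} layout (base64 of sha1(password || salt) followed by an 8-byte salt) is assumed from OpenDS behaviour; the password and fixed salt in the main block are constructed for the example.

```python
"""{SSHA} pre-encoded userPassword values for the o=messaging broker users.

Added example, not part of lp5_mqinit.sh or the Luminis documentation.  The
script's step 6 comment shows a pre-encoded userPassword; this builds such a
value, wraps it as the LDIF "userPassword::" line that ldapmodify accepts once
ds-cfg-allow-pre-encoded-passwords is true (script step 2), and verifies a
clear-text password against it.  Assumes the OpenDS {SSHA} layout:
base64( sha1(password || salt) || salt ) with an 8-byte random salt.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SSHA_PREFIX = "{SSHA}"
SALT_LEN = 8      # OpenDS generates an 8-byte salt for {SSHA} (assumption)
DIGEST_LEN = 20   # SHA-1 digest length


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Return a '{SSHA}...' value: base64 of sha1(password||salt) followed by the salt."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(encoded: str) -> Tuple[bytes, bytes]:
    """Split a '{SSHA}...' value into (digest, salt); the salt is whatever follows the digest."""
    if not encoded.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[len(SSHA_PREFIX):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("{SSHA} value too short to contain a digest and salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password: str, encoded: str) -> bool:
    """Recompute the salted digest and compare it in constant time."""
    digest, salt = ssha_parts(encoded)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword(encoded: str) -> str:
    """LDIF line for a pre-encoded value.  The '::' form carries the value base64-encoded,
    which is how the script comment's sample (userPassword:: e1NT...) is written."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def parse_ldif_userpassword(line: str) -> str:
    """Inverse of ldif_userpassword: recover the '{SSHA}...' string from a 'userPassword::' line."""
    attr, sep, value = line.partition("::")
    if not sep or attr.strip() != "userPassword":
        raise ValueError("expected a 'userPassword::' line")
    return base64.b64decode(value.strip()).decode("ascii")


if __name__ == "__main__":
    # Constructed sample; the salt is fixed here only so the run is reproducible.
    enc = ssha_encode("correct horse battery staple", salt=bytes(range(1, 9)))
    print(ldif_userpassword(enc))
    print("right password:", ssha_verify("correct horse battery staple", enc))
    print("wrong password:", ssha_verify("password", enc))
```

Generating the value this way keeps the clear-text broker passwords (MQ_LMG_USER_PW, MQ_LUM_USER_PW) out of the script and out of the shell history.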
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID is used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the webservices configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide's version is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If streams are locking on archivelogs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
B Logs
Banner Enterprise Identity Services logs allow you to better understand the UDC aspect of sharing and ensuring identity (which involves SOAP calls and JMS trafficking via web services) and CAS ticket management. Banner Enterprise Identity Services also includes the bnSSOWeb gateway for SSO when accessing Banner via CAS ticketing. Any application that uses the luminis-banner webapp (Banner portlets) relies on banportals, which is the secure content provider for the Luminis Channels for Banner, also known as Banner Channels for Luminis Platform. It uses a DB connection pool and secured access to data at the Banner DB level.
You can also enable debug logging for the GlassFish message queue (MQ) component.
Banportals logs
BANPORTALS-related logs are most often located under the home application in $OAS_HOME/j2ee/home. To crank up banportals logging on the application server side, set the verbosity in the following file:
$OAS_HOME/j2ee/home/applications/banportals/banportals/WEB-INF/classes/log4j.properties
For example, to create a unique logfile which captures details of the channel Web Proxy activity, edit the log4j.properties file as follows:
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.File=/u01/app/oracle/10gASfr1012/opmn/logs/channelWebProxy.log
log4j.appender.logfile.append=True
log4j.appender.logfile.layout.ConversionPattern=%d %-4r %-5p %c{2} %M.%L %x - %m%n
log4j.appender.logfile.MaxBackupIndex=10
log4j.appender.logfile.MaxFileSize=1MB
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile=org.apache.log4j.RollingFileAppender
log4j.rootCategory=DEBUG, logfile
On the Luminis Platform side, you can set logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternately, you can add the following to your common log4j.properties stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.bannerportals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity to ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the Redirect log as follows:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are several app-specific logs you can also refer to, such as the following:
[/u01/app/oracle/10gASfr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, reference the logs in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers, such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you might specify specific JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will, which take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jmslistener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the <EventID> tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sct.corp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
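One way to check adapter.log for a given Event Sequence, as an added example that is not from the Luminis documentation or from LMG itself: it parses log4j lines of the shape shown above, groups the validated / published-to-broker / published-to-subscriber stages per event ID, and lists the events that never reached the Luminis Message Broker. The log lines embedded in it are constructed for the example, modelled on the excerpt above; the ERROR line wording is an assumption, since the guide only shows the success case.

```python
"""Correlate LMG adapter.log lines with a Banner event ID (GOAEQRM Event Sequence).

Added example, not part of the Luminis documentation or LMG.  It recognises the
three stage messages shown in the guide's excerpt and reports, per event ID,
which stages were logged, so a 'validated but never published' event can be
told apart from one that reached the Luminis Message Broker.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample, modelled on the adapter.log excerpt in the guide.  The last
# two lines (event 370661 and its ERROR) are invented for the failure case.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sct.corp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,004 [Thread-11] INFO events.com.sct.corp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:03,210 [Thread-1] ERROR events.com.sct.corp.events.MessageAdapter - Message 370661 could not be published to Luminis Message Broker
"""

# log4j layout used by the excerpt: "<date> <time,millis> [<thread>] <LEVEL> <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)
# Stage detectors keyed by the phrase LMG writes for each stage; group 1 is the event ID.
STAGES = {
    "validated": re.compile(r"XML for (\d+) is a valid document"),
    "published_to_broker": re.compile(r"Message (\d+) published to Luminis Message Broker"),
    "published_to_subscriber": re.compile(r"The event (\d+) has been published to (\S+)"),
}


@dataclass
class EventTrace:
    stages: Dict[str, str] = field(default_factory=dict)   # stage name -> timestamp
    subscribers: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

    def delivered(self) -> bool:
        """True when the event reached the broker and no ERROR line named it."""
        return "published_to_broker" in self.stages and not self.errors


def trace_events(log_text: str) -> Dict[str, EventTrace]:
    """Group the recognisable stages of every event ID found in the log text."""
    traces: Dict[str, EventTrace] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an LMG log4j line (stack trace, blank line, ...); ignore
        msg, ts, level = m["msg"], m["ts"], m["level"]
        for stage, pattern in STAGES.items():
            s = pattern.search(msg)
            if s:
                trace = traces.setdefault(s.group(1), EventTrace())
                trace.stages[stage] = ts
                if stage == "published_to_subscriber":
                    trace.subscribers.append(s.group(2))
        if level == "ERROR":
            # Attribute the error to any event-sized number mentioned in the message.
            for event_id in re.findall(r"\b(\d{4,})\b", msg):
                traces.setdefault(event_id, EventTrace()).errors.append(msg)
    return traces


def undelivered(log_text: str) -> List[str]:
    """Event IDs that were seen but never reached the broker, or that logged an ERROR."""
    return sorted(eid for eid, t in trace_events(log_text).items() if not t.delivered())


if __name__ == "__main__":
    for event_id, trace in trace_events(SAMPLE_LOG).items():
        print(event_id, "delivered" if trace.delivered() else "NOT delivered",
              sorted(trace.stages), trace.subscribers)
    print("undelivered:", undelivered(SAMPLE_LOG))
```

Run it against the real adapter.log (for example `trace_events(open(path).read())`) and compare the event IDs it reports with the Event Sequence values on GOAEQRM.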
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs as stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in the following location: <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID,
-- such as INTEGMGR or WWW_USER, is returned then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) Login to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS        TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                         TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables before running script:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized:
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0, no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      #   err=20 generally means "Attribute or Value Exists"
      #   err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun):
        echo "Outer loop break" ;;
      * )
        echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 01:
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ( ! -d "$OPENDS_DIR" ) || ( ! -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02:
# Prompt [no screen echo] for DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
# (-w places the password on each command line, where it is visible in the
#  process list; the OpenDS tools also accept -j/--bindPasswordFile instead)
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1:
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2:
# Ensure that pre-encoded passwords are allowed
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3:
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4:
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5:
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6:
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 16
Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 17
Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 18
Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
er 2011 Luminis Platform 503 C-13Banner Integration Setup Guide
Sample Scripts and Files
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when BANPROXY is not configured correctly
The following error often indicates that the BANPROXY (Oracle proxy authentication) configuration is incorrect:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:
SQL> alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) grant for BANPROXY access has the following form:
SQL> alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and must be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When "Authorize BANPROXY" is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users, regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you must therefore issue manual grants, executed as BANSECR, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: When you use the GSASECR form to check BANPROXY access and your default Oracle ID is anything other than BANPROXY, assign the connect-through grants manually via SQL.
To test which Oracle ID is used for a given SPRIDEN ID or Luminis Platform user, call the gspprxy.g$_get_proxy_info procedure (the call made by the proxyinfo.sql script) or run the proxyinfo.sql script, as BANSECR, described in "Sample proxyinfo.sql script" on page C-1.
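The ORA-28150 check above boils down to comparing what SYS.PROXY_USERS actually holds against the grants the guide says are required. The following is an added example (written for this page, not part of the Ellucian guide or any Banner script) that performs that comparison offline on rows you have already pulled from the dictionary and emits the ALTER USER statements still needed. It assumes Oracle's semantics for the view, namely that "ALTER USER <client> GRANT CONNECT THROUGH <proxy>" produces one (PROXY, CLIENT) row, and that the default Oracle ID from banportals.properties is the account that proxies; the usernames JSMITH and MJONES and the sample rows are constructed.

```python
"""Added example (not from the Luminis guide): reconcile Oracle proxy grants.

Oracle records each "ALTER USER <client> GRANT CONNECT THROUGH <proxy>" as one
(PROXY, CLIENT) row in SYS.PROXY_USERS. Given those rows, the default Oracle ID
from banportals.properties and the list of INB users, this reports the grants
that are still missing and builds the ALTER USER statements to run as BANSECR.
"""
from typing import Iterable, List, Tuple


def required_grants(default_oracle_id: str, inb_users: Iterable[str]) -> List[Tuple[str, str]]:
    """(proxy, client) pairs the guide requires when the default ID is not BANPROXY.

    - the connection user must be able to connect through itself
      ("alter user INTEGMGR grant connect through INTEGMGR")
    - every INB user must be reachable through the default Oracle ID
    """
    proxy = default_oracle_id.upper()
    pairs = [(proxy, proxy)]
    for user in inb_users:
        pair = (proxy, user.upper())
        if pair not in pairs:
            pairs.append(pair)
    return pairs


def missing_grants(proxy_users_rows, default_oracle_id, inb_users):
    """Required (proxy, client) pairs absent from SYS.PROXY_USERS.

    proxy_users_rows: iterable of (PROXY, CLIENT) tuples, e.g. the result of
    'select proxy, client from sys.proxy_users'. Oracle stores unquoted
    identifiers upper-case, so the comparison is case-insensitive.
    """
    have = {(p.upper(), c.upper()) for p, c in proxy_users_rows}
    return [pair for pair in required_grants(default_oracle_id, inb_users) if pair not in have]


def grant_statements(pairs):
    """Render the missing pairs as the statements BANSECR must execute."""
    return [f"ALTER USER {client} GRANT CONNECT THROUGH {proxy};" for proxy, client in pairs]


# Constructed sample of SYS.PROXY_USERS after GSASECR's "Authorize BANPROXY"
# was ticked for JSMITH only (hypothetical usernames).
SAMPLE_PROXY_USERS = [
    ("BANPROXY", "JSMITH"),
    ("INTEGMGR", "INTEGMGR"),
]

if __name__ == "__main__":
    for stmt in grant_statements(missing_grants(SAMPLE_PROXY_USERS, "integmgr", ["jsmith", "mjones"])):
        print(stmt)
```

Run it against the real rows from sys.proxy_users; an empty result means every INB user already reaches the default Oracle ID and the ORA-28150 has another cause.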
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual so that each institution's administrative staff can customize its environment to use unique keywords.
The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb must match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, must match the parameter that was added to your formsweb.cfg, as follows:
iamticket=iamticket
Reference the same Forms configuration everywhere forms/frmservlet?config=... is referenced, in the BNIG configuration and in banportals. The example above uses smpl_sctsso. The INB and SSB cookie/header names in the bnigWeb configuration must match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application.log, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams on which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your Forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK in the SunGard Higher Education Customer Support Center describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the Oracle Streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide. Note the following:
1. The validation query in that guide is missing a closing single quote. It should read:
select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME = 'IAM_EVENTS_CAPTURE';
2. If the results of the validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files located on your Banner database server under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically start the capture and apply processes. To start them manually, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If the streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
B Logs
On the Luminis Platform side, you can set the logging verbosity for the luminis-banner webapp (which drives connectivity to the banportals OC4J application) in the following file:
$CP_ROOT/products/tomcat/tomcat-admin/webapps/luminis-banner/WEB-INF/classes/log4j.properties
Alternatively, you can add the following to your common log4j.properties, stored in the following location:
$CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties
log4j.logger.com.sct.banner.portals=DEBUG, file
log4j.logger.com.sghe.luminis.banner=DEBUG, file
If you are not actively debugging, lower the verbosity back to the ERROR level.
Banner Enterprise Identity Services logs
If one of the Banner Enterprise Identity Services applications does not start, check the OC4J log in $OAS_HOME/opmn/logs. Most applications use stdout logging for their loggers, which is routed into the redirect log:
$OAS_HOME/opmn/logs/OC4J~BEIS~default_island~1
There are also several application-specific logs you can refer to, such as the following:
[/u01/app/oracle/10gAS/fr1012/j2ee/BEIS]$ find . -name "*.log"
./application-deployments/SPML_LDAP_Adapter/BEIS_default_island_1/application.log
./application-deployments/bnig/BEIS_default_island_1/bnig_application.log
./application-deployments/IdentityServices/BEIS_default_island_1/idproxy_application.log
./application-deployments/Identity_Data_Export_Utilities/BEIS_default_island_1/application.log
./log/identity_data_export_utilities.log
./log/BEIS_default_island_1/default-web-access.log
./log/BEIS_default_island_1/server.log
./log/BEIS_default_island_1/global-application.log
./log/BEIS_default_island_1/rmi.log
./log/BEIS_default_island_1/jms.log
./log/spml_publisher_failure.log
./log/sqlnet.log
For HTTP-layer monitoring, refer to the files in $OAS_HOME/Apache/Apache/logs.
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure them.
You can also configure logging through the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (default credentials ias_admin/manager1; change this default if it is still in place, because the console can stop and reconfigure every container). Through this interface you can stop, start and restart individual containers, such as OC4J containers. These containers are called "main" for banportals and "BEIS" for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications, such as bnig or banportals. For example, you can specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container; they take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain:
/opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of jms.log, edit imq.log.level in the following file:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following file:
/opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once an event has been processed in Banner and its status on GOAEQRM is 2 (Processed), the event appears with the same event ID (as shown on GOAEQRM) in the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG, reproduce the issue and capture the logs listed above. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the event ID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
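The three lines above are the full lifecycle of one event: validated, published to the broker, delivered to a subscriber. When a batch of events goes missing, the useful question is at which of those stages each event ID stopped. The following is an added example (written for this page, not part of LMG or the Ellucian guide) that groups adapter.log lines by event ID and reports the last stage each reached. The log format and the three message texts are taken from the sample above; the additional log lines for events 370661 and 370662 are constructed to show a stalled event and one that never left Banner-side validation.

```python
"""Added example (not from the guide): correlate LMG adapter.log lines by event ID.

Each Banner event should leave three INFO lines in adapter.log: the XML was
validated, the message was published to the Luminis Message Broker, and the
event was delivered to a subscriber. Grouping lines by event ID and checking
which stage each event reached separates a Banner-side problem (no "valid
document" line at all) from a broker-side one (validated but never published).
"""
import re
from collections import OrderedDict

# log4j pattern "%d{ISO8601} [%t] %p %c - %m" as seen in the guide's sample lines
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>\w+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Message patterns for the lifecycle stages, in the order they should appear.
STAGES = (
    ("validated", re.compile(r"XML for (?P<id>\d+) is a valid document")),
    ("published", re.compile(r"Message (?P<id>\d+) published to Luminis Message Broker")),
    ("delivered", re.compile(r"The event (?P<id>\d+) has been published to (?P<target>\S+)")),
)


def parse_line(line):
    """Return (timestamp, level, logger, message), or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("level"), m.group("logger"), m.group("msg")


def event_progress(lines):
    """Map event ID -> list of stages reached, keyed in first-seen order."""
    progress = OrderedDict()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        for stage, pattern in STAGES:
            m = pattern.search(parsed[3])
            if m:
                progress.setdefault(m.group("id"), []).append(stage)
                break
    return progress


def stalled_events(lines):
    """Event IDs that never reached 'delivered', with the last stage they did reach."""
    return {eid: stages[-1] for eid, stages in event_progress(lines).items()
            if "delivered" not in stages}


# Constructed sample: 370660 is the guide's own example; 370661 (validated and
# published but never delivered) and 370662 (validated only) are hypothetical.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,113 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,640 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370661 published to Luminis Message Broker
2010-07-12 05:14:09,001 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370662 is a valid document
2010-07-12 05:14:09,004 [Thread-11] DEBUG events.com.sctcorp.events.StandardEventProvider - unrelated chatter
"""

if __name__ == "__main__":
    for eid, stages in event_progress(SAMPLE_LOG.splitlines()).items():
        print(eid, "->", " / ".join(stages))
    print("stalled:", stalled_events(SAMPLE_LOG.splitlines()))
```

Feed it the real adapter.log (for example `event_progress(open(path))`) after reproducing the problem; an event stuck at "validated" points at LMG's connection to the broker, one stuck at "published" at the broker or its subscribers, and an event ID absent altogether means it never left GOAEQRM.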
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location:
<glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug logging, run the following command:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination directory or file name of the MQ log, add or edit the following properties in the same file:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. They include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) Log in to SQL*Plus as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS       TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                         TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';      -- fixed values expected by g$_get_proxy_info
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';  -- Luminis ID, prompted for by SQL*Plus (scan on)
  d varchar2(200);                   -- OUT: Oracle user mapped to the Luminis ID
  e varchar2(200);                   -- OUT: role
  f varchar2(200);                   -- OUT: proxy password; never print or spool it
  z varchar2(200);                   -- additional parameter, not printed by this script
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- dbms_output.put_line(' PWD: ' || f);   -- intentionally left commented out
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the object class and attribute type associated with the o=SCTSSOapplications objects. Importing the following LDIF should result in 00-core.ldif and 99-user.ldif being updated as stated in their respective sections. After those entries are in the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif (the blank line between the two change records is required):
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1...
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
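The mapping the file above encodes is indirect: the UserMapDN entry under o=config names the container, and each cn under that container maps one Luminis ID to a Banner user via SCTSSOConfigString. The following is an added example (written for this page, not part of Luminis or the Ellucian guide) that reads such a file with a minimal LDIF parser, verifies that every SCTSSOConfig entry carries the MUST attributes from the schema defined in sso_oclass_lum5.ldif (OpenDS rejects the import otherwise), and resolves a Luminis ID the way the UserMapDN entry describes. It assumes the usermap lookup is an exact, case-insensitive match on cn; the embedded sample is the guide's own data with a folded description line (a continuation line starting with one space, as LDIF allows) and without the container entries above o=config.

```python
"""Added example (not from the guide): parse the usermap LDIF and resolve a Luminis ID.

parse_ldif handles folded lines (a leading space continues the previous line);
the base64 '::' value form is not needed for this file and is not supported.
"""
from collections import OrderedDict

MUST_SCTSSOCONFIG = ("cn", "sctssoconfigstring", "description")
USERMAPDN_ENTRY = "cn=usermapdn,o=config,o=banner,o=sctssoapplications"


def _norm_dn(dn):
    """Case-insensitive DN key, ignoring spaces around commas, as LDAP compares DNs."""
    return dn.lower().replace(" ", "")


def parse_ldif(text):
    """Return [(dn, attrs)] where attrs maps a lowercase attribute name to its values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:       # continuation of the previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:                   # sentinel blank line closes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = (value, OrderedDict())
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    return entries


def schema_violations(entries):
    """DNs of SCTSSOConfig entries that lack one of the object class's MUST attributes."""
    bad = []
    for dn, attrs in entries:
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "sctssoconfig" in classes and any(a not in attrs for a in MUST_SCTSSOCONFIG):
            bad.append(dn)
    return bad


def banner_user_for(entries, luminis_id):
    """Follow UserMapDN to the usermap container; None when the ID has no mapping."""
    by_dn = {_norm_dn(dn): attrs for dn, attrs in entries}
    cfg = by_dn.get(USERMAPDN_ENTRY)
    if cfg is None:
        return None
    usermap_dn = _norm_dn(cfg["sctssoconfigstring"][0])
    entry = by_dn.get(f"cn={luminis_id.lower()},{usermap_dn}")
    return entry["sctssoconfigstring"][0] if entry else None


# The guide's sample data, with one folded line to exercise unfolding.
SAMPLE_LDIF = """\
version: 1
dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("schema violations:", schema_violations(entries))
    for uid in ("kyle", "610009611", "nobody"):
        print(uid, "->", banner_user_for(entries, uid))
```

Run schema_violations over the file you are about to import; a non-empty list is the entry OpenDS will reject. A None from banner_user_for for a user who is supposed to be mapped means the SSO code will fall through to the Luminis ID itself.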
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below. Before running it, change the placeholder passwords (MQ_LMG_USER_PW and MQ_LUM_USER_PW). Note also that the script passes the Directory Manager password on the command line (-w), where it is visible in the process list, binds to OpenDS over plain LDAP when it stores the administered objects, and creates non-TLS connection factories alongside the TLS ones; run it only on the resource tier itself.
#!/bin/bash
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
# (the script uses [[ ]], (( )) and read -s, so it needs bash rather than a POSIX sh).
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password            # change before running
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password            # change before running
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break 2 ;;
          * )   echo "Failed on step $STEPNO with error $ERRORCODE"
                exit ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start:
# Does $OPENDS_DIR exist, and is it writable?
if [[ ( ! -d $OPENDS_DIR ) || ( ! -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit
fi

# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# --trustAll skips server certificate verification; acceptable only because
# the target is this tier's own OpenDS instance.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"
# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed (only needed if you supply
# userPassword values that are already hashed, as shown after step 6)
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format (base64 of a
# "{SSHA}..." value, hence the double colon) would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
# The ACI is kept on one line: LDIF folding would strip the leading space of
# each continuation line. The acl label is only a name carried over from an
#  OpenDS default ACI; a descriptive one is fine.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
STEP 9
Add LDAP aci so that $MQ_LUM_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LUM_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
Define JNDI options for the imqobjmgr commands
JNDI_OPTS=-j javanamingfactoryinitial=comsunjndildapLdapCtxFactory -j javanamingproviderurl=ldap$HOSTNAME$INSECURE_LDAP_PORTou=AdministeredObjects$OPENDS_MQ_BASEDN -j javanamingsecuritycredentials=$DM_PASSWORD -j javanamingsecurityauthentication=simple
Insecure jmshttpjms connection factory options
CONNFACTORY_TCP_OPTS=-o imqConnectionURL=http$HOSTNAME$MQ_HTTP_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Secure ssljmshttpsjms connection factory options
CONNFACTORY_TLS_OPTS=-o imqConnectionURL=https$HOSTNAME$MQ_HTTPS_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Note the following imqobjmgr queuetopic creations could have also
been done by using imqcmd as follows explicit imqobjmgr is used to
ensure fine-grained control over the JNDI AdministeredObjects location
imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
er 2011 Luminis Platform 503 C-11Banner Integration Setup Guide
Sample Scripts and Files
C-12
imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
STEP 10
Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOMEbin
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_EntityEvents -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 11
Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Error -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 12
Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_LmsSync -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 13
Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Sync -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (imqDestinationName must name the UpdateRequest queue itself, not the Sync topic)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (imqDestinationName must name the UpdateReply queue itself, not the Sync topic)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following “connect through” grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center, and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, as bansecr, described in “Sample proxyinfo.sql script” on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic in order to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration consistently when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as “SOAPException faultCode=INVALID SOAP RESPONSE” in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080/; export http_proxy
Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams / Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE; is missing the closing single quote; the condition should read GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE';
2. If the results from those validation SQL statements do not match the expected results, run the following scripts: gorctabi_070501.sql, gorccoli_070501.sql, gorcruli_070501.sql. These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7, located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
Most of the above log files have a corresponding log4j file, such as log4j.properties, which you can use to configure the log files.
You can also configure logging via the Oracle Application Server (OAS) Oracle Enterprise Manager (OEM). OEM usually runs on port 1156 (ias_admin/manager1). Through this interface you can stop, start, and restart individual containers such as OC4J containers. These containers are called main for banportals and BEIS for Banner Enterprise Identity Services.
Another option is to zoom in on and configure individual applications such as bnig or banportals. For example, you might specify JAVA_OPTS (-D<param> command-line options) for each installed application and OC4J container at will; these take effect after the next restart of that component.
GlassFish MQ and Luminis Platform Message Brokerage logs
Logs are placed in the following directory, assuming the default domain: /opt/glassfishv3/glassfish/domains/domain1/logs
If you want to adjust the verbosity of the jms.log, edit imq.log.level in the following location:
/opt/glassfishv3/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties
Otherwise, you can adjust other GlassFish server-level logging in the following location: /opt/glassfishv3/glassfish/domains/domain1/config/logging.properties
Within Luminis Platform, if you want to create a unique logger for the JMS message listener package, you can do so as follows in the $CP_ROOT/products/tomcat/tomcat-admin/common/classes/log4j.properties file:
# JMS Appender
log4j.logger.com.sghe.luminis.jms.listener=DEBUG, jms
log4j.appender.jms=org.apache.log4j.RollingFileAppender
log4j.appender.jms.File=/opt/luminis/products/tomcat/tomcat-admin/logs/jms.log
log4j.appender.jms.layout=org.apache.log4j.PatternLayout
log4j.appender.jms.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c %m%n
log4j.appender.jms.MaxFileSize=10MB
log4j.appender.jms.MaxBackupIndex=5
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
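The three log lines above are the stages one Banner event passes through in adapter.log (validated, published to the broker, published to a subscriber), all keyed by the event ID that matches the GOAEQRM Event Sequence. The following Python script is an added diagnostic example, not LMG or Luminis code: it parses lines of that shape, groups them by event ID, and reports events that LMG validated but never published to the broker. The embedded log lines are constructed to match the format shown above; the regular expressions, stage labels and function names are this example's own assumptions.

```python
"""Trace Banner event IDs through LMG adapter.log lines.
Added diagnostic example; not LMG or Luminis code."""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the guide's adapter.log excerpt:
# event 370660 completes all three stages, 370661 stops after validation.
SAMPLE_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,118 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
this line is not a log4j record and is skipped
"""

# log4j layout used in the excerpt: date time,millis [thread] LEVEL logger - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# Each pipeline stage is recognised by the message shape the adapter writes;
# group 1 is the event ID (GOAEQRM's Event Sequence). The stage names are
# this example's own labels.
STAGES = [
    ("validated", re.compile(r"^XML for (\d+) is a valid document$")),
    ("published_to_broker",
     re.compile(r"^Message (\d+) published to Luminis Message Broker$")),
    ("delivered", re.compile(r"^The event (\d+) has been published to (\S+)$")),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log4j line into its fields, or None if it is not a record."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def trace_events(log_text: str) -> Dict[str, Dict[str, str]]:
    """Return {event_id: {stage: timestamp, ...}} for every event ID seen."""
    events: Dict[str, Dict[str, str]] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # stack-trace continuation or unrelated line
        for stage, pattern in STAGES:
            m = pattern.match(rec["msg"])
            if m is None:
                continue
            progress = events.setdefault(m.group(1), {})
            progress[stage] = rec["ts"]
            if stage == "delivered":
                progress["subscriber"] = m.group(2)
    return events


def stuck_events(log_text: str) -> List[str]:
    """Event IDs validated by LMG but never published to the message broker.
    When GOAEQRM shows status 2 (Processed) and the portal still lacks the
    event, these IDs are where to start reading adapter.log."""
    return sorted(
        event_id
        for event_id, progress in trace_events(log_text).items()
        if "validated" in progress and "published_to_broker" not in progress
    )
```

Run it against a real adapter.log by reading the file into `trace_events`; an event present in `stuck_events` points at the LMG-to-broker hop, while one that is `delivered` but absent from the portal points at the broker or subscriber side, which the next section covers.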
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in the following location: <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log
2. To enable debug for those logs, run the following command: imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination directory or filename for the MQ log, add or edit the following properties in the same file:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• “Sample proxyinfo.sql script”
• “Sample 00-core.ldif”
• “Sample 99-user.ldif”
• “Sample sso_oclass_lum5.ldif”
• “Sample o=sctssoapplications.ldif”
• “Full lp5_mqinit.sh script”
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS        TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                         TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- "scan on" makes SQL*Plus prompt for the Luminis ID
  d varchar2(200);
  e varchar2(200);
  f varchar2(200);
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  --dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in “Sample o=sctssoapplications.ldif” on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in “Set up users and administered objects in o=messaging” on page 3-3 is listed below:
#!/bin/bash
# (bash rather than plain sh: the [[ ]] tests, (( )) arithmetic and
#  'read -s' below are bash features)
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc; general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify
# VERBOSE="--verbose"

# User-configurable variables; set before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck() {
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * )
        echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start:
# does $OPENDS_DIR exist, and is it writable?
if [[ ( ! -d "$OPENDS_DIR" ) || ( ! -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"

# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
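STEP 2 enables pre-encoded passwords precisely so that the userPassword values added in STEP 6 and STEP 7 need not sit in the script in the clear. The Python example below is added here and is not part of the lp5_mqinit.sh script; it shows what such a value is: an {SSHA} salted SHA-1 digest, base64-encoded once by the storage scheme and once more by LDIF, which is why the note's line uses the double-colon "userPassword::" form. The functions build, verify and decode such values. The 8-byte salt length and the function names are assumptions of this example, and the note's own sample value is decoded only to show its structure (its cleartext is not known here).

```python
"""{SSHA} pre-encoded userPassword values in the form OpenDS stores them.
Added example; not Luminis or OpenDS code."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "{SSHA}"
SALT_LEN = 8      # assumption: the Salted SHA-1 scheme appends an 8-byte salt
DIGEST_LEN = 20   # SHA-1 output length


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(encoded: str) -> Tuple[bytes, bytes]:
    """Split a '{SSHA}...' value into (digest, salt); raises on other schemes."""
    if not encoded.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(encoded[len(SCHEME):])
    if len(blob) <= DIGEST_LEN:
        raise ValueError("value too short to hold a digest and a salt")
    return blob[:DIGEST_LEN], blob[DIGEST_LEN:]


def ssha_verify(password: str, encoded: str) -> bool:
    """Constant-time check of a candidate password against the stored value."""
    try:
        digest, salt = ssha_parts(encoded)
    except ValueError:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword_line(encoded: str) -> str:
    """LDIF base64-encodes the value again ('attr:: <base64>'), which is the
    form the script's note shows."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def decode_ldif_userpassword(line: str) -> str:
    """Recover the scheme-tagged value from a 'userPassword:: <base64>' line."""
    name, sep, value = line.partition("::")
    if not sep or name.strip().lower() != "userpassword":
        raise ValueError("not a base64-encoded userPassword line")
    return base64.b64decode(value.strip()).decode("ascii")


# The sample line from the script's note (value copied from the note above).
GUIDE_SAMPLE_LINE = ("userPassword:: "
                     "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==")

if __name__ == "__main__":
    enc = ssha_encode("change-me")
    print(ldif_userpassword_line(enc))
    print("verify ok:", ssha_verify("change-me", enc), "wrong:", ssha_verify("x", enc))
    digest, salt = ssha_parts(decode_ldif_userpassword(GUIDE_SAMPLE_LINE))
    print("sample digest/salt bytes:", len(digest), len(salt))
```

Pasting the printed `userPassword::` line into the STEP 6 or STEP 7 heredoc in place of `userPassword: $MQ_LMG_USER_PW` keeps the cleartext out of the script and out of shell history; the directory accepts it only because STEP 2 set ds-cfg-allow-pre-encoded-passwords to true.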
# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
# (note: the Directory Manager credentials are passed on each imqobjmgr command
#  line, so they are visible in process listings while the command runs, and the
#  simple bind goes over the plain LDAP port $INSECURE_LDAP_PORT)
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (single quotes around the lookup name keep the shell from expanding the literal '$')
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (imqDestinationName must match the UpdateRequest queue created with imqcmd above, not the Sync topic)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (imqDestinationName must match the UpdateReply queue created with imqcmd above, not the Sync topic)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner
Error message when banproxy is not configured correctly
The error following error often indicates that the banproxy configuration is not configured properly
ORA-28150 proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID the following ldquoconnect throughrdquo grant is required for all non-INB users
SQLgt Alter user INTEGMGR grant connect through INTEGMGR
The proxy (connect-through) connection for BANPROXY access should appear as follows
SQLgt Alter user USER1 grant connect through USER2
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup) USER 2 is the official user through whom channels proxy authentication is allowed USER1 is the connection user referenced in banportalsproperties in the luminis-banner webapp
When Authorize BANPROXY is checked on GSASECR for a given user it grants connect-through using BANPROXY in sysproxy_users regardless of the chosen default Oracle ID If you are using INTEGMGR as your default Oracle ID then you should issue manual grants executed as bansecr for the banportals connection user and for each individual Oracle user requiring INB access For more information about the proxy connection and the required connect through grant see the CMS-13983txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide
For a student SSB user this configuration responds with the default Oracle ID which is usually BANPROXY
er 2011 Luminis Platform 503 T-1Banner Integration Setup Guide
Troubleshooting
T-2
For an INB user this script must respond with the actual INB username That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide
NoteYou should manually assign the connect through grants via sql when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user use the gspproxyget_proxy_info method or the proxyinfosql script described as bansecr in ldquoSample proxyinfosql scriptrdquo on page C-1
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly For example the webservices configuration in bnigWeb needs to match what was configured in the baniamproperties within the baniamjar file Likewise the value of the ticket parameter name such as iamticket for INB should match the parameter which was added to your formswebcfg as follows
iamticket=iamticket
Reference the forms configuration across the board when referencing formsfrmservletconfig=hellip in BNIG configuration and in banportals The above example uses smpl_sctsso The INB and SSB cookieheader name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOMEopmnlogs or errors such as ldquoSOAPException faultCode=INVALID SOAP RESPONSErdquo in your idproxy_application logs there may be a problem with the AQ JMS queues or subscriptions or the Oracle streams upon which JMS relies To correct the problem complete the following steps
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080
export http_proxy
Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE' (the published statement is missing a single quote).
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7, located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If streams are locking on archivelogs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
As a Luminis Platform administrator, you should also become familiar with the MQ 4.5 administration documentation available from http://glassfish.java.net.
Learning Management Gateway (LMG) logs
Once the event has been processed in Banner and the status on GOAEQRM is 2 (Processed), the event displays with the same event ID (as shown on GOAEQRM) within the LMG log files.
The main LMG log files are as follows:
$SCT_LMG_HOME/Events/logs/adapter.log
$SCT_LMG_HOME/Events/logs/ldi_event_data.log
$SCT_LMG_HOME/Events/logs/smart_event_data.log (only for smart and notify events on GOAEQRM under Target System=PIPELINE)
The Event Sequence field on the Banner Event Queue form (GOAEQRM) corresponds to the EventID tag in the LMG adapter.log and ldi_event_data.log files.
To debug LMG for Events, make the following changes in the $SCT_LMG_HOME/Events/config/logging.properties file:
log4j.rootCategory=DEBUG
log4j.category.com=DEBUG, out
log4j.category.com.sctcorp.events.MessageAdapter=DEBUG
Once these properties are set, restart LMG and capture the following logs after reproducing the issue. When reproducing the error, note the time stamp or any other identifying information about the event in question, such as the eventID or the event type.
If the LMG processed the files successfully, you see messages in the log files similar to the following example:
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
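To correlate a GOAEQRM Event Sequence with these three log messages without reading adapter.log by hand, the following added Python script (not part of the guide or of LMG) parses lines in the log4j layout shown above and reports which expected stages (validated, published to the broker, published to the destination) are missing for one event ID. The sample log is constructed: the 370660 lines are the ones quoted above, while event 370661 and its ERROR line are invented to show a stalled event.

```python
import re

# Constructed sample of an LMG adapter.log. The three 370660 lines follow the
# format quoted in the guide; event 370661 and the ERROR message are constructed
# to show an event that is validated but never reaches the message broker.
SAMPLE_ADAPTER_LOG = """\
2010-07-12 05:13:56,091 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370660 is a valid document
2010-07-12 05:13:57,585 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - Message 370660 published to Luminis Message Broker
2010-07-12 05:13:57,590 [Thread-1] INFO events.com.sctcorp.events.MessageAdapter - The event 370660 has been published to _onlineCoursePublisher
2010-07-12 05:14:02,114 [Thread-11] INFO events.com.sctcorp.events.StandardEventProvider - XML for 370661 is a valid document
2010-07-12 05:14:02,301 [Thread-1] ERROR events.com.sctcorp.events.MessageAdapter - Message 370661 could not be published: broker unavailable
"""

# log4j layout as shown in the guide: "<date> <time> [<thread>] <LEVEL> <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)

# The three messages a healthy event leaves behind, in pipeline order.
# Group 1 is always the event ID (the GOAEQRM Event Sequence).
STAGES = (
    ("validated", re.compile(r"^XML for (\d+) is a valid document$")),
    ("published", re.compile(r"^Message (\d+) published to Luminis Message Broker$")),
    ("routed", re.compile(r"^The event (\d+) has been published to (\S+)$")),
)


def parse_log(text):
    """Yield one dict per well-formed log4j line; other lines are ignored."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def event_trace(text, event_seq):
    """Collect stage timestamps, destination and ERROR messages for one event."""
    event_id = str(event_seq)
    id_in_msg = re.compile(rf"\b{event_id}\b")
    trace = {"errors": []}
    for rec in parse_log(text):
        for name, pattern in STAGES:
            match = pattern.match(rec["msg"])
            if match and match.group(1) == event_id:
                trace[name] = rec["ts"]
                if name == "routed":
                    trace["destination"] = match.group(2)
        # Surface any ERROR line that names the event, whatever its wording.
        if rec["level"] == "ERROR" and id_in_msg.search(rec["msg"]):
            trace["errors"].append(rec["msg"])
    return trace


def missing_stages(text, event_seq):
    """Return the expected stages that never appear for the event, in order."""
    trace = event_trace(text, event_seq)
    return [name for name, _ in STAGES if name not in trace]


if __name__ == "__main__":
    for seq in (370660, 370661):
        trace = event_trace(SAMPLE_ADAPTER_LOG, seq)
        gaps = missing_stages(SAMPLE_ADAPTER_LOG, seq)
        status = "OK" if not gaps else "stalled before: " + ", ".join(gaps)
        print(f"event {seq}: {status}; destination={trace.get('destination')}; "
              f"errors={trace['errors']}")
```

Point the script at a real adapter.log (read the file into `text`) and pass the Event Sequence shown on GOAEQRM; a stage reported missing tells you where in LMG the event stopped.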
GlassFish MQ 4.5 logs
If you see that an event is passing through LMG correctly, yet Luminis Platform or some other system is not receiving the events, start by checking the standard luminis.log for synchronization-related errors. If you cannot find the source of the problem, you can debug Open MQ 4.4 and above as follows:
1. Locate the default MQ logs, stored in <glassfish_home>/glassfish/domains/domain1/imq/instances/imqbroker/log.
2. To enable debug for those logs, run the following command:
imqcmd update bkr -b <broker host>:<broker port> -o imq.log.level=DEBUG
This has the same effect as adding or editing the following property in <glassfish>/glassfish/domains/domain1/imq/instances/imqbroker/props/config.properties:
imq.log.level=DEBUG
3. To change the destination/filename for the MQ log, add or edit the following properties in the same file:
imq.log.file.dirpath=/opt/luminis/logs
imq.log.file.filename=mb-broker.log
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• “Sample proxyinfo.sql script”
• “Sample 00-core.ldif”
• “Sample 99-user.ldif”
• “Sample sso_oclass_lum5.ldif”
• “Sample o=sctssoapplications.ldif”
• “Full lp5_mqinit.sh script”
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL*Plus as BANINST1
-- 2) Type: start proxyinfo
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- SQL*Plus prompts for the Luminis ID
  d varchar2(200);                     -- returned: Oracle user
  e varchar2(200);                     -- returned: role
  f varchar2(200);                     -- returned: password (not displayed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attribute types associated with the o=SCTSSOapplications objects. When you import the following LDIF, the 00-core.ldif and 99-user.ldif files should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in “Sample o=sctssoapplications.ldif” on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
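As an added example that is not from the guide, the following Python script parses an LDIF file with the structure shown above, follows the UserMapDN entry's SCTSSOConfigString to the usermap organization, and resolves a Luminis user to the mapped Banner user, falling back to a default Oracle ID when no mapping exists (the behaviour proxyinfo.sql describes; INTEGMGR as the default is an assumption). It also flags SCTSSOConfig entries missing an attribute the sso_oclass_lum5.ldif schema declares as MUST. The sample LDIF is constructed to mirror the entries above, with one folded description, one base64 (“::”) description, and one entry deliberately lacking its description.

```python
import base64

# Constructed LDIF mirroring the o=sctssoapplications.ldif layout above: a
# UserMapDN config entry pointing at the usermap organization and one
# SCTSSOConfig entry per mapped user. One description is folded onto a
# continuation line and one is base64-encoded; the kyle entry omits its description.
SAMPLE_LDIF = """\
version: 1
dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description:: TWFwIG9mIDYxMDAwOTYxMSB0byBzYWlzdXNy
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
SCTSSOConfigString: saisusr
"""

CONFIG_DN = "cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications"
# MUST attributes of SCTSSOConfig, per the sso_oclass_lum5.ldif schema above.
SCTSSOCONFIG_MUST = ("cn", "sctssoconfigstring", "description")


def parse_ldif(text):
    """Parse LDIF into a list of {'dn': str, 'attrs': {name_lower: [values]}}."""
    lines = []
    for raw in text.splitlines():            # unfold: a leading space continues the previous line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                # trailing "" flushes the last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:                                # "attr: <value>"
            value = rest.strip()
        if name.lower() == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current["attrs"].setdefault(name.lower(), []).append(value)
    return entries


def norm_dn(dn):
    """Case- and whitespace-insensitive DN key (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_oracle_user(entries, luminis_user, default_oracle_id="INTEGMGR"):
    """Return (oracle_user, mapped); unmapped users get the default Oracle ID."""
    by_dn = {norm_dn(e["dn"]): e for e in entries}
    config = by_dn.get(norm_dn(CONFIG_DN))
    if config is None:
        raise LookupError("UserMapDN entry not found; user mapping is not configured")
    usermap_base = config["attrs"]["sctssoconfigstring"][0]
    entry = by_dn.get(norm_dn(f"cn={luminis_user},{usermap_base}"))
    if entry is None:
        return default_oracle_id, False
    return entry["attrs"]["sctssoconfigstring"][0], True


def schema_violations(entries):
    """(dn, missing) for SCTSSOConfig entries lacking a MUST attribute."""
    bad = []
    for e in entries:
        classes = {c.lower() for c in e["attrs"].get("objectclass", [])}
        if "sctssoconfig" in classes:
            missing = [a for a in SCTSSOCONFIG_MUST if a not in e["attrs"]]
            if missing:
                bad.append((e["dn"], missing))
    return bad
```

Running schema_violations over your own o=sctssoapplications.ldif before importing it catches the entries the directory would reject for the objectclass's MUST list.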
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in “Set up users and administered objects in o=messaging” on page 3-3 is listed below.
#!/bin/bash
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc, general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
# (the script uses bash/ksh features: [[ ]], (( )) and read -s)

# Uncomment the following for verbose dsconfig/ldapmodify
#VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imq/tunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd "$CP_ROOT/products/opends/bin" || exit 1
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be
# (base64 value, hence the LDIF double colon):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (single quotes keep the shell from expanding the $ in the object name)
cd "$MQ_HOME/bin" || exit 1
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (destination name matches the queue created by the imqcmd alternative above)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following “connect through” grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user this script must respond with the actual INB username That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide
NoteYou should manually assign the connect through grants via sql when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user use the gspproxyget_proxy_info method or the proxyinfosql script described as bansecr in ldquoSample proxyinfosql scriptrdquo on page C-1
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly For example the webservices configuration in bnigWeb needs to match what was configured in the baniamproperties within the baniamjar file Likewise the value of the ticket parameter name such as iamticket for INB should match the parameter which was added to your formswebcfg as follows
iamticket=iamticket
Reference the forms configuration across the board when referencing formsfrmservletconfig=hellip in BNIG configuration and in banportals The above example uses smpl_sctsso The INB and SSB cookieheader name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOMEopmnlogs or errors such as ldquoSOAPException faultCode=INVALID SOAP RESPONSErdquo in your idproxy_application logs there may be a problem with the AQ JMS queues or subscriptions or the Oracle streams upon which JMS relies To correct the problem complete the following steps
1 Locate the jmsxml file in $OAS_HOMEj2eeBEISconfig and ensure that the persistence file locations are accurate The base directory within the context of that
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
jmsxml file is $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
2 Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
3 Delete any Lock files
Another SOAP-related error is the following which can occur even if all the JMS queues are configured and operating correctly
This HTTP transport error suggests that the proxy configuration is the problem Adjust the Web Services Configuration from FQDN to localhost or set the http_proxy environment variable as needed for your environment as in the following example
http_proxy=httpwww-proxysungardedu8080export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator Solution 1-BDD1LK located in the SunGard Higher Education Customer Support Center describes how to use JPI by default
Validating Banner Enterprise Identity Services event streams
The following topics provide for more information about validating streams used for Banner Enterprise Identity Services events
er 2011 Luminis Platform 503 T-3Banner Integration Setup Guide
Troubleshooting
T-4
Oracle streamsBanner Enterprise Identity Services validation
For more information refer to the Banner Enterprise Identity Services Installation Guide
One typo is the following
1 Select count() from GSVCADT whereGSVCADT_CAPTURE_NAME=IAM_EVENTS_CAPTURE missing single quote
2 If the results from those validation SQL statements do not match the expected results run the following scriptsgorctabi_070501sql
gorccoli_070501sql
gorcruli_070501sql
These are Banner General files and are located on your Banner DB under $Banner_Home upgradegen80000u The files were introduced in Banner General 751 and can be run again to verify the seed data is in place For more information see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center
3 Ensure that you are using General 83 or above then enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
The latter command should automatically begin the capture and apply To manually begin the capture enter the following commandexec gp_streams_utilp_start_capture(IAM)
exec gp_streams_utilp_start_apply(IAM)
If streams are locking on archivelogs you can remove the stream by entering the following commandexec gp_streams_utilp_remove_streams(IAM)
4 To recreate and reconfigure the streams enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
GlassFish MQ 45 logs
If you see that an event is passing through LMG correctly yet Luminis Platform or some other system is not receiving the events start by checking the standard luminislog for synchronization-related errors If you cannot find the source of the problem you can debug Open MQ 44 and above as follows
1 Locate the default MQ logs as stored in the following locationltglassfish_homegtglassfishdomainsdomain1imqinstancesimqbrokerlog
2 To enable debug for those logs run the following commandimqcmd update bkr -b ltbroker hostgt broker portgt -o imqloglevel=DEBUG
This has the same effect as adding or editing the following property in the following locationltglassfishgtglassfishdomainsdomain1imqinstancesimqbrokerpropsconfigproperties
imqloglevel=DEBUG
3 To change the destinationfilename for the MQ log add or edit the following filesimqlogfiledirpath= optluminislogs
imqlogfilefilename=mb-brokerlog
er 2011 Luminis Platform 503 B-5Banner Integration Setup Guide
Logs
B-6
Luminis Platform 503 November 2011Banner Integration Setup GuideLogs
Novemb
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration These scripts include the following
bull ldquoSample proxyinfosql scriptrdquo
bull ldquoSample 00-coreldifrdquo
bull ldquoSample 99-userldifrdquo
bull ldquoSample sso_oclass_lum5ldifrdquo
bull ldquoSample o=sctssoapplicationsldifrdquo
bull ldquoFull lp5_mqinitsh scriptrdquo
Sample proxyinfosql script
The following is an example proxyinfosql script--------------------------------------------------------------
-- PROXYINFOSQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID When run it will
-- prompt you to enter a Luminis ID If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned then there was
-- no mapping found and the default is used
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage
-- ___________________________________________________________
-- To use the program
-- 1) login to SQL as BANINST1
-- 2) Type start proxyinfo
-- to run the program
--------------------------------------------------------------
er 2011 Luminis Platform 503 C-1Banner Integration Setup Guide
Sample Scripts and Files
C-2
--------------------------------------------------------------
-- Audit Trail 10
-- ___________________________________________________________
-- 1 Initial Release - NON-SUPPORTED PROCESS TH 07-JUN-06
--
-- Audit Trail 11
-- ___________________________________________________________
-- 1 Update TH 06-APR-07
-- Updated g$_get_proxy_info call to accomodate Gen 741
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfolst
declare
a varchar2(200)=CHANNEL
b varchar2(200)=LUMINIS
c varchar2(200)=ampLuminis_ID
d varchar2(200)
e varchar2(200)
f varchar2(200)
z varchar2(200)
begin
dbms_outputput_line(Call G$_Get_Proxy_Info)
gspprxyg$_get_proxy_info(abczdef)
dbms_outputput_line( Role ||e)
--dbms_outputput_line( PWD ||f)
dbms_outputput_line( Luminis User ||c)
dbms_outputput_line( Oracle User ||d)
end
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. After importing the following LDIF, 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in “Sample o=sctssoapplications.ldif” on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
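The user map above is the data that proxyinfo.sql reports on: the cn=UserMapDN entry under o=config names the usermap container, each child of that container maps one Luminis ID to a Banner/Oracle user, and the default Oracle ID is used when no child matches. The following Python is an added example, not part of the guide or of Luminis, that parses an LDIF file in this shape (folded lines and base64 `::` values included) and performs that lookup offline, escaping the Luminis ID before it is placed in a DN so that a crafted ID cannot change which entry is matched. The sample LDIF, the default ID INTEGMGR and the function names are constructed for the example.

```python
import base64

# Constructed sample in the shape of o=sctssoapplications.ldif (not the guide's file verbatim):
# one folded description line and one base64 (::) value are included to exercise the parser.
SAMPLE_LDIF = """version: 1

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description:: TWFwIG9mIGt5bGUgdG8gc2Fpc3Vzcg==
SCTSSOConfigString: saisusr
"""


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) from LDIF content.

    Handles folded lines (a continuation line starts with one space), base64 values
    ('attr:: b64'), comment lines and the 'version:' line. Attribute names are
    lowercased because LDAP attribute names are case-insensitive.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # join the continuation onto the previous line
        else:
            unfolded.append(raw)

    entries, dn, attrs = [], None, {}
    for line in unfolded + [""]:             # the trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def normalize_dn(dn):
    """Case-fold a DN and drop whitespace around RDN separators so DNs can be compared."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def escape_rdn_value(value):
    """RFC 4514 escaping for a value placed inside an RDN (so a Luminis ID cannot reshape the DN)."""
    out = value
    for ch in ("\\", ",", "+", '"', "<", ">", ";"):
        out = out.replace(ch, "\\" + ch)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def resolve_oracle_user(entries, luminis_id, default_id="INTEGMGR",
                        app_base="o=Banner,o=SCTSSOapplications"):
    """Mirror the lookup proxyinfo.sql reports on: find the usermap container via
    cn=UserMapDN under o=config, then look for cn=<luminis_id> below it.
    Returns (oracle_user, mapped); mapped is False when the default ID is used."""
    by_dn = {normalize_dn(dn): a for dn, a in entries}
    cfg = by_dn.get(normalize_dn("cn=UserMapDN,o=config," + app_base))
    if cfg is None or "sctssoconfigstring" not in cfg:
        raise LookupError("cn=UserMapDN configuration entry is missing")
    map_base = cfg["sctssoconfigstring"][0]
    entry = by_dn.get(normalize_dn("cn=" + escape_rdn_value(luminis_id) + "," + map_base))
    if entry is None or "sctssoconfigstring" not in entry:
        return default_id, False
    return entry["sctssoconfigstring"][0], True


if __name__ == "__main__":
    data = parse_ldif(SAMPLE_LDIF)
    for uid in ("kyle", "610009611", "someone-else"):
        user, mapped = resolve_oracle_user(data, uid)
        print(f"{uid:14} -> {user} ({'mapped' if mapped else 'default, no mapping found'})")
```

Run against a real export, the same function tells you the same thing the SQL script prints: a generic ID such as INTEGMGR with `mapped == False` means no entry exists under o=usermap for that Luminis ID.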
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in “Set up users and administered objects in o=messaging” on page 3-3 is listed below:
#!/bin/bash
# (bash rather than plain sh: the script relies on [[ ]], (( )) and read -s)
# author: david.norton@sungardhe.com
# version history:
# 01/31/2011 - initial version rolled
# 02/16/2011 - slight changes to notes
# 02/20/2011 - notes moved to separate doc, general clean-up, but
#              no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify
# VERBOSE="--verbose"
#
# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389
# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun)
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD
# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
# Note: -w passes the password on the command line, where other local users can read it
# from the process list for as long as each dsconfig/ldapmodify command runs
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be:
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
# Note: the provider URL uses plain LDAP on $INSECURE_LDAP_PORT, so the Directory Manager
# credentials in JNDI_OPTS are sent unencrypted on that connection (simple bind)
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
# imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
# imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (the lookup names are single-quoted so the shell does not expand the "$" inside them)
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (destination name aligned with the queue's lookup name and the imqcmd list above; the
# original listing reused com_sct_ldi_sis_Sync here)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (destination name aligned as in STEP 14)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_ssl_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_ssl_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
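The comment after STEP 6 of the script shows the LDIF form of a pre-encoded password: the `::` marks a base64 attribute value, and the decoded value is an OpenDS {SSHA} string (SHA-1 over the password followed by a salt, then the salt appended to the digest). The following Python is an added example, not part of the script or of OpenDS, that decodes the script's own sample value to show that layout, and encodes and verifies passwords in the same format so that a pre-encoded value can be prepared ahead of time instead of writing the clear-text password into the heredoc. The function names and the test password are constructed.

```python
import base64
import hashlib
import hmac
import os

# Sample value exactly as shown in the lp5_mqinit.sh comment (LDIF "userPassword:: <base64>").
PAGE_SAMPLE_LINE = ("userPassword:: "
                    "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==")

SALT_LEN = 8   # OpenDS appends an 8-byte random salt; the sample value decodes to 20 + 8 bytes


def ssha_encode(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parse(encoded):
    """Split an {SSHA} value into (digest, salt); raises ValueError for anything else."""
    if not encoded.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("too short for a SHA-1 digest plus salt")
    return raw[:20], raw[20:]


def ssha_verify(password, encoded):
    """Constant-time comparison of a candidate password against an {SSHA} value."""
    digest, salt = ssha_parse(encoded)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword_line(encoded):
    """LDIF line for a pre-encoded value: '::' means the value is base64 of the raw bytes."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def parse_ldif_userpassword(line):
    """Inverse of ldif_userpassword_line: recover the {SSHA} string from a '::' LDIF line."""
    name, sep, value = line.partition("::")
    if name.strip().lower() != "userpassword" or sep != "::":
        raise ValueError("expected a 'userPassword::' line")
    return base64.b64decode(value.strip()).decode("ascii")


if __name__ == "__main__":
    scheme = parse_ldif_userpassword(PAGE_SAMPLE_LINE)
    digest, salt = ssha_parse(scheme)
    print(scheme, "-> digest", len(digest), "bytes, salt", len(salt), "bytes")
    print(ldif_userpassword_line(ssha_encode("constructed-example-password")))
```

The pre-encoded route only works because STEP 2 sets ds-cfg-allow-pre-encoded-passwords to true; the server then stores the value as given, so a salted scheme such as {SSHA} is the minimum worth using.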
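STEPs 8 and 9 add the global ACIs that give the two broker users their read/search/compare access under o=messaging. The following Python is an added example, not from the script or from OpenDS, that parses an ACI string of the shape the script writes (after shell expansion) into its target, scope, attributes, rights and bind rule, and reports deviations from the intended least-privilege shape: an allow of read/search/compare only, scoped under o=messaging, bound to one named user. The sample ACIs and the function names are constructed, and the parser covers only the single-rule `allow(...) userdn="..."` form used here, not the full OpenDS ACI grammar.

```python
import re

# Constructed ACI value of the shape lp5_mqinit.sh writes, with the shell variables expanded
LMG_ACI = ('(target="ldap:///o=messaging")(targetscope="subtree")(targetattr="*")'
           '(version 3.0; acl "User-Visible Root DSE Operational Attributes"; '
           'allow(read,search,compare) userdn="ldap:///cn=lmguser,ou=People,o=messaging";)')

# Constructed over-broad variant for comparison: write/delete rights for any authenticated user
BROAD_ACI = ('(target="ldap:///o=messaging")(targetscope="subtree")(targetattr="*")'
             '(version 3.0; acl "too broad"; allow(read,write,delete) userdn="ldap:///all";)')

_TARGET_RE = re.compile(r'\((target\w*)="([^"]*)"\)')
_RULE_RE = re.compile(r'version\s+3\.0;\s*acl\s+"([^"]*)";\s*(allow|deny)\s*\(([^)]*)\)\s*'
                      r'userdn="([^"]*)";')


def parse_aci(aci):
    """Break a single-rule OpenDS ACI into a dict of its parts."""
    targets = dict(_TARGET_RE.findall(aci))
    m = _RULE_RE.search(aci)
    if m is None:
        raise ValueError("unrecognised ACI rule syntax")
    return {
        "target": targets.get("target", ""),
        "scope": targets.get("targetscope", "base"),
        "attrs": targets.get("targetattr", "*"),
        "name": m.group(1),
        "effect": m.group(2),
        "rights": {r.strip().lower() for r in m.group(3).split(",")},
        "userdn": m.group(4),
    }


def review_aci(aci, expected_base="o=messaging", allowed_rights=("read", "search", "compare")):
    """Return a list of findings; an empty list means the ACI has the intended shape."""
    p = parse_aci(aci)
    findings = []
    if p["effect"] != "allow":
        findings.append("rule is a deny, not the expected allow")
    if not p["target"].lower().endswith(expected_base.lower()):
        findings.append(f"target {p['target']} is outside {expected_base}")
    extra = p["rights"] - set(allowed_rights)
    if extra:
        findings.append("grants more than read-only rights: " + ", ".join(sorted(extra)))
    if p["userdn"].lower() in ("ldap:///all", "ldap:///anyone"):
        findings.append(f"bind rule {p['userdn']} is not tied to one named user")
    return findings


if __name__ == "__main__":
    for label, aci in (("script ACI", LMG_ACI), ("broad ACI", BROAD_ACI)):
        print(label, "->", review_aci(aci) or "ok")
```

The same check can be run over the live values (ldapsearch on cn=Access Control Handler,cn=config for ds-cfg-global-aci, bound as Directory Manager) after the script has run, which is a quick way to confirm that a rerun prompted through ErrorCheck did not leave duplicate or edited grants behind.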
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following “connect through” grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in “Sample proxyinfo.sql script” on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as “SOAPException: faultCode=INVALID SOAP RESPONSE” in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo is the following:
1. select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE' (the guide's version of this statement is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If streams are locking on archivelogs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 13
Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Sync -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
STEP 14
Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateRequest -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 15
Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateReply -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 16
Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 17
Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 18
Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
er 2011 Luminis Platform 503 C-13Banner Integration Setup Guide
Sample Scripts and Files
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner
Error message when banproxy is not configured correctly
The error following error often indicates that the banproxy configuration is not configured properly
ORA-28150 proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID the following ldquoconnect throughrdquo grant is required for all non-INB users
SQLgt Alter user INTEGMGR grant connect through INTEGMGR
The proxy (connect-through) connection for BANPROXY access should appear as follows
SQLgt Alter user USER1 grant connect through USER2
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup) USER 2 is the official user through whom channels proxy authentication is allowed USER1 is the connection user referenced in banportalsproperties in the luminis-banner webapp
When Authorize BANPROXY is checked on GSASECR for a given user it grants connect-through using BANPROXY in sysproxy_users regardless of the chosen default Oracle ID If you are using INTEGMGR as your default Oracle ID then you should issue manual grants executed as bansecr for the banportals connection user and for each individual Oracle user requiring INB access For more information about the proxy connection and the required connect through grant see the CMS-13983txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide
For a student SSB user this configuration responds with the default Oracle ID which is usually BANPROXY
er 2011 Luminis Platform 503 T-1Banner Integration Setup Guide
Troubleshooting
T-2
For an INB user this script must respond with the actual INB username That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide
NoteYou should manually assign the connect through grants via sql when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user use the gspproxyget_proxy_info method or the proxyinfosql script described as bansecr in ldquoSample proxyinfosql scriptrdquo on page C-1
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly For example the webservices configuration in bnigWeb needs to match what was configured in the baniamproperties within the baniamjar file Likewise the value of the ticket parameter name such as iamticket for INB should match the parameter which was added to your formswebcfg as follows
iamticket=iamticket
Reference the forms configuration across the board when referencing formsfrmservletconfig=hellip in BNIG configuration and in banportals The above example uses smpl_sctsso The INB and SSB cookieheader name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOMEopmnlogs or errors such as ldquoSOAPException faultCode=INVALID SOAP RESPONSErdquo in your idproxy_application logs there may be a problem with the AQ JMS queues or subscriptions or the Oracle streams upon which JMS relies To correct the problem complete the following steps
1 Locate the jmsxml file in $OAS_HOMEj2eeBEISconfig and ensure that the persistence file locations are accurate The base directory within the context of that
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
jmsxml file is $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
2 Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
3 Delete any Lock files
Another SOAP-related error is the following which can occur even if all the JMS queues are configured and operating correctly
This HTTP transport error suggests that the proxy configuration is the problem Adjust the Web Services Configuration from FQDN to localhost or set the http_proxy environment variable as needed for your environment as in the following example
http_proxy=httpwww-proxysungardedu8080export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator Solution 1-BDD1LK located in the SunGard Higher Education Customer Support Center describes how to use JPI by default
Validating Banner Enterprise Identity Services event streams
The following topics provide for more information about validating streams used for Banner Enterprise Identity Services events
er 2011 Luminis Platform 503 T-3Banner Integration Setup Guide
Troubleshooting
T-4
Oracle streamsBanner Enterprise Identity Services validation
For more information refer to the Banner Enterprise Identity Services Installation Guide
One typo is the following
1 Select count() from GSVCADT whereGSVCADT_CAPTURE_NAME=IAM_EVENTS_CAPTURE missing single quote
2 If the results from those validation SQL statements do not match the expected results run the following scriptsgorctabi_070501sql
gorccoli_070501sql
gorcruli_070501sql
These are Banner General files and are located on your Banner DB under $Banner_Home upgradegen80000u The files were introduced in Banner General 751 and can be run again to verify the seed data is in place For more information see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center
3 Ensure that you are using General 83 or above then enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
The latter command should automatically begin the capture and apply To manually begin the capture enter the following commandexec gp_streams_utilp_start_capture(IAM)
exec gp_streams_utilp_start_apply(IAM)
If streams are locking on archivelogs you can remove the stream by entering the following commandexec gp_streams_utilp_remove_streams(IAM)
4 To recreate and reconfigure the streams enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
C Sample Scripts and Files
This appendix contains examples of scripts and LDIF files you might use during the integration. These scripts include the following:
• "Sample proxyinfo.sql script"
• "Sample 00-core.ldif"
• "Sample 99-user.ldif"
• "Sample sso_oclass_lum5.ldif"
• "Sample o=sctssoapplications.ldif"
• "Full lp5_mqinit.sh script"
Sample proxyinfo.sql script
The following is an example proxyinfo.sql script:
--------------------------------------------------------------
-- PROXYINFO.SQL
--------------------------------------------------------------
-- This script can be used to determine what Oracle ID is
-- connected to a specific Luminis ID. When run, it will
-- prompt you to enter a Luminis ID. If a generic Oracle ID
-- such as INTEGMGR or WWW_USER is returned, then there was
-- no mapping found and the default is used.
--------------------------------------------------------------
--------------------------------------------------------------
-- Program Usage:
-- ___________________________________________________________
-- To use the program:
-- 1) login to SQL as BANINST1
-- 2) Type "start proxyinfo"
--    to run the program
--------------------------------------------------------------
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS    TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                     TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- prompts for the Luminis ID (scan on)
  d varchar2(200);                    -- Oracle user returned by the lookup
  e varchar2(200);                    -- role returned by the lookup
  f varchar2(200);                    -- proxy password (not printed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif
The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif
The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file in sso_oclass_lum5.ldif:
attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif
The sso_oclass_lum5.ldif file must be imported to define the objectclass and attributetypes associated with the o=SCTSSOapplications objects. By importing the following LDIF, the 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.
The following is a sample sso_oclass_lum5.ldif:
dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
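The UserMapDN lookup that this LDIF configures, as an added Python example that is not part of the guide: it parses the sample above (including the folded description line, which LDIF continues with a leading space), resolves a Luminis user to the mapped Banner user, and falls back to a default Oracle ID when no mapping exists, which is the case proxyinfo.sql reports as a generic ID. The default ID name and the in-memory lookup in place of a directory search are assumptions.

```python
import base64

# Constructed sample: the guide's o=sctssoapplications.ldif entries that the
# lookup needs, copied as LDIF including the folded "description" line.
SAMPLE_LDIF = """version: 1
dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
"""

USERMAP_CONFIG_DN = "cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications"


def unfold_ldif(text):
    """Join LDIF continuation lines: a line beginning with one space
    continues the previous line (RFC 2849 folding)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF records into {dn_lowercased: {attr_lowercased: [values]}}.
    'attr:: value' carries a base64 value (the form the guide uses for a
    pre-encoded userPassword); 'version:' and '#' comment lines are skipped.
    DNs and attribute names are lowercased because LDAP compares them
    case-insensitively."""
    entries = {}
    record = {}
    for line in unfold_ldif(text) + [""]:
        if line == "":
            if "dn" in record:
                entries[record.pop("dn")[0].lower()] = record
            record = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        record.setdefault(name.strip().lower(), []).append(value)
    return entries


def resolve_banner_user(entries, luminis_user, default_oracle_id="BANPROXY"):
    """Return (banner_user, mapped). Reads the usermap DN from the UserMapDN
    config entry, then looks for cn=<luminis_user> beneath it. With no
    mapping, the assumed default Oracle ID is returned and mapped is False."""
    config = entries.get(USERMAP_CONFIG_DN.lower())
    if config is None:
        raise KeyError("UserMapDN config entry not found")
    usermap_dn = config["sctssoconfigstring"][0]
    entry = entries.get(f"cn={luminis_user},{usermap_dn}".lower())
    if entry is None:
        return default_oracle_id, False
    return entry["sctssoconfigstring"][0], True


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user in ("kyle", "610009611", "unmapped-user"):
        print(user, "->", resolve_banner_user(directory, user))
```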
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/sh
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
# To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"
#
# User-configurable variables; set these before running the script:
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
#
# You probably shouldn't need to adjust these:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389
#
# Non-configurable variables, initialized:
STEPNO=1
ERRORCODE=0
#
# After each command, check for a non-zero error response and exit if applicable:
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      # err=20 generally means "Attribute or Value Exists"
      # err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break 2 ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun):
        echo "Outer loop break" ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}
#
# Step 01:
# Some sanity checks before we start:
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d $OPENDS_DIR ) || ! ( -w $OPENDS_DIR ) ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting..."
  exit 1
fi
#
# Step 02:
# Prompt [no screen echo] for the DM password:
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD
# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Note that --trustAll skips server certificate validation, so run this only
# on the resource tier against the local directory server.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options:
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"
# STEP 1:
# Create a new base-dn within backend userRoot:
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 2:
# Ensure that pre-encoded passwords are allowed:
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 3:
# Add $OPENDS_MQ_BASEDN:
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 4:
# Add ou=People to $OPENDS_MQ_BASEDN:
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 5:
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN:
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 6:
# Add $MQ_LMG_USER:
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword (allowed by STEP 2), the
# format would be (the "::" marks a base64-encoded LDIF value):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
#
# STEP 7:
# Add the $MQ_LUM_USER user:
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 8:
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
# (read-only: the broker users get no write rights in the subtree):
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 9:
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN:
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands.
# Note: the provider URL uses the plain LDAP port, so the Directory Manager
# credential crosses the wire unencrypted; keep this on the resource tier.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options:
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options:
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
#
# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
#
# The lookup names contain a literal "$", so they are single-quoted to keep
# the shell from expanding them.
# STEP 10:
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration:
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 11:
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration:
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 12:
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration:
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 13:
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration:
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 14:
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# (The guide's listing sets imqDestinationName to com_sct_ldi_sis_Sync here, which is a
# topic; the queue's own destination name is used so the lookup name and destination agree.)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 15:
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (same correction as STEP 14):
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 16:
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.:
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 17:
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.:
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 18:
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.:
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
#
# STEP 19:
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.:
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
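Rather than the cleartext MQ_LMG_USER_PW value the script puts in the STEP 6 and STEP 7 LDIF, the pre-encoded password policy enabled in STEP 2 lets you supply an {SSHA} value like the sample in the script. The following Python is added here and is not part of the guide's scripts: it builds and verifies such values and writes the userPassword:: line in the same form; the 8-byte salt length and the sample passwords are assumptions.

```python
import base64
import hashlib
import hmac
import os

# The guide's pre-encoded sample line, copied from the script above. The
# password behind it is not known here, so only its structure is checked.
GUIDE_SAMPLE_LINE = ("userPassword:: "
                     "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==")

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes
SALT_LEN = 8  # assumption: OpenDS's salted-SHA-1 scheme appends an 8-byte salt


def ssha_encode(password, salt=None):
    """Build an {SSHA} value: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parse(value):
    """Split an {SSHA} value into (digest, salt); raises on malformed input."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to hold a digest plus a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password, value):
    """Check a password against an {SSHA} value using a constant-time compare."""
    digest, salt = ssha_parse(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_password_line(encoded):
    """Write the value the way the guide shows it: 'userPassword::' (LDIF's
    base64 marker) followed by the base64 of the whole {SSHA}... string."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def ldif_password_value(line):
    """Reverse ldif_password_line: recover the {SSHA} value from the LDIF line."""
    name, sep, rest = line.partition("::")
    if not sep or name.strip().lower() != "userpassword":
        raise ValueError("expected a 'userPassword::' line")
    return base64.b64decode(rest.strip()).decode("ascii")


def broker_user_ldif(cn, base_dn, description, password, salt=None):
    """The STEP 6/7 person entry with a pre-encoded password instead of the
    cleartext MQ_*_USER_PW value (requires STEP 2's policy change)."""
    return "\n".join([
        f"dn: cn={cn},ou=People,{base_dn}",
        ldif_password_line(ssha_encode(password, salt)),
        f"description: {description}",
        "objectClass: person",
        "objectClass: top",
        f"sn: {cn}",
        f"cn: {cn}",
        "",
    ])


if __name__ == "__main__":
    print(broker_user_ldif("lmguser", "o=messaging", "LMG", "change-me"))
```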
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When "Authorize BANPROXY" is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, described as bansecr in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff member can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the webservices configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating streams used for Banner Enterprise Identity Services events.
Oracle streamsBanner Enterprise Identity Services validation
For more information refer to the Banner Enterprise Identity Services Installation Guide
One typo is the following
1 Select count() from GSVCADT whereGSVCADT_CAPTURE_NAME=IAM_EVENTS_CAPTURE missing single quote
2 If the results from those validation SQL statements do not match the expected results run the following scriptsgorctabi_070501sql
gorccoli_070501sql
gorcruli_070501sql
These are Banner General files and are located on your Banner DB under $Banner_Home upgradegen80000u The files were introduced in Banner General 751 and can be run again to verify the seed data is in place For more information see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center
3 Ensure that you are using General 83 or above then enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
The latter command should automatically begin the capture and apply To manually begin the capture enter the following commandexec gp_streams_utilp_start_capture(IAM)
exec gp_streams_utilp_start_apply(IAM)
If streams are locking on archivelogs you can remove the stream by entering the following commandexec gp_streams_utilp_remove_streams(IAM)
4 To recreate and reconfigure the streams enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
Luminis Platform 5.0.3 Banner Integration Setup Guide, November 2011
--------------------------------------------------------------
-- Audit Trail 1.0
-- ___________________________________________________________
-- 1. Initial Release - NON-SUPPORTED PROCESS           TH 07-JUN-06
--
-- Audit Trail 1.1
-- ___________________________________________________________
-- 1. Update                                            TH 06-APR-07
--    Updated g$_get_proxy_info call to accommodate Gen 7.4.1
--------------------------------------------------------------
set serveroutput on scan on
spool proxyinfo.lst
declare
  a varchar2(200) := 'CHANNEL';
  b varchar2(200) := 'LUMINIS';
  c varchar2(200) := '&Luminis_ID';   -- SQL*Plus prompts for the Luminis user ID
  d varchar2(200);                    -- out: Oracle user to proxy as
  e varchar2(200);                    -- out: role
  f varchar2(200);                    -- out: password (deliberately not printed)
  z varchar2(200);
begin
  dbms_output.put_line('Call G$_Get_Proxy_Info');
  gspprxy.g$_get_proxy_info(a, b, c, z, d, e, f);
  dbms_output.put_line(' Role: ' || e);
  -- dbms_output.put_line(' PWD: ' || f);
  dbms_output.put_line(' Luminis User: ' || c);
  dbms_output.put_line(' Oracle User: ' || d);
end;
/
spool off
Sample 00-core.ldif

The following is an example of what to add to the 00-core.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
Sample 99-user.ldif

The following is an example of what to add to the 99-user.ldif file in $CP_ROOT/products/opends/config/schema after importing the LDIF file sso_oclass_lum5.ldif:

attributeTypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )
Sample sso_oclass_lum5.ldif

The sso_oclass_lum5.ldif file must be imported to define the object class and attribute types associated with the o=SCTSSOapplications objects. By importing the following LDIF, 00-core.ldif and 99-user.ldif should be updated as stated in their respective sections. After you add those entries to the schema, you can import the LDIF data in "Sample o=sctssoapplications.ldif" on page C-4.

The following is a sample sso_oclass_lum5.ldif:

dn: cn=Schema
changetype: modify
add: attributetypes
attributetypes: ( SCTSSOConfigString-oid NAME 'SCTSSOConfigString' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

dn: cn=Schema
changetype: modify
add: objectclasses
objectclasses: ( SCTSSOConfig-oid NAME 'SCTSSOConfig' SUP top STRUCTURAL MUST ( cn $ SCTSSOConfigString $ Description ) )

Note: Instead of using the <name>-oid naming convention, you can use actual OID numbers, such as 1.3.6.1.4.1…
Sample o=sctssoapplications.ldif

The following is a sample o=sctssoapplications.ldif file:

version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
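As an added example (not part of the guide and not Ellucian code), the following Python shows how the schema in sso_oclass_lum5.ldif and the data in o=sctssoapplications.ldif fit together: it parses an LDIF file in the shape of the sample above, checks every SCTSSOConfig entry against the MUST clause ( cn $ SCTSSOConfigString $ Description ), and resolves a Luminis user to the Banner user by following UserMapDN into o=usermap, falling back to the same name when no mapping exists. The embedded LDIF is constructed from the page's entries, with the cn=kyle entry deliberately missing its description so the schema check has something to report.

```python
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample in the shape of o=sctssoapplications.ldif (the cn=kyle
# entry omits "description" on purpose to exercise the MUST check).
SAMPLE_LDIF = """version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Ba
 nner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
SCTSSOConfigString: saisusr
"""

# MUST attributes of SCTSSOConfig from sso_oclass_lum5.ldif (lower-cased)
SCTSSOCONFIG_MUST = ("cn", "sctssoconfigstring", "description")


def norm_dn(dn: str) -> str:
    """Case-insensitive DN key with no whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal RFC 2849 reader: unfolds continuation lines, decodes '::' base64
    values, keys entries by normalized DN; attribute names are lower-cased."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # leading space continues the previous line
        else:
            lines.append(raw)
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line == "":
            if "dn" in current:
                entries[norm_dn(current["dn"][0])] = current
            current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # attr:: base64value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def missing_must_attrs(entries: Dict[str, Entry]) -> Dict[str, List[str]]:
    """{dn: [missing attributes]} for SCTSSOConfig entries violating the MUST clause."""
    problems: Dict[str, List[str]] = {}
    for dn, attrs in entries.items():
        classes = [v.lower() for v in attrs.get("objectclass", [])]
        if "sctssoconfig" in classes:
            missing = [a for a in SCTSSOCONFIG_MUST if a not in attrs]
            if missing:
                problems[dn] = missing
    return problems


def banner_user_for(entries: Dict[str, Entry], luminis_user: str,
                    app: str = "Banner", root: str = "o=SCTSSOapplications") -> str:
    """Resolve the Banner user: read UserMapDN under o=config, then look for
    cn=<luminis_user> under that DN. Unmapped users keep their own name."""
    cfg = entries.get(norm_dn(f"cn=UserMapDN,o=config,o={app},{root}"))
    if cfg is None:
        raise KeyError("UserMapDN configuration entry not found")
    usermap_dn = cfg["sctssoconfigstring"][0]
    mapping = entries.get(norm_dn(f"cn={luminis_user},{usermap_dn}"))
    if mapping is None:
        return luminis_user
    return mapping["sctssoconfigstring"][0]


if __name__ == "__main__":
    data = parse_ldif(SAMPLE_LDIF)
    for user in ("kyle", "610009611", "alice"):
        print(user, "->", banner_user_for(data, user))
    print("schema problems:", missing_must_attrs(data))
```

Running the schema check before importing the data file catches exactly the kind of entry OpenDS would reject (objectClass violation) once the SCTSSOConfig schema from sso_oclass_lum5.ldif is in place.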
Full lp5_mqinit.sh script

The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.

#!/bin/bash
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc, general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#   (bash is required: the script uses "read -s" and (( )) arithmetic)
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables: set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck() {
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      #   err=20 generally means "Attribute or Value Exists"
      #   err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y )
            break ;;
          * )
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun intended)
        echo "Outer loop break"
        ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
        exit 1 ;;
    esac
  done
}

# Step 01
# Some sanity checks before we start:
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! -d "$OPENDS_DIR" || ! -w "$OPENDS_DIR" ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the \$CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02
# Prompt [no screen echo] for the Directory Manager password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD
echo

# Note: -w puts the bind password on each command line, where it is visible
# in process listings; the OpenDS tools also accept -j <file> (--bindPasswordFile).
# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot
cd "$CP_ROOT/products/opends/bin"
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be
# (the "{SSHA}..." value is base64-wrapped in LDIF, hence the double colon):
#   userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP ACI so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
# (targetattr="*" covers every user attribute in the subtree; narrow it if your
# policy requires the broker user to see only the administered-object attributes)
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP ACI so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands
# (this binds as Directory Manager over plain LDAP on $INSECURE_LDAP_PORT, so the
# credential crosses the network in the clear; run on the resource tier itself
# or use an ldaps:// provider URL if the directory offers one)
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (lookup names are single-quoted so the shell does not expand "$com_...")
cd "$MQ_HOME/bin"
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (destination name aligned with the queue name and the imqcmd list above; the
# guide's listing had com_sct_ldi_sis_Sync, which is the Sync topic, here)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
# (destination name aligned with the queue name, as in STEP 14)
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
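The script above stores the broker users' passwords in cleartext variables (MQ_LMG_USER_PW, MQ_LUM_USER_PW) and, in STEP 2, enables pre-encoded passwords so that an already-hashed value can be loaded instead. As an added example (not part of the guide or of Ellucian's scripts), the following Python produces and verifies the {SSHA} form that OpenDS accepts (SHA-1 over password plus an 8-byte salt, salt appended, base64 encoded), writes it as the double-colon LDIF line the script's STEP 6 comment shows, and reads such a line back. The only page value used is the sample base64 string from that comment; everything else is constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Pre-encoded value quoted in the script's STEP 6 comment (page content),
# exactly as it appears after "userPassword:: " in LDIF.
PAGE_SAMPLE_B64 = "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="

SHA1_LEN = 20   # digest length
SALT_LEN = 8    # OpenDS appends an 8-byte random salt


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307 style {SSHA}: base64( sha1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, encoded: str) -> bool:
    """Recover the salt from the stored value, recompute, compare in constant time."""
    if not encoded.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword_line(encoded: str) -> str:
    """The double-colon LDIF form: the whole "{SSHA}..." string base64-wrapped,
    which is how OpenDS tools and the script's comment present userPassword."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def inspect_ldif_userpassword(line: str) -> Tuple[str, int, int]:
    """From a 'userPassword:: <b64>' line return (scheme, digest bytes, salt bytes)."""
    _, sep, b64 = line.partition("::")
    if not sep:
        raise ValueError("expected a base64 (double colon) LDIF value")
    encoded = base64.b64decode(b64.strip()).decode("ascii")
    scheme = encoded[: encoded.index("}") + 1]
    raw = base64.b64decode(encoded[len(scheme):])
    return scheme, min(len(raw), SHA1_LEN), max(len(raw) - SHA1_LEN, 0)


if __name__ == "__main__":
    value = ssha_encode("password")          # constructed demo password
    print(ldif_userpassword_line(value))
    print("verify ok:", ssha_verify("password", value))
    print("page sample:", inspect_ldif_userpassword("userPassword:: " + PAGE_SAMPLE_B64))
```

Generating the value offline and pasting the userPassword:: line into the heredoc keeps the cleartext out of the script, out of shell history and out of the directory, which is the point of allowing pre-encoded passwords in STEP 2.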
Troubleshooting

This appendix discusses options for troubleshooting username mapping and other issues in the Luminis Platform portlets for Banner.

Error message when banproxy is not configured correctly

The following error often indicates that the banproxy configuration is not set up properly:

ORA-28150: proxy not authorized to connect as client

If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:

SQL> alter user INTEGMGR grant connect through INTEGMGR;

The proxy (connect-through) connection for BANPROXY access should appear as follows:

SQL> alter user USER1 grant connect through USER2;

USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.

When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.

For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.

To test which Oracle ID should be used for a given SPRIDEN ID or Luminis Platform user, use the gspprxy.g$_get_proxy_info procedure or the proxyinfo.sql script, executed as bansecr, described in "Sample proxyinfo.sql script" on page C-1.
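As an added example (not the guide's or Banner's code), the following Python models the check behind ORA-28150 and the manual-grant advice above: it takes constructed rows in the shape of Oracle's PROXY_USERS view (PROXY, CLIENT columns), reports whether a given connection user may connect as a given client, and lists the ALTER USER ... GRANT CONNECT THROUGH statements still missing when INTEGMGR is the default Oracle ID (the connection user itself for non-INB users, plus every INB user). The user names are constructed and do not come from a real database.

```python
from typing import Iterable, List, Sequence, Set, Tuple

ORA_28150 = "ORA-28150: proxy not authorized to connect as client"

# Constructed rows shaped like PROXY_USERS (PROXY, CLIENT). A row (P, C) is what
# "ALTER USER C GRANT CONNECT THROUGH P" produces.
SAMPLE_PROXY_USERS: List[Tuple[str, str]] = [
    ("BANPROXY", "STUDENT1"),   # SSB student authorized via GSASECR "Authorize BANPROXY"
    ("INTEGMGR", "INTEGMGR"),   # self-grant the guide requires for non-INB users
    ("INTEGMGR", "JSMITH"),     # INB user already granted connect through INTEGMGR
]


def _grant_set(proxy_users: Iterable[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    return {(p.upper(), c.upper()) for p, c in proxy_users}


def can_proxy(proxy_users: Iterable[Tuple[str, str]], proxy: str, client: str) -> bool:
    """True when a CONNECT THROUGH grant lets `proxy` open a session as `client`."""
    return (proxy.upper(), client.upper()) in _grant_set(proxy_users)


def connect_as(proxy_users: Iterable[Tuple[str, str]], proxy: str, client: str) -> str:
    """Outcome of a proxy connection 'proxy[client]': the client name, or the ORA-28150 text."""
    if can_proxy(proxy_users, proxy, client):
        return client.upper()
    return ORA_28150


def missing_connect_through_grants(proxy_users: Iterable[Tuple[str, str]],
                                   default_oracle_id: str,
                                   inb_users: Sequence[str]) -> List[str]:
    """Grants still needed for a non-BANPROXY default Oracle ID: the ID's own
    self-grant (covers non-INB users) plus one per INB user. Run as bansecr."""
    grants = _grant_set(proxy_users)
    proxy = default_oracle_id.upper()
    stmts: List[str] = []
    for client in [proxy] + [u.upper() for u in inb_users]:
        if (proxy, client) not in grants:
            stmts.append(f"ALTER USER {client} GRANT CONNECT THROUGH {proxy};")
    return stmts


if __name__ == "__main__":
    print(connect_as(SAMPLE_PROXY_USERS, "INTEGMGR", "MJONES"))
    for stmt in missing_connect_through_grants(SAMPLE_PROXY_USERS, "INTEGMGR", ["JSMITH", "MJONES"]):
        print(stmt)
```

Feeding the real rows (SELECT proxy, client FROM proxy_users) and the list of INB users into missing_connect_through_grants gives the exact statements to review before running them as bansecr, rather than discovering each missing grant one ORA-28150 at a time.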
Banner Enterprise Identity Services - INB SSO

The handoff logic between the SSO systems is intentionally somewhat cryptic, to prevent hijacking and other security breaches. The installation process is manual so that each institution's administrative staff can customize their specific environment to use unique keywords.

The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb must match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, must match the parameter that was added to your formsweb.cfg, as follows:

iamticket=iamticket

Reference the same forms configuration everywhere you reference forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration must match the IDM settings in Web Tailor Parameters.
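As an added example (not the guide's code), the following Python performs the consistency check the paragraph calls for: it parses a constructed formsweb.cfg fragment containing the [smpl_sctsso] section and the iamticket=iamticket entry from the page, reads the config= section name out of a constructed forms/frmservlet URL, and reports any mismatch between the BNIG side and formsweb.cfg. The BNIG-side key names inb.forms.url and inb.ticket.parameter are hypothetical placeholders, since the guide does not list the actual bnigWeb keys.

```python
import configparser
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed formsweb.cfg fragment; the section name smpl_sctsso and the
# iamticket=iamticket entry are the ones the guide shows.
SAMPLE_FORMSWEB_CFG = """\
[default]
serverURL=/forms/lservlet

[smpl_sctsso]
serverURL=/forms/lservlet
iamticket=iamticket
"""

# Constructed BNIG-side settings. The key names are hypothetical placeholders
# (the guide does not list the bnigWeb keys); only the comparison matters.
SAMPLE_BNIG_SETTINGS: Dict[str, str] = {
    "inb.forms.url": "https://inb.example.edu/forms/frmservlet?config=smpl_sctsso",
    "inb.ticket.parameter": "iamticket",
}


def parse_formsweb_cfg(text: str) -> Dict[str, Dict[str, str]]:
    """formsweb.cfg is INI-like: [section] headers with key=value lines."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case; formsweb.cfg parameter names are case sensitive
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def check_inb_sso_config(formsweb: Dict[str, Dict[str, str]], bnig: Dict[str, str]) -> List[str]:
    """Mismatches between the BNIG settings and formsweb.cfg; an empty list means consistent."""
    problems: List[str] = []
    query = parse_qs(urlsplit(bnig["inb.forms.url"]).query)
    section = query.get("config", [None])[0]
    if section is None:
        return ["forms URL has no config= parameter"]
    if section not in formsweb:
        return [f"formsweb.cfg has no [{section}] section"]
    ticket = bnig["inb.ticket.parameter"]
    if ticket not in formsweb[section]:
        problems.append(f"[{section}] does not define the ticket parameter '{ticket}'")
    return problems


if __name__ == "__main__":
    cfg = parse_formsweb_cfg(SAMPLE_FORMSWEB_CFG)
    print(check_inb_sso_config(cfg, SAMPLE_BNIG_SETTINGS) or "consistent")
```

The same check can be pointed at the live files: parse the real formsweb.cfg and substitute the values your bnigWeb configuration actually holds; a non-empty result is the drift that produces an INB login that never receives its ticket.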
If you see AJP-related errors in the Banner Enterprise Identity Services default island log, located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams on which JMS relies. To correct the problem, complete the following steps:

1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

3. Delete any lock files.

Another SOAP-related error, an HTTP transport error, can occur even if all the JMS queues are configured and operating correctly. This error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:

http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy

Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.

Validating Banner Enterprise Identity Services event streams

The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation

For more information, refer to the Banner Enterprise Identity Services Installation Guide. One typo to watch for is the following:

1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the statement as printed is missing a single quote)

2. If the results from those validation SQL statements do not match the expected results, run the following scripts:

gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql

These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7, located in the SunGard Higher Education Customer Support Center.

3. Ensure that you are using General 8.3 or above, then enter the following commands:

exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');

The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:

exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');

If the streams are locking on archive logs, you can remove the stream by entering the following command:

exec gp_streams_util.p_remove_streams('IAM');

4. To recreate and reconfigure the streams, enter the following commands:

exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 11
Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Error -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 12
Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_LmsSync -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 13
Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Sync -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
STEP 14
Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateRequest -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 15
Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateReply -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 16
Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 17
Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 18
Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
er 2011 Luminis Platform 503 C-13Banner Integration Setup Guide
Sample Scripts and Files
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:
SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;
The proxy (connect-through) grant for BANPROXY access has the following form:
SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted EXECUTE on gspprxy and CREATE SESSION (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in SYS.PROXY_USERS, regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you should issue manual grants, executed as BANSECR, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document in the SunGard Higher Education Customer Support Center, and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect-through grants via SQL when using the GSASECR form to check BANPROXY access, if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given SPRIDEN ID or Luminis Platform user, use the gspproxy.get_proxy_info method, or the proxyinfo.sql script, run as BANSECR, described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is deliberately somewhat cryptic, to make hijacking and other security breaches harder. The installation process is manual so that each site's administrative staff can customize their environment to use unique keywords.
The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg, as follows:
iamticket=iamticket
Use the same Forms configuration name everywhere forms/frmservlet?config=… is referenced, in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header names in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see AJP-related errors in the Banner Enterprise Identity Services default island log, located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams on which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your Forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo in that guide is the following:
1. SELECT COUNT(*) FROM GSVCADT WHERE GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the guide's version of this statement is missing the closing single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner database server under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7, located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
The latter command should automatically begin the capture and apply. To begin the capture and apply manually, enter the following commands:
exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');
If Streams is locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM');
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
Sample o=sctssoapplications.ldif
The following is a sample o=sctssoapplications.ldif file:
version: 1

dn: o=SCTSSOapplications
objectClass: top
objectClass: organization
o: SCTSSOapplications
description: SCT SSO Application Configurations

dn: o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: Banner
description: Banner Application Configurations for SSO

dn: o=config,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: config
description: Banner Application Configurations for SSO

dn: cn=UserMapDN,o=config,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: UserMapDN
description: DN of User Map where the Luminis user is not the same as the Banner user
SCTSSOConfigString: o=usermap,o=Banner,o=SCTSSOapplications

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to saisusr
SCTSSOConfigString: saisusr
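To show how the entries under o=usermap are consumed, the following Python is an added example, not part of the guide and not Luminis code: a small LDIF reader that handles folded lines (a continuation line starting with one space, as in the wrapped description above) and base64 ("::") values, followed by a lookup that resolves a Luminis username to the Banner user named in SCTSSOConfigString. The LDIF inside it is constructed in the layout of the listing above; the function names, and the fallback that an unmapped Luminis user keeps the same username in Banner (consistent with the UserMapDN description), are this example's own assumptions.

```python
import base64

# Constructed sample in the layout of the guide's o=sctssoapplications.ldif listing
# (same usermap entries as the guide; the folded "description" line and the base64
# "::" value on the last entry are added to exercise those two LDIF rules).
SAMPLE_LDIF = """\
version: 1

dn: o=usermap,o=Banner,o=SCTSSOapplications
objectClass: top
objectClass: organization
o: usermap
description: Banner Application User Mappings

dn: cn=610009611,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: 610009611
description: Map of 610009611 to saisusr
SCTSSOConfigString: saisusr

dn: cn=kyle,o=usermap,o=Banner,o=SCTSSOapplications
objectClass: SCTSSOConfig
objectClass: top
cn: kyle
description: Map of kyle to sais
 usr
SCTSSOConfigString:: c2Fpc3Vzcg==
"""

USERMAP_BASE = "o=usermap,o=Banner,o=SCTSSOapplications"   # value of UserMapDN in the guide


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attribute: [values]}) records.

    Handles the optional "version:" line, "#" comments, blank-line record separators,
    folded lines (a line starting with one space continues the previous line) and
    "attr:: base64" values.  Change records (changetype:) are not needed here.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]           # unfold a continuation line
        else:
            logical.append(raw)

    records, attrs = [], {}
    for line in logical + [""]:              # the trailing "" flushes the last record
        if line == "":
            if attrs:
                dn = attrs.pop("dn", [None])[0]
                if dn is None:
                    raise ValueError("LDIF record without a dn")
                records.append((dn, attrs))
                attrs = {}
            continue
        if line.startswith("#") or (line.startswith("version:") and not records and not attrs):
            continue
        idx = line.find(":")
        if idx <= 0:
            raise ValueError("malformed LDIF line: %r" % line)
        name = line[:idx]
        if line.startswith("::", idx):      # base64-encoded value
            value = base64.b64decode(line[idx + 2:].strip()).decode("utf-8")
        else:
            value = line[idx + 1:].strip()
        attrs.setdefault(name, []).append(value)
    return records


def _dn_parts(dn):
    """Split a DN on commas and normalize case and whitespace (enough for these DNs;
    escaped commas inside values are not handled)."""
    return [p.strip().lower() for p in dn.split(",")]


def build_usermap(records, base=USERMAP_BASE):
    """Collect cn -> SCTSSOConfigString for SCTSSOConfig entries one level below base."""
    base_parts = _dn_parts(base)
    mapping = {}
    for dn, attrs in records:
        parts = _dn_parts(dn)
        if len(parts) != len(base_parts) + 1 or parts[1:] != base_parts:
            continue
        if "SCTSSOConfig" not in attrs.get("objectClass", []):
            continue
        mapping[attrs["cn"][0]] = attrs["SCTSSOConfigString"][0]
    return mapping


def banner_user_for(luminis_user, mapping):
    """Resolve the Banner user for a Luminis user.  Assumption of this example: a
    Luminis user with no mapping entry uses the same username in Banner."""
    return mapping.get(luminis_user, luminis_user)


if __name__ == "__main__":
    usermap = build_usermap(parse_ldif(SAMPLE_LDIF))
    for user in ("kyle", "610009611", "someone-unmapped"):
        print("%s -> %s" % (user, banner_user_for(user, usermap)))
```

The mapping is keyed on the cn of each SCTSSOConfig entry directly under the usermap base, so an entry placed elsewhere in the tree, or lacking the SCTSSOConfig object class, is ignored rather than silently mapping a user.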
Full lp5_mqinit.sh script
The full lp5_mqinit.sh script referred to in "Set up users and administered objects in o=messaging" on page 3-3 is listed below.
#!/bin/bash
# author: david.norton@sungardhe.com
#
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc; general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/bash [-x|-v] lp5_mqinit.sh". The script uses bash
#   features ([[ ]], (( )), "read -s", "break 2"), so a plain POSIX /bin/sh
#   will not run it.
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables; set these before running the script
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password      # placeholder only: replace with a real secret before running
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password      # placeholder only: replace with a real secret before running
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable
ErrorCheck()
{
    while :
    do
        case "$ERRORCODE" in
            # err=0: no error
            0 ) break ;;
            # Not necessarily errors; might indicate the script already ran:
            #   err=20 generally means "Attribute or Value Exists"
            #   err=68 generally means "Entry Already Exists"
            20|68 )
                echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
                read PROCEED
                case "$PROCEED" in
                    Y|y ) break 2 ;;
                    * )
                        echo "Failed on step $STEPNO with error $ERRORCODE"
                        exit 1 ;;
                esac
                # Shouldn't ever get here, but just in case (no pun):
                echo "Outer loop break"
                break ;;
            * ) echo "Failed on step $STEPNO with error $ERRORCODE"
                exit 1 ;;
        esac
    done
}

# Step 01
# Some sanity checks before we start:
# does $OPENDS_DIR exist, and is it writable?
if [[ ! -d "$OPENDS_DIR" || ! -w "$OPENDS_DIR" ]]; then
    echo "ERROR: $OPENDS_DIR does not exist or is not writable."
    echo "You must execute this script as the $CP_ROOT installer/owner"
    echo "on the resource tier. Exiting."
    exit 1
fi

# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Note: -w places the password on the command line, where other local users can
# read it from the process list, and --trustAll skips server certificate checks.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"

# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1
# Create a new base-dn within backend userRoot.
# The OpenDS tools are invoked as ./dsconfig and ./ldapmodify so that an OpenLDAP
# ldapmodify earlier in PATH (which does not understand these options) is not picked up.
cd $CP_ROOT/products/opends/bin
./dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2
# Ensure that pre-encoded passwords are allowed
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3
# Add $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword (an "{SSHA}..." hash, which STEP 2
# made the server accept) instead of the clear-text value, the LDIF format would be
# (the double colon marks a base64-encoded value):
#   userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
# This is read-only access (no write, add or delete); the acl name is only a label.
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
./ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands.
# Note: this binds as cn=Directory Manager with simple authentication over the plain
# (non-TLS) LDAP port, so the Directory Manager password crosses the network in clear
# text. Run the script on the directory host itself, or point the provider URL at the
# directory's LDAPS listener.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
# The "$" is part of the JNDI lookup name, so the -l values below are single-quoted to
# keep the shell from expanding them as variables.
cd $MQ_HOME/bin
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
./imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# imqDestinationName is the queue's own name (compare the imqcmd list above), not
# com_sct_ldi_sis_Sync, which is the name of a topic.
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
./imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
./imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
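The pre-encoded userPassword shown in the note after STEP 6 carries two layers of encoding: the LDIF "::" form is base64 over the stored value, and the stored value is "{SSHA}" followed by base64 over sha1(password || salt) || salt, which is why STEP 2 has to enable ds-cfg-allow-pre-encoded-passwords before such a value can be loaded. The Python below is an added example, not part of the guide or of lp5_mqinit.sh: it unwraps the guide's sample value and checks its structure, then generates and verifies an SSHA value of the same shape for a new entry. The function names and the example password are this example's own, and the password behind the guide's sample is not known here.

```python
import base64
import hashlib
import hmac
import os

# Sample value copied from the guide's note after STEP 6: the base64 text that follows
# "userPassword::" in the LDIF.  The password it was derived from is not known here.
GUIDE_SAMPLE = "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="

SHA1_LEN = 20   # bytes in a SHA-1 digest
SALT_LEN = 8    # salt length this example uses for newly generated values


def ldif_to_stored(ldif_b64):
    """Undo the LDIF '::' base64 wrapping and return the value the directory stores."""
    return base64.b64decode(ldif_b64, validate=True).decode("ascii")


def stored_to_ldif(stored):
    """Wrap a stored value as the LDIF attribute line in base64 form."""
    return "userPassword:: " + base64.b64encode(stored.encode("ascii")).decode("ascii")


def parse_ssha(stored):
    """Split '{SSHA}' + base64(digest || salt) into (digest, salt); reject other schemes."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an SSHA value: %r" % stored[:stored.find("}") + 1])
    raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("SSHA payload carries no salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def make_ssha(password, salt=None):
    """Produce an '{SSHA}...' value: base64 of sha1(password || salt) followed by the salt."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = parse_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def inspect_guide_sample():
    """Return (stored value, digest length, salt length) for the guide's sample."""
    stored = ldif_to_stored(GUIDE_SAMPLE)
    digest, salt = parse_ssha(stored)
    return stored, len(digest), len(salt)


if __name__ == "__main__":
    stored, dlen, slen = inspect_guide_sample()
    print("guide sample decodes to %s (digest %d bytes, salt %d bytes)" % (stored, dlen, slen))
    # A value for a new entry, from a constructed password (example only).
    new_value = make_ssha("lmguser-example-secret")
    print(stored_to_ldif(new_value))
    print("correct password verifies:", verify_ssha("lmguser-example-secret", new_value))
    print("wrong password verifies:  ", verify_ssha("wrong", new_value))
```

SSHA is a single salted SHA-1, cheap to brute-force offline, so a pre-encoded value deserves the same handling as the clear-text password it replaces; either way, the script's clear-text defaults ("password") should be changed before the entries are loaded.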
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner
Error message when banproxy is not configured correctly
The error following error often indicates that the banproxy configuration is not configured properly
ORA-28150 proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID the following ldquoconnect throughrdquo grant is required for all non-INB users
SQLgt Alter user INTEGMGR grant connect through INTEGMGR
The proxy (connect-through) connection for BANPROXY access should appear as follows
SQLgt Alter user USER1 grant connect through USER2
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup) USER 2 is the official user through whom channels proxy authentication is allowed USER1 is the connection user referenced in banportalsproperties in the luminis-banner webapp
When Authorize BANPROXY is checked on GSASECR for a given user it grants connect-through using BANPROXY in sysproxy_users regardless of the chosen default Oracle ID If you are using INTEGMGR as your default Oracle ID then you should issue manual grants executed as bansecr for the banportals connection user and for each individual Oracle user requiring INB access For more information about the proxy connection and the required connect through grant see the CMS-13983txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide
For a student SSB user this configuration responds with the default Oracle ID which is usually BANPROXY
er 2011 Luminis Platform 503 T-1Banner Integration Setup Guide
Troubleshooting
T-2
For an INB user this script must respond with the actual INB username That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide
NoteYou should manually assign the connect through grants via sql when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user use the gspproxyget_proxy_info method or the proxyinfosql script described as bansecr in ldquoSample proxyinfosql scriptrdquo on page C-1
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly For example the webservices configuration in bnigWeb needs to match what was configured in the baniamproperties within the baniamjar file Likewise the value of the ticket parameter name such as iamticket for INB should match the parameter which was added to your formswebcfg as follows
iamticket=iamticket
Reference the forms configuration across the board when referencing formsfrmservletconfig=hellip in BNIG configuration and in banportals The above example uses smpl_sctsso The INB and SSB cookieheader name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOMEopmnlogs or errors such as ldquoSOAPException faultCode=INVALID SOAP RESPONSErdquo in your idproxy_application logs there may be a problem with the AQ JMS queues or subscriptions or the Oracle streams upon which JMS relies To correct the problem complete the following steps
1 Locate the jmsxml file in $OAS_HOMEj2eeBEISconfig and ensure that the persistence file locations are accurate The base directory within the context of that
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
jmsxml file is $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
2 Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
3 Delete any Lock files
Another SOAP-related error is the following which can occur even if all the JMS queues are configured and operating correctly
This HTTP transport error suggests that the proxy configuration is the problem Adjust the Web Services Configuration from FQDN to localhost or set the http_proxy environment variable as needed for your environment as in the following example
http_proxy=httpwww-proxysungardedu8080export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator Solution 1-BDD1LK located in the SunGard Higher Education Customer Support Center describes how to use JPI by default
Validating Banner Enterprise Identity Services event streams
The following topics provide for more information about validating streams used for Banner Enterprise Identity Services events
er 2011 Luminis Platform 503 T-3Banner Integration Setup Guide
Troubleshooting
T-4
Oracle streamsBanner Enterprise Identity Services validation
For more information refer to the Banner Enterprise Identity Services Installation Guide
One typo is the following
1 Select count() from GSVCADT whereGSVCADT_CAPTURE_NAME=IAM_EVENTS_CAPTURE missing single quote
2 If the results from those validation SQL statements do not match the expected results run the following scriptsgorctabi_070501sql
gorccoli_070501sql
gorcruli_070501sql
These are Banner General files and are located on your Banner DB under $Banner_Home upgradegen80000u The files were introduced in Banner General 751 and can be run again to verify the seed data is in place For more information see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center
3 Ensure that you are using General 83 or above then enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
The latter command should automatically begin the capture and apply To manually begin the capture enter the following commandexec gp_streams_utilp_start_capture(IAM)
exec gp_streams_utilp_start_apply(IAM)
If streams are locking on archivelogs you can remove the stream by entering the following commandexec gp_streams_utilp_remove_streams(IAM)
4 To recreate and reconfigure the streams enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
cn 610009611
description Map of 610009611 to saisusr
SCTSSOConfigString saisusr
dn cn=kyleo=usermapo=Bannero=SCTSSOapplications
objectClass SCTSSOConfig
objectClass top
cn kyle
description Map of kyle to saisusr
SCTSSOConfigString saisusr
Full lp5_mqinitsh script
The full lp5_mqinitsh script referred to in ldquoSet up users and administered objects in o=messagingrdquo on page 3-3 is listed below
#!/bin/bash
# (The script uses [[ ]], (( )) and read -s, so it needs bash rather than a
# plain Bourne /bin/sh.)
#
# author: david.norton@sungardhe.com
# version history:
#   01/31/2011 - initial version rolled
#   02/16/2011 - slight changes to notes
#   02/20/2011 - notes moved to separate doc; general clean-up, but
#                no changes in the logic/execution
#
# Debug note:
#   To debug, execute "/bin/sh [or /bin/bash] [-x|-v] lp5_mqinit.sh"
#   (with -x the Directory Manager password is echoed in the trace).
#
# Uncomment the following for verbose dsconfig/ldapmodify:
# VERBOSE="--verbose"

# User-configurable variables (set before running the script):
HOSTNAME=slc207123.sct.com
MQ_HOME=/opt/glassfishv3/mq
MQ_LMG_USER=lmguser
MQ_LMG_USER_PW=password
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel

# You probably shouldn't need to adjust these:
OPENDS_DIR=$CP_ROOT/products/opends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN="o=messaging"
INSECURE_LDAP_PORT=389

# Non-configurable variables, initialized:
STEPNO=1
ERRORCODE=0

# After each command, check for a non-zero error response and exit if applicable.
ErrorCheck()
{
  while :
  do
    case $ERRORCODE in
      # err=0: no error
      0 ) break ;;
      # Not necessarily errors; might indicate the script already ran:
      #   err=20 generally means "Attribute or Value Exists"
      #   err=68 generally means "Entry Already Exists"
      20|68 )
        echo "Proceed with script? [Press Y|y to continue, any other key to abort]"
        read PROCEED
        case $PROCEED in
          Y|y ) break ;;
          * ) echo "Failed on step $STEPNO with error $ERRORCODE"
              exit 1 ;;
        esac
        # Shouldn't ever get here, but just in case (no pun):
        echo "Outer loop break"
        ;;
      * ) echo "Failed on step $STEPNO with error $ERRORCODE"
          exit 1 ;;
    esac
  done
}

# Step 01: Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! -d $OPENDS_DIR || ! -w $OPENDS_DIR ]]; then
  echo "ERROR: $OPENDS_DIR does not exist or is not writable."
  echo "You must execute this script as the $CP_ROOT installer/owner"
  echo "on the resource tier. Exiting."
  exit 1
fi

# Step 02: Prompt [no screen echo] for the DM password.
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD

# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# NOTE: -w puts the password on the command line, where ps can show it to other
# users of the host; the OpenDS tools also accept -j/--bindPasswordFile.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options.
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"

# STEP 1: Create a new base-dn within backend userRoot.
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 2: Ensure that pre-encoded passwords are allowed.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 3: Add $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 4: Add ou=People to $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5: Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6: Add $MQ_LMG_USER.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword (allowed by STEP 2), the
# format would be (the whole "{SSHA}..." value, base64-encoded after "::"):
#   userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7: Add the $MQ_LUM_USER user.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8: Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
# (The acl name is only a label; the rights granted are read, search and compare.)
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9: Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN.
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# Define JNDI options for the imqobjmgr commands.
# NOTE: this binds as Directory Manager over the plain LDAP port with simple
# authentication, so the bind is unencrypted unless it stays on the local host.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options:
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options:
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT/$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd, as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location.
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10: Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
# (The lookup names are single-quoted so the shell does not expand "$com_sct_...".)
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11: Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12: Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13: Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14: Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# imqDestinationName must name the physical UpdateRequest queue (see the imqcmd
# list above), not the Sync topic; otherwise both queue objects would resolve to
# the same destination and request/reply would break.
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15: Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration.
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16: Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17: Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18: Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19: Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
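STEP 2 of the script switches on ds-cfg-allow-pre-encoded-passwords, and the comment after STEP 6 shows what a pre-encoded userPassword looks like, so that MQ_LMG_USER_PW and MQ_LUM_USER_PW need not carry a cleartext value through the script. The following is an added example (not part of the guide or of lp5_mqinit.sh) that builds and verifies such a value and shows how the guide's sample decodes. It assumes the OpenDS {SSHA} layout, base64(sha1(password + salt) + salt) with an 8-byte salt, which is what the sample value in the guide contains; {SSHA} is a single salted SHA-1, so it is what this server version accepts rather than a recommendation for new designs.

```python
# Added example: OpenDS-style pre-encoded {SSHA} userPassword values.
# Assumption: {SSHA} = base64(sha1(pw + salt) + salt), 8-byte salt.
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 8          # assumed OpenDS salt length
SHA1_LEN = 20         # digest_size of SHA-1

# The sample printed in the guide after STEP 6 (the part after "userPassword:: ").
GUIDE_SAMPLE_B64 = "e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ=="


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Storage form: '{SSHA}' + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(encoded: str) -> Tuple[bytes, bytes]:
    """Split a stored '{SSHA}...' value into (sha1 digest, salt)."""
    if not encoded.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: str, encoded: str) -> bool:
    """Check a candidate password against a stored value (constant-time compare)."""
    digest, salt = ssha_split(encoded)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword_line(encoded: str) -> str:
    """LDIF carries the whole '{SSHA}...' string base64-encoded after 'userPassword::'."""
    return "userPassword:: " + base64.b64encode(encoded.encode("ascii")).decode("ascii")


def ldif_userpassword_decode(line: str) -> str:
    """Inverse of ldif_userpassword_line: recover the stored '{SSHA}...' string."""
    prefix = "userPassword:: "
    if not line.startswith(prefix):
        raise ValueError("expected a base64 (double-colon) userPassword line")
    return base64.b64decode(line[len(prefix):]).decode("ascii")


if __name__ == "__main__":
    stored = ldif_userpassword_decode("userPassword:: " + GUIDE_SAMPLE_B64)
    digest, salt = ssha_split(stored)
    print("guide sample:", stored, "(digest %d bytes, salt %d bytes)" % (len(digest), len(salt)))
    # A fresh value for MQ_LMG_USER that keeps the cleartext out of the script:
    print(ldif_userpassword_line(ssha_encode("password")))
```

Generate the line on an administrator's workstation and paste it into the STEP 6 and STEP 7 heredocs in place of the userPassword: $MQ_LMG_USER_PW lines; the cleartext then never sits in the script file or its -x trace.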
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.

Error message when banproxy is not configured correctly

The following error often indicates that the banproxy configuration is not set up properly:

ORA-28150: proxy not authorized to connect as client

If the default Oracle ID and connection user is the recommended INTEGMGR ID, the following "connect through" grant is required for all non-INB users:

SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;

The proxy (connect-through) grant for BANPROXY access has this general form:

SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;

USER2 should be the sole member of the pxy_channel_luminis class and be granted EXECUTE on gspprxy and CREATE SESSION (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.

When "Authorize BANPROXY" is checked on GSASECR for a given user, it grants connect-through using BANPROXY in SYS.PROXY_USERS regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you should issue manual grants, executed as BANSECR, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect-through grant, see the CMS-13983.txt solution document in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.

For a student SSB user this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.

Note: You should manually assign the connect-through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.

To test which Oracle ID should be used for a given SPRIDEN ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, run as BANSECR, described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO

The handoff logic between the SSO systems is intentionally not self-describing, to make hijacking and similar attacks harder. The installation process is manual so that each site's administrators can configure their own environment with unique keywords rather than shipped defaults.

The configuration of all the moving parts in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg, as follows:

iamticket=iamticket

Use the same forms configuration everywhere you refer to forms/frmservlet?config=… in the BNIG configuration and in banportals; the example above uses smpl_sctsso. The INB and SSB cookie/header names in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see AJP-related errors in the Banner Enterprise Identity Services default island log in $OAS_HOME/opmn/logs, or errors such as "SOAPException faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle Streams on which JMS relies. To correct the problem, complete the following steps:

1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.

3. Delete any lock files.
Another SOAP-related error is an HTTP transport error that can occur even if all the JMS queues are configured and operating correctly. It suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from the FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:

http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy

Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK in the SunGard Higher Education Customer Support Center describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams

The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle Streams/Banner Enterprise Identity Services validation

For more information, refer to the Banner Enterprise Identity Services Installation Guide. One typo in that guide is the following validation statement, which is printed there with a missing single quote; the correct form is:

1. SELECT COUNT(*) FROM GSVCADT WHERE GSVCADT_CAPTURE_NAME = 'IAM_EVENTS_CAPTURE';

2. If the results from those validation SQL statements do not match the expected results, run the following scripts:

gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql

These are Banner General files located on your Banner database server under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 in the SunGard Higher Education Customer Support Center.

3. Ensure that you are using General 8.3 or above, then enter the following commands:

exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');

The latter command should automatically begin the capture and apply. To start them manually, enter:

exec gp_streams_util.p_start_capture('IAM');
exec gp_streams_util.p_start_apply('IAM');

If the streams are locking on archive logs, you can remove the stream with:

exec gp_streams_util.p_remove_streams('IAM');

4. To recreate and reconfigure the streams, enter:

exec gp_streams_util.p_create_streams('IAM');
exec gp_streams_util.p_configure_rules('IAM');
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
C-6
MQ_LUM_USER=lumuser
MQ_LUM_USER_PW=password
MQ_JMS_PORT=7676
MQ_SSLJMS_PORT=7676
MQ_HTTP_TUNNEL_PORT=8081
MQ_HTTPS_TUNNEL_PORT=8181
MQ_TUNNEL_VPATH=imqtunnel
You probably shouldnt need to adjust these
OPENDS_DIR=$CP_ROOTproductsopends
OPENDS_ADMIN_PORT=4444
OPENDS_MQ_BASEDN=rdquoo=messagingrdquo
INSECURE_LDAP_PORT=389
Non-configurable variables initialized
STEPNO=1
ERRORCODE=0
After each command check for a non-zero error response and exit if applicable
ErrorCheck()
while
do
case $ERRORCODE in
err=0 no error
0 ) break
Not necessarily errors might indicate script already ran
err=20 generally means Attribute of Value Exists
err=68 generally means Entry Already Exists
20|68 )
echo Proceed with script [Press Y|y to continue any other key to abort]
read PROCEED
case $PROCEED in
Y|y )
break 2
)
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
echo Failed on step $STEPNO with error $ERRORCODE
exit
esac
Shouldnt ever get here but just in case no pun
echo Outer loop break
) echo Failed on step $STEPNO with error $ERRORCODE
exit
esac
done
Step 01
Some sanity checks before we start
Does $OPENDS_DIR exist and is it writable
if [[ ( -d $OPENDS_DIR ) || ( -w $OPENDS_DIR ) ]] then
echo ERROR $OPENDS_DIR does not exist or is not writable
echo You must execute this script as the $CP_ROOT installerowner
echo on the resource tier Exiting
exit
fi
Step 02
Prompt [no screen echo] for DM password
echo Enter the Directory Manager password for DS additionsmods
read -s DM_PASSWORD
Refer to httpswwwopendsorg12pageDsconfig for dsconfig options
DSCONFIG_OPTS=-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE
Refer to httpswwwopendsorgwikipageLdapmodify for ldapmodify options
er 2011 Luminis Platform 503 C-7Banner Integration Setup Guide
Sample Scripts and Files
C-8
LDAPMODIFY_OPTS=-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE
STEP 1
Create a new base-dn within backend userRoot
cd $CP_ROOTproductsopendsbin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn$OPENDS_MQ_BASEDN
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 2
Ensure that pre-encoded passwords are allowed
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Default Password Policycn=Password Policiescn=config
changetype modify
replace ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords true
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 3
Add $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn $OPENDS_MQ_BASEDN
objectClass top
objectClass organization
o messaging
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 4
Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
dn ou=People $OPENDS_MQ_BASEDN
ou People
objectClass organizationalunit
objectClass top
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 5
Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS -a ltlt-EOF
dn ou=AdministeredObjects $OPENDS_MQ_BASEDN
ou AdministeredObjects
objectClass organizationalunit
objectClass top
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 6
Add $MQ_LMG_USER
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=$MQ_LMG_USERou=People $OPENDS_MQ_BASEDN
userPassword $MQ_LMG_USER_PW
description LMG
objectClass person
objectClass top
sn $MQ_LMG_USER
cn $MQ_LMG_USER
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
If you want to insert a pre-encoded userPassword the format would be
userPassword e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
er 2011 Luminis Platform 503 C-9Banner Integration Setup Guide
Sample Scripts and Files
C-10
STEP 7
Add the $MQ_LUM_USER user
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=$MQ_LUM_USERou=People $OPENDS_MQ_BASEDN
userPassword $MQ_LUM_USER_PW
description Internal message broker administrative user
objectClass person
objectClass top
sn $MQ_LUM_USER
cn $MQ_LUM_USER
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 8
Add LDAP aci so that $MQ_LMG_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LMG_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 9
Add LDAP aci so that $MQ_LUM_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LUM_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
Define JNDI options for the imqobjmgr commands
JNDI_OPTS=-j javanamingfactoryinitial=comsunjndildapLdapCtxFactory -j javanamingproviderurl=ldap$HOSTNAME$INSECURE_LDAP_PORTou=AdministeredObjects$OPENDS_MQ_BASEDN -j javanamingsecuritycredentials=$DM_PASSWORD -j javanamingsecurityauthentication=simple
Insecure jmshttpjms connection factory options
CONNFACTORY_TCP_OPTS=-o imqConnectionURL=http$HOSTNAME$MQ_HTTP_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Secure ssljmshttpsjms connection factory options
CONNFACTORY_TLS_OPTS=-o imqConnectionURL=https$HOSTNAME$MQ_HTTPS_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Note the following imqobjmgr queuetopic creations could have also
been done by using imqcmd as follows explicit imqobjmgr is used to
ensure fine-grained control over the JNDI AdministeredObjects location
imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
er 2011 Luminis Platform 503 C-11Banner Integration Setup Guide
Sample Scripts and Files
C-12
imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
STEP 10
Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOMEbin
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_EntityEvents -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 11
Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Error -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 12
Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_LmsSync -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 13
Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Sync -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
STEP 14
Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateRequest -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 15
Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateReply -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 16
Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 17
Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 18
Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
er 2011 Luminis Platform 503 C-13Banner Integration Setup Guide
Sample Scripts and Files
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner
Error message when banproxy is not configured correctly
The error following error often indicates that the banproxy configuration is not configured properly
ORA-28150 proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID the following ldquoconnect throughrdquo grant is required for all non-INB users
SQLgt Alter user INTEGMGR grant connect through INTEGMGR
The proxy (connect-through) connection for BANPROXY access should appear as follows
SQLgt Alter user USER1 grant connect through USER2
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup) USER 2 is the official user through whom channels proxy authentication is allowed USER1 is the connection user referenced in banportalsproperties in the luminis-banner webapp
When Authorize BANPROXY is checked on GSASECR for a given user it grants connect-through using BANPROXY in sysproxy_users regardless of the chosen default Oracle ID If you are using INTEGMGR as your default Oracle ID then you should issue manual grants executed as bansecr for the banportals connection user and for each individual Oracle user requiring INB access For more information about the proxy connection and the required connect through grant see the CMS-13983txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide
For a student SSB user this configuration responds with the default Oracle ID which is usually BANPROXY
er 2011 Luminis Platform 503 T-1Banner Integration Setup Guide
Troubleshooting
T-2
For an INB user this script must respond with the actual INB username That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide
NoteYou should manually assign the connect through grants via sql when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user use the gspproxyget_proxy_info method or the proxyinfosql script described as bansecr in ldquoSample proxyinfosql scriptrdquo on page C-1
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly For example the webservices configuration in bnigWeb needs to match what was configured in the baniamproperties within the baniamjar file Likewise the value of the ticket parameter name such as iamticket for INB should match the parameter which was added to your formswebcfg as follows
iamticket=iamticket
Reference the forms configuration across the board when referencing formsfrmservletconfig=hellip in BNIG configuration and in banportals The above example uses smpl_sctsso The INB and SSB cookieheader name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOMEopmnlogs or errors such as ldquoSOAPException faultCode=INVALID SOAP RESPONSErdquo in your idproxy_application logs there may be a problem with the AQ JMS queues or subscriptions or the Oracle streams upon which JMS relies To correct the problem complete the following steps
1 Locate the jmsxml file in $OAS_HOMEj2eeBEISconfig and ensure that the persistence file locations are accurate The base directory within the context of that
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
jmsxml file is $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
2 Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
3 Delete any Lock files
Another SOAP-related error is the following which can occur even if all the JMS queues are configured and operating correctly
This HTTP transport error suggests that the proxy configuration is the problem Adjust the Web Services Configuration from FQDN to localhost or set the http_proxy environment variable as needed for your environment as in the following example
http_proxy=httpwww-proxysungardedu8080export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator Solution 1-BDD1LK located in the SunGard Higher Education Customer Support Center describes how to use JPI by default
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo is the following:
1. Select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE (missing single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7, located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
            echo "Failed on step $STEPNO with error $ERRORCODE"
            exit
            ;;
        esac
        # Shouldn't ever get here, but just in case (no pun intended)
        echo "Outer loop break"
        ;;
    *)  echo "Failed on step $STEPNO with error $ERRORCODE"
        exit
        ;;
    esac
done
# Step 01
# Some sanity checks before we start.
# Does $OPENDS_DIR exist, and is it writable?
if [[ ! ( -d "$OPENDS_DIR" ) || ! ( -w "$OPENDS_DIR" ) ]]; then
    echo "ERROR: $OPENDS_DIR does not exist or is not writable."
    echo "You must execute this script as the $CP_ROOT installer/owner"
    echo "on the resource tier. Exiting."
    exit
fi
# Step 02
# Prompt [no screen echo] for the DM password
echo "Enter the Directory Manager password for DS additions/mods:"
read -s DM_PASSWORD
# Refer to https://www.opends.org/1.2/page/Dsconfig for dsconfig options.
# Note: -w places the bind password in the argument list, where other local
# users can read it from the process list; the OpenDS tools also accept
# --bindPasswordFile (-j). --trustAll disables server certificate verification.
DSCONFIG_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --trustAll --no-prompt $VERBOSE"
# Refer to https://www.opends.org/wiki/page/Ldapmodify for ldapmodify options.
LDAPMODIFY_OPTS="-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE"
# STEP 1
# Create a new base-dn within backend userRoot
cd $CP_ROOT/products/opends/bin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn:$OPENDS_MQ_BASEDN
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 2
# Ensure that pre-encoded passwords are allowed
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Default Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 3
# Add $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: $OPENDS_MQ_BASEDN
objectClass: top
objectClass: organization
o: messaging
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 4
# Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 6
# Add $MQ_LMG_USER
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# If you want to insert a pre-encoded userPassword, the format would be
# (the double colon marks a base64-encoded LDIF value):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 8
# Add an LDAP aci so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 9
# Add an LDAP aci so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow(read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# Define JNDI options for the imqobjmgr commands.
# Note: the provider URL uses the plain LDAP port with simple authentication,
# so the Directory Manager credentials cross the wire unencrypted unless the
# directory is local to this host.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"
# Insecure jms/httpjms connection factory options
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"
# Note: the following imqobjmgr queue/topic creations could also have
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
# The -l lookup names are single-quoted so the shell does not expand the "$com_sct_..." part as a variable.
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# (imqDestinationName corrected to the UpdateRequest queue created above; the listing
# repeated the com_sct_ldi_sis_Sync topic name here, which would bind the queue to a topic.)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration.
# (imqDestinationName corrected likewise.)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l "cn=com_sct_ldi_sis_ssl_TopicConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l "cn=com_sct_ldi_sis_ssl_QueueConnFactory" $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j java.naming.security.principal="cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
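As an added example (not part of the sample script), the following Python audits ds-cfg-global-aci values of the shape STEP 8 and STEP 9 add: it parses each ACI and flags any that grant more than read/search/compare, that bind to a generic subject such as anyone or all, or whose target reaches outside the messaging base DN. The base DN, the two MQ user names and the deliberately over-broad third ACI are constructed stand-ins for $OPENDS_MQ_BASEDN, $MQ_LMG_USER and $MQ_LUM_USER.

```python
"""Least-privilege audit for OpenDS global ACIs like those added in STEP 8/9.

Added example; not part of the Luminis/Ellucian sample script. The ACI
strings below are constructed with placeholder values for $OPENDS_MQ_BASEDN
and the MQ users; the third one is deliberately over-broad to show detection.
"""
import re
from typing import Dict, List

BASE_DN = "o=messaging"                      # stands in for $OPENDS_MQ_BASEDN
EXPECTED_USERS = {                           # stands in for $MQ_LMG_USER / $MQ_LUM_USER
    "cn=lmguser,ou=People,o=messaging",
    "cn=lumuser,ou=People,o=messaging",
}
ALLOWED_RIGHTS = {"read", "search", "compare"}   # what STEP 8/9 intend to grant

CONSTRUCTED_ACIS = [
    '(target="ldap:///o=messaging")(targetscope="subtree")(targetattr="*")'
    '(version 3.0; acl "User-Visible Root DSE Operational Attributes"; '
    'allow(read,search,compare) userdn="ldap:///cn=lmguser,ou=People,o=messaging";)',
    '(target="ldap:///o=messaging")(targetscope="subtree")(targetattr="*")'
    '(version 3.0; acl "User-Visible Root DSE Operational Attributes"; '
    'allow(read,search,compare) userdn="ldap:///cn=lumuser,ou=People,o=messaging";)',
    # Constructed bad example: all rights, for any authenticated user, on the whole tree.
    '(target="ldap:///")(targetscope="subtree")(targetattr="*")'
    '(version 3.0; acl "wide open"; allow(all) userdn="ldap:///all";)',
]

# Fixed ACI shape used by the script: target, scope, attrs, version/name, rights, bind rule.
_ACI_RE = re.compile(
    r'\(target="ldap:///(?P<target>[^"]*)"\)'
    r'\(targetscope="(?P<scope>[^"]*)"\)'
    r'\(targetattr="(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\((?P<rights>[^)]*)\)\s*'
    r'userdn="ldap:///(?P<userdn>[^"]*)";\)'
)


def parse_aci(aci: str) -> Dict[str, object]:
    """Parse one ACI of the script's shape; any other syntax raises ValueError."""
    m = _ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError("unrecognised ACI syntax: %r" % aci[:60])
    d = m.groupdict()
    d["rights"] = {r.strip().lower() for r in d["rights"].split(",")}
    return d


def _norm(dn: str) -> str:
    """Normalise a DN for comparison (case and spacing after commas)."""
    return dn.replace(", ", ",").strip().lower()


def audit_aci(aci: str) -> List[str]:
    """Findings for one ACI; an empty list means it matches the intended grant."""
    a = parse_aci(aci)
    findings = []
    if a["effect"] == "allow":
        extra = a["rights"] - ALLOWED_RIGHTS
        if extra:
            findings.append("rights beyond read/search/compare: %s" % ",".join(sorted(extra)))
        if a["userdn"].lower() in ("anyone", "all", "self", "parent"):
            findings.append("bind rule %r is not a specific user" % a["userdn"])
        elif _norm(a["userdn"]) not in {_norm(u) for u in EXPECTED_USERS}:
            findings.append("unexpected grantee %s" % a["userdn"])
        if not _norm(a["target"]).endswith(_norm(BASE_DN)):
            findings.append("target %r is outside %s" % (a["target"], BASE_DN))
    return findings


def audit_all(acis: List[str]) -> Dict[int, List[str]]:
    """Map ACI index to its findings, keeping only ACIs that have any."""
    result = {}
    for i, aci in enumerate(acis):
        f = audit_aci(aci)
        if f:
            result[i] = f
    return result


if __name__ == "__main__":
    for idx, findings in audit_all(CONSTRUCTED_ACIS).items():
        print("ACI #%d:" % idx, "; ".join(findings))
```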
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users, regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center, and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic, to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg, as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOMEopmnlogs or errors such as ldquoSOAPException faultCode=INVALID SOAP RESPONSErdquo in your idproxy_application logs there may be a problem with the AQ JMS queues or subscriptions or the Oracle streams upon which JMS relies To correct the problem complete the following steps
1 Locate the jmsxml file in $OAS_HOMEj2eeBEISconfig and ensure that the persistence file locations are accurate The base directory within the context of that
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
jmsxml file is $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
2 Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
3 Delete any Lock files
Another SOAP-related error is the following which can occur even if all the JMS queues are configured and operating correctly
This HTTP transport error suggests that the proxy configuration is the problem Adjust the Web Services Configuration from FQDN to localhost or set the http_proxy environment variable as needed for your environment as in the following example
http_proxy=httpwww-proxysungardedu8080export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator Solution 1-BDD1LK located in the SunGard Higher Education Customer Support Center describes how to use JPI by default
Validating Banner Enterprise Identity Services event streams
The following topics provide for more information about validating streams used for Banner Enterprise Identity Services events
er 2011 Luminis Platform 503 T-3Banner Integration Setup Guide
Troubleshooting
T-4
Oracle streamsBanner Enterprise Identity Services validation
For more information refer to the Banner Enterprise Identity Services Installation Guide
One typo is the following
1 Select count() from GSVCADT whereGSVCADT_CAPTURE_NAME=IAM_EVENTS_CAPTURE missing single quote
2 If the results from those validation SQL statements do not match the expected results run the following scriptsgorctabi_070501sql
gorccoli_070501sql
gorcruli_070501sql
These are Banner General files and are located on your Banner DB under $Banner_Home upgradegen80000u The files were introduced in Banner General 751 and can be run again to verify the seed data is in place For more information see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center
3 Ensure that you are using General 83 or above then enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
The latter command should automatically begin the capture and apply To manually begin the capture enter the following commandexec gp_streams_utilp_start_capture(IAM)
exec gp_streams_utilp_start_apply(IAM)
If streams are locking on archivelogs you can remove the stream by entering the following commandexec gp_streams_utilp_remove_streams(IAM)
4 To recreate and reconfigure the streams enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
C-8
LDAPMODIFY_OPTS=-h $HOSTNAME -p $OPENDS_ADMIN_PORT -w $DM_PASSWORD --defaultAdd --trustAll --useSSL $VERBOSE
STEP 1
Create a new base-dn within backend userRoot
cd $CP_ROOTproductsopendsbin
dsconfig $DSCONFIG_OPTS set-backend-prop --backend-name userRoot --add base-dn$OPENDS_MQ_BASEDN
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 2
Ensure that pre-encoded passwords are allowed
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Default Password Policycn=Password Policiescn=config
changetype modify
replace ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords true
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 3
Add $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn $OPENDS_MQ_BASEDN
objectClass top
objectClass organization
o messaging
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 4
Add ou=People to $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
dn ou=People $OPENDS_MQ_BASEDN
ou People
objectClass organizationalunit
objectClass top
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 5
Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS -a ltlt-EOF
dn ou=AdministeredObjects $OPENDS_MQ_BASEDN
ou AdministeredObjects
objectClass organizationalunit
objectClass top
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 6
Add $MQ_LMG_USER
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=$MQ_LMG_USERou=People $OPENDS_MQ_BASEDN
userPassword $MQ_LMG_USER_PW
description LMG
objectClass person
objectClass top
sn $MQ_LMG_USER
cn $MQ_LMG_USER
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
If you want to insert a pre-encoded userPassword the format would be
userPassword e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==
er 2011 Luminis Platform 503 C-9Banner Integration Setup Guide
Sample Scripts and Files
C-10
STEP 7
Add the $MQ_LUM_USER user
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=$MQ_LUM_USERou=People $OPENDS_MQ_BASEDN
userPassword $MQ_LUM_USER_PW
description Internal message broker administrative user
objectClass person
objectClass top
sn $MQ_LUM_USER
cn $MQ_LUM_USER
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 8
Add LDAP aci so that $MQ_LMG_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LMG_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 9
Add LDAP aci so that $MQ_LUM_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LUM_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
Define JNDI options for the imqobjmgr commands
JNDI_OPTS=-j javanamingfactoryinitial=comsunjndildapLdapCtxFactory -j javanamingproviderurl=ldap$HOSTNAME$INSECURE_LDAP_PORTou=AdministeredObjects$OPENDS_MQ_BASEDN -j javanamingsecuritycredentials=$DM_PASSWORD -j javanamingsecurityauthentication=simple
Insecure jmshttpjms connection factory options
CONNFACTORY_TCP_OPTS=-o imqConnectionURL=http$HOSTNAME$MQ_HTTP_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Secure ssljmshttpsjms connection factory options
CONNFACTORY_TLS_OPTS=-o imqConnectionURL=https$HOSTNAME$MQ_HTTPS_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Note the following imqobjmgr queuetopic creations could have also
been done by using imqcmd as follows explicit imqobjmgr is used to
ensure fine-grained control over the JNDI AdministeredObjects location
imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
er 2011 Luminis Platform 503 C-11Banner Integration Setup Guide
Sample Scripts and Files
C-12
imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
STEP 10
Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOMEbin
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_EntityEvents -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 11
Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Error -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 12
Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_LmsSync -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 13
Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Sync -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
STEP 14
Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateRequest -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 15
Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateReply -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 16
Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 17
Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 18
Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
er 2011 Luminis Platform 503 C-13Banner Integration Setup Guide
Sample Scripts and Files
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner
Error message when banproxy is not configured correctly
The error following error often indicates that the banproxy configuration is not configured properly
ORA-28150 proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID the following ldquoconnect throughrdquo grant is required for all non-INB users
SQLgt Alter user INTEGMGR grant connect through INTEGMGR
The proxy (connect-through) connection for BANPROXY access should appear as follows
SQLgt Alter user USER1 grant connect through USER2
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup) USER 2 is the official user through whom channels proxy authentication is allowed USER1 is the connection user referenced in banportalsproperties in the luminis-banner webapp
When Authorize BANPROXY is checked on GSASECR for a given user it grants connect-through using BANPROXY in sysproxy_users regardless of the chosen default Oracle ID If you are using INTEGMGR as your default Oracle ID then you should issue manual grants executed as bansecr for the banportals connection user and for each individual Oracle user requiring INB access For more information about the proxy connection and the required connect through grant see the CMS-13983txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide
For a student SSB user this configuration responds with the default Oracle ID which is usually BANPROXY
er 2011 Luminis Platform 503 T-1Banner Integration Setup Guide
Troubleshooting
T-2
For an INB user this script must respond with the actual INB username That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide
NoteYou should manually assign the connect through grants via sql when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user use the gspproxyget_proxy_info method or the proxyinfosql script described as bansecr in ldquoSample proxyinfosql scriptrdquo on page C-1
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly For example the webservices configuration in bnigWeb needs to match what was configured in the baniamproperties within the baniamjar file Likewise the value of the ticket parameter name such as iamticket for INB should match the parameter which was added to your formswebcfg as follows
iamticket=iamticket
Reference the forms configuration across the board when referencing formsfrmservletconfig=hellip in BNIG configuration and in banportals The above example uses smpl_sctsso The INB and SSB cookieheader name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOMEopmnlogs or errors such as ldquoSOAPException faultCode=INVALID SOAP RESPONSErdquo in your idproxy_application logs there may be a problem with the AQ JMS queues or subscriptions or the Oracle streams upon which JMS relies To correct the problem complete the following steps
1 Locate the jmsxml file in $OAS_HOMEj2eeBEISconfig and ensure that the persistence file locations are accurate The base directory within the context of that
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
jmsxml file is $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
2 Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
3 Delete any Lock files
Another SOAP-related error is the following which can occur even if all the JMS queues are configured and operating correctly
This HTTP transport error suggests that the proxy configuration is the problem Adjust the Web Services Configuration from FQDN to localhost or set the http_proxy environment variable as needed for your environment as in the following example
http_proxy=httpwww-proxysungardedu8080export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator Solution 1-BDD1LK located in the SunGard Higher Education Customer Support Center describes how to use JPI by default
Validating Banner Enterprise Identity Services event streams
The following topics provide for more information about validating streams used for Banner Enterprise Identity Services events
er 2011 Luminis Platform 503 T-3Banner Integration Setup Guide
Troubleshooting
T-4
Oracle streamsBanner Enterprise Identity Services validation
For more information refer to the Banner Enterprise Identity Services Installation Guide
One typo is the following
1 Select count() from GSVCADT whereGSVCADT_CAPTURE_NAME=IAM_EVENTS_CAPTURE missing single quote
2 If the results from those validation SQL statements do not match the expected results run the following scriptsgorctabi_070501sql
gorccoli_070501sql
gorcruli_070501sql
These are Banner General files and are located on your Banner DB under $Banner_Home upgradegen80000u The files were introduced in Banner General 751 and can be run again to verify the seed data is in place For more information see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center
3 Ensure that you are using General 83 or above then enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
The latter command should automatically begin the capture and apply To manually begin the capture enter the following commandexec gp_streams_utilp_start_capture(IAM)
exec gp_streams_utilp_start_apply(IAM)
If streams are locking on archivelogs you can remove the stream by entering the following commandexec gp_streams_utilp_remove_streams(IAM)
4 To recreate and reconfigure the streams enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
dn: ou=People,$OPENDS_MQ_BASEDN
ou: People
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 5
# Add ou=AdministeredObjects to $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: ou=AdministeredObjects,$OPENDS_MQ_BASEDN
ou: AdministeredObjects
objectClass: organizationalunit
objectClass: top
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 6
# Add $MQ_LMG_USER (-a treats the record, which carries no changetype, as an add)
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LMG_USER_PW
description: LMG
objectClass: person
objectClass: top
sn: $MQ_LMG_USER
cn: $MQ_LMG_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# If you want to insert a pre-encoded userPassword, the format would be
# (the double colon marks a base64-encoded LDIF value):
# userPassword:: e1NTSEF9VnBrNk1yV3FkZWZPUm9FVHpYRUdOekNyZEhMSWVLaFB2U2NUUFE9PQ==

# STEP 7
# Add the $MQ_LUM_USER user
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS -a <<-EOF
dn: cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN
userPassword: $MQ_LUM_USER_PW
description: Internal message broker administrative user
objectClass: person
objectClass: top
sn: $MQ_LUM_USER
cn: $MQ_LUM_USER
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 8
# Add an LDAP ACI so that $MQ_LMG_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
# (the acl name is only a label; the grant is scoped by target, rights and userdn)
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LMG_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 9
# Add an LDAP ACI so that $MQ_LUM_USER has read/search/compare ability in $OPENDS_MQ_BASEDN
ldapmodify -D "cn=Directory Manager" $LDAPMODIFY_OPTS <<-EOF
dn: cn=Access Control Handler,cn=config
changetype: modify
add: ds-cfg-global-aci
ds-cfg-global-aci: (target="ldap:///$OPENDS_MQ_BASEDN")(targetscope="subtree")(targetattr="*")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///cn=$MQ_LUM_USER,ou=People,$OPENDS_MQ_BASEDN";)
EOF
ERRORCODE=$?; ErrorCheck
((STEPNO++))
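Steps 8 and 9 are meant to give each broker account nothing more than read, search and compare over the MQ subtree. The following Python is an added example, not part of the guide or its sample script: it parses an ACIv3 string of the shape used above and reports anything wider than that grant (a target above the MQ base DN, rights beyond read/search/compare, or a bind rule that is not the expected account). The base DN and account name are constructed placeholders for the script's $OPENDS_MQ_BASEDN and $MQ_LMG_USER.

```python
"""Least-privilege check for the OpenDS global ACIs added in steps 8 and 9.

Added example, not part of the Luminis guide or its sample script. The DN and
account name below are constructed placeholders for the script's shell
variables ($OPENDS_MQ_BASEDN, $MQ_LMG_USER)."""
import re

# Constructed placeholders standing in for the script's shell variables.
OPENDS_MQ_BASEDN = "ou=mq,dc=example,dc=edu"
MQ_LMG_USER = "lmg"
LMG_USER_DN = "cn=%s,ou=People,%s" % (MQ_LMG_USER, OPENDS_MQ_BASEDN)

# The rights steps 8 and 9 intend to grant, and nothing more.
ALLOWED_RIGHTS = {"read", "search", "compare"}

# The ACI exactly as step 8 builds it, with the placeholders substituted.
LMG_ACI = (
    '(target="ldap:///%s")(targetscope="subtree")(targetattr="*")'
    '(version 3.0; acl "User-Visible Root DSE Operational Attributes"; '
    'allow (read,search,compare) userdn="ldap:///%s";)'
    % (OPENDS_MQ_BASEDN, LMG_USER_DN)
)

# A constructed over-broad variant: whole directory, all rights, any bind DN.
BROAD_ACI = (
    '(target="ldap:///")(targetscope="subtree")(targetattr="*")'
    '(version 3.0; acl "too broad"; allow (all) userdn="ldap:///anyone";)'
)

# ACIv3 shape: one or more (keyword="value") target clauses, then
# (version 3.0; acl "name"; <allow|deny (rights) bind-rule;>...)
ACI_RE = re.compile(
    r'^(?P<targets>(?:\(\w+\s*!?=\s*"[^"]*"\))+)'
    r'\(version\s+3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*(?P<rules>.*)\)$',
    re.S,
)
TARGET_RE = re.compile(r'\((\w+)\s*(!?=)\s*"([^"]*)"\)')
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);', re.S)
BIND_RE = re.compile(r'(userdn|groupdn|roledn)\s*(!?=)\s*"([^"]*)"')


def parse_aci(aci):
    """Split an ACIv3 string into its target clauses and allow/deny rules.

    Returns {"targets": {keyword: value}, "name": str, "rules": [...]} where
    each rule is {"kind": "allow"|"deny", "rights": set, "binds": [(kw, op, value)]}.
    Raises ValueError when the string does not have the expected shape.
    """
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("not an ACIv3 string: %r" % aci)
    # Only equality targets are kept; a "!=" target restricts nothing by itself.
    targets = {kw: val for kw, op, val in TARGET_RE.findall(m.group("targets"))
               if op == "="}
    rules = []
    for kind, rights, bind in RULE_RE.findall(m.group("rules")):
        rules.append({
            "kind": kind,
            "rights": {r.strip().lower() for r in rights.split(",") if r.strip()},
            "binds": BIND_RE.findall(bind),
        })
    if not rules:
        raise ValueError("ACI has no allow/deny rule: %r" % aci)
    return {"targets": targets, "name": m.group("name"), "rules": rules}


def check_least_privilege(aci, base_dn, expected_user_dn):
    """Return the ways an ACI exceeds read/search/compare for one account on base_dn.

    An empty list means the ACI matches the intent of steps 8 and 9.
    """
    parsed = parse_aci(aci)
    findings = []
    target = parsed["targets"].get("target", "")
    if target.lower() != ("ldap:///" + base_dn).lower():
        findings.append("target %r is not the MQ base DN %r" % (target, base_dn))
    for rule in parsed["rules"]:
        if rule["kind"] != "allow":
            continue  # deny rules only narrow access
        extra = rule["rights"] - ALLOWED_RIGHTS
        if extra:
            findings.append("allow grants more than read/search/compare: %s"
                            % sorted(extra))
        for kw, op, value in rule["binds"]:
            if kw != "userdn" or op != "=":
                findings.append("bind rule %s%s%r is not a plain userdn match"
                                % (kw, op, value))
            elif value.lower() != ("ldap:///" + expected_user_dn).lower():
                findings.append("bind rule matches %r, not the broker account %r"
                                % (value, expected_user_dn))
    return findings


if __name__ == "__main__":
    for label, aci in (("step 8 ACI", LMG_ACI), ("over-broad ACI", BROAD_ACI)):
        findings = check_least_privilege(aci, OPENDS_MQ_BASEDN, LMG_USER_DN)
        print("%s: %s" % (label, "OK" if not findings else "; ".join(findings)))
```

To check a live server, read ds-cfg-global-aci from cn=Access Control Handler,cn=config with ldapsearch and feed each value to check_least_privilege.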
# Define JNDI options for the imqobjmgr commands
# Note: this binds over the insecure LDAP port and passes the Directory Manager
# password on the command line, where it is visible in the process list.
JNDI_OPTS="-j java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory -j java.naming.provider.url=ldap://$HOSTNAME:$INSECURE_LDAP_PORT/ou=AdministeredObjects,$OPENDS_MQ_BASEDN -j java.naming.security.credentials=$DM_PASSWORD -j java.naming.security.authentication=simple"

# Insecure jms/httpjms connection factory options
# ($MQ_TUNNEL_VPATH is assumed to carry its leading slash)
CONNFACTORY_TCP_OPTS="-o imqConnectionURL=http://$HOSTNAME:$MQ_HTTP_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Secure ssljms/httpsjms connection factory options
CONNFACTORY_TLS_OPTS="-o imqConnectionURL=https://$HOSTNAME:$MQ_HTTPS_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME"

# Note: the following imqobjmgr queue/topic creations could have also
# been done by using imqcmd as follows; explicit imqobjmgr is used to
# ensure fine-grained control over the JNDI AdministeredObjects location:
#   imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
#   imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME

# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
# (the lookup names are single-quoted so the shell does not expand the "$" inside them)
cd $MQ_HOME/bin
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
# (imqDestinationName must name the UpdateRequest queue, not the Sync topic)
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))

# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCT/Blackboard, etc.
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j "java.naming.security.principal=cn=Directory Manager"
ERRORCODE=$?; ErrorCheck
((STEPNO++))
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script, run as bansecr, described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches. The installation process is manual to ensure that each administrative staff member can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter which was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log, located in $OAS_HOME/opmn/logs, or errors such as "SOAPException: faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator Solution 1-BDD1LK located in the SunGard Higher Education Customer Support Center describes how to use JPI by default
Validating Banner Enterprise Identity Services event streams
The following topics provide for more information about validating streams used for Banner Enterprise Identity Services events
er 2011 Luminis Platform 503 T-3Banner Integration Setup Guide
Troubleshooting
T-4
Oracle streamsBanner Enterprise Identity Services validation
For more information refer to the Banner Enterprise Identity Services Installation Guide
One typo is the following
1 Select count() from GSVCADT whereGSVCADT_CAPTURE_NAME=IAM_EVENTS_CAPTURE missing single quote
2 If the results from those validation SQL statements do not match the expected results run the following scriptsgorctabi_070501sql
gorccoli_070501sql
gorcruli_070501sql
These are Banner General files and are located on your Banner DB under $Banner_Home upgradegen80000u The files were introduced in Banner General 751 and can be run again to verify the seed data is in place For more information see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center
3 Ensure that you are using General 83 or above then enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
The latter command should automatically begin the capture and apply To manually begin the capture enter the following commandexec gp_streams_utilp_start_capture(IAM)
exec gp_streams_utilp_start_apply(IAM)
If streams are locking on archivelogs you can remove the stream by entering the following commandexec gp_streams_utilp_remove_streams(IAM)
4 To recreate and reconfigure the streams enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
C-10
STEP 7
Add the $MQ_LUM_USER user
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=$MQ_LUM_USERou=People $OPENDS_MQ_BASEDN
userPassword $MQ_LUM_USER_PW
description Internal message broker administrative user
objectClass person
objectClass top
sn $MQ_LUM_USER
cn $MQ_LUM_USER
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 8
Add LDAP aci so that $MQ_LMG_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LMG_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 9
Add LDAP aci so that $MQ_LUM_USER has readsearchcompare ability in $OPENDS_MQ_BASEDN
ldapmodify -D cn=Directory Manager $LDAPMODIFY_OPTS ltlt-EOF
dn cn=Access Control Handler cn=config
changetype modify
add ds-cfg-global-aci
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LUM_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
Define JNDI options for the imqobjmgr commands
JNDI_OPTS=-j javanamingfactoryinitial=comsunjndildapLdapCtxFactory -j javanamingproviderurl=ldap$HOSTNAME$INSECURE_LDAP_PORTou=AdministeredObjects$OPENDS_MQ_BASEDN -j javanamingsecuritycredentials=$DM_PASSWORD -j javanamingsecurityauthentication=simple
Insecure jmshttpjms connection factory options
CONNFACTORY_TCP_OPTS=-o imqConnectionURL=http$HOSTNAME$MQ_HTTP_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Secure ssljmshttpsjms connection factory options
CONNFACTORY_TLS_OPTS=-o imqConnectionURL=https$HOSTNAME$MQ_HTTPS_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Note the following imqobjmgr queuetopic creations could have also
been done by using imqcmd as follows explicit imqobjmgr is used to
ensure fine-grained control over the JNDI AdministeredObjects location
imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
er 2011 Luminis Platform 503 C-11Banner Integration Setup Guide
Sample Scripts and Files
C-12
imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
STEP 10
Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOMEbin
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_EntityEvents -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 11
Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Error -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 12
Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_LmsSync -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 13
Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Sync -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
STEP 14
Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateRequest -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 15
Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateReply -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 16
Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 17
Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 18
Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
er 2011 Luminis Platform 503 C-13Banner Integration Setup Guide
Sample Scripts and Files
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner
Error message when banproxy is not configured correctly
The error following error often indicates that the banproxy configuration is not configured properly
ORA-28150 proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID the following ldquoconnect throughrdquo grant is required for all non-INB users
SQLgt Alter user INTEGMGR grant connect through INTEGMGR
The proxy (connect-through) connection for BANPROXY access should appear as follows
SQLgt Alter user USER1 grant connect through USER2
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup) USER 2 is the official user through whom channels proxy authentication is allowed USER1 is the connection user referenced in banportalsproperties in the luminis-banner webapp
When Authorize BANPROXY is checked on GSASECR for a given user it grants connect-through using BANPROXY in sysproxy_users regardless of the chosen default Oracle ID If you are using INTEGMGR as your default Oracle ID then you should issue manual grants executed as bansecr for the banportals connection user and for each individual Oracle user requiring INB access For more information about the proxy connection and the required connect through grant see the CMS-13983txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide
For a student SSB user this configuration responds with the default Oracle ID which is usually BANPROXY
er 2011 Luminis Platform 503 T-1Banner Integration Setup Guide
Troubleshooting
T-2
For an INB user this script must respond with the actual INB username That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide
NoteYou should manually assign the connect through grants via sql when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user use the gspproxyget_proxy_info method or the proxyinfosql script described as bansecr in ldquoSample proxyinfosql scriptrdquo on page C-1
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly For example the webservices configuration in bnigWeb needs to match what was configured in the baniamproperties within the baniamjar file Likewise the value of the ticket parameter name such as iamticket for INB should match the parameter which was added to your formswebcfg as follows
iamticket=iamticket
Reference the forms configuration across the board when referencing formsfrmservletconfig=hellip in BNIG configuration and in banportals The above example uses smpl_sctsso The INB and SSB cookieheader name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOMEopmnlogs or errors such as ldquoSOAPException faultCode=INVALID SOAP RESPONSErdquo in your idproxy_application logs there may be a problem with the AQ JMS queues or subscriptions or the Oracle streams upon which JMS relies To correct the problem complete the following steps
1 Locate the jmsxml file in $OAS_HOMEj2eeBEISconfig and ensure that the persistence file locations are accurate The base directory within the context of that
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
jmsxml file is $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
2 Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
3 Delete any Lock files
Another SOAP-related error is the following which can occur even if all the JMS queues are configured and operating correctly
This HTTP transport error suggests that the proxy configuration is the problem Adjust the Web Services Configuration from FQDN to localhost or set the http_proxy environment variable as needed for your environment as in the following example
http_proxy=httpwww-proxysungardedu8080export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator Solution 1-BDD1LK located in the SunGard Higher Education Customer Support Center describes how to use JPI by default
Validating Banner Enterprise Identity Services event streams
The following topics provide for more information about validating streams used for Banner Enterprise Identity Services events
er 2011 Luminis Platform 503 T-3Banner Integration Setup Guide
Troubleshooting
T-4
Oracle streamsBanner Enterprise Identity Services validation
For more information refer to the Banner Enterprise Identity Services Installation Guide
One typo is the following
1 Select count() from GSVCADT whereGSVCADT_CAPTURE_NAME=IAM_EVENTS_CAPTURE missing single quote
2 If the results from those validation SQL statements do not match the expected results run the following scriptsgorctabi_070501sql
gorccoli_070501sql
gorcruli_070501sql
These are Banner General files and are located on your Banner DB under $Banner_Home upgradegen80000u The files were introduced in Banner General 751 and can be run again to verify the seed data is in place For more information see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center
3 Ensure that you are using General 83 or above then enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
The latter command should automatically begin the capture and apply To manually begin the capture enter the following commandexec gp_streams_utilp_start_capture(IAM)
exec gp_streams_utilp_start_apply(IAM)
If streams are locking on archivelogs you can remove the stream by entering the following commandexec gp_streams_utilp_remove_streams(IAM)
4 To recreate and reconfigure the streams enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
ds-cfg-global-aci (target=ldap$OPENDS_MQ_BASEDN)(targetscope=subtree)
(targetattr=)(version 30 acl User-Visible Root DSE Operational
Attributes allow(readsearchcompare) userdn=ldapcn=$MQ_LUM_USER
ou=People$OPENDS_MQ_BASEDN)
EOF
ERRORCODE=$ ErrorCheck
((STEPNO++))
Define JNDI options for the imqobjmgr commands
JNDI_OPTS=-j javanamingfactoryinitial=comsunjndildapLdapCtxFactory -j javanamingproviderurl=ldap$HOSTNAME$INSECURE_LDAP_PORTou=AdministeredObjects$OPENDS_MQ_BASEDN -j javanamingsecuritycredentials=$DM_PASSWORD -j javanamingsecurityauthentication=simple
Insecure jmshttpjms connection factory options
CONNFACTORY_TCP_OPTS=-o imqConnectionURL=http$HOSTNAME$MQ_HTTP_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_JMS_PORT -o imqConnectionType=TCP -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Secure ssljmshttpsjms connection factory options
CONNFACTORY_TLS_OPTS=-o imqConnectionURL=https$HOSTNAME$MQ_HTTPS_TUNNEL_PORT$MQ_TUNNEL_VPATH -o imqBrokerHostPort=$MQ_SSLJMS_PORT -o imqConnectionType=TLS -o imqBrokerHostName=$HOSTNAME -o imqAddressList=$HOSTNAME
Note the following imqobjmgr queuetopic creations could have also
been done by using imqcmd as follows explicit imqobjmgr is used to
ensure fine-grained control over the JNDI AdministeredObjects location
imqcmd create dst -n com_sct_ldi_sis_Sync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_LmsSync -t t -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_EntityEvents -t t -b $HOSTNAME
er 2011 Luminis Platform 503 C-11Banner Integration Setup Guide
Sample Scripts and Files
C-12
imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b $HOSTNAME
imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b $HOSTNAME
STEP 10
Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration
cd $MQ_HOMEbin
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_EntityEvents -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 11
Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Error -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 12
Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_LmsSync -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 13
Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration
imqobjmgr add -t t -l cn=topic$com_sct_ldi_sis_Sync -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
STEP 14
Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateRequest -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 15
Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateReply -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 16
Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 17
Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 18
Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
er 2011 Luminis Platform 503 C-13Banner Integration Setup Guide
Sample Scripts and Files
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
imqcmd create dst -n com_sct_ldi_sis_UpdateRequest -t q -b "$HOSTNAME"
imqcmd create dst -n com_sct_ldi_sis_UpdateReply -t q -b "$HOSTNAME"
# STEP 10
# Add the topic$com_sct_ldi_sis_EntityEvents administered object needed for LMG-style integration.
cd "$MQ_HOME/bin"
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_EntityEvents' -o imqDestinationName=com_sct_ldi_sis_EntityEvents $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 11
# Add the topic$com_sct_ldi_sis_Error administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Error' -o imqDestinationName=com_sct_ldi_sis_Error $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 12
# Add the topic$com_sct_ldi_sis_LmsSync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_LmsSync' -o imqDestinationName=com_sct_ldi_sis_LmsSync $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 13
# Add the topic$com_sct_ldi_sis_Sync administered object needed for LMG-style integration.
imqobjmgr add -t t -l 'cn=topic$com_sct_ldi_sis_Sync' -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 14
# Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration.
# imqDestinationName must name the physical queue created above with imqcmd.
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateRequest' -o imqDestinationName=com_sct_ldi_sis_UpdateRequest $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 15
# Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration.
# imqDestinationName must name the physical queue created above with imqcmd.
imqobjmgr add -t q -l 'cn=queue$com_sct_ldi_sis_UpdateReply' -o imqDestinationName=com_sct_ldi_sis_UpdateReply $JNDI_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 16
# Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 17
# Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 18
# Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory (TLS) used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t tf -l 'cn=com_sct_ldi_sis_ssl_TopicConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
# STEP 19
# Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory (TLS) used by LMG and WebCT/Blackboard etc.
imqobjmgr add -t qf -l 'cn=com_sct_ldi_sis_ssl_QueueConnFactory' $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j 'java.naming.security.principal=cn=Directory Manager'
ERRORCODE=$?; ErrorCheck
((STEPNO++))
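The administered-object steps above follow one convention: a JNDI lookup name of the form queue$NAME or topic$NAME points at a physical destination called NAME, and the -t type must agree with the prefix. A slip in either direction (a queue object aimed at a topic's destination, for instance) only surfaces later as a failed lookup in LMG. The following script is an added example written for this page, not part of the Luminis script: check_admin_objects reads definitions as "<type> <lookup name> <destination>" lines and reports every inconsistency, and build_add_cmd prints the imqobjmgr command line that the script's ErrorCheck pattern wraps. The sample definitions are constructed (one is deliberately wrong), and JNDI_OPTS is assumed to hold the -j naming options, as in the script above.

```shell
#!/bin/bash
# Added example for this page, not part of the Luminis script: check that each
# Message Queue administered object is consistent before it is created.
# A definition is "<imqobjmgr -t type> <JNDI lookup name> <physical destination>".
# Convention taken from the script above: lookup names are queue$NAME or
# topic$NAME and should point at a physical destination called NAME whose type
# matches the prefix (q for queue, t for topic).
#
# Constructed sample definitions. The last entry deliberately points the
# UpdateReply queue object at the Sync destination so the check has a finding.
ADMIN_OBJECTS='
t topic$com_sct_ldi_sis_EntityEvents  com_sct_ldi_sis_EntityEvents
t topic$com_sct_ldi_sis_Sync          com_sct_ldi_sis_Sync
q queue$com_sct_ldi_sis_UpdateRequest com_sct_ldi_sis_UpdateRequest
q queue$com_sct_ldi_sis_UpdateReply   com_sct_ldi_sis_Sync
'

# build_add_cmd TYPE LOOKUP DEST: print the imqobjmgr command line for one
# object. JNDI_OPTS is assumed to hold the -j naming options, as in the script.
# Lookup names are single-quoted so the shell never expands the "$" in them.
build_add_cmd() {
  printf "imqobjmgr add -t %s -l 'cn=%s' -o imqDestinationName=%s %s -j 'java.naming.security.principal=cn=Directory Manager'\n" \
    "$1" "$2" "$3" "${JNDI_OPTS:-}"
}

# check_admin_objects: read definitions from stdin, print one line per problem,
# return the number of problems found (0 means every definition is consistent).
check_admin_objects() {
  local type lookup dest prefix name bad=0
  while read -r type lookup dest; do
    [ -z "$type" ] && continue            # skip blank lines
    prefix=${lookup%%\$*}                 # text before the "$": queue or topic
    name=${lookup#*\$}                    # text after the "$": expected destination
    case "$type:$prefix" in
      q:queue|t:topic) ;;
      *) printf 'type/prefix mismatch: -t %s with lookup %s\n' "$type" "$lookup"
         bad=$((bad + 1)); continue ;;
    esac
    if [ "$name" != "$dest" ]; then
      printf 'destination mismatch: %s -> %s (expected %s)\n' "$lookup" "$dest" "$name"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Demonstration: report problems in the sample list, then print the corrected
# command for the entry that was wrong.
printf '%s\n' "$ADMIN_OBJECTS" | check_admin_objects || echo "$? problem(s) found"
build_add_cmd q 'queue$com_sct_ldi_sis_UpdateReply' com_sct_ldi_sis_UpdateReply
```

Run the check against your own definition list before executing the imqobjmgr steps; a non-zero return means at least one object would be created against the wrong destination or with the wrong type.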
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that the banproxy configuration is not set up properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> ALTER USER INTEGMGR GRANT CONNECT THROUGH INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> ALTER USER USER1 GRANT CONNECT THROUGH USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center, and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in "Sample proxyinfo.sql script" on page C-1.
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is deliberately somewhat cryptic, to prevent hijacking and other security breaches. The installation process is manual so that each administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in the baniam.properties file within baniam.jar. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the same forms configuration consistently wherever forms/frmservlet?config=… is referenced, in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
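Because the SSO handoff fails silently when the two sides disagree on a name, the one correspondence the paragraph above makes concrete is worth checking mechanically: the iamticket parameter in the named formsweb.cfg section must equal the ticket parameter name the BEIS side is configured with. The following shell script is an added example for this page, not code from the guide. The formsweb.cfg layout ([config] sections of key=value lines) is Oracle Forms' standard format and smpl_sctsso and iamticket come from the guide; the baniam.properties key iam.ticket.parameter is a hypothetical placeholder, since the guide does not name the key, and both sample files are constructed inline.

```shell
#!/bin/bash
# Added example for this page, not part of the Luminis guide: verify that the
# ticket parameter name INB receives through formsweb.cfg is the same name the
# BEIS side is configured with. formsweb.cfg is Oracle Forms' INI-style file
# ([config] sections of key=value lines); "iamticket" and the smpl_sctsso
# section come from the guide. The baniam.properties key iam.ticket.parameter
# is a hypothetical placeholder for whatever key your deployment uses.

# ini_value FILE SECTION KEY: print KEY's value from [SECTION] in FILE
# (first match only; empty output when the section or key is absent).
ini_value() {
  awk -v section="$2" -v key="$3" '
    /^[[:space:]]*\[/ { in_section = ($0 == "[" section "]"); next }
    in_section && index($0, key "=") == 1 { sub("^" key "=", ""); print; exit }
  ' "$1"
}

# prop_value FILE KEY: print KEY's value from a Java-style properties file.
prop_value() {
  awk -v key="$2" 'index($0, key "=") == 1 { sub("^" key "=", ""); print; exit }' "$1"
}

# check_ticket_param FORMSWEB_CFG CONFIG_NAME BANIAM_PROPS PROPS_KEY
# Returns 0 when both sides name the same ticket parameter, 1 otherwise.
check_ticket_param() {
  local forms_val props_val
  forms_val=$(ini_value "$1" "$2" iamticket)
  props_val=$(prop_value "$3" "$4")
  if [ -z "$forms_val" ] || [ -z "$props_val" ]; then
    echo "missing: formsweb.cfg [$2] iamticket='$forms_val', $4='$props_val'"
    return 1
  fi
  if [ "$forms_val" != "$props_val" ]; then
    echo "mismatch: formsweb.cfg [$2] iamticket='$forms_val' but $4='$props_val'"
    return 1
  fi
  echo "ok: ticket parameter '$forms_val' agrees on both sides"
}

# write_samples DIR: write constructed sample files for the demonstration.
# The [other] section carries a different name so the check has a finding.
write_samples() {
  cat > "$1/formsweb.cfg" <<'EOF'
[default]
form=test.fmx
[smpl_sctsso]
iamticket=iamticket
[other]
iamticket=sometoken
EOF
  cat > "$1/baniam.properties" <<'EOF'
# constructed sample; the key name is a placeholder, not the real one
iam.ticket.parameter=iamticket
EOF
}

# Demonstration: one matching and one mismatching configuration.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_ticket_param "$demo_dir/formsweb.cfg" smpl_sctsso "$demo_dir/baniam.properties" iam.ticket.parameter
check_ticket_param "$demo_dir/formsweb.cfg" other "$demo_dir/baniam.properties" iam.ticket.parameter || true
rm -rf "$demo_dir"
```

Point check_ticket_param at the real formsweb.cfg, the config name you use in forms/frmservlet?config=…, and the extracted baniam.properties with its actual key; the same ini_value helper can be reused to confirm that every section referenced from BNIG and banportals carries the same iamticket value.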
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOME/opmn/logs, or errors such as "SOAPException faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps:
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly:
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
One typo is the following:
1. SELECT COUNT(*) FROM GSVCADT WHERE GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE'; (the published statement is missing a single quote)
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB server under $BANNER_HOME/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If streams are locking on archive logs, you can remove the stream by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
STEP 14
Add the queue$com_sct_ldi_sis_UpdateRequest administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateRequest -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 15
Add the queue$com_sct_ldi_sis_UpdateReply administered object needed for LMG-style integration
imqobjmgr add -t q -l cn=queue$com_sct_ldi_sis_UpdateReply -o imqDestinationName=com_sct_ldi_sis_Sync $JNDI_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 16
Create the cn=com_sct_ldi_sis_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 17
Create the cn=com_sct_ldi_sis_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TCP_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 18
Create the cn=com_sct_ldi_sis_ssl_TopicConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t tf -l cn=com_sct_ldi_sis_ssl_TopicConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
er 2011 Luminis Platform 503 C-13Banner Integration Setup Guide
Sample Scripts and Files
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner
Error message when banproxy is not configured correctly
The error following error often indicates that the banproxy configuration is not configured properly
ORA-28150 proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID the following ldquoconnect throughrdquo grant is required for all non-INB users
SQLgt Alter user INTEGMGR grant connect through INTEGMGR
The proxy (connect-through) connection for BANPROXY access should appear as follows
SQLgt Alter user USER1 grant connect through USER2
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup) USER 2 is the official user through whom channels proxy authentication is allowed USER1 is the connection user referenced in banportalsproperties in the luminis-banner webapp
When Authorize BANPROXY is checked on GSASECR for a given user it grants connect-through using BANPROXY in sysproxy_users regardless of the chosen default Oracle ID If you are using INTEGMGR as your default Oracle ID then you should issue manual grants executed as bansecr for the banportals connection user and for each individual Oracle user requiring INB access For more information about the proxy connection and the required connect through grant see the CMS-13983txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide
For a student SSB user this configuration responds with the default Oracle ID which is usually BANPROXY
er 2011 Luminis Platform 503 T-1Banner Integration Setup Guide
Troubleshooting
T-2
For an INB user this script must respond with the actual INB username That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide
NoteYou should manually assign the connect through grants via sql when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user use the gspproxyget_proxy_info method or the proxyinfosql script described as bansecr in ldquoSample proxyinfosql scriptrdquo on page C-1
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly For example the webservices configuration in bnigWeb needs to match what was configured in the baniamproperties within the baniamjar file Likewise the value of the ticket parameter name such as iamticket for INB should match the parameter which was added to your formswebcfg as follows
iamticket=iamticket
Reference the forms configuration across the board when referencing formsfrmservletconfig=hellip in BNIG configuration and in banportals The above example uses smpl_sctsso The INB and SSB cookieheader name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOMEopmnlogs or errors such as ldquoSOAPException faultCode=INVALID SOAP RESPONSErdquo in your idproxy_application logs there may be a problem with the AQ JMS queues or subscriptions or the Oracle streams upon which JMS relies To correct the problem complete the following steps
1 Locate the jmsxml file in $OAS_HOMEj2eeBEISconfig and ensure that the persistence file locations are accurate The base directory within the context of that
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
jmsxml file is $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
2 Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
3 Delete any Lock files
Another SOAP-related error is the following which can occur even if all the JMS queues are configured and operating correctly
This HTTP transport error suggests that the proxy configuration is the problem Adjust the Web Services Configuration from FQDN to localhost or set the http_proxy environment variable as needed for your environment as in the following example
http_proxy=httpwww-proxysungardedu8080export http_proxy
Another solution is to adjust your forms configuration to use Java Plug-In (JPI) instead of JInitiator Solution 1-BDD1LK located in the SunGard Higher Education Customer Support Center describes how to use JPI by default
Validating Banner Enterprise Identity Services event streams
The following topics provide for more information about validating streams used for Banner Enterprise Identity Services events
er 2011 Luminis Platform 503 T-3Banner Integration Setup Guide
Troubleshooting
T-4
Oracle streamsBanner Enterprise Identity Services validation
For more information refer to the Banner Enterprise Identity Services Installation Guide
One typo is the following
1 Select count() from GSVCADT whereGSVCADT_CAPTURE_NAME=IAM_EVENTS_CAPTURE missing single quote
2 If the results from those validation SQL statements do not match the expected results run the following scriptsgorctabi_070501sql
gorccoli_070501sql
gorcruli_070501sql
These are Banner General files and are located on your Banner DB under $Banner_Home upgradegen80000u The files were introduced in Banner General 751 and can be run again to verify the seed data is in place For more information see solution 1-9GK5D7 located in the SunGard Higher Education Customer Support Center
3 Ensure that you are using General 83 or above then enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
The latter command should automatically begin the capture and apply To manually begin the capture enter the following commandexec gp_streams_utilp_start_capture(IAM)
exec gp_streams_utilp_start_apply(IAM)
If streams are locking on archivelogs you can remove the stream by entering the following commandexec gp_streams_utilp_remove_streams(IAM)
4 To recreate and reconfigure the streams enter the following commandexec gp_streams_utilp_create_streams(IAM)
exec gp_streams_utilp_configure_rules(IAM)
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
C-14
ERRORCODE=$ ErrorCheck
((STEPNO++))
STEP 19
Create the cn=com_sct_ldi_sis_ssl_QueueConnFactory connection factory used by LMG and WebCTBlackboard etc
imqobjmgr add -t qf -l cn=com_sct_ldi_sis_ssl_QueueConnFactory $JNDI_OPTS $CONNFACTORY_TLS_OPTS -j javanamingsecurityprincipal=cn=Directory Manager
ERRORCODE=$ ErrorCheck
((STEPNO++))
Luminis Platform 503 November 2011Banner Integration Setup GuideSample Scripts and Files
Novemb
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner
Error message when banproxy is not configured correctly
The error following error often indicates that the banproxy configuration is not configured properly
ORA-28150 proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID the following ldquoconnect throughrdquo grant is required for all non-INB users
SQLgt Alter user INTEGMGR grant connect through INTEGMGR
The proxy (connect-through) connection for BANPROXY access should appear as follows
SQLgt Alter user USER1 grant connect through USER2
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see other GSASECR preliminary setup) USER 2 is the official user through whom channels proxy authentication is allowed USER1 is the connection user referenced in banportalsproperties in the luminis-banner webapp
When Authorize BANPROXY is checked on GSASECR for a given user it grants connect-through using BANPROXY in sysproxy_users regardless of the chosen default Oracle ID If you are using INTEGMGR as your default Oracle ID then you should issue manual grants executed as bansecr for the banportals connection user and for each individual Oracle user requiring INB access For more information about the proxy connection and the required connect through grant see the CMS-13983txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide
For a student SSB user this configuration responds with the default Oracle ID which is usually BANPROXY
er 2011 Luminis Platform 503 T-1Banner Integration Setup Guide
Troubleshooting
T-2
For an INB user this script must respond with the actual INB username That user must be granted proper BANPROXY access via GSASECR as described in the Middle Tier Implementation Guide
NoteYou should manually assign the connect through grants via sql when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user use the gspproxyget_proxy_info method or the proxyinfosql script described as bansecr in ldquoSample proxyinfosql scriptrdquo on page C-1
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic to prevent hijacking and other security breaches The installation process is manual to ensure that each administrative staff can customize their specific environment to use unique keywords
The configuration of all the moving parts and variable configurations in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly For example the webservices configuration in bnigWeb needs to match what was configured in the baniamproperties within the baniamjar file Likewise the value of the ticket parameter name such as iamticket for INB should match the parameter which was added to your formswebcfg as follows
iamticket=iamticket
Reference the forms configuration across the board when referencing formsfrmservletconfig=hellip in BNIG configuration and in banportals The above example uses smpl_sctsso The INB and SSB cookieheader name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters
If you see ajp-related errors in the Banner Enterprise Identity Services default island log located in $OAS_HOMEopmnlogs or errors such as ldquoSOAPException faultCode=INVALID SOAP RESPONSErdquo in your idproxy_application logs there may be a problem with the AQ JMS queues or subscriptions or the Oracle streams upon which JMS relies To correct the problem complete the following steps
1 Locate the jmsxml file in $OAS_HOMEj2eeBEISconfig and ensure that the persistence file locations are accurate The base directory within the context of that
Luminis Platform 503 November 2011Banner Integration Setup GuideTroubleshooting
Novemb
jmsxml file is $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
2 Shut down Banner Enterprise Identity Services and delete the old persistence files that are found in the following location $OAS_HOMEj2eeBEISpersistenceBEIS_default_island_1
3 Delete any Lock files
Luminis Platform 5.0.3 Banner Integration Setup Guide, November 2011: Troubleshooting
Troubleshooting
This appendix discusses options for troubleshooting username mapping and other issues in Luminis Platform portlets for Banner.
Error message when banproxy is not configured correctly
The following error often indicates that banproxy is not configured properly:
ORA-28150: proxy not authorized to connect as client
If the default Oracle ID and connection user is the recommended integmgr ID, the following "connect through" grant is required for all non-INB users:
SQL> Alter user INTEGMGR grant connect through INTEGMGR;
The proxy (connect-through) connection for BANPROXY access should appear as follows:
SQL> Alter user USER1 grant connect through USER2;
USER2 should be the sole member of the pxy_channel_luminis class and be granted execute on gspprxy and create session (see the other GSASECR preliminary setup). USER2 is the official user through whom channel proxy authentication is allowed. USER1 is the connection user referenced in banportals.properties in the luminis-banner webapp.
When Authorize BANPROXY is checked on GSASECR for a given user, it grants connect-through using BANPROXY in sys.proxy_users regardless of the chosen default Oracle ID. If you are using INTEGMGR as your default Oracle ID, then you should issue manual grants, executed as bansecr, for the banportals connection user and for each individual Oracle user requiring INB access. For more information about the proxy connection and the required connect through grant, see the CMS-13983.txt solution document located in the SunGard Higher Education Customer Support Center and the Banner General Security Guide.
For a student SSB user, this configuration responds with the default Oracle ID, which is usually BANPROXY.
For an INB user, this script must respond with the actual INB username. That user must be granted proper BANPROXY access via GSASECR, as described in the Middle Tier Implementation Guide.
Note: You should manually assign the connect-through grants via SQL when using the GSASECR form to check BANPROXY access if you are using a default Oracle ID other than BANPROXY.
To test which Oracle ID should be used for a given spriden ID or Luminis Platform user, use the gspproxy.get_proxy_info method or the proxyinfo.sql script (run as bansecr) described in "Sample proxyinfo.sql script" on page C-1.
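The following SQL is an added example, not part of the guide, that audits the connect-through grants described above from the DBA_PROXIES view. It assumes the guide's INTEGMGR (default Oracle ID) and BANPROXY (channel proxy) accounts and uses BANPORTALS_USER and FORMER_STAFF_USER as placeholders for the connection user named in banportals.properties and for an account whose INB access is being withdrawn.

```sql
-- Added example, not from the Banner Integration Setup Guide.
-- Assumes INTEGMGR is the default Oracle ID and BANPROXY is the channel proxy
-- account (both named in the guide). BANPORTALS_USER and FORMER_STAFF_USER are
-- placeholders. Run as a DBA, or as bansecr if it has SELECT on DBA_PROXIES.

-- 1. Inventory: every client account that INTEGMGR or BANPROXY may connect as.
--    Each row is an impersonation right, so review this list periodically.
SELECT proxy, client, authorization_constraint
  FROM dba_proxies
 WHERE proxy IN ('INTEGMGR', 'BANPROXY')
 ORDER BY proxy, client;

-- 2. Users authorized through GSASECR (Authorize BANPROXY) but lacking the
--    INTEGMGR grant. With INTEGMGR as the default Oracle ID these users will
--    hit ORA-28150 until the manual grant in step 4 is issued as bansecr.
SELECT b.client
  FROM dba_proxies b
 WHERE b.proxy = 'BANPROXY'
   AND NOT EXISTS (SELECT 1
                     FROM dba_proxies i
                    WHERE i.proxy  = 'INTEGMGR'
                      AND i.client = b.client)
 ORDER BY b.client;

-- 3. Confirm the portal connection user itself has its grant (expect 1).
SELECT COUNT(*) AS portal_user_has_grant
  FROM dba_proxies
 WHERE proxy  = 'INTEGMGR'
   AND client = 'BANPORTALS_USER';

-- 4. Corrective grant (as bansecr), one per account returned by query 2 or 3,
--    and the matching revoke for an account that no longer needs INB access.
ALTER USER BANPORTALS_USER GRANT CONNECT THROUGH INTEGMGR;
ALTER USER FORMER_STAFF_USER REVOKE CONNECT THROUGH INTEGMGR;
```

Query 2 is the one to run after every GSASECR change, since the form only records the BANPROXY grant and the INTEGMGR grant must be kept in step by hand.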
Banner Enterprise Identity Services - INB SSO
The handoff logic between SSO systems is somewhat cryptic, to prevent hijacking and other security breaches. The installation process is manual so that each institution's administrative staff can customize their specific environment to use unique keywords.
The configuration of all the moving parts and variable settings in the various Banner Enterprise Identity Services components and the Luminis webapps must correspond exactly. For example, the web services configuration in bnigWeb needs to match what was configured in baniam.properties within the baniam.jar file. Likewise, the value of the ticket parameter name, such as iamticket for INB, should match the parameter that was added to your formsweb.cfg as follows:
iamticket=iamticket
Reference the same forms configuration across the board when referencing forms/frmservlet?config=… in the BNIG configuration and in banportals. The above example uses smpl_sctsso. The INB and SSB cookie/header name in the bnigWeb configuration should match the IDM settings in Web Tailor Parameters.
If you see ajp-related errors in the Banner Enterprise Identity Services default island log, located in $OAS_HOME/opmn/logs, or errors such as "SOAPException faultCode=INVALID SOAP RESPONSE" in your idproxy_application logs, there may be a problem with the AQ JMS queues or subscriptions, or with the Oracle streams upon which JMS relies. To correct the problem, complete the following steps.
1. Locate the jms.xml file in $OAS_HOME/j2ee/BEIS/config and ensure that the persistence file locations are accurate. The base directory within the context of that jms.xml file is $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1.
2. Shut down Banner Enterprise Identity Services and delete the old persistence files found in the following location: $OAS_HOME/j2ee/BEIS/persistence/BEIS_default_island_1
3. Delete any lock files.
Another SOAP-related error is the following, which can occur even if all the JMS queues are configured and operating correctly.
This HTTP transport error suggests that the proxy configuration is the problem. Adjust the Web Services Configuration from FQDN to localhost, or set the http_proxy environment variable as needed for your environment, as in the following example:
http_proxy=http://www-proxy.sungard.edu:8080; export http_proxy
Another solution is to adjust your forms configuration to use the Java Plug-In (JPI) instead of JInitiator. Solution 1-BDD1LK, located in the SunGard Higher Education Customer Support Center, describes how to use JPI by default.
Validating Banner Enterprise Identity Services event streams
The following topics provide more information about validating the streams used for Banner Enterprise Identity Services events.
Oracle streams/Banner Enterprise Identity Services validation
For more information, refer to the Banner Enterprise Identity Services Installation Guide.
1. One typo in that guide is the following validation statement, which is printed there missing a single quote; the corrected form is:
select count(*) from GSVCADT where GSVCADT_CAPTURE_NAME='IAM_EVENTS_CAPTURE';
2. If the results from those validation SQL statements do not match the expected results, run the following scripts:
gorctabi_070501.sql
gorccoli_070501.sql
gorcruli_070501.sql
These are Banner General files and are located on your Banner DB under $Banner_Home/upgrade/gen80000u. The files were introduced in Banner General 7.5.1 and can be run again to verify that the seed data is in place. For more information, see solution 1-9GK5D7, located in the SunGard Higher Education Customer Support Center.
3. Ensure that you are using General 8.3 or above, then enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
The latter command should automatically begin the capture and apply. To manually begin the capture and apply, enter the following commands:
exec gp_streams_util.p_start_capture('IAM')
exec gp_streams_util.p_start_apply('IAM')
If streams are locking on archive logs, you can remove the streams by entering the following command:
exec gp_streams_util.p_remove_streams('IAM')
4. To recreate and reconfigure the streams, enter the following commands:
exec gp_streams_util.p_create_streams('IAM')
exec gp_streams_util.p_configure_rules('IAM')
Recommended