IBM Security Identity Governance and Intelligence: Oracle ...public.dhe.ibm.com/.../adapters/...oracleebs_book.pdf · IBM Security Identity Governance and Intelligence Orac le eBS

IBM Security Identity Governance and Intelligence

Oracle eBS Adapter Installation andConfiguration Guide

IBM

IBM Security Identity Governance and Intelligence

Oracle eBS Adapter Installation andConfiguration Guide

IBM

ii IBM Security Identity Governance and Intelligence: Oracle eBS Adapter Installation and Configuration Guide

Contents

Figures . . . . . . . . . . . . . . . v

Tables . . . . . . . . . . . . . . . vii

Chapter 1. Overview . . . . . . . . . 1Features of the adapter . . . . . . . . . . . 1Architecture of the adapter . . . . . . . . . 1Supported configurations . . . . . . . . . . 2

Chapter 2. Planning. . . . . . . . . . 5Roadmap for IBM Tivoli Directory Integrator basedadapters, for IBM Security Identity Governance andIntelligence . . . . . . . . . . . . . . . 5Prerequisites . . . . . . . . . . . . . . 6Installation worksheet . . . . . . . . . . . 8

Chapter 3. Installing in the IdentityGovernance and Intelligence virtualappliance . . . . . . . . . . . . . . 9

Chapter 4. Installing . . . . . . . . . 11Installing the dispatcher . . . . . . . . . . 11Installing the adapter binaries or connector . . . . 11Restarting the adapter service . . . . . . . . 12Importing the adapter profile . . . . . . . . 12Importing attribute mapping file . . . . . . . 13Adding a connector . . . . . . . . . . . 14Enabling connectors . . . . . . . . . . . 15Reviewing and setting channel modes for each newconnector . . . . . . . . . . . . . . . 16Attribute Mapping . . . . . . . . . . . . 17Deploying the custom subforms . . . . . . . 18Service/Target form details . . . . . . . . . 19Verifying that the adapter is working correctly . . 23

Chapter 5. Upgrading . . . . . . . . 25Upgrading the dispatcher. . . . . . . . . . 25

Upgrading the adapter profile . . . . . . . . 25

Chapter 6. Configuring . . . . . . . . 27Enabling SSL communication . . . . . . . . 27

Configuring Oracle eBS database tier . . . . . 27Configuring the Tivoli Directory Integrator forOracle eBS database tier authentication . . . . 28Configuring Tivoli Directory Integrator for OracleeBS Adapter authentication . . . . . . . . 29Changes to the adapter service form . . . . . 29JDBC driver location for SSL . . . . . . . 30

Customizing the adapter profile . . . . . . . 31Editing adapter profiles on the UNIX or LINUXoperating system . . . . . . . . . . . . 32Password management when restoring accounts . . 32Verifying that the adapter is working correctly . . 33

Chapter 7. Troubleshooting . . . . . . 35Techniques for troubleshooting problems . . . . 35Error messages and problem solving . . . . . . 37

Chapter 8. Uninstalling . . . . . . . . 39Uninstalling the dispatcher . . . . . . . . . 39Deleting the adapter profile . . . . . . . . . 39

Chapter 9. Reference . . . . . . . . 41Adapter attributes and object classes . . . . . . 41Adapter attributes by operations . . . . . . . 43

System Login Add . . . . . . . . . . . 43System Login Change . . . . . . . . . . 43System Login Delete . . . . . . . . . . 44System Login Suspend . . . . . . . . . 44System Login Restore . . . . . . . . . . 44Test . . . . . . . . . . . . . . . . 44Reconciliation . . . . . . . . . . . . 44

Index . . . . . . . . . . . . . . . 45

iii

iv IBM Security Identity Governance and Intelligence: Oracle eBS Adapter Installation and Configuration Guide

Figures

1. The architecture of the Oracle eBS Adapter 22. Example of a single server configuration . . . 2

3. Example of a multiple server configuration 3

v

vi IBM Security Identity Governance and Intelligence: Oracle eBS Adapter Installation and Configuration Guide

Tables

1. Prerequisites to run the adapter . . . . . . 72. Required information to install the adapter 83. Adapter package contents . . . . . . . . 94. Prerequisites for enabling a connector . . . . 155. Ports . . . . . . . . . . . . . . . 206. Warning and error messages . . . . . . . 377. Attributes, descriptions, constraints, and

permissions . . . . . . . . . . . . 41

8. Add request attributes for Oracle . . . . . 439. Change request attributes for Oracle . . . . 43

10. Suspend request attributes for Oracle . . . . 4411. Restore request attributes for Oracle . . . . 4412. Test attributes . . . . . . . . . . . . 4413. Reconciliation request attributes for Oracle 44

vii

viii IBM Security Identity Governance and Intelligence: Oracle eBS Adapter Installation and Configuration Guide

Chapter 1. Overview

An adapter is an interface between a managed resource and the IBM® SecurityIdentity server. The Oracle eBS Adapter enables communication between the IBMSecurity Identity server and the Oracle eBS user database, also known as theFND_USER directory.

Adapters can be installed on the managed resource. The IBM Security Identityserver manages access to the resource by using the security system. Adaptersfunction as trusted virtual administrators on the target operating system. Theadapter creates, suspends, restores user accounts, and other functions thatadministrators run manually. The adapter runs as a service, independently ofwhether you are logged on to the IBM Security Identity server.

Features of the adapterThe adapter automates several administrative and management tasks.

Automated user account management tasks include:v Reconciling user accounts and support datav Adding user accountsv Modifying user account attributesv Modifying user account passwordsv Suspending and restoring user accounts

Architecture of the adapterSeveral components are involved in running and using the adapter. Install all thesecomponents so that the adapter can function correctly.

The adapter contains Tivoli® Directory Integrator AssemblyLines that serve one ormore account operation. When IBM Security Identity Manager sends the firstrequest, the required AssemblyLine is loaded into the Tivoli Directory Integrator.The same Assemblyline is then cached to serve subsequent operations of the sametype.

You must install the following components for the adapter to function correctly:v The RMI Dispatcherv The Tivoli Directory Integrator connectorv IBM Security Identity Adapter profile

You need to install the RMI Dispatcher and the adapter profile; however, the TivoliDirectory Integrator connector might already be installed with the base TivoliDirectory Integrator product.

Figure 1 on page 2 describes the components that work together to complete theuser account management tasks in a Tivoli Directory Integrator environment.

1

Supported configurationsThe adapter supports both single and multiple server configurations.

The fundamental components in each environment are:v The IBM Security Identity serverv The IBM Tivoli Directory Integrator serverv The managed resourcev The adapter

The adapter must be installed directly on the server that runs the Tivoli DirectoryIntegrator server.

Single server configuration

In a single server configuration, install the IBM Security Identity server, the TivoliDirectory Integrator server, and the Oracle eBS Adapter on one server to establishcommunication with the Oracle eBS. The Oracle eBS is installed on a differentserver as described Figure 2.

Multiple server configuration

In a multiple server configuration, install the IBM Security Identity server, theTivoli Directory Integrator server, the Oracle eBS Adapter, and the Oracle eBS ondifferent servers.

RMI callsIBM SecurityIdentityServer

DispatcherService(an instanceof the IBMTivoliDirectoryIntegrator)

Adapterresource

Figure 1. The architecture of the Oracle eBS Adapter

IBM SecurityIdentity Server

Tivoli DirectoryIntegrator Server

Adapter

Managedresource

Figure 2. Example of a single server configuration

2 IBM Security Identity Governance and Intelligence: Oracle eBS Adapter Installation and Configuration Guide

Install the Tivoli Directory Integrator server and the Oracle eBS Adapter on thesame server as described in Figure 3.

IBM SecurityIdentity Managerserver

Security DirectoryIntegrator server Managed

resource

Adapter

Figure 3. Example of a multiple server configuration

Chapter 1. Overview 3


Chapter 2. Planning

Installing and configuring the adapter involves several steps that you mustcomplete in a specific sequence. Follow the roadmap for the main tasks.

Roadmap for IBM Tivoli Directory Integrator based adapters, for IBMSecurity Identity Governance and Intelligence

Follow this section when using the guide to install, configure, troubleshoot, oruninstall the adapter.

Note: There is a separate instruction for installing, upgrading or uninstallingadapters from the IBM Security Identity Governance and Intelligence virtualappliance.

Pre-installation

Complete these tasks.1. Verify that your environment meets the software and hardware requirements

for the adapter. See Prerequisites.2. Obtain the installation software. See Software downloads.3. Obtain the necessary information for the installation and configuration. See

Installation worksheet.

Installation

Complete these tasks.1. Install the dispatcher.2. Install the adapter binaries or connector.3. Install 3rd party client libraries.4. Set up the adapter environment.5. Restart the adapter service.6. Import the adapter profile.7. Load attribute mapping.8. Set account defaults.9. Create an adapter service/target.

10. Install the adapter language package.11. Verify that the adapter is working correctly.

Upgrade

To upgrade the adapter, do a full installation of the adapter. Follow the Installationroadmap.

Configuration

Complete these tasks.1. Configure secure communication between the IBM Security Identity server and

the adapter.

5

a. Configure 1-way authentication.b. Configure 2-way authentication.

2. Configure secure communication between the adapter and the managed target.a. Configure 1-way authentication.b. Configure 2-way authentication.

3. Configure the adapter.4. Modify the adapter profiles.5. Customize the adapter.

Troubleshooting

See the following topics.v Techniques for troubleshooting problemsv Configure debuggingv Logsv Error messages and problem solving

Uninstallation

Complete these tasks.1. Stop the adapter service.2. Remove the adapter binaries or connector.3. Remove 3rd party client libraries.4. Delete the adapter service/target.5. Delete the adapter profile.

Reference

See the following topics.v Adapter attributes and object classesv Adapter attributes by operationsv Special attributes

PrerequisitesVerify that your environment meets the software and hardware requirements forthe adapter.

Table 1 on page 7 identifies the software and operating system prerequisites for theadapter installation.

Ensure that you install the adapter on the same workstation as the IBM TivoliDirectory Integrator server.

Note: See the release notes in the adapter package for the most current list ofrequirements.


Table 1. Prerequisites to run the adapter

Prerequisite Description

Directory Integrator v IBM Tivoli Directory Integrator Version 7.1.1+ 7.1.1-TIV-TDI-FP0004 +7.2.0-ISS-SDI-LA0008

v IBM Security Directory Integrator Version 7.2

Note:

v Earlier versions of IBM Tivoli DirectoryIntegrator that are still supported mightfunction properly. However, to resolve anycommunication errors, you must upgradeyour Directory Integrator release to theversions that the adapter officially supports.

v The adapter supports IBM Security DirectoryIntegrator 7.2, which is available only tocustomers who have the correct entitlement.Contact your IBM representative to find outwhether you have the entitlement todownload IBM Security Directory Integrator7.2.

IBM Security Identity server The following servers are supported:

v IBM Security Identity Manager server Version6.0

v IBM Security Identity Manager server Version7.0

v IBM Security Privileged Identity ManagerVersion 2.0

v IBM Security Identity Governance andIntelligence server Version 5.2.2

Oracle e-Business Suite A system that runs the Oracle eBS release:

v 12.0

v 12.1.1

v 12.1.3

v 12.2.4

Oracle Thin JDBC DriverNote: For information about the JDBCdriver installation, seehttp://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html.

All the listed JDBC driver can talk with all thesupported version of Oracle except Oracle 10gr2:

v JDBC 8.1.7 Driver

v JDBC 9.0.1 Driver

For Oracle 10g r2:

v JDBC 10.2.0.1.0 Driver

Network Connectivity The adapter must be installed on a system thatcan communicate with the IBM SecurityIdentity Governance and Intelligence servicethrough the TCP/IP network.

System Administrator AuthorityTo complete the adapter installation procedure,you must have system administrator authority.

Tivoli Directory Integrator adapterssolution directory

A Tivoli Directory Integrator adapters solutiondirectory is a Tivoli Directory Integrator workdirectory for adapters. See the DispatcherInstallation and Configuration Guide.

Chapter 2. Planning 7

http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html

http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html

For information about the prerequisites and supported operating systems for TivoliDirectory Integrator, see the IBM Tivoli Directory Integrator 7.1: Administrator Guide.

Installation worksheetThe installation worksheet lists the information that is required to install andconfigure the adapter. Complete this worksheet before you start the installationprocedure for ease of reference. Make a copy of the worksheet for each adapterinstance you install.

Table 2 identifies the information that you need before installing the adapter.

Table 2. Required information to install the adapter

Required information Description Value

Tivoli DirectoryIntegrator HomeDirectory

The ITDI_HOME directory containsthe jars/connectors subdirectorythat contains adapter JAR files. Forexample, the jars/connectorssubdirectory contains the JAR filesfor the UNIX adapter.

Windows:

v for version 7.1:

drive\ProgramFiles\IBM\TDI\V7.1

UNIX:

v for version 7.1:

/opt/IBM/TDI/V7.1

Adapters solutiondirectory

For more information about theadapter solution directory, see theDispatcher Installation andConfiguration Guide.

Windows:

v for version 7.1:

drive\ProgramFiles\IBM\TDI\V7.1\timsol

UNIX:

v for version 7.1:

/opt/IBM/TDI/V7.1/timsol


Chapter 3. Installing in the Identity Governance andIntelligence virtual appliance

For Identity Governance and Intelligence target management, you can install anIBM Security Identity Adapters or a custom adapter on the built-in SecurityDirectory Integrator in the virtual appliance instead of installing the adapterexternally. As such, there is no need to manage a separate virtual machine orsystem.

About this task

This procedure is applicable for a selected list of Identity Adapters. See the IdentityAdapters product documentation at http://www.ibm.com/support/knowledgecenter/SSIGMP_1.0.0/com.ibm.itim_pim.doc/c_adapters_intro.htm todetermine which adapters are supported in Identity Governance and Intelligence,and which can be installed on the virtual appliance.

All Identity Governance and Intelligence supported adapters can be installedexternally on the virtual appliance. Depending on the adapter, an external SecurityDirectory Integrator may be required.

See the corresponding Adapter Installation and Configuration Guide for the specificprerequisites, installation and configuration tasks, and issues and limitations. Seethe Adapters Release Notes for any updates to these references.

Procedure1. Download the adapter package from the IBM Passport Advantage. For

example, Adapter-<Adaptername>.zip.The adapter package includes the following files:

Table 3. Adapter package contents

Files Descriptions

bundledefinition.json The adapter definition file. It specifies thecontent of the package, and the adapterinstallation and configuration properties thatare required to install and update theadapter.

Adapter JAR profile An Security Directory Integrator adapteralways include a JAR profile which contains:

v targetProfile.json

– Service provider configuration

– Resource type configuration

– SCIM schema extensions

– List of assembly lines

v A set of assembly lines in XML files

v A set of forms in XML files

v Custom properties that include labels andmessages for supported languages.

Use the Target Administration module toimport the target profile.

9

http://www.ibm.com/support/knowledgecenter/SSIGMP_1.0.0/com.ibm.itim_pim.doc/c_adapters_intro.htm?view=kc

http://www.ibm.com/support/knowledgecenter/SSIGMP_1.0.0/com.ibm.itim_pim.doc/c_adapters_intro.htm?view=kc

Table 3. Adapter package contents (continued)

Files Descriptions

Additional adapter specific files Examples of adapter specific files:

v Connector jar files

v Configuration files

v Script files

v Properties files

The file names are specified in the adapterdefinition file along with the destinationdirectory in the virtual appliance.

2. From the top-level menu of the Appliance Dashboard, click Configure > SDIManagement.

3. Select the instance of the Security Directory Integrator for which you want tomanage the adapters and click Manage > SDI Adapters The SDI Adapterswindow is displayed with a table that list the name, version, and anycomments about the installed adapters.

4. On the SDI Adapters window, click Install.5. On the File Upload window, click Browse to locate the adapter package and

then click OK. For example, Adapter-<Adaptername>.zip.6. Provide the missing 3rd party libraries when prompted.

a. On the File Upload for Pre-requisite files window, click Select Files. A newFile Upload window is displayed.

b. Browse and select all the missing libraries. For example,httpclient-4.0.1.jar

c. Click Open. The selected files are listed in the File Upload for Pre-requisitefiles window.

d. Click OK. The missing files are uploaded and the adapter package isupdated with the 3rd party libraries.

7. Enable secure communication.a. Select the instance of the Security Directory Integrator for which you want

to manage the adapter.b. Click Edit.c. Click the Enable SSL check box.d. Click Save Configuration.

8. Import the SSL certificate to the IBM Security Directory Integrator server.a. Select the instance of the Security Directory Integrator for which you want

to manage the adapter.b. Click Manage > Certificates.c. Click the Signer tab.d. Click Import. The Import Certificate window is displayed.e. Browse for the certificate file.f. Specify a label for the certificate. It can be any name.g. Click Save.


Chapter 4. Installing

Installing the adapter mainly involves importing the adapter profile and creatingan adapter service. Depending on the adapter, several other tasks can be involvedto completely install it.

All IBM Tivoli Directory Integrator based adapters require the Dispatcher for theadapters to function correctly. If the Dispatcher is installed from a previousinstallation, do not reinstall it unless the Dispatcher is upgraded. See Verification ofthe Dispatcher installation .

Depending on your adapter, the Tivoli Directory Integrator connector mightalready be installed as part of the Tivoli Directory Integrator product and nofurther action is required. If the connector is not pre-installed, install it after theDispatcher.

Installing the dispatcherIf this is the first Tivoli Directory Integrator-based adapter installation, you mustinstall the RMI Dispatcher before you install the adapter. Install the RMIDispatcher on the same Tivoli Directory Integrator server where you want to installthe adapter.

If you already installed the RMI Dispatcher for another adapter, you do not needto reinstall it.

If you have not yet installed the RMI Dispatcher in the Tivoli Directory Integratorenvironment, download the Dispatcher installer from the IBM Passport Advantagewebsite. For more information about the installation, see the Dispatcher Installationand Configuration Guide.

Installing the adapter binaries or connectorThe connector might or might not be available with the base Tivoli DirectoryIntegrator or Security Directory Integrator product. The connector is required toestablish communication between the adapter and the Dispatcher.

Before you beginv The Dispatcher must be installed.

About this task

The adapter uses the IBM Tivoli Directory Integrator JDBC connector. Thisconnector is already available with the base Tivoli Directory Integrator product. Assuch, you just need to install the Dispatcher. See the IBM Security DispatcherInstallation and Configuration Guide..

11

http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm

Restarting the adapter serviceVarious installation and configuration tasks might require the adapter to berestarted to apply the changes. For example, you must restart the adapter if thereare changes in the adapter profile, connector, or assembly lines. To restart theadapter, restart the Dispatcher.

The adapter does not exist as an independent service or a process. The adapter isadded to the Dispatcher instance, which runs all the adapters that are installed onthe same Security Directory Integrator instance.

See the topic about starting, stopping, and restarting the Dispatcher service in theDispatcher Installation and Configuration Guide.

Importing the adapter profileYou can import a profile definition file, which creates a profile in IBM SecurityIdentity Governance and Intelligence server. Use this option for importing adapterprofiles.

Before you beginv The IBM Security Identity Governance and Intelligence server is installed and

running.v You have administrator authority on the IBM Security Identity Governance and

Intelligence server.v The file to be imported must be a Java archive (JAR) file. The

<Adapter>Profile.jar file includes all the files that are required to define theadapter schema, account form, service/target form, and profile properties. Ifnecessary, you can extract the files from the JAR file, modify the files, andrepackage the JAR file with the updated files.

About this task

Target definition files are also called adapter profile files. The profile definition filesare provided with the various IBM Security Identity Adapter. The adapter profilemust be imported because it defines the types of resources that the IdentityGovernance and Intelligence server can manage.

The adapter profile definition file is used to create a target profile on the IdentityGovernance and Intelligence server and to establish communication with theadapter. If the adapter profile is not imported, you cannot create a connector forthat adapter type.

An upload error might occur when no file is selected, or when the file is empty, ordue to any upload operation error, such as a timeout or connection error. If theadapter profile is not installed correctly, the adapter cannot function correctly. Youcannot create a connector with the adapter profile or open and account on theservice. You must import the adapter profile again.

This task can be completed from the Enterprise Connectors module in theAdministration Console. To import an adapter target profile, complete these steps:

Procedure1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.


3. Select Manage > Profiles.4. Optional: Click Filter to toggle the filter on to refine your search results, or

click Hide Filter to toggle the filter off. When the filter is visible, you canspecify search criteria for your requests, and then click Search.

5. Click Actions > Import.6. On the Import page, complete these steps:

a. Select Profile.b. Click Browse to locate the JAR file that you want to import.c. Click Upload file. A message indicates that you successfully imported a

profile.7. Click Close. The new profile is displayed in the list of profiles.

Results

The upload is synchronous but has a timeout. The progress bar on the Import pageaccurately indicates the upload status. However, when a timeout is reached, thefollowing message occurs: "The import is still in progress and will completeshortly. Close this window to proceed." If you see that message, allow a fewminutes for the upload to complete and for the profile to be available.

What to do next

After the target profile is imported successfully, complete these tasks.v Import the attribute mapping file. See “Importing attribute mapping file.”v Create a connector that uses the target profile. See “Adding a connector” on

page 14.

Importing attribute mapping fileAfter importing the adapter profile, you must import an attribute map from aprofile mapping definition file.

About this task

This task involves importing an account attribute mapping definition file, which isincluded in the adapter package. The imported file must be a DEF file.

Procedure1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage > Profiles.4. Optional: Click Filter to toggle the filter on to refine your search results, or


5. Click Actions > Import.6. On the Import page, complete these steps:

a. Select Attribute Mapping.b. Click Browse to locate the attribute mapping file that you want to import.c. Click Upload file. A message indicates that you successfully imported the

file.7. Click Close.

Chapter 4. Installing 13

Adding a connectorAfter you import the adapter profile on the Identity Governance and Intelligenceserver, add a connector so that Identity Governance and Intelligence server cancommunicate with the managed resource.

Before you begin

Complete “Importing the adapter profile” on page 12.

Note: If you migrated from Identity Governance and Intelligence V5.2.2 or V5.2.2.1and want to add or configure a connector, see Adding and configuring a connector foreach target in the IBM Security Identity Governance and Intelligence productdocumentation.

About this task

The connectors consolidate, extract, and reconcile user identities, organizationunits, permissions, and user entitlements with the most common enterpriseapplications. Configure a connector to keep the Access Governance Core repositorysynchronized with the target system.

This task can be completed from the Enterprise Connectors module in theAdministration Console.

Procedure

To add a connector, complete these steps.1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage > Connectors. A list of connectors is displayed on the

Connectors tab.4. Optional: Click Filter to toggle the filter on to refine your search results, or


5. Optional: To view all of the columns in the list of connectors, expand theConnectors pane.

6. Click Actions > Add. The Connector Details pane is enabled for your input.7. On the Connector Details tab, complete these steps:

a. Assign a name and description for the connector.b. Select the target profile type as Identity Brokerage and its corresponding

target profile.c. Select the entity, such as Account or User. Depending on the connector

type, this field might be preselected.d. Optional: Select Trace ON and the corresponding Trace Level to enable

trace logs. The available trace levels are DEBUG, INFO, and ERROR.e. Optional: Select History ON to save and track the connector usage.f. Click Save. The fields for enabling the channels for sending and receiving

data are now visible.g. Select and set the connector properties in the Global Config accordion

pane. For information about the global configuration properties, see GlobalConfig accordion pane.


https://www.ibm.com/support/knowledgecenter/SSGHJR_5.2.3/com.ibm.igi.doc/CrossIdeas_Topics/ECONN/configureConnectorDriver.htm

https://www.ibm.com/support/knowledgecenter/SSGHJR_5.2.3/com.ibm.igi.doc/CrossIdeas_Topics/ECONN/configureConnectorDriver.htm

h. Click Save. The fields for enabling the channels for sending and receivingdata are now visible.

Results

The connector is saved and added to the list of connectors in the Connectors pane.

If you cannot create a connector with the target profile or open an account on anexisting connector, the target profile was not installed correctly during the import.You must import the target profile again.

What to do next

Enable the channel modes to synchronize the data between the target systems andIdentity Governance and Intelligence. For more information, see “Enablingconnectors.”

Enabling connectorsAfter you create a connector, by default it is in a disabled state. You must enable aconnector to use it.

Before you begin

Table 4. Prerequisites for enabling a connector

Prerequisite Find more information

A connector must exist in IdentityGovernance and Intelligence.

“Adding a connector” on page 14.

Ensure that you enabled the appropriatechannel modes for the connector.

“Reviewing and setting channel modes foreach new connector” on page 16.

Procedure

To enable a connector, complete these steps:1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage > Connectors. A list of connectors is displayed on the




6. Select the connector that you want to enable.7. On the Connector Details tab, complete these steps:

a. Select the channel modes that you want to enable, and then click Save.Depending on the channels that you enable, the corresponding Channeltabs are displayed.

Enable write-to channelPropagates every change in the Access Governance Core repositoryinto the target system.


For connectors that are not HR feed, the check boxes for enablingthe read-from channel and the write-to channel are available.

Enable read-from channelReads the INPUT EVENTS and USER DATA from the target system.Imports data from the target system to the Access Governance Corerepository.

For HR feed connectors, only the check box for enabling theread-from channel is available.

Enable reconciliationSynchronizes the modified data between the Access GovernanceCore repository and the target system.

Results

The connector is enabled

What to do next

Enable the channel modes to synchronize the data between the target systems andIdentity Governance and Intelligence.

Reviewing and setting channel modes for each new connectorUse this procedure to set up the read-from and write-to channels and to set thesynchronization schedule for each new connector.

About this task

Note: Legacy Identity Governance and Intelligence Enterprise connectors useReconciliation channel, whereas Identity Brokerage Enterprise connectors useRead From Channel and Change Log Sync.

For more information about any of tasks in the following steps, see the IBM®

Security Identity Governance and Intelligence product documentation.

Procedure

To enable the read-from and write-to channels, and to set the change logsynchronization schedule for each new connector, complete these steps in IdentityGovernance and Intelligence V5.2.3:1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage > Connectors. A list of connectors is displayed on the




6. Select the connector that you want to enable.7. On the Connector Details tab, complete these steps:


a. Select the channel modes that you want to enable, and then click Save.Depending on the channels that you enable, the corresponding Channeltabs are displayed, in which you can do more configuration, such asmapping attributes and setting up rules.

Enable write-to channelPropagates every change in the Access Governance Core repositoryinto the target system.

Enable read-from channelReads the INPUT EVENTS and USER DATA from the targetsystem. Imports data from the target system to the AccessGovernance Core repository.

Enable reconciliationSynchronizes the modified data between the Access GovernanceCore repository and the target system.

8. Select Monitor > Change Log Sync Status. A list of connectors is displayed.9. On the Change Log Sync Status tab, complete these steps:

a. Optional: Click Filter to toggle the filter on to refine your search results, orclick Hide Filter to toggle the filter off. When the filter is visible, you canspecify search criteria for your requests, and then click Search.

b. Select a connector, and click Actions > Sync Now. The synchronizationprocess begins.

c. Optional: To view the status of the synchronization request, select SyncHistory in the right pane. Information about the synchronization isdisplayed in the Sync History tab.

10. Set the change log synchronization schedule for each new connector that youmigrated.

11. When the connector configuration is complete, enable the connector bycompleting these steps:a. Select Manage > Connectors.b. Select the connector that you want to enable, and then select the Enable

check box in the Connector Details tab.c. Click Save. For more information, see “Enabling connectors” on page 15.

For Identity Brokerage connectors that are not HR feed, the check boxes forenabling the read-from channel and the write-to channel are available.For Identity Brokerage HR feed connectors, only the check box for enablingthe read-from channel is available.

12. Start the connector by selecting Monitor > Connector Status. Select theconnector that you want to start, and then select Actions > Start.

Attribute MappingAttribute mapping is required to define which target attributes correspond to theIdentity Governance and Intelligence account attributes.

About this task

This task involves an account attribute mapping definition file, which is includedin the adapter package.


The file consists of Identity Governance and Intelligence account attributes andtheir equivalent attributes in the managed target. The file is structured as<IGI_attribute> = <target_attribute>.

The <IGI_attribute> is fixed and must not be modified. Edit only the<target_attribute>. Some <IGI_attribute> already has a fixed equivalent<target_attribute> of eraccount.

Some <IGI_attribute> do not have a defined <target_attribute> and you can assignthe mapping. For example:USER_TYPE=USER_TYPEATTR1=ATTR1

Note:

v The default mapping is already included out-of-the box. If there are no changesto the attribute mapping, there is no need to import the attribute mapping files.

v It might take up to 10 minutes for the attribute mapping changes to take effectonce the file is imported.

Procedure1. Open the mapping definition file by using any text editor.2. Edit the mapping.3. If the target attribute has a list of predefined values, use the following syntax to

convert its values to the corresponding Identity Governance and Intelligenceattribute values.[conversion].<target_attribute>.<IGI_attribute> =[<target_attribute_value1>=<IGI_attribute_value1>;...;<target_attribute_valuen>=<IGI_attribute_valuen>]

4. For attributes that contains date and time, use the following syntax to convertits values. For example:[conversion.date].erbirthDate.BIRTHDAY=[yyyyMMdd=dd/MM/yyyy HH:mm:ss][conversion.date].ACCOUNT_EXPIRY_DATE.ACCOUNT_EXPIRY_DATE=[dd/MM/yyyy HH:mm:ss=dd/MM/yyyy HH:mm:ss]

5. Import the updated mapping definition file through the Enterprise Connectorsmodule. For more information, see Attribute-to-permission mapping service in theIBM Security Identity Governance and Intelligence product documentation.

6. Map the following attributes for Chaneel-Write To and Chaneel-Read From

Attribute Mapped Attribute

eruid CODE

erpassword PASSWORD

For more information, see Mapping attributes for a connector in the IBM SecurityIdentity Governance and Intelligence product documentation.

Deploying the custom subformsThe Oracle eBS Adapter is supplied with custom subforms to specify the roles,responsibilities, and securing attributes associated with a user. The subforms arecontained in the OraEBSSubForms.zip file.


Before you begin

Extract the contents of the OraEBSSubForms.zip file to the subforms folder of theinstalled IBM Security Identity Governance and Intelligence web application.

For a self service console installationWAS_PROFILE_HOME/installedApps/nodeName/ITIM.ear/itim_self_service.war

For an administrative console installationWAS_PROFILE_HOME/installedApps/nodeName/ITIM.ear/itim_console.war

For Identity Service Center installation WAS_PROFILE_HOME/installedApps/nodeName/ITIM.ear/isim_isc_subform.war

About this task

In a clustered environment the subform must be deployed on each WebSphereapplication server. If WebSphere version 6.1 is being used, the jdkSourceLevel JSPengine configuration parameter must be set to 15 for each web application onwhich the subforms are deployed.

Procedure1. Open the WEB-INF/ibm-web-ext.xmi file from the configuration directory. For

example, WAS_PROFILE_HOME/config/cells/cellName/applications/ITIM.ear/deployments/ITIM/webModuleName. The webModuleName is theitim_self_service.war file or the itim_console.war file or both.

2. Add the following tag within the content of the webappext:webAppExtensiontag:<jspAttributes xmi:id="JSPAttribute_1" name="jdkSourceLevel" value="15"/>

Note: The integer n in JSPAttribute_n has to be unique within the file.3. Save the file.4. Take one of the following actions:v Restart the IBM Security Identity Governance and Intelligence application

from the WebSphere Administrative Console.v Restart the service.

Service/Target form detailsComplete the service/target form fields.

The APPS account owns the Oracle eBS database and the adapter must run as theAPPS user unless you have followed special configuration steps. If you use APPS,you do not require configuration changes on the managed resource.

If your security standards do not permit the use of APPS as an administratoraccount for the Oracle eBS Adapter, you must create a new user and grant requiredpermissions as provided in the nonAPPS.sql file. The nonAPPS.sql file is suppliedwith the Oracle eBS Adapter compressed file. The adapter depends on wrapperstored procedures when an account other than APPS is used. Create the wrapperstored procedures specified in nonAPPS.sql file.


Note: If the following fields on the service form are changed for an existingservice, the adapter service on the Tivoli Directory Integrator server must berestarted.v Service Name

v Password

v Owner

v Service prerequisite

On the Oracle EBS Profile tab:

Service nameSpecify a name that defines the adapter service on the IBMSecurity Identity server.

Note: Do not use forward (/) or backward slashes (\) in theservice name.

Description Optional: Specify a description that identifies the service for yourenvironment.

Tivoli Directory Integrator location

Specify the URL for the IBM Tivoli Directory Integrator instance.The valid syntax for the URL is rmi://ip-address:port/ITDIDispatcher, where ip-address is the IBM Tivoli DirectoryIntegrator host and port is the port number for the RMI Dispatcher.

The default URL for the default SDI1 instance isrmi://localhost:1099/ITDIDispatcher.

The following table shows the ports that are open in the firewallfor every instance that is created. However, usage of these portnumbers do not support high availability.

Table 5. Ports

Instance Ports

SDI1 1199, 1198, 1197, 1196, 1195, 1194

SDI2 2299, 2298, 2297, 2296, 2295, 2294

SDI3 3399, 3398, 3397, 3396, 3395, 3394

SDI4 4499, 4498, 4497, 4496, 4495, 4494

SDI5 5599, 5598, 5597, 5596, 5595, 5594

SDI6 6699, 6698, 6697, 6696, 6695, 6694

SDI7 7799, 7798, 7797, 7796, 7795, 7794

SDI8 8899, 8898, 8897, 8896, 8895, 8894

SDI9 9999, 9998, 9997, 9996, 9995, 9994

SDI10 11099, 11098, 11097, 11096, 11095, 11094

For a high availability implementation, use any of these portnumbers.v 1099v 2099v 3099


Oracle EBS Service NameSpecify the service name of Oracle eBS database instance to whichthe adapter must connect.

Oracle EBS Service HostSpecify the host workstation on which the Oracle eBS databaseinstance is running.

Oracle EBS Service PortSpecify the port on which the Oracle eBS database service islistening.

Use SSL communication with Oracle?Click the check box to force an SSL connection from the adapter tothe Oracle eBS database.

Oracle EBS Server Distinguished NameOptional. Specify the distinguished name that is contained in thecertificate of the Oracle eBS database. If SSL communication isenabled and this field is not blank, the connection succeeds only ifthe distinguished names match.

Administrator NameSpecify the name of the user who has access to the Oracle eBSdatabase and can perform administrative operations.

PasswordSpecify the password for the user.

Do not Reconcile Roles?Select this check box if you do not want the list of roles to beretrieved during a reconciliation operation.

Do not Reconcile Persons?Select this check box if you do not want the list of persons to beretrieved during a reconciliation operation.

Do not Reconcile Suppliers?Select this check box if you do not want the list of suppliers to beretrieved during a reconciliation operation.

Do not Reconcile Customers?Select this check box if you do not want the list of customers to beretrieved during a reconciliation operation.

Do not Reconcile Responsibilities?Select this check box if you do not want the list of responsibilitiesto be retrieved during a reconciliation operation.

Do not Reconcile Securing Attributes?Select this check box if you do not want the list of securingattributes to be retrieved during a reconciliation operation.

End Date the Responsibilities on Account SuspendSelect this check box if you want to end the responsibilities onaccount suspend.

OwnerOptional: Specify a user as a service owner.

Service PrerequisiteOptional: Specify a service that is prerequisite to this service.

On the Dispatcher Attributes tab:


Disable AL CachingSelect the check box to disable the assembly line caching in thedispatcher for the service. The assembly lines for the add, modify,delete, and test operations are not cached.

AL FileSystem PathSpecify the file path from where the dispatcher loads the assemblylines. If you do not specify a file path, the dispatcher loads theassembly lines that are received from IBM Security Identity server.For example, you can specify the following file path to load theassembly lines from the profiles directory of the Windowsoperating system: c:\Files\IBM\TDI\V7.1\profiles or you canspecify the following file path to load the assembly lines from theprofiles directory of the UNIX and Linux operating systems:system:/opt/IBM/TDI/V7.1/profiles

Max Connection CountSpecify the maximum number of assembly lines that the dispatchercan run simultaneously for the service. For example, enter 10 whenyou want the dispatcher to run maximum 10 assembly linessimultaneously for the service. If you enter 0 in the MaxConnection Count field, the dispatcher does not limit the numberof assembly lines that are run simultaneously for the service.

On the Status and information tabContains read only information about the adapter and managed resource.These fields are examples. The actual fields vary depending on the type ofadapter and how the service form is configured. The adapter must berunning to obtain the information. Click Test Connection to populate thefields.

Last status update: DateSpecifies the most recent date when the Status and information tabwas updated.

Last status update: TimeSpecifies the most recent time of the date when the Status andinformation tab was updated.

Managed resource status Specifies the status of the managed resource that the adapter isconnected to.

Adapter version Specifies the version of the adapter that the service uses toprovision request to the managed resource.

Profile version Specifies the version of the profile that is installed in the IBMSecurity Identity server.

TDI version Specifies the version of the Tivoli Directory Integrator on which theadapter is deployed.

Dispatcher version Specifies the version of the Dispatcher.

Installation platformSpecifies summary information about the operating system wherethe adapter is installed.


Adapter account Specifies the account that running the adapter binary file.

Adapter up time: Date Specifies the date when the adapter started.

Adapter up time: Time Specifies the time of the date when the adapter started.

Adapter memory usage Specifies the memory usage for running the adapter.

If the connection fails, follow the instructions in the error message. Alsov Verify the adapter log to ensure that the test request was successfully

sent to the adapter.v Verify the adapter configuration information.v Verify service parameters for the adapter profile. For example, verify the

work station name or the IP address of the managed resource and theport.

Verifying that the adapter is working correctlyAfter you install and configure the adapter, verify that the installation andconfiguration are correct.

Procedure1. Test the connection for the service that you created on the IBM Security Identity

Governance and Intelligence server.2. Run a full reconciliation from the IBM Security Identity Governance and

Intelligence server.3. Run all supported operations such as add, modify, and delete on one user

account.4. Verify the ibmdi.log file after each operation to ensure that no errors are

reported.5. Verify the trace.log file to ensure that no errors are reported when you run an

adapter operation.



Chapter 5. Upgrading

Upgrading an IBM Tivoli Directory Integrator-based adapter involves tasks such asupgrading the dispatcher, the connector, and the adapter profile. Depending on theadapter, some of these tasks might not be applicable. Other tasks might also berequired to complete the upgrade.

To verify the required version of these adapter components, see the adapter releasenotes. For the installation steps, see Chapter 4, “Installing,” on page 11.

Upgrading the dispatcherBefore you upgrade the dispatcher, verify the version of the dispatcher.v If the dispatcher version mentioned in the release notes is later than the existing

version on your workstation, install the dispatcher.v If the dispatcher version mentioned in the release notes is the same or earlier

than the existing version, do not install the dispatcher.

Note: Stop the dispatcher service before the upgrading the dispatcher and start itagain after the upgrade is complete.

Upgrading the adapter profileRead the adapter Release Notes for any specific instructions before you import anew adapter profile.

Note: Restart the Dispatcher service after importing the profile. Restarting theDispatcher clears the assembly lines cache and ensures that the dispatcher runs theassembly lines from the updated adapter profile.

25


Chapter 6. Configuring

After you install the adapter, configure it to function correctly. Configuration isbased on your requirements or preference.

See the IBM Security Dispatcher Installation and Configuration Guide for additionalconfiguration options such as:v JVM propertiesv Dispatcher filteringv Dispatcher propertiesv Dispatcher port numberv Logging configurationsv Secure Sockets Layer (SSL) communication

Enabling SSL communicationYou must configure a truststore to enable SSL communication between the OracleeBS Adapter and the Oracle eBS database. You can optionally configure a keystorefor the dispatcher.

If the Oracle eBS database is configured to require SSL client authentication, youmust configure a keystore.

To configure the truststore for the dispatcher, you must minimally import theCertification Authority (CA) certificate. This certificate is the one used to sign thecertificate for the Oracle eBS database.

Note:

v All the files in the following tasks are in the solutions directory. For example:TDI_HOME/timsol.

v The store password ThePwd12 in the code examples is a variable. Substitute yourpassword for ThePwd12.

Configuring Oracle eBS database tierUse the Oracle tools to configure both the truststore and the keystore on the OracleeBS database tier.

About this task

The Oracle Wallet Manager and the orapki command, are used in the followingsteps. The following task sets up a self-signed certification authority, truststore, andkeystore.

Procedure1. Create a self-signed certificate authority. Issue the following commands:

mkdir authority

orapki wallet create -wallet ./authority -pwd=ThePwd12

orapki wallet add -wallet ./authority -dn "CN=authority, C=US" -keysize 2048

27

-self_signed -validity 3650 -pwd=ThePwd12

orapki wallet export -wallet ./authority -dn "CN=authority, C=US"-cert CA.cer-pwd=ThePwd12

The CA.cer file is the trusted certificate that is used in the keytool command toimport a CA certificate into the truststore for the dispatcher.

2. Create stores for Oracle eBS database tier authentication Issue the followingcommands:mkdir server

orapki wallet create -wallet ./server -auto_login -pwd=ThePwd12

orapki wallet add -wallet ./server -trusted_cert -cert CA.cer -pwd=ThePwd12

orapki wallet add -wallet ./server -dn "CN=server, C=US" -keysize 2048-pwd=ThePwd12

orapki wallet export -wallet ./server -dn "CN=server, C=US" -request creq.cer-pwd=ThePwd12

orapki cert create -wallet ./authority -request creq.cer -cert signed.cer-validity 3650 -pwd=ThePwd12

orapki wallet add -wallet ./server -user_cert -cert signed.cer -pwd=ThePwd12

3. Configure the Oracle network. You must configure the listener.ora andsqlnet.ora files on the Oracle eBS database tier to enable SSL. These files aretypically edited with the Oracle Net Manager or with a text editor. These filesare in the ORACLE_HOME/network/admin/instance directory of the database tier.This example does not require adapter authentication. If you want to requireauthentication for the Oracle eBS Adapter, set SSL_CLIENT_AUTHENTICATION toTRUE.a. Edit the listener.ora file.b. Locate the following lines and substitute the appropriate values for

SERVER_WALLET_LOCATION and HOSTNAME.SSL_CLIENT_AUTHENTICATION = FALSEWALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA =(DIRECTORY = SERVER_WALLET_LOCATION)))LISTENER = (DESCRIPTION_LIST = (DESCRIPTION =(ADDRESS = (PROTOCOL = TCPS)(HOST = HOSTNAME)(PORT = 2484))))

Note: Port 2484 is typically used for SSL communication (TCPS protocol).c. Edit the sqlnet.ora file.d. Locate the following lines and substitute the appropriate values for

highlighted values.SSL_CLIENT_AUTHENTICATION = FALSEWALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA =(DIRECTORY = SERVER_WALLET_LOCATION)))

Configuring the Tivoli Directory Integrator for Oracle eBSdatabase tier authentication

You must import a CA certificate into the truststore.


Procedure1. Import a CA certificate into the truststore. Issue the command:

keytool -import -v -alias OACA -file CA.cer -keystore truststore.jks-storetype JKS -storepass "ThePwd12"

2. In the solutions.properties file, set the following properties:javax.net.ssl.trustStore=truststore.jksjavax.net.ssl.trustStorePassword=ThePwd12javax.net.ssl.trustStoreType=jks

Note: If the javax.net.ssl.trustStore property is already set to a truststoreother than truststore.jks, import the CA certificate into that file instead.

3. Set the keystore properties. If a keystore is not required and no keystoreproperties are set in the solution.properties file, use the truststore propertiesvalues for the keystore properties:javax.net.ssl.keyStore=truststore.jksjavax.net.ssl.keyStorePassword=ThePwd12javax.net.ssl.keyStoreType=jks

Configuring Tivoli Directory Integrator for Oracle eBS Adapterauthentication

If the Oracle eBS database is configured for SSL client authentication, you mustconfigure a keystore.

Before you begin

You created a self-signed certificate authority in the Oracle eBS Adapter databasetier.

Procedure1. Create a JKS keystore. Issue the following commands:

keytool -genkey -alias OADB -dname "CN=client,C=US" -storetype JKS-keystore client.jks -keyalg RSA -storepass "ThePwd12"

keytool -certreq -alias OADB -file creq.cer -keystore client.jks-storepass "ThePwd12"

orapki cert create -wallet ./authority -request creq.cer -cert signed.cer-validity 3650 -pwd=ThePwd12

keytool -import -v -alias OACA -file CA.cer -keystore client.jks-storepass "ThePwd12"

keytool -import -v -alias OADB -file signed.cer -keystore client.jks-storepass "ThePwd12"

2. Set the following properties in the solutions.properties file:javax.net.ssl.keyStore=client.jksjavax.net.ssl.keyStorePassword=ThePwd12javax.net.ssl.keyStoreType=jks

Changes to the adapter service formTo enable SSL communication between the Oracle eBS Adapter and the Oracle eBSdatabase, you must supply information for the Oracle eBS adapter service form.

To access the service form, use the Manage Services utility on the IBM SecurityIdentity Governance and Intelligence console. Supply following information for thefields on the service form.

Chapter 6. Configuring 29

Use SSL communication with Oracle?Click this check box.

Oracle EBS Service PortChange the value to the TCPS port. For example 2484.

Oracle EBS Server Distinguished NameOptional. When a value is entered for this field, the entry is verifiedagainst the Oracle eBS database server certificate.

Note:

v Start the listener and database services with the same user who created thewallet, so that they are both able to access the wallet.

v The wallet location is provided in both the sqlnet.ora and the listener.orafiles. Typically, both files contain the same wallet location. However, thelistener.ora file can use its own wallet.– The distinguished name of the certificate pointed by the wallet in the

sqlnet.ora file is the name to which the Oracle eBS Adapter must verify. Thisrequirement applies only if a distinguished name is supplied on the serviceform.

– Include a distinguished name in the service form as an extra measure ofsecurity. Doing so prevents another server from faking the identity.

v For information about how to configure SSL with the Oracle JDBC Thin driver,go to the Oracle website. Search for the Oracle technical white paper SSL withOracle JDBC Thin Driver.

JDBC driver location for SSLYou must download the JDBC Thin driver to support SSL.

Obtain the JDBC Thin driver from either:v The ORACLE_HOME/jdbc/lib directory of the database tierv The JDBC Driver Downloads page on the Oracle Technology Network (OTN)

website.

Depending on your JRE, select the appropriate driver. The driver for JRE 1.5 isojdbc5.jar. The driver for JRE 1.6 is ojdbc6.jar.

Copy the appropriate driver to the TDI_HOME/jars/3rdparty/others directory onthe Tivoli Directory Integrator server.

Remove previous versions of the JDBC Thin driver from the TDI_HOME/jars/3rdparty/others directory. For example:v ojdbc14.jarv classes12.zipv nls_charset12.zipv classes111.zipv nls_charset11.zip

Note: The .zip file in the list might alternatively be named as .jar files. Forexample classes12.jar.


http://www.oracle.com/index.html

Customizing the adapter profileTo customize the adapter profile, you must modify the Oracle eBS Adapter JARfile.

About this task

You might customize the adapter profile to change the account form or the serviceform. You can also change the labels on the forms with the Form Designer orCustomLabels.properties. Each adapter has a CustomLabels.properties file forthat adapter.

The JAR file is included in the Oracle eBS Adapter compressed file that youdownloaded from the IBM website. The JAR file and the files contained in the JARfile vary depending on your operating system.

Note: You cannot modify the schema for this adapter. Attributes cannot be addedto or deleted from the schema.

The adapter JAR file includes the following files:v Service.defv Schema.dsmlv CustomLabels.propertiesv erOracleEBSAccount.xmlv erOracleEBSRMIService.xmlv OracleEBSManagerUserAL.xmlv OracleEBSSearchUserAL.xml

To edit the JAR file, perform these steps:

Procedure1. Log on to the workstation where the Oracle eBS Adapter is installed.2. On the Start menu, click Programs > Accessories > Command Prompt.3. Copy the JAR file into a temporary directory.4. Extract the contents of the JAR file into the temporary directory by running the

following command.The following example applies to the Oracle eBS Adapter profile. Type thename of the JAR file for your operating system.cd c:\temp#jar -xvf OraEBSProfile.jar

The jar command extracts the files into the directory.5. Edit the file that you want to change.6. After you edit the file, you must import the file into the IBM Security Identity

server for the changes to take effect. To import the file, perform these steps:a. Create a JAR file with the files in the \temp directory by running the

following commands:cd c:\temp#jar -cvf OraEBSProfile.jar OraEBSProfile

b. Import the JAR file into the IBM Security Identity Governance andIntelligence application server.

c. Stop and start the IBM Security Identity server


d. Restart the adapter service.

Editing adapter profiles on the UNIX or LINUX operating systemThe adapter profile .jar file might contain ASCII files that are created by using theMS-DOS ASCII format.

About this task

If you edit an MS-DOS ASCII file on the UNIX operating system, you might see acharacter ^M at the end of each line. These characters indicate new lines of text inMS-DOS. The characters can interfere with the running of the file on UNIX orLinux systems. You can use tools, such as dos2unix, to remove the ^M characters.You can also use text editors, such as the vi editor, to remove the charactersmanually.

Example

You can use the vi editor to remove the ^M characters. From the vi commandmode, run the following command and press Enter::%s/^M//g

When you use this command, enter ^M or Ctrl-M by pressing ^v^M or Ctrl V CtrlM sequentially. The ^v instructs the vi editor to use the next keystroke instead ofissuing it as a command.

Password management when restoring accountsHow each restore action interacts with its corresponding managed resourcedepends on either the managed resource, or the business processes that youimplement.

Certain resources reject a password when a request is made to restore an account.In this case, you can configure IBM Security Identity Governance and Intelligenceto forego the new password requirement. You can set the Oracle eBS Adapter torequire a new password when the account is restored, if your company has abusiness process in place that dictates that the account restoration process must beaccompanied by resetting the password.

In the service.def file, you can define whether a password is required as a newprotocol option. When you import the adapter profile, if an option is not specified,the adapter profile importer determines the correct restoration password behaviorfrom the schema.dsml file. Adapter profile components also enable remote servicesto find out if you discard a password that is entered by the user in a situationwhere multiple accounts on disparate resources are being restored. In thissituation, only some of the accounts being restored might require a password.Remote services will discard the password from the restore action for thosemanaged resources that do not require them.

Edit the service.def file to add the new protocol options, for example:<Property Name = "com.ibm.itim.remoteservices.ResourceProperties.

PASSWORD_NOT_REQUIRED_ON_RESTORE"<value>true</value></property><Property Name = "com.ibm.itim.remoteservices.ResourceProperties.

PASSWORD_NOT_ALLOWED_ON_RESTORE"<value>false</value></property>


By adding the two options in the example above, you are ensuring that you willnot be prompted for a password when an account is restored.

Verifying that the adapter is working correctlyAfter you install and configure the adapter, verify that the installation andconfiguration are correct.

Procedure1. Test the connection for the service that you created on the IBM Security Identity

server.2. Run a full reconciliation from the IBM Security Identity server.3. Run all supported operations such as add, modify, and delete on one user

account.4. Verify the ibmdi.log file after each operation to ensure that no errors are

reported.5. Verify the trace.log file to ensure that no errors are reported when you run an

adapter operation.



Chapter 7. Troubleshooting

Troubleshooting is a systematic approach to solving a problem. The goal oftroubleshooting is to determine why something does not work as expected andhow to resolve the problem. This topic provides information and techniques foridentifying and resolving problems that are related to the adapter, includingtroubleshooting errors that might occur during the adapter installation.

Techniques for troubleshooting problemsCertain common techniques can help with the task of troubleshooting. The firststep in the troubleshooting process is to describe the problem completely.

Problem descriptions help you and the IBM technical-support representative findthe cause of the problem. This step includes asking yourself basic questions:v What are the symptoms of the problem?v Where does the problem occur?v When does the problem occur?v Under which conditions does the problem occur?v Can the problem be reproduced?

The answers to these questions typically lead to a good description of the problem,which can then lead you to a problem resolution.

What are the symptoms of the problem?

When you start to describe a problem, the most obvious question is “What is theproblem?” This question might seem straightforward; however, you can break itdown into several more-focused questions that create a more descriptive picture ofthe problem. These questions can include:v Who, or what, is reporting the problem?v What are the error codes and messages?v How does the system fail? For example, is it a loop, hang, crash, performance

degradation, or incorrect result?

Where does the problem occur?

Determining where the problem originates is not always easy, but it is one of themost important steps in resolving a problem. Many layers of technology can existbetween the reporting and failing components. Networks, disks, and drivers areonly a few of the components to consider when you are investigating problems.

The following questions help you to focus on where the problem occurs to isolatethe problem layer:v Is the problem specific to one operating system, or is it common across multiple

operating systems?v Is the current environment and configuration supported?v Do all users have the problem?v (For multi-site installations.) Do all sites have the problem?

35

If one layer reports the problem, the problem does not necessarily originate in thatlayer. Part of identifying where a problem originates is understanding theenvironment in which it exists. Take some time to completely describe the problemenvironment, including the operating system and version, all correspondingsoftware and versions, and hardware information. Confirm that you are runningwithin an environment that is a supported configuration. Many problems can betraced back to incompatible levels of software that are not intended to run togetheror are not fully tested together.

When does the problem occur?

Develop a detailed timeline of events that lead up to a failure, especially for thosecases that are one-time occurrences. You can most easily develop a timeline byworking backward: Start at the time an error was reported (as precisely as possible,even down to the millisecond), and work backward through the available logs andinformation. Typically, you use the first suspicious event that you find in adiagnostic log.

To develop a detailed timeline of events, answer these questions:v Does the problem happen only at a certain time of day or night?v How often does the problem happen?v What sequence of events leads up to the time that the problem is reported?v Does the problem happen after an environment change, such as upgrading or

installing software or hardware?

Responding to these types of questions can give you a frame of reference in whichto investigate the problem.

Under which conditions does the problem occur?

Knowing which systems and applications are running at the time that a problemoccurs is an important part of troubleshooting. These questions about yourenvironment can help you to identify the root cause of the problem:v Does the problem always occur when the same task is being done?v Is a certain sequence of events required for the problem to occur?v Do any other applications fail at the same time?

Answering these types of questions can help you explain the environment inwhich the problem occurs and correlate any dependencies. Remember that justbecause multiple problems might occur around the same time, the problems arenot necessarily related.

Can the problem be reproduced?

From a troubleshooting standpoint, the ideal problem is one that can bereproduced. Typically, when a problem can be reproduced you have a larger set oftools or procedures at your disposal to help you investigate. Problems that you canreproduce are often easier to debug and solve.

However, problems that you can reproduce can have a disadvantage: If theproblem is of significant business impact, you do not want it to recur. If possible,re-create the problem in a test or development environment, which typically offersyou more flexibility and control during your investigation.v Can the problem be re-created on a test system?


v Do multiple users or applications have the same type of problem?v Can the problem be re-created by running a single command, a set of

commands, or a particular application?

Error messages and problem solvingA warning or error message might be displayed in the user interface to provideinformation about the adapter or when an error occurs.

Table 6 contains warnings or errors that might be displayed on the user interface ifthe adapter is installed on your workstation.

Table 6. Warning and error messages

Message ID Warning or error message Corrective action

CTGIMT001E The following error occurred. Error:Either the Oracle eBS service name isincorrect or the service is not up.

Ensure that the Oracle database service name givenon IBM Security Identity Governance andIntelligence service form is running.

CTGIMT001E The following error occurred. Error:Either the Oracle eBS host or port isincorrect.

Verify that the host workstation name or the portfor the Oracle eBS database service is correctlyspecified.

CTGIMT002E The login credential is missing orincorrect.

Verify that you have provided correct logincredential on service form.

CTGIMT001E The following error occurred. Error: Nosuitable JDBC driver found.

Ensure that the correct version of the JDBC thindriver is copied onto the workstation where theadapter is installed and that the path is included inthe system CLASSPATH variable.

CTGIMT600E An error occurred while establishingcommunication with the Tivoli DirectoryIntegrator server.

IBM Security Identity Governance and Intelligencecannot establish a connection with Tivoli DirectoryIntegrator. To fix this problem, ensure that:

v The Tivoli Directory Integrator is running.

v The URL specified on the service form for theTivoli Directory Integrator is correct.

Chapter 7. Troubleshooting 37


Chapter 8. Uninstalling

To remove an adapter from the IBM Security Identity server for any reason, youmust remove all the components that were added during installation. Uninstallingan IBM Tivoli Directory Integrator based adapter mainly involves removing theconnector file, and the adapter profile from the IBM Security Identity server.Depending on the adapter, some of these tasks might not be applicable, or therecan be other tasks.

Uninstalling the dispatcherYou might need to remove the Oracle eBS Adapter.

About this task

The Oracle eBS Adapter installation installs the RMI Dispatcher only on the TivoliDirectory Integrator server. Therefore, you only need to uninstall from the RMIDispatcher. There is no uninstall for the Oracle eBS Adapter.

The JAR file needed to uninstall the RMI Dispatcher was created in theITDI_HOME\DispatcherUninstall directory when the RMI Dispatcher was installed.

Note: The RMI Dispatcher is required for all adapters based on Tivoli DirectoryIntegrator. If you uninstall the RMI Dispatcher, none of the other installed adaptersfunction.

Complete these steps:

Procedure1. Stop the adapter service.2. Run the DispatcherUninstall.jar file. To run the JAR file, double click on the

executable file or enter the following command at the command prompt:TDI_HOME/jvm/jre/bin/java –jar DispatcherUninstall.jar

Deleting the adapter profileRemove the adapter service/target type from the IBM Security Identity server.Before you delete the adapter profile, ensure that no objects exist on the IBMSecurity Identity server that reference the adapter profile.

Objects on the IBM Security Identity server that can reference the adapter profile:v Adapter service instancesv Policies referencing an adapter instance or the profilev Accounts

Note: The Dispatcher component must be installed on your system for adapters tofunction correctly in a Tivoli Directory Integrator environment. When you deletethe adapter profile, do not uninstall the Dispatcher.

For specific information about how to delete the adapter profile, see the IBMSecurity Identity Governance and Intelligence product documentation.

39


Chapter 9. Reference

Reference information is organized to help you locate particular facts quickly, suchas adapter attributes, registry settings, and environment variables.

Adapter attributes and object classesAdapter attributes and object classes are required for customization, creatingprovisioning rules, and understanding what service/target attributes are supportedby the adapter. The IBM Security Identity server communicates with the adapterby using attributes, which are included in transmission packets that are sent over anetwork.

The combination of attributes, included in the packets, depends on the type ofaction that the IBM Security Identity server requests from the Oracle eBS Adapter.

Table 7 is a listing of the attributes that are used by the Oracle eBS Adapter. Thetable gives a brief description, constraints, and permissions. The permissions are:

Read The attribute is reconciled but not modified by the adapter.

Write The attribute is modified by the adapter but not reconciled.

Read and WriteThe attribute is reconciled and can be modified by the adapter.

Table 7. Attributes, descriptions, constraints, and permissions

Attribute Description Constraints Permissions

erAccountStatus Specifies the status of the account as enabledor disabled.

Read andWrite

erLastAccessDate The users last login date and time in OracleeBS.

Read

erOraEBSCust Customer. Read andWrite

erOraEBSDescription A short description for the user name. The description islimited to amaximum of 240characters.

Read andWrite

erOraEBSLeftPwdAccess Specifies the number of login accessesremaining (from the current day) until thepassword expires.

The maximum valueis 999999999999999.

Read andWrite

erOraEBSPerson Person. Read andWrite

erOraEBSPwdAccesses Specifies the number of login accesses allowedbefore the password expires.


Read andWrite

erOraEBSPwdLifeSpanDays Specifies the number of days after which thepassword expires


Read andWrite

41

Table 7. Attributes, descriptions, constraints, and permissions (continued)


erOraEBSResp Specifies a directly granted responsibilityformatted as

Application_Nameh|hResponsibility_Name|Start_Date|End_Date

The h denotes a space character. Dates areformatted as “dd/mm/yyyy” (for example31/12/2001) or empty to omit. For exampleSales Foundation | Customer RelationshipMgmt|13/01/2001.

Read andWrite

erOraEBSSessionNumber Specifies the session ID Read

erOraEBSSupp Specifies a supplier. Read andWrite

erOraEBSUserEndDate Specifies the user's effective end date. Read andWrite

erOraEBSUserFax Specifies the user's fax number The fax number islimited to amaximum of 80characters.

Read andWrite

erOraEBSUserMail Specifies the user's email address. The email address islimited to amaximum of 240characters.

Read andWrite

erOraEBSUserStartDate Specifies the user's effective start date. Read andWrite

erPassword Specifies the password for the user name. The password islimited to amaximum of 45characters.

Write

erUid Specifies the user name. The user name islimited to amaximum of 100characters.

Read andWrite

erOraEBSSecAttr Specifies an associated securing attributeformatted asApplication_ID|Attribute_Code|Value. Do notuse blank spaces. For example,454|ONE_DAY_BOOK_TO_SHIP_PERCENT|2342. Ifthe Value is DATE, the format is dd-mm-yyyy(For example. 31-12-2001). If the Value isDATETIME, the format is dd-mm-yyyyhh24:mi:ss. (For example 31-12-200113:45:00).

Read andWrite

erOraEBSIndirectResp Specifies an inherited responsibility formattedlike erOraEBSResp.

Read


Table 7. Attributes, descriptions, constraints, and permissions (continued)


erOraEBSDirectRoles Specifies a directly granted role formatted as aJSON object with the fields

role (object)

startDate (string)

endDate (string)

reason (string)

The 'role' object is a JSON object with fieldsname (string), origSystem (string), andorigSystemId (string). The date fields(startDate and endDate) are represented asstrings with the format yyyymmddhh24mi'Z'.(For example 200112311345Z). For example,{"endDate":null,"reason":"Granted byXX","role":{"name":"UMX| SECURITY_ADMIN","origSystem":"UMX","origSystemId":"0"},"startDate":"201103150000Z"}.

Read andWrite

erOraEBSIndirectRole Specifies an inherited role formatted likeerOraEBSDirectRoles.

Read

Adapter attributes by operationsAdapter attributes by operations refer to adapter actions by their functionaltransaction group. They are required for customization, creating provisioning rules,and understanding what service/target attributes are supported by the adapter.

The lists include more information about required and optional attributes sent tothe Oracle eBS Adapter to complete that action.

System Login AddA System Login Add is a request to create a new user account with the specifiedattributes.

Table 8. Add request attributes for Oracle

Required attribute Optional attribute

erUid

erPassword

All other supported attributes

System Login ChangeA System Login Change is a request to change one or more attributes for thespecified users.

Table 9. Change request attributes for Oracle


erUidAll other supported attributes

Chapter 9. Reference 43

System Login DeleteThis operation is not supported.

System Login SuspendYou might need to suspend a system login.

A System Login Suspend is a request to disable a user account. The user is neitherremoved nor are their attributes modified.

Table 10. Suspend request attributes for Oracle


erUid

erAccountStatus

None

System Login RestoreYou might need to restore a system login.

A System Login Restore is a request to activate a user account that was previouslysuspended. After an account is restored, the user can access the system using thesame attributes as the ones before the Suspend function was called.

Table 11. Restore request attributes for Oracle


erUid

erAccountStatus

None

TestThe following table identifies attributes needed to test the connection.

Table 12. Test attributes


None None

ReconciliationYou might need to reconcile user account information.

The Reconciliation request synchronizes user account information between IBMSecurity Identity Governance and Intelligence and the adapter.

Table 13. Reconciliation request attributes for Oracle


None None


Index

Aadapter

attributesby adapter action 43descriptions 41permissions 41

customizationsteps 31

features 1installation

dispatcher requirement 11steps 11troubleshooting errors 35verifying 33warnings 35worksheet 8

overview 1profile

overview 1upgrading 25

SSL communication to thedatabase 27

supported configurations 2uninstall 39upgrading 25

adaptersremoving profiles 39

architecture 1attributes

adapter action, byreconciliation 44restoring 44suspending 44

by Oracle eBS Adapter actionadd 43change 43

by Oracle eBS Adapter action actiondelete 44

descriptions 41for the adapter 41

authentication for the adapter 29

Cchanges to the service form for SSL 29configuring

adapter authentication 29for tier authentication 29

connection 44creating

keystore 27self-signed certificate authority 27truststore 27

custom subforms, deploying 19

Ddatabase

SSL communication to theadapter 27

database (continued)truststore configuration 27

deploying custom subforms 19directory integrator

connector 1unstalling the adapter 39

dispatcherinstallation 11upgrading 25

Eerror messages 37

Iinstallation

adapter 11first steps 27planning roadmaps 5uninstall 39verification

adapter 33worksheet 8

JJDBC Thin driver

for SSL 30

Kkeystore for tier configuration 27

Mmessages

error 37warning 37

MS-DOS ASCII characters 32

Oobtaining the JDBC Thin driver 30operating system prerequisites 6overview 1

Pprofile

editing on UNIX or Linux 32

Rreconciliation 44removing

adapter profiles 39

request attributes 44restore request 44restoring accounts

files, changing 32password requirements 32

RMI dispatcher 1roadmaps

planning 5

Sself-signed certificate authority for tier

configuration 27service

form changes for SSL 29restart 12start 12stop 12

softwarerequirements 6

SSLadapter authentication 29communication between adapter and

database 27information, service form 29JDBC Thin driver 30

subforms, custom 19supported

attributes 41configurations

adapter 2overview 2

suspend request attribute 44system login

restore 44suspend 44

Ttest attributes 44tier

authentication, configuring the TivoliDirectory Integrator 29

configuration 27troubleshooting

error messages 37identifying problems 35techniques for 35warning messages 37

troubleshooting and supporttroubleshooting techniques 35

truststore for tier configuration 27

Uuninstalling

adapter 39from the directory integrator 39

updatingadapter profile 31

45

updating (continued)form labels 31

upgradeadapter 25dispatcher 25

upgradesadapter profiles 25

Vverification

dispatcher installation 11installation 33operating

system prerequisites 6system requirements 6

softwareprerequisites 6requirements 6

vi command 32

Wwarning messages 37


IBM®

Printed in USA

Documents

IBM Security Identity Governance and Intelligence: Oracle ...public.dhe.ibm.com/.../adapters/...oracleebs_book.pdf · IBM Security Identity Governance and Intelligence Orac le eBS